Ch. 3 - Access Control Concepts Flashcards

1
Q

Understand Access Control Concepts:

Access is based on all of the following except:

A. Subjects (Who)
B. Objects (What)
C. Rules (How and When)
D. Reason (Why)

A

D. Reason (Why)

2
Q

Understand Access Control Concepts:

  • An information security strategy that integrates people, technology and operations capabilities to establish variable barriers across multiple layers and missions of the organization.
  • Applies multiple countermeasures in a layered fashion to fulfill security objectives.
  • Should be implemented to prevent or deter a cyberattack, but it cannot guarantee that an attack will not occur.

All of the following support:

A. Access Control
B. Defense in Depth
C. Privileged Access Management
D. User Provisioning

A

B. Defense in Depth

3
Q

Understand Access Control Concepts:

  • Reduces risk by allowing admin privileges to be used only when needed.
  • Provides confidentiality by limiting the need for administrative access that is used during routine business.
  • Ensures integrity by only allowing authorized administrative access during approved activities.
  • Confirms availability by providing administrative access when needed.

All of the following support:

A. Access Control
B. Defense in Depth
C. Privileged Access Management
D. User Provisioning

A

C. Privileged Access Management
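The four PAM bullets above describe a broker that hands out administrative rights only for an approved activity and takes them back when the activity ends. The following is an added example, not part of the flashcards: a minimal just-in-time elevation broker in Python. Account names, the `domain-admin` privilege and the ticket reference `CHG-1234` are constructed for illustration; `now` is passed in explicitly so the expiry logic can be exercised without waiting.

```python
"""Just-in-time privileged access (added example, not from the flashcards).

An account is unprivileged by default. Elevation needs a ticket, is capped to
a short window set by the broker, expires on its own, and every decision is
written to an audit list. Names and tickets below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass
class Grant:
    account: str
    privilege: str
    ticket: str           # change or incident reference justifying the elevation
    expires_at: datetime


class PamBroker:
    """Issues short-lived grants and answers 'is this account elevated right now?'."""

    def __init__(self, max_duration: timedelta = timedelta(hours=1)):
        self.max_duration = max_duration
        self.grants: List[Grant] = []
        self.audit: List[Tuple[str, str, str, str]] = []

    def request(self, account, privilege, ticket, duration, now) -> Optional[Grant]:
        # No justification, no elevation: the ticket ties the admin session
        # to an approved activity (the integrity bullet on the card).
        if not ticket:
            self.audit.append(("DENIED", account, privilege, "no ticket"))
            return None
        # The broker caps the window; asking for 8 hours still yields 1.
        expires_at = now + min(duration, self.max_duration)
        grant = Grant(account, privilege, ticket, expires_at)
        self.grants.append(grant)
        self.audit.append(("GRANTED", account, privilege, ticket))
        return grant

    def _expire(self, now):
        live = []
        for g in self.grants:
            if g.expires_at <= now:
                self.audit.append(("EXPIRED", g.account, g.privilege, g.ticket))
            else:
                live.append(g)
        self.grants = live

    def is_elevated(self, account, privilege, now) -> bool:
        """Default is unprivileged; True only inside an unexpired grant."""
        self._expire(now)
        return any(g.account == account and g.privilege == privilege
                   for g in self.grants)

    def revoke(self, account, privilege, now):
        """Early hand-back when the task finishes before the window closes."""
        before = len(self.grants)
        self.grants = [g for g in self.grants
                       if not (g.account == account and g.privilege == privilege)]
        if len(self.grants) != before:
            self.audit.append(("REVOKED", account, privilege, "manual"))


def demo():
    """Walk one elevation through its lifecycle and return the observations."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    pam = PamBroker(max_duration=timedelta(hours=1))
    no_ticket = pam.request("alice", "domain-admin", "", timedelta(minutes=30), t0)
    grant = pam.request("alice", "domain-admin", "CHG-1234", timedelta(hours=8), t0)
    return {
        "no_ticket_refused": no_ticket is None,
        "capped_to_one_hour": grant.expires_at == t0 + timedelta(hours=1),
        "elevated_at_0930": pam.is_elevated("alice", "domain-admin", t0 + timedelta(minutes=30)),
        "elevated_at_1100": pam.is_elevated("alice", "domain-admin", t0 + timedelta(hours=2)),
        "bob_never_elevated": pam.is_elevated("bob", "domain-admin", t0),
        "audit_actions": [a[0] for a in pam.audit],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the code makes that the card only states: the privilege check is evaluated at use time against an expiry, not once at login, so the administrative access is unavailable for routine work in between approved windows.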

4
Q

Understand Access Control Concepts:

  • New employee – account created
  • “Onboarding” – creating an account (or cloning a baseline account) for a new employee
  • Changed position – account modified
  • Temporary leave of absence – account disabled
  • Separation of employment – account deleted
  • “Offboarding” – deleting an account (or disabling then deleting an account) for a terminated employee

All of the following support:

A. Access Control
B. Defense in Depth
C. Privileged Access Management
D. User Provisioning

A

D. User Provisioning

5
Q

Access Controls:

The following are examples of what type of access control?

* Security guards
* Fences
* Motion detectors
* Locked doors/gates
* Sealed windows
* Lights
* Cable protection
* Laptop locks
* Badges
* Swipe cards
* Guard dogs
* Cameras
* Mantraps/turnstiles
* Alarms

A. Physical Access Controls
B. Logical/Technical Access Controls
C. Administrative Access Controls
D. Temporary Access Controls

A

A. Physical Access Controls

6
Q

Access Controls:

All of the following are types of Logical Access Controls except:

A. Discretionary access control (DAC)
B. Technical Access Controls (TAC)
C. Mandatory access control (MAC)
D. Role-based access control (RBAC)

A

B. Technical Access Controls (TAC)

7
Q

Definitions:

Information security strategy integrating people, technology, and operations capabilities to establish variable barriers across multiple layers and missions of the organization.

A. Defense in Controls
B. Defense in Layers
C. Defense in Depth
D. Defense in Steps

A

C. Defense in Depth

Source: NIST SP 800-53 Rev 4

8
Q

Access Controls:

A certain amount of access control is left to the discretion of the object’s owner, or anyone else who is authorized to control the object’s access. The owner can determine who should have access rights to an object and what those rights should be.

A. Discretionary access control (DAC)
B. Technical Access Controls (TAC)
C. Mandatory access control (MAC)
D. Role-based access control (RBAC)

A

A. Discretionary access control (DAC)

Source: NIST SP 800-192

9
Q

Access Controls:

Access control that requires the system itself to manage access controls in accordance with the organization’s security policies.

A. Discretionary access control (DAC)
B. Technical Access Controls (TAC)
C. Mandatory access control (MAC)
D. Role-based access control (RBAC)

A

C. Mandatory access control (MAC)

10
Q

Access Controls:

An access control system that sets up user permissions based on responsibilities.

A. Discretionary access control (DAC)
B. Technical Access Controls (TAC)
C. Mandatory access control (MAC)
D. Role-based access control (RBAC)

A

D. Role-based access control (RBAC)
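Cards 8, 9 and 10 define DAC, MAC and RBAC in words; the difference is clearest when the three models decide requests side by side. The following is an added example, not part of the flashcards: a small Python model of each. In the DAC part only the owner can edit the ACL; the MAC part uses a label lattice (the "read down, write up" rules of Bell-LaPadula, one common form of MAC) that no owner can change; the RBAC part maps permissions to roles. Subjects, object names, labels and roles are constructed.

```python
"""DAC, MAC and RBAC deciding the same kinds of request.
Added example, not from the flashcards; all names and labels are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

# ---- DAC: the object's owner decides who gets what -----------------------
@dataclass
class DacObject:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # subject -> permissions

    def grant(self, by: str, subject: str, perm: str) -> None:
        """Only the owner may edit the ACL; that is what 'discretionary' means."""
        if by != self.owner:
            raise PermissionError(f"{by} does not own this object")
        self.acl.setdefault(subject, set()).add(perm)

    def allows(self, subject: str, perm: str) -> bool:
        return subject == self.owner or perm in self.acl.get(subject, set())


# ---- MAC: the system enforces labels set by policy, not by the owner -----
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}

def mac_allows(subject_clearance: str, object_label: str, perm: str) -> bool:
    """Bell-LaPadula style: no read up, no write down. There is deliberately
    no grant() here; neither subject nor owner can relabel anything."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if perm == "read":
        return s >= o
    if perm == "write":
        return s <= o
    return False


# ---- RBAC: permissions attach to roles, subjects hold roles --------------
ROLE_PERMS = {
    "analyst":    {("case-file", "read")},
    "case-owner": {("case-file", "read"), ("case-file", "write")},
    "auditor":    {("case-file", "read"), ("audit-log", "read")},
}

def rbac_allows(roles: Set[str], obj_type: str, perm: str) -> bool:
    """Deny unless some held role carries the (object type, permission) pair."""
    return any((obj_type, perm) in ROLE_PERMS.get(r, set()) for r in roles)


def demo() -> dict:
    """Exercise all three models and return the decisions."""
    f = DacObject(owner="alice")
    f.grant("alice", "bob", "read")
    try:
        f.grant("bob", "carol", "read")   # bob is not the owner
        bob_could_grant = True
    except PermissionError:
        bob_could_grant = False
    return {
        "dac_bob_read": f.allows("bob", "read"),
        "dac_bob_write": f.allows("bob", "write"),
        "dac_bob_grant": bob_could_grant,
        "mac_secret_reads_confidential": mac_allows("secret", "confidential", "read"),
        "mac_confidential_reads_secret": mac_allows("confidential", "secret", "read"),
        "mac_secret_writes_confidential": mac_allows("secret", "confidential", "write"),
        "rbac_analyst_write": rbac_allows({"analyst"}, "case-file", "write"),
        "rbac_owner_write": rbac_allows({"case-owner"}, "case-file", "write"),
        "rbac_no_role": rbac_allows(set(), "case-file", "read"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note what differs between the models: in DAC a compromised owner account can hand out access to anyone, in MAC even the owner cannot override the label check, and in RBAC access changes are made by changing role membership rather than editing per-object lists.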

11
Q

Definitions:

Devices that enforce administrative security policies by filtering incoming traffic based on a set of rules.

A. Firewalls
B. Routers
C. Switches
D. Hubs

A

A. Firewalls
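"Filtering incoming traffic based on a set of rules" hides two details a practitioner relies on: rules are matched in order with the first hit winning, and anything no rule matches is dropped. The following is an added example, not part of the flashcards: a Python packet filter with an implicit default deny, plus a check for rules that can never fire because an earlier rule already covers them. The rule sets and sample packets (addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed.

```python
"""Ordered rule-based packet filter with default deny and shadow detection.
Added example, not from the flashcards; rules and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR or "any"
    dport: Optional[int]   # None means any destination port
    proto: str             # "tcp", "udp" or "any"

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in _net(self.src)
                and (self.dport is None or self.dport == pkt["dport"])
                and (self.proto == "any" or self.proto == pkt["proto"]))

    def covers(self, other: "Rule") -> bool:
        """True if every packet `other` matches is also matched by self."""
        return (_net(other.src).subnet_of(_net(self.src))
                and (self.dport is None or self.dport == other.dport)
                and (self.proto == "any" or self.proto == other.proto))


def filter_packet(rules: List[Rule], pkt: dict) -> Tuple[str, Optional[int]]:
    """First matching rule decides; no match means deny (implicit default)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule covers them.
    A 'deny' shadowed by a broad 'allow' above it is the classic misordering."""
    return [j for j, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:j])]


# Intent: SSH only from the jump host, HTTPS from anywhere. Rule 1 was added as
# a "temporary" allow-all and silently defeats the deny below it.
MISORDERED = [
    Rule("allow", "203.0.113.10/32", 22, "tcp"),
    Rule("allow", "any", None, "tcp"),
    Rule("deny", "any", 22, "tcp"),
]

# Same intent expressed correctly; nothing needs an explicit deny because
# the filter denies by default.
CORRECT = [
    Rule("allow", "203.0.113.10/32", 22, "tcp"),
    Rule("allow", "any", 443, "tcp"),
]

SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "dport": 22, "proto": "tcp"},   # jump host -> ssh
    {"src": "198.51.100.7", "dport": 22, "proto": "tcp"},   # internet -> ssh
    {"src": "198.51.100.7", "dport": 443, "proto": "tcp"},  # internet -> https
    {"src": "198.51.100.7", "dport": 53, "proto": "udp"},   # internet -> dns
]


def evaluate(rules: List[Rule]) -> List[str]:
    """Verdict for each sample packet under the given rule set."""
    return [filter_packet(rules, p)[0] for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    print("misordered:", evaluate(MISORDERED), "shadowed:", shadowed_rules(MISORDERED))
    print("correct:   ", evaluate(CORRECT), "shadowed:", shadowed_rules(CORRECT))
```

Under MISORDERED the internet SSH packet is allowed even though a deny rule for it exists; `shadowed_rules` reports that rule as dead. Running that check after every rule change is the cheapest way to catch this class of mistake before traffic does.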

12
Q

Definitions:

An entity with authorized access that has the potential to harm an information system through destruction, disclosure, modification of data, and/or denial of service.

A. Outsider Threat
B. Insider Threat
C. Threat Vector
D. Threat Asset

A

B. Insider Threat

13
Q

Definitions:

Collecting and storing user activities in a log, which is a record of the events occurring within an organization’s systems and networks.

A. Documenting
B. Stacking
C. Collecting
D. Logging

A

D. Logging

Source: NIST SP 1800-25B

14
Q

Definitions:

An automated system that controls an individual’s ability to access one or more computer system resources, such as a workstation, network, application or database. It requires the validation of an individual’s identity through some mechanism, such as a PIN, card, biometric or other token. It has the capability to assign different access privileges to different individuals depending on their roles and responsibilities in an organization.

A. Logical Access Control Systems
B. Physical Access Control Systems
C. Administrative Access Control Systems
D. Logical Process Controller Systems

A

A. Logical Access Control Systems

Source: NIST SP 800-53 Rev 5

15
Q

Definitions:

An entrance to a building or an area that requires people to pass through two doors with only one door opened at a time.

A. Piggybacking
B. Mantrap
C. Mancave
D. Man-in-the-Middle

A

B. Mantrap

16
Q

Passive information system-related entity (e.g., devices, files, records, tables, processes, programs, domains) containing or receiving information.

A. Subject
B. Object
C. Rules
D. Reason

A

B. Object

Source: NIST SP 800-53 Rev 4

17
Q

Controls implemented through a tangible mechanism. Examples include walls, fences, guards, locks, etc. In modern organizations, many physical control systems are linked to technical/logical systems, such as badge readers connected to door locks.

A. Physical Access Controls
B. Technical Access Controls
C. Administrative Access Controls
D. Logical Access Controls

A

A. Physical Access Controls

18
Q

Definitions:

The concept that users and programs should have only the minimum privileges necessary to complete their tasks.

A. Principle of Least Access
B. Separation of Duties
C. Principle of Least Privilege
D. Segregation of Duties

A

C. Principle of Least Privilege

19
Q

Definitions:

An information system account with approved authorizations of a privileged user. Elevated privileges.

A. User Account
B. Privileged Account
C. Disabled Account
D. Special Access Account

A

B. Privileged Account

Source: NIST SP 800-53 Rev 4

20
Q

An instruction developed to allow or deny access to a system by comparing the validated identity of the subject to an access control list.

A. Subject
B. Object
C. Rule
D. Reason

A

C. Rule

21
Q

Definitions:

The practice of ensuring that an organizational process cannot be completed by a single person; forces collusion as a means to reduce insider threats.

A. Principle of Least Access
B. Segregation of Access
C. Principle of Least Privilege
D. Segregation of Duties

A

D. Segregation of Duties aka Separation of Duties

22
Q

Generally, an individual, process or device causing information to flow among objects or change to the system state.

A. Subject
B. Object
C. Rule
D. Reason

A

A. Subject

Source: NIST SP 800-53 Rev 4

23
Q

The security controls (i.e., safeguards or countermeasures) for an information system that are primarily implemented and executed by the information system through mechanisms contained in the hardware, software or firmware components of the system.

A. Physical Access Controls
B. Technical Access Controls
C. Administrative Access Controls
D. Logical Access Controls

A

B. Technical Access Controls