Chapter 1 Flashcards

1
Q

Name at least seven access control types.

A
  1. Preventive
  2. Deterrent
  3. Detective
  4. Corrective
  5. Recovery
  6. Compensation
  7. Directive
2
Q

Describe the three primary authentication factor types.

A

Type 1. Something you know
Type 2. Something you have
Type 3. Something you are

3
Q

Name the method that allows users to log on once and access resources in multiple organizations without authenticating again.

A

Single Sign On (SSO)

Examples: Kerberos, SESAME, Directory

4
Q

Identify the three primary elements within the identity and access provisioning life cycle.

A
  1. Provisioning accounts
  2. Periodically reviewing and managing accounts
  3. Revocation of accounts when they are no longer being used.
5
Q
1. Which of the following is true related to a subject?
A. A subject is always a user account.
B. The subject is always the entity that provides or hosts the information or data.
C. The subject is always the entity that receives information about or data from the object.
D. A single entity can never change roles between subject and object.
A

C. The subject is active and is always the entity that receives information about or data from the object.

6
Q
2. Which of the following is considered a primary goal of access control?
A. Preserve confidentiality, integrity, and availability of systems.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.
A

A. Access control mechanisms help to prevent losses, including any loss of confidentiality, loss of availability, or loss of integrity.

7
Q
3. Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring?
A. Preventive
B. Detective
C. Corrective
D. Authoritative
A

A. A preventive access control is deployed to stop an unwanted or unauthorized activity from occurring.

8
Q
4. What type of access controls are hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems?
A. Administrative
B. Logical/technical
C. Physical
D. Preventive
A
B. Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems.
9
Q
5. All of the following are needed for system accountability except for one. Which one is not needed?
A. Identification
B. Authentication
C. Auditing
D. Authorization
A

D. Authorization is not needed for accountability. However, users must be identified and authenticated and their actions logged using some type of auditing to provide accountability.

10
Q
6. Which of the following is an example of a Type 2 authentication factor?
A. “Something you have,” such as a smart card, ATM card, token device, and memory card
B. “Something you are,” such as fingerprints, voice print, retina pattern, iris pattern, face shape, palm topology, and hand geometry
C. “Something you do,” such as typing a passphrase, or signing your name
D. “Something you know,” such as a password, personal identification number (PIN), lock combination, passphrase, mother’s maiden name, and favorite color
A
A. A Type 2 authentication factor is “something you have,” including a smart card, token device, or memory card.
11
Q
7. Users are given a device that generates one-time passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?
A. Synchronous token
B. Asynchronous token
C. Smart card
D. Common access card
A
A. A synchronous token generates one-time passwords and displays them on an LCD, and this password is synchronized with an authentication server.
12
Q
8. What can be used as an authentication factor that is a behavioral or physiological characteristic unique to a subject?
A. Account ID
B. Biometric factor
C. Token
D. PIV
A
B. A biometric factor is a behavioral or physiological characteristic that is unique to a subject, such as fingerprints and face scans, and is also known as a Type 3 authentication factor.
13
Q
9. What does the crossover error rate (CER) for a biometric device indicate?
A. It indicates that the sensitivity is tuned too high.
B. It indicates that the sensitivity is tuned too low.
C. It indicates the point where the false rejection rate and the false acceptance rate are equal.
D. It indicates that the biometric device is not properly configured.
A
C. The point at which biometric Type 1 errors (false rejection rate) and Type 2 errors (false acceptance rate) are equal is the crossover error rate (CER).
14
Q
10. A biometric system has falsely rejected a valid user, indicating that the user is not recognized. What type of error is this?
A. Type 1 error
B. Type 2 error
C. Crossover error rate
D. Equal error rate
A
A. A Type 1 error occurs when a valid subject is not authenticated and is also known as a false negative authentication.

A Type 2 error occurs when an invalid subject is authenticated. This is also known as a false positive authentication.

The crossover error rate (also called equal error rate) compares the rate of Type 1 errors to Type 2 errors and provides a measurement of the accuracy of the biometric system.

15
Q
11. A large table includes multiple subjects and objects. It identifies the specific access each subject has to different objects. What is this table called?
A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege
A
B. An access control matrix includes multiple subjects and objects and lists subjects’ access to various objects.

A single list of subjects for any specific object within an access control matrix is an access control list.

16
Q
12. What is an access control list (ACL) based on?
A. An object
B. A subject
C. A role
D. An account
A
A. An ACL is based on an object and includes a list of subjects that are granted access.
17
Q
13. What type of access controls rely upon the use of labels?
A. Discretionary
B. Nondiscretionary
C. Mandatory
D. Role based
A
C. Mandatory access controls rely on the use of labels for subjects and objects.

Discretionary access control systems allow an owner of an object to control access to the object.

Nondiscretionary access controls have centralized management such as a rule-based access control deployed on a firewall.

Role-based access controls define a subject’s access based on job-related roles.

18
Q
14. An organization has created an access control policy that grants specific privileges to accountants. What type of access control is this?
A. Discretionary
B. Mandatory
C. Rule based
D. Role based
A
D. A role-based access control policy grants specific privileges based on roles, and roles are frequently job based or task based.
19
Q
15. Which of the following is not used to support single sign-on?
A. Kerberos
B. Federated identity management system
C. TACACS+
D. SPML
A
C. TACACS+ is a centralized authentication service used for remote access clients but not for single sign-on.

Kerberos and federated identity management systems are used to support single sign-on. Service Provisioning Markup Language (SPML) is a language used with some federated identity systems.

20
Q
16. Which of the following is the best choice to support federated identity management systems?
A. Kerberos
B. Hypertext Markup Language (HTML)
C. Extensible Markup Language (XML)
D. Service Provisioning Markup Language (SPML)
A
D. SPML is an XML-based framework used to exchange user information for single sign-on (SSO) between organizations within a federated identity management system.
21
Q

An administrator has been working within an organization for over 10 years. He has moved between different IT divisions within the company and has retained privileges from each of the jobs that he’s had during his tenure. Recently, he has been admonished for making unauthorized changes to systems. He once again made an unauthorized change and this change resulted in an unexpected outage. Management decided to terminate his employment at the company. He was allowed to come back to work the following day to clean out his desk and belongings, and during this time he installed a malicious script that was scheduled to run as a logic bomb on the first day of the following month. The script will change administrator passwords, delete files, and shut down over 100 servers in the data center.

18. Which of the following basic principles was violated while the administrator was employed?
A. Implicit deny
B. Loss of availability
C. Defensive privileges
D. Least privilege
19. Which of the following concepts was not adequately addressed for the identity and access provisioning life cycle?
A. Provisioning
B. Separation of duties
C. Revocation
D. Authentication methods
20. What could have discovered problems with this user’s account while he was employed?
A. Policy requiring strong authentication
B. Multifactor authentication
C. Logging
D. Account review
A
18. D. The principle of least privilege was violated because he retained privileges from all his previous administrator positions in different divisions.
19. C. The life cycle of accounts includes provisioning, review, and revocation, and his account should have been disabled as soon as his employment was terminated to ensure that his access was revoked.
20. D. Account review can discover when users have more privileges than they need and could have been used to discover that this employee had permissions from several positions.
22
Q

What is a preventive access control? Give examples.

A

A preventive access control is deployed to stop unwanted or unauthorized activity from occurring.

Examples of preventive access controls include:
  • fences and locks
  • biometrics
  • alarm systems
  • separation of duties and job rotation
  • data classification
  • encryption
  • security cameras or closed circuit television (CCTV)
  • security policies
23
Q

What is a deterrent access control? Give examples.

A

A deterrent access control is deployed to discourage violation of security policies.

Deterrent controls pick up where prevention leaves off.

A deterrent doesn’t stop with trying to prevent an action, but implies certain consequences in the event of an attempted or successful violation.

Examples of deterrent access controls include:
  • security badges
  • security guards
  • security cameras
  • trespass or intrusion alarms
  • firewalls
24
Q

What is a detective access control? Give examples.

A

A detective access control is deployed to discover unwanted or unauthorized activity.

Often detective controls operate after the fact.

Examples of detective access controls include:
  • intrusion detection systems
  • security guards, guard dogs
  • motion detectors
  • review of recordings captured by security cameras
  • audit trails
  • honeypots or honeynets
  • incident investigations
25
Q

What is a corrective access control? Give examples.

A

A corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has occurred.

Usually corrective controls are simple, such as terminating access or rebooting a system, and have only minimal capability to respond to access violations.

Examples of corrective access controls include:
  • antivirus solutions
  • alarms
  • business continuity planning
  • security policies
26
Q

What is a recovery access control? Give examples.

A

A recovery access control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies.

Recovery controls have more advanced or complex capabilities to respond to access violations than corrective access controls.

Examples of recovery access controls include:
  • backups and restores
  • fault-tolerant drive systems
  • server clustering
  • antivirus software
  • database or virtual machine shadowing
27
Q

What is a compensation access control? Give examples.

A

A compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of security policy.

Examples of compensation access controls include:
  • security policy requirements or criteria
  • personnel supervision, monitoring, and work task procedures

Compensation controls can also include controls used instead of more desirable or damaging controls.

For example, if a guard dog cannot be deployed due to proximity of a residential area, a motion detector with a spotlight and a barking sound playback device can be used instead.

28
Q

What is a directive access control? Give examples.

A

A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

Examples of directive access controls include:
  • security guards and guard dogs
  • posted notifications
  • supervision and work task procedures
  • awareness training
29
Q

What are administrative access controls? Give examples.

A

Administrative access controls are the procedures defined by an organization’s security policy to implement and enforce overall access control.

Administrative access controls focus on two areas:
  • personnel
  • business practices

Examples of administrative access controls include:
  • hiring practices and background checks
  • data classification
  • security training
  • work supervision
30
Q

What are logical/technical access controls? Give examples.

A

Logical access controls and technical access controls are the hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems.

Examples of logical or technical access controls include:
  • encryption
  • smart cards, passwords, and biometrics
  • access control lists (ACLs)
  • protocols
  • firewalls and routers
  • intrusion detection systems
  • clipping levels (e.g., report more than 3 consecutive failed logon attempts)
31
Q

What are physical access controls? Give examples.

A

Physical access controls are physical barriers deployed to prevent direct contact with systems or areas within a facility.

Examples of physical access controls include:
  • guards
  • fences and locks
  • swipe cards
  • video cameras
  • mantraps
  • alarms
32
Q

Describe the Kerberos logon process.

A
  • The user types a username and password into the client
  • The client encrypts the credentials with AES for transmission to the KDC
  • The KDC verifies the user credentials
  • The KDC generates a ticket granting ticket (TGT) by hashing the user’s password
  • The TGT is encrypted with AES for transmission to the client
  • The client installs the TGT for use until it expires
33
Q

Describe the Kerberos service access process.

A
  • The client sends its TGT back to the KDC with a request for access to a server or service
  • The KDC verifies the validity of the TGT and verifies that the user has sufficient privileges to access the requested resource
  • A service ticket (ST) is generated and sent to the client
  • The client sends the ST to the server or service host
  • The server verifies the validity of the ST with the KDC
    Once identity and authorization are verified, Kerberos activity is complete
  • The server or service host then opens a session with the client
34
Q

What is Kerberos?

A
  • Relies upon symmetric-key (private-key) cryptography, specifically the Advanced Encryption Standard (AES)
  • Provides end-to-end security for authentication traffic between clients and the key distribution center (KDC)
  • Relies on a trusted server hosting the functions of the KDC, a ticket-granting service (TGS), and an authentication service (AS)
  • An exchange of tickets (cryptographic messages) between clients, network servers, and the KDC