Chapter 1 Flashcards
Name at least seven access control types.
- Preventive
- Deterrent
- Detective
- Corrective
- Recovery
- Compensation
- Directive
Describe the three primary authentication factor types
Type 1. Something you know
Type 2. Something you have
Type 3. Something you are
Name the method that allows users to log on once and access resources in multiple organizations without authenticating again.
Single Sign-On (SSO)
Examples: Kerberos, SESAME, Directory
Identify the three primary elements within the identity and access provisioning life cycle.
- Provisioning accounts
- Periodically reviewing and managing accounts
- Revoking accounts when they are no longer in use
1. Which of the following is true related to a subject?
A. A subject is always a user account.
B. The subject is always the entity that provides or hosts the information or data.
C. The subject is always the entity that receives information about or data from the object.
D. A single entity can never change roles between subject and object.
C. The subject is active and is always the entity that receives information about or data from the object.
2. Which of the following is considered a primary goal of access control?
A. Preserve confidentiality, integrity, and availability of systems.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.
A. Access control mechanisms help to prevent losses, including any loss of confidentiality, loss of availability, or loss of integrity.
3. Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring?
A. Preventive
B. Detective
C. Corrective
D. Authoritative
A. A preventive access control is deployed to stop an unwanted or unauthorized activity from occurring.
4. What type of access controls are hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems?
A. Administrative
B. Logical/technical
C. Physical
D. Preventive
B. Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems.
5. All of the following are needed for system accountability except for one. Which one is not needed?
A. Identification
B. Authentication
C. Auditing
D. Authorization
D. Authorization is not needed for accountability. However, users must be identified and authenticated, and their actions logged using some type of auditing, to provide accountability.
6. Which of the following is an example of a Type 2 authentication factor?
A. “Something you have,” such as a smart card, ATM card, token device, and memory card
B. “Something you are,” such as fingerprints, voice print, retina pattern, iris pattern, face shape, palm topology, and hand geometry
C. “Something you do,” such as typing a passphrase, or signing your name
D. “Something you know,” such as a password, personal identification number (PIN), lock combination, passphrase, mother’s maiden name, and favorite color
A. A Type 2 authentication factor is “something you have,” including a smart card, token device, or memory card.
7. Users are given a device that generates one-time passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?
A. Synchronous token
B. Asynchronous token
C. Smart card
D. Common access card
A. A synchronous token generates one-time passwords and displays them on an LCD; the password is synchronized with an authentication server.
8. What can be used as an authentication factor that is a behavioral or physiological characteristic unique to a subject?
A. Account ID
B. Biometric factor
C. Token
D. PIV
B. A biometric factor is a behavioral or physiological characteristic that is unique to a subject, such as fingerprints and face scans, and is also known as a Type 3 authentication factor.
9. What does the crossover error rate (CER) for a biometric device indicate?
A. It indicates that the sensitivity is tuned too high.
B. It indicates that the sensitivity is tuned too low.
C. It indicates the point where the false rejection rate and the false acceptance rate are equal.
D. It indicates that the biometric device is not properly configured.
C. The point at which biometric Type 1 errors (false rejection rate) and Type 2 errors (false acceptance rate) are equal is the crossover error rate (CER).
10. A biometric system has falsely rejected a valid user, indicating that the user is not recognized. What type of error is this?
A. Type 1 error
B. Type 2 error
C. Crossover error rate
D. Equal error rate
A. A Type 1 error occurs when a valid subject is not authenticated and is also known as a false negative authentication.
A Type 2 error occurs when an invalid subject is authenticated. This is also known as a false positive authentication.
The crossover error rate (also called the equal error rate) compares the rate of Type 1 errors to Type 2 errors and provides a measurement of the accuracy of the biometric system.
11. A large table includes multiple subjects and objects. It identifies the specific access each subject has to different objects. What is this table called?
A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege
B. An access control matrix includes multiple subjects and objects and lists each subject’s access to various objects.
A single list of subjects for any specific object within an access control matrix is an access control list.