Chapter 1 - Access Control

Question 1

Access Controls encompass all operational levels of an organization.

Answer 1

Facilities; Support Systems; Information Systems; and Personnel

Question 2

C-I-A

Answer 2

Confidentiality, Integrity and Availability

Question 3

Two Philosophies for Access Control

Answer 3

Allow by Default and Deny by Default

Question 4

Defense in Depth Strategy

Answer 4

Applying multiple layers of security protection between an information resource and a potential attacker.

Question 5

Three step process for determining access controls

Answer 5

1. Defining Resources 2. Determining Users 3. Specifying the Users use of the resources

Question 6

Consistent Access Control Strategy

Answer 6

Simplicity is the key to an effective security system.

Question 7

Separation of Duties

Answer 7

Primary Objective is the prevention of fraud and errors. Distributing tasks and associated privileges for a specific process among multiple people

Question 8

Processes

Answer 8

Collection of tasks that must be performed to achieve an objective.

Question 9

Applicabililtiy of Separation of Duties

Answer 9

Sensitivity of the function under consideration; and the elements within a function are prone to abuse, which are easily segmented, and what skills are available.

Question 10

Least privilege

Answer 10

User is given no more access priviliege than necessary to perform a job, task, or function

Question 11

Need to know

Answer 11

Defines the minimum needed to know to perform job function

Question 12

Compartmentalization

Answer 12

Seperating groups of people and information such that each group is isolated and information does not flow between groups.

Question 13

Security domain

Answer 13

Area where common process and security control work to separate all entities involved in these processes from other entities or security domains.

Question 14

Information Classification

Answer 14

Objective is to group an organization’s information assets by levels of sensitivity and criticality.

Question 15

Information Classification Program

Answer 15

1. Determine objectives 2. Establish organizational support 3. Develop policy and supporting procedures 4. Develop process flows and procedures 5. Develop tools to support 6. Identify process and application owners 7. Identify information owners and delgates 8. Distribute standard templates 9. Classify information and applications 10. Develop auditing procedures 11. Load classification information into a central repository 12. Train users. 13. Periodically review and update information classifications.

Question 16

Access Control System Requirements

Answer 16

Reliability, Transparency, Scalability, Integrity, Maintainability, Authentication Data Security, and Auditability

Question 17

Main Categories of Access Control

Answer 17

1. Directive - apply rules 2. Deterrent - discourage violations 3. Preventitive - prevent incident 4. Compensating - mitigate risk 5. Detective - signal warning when breached 6. Corrective - remedy circumstance 7. Recovery - restore conditions

Question 18

Access Control Types

Answer 18

1. Administrative Controls - define roles, responsibilities, policies, and administrative functions. 2. Logical (Technical) controls - electronic hardware and software solutions implemented to control access to information and information networks. 3. Physical Controls - protect physical environment - locks, gates, guards

Question 19

Major Groups of Administrative Controls

Answer 19

1. Policies and Procedures 2. Personnel Security, evaluation and clearances 3. Security policies 4. Monitoring 5. User management 6. Privilege management

Question 20

BCP/DRP

Answer 20

Business continuity plan/disaster recovery plan

Question 21

RADIUS

Answer 21

Remote Authentication Dial In User Service

Question 22

Major Groups of Logical Controls

Answer 22

1. Network Access 2. Remote Access 3. System Access 4. Application Access 5. Malware Control 6. Encryption

Question 23

Discretionary Access Controls (DACS)

Answer 23

Controls placed on data by the owner of the data

Question 24

Mandatory Access Controls (MACS)

Answer 24

Controls determined by the system and based primarily on organizational policy. Data needs to be labeled as to its classification. Access permissions are applied to an object based on the level of clearance given to a subject.

Question 25

Nondiscretionary Access Control

Answer 25

Based on assignment of permissions as defined by the administrator of a system

Question 26

Access Control Matrix

Answer 26

An access control list in the form of a table - showing what permissions a user has for various system objects.

Question 27

Rule-based Access Control

Answer 27

Specifies the privileges granted to user s(e.g read, write) when the specific condition of a rule is met - e.g. the time a certain file can be accessed.

Question 28

Role-based Access Control

Answer 28

Based on job function - objects associated with a role will inherit privileges assigned to that role

Question 29

RBAC

Answer 29

Non-RBAC - user granted access Limited RBAC - users mapped to roles within a single application Hybrid RBAC-role applied to multiple applications or systems, but instances wheresubjects assigned to roles defined within an application FUll RBAS - roles defined by organizational policy

Question 30

Content Dependent Access Control

Answer 30

Based on content of data not roles

Question 31

Constrained User interface

Answer 31

Restricting users to specific functions based on their role in the system - e.g. limiting menus, data views, encryption, etc

Question 32

Capability Tables

Answer 32

Used to match subjects and their capabilities - read, write

Question 33

Temporal Isolation

Answer 33

Activities may be restricted on when they can be performed

Question 34

Identification

Answer 34

Assertion of a unique identity for a person or system and is the starting point of access control. - Uniqueness

Question 35

Authentication

Answer 35

The process of verifying the identity of the user - Validity

Question 36

Authorization

Answer 36

Process of defining the specific resources a user needs and determining the type of assess to those resources the user may have. - Control

Question 37

MAC Address

Answer 37

Media Access Control - 48-bit number - machine address - now can be set in software so no longer can be considered a strong identifier

Question 38

IP Address

Answer 38

Logical location of a device on the IP network - assigned in software

Question 39

RFID

Answer 39

Radio Frequency Identification - small label that can be embedded in almost any object - they can be read from a distance

Question 40

Email Address

Answer 40

globally unique - enforced by convention

Question 41

User Identification Guidelines

Answer 41

User identification must be unique; user identification should be non-descriptive and disclose as little as possible about the user; user identification must be secure; and the final process must be logged and documented so that it can be verified and audited.

Question 42

Identity Management

Answer 42

refers to a set of technologies intented to offer greater efficiency in the management of a diverse user and technical environment

Question 43

Challenges for Identity Management Solutions

Answer 43

Consistency; usability; reliability; and scalability

Question 44

Centralized Access Control Systems

Answer 44

RADIOS and TACACS+(Terminal Access Controller Access-Control System Plus)

Question 45

Authentication Methods

Answer 45

By knowledge (knows); by possession (has); by characteristic (is); and geolocation (where)

Question 46

Single - factor authentication

Answer 46

user id and password

Question 47

Two - factor authentication

Answer 47

user id, password, and fob

Question 48

Three - factor authentication

Answer 48

user id, password, fob, and biometric

Question 49

Secure passwords

Answer 49

typically hashed; a hash function takes an arbitrary amount of data as input and, through the use of a mathematical algorithm, will produce a unique, fixed-length representation of the data as output. Hash is a one-way function.

Question 50

Authentication by Posession

Answer 50

Asynchronous token - challenge response technology; sychronous is based on an event, location, or time based sychronization between the requestor and the authenticator

Question 51

Memory Card

Answer 51

Holds information but cannot process information. e.g users swipes card and enters a PIN. Data stored on the card is not protected.

Question 52

Smart Card

Answer 52

Embedded semiconductor chip that accepts, stores and sends information.ICC (integrated circuit card). Based on ISO 7816-2 there are 8 electrical contacts - six are currently used. Can be used in Proximity of a reader.

Question 53

Biometrics

Answer 53

Physical (finger print) and behavioral (voice pattern). Most common -finger prints. tend to provide higher security than other methods - higher strength

Question 54

Hand Geometry

Answer 54

tension in the tendons, temperature, finger length, bone length, and hand width.

Question 55

Palm Scans

Answer 55

combination of hand geometry and fingerprint analysis

Question 56

Face Individuality

Answer 56

Iris, Retina (blood vessels back of the eye), entire face (facial geometry and heat signatures

Question 57

Vascular Scan

Answer 57

veins in hands or face - relatively new

Question 58

Keystroke Dynamics

Answer 58

stroke speed, acceleration, deceleration and pen pressure

Question 59

False Reject Rate

Answer 59

when authorized users are falsely rejected

Question 60

False Acceptance Rate

Answer 60

when unautorized users are falsely accepted

Question 61

CER

Answer 61

Crossover Error Rate - amount to adjust sensitivity and maximul acceptable level of change - organization will need to determine based on its overall risk tolerance

Question 62

Session Management

Answer 62

single instance of identification and authentication are applied to resources

Question 63

Session hijacking

Answer 63

A form of “man in the middle” attack

Question 64

Accountability

Answer 64

ability to determine who or what is responsible for an action and can be held responsible

Question 65

Repudiation

Answer 65

is the ability to deny an action, event, impact or result

Question 66

Password management

Answer 66

Require users to change passwords, lockout mechanisim, self-registration process aids

Question 67

Account Management Systems

Answer 67

Central facility, workflow, automatic replication, facility for loading batch changes, automatic creation, change, or removal of access to system resources

Question 68

Profile Management

Answer 68

collection of information associated witha particular identity or group.

Question 69

Directory Management

Answer 69

centralized collection of user data

Question 70

Directory Technologies

Answer 70

X.500, LightWeight Directory Access Protocol (LDAP), Active Directory and X.400

Question 71

X.500

Answer 71

developed by the Interantional Telecommunications Union (ITU-IT) - initially worked with OSI to operates over TCP/IP as well. 4 protocols: Directory Access Protocol, Directory system protocol, directory information sharing protocol, and the directory operational binding management protocol. Hierarchial database with a key field of distinguished name (DN)

Question 72

LDAP

Answer 72

Provides simpler implementation - hierarchial, operates in client/server architecture, typically runs over unsecured network using TCP port 389. Version 3 of LDAP - suports TLS to encrypt or use of TCP port 636 over an SSL connection

Question 73

Active Directory

Answer 73

LDAP for Micorsoft-based environments, provides central authentication and authorization capabilities - organized in forest and trees - forest is a collection of all the objects and their associated attributes and trees are logical groupings of one or more AD security domains within a forest. Domains are identified by their DNS name. Objects are grouped by Organizational units.

Question 74

X.400

Answer 74

ITU-T guidelines for exchange of e-mail - known as messaging handling system. Supports message transfer and message storage - supplanted in recent years by SMTP

Question 75

Single Sign-on

Answer 75

SSO reduced sign-on or federated ID management - script based single sign-on - aids with leagacy technology

Question 76

Kerberos

Answer 76

three-headed dog: authentication, authorization, and auditing. Security system using secret key cyrptography - users must have a unique ID for each application on the network. 4 requirements for access control - security, reliability, transparency, scalability. Based on symmetrical encryption and a secret key shared amongst the participants. Primary goal is to ensure private communiocations between systems over a network,

Question 77

Kerberos Process

Answer 77

interaction between three systems: requesting system, the endpoint destination server, and the Kerberos or Key distribution center (KDC). Time-sensitive

Question 78

KDC

Answer 78

serves two functions during the authentication transaction: as an authentication sever and as a ticket-granting server. Maintains database of the secret keys of all the participants

Question 79

Realm key

Answer 79

a common key used for intitial trusted communication - then unique key is created to support future communications - common to use a hash of the user’s password as the unique user key

Question 80

TGT

Answer 80

Ticket granting ticket - user will receive once authenticated with AS along with session encryption key

Question 81

Secure European System for Application in a Multi-Vendor Environment (SESAME)

Answer 81

offers single sign-on services and uses both symmettic and asymmetric cryptographic techniques Key attributes: single sign-on,role based access control, use of privileged attribute certificate (PAC), use of Kerberos Version5 protocol to access SESAME components, use of public key cryptography for distribution of secret keys

Question 82

Web Accessed Management

Answer 82

WAM - replace sign-on process in affiliated WEB applications, typically by using a plug-on service on the Web server hosting the portal to the member applications.

Question 83

Federated Identity Managment

Answer 83

Each organization subscribes to a common set of policies, standards, and procedures for the provisioning and managment of user identification, authentication, and suthorization information, as well as a common process for access control for systems these users must access. Uses cross-certification model for trust but once it goes beyond a small number it becomes very complex. Use of a third party bridge model is an alternative to the cross-sertification model.The third party is considered trust worthy - good for a large number of organizations.

Question 84

OIUA

Answer 84

once in unlimited access

Question 85

Auditing Events

Answer 85

Network events, System events, Application events, User Actions, and Keystrole Activity

Question 86

Unix System Keystroke Activity

Answer 86

logging files are found in the user’s $HOME directory with names like “.history”, “sh_history”

Question 87

IDS

Answer 87

Intrusion detection system - part of a network device or dedicated device - does not take any action on the problem. Considered network monitoring

Question 88

IPS

Answer 88

Intrusion prevention system - will take proactive prevention action - responds in real time to an event at the system or network layer. Considered an access control.

Question 89

SIEM

Answer 89

Security Information and Event Management - aggregates information about access controls and selected system activity to store for analysis and correlation.

Question 90

Denial of Service

Answer 90

DoS - consumption of resources preventing useful processesing and interrurption of network resources to preventing communication rendering a system unusable - SYN floods - attackers makes an overwhelming number of session initiation requests - TCP/IP protocol

Question 91

Tear Drop

Answer 91

exploits how operating systems managed fragmented IP packets - overlap fragmented packets causing a flaw in the system - shutting it down

Question 92

DDoS

Answer 92

Distributed denial of service - attacks a server from thousands of locations

Question 93

Buffer overflows

Answer 93

buffer temporarily stores information for processing - an attack manipulates the system’s ability to manage its buffers. - Can also be used to inject malicious code - used to gain unauthorized access or to escalate privileges.

Question 94

Mobile Code

Answer 94

transmitted across network from remote source - ActiveX controls, Java applets, Java Script code from a Web page and HTML based email

Question 95

Malicious software

Answer 95

Virus - parasitic code which attaches itself to another program; worm - self-propogating code; trojan horse - appear desireable but contain something harmful; spyware - used to deploy malware, collect private data, send advertising;

Question 96

Password crackers

Answer 96

if attacker has obtained hashed password file using brute force attacks to compare combinations

Question 97

Martin Hellman

Answer 97

developed public key cryptography with Whitfield Diffie

Question 98

Phillip Oechslin

Answer 98

faster method of organizing hased chain - rainbow chain

Question 99

Spoofing/Masquerading

Answer 99

With IP protocol alter source to a trusted IP - remove the assurance that a person is dealing with a trusted entity.

Question 100

Kevin Mitnick

Answer 100

popularized tecnique of IP spoofing

Question 101

sniffers

Answer 101

collection information from a communication medium like a network

Question 102

Emanations

Answer 102

proliferation of electromagnetic signals given off by electronic devices

Question 103

Tempest

Answer 103

late 1960s - Government program studies compromising emanations - equipment should be located in center of building possibly protected by a Faraday cage (wrapped in wire mesh) - restricts signal leakage

Question 104

Shoulder surfing

Answer 104

direct observation - seeing a password typed in

Question 105

Object Reuse

Answer 105

residual data should be cleared - print only one user’s output at a time

Question 106

Data remanence

Answer 106

remains of partial data or even the entire set of digital information

Question 107

FAT

Answer 107

File allocation table maintains physical location and often when files are deleted the information is removed form the FAT but the actual data is still residing on the drive.

Question 108

Slack space

Answer 108

space at the end of a file - it can be used by hacker’s to store information

Question 109

Data mining

Answer 109

act of collecting and analyzing large quantities of information to determine patterns of use of behavior and use those patterns to form conclusions

Question 110

Dumpster diving

Answer 110

taking what peopl assume is trash - cross cut shredders are more effective

Question 111

Backdoors and Trap doors

Answer 111

special access capabilities put in by developer

Question 112

Logic bombs

Answer 112

results of attacks can be delayed for a long period of time - logical progression of events before they unleash theri aggression.

Question 113

Theft

Answer 113

physical theft - anything o f value can be removed, digital theft - copies of data

Question 114

Social Engineering

Answer 114

practice of misdirection to obtain information through social contact

Question 115

Threat Modeling

Answer 115

using scenario analysis with knowledge of threats and vulnerabilities to help determine what risks ares present in a system or application and where to apply resources to ensure the best mitigation for the value

Question 116

Formula for risk

Answer 116

impact vs. likelihood

Question 117

Asset Valuation

Answer 117

Hardware, Software, Integration, Opportunity COst, Regulatory exposure (Civil/Criminal), Information replacement, reputational exposure

Question 118

SLE=AV x EF

Answer 118

Single loss expectancy = asset value x exposure factor (estimate how much an asset will decline %wise)

Question 119

ALE= SLE x ARO

Answer 119

Annualized loss exposure = single loss expectancy x Annualized rate of occurrence

Question 120

Penetration Test methodology

Answer 120

reconnaissance, enumeration, vulnerability analysis,execution, document findings

Question 121

Identity and Access Provisioning Life Cycle

Answer 121

Provisioning, Review, Revocation

Question 122

A preliminary step in managing resources is A. Conducting a Risk Analysis B. Defining who can access a given system or information C. Performing a business impact analysis D. Obtaining top management support

Answer 122

B. Defining who can access a given system or information

Question 123

Which best describes Access controls? A. Access controls are a collection of technical controls that permit access to authorized users, systems, and applications B. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities an providing access to information and systems to only those who have been approved C. Access Control is the employment of encryption solutions to protect authentication information during log-on D. Access Controls help protect against vulnerabiliteis by controlling unauthorized access to systems and information by employees, partners and customers

Answer 123

B. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities an providing access to information and systems to only those who have been approved

Question 124

_____ requires that a user or process be granted access to only those resources necessary to perform assigned functions A. Discretionary Access Control B. Separation of Duties C. Least Privilege D. Rotation of Duties

Answer 124

C. Least Privilege

Question 125

What are the 7 main categories of access control? A. Detective, Corrective, monitoring, logging, recover, classification, and directive B. Directive, deterrent, preventative, detective, corrective, compensating and recovery C. Authorization, identification, factor, corrective, privilege, detective, and directive D. Identification, authentication, authorization, detective, corrective, recovery, an directive

Answer 125

B. Directive, deterrent, preventative, detective, corrective, compensating and recovery

Question 126

What are the three types of access controls? A. Adminstrative, Physical and technical B. Identification, authentication, and authorization C. Mandatory, discretionary, and least privilege D. Access, management, and monitoring

Answer 126

A. Adminstrative, Physical and technical

Question 127

WHich approach revolutionized the process of cracking passwords? A. Brute Force B. Rainbow table Attack C. Memory tabling D. One-time Hashing

Answer 127

B. Rainbow table Attack

Question 128

What best describes two-factor authentication? A. A hard token and a smart card B. A user name and a pin C. A password and a pin D. A pin and a hard token

Answer 128

D. A pin and a hard token

Question 129

A potential vulenrabilty of kerberos authentication server is A. Single Point of Failure B. Asymmetric key compromise C. Use of dynamic passwords D. Limited lifetimes for authentication credentials

Answer 129

A. Single Point of Failure

Question 130

In mandatory access control the system control access and the owner determines A. Validation B. Need to know C. Consensus D. Verification

Answer 130

B. Need to know

Question 131

Which is the least significant issue when considering biometrics? A. Resistance to counterfeiting B. Technology type C. User acceptance D. Reliability and Accuracy

Answer 131

B. Technology type

Question 132

Which is a fundamental disadvantage of biometrics? A. Revoking credentials B. Encryption C. Communication D. Placement

Answer 132

A. Revoking credentials

Question 133

Role based access control A. Is unique to mandatory access control B. Is independent of owner input C. Is based on user job function D. Can be compromised by inheritance

Answer 133

C. Is based on user job function

Question 134

Identity management is A. Another name for access controls B. Technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment C. Technologies and processes focused on the provisioning and decommissioning of user credentials D. Technologies and processes used to establish trust relationships with disparate systems

Answer 134

B. Technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment

Question 135

A disadvantage of single sign on is A. Consistent time-out enforcement across platforms B. A compromised password exposes all authorized resources C. Use of multiple passwords to remember D. Password change control

Answer 135

B. A compromised password exposes all authorized resources

Question 136

Which of the following is incorrect when considering privilege management? A. Privileges associated with each system, service or application and the defined roles within the organization to which they are needed, should be identified and clearl documented B. Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group or role C. An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated D. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function

Answer 136

D. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function

Question 137

Threat modeling is the process of A. Determining which threats to neutralize first B. Developing access controls that compensate for the vulnerabilities C. A risk assessment approach in whihc decisions are based on risk and value D. Scenario analysis targeted towards determining the best approach for threat elimination

Answer 137

C. A risk assessment approach in whihc decisions are based on risk and value

Question 138

When reviewing user entitlement the security professional must be most aware of A. Identify management and disaster recovery capability B. Business or organizational processess and access aggregation C. The organizational tenure of the user requesting entitlement D. Automated processes which grant users access to resources

Answer 138

B. Business or organizational processess and access aggregation

Question 139

Which formula represents ALE or annual loss exposure? A. ALE = SLE * ARO B. SLE = ARO * ALE C. SLE = SRO * EF D. ALE = EF * SLE

Answer 139

A. ALE = SLE * ARO

Question 140

In constructing a continuous monitoring system, numerous feeds from several systems must be correlated and analyzed. Which of the following best provides the capability? A. Intrusion Prevention System B. Identity Management and Access Control System C. Intrusion Detection System D. Security Information and Event Management

Answer 140

D. Security Information and Event Management

Question 141

A guard dog patrolling the perimeter of a data center is what type of control? A. Recovery B. Administrative C. Logical D. Physical

Answer 141

D. Physical