Chapter 14

Question 1

______ refer to the access granted for an object and determine what you can do with it.

a) rights
b) permissions

Answer 1

Permissions

Question 2

A _____primarily refers to the ability to take an action on an object.

a) rights
b) permissions

Answer 2

right

Question 3

________ are the combination of rights and privileges.

a) rights
b) permissions
c) Privileges

Answer 3

Privileges

Question 4

An _________ is a table that includes subjects, objects, and assigned privileges.

Answer 4

access control matrix

Question 5

ACLs are focused on ______ and a capability table is focused on ______.

Answer 5

objects , subjects

Question 6

____ ___ ______________ uses multiple

layers or levels of access controls to provide layered security.

Answer 6

defense-in-depth strategy.

Question 7

_____ allows the owner, creator, or data custodian of an object to control and define access to that object

Answer 7

discretionary access controls (DACs)

Question 8

Administrators centrally administer _______and can make changes that affect the entire environment. In contrast, __________ models allow owners to make their own changes, and their changes don’t affect other parts of the environment.

Answer 8

nondiscretionary access controls , discretionary access control

Question 9

What is the difference between DAC and role- BAC ?

Answer 9

In the DAC model, objects have owners and the owner determines who has access. In the role-BAC model, administrators determine subject privileges and assign appropriate privileges to roles or groups.

Question 10

Which access control model relies on the use of classifilcation labels ?

Answer 10

mandatory access control (MAC)

Question 11

A ___________ relates various classification labels in an ordered structure from low security to medium security to high security, such as Confidential, Secret, and Top Secret, respectively.

Answer 11

hierarchical environment

Question 12

A _____ is the possibility or likelihood that a threat will exploit a vulnerability resulting in a loss such as harm to an asset.

a) threat
b) risk
c) vulnerability

Answer 12

risk

Question 13

A ______ is a potential occurrence that can result in an undesirable outcome.

a) threat
b) risk
c) vulnerability

Answer 13

threat

Question 14

A _____________ is any type of weakness.
The weakness can be due to a flaw or limitation in hardware or software, or the absence
of a security control such as the absence of antivirus software on a computer.

a) threat
b) risk
c) vulnerability

Answer 14

vulnerability

Question 15

___________ refers to the process of identifying,

understanding, and categorizing potential threats.

Answer 15

Threat modeling

Question 16

Name 3 Threat Modeling Approaches

Answer 16

Focused on Assets, Focused on Attackers, Focused on Software

Question 17

What is Access aggregation ?

Answer 17

Collecting multiple pieces of nonsensitive information and combining (i.e., aggregating) them to learn sensitive information.

Question 18

A ____________ is an attempt to discover passwords by using every possible password
in a predefined database or list of common or expected passwords.

Answer 18

dictionary attack

Question 19

A previously used password, but with one character

different is called __________

Answer 19

oneupped- constructed password

Question 20

An attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols is called ______________ .

Answer 20

brute-force attack

Question 21

What is it called when two separate passwords create the same hash ?

Answer 21

Collision

Question 22

What is A birthday attack ?

Answer 22

Using a tool to create the same hash value as a password.

Question 23

What type of attack reduces this time by using large

databases of precomputed hashes.

Answer 23

rainbow table

Question 24

What is a salt ?

Answer 24

a group of random bits, added to a password before hashing it.

Question 25

Capturing packets sent over a network with the intent of analyzing the packets is called what ?

Answer 25

Sniffing

Question 26

A form of social engineering that attempts to trick users into giving up sensitive information, opening an attachment, or clicking a link.

Answer 26

Phishing