CHAPTER 14 Questions Flashcards
Which of the following best describes an implicit deny principle?
A. All actions that are not expressly denied are allowed.
B. All actions that are not expressly allowed are denied.
C. All actions must be expressly denied.
D. None of the above.
B. All actions that are not expressly allowed are denied.
The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn’t require all actions to be denied.
A table includes multiple objects and subjects, and it identifies the specific access each subject has to different objects. What is this table?
A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege
B. Access control matrix
An access control matrix includes multiple objects and subjects. It identifies access granted to subjects (such as users) to objects (such as files). A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management (FIM) system for single sign-on (SSO). Creeping privileges refers to excessive privileges a subject gathers over time.
You are reviewing access control models and want to implement a model that allows the owner of an object to grant privileges to other users. Which of the following meets this requirement?
A. Mandatory Access Control (MAC) model
B. Discretionary Access Control (DAC) model
C. Role-Based Access Control (RBAC) model
D. Rule-based access control model
B. Discretionary Access Control (DAC) model
A discretionary access control model allows the owner (or data custodian) of a resource to grant permissions at the owner’s discretion. The other answers (MAC, RBAC, and rule-based access control) are nondiscretionary models.
Which of the following access control models allows the owner of data to modify permissions?
A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Rule-based access control
D. Risk-based access control
A. Discretionary Access Control (DAC)
The DAC model allows the owner of data to modify permissions on the data. In the DAC model, objects have owners, and the owners can grant or deny access to objects that they own. The MAC model uses labels to assign access based on a user’s need to know and organization policies. A rule-based access control model uses rules to grant or block access. A risk-based access control model examines the environment, the situation, and policies coded in software to determine access.
A central authority determines which files a user can access based on the organization’s hierarchy. Which of the following best describes this?
A. DAC model
B. An access control list (ACL)
C. Rule-based access control model
D. RBAC model
D. RBAC model
A role-based access control (RBAC) model can group users into roles based on the organization’s hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.
Which of the following statements is true related to the RBAC model?
A. An RBAC model allows users membership in multiple groups.
B. An RBAC model allows users membership in a single group.
C. An RBAC model is nonhierarchical.
D. An RBAC model uses labels.
A. An RBAC model allows users membership in multiple groups.
The role-based access control (RBAC) model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. RBAC models are based on the hierarchy of an organization, so they are hierarchy based. The mandatory access control (MAC) model uses assigned labels to identify access.
You are reviewing different access control models. Which of the following best describes a rule-based access control model?
A. It uses local rules applied to users individually.
B. It uses global rules applied to users individually.
C. It uses local rules applied to all users equally.
D. It uses global rules applied to all users equally.
D. It uses global rules applied to all users equally.
A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally or to individual users.
Your organization is considering deploying a software-defined network (SDN) in the data center. Which of the following access control models is commonly used in a SDN?
A. Mandatory Access Control (MAC) model
B. Attribute-Based Access Control (ABAC) model
C. Role-Based Access Control (RBAC) model
D. Discretionary Access Control (DAC) model
B. Attribute-Based Access Control (ABAC) model
The ABAC model is commonly used in SDNs. None of the other answers are normally used in SDNs. The MAC model uses labels to define access, and the RBAC model uses groups. In the DAC model, the owner grants access to others.
The MAC model supports different environment types. Which of the following grants users access using predefined labels for specific labels?
A. Compartmentalized environment
B. Hierarchical environment
C. Centralized environment
D. Hybrid environment
B. Hierarchical environment
In a hierarchical environment, the various classification labels are assigned in an ordered structure from low security to high security. The mandatory access control (MAC) model supports three environments: hierarchical, compartmentalized, and hybrid. A compartmentalized environment ignores the levels, and instead only allows access for individual compartments on any level. A hybrid environment is a combination of a hierarchical and compartmentalized environment. A MAC model doesn’t use a centralized environment.
Which of the following access control models identifies the upper and lower bounds of access for subjects with labels?
A. Nondiscretionary access control
B. Mandatory Access Control (MAC)
C. Discretionary Access Control (DAC)
D. Attribute-Based Access Control (ABAC)
B. Mandatory Access Control (MAC)
The MAC model uses labels to identify the upper and lower bounds of classification levels, and these define the level of access for subjects. MAC is a nondiscretionary access control model that uses labels. However, not all nondiscretionary access control models use labels. DAC and ABAC models do not use labels.
Which of the following access control models uses labels and is commonly referred to as a lattice-based model?
A. DAC
B. Nondiscretionary
C. MAC
D. RBAC
C. MAC
Mandatory access control (MAC) models rely on the use of labels for subjects and objects. They look similar to a lattice when drawn, so the MAC model is often referred to as a lattice-based model. None of the other answers use labels. Discretionary Access Control (DAC) models allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management, such as a rule-based access control model deployed on a firewall. Role-based access control (RBAC) models define a subject’s access based on job-related roles.
Management wants users to use multifactor authentication any time they access cloud-based resources. Which of the following access control models can meet this requirement?
A. Risk-based access control
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Discretionary Access Control (DAC)
A. Risk-based access control
A risk-based access control model can require users to authenticate with multifactor authentication. None of the other access control models listed can evaluate how a user has logged on. A MAC model uses labels to grant access. An RBAC model grants access based on job roles or groups. In a DAC model, the owner grants access to resources.
Which of the following access control models determines access based on the environment and the situation?
A. Risk-based access control
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Attribute-Based Access Control (ABAC)
A. Risk-based access control
A risk-based access control model evaluates the environment and the situation and then makes access decisions based on coded policies. A MAC model grants access using labels. An RBAC model uses a well-defined collection of named job roles for access control. Administrators grant each job role with the privileges they need to perform their jobs. An ABAC model uses attributes to grant access and is often used in software-defined networks (SDNs).
A cloud-based provider has implemented an SSO technology using JSON Web Tokens. The tokens provide authentication information and include user profiles. Which of the following best identifies this technology?
A. OIDC
B. OAuth
C. SAML
D. OpenID
A. OIDC
OpenID Connect (OIDC) uses a JavaScript Object Notation (JSON) Web Token (JWT) that provides both authentication and profile information for internet-based single sign-on (SSO). None of the other answers use tokens. OIDC is built on the OAuth 2.0 framework. OpenID provides authentication but doesn’t include profile information.
Some users in your network are having problems authenticating with a Kerberos server. While troubleshooting the problem, you verified you can log on to your regular work computer. However, you are unable to log on to the user’s computer with your credentials. Which of the following is most likely to solve this problem?
A. Advanced Encryption Standard (AES)
B. Network Access Control (NAC)
C. Security Assertion Markup Language (SAML)
D. Network Time Protocol (NTP)
D. Network Time Protocol (NTP)
Configuring a central computer to synchronize its time with an external NTP server, and all other systems to synchronize their time with that central computer, will likely solve the problem and is the best choice of the available options. Kerberos requires computer times to be within 5 minutes of each other, and the scenario, along with the available answers, suggests that the user’s computer is not synchronized with the Kerberos server. Kerberos uses AES. However, because a user successfully logs on to one computer, it indicates Kerberos is working and AES is installed. NAC checks a system’s health after the user authenticates. NAC doesn’t prevent a user from logging on. Some federated systems use SAML, but Kerberos doesn’t require SAML.