Cissp - Access Control

Question 0

A passive data file

Answer 0

Object

Question 1

An active entity on an information system

Answer 1

Subject

Question 2

Gives subjects full control of objects they have been given access to, including sharing the objects with other subjects.

Answer 2

Discretionary access control - DAC

Question 3

System enforced access control based on subject’s clearances and objects labels.

Answer 3

Mandatory access control - MAC

Question 4

Subjects are grouped into roles and each defined role has access permissions based on the role not the individual .

Answer 4

Role based access control - RBAC

Question 5

The mission and purpose of access control is to:

Answer 5

Protect the confidentiality, integrity, and availability of data.

Question 6

1. What type of password cracking attack will always be successful?

Answer 6

Brute Force

Question 7

2. What is the difference between password cracking and password guessing?

Answer 7

Password guessing attempts to log into the system, password cracking attempts to determine a password used to create a hash.

Question 8

3. The most insidious part of phishing and spear phishing attacks come from which part of the attack anatomy.

Answer 8

Phishing and spear phishing attacks are rarely successful.

Question 9

4. What is the term used for describing when an attacker, through a command and control network, controls hundreds, thousands, or even tens of thousands of computers to perform actions all at once?

Answer 9

Botnets

Question 10

5. What are the main differences between retina scans and iris scans?

Answer 10

Iris scans invade a person’s privacy and retina scans to not.

Question 11

6. What is the most important decision an organization needs to make when implementing RBAC?

Answer 11

The roles users have on the system need to be clearly defined..

Question 12

7. What access control method weighs additional factors such as time of attempted access before granting access?

Answer 12

Context-dependent access control.

Question 13

8. An attacker sees a building is protected by security guards and attacks a building next door with no guards. What control combination are the security guards.

Answer 13

Physical/deterrent

Question 14

9. A Type II biometric is also known as what?

Answer 14

False accept rate (FAR)

Question 15

10. Within Kerberos, which part is the single point of failure?

Answer 15

Key distribution center

Question 16

11. Your company has hired a third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are:
12. The tests will be conducted on live, business functional networks. Thes networks must be functional in order for business to run and cannot be shut down, even for an evaluation.
13. The company wants the most indepth test possible.

What kind of test should be recommended?

Answer 16

Full knowledge

Question 17

12. Your company has hired a third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are:
13. The tests will be conducted on live, business functional networks. Thes networks must be functional in order for business to run and cannot be shut down, even for an evaluation.
14. The company wants the most indepth test possible.

While conducting the penetration test, the tester discovers that a crical business system is currently compromised. What should the tester do?

Answer 17

Immediately end the penetration test and call the CIO.

Question 18

13. What group launches the most attacks?

Answer 18

Outsiders

Question 19

14. A policy stating that a user must have a business requirement to view data before attempting to do so is an example of enforcing what?

Answer 19

Need to know.

Question 20

15. What technique would raise the false accept rate (FAR) and lower the false reject rate (FRR) in a fingerprint scanning system?

Answer 20

Decrease the amount of minutiae that is verified.

Question 21

CIA stands for

Answer 21

Confidentiality, integrity, and availability

Question 22

What do access controls protect against.

Answer 22

Unauthorized access, inappropriate modification of data, and loss of confidentiality of data

Question 23

What are the opposing forces in CIA

.

Answer 23

Disclosure, Alteration, and Destruction

Question 24

What is PII

Answer 24

Personally identifiable information

Question 25

What is integrity

Answer 25

Unauthorized modification of files

Question 26

What is availability

Answer 26

Data is accessible when needed

Question 27

What is confidentiality

Answer 27

Prevent unauthorized disclosure

Question 28

What is DAD

Answer 28

Disclosure, alteration destruction (opposite of CIA)

Question 29

What is AAA

Answer 29

Identity and authentication, authorization and accountability

Question 30

What is authentication

Answer 30

You are the person you claim to be

Question 31

What is Authorization

.

Answer 31

Actions you can preform on a system once you have identified and authenticated

Question 32

What is non-repudiation

Answer 32

User can not deny having performed a transaction (combines authentication and integrity

Question 33

What is least privilege

Answer 33

User granted minimum amount of access

Question 34

What is a subject

Answer 34

Is an active entity on a system, running computer programs are also subjects

Question 35

What is an object

Answer 35

Passive data within the system

Question 36

What is Defense in depth

Answer 36

Also known as layered security, uses multiple safeguards, or controls, to protect an asset

Question 37

What are controls

Answer 37

Controls are measures taken to protect an asset

Question 38

What is Discretionary access control (DAC)

Answer 38

Gives full control of objects the user has been given access to, including sharing the objects with other subjects.

Question 39

Deploying a range of different ___________ safeguards in your organization lowers the chance that all controls will fail.

Answer 39

Defense in Depth

Question 40

What is MAC

Answer 40

Mandatory Access Control

Question 41

Honeywell’s SCOMP and Purple Penelope are examples of _______ systems.

Answer 41

MAC

Question 42

What is RBAC

Answer 42

Role-Based Access Control

Question 43

What rules are included in RBAC

Answer 43

Role assignment, role authorization, and transaction authorization.

Question 44

Role Assignment means

Answer 44

A subject can execute a transaction only if the subject has selected or been assigned a role. Identification and authentication are not considered a transaction. All other user activities on the system are conducted thru activities.

Question 45

Role authorization means

Answer 45

A subject’s active role must be authorized for the subject. This with Role assignment ensures that users can take on only roles for which they are authorized.

Question 46

Transaction authorization means

Answer 46

Subject can execute a transaction only if the transaction is authorized through the subject’s role memberships, and subject to any constraints that may be applied across users, roles, and permissions.

Question 47

Non-Discretionary access control

Answer 47

RBAC is a type of ________ because users do not have discretion regarding the groups of objects they are allowed to access and are unable to transfer objects to other subjects.

Question 48

What is role based access control

Answer 48

How information is accessed on a system based on the role of the subject. Permissions are based on role not individual user

Question 49

What is task based access control

Answer 49

Another non-discretionary access control, permission based on a task the subject I preforming

Question 50

Content and content-dependent play what role?

Answer 50

Defense in depth supporting role

Question 51

Content-depend relies on

Answer 51

Access based on the content the subject is accessing

Question 52

What is centralized access control

Answer 52

Instead of managing access locally you have a central system managing it, Single Sign on (SSO). Subject can authenticate once then access multiple systems

Question 53

Access control catagories

Answer 53

• Preventative
• Detective
• Corrective
• Recovery
• Deterrent
• Compensating

Question 54

Access control catagories

Can fall into one of three categories

Answer 54

Administrative (Directive) controls– policies, training regulations
Technical controls- Software, hardware, firmware
Physical Controls – locks, fences, gates

Question 55

Type one authentication: Passwords

Answer 55

Involves testing a subject with some sort of challenge

Question 56

Static passwords -

Answer 56

user generated and often used with another authentication method

Question 57

Passphrase -

Answer 57

comprised of words or phrases with different twists. Maybe using a “Zero” instead of a “O”

Question 58

One time password -

Answer 58

can only be used once

Question 59

Dynamic passwords –

Answer 59

passwords that always change (RSA)

Question 60

Microsoft Lan Manager makes password all

Answer 60

uppercase before hashing

Question 61

Hybrid attack

Answer 61

substitutes and and prepends characters in a password

Question 62

Salt allows one password to be

Answer 62

hashed multiple ways, prevent rainbow tables

Question 63

Asynchronus dynamic tokens are not

Answer 63

synchronized with a central server, EX: challenge response token …System produces a challenge for the token device user then enter information into device along with a pin. It then goes back to the system The reponse is tied to the system making it correct