CISSP (Chapter 3 - Access Control) Flashcards

1
Q

CISSP (Chapter 3 - Access Control)

Which of the following statements correctly describes biometric methods?
A. They are the least expensive and provide the most protection.
B. They are the most expensive and provide the least protection.
C. They are the least expensive and provide the least protection.
D. They are the most expensive and provide the most protection.

A

D. Compared with the other available authentication mechanisms, biometric methods provide the highest level of protection and are the most expensive.

2
Q

Which of the following statements correctly describes passwords?
A. They are the least expensive and most secure.
B. They are the most expensive and least secure.
C. They are the least expensive and least secure.
D. They are the most expensive and most secure.

A

C. Passwords provide the least amount of protection, but are the cheapest because they do not require extra readers (as with smart cards and memory cards), do not require devices (as do biometrics), and do not require a lot of overhead in processing (as in cryptography). Passwords are the most common type of authentication method used today.

3
Q

How is a challenge/response protocol utilized with token device implementations?
A. This protocol is not used; cryptography is used.
B. An authentication service generates a challenge, and the smart token generates a response based on the challenge.
C. The token challenges the user for a username and password.
D. The token challenges the user’s password against a database of stored credentials.

A

B. An asynchronous token device is based on a challenge/response mechanism. The authentication service sends the user a challenge value (a nonce), which the user enters into the token. The token encrypts or hashes this value with its secret key, and the output is the one-time password the user submits back to the service, which computes the same value and compares. Because the challenge is different every time, a captured response is useless for a later logon.

4
Q

Which access control method is considered user-directed?
A. Nondiscretionary
B. Mandatory
C. Identity-based
D. Discretionary

A

D. The DAC model allows users, or data owners, the discretion of letting other users access their resources. DAC is implemented by ACLs, which the data owner can configure.

5
Q

Which item is not part of a Kerberos authentication implementation?
A. Message authentication code
B. Ticket granting service
C. Authentication service
D. Users, programs, and services

A

A. Message authentication code (MAC) is a cryptographic function and is not a key component of Kerberos. Kerberos is made up of a KDC, a realm of principals (users, services, applications, and devices), an authentication service, tickets, and a ticket granting service.

6
Q

If a company has a high turnover rate, which access control structure is best?
A. Role-based
B. Decentralized
C. Rule-based
D. Discretionary

A

A. It is easier on the administrator if she only has to create one role, assign all of the necessary rights and permissions to that role, and plug a user into that role when needed. Otherwise, she would need to assign and extract permissions and rights on all systems as each individual came and left the company.

7
Q

The process of mutual authentication involves _______________.
A. A user authenticating to a system and the system authenticating to the user
B. A user authenticating to two systems at the same time
C. A user authenticating to a server and then to a process
D. A user authenticating, receiving a ticket, and then authenticating to a service

A

A. Mutual authentication means it is happening in both directions. Instead of just the user having to authenticate to the server, the server also must authenticate to the user.
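The challenge/response token exchange from card 3, extended to the mutual authentication this card describes, as an added example that is not part of the original flashcards. It assumes a token and an authentication service that share a symmetric secret, uses HMAC-SHA256 as the token's one-way function, and labels each direction differently so a proof captured in one direction cannot be reflected back in the other; the secret value, challenge format and 6-digit OTP length are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed: the per-token secret provisioned at enrollment (never user-chosen).
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
OTP_DIGITS = 6


def otp_response(secret: bytes, challenge: str) -> str:
    """Token side: hash the challenge under the shared secret and truncate it
    to a 6-digit one-time password the user can read off the display."""
    mac = hmac.new(secret, b"client->server:" + challenge.encode(),
                   hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


def server_proof(secret: bytes, nonce: str) -> str:
    """Server side of mutual authentication: prove knowledge of the secret over
    the client's nonce. The direction label keeps this value distinct from any
    OTP, so it can never be replayed as a client response."""
    return hmac.new(secret, b"server->client:" + nonce.encode(),
                    hashlib.sha256).hexdigest()


class AuthService:
    """Issues single-use challenges and verifies the token's responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()   # challenges issued but not yet answered

    def challenge(self) -> str:
        c = secrets.token_hex(4).upper()   # 8 hex characters, easy to type in
        self._outstanding.add(c)
        return c

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self._outstanding:
            return False    # unknown or already used: a replayed OTP is rejected
        self._outstanding.discard(challenge)    # every challenge is single use
        expected = otp_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)

    def prove_identity(self, nonce: str) -> str:
        return server_proof(self._secret, nonce)


def one_way_login(service: AuthService, token_secret: bytes) -> bool:
    """Card 3: service challenges, token answers, service checks."""
    c = service.challenge()
    otp = otp_response(token_secret, c)   # the user keys c into the token
    return service.verify(c, otp)


def replay_is_rejected(service: AuthService, token_secret: bytes) -> bool:
    c = service.challenge()
    otp = otp_response(token_secret, c)
    first = service.verify(c, otp)
    second = service.verify(c, otp)      # same OTP presented again: must fail
    return first and not second


def mutual_login(service: AuthService, token_secret: bytes) -> bool:
    """Card 7: both directions. The user proves herself to the service, then
    the service proves itself to the user over a nonce the user chose."""
    if not one_way_login(service, token_secret):
        return False
    nonce = secrets.token_hex(8)
    return hmac.compare_digest(service.prove_identity(nonce),
                               server_proof(token_secret, nonce))
```

The two things to check in any real implementation are visible here: the service never accepts a challenge twice, and the server's proof is computed over a nonce the client picked, not over the server's own challenge, otherwise an attacker who impersonates the server could simply echo values it has already seen.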

8
Q

In discretionary access control security, who has delegation authority to grant access to data?
A. User
B. Security officer
C. Security policy
D. Owner

A

D. This question may seem a little confusing if you were stuck between user and owner. Only the data owner can decide who can access the resources she owns. She may be a user and she may not. A user is not necessarily the owner of the resource. Only the actual owner of the resource can dictate what subjects can actually access the resource.

9
Q

Which could be considered a single point of failure within a single sign-on implementation?
A. Authentication server
B. User’s workstation
C. Logon credentials
D. RADIUS

A

A. In a single sign-on technology, all users are authenticating to one source. If that source goes down, authentication requests cannot be processed.

10
Q

What role does biometrics play in access control?
A. Authorization
B. Authenticity
C. Authentication
D. Accountability

A

C. Biometrics is a technology that validates an individual’s identity by reading a physical attribute. In some cases, biometrics can be used for identification, but that was not listed as an answer choice.

11
Q

What determines if an organization is going to operate under a discretionary, mandatory, or nondiscretionary access control model?
A. Administrator
B. Security policy
C. Culture
D. Security levels

A

B. The security policy sets the tone for the whole security program. It dictates the level of risk that management and the company are willing to accept. This in turn dictates the type of controls and mechanisms to put in place to ensure this level of risk is not exceeded.

12
Q

Which of the following best describes what role-based access control offers companies in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot access resources.
B. It provides a centralized approach for access control, which frees up department managers.
C. User membership in roles can be easily revoked and new ones established as job assignments dictate.
D. It enforces enterprise-wide security policies, standards, and guidelines.

A

C. An administrator does not need to revoke and reassign permissions to individual users as they change jobs. Instead, the administrator assigns permissions and rights to a role, and users are plugged into those roles.

13
Q

Which of the following is the best description of directories that are used in identity management technology?
A. Most are hierarchical and follow the X.500 standard.
B. Most have a flat architecture and follow the X.400 standard.
C. Most have moved away from LDAP.
D. Many use LDA.

A

A. Most enterprises have some type of directory that contains information pertaining to the company’s network resources and users. Most directories follow a hierarchical database format based on the X.500 standard, and a protocol such as the Lightweight Directory Access Protocol (LDAP) allows subjects and applications to interact with the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a specific resource with a similar request.

14
Q

Which of the following is not part of user provisioning?
A. Creation and deactivation of user accounts
B. Business process implementation
C. Maintenance and deactivation of user objects and attributes
D. Delegating user administration

A

B. User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. It is driven by business processes; it does not implement them. User provisioning software may include one or more of the following components: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. User objects may represent employees, contractors, vendors, partners, customers, or other recipients of a service. Services may include electronic mail, access to a database, access to a file server or mainframe, and so on.

15
Q

What is the technology that allows a user to remember just one password?
A. Password generation
B. Password dictionaries
C. Password rainbow tables
D. Password synchronization

A

D. Password synchronization technologies allow a user to maintain just one password across multiple systems. The product synchronizes the password to the other systems and applications, and this happens transparently to the user. The trade-off is that one compromised password now opens every synchronized system.

16
Q

Which of the following is not considered an anomaly-based intrusion protection system?
A. Statistical anomaly–based
B. Protocol anomaly–based
C. Temporal anomaly–based
D. Traffic anomaly–based

A

C. Anomaly-based (behavior-based) systems learn the “normal” activities of an environment and alert on deviations from that learned profile. The three types are:
• Statistical anomaly–based: creates a profile of “normal” and compares activities to this profile
• Protocol anomaly–based: identifies protocols used outside of their common bounds
• Traffic anomaly–based: identifies unusual activity in network traffic
There is no “temporal anomaly–based” category.

17
Q

Which of the following has the correct definition mapping?
i. Brute force attacks: Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
ii. Dictionary attacks: Files of thousands of words are compared to the user’s password until a match is found.
iii. Social engineering: An attacker falsely convinces an individual that she has the necessary authorization to access specific resources.
iv. Rainbow table: An attacker uses a table that contains all possible passwords already in a hash format.
A. i, ii
B. i, ii, iv
C. i, ii, iii, iv
D. i, ii, iii

A

C. The list has all the correct terms to definition mappings.
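The three technical attacks in this card (brute force, dictionary, rainbow table) run against a constructed password store, as an added example that is not part of the original flashcards. It assumes a legacy system that stores unsalted SHA-256 hashes and shrinks the password space to 4-digit PINs so that a real rainbow table (hash/reduce chains with a position-dependent reduction function, not just a hash-to-password lookup) can be built and searched in well under a second; it ends with the check a practitioner wants, that the same table is useless once each hash carries a per-user salt. The wordlist, PINs, chain parameters and salt are constructed.

```python
import hashlib
import itertools
import string

PIN_SPACE = 10_000   # constructed toy password space: 4-digit PINs
CHAIN_LEN = 20       # hashes per rainbow chain
NUM_CHAINS = 150     # chains in the table; covers roughly CHAIN_LEN*NUM_CHAINS PINs

# Constructed wordlist standing in for a multi-thousand-entry dictionary file
WORDLIST = ["password", "letmein", "qwerty", "summer2019", "hunter2", "admin"]


def h(password: str) -> str:
    """The legacy store: unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target: str, alphabet: str = string.digits, length: int = 4):
    """Cycle through every combination of the alphabet until one hashes to target."""
    for combo in itertools.product(alphabet, repeat=length):
        candidate = "".join(combo)
        if h(candidate) == target:
            return candidate
    return None


def dictionary_attack(target: str, wordlist):
    """Hash each word in the list and compare with the stored hash."""
    for word in wordlist:
        if h(word) == target:
            return word
    return None


def reduce_to_pin(digest: str, position: int) -> str:
    """Reduction function: map a digest back into the PIN space. It depends on
    the chain position so that two chains colliding at different positions do
    not merge, which is what distinguishes rainbow tables from plain chains."""
    return str((int(digest[:12], 16) + position) % PIN_SPACE).zfill(4)


def build_rainbow_table() -> dict:
    """Precompute chains start -> H -> R0 -> H -> R1 ... and keep only the
    endpoints, trading lookup time for a table far smaller than the PIN space."""
    table = {}
    for start in (str(i).zfill(4) for i in range(NUM_CHAINS)):
        p = start
        for pos in range(CHAIN_LEN):
            p = reduce_to_pin(h(p), pos)
        table.setdefault(p, []).append(start)   # endpoint -> chain starts
    return table


def rainbow_lookup(table: dict, target: str):
    """Assume the target sits at chain position pos, walk it to the end and see
    whether that endpoint is in the table. If it is, regenerate the chain from
    its start and read off the preimage whose hash equals the target."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        p = reduce_to_pin(target, pos)
        for later in range(pos + 1, CHAIN_LEN):
            p = reduce_to_pin(h(p), later)
        for start in table.get(p, []):
            q = start
            for i in range(CHAIN_LEN):
                if h(q) == target:
                    return q
                q = reduce_to_pin(h(q), i)
    return None


def salted_hash(password: str, salt: str) -> str:
    """The fix: a per-user salt (from a CSPRNG in practice) is hashed with the
    password, so a table precomputed for unsalted hashes never matches."""
    return hashlib.sha256((salt + password).encode()).hexdigest()
```

`rainbow_lookup(table, h("0042"))` recovers the PIN, while `rainbow_lookup(table, salted_hash("0042", "c0ffee"))` returns None: with a salt the attacker would have to rebuild the table per user, which is the point of salting. A slow, memory-hard password hash on top of the salt then makes the brute-force and dictionary loops above proportionally more expensive as well.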

18
Q

George is responsible for setting and tuning the thresholds for his company’s behavior-based IDS. Which of the following outlines the possibilities of not doing this activity properly?
A. If the threshold is set too low, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).
B. If the threshold is set too low, nonintrusive activities are considered attacks (false negatives). If the threshold is set too high, then malicious activities are not identified (false positives).
C. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too low, then malicious activities are not identified (false negatives).
D. If the threshold is set too high, nonintrusive activities are considered attacks (false positives). If the threshold is set too high, then malicious activities are not identified (false negatives).

A

A. The threshold is the amount of deviation from the learned baseline that the IDS tolerates before it raises an alert. Set it too low and ordinary fluctuations exceed it, so nonintrusive activities are reported as attacks (false positives). Set it too high and real attacks stay under it, so malicious activities go unreported (false negatives). Answer B swaps the labels, answer C inverts the direction, and answer D says “too high” for both cases.
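The threshold semantics in this card, run over constructed traffic as an added example that is not part of the original flashcards. The detector learns a baseline of requests per minute for one host, expresses its threshold as the number of standard deviations of drift it tolerates before alerting (an assumption; products expose this differently), and the evaluation shows what George gets wrong in each direction: too low and ordinary bursts become alerts, too high and a modest attack slides under it. The baseline, the observation window and its ground-truth labels are constructed.

```python
import statistics

# Constructed baseline: requests per minute from one host during normal operation
BASELINE = [40, 42, 38, 45, 41, 39, 44, 43, 40, 42, 37, 46, 41, 40, 43, 39]

# Constructed observation window, labelled with the ground truth an analyst
# established afterwards: (minute, requests, what it really was)
OBSERVED = [
    ("08:01", 44, "benign"),
    ("08:02", 48, "benign"),   # a user reloading a dashboard
    ("08:03", 47, "benign"),
    ("08:04", 39, "benign"),
    ("08:05", 58, "attack"),   # low-and-slow enumeration
    ("08:06", 41, "benign"),
    ("08:07", 95, "attack"),   # noisy scan
]


class BehaviorIDS:
    """Statistical anomaly detector: profile 'normal', then alert when a sample
    drifts more than `threshold` standard deviations away from that profile."""

    def __init__(self, baseline, threshold: float):
        self.mean = statistics.mean(baseline)
        self.stdev = statistics.stdev(baseline)
        self.threshold = threshold

    def deviation(self, value: float) -> float:
        return (value - self.mean) / self.stdev

    def is_alert(self, value: float) -> bool:
        return abs(self.deviation(value)) > self.threshold


def evaluate(ids: BehaviorIDS, samples) -> dict:
    """Score the detector against labelled samples."""
    counts = {"true_positives": 0, "false_positives": 0,
              "true_negatives": 0, "false_negatives": 0}
    for _minute, value, truth in samples:
        alert = ids.is_alert(value)
        if alert and truth == "attack":
            counts["true_positives"] += 1
        elif alert:
            counts["false_positives"] += 1    # benign traffic reported as an attack
        elif truth == "attack":
            counts["false_negatives"] += 1    # attack that stayed under the threshold
        else:
            counts["true_negatives"] += 1
    return counts


def sweep(baseline, samples, thresholds=(1.0, 2.0, 3.0, 5.0, 10.0)) -> dict:
    """What tuning looks like in practice: one result row per candidate threshold."""
    return {t: evaluate(BehaviorIDS(baseline, t), samples) for t in thresholds}


if __name__ == "__main__":
    for t, counts in sweep(BASELINE, OBSERVED).items():
        print(f"threshold={t:>4}  FP={counts['false_positives']}  "
              f"FN={counts['false_negatives']}")
```

On this data a threshold of 1.0 produces three false positives and no false negatives, 3.0 produces neither, and 10.0 produces no false positives but misses the 58-request enumeration. The sweep is the tuning loop George is responsible for, and it has to be repeated whenever the baseline is relearned, because the threshold is only meaningful relative to the spread of the baseline.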

19
Q

Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores update more quickly than the current IDM software can keep up with, so some access decisions are made based upon obsolete information. While the IDM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company’s partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.
Which of the following changes would be best for Tom’s team to implement?
A. Move from namespaces to distinguished names.
B. Move from meta-directories to virtual directories.
C. Move from RADIUS to TACACS+.
D. Move from a centralized to a decentralized control model.

A

B. A meta-directory within an IdM physically contains the identity information in its own identity store: it pulls identity data from various locations and stores a copy in one local system. The data in that store are refreshed by a replication process, which may run weekly, daily, or hourly depending upon configuration, so between runs access decisions can be made on stale data, which is the problem Tom sees. Virtual directories instead use pointers to where the identity data reside on the original systems, so no replication process is necessary. Virtual directories usually provide the most up-to-date identity information since they read from the authoritative source of the data.

20
Q

Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores update more quickly than the current IDM software can keep up with, so some access decisions are made based upon obsolete information. While the IDM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company’s partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.
Which of the following components should Tom make sure his team puts into place?
A. Single sign-on module
B. LDAP directory service synchronization
C. Web access management
D. X.500 database

A

C. Web access management (WAM) is a component of most IDM products that allows for identity management of web-based activities to be integrated and managed centrally.

21
Q

Tom is a new security manager for a retail company, which currently has an identity management system (IdM) in place. The data within the various identity stores update more quickly than the current IDM software can keep up with, so some access decisions are made based upon obsolete information. While the IDM currently provides centralized access control of internal network assets, it is not tied into the web-based access control components that are embedded within the company’s partner portals. Tom also notices that help-desk technicians are spending too much time resetting passwords for internal employees.
Tom has been told that he has to reduce staff from the help-desk team. Which of the following technologies can help with the company’s help-desk budgetary issues?
A. Self-service password support
B. RADIUS implementation
C. Reduction of authoritative IdM sources
D. Implement a role-based access control model

A

A. If help-desk staff are spending too much time resetting passwords, a technology should be implemented to reduce the amount of paid staff time spent on this task: the more that can be automated, the less of the budget has to go to staff. The following password management functions are included in most IdM products:
• Password synchronization: reduces the complexity of keeping up with different passwords for different systems.
• Self-service password reset: reduces help-desk call volumes by allowing users to reset their own passwords after re-proving their identity.
• Assisted password reset: shortens the help-desk resolution process for password issues, for example by verifying the caller with another authentication mechanism (biometrics, tokens) before the reset.

22
Q

Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company’s CEO wants to allow its partners’ customers to be able to purchase items through their web stores as easily as possible. The CEO also wants the company’s partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.
Which of the following is the best identity management technology that Lenny should consider implementing to accomplish some of the company’s needs?
A. LDAP directories for authoritative sources
B. Digital identity provisioning
C. Active Directory
D. Federated identity

A

D. Federated identity allows the company and its partners to share authentication information about a customer. When a customer authenticates to a partner web site, an assertion about that authentication can be passed to the retail company, so when the customer visits the retail company’s web site she has less profile information to submit and may be able to skip authentication steps during the purchase process. This requires an established trust model between the companies and compatible federated identity management software and settings on both sides.

23
Q

Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company’s CEO wants to allow its partners’ customers to be able to purchase items through their web stores as easily as possible. The CEO also wants the company’s partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.
Lenny has a meeting with the internal software developers who are responsible for implementing the necessary functionality within the web-based system. Which of the following best describes the two items that Lenny needs to be prepared to discuss with this team?
A. Service Provisioning Markup Language and the eXtensible Access Control Markup Language
B. Standard Generalized Markup Language and the Generalized Markup Language
C. Extensible Markup Language and the HyperText Markup Language
D. Service Provisioning Markup Language and the Generalized Markup Language

A

A. The Service Provisioning Markup Language (SPML) allows one company’s interface to pass service (account) requests to another company, which then provisions access to those services. Both the sending and receiving companies need to follow the XML standard, which is what makes this interoperability possible. With the eXtensible Access Control Markup Language (XACML), application access control policies can be expressed and shared with other applications so that all of them enforce the same security rules. The developers need to integrate both languages so that partner employees can interact with the inventory systems without a second authentication step, which reduces the complexity of inventory control between the different companies.

24
Q

Lenny is a new security manager for a retail company that is expanding its functionality to its partners and customers. The company’s CEO wants to allow its partners’ customers to be able to purchase items through their web stores as easily as possible. The CEO also wants the company’s partners to be able to manage inventory across companies more easily. The CEO wants to be able to understand the network traffic and activities in a holistic manner, and he wants to know from Lenny what type of technology should be put into place to allow for a more proactive approach to stopping malicious traffic if it enters the network. The company is a high-profile entity constantly dealing with zero-day attacks.
Pertaining to the CEO’s security concerns, what should Lenny suggest the company put into place?
A. Security event management software, intrusion prevention system, and behavior-based intrusion detection
B. Security information and event management software, intrusion detection system, and signature-based protection
C. Intrusion prevention system, security event management software, and malware protection
D. Intrusion prevention system, security event management software, and war dialing protection

A

A. Security event management software gathers log data centrally and analyzes them, which gives the holistic view of network traffic and activity the CEO wants. An intrusion prevention system allows proactive measures to be put in place to stop malicious traffic from entering the network. Behavior-based intrusion detection can identify new types of attacks (zero-day) that signature-based detection misses, because a signature exists only for an attack that has already been seen and analyzed.

25
Q

Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets such as databases, servers, and network-based devices. Also, although the company’s telephony solution has been in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the CIO’s secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes.
Which of the following is the best remote access technology for this situation?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos

A

C. Diameter was designed as the successor to RADIUS. Through its application extensions it supports authentication for a wide variety of access technologies (PPP, Mobile IP, VoIP/SIP, wired and wireless Ethernet via EAP, and so on), runs over a reliable transport (TCP or SCTP) rather than UDP, and allows centralized administration of access control across all of them, which is exactly what the separate internal, external, and VoIP silos in the scenario call for.

26
Q

Robbie is the security administrator of a company that needs to extend its remote access functionality. Employees travel around the world, but still need to be able to gain access to corporate assets such as databases, servers, and network-based devices. Also, although the company’s telephony solution has been in place for two years, it has not been integrated into a centralized access control solution. Currently the network administrators have to maintain access control separately for internal resources, external entities, and VoIP end systems. Robbie has also been asked to look into some suspicious e-mails that the CIO’s secretary has been receiving, and her boss has asked her to remove some old modems that are no longer being used for remote dial-in purposes.
What are the two main security concerns Robbie is most likely being asked to identify and mitigate?
A. Social engineering and spear-phishing
B. War dialing and pharming
C. Spear-phishing and war dialing
D. Pharming and spear-phishing

A

C. Spear-phishing is a phishing attack targeted at a specific individual or small group, which is what the CIO’s secretary is most likely experiencing. War dialing is dialing through ranges of telephone numbers to find modems (or other devices) that answer and can then be attacked. Removing the unused modems eliminates that entry point, so the risk of war dialing attacks decreases.

27
Q

Tanya is working with the company’s internal software development team. Before a user of an application can access files located on the company’s centralized server, the user must present a valid one-time password, which is generated through a challenge-response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that have been classified and deemed critical to the company’s missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.
Which of the following best describes what is currently in place?
A. Capability-based access system
B. Synchronous tokens that generate one-time passwords
C. RADIUS
D. Kerberos

A

A. A capability-based access control system means that the subject (user) has to present something that outlines what it can access. The item can be a ticket, token, or key. A capability is tied to the subject for access control purposes. A synchronous token is not being used, because the scenario specifically states that a challenge/response mechanism is being used, which indicates an asynchronous token.

28
Q

Tanya is working with the company’s internal software development team. Before a user of an application can access files located on the company’s centralized server, the user must present a valid one-time password, which is generated through a challenge-response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that have been classified and deemed critical to the company’s missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.
Which of the following is one of the easiest and best items Tanya can look into for proper data protection?
A. Implementation of mandatory access control
B. Implementation of access control lists
C. Implementation of digital signatures
D. Implementation of multilevel security

A

B. Systems that provide mandatory access control (MAC) and multilevel security are very specialized, require extensive administration, are expensive, and reduce user functionality. Implementing these types of systems is not the easiest approach out of the list. Since there is no budget for a PKI, digital signatures cannot be used because they require a PKI. In most environments access control lists (ACLs) are in place and can be modified to provide tighter access control. ACLs are bound to objects and outline what operations specific subjects can carry out on them.

29
Q

Tanya is working with the company’s internal software development team. Before a user of an application can access files located on the company’s centralized server, the user must present a valid one-time password, which is generated through a challenge-response mechanism. The company needs to tighten access control for these files and reduce the number of users who can access each and every file. The company is looking to Tanya and her team for solutions to better protect the data that have been classified and deemed critical to the company’s missions. Tanya has also been asked to implement a single sign-on technology for all internal users, but she does not have the budget to implement a public key infrastructure.
Which of the following is the best single sign-on technology for this situation?
A. SESAME
B. Kerberos
C. RADIUS
D. TACACS+

A

B. SESAME is a single sign-on technology that is based upon public key cryptography; thus, it requires a PKI. Kerberos is based upon symmetric cryptography; thus, it does not need a PKI. RADIUS and TACACS+ are remote centralized access control protocols.

30
Q

Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.
Which of the following best describes the type of environment Harry’s team needs to set up?
A. RADIUS
B. Service oriented architecture
C. Public key infrastructure
D. Web services

A

B. A service oriented architecture will allow Harry’s team to create a centralized web portal and offer the various services needed by internal and external entities.

31
Q

Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.
Which of the following best describes the types of languages and/or protocols that Harry needs to ensure are implemented?
A. Security Assertion Markup Language, Extensible Access Control Markup Language, Service Provisioning Markup Language
B. Service Provisioning Markup Language, Simple Object Access Protocol, Extensible Access Control Markup Language
C. Extensible Access Control Markup Language, Security Assertion Markup Language, Simple Object Access Protocol
D. Service Provisioning Markup Language, Security Association Markup Language

A

C. The most appropriate languages and protocols for the purpose laid out in the scenario are Extensible Access Control Markup Language, Security Assertion Markup Language, and Simple Object Access Protocol. Harry’s group is not necessarily overseeing account provisioning, so the Service Provisioning Markup Language is not necessary, and there is no language called “Security Association Markup Language.”

32
Q

Harry is overseeing a team that has to integrate various business services provided by different company departments into one web portal for both internal employees and external partners. His company has a diverse and heterogeneous environment with different types of systems providing customer relationship management, inventory control, e-mail, and help-desk ticketing capabilities. His team needs to allow different users access to these different services in a secure manner.
The company’s partners need to integrate compatible authentication functionality into their web portals to allow for interoperability across the different company boundaries. Which of the following will deal with this issue?
A. Service Provisioning Markup Language
B. Simple Object Access Protocol
C. Extensible Access Control Markup Language
D. Security Assertion Markup Language

A

D. Security Assertion Markup Language allows the exchange of authentication and authorization data to be shared between security domains. It is one of the most used approaches to allow for single sign-on capabilities within a web-based environment.