CISSP Sybex Official Study Guide Chapter 13 Review Questions Flashcards
Which of the following would not be an asset that an organization would want to protect with access controls?
A. Information
B. Systems
C. Devices
D. Facilities
E. None of the above
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 618). Wiley. Kindle Edition.
E. None of the above
Explanation:
All of the answers are included in the types of assets that an organization would try to protect with access controls.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 969). Wiley. Kindle Edition.
Which of the following is true related to a subject?
A. A subject is always a user account.
B. The subject is always the entity that provides or hosts the information or data.
C. The subject is always the entity that receives information about or data from an object.
D. A single entity can never change roles between subject and object
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 618). Wiley. Kindle Edition.
C. The subject is always the entity that receives information about or data from an object.
Explanation:
The subject is active and is always the entity that receives information about, or data from, the object. A subject can be a user, a program, a process, a file, a computer, a database, and so on. The object is always the entity that provides or hosts information or data. The roles of subject and object can switch while two entities communicate to accomplish a task.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 969). Wiley. Kindle Edition.
Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring?
A. Preventive
B. Detective
C. Corrective
D. Authoritative
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 618). Wiley. Kindle Edition.
A. Preventive
Explanation:
A preventive access control helps stop an unwanted or unauthorized activity from occurring. Detective controls discover the activity after it has occurred, and corrective controls attempt to reverse any problems caused by the activity. Authoritative isn’t a valid type of access control.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 969). Wiley. Kindle Edition.
What type of access controls are hardware or software mechanisms used to manage access to resources and systems, and provide protection for those resources and systems?
A. Administrative
B. Logical/technical
C. Physical
D. Preventive
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 618). Wiley. Kindle Edition.
B. Logical/technical
Explanation:
Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Administrative controls are managerial controls, and physical controls use physical items to control physical access. A preventive control attempts to prevent security incidents.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 969). Wiley. Kindle Edition.
Which of the following best expresses the primary goal when controlling access to assets?
A. Preserve confidentiality, integrity, and availability of systems and data.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 618). Wiley. Kindle Edition.
A. Preserve confidentiality, integrity, and availability of systems and data.
Explanation:
A primary goal when controlling access to assets is to protect against losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system, but objects do not authenticate. Subjects access objects, but objects do not access subjects. Identification and authentication are important as a first step in access control, but much more is needed to protect assets.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 969). Wiley. Kindle Edition.
A user logs in with a login ID and a password. What is the purpose of the login ID?
A. Authentication
B. Authorization
C. Accountability
D. Identification
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 619). Wiley. Kindle Edition.
D. Identification
Explanation:
A user professes an identity with a login ID. The combination of the login ID and the password provides authentication. Subjects are authorized access to objects after authentication. Logging and auditing provide accountability.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 969). Wiley. Kindle Edition.
Accountability requires all of the following items except one. Which item is not required for accountability?
A. Identification
B. Authentication
C. Auditing
D. Authorization
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 619). Wiley. Kindle Edition.
D. Authorization
Explanation:
Accountability does not include authorization. Accountability requires proper identification and authentication. After authentication, accountability requires logging to support auditing.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 970). Wiley. Kindle Edition.
What can you use to prevent users from rotating between two passwords?
A. Password complexity
B. Password history
C. Password age
D. Password length
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 619). Wiley. Kindle Edition.
B. Password history
Explanation:
Password history can prevent users from rotating between two passwords. It remembers previously used passwords. Password complexity and password length help ensure that users create strong passwords. Password age ensures that users change their password regularly.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 970). Wiley. Kindle Edition.
Which of the following best identifies the benefit of a passphrase?
A. It is short.
B. It is easy to remember.
C. It includes a single set of characters.
D. It is easy to crack.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 619). Wiley. Kindle Edition.
A. It is short.
Explanation:
A passphrase is a long string of characters that is easy to remember, such as IP@$$edTheCISSPEx@m. It is not short and typically includes all four sets of character types. It is strong and complex, making it difficult to crack.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 970). Wiley. Kindle Edition.
Which of the following is an example of a Type 2 authentication factor?
A. Something you have
B. Something you are
C. Something you do
D. Something you know
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 619). Wiley. Kindle Edition.
A. Something you have
Explanation:
A Type 2 authentication factor is based on something you have, such as a smartcard or token device. Type 3 authentication is based on something you are and sometimes something you do, which uses physical and behavioral biometric methods. Type 1 authentication is based on something you know, such as passwords or PINs.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 970). Wiley. Kindle Edition.
Your organization issues devices to employees. These devices generate onetime passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?
A. Synchronous token
B. Asynchronous token
C. Smartcard
D. Common Access Card
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 619). Wiley. Kindle Edition.
A. Synchronous token
Explanation:
A synchronous token generates and displays onetime passwords, which are synchronized with an authentication server. An asynchronous token uses a challenge-response process to generate the onetime password. Smartcards do not generate onetime passwords, and common access cards are a version of a smartcard that includes a picture of the user.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 970). Wiley. Kindle Edition.
Which of the following provides authentication based on a physical characteristic of a subject?
A. Account ID
B. Biometrics
C. Token
D. PIN
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 620). Wiley. Kindle Edition.
B. Biometrics
Explanation:
Physical biometric methods such as fingerprints and iris scans provide authentication for subjects. An account ID provides identification. A token is something you have and it creates onetime passwords, but it is not related to physical characteristics. A personal identification number (PIN) is something you know.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 970). Wiley. Kindle Edition.
What does the CER for a biometric device indicate?
A. It indicates that the sensitivity is too high.
B. It indicates that the sensitivity is too low.
C. It indicates the point where the false rejection rate equals the false acceptance rate.
D. When high enough, it indicates the biometric device is highly accurate.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 620). Wiley. Kindle Edition.
C. It indicates the point where the false rejection rate equals the false acceptance rate.
Explanation:
The point at which the biometric false rejection rate and the false acceptance rate are equal is the crossover error rate (CER). It does not indicate that sensitivity is too high or too low. A lower CER indicates a higher-quality biometric device, and a higher CER indicates a less accurate device.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 970). Wiley. Kindle Edition.
Sally has a user account and has previously logged on using a biometric system. Today, the biometric system didn’t recognize her so she wasn’t able to log on. What best describes this?
A. False rejection
B. False acceptance
C. Crossover error
D. Equal error
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 620). Wiley. Kindle Edition.
A. False rejection
Explanation:
A false rejection, sometimes called a false negative authentication or a Type I error, occurs when a valid subject (Sally in this example) is not authenticated. A false acceptance, sometimes called a false positive authentication or a Type II error, occurs when an invalid subject is authenticated. Crossover errors and equal errors aren’t valid terms related to biometrics. However, the crossover error rate (also called the equal error rate) compares the false rejection rate to the false acceptance rate and provides an accuracy measurement for a biometric system.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 970). Wiley. Kindle Edition.
What is the primary purpose of Kerberos?
A. Confidentiality
B. Integrity
C. Authentication
D. Accountability
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 620). Wiley. Kindle Edition.
C. Authentication
Explanation:
The primary purpose of Kerberos is authentication, as it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.
Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 970). Wiley. Kindle Edition.