Brainscape's Knowledge GenomeTM

Browse over 1 million classes created by top students, professors, publishers, and experts.


See full index

CISSP > CISSP Sybex Official Study Guide Chapter 14 Review Questions > Flashcards

CISSP Sybex Official Study Guide Chapter 14 Review Questions Flashcards

1
Q

Which of the following best describes an implicit deny principle?

A. All actions that are not expressly denied are allowed.
B. All actions that are not expressly allowed are denied.
C. All actions must be expressly denied.
D. None of the above.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 657). Wiley. Kindle Edition.

A

B. All actions that are not expressly allowed are denied.

Explanation:
The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn’t require all actions to be denied.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 971). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What is the intent of least privilege?

A. Enforce the most restrictive rights required by users to run system processes.
B. Enforce the least restrictive rights required by users to run system processes.
C. Enforce the most restrictive rights required by users to complete assigned tasks.
D. Enforce the least restrictive rights required by users to complete assigned tasks.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 657). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 657). Wiley. Kindle Edition.

A

C. Enforce the most restrictive rights required by users to complete assigned tasks.

Explanation:
The principle of least privilege ensures that users (subjects) are granted only the most restrictive rights they need to perform their work tasks and job functions. Users don’t execute system processes. The least privilege principle does not enforce the least restrictive rights but rather the most restrictive rights.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 971). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

A table includes multiple objects and subjects and it identifies the specific access each subject has to different objects. What is this table?

A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 657). Wiley. Kindle Edition.

A

B. Access control matrix

Explanation:
An access control matrix includes multiple objects, and it lists subjects’ access to each of the objects. A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management system for single sign-on. Creeping privileges refers to the excessive privileges a subject gathers over time.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 971). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 971). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Who, or what, grants permissions to users in a DAC model?

A. Administrators
B. Access control list
C. Assigned labels
D. The data custodian

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 657). Wiley. Kindle Edition.

A

D. The data custodian

Explanation:
The data custodian (or owner) grants permissions to users in a Discretionary Access Control (DAC) model. Administrators grant permissions for resources they own, but not for all resources in a DAC model. A rule-based access control model uses an access control list. The Mandatory Access Control (MAC) model uses labels.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 971). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Which of the following models is also known as an identity-based access control model?

A. DAC
B. RBAC
C. Rule-based access control
D. MAC

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 657). Wiley. Kindle Edition.

A

A. DAC

Explanation:
A Discretionary Access Control (DAC) model is an identity-based access control model. It allows the owner (or data custodian) of a resource to grant permissions at the discretion of the owner. The Role Based Access Control (RBAC) model is based on role or group membership. The rule-based access control model is based on rules within an ACL. The Mandatory Access Control (MAC) model uses assigned labels to identify access.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

A central authority determines which files a user can access. Which of the following best describes this?

A. An access control list (ACL)
B. An access control matrix
C. Discretionary Access Control model
D. Nondiscretionary access control model

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 657). Wiley. Kindle Edition.

A

D. Nondiscretionary access control model

Explanation:
A nondiscretionary access control model uses a central authority to determine which objects (such as files) that users (and other subjects) can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model. An access control matrix includes multiple objects, and it lists the subject’s access to each of the objects.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

A central authority determines which files a user can access based on the organization’s hierarchy. Which of the following best describes this?

A. DAC model
B. An access control list (ACL)
C. Rule-based access control model
D. RBAC model

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 658). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 658). Wiley. Kindle Edition.

A

D. RBAC model

Explanation:
A Role Based Access Control (RBAC) model can group users into roles based on the organization’s hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects that subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Which of the following statements is true related to the RBAC model?

A. A RBAC model allows users membership in multiple groups.
B. A RBAC model allows users membership in a single group.
C.A RBAC model is nonhierarchical.
D. A RBAC model uses labels.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 658). Wiley. Kindle Edition.

A

A. A RBAC model allows users membership in multiple groups.

Explanation:
The Role Based Access Control (RBAC) model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. RBAC models are based on the hierarchy of an organization, so they are hierarchybased. The Mandatory Access Control (MAC) model uses assigned labels to identify access.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Which of the following is the best choice for a role within an organization using a RBAC model?

A. Web server
B. Application
C. Database
D. Programmer

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 658). Wiley. Kindle Edition.

A

D. Programmer

Explanation:
A programmer is a valid role in a Role Based Access Control (RBAC) model. Administrators would place programmers’ user accounts into the Programmer role and assign privileges to this role. Roles are typically used to organize users, and the other answers are not users.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

Which of the following best describes a rule-based access control model?

A. It uses local rules applied to users individually.
B. It uses global rules applied to users individually.
C. It uses local rules applied to all users equally.
D. It uses global rules applied to all users equally.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 658). Wiley. Kindle Edition.

A

D. It uses global rules applied to all users equally.

Explanation:
D. A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally, or to individual users.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What type of access control model is used on a firewall?

A. MAC model
B. DAC model
C. Rule-based access control model
D. RBAC Model

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 658). Wiley. Kindle Edition.

A

C. Rule-based access control model

Explanation:
Firewalls use a rule-based access control model with rules expressed in an access control list. A Mandatory Access Control (MAC) model uses labels. A Discretionary Access Control (DAC) model allows users to assign permissions. A Role Based Access Control (RBAC) model organizes users in groups.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What type of access controls rely on the use of labels?

A. DAC
B. Nondiscretionary
C. MAC
D. RBAC

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 658). Wiley. Kindle Edition.

A

C. MAC

Explanation:
Mandatory Access Control (MAC) models rely on the use of labels for subjects and objects. Discretionary Access Control (DAC) models allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management suchas a rule-based access control model deployed on a firewall. Role Based Access Control (RBAC) models define a subject’s access based on job-related roles.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Which of the following best describes a characteristic of the MAC model?

A. Employs explicit-deny philosophy
B. Permissive
C. Rule-based
D. Prohibitive

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (pp. 658-659). Wiley. Kindle Edition.

A

D. Prohibitive

Explanation:
The Mandatory Access Control (MAC) model is prohibitive, and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive and it uses labels rather than rules.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

Which of the following is not a valid access control model?

A. Discretionary Access Control model
B. Nondiscretionary access control model
C. Mandatory Access Control model
D. Compliance-based access control model

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 659). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 659). Wiley. Kindle Edition.

A

D. Compliance-based access control model

Explanation:
D. Compliance-based access control model is not a valid type of access control model. The other answers list valid access control models.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 972). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What would an organization do to identify weaknesses?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Access review

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 659). Wiley. Kindle Edition.

A

C. Vulnerability analysis

Explanation:
A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, but threat modeling doesn’t identify weaknesses. An access review audits account management and object access practices.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 973). Wiley. Kindle Edition.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Which of the following can help mitigate the success of an online brute-force attack?

A. Rainbow table
B. Account lockout
C. Salting passwords
D. Encryption of password

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 659). Wiley. Kindle Edition.

A

B. Account lockout

Explanation:
An account lockout policy will lock an account after a user has entered an incorrect password too many times, and this blocks an online brute-force attack. Attackers use rainbow tables in offline password attacks. Password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the stored password but isn’t effective against a brute-force attack without an account lockout.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 973). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 973). Wiley. Kindle Edition.

17
Q

Which of the following would provide the best protection against rainbow table attacks?

A. Hashing passwords with MD5
B. Salt and pepper with hashing
C. Account lockout
D. Implement RBAC

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 659). Wiley. Kindle Edition.

A

B. Salt and pepper with hashing

Explanation:
Using both a salt and pepper when hashing passwords provides strong protection against rainbow table attacks. MD5 is no longer considered secure, so it isn’t a good choice for hashing passwords. Account lockout helps thwart online password brute-force attacks, but a rainbow table attack is an offline attack. Role Based Access Control (RBAC) is an access control model and unrelated to password attacks.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 973). Wiley. Kindle Edition.

18
Q

What type of attack uses email and attempts to trick high-level executives?

A. Phishing
B. Spear phishing
C. Whaling
D.Vishing

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 659). Wiley. Kindle Edition.

A

C. Whaling

Explanation:
Whaling is a form of phishing that targets high-level executives. Spear phishing targets a specific group of people but not necessarily high-level executives. Vishing is a form of phishing that commonly uses Voice over IP (VoIP).

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 973). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 973). Wiley. Kindle Edition.

19
Q

Refer to the following scenario when answering questions 19 and 20: An organization has recently suffered a series of security breaches that have damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company’s web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks.
What would the consultant use to identify potential attackers?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Access review and audit

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (pp. 659-660). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 659). Wiley. Kindle Edition.

A

B. Threat modeling

Explanation:
B. Threat modeling helps identify, understand, and categorize potential threats. Asset valuation identifies the value of assets, and vulnerability analysis identifies weaknesses that can be exploited by threats. An access review and audit ensures that account management practices support the security policy.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 973). Wiley. Kindle Edition.

20
Q

Management wants to ensure that the consultant has the correct priorities while doing her research. Of the following, what should be provided to the consultant to meet this need?

A. Asset valuation
B. Threat modeling results
C. Vulnerability analysis reports
D. Audit trails

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 660). Wiley. Kindle Edition.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 660). Wiley. Kindle Edition.

A

A. Asset valuation

Explanation:
Asset valuation identifies the actual value of assets so that they can be prioritized. For example, it will identify the value of the company’s reputation from the loss of customer data compared with the value of the secret data stolen by the malicious employee. None of the other answers is focused on high-value assets. Threat modeling results will identify potential threats. Vulnerability analysis identifies weaknesses. Audit trails are useful to re-create events leading up to an incident.

Chapple, Mike; Stewart, James Michael; Gibson, Darril. (ISC)2 CISSP Certified Information Systems Security Professional Official Study Guide (p. 973). Wiley. Kindle Edition.

CISSP (43 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2024 Bold Learning Solutions. Terms and Conditions