Domain 1 - Access Control Flashcards
- Crackers are defined as:
a. Software programs designed to compromise password and other files.
b. People who violate systems for monetary or personal gain.
c. Automated scripts used to perform penetration tests on external environments.
d. Tools used to exploit online sessions by sniffing packets and obtaining unencrypted information.
Explanation: Answer b is correct. Crackers and hackers (though the terms are at times used interchangeably within the industry) are people, not software tools. This leaves the other answers incorrect.
- The Clark-Wilson model relies on four requirements:
a. Integrity; confidentiality; availability; and recoverability.
b. Recoverability; auditability; reproducibility; and reporting capacity.
c. Integrity; serviceability; auditability; and stability.
d. External consistency; separation of duty; internal consistency; and error recovery.
Explanation: Answer d is correct. The other answers are simply misleading terms.
- The industry best practice for password selection by clients is:
a. 6 characters in length, changed every 60 days, frozen after 5 invalid access attempts.
b. 8 characters in length, changed every 90 days, frozen after 3 invalid access attempts.
c. 6 characters in length, changed every 90 days, frozen after 3 invalid access attempts.
d. 8 characters in length, changed every 60 days, frozen after 5 invalid access attempts.
Explanation: Answer c is correct. The other answers, though perhaps applicable in certain instances, are not considered best practice at this time.
- Penetration testing stresses a system to identify security flaws in the following manner:
a. Through interviews and access to applications, access risks are identified.
b. Using commercial and public tools, an attack is simulated on a network.
c. Using commercial and public tools, reports are run to determine policy compliance.
d. Using password-cracking tools, an attack is simulated on an application.
Explanation: Answer b is correct. A classic “pen test” is dedicated to examining open ports on a network for exploit potential. The other answers are applicable within a full vulnerability assessment, of which a pen test is a component.
- Accountability is defined as:
a. Meeting schedules and budgets in a fiscally secure manner.
b. Gathering and retaining records pertaining to financial matters.
c. Performing actions within a job role that are governed by security policy.
d. Ensuring that access to information is consistent and correct.
Explanation: Answer b is the correct answer. Accountability is the concept of making employees directly responsible for actions taken during their daily job assignments. Answer a is incorrect because meeting fiscal requirements is within financial policy, not security policy. Answer b is incorrect because record retention is a legal or internal requirement. Answer d is consistent with the concept of availability.
- The “principle of least privilege” supports which domain implementation method?
a. Providing protected entry points into a network.
b. Providing privilege checking within a system or application access.
c. Providing hardware that allows access to certain functions.
d. Providing many small domains.
Explanation: Answer d is correct. Access permissions change within each domain as different information is required. The other answers are related in that they provide support within the domain. The overall question is asking about the principle, not the supporting functions of the principle.
- Access control supports the principles of:
a. Ownership, need-to-know, and data classification.
b. Authorization, least privilege, and separation of duty.
c. Connectivity, password controls, and session controls.
d. Privacy, monitoring, and compliance.
Explanation: Answer b is the correct answer. Users of computing resources must be properly authorized, have the minimum access allowed to perform necessary job functions, and be controlled within job function (i.e., not performing accounts payable and accounts receivable functions within the same job role). Answer a is incorrect because these are attributes of the information being accessed. Answer c, though important, addresses policy surrounding processes used to control access, not the access control principle. Answer d is incorrect because the privacy of the user accessing data is not connected to the action of accessing information in an authorized manner.
- There are generally two types of denial-of-service attacks that are the most prevalent. They are:
a. Planting and Trojan Horses.
b. TCP Hijacking and IP Address Spoofing.
c. TCP SYN Attack and ICMP Ping Flood.
d. Buffer Overflow and Sniffing.
Explanation: Answer c is correct. All the other answers are relevant to types of attacks (the closest being buffer overflow), but not specific to denial-of-service attacks.
- The best technique to identify and authenticate a person to a system is:
a. Establishing biometric access through a secured server or website.
b. Making sure the person knows something to identify and authenticate him/herself, and has something to do the same.
c. Maintaining correct and accurate ACLs (access control lists) to allow access to applications.
d. Allowing access only through userid and password.
Explanation: Although all are acceptable, answer b is correct. “Something you know” and “something you have” is a widely accepted best practice for identification and authentication. This could be a combination of a personal PIN and a smart card or other token. The other answers are misleading (answer a indicates biometrics only; answer c assumes that a client has already accessed a host system; and answer d is a weak, yet common security design).
- Which of the following are generally not characteristic of biometric systems?
a. Accuracy, speed, and throughput rate.
b. Uniqueness of the biometric organ and action.
c. Subject and system contact requirements.
d. Increased overhead of administration and support time.
Explanation: Answer d is correct. If implemented in a structured design, biometric authentication can be cost-effective because token inventories and token maintenance functions can be decreased. Answers a through c are all characteristics of biometric systems.
- “Spoofing”, or “masquerading”, is a means of tampering with communications by:
a. Changing data fields in financial transactions.
b. Convincing a user to submit information to an alias system.
c. Pretending to be someone in order to access specific information.
d. Allowing packets to be sent from one host to another trusted host.
Explanation: Answer c is the closest definition. Spoofing can be done by a variety of methods. Answer a is true once a person has obtained access to a system by falsifying the credentials needed to access that system. Answer b is also somewhat true, but would happen without the user's knowledge. Answer d is truer of an IP spoofing technique, but is not what the test question specifically asks.
- Discretionary access control (DAC) refers to what common configuration requirement of TCSEC levels C2 through D?
a. Objects in a computer system must meet minimum security requirements.
b. Owners of objects in a computer system can determine the ability of users to access the objects.
c. Object access control lists can be modified depending on the criticality of the object.
d. Objects in a computer system must be secured in the strictest method possible.
Explanation: Answer c is correct. The concept of DAC is that every object has an owner, and that owner alone can determine or modify access to that object. Answer a is incorrect, as it is too broad a statement for this issue. Answer b is somewhat correct, but the owner holds final control over object access rights. Answer d is more attuned to the concept of mandatory access control.
- The custodian of information has the primary responsibility for:
a. Logically ensuring that information is properly safeguarded from unauthorized access, modification, or disclosure.
b. Implementing safeguards such as ACLs to protect information.
c. Accessing information in a manner controlled by ACL safeguards and supported by policy.
d. Physically ensuring that information is safeguarded and maintained in a secure manner.
Explanation: Answer b is correct. The custodian is generally an application administrator or system administrator. Answer a is incorrect because it is the best-practice definition of information ownership. Answer c is more typical of a user or client than a custodian. Answer d, though it could be part of a custodial function, refers more to an infrastructure support service, such as a data center operations function.
- The NSA (National Security Agency) has published the TCSEC, often referred to as the “Orange Book”. What does the acronym TCSEC stand for?
a. Total Computer Security Enhancement Conventions.
b. Trusted Compliant Security Evaluation Classification.
c. Total Confidential System Examination Considerations.
d. Trusted Computer System Evaluation Criteria.
Explanation: The correct answer is d. The TCSEC, as published by the Department of Defense, is commonly accepted as the standard in the US for system certification in a number of classes (A1 through D). The other answers are simply different acronyms.
- A non-interference access control model is best suited for:
a. Systems that require strict access flow and do not easily accommodate flexibility in information flow.
b. Systems that are standalone and do not communicate with others in a networking capacity.
c. Systems that do not require classification schemes and have all public information.
d. Systems that rely on state machine architectures and capabilities.
Explanation: The concept of non-interference is that one group of users is non-interfering with another group if the actions of the first group have no effect on what the second group can see. Therefore, answer a is correct. Answer b is incorrect because it illustrates the concept of a decidedly trusted system. Answer c is incorrect because principles of data classification contribute to access control definition, but are not applicable to this question. Answer d is incorrect because a state machine model is another form of access control model.