Domain 1 - Access Control Flashcards

Question 1

Q

Is an active entity in an Information System

Question 2

Q

A Passive data file

Question 3

Q

Is an access control that gives subjects full control of objects they
have been given access to, including sharing the objects with other subjects

Answer

A

Discretionary Access Control - DAC

Question 4

Q

System-enforced access control based on

subject’s clearances and object’s labels

Answer

A

Mandatory Access Control - MAC

Question 5

Q

Is an access control where subjects are grouped into roles and each
defined role has access permissions based upon the role, not the individual

Answer

A

Role-Based Access Control - RBAC

Question 6

Q

Its purpose is to allow authorized users access to appropriate data and
deny access to unauthorized users.

Answer

A

Access Control

Question 7

Q

is keeping data secret. Data must only be accessible to users who
have the clearance, formal access approval, and the need to know

Answer

A

Confidentiality

Question 8

Q

Threat to confidentiality

Answer

A

Disclosure of Information

Question 9

Q

Protects against unauthorized alteration of data

Answer

A

Integrity

Question 10

Q

Ensures that information is readily accessible to authorized users or
programs as the information is needed

Answer

A

Availability

Question 11

Q

Occurs when subjects not only maintain old access rights but gain new
ones as they move from one division to another within an organization.

Answer

A

Authorization Creep

Question 12

Q

is another non-discretionary access control model, related to RBAC. It is is based on the tasks each subject must
perform, such as writing prescriptions, or restoring data from a backup tape, or
opening a help desk ticket.

Answer

A

Task-based Access Control

Question 13

Q

Concentrates access control in one logical point for a system or organization.

Answer

A

Centralized Access Control

Question 14

Q

Local sites support and maintain

independent systems, access control databases, and data.

Answer

A

Decentralized Access Control

Question 15

Q

Is a 3rd party authentication system described in RFC 2865, 2866. Its uses UDP ports 1812 and 1813.

Answer

A

Remote Authentication Dial In User Service (RADIUS)

Question 16

Q

is RADIUS’ successor, designed to provide an improved (AAA) framework. RADIUS provides limited accountability, and has problems with flexibility, scalability, reliability, and security.

Question 17

Q

What are the number of Attribute Value Pairs (AVP) of Radius and Diameter.

Answer

A

Radius = 8
Diameter = 32

Question 18

Q

The cornerstone concept of InfoSecurity

Answer

A

The CIA triad

Question 19

Q

Opposing forces to CIA

Answer

A

DAD - Disclosure, Alteration and destruction

Question 20

Q

True or false. Our mission as information security professionals is to balance the needs of CIA and make trade offs as needed

Question 21

Q

Is the unauthorised disclosure of information

Answer

A

Disclosure

Question 22

Q

Is the unauthorised modification of data

Answer

A

Alteration

Question 23

Q

Making systems in available

Answer

A

Destruction

Question 24

Q

—— is a claim of who you are

Question 25

Q

Proving an identity is called ——

Answer

A

Authentication

Question 26

Q

—— describes the actions you can perform on a system once you have identified and authenticated. Actions may include reading, writing, or executing files or programs

Answer

A

Authorisation

Question 27

Q

—– holds a user accountable of his actions. This is typically done by logging and analysing audit data

Answer

A

Accountability

Question 28

Q

It means a user cannot deny having performed a transaction. It combined authentication and integrity

Answer

A

Non repudiation

Question 29

Q

True of false. You must have both authentication and integrity to have non repudiation

Question 30

Q

It means users should be granted the minimum amount of access (authorisation) required to do their jobs

Answer

A

Least Privilege

Question 31

Q

Is an active entity on a data system

Question 32

Q

This applies multiple safeguards also called controls, measures taken to reduce risk to protect an asset

Answer

A

Defence in depth or layered defenses

Question 33

Q

True or false. All controls can fail, and sometimes multiple control will fail. Deploying a range of different Defense in depth safeguards in your your organisation lowers the chance that all control will fail.

Question 34

Q

—- give subjects full control of objects they have been given access to, including sharing the objects with other subjects

Answer

A

Discretionary Access Control - DAC

Question 35

Q

Is a system enforced access control based on subject clearances and object labels

Answer

A

Mandatory Access Control -MAC

Question 36

Q

True or false. A subject may access an object only if the subjects clearance is equal to or greater than the objects label.

Question 37

Q

It defines how information is accessed on a system based on the role of the object

Answer

A

Role Based Access Control - RBAC

Question 38

Q

True or false. RBAC is a type of non discretionary access control because users do not have discretion regarding the group of objects they are allowed to access and are unable to transfer objects to other subjects.

Question 39

Q

Is another non discretionary access control model, related to RBAC based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help a help desk ticket.

Answer

A

Task Based Access Control

Question 40

Q

Concentrates access control in one logical point for a system or organisation

Answer

A

Centralised Access Control

Question 41

Q

Is an access control where organisations spans to multiple location. The local sites support and maintain independent systems, access control database and data

Answer

A

Decentralised Access Control

Question 42

Q

This occurs as individual users gain more access to more systems

Answer

A

Access aggregation

Question 43

Q

Users gain more entitlements without shedding the old ones.

Answer

A

Authorisation creep

Question 44

Q

Is a centralised access control system that requires users to send an ID and static (reusable) password for authentication. It uses UDP or TCP port 49.

Question 45

Q

In Microsoft trust relationship, if A trust B, then A will trust all B’s trusted partners. What type of relationship is this?

Answer

A

Transitive trust

Question 46

Q

This means limiting the access of authorised users to data they require to perform their duties

Answer

A

Least Privilege

Question 47

Q

This allows an organisation to maintain checks and balances among the employees with privileged access by having more than one individual to perform part of a sensitive transaction.

Answer

A

Separation of Duties

Question 48

Q

This describes a process that requires different staff perform the same duty.

Answer

A

Rotation of Duties

Question 49

Q

Is a label that shall be applied to information,the unauthorised disclosure of which reasonably could be effected to cause exceptionally grave damage to the national security.

Answer

A

Top Secret

Question 50

Q

Is a label that shall be applied to information,the unauthorised disclosure of which reasonably could be effected to cause serious damage to the national security.

Question 51

Q

Is a label that shall be applied to information,the unauthorised disclosure of which reasonably could be effected to cause damage to the national security.

Answer

A

Confidential

Question 52

Q

Is a determination about whether or not a user can be trusted with a specific level of information

Answer

A

Clearance.

Remember objects have labels, subject have clearances

Question 53

Q

Is documented approval from data owner for a subject to access certain objects, requiring the subject to understand all of the rules , and requirements for accessing data and consequences should the data become lost, destroyed or compromised

Answer

A

Formal Access Approval

Question 54

Q

What are the six access control types?

Answer

A

Preventive
Detective
Corrective
Recovery
Deterrent
Compensating

Question 55

Q

Three access control categories

Answer

A

Administrative
Technical
Physical

Question 56

Q

Is a type of access control that prevents actions from occurring.

Answer

A

Preventive

Question 57

Q

Are controls that alert during or after a successful attack

Answer

A

Detective

Question 58

Q

Is control that works by correcting a damaged system or process

Answer

A

Corrective

Question 59

Q

After a security incident has occurred, this control may have to be taken in order to restore the functionality of the system and organisation.

Question 60

Q

This control deter users from performing an actions on a system

Answer

A

Deterrent

Question 61

Q

Is an additional security control put in place to compensate for weaknesses in other control

Answer

A

Compensating

Question 62

Q

These controls are implemented by creating and following organisational policy, procedure, or regulation. User training and awareness also fall into this category

Answer

A

Administrative

Question 63

Q

These controls are implemented using software, hardware, or firmware that restricts logical access on an information technology system . Examples includes firewalls, routers, encryption, etc

Answer

A

Technical

Question 64

Q

These controls are implemented with physical devices such as locks, fences, gates, security guards, etc…

Answer 51

A

Credential set

Answer 52

A

Type 1 - something that you know
Type 2 - something that you have
Type 3 - something you are

Answer 53

A

Static password

Answer 54

A

Passphrase

Answer 55

A

One time password

Answer 56

A

Dynamic Passwords

Answer 57

A

Strong authentication or multifactor authentication

Brainscape's Knowledge GenomeTM

Domain 1 - Access Control Flashcards

Brainscape's Knowledge Genome^TM