Domain 2: Access Control Flashcards

1
Q

What does “Subject” mean in the Access Control context?

A

An active entity on an information system

2
Q

What does “Object” mean in the access control context?

A

A passive data file

3
Q

What is Discretionary Access Control (DAC)?

A

An access control method that gives subjects full control of objects they have been given access to including sharing the objects with other subjects.

4
Q

What is Mandatory Access Control (MAC)?

A

It is a method where the system enforces access control based on subject’s clearances and object labels.

5
Q

What is Role Based Access Control (RBAC)?

A

A type of non-discretionary access control where subjects are given roles and access is granted to roles and not the individual.

6
Q

What does DAC stand for in the Access Control context?

A

Discretionary Access Control

7
Q

What does MAC stand for in the access control context?

A

Mandatory Access Control

8
Q

What does RBAC stand for in the Access Control context?

A

Role Based Access Control

9
Q

What is the purpose of Access Control?

A

To protect the Confidentiality, Integrity, and Availability (CIA) of data.

10
Q

What does CIA stand for in the Access Control context?

A

Confidentiality, Integrity, and Availability

11
Q

Name two access control concerns.

A

Concern 1: Is the system flexible enough to allow users to run a wide variety of software that is not centrally controlled?

Concern 2: How to manage access control when legacy systems are running mission critical applications?

12
Q

What are the three elements to the Access Control Triad?

A

Involves implementing three strong measures:

1: Technical
2: Physical
3: Administrative

13
Q

Name three CIA Characteristics in the access control context.

A

1: All three work together to provide access control.
2: No one of the three is more important than the other two.
3: Every IT system will require a different prioritization of the three depending on the data, the user community and the required timeliness for data access.

14
Q

Draw the CIA Pyramid

A

Confidentiality -> Disclosure

Integrity -> Alteration

Availability -> Destruction

15
Q

What does DAD stand for in the Access Control context?

A

Disclosure

Alteration

Destruction

16
Q

Name three examples of Disclosure from DAD.

A

1: Unauthorized access to the system
2: The unencrypted transmission of data across an insecure network
3: A trusted user relaying information to an unauthorized user.

17
Q

Name two kinds of Alteration (DAD)

A

1: Accidental Alteration of data.
2: Purposeful Alteration of data.

18
Q

Name one example of Destruction (DAD)

A

The North Korean scorched earth attack against South Korea.

19
Q

What does IAAA stand for in the access control context?

A

Identification and Authentication

Authorization

Accountability

20
Q

What does Identification mean in the IAAA context?

A

Identification: A claim by a subject to be somebody.

21
Q

Name two characteristics of Identification in the IAAA context.

A

1: Must be unique, or subjects cannot be held accountable.
2: Ideally, user names should not be descriptive: x3345 instead of Richard.howard.

22
Q

What does Authentication mean in the IAAA context?

A

Verifying the Identification claim.

23
Q

What does Authorization mean in the IAAA context?

A

Allowing the subject access to objects.

24
Q

What does Accountability mean in the IAAA context?

A

Establishing the ability to determine which actions each subject performed on a system.

25
Q

What does Access Creep mean in the Access Control context?

A

When one subject maintains old access rights as he moves from one division to another gaining additional access rights.

26
Q

When can a subject and an object refer to the same thing?

A

The IE Browser is a Subject when it is running but is an Object when its executable is stored on the hard drive.

27
Q

Name the two types of entities in Access Control

A

Subjects

Objects

Keep all access control examples simple by determining which elements are subjects and which elements are objects.

28
Q

Name the three primary access control models

A

1: Discretionary Access Control (DAC)
2: Mandatory Access Control (MAC)
3: Non-Discretionary Access Control

29
Q

Is any one Access Control Model

1: Discretionary Access Control (DAC)
2: Mandatory Access Control (MAC)
3: Non-Discretionary Access Control

better than the other?

A

No one model is better than the other, rather each model is used for a specific information security purpose.

30
Q

Is Non-Discretionary Access Control a form of Mandatory Access Control (MAC)?

A

No

31
Q

What is Discretionary Access Control (DAC)?

A

Gives subjects full control of objects they have been given access to including sharing with other subjects.

DAC allows subjects the ability to grant other subjects access to their files (objects), change their attributes, alter them or delete them.

32
Q

Name two operating systems that use Discretionary Access Control (DAC)

A

1: Windows
2: Linux

33
Q

Name one weakness in Discretionary Access Control (DAC)

A

Confidentiality protection, because the system depends on user discretion; a user can mistakenly send a file to someone who has no business seeing the information in that file.

34
Q

What is Mandatory Access Control (MAC)?

A

A system enforced access control model based on the subject’s clearance and the object’s labels.

35
Q

In Mandatory Access Control (MAC) systems, Subjects and Objects have

A

labels like SECRET and TOP SECRET.

36
Q

In Mandatory Access Control (MAC) systems, when can a subject access an object?

A

A subject may access any object if the subject’s label is equal to or greater than the object’s label.

37
Q

What is the main difference in who enforces access to objects between Discretionary Access Control (DAC) and Mandatory Access Control (MAC)?

A

MAC uses the system to enforce access control based on the subject’s clearance and the object’s labels.

DAC counts on the subject to use discretion in providing other subjects access to his objects.

38
Q

What part of the CIA model do Mandatory Access Control (MAC) systems focus on?

A

MAC systems focus on protecting Confidentiality in the CIA model.

39
Q

Name two liabilities of Mandatory Access Control (MAC) systems compared to Discretionary Access Control (DAC) systems.

A

1: MAC systems are expensive compared to DAC. Clearing users is expensive.
2: MAC systems are difficult to implement especially when attempting to separate different confidentiality levels within the same interconnected IT system.

40
Q

Name three Mandatory Access Control (MAC) systems

A

1: Honeywell’s SCOMP developed in conjunction with the US and the UK
2: Purple Penelope developed in conjunction with the US and the UK
3: LINUX Intrusion Detection System (Standard LINUX is DAC)

41
Q

What is Non-Discretionary Access Control?

A

A system enforced access control model that cannot be changed at the discretion of ordinary users.

Users do not have discretion regarding the groups of objects they are allowed to access and they are unable to transfer objects to other subjects.

42
Q

Is Role Based Access Control (RBAC) a type of

Non-Discretionary Access Control

or

Discretionary Access Control (DAC)

or

Mandatory Access Control (MAC)?

A

Non-Discretionary Access Control

43
Q

Name the three characteristics (Rules) of Role Based Access Control (RBAC)?

A

1: Role Assignment
2: Role Authorization
3: Transaction Authorization

44
Q

In Role Based Access Control systems, is the Identification and Authentication process (Login) considered a transaction?

A

The Identification and Authentication process (Login) is not considered a transaction.

45
Q

What does Role Assignment mean as the first Rule of Role Based Access Control?

A

A subject can execute a transaction only if the subject has been assigned the proper role.

Subjects are grouped into roles. Users can take on only roles for which they are authorized.

46
Q

What does Role Authorization mean as the second rule of Role Based Access Control?

A

A subject’s role must be authorized.

Each role has access permissions based upon the role and not the position.

47
Q

What does Transaction Authorization mean as the third rule in Role Based Access Control?

A

A subject can execute a transaction only if the transaction is authorized for the role.

Users can execute only transactions for which they are authorized.

48
Q

Why is Role Based Access Control (RBAC) a form of Non-Discretionary Access Control and not Discretionary Access Control (DAC)?

A

RBAC is a type of non-discretionary access control because subjects do not have discretion regarding the groups of objects they are allowed to access, and are unable to transfer objects to other subjects.

49
Q

Why is Role Based Access Control (RBAC) a form of Non-Discretionary Access Control and not Mandatory Access Control (MAC)?

A

There is a superficial similarity between RBAC roles and traditional groups (MAC).

As normally implemented, a MAC group is a collection of users, rather than a collection of permissions.

The ability to tie permissions directly to users in a group-based mechanism can be regarded as a “loophole” that makes it difficult to control user-permission relationships.

RBAC requires all access through roles, and permissions are connected only to roles, not directly to users.

50
Q

What type of access control is Task Based Access Control?

A

Non-Discretionary Access Control

51
Q

Is Content Dependent Access Control a full-fledged access control system like DAC, MAC or RBAC?

A

No

Not full-fledged access controls like MAC and DAC but added in, like defense in depth, for extra protection.

52
Q

Is Context Dependent Access Control a full-fledged access control system like DAC, MAC or RBAC?

A

No

Not full-fledged access controls like MAC and DAC but added in, like defense in depth, for extra protection.

53
Q

What is Content Dependent Access Control?

A

They add additional criteria beyond Identification and Authentication. They consider the actual content.

Example: Subjects can view their own timesheet but not the CEO's.

54
Q

What are Context Dependent Access Controls?

A

Applies additional context before granting access.

Example: Login time.

55
Q

What is Centralized Access Control?

A

Centralized Access Control concentrates access control in one logical point for a system or organization like Single Sign On.

56
Q

What is Decentralized Access Control?

A

Decentralized Access Control (Distributed Access Control) distributes control to local sites and independent systems.

57
Q

What is one advantage to Decentralized Access Control?

A

Provides more local power

Example: A US Soldier in a battlefield situation cannot call back to the help desk.

58
Q

What is one disadvantage to Decentralized Access Control?

A

One risk is an inconsistent view across the organization even if there is a uniform policy.

Example: A US Soldier in a battlefield situation cannot call back to the help desk.

59
Q

Can both Centralized Access Control and Decentralized Access Control support remote users authenticating to local systems?

A

Yes

60
Q

Are DAC (Discretionary Access Control) and Decentralized Access Control the same thing?

A

No

Decentralized Access Control will always be spelled out in the exam.

61
Q

What are the 7 remote frameworks and protocols that support remote login?

A

1. RADIUS
2. Diameter
3. TACACS
4. TACACS+
5. PAP
6. CHAP
7. Microsoft Active Directory

62
Q

What does Radius stand for in the Access Control Protocols and Frameworks context?

A

Remote Authentication Dial In User Service

63
Q

What two RFCs describe Radius?

A

RFC 2865 and 2866

64
Q

What protocol and port does Radius officially use for authentication?

A

Radius officially uses the User Datagram Protocol (UDP) on port 1812 (authentication).

65
Q

What protocol and port does Radius officially use for accounting?

A

Radius officially uses the User Datagram Protocol (UDP) on port 1813 (accounting).

66
Q

What protocol and port does Radius unofficially use for authentication?

A

Some Radius systems unofficially use the User Datagram Protocol (UDP) on port 1645 (authentication).

67
Q

What protocol and port does Radius unofficially use for accounting?

A

Some Radius systems unofficially use the User Datagram Protocol (UDP) on port 1646 (accounting).

68
Q

Why do experts consider RADIUS to be an AAA system and not an IAAA?

A

It does not provide any Identity function.

It does:

Authenticate a subject’s credentials against an authentication database.

Authorize users by allowing specific users access to specific data objects.

Provide Accountability by creating a log entry for each RADIUS connection made.

69
Q

In Radius, request and response data is carried in what?

A

Attribute Value Pairs (AVP)

70
Q

According to RFC 2865, what are the 8 Radius Attribute Value Pairs (AVPs)?

A

Access-Request

Access-Accept

Access-Reject

Accounting-Request

Accounting-Response

Access-Challenge

Status-Server (Experimental)

Status-Client (Experimental)

71
Q

In Radius, how large is the field that holds Attribute Value Pairs (AVPs)?

A

Uses an 8-bit field for Attribute Value Pairs (AVPs) which gives a max of 256 total pairs.

72
Q

In Radius, what is the only element that is encrypted?

A

Radius only encrypts the password; it sends other data (the ID, for example) in the clear.

73
Q

Name five problems with Radius.

A

1: Limited Accountability – just logs login transactions
2: Flexibility – limited functionality with 8-bit AVPs
3: Scalability – decentralized nature makes it hard to scale
4: Reliability – uses UDP, not TCP
5: Security – does not encrypt everything

74
Q

Why is Diameter considered to be an improved successor to Radius?

A

1: Accountability Improved – more robust accounting capability
2: Flexibility Improved – 32-bit field provides for billions of AVPs
3: Scalability Improved – centralized server makes it easier to scale
4: Reliability Improved – uses TCP
5: Security Improved – end-to-end encryption

75
Q

What is the Draft standard that describes the Diameter protocol?

A

RFC 3588.

76
Q

What does TACACS stand for?

A

Terminal Access Controller Access Control System (TACACS).

77
Q

What is TACACS?

A

An older authentication protocol common to UNIX networks that allows a remote access server to forward a user’s logon password to an authentication server, sometimes called a TACACS daemon or simply TACACSD, to determine whether access can be allowed to a given system.

78
Q

What does TACACS stand for?

A

Terminal Access Controller Access Control System

79
Q

What port does TACACS communicate with?

A

UDP 49

80
Q

Why is TACACS less secure than TACACS+ and Radius?

A

It was originally designed to be an encryption protocol, not an authentication protocol.

81
Q

Is TACACS+ backward compatible with TACACS?

A

No

82
Q

Why is TACACS+ more reliable than TACACS?

A

Because it uses TCP instead of UDP.

83
Q

What port does TACACS+ communicate with?

A

TCP 49

84
Q

Why is TACACS+ more secure than TACACS?

A

1: Improves password protection by allowing two-factor authentication.

85
Q

Why is TACACS+ more secure than Radius?

A

Encrypts all data below the header (Better security than RADIUS)

86
Q

Name two Sniffers.

A

SNORT
Cain & Abel

87
Q

What does PAP stand for?

A

Password Authentication Protocol

88
Q

What is the Password Authentication Protocol (PAP)?

A

The client authenticates itself by sending a user name and an (optionally encrypted) password to the server, which the server compares to its shared secrets database.

89
Q

What RFC defines the Password Authentication Protocol (PAP)?

A

Defined by RFC 1334.

90
Q

Why is security weak with the Password Authentication Protocol (PAP)?

A

Passwords are sent in the clear; sniffers can pick them up. This technique is vulnerable to eavesdroppers who may try to obtain the password by listening in on the serial line, and to repeated trial-and-error attacks.

91
Q

How does the Challenge Handshake Authentication Protocol (CHAP) work?

A

The server sends a randomly generated “challenge” string to the client, along with its hostname.

The client uses the hostname to look up the appropriate secret, combines it with the challenge, and encrypts the string using a one-way hashing function.

The result is returned to the server along with the client’s hostname. The server now performs the same computation, and acknowledges the client if it arrives at the same result.

92
Q

What does CHAP stand for?

A

Challenge Handshake Authentication Protocol (CHAP)

93
Q

What RFC defines the Challenge Handshake Authentication Protocol (CHAP)?

A

Defined by RFC 1994

94
Q

In the Challenge Handshake Authentication Protocol (CHAP), is authentication one way or both ways?

A

Authentication is one way, but using the same secret, negotiating CHAP in both directions can facilitate authentication in both directions.

95
Q

Why is the Challenge Handshake Authentication Protocol (CHAP) more secure than the Password Authentication Protocol (PAP)?

A

It depends on a shared secret that is not sent across the wire. This provides protection against playback attacks, since a sniffer will not know the shared secret.

96
Q

What protocol is Microsoft’s Active Directory based on?

A

Kerberos

97
Q

What RFC describes the Kerberos protocol?

A

RFC 1510

98
Q

How long has Kerberos been integrated into the Windows Operating system?

A

Since Windows 2000

99
Q

In Active Directory (Kerberos) does each domain operate in its own authentication space?

A

Yes

100
Q

In Active Directory (Kerberos) can each domain contain different users, network assets, and data objects?

A

Yes

101
Q

In Active Directory (Kerberos) how does Active Directory control access to data objects?

A

1: Users are placed into Groups.

2: Each group may be granted access to various domains within the system.

102
Q

In Active Directory (Kerberos), if a two-way trust is established between two domains, can users and data objects from each domain access groups belonging to either domain?

A

Yes

103
Q

In Active Directory (Kerberos), if a one-way trust is established between two domains, can users from the trusted domain access resources in the trusting domain?

A

Yes

104
Q

In Active Directory (Kerberos), can trusts be either transitive or non-transitive?

A

Yes

105
Q

In Active Directory (Kerberos), non-transitive trusts only exist between

A

two trust partners and nobody else.

106
Q

In Active Directory (Kerberos), transitive trusts exist between

A

the two partners and all of their partner domains.

107
Q

What are the three concepts that affect Access Control but must be addressed by an organization's procedures?

A

1: Least Privilege
2: Separation of Duties
3: Rotation of Duties

108
Q

In the Procedural Issues for Access Control context, what is Least Privilege?

A

Limiting the access of authorized users to only the data they require to perform their duties.

109
Q

In the Procedural Issues for Access Control context, what is Separation of Duties?

A

1: Allows an organization to maintain checks and balances among employees for privileged access.
2: Mandating that more than one person is required for a sensitive transaction.

110
Q

In the Procedural Issues for Access Control context, what is a Separation of Duties example?

A

Nuke Control

111
Q

In the Procedural Issues for Access Control context, what is Rotation of Duties?

A

When leadership rotates the staff through the same duties.

112
Q

In the Procedural Issues for Access Control context, what risk does Rotation of Duties mitigate?

A

Collusion

113
Q

In an Access Control context, objects have ______ for classification?

A

Labels

114
Q

In an Access Control context, name three typical labels used by governments.

A

Confidential
Secret
Top Secret

115
Q

In an Access Control context,

Unauthorized disclosure of which could reasonably expect to cause damage to national security.

is the definition of which label?

Unclassified
Sensitive But Unclassified (SBU)
Controlled Unclassified Information (CUI)
For Official Use Only (FOUO)
Confidential
Secret
Top Secret

A

Confidential

116
Q

In an Access Control context,

Unauthorized disclosure of which could reasonably expect to cause serious damage to national security.

is the definition of which label?

Unclassified
Sensitive But Unclassified (SBU)
Controlled Unclassified Information (CUI)
For Official Use Only (FOUO)
Confidential
Secret
Top Secret

A

Secret

117
Q

In an Access Control context,

Unauthorized disclosure of which could reasonably expect to cause grave damage to national security.

is the definition of which label?

Unclassified
Sensitive But Unclassified (SBU)
Controlled Unclassified Information (CUI)
For Official Use Only (FOUO)
Confidential
Secret
Top Secret

A

Top Secret

118
Q

In an Access Control context,

Which US executive order defines classification criteria?

A

Executive Order 12356 – National Security Information

119
Q

In an Access Control context,

Data that is not sensitive

is the definition of which label?

Unclassified
Sensitive But Unclassified (SBU)
Controlled Unclassified Information (CUI)
For Official Use Only (FOUO)
Confidential
Secret
Top Secret

A

Unclassified

120
Q

In an Access Control context,

Sensitive but unclassified and is not a matter of national security (Example: Healthcare).

is the definition of which label?

Unclassified
Sensitive But Unclassified (SBU)
Controlled Unclassified Information (CUI)
For Official Use Only (FOUO)
Confidential
Secret
Top Secret

A

Sensitive But Unclassified (SBU)

121
Q

In an Access Control context,

Certain types of unclassified information require access and distribution controls.

is the definition of which label?

Unclassified
Sensitive But Unclassified (SBU)
Controlled Unclassified Information (CUI)
For Official Use Only (FOUO)
Confidential
Secret
Top Secret

A

Controlled Unclassified Information (CUI)

122
Q

In an Access Control context,

Unauthorized disclosure of which could adversely impact a person’s privacy or welfare, the conduct of Federal programs, or other programs or operations essential to the national interest.

is the definition of which label?

Unclassified
Sensitive But Unclassified (SBU)
Controlled Unclassified Information (CUI)
For Official Use Only (FOUO)
Confidential
Secret
Top Secret

A

For Official Use Only (FOUO)

123
Q

In an Access Control context,

Labels enforce which CIA (Confidentiality, Integrity, Availability) Concept?

Need to Know

or

Least Privilege

A

Least Privilege

124
Q

In an Access Control context,

Compartments enforce which CIA (Confidentiality, Integrity, Availability) Concept?

Need to Know

or

Least Privilege

A

Need to Know

125
Q

In an Access Control context,

In the US Government, these programs are examples of what?

HCS
COMINT (SI)
GAMMA (G)
TALENT KEYHOLE (TK)

A

Sensitive Compartmented Information (SCI)

126
Q

In an Access Control context,

In the private sector, name two typical compartments of information.

A

Internal Use Only

Proprietary

127
Q

In an Access Control context, subjects have ______ for determining access to certain objects?

A

Clearances

128
Q

In an Access Control context,

What is a subject’s Clearance?

A

1: A determination about whether or not a person can be trusted with a specific level of information.
2: Assesses current and potential trustworthiness.

129
Q

In an Access Control context,

True or False

In many world governments, the clearance name mirrors the object label name.

A

True

130
Q

In an Access Control context,

To receive each level of clearance, subjects must undergo _____.

A

A myriad of different investigations and the collection of personal data.

131
Q

In an Access Control context,

Name three areas of investigation that are typically reviewed to get a clearance

A

1: Credit Score
2: Arrest Record
3: Neighbor and friend Interviews

132
Q

In an Access Control context,

Once the clearance investigation is complete, who makes a determination for approval?

A

An administrative judge

133
Q

In an Access Control context,

In a clearance investigation, what are two common reasons to disapprove a clearance?

A

Drug Use

Foreign Influence

134
Q

In an Access Control context,

What is the definition of a Formal Access Approval process?

A

Documented approval from the Data Owner for a subject to access certain objects.

135
Q

In an Access Control context,

In a Formal Access Approval process, name two requirements.

A

1: Requires the subject to understand the rules for accessing the data.
2: Requires the subject to understand the consequences should the data become lost, destroyed, or compromised.

136
Q

In an Access Control context,

What are two methods that you can use to control subjects' access to objects?

A

1: Rule Based Access Controls
2: Access Control Lists

137
Q

In an Access Control context,

What are Rule Based Access Controls?

A

Use a series of defined rules, restrictions, and filters for accessing objects.

The rules take the form of If-Then statements, evaluated in order.

Example: If the subject is authorized to surf the web, and the site is on the authorized list, then allow access.

138
Q

In an Access Control context,

What are Access Control Lists?

A

A list specifying which subjects may access a given object and what they may do with it. In most implementations the ACL is attached to the object and enumerates the permitted subjects and their permissions; anything not listed is denied.

Many network technologies use a form of Access Control List.
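
The two mechanisms on the cards above, rule-based control and ACLs, as a worked example. This is added code, not part of the original deck: the subjects, objects, the AUTHORIZED_SURFERS group, the AUTHORIZED_SITES list and the rules are all constructed for illustration. The ACL check is default-deny, and the If-Then rules are evaluated in order, first match wins, with a default deny when nothing matches.

```python
# Added example (not from the original deck): a default-deny ACL check and a
# small rule-based engine in the If-Then style described above. Subjects,
# objects, the surfer group, the site list and the rules are constructed.
from dataclasses import dataclass, field

# An ACL is attached to an object and lists the subjects permitted to access it
# together with the permissions each holds:  {object: {subject: {permissions}}}
ACL = {
    "payroll.xlsx": {"alice": {"read", "write"}, "bob": {"read"}},
    "handbook.pdf": {"alice": {"read"}, "bob": {"read"}, "carol": {"read"}},
}


def acl_permits(acl, subject, obj, action):
    """Default deny: access exists only where an explicit entry grants it."""
    return action in acl.get(obj, {}).get(subject, set())


@dataclass
class Request:
    subject: str
    obj: str            # the resource, e.g. a web site or a file
    action: str
    attrs: dict = field(default_factory=dict)   # context, such as a site category


# Rule-based control: ordered If-Then rules.  The first matching rule decides,
# and a request that matches no rule is denied.
AUTHORIZED_SURFERS = {"alice", "bob"}                     # assumed group
AUTHORIZED_SITES = {"intranet.example", "docs.example"}  # assumed allow list

WEB_RULES = [
    # (rule name, condition over the request, decision)
    ("deny-malware-category",
     lambda r: r.attrs.get("category") == "malware", False),
    ("allow-authorized-surfer-to-listed-site",
     lambda r: r.subject in AUTHORIZED_SURFERS and r.obj in AUTHORIZED_SITES, True),
]


def evaluate_rules(rules, request):
    """Return (decision, matched rule name); (False, 'default-deny') if no rule fires."""
    for name, condition, decision in rules:
        if condition(request):
            return decision, name
    return False, "default-deny"


def update_allow_list(sites, add=(), remove=()):
    """The routine update procedure both mechanisms need: allow lists and rules
    go stale unless maintained.  Returns a new set; the old one is untouched."""
    return (set(sites) | set(add)) - set(remove)
```

acl_permits answers "may bob write payroll.xlsx?" from the object's entry alone, while evaluate_rules answers the page's web-surfing example and also shows why rule order matters: the malware-category rule sits above the allow rule, so a listed site that is later flagged is still blocked.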

139
Q

In an Access Control context,

List three typical technologies that use Access Control Lists.

A

1: Firewalls
2: Routers
3: Border Access Devices

140
Q

In an Access Control context,

For both “Rule Based Access Control” and “Access Control Lists”, what procedure must you have in place?

A

Must plan for and implement a routine update procedure.

141
Q

In an Authentication Method context,

What is a Credential Set?

A

A Credential Set is the combination of the Identification and the Authentication of a subject.

142
Q

What are the three Access Control Categories?

A

1: Administrative or Directive
2: Technical Controls
3: Physical Controls

143
Q

What are five typical programs for the Administrative Category?

A

1: Policy
2: Procedure
3: Regulation
4: Training
5: Awareness

144
Q

What is a Technical Control?

A

automated controls that provide logical restrictions

Routers
Firewalls
Encryption
etc

145
Q

What is a Physical Control?

A

Uses physical devices to provide barriers

Locks
Fences
Gates
Security Guards
Etc

146
Q

In an Access Control Category context, what is a Preventive Control?

A

Prevents actions from occurring.

Applies restrictions to what a potential subject can do.

Applies to all potential subjects, whether authorized or not.

147
Q

In an Access Control Category context,

Give an example of an Administrative Preventive Control.

A

Pre-employment drug screening designed to prevent an organization from hiring a drug user.

148
Q

In an Access Control Category context,

Give an example of a Technical Preventive Control.

A

Establishing privileges on a system for specific subjects.

149
Q

In an Access Control Category context,

Give an example of a Physical Preventive Control.

A

A fence to protect a facility.

150
Q

In an Access Control Category context,

True or False

Preventive and Preventative are synonyms for the test.

A

True

151
Q

In an Access Control Category context,

What is a Detective Control?

A

Controls that alert during or after a successful attack.

152
Q

In an Access Control Category context,

Give two examples of Technical Detective Controls

A

1: Intrusion Detection Systems (IDS)
2: Closed Circuit TV (CCTV)

153
Q

In an Access Control Category context,

What is a Corrective Control?

A

Corrects damaged system or process.

Typically works hand-in-hand with Detective Controls

154
Q

In an Access Control Category context,

What is a Recovery Control?

A

Actions taken to recover from a security incident, for example:

Rebuilding the laptop

Restoring from tapes

155
Q

In an Access Control Category context,

Give an example that distinguishes a Corrective Control from a Recovery Control.

A

An Intrusion Detection System alerts to a possible attack on port 446 and the port is blocked (Corrective). Anti-Virus then discovers that the target is still infected, so the machine has to be rebuilt (Recovery).

156
Q

In an Access Control Category context,

What is a Deterrent Control?

A

Deter subjects from performing actions on a system.

157
Q

In an Access Control Category context,

What is a Physical Deterrent Example?

A

Beware of Dog Sign

158
Q

In an Access Control Category context,

What are two Administrative Deterrent Examples?

A

1: Large fines for speeding
2: A sanction policy stating that employees will be fired for surfing porn sites.

159
Q

In an Access Control Category context,

What is a Compensating Control?

A

Additional controls put in place to compensate for other control weaknesses.

160
Q

In an Access Control Category context,

Name the three Authentication Types and the extra one.

A

Type 1: Something You Know

Type 2: Something You Have

Type 3: Something You Are

Extra: Some Place You Are

161
Q

In an Access Control Category context,

What is Strong Authentication?

A

Using two or more of the three types of authentication together (two is the common case):

Type 1: Something You Know

Type 2: Something You Have

Type 3: Something You Are

Extra: Some Place You Are

162
Q

In an Access Control Category context,

What is Something You Know?

A

Requires testing the subject with some sort of Challenge and Response.

163
Q

In an Access Control Category context,

What are four typical Challenge and Response Mechanisms for Something You Know?

A

1: Static Password
2: Passphrase
3: One Time Password
4: Dynamic Passwords


164
Q

In an Access Control Category context,

What is a static password?

A

Reusable and may not expire.

User generated

165
Q

In an Access Control Category context,

What are two weaknesses to a static password?

A

1: Good ones are hard to remember; Subjects may be tempted to write them down in order to remember them.
2: Inherently limited, regardless of the complexity, because it can be stolen.

166
Q

In an Access Control Category context,

What is the easiest and often weakest form of authentication?

Static Passwords
Passphrase
One Time Password
Dynamic Passwords

A

Static Passwords

167
Q

In an Access Control Category context,

What is another name for Strong Authentication?

A

multi-factor authentication

168
Q

In an Access Control Category context,

What is a password hash?

A

Typically, clear text passwords are not stored on IT systems; their hashes are.

Hashing is a one-way function: it uses an algorithm and no key, and the hash cannot be reversed to recover the password (it can only be matched by hashing candidate passwords and comparing the results).

169
Q

In an Access Control Category context,

What does Microsoft LanMan do to passwords before it creates the hash?

A

Converts all passwords to uppercase before hashing. (It also pads or truncates the password to 14 characters and splits it into two 7-character halves that are hashed independently, which shrinks the effective keyspace drastically.)

170
Q

In an Access Control Category context,

What is password cracking?

A

The attacker guesses candidate passwords, runs each through the hash algorithm, and compares the results against the stolen hash; a match reveals the password.

171
Q

In an Access Control Category context,

What are three password cracking techniques?

A

1: Dictionary Attacks
2: Brute Force Attacks
3: Hybrid Attacks

172
Q

In a Password Cracking context,

what is a Dictionary Attack?

A

The attacker uses a predefined list of words, runs each through the hash algorithm, and compares the results against the stolen hash.

173
Q

In a Password Cracking context,

what is a mitigating control against a Dictionary Attack?

A

Subjects can thwart a plain dictionary attack by choosing passwords that are not dictionary words, for example by adding special characters. This is only a partial mitigation: hybrid attacks target exactly the simplest such substitutions.

174
Q

In a Password Cracking context,

What is a Brute Force attack?

A

The attacker tries every possible combination of characters up to a given length, hashing each candidate. The resulting hashes may be precomputed once and stored in Rainbow Tables for reuse.

175
Q

In a Password Cracking context,

What is a Rainbow Table?

A

A precomputed table mapping hashes back to the plaintexts that produced them (stored as compressed hash chains), so that a stolen hash can be looked up instead of recomputed. It only works against unsalted hashes.

176
Q

In a Password Cracking context,

What are two weaknesses of Brute Force Attacks?

A

1: Take time
2: Rainbow Tables may not be complete.

177
Q

In a Password Cracking context,

What is more effective:

Brute Force Attacks

or

Dictionary Attacks?

A

Brute Force Attacks: given enough time they always succeed, whereas a dictionary attack is faster but may never contain the password.

178
Q

In a Password Cracking context,

What is a Hybrid Attack?

A

Taking a dictionary list and applying mangling rules to each word, such as replacing the letter “o” with the digit “0” or appending digits, and hashing each variant.

179
Q

In a Password Cracking context,

Where does UNIX typically store password hashes?

A

Typically stores password hashes in /etc/shadow only accessible by root.

180
Q

In a Password Cracking context,

Where does Windows typically store password hashes?

A

Local account hashes are stored in the Security Account Manager (SAM) database; domain account hashes are held on the Domain Controller (in Active Directory, the NTDS.dit database).

If a subject cannot reach the Domain Controller, the local system may authenticate the subject with locally cached domain credentials.

181
Q

In a Password Cracking context,

What is a mitigating control against offline Brute Force Attacks?

A

Access to the SAM database and the shadow file should be limited, since the attacker needs the hashes before any offline cracking can begin.

182
Q

In a Password Cracking context,

What is the SAM file on Windows Systems?

A

The Security Account Manager (SAM) database, which stores the hashes of local account passwords.

183
Q

In a Password Cracking context,

What is the Shadow file on UNIX Systems?

A

/etc/shadow, which stores the password hashes (with their salts and password-aging data) and is readable only by root.

184
Q

In a Password Cracking context,

What are two tools used by attackers to extract or crack the SAM (Security Account Manager) database on Windows?

A

fgdump

“Cain and Abel”

185
Q

In a Password Cracking context,

What is a Salt?

A

A random value combined with the password before hashing, so that two subjects using the same password generate completely different hashes. UNIX/Linux systems store the salt alongside the hash.

186
Q

In a Password Cracking context,

What is a mitigating control on UNIX/Linux systems against Brute Force Attacks?

A

Salts

Precomputed tables become useless, and the attacker has to hash each candidate password separately for every salt in use.
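
The cracking techniques and the salt defence from cards 170 through 186, as an added worked example that is not part of the original deck. SHA-256 stands in for whatever hash the target system actually uses, and the word list, the passwords and the salts are all constructed; the point is the relative reach of each technique and why a salt makes a precomputed table worthless.

```python
# Added example (not from the original deck): dictionary, hybrid and brute-force
# cracking against a stolen hash, and how a salt defeats precomputed tables.
# SHA-256 stands in for the real hash function; the word list, passwords and
# salts are constructed for illustration.
import hashlib
import itertools
import string


def hash_password(password, salt=""):
    """Unsalted (salt="") mirrors a LanMan/NTLM-style store; with a salt it
    mirrors the UNIX /etc/shadow approach of hashing salt || password."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


WORDLIST = ["password", "letmein", "welcome", "dragon", "monkey"]   # constructed


def dictionary_attack(target_hash, wordlist, salt=""):
    """Hash each word of a predefined list and compare with the stolen hash."""
    for word in wordlist:
        if hash_password(word, salt) == target_hash:
            return word
    return None


def mangle(word):
    """Hybrid-attack rules: the word itself, a capitalised form, the o->0
    substitution from the card, and common numeric or symbol suffixes."""
    variants = [word, word.capitalize(), word.replace("o", "0")]
    for base in list(variants):
        for suffix in ("1", "123", "!"):
            variants.append(base + suffix)
    return variants


def hybrid_attack(target_hash, wordlist, salt=""):
    for word in wordlist:
        for candidate in mangle(word):
            if hash_password(candidate, salt) == target_hash:
                return candidate
    return None


def brute_force(target_hash, alphabet, max_len, salt=""):
    """Exhaustive search of every string up to max_len: always succeeds if the
    password lies in the keyspace, at a cost of len(alphabet)**length hashes."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hash_password(candidate, salt) == target_hash:
                return candidate
    return None


def build_lookup_table(wordlist):
    """Precomputation: hash -> plaintext, built once and reused against every
    stolen unsalted hash.  A rainbow table compresses this with hash chains,
    but its dependency on unsalted hashes is the same."""
    return {hash_password(c): c for w in wordlist for c in mangle(w)}


def demo():
    """Run each technique against constructed hashes and return the outcomes."""
    out = {}
    out["dictionary"] = dictionary_attack(hash_password("dragon"), WORDLIST)
    mangled = hash_password("drag0n1")
    out["dictionary_vs_mangled"] = dictionary_attack(mangled, WORDLIST)   # misses
    out["hybrid"] = hybrid_attack(mangled, WORDLIST)                      # finds it
    out["brute"] = brute_force(hash_password("zq7"),
                               string.ascii_lowercase + string.digits, 3)
    table = build_lookup_table(WORDLIST)
    out["table_unsalted"] = table.get(hash_password("monkey"))
    # Two users with the same password but different salts:
    salted_a = hash_password("monkey", "x9Q2")
    salted_b = hash_password("monkey", "Lm4p")
    out["salted_hashes_differ"] = salted_a != salted_b
    out["table_salted"] = table.get(salted_a)             # precomputation wasted
    out["per_salt_crack"] = dictionary_attack(salted_a, WORDLIST, salt="x9Q2")
    return out
```

demo() shows the dictionary attack failing on "drag0n1" where the hybrid attack succeeds, the brute force finding a short password regardless of its content, and the precomputed table answering an unsalted hash instantly but returning nothing for the salted one, which the attacker then has to crack separately for every salt.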

187
Q

In a Password Cracking context,

According to both Microsoft and the US Department of Defense,

how many previous passwords should the OS remember?

A

24

188
Q

In a Password Cracking context,

According to both Microsoft and the US Department of Defense,

what is the maximum number of days a password may be used?

A

90

189
Q

In a Password Cracking context,

According to both Microsoft and the US Department of Defense,

what is the minimum number of days a password must be used, so that subjects cannot cycle through their 24-entry password history in one session to get back to their original password?

A

2

190
Q

In a Password Cracking context,

According to both Microsoft and the US Department of Defense,

what is the minimum number of characters in a password?

A

8

191
Q

In a Password Cracking context,

According to both Microsoft and the US Department of Defense,

True or False

Passwords must meet complexity requirements.

A

True

192
Q

What is Type 2 Authentication (Something You Have)?

A

Requires something that a user possesses.

193
Q

In an Access Control Category context,

What is Type 1 Authentication?

A

Type 1: Something You Know

194
Q

In an Access Control Category context,

What is Type 2 Authentication?

A

Type 2: Something You Have

195
Q

In an Access Control Category context,

What is Type 3 Authentication?

A

Type 3: Something You Are

196
Q

In an Access Control Category context,

What is an extra type of authentication besides the first three?

A

Extra: Some Place You Are

197
Q

In a Type 2 Authentication (Something You Have) context,

What is a token?

A

An object that helps prove an identity claim.

198
Q

In a Type 2 Authentication (Something You Have) context,

Name three examples of typical tokens

A

Car Keys
Credit Cards
Paper Documents

199
Q

In a Type 2 Authentication (Something You Have) context,

What is a Synchronous Dynamic Token?

A

Uses time or counters to synchronize a displayed token code with the same code on an authentication server.

200
Q

In a Type 2 Authentication (Something You Have) context,

What is a Time-Based Synchronous Dynamic Token?

A

Codes change frequently

The authentication server knows the serial number of each authorized token, the subject associated to it and the time. With these three parameters, it can predict the valid dynamic code for each token.

201
Q

In a Type 2 Authentication (Something You Have) context,

What is a Counter-Based Synchronous Dynamic Token?

A

The token and the server share a counter that advances with each use: the Authentication Server expects the code for counter 1 first, then counter 2, then counter 3, and so on.

202
Q

In a Type 2 Authentication (Something You Have) context,

With both Time-based and Counter-based Synchronous Dynamic Tokens

What are the typical two factors used?

A

1: Authentication pair (username and password/pin) (Something they know)
2: The dynamic token code (Something they have).

203
Q

In a Type 2 Authentication (Something You Have) context,

What is an Asynchronous Dynamic Token?

A

A token that is not synchronized with the authentication server by time or counter.

204
Q

In a Type 2 Authentication (Something You Have) context,

with an Asynchronous Dynamic Token model, what is the typical method called?

A

A challenge-response Token

205
Q

In a Type 2 Authentication (Something You Have) context,

how does the Asynchronous Dynamic Token challenge-response model work?

A

1: Subject enters username (Identity Claim)
2: System sends a challenge
3: Subject enters the challenge and a PIN into the token (Something you know [Type 1] and something you have [Type 2])
4: Token generates the response, which the subject sends to the system

206
Q

What is Type 3 Authentication (Something You Are)?

A

Biometrics

207
Q

What is Biometrics?

A

Uses physical characteristics as a means of Identification or Authentication.

From the Greek words bios (life) and metric (measurement).

208
Q

What is a weakness in Type 1 Authentication (Something You Know)?

A

The subject has to remember a password.

209
Q

What is one pro of biometrics over Type 1 Authentication (Something You Know)

A

Eliminates the need for the subject to remember a password.

210
Q

True or False

Biometric data is considered PII and should be protected accordingly.

A

True

211
Q

Name 5 characteristics of a good Biometric System

A

1: Must be reliable and resistant to counterfeiting.
2: The data storage requirement (template or file size) should be small (1000 bytes or less).
3: Should not cause undue psychological stress (Retina scans are rarely used for this reason)
4: Must be useable by all staff or compensating controls must exist.
5: Any biometric that facilitates the exchange of body fluids is a serious negative (Retina Scans, Fingerprint scans).

212
Q

In a biometric context,

what is enrollment?

A

A one-time process to register with a biometric system that should take less than two minutes

Creating the account with Identity-Authentication pair associated with the biometric information.

213
Q

In a biometric context,

what is Throughput?

A

Describes the process of authenticating with a biometric system, measured as the time the system takes to accept or reject a subject.

214
Q

In a biometric context,

what is good Throughput number?

A

The biometric response time should be no more than 6-10 seconds.

215
Q

What are the three biometric accuracy metrics?

A

1: False Reject Rate (FRR) (Type I Errors)
2: False Accept Rate (FAR) (Type II Errors)
3: Crossover Error Rate (CER)

216
Q

In a biometric accuracy metric context,

what is a FRR

A

False Reject Rate (FRR) (Type I Errors)

217
Q

In a biometric accuracy metric context,

what type of error is Type I Error?

A

False Reject Rate (FRR) (Type I Errors)

218
Q

In a biometric accuracy metric context,

what type of error is Type II Error?

A

False Accept Rate (FAR) (Type II Errors)

219
Q

In a biometric accuracy metric context,

what is a Type II Error?

A

False Accept Rate (FAR) (Type II Errors)

220
Q

In a biometric accuracy metric context,

What is False Reject Rate (FRR) (Type 1 Error)?

A

The rate at which an authorized subject is rejected by the biometric system.

221
Q

In a biometric accuracy metric context,

What are three problems high False Reject Rates (FRR) (Type 1 Errors) cause?

A

1: Authorized subject frustration
2: Reduction in work due to poor access conditions
3: Expenditure of resources to revalidate authorized users

222
Q

In a biometric accuracy metric context,

What is the main problem with any False Accept Rates (FARs) (Type 2 Errors)?

A

Unauthorized subjects gain access to the system.

223
Q

In a biometric accuracy metric context,

What is worse?

False Reject Rate (FRR) (Type 1 Errors)

False Accept Rates (FARs) (Type 2 Errors)?

A

A False Accept Rate (FAR – Type 2 Error) is worse than a False Reject Rate (FRR – Type 1 Error) because it is better to reject a legitimate subject than to accept an impostor.

224
Q

In a biometric accuracy metric context,

What is the Crossover Error Rate (CER)?

A

The point where the False Reject Rate (FRR – Type I Error) and False Accept Rate (FAR – Type 2 Error) are equal.

225
Q

In a biometric accuracy metric context,

What is another name for the Crossover Error Rate (CER)?

A

Equal Error Rate (EER)

226
Q

In a biometric accuracy metric context,

What is the purpose of the Crossover Error Rate (CER)?

A

Crossover Error Rate (CER) is a comparison metric for different biometric devices and technologies.

227
Q

In a biometric accuracy metric context,

What is the significance of the Crossover Error Rate (CER)?

A

As the matching threshold of an identification device is made stricter (the device more sensitive), its FAR decreases while its FRR increases. The CER is the point at which these two rates are equal, or cross over.

Using the CER as an impartial judgment of a biometric system helps create standards by which products from different vendors can be fairly judged and evaluated.
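
FRR, FAR and the crossover point computed from match scores, as an added example that is not part of the deck. The GENUINE and IMPOSTOR score lists and the 0-100 score scale are constructed; the code shows the trade-off the card describes and one way to tune for a FAR ceiling first, since a false accept is the worse error.

```python
# Added example (not from the original deck): FRR, FAR and the crossover error
# rate computed from constructed match scores on a hypothetical 0-100 scale.

# GENUINE: enrolled subjects matched against their own template.
# IMPOSTOR: other people matched against that template.  Both constructed.
GENUINE = [92, 88, 95, 81, 77, 90, 85, 69, 93, 87, 79, 96, 84, 91, 73, 89]
IMPOSTOR = [31, 45, 52, 28, 60, 39, 71, 48, 35, 55, 42, 66, 50, 37, 58, 44]


def frr(genuine, threshold):
    """False Reject Rate (Type I): authorized subjects scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """False Accept Rate (Type II): impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_curve(genuine, impostor, lo=0, hi=101):
    """(threshold, FRR, FAR) for every candidate threshold.  As the threshold is
    made stricter FAR falls and FRR rises; the two curves cross once."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in range(lo, hi)]


def crossover(genuine, impostor):
    """Crossover (Equal) Error Rate: the threshold where FRR and FAR meet.
    Returns (threshold, rate); on a tie the lower threshold is reported."""
    t, r, a = min(error_curve(genuine, impostor),
                  key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, (r + a) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """A false accept is the worse error, so fix a FAR ceiling first and accept
    whatever FRR follows.  Returns (threshold, FRR, FAR), or None if unreachable."""
    for t, r, a in error_curve(genuine, impostor):
        if a <= max_far:
            return t, r, a
    return None
```

On the constructed data a strict threshold of 90 rejects 62.5% of genuine attempts while admitting no impostor, a lenient threshold of 40 does the reverse, and the curves cross at a threshold of 70 with 6.25% error on both sides; that 6.25% is the single number you would quote when comparing this matcher with another vendor's.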

228
Q

In a biometric context,

What are 8 typical biometric controls?

A

1: Fingerprints
2: Retina Scan
3: Iris Scan
4: Hand Geometry
5: Keyboard Dynamics
6: Dynamic Signature
7: Voice Prints
8: Facial Scans

229
Q

In a biometric context,

What is the widely used Biometric Control today?

A

1: Fingerprints

230
Q

In a biometric context,

How do fingerprint scans work?

A

The data stored is a mathematical representation of fingerprint minutiae (Friction Ridges) like

Whorls
Ridges
Bifurcation

231
Q

In a biometric context,

How do retina scans work?

A

A laser scan of the capillaries which feed the retina of the back of the eye; Maps the blood vessels of the eye.

232
Q

In a biometric context,

Why are retina scans rarely used?

A

Retina scans are rarely used because of the health risks and invasion-of-privacy issues.

233
Q

In a biometric context,

How do Iris scans work?

A

A passive biometric control where a camera takes a picture of the iris (the colored portion of the eye). The system compares the picture to the stored info in the database.

234
Q

In a biometric context,

Name 4 pros to Iris scans?

A

1: It works through contact lenses and glasses.
2: High accuracy
3: Passive (May be done without the subject knowing)
4: No exchange of body fluids.

235
Q

In a biometric context,

How do Hand Geometry scans work?

A

A passive biometric control that takes measurements from specific points in the hand.

Length

Width

Thickness

Surface Area

236
Q

In a biometric context,

Name one pro for Hand Geometry scans?

A

Simple devices where the stored information (template or file size) is very small.

237
Q

In a biometric context,

How do Keyboard Dynamics systems work?

A

Measures how hard a subject presses each key and the rhythm that each key is pressed.

238
Q

In a biometric context,

Name two pros to Keyboard Dynamics systems?

A

1: Cheap to implement
2: Reliable but not perfect.

239
Q

In a biometric context,

How do Dynamic Signature system work?

A

Measures the process by which a subject signs his name. It is similar to Keyboard Dynamics. It measures

Time
Pressure
Loops
Beginning and end points

240
Q

In a biometric context,

Name two pros to Dynamic Signature systems?

A

1: Cheap to implement
2: Reliable but not perfect.

Similar to Keyboard Dynamics systems

241
Q

In a biometric context,

How do Voice Print systems work?

A

Measures the subject’s tone of voice while saying a specific sentence or phrase

242
Q

In a biometric context,

Name two cons to Voice Print systems?

A

1: Vulnerable to replay attacks
2: Vulnerable to changes in the subject’s voice due to illness.

243
Q

In a biometric context,

Name a countermeasure to a Voice Print replay attack.

A

The system prompts the subject to repeat randomly chosen words, so a recorded phrase cannot simply be replayed.

244
Q

In a biometric context,

How do facial scan systems work?

A

Passively takes a picture of the subject’s face and compares it to other pictures in a stored database.

Uses facial geometry to distinguish between faces.

Measures unique distances between facial features compared to the size of the face.

245
Q

In a biometric context,

Name one pro to facial scan systems?

A

Disguises do not fool it.

246
Q

In a biometric context,

Name one con to facial scan systems?

A

Expensive

247
Q

In a biometric context,

What is a good use for facial scan systems?

A

Not typically used for Biometric authentication control because of the high cost but is a good solution for very important systems.

248
Q

In an Authentication Type context,

What is the extra authentication type besides Types 1, 2 and 3?

A

Authentication: Somewhere You Are

249
Q

In an Authentication Type context,

How do Authentication (Somewhere You Are) systems work?

A

Global Positioning System (GPS)
IP-Based Geo-location
Physical location of Point of Sale Devices

To deny access if the subject is in the wrong location.

250
Q

In an Access Control Technologies context,

What is a Single Sign-On (SSO) system?

A

Allows multiple subjects to use a central authentication server (AS) to access and maintain multiple systems.

251
Q

In an Access Control Technologies context,

Name three benefits to Single Sign-On (SSO) systems?

A

1: Improved User Productivity because subjects do not have to remember Identity – Authentication pairs for multiple systems.
2: Improved Developer Productivity because a common authentication framework is provided.
3: Simplified Administration because system admins only have to maintain one system.

252
Q

In an Access Control Technologies context,

Name three disadvantages to Single Sign-On (SSO) systems?

A

1: Difficult to retrofit; especially legacy systems.
2: Unattended Computer: With SSO, if a subject walks away from his computer, then anybody could have access to all of his resources. With a Multiple Sign On system, the damage is limited to only the one device.
3: Single point of Attack: A hacker only has to compromise one system to have the keys to the city.

254
Q

In an Access Control Technologies context,

What is Kerberos?

A

It is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder.

255
Q

In an Access Control Technologies context,

What is Kerberos named after in Greek mythology?

A

The name (also spelled Cerberus) of the three-headed dog in Greek mythology that guards the entrance to Hades.

256
Q

In an Access Control Technologies context,

What do the three heads of Cerberus signify in the Kerberos system?

A

Authentication

Authorization

Accountability

but the original Kerberos only provided authentication.

or

The Client

the KDC (Key Distribution Center)

and the server

257
Q

In an Access Control Technologies context,

Name three advantages of the Kerberos system?

A

1: Provides AAA services (the original Kerberos provided authentication only) while preventing eavesdropping attacks.
2: Provides for data stream integrity (detection of modification)
3: Prevents unauthorized Reading

258
Q

In an Access Control Technologies context,

In the Kerberos system, what is a Principal?

A

Client or Service

259
Q

In an Access Control Technologies context,

In the Kerberos system,

what is a Realm?

A

A logical Kerberos network;

260
Q

In an Access Control Technologies context,

Does the Kerberos system use

Asymmetric or Symmetric encryption?

A

All entities have a common shared secret in order to communicate with trust.

All messages are encrypted using Symmetric Key Encryption (Not PKI).

261
Q

In an Access Control Technologies context,

with the Kerberos system,

what is a Ticket?

A

Data that authenticates a principal’s identity.

262
Q

In an Access Control Technologies context,

with the Kerberos system,

what is a Credential?

A

A Ticket together with its associated Session Key.

263
Q

In an Access Control Technologies context,

with the Kerberos system,

what is the KDC?

A

Key Distribution Center

264
Q

In an Access Control Technologies context,

with the Kerberos system,

what does the Key Distribution Center do?

A

Authenticates principals by storing a cryptographic key known only to the security principal and the KDC. This key is used in exchanges between the security principal and the KDC and is known as a long term key.

265
Q

In an Access Control Technologies context,

with the Kerberos system,

How is the Long Term Key derived

A

from a user’s logon password.

266
Q

In an Access Control Technologies context,

with the Kerberos system,

what is the TGT

A

Ticket Granting Ticket

267
Q

In an Access Control Technologies context,

with the Kerberos system,

what does the TGT (Ticket Granting Ticket) do?

A

Allows the client to request service tickets and is analogous to a passport - i.e. it is valid for a certain period after which it expires; however once the TGT has been issued, there is no further use of passwords or other logon factors.

268
Q

In an Access Control Technologies context,

with the Kerberos system,

name two attacks that Kerberos does not protect against

A

1: “Denial of service” attacks
2: “Password guessing” attacks

269
Q

In an Access Control Technologies context,

with the Kerberos system,

name three assumptions that Kerberos uses in its design

A

1: Principals must keep their secret keys secret.
2: Each host on the network must have a clock which is “loosely synchronized” to the time of the other hosts
3: Principal identifiers are not recycled on a short-term basis.

270
Q

In an Access Control Technologies context,

with the Kerberos system,

name four reasons why authentication is secure

A

1: Passwords do not appear as plaintext
2: Does not rely on authentication by the host operating system
3: Does not base trust on IP addresses
4: Does not require physical security of the network hosts

271
Q

In an Access Control Technologies context,

with the Kerberos system,

name four strengths

A

1: Provides mutual authentication
2: Defends against Rogue KDCs because passwords are never passed across the network
3: Mitigates replay attacks because of the use of timestamps.
4: Stateless: credentials issued by the TGS or the KDC are good for the lifetime even if those systems are down.

272
Q

In an Access Control Technologies context,

with the Kerberos system,

name four weaknesses

A

1: The KDC stores the plaintext keys of all principals (a single point of failure and of compromise).
2: Replay attacks are still possible for the lifetime of the authenticator.
3: In version 4, any user may request a ticket for any principal. Eve requests one for Alice; the KDC replies with material encrypted under Alice’s secret key, which Eve can then try to brute force offline.

In version 5, Kerberos added pre-authentication as one additional step: Alice first encrypts the current time with her key, and if the authenticator’s timestamp is off by more than the allowed clock skew (usually set to 5 minutes), the request is rejected.

4: Does not mitigate a malicious local host; plaintext keys may exist in memory, and a malicious local user or process may be able to steal locally cached credentials.

273
Q

In an Access Control Technologies context,

with the Kerberos system,

Describe the authentication process

A

Client → KRB_AS_REQ (Authenticator Alice Secret Key, Alice’s SID) → KDC

KDC → Uses Alice’s SID to lookup Alice’s Secret Key

KDC → Decrypts (Authenticator Alice Secret Key) with Alice Secret Key.
If successful,

KDC → KRB_AS_REP (TGT)TGS Secret Key → Client

KDC → KRB_AS_REP (Session Key)Alice Secret Key → Client

If Alice cannot decrypt (Session Key)Alice Secret Key, then the session key is invalid (Rogue KDC)

If Alice can decrypt, Alice now has a valid Session Key.

274
Q

In an Access Control Technologies context,

with the Kerberos system,

Describe The Ticket-Granting Service Exchange

A

Client → KRB_TGS_REQ (TGT)TGS Secret Key , Resource Request → TGS

TGS → Decrypts (TGT)TGS Secret Key , with its own TGS Secret Key.

If successful,
TGS → KRB_TGS_REP (Service Ticket)Resource Secret Key → Client

275
Q

In an Access Control Technologies context,

with the Kerberos system,

Describe Getting access to a resource

A

Client → KRB_AP_REQ (Service Ticket)Resource Secret Key → Resource

Resource → Decrypts (Service Ticket)Resource Secret Key with its own Resource Secret Key

If Successful, the Resource knows the request is authenticated

Resource → Checks if Alice is authorized to use the resource.
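
The three exchanges on cards 273 through 275 run end to end, as an added example that is not part of the deck. The cipher is a stdlib-only toy (HMAC keystream plus HMAC tag) standing in for the Kerberos encryption types, the long-term key derivation is a simplified stand-in for string2key, and the realm (alice, bob, the files service, their passwords and the clock) is constructed. It shows the Kerberos 5 points the cards make: pre-authentication, the timestamped authenticator with a 5-minute skew window, a replay cache, the service decrypting only its own ticket, and authorization being decided separately from authentication.

```python
# Added example (not from the original deck): AS, TGS and AP exchanges with a
# toy cipher standing in for the Kerberos etypes. Realm, keys and clock are
# constructed; the key derivation is a simplified stand-in for string2key.
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300  # seconds; the usual 5-minute tolerance on authenticator timestamps

def _prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    return b"".join(_prf(key, nonce + i.to_bytes(4, "big")) for i in range(length // 32 + 1))

def seal(key, obj):
    """Toy authenticated encryption (HMAC keystream, then HMAC tag); stands in for the etypes."""
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(_prf(key, b"enc"), nonce, len(pt))))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    """Rejects anything not sealed under exactly this key (impostor at the AS, rogue KDC at the client)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise PermissionError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct)))))

def check_authenticator(auth, client, now, replay_cache):
    """Kerberos 5 rules: never seen before, right client, timestamp inside the skew window."""
    if (auth["client"], auth["ts"]) in replay_cache:
        raise PermissionError("replayed authenticator")
    if auth["client"] != client or abs(auth["ts"] - now()) > CLOCK_SKEW:
        raise PermissionError("authenticator rejected")
    replay_cache.add((auth["client"], auth["ts"]))

class KDC:
    """AS and TGS on one host (as in Active Directory); holds every principal's long-term key."""
    def __init__(self, principals, now):
        self.keys, self.now, self.seen = dict(principals), now, set()
        self.keys["krbtgt"] = os.urandom(32)  # the TGS secret key
    def as_exchange(self, client, preauth):
        """KRB_AS_REQ -> KRB_AS_REP. Pre-authentication: a fresh timestamp sealed under the client's key."""
        key = self.keys[client]
        if abs(unseal(key, preauth)["ts"] - self.now()) > CLOCK_SKEW:
            raise PermissionError("pre-authentication failed")
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": client, "session": session})
        return tgt, seal(key, {"session": session})  # (TGT)TGS key and (session key)client key
    def tgs_exchange(self, tgt, authenticator, service):
        """KRB_TGS_REQ -> KRB_TGS_REP. Issues a service ticket; decides nothing about authorization."""
        t = unseal(self.keys["krbtgt"], tgt)
        session = bytes.fromhex(t["session"])
        check_authenticator(unseal(session, authenticator), t["client"], self.now, self.seen)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session": svc_session})
        return ticket, seal(session, {"session": svc_session})

class Service:
    def __init__(self, name, key, authorized, now):
        self.name, self.key, self.authorized, self.now, self.seen = name, key, set(authorized), now, set()
    def ap_exchange(self, ticket, authenticator):
        """KRB_AP_REQ: decrypt the ticket with our own key, check the authenticator, then authorize."""
        t = unseal(self.key, ticket)
        check_authenticator(unseal(bytes.fromhex(t["session"]), authenticator), t["client"], self.now, self.seen)
        return t["client"] in self.authorized  # authenticated is not the same as authorized

class Client:
    def __init__(self, name, password, now):
        self.name, self.now = name, now
        self.key = hashlib.sha256(password.encode()).digest()  # long-term key from the password (simplified)
    def login(self, kdc):
        self.tgt, rep = kdc.as_exchange(self.name, seal(self.key, {"ts": self.now()}))
        self.session = bytes.fromhex(unseal(self.key, rep)["session"])  # fails against a rogue KDC
    def request(self, kdc, service):
        """Get a service ticket and return it with a fresh authenticator for KRB_AP_REQ."""
        auth = lambda k: seal(k, {"client": self.name, "ts": self.now()})
        ticket, rep = kdc.tgs_exchange(self.tgt, auth(self.session), service.name)
        return ticket, auth(bytes.fromhex(unseal(self.session, rep)["session"]))

def demo():
    """Constructed realm: alice is authorized on 'files', bob is not, 'eve' guesses alice's password."""
    clock = [1_700_000_000.0]
    now = lambda: clock[0]
    alice, bob = Client("alice", "correct horse", now), Client("bob", "battery staple", now)
    kdc = KDC({"alice": alice.key, "bob": bob.key, "files": os.urandom(32)}, now)
    files = Service("files", kdc.keys["files"], authorized={"alice"}, now=now)
    alice.login(kdc)
    bob.login(kdc)
    ticket, auth = alice.request(kdc, files)
    out = {"alice": files.ap_exchange(ticket, auth), "bob": files.ap_exchange(*bob.request(kdc, files))}
    clock[0] += 1                               # a fresh authenticator needs a new timestamp
    ticket2, auth2 = alice.request(kdc, files)
    clock[0] += 2 * CLOCK_SKEW                  # now well outside the skew window
    for label, action in (("replay", lambda: files.ap_exchange(ticket, auth)),
                          ("stale", lambda: files.ap_exchange(ticket2, auth2)),
                          ("eve", lambda: Client("alice", "wrong guess", now).login(kdc))):
        try:
            out[label] = action()
        except PermissionError as e:
            out[label] = str(e)
    return out
```

demo() returns alice admitted, bob authenticated but refused by the service's own authorization check, a re-presented authenticator rejected by the replay cache, a valid ticket presented ten minutes late rejected for clock skew, and an AS request under the wrong key rejected at pre-authentication before any TGT is issued (the Kerberos 4 offline-guessing weakness from card 272).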

276
Q

In an Access Control Technologies context,

with the Kerberos system and Active Directory.

Are the TGS and the KDC on the same server

(True or False)

A

True

277
Q

In an Access Control Technologies context,

with the Kerberos system,

Does the TGS authorize the principal to use a resource?

A

No

Note: The TGS cannot determine if the user will be able to get access to the target server. It simply returns a valid ticket. Authentication does not imply authorization.

278
Q

In an Access Control Technologies context,

what does SESAME stand for?

A

Secure European System for Applications in a Multi-vendor Environment

279
Q

In an Access Control Technologies context,

what is SESAME?

A

A sequel to Kerberos that adds asymmetric public key encryption.

Mitigates Kerberos’s weakness of storing symmetric plaintext keys on the KDC.

280
Q

In an Access Control Technologies context,

what does SESAME use in place of the Kerberos Tickets?

A

Uses Privilege Attribute Certificates (PACs) in place of the Kerberos Tickets.

281
Q

In an Access Control Technologies context,

What is one of the easiest ways to verify that access controls are working?

A

Audit security logs

282
Q

In an Access Control Technologies context,

name seven typical hardware and software devices that generate useful security logs

A

1: AV
2: IDS/IPS
3: Remote Access Software
4: Web Proxy
5: Vulnerability Management
6: Authentication Servers
7: Routers and Firewalls

283
Q

In an Access Control Technologies context,

name six useful items to log on an operating system

A

1: System Events
2: Audit Records
3: Applications
4: Client Requests and Server Responses
5: Usage Information
6: Significant Operational Actions

284
Q

In an Access Control Technologies context,

name five typical mistakes made during log analysis?

A

1: Logs are not reviewed on a timely or regular basis
2: Logs are not stored for long enough periods
3: Logs are not standardized or viewable by correlation toolsets
4: Log entries and alerts are not prioritized.
5: Logs are only reviewed for the bad stuff.
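
Card 281 says to audit the security logs and card 284 lists what goes wrong when doing so; this added example (not from the deck) turns a review of sshd-style authentication logs into detection logic. The log lines, hostname and addresses are constructed and the thresholds are illustrative choices. The two detections speak to items 4 and 5 of the card: every alert carries a priority, and a successful login after a run of failures, the line a "bad stuff only" review never looks at, is rated above the failures themselves.

```python
# Added example (not from the original deck): authentication-log review as
# detection logic. The log lines, host and addresses are constructed; the
# window and threshold are illustrative.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG = """\
Mar 10 02:14:01 bastion sshd[1123]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:03 bastion sshd[1123]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar 10 02:14:05 bastion sshd[1125]: Connection closed by 203.0.113.7 port 51024 [preauth]
Mar 10 02:14:06 bastion sshd[1126]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar 10 02:14:09 bastion sshd[1127]: Failed password for deploy from 203.0.113.7 port 51030 ssh2
Mar 10 02:14:12 bastion sshd[1128]: Failed password for deploy from 203.0.113.7 port 51034 ssh2
Mar 10 02:14:20 bastion sshd[1130]: Accepted password for deploy from 203.0.113.7 port 51040 ssh2
Mar 10 02:15:00 bastion sshd[1140]: Accepted publickey for alice from 198.51.100.5 port 40022 ssh2
Mar 10 02:16:00 bastion sshd[1141]: Failed password for alice from 198.51.100.5 port 40030 ssh2
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+")


def parse(line, year=2024):
    """Normalise one syslog line into a dict (item 3 on the card: make the format
    uniform before correlating).  Returns None for lines this detector does not
    model.  Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect(lines, window=timedelta(minutes=5), threshold=5):
    """Two detections over a sliding window per source address:
    (1) `threshold` failures inside `window` -> brute force, medium priority;
    (2) a success from a source with recent failures -> high priority, because
    the failures alone say 'attack', the success says 'attack may have worked'.
    Returns alerts sorted by priority."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts, fired = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) >= threshold and ev["src"] not in fired:
                fired.add(ev["src"])   # one alert per source, not one per extra failure
                alerts.append(("medium", "bruteforce", ev["src"],
                               f"{len(recent)} failures within {window}"))
        elif recent:
            alerts.append(("high", "success-after-failures", ev["src"],
                           f"{ev['user']} via {ev['method']} after {len(recent)} failures"))
    return sorted(alerts, key=lambda a: {"high": 0, "medium": 1, "low": 2}[a[0]])
```

Against the constructed lines, detect(LOG) raises one medium alert for the five failures from 203.0.113.7 and one high alert for the password login as deploy that follows them; alice's single failure from 198.51.100.5 stays below the threshold and her key-based login has no failures behind it, so neither produces noise.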

285
Q

What are three general categories to describe attackers?

A

1: White Hat
2: Black Hat
3: Grey Hat

286
Q

In the Assessing Access Control context,

Name three narrow scope tests

A

1: Penetration Tests
2: Vulnerability Assessments
3: Security Audits

287
Q

In the Assessing Access Control context,

What is a Penetration Test?

A

A test in which a white hat hacker receives permission to attempt to break into the system. Typical targets:

Internet
DMZ
Wardialing
Wireless
Physical

288
Q

In the Assessing Access Control context,

What is a

Zero-Knowledge (Black Box) Pen Test?

A

The White hat hacker has no knowledge of the system he is trying to break into.

289
Q

In the Assessing Access Control context,

What kind of box is a Zero-Knowledge Pen Test?

A

Black Box

290
Q

In the Assessing Access Control context,

What kind of box is a Full-Knowledge Pen Test?

A

Crystal Box

291
Q

In the Assessing Access Control context,

What is a Full-Knowledge (Crystal Box) Pen Test?

A

A Full-Knowledge (Crystal Box) Pen Test means that the white hat hacker has inside knowledge of the system.

292
Q

In the Assessing Access Control context,

What is a Partial knowledge Pen Test?

A

A Partial-Knowledge Pen Test means that the white hat hacker has some knowledge of the system.

293
Q

In the Assessing Access Control context,

Name three typical tools used by Pen Testers

A

1: Metasploit
2: Core Impact
3: Immunity Canvas

294
Q

In the Assessing Access Control context,

Name the five-step Pen Test methodology.

A

1: Planning
2: Recon
3: Scanning (enumeration)
4: Exploitation
5: Reporting

295
Q

In the Assessing Access Control context,

What must a Pen Tester do if they find evidence of a previous attack or a violation of confidentiality or integrity?

A

Stop and escalate to the customer.

A Pen Tester must protect the confidentiality and integrity of the systems they are testing.

296
Q

In the Assessing Access Control context,

Name two Vulnerability Assessment tools.

A

1: Nessus
2: OpenVAS

297
Q

In the Assessing Access Control context,

What is a Security Audit?

A

A test against a published standard

298
Q

In the Assessing Access Control context,

Name five Broad Scope areas to assess and three narrow scope areas.

A

Broad scope:
1: Policies
2: Procedures
3: Admin Controls
4: Change Management
5: Architectural Review

Narrow scope:
1: Pen Tests
2: Vuln Assessments
3: Security Audits

299
Q

What type of password cracking will always be successful?

A: Brute Force
B: Dictionary
C: Hybrid
D: Rainbow Table

A

A: Brute Force

300
Q

What is the difference between password cracking and password guessing?

A: They are the Same

B: Password guessing attempts to log into the system. Password cracking attempts to determine a password used to create a hash.

C: Password guessing uses Salts, password cracking does not.

D: Password cracking risks account lockout, password guessing does not.

A

B: Password guessing attempts to log into the system. Password cracking attempts to determine a password used to create a hash.

301
Q

The most insidious part of Phishing and Spear Phishing attacks comes from which part of the attack anatomy?

A: Each Phishing and Spear Phishing attack is socially engineered to trick the user to provide information to the attacker.

B: Phishing and Spear Phishing attacks always have malicious code downloaded onto the user’s computer.

C: Phishing and Spear Phishing attacks are poorly written.

D: Phishing and Spear Phishing attacks are rarely successful.

A

A: Each Phishing and Spear Phishing attack is socially engineered to trick the user to provide information to the attacker.

302
Q

What is the term used to describe when an attacker, through a command and control network, controls hundreds, thousands, or even tens of thousands of computers and instructs all of them to perform actions at once?

A: Flooding

B: Spamming

C: Phishing

D: Botnets

A

D: Botnets

303
Q

What are the main differences between retina scans and iris scans?

A: Retina scans are not invasive and iris scans are

B: Iris scans invade a person’s privacy and retina scans do not.

C: Iris scans change depending on the person's health, retina scans are stable.

D: Retina scans change depending on the person’s health, iris scans are stable.

A

D: Retina scans change depending on the person’s health, iris scans are stable.

304
Q

What is the most important decision an organization needs to make when implementing RBAC?

A: Each user’s security clearance needs to be finalized.

B: The roles users have on the system need to be clearly defined.

C: Users' data need to be clearly labeled.

D: Users must be segregated from one another on the IT system to prevent spillage of sensitive data.

A

B: The roles users have on the system need to be clearly defined.

305
Q

What access control method weighs additional factors such as time of attempted access before granting access?

A: Content-dependent access control

B: Context-dependent access control

C: Role-based access control

D: Task-based access control

A

B: Context-dependent access control

306
Q

An attacker sees a building is protected by security guards, and attacks a building next door with no security guards. What control combination are the security guards?

A: Physical / Compensating

B: Physical / Detective

C: Physical / Deterrent

D: Physical / Preventative

A

C: Physical / Deterrent

307
Q

A Type II biometric error is also known as:

A: Crossover Error Rate (CER)

B: Equal Error Rate (EER)

C: False Accept Rate (FAR)

D: False Reject Rate (FRR)

A

C: False Accept Rate (FAR)

308
Q

With Kerberos, which part is the single point of failure?

A: The Ticket Granting Ticket

B: The realm

C: The Key Distribution Center

D: The Client-Server session key

A

C: The Key Distribution Center

309
Q

Scenario: Your company has hired a third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are:

1: The tests will be conducted on live, business-functional networks. These networks must be functional in order for the business to run and cannot be shut down, even for an evaluation.
2: The company wants the most in-depth test possible.

What kind of test should be recommended?

A: Zero Knowledge

B: Partial Knowledge

C: Full Knowledge

D: Vulnerability Testing

A

C: Full Knowledge

310
Q

Scenario: Your company has hired a third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are:

1: The tests will be conducted on live, business-functional networks. These networks must be functional in order for the business to run and cannot be shut down, even for an evaluation.
2: The company wants the most in-depth test possible.

While conducting a penetration test, the tester discovers a critical business system is currently compromised. What should the tester do?

A: Note the results in the pen testing report.

B: Immediately end the pen test and call the CIO

C: Remove the malware

D: Shut the system down.

A

B: Immediately end the pen test and call the CIO

311
Q

A policy that states a user must have a business requirement to view data before attempting to do so is an example of enforcing what?

A: Least privilege

B: Need to know

C: Rotation of duties

D: Separation of duties

A

B: Need to know

312
Q

What technique could raise the False Accept Rate (FAR) and lower the False Reject Rate (FRR) in a fingerprint scanning system?

A: Decrease the amount of minutiae that is verified.

B: Increase the amount of minutiae that is verified.

C: Lengthen the enrollment time

D: Lower the throughput time

A

A: Decrease the amount of minutiae that is verified.