Exploring Control Types and Methods

Question 1

Of the following choices, what type of control is least privilege?      
A. Corrective      
B. Technical      
C. Detective      
D. Preventative

Answer 1

B. The principle of least privilege is a technical control and ensures that users have only the rights and permissions needed to perform the job, and no more. A corrective control attempts to reverse the effects of a problem. A detective control (such as a security audit) detects when a vulnerability has been exploited. A preventative control attempts to prevent an incident from occurring.

Question 2

Of the following choices, what type of control is a vulnerability assessment?      
A. Corrective      
B. Management      
C. Detective      
D. Technical 3. Which of the

Answer 2

B. A vulnerability assessment is a management control and attempts to discover weaknesses in systems. A corrective control attempts to reverse the effects of a problem. A detective control (such as a security audit) detects when a vulnerability has been exploited. A technical control (such as the principle of least privilege) enforces security using technical means.

Question 3

Which of the following is a preventative control that can prevent outages due to ad-hoc configuration errors?
A. Least privilege
B. A periodic review of user rights
C. Change management plan
D. Security audit

Answer 3

C. A change management strategy can prevent outages by ensuring that configuration changes aren’t made on an as-needed (ad-hoc) basis, but instead are examined prior to making the change; change management is also known as an operational control. The principle of least privilege is a technical control and ensures that users have only the rights and permissions needed to perform the job, and no more. A security audit is a detective control and a periodic review of user rights is a specific type of detective control.

Question 4

Which of the following is a preventative control? 
A. Least privilege      
B. Security audit      
C. Security guard      
D. Periodic review of user rights

Answer 4

C. A security guard (armed or not armed) is a preventative physical security control. The principle of least privilege is a technical control and ensures that users have only the rights and permissions needed to perform the job, and no more. A security audit is a detective control and a periodic review of user rights is a specific type of detective control.

Question 5

Your organization regularly performs routine security audits to assess the security posture. What type of control is this?      
A. Corrective      
B. Technical      
C. Detective     
D. Preventative

Answer 5

C. A security audit is a form of detective control, since it will detect when a vulnerability has been exploited after the fact. A corrective control attempts to reverse the effects of a problem. A technical control (such as the principle of least privilege) enforces security using technical means. A preventative control attempts to prevent an incident from occurring.

Question 6

Of the following choices, what is a detective security control?      
A. Change management      
B. HVAC      
C. CCTV      
D. User training

Answer 6

C. A closed-circuit television (CCTV) system can record activity and can detect what occurred as a detective security control. Change management is a preventative control. HVAC is an environmental control that is preventative. User training is preventative.

Question 7

An administrator is assigning access to users in different departments based on their job functions. What access control model is the administrator using?      
A. DAC      
B. MAC      
C. RBAC      
D. CAC

Answer 7

C. In a role-based access control (RBAC) model, roles are used to define rights and permissions for users. The DAC model specifies that every object has an owner, and the owner has full, explicit control of the object. The MAC model uses sensitivity labels for users and data. A CAC is an identification card that includes smart-card capabilities.

Question 8

You manage user accounts for a sales department. You have created a sales user account template to comply with the principle of least privilege. What access control model are you following?      
A. DAC      
B. MAC      
C. RBAC      
D. DACL

Answer 8

C. The role-based access control (RBAC) model can use groups (as roles) with a user account template assigned to a group to ensure new users are granted access only to what they need, and no more. The DAC model specifies that every object has an owner, and the owner has full, explicit control of the object. The MAC model uses sensitivity labels for users and data. A DACL is an access control list used in the DAC model.

Question 9

Windows systems protect files and folders with New Technology File System (NTFS). What access control model does NTFS use?
A. Mandatory access control (MAC)
B. Discretionary access control (DAC)
C. Rule-based access control (RBAC)
D. Implicit allow

Answer 9

B. Windows systems use the discretionary access control (DAC) model by default for NTFS files and folders. The MAC model uses labels. Rule-based access control uses rules to determine access. There is no such access control model as implicit allow. However, implicit deny is commonly used as the last rule in a firewall to indicate that all traffic not explicitly allowed is implicitly denied.

Question 10

What is the purpose of a cipher lock system?
A. Control door access with a keypad
B. Control door access with a proximity card C. Control access to a laptop with biometrics D. Control access to laptop with a smart card

Answer 10

A. A cipher lock system is a door access security method and only opens after a user has entered the correct code into the cipher lock. A proximity card uses a proximity card reader, not a cipher lock. Biometric readers (such as a fingerprint reader) and smart cards can be used as authentication for systems such as laptop systems.

Question 11

What can you use to electronically unlock a door for specific users?      
A. Token      
B. Proximity card      
C. Physical key      
D. Certificate

Answer 11

B. Proximity cards are used as an additional access control in some areas to electronically unlock doors. A token (such as an RSA token) provides a rolling password for one-time use. A physical key does not electronically unlock a door. A certificate can be embedded in a smart card but, by itself, it would not electronically unlock a door.

Question 12

An organization wants to prevent unauthorized personnel from entering a secure workspace. Of the following choices, what can be used? (Choose two).      
A. Security guard      
B. Piggybacking      
C. CCTV     
D. Proximity cards

Answer 12

A, D. Security guards and proximity cards are valid methods to prevent unauthorized personnel from entering a secure workspace, such as a secure datacenter. Piggybacking (also called tailgating) occurs when one user follows closely behind another user without using credentials; it can be prevented with a mantrap. A CCTV can detect if an unauthorized entry occurred and provide reliable proof of the entry, but it can’t prevent it.

Question 13

A company hosts a datacenter with highly sensitive data. Of the following choices, what can provide the best type of physical security to prevent unauthorized entry?      
A. Proximity card      
B. CCTV      
C. ID badges      
D. Mantrap

Answer 13

D. A mantrap is highly effective at preventing unauthorized entry and can also be used to prevent tailgating. A proximity card is useful as an access control mechanism, but it won’t prevent tailgating so it isn’t as useful as a mantrap. CCTV provides video surveillance, and it can record unauthorized entry, but it can’t prevent it. ID badges are useful if the entry is staffed with security guards, but won’t prevent unauthorized entry if used without security guards.

Question 14

Two employees have entered a secure datacenter. However, only one employee provided credentials. How did the other employee gain entry?      
A. Mantrap      
B. HVAC      
C. Vishing      
D. Tailgating

Answer 14

D. Tailgating (also called piggybacking) occurs when one user follows closely behind another user without using credentials. A mantrap prevents tailgating. A heating, ventilation, and air-conditioning (HVAC) system can increase availability by ensuring that equipment doesn’t fail due to overheating. Vishing is a variant of phishing techniques and often combines social engineering tactics with Voice over IP (VoIP).

Question 15

Your organization has several portable USB drives that users are able to use to transfer large video files instead of copying them over the network. What should be used to prevent the theft of these drives when they are not being used?    
A. HSM      
B. TPM      
C. Video surveillance      
D. Locked cabinet

Answer 15

D. A locked cabinet should be used to help prevent the theft of unused assets. A hardware security module (HSM) is used to create and store encryption keys. A TPM is used for hardware encryption of entire drives. Video surveillance is useful to provide proof of someone entering or exiting a secure space, but is not needed to protect unused assets.

Question 16

Your organization requires users to create passwords of at least ten characters for their user accounts. Which of the following is being enforced?      
A. Password length      
B. Password complexity      
C. Password masking      
D. Password history

Answer 16

A. Requiring passwords of a specific number of characters is the password length element of a password policy. Password complexity requires the characters to be different types, such as uppercase, lowercase, numbers, and special characters. Password masking displays a special character, such as *, when users type in their password, instead of showing the password in clear text. Password history prevents users from reusing passwords.

Question 17

Your password policy includes a password history. What else should be configured to ensure that users aren’t able to easily reuse the same password?      
A. Maximum age      
B. Minimum age      
C. Password masking      
D. Password complexity

Answer 17

B. The minimum password age prevents users from changing the password again until some time has passed, such as one day. The maximum age forces users to periodically change their password, such as after sixty or ninety days. Password masking displays a special character, such as *, when users type in their password instead of showing the password in clear text. Password complexity ensures the password has a mixture of different character types and is sufficiently long.

Question 18

Your organization has a password policy that requires employees to change their passwords at least every forty-five days and prevents users from reusing any of their last five passwords. However, when forced to change their passwords, users are changing their passwords five more times to keep their original password. What can resolve this security vulnerability?
A. Modify the password policy to prevent users from changing the password until a day has passed
B. Modify the password policy to require users to change their password after a day has passed C. Modify the password policy to remember the last twelve passwords
D. Modify the password policy to remember the last twenty-four passwords

Answer 18

A. Password policies have a minimum password age setting, and if set to one day it will prevent users from changing their passwords until a day has passed. Requiring users to change their passwords every day wouldn’t resolve the problem and is not reasonable. The password history is currently set to remember the last five passwords. If you change the password history to remember the last twelve or twenty-four passwords, they can do the same thing described in the scenario to get back to their original password.

Question 19

A user has forgotten his password and calls the help desk for assistance. The help-desk professional will reset the password and tell the user the new password. What should the help desk professional configure to ensure the user immediately resets the password?      
A. Password complexity      
B. Password masking      
C. Password history      
D. Password expiration

Answer 19

D. Password expiration should be configured so that the user is forced to change the password the first time he logs on. This ensures the help-desk professional doesn’t know the user’s password once the user logs on. Password complexity ensures the password has a mixture of different character types and is sufficiently long. Password masking displays a special character, such as *, when users type in their password instead of showing the password in clear text. Password history prevents users from reusing passwords.

Question 20

Users in your network are required to change their passwords every sixty days. What is this an example of?
A. Password expiration requirement
B. Password history requirement
C. Password length requirement
D. Password strength requirement

Answer 20

A. A password policy can include a password expiration requirement (or a maximum age) that ensures that users change their passwords periodically, such as every sixty days or every ninety days. Password history prevents users from using previously used passwords. Password length ensures the password includes a minimum number of characters, such as at least eight characters. Password strength ensures the password uses a mixture of character types.

Question 21

Your company has hired a temporary contractor that needs a computer account for sixty days. You want to ensure the account is automatically disabled after sixty days. What feature would you use?
A. Account lockout
B. Account expiration
C. Deletion through automated scripting
D. Manual deletion

Answer 21

B. Most systems include a feature that allows you to set the expiration of an account when a preset deadline arrives. Account lockout locks out an account if an incorrect password is entered too many times. The scenario states you want to disable the account, not delete it.

Question 22

After an employee is terminated, what should be done to revoke the employee’s access?      
A. Expire the password      
B. Lock out the account      
C. Delete the account      
D. Disable the account

Answer 22

D. An account disablement policy would ensure that a terminated employee’s account is disabled to revoke the employee’s access. Expiring the password forces the user to change the password at the next logon. An account lockout policy locks out an account if an incorrect password is entered too many times. The account may be needed to access the user’s resources, so it is recommended to disable the account instead of deleting it.

Question 23

Management wants to prevent users in the Marketing Department from logging onto network systems between 6 p.m. and 5 a.m. How can this be accomplished?
A. Use time-of-day restrictions
B. Account expiration
C. Password expiration
D. Implement a detective control

Answer 23

A. Time-of-day restrictions can be used to prevent users from logging in at certain times, or even from making connections to network resources at certain times. Account expiration refers to when a temporary account is automatically disabled (such as expiring a temporary account after sixty days). Password expiration refers to the practice of setting a password to immediately expire after resetting it. A detective control won’t prevent a user from logging on but can detect it after it occurred.

Question 24

You have recently added a server to your network that will host data used and updated by employees. You want to monitor security events on the system. Of the following, what is the most important security event to monitor?      
A. Data modifications      
B. TCP connections      
C. UDP connections      
D. Account logon attempts

Answer 24

D. Of the choices, account logon attempts are the most important. Since the purpose of the system is to host data that is read and updated by employees, data modifications are not critical because they are expected to occur regularly. TCP and UDP are the primary protocols used when users connect to a server over a network, but it’s not important from a security perspective to monitor these events.