Questions D2 Access Control Flashcards

1
Q

Which one of the following is an example of a nondiscretionary access control system?

A. File ACLs

B. MAC

C. DAC

D. Visitor list

A

B. MAC

Explanation

A mandatory access control (MAC) scheme is an example of a nondiscretionary approach to access control, as the owner of objects does not have the ability to set permissions on those objects. It is possible for a visitor list or file ACLs to be configured using a nondiscretionary scheme, but these approaches can also be configured as discretionary access control (DAC) implementations.

2
Q

Wanda is configuring device‐based authentication for systems on her network. Which one of the following approaches offers the strongest way to authenticate devices?

A. IP address

B. MAC address

C. Digital certificate

D. Password

A

C. Digital certificate

Explanation

Digital certificates are the strongest device‐based access control mechanism listed in this scenario. Administrators may issue a certificate to each device and tie it to the physical device; the binding is strongest when the private key is generated in, and cannot be exported from, the device's TPM or secure element, so the credential cannot simply be copied to another machine. Passwords are easily transferred to other devices and are not as strong an approach. IP addresses are easily changed and should not be used. MAC addresses theoretically identify devices uniquely, but it is trivial to alter a MAC address in software, so they should not be relied upon for authentication.

3
Q

Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?

A. Password

B. Retinal scan

C. Username

D. Token

A

C. Username

Explanation

Usernames are an identification tool. They are not secret, so they are not suitable for use as an authenticator; a password, a retinal scan, or a token each supplies something that only the legitimate subject should be able to present.

4
Q

When a subject claims an identity, what process is occurring?

A. Login

B. Identification

C. Authorization

D. Token presentation

A

B. Identification

Explanation

The process of a subject claiming or professing an identity is known as identification. Authentication verifies the claimed identity by checking a factor such as a password; authorization then determines what the authenticated subject is permitted to do. Logins typically include both identification and authentication, and token presentation is a type of authentication.

5
Q

MAC models use three types of environments. Which of the following is not a mandatory access control design?

A. Hierarchical

B. Bracketed

C. Compartmentalized

D. Hybrid

A

B. Bracketed

Explanation

Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.

6
Q

Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?

A. An access control list

B. An implicit denial list

C. A capability table

D. A rights management matrix

A

C. A capability table

Explanation

Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object‐focused rather than subject‐focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.
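The difference between an object‐focused ACL and a subject‐focused capability table is easiest to see when one access matrix is rendered both ways, because each view makes a different revocation cheap. The following is an added example written for this page, not code from the flashcards; the user names, file names and rights in MATRIX are constructed sample data.

```python
"""Added example: one access matrix viewed as ACLs (per object) and as
capability lists (per subject). All names and rights are constructed."""
from collections import defaultdict

# Constructed sample access matrix: (subject, object) -> set of rights.
# Any (subject, object) pair that is absent has no rights (implicit deny).
MATRIX = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("alice", "handbook.pdf"): {"read"},
    ("bob", "handbook.pdf"): {"read"},
    ("bob", "build.log"): {"read", "write", "delete"},
}


def acl_view(matrix):
    """Object-focused view: for each object, which subjects hold which rights.
    This is what an NTFS ACL or a POSIX ACL stores."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)


def capability_view(matrix):
    """Subject-focused view: for each subject, which objects it can reach and how.
    This is a capability table; a Kerberos ticket or a bearer token carries one row."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)


def is_allowed(matrix, subject, obj, right):
    """Authorization decision with implicit deny for unknown pairs."""
    return right in matrix.get((subject, obj), set())


def revoke_subject(matrix, subject):
    """Offboarding a user: one row in a capability table, but every object's ACL
    must be visited to be sure nothing is left behind."""
    return {pair: rights for pair, rights in matrix.items() if pair[0] != subject}


def revoke_object(matrix, obj):
    """Retiring an object: one ACL, but every subject's capability list must be
    searched, which is why capability systems are hard to audit per object."""
    return {pair: rights for pair, rights in matrix.items() if pair[1] != obj}


if __name__ == "__main__":
    print("ACL for handbook.pdf:", acl_view(MATRIX)["handbook.pdf"])
    print("capabilities of alice:", capability_view(MATRIX)["alice"])
    print("bob may read payroll.xlsx:", is_allowed(MATRIX, "bob", "payroll.xlsx", "read"))
```

Each view answers one question cheaply: the ACL answers "who can touch this file?", the capability table answers "what can this user touch?"; an access review needs both, which is why the matrix itself is the model and the two tables are just its row and column projections.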

7
Q

Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt?

A. Kerberos

B. LDAP

C. OpenID

A

C. OpenID

Explanation

OpenID is a widely supported standard that allows a user to use a single account to log into multiple sites, and Google accounts are frequently used with OpenID. In practice Google retired the original OpenID 2.0 protocol in favor of OpenID Connect, which layers an identity token on top of OAuth 2.0; a new integration today would use OpenID Connect, and it is the same answer for exam purposes. Kerberos and LDAP are used for authentication inside an organization, not for consumer accounts held by a third party.

8
Q

Ben uses a software‐based token that changes its code every minute. What type of token is he using?

A. Asynchronous

B. Smart card

C. Synchronous

D. Static

A

C. Synchronous

Explanation

Synchronous soft tokens, such as Google Authenticator, use a time‐based algorithm (TOTP, RFC 6238) that generates a constantly changing series of codes; the token and the server each derive the current code from a shared secret and the clock, so no challenge is exchanged. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smart cards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.

9
Q

Which of the following multifactor authentication technologies provides both low management overhead and flexibility?

A. Biometrics

B. Software tokens

C. Synchronous hardware tokens

D. Asynchronous hardware tokens

A

B. Software tokens

Explanation

Software tokens are flexible, with delivery options including mobile applications, SMS, and phone delivery. They have a relatively low administrative overhead, as users can typically self‐manage. Note that NIST SP 800‐63B classifies SMS and voice delivery as restricted authenticators because of SIM‐swap and interception risks, so an authenticator app that generates codes on the device is the preferred form of software token. Biometrics require significant effort to register users and to deploy and maintain infrastructure, and they require hardware at each authentication location. Both types of hardware tokens can require additional overhead for distribution and maintenance, and token failure can cause support challenges.

10
Q

Jim wants to allow a partner organization’s Active Directory forest (B) to access his domain forest’s (A)’s resources but doesn’t want to allow users in his domain to access B’s resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do?

A. Set up a two‐way transitive trust.

B. Set up a one‐way transitive trust.

C. Set up a one‐way nontransitive trust.

D. Set up a two‐way nontransitive trust.

A

C. Set up a one‐way nontransitive trust.

Explanation

A trust that allows one forest to access another’s resources without the reverse being possible is an example of a one‐way trust. Since Jim doesn’t want the trust path to flow as the domain tree is formed, this trust has to be nontransitive.

11
Q

The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third‐party sources to ask questions based on their past credit reports, such as “Which of the following streets did you live on in 2007?” What process is Susan’s organization using?

A. Identity proofing

B. Password verification

C. Authenticating with Type 2 authentication factor

D. Out‐of‐band identity proofing

A

A. Identity proofing

Explanation

Verifying information that an individual should know about themselves using third‐party factual information (a Type 1 authentication factor, "something you know") is sometimes known as dynamic knowledge‐based authentication and is a type of identity proofing. Out‐of‐band identity proofing would use another means of contacting the user, such as a text message or phone call, and password verification requires a password. A Type 2 factor is "something you have," which is not involved here.

12
Q

Lauren’s team of system administrators each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each have. What type of solution should she recommend to ensure that passwords are properly handled and that features such as logging and password rotation occur?

A. A credential management system

B. A strong password policy

C. Separation of duties

D. Single sign‐on

A

A. A credential management system

Explanation

Lauren’s team would benefit from a credential management system. Credential management systems offer features such as password management, multifactor authentication to retrieve passwords, logging, audit, and password rotation capabilities. A strong password policy would only make maintenance of passwords for many systems a more difficult task if done manually. Single sign‐on would help if all of the systems had the same sensitivity levels, but different credentials are normally required for higher‐sensitivity systems.

13
Q

Adam is accessing a standalone file server using a username and password provided to him by the server administrator. Which one of the following entities is guaranteed to have information necessary to complete the authorization process?

A. Adam

B. File server

C. Server administrator

D. Adam’s supervisor

A

B. File server

Explanation

We know that both Adam and the server administrator have the username and password, but this is information used for identification and authentication, not authorization. We do not know what information Adam’s supervisor might have. The server is a standalone file server, so it must have information about the activities that Adam is authorized to perform.

15
Q

Adam recently configured permissions on an NTFS filesystem to describe the access that different users may have to a file by listing each user individually. What did Adam create?

A. An access control list

B. An access control entry

C. Role‐based access control

D. Mandatory access control

A

A. An access control list

Explanation

Adam created a list of individual users that may access the file. This is an access control list, which consists of multiple access control entries. It includes the names of users, so it is not role‐based, and Adam was able to modify the list, so it is not mandatory access control.

16
Q

Questions like “What is your pet’s name?” are examples of what type of identity proofing?

A. Knowledge‐based authentication

B. Dynamic knowledge‐based authentication

C. Out‐of‐band identity proofing

D. A Type 3 authentication factor

A

A. Knowledge‐based authentication

Explanation

Knowledge‐based authentication relies on preset questions such as “What is your pet’s name?” and the answers. It can be susceptible to attacks because of the availability of the answers on social media or other sites. Dynamic knowledge‐based authentication relies on facts or data that the user already knows that can be used to create questions they can answer on an as‐needed basis (for example, a previous address, or a school they attended). Out‐of‐band identity proofing relies on an alternate channel like a phone call or text message. Finally, Type 3 authentication factors are biometric, or “something you are,” rather than knowledge‐based.

17
Q

Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?

A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed

B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility

C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well

D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority

A

B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility

Explanation

Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control (MAC) system. MAC is more secure because of the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.

18
Q

Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed?

A. Log review

B. Manual review of permissions

C. Signature‐based detection

D. Review the audit trail

A

C. Signature‐based detection

Explanation

While signature‐based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.

19
Q

Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts?

A. Read only

B. Editor

C. Administrator

D. No access

A

D. No access

Explanation

The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read‐only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.

Enterprise resource planning (ERP) is a software system that helps organizations streamline their core business processes—including finance, HR, manufacturing, supply chain, sales, and procurement—with a unified view of activity and provides a single source of truth.

20
Q

A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer’s account. What type of biometric factor error occurred?

A. A registration error

B. A Type 1 error

C. A Type 2 error

D. A time‐of‐use, method‐of‐use error

A

C. A Type 2 error

Explanation

Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user; the rate at which this happens is the false acceptance rate (FAR). In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 2 errors are also known as false positive errors. Type 1 (or false negative) errors occur when a valid subject is not authenticated, measured as the false rejection rate (FRR); if the existing customer was rejected, it would be a Type 1 error. The two rates move in opposite directions as the matching threshold changes, and the point where they are equal is the crossover error rate (CER) used to compare biometric systems. Registration is the process of adding users, but registration errors and time‐of‐use, method‐of‐use errors are not specific biometric authentication terms.
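Both error types come from one matching threshold, which is easier to see with numbers. The following is an added example written for this page, not part of the flashcards: the GENUINE and IMPOSTOR match scores are constructed sample data rather than output from any real sensor, and the functions show how a threshold turns those scores into Type 1 and Type 2 errors and where the crossover error rate falls.

```python
"""Added example: Type 1 / Type 2 biometric errors from a match-score threshold.
Scores are constructed sample data, not output of any real sensor."""

# Constructed match scores in [0, 1]; higher means the probe looks more like the
# enrolled template. GENUINE: the real account holder. IMPOSTOR: other people
# presenting to that account (the bank scenario is one of these being accepted).
GENUINE = [0.92, 0.88, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60]
IMPOSTOR = [0.55, 0.50, 0.62, 0.45, 0.40, 0.72, 0.35, 0.30]


def classify_error(is_genuine: bool, accepted: bool):
    """Name the error for a single decision; None when the decision was right."""
    if is_genuine and not accepted:
        return "Type 1 (false rejection)"
    if not is_genuine and accepted:
        return "Type 2 (false acceptance)"  # what happened to the bank's customer
    return None


def error_rates(genuine, impostor, threshold):
    """(FAR, FRR) when the system accepts any score >= threshold.
    FAR is the Type 2 rate, FRR the Type 1 rate."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def find_cer(genuine, impostor):
    """Crossover error rate: scan candidate thresholds, return the threshold where
    FAR and FRR are closest together and the rate at that point. Raising the
    threshold trades Type 2 errors for Type 1 errors; the CER is the balance."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.50, 0.60, 0.65, 0.75):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FAR {far:.3f} (Type 2)  FRR {frr:.3f} (Type 1)")
    print("CER threshold, rate:", find_cer(GENUINE, IMPOSTOR))
```

A bank that wants to stop the scenario in the card lowers its FAR by raising the threshold, and pays for it with more legitimate customers rejected at the counter; that trade is why a vendor's quoted CER matters more than either rate alone.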

21
Q

Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser‐based single sign‐on. What technology is his best option?

A. HTML

B. XACML

C. SAML

D. SPML

A

C. SAML

Explanation

Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser‐based SSO. HTML is primarily used for web pages, SPML (Service Provisioning Markup Language) is used to exchange user provisioning information between systems, and XACML (eXtensible Access Control Markup Language) is used to express access control policies and decisions, not to carry authentication assertions.

22
Q

What access control scheme labels subjects and objects and allows subjects to access objects when the labels match?

A. DAC

B. MAC

C. Rule‐based access control (RBAC)

D. Role‐based access control (RBAC)

A

B. MAC

Explanation

Mandatory access control (MAC) applies labels to subjects and objects and allows subjects to access objects when their labels match, or, more generally, when the subject's clearance dominates the object's classification. Discretionary access control (DAC) is controlled by the owner of objects, rule‐based access control applies rules throughout a system, and role‐based access control bases rights on roles, which are often handled as groups of users.

23
Q

Mandatory access control is based on what type of model?

A. Discretionary

B. Group‐based

C. Lattice‐based

D. Rule‐based

A

C. Lattice‐based

Explanation

Mandatory access control systems are based on a lattice‐based model. A lattice arranges security labels, each a classification level plus a set of compartments, in a partial order in which every pair of labels has a least upper bound and a greatest lower bound; a subject's label must dominate an object's label for the subject to read it. Discretionary access models allow object owners to determine access to the objects they control, role‐based access controls are often group‐based, and rule‐based access controls such as firewall ACLs apply the same rules to every subject they cover.

24
Q

Jim wants to allow cloud‐based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?

A. Kerberos

B. OAuth

C. OpenID

D. LDAP

A

B. OAuth

Explanation

OAuth provides the ability to access resources from another service and would meet Jim’s needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in‐house services.

25
Q

Which one of the following activities is an example of an authorization process?

A. User providing a password

B. User passing a facial recognition check

C. System logging user activity

D. System consulting an access control list

A

D. System consulting an access control list

Explanation

Authorization occurs when a system determines whether an authenticated user is permitted to perform an activity, such as by consulting an access control list. Authentication occurs when a user proves his or her identity to a system, such as by providing a password or completing a facial recognition scan. When a system logs user activity, this is an example of accounting.
26
Q

Raul is creating a trust relationship between his company and a vendor. He is implementing the system so that it will allow users from the vendor's organization to access his accounts payable system using the accounts created for them by the vendor. What type of authentication is Raul implementing?

A. Federated authentication

B. Transitive trust

C. Multifactor authentication

D. Single sign‐on

A

A. Federated authentication

Explanation

This type of authentication, where one domain trusts users from another domain, is called federation. Federation may involve transitive trusts, where the trusts may be followed through a series of domains, but this scenario only describes the use of two domains. The scenario only describes use of credentials for a single system and does not describe a multiple‐system scenario where single sign‐on would be relevant. There is no requirement described for the use of multifactor authentication, which would require the use of two or more diverse authentication techniques.
27
Q

When you input a user ID and password, you are performing what important identity and access management activity?

A. Authorization

B. Validation

C. Authentication

D. Login

A

C. Authentication

Explanation

When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren't the most important identity and access management activity.
28
Q

Which of the following is a ticket‐based authentication protocol designed to provide secure communication?

A. RADIUS

B. OAuth

C. SAML

D. Kerberos

A

D. Kerberos

Explanation

Kerberos is an authentication protocol that uses tickets and provides secure communications between the client, key distribution center (KDC), ticket‐granting service (TGS), authentication server (AS), and endpoint services. RADIUS does not provide the same level of security by default, since it only obfuscates the password attribute and leaves the rest of the packet unprotected unless it is tunneled. SAML is a markup language for exchanging assertions, and OAuth is a delegated authorization framework that lets a third‐party application act on a user's behalf against providers such as Google or Microsoft; it is not a ticket‐based authentication protocol.
29
Q

What type of token‐based authentication system uses a challenge/response process in which the challenge must be entered on the token?

A. Asynchronous

B. Smart card

C. Synchronous

D. RFID

A

A. Asynchronous

Explanation

Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time‐based calculation to generate codes. Smart cards are paired with readers and don't need to have challenges entered, and RFID devices are not used for challenge/response tokens. Radio Frequency Identification (RFID) is a technology that uses radio waves to identify objects uniquely and can read hundreds of objects at once.
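Cards 8 and 29 describe the two token families in words; the contrast is clearer when both sides of each exchange are written down. The following is an added example written for this page, not code from the flashcards or from any token vendor: it implements a synchronous TOTP token (RFC 6238 on top of RFC 4226 HOTP, which is what Google Authenticator uses) beside an asynchronous challenge/response token. KEY is the published RFC 6238 test‐vector secret; the SHA‐256 response construction for the asynchronous token, the challenge length and the class names are assumptions made for illustration.

```python
"""Added example: synchronous (TOTP) and asynchronous (challenge/response)
tokens with their server-side verifiers. KEY is the RFC 6238 test secret;
the asynchronous response format is an assumption for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 reference secret, written the way an authenticator app receives it
# (base32 inside an otpauth:// URI). Assumed parameters: SHA-1, 30 s step, 6 digits.
KEY = base64.b32decode("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")  # == b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is derived from the clock. No challenge is
    exchanged, which is what makes the token synchronous."""
    return hotp(key, int(unix_time // step), digits)


class TotpVerifier:
    """Server side of a synchronous token: tolerate +/- `window` steps of clock
    drift, compare in constant time, and never accept the same step twice."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: float) -> bool:
        now_step = int(unix_time // self.step)
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if step <= self.last_accepted_step:
                continue  # replay protection: this step was already consumed
            if hmac.compare_digest(hotp(self.key, step, self.digits), code):
                self.last_accepted_step = step
                return True
        return False


def token_response(key: bytes, challenge: str, digits: int = 8) -> str:
    """Asynchronous token: the user keys the server's challenge into the token,
    which returns a response derived from the shared secret and that challenge.
    Assumption: HMAC-SHA256 truncated to `digits` decimal digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)


class ChallengeResponseServer:
    """Server side of an asynchronous token: every challenge is random and
    single-use, so a response captured off the wire is worthless afterwards."""

    def __init__(self, key: bytes):
        self.key = key
        self.outstanding: set[str] = set()

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(4)  # 8 hex digits: short enough to type
        self.outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self.outstanding:
            return False  # never issued, or already consumed
        self.outstanding.discard(challenge)
        return hmac.compare_digest(token_response(self.key, challenge), response)


if __name__ == "__main__":
    print("TOTP at t=59:", totp(KEY, 59))  # RFC 6238 vector 94287082 -> 287082
    srv = ChallengeResponseServer(KEY)
    c = srv.issue_challenge()
    print("challenge", c, "accepted:", srv.verify(c, token_response(KEY, c)))
```

The two verifiers show the operational difference behind the exam terms: a synchronous token needs the server to cope with clock drift and to remember the last accepted step, while an asynchronous token needs the server to track outstanding challenges but gets freshness for free from the random challenge.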
30
Q

As part of hiring a new employee, Kathleen's identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called?

A. Registration

B. Provisioning

C. Population

D. Authenticator loading

A

B. Provisioning

Explanation

Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.
31
Q

The U.S. government CAC is an example of what form of Type 2 authentication factor?

A. A token

B. A biometric identifier

C. A smart card

D. A PIV

A

C. A smart card

Explanation

The U.S. government's Common Access Card is a smart card. The U.S. government also issues PIV cards, or personal identity verification cards. Both hold a certificate and private key on the card's chip and are unlocked with a PIN, so they combine "something you have" with "something you know."
32
Q

Which objects and subjects have a label in a MAC model?

A. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label.

B. All objects have a label, and all subjects have a compartment.

C. All objects and subjects have a label.

D. All subjects have a label and all objects have a compartment.

A

C. All objects and subjects have a label.

Explanation

In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.
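Cards 5, 22, 23 and 32 all describe the same structure from different angles: every subject and object carries a label, the labels form a lattice, and access depends on how two labels compare. The following is an added example written for this page, not code from the flashcards: it models a label as a hierarchical level plus a set of compartments, so the same code covers the hierarchical, compartmentalized and hybrid designs of card 5, and it applies the Bell‐LaPadula read and write rules, of which "labels match" in card 22 is the special case. The level and compartment names and the example labels are constructed.

```python
"""Added example: a lattice of MAC labels (level + compartments) with the
Bell-LaPadula no-read-up / no-write-down rules. Names are constructed."""
from dataclasses import dataclass

# Hierarchical part of the label. Compartments (e.g. "NUC", "CRYPTO") are the
# non-hierarchical part; a label with no compartments is purely hierarchical,
# labels at one level with disjoint compartments are purely compartmentalized.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: at least as high a level AND a superset
        of the compartments. Two labels may be incomparable (neither dominates)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

    def comparable(self, other: "Label") -> bool:
        return self.dominates(other) or other.dominates(self)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both. This is the label
    a document gets when it combines data from two sources."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label that both dominate."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, a.compartments & b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject's clearance must
    dominate the object's classification. Equal labels always pass."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label must dominate the subject's,
    so a Secret process cannot copy data into a Confidential file."""
    return obj.dominates(subject)


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"NUC"}))
    for target in (Label("Confidential"), Label("Secret", frozenset({"NUC"})),
                   Label("Secret", frozenset({"CRYPTO"})), Label("Top Secret", frozenset({"NUC"}))):
        print(target, "read:", can_read(analyst, target), "write:", can_write(analyst, target))
```

The compartmentalized case is the one that surprises people: two Secret labels with different compartments are incomparable, so neither subject can read the other's object even though both are cleared to the same level. Note also that the object owner never appears in these functions; that absence is what makes the scheme nondiscretionary (card 1).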
33
Q

Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic‐strip‐based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, several servers have been stolen, but the logs for the pass cards show only valid IDs. What is Kathleen's best option to make sure that the users of the pass cards are who they are supposed to be?

A. Add a reader that requires a PIN for passcard users.

B. Add a camera system to the facility to observe who is accessing servers.

C. Add a biometric factor.

D. Replace the magnetic stripe keycards with smartcards.

A

C. Add a biometric factor.

Explanation

Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or "something you have." Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: a PIN can be stolen. Adding cameras doesn't prevent access to the facility and thus doesn't solve the immediate problem (but it is a good idea!).
35
Q

Kathleen is implementing an access control system for her organization and builds the following array:

Reviewers: update files, delete files

Submitters: upload files

Editors: upload files, update files

Archivists: delete files

What type of access control system has Kathleen implemented?

A. Role‐based access control

B. Task‐based access control

C. Rule‐based access control

D. Discretionary access control

A

A. Role‐based access control

Explanation

Role‐based access control gives each user an array of permissions based on their position in the organization, such as the scheme shown here. Task‐based access control is not a standard approach. Rule‐based access controls use rules that apply to all subjects, which isn't something we see in the list. Discretionary access control gives object owners rights to choose how the objects they own are accessed, which is not what this list shows.
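Kathleen's array is a complete RBAC policy once users are mapped to roles, and it also illustrates card 19 (a new account starts with no access) and card 25 (authorization is the lookup that consults the policy). The following is an added example written for this page, not code from the flashcards: the role names and permissions are taken from the card's array, while the user names, method names and the `RbacPolicy` class are constructed for illustration.

```python
"""Added example: the role array from card 35 as an RBAC policy with
default-deny provisioning (card 19) and an authorization lookup (card 25).
Roles and permissions come from the card; users and class names are constructed."""

# The array from the card. Permissions are attached to roles, never to users.
ROLE_PERMISSIONS = {
    "reviewer": {"update_file", "delete_file"},
    "submitter": {"upload_file"},
    "editor": {"upload_file", "update_file"},
    "archivist": {"delete_file"},
}


class RbacPolicy:
    def __init__(self, role_permissions):
        self.role_permissions = {r: frozenset(p) for r, p in role_permissions.items()}
        self.user_roles: dict[str, set[str]] = {}

    def provision(self, user: str) -> None:
        """Card 19: the account exists but holds no roles, so it can do nothing
        until a role is assigned on business need."""
        self.user_roles.setdefault(user, set())

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")  # no ad hoc per-user rights
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def permissions_of(self, user: str) -> frozenset:
        """Effective permissions: the union over the user's roles."""
        perms = frozenset()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions[role]
        return perms

    def authorize(self, user: str, action: str) -> bool:
        """Card 25: the authorization decision. Unknown users, users without
        roles and actions no role grants all fall through to implicit deny."""
        return action in self.permissions_of(user)

    def users_with(self, action: str) -> set:
        """Access-review helper: who can perform this action right now."""
        return {u for u in self.user_roles if self.authorize(u, action)}


if __name__ == "__main__":
    policy = RbacPolicy(ROLE_PERMISSIONS)
    policy.provision("dana")
    print("new hire can upload:", policy.authorize("dana", "upload_file"))
    policy.assign_role("dana", "editor")
    print("as editor can upload:", policy.authorize("dana", "upload_file"))
    print("who can delete:", policy.users_with("delete_file"))
```

The check that distinguishes this from a DAC list is that `authorize` never looks at who owns a file: the decision comes entirely from the role table, which an administrator maintains centrally, and every path that finds nothing returns False.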