Section 1

Question 1

What are some examples of detective access controls?

Answer 1

Security guards, supervising users, incident investigations, and intrusion detections systems

Question 2

What are some examples of physical access controls?

Answer 2

Guards, fences, motion detectors, locked doors, sealed windows, lights, backups, cable protection, laptop locks, swipe cards, CCTV, mantraps, and alarms

Question 3

What are the three commonly recognized authentication factors?

Answer 3

Something you know, something you have, and something you are

Question 4

What is a cognitive password?

Answer 4

A series of questions about facts or predefined responses that only the subject should know (for example, what is your birthdate? What is your mother’s maiden name?)

Question 5

Name at least eight biometric factors

Answer 5

Fingerprints, face scans, iris scan, retina scan, palm topography, palm geography, heart/pulse pattern, voice pattern, signature dynamics, keystroke patterns

Question 6

What are the issues related to user acceptance of biometric enrollment and throughput rate?

Answer 6

Enrollment takes longer than 2 minutes are unacceptable; subjects will typically accept a throughput rate of about 6 seconds or faster

Question 7

What access control technique employs security labels?

Answer 7

Mandatory access controls. Subjects are labeled as to their level of clearance. Objects are labeled as to their level of classification and sensitivity

Question 8

The Bell-LaPadula, Biba, and Clark-Wilson access control models were all designed to protect a single aspect of security. Name the corresponding aspect for each model

Answer 8

Bell-LaPadula protects confidentiality
Biba protects integrity
Clark-Wilson protects Integrity

Question 9

Name the three types of subjects and their roles in a security environment

Answer 9

The user accesses objects on a system to perform a work task
The owner is liable for protection of data
The data custodian is assigned to classify and protect data

Question 10

Explain why the separation of duties and responsibilities is a common security practice

Answer 10

It prevents any single subject from being able to circumvent or disable security mechanisms

Question 11

What is the principle of least privilege?

Answer 11

Subjects should only be granted only the amount of access to objects that is required to accomplish their assigned work tasks

Question 12

Name the four key principles upon which access control relies

Answer 12

Identification, authentication, authorization, accountability

Question 13

How are domains related to decentralized access control?

Answer 13

A domain is a realm of trust that shares a common security policy. The is a form of decentralized access control

Question 14

Why is monitoring an important part of a security policy?

Answer 14

Monitoring is used to watch for security policy violations and to detect unauthorized or abnormal activities

Question 15

What are the functions of an intrusion detection system (IDS)?

Answer 15

An IDS automates the inspection of audit logs and real-time system events, detects intrusion attempts, and watches for violations of confidentiality, integrity, and availability