Access

Question 1

QUESTION NO: 235 Which of the following will you consider as the MOST secure way of authentication? A. Biometric B. Password C. Token D. Ticket Granting

Answer 1

Answer: A Explanation: Biometric authentication systems take advantage of an individual’s unique physical characteristics in order to authenticate that person’s identity. Various forms of biometric authentication include face, voice, eye, hand, signature, and fingerprint, each have their own advantages and disadvantages. When combined with the use of a PIN it can provide two factors authentication.

Question 2

QUESTION NO: 236 In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on physical attributes of a person. This raised the necessicity of answering 2 questions: A. what was the sex of a person and his age B. what part of the body to be used and how to accomplish identification to be viable C. what was the age of a person and his income level D. what was the tone of the voice of a person and his habits

Answer 2

Answer: B

Question 3

QUESTION NO: 237 What is called the percentage of invalid subjects that are falsely accepted? A. False Rejection Rate (FRR) or Type I Error B. False Acceptance Rate (FAR) or Type II Error C. Crossover Error Rate (CER) D. True Acceptance Rate (TAR) or Type III error

Answer 3

Answer: B

Question 4

QUESTION NO: 238 Which of the following biometrics devices has the highs Crossover Error Rate (CER)? A. Iris scan B. Hang Geometry C. Voice pattern D. Fingerprints

Answer 4

Answer: C

Question 5

QUESTION NO: 239 Which of the following biometric parameters are better suited for authentication use over a long period of time? A. Iris pattern B. Voice pattern C. Signature dynamics D. Retina pattern

Answer 5

Answer: A

Question 6

QUESTION NO: 240 Which one of the following is the MOST critical characteristic of a biometrics system? A. Acceptability B. Accuracy C. Throughput D. Reliability

Answer 6

Answer: B Explanation: We don’t agree with the original answer, which was throughput. Granted throughput is vital but Krutz lists accuracy is most important. In addition to the accuracy of the biometric systems, there are OTHER factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability.

Question 7

QUESTION NO: 241 Which of the following biometric devices has the lowest user acceptance level? A. Voice recognition B. Fingerprint scan C. Hand geometry D. Signature recognition

Answer 7

Answer: B

Question 8

QUESTION NO: 242 Biometric performance is most commonly measured in terms of: A. FRR and FAR B. FAC and ERR C. IER and FAR D. FRR and GIC

Answer 8

Answer: A Explanation: Biometric performance is most commonly measured in two ways: False Rejection Rate (FRR), and False Acceptance Rate (FAR). The FRR is the probability that you are not authenticated to access your account. A strict definition states that the FRR is the probability that a mated comparison (i.e. 2 biometric samples of the same finger) incorrectly determines that there is no match.

Question 9

QUESTION NO: 243 What is the most critical characteristic of a biometric identifying system? A. Perceived intrusiveness B. Storage requirements C. Accuracy D. Reliability

Answer 9

Answer: C

Question 10

QUESTION NO: 244 Which of the following biometric characteristics cannot be used to uniquely authenticate an individual’s identity? A. Retina scans B. Iris scans C. Palm scans D. Skin scans

Answer 10

Answer: D Explanation: Biometrics: Fingerprints Palm Scan Hand Geometry Retina Scan Iris Scan Signature Dynamics Keyboard Dynamic Voice Print Facial Scan Hand Topology

Question 11

QUESTION NO: 245 In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on physical attributes of a person. This raised the necessicity of answering 2 questions: A. What was the sex of a person and his age B. what part of body to be used and how to accomplish identification to be viable C. what was the age of a person and his income level D. what was the tone of the voice of a person and his habits

Answer 11

Answer: B

Question 12

QUESTION NO: 246 You are comparing biometric systems. Security is the top priority. A low ________ is most important in this regard. A. FAR B. FRR C. MTBF D. ERR

Answer 12

Answer: A Explanation: When comparing biometric systems, a low false acceptance rate is most important when security is the priority. Whereas, a low false rejection rate is most important when convenience is the priority. All biometric implementations balance these two criteria. Some systems use very high FAR’s such as 1 in 300. This means that the likelihood that the system will accept someone other than the enrolled user is 1 in 300. However, the likelihood that the system will reject the enrolled user (its FRR) is very low, giving them ease of use, but with low security. Most fingerprint systems should be able to run with FARs of 1 in 10,000 or better.

Question 13

QUESTION NO: 247 Almost all types of detection permit a system’s sensitivity to be increased or decreased during an inspection process. To have a valid measure of the system performance: A. The CER is used. B. the FRR is used C. the FAR is used D. none of the above choices is correct

Answer 13

Answer: A Explanation: “When a biometric system reject an authorized individual, it is called a Type 1 error. When the system accepts impostors who should be rejected, it is called a Type II error. The goal is to obtain low numbers for each type of error. When comparing different biometric systems, many different variables are used, but one of the most important variables is the crossover error rate (CER). This rating is stated in a percentage and represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most important measurement when determining the system’s accuracy.”

Question 14

QUESTION NO: 248 The quality of finger prints is crucial to maintain the necessary: A. FRR B. ERR and FAR C. FAR D. FRR and FAR

Answer 14

Answer: D Explanation: Another factor that must be taken into account when determining the necessary FAR and FRR for your organization is the actual quality of the fingerprints in your user population. ABC’s experience with several thousand users, and the experience of its customers, indicates that a percentage of the populations do not have fingerprints of sufficient quality to allow for authentication of the individual. Approximately 2.5% of employees fall into this group in the general office worker population. For these users, a smart card token with password authentication is recommended.

Question 15

QUESTION NO: 249 By requiring the user to use more than one finger to authenticate, you can: A. Provide statistical improvements in EAR. B. Provide statistical improvements in MTBF. C. Provide statistical improvements in FRR. D. Provide statistical improvements in ERR.

Answer 15

Answer: C Explanation: Statistical improvements in false rejection rates can also be achieved by requiring the user to use more than one finger to authenticate. Such techniques are referred to as flexible verification.

Question 16

QUESTION NO: 250 Which of the following is being considered as the most reliable kind of personal identification? A. Token B. Finger print C. Password D. Ticket Granting

Answer 16

Answer: B Explanation: Every person’s fingerprint is unique and is a feature that stays with the person throughout his/her life. This makes the fingerprint the most reliable kind of personal identification because it cannot be forgotten, misplaced, or stolen. Fingerprint authorization is potentially the most affordable and convenient method of verifying a person’s identity.

Question 17

QUESTION NO: 251 Which of the following methods is more microscopic and will analyze the direction of the ridges of the fingerprints for matching? A. None of the choices. B. Flow direct C. Ridge matching D. Minutia matching

Answer 17

Answer: D Explanation: There are two approaches for capturing the fingerprint image for matching: minutia matching and global pattern matching. Minutia matching is a more microscopic approach that analyzes the features of the fingerprint, such as the location and direction of the ridges, for matching. The only problem with this approach is that it is difficult to extract the minutiae points accurately if the fingerprint is in some way distorted. The more macroscopic approach is global pattern matching where the flow of the ridges is compared at all locations between a pair of fingerprint images; however, this can be affected by the direction that the image is rotated.

Question 18

QUESTION NO: 252 Which of the following are the types of eye scan in use today? A. Retinal scans and body scans. B. Retinal scans and iris scans. C. Retinal scans and reflective scans. D. Reflective scans and iris scans.

Answer 18

Answer: B Explanation: There are two types of eye scan in use today for authentication purposes: retinal scans and iris scans. Retinal Scan technology maps the capillary pattern of the retina, a thin (1/50th inch) nerve on the back of the eye. To enroll, a minimum of five scans is required, which takes 45 seconds. The subject must keep his head and eye motionless within 1/2” of the device, focusing on a small rotating point of green light. 320 - 400 points of reference are captured and stored in a 35-byte field, ensuring the measure is accurate with a negligible false rejection rate. This compares to 30-70 points of reference for a finger scan. Unfortunately a retinal scan is considerably more intrusive than an iris scans and many people are hesitant to use the device [Retina-scan]. In addition a significant number of people may be unable to perform a successful enrolment, and there exist degenerative diseases of the retina that alter the scan results over time. Despite these disadvantages, there are several successful implementations of this technology [Retina-scan].

Question 19

QUESTION NO: 253 Which of the following eye scan methods is considered to be more intrusive? A. Iris scans B. Retinal scans C. Body scans D. Reflective scans

Answer 19

Answer: B Explanation: There are two types of eye scan in use today for authentication purposes: retinal scans and iris scans. Retinal Scan technology maps the capillary pattern of the retina, a thin (1/50th inch) nerve on the back of the eye. To enroll, a minimum of five scans is required, which takes 45 seconds. The subject must keep his head and eye motionless within 1/2” of the device, focusing on a small rotating point of green light. 320 - 400 points of reference are captured and stored in a 35-byte field, ensuring the measure is accurate with a negligible false rejection rate. This compares to 30-70 points of reference for a finger scan. Unfortunately a retinal scan is considerably more intrusive than an iris scans and many people are hesitant to use the device [Retina-scan]. In addition a significant number of people may be unable to perform a successful enrolment, and there exist degenerative diseases of the retina that alter the scan results over time. Despite these disadvantages, there are several successful implementations of this technology [Retina-scan].

Question 20

QUESTION NO: 254 Which of the following offers greater accuracy then the others? A. Facial recognition B. Iris scanning C. Finger scanning D. Voice recognition

Answer 20

Answer: B Explanation: Iris scanning offers greater accuracy than finger scanning, voice or facial recognition, hand geometry or keystroke analysis. It is safer and less invasive than retinal scanning, an important legal consideration [Nuger]. Any company thinking of using biometrics would do well to ensure that they comply with existing privacy laws.

Question 21

QUESTION NO: 255 In addition to the accuracy of the biometric systems, there are other factors that must also be considered: A. These factors include the enrollment time and the throughput rate, but not acceptability. B. These factors do not include the enrollment time, the throughput rate, and acceptability. C. These factors include the enrollment time, the throughput rate, and acceptability. D. These factors include the enrollment time, but not the throughput rate, neither the acceptability.

Answer 21

Answer: C Explanation: In addition to the accuracy of the biometric systems, there are OTHER factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability.

Question 22

QUESTION NO: 256 What physical characteristics does a retinal scan biometric device measure? A. The amount of light reaching the retina B. The amount of light reflected by the retina C. The size, curvature, and shape of the retina D. The pattern of blood vessels at the back of the eye

Answer 22

Answer: D

Question 23

QUESTION NO: 257 Type II errors occur when which of the following biometric system rates is high? A. False accept rate B. False reject rate C. Crossover error rate D. Speed and throughput rate

Answer 23

Answer: A Explanation: There are three main performance issues in biometrics. These measures are as follows: False Rejection Rate (FRR) or Type 1 Error. The percentage of valid subjects that are falsely rejected. False Acceptance Rate (FAR) or Type 2 Error. The percentage of invalid subjects that are falsely accepted. Crossover Error Rate (CER). The percent in which the False Rejection Rate equals the False Acceptance Rate.

Question 24

QUESTION NO: 258 Which of the following are the valid categories of hand geometry scanning? A. Electrical and image-edge detection. B. Mechanical and image-edge detection. C. Logical and image-edge detection. D. Mechanical and image-ridge detection.

Answer 24

Answer: B Explanation: Hand geometry reading (scanning) devices usually fall into one of two categories: mechanical or image-edge detection. Both methods are used to measure specific characteristics of a person’s hand such as length of fingers and thumb, widths, and depth.

Question 25

QUESTION NO: 259 In the world of keystroke dynamics, what represents the amount of time you hold down in a particular key? A. Dwell time B. Flight time C. Dynamic time D. Systems time

Answer 25

Answer: A Explanation: Keystroke dynamics looks at the way a person types at a keyboard. Specifically, keyboard dynamics measures two distinct variables: “dwell time” which is the amount of time you hold down a particular key and “flight time” which is the amount of time it takes a person to switch between keys. Keyboard dynamics systems can measure one’s keyboard input up to 1000 times per second.

Question 26

QUESTION NO: 260 In the world of keystroke dynamics, what represents the amount of time it takes a person to switch between keys? A. Dynamic time B. Flight time C. Dwell time D. Systems time.

Answer 26

Answer: B Explanation: Keystroke dynamics looks at the way a person types at a keyboard. Specifically, keyboard dynamics measures two distinct variables: “dwell time” which is the amount of time you hold down a particular key and “flight time” which is the amount of time it takes a person to switch between keys. Keyboard dynamics systems can measure one’s keyboard input up to 1000 times per second.

Question 27

QUESTION NO: 261 Which of the following are the benefits of Keystroke dynamics? A. Low cost B. Unintrusive device C. Transparent D. All of the choices.

Answer 27

Answer: D Explanation: Keystroke dynamics is behavioral in nature. It works well with users that can “touch type”. Key advantages in applying keyboard dynamics are that the device used in this system, the keyboard, is unintrusive and does not detract from one’s work. Enrollment as well as identification goes undetected by the user. Another inherent benefit to using keystroke dynamics as an identification device is that the hardware (i.e. keyboard) is inexpensive. Currently, plug-in boards, built-in hardware and firmware, or software can represent keystroke dynamics systems.

Question 28

QUESTION NO: 262 DSV as an identification method check against users: A. Fingerprints B. Signature C. Keystrokes D. Facial expression

Answer 28

Answer: B Explanation: Signature identification, also known as Dynamic Signature Verification (DSV), is another natural fit in the world of biometrics since identification through one’s signature occurs during many everyday transactions. Any process or transaction that requires an individual’s signature is a prime contender for signature identification.

Question 29

QUESTION NO: 263 Signature identification systems analyze what areas of an individual’s signature? A. All of the choices EXCEPT the signing rate. B. The specific features of the signature. C. The specific features of the process of signing one’s signature. D. The signature rate.

Answer 29

Answer: A Explanation: Signature identification systems analyze two different areas of an individual’s signature: the specific features of the signature and specific features of the process of signing one’s signature. Features that are taken into account and measured include speed, pen pressure, directions, stroke length, and the points in time when the pen is lifted from the paper.

Question 30

QUESTION NO: 264 What are the advantages to using voice identification? A. All of the choices. B. Timesaving C. Reliability D. Flexibility

Answer 30

Answer: A Explanation: The many advantages to using voice identification include: Considered a “natural” biometric technology Provides eyes and hands-free operation Reliability Flexibility Timesaving data input Eliminate spelling errors Improved data accuracy

Question 31

QUESTION NO: 265 What are the methods used in the process of facial identification? A. None of the choices. B. Detection and recognition. C. Scanning and recognition. D. Detection and scanning.

Answer 31

Answer: B Explanation: The process of facial identification incorporates two significant methods: detection and recognition.

Question 32

QUESTION NO: 266 In the process of facial identification, the basic underlying recognition technology of facial identification involves: A. Eigenfeatures of eigenfaces. B. Scanning and recognition. C. Detection and scanning. D. None of the choices.

Answer 32

Answer: A Explanation: Recognition is comparing the captured face to other faces that have been saved and stored in a database. The basic underlying recognition technology of facial feature identification involves either eigenfeatures (facial metrics) or eigenfaces. The German word “eigen” refers to recursive mathematics used to analyze unique facial characteristics.

Question 33

QUESTION NO: 267 What is known as the probability that you are not authenticated to access your account? A. ERR B. FRR C. MTBF D. FAR

Answer 33

Answer: B Explanation: Biometric performance is most commonly measured in two ways: False Rejection Rate (FRR), and False Acceptance Rate (FAR). The FRR is the probability that you are not authenticated to access your account. A strict definition states that the FRR is the probability that a mated comparison (i.e. 2 biometric samples of the same finger) incorrectly determines that there is no match.

Question 34

QUESTION NO: 268 What is known as the chance that someone other than you is granted access to your account? A. ERR B. FAR C. FRR D. MTBF

Answer 34

Answer: B Explanation: The FAR is the chance that someone other than you is granted access to your account, in other words, the probability that a non-mated comparison (i.e. two biometric samples of different fingers) match. FAR and FRR numbers are generally expressed in terms of probability. Note: false accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. * false reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected. FRR is a Type 1 error FAR is a Type 2 error

Question 35

QUESTION NO: 269 What is typically used to illustrate the comparative strengths and weaknesses of each biometric technology? A. Decipher Chart B. Zephyr Chart C. Cipher Chart D. Zapper Chart

Answer 35

Answer: B Explanation: The Zephyr Chart illustrates the comparative strengths and weaknesses of each biometric technology. The eight primary biometric technologies are listed around the outer border, and for each technology the four major evaluation criteria are ranked from outside (better) to inside (worse). Looking at dynamic signature verification (DSV) will illustrate how the Zephyr Chart works.

Question 36

QUESTION NO: 270 In terms of the order of effectiveness, which of the following technologies is the most affective? A. Fingerprint B. Iris scan C. Keystroke pattern D. Retina scan

Answer 36

Answer: B Explanation: The order of effectiveness has not changed for a few years. It is still the same today as it was three years ago. The list below present them from most effective to list effective: Iris scan Retina scan Fingerprint Hand geometry Voice pattern Keystroke pattern Signature

Question 37

QUESTION NO: 271 In terms of the order of effectiveness, which of the following technologies is the least effective? A. Voice pattern B. Signature C. Keystroke pattern D. Hand geometry

Answer 37

Answer: B Explanation: The order of effectiveness has not changed for a few years. It is still the same today as it was three years ago. The list below present them from most effective to list effective: Iris scan Retina scan Fingerprint Hand geometry Voice pattern Keystroke pattern Signature

Question 38

QUESTION NO: 272 In terms of the order of acceptance, which of the following technologies is the MOST accepted? A. Hand geometry B. Keystroke pattern C. Voice Pattern D. Signature

Answer 38

Answer: C Explanation: The order of acceptance has slightly changed in the past years. It was Iris that was the most accepted method three years ago but today we have Voice Pattern that is by far the most accepted. Here is the list from most accepted first to least accepted at the bottom of the list: Voice Pattern Keystroke pattern Signature Hand geometry Handprint Fingerprint Iris Retina pattern

Question 39

QUESTION NO: 273 In terms of the order of acceptance, which of the following technologies is the LEAST accepted? A. Fingerprint B. Iris C. Handprint D. Retina patterns

Answer 39

Answer: D Explanation: The order of acceptance has slightly changed in the past years. It was Iris that was the most accepted method three years ago but today we have Voice Pattern that is by far the most accepted. Here is the list from most accepted first to least accepted at the bottom of the list: Voice Pattern Keystroke pattern Signature Hand geometry Handprint Fingerprint Iris Retina pattern

Question 40

QUESTION NO: 274 Which of the following biometric characteristics cannot be used to uniquely authenticate an individual’s identity? A. Retina scans B. Iris scans C. Palm scans D. Skin scans

Answer 40

Answer: D

Question 41

QUESTION NO: 275 Which of the following is true of two-factor authentication? A. It uses the RSA public-key signature based algorithm on integers with large prime factors B. It requires two measurements of hand geometry C. It does not use single sign-on technology D. It relies on two independent proofs of identity

Answer 41

Answer: D

Question 42

QUESTION NO: 276 What is Kerberos? A. A three-headed dog from Egyptian Mythology B. A trusted third-party authentication protocol C. A security model D. A remote authentication dial in user server

Answer 42

Answer: B

Question 43

QUESTION NO: 277 Which of the following is true about Kerberos? A. It utilized public key cryptography B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text C. It depends upon symmetric ciphers D. It is a second party authentication system

Answer 43

Answer: C Explanation: “Kerberos relies upon symmetric key cryptography, specifically Data Encryption Standard (DES), and provides end-to-end security for authentication traffic between the client and the Key Distribution Center (KDC).”

Question 44

QUESTION NO: 278 Kerberos depends upon what encryption method? A. Public Key cryptography B. Private Key cryptography C. El Gamal cryptography D. Blowfish cryptography

Answer 44

Answer: B Explanation: Kerberos uses symmetric key cryptography and provides end-to-end security, meaning that information being passed between a user and a service is protected without the need of an intermediate component. Although it allows the use of passwords for authentication, it was designed specifically to eliminate the need for transmitting passwords over the network. Most Kerberos implementations work with cryptography keys and shared secret keys (private keys) instead of passwords.

Question 45

QUESTION NO: 279 The primary service provided by Kerberos is which of the following? A. non-repudiation B. confidentiality C. authentication D. authorization

Answer 45

Answer: C

Question 46

QUESTION NO: 280 Which of the following are authentication server systems with operational modes that can implement SSO? A. Kerberos, SESAME and KryptoKnight B. SESAME, KryptoKnight and NetSP C. Kerberos and SESAME D. Kerberos, SESAME, KryptoKnight, and NetSP

Answer 46

Answer: D Explanation: “Scripts, directory services, thin clients, Kerberos, SESAME, NetSP, scripted access, and KrtyptoKnight are examples of SSO(single sign on) mechanisms.”

Question 47

QUESTION NO: 281 Which of the following is a trusted, third party authentication protocol that was developed under Project Athena at MIT? A. Kerberos B. SESAME C. KryptoKnight D. NetSP

Answer 47

Answer: A Explanation: “Kerberos is an authentication protocol and was designed in the mid-1980s as part of MIT’s Project Athena.”

Question 48

QUESTION NO: 282 Which of the following is true about Kerberos? A. It utilizes public key cryptography B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text. C. It depends upon symmetric ciphers D. It is a second party authentication system

Answer 48

Answer: C

Question 49

QUESTION NO: 283 One of the differences between Kerberos and KryptoKnight is that there is: A. a mapped relationship among the parties takes place B. there is a peer-to-peer relationship among the parties with themselves. C. there is no peer-to-peer relationship among the parties and the KDC D. a peer-to-peer relationship among the parties and the KDC

Answer 49

Answer: D Explanation: “Krytponight The IBM Kryptonight system provides authentication, SSO, and key distribution services. It was designed to support computers with widely varying computational capabilities. KryptoKnight uses a trusted Key Distribution Center (KDC) that knows the secret key of each party. One of the differences between kerberos and KrytoKnight is that there is a peer-to-peer relationship among the parties and the KDC.”

Question 50

QUESTION NO: 284 Which of the following is the MOST secure network access control procedure to adopt when using a callback device? A. The user enters a userid and PIN, and the device calls back the telephone number that corresponds to the userid. B. The user enters a userid, PIN, and telephone number, and the device calls back the telephone number entered. C. The user enters the telephone number, and the device verifies that the number exists in its database before calling back. D. The user enters the telephone number, and the device responds with a challenge.

Answer 50

Answer: A Explanation: Usually a request for a username and password takes place and the NAS may hang up the call in order to call the user back at a predefined phone number. This is a security activity that is used to try and ensure that only authenticated users are given access to the network and it reverse the long distance charges back to the company…However, this security measure can be compromised if someone implements call forwarding. - Shon Harris All-in-one CISSP Certification Guide pg 463

Question 51

QUESTION NO: 285 What is called the access protection system that limits connections by calling back the number of a previously authorized location? A. Sendback system B. Callback forward systems C. Callback systems D. Sendback forward systems

Answer 51

Answer: C Explanation: “Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding.”

Question 52

QUESTION NO: 286 A confidential number to verify a user’s identity is called a: A. PIN B. userid C. password D. challenge

Answer 52

Answer: A

Question 53

QUESTION NO: 287 How are memory cards and smart cards different? A. Memory cards normally hold more memory than smart cards B. Smart cards provide a two-factor authentication whereas memory cards don’t C. Memory cards have no processing power D. Only smart cards can be used for ATM cards

Answer 53

Answer: C Explanation: “The main difference between memory cards and smart cards is the processing power. A memory card holds information, but does not process information. A smart card has the necessary hardware and logic to actually process information.”

Question 54

QUESTION NO: 288 They in form of credit card-size memory cards or smart cards, or those resembling small calculators, are used to supply static and dynamic passwords are called: A. Tickets B. Tokens C. Token passing networks D. Coupons

Answer 54

Answer: B

Question 55

QUESTION NO: 289 Tokens, as a way to identify users are subject to what type of error? A. Token error B. Decrypt error C. Human error D. Encrypt error

Answer 55

Answer: C Explanation: Tokens are a fantastic way of ensuring the identity of a user. However, you must remember that no system is immune to “human error”. If the token is lost with it’s pin written on it, or if it were loaned with the corresponding pin it would allow for masquerading. This is one of the greatest threats that you have with tokens.

Question 56

QUESTION NO: 290 Which of the following factors may render a token based solution unusable? A. Token length B. Card size C. Battery lifespan D. None of the choices.

Answer 56

Answer: C Explanation: Another limitation of some of the tokens is their battery lifespan. For example, in the case of SecurID you have a token that has a battery that will last from 1 to 3 years depending on the type of token you acquired. Some token companies such as Cryptocard have introduced tokens that have a small battery compartment allowing you to change the battery when it is discharged.

Question 57

QUESTION NO: 291 Memory only cards work based on: A. Something you have. B. Something you know. C. None of the choices. D. Something you know and something you have.

Answer 57

Answer: D Explanation: Memory Only Card - This type of card is the most common card. It has a magnetic stripe on the back. These cards can offer two-factor authentication, the card itself (something you have) and the PIN (something you know). Everyone is familiar with the use of an ATM (Automated Teller Machine) card. These memory cards are very easy to counterfeit. There was a case in Montreal where a storeowner would swipe the card through for the transaction; he would then swipe it through a card reader to get a copy, while a small hidden camera was registering the PIN as the user was punching it on the pad. This scheme was quickly identified as the victims had one point in common; they all visited the same store.

Question 58

QUESTION NO: 292 Which of the following is a disadvantage of a memory only card? A. High cost to develop. B. High cost to operate. C. Physically infeasible. D. Easy to counterfeit.

Answer 58

Answer: D Explanation: Memory Only Card - This type of card is the most common card. It has a magnetic stripe on the back. These cards can offer two-factor authentication, the card itself (something you have) and the PIN (something you know). Everyone is familiar with the use of an ATM (Automated Teller Machine) card. These memory cards are very easy to counterfeit. There was a case in Montreal where a storeowner would swipe the card through for the transaction; he would then swipe it through a card reader to get a copy, while a small hidden camera was registering the PIN as the user was punching it on the pad. This scheme was quickly identified as the victims had one point in common; they all visited the same store.

Question 59

QUESTION NO: 293 The word “smart card” has meanings of: A. Personal identity token containing IC-s. B. Processor IC card. C. IC card with ISO 7816 interface. D. All of the choices.

Answer 59

Answer: D Explanation: The word “smart card” has four different meanings (in order of usage frequency): IC card with ISO 7816 interface Processor IC card Personal identity token containing IC-s Integrated Circuit(s) Card is ad ID-1 type (specified in ISO 7810) card, into which has been inserted one or more integrated circuits. [ISO 7816]

Question 60

QUESTION NO: 294 Processor card contains which of the following components? A. Memory and hard drive. B. Memory and flash. C. Memory and processor. D. Cache and processor.

Answer 60

Answer: C Explanation: Processor cards contain memory and a processor. They have remarkable data processing capabilities. Very often the data processing power is used to encrypt/decrypt data, which makes this type of card a very unique personal identification token. Data processing also permits dynamic storage management, which enables the realization of flexible multifunctional cards.

Question 61

QUESTION NO: 295 Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, and faster resource access? A. Smart cards B. Single Sign-on (SSO) C. Kerberos D. Public Key Infrastructure (PKI)

Answer 61

Answer: B

Question 62

QUESTION NO: 296 What is the main concern with single sign-on? A. Maximum unauthorized access would be possible if a password is disclosed B. The security administrator’s workload would increase C. The users’ password would be to hard to remember D. User access rights would be increased

Answer 62

Answer: A

Question 63

QUESTION NO: 297 Which of the following describes the major disadvantage of many SSO implementations? A. Once a user obtains access to the system through the initial log-on they can freely roam the network resources without any restrictions B. The initial logon process is cumbersome to discourage potential intruders C. Once a user obtains access to the system through the initial log-on, they only need to logon to some applications. D. Once a user obtains access to the system through the initial log-on, he has to logout from all other systems

Answer 63

Answer: A Reference: “The major disadvantage of many SSO implementations is that once a user obtains access to the system through the initial logon, the user can freely roam the network resources without any restrictions.”

Question 64

QUESTION NO: 298 Which of the following addresses cumbersome situations where users need to log on multiple times to access different resources? A. Single Sign-On (SSO) systems B. Dual Sign-On (DSO) systems C. Double Sign-On (DS0) systems D. Triple Sign-On (TSO) systems

Answer 64

Answer: A

Question 65

QUESTION NO: 299 A method for a user to identify and present credentials only once to a system is known as: A. SEC B. IPSec C. SSO D. SSL

Answer 65

Answer: C Explanation: Single Sign-On (SSO) - This is a method for a users to identify and present credentials only once to a system. Information needed for future system access to resources is forwarded by the initial System. BENEFITS More efficient user log-on process Users select stronger passwords Inactivity timeout and attempt thresholds applied uniformly closer to user point of entry Improved timely disabling of all network/computer accounts for terminated users

Question 66

QUESTION NO: 300 Which of the following correctly describe the features of SSO? A. More efficient log-on. B. More costly to administer. C. More costly to setup. D. More key exchanging involved.

Answer 66

Answer: A Explanation: Single Sign-On (SSO) - This is a method for a users to identify and present credentials only once to a system. Information needed for future system access to resources is forwarded by the initial System. BENEFITS More efficient user log-on process Users select stronger passwords Inactivity timeout and attempt thresholds applied uniformly closer to user point of entry Improved timely disabling of all network/computer accounts for terminated users

Question 67

QUESTION NO: 301 What is the PRIMARY advantage of using a separate authentication server (e.g., Remote Access Dial-In User System, Terminal Access Controller Access Control System) to authenticate dial-in users? A. Single user logons are easier to manage and audit. B. Each session has a unique (one-time) password assigned to it. C. Audit and access information are not kept on the access server. D. Call-back is very difficult to defeat.

Answer 67

Answer: C Explanation: TACACS integrates the authentication and authorization processes. XTACACS keeps the authentication, authorization and accounting processes separate. TACACS+ improves XTACACS by adding two-factor authentication.

Question 68

QUESTION NO: 302 Within the Open Systems Interconnection (OSI) Reference Model, authentication addresses the need for a network entity to verify both A. The identity of a remote communicating entity and the authenticity of the source of the data that are received. B. The authenticity of a remote communicating entity and the path through which communications are received. C. The location of a remote communicating entity and the path through which communications are received. D. The identity of a remote communicating entity and the level of security of the path through which data are received.

Answer 68

Answer: A Explanation: OSI model needs to know the source of the data and that it is who it says it is. Path it the data take is not cared about unless source routing is used. The level of security is not cared about inherently by the receiving node (in general) unless configured. A is the best option in this question.

Question 69

QUESTION NO: 303 Which of the following is the most reliable authentication device? A. Variable callback system B. Smart card system C. fixed callback system D. Combination of variable and fixed callback system

Answer 69

Answer: B

Question 70

QUESTION NO: 304 Which of the following are proprietarily implemented by CISCO? A. RADIUS+ B. TACACS C. XTACACS and TACACS+ D. RADIUS

Answer 70

Answer: C Explanation: Cisco implemented an enhanced version of TACACS, known as XTACACS (extended TACACS), which was also compatible with TACACS. It allowed for UDP and TCP encoding. XTACACS contained several improvements: It provided accounting functionality to track length of login and which hosts a user connected to, and it also separated the authentication, authorization, and accounting processes such that they could be independently implemented. None of the three functions are mandatory. XTACACS is described in RFC 1492. TACACS+ is the latest Cisco implementation. It is best described as XTACACS with improved attribute control (authorization) and accounting.

Question 71

QUESTION NO: 305 What is a protocol used for carrying authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server? A. IPSec B. RADIUS C. L2TP D. PPTP

Answer 71

Answer: B Explanation: RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links and a shared Authentication Server. RADIUS is a standard published in RFC2138 as mentioned above.

Question 72

QUESTION NO: 306 RADIUS is defined by which RFC? A. 2168 B. 2148 C. 2138 D. 2158

Answer 72

Answer: C Explanation: RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links and a shared Authentication Server. RADIUS is a standard published in RFC2138 as mentioned above.

Question 73

QUESTION NO: 307 In a RADIUS architecture, which of the following acts as a client? A. A network Access Server. B. None of the choices. C. The end user. D. The authentication server.

Answer 73

Answer: A Explanation: A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers, and then acting on the response, which is returned.

Question 74

QUESTION NO: 308 In a RADIUS architecture, which of the following can act as a proxy client? A. The end user. B. A Network Access Server. C. The RADIUS authentication server. D. None of the choices.

Answer 74

Answer: C Explanation: A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.

Question 75

QUESTION NO: 309 Which of the following statements pertaining to RADIUS is incorrect? A. A RADIUS server can act as a proxy server, forwarding client requests to other authentication domains. B. Most of RADIUS clients have a capability to query secondary RADIUS servers for redundancy C. Most RADIUS servers have built-in database connectivity for billing and reporting purposes D. Most RADIUS servers can work with DIAMETER servers.

Answer 75

Answer: D

Question 76

QUESTION NO: 310 Which of the following is the weakest authentication mechanism? A. Passphrases B. Passwords C. One-time passwords D. Token devices

Answer 76

Answer: B

Question 77

QUESTION NO: 311 What is the PRIMARY use of a password? A. Allow access to files B. Identify the user C. Authenticate the user D. Segregate various user’s accesses

Answer 77

Answer: C

Question 78

QUESTION NO: 312 Software generated passwords have what drawbacks? A. Passwords are not easy to remember. B. Password are too secure. C. None of the choices. D. Passwords are unbreakable.

Answer 78

Answer: A Explanation: Passwords generated by a software package or some operating systems. These password generators are good at producing unique and hard to guess passwords, however you must ensure that they are not so hard that people can’t remember them. If you force your users to write their passwords down then you are defeating the purpose of having strong password management.

Question 79

QUESTION NO: 313 What are the valid types of one time password generator? A. All of the choices. B. Transaction synchronous C. Synchronous/PIN synchronous D. Asynchronous/PIN asynchronous

Answer 79

Answer: A Explanation: One-time Passwords are changed after every use. Handheld password generator (tokens) 3 basic types: Synchronous/PIN synchronous, Transaction synchronous, Asynchronous/PIN asynchronous.

Question 80

QUESTION NO: 314 Which of the following will you consider as most secure? A. Password B. One time password C. Login phrase D. Login ID

Answer 80

Answer: B Explanation: Each time the user logs in, the token generates a unique password that is synchronized with the network server. If anyone tries to reuse this dynamic password, access is denied, the event is logged and the network remains secure.

Question 81

QUESTION NO: 315 What type of password makes use of two totally unrelated words? A. Login phrase B. One time password C. Composition D. Login ID

Answer 81

Answer: C Explanation: Usage of two totally unrelated words or a series of unrelated characters, such as pizza!wood for example. Such a password is easy to remember but very hard to guess. It would require a cracker quite a bit of time to do a brute force attack on a password that is that long and that uses an extended character as well.

Question 82

QUESTION NO: 316 Which of the following is the correct account policy you should follow? A. All of the choices. B. All active accounts must have a password. C. All active accounts must have a long and complex pass phrase. D. All inactive accounts must have a password.

Answer 82

Answer: B Explanation: All active accounts must have a password. Unless you are using an application or service designed to be accessed without the need of a proper ID and password. Such service must however be monitored by other means (not a recommended practicE.)

Question 83

QUESTION NO: 317 Which of the following are the advantages of using passphrase? A. Difficult to crack using brute force. B. Offers numerous characters. C. Easier to remember. D. All of the choices.

Answer 83

Answer: D Explanation: The use of passphrases is a good way of having very strong passwords. A passphrase is easier to remember, it offers numerous characters, and it is almost impossible to crack using brute force with today’s processing power. An example of a passphrase could be: “Once upon a time in the CISSP world”

Question 84

QUESTION NO: 318 Which of the following are the correct guidelines of password deployment? A. Passwords must be masked. B. All of the choices. C. Password must have a minimum of 8 characters. D. Password must contain a mix of both alphabetic and non-alphabetic characters.

Answer 84

Answer: B Explanation: Passwords must not be displayed in plain text while logging on. Passwords must be masked. Password must have a minimum of 8 characters. Password must contain a mix of both alphabetic and non-alphabetic characters. Passwords must be kept private, e.g. not shared, coded into programs, or written down.

Question 85

QUESTION NO: 319 Why would a 16 characters password not desirable? A. Hard to remember B. Offers numerous characters. C. Difficult to crack using brute force. D. All of the choices.

Answer 85

Answer: A Explanation: When the password is too hard to memorize, the user will actually write it down, which is totally insecure and unacceptable.

Question 86

QUESTION NO: 320 Which of the following is NOT a good password deployment guideline? A. Passwords must not be he same as user id or login id. B. Password aging must be enforced on all systems. C. Password must be easy to memorize. D. Passwords must be changed at least once every 60 days, depending on your environment.

Answer 86

Answer: C Explanation: Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed then the account must be disable until reset by an administrator or the help desk. Password reuse is not allowed (rotating passwords).

Question 87

QUESTION NO: 321 Rotating password can be restricted by the use of: A. Password age B. Password history C. Complex password D. All of the choices

Answer 87

Answer: B Explanation: Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed then the account must be disable until reset by an administrator or the help desk. Password reuse is not allowed (rotating passwords).

Question 88

QUESTION NO: 322 What should you do immediately if the root password is compromised? A. Change the root password. B. Change all passwords. C. Increase the value of password age. D. Decrease the value of password history.

Answer 88

Answer: B Explanation: All passwords must be changed if the root password is compromised or disclosure is suspected. (This is a separate case; the optimal solution would be to reload the compromised computer. A computer that has been downgraded can never be upgraded to higher security level)

Question 89

QUESTION NO: 323 Which of the following is the most secure way to distribute password? A. Employees must send in an email before obtaining a password. B. Employees must show up in person and present proper identification before obtaining a password. C. Employees must send in a signed email before obtaining a password. D. None of the choices.

Answer 89

Answer: B Explanation: Employees must show up in person and present proper identification before obtaining a new or changed password (depending on your policy). After three unsuccessful attempts to enter a password, the account will be locked and only an administrator or the help desk can reactivate the involved user ID.

Question 90

QUESTION NO: 324 Which of the following does not apply to system-generated passwords? A. Passwords are harder to remember for users B. If the password-generating algorithm gets to be known, the entire system is in jeopardy C. Passwords are more vulnerable to brute force and dictionary attacks. D. Passwords are harder to guess for attackers

Answer 90

Answer: C

Question 91

QUESTION NO: 325 Passwords can be required to change monthly, quarterly, or any other intervals: A. depending on the criticality of the information needing protection B. depending on the criticality of the information needing protection and the password’s frequency of use C. depending on the password’s frequency of use D. not depending on the critica

Answer 91

Answer: B

Question 92

QUESTION NO: 326 In SSL/TLS protocol, what kind of authentication is supported? A. Peer-to-peer authentication B. Only server authentication (optional) C. Server authentication (mandatory) and client authentication (optional) D. Role based authentication scheme

Answer 92

Answer: C Explanation: “The server sends a message back to the client indicating that a secure session needs to be established, and the client sends it security parameters. The server compares those security parameters to its own until it finds a match. This is the handshaking phase. The server authenticates to the client by sending it a digital certificate, and if the client decides to trust the server the process continues. The server can require the client to send over a digital certificate for mutual authentication, but that is rare.”

Question 93

QUESTION NO: 327 Which of the following correctly describe the difference between identification and authentication? A. Authentication is a means to verify who you are, while identification is what you are authorized to perform. B. Identification is a means to verify who you are, while authentication is what you are authorized to perform. C. Identification is another name of authentication. D. Identification is the child process of authentication.

Answer 93

Answer: D Explanation: Not B: Authentication is not what you are authorized to perform

Question 94

QUESTION NO: 328 Identification establishes: A. Authentication B. Accountability C. Authorization D. None of the choices.

Answer 94

Answer: B Explanation: Identification is a means to verify who you are. Authentication is what you are authorized to perform, access, or do. User identification enables accountability. It enables you to trace activities to individual users that may be held responsible for their actions. Identification usually takes the form of Logon ID or User ID. Some of the Logon ID characteristics are: they must be unique, not shared, and usually non descriptive of job function.

Question 95

QUESTION NO: 329 Identification usually takes the form of: A. Login ID. B. User password. C. None of the choices. D. Passphrase

Answer 95

Answer: A Explanation: Identification is a means to verify who you are. Authentication is what you are authorized to perform, access, or do. User identification enables accountability. It enables you to trace activities to individual users that may be held responsible for their actions. Identification usually takes the form of Logon ID or User ID. Some of the Logon ID characteristics are: they must be unique, not shared, and usually non descriptive of job function

Question 96

QUESTION NO: 330 What is called the act of a user professing an identity to a system, usually in the form of a log-on ID? A. Authentication B. Identification C. Integrity D. Confidentiality

Answer 96

Answer: B Explanation: “Identification is the act of a user professing an identity to a system, usually in the form of a logon ID to the system.” Pg 49 Krutz The CISSP Prep Guide. “Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number. To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token.” Pg 110 Shon Harris: All-in-One CISSP Certification

Question 97

QUESTION NO: 331 What is called the verification that the user’s claimed identity is valid and is usually implemented through a user password at log-on time? A. Authentication B. Identification C. Integrity D. Confidentiality

Answer 97

Answer: A

Question 98

QUESTION NO: 332 Identification and authentication are the keystones of most access control systems. Identification establishes: A. user accountability for the actions on the system B. top management accountability for the actions on the system C. EDP department accountability for the actions of users on the system D. authentication for actions on the system

Answer 98

Answer: A

Question 99

QUESTION NO: 333 Which one of the following authentication mechanisms creates a problem for mobile users? A. address-based mechanism B. reusable password mechanism C. one-time password mechanism D. challenge response mechanism

Answer 99

Answer: A

Question 100

QUESTION NO: 334 Which of the following centralized access control mechanisms is not appropriate for mobile workers access the corporate network over analog lines? A. TACACS B. Call-back C. CHAP D. RADIUS

Answer 100

Answer: B

Question 101

QUESTION NO: 335 Authentication is typically based upon: A. Something you have. B. Something you know. C. Something you are. D. All of the choices.

Answer 101

Answer: D Explanation: Authentication is a means of verifying the eligibility of an entity to receive specific categories of information. The entity could be individual user, machine, or software component. Authentication is typically based upon something you know, something you have, or something you are.

Question 102

QUESTION NO: 336 A password represents: A. Something you have. B. Something you know. C. All of the choices. D. Something you are.

Answer 102

Answer: B Explanation: The canonical example of something you know is a password or pass phrase. You might type or speak the value. A number of schemes are possible for obtaining what you know. It might be assigned to you, or you may have picked the value yourself. Constraints may exist regarding the form the value can take, or the alphabet from which you are allowed to construct the value might be limited to letters only. If you forget the value, you may not be able to authenticate yourself to the system.

Question 103

QUESTION NO: 337 A smart card represents: A. Something you are. B. Something you know. C. Something you have. D. All of the choices.

Answer 103

Answer: C Explanation: Another form of authentication requires possession of something such as a key, a smart card, a disk, or some other device. Whatever form it takes, the authenticating item should be difficult to duplicate and may require synchronization with systems other than the one to which you are requesting access. Highly secure environments may require you to possess multiple things to guarantee authenticity.

Question 104

QUESTION NO: 338 Which of the following is the most commonly used check on something you know? A. One time password B. Login phrase C. Retinal D. Password

Answer 104

Answer: D Explanation: Passwords even though they are always mentioned as being unsecured, necessary evils, that put your infrastructure at risk, are still commonly used and will probably be used for quite a few years. Good passwords can provide you with a good first line of defense. Passwords are based on something the user knows. They are used to authenticate users before they can access specific resources.

Question 105

QUESTION NO: 339 Retinal scans check for: A. Something you are. B. Something you have. C. Something you know. D. All of the choices.

Answer 105

Answer: A Explanation: Something you are is really a special case of something you have. The usual examples given include fingerprint, voice, or retinal scans.

Question 106

QUESTION NO: 340 What type of authentication takes advantage of an individuals unique physical characteristics in order to authenticate that persons identity? A. Password B. Token C. Ticket Granting D. Biometric

Answer 106

Answer: D Explanation: Biometric authentication systems take advantage of an individual’s unique physical characteristics in order to authenticate that person’s identity. Various forms of biometric authentication include face, voice, eye, hand, signature, and fingerprint, each have their own advantages and disadvantages. When combined with the use of a PIN it can provide two factors authentication.

Question 107

QUESTION NO: 341 What is called an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics? A. Biometrics B. Micrometrics C. Macrometrics D. MicroBiometrics

Answer 107

Answer: A

Question 108

QUESTION NO: 342 Which of the following forms of authentication would most likely apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier? A. Dynamic authentication B. Continuous authentication C. Encrypted authentication D. Robust authentication

Answer 108

Answer: B Explanation: See also www.rxn.com/services/faq/internet/ISPTG-5.html Continuous Authentication This type of authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. These are typically referred to as active attacks, since they assume that the imposter can actively influence the connection between claimant and verifier. One way to provide this form of authentication is to apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier.

Question 109

QUESTION NO: 343 In which situation would TEMPEST risks and technologies be of MOST interest? A. Where high availability is vital. B. Where the consequences of disclose are very high. C. Where countermeasures are easy to implement D. Where data base integrity is crucial

Answer 109

Answer: B Explanation: Emanation eavesdropping. Receipt and display of information, which is resident on computers or terminals, through the interception of radio frequency (RF) signals generated by those computers or terminals. The US government established a program called TEMPEST that addressed this problem by requiring a shielding and other emanation-reducing mechanisms to be employed on computers processing sensitive and classified government information.

Question 110

QUESTION NO: 344 Which one of the following addresses the protection of computers and components from electromagnetic emissions? A. TEMPEST B. ISO 9000 C. Hardening D. IEEE 802.2

Answer 110

Answer: A Explanation: Receipt and Display of information, which is resident on computers or terminals, thorugh the interception of Radio Frequency (RF) signals generated by those computers or terminals. The US government established a program called Tempest that addressed this problem by requiring shielding and other emanation-reducing mechanisms to be employed on computers processing sensitive and classified government information.

Question 111

QUESTION NO: 345 Monitoring electromagnetic pulse emanations from PCs and CRTs provides a hacker with that significant advantage? A. Defeat the TEMPEST safeguard B. Bypass the system security application. C. Gain system information without trespassing D. Undetectable active monitoring.

Answer 111

Answer: D Explanation: Tempest equipment is implemented to prevent intruders from picking up information through the airwaves with listening devices. - Shon Harris All-in-one CISSP Certification Guide pg 192. In Harris’s other book CISSP PASSPORT, she talks about tempest in terms of spy movies and how a van outside is listening or monitoring to the activities of someone. This lends credence to the answer of C (trespassing) but I think D is more correct. In that all the listener must do is listen to the RF. Use your best judgment based on experience and knowledge.

Question 112

QUESTION NO: 346 What name is given to the study and control of signal emanations from electrical and electromagnetic equipment? A. EMI B. Cross Talk C. EMP D. TEMPEST

Answer 112

Answer: D

Question 113

QUESTION NO: 347 TEMPEST addresses A. The vulnerability of time-dependent transmissions. B. Health hazards of electronic equipment. C. Signal emanations from electronic equipment. D. The protection of data from high energy attacks.

Answer 113

Answer: C Explanation: “Tempest is the study and control of spurious electrical signals that are emitted by electrical equipment.”

Question 114

QUESTION NO: 348 Which one of the following is the MOST solid defense against interception of a network transmission? A. Frequency hopping B. Optical fiber C. Alternate routing D. Encryption

Answer 114

Answer: B Explanation: An alternative to conductor-based network cabling is fiber-optic cable. Fiber-optic cables transmit pulses of light rather than electricity. This has the advantage of being extremely fast and near impervious to tapping.

Question 115

QUESTION NO: 349 Which of the following media is MOST resistant to tapping? A. Microwave B. Twisted pair C. Coaxial cable D. Fiber optic

Answer 115

Answer: D

Question 116

QUESTION NO: 350 What type of wiretapping involves injecting something into the communications? A. Aggressive B. Captive C. Passive D. Active

Answer 116

Answer: D Explanation: Most communications are vulnerable to some type of wiretapping or eavesdropping. It can usually be done undetected and is referred to as a passive attack versus an active attack. - Shon Harris All-in-one CISSP Certification Guide pg 649 “(I) An attack that intercepts and accesses data and other information contained in a flow in a communication system. (C) Although the term originally referred to making a mechanical connection to an electrical conductor that links two nodes, it is now used to refer to reading information from any sort of medium used for a link or even directly from a node, such as gateway or subnetwork switch. (C) “Active wiretapping” attempts to alter the data or otherwise affect the flow; “passive wiretapping” only attempts to observe the flow and gain knowledge of information it contains. (See: active attack, end-to-end encryption, passive attack.)” http://www.linuxsecurity.com/dictionary/dict-455.html

Question 117

QUESTION NO: 351 Why would an Ethernet LAN in a bus topology have a greater risk of unauthorized disclosure than switched Ethernet in a hub-and-spoke or star topology? A. IEEE 802.5 protocol for Ethernet cannot support encryption. B. Ethernet is a broadcast technology. C. Hub and spoke connections are highly multiplexed. D. TCP/IP is an insecure protocol.

Answer 117

Answer: B Explanation: Ethernet is broadcast and the question asks about a bus topology vs a SWITCHED Ethernet. Most switched Ethernet lans are divided by vlans which contain broadcasts to a single vlan, but remember only a layer 3 device can stop a broadcast.

Question 118

QUESTION NO: 352 What type of attacks occurs when a smartcard is operating under normal physical conditions, but sensitive information is gained by examining the bytes going to and from the smartcard? A. Physical attacks. B. Logical attacks. C. Trojan Horse attacks. D. Social Engineering attacks.

Answer 118

Answer: B Explanation: Logical attacks occur when a smartcard is operating under normal physical conditions, but sensitive information is gained by examining the bytes going to and from the smartcard. One example is the so-called “timing attack” described by Paul Kocher. In this attack, various byte patterns are sent to the card to be signed by the private key. Information such as the time required to perform the operation and the number of zeroes and ones in the input bytes are used to eventually obtain the private key. There are logical countermeasures to this attack but not all smartcard manufacturers have implemented them. This attack does require that the PIN to the card be known, so that many private key operations can be performed on chosen input bytes.

Question 119

QUESTION NO: 353 What is an effective countermeasure against Trojan horse attack that targets smart cards? A. Singe-access device driver architecture. B. Handprint driver architecture. C. Fingerprint driver architecture. D. All of the choices.

Answer 119

Answer: A Explanation: The countermeasure to prevent this attack is to use “single-access device driver” architecture. With this type of architecture, the operating system enforces that only one application can have access to the serial device (and thus the smartcard) at any given time. This prevents the attack but also lessens the convenience of the smartcard because multiple applications cannot use the services of the card at the same time. Another way to prevent the attack is by using a smartcard that enforces a “one private key usage per PIN entry” policy model. In this model, the user must enter their PIN every single time the private key is to be used and therefore the Trojan horse would not have access to the key.

Question 120

QUESTION NO: 354 Which of the following could illegally capture network user passwords? A. Data diddling B. Sniffing C. Spoofing D. Smurfing

Answer 120

Answer: B

Question 121

QUESTION NO: 355 Which of the following statements is incorrect? A. Since the early days of mankind humans have struggled with the problems of protecting assets B. The addition of a PIN keypad to the card reader was a solution to unreported card or lost cards problems C. There has never been a problem of lost keys D. Human guard is an inefficient and sometimes ineffective method of protecting resources

Answer 121

Answer: C

Question 122

QUESTION NO: 356 A system uses a numeric password with 1-4 digits. How many passwords need to be tried before it is cracked? A. 1024 B. 10000 C. 100000 D. 1000000

Answer 122

Answer: B Explanation: The largest 4 digit number is 9999. So 0000 – 9999 provides 10000 possible combinations.

Question 123

QUESTION NO: 357 Which of the following can be used to protect your system against brute force password attack? A. Decrease the value of password history. B. Employees must send in a signed email before obtaining a password. C. After three unsuccessful attempts to enter a password, the account will be locked. D. Increase the value of password age.

Answer 123

Answer: C Explanation: Employees must show up in person and present proper identification before obtaining a new or changed password (depending on your policy). After three unsuccessful attempts to enter a password, the account will be locked and only an administrator or the help desk can reactivate the involved user ID.

Question 124

QUESTION NO: 358 Which of the following is an effective measure against a certain type of brute force password attack? A. Password used must not be a word found in a dictionary. B. Password history is used. C. Password reuse is not allowed. D. None of the choices.

Answer 124

Answer: A Explanation: Password reuse is not allowed (rotating passwords). Password history must be used to prevent users from reusing passwords. On all systems with such a facility the last 12 passwords used will be kept in the history. All computer system users must choose passwords that cannot be easily guessed. Passwords used must not be a word found in a dictionary.

Question 125

QUESTION NO: 359 Which type of attack will most likely provide an attacker with multiple passwords to authenticate to a system? A. Password sniffing B. Dictionary attack C. Dumpster diving D. Social engineering

Answer 125

Answer: A

Question 126

QUESTION NO: 360 Which of the following are measures against password sniffing? A. Passwords must not be sent through email in plain text. B. Passwords must not be stored in plain text on any electronic media. C. You may store passwords electronically if it is encrypted. D. All of the choices.

Answer 126

Answer: D Explanation: Passwords must not be sent through email in plain text. Passwords must not be stored in plain text on any electronic media. It is acceptable to store passwords in a file if it is encrypted with PGP or equivalent strong encryption (once again depending on your organization policy). All vendor supplied default passwords must be changed.

Question 127

QUESTION NO: 361 Which one of the following conditions is NOT necessary for a long dictionary attack to succeed? A. The attacker must have access to the target system. B. The attacker must have read access to the password file. C. The attacker must have write access to the password file. D. The attacker must know the password encryption mechanism and key variable.

Answer 127

Answer: C Explanation: The program encrypts the combination of characters and compares them to the encrypted entries in the password file. If a match is found, the program has uncovered a password.

Question 128

QUESTION NO: 362 What is an important factor affecting the time required to perpetrate a manual trial and error attack to gain access to a target computer system? A. Keyspace for the password. B. Expertise of the person performing the attack. C. Processing speed of the system executing the attack. D. Encryption algorithm used for password transfer.

Answer 128

Answer: A Explanation: I am not sure of the answer on this question. B seems good but the reference below states that Keyspace (or length of password) is the main deterrent. I did not come across something that directly relates in my readings. “If an attacker mounts a trial-and-error attack against your password, a longer password gives the attacker a larger number of alternatives to try. If each character in the password may take on 96 different values (typical of printable ASCII characters) then each additional character presents the attacker with 96 times as many passwords to try. If the number of alternatives is large enough, the trial-and-error attack might discourage the attacker, or lead to the attacker’s detection.” http://www.smat.us/sanity/riskyrules.html

Question 129

QUESTION NO: 363 Which one of the following BEST describes a password cracker? A. A program that can locate and read a password file. B. A program that provides software registration passwords or keys. C. A program that performs comparative analysis. D. A program that obtains privileged access to the system.

Answer 129

Answer: C Explanation: In a dictionary crack, L0phtCrack encrypts (i.e., hashes) all the passwords in a dictionary file you specify and compares every result with the password hash. If L0phtCrack finds any matches, it knows the password is the dictionary word. L0phtCrack comes with a default dictionary file, wordsenglish. You can download additional files from the Internet or create a custom file. In the Tools Options dialog box, you can choose to run the dictionary attack against the LANMAN password hash, the NT LAN Manager (NTLM) password hash, or both (which is the default). In a hybrid crack, L0phtCrack extends the dictionary crack by appending numbers or symbols to each word in the dictionary file. For example, in addition to trying “Galileo,” L0phtCrack also tries “Galileo24,” “13Galileo,” “?Galileo,” “Galileo!,” and so on. The default number of characters L0phtCrack tries is two, and you can change this number in the Tools Options dialog box. In a brute-force crack, L0phtCrack tries every possible combination of characters in a character set. L0phtCrack offers four character sets, ranging from alpha only to all alphanumeric plus all symbol characters. You can choose a character set from the Character Set drop-down box in the Tools Options dialog box or type a custom character set in the Character Set drop-down box. L0phtCrack saves custom sets in files with an .lc extension. You can also specify a character set in the password file, as the example in Figure 2 shows. Not B: A key generator is what is being described by the registration password or key answer.

Question 130

QUESTION NO: 364 If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible? A. Birthday B. Brute force C. Man-in-the-middle D. Smurf

Answer 130

Answer: B Explanation: Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Pg 134 Shon Harris CISSP All-In-One Certification Exam Guide. Since the token allows offline checking of PIN, the cracker can keep trying PINS until it is cracked.

Question 131

QUESTION NO: 365 Which of the following actions can increase the cost of an exhaustive attack? A. Increase the age of a password. B. Increase the length of a password. C. None of the choices. D. Increase the history of a password.

Answer 131

Answer: B Explanation: Defenses against exhaustive attacks involve increasing the cost of the attack by increasing the number of possibilities to be exhausted. For example, increasing the length of a password will increase the cost of an exhaustive attack. Increasing the effective length of a cryptographic key variable will make it more resistant to an exhaustive attack.

Question 132

QUESTION NO: 366 Which of the following attacks focus on cracking passwords? A. SMURF B. Spamming C. Teardrop D. Dictionary

Answer 132

Answer: D Explanation: Dictionaries may be used in a cracking program to determine passwords. A short dictionary attack involves trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems. Although most systems resist such attacks, some do not. In one case, one system in five yielded to a particular dictionary attack.

Question 133

QUESTION NO: 367 Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector? A. Using TACACS+ server B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall. C. Setting modem ring count to at least 5 D. Only attaching modems to non-networked hosts.

Answer 133

Answer: B

Question 134

QUESTION NO: 368 What is known as decoy system designed to lure a potential attacker away from critical systems? A. Honey Pots B. Vulnerability Analysis Systems C. File Integrity Checker D. Padded Cells

Answer 134

Answer: A Explanation: Honey pots are decoy systems that are designed to lure a potential attacker away from critical systems. Honey pots are designed to: Divert an attacker from accessing critical systems, Collect information about the attacker’s activity, and encourage the attacker to stay on the system long enough for administrators to respond.

Question 135

QUESTION NO: 369 Which of the following will you consider as a program that monitors data traveling over a network? A. Smurfer B. Sniffer C. Fragmenter D. Spoofer

Answer 135

Answer: B Explanation: A sniffer is a program and/or device that monitor data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information off a network. Unauthorized sniffers can be extremely dangerous to a network’s security because they are virtually impossible to detect

Question 136

QUESTION NO: 370 Which of the following is NOT a system-sensing wireless proximity card? A. magnetically striped card B. passive device C. field-powered device D. transponder

Answer 136

Answer: A

Question 137

QUESTION NO: 371 Attacks on smartcards generally fall into what categories? A. Physical attacks. B. Trojan Horse attacks. C. Logical attacks. D. All of the choices, plus Social Engineering attacks.

Answer 137

Answer: D Explanation: Attacks on smartcards generally fall into four categories: Logical attacks, Physical attacks, Trojan Horse attacks and Social Engineering attacks.

Question 138

QUESTION NO: 372 Which of the following attacks could be the most successful when the security technology is properly implemented and configured? A. Logical attacks B. Physical attacks C. Social Engineering attacks D. Trojan Horse attacks

Answer 138

Answer: C Explanation: Social Engineering attacks - In computer security systems, this type of attack is usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. An example of a social engineering attack has a hacker impersonating a network service technician. The serviceman approaches a low-level employee and requests their password for network servicing purposes. With smartcards, this type of attack is a bit more difficult. Most people would not trust an impersonator wishing to have their smartcard and PIN for service purposes.

Question 139

QUESTION NO: 373 What type of attacks occurs when normal physical conditions are altered in order to gain access to sensitive information on the smartcard? A. Physical attacks B. Logical attacks C. Trojan Horse attacks D. Social Engineering attacks

Answer 139

Answer: A Explanation: Physical attacks occur when normal physical conditions, such as temperature, clock frequency, voltage, etc, are altered in order to gain access to sensitive information on the smartcard. Most smartcard operating systems write sensitive data to the EEPROM area in a proprietary, encrypted manner so that it is difficult to obtain clear text keys by directly hacking into the EEPROM. Other physical attacks that have proven to be successful involve an intense physical fluctuation at the precise time and location where the PIN verification takes place. Thus, sensitive card functions can be performed even though the PIN is unknown. This type of attack can be combined with the logical attack mentioned above in order to gain knowledge of the private key. Most physical attacks require special equipment.

Question 140

QUESTION NO: 374 Which one of the following is an example of electronic piggybacking? A. Attaching to a communications line and substituting data. B. Abruptly terminating a dial-up or direct-connect session. C. Following an authorized user into the computer room. D. Recording and playing back computer transactions.

Answer 140

Answer: C Explanation: Ok this is a weird little question. The term electronic is kinda of throwing me a bit. A lot of times piggybacking can be used in terms of following someone in a building. Piggyback - Gaining unauthorized access to a system via another user’s legitimate connection. (see between-the-lines entry) Between-the-lines entry 0 Unauthorized access obtained by tapping the temporarily inactive terminal of a legitimate user.

Question 141

QUESTION NO: 375 A system using Discretionary Access Control (DAC) is vulnerable to which one of the following attacks? A. Trojan horse B. Phreaking C. Spoofing D. SYN flood

Answer 141

Answer: C Explanation: An attempt to gain access to a system by posing as an authorized user. Synonymous with impersonating, masquerading, or mimicking. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 921 “Spoofing - The act of replacing the valid source and/or destination IP address and node numbers with false ones. Spoofing attack - any attack that involves spoofed or modified packets.” - Ed Tittle CISSP Study Guide (sybex)

Question 142

QUESTION NO: 376 Which of the following is an example of an active attack? Select one. A. Traffic analysis B. Masquerading C. Eavesdropping D. Shoulder surfing

Answer 142

Answer: B Explanation: Shoulder surfing is passive, like eavesdropping and traffic analysis. Masquerading is the only one where you are actually doing something by changing something – actively doing something.

Question 143

QUESTION NO: 377 What attack involves actions to mimic one’s identity? A. Brute force B. Exhaustive C. Social engineering D. Spoofing

Answer 143

Answer: D Explanation: Spoofing is an attack in which one person or process pretends to be a person or process that has more privileges. For example, user A can mimic behavior to make process B believe user A is user C. In the absence of any other controls, B may be duped into giving to user A the data and privileges that were intended for user C.

Question 144

QUESTION NO: 378 Which access control model enables the owner of the resource to specify what subjects can access specific resources? A. Discretionary Access Control B. Mandatory Access Control C. Sensitive Access Control D. Role-based Access Control

Answer 144

Answer: A

Question 145

QUESTION NO: 379 The type of discretionary access control that is based on an individual’s identity is called: A. Identity-based access control B. Rule-based access control C. Non-Discretionary access control D. Lattice-based access control

Answer 145

Answer: A

Question 146

QUESTION NO: 380 Which of the following access control types gives “UPDATE” privileges on Structured Query Language (SQL) database objects to specific users or groups? A. Supplemental B. Discretionary C. Mandatory D. System

Answer 146

Answer: C Explanation: Supplemental and System are not access control types. The most correct answer is mandatory opposed to discretionary. The descriptions below sound typical of how a sql accounting database controls access. “In a mandatory access control (MAC) model, users and data owners do not have as much freedom to determine who can access their files. Data owners can allow others to have access to their files, but it is the operating system that will make the final decision and can override the data owner’s wishes.” Pg. 154 Shon Harris CISSP All-In-One Certification Exam Guide “Rule-based access controls are a variation of mandatory access controls. A rule based systems uses a set of rules, restrictions or filters to determine what can and cannot occur on the system, such as granting subject access, performing an action on an object, or accessing a resource.

Question 147

QUESTION NO: 381 With Discretionary access controls, who determines who has access and what privilege they have? A. End users. B. None of the choices. C. Resource owners. D. Only the administrators.

Answer 147

Answer: C Explanation: Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects’ rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended. Under this type of control, the owner determines who has access and what privilege they have.

Question 148

QUESTION NO: 382 What defines an imposed access control level? A. MAC B. DAC C. SAC D. CAC

Answer 148

Answer: A Explanation: MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.

Question 149

QUESTION NO: 383 Under MAC, who can change the category of a resource? A. All users. B. Administrators only. C. All managers. D. None of the choices.

Answer 149

Answer: B Explanation: MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.

Question 150

QUESTION NO: 384 Under MAC, who may grant a right of access that is explicitly forbidden in the access control policy? A. None of the choices. B. All users. C. Administrators only. D. All managers.

Answer 150

Answer: A Explanation: MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.

Question 151

QUESTION NO: 385 You may describe MAC as: A. Opportunistic B. Prohibitive C. None of the choices. D. Permissive

Answer 151

Answer: B Explanation: It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

Question 152

QUESTION NO: 386 Under MAC, which of the following is true? A. All that is expressly permitted is forbidden. B. All that is not expressly permitted is forbidden. C. All that is not expressly permitted is not forbidden. D. None of the choices.

Answer 152

Answer: B Explanation: It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

Question 153

QUESTION NO: 387 Under MAC, a clearance is a: A. Sensitivity B. Subject C. Privilege D. Object

Answer 153

Answer: C Explanation: It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

Question 154

QUESTION NO: 388 Under MAC, a file is a(n): A. Privilege B. Subject C. Sensitivity D. Object

Answer 154

Answer: D Explanation: It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

Question 155

QUESTION NO: 389 Under MAC, classification reflects: A. Sensitivity B. Subject C. Privilege D. Object

Answer 155

Answer: A Explanation: It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

Question 156

QUESTION NO: 390 MAC is used for: A. Defining imposed access control level. B. Defining user preferences. C. None of the choices. D. Defining discretionary access control level.

Answer 156

Answer: A Explanation: As the name implies, the Mandatory Access Control defines an imposed access control level. MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.

Question 157

QUESTION NO: 391 With MAC, who may make decisions that bear on policy? A. None of the choices. B. All users. C. Only the administrator. D. All users except guests.

Answer 157

Answer: C Explanation: As the name implies, the Mandatory Access Control defines an imposed access control level. MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.

Question 158

QUESTION NO: 392 With MAC, who may NOT make decisions that derive from policy? A. All users except the administrator. B. The administrator. C. The power users. D. The guests.

Answer 158

Answer: A Explanation: As the name implies, the Mandatory Access Control defines an imposed access control level. MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.

Question 159

QUESTION NO: 393 Under the MAC control system, what is required? A. Performance monitoring B. Labeling C. Sensing D. None of the choices

Answer 159

Answer: B Explanation: It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

Question 160

QUESTION NO: 394 Access controls that are not based on the policy are characterized as: A. Secret controls B. Mandatory controls C. Discretionary controls D. Corrective controls

Answer 160

Answer: C Explanation: Access controls that are not based on the policy are characterized as discretionary controls by the US government and as need-to-know controls by other organizations. The latter term connotes least privilege - those who may read an item of data are precisely those whose tasks entail the need.

Question 161

QUESTION NO: 395 DAC are characterized by many organizations as: A. Need-to-know controls B. Preventive controls C. Mandatory adjustable controls D. None of the choices

Answer 161

Answer: A Explanation: Access controls that are not based on the policy are characterized as discretionary controls by the US government and as need-to-know controls by other organizations. The latter term connotes least privilege - those who may read an item of data are precisely those whose tasks entail the need.

Question 162

QUESTION NO: 396 Which of the following correctly describe DAC? A. It is the most secure method. B. It is of the B2 class. C. It can extend beyond limiting which subjects can gain what type of access to which objects. D. It is of the B1 class.

Answer 162

Answer: C Explanation: With DAC, administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects’ rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended.

Question 163

QUESTION NO: 397 Under DAC, a subjects rights must be ________ when it leaves an organization altogether. A. recycled B. terminated C. suspended D. resumed

Answer 163

Answer: B Explanation: Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects’ rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended.

Question 164

QUESTION NO: 398 In a discretionary mode, which of the following entities is authorized to grant information access to other people? A. manager B. group leader C. security manager D. user E. Data Owner

Answer 164

Answer: E

Question 165

QUESTION NO: 399 With RBAC, each user can be assigned: A. One or more roles. B. Only one role. C. A token role. D. A security token.

Answer 165

Answer: A Explanation: With RBAC, security is managed at a level that corresponds closely to the organization’s structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Roles can be hierarchical.

Question 166

QUESTION NO: 400 With RBAC, roles are: A. Based on labels. B. All equal C. Hierarchical D. Based on flows.

Answer 166

Answer: C Explanation: With RBAC, security is managed at a level that corresponds closely to the organization’s structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Roles can be hierarchical.

Question 167

QUESTION NO: 401 With __________, access decisions are based on the roles that individual users have as part of an organization. A. Server based access control. B. Rule based access control. C. Role based access control. D. Token based access control.

Answer 167

Answer: C Explanation: With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

Question 168

QUESTION NO: 402 Under Role based access control, access rights are grouped by: A. Policy name B. Rules C. Role name D. Sensitivity label

Answer 168

Answer: C Explanation: With role-based access control, access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.

Question 169

QUESTION NO: 403 Which of the following will you consider as a “role” under a role based access control system? A. Bank rules B. Bank computer C. Bank teller D. Bank network

Answer 169

Answer: C Explanation: With role-based access control, access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.

Question 170

QUESTION NO: 404 Role based access control is attracting increasing attention particularly for what applications? A. Scientific B. Commercial C. Security D. Technical

Answer 170

Answer: B Explanation: Role based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of security administration in large networked applications.

Question 171

QUESTION NO: 405 What is one advantage of deploying Role based access control in large networked applications? A. Higher security B. Higher bandwidth C. User friendliness D. Lower cost

Answer 171

Answer: D Explanation: Role based access control (RBAC) is an alternative to traditional discretionary (DAC) and mandatory access control (MAC) policies. The principle motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization’s structure. Traditionally, managing security has required mapping an organization’s security policy to a relatively low-level set of controls, typically access control lists.

Question 172

QUESTION NO: 406 DAC and MAC policies can be effectively replaced by: A. Rule based access control. B. Role based access control. C. Server based access control. D. Token based access control

Answer 172

Answer: B Explanation: Role based access control (RBAC) is an alternative to traditional discretionary (DAC) and mandatory access control (MAC) policies. The principle motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization’s structure. Traditionally, managing security has required mapping an organization’s security policy to a relatively low-level set of controls, typically access control lists.

Question 173

QUESTION NO: 407 Which of the following correctly describe Role based access control? A. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your user profile groups. B. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your organizations structure. C. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your ticketing system. D. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your ACL.

Answer 173

Answer: B Explanation: Role based access control (RBAC) is an alternative to traditional discretionary (DAC) and mandatory access control (MAC) policies. The principle motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization’s structure. Traditionally, managing security has required mapping an organization’s security policy to a relatively low-level set of controls, typically access control lists.

Question 174

QUESTION NO: 408 Which of the following RFC talks about Rule Based Security Policy? A. 1316 B. 1989 C. 2717 D. 2828

Answer 174

Answer: D Explanation: The RFC 2828 - Internet Security Glossary talks about Rule Based Security Policy: A security policy based on global rules imposed for all users. These rules usually rely on comparison of the sensitivity of the resource being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.

Question 175

QUESTION NO: 409 With Rule Based Security Policy, a security policy is based on: A. Global rules imposed for all users. B. Local rules imposed for some users. C. Global rules imposed for no body. D. Global rules imposed for only the local users.

Answer 175

Answer: A Explanation: The RFC 2828 - Internet Security Glossary talks about Rule Based Security Policy: A security policy based on global rules imposed for all users. These rules usually rely on comparison of the sensitivity of the resource being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.

Question 176

QUESTION NO: 410 With Rule Based Security Policy, global rules usually rely on comparison of the _______ of the resource being accessed. A. A group of users. B. Users C. Sensitivity D. Entities

Answer 176

Answer: C Explanation: The RFC 2828 - Internet Security Glossary talks about Rule Based Security Policy: A security policy based on global rules imposed for all users. These rules usually rely on comparison of the sensitivity of the resource being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.