Access Control Flashcards Preview

Flashcards in Access Control Deck (77)
1
Q

A preliminary step in managing resources is
A. Conducting a risk analysis
B. Defining who can access a given system or information
C. Performing a business impact analysis
D. Obtaining top management support

A

B. Defining who can access a given system or information

2
Q

Which best describes access controls?
A. Access controls are a collection of technical controls that permit access to authorized users, systems, and applications.
B. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved.
C. Access control is the employment of encryption solutions to protect authentication information during logon.
D. Access controls help protect against vulnerabilities by controlling unauthorized access to systems and information by employees, partners, and customers.

A

B. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved.

3
Q
_______ requires that a user or process be granted access to only those resources necessary to perform assigned functions
A. Discretionary access control
B. Separation of duties
C. Least privilege
D. Rotation of duties

A

C. Least privilege

4
Q

What are the seven main categories of access control?
A. Detective, corrective, monitoring, logging, recovery, classification, and directive
B. Directive, deterrent, preventative, detective, corrective, compensating, recovery
C. authorization, identification, factor, corrective, privilege, detective, directive
D. identification, authentication, authorization, detective, corrective, recovery, directive

A

B. Directive, deterrent, preventative, detective, corrective, compensating, recovery

5
Q

What are the 3 types of access control?
A. administrative, physical, technical
B. identification, authentication, authorization
C. mandatory, discretionary, least privilege
D. access, management, monitoring

A

A. administrative, physical, technical

6
Q
Which approach revolutionized the cracking of passwords?
A. brute force
B. rainbow table
C. memory tabling
D. one-time hashing

A

B. rainbow table

7
Q
What best describes 2-factor authentication?
A. hard token and smart card
B. username and pin
C. password and pin
D. pin and hard token
A

D. pin and hard token

8
Q

A potential vulnerability of the Kerberos authentication server is
A. single point of failure
B. asymmetric key compromise
C. use of dynamic passwords
D. limited lifetimes for authentication credentials.

A

A. single point of failure

9
Q
In mandatory access control the system controls access and the owner determines
A. validation
B. need to know
C. consensus
D. verification
A

B. need to know

10
Q
Which is the least significant issue when considering biometrics?
A. resistance to counterfeiting
B. technology type
C. user acceptance
D. reliability and accuracy
A

B. technology type

11
Q
Which is a fundamental disadvantage of biometrics?
A. revoking credentials
B. encryption
C. communications
D. Placement
A

A. revoking credentials

12
Q
Role-based access control
A. is unique to mandatory access control
B. is independent of owner input
C. is based on job functions
D. can be compromised by inheritance
A

C. is based on job functions

13
Q

Identity management is
A. another name for access controls
B. technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment
C. Technologies and processes focused on the provisioning and decommissioning of user credentials.
D. Technologies and processes used to establish trust relationships with disparate systems.

A

B. technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment

14
Q

A disadvantage of single sign on is
A. consistent time-out enforcement across platforms
B. A compromised password exposes all authorized resources
C. Use of multiple passwords to remember
D. password change control

A

B. technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment

15
Q

Which of the following is incorrect when considering privilege management?
A. privileges associated with each system, service, or application, and the defined roles within the organization to which they are needed should be identified and clearly documented.
B. Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group, or role.
C. An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated.
D. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.

A

D. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.

16
Q

Threat modeling is the process of
A. determining which threats to neutralize first.
B. developing access controls which will compensate for vulnerabilities.
C. a risk assessment approach in which decisions are based on risk and value.
D. scenario analysis targeted towards determining the best approach for threat elimination.

A

C. a risk assessment approach in which decisions are based on risk and value.

17
Q

When reviewing user entitlement the security professional must be most aware of
A. identity management and disaster recovery capability.
B. business or organization processes and access aggregation
C. The organizational tenure of the user requesting entitlement
D. Automated processes which grant user access to resources.

A

B. business or organization processes and access aggregation

18
Q
Which formula represents ALE or annual loss exposure?
A. ALE = SLE x ARO
B. SLE = ARO x ALE
C. SLE = ARO x EF
D. ALE = EF x SLE
A

A. ALE = SLE x ARO

19
Q

In constructing a continuous monitoring system, numerous feeds from several systems must be correlated and analyzed. Which of the following best provides this capability?
A. IPS
B. Identity management and access control system
C. IDS
D. Security information and event management (SIEM)

A

D. Security information and event management (SIEM)

20
Q
A guard dog patrolling the perimeter of a data center is what type of control?
A. recovery
B. administrative
C. logical
D. physical
A

D. physical

21
Q

Define access controls

A

The collection of mechanisms and processes that work together to protect the assets of an organization.

22
Q

3 core security principles

A

confidentiality
integrity
availability

23
Q

define defense in depth

A

practice of applying multiple layers of security protection

24
Q

7 categories of access control

A

directive
deterrent
preventative
compensating
detective
corrective
recovery

25
Q

define directive control

A

designed to specify acceptable rules of behavior within an organization

26
Q

define deterrent control

A

designed to discourage people from violating security directives

27
Q

define preventative control

A

implemented to prevent a security incident

28
Q

define compensating control

A

implemented to substitute for the loss of primary control

29
Q

define detective control

A

designed to signal a warning when a security control has been breached

30
Q

define corrective control

A

implemented to remedy circumstances and mitigate damage

31
Q

define recovery control

A

implemented to restore conditions to normal

32
Q

3 access control types

A

administrative
logical/technical
physical

33
Q

2 access control techniques

A

discretionary

mandatory

34
Q

define discretionary access control

A

control placed on data by the owner of the data.

35
Q

define mandatory access control

A

controls determined by the system and based on organizational policy.

36
Q

3 factors in authentication

A

something you know
something you have
something you are

37
Q

Does Kerberos use symmetric or asymmetric encryption?

A

symmetric

38
Q

What is SESAME?

Secure European System for Applications in a Multi-vendor Environment

A

Extension to Kerberos to overcome limitations

39
Q

What encryption types are used by SESAME?

A

symmetric, asymmetric

40
Q

Which of the following does not correctly describe a directory service?
A. It manages objects within a directory by using namespaces.
B. It enforces security policy by carrying out access control and identity management functions.
C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP.
D. It allows an administrator to configure and manage how identification takes place within the network.

A

C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP.

41
Q

Hannah has been assigned the task of installing web access management (WAM) software. What is the best description for what WAM is commonly used for?
A. Control external entities requesting access through X.500 databases.
B. Control external entities requesting access to internal objects.
C. Control internal entities requesting access through X.500 databases.
D. Control internal entities requesting access to external objects.

A

B. Control external entities requesting access to internal objects.

42
Q
There are several types of password management approaches used by identity management systems. Which of the following reduces help desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised?
A. Management password reset
B. self service password reset
C. Password synchronization
D. Assisted password reset
A

C. Password synchronization

43
Q
A number of attacks can be performed against smart cards. Side channel is a class of attacks that doesn't try to compromise a flaw or weakness. Which of the following is not a side-channel attack?
A. Differential power analysis
B. Microprobing analysis
C. Timing analysis
D. Electromagnetic analysis
A

B. Microprobing analysis

44
Q

Which of the following does not describe privacy aware role based access control?
A. It is an example of a discretionary access control model
B. Detailed access controls indicate the type of data that users can access based on the data’s level of privacy sensitivity.
C. It is an extension of role-based access control
D. It should be used to integrate privacy policies and access control policies.

A

A. It is an example of a discretionary access control model

45
Q
What was the direct predecessor to Standard Generalized Markup Language?
A. HTML
B. XML
C. LaTeX
D. GML
A

D. GML

46
Q

Brian has been asked to work on the virtual directory of his company’s new identity management system. Which of the following best describes a virtual directory?
A. Meta-directory
B. User attribute information stored in an HR database
C. Virtual container for data from multiple sources
D. A service that allows an administrator to configure and manage how identification takes place.

A

C. Virtual container for data from multiple sources

47
Q
Emily is listening to network traffic and capturing passwords as they are sent to the authentication server. She plans to use the passwords as part of a future attack. What type of attack is this?
A. Brute-force
B. Dictionary
C. Social engineering
D. Replay
A

D. Replay

48
Q

Which of the following correctly describes a federated identity and its role within identity management processes?
A. A non-portable identity that can be used across business boundaries
B. A portable identity that can be used across business boundaries
C. An identity that can be used within intranet virtual directories and identity stores.
D. An identity specified by domain names that can be used across business boundaries.

A

B. A portable identity that can be used across business boundaries

49
Q

Phishing and pharming are similar. Which of the following correctly describes the difference?
A. Personal information is collected from victims through legitimate looking web sites in phishing attacks, while personal information is collected from victims via email in pharming attacks.
B. Phishing attacks point email recipients to a form where victims input personal information, while pharming attacks use pop-up forms at legitimate web sites to collect personal information from victims.
C. Victims are pointed to a fake web site with a domain name that looks similar to a legitimate site’s in a phishing attack, while victims are directed to a fake web site as a result of a legitimate domain name being incorrectly translated by the DNS server in a pharming attack.
D. Phishing is a technical attack, while pharming is a type of social engineering.

A

C. Victims are pointed to a fake web site with a domain name that looks similar to a legitimate site’s in a phishing attack, while victims are directed to a fake web site as a result of a legitimate domain name being incorrectly translated by the DNS server in a pharming attack.

50
Q

Security countermeasures should be transparent to users and attackers. Which of the following does not describe transparency?
A. User activities are monitored and tracked without negatively affecting system performance.
B. User activities are monitored and tracked without the user knowing about the mechanism that is carrying this out.
C. Users are allowed access in a manner that does not negatively affect business processes.
D. Unauthorized access attempts are denied and logged without the intruder knowing about the mechanism that is carrying this out.

A

A. User activities are monitored and tracked without negatively affecting system performance.

51
Q
What markup language allows for the sharing of application security policies to ensure that all applications are following the same security rules?
A. XML
B. SPML
C. XACML
D. GML
A

C. XACML

52
Q

The importance of protecting audit logs generated by computers and network devices is highlighted by the fact that it is required by many of today’s regulations. Which of the following does not explain why audit logs should be protected?
A. If not properly protected, these logs may not be admissible during a prosecution.
B. Audit logs contain sensitive data and should only be accessible to a certain subset of people.
C. Intruders may attempt to scrub the logs to hide their activities.
D. The format of the logs should be unknown and unavailable to the intruder.

A

D. The format of the logs should be unknown and unavailable to the intruder.

53
Q

Harrison is evaluating access control products for his company. Which of the following is not a factor he needs to consider when choosing products?
A. Classification level of data
B. Level of training that employees have received
C. Logical access controls provided by products
D. Legal and regulation issues

A

B. Level of training that employees have received

54
Q
There are several types of intrusion detection systems. What type of IDS builds a profile of an environment's normal activities and assigns an anomaly score to packets based on the profile?
A. state based
B. statistical anomaly based
C. misuse detection
D. protocol signature
A

B. statistical anomaly based

55
Q

A rule-based IDS takes a different approach than signature-based or anomaly-based systems. Which of the following is characteristic of a rule-based IDS?
A. Uses if/then programming within expert systems
B. Identifies protocols used outside of their common bounds
C. Compares patterns to several activities at once.
D. Can detect new attacks

A

A. Uses if/then programming within expert systems

56
Q
Sam plans to establish mobile phone service using the information he has stolen from his former boss. What type of identity theft is this?
A. Phishing
B. True name
C. Pharming
D. Account takeover
A

B. True name

57
Q
Of the following, what is the primary item that a capability list is based on?
A. A subject
B. An object
C. A product
D. An application
A

A. A subject

58
Q

Alex works for a chemical distributor that assigns employees tasks that separate their duties and routinely rotates job assignments. Which of the following best describes the differences between these countermeasures?
A. They are the same thing with different titles
B. They are administrative controls that enforce access control and protect the company’s resources
C. Separation of duties ensures that one person can’t perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position.
D. Job rotation ensures that one person can’t perform a high risk task alone, and separation of duties can uncover fraud because more than one person knows the tasks of a position.

A

C. Separation of duties ensures that one person can’t perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position.

59
Q
What type of markup language allows company interfaces to pass service requests and lets the receiving company provision access to these services?
A. XML
B. SPML
C. SGML
D. HTML
A

B. SPML (Service Provision Markup Language)

60
Q
Sally is carrying out a software analysis on her company's proprietary application. She has found out that it is possible for an attacker to force an authorization step to take place before the authentication step is completed successfully. What type of issue would allow for this type of compromise to take place?
A. Backdoor
B. Maintenance hook
C. Race condition
D. Data validation error
A

C. Race condition

61
Q

Which of the following best describes how SAML, SOAP, and HTTP commonly work together in an environment that provides web services?
A. Security attributes are put into SAML format. Web service request and authentication data are encrypted in a SOAP message. Message is transmitted in a HTTP connection.
B. Security attributes are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in a HTTP connection over TLS.
C. Authentication data are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in a HTTP connection.
D. Authentication data are put into SAML format. HTTP request and authentication data are encapsulated in a SOAP message. Message is transmitted in a HTTP connection.

A

C. Authentication data are put into SAML format. Web service request and authentication data are encapsulated in a SOAP message. Message is transmitted in a HTTP connection.

62
Q

Tom has found out that malicious customers have carried out attacks on the RFID technology to reduce the amount they pay on store items. Which of the following is the most likely reason for the existence of this type of vulnerability?
A. The company’s security team does not understand how to secure this type of technology
B. The cost of integrating security within RFID is cost prohibitive
C. The technology has low processing capabilities, and encryption is very processor intensive
D. RFID is a new and emerging technology, and the industry does not currently have ways to secure it.

A

C. The technology has low processing capabilities, and encryption is very processor intensive

63
Q

The security staff have become overwhelmed with trying to review all of the log files when attempting to identify if anything suspicious is taking place within the network. What is the best solution for this company to implement?
A. Security information and event management
B. Event correlation tools
C. Intrusion detection systems
D. Security event correlation management tools

A

A. Security information and event management

64
Q

The CISO has asked that a threat model be developed for the network. Which of the following best describes what this model is and what it would be used for?
A. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats.
B. A threat model combines the output of the various vulnerability tests and the penetration tests carried out to understand the security posture of the network as a whole.
C. A threat model is a risk based model that is used to calculate the probabilities of the various risks identified during the vulnerability tests.
D. A threat model is used in software development practices to uncover programming errors.

A

A. A threat model can help to assess the probability, the potential harm, and the priority of attacks, and thus help to minimize or eradicate the threats.

65
Q

5 types of side-channel attacks

A

fault generation
differential power analysis
electromagnetic analysis
timing
software

66
Q

What is a side-channel attack?

A

A class of attack that doesn’t try to compromise a flaw or weakness.

67
Q

What is involved in a differential power analysis?

A

Examine power emissions released during processing. By statistically analyzing data from multiple cryptographic operations, for example, an attacker can determine the intermediate values within cryptographic computations.

68
Q

What is involved in a timing attack?

A

Calculating the time a specific function takes to complete a task.

69
Q

What is involved in an electromagnetic analysis?

A

Examine frequencies emitted to make correlations between the data and the EM emanations in an effort to uncover cryptographic keys or other sensitive info.

70
Q

What are the predecessors to HTML?

A

SGML and GML

71
Q

What was the purpose of the XML standard?

A

Developed as a specification to create various markup languages.

72
Q

What is XACML - eXtensible Access Control Markup Language?

A

A markup language and processing model that is implemented in XML. It declares access control policies and how to interpret them.

73
Q

Is security information shared through XML?

A

no

74
Q

What is SPML - Service Provisioning Markup Language used for?

A

Used to exchange user, resource, and service provisioning information.

75
Q

What was GML - Generalized Markup Language used for?

A

Formatting documents

76
Q

What is the Diameter protocol used for?

A

authentication, authorization, and auditing

77
Q

What is a watchdog timer used for?

A

detect software faults