Ch 14 Flashcards Preview

SP7 - R/Q > Ch 14 > Flashcards

Flashcards in Ch 14 Deck (20)
Loading flashcards...
1

1. Which of the following best describes an explicit deny principle?

A. All actions that are not expressly denied are allowed.
B. All actions that are not expressly allowed are denied.
C. All actions must be expressly denied.
D. None of the above

Answer: B

The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn't require all actions to be denied.

2

2. What is the intent of least privilege?

A. Enforce the most restrictive rights required by users to run system processes.
B. Enforce the least restrictive rights required by users to run system processes.
C. Enforce the most restrictive rights required by users to complete assigned tasks.
D. Enforce the least restrictive rights required by users to complete assigned tasks.

Answer: C

The principle of least privilege ensures that users (subjects) are granted only the most restrictive rights they need to perform their work tasks and job functions. Users don't execute system processes. The least privilege principle does not enforce the least restrictive rights but rather the most restrictive rights.

3

3. A table includes multiple objects and subjects and it identifies the specific access each subject has to different objects. What is this table?

A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege

Answer: B

An access control matrix includes multiple objects, and it lists subjects' access to each of the objects. A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management system for single sign-on. Creeping privileges refers to the excessive privileges a subject gathers over time.

4

4. Who, or what, grants permissions to users in a discretionary access control model?

A. Administrators
B. Access control list
C. Assigned labels
D. The data custodian

Answer: D

The data custodian (or owner) grants permissions to users in a discretionary access control (DAC) model. Administrators grant permissions for resources they own, but not for all resources in a DAC model. A rule-based access control model uses an access control list. The mandatory access control model uses labels. Administrators

5

5. Which of the following models is also known as an identity-based access control model?

A. Discretionary access control
B. Role-based access control
C. Rule-based access control
D. Mandatory access control

Answer: A

A discretionary access control model is an identity-based access control model. It allows the owner (or data custodian) of a resource to grant permissions at the discretion of the owner. The role-based access control model is based on role or group membership. The rule-based access control model is based on rules within an ACL. The mandatory access control model uses assigned labels to identify access.

6

6. A central authority determines which files a user can access. Which of the following best describes this?

A. An access control list (ACL)
B. An access control matrix
C. Discretionary access control model
D. Nondiscretionary access control model

Answer: D

A nondiscretionary access control model uses a central authority to determine which objects (such as files) that users (and other subjects) can access. In contrast, a discretionary access control model allows users to grant or reject access to any objects they own. An ACL is an example or rule-based access control model. An access control matrix includes multiple objects, and it lists the subject's access to each of the objects.

7

7. A central authority determines which files a user can access based on the organization's hierarchy. Which of the following best describes this?

A. Discretionary access control model
B. An access control list (ACL)
C. Rule-based access control model
D. Role-based access control model

Answer: D

A role-based access control model can group users into roles based on the organization's hierarchy and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects that subjects can access. In contrast, a discretionary access control model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.

8

8. Which of the following statements is true related to the role-based access control (role-BAC) model?

A. A role-BAC model allows users membership in multiple groups.
B. A role-BAC model allows users membership in a single group.
C. A role-BAC model is non-hierarchical.
D. A role-BAC model uses labels.

Answer: A

The role-BAC model is based on role or group membership and users can be members of multiple groups. Users are not limited to only a single role. Role-BAC models are based on the hierarchy of an organization, so they are hierarchy based. The mandatory access control model uses assigned labels to identify access.

9

9. Which of the following is the best choice for a role within an organization using a role-based access control model?

A. Web server
B. Application
C. Database
D. Programmer

Answer: D

A programmer is a valid role in a role-based access control model. Administrators would place programmers' user accounts into the Programmer role and assign privileges to this role. Roles are typically used to organize users, and the other answers are not users.

10

10. Which of the following best describes a rule-based access control model?

A. It uses local rules applied to users individually.
B. It uses global rules applied to users individually.
C. It uses local rules applied to all users equally.
D. It uses global rules applied to all users equally.

Answer: D

A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally, or to individual users.

11

11. What type of access control model is used on a firewall?

A. Mandatory access control model
B. Discretionary access control model
C. Rule-based access control model
D. Role-based access control model

Answer: C

Firewalls use a rule-based access control model with rules expressed in an access control list. A mandatory access control model uses labels. A discretionary access control model allows users to assign permissions. A role-based access control model organizes users in groups.

12

12. What type of access controls rely on the use of labels?

A. Discretionary
B. Nondiscretionary
C. Mandatory
D. Role based

Answer: C

Mandatory access controls rely on the use of labels for subjects and objects. Discretionary access control systems allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management such as a rule-based access control deployed on a firewall. Role-based access controls define a subject's access based on job-related roles.

13

13. Which of the following best describes a characteristic of the mandatory access control model?

A. Employs explicit-deny philosophy
B. Permissive
C. Rule-based
D. Prohibitive

Answer: D

The mandatory access control model is prohibitive and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive and it uses labels rather than rules.

14

14. Which of the following is not a valid access control model?

A. Discretionary access control model
B. Nondiscretionary access control model
C. Mandatory access control model
D. Lettuce-based access control model

Answer: D

Lettuce-based access control model is not a valid type of access control model. The other answers list valid access control models. A lattice-based (not lettuce-based) access control model is a type of mandatory access control model.

15

15. What would an organization do to identify weaknesses?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Access review

Answer: C

A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, but threat modeling doesn't identify weaknesses. An access review audits account management and object access practices.

16

16. Which of the following can help mitigate the success of an online brute-force attack?

A. Rainbow table
B. Account lockout
C. Salting passwords
D. Encryption of password

Answer: B

An account lockout policy will lock an account after a user has entered an incorrect password too many times, and this blocks an online brute-force attack. Attackers use rainbow tables in offline password attacks. Password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the password, but not against a brute-force attack.

17

17. What is an attack that attempts to detect flaws in smartcards?

A. Whaling
B. Side-channel attack
C. Brute-force
D. Rainbow table attack

Answer: B

A side-channel attack is a passive, noninvasive attack to observe the operation of a device, and can be used against some smartcards. Methods include power monitoring, timing, and fault analysis attacks. Whaling is a type of phishing attack that targets high-level executives. A brute-force attack attempts to discover passwords by using all possible character combinations. A rainbow table attack is used to crack passwords.

18

18. What type of attack uses email and attempts to trick high-level executives?

A. Phishing
B. Spear phishing
C. Whaling
D. Vishing

Answer: C

Whaling is a form of phishing that targets high-level executives. Spear phishing targets a specific group of people but not necessarily high-level executives. Vishing is a form of phishing that commonly uses Voice over IP (VoIP).

19

19. Scenario: An organization has recently suffered a series of security breaches that have significantly damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company's web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks.

What would the consultant use to identify potential attackers?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Access review and audit

Answer: B

Threat modeling helps identify, understand, and categorize potential threats. Asset valuation identifies the value of assets, and vulnerability analysis identifies weaknesses that can be exploited by threats. An access review and audit ensures that account management practices support the security policy.

20

20. Scenario: An organization has recently suffered a series of security breaches that have significantly damaged its reputation. Several successful attacks have resulted in compromised customer database files accessible via one of the company's web servers. Additionally, an employee had access to secret data from previous job assignments. This employee made copies of the data and sold it to competitors. The organization has hired a security consultant to help them reduce their risk from future attacks.

What would need to be completed to ensure that the consultant has the correct focus?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Creation of audit trails

Answer: A

Asset valuation identifies the actual value of assets so that they can be prioritized. This will ensure that the consultant focuses on high-value assets. Threat modeling identifies threats, but asset valuation should be done first so that the focus is on threats to high-value assets. Vulnerability analysis identifies weaknesses but should be focused on high-value assets. Audit trails are useful to re-create events leading up to an incident, but if they aren't already created, creating them now won't help unless the organization is attacked again.