CHAPTER 14 Questions Flashcards

1
Q

Which of the following best describes an implicit deny principle?

A. All actions that are not expressly denied are allowed.
B. All actions that are not expressly allowed are denied.
C. All actions must be expressly denied.
D. None of the above.

A

B. All actions that are not expressly allowed are denied.

The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn’t require all actions to be denied.

2
Q

A table includes multiple objects and subjects, and it identifies the specific access each subject has to different objects. What is this table?

A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege

A

B. Access control matrix

An access control matrix includes multiple objects and subjects. It identifies the access granted to subjects (such as users) on objects (such as files). A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management (FIM) system for single sign-on (SSO). Creeping privileges refer to the excessive privileges a subject gathers over time.

3
Q

You are reviewing access control models and want to implement a model that allows the owner of an object to grant privileges to other users. Which of the following meets this requirement?

A. Mandatory Access Control (MAC) model
B. Discretionary Access Control (DAC) model
C. Role-Based Access Control (RBAC) model
D. Rule-based access control model

A

B. Discretionary Access Control (DAC) model

A discretionary access control model allows the owner (or data custodian) of a resource to grant permissions at the owner’s discretion. The other answers (MAC, RBAC, and rule-based access control) are nondiscretionary models.

4
Q

Which of the following access control models allows the owner of data to modify permissions?

A. Discretionary Access Control (DAC)
B. Mandatory Access Control (MAC)
C. Rule-based access control
D. Risk-based access control

A

A. Discretionary Access Control (DAC)

The DAC model allows the owner of data to modify permissions on the data. In the DAC model, objects have owners, and the owners can grant or deny access to objects that they own. The MAC model uses labels to assign access based on a user’s need to know and organization policies. A rule-based access control model uses rules to grant or block access. A risk-based access control model examines the environment, the situation, and policies coded in software to determine access.

5
Q

A central authority determines which files a user can access based on the organization’s hierarchy. Which of the following best describes this?

A. DAC model
B. An access control list (ACL)
C. Rule-based access control model
D. RBAC model

A

D. RBAC model

A role-based access control (RBAC) model can group users into roles based on the organization’s hierarchy, and it is a nondiscretionary access control model. A nondiscretionary access control model uses a central authority to determine which objects subjects can access. In contrast, a Discretionary Access Control (DAC) model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.

6
Q

Which of the following statements is true related to the RBAC model?

A. An RBAC model allows users membership in multiple groups.
B. An RBAC model allows users membership in a single group.
C. An RBAC model is nonhierarchical.
D. An RBAC model uses labels.

A

A. An RBAC model allows users membership in multiple groups.

The role-based access control (RBAC) model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. RBAC models are based on the hierarchy of an organization, so they are hierarchy based. The mandatory access control (MAC) model uses assigned labels to identify access.

7
Q

You are reviewing different access control models. Which of the following best describes a rule-based access control model?

A. It uses local rules applied to users individually.
B. It uses global rules applied to users individually.
C. It uses local rules applied to all users equally.
D. It uses global rules applied to all users equally.

A

D. It uses global rules applied to all users equally.

A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally or to individual users.

8
Q

Your organization is considering deploying a software-defined network (SDN) in the data center. Which of the following access control models is commonly used in an SDN?

A. Mandatory Access Control (MAC) model
B. Attribute-Based Access Control (ABAC) model
C. Role-Based Access Control (RBAC) model
D. Discretionary Access Control (DAC) model

A

B. Attribute-Based Access Control (ABAC) model

The ABAC model is commonly used in SDNs. None of the other answers are normally used in SDNs. The MAC model uses labels to define access, and the RBAC model uses groups. In the DAC model, the owner grants access to others.

9
Q

The MAC model supports different environment types. Which of the following grants users access using predefined labels for specific labels?

A. Compartmentalized environment
B. Hierarchical environment
C. Centralized environment
D. Hybrid environment

A

B. Hierarchical environment

In a hierarchical environment, the various classification labels are assigned in an ordered structure from low security to high security. The mandatory access control (MAC) model supports three environments: hierarchical, compartmentalized, and hybrid. A compartmentalized environment ignores the levels, and instead only allows access for individual compartments on any level. A hybrid environment is a combination of a hierarchical and compartmentalized environment. A MAC model doesn’t use a centralized environment.

10
Q

Which of the following access control models identifies the upper and lower bounds of access for subjects with labels?

A. Nondiscretionary access control
B. Mandatory Access Control (MAC)
C. Discretionary Access Control (DAC)
D. Attribute-Based Access Control (ABAC)

A

B. Mandatory Access Control (MAC)

The MAC model uses labels to identify the upper and lower bounds of classification levels, and these define the level of access for subjects. MAC is a nondiscretionary access control model that uses labels. However, not all nondiscretionary access control models use labels. DAC and ABAC models do not use labels.

11
Q

Which of the following access control models uses labels and is commonly referred to as a lattice-based model?

A. DAC
B. Nondiscretionary
C. MAC
D. RBAC

A

C. MAC

Mandatory access control (MAC) models rely on the use of labels for subjects and objects. They look similar to a lattice when drawn, so the MAC model is often referred to as a lattice-based model. None of the other answers use labels. Discretionary Access Control (DAC) models allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management, such as a rule-based access control model deployed on a firewall. Role-based access control (RBAC) models define a subject’s access based on job-related roles.

12
Q

Management wants users to use multifactor authentication any time they access cloud-based resources. Which of the following access control models can meet this requirement?

A. Risk-based access control
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Discretionary Access Control (DAC)

A

A. Risk-based access control

A risk-based access control model can require users to authenticate with multifactor authentication. None of the other access control models listed can evaluate how a user has logged on. A MAC model uses labels to grant access. An RBAC model grants access based on job roles or groups. In a DAC model, the owner grants access to resources.

13
Q

Which of the following access control models determines access based on the environment and the situation?

A. Risk-based access control
B. Mandatory Access Control (MAC)
C. Role-Based Access Control (RBAC)
D. Attribute-Based Access Control (ABAC)

A

A. Risk-based access control

A risk-based access control model evaluates the environment and the situation and then makes access decisions based on coded policies. A MAC model grants access using labels. An RBAC model uses a well-defined collection of named job roles for access control. Administrators grant each job role with the privileges they need to perform their jobs. An ABAC model uses attributes to grant access and is often used in software-defined networks (SDNs).

14
Q

A cloud-based provider has implemented an SSO technology using JSON Web Tokens. The tokens provide authentication information and include user profiles. Which of the following best identifies this technology?

A. OIDC
B. OAuth
C. SAML
D. OpenID

A

A. OIDC

OpenID Connect (OIDC) uses a JavaScript Object Notation (JSON) Web Token (JWT) that provides both authentication and profile information for internet-based single sign-on (SSO). None of the other answers use tokens. OIDC is built on the OAuth 2.0 framework. OpenID provides authentication but doesn’t include profile information.

15
Q

Some users in your network are having problems authenticating with a Kerberos server. While troubleshooting the problem, you verified you can log on to your regular work computer. However, you are unable to log on to the user’s computer with your credentials. Which of the following is most likely to solve this problem?

A. Advanced Encryption Standard (AES)
B. Network Access Control (NAC)
C. Security Assertion Markup Language (SAML)
D. Network Time Protocol (NTP)

A

D. Network Time Protocol (NTP)

Configuring a central computer to synchronize its time with an external NTP server, and configuring all other systems to synchronize their time with it, will likely solve the problem and is the best choice of the available options. Kerberos requires computer times to be within 5 minutes of each other, and the scenario, along with the available answers, suggests that the user’s computer is not synchronized with the Kerberos server. Kerberos uses AES. However, because a user successfully logs on to one computer, it indicates Kerberos is working and AES is installed. NAC checks a system’s health after the user authenticates; NAC doesn’t prevent a user from logging on. Some federated systems use SAML, but Kerberos doesn’t require SAML.

16
Q

Your organization has a large network supporting thousands of employees, and it utilizes Kerberos. Of the following choices, what is the primary purpose of Kerberos?

A. Confidentiality
B. Integrity
C. Authentication
D. Accountability

A

C. Authentication

The primary purpose of Kerberos is authentication, since it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.

17
Q

What is the function of the network access server within a RADIUS architecture?

A. Authentication server
B. Client
C. AAA server
D. Firewall

A

B. Client

The network access server is the client within a RADIUS architecture. The RADIUS server is the authentication server, and it provides authentication, authorization, and accounting (AAA) services. The network access server might have a host firewall enabled, but that isn’t the primary function.

18
Q

Larry manages a Linux server. Occasionally, he needs to run commands that require root-level privileges. Management wants to ensure that an attacker cannot run these commands if the attacker compromises Larry’s account. Which of the following is the best choice?

A. Grant Larry sudo access.
B. Give Larry the root password.
C. Add Larry’s account to the administrator’s group.
D. Add Larry’s account to the LocalSystem account.

A

B. Give Larry the root password.

The best choice is to give the administrator the root password. The administrator would enter it manually when running commands that need elevated privileges by running the su command. If the user is granted sudo access, it would allow the user to run commands requiring root-level privileges, under the context of the user account. If an attacker compromised the user account, the attacker could run the elevated commands with sudo. Linux systems don’t have an administrator group or a LocalSystem account.

19
Q

An attacker used a tool to exploit a weakness in NTLM. They identified an administrator’s user account. Although the attacker didn’t discover the administrator’s password, they did access remote systems by impersonating the administrator. Which of the following best identifies this attack?

A. Pass the ticket
B. Golden ticket
C. Rainbow table
D. Pass the hash

A

D. Pass the hash

NTLM is known to be susceptible to pass-the-hash attacks, and this scenario describes a pass-the-hash attack. Kerberos attacks attempt to manipulate tickets, such as in pass-the-ticket and golden ticket attacks, but these are not NTLM attacks. A rainbow table attack uses a rainbow table in an offline brute-force attack.

20
Q

Your organization recently suffered a major data breach. After an investigation, security analysts discovered that attackers were using golden tickets to access network resources. Which of the following did the attackers exploit?

A. RADIUS
B. SAML
C. Kerberos
D. OIDC

A

C. Kerberos

Attackers can create golden tickets after successfully exploiting Kerberos and obtaining the Kerberos service account (KRBTGT). Golden tickets are not associated with Remote Authentication Dial-in User Service (RADIUS), Security Assertion Markup Language (SAML), or OpenID Connect (OIDC).