Flashcards in CISSP: Access Control Deck (18)
1. General-purpose control types include all the following except
Control types identified by purpose include preventive, detective, corrective, deterrent, recovery, and compensating controls. Review “Control types.”
2. Violation reports and audit trails are examples of what type of control?
A. Detective technical
B. Preventive technical
C. Detective administrative
D. Preventive administrative
A. Detective technical.
Preventive technical controls include access control mechanisms and protocols. Reviewing audit trails is a detective administrative control, but generating audit trails is a technical function (control). Review “Technical controls.”
3. “A user cannot deny an action” describes the concept of
D. Plausible deniability
Authentication and accountability are related to but aren’t the same as non-repudiation. Plausible deniability is a bogus answer. Review “Accountability.”
4. Authentication can be based on any combination of the following factors except
A. Something you know
B. Something you have
C. Something you need
D. Something you are
C. Something you need.
The three factors of authentication are something you know, something you have, and something you are. Review “System access controls.”
5. Unauthorized users who are incorrectly granted access in biometric systems are described by the
A. False Reject Rate (Type II error)
B. False Accept Rate (Type II error)
C. False Reject Rate (Type I error)
D. False Accept Rate (Type I error)
B. False Accept Rate (Type II error).
You should know the biometric error types by both the name (False Accept Rate) and the classification (Type II). The False Reject Rate is a Type I error and describes the percentage of authorized users that are incorrectly denied access. Review “Biometrics and behavior.”
6. All the following devices and protocols can be used to implement one-time passwords except
Kerberos is a ticket-based authentication protocol. Although the tickets that are generated are unique for every log-on, Kerberos relies on shared secrets that are static. Therefore, Kerberos isn’t considered a one-time password protocol. Review these three sections: “One-time passwords,” “Tokens,” and “Single sign-on (SSO).”
7. Which of the following PPP authentication protocols transmits passwords in clear text?
The Password Authentication Protocol (PAP) transmits passwords in clear text. CHAP and MS-CHAP authenticate by using challenges and responses that are calculated, using a one-way hash function. FTP transmits passwords in clear text but isn’t a PPP authentication protocol. Review “Centralized access controls.”
8. Which of the following is not considered a method of attack against access control systems?
A. Brute force
C. Denial of Service
D. Buffer overflow
C. Denial of Service.
The purpose of an attack against access controls is to gain access to a system. Brute-force and dictionary attacks are both password-cracking methods. Although commonly used in Denial of Service attacks, a buffer overflow attack can exploit vulnerabilities or flaws in certain applications and protocols that will allow unauthorized access. Review “Methods of attack.”
9. Sensitivity labels are a fundamental component in which type of access control systems?
A. Mandatory access control
B. Discretionary access control
C. Access control lists
D. Role-based access control
A. Mandatory access control.
The fundamental components in discretionary access controls are file (and data) ownership and access rights and permissions. Access control lists and role-based access control are types of discretionary access control systems. Review “Access control techniques.”
10. Which of the following access control models addresses availability issues?
A. Bell-La Padula
D. None of the above
D. None of the above.
Bell-La Padula addresses confidentiality issues. Biba and Clark-Wilson address integrity issues. Review “Access control models.”
Which type of control describes the attacker seeing the guard dogs and deciding not to attack?
a. Physical deterrent
b. Subject preventive
c. Technical detective
d. Physical corrective
A. The guard dog is physical, and the attacker's awareness of the dog convincing him not to attack is a deterrent.
Authentication in the AAA services includes which of the following functions?
a. One-time password
c. Integrity verification
d. A transponder
B. The subject first claims an identity, and then the back-end authentication service verifies that claim. Identification is the first stage of authentication.
Which of the following is convincing the authentication service you know the password without revealing the password?
a. A Type I error
c. A privilege attribute certificate (PAC)
d. The zero-knowledge proof
D. The zero-knowledge proof is used to prove to the authentication service that you know the password without ever revealing the password.
A network intrusion prevention system (IPS) sensor must be connected to the segment using which of the following?
b. A hybrid card
c. A supplicant
d. A span port
D. A span port receives all packets that flow through the switch.
Which of the following controls depends on the attacker being unaware of the asset or vulnerability?
b. Subject deterrent
c. Security through obscurity
d. Separation of duties
C. Security through obscurity relies on the attacker being unaware that an asset or vulnerability exists.
If there is a concern that the use of separation of duties is becoming ineffective due to the length of time coworkers have worked together, which of the following should be implemented to help manage fraud?
a. Dual control
b. The principle of least privilege
c. Dynamic separation of duties
d. Job rotation
D. Job rotation cycles a new worker into a process. If workers had entered into collusion to commit fraud, this new worker would likely recognize the anomalies, have no relationship with the other workers (yet), and therefore be likely to report the anomalies.
Which of the following uses only symmetric keys and tickets to perform authentication services?
d. The extensible authentication protocol (EAP)
B. Kerberos is a single sign-on (SSO) authentication scheme used in network operating systems. It uses only symmetric keys and authentication data carried in tickets.