Domain 1 - Access Control

Question 1

Crackers are defined as:

a. Software programs designed to compromise password and other files.
b. People who violate systems for monetary or personal gain.
c. Automated scripts used to perform penetration tests on external environments.
d. Tools used to exploit online sessions by sniffing packets and obtaining unencrypted information.

Answer 1

b. People who violate systems for monetary or personal gain.

Crackers and hackers (though the term is used interchangeably within the industry at times) are people, not software tools. This leaves the other answers incorrect.

Question 2

The Clark-Wilson model relies on four requirements:

a. Integrity; confidentiality; availability; and recoverability.
b. Recoverability; auditability; reproducabilty; and reporting capacity.
c. Integrity; serviceability; auditability; and stability.
d. External consistency; separation of duty; internal consistency; and error recovery.

Answer 2

d. External consistency; separation of duty; internal consistency; and error recovery.

Question 3

The industry best practice for password selection by clients is:

a. 6 characters in length, changed every 60 days, frozen after 5 invalid access attempts.
b. 8 characters in length, changed every 90 days, frozen after 3 invalid access attempts.
c. 6 characters in length, changed every 90 days, frozen after 3 invalid access attempts.
d. 8 characters in length, changed every 60 days, frozen after 5 invalid access attempts.

Answer 3

c. 6 characters in length, changed every 90 days, frozen after 3 invalid access attempts.

The other answers, though perhaps applicable in certain instances, are not considered best practice at this time.

Question 4

Penetration testing stresses a system to identify security flaws in the following manner:

a. Through interviews and access to applications, access risks are identified.
b. Using commercial and public tools, an attack is simulated on a network.
c. Using commercial and public tools, reports are run to determine policy compliance.
d. Using password-cracking tools, an attack is simulated on an application.

Answer 4

b. Using commercial and public tools, an attack is simulated on a network.

A classic “pen test” is dedicated to examining open ports on a network for exploit potential. The other answers are applicable within a full vulnerability assessment, of which a pen test is a component.

Question 5

Accountability is defined as:

a. Meeting schedules and budgets in a fiscally secure manner.
b. Gathering and retaining records pertaining to financial matters.
c. Performing actions within a job role that are governed by security policy.
d. Ensuring that access to information is consistent and correct.

Answer 5

b. Gathering and retaining records pertaining to financial matters.

Accountability is the concept of making employees directly responsible for actions taken during their daily job assignments. Answer a is incorrect because meeting fiscal requirements is within financial policy, not security policy. Answer b is incorrect because record retention is a legal or internal requirement. Answer d is consistent with the concept of availability.

Question 6

The “principle of least privilege” supports which domain implementation method?

a. Providing protected entry points into a network.
b. Providing privilege checking within a system or application access.
c. Providing hardware that allows access to certain functions.
d. Providing many small domains.

Answer 6

d. Providing many small domains.

Explanation: Answer d is correct. Access permissions change within each domain as different information is required. The other answers are related in that they provide support within the domain. The overall question is asking about the principle, not the supporting functions of the principle.

Question 7

Access control supports the principles of:

a. Ownership, need-to-know, and data classification.
b. Authorization, least privilege, and separation of duty.
c. Connectivity, password controls, and session controls.
d. Privacy, monitoring, and compliance.

Answer 7

b. Authorization, least privilege, and separation of duty.
Explanation:

Users of computing resources must be properly authorized, have the minimum access allowed to perform necessary job functions, and be controlled within job function (i.e., not doing accounting payable and receivable functions within the same job role).

Answer a is incorrect because these are attributes of the information being accessed.
Answer c, though important, addresses policy surrounding processes used to control access, not the access control principle.
Answer d is incorrect because the privacy of the user accessing data is not connected to the action of accessing information in an authorized manner.

Question 8

There are generally two types of denial-of-service attacks that are the most prevalent. They are:

a. Planting and Trojan Horses.
b. TCP Hijacking and IP Address Spoofing.
c. TCP SYN Attack and ICMP Ping Flood.
d. Buffer Overflow and Sniffing

Answer 8

c. TCP SYN Attack and ICMP Ping Flood.

Explanation: All the other answers are relevant to types of attacks (the closest being buffer overflow), but not specific to denial-of-service attacks.

Question 9

The best technique to identify and authenticate a person to a system is:

a. Establishing biometric access through a secured server or website.
b. Making sure the person knows something to identify and authenticate him/herself, and has something to do the same.
c. Maintaining correct and accurate ACLs (access control lists) to allow access to applications.
d. Allowing access only through userid and password.

Answer 9

b. Making sure the person knows something to identify and authenticate him/herself, and has something to do the same.

Explanation: Although all are acceptable, answer b is correct.

“Something you know” and “something you have” is a widely accepted best practice for identification and authentication. This could be a combination of a personal PIN and a smart card or other token. The other answers are misleading (answer a indicates biometrics only; answer c assumes that a client has already accessed a host system; and answer d is a weak, yet common security design).

Question 10

Which of the following are generally not characteristic of biometric systems?

a. Accuracy, speed, and throughput rate.
b. Uniqueness of the biometric organ and action.
c. Subject and system contact requirements.
d. Increased overhead of administration and support time.

Answer 10

d. Increased overhead of administration and support time.

Explanation: Answer d is correct. If implemented in a structured design, biometric authentication can be cost-effective because token inventories and token maintenance functions can be decreased. Answers a through c are all characteristics of biometric systems.

Question 11

“Spoofing”, or “masquerading”, is a means of tampering with communications by:

a. Changing data fields in financial transactions.
b. Convincing a user to submit information to an alias system.
c. Pretending to be someone in order to access specific information.
d. Allowing packets to be sent from one host to another trusted host.

Answer 11

c. Pretending to be someone in order to access specific information.

Explanation: Answer c is the closest definition.

Spoofing can be done in a variety of methods. Answer a is true once a person has obtained access to a system through falsifying credentials needed to access that system.
Answer b also is somewhat true, but would happen to a user unbeknownst to that user.
Answer d is truer of an IP spoofing technique, but is not asked specifically in the test question.

Question 12

Discretionary access control (DAC) refers to what common configuration requirement of TCSEC levels C2 through D?

a. Objects in a computer system must meet minimum security requirements.
b. Owners of objects in a computer system can determine the ability of users to access the objects.
c. Object access control lists can be modified depending on the criticality of the object.
d. Objects in a computer system must be secured in the strictest method possible.

Answer 12

c. Object access control lists can be modified depending on the criticality of the object.

Explanation: Answer c is correct. The concept of DAC is that every object has an owner, and that owner alone can determine or modify access to that object.
Answer a is incorrect, as it is too broad a statement for this issue.
Answer b is somewhat correct, but the owner holds final control over object access rights.
Answer d is more attuned to the concept of mandatory access control.

Question 13

The custodian of information has the primary responsibility for:

a. Logically ensuring that information is properly safeguarded from unauthorized access, modification, or disclosure.
b. Implementing safeguards such as ACLs to protect information.
c. Accessing information in a manner controlled by ACL safeguards and supported by policy.
d. Physically ensuring that information is safeguarded and maintained in a secure manner.

Answer 13

b. Implementing safeguards such as ACLs to protect information.

Explanation: Answer b is correct. The custodian is generally an application administrator or system administrator. Answer a is incorrect because it is the best-practice definition of information ownership. Answer c is more typical of a user or client than a custodian. Answer d, though it could be part of a custodial function, refers more to an infrastructure support service, such as a data center operations function.

Question 14

The NSA (National Security Agency) has published the TCSEC, often referred to as the “Orange Book”. What does the acronym TCSEC stand for?

a. Total Computer Security Enhancement Conventions.
b. Trusted Compliant Security Evaluation Classification.
c. Total Confidential System Examination Considerations.
d. Trusted Computer System Evaluation Criteria.

Answer 14

d. Trusted Computer System Evaluation Criteria.

Explanation: The correct answer is d. The TCSEC, as published by the Department of Defense, is commonly accepted as the standard in the US for system certification in a number of classes (A1 through D). The other answers are simply different acronyms.

Question 15

A non-interference access control model is best suited for:

a. Systems that require strict access flow and do not easily accommodate flexibility in information flow.
b. Systems that are standalone and do not communicate with others in a networking capacity.
c. Systems that do not require classification schemes and have all public information.
d. Systems that rely on state machine architectures and capabilities.

Answer 15

a. Systems that require strict access flow and do not easily accommodate flexibility in information flow.

Explanation: The concept of non-interference is that one group of users is non-interfering with another group if the actions of the first group have no effect on what the second group can see. Therefore, answer a is correct. Answer b is incorrect because it illustrates the concept of a decidedly trusted system.
Answer c is incorrect because principals of data classification contribute to access control definition, but are not applicable to this question.
Answer d is incorrect because a state machine model is another form of access control model.

Question 16

The following is a generally accepted implementation of a role-based authentication model?

a. People are assigned access to an application through certain communications paths.
b. People are assigned access to an application by group identifiers, not individual accounts.
c. People are assigned access to an application through groups by job function or location.
d. People are assigned access to an application directly by their own account.

Answer 16

c. People are assigned access to an application through groups by job function or location.

Explanation: Answer c is correct. People are assigned to roles that are assigned to application access rights. This simplifies administration and maintenance when people change job roles.
Answer a is incorrect, because the access is not controlled through a role, though certainly, access control can support a role-based model.
Answers b and d are incorrect, because they infer generic or personal accounts, not assignment by job function.

Question 17

Which of the following should clients consider “best practice” for password selection?

a. Using randomly generated passwords during a login sequence.
b. Not reusing passwords when expiration is indicated.
c. Selecting 6-character passwords with special characters included.
d. Using the same 8-character password on all systems that access is allowed to.

Answer 17

c. Selecting 6-character passwords with special characters included.

Explanation: Answer c is considered the best practice for clients selecting their password (the keyword here being selection).
Answer a is incorrect because randomly generated passwords are not selected by clients, but by software.
Answer b is incorrect because that is a system parameter that is set by an administrator.
Answer d is a more secure implementation of passwords simply because of the length of characters, but should not be used on all systems unless risks on those systems have been clearly identified.

Question 18

What is the proper definition of a lattice-based access control environment?

a. A lattice security structure is mathematically based and represents the meaning of security levels within a flow model.
b. A lattice security structure defines access control lists needed for TCSEC compliance.
c. A lattice security model does not change once requirements have been defined.
d. Lattice models support military definitions of clearance and need-to-know processes.

Answer 18

a. A lattice security structure is mathematically based and represents the meaning of security levels within a flow model.

Explanation: Answer a is correct. The lattice-based access control model was established in 1976 by Dorothy Denning, and refers to business process flow and identification as opposed to specific access controls. Answer b is incorrect because information flow helps build the access control list, and has nothing to do with TCSEC.
Answer c is incorrect because security requirements are continually changing, and all models must take that into account.
Answer d is non-applicable in this instance.

Question 19

A sniffer attack has the following characteristics:

a. It uses hardware called a sniffer to intercept packets being transferred in a telecommunications session.
b. It uses pen test capabilities to access a system and then gather passwords for continued access.
c. It uses a technique called tunneling to get under a certain safeguard within a system.
d. It uses transportation procedures in order to convert information within an application.

Answer 19

b. It uses pen test capabilities to access a system and then gather passwords for continued access.

Explanation: Answer b is correct. Vulnerabilities are exploited from the outside into a network by a sniffer attack.
Answer a is incorrect, even though a sniffer is a commonly used tool for network diagnostics.
Answer c is incorrect, because tunneling is another form of intrusion technique.
Answer d is incorrect because the term “transportation procedures” pertains to a process within a specific integrity model (Clark-Wilson).

Question 20

The closest definition of the principle of least privilege is:

a. People should perform job roles based on clearly-written job descriptions.
b. People should know how to execute all functions in an application or department.
c. People should be authorized only to the resources they need to do their jobs.
d. People performing increasingly more responsible job functions should have increased system access rights.

Answer 20

c. People should be authorized only to the resources they need to do their jobs.

Explanation: Answer c is correct. Keeping access restricted to a minimum results in lesser opportunity for misuse (accidental or intentional), but also assists with access rights administration.
Answer a is incorrect because job roles do not necessarily constitute access rights.
Answer b is incorrect because it refers to non-adherence of the separation of duty principle.
Answer d is incorrect because job or grade advancement does not necessarily mean additional access rights to systems or applications.

Question 21

Authentication protocols can combine certain elements that can be effective against “man-in-the-middle” attacks. What is the definition of such an attack?

a. Active sniffers are used to inspect packets being transmitted from one system to another.
b. Active spoofing is used to masquerade an intruder’s whereabouts on a system.
c. Active session hijacking moves the destination of one session to another location.
d. Active attackers intercede in protocol exchange that modifies data moving in both directions.

Answer 21

d. Active attackers intercede in protocol exchange that modifies data moving in both directions.

Explanation: Answer d is the correct answer. The concept is that there is active modification of data in lateral directions is key here.
Answer a refers to the use of physical devices used to inspect data transfer.
Answer b is relevant to another form of attack method. Answer c is incorrect because the definition is inaccurate and pertains to another form of attack.

Question 22

Behavior that is unexpected is referred to as an anomaly. An example of an anomaly detection system would be:

a. Using statistical profiles to measure behavior.
b. Using misuse signatures to measure activity.
c. Using checksums to measure quantity.
d. Using probes to measure traffic.

Answer 22

a. Using statistical profiles to measure behavior.

Explanation: Answer a is correct. Statistical profiles will determine if clients are accessing resources at the proper time, in the correct Volume, and with predictable frequency.
Answer b is applicable to misuse detection systems, another type of IDS configuration.
Answers c and d are IDS terms interchanged and irrelevant to the question.

Question 23

The information flow model is also known as:

a. The noninterference model.
b. The lattice-based access control model.
c. The risk-acceptance model.
d. The discrete model.

Answer 23

b. The lattice-based access control model.

Explanation: Answer b is correct. The lattice-based access control model was established in 1976 by Dorothy Denning, and refers to business process flow and identification as opposed to specific access controls.
Answer a is incorrect, as it is an alternative model. Answers c and d are intentionally misleading answers and have no relevance.

Question 24

Which of the following are incorrect when access to an application or process is changed?

a. Revocation of rights to an application or process should be automatic when a role changes within an ACL.
b. Revocation of rights to an application or process should be automatic when an employee leaves the company.
c. Revocation of rights to an application or process should be automatic when a security breach has been observed.
d. Revocation of rights to an application or process should be automatic based on job rotation.

Answer 24

c. Revocation of rights to an application or process should be automatic when a security breach has been observed.

Explanation: Answer c is correct. When a security breach is observed, certain controlled processes and investigations are initiated. Revoking access rights is always done in a controlled manner, as reflected in the other answers.

Question 25

Mandatory access control (MAC) techniques are usually used for highly secured, non-commercial computing systems. What are the characteristics of a MAC-compliant system?

a. Internal and external controls (physical and software) must be employed to be certified as a MAC-compliant system
b. MAC-implemented systems enforce policy about which computers connect to one another and what data can pass on a connection.
c. Access control lists (ACLs) and user authentication constitute a MAC environment.
d. Mandatory access is only permitted if allowed by mandatory rules and discretionary rights.

Answer 25

b. MAC-implemented systems enforce policy about which computers connect to one another and what data can pass on a connection.

Explanation: Answer b is correct. Answer a is incorrect, because physical controls are not normally employed in a MAC-designed environment. Answer c is incorrect, because user authentication is not a factor in MAC definition. Answer d is partially correct in this context, but is too detailed for the purposes of the question.