Domain 1: Access Control Flashcards

0
Q
Access aggregation security considerations are:
1.
2. 
3.
4.
A
  1. Need for controlled inheritance of all access privileges
  2. Support for separation of duties
  3. Need to maintain the principle of least privilege, and monitoring to make sure authorization creep does not occur as job roles change
  4. Need to maintain security of access permissions so that unauthorized individuals cannot gain access to multiple network resources through a single login
1
Q

Access Aggregation

A

Combining permissions from a single computer or various networked resources so that multiple logins are not required.

2
Q

What is Single Sign-On?

A

SSO. Requires the user to complete the authentication process only once to access multiple applications.

3
Q

Advantages of SSO:

A
  1. Logon process is efficient
  2. Eliminates the need for writing down multiple passwords on paper; users can use strong PWs
  3. System admins can streamline user account management and use centralized control mechanisms
  4. User authentication time is reduced
4
Q

Disadvantages of SSO:

A

1 - A user granted initial access to a network can access all organizational resources
2 - If an attacker gains access, they can get all resources
3 - Difficult to implement because of diverse apps, OSs, and networks

5
Q

Weaknesses of passwords

A

Easily guessed (e.g., name, DOB)
Broken by programs like Crack; SmartPass can decrypt Unix and other PWs
Forgotten when long/complex, so users write them down

6
Q

PWs should avoid using:

A
  • common names, DOB, spouse's name
  • words found easily in a dictionary
  • system defaults (hackers know them)
  • the word "password"
7
Q

Strong PW characteristics

A

8-10 characters
Alphanumeric and special characters
Lower and upper case letters
Difficult to crack but easy for the user to remember.

8
Q

System admin controls that can be added to fortify PW security

A
Set expiry dates for PWs
Accept only PWs that combine alphanumeric and special characters
Set a minimum length
Prevent reuse of old PWs
Track unsuccessful login attempts
Identify weak PWs through auditing and replace them.
9
Q

For access control to be effective, an org must have a dedicated _____ who ______.

A

Designated owner who determines the appropriate classification and access controls for the data.

10
Q

Roles and Responsibilities of the Data Owner

A
  1. Classify data, review classification categories, and accommodate changing business needs
  2. Ensure security controls for the classified data
  3. Review and ensure the owner's access rights match the information assets the owner holds
  4. Determine security and backup requirements and access criteria
  5. Perform or delegate approval authority for access requests from other orgs
  6. Delegate backup and recovery duties
  7. Approve information disclosure
  8. Act on security violation notifications
11
Q

Who is responsible for performing backups to ensure they meet the backup requirements to restore lost data in case of system failure? They also ensure availability of information and ensure record retention.

A

Data custodian

12
Q

What are the steps to define an effective data management system?

A
  1. Define data as the organization's assets
  2. Delegate local business managers as data owners
  3. Delegate information systems personnel as data custodians
  4. Define roles and responsibilities
  5. Determine data classification criteria
  6. Determine controls for each classification
13
Q

Different types of attacks used against passwords and password files (5)

A
Brute force
Dictionary
Denial of service
Sniffing
Spoofing
14
Q

What type of attack is also known as an exhaustive attack?

A

Brute force

15
Q

What are brute force attacks?

A

PW attacks that involve trying different combinations of input until the correct PW is found.

16
Q

How do you reduce brute force attacks?

A
  • ensure PWs are of sufficient length
  • specify a time limit for logging into a particular account
  • lock an account after a specified number of unsuccessful attempts
17
Q

L0phtCrack, Brutus, and webCracker are common examples of what kind of attack?

A

Brute force PW attacks

18
Q

What are dictionary attacks?

A

Trying a list of possible passwords, which are located in a dictionary file or a word list, in an attempt to find a valid password.

These frequently succeed because users often use words that are in the dictionary.

19
Q

How do you prevent dictionary attacks?

A

Ensure the use of strong passwords.

Use passphrases instead of words.

20
Q

Crack, John the Ripper, UnSecure, and Brutus are attack programs for what type of attack?

A

Dictionary attack

21
Q

What is an example of a DoS attack against a password system?

A

Attack on the Remote Authentication Dial-In User Service (RADIUS) running on Windows NT, Linux, or UNIX.

The attacker appends spaces after a username so that the RADIUS system crashes and valid users can't log on.

22
Q

How do you mitigate DoS PW attacks?

A

Input checking in the login system.

23
Q

What is a sniffing attack?

A

A program or device monitors data as it travels over a network and captures sensitive information like passwords.

24
Q

How do you mitigate sniffing PW attacks?

A

Using a switched infrastructure
OTPs
Enabling encryption

25
Q

What is a spoofing attack?

A

A fake user logon screen is presented to a user, who is tricked into providing a username and password, which then become known to the attacker. The program exits and the OS prompts the user for a username and password. The user assumes the initial credentials were rejected due to an input error.

26
Q

How do you mitigate spoofing attacks?

A
  1. Configure the OS to display the number of failed login attempts
  2. Configure the operating system to recognize a guaranteed trusted path between the user and the kernel

Kernel = the part of the OS that handles resource management and memory allocation

27
Q

Strategies for protecting passwords

A
  1. Encrypting passwords before they're transmitted across a network
  2. Using OTP tokens
  3. Strong PWs
  4. IDS to detect suspicious behavior
  5. Dictionary cracking tools to find weak passwords
  6. Protecting password files
28
Q

Access control refers to

A

The process of granting or denying user requests for access to specific resources.

29
Q

Access control process makes it possible for the management of an organization to

A

Specify which objects particular users can access and what those users are permitted to do.

30
Q

Access control model provides

A

The technological framework for implementing access control.

31
Q

What are the two types of access control models?

A

DAC: Discretionary Access Control

MAC: Mandatory Access Control

32
Q

How does the DAC model work?

A

Restricts access to objects based on the identity of the subjects and the groups (like sales and purchasing) to which those subjects belong.

The data or resource owner has the discretion either to allow or deny users access to the owned resources, like files and printers.

33
Q

DAC model features.

A

Access to resources is based on user identity and the authorization granted to the user.

  • unauthorized users have no access to file characteristics like file name, size, and directory path
  • prime users are separated and protected from unauthorized data
  • used by Linux, Unix, Mac
34
Q

Implement DAC using ______. They contain ______.

A

Access control lists.

They contain the identities of the system users who have access to specific resources. ACLs can be applied to folders and to the files they contain.