QUESTION DRILL ACCESS CONTROL 020504 - Answers

1. Authorization is often characterized by?
C: Authorization is often characterized by a security label or classification.
2. Which of the following can be used as either an identification or an authentication
factor?
D: A biometric can be used as either an identification or an authentication
factor.
3. A fingerprint is an example of what type of authentication factor?
C: A fingerprint is an example of a Type 3 authentication factor - something
you are.
4. Something you have is what type of authentication factor?
B: Something you have is a Type 2 authentication factor.
5. What are the three fundamental principles of security?
A: The three fundamental principles of security are Confidentiality, Integrity,
and Availability.
6. What is the process of verifying the identity of a subject?
B: The process of identity verification is authentication.
7. The most secure form of password is which of the following?
C: A one-time password is the most secure type of password, since it is used
only once and then becomes invalid. One-time passwords are a form of dynamic
password. However, not all types of dynamic passwords are as secure as a
one-time password.
8. The False Acceptance Rate (Type II) error of a biometric device indicates
what?
D: A False Acceptance Rate (a Type II) error of a biometric device indicates
the rate at which unauthorized users are granted access.
9. A secure access control mechanism will default to?
A: A secure access control mechanism will default to no access.
10. What is the primary disadvantage of single sign on?
B: The primary disadvantage of single sign on is that users can roam the
network without restrictions.
11. A Type 1 authentication factor is also known as?
A: A Type 1 authentication factor is something you know.
12. Auditing is dependent upon all but which of the following?
B: Auditing is not dependent upon accountability. In fact, accountability is
dependent upon auditing. Accountability is the result of the mechanisms of
identification, authentication, authorization, access control, and auditing, which
are used to hold people responsible for their online activities.
13. When two types of authentication are employed to provide improved security,
this is known as?
D: The use of two forms of authentication is known as two-factor
authentication.
14. What type of password offers the best security possible for password-based
authentication?
A: One-time passwords offer the best security for password-based
authentication.
15. Authorization can be illustrated by all but which of the following?
D: A password is an example of an authentication factor, not an authorization
method.
16. Which of the following is not an example of a logical access control?
A: Perimeter padlocked gates are an example of physical access control.
17. Which of the following is not typically considered an identification factor?
B: A password is usually considered an authentication factor.
18. Which of the following is usually not labeled as an entity that serves as either a
subject or an object?
A: Users are usually labeled only as subjects.
19. Which of the following is the act of providing the who of a subject and is the first
step in establishing accountability?
B: Identification establishes the who of a subject and is the first step in
establishing accountability.
20. Which of the following represents the activity of verifying the claimed identity
of a subject?
C: Authentication represents the activity of verifying the claimed identity of a
subject.
21. A password is an example of what type of authentication factor?
A: A password is an example of a Type 1 (something you know) authentication
factor.
22. A Type 3 authentication factor is?
B: A fingerprint is an example of a Type 3 (something you are) authentication
factor.
23. Which form of password may require unique or different interactions or
responses from the subject each time they attempt to logon?
C: A cognitive password is a collection of questions and answers that only the
subject will know. A random selection from the databank of available queries
will be employed at each logon.
24. Which of the following is also a dynamic password?
D: A one-time password is a form of dynamic password.
25. Biometrics can be used directly for all but which of the following purposes?
C: Biometrics cannot be used directly to provide for accountability. Biometrics
are used indirectly for accountability if they are employed as a means of
identification or authentication.
26. When used as an ____________ method, biometrics function as a one-to-one
function.
D: When used as an authentication method, biometrics function as a one-to-one
function.
27. A Type I biometric error indicates what?
A: A False Rejection Rate (Type I) error of a biometric device indicates the
rate at which authorized users are not granted access.
28. The primary use of the crossover error rate is what?
B: The primary use of the crossover error rate is to compare similar biometric
devices.
29. Which of the following provides the greatest level of authentication security?
D: Two factor authentication provides the greatest level of authentication
security.
30. Which of the following is converted to a virtual password before being sent to
the authentication server for processing?
A: A passphrase is converted to a virtual password, usually encrypted, before
being sent to the authentication server for processing.
31. An example of a Type 3 authentication factor is?
C: A fingerprint is an example of a Type 3 (something you are) authentication
factor.
32. What type of authentication token requires the subject to authenticate
themselves to the token, then the token authenticates to the system?
B: A static password token requires the subject to authenticate themselves to
the token, then the token authenticates to the system.
33. What type of access control is based on job description?
B: Role based access controls are based on job descriptions.
34. Which of the following is the odd element in this set of items?
C: Data classification is different from the others. Access under data
classification controls is based on defined strata of confidentiality for both
objects (i.e. assets) and subjects.
35. Which of the following is a disadvantage of single sign on from the perspective
of security?
D: Being able to roam the network without restrictions is a disadvantage of
single sign on.
36. Which of the following is not an example of a single sign on technology?
A: TACACS is an example of a centralized remote access authentication
technology, not single sign on.
37. What is the maximum enrollment time required at which a biometric device is
generally considered unacceptable to most users?
C: A maximum of 2 minutes for enrollment will ensure that the majority of
users will accept the use of biometric devices for use in a secure environment.
38. At what rate of subject processing is a biometric device considered by users to
be unacceptable?
D: Fewer than 10 subjects per minute is generally considered unacceptable
as a rate of throughput processing.
39. ______________ is what allows you to do what you are requesting from the
system based on access criteria.
A: Authorization is what allows you to do what you are requesting from the
system based on access criteria.
40. What form of access control is not centrally managed?
A: Discretionary access control is not centrally managed.
41. The most useful form of access control for environments with a high rate of
personnel turnover is?
B: Role based or nondiscretionary access control is the most useful form of
access control for environments with a high rate of personnel turnover.
42. Which of the following is not considered a technique for controlling access?
A: Encryption is not used as an access control technique; rather, it is used to
prevent disclosure.
43. Role based access control is also known as?
C: Role based access control is also known as nondiscretionary.
44. ACLs are the most common implementation of what form of access control?
D: ACLs are the most common implementation of discretionary access control.
45. What form of single sign on technology employs symmetric key cryptography
and DES encryption to provide end-to-end security?
B: Kerberos employs symmetric key cryptography and DES encryption to
provide end-to-end security.
46. Which form of TACACS (Terminal Access Controller Access Control System)
uses tokens for two factor authentication and supports dynamic password
authentication?
D: TACACS+ (Terminal Access Controller Access Control System Plus) uses
tokens for two factor authentication and supports dynamic password
authentication.
47. Which of the following is not an administrative access control method?
A: Work area separation is a physical access control method.
48. Which of the following is not a form of a centralized access control
mechanism?
C: Security domains are decentralized access control mechanisms. Security
domains are based on a realm of trust rather than a centralized or single trusted
system.
49. Which of the following is not a form of access control administration?
B: Delegation is not a form of access control administration. Delegation is
often used to place responsibility for an activity onto another person.
50. Which of the following is not an element of personnel controls?
C: Stipulating laws and regulations is an element of policies and procedures,
not personnel controls.
51. The primary element in the supervisory structure access control method is?
D: "Every employee has a boss" is the primary element of the supervisory
structure access control method. Every employee has to report to someone who
oversees their activities.
52. Which of the following directly protects against physical computer theft?
A: Computer controls are physical mechanisms to prevent physical computer
theft.
53. Which of the following is a physical access control method?
D: Computer controls are a physical access control method.
54. Which of the following is not a technical/logical access control method?
A: Network segregation is a physical access control method.
55. Which of the following is an administrative access control method?
B: Security awareness training is an administrative access control method.
56. Which of the following is not a physical access control method?
C: Testing is an administrative access control method.
57. Which of the following is a technical/logical access control method?
B: Auditing is a technical/logical access control method.
58. Which of the following is not an example of a preventative access control?
A: Backups are not considered a form of preventative access control. Backups
are a form of recovery access control.
59. Which of the following is not considered a detective security control?
B: Separation of duties is not a detective security control, rather it is a
preventative and deterrent security control.
60. Which of the following is an example of a recovery security control?
C: Anti-virus software is an example of a recovery security control.
61. What access control method is used to ensure confidentiality and integrity?
B: Encryption is used to ensure confidentiality and integrity.
62. What types of access controls serve as a deterrent?
C: Preventative access controls serve as a deterrent.
63. A biometric scanner for facility access is considered all but which of the following
types of access control?
D: A biometric scanner for facility access is not considered a type of recovery
access control.
64. Which of the following is used to ensure that users are held responsible for
their actions?
D: Accountability is used to ensure that users are held responsible for their
actions.
65. Auditing allows for all but which of the following?
A: Auditing is not related to controlling data classifications. Data classification
is assigned by the data owner.
66. What is a clipping level?
B: A clipping level is the baseline of normal activity. Events above the clipping
level are more likely to be abnormal or unauthorized.
67. Which of the following is not an example of a preventative administrative
access control?
D: Alarms are an example of a preventative physical access control.
68. Which of the following is not an example of a preventative physical access
control?
A: Clipping levels are a preventative logical/technical access control; they are the
baseline of normal activity on a system.
69. Which of the following is not an example of a preventative technical/logical
access control?
B: Motion detectors are an example of a preventative physical access control.
70. Which of the following is not a preventative physical access control?
C: Call back systems are preventative technical access controls.
71. The act of a hacker cleaning out all traces of their activities from audit logs is
known as?
C: Scrubbing is the act of cleaning out all traces of activities from audit logs.
72. Which of the following methods is effective in maintaining the integrity of
audit logs?
D: Digital signatures provide a means to maintain the integrity of audit logs.
73. What means can be used to protect the confidentiality of audit logs?
A: Encryption can be used to protect the confidentiality of audit logs.
74. Which of the following is not a repetitive mistake that will exceed clipping
levels?
D: Failing to submit logon credentials to access resources is a failure to
transmit anything. The absence of activity will not exceed the clipping level.
75. Which of the following is not considered an audit analysis tool?
A: A malicious code scanning tool, such as anti-virus or anti-trojan software, is
not a type of audit analysis tool.
76. Which of the following is a method by which accountability can be enforced?
B: Keystroke logging is a method by which accountability can be enforced.
77. At what point are violation records recorded?
C: A violation record is recorded when the clipping level is exceeded.
78. The act of using a bad sector on a hard drive to store data which can be located
and used by an unauthorized recipient is known as?
C: Data hiding is the use of a covert channel, such as a fake bad sector on a
hard drive, to store and transmit data.
79. TEMPEST is what?
D: TEMPEST is the study and control of stray electrical signals.
80. What type of token requires the owner to authenticate to the token itself and
then allows the token to authenticate with the system?
B: A static password token requires the owner to authenticate to the token itself
and then allows the token to authenticate with the system.
81. What token generates unique passwords at fixed time intervals which must be
provided to the authenticating system with the appropriate PIN within a valid
time window?
C: A Synchronous Dynamic Password Token generates unique passwords at
fixed time intervals that must be provided to the authenticating system with the
appropriate PIN within a valid time window.
82. Audit logs can be used for all but which of the following?
B: Audit logs may provide clues, but they cannot accurately predict the source
of the next intrusion attempt.
83. Which of the following is not a means by which data is disclosed
unintentionally?
C: Espionage is the deliberate and intentional act of gathering and disclosing
confidential data.
84. The process of removing data from a media so it can be re-used within the
same security environment is known as?
A: Clearing is the process of removing data from a media so it can be re-used
within the same security environment.
85. Which of the following will never result in data remanence?
B: Cremation of media (i.e. complete destruction) is the only assured means to
prevent remanence.
86. The act of recycling a backup tape for another purpose is known as?
D: The act of recycling a backup tape for another purpose is known as object
reuse.
87. Which of the following does not represent a reason a biometric device would
be rejected by a majority of users?
C: A low enrollment time is typically not a reason to reject a biometric device.
88. What aspect of access control is responsible for verifying that you are allowed
to perform the activities or actions you request on a system?
D: Authorization is the aspect of access control that is responsible for verifying
that you are allowed to perform the activities or actions you request on a
system.
89. Which of the following is not true in regards to roles?
A: This does not describe roles, it describes groups.
90. Access criteria are used to add need-to-know and trust level to the access
control mechanisms. Which of the following is not a form of access criteria?
B: The authentication factor used is not a form of access criteria.
91. When a biometric is used and a valid user is rejected, what type of error has
occurred?
A: A Type 1 error or False Rejection error fails to authenticate a valid user.
92. In regards to a biometric device, what is the crossover error rate (CER) used
for?
B: The crossover error rate is most useful as a comparison point between
similar devices.
93. What authentication technology was developed to address weaknesses in
Kerberos?
C: SESAME was designed to address weaknesses in Kerberos.
94. Role based access control is also known as?
D: Role based access control is also known as nondiscretionary access control.
95. Which of the following is not one of the three mechanisms that must be in
place in order to audit the activity of subjects?
C: Accountability is available only after auditing is established, it is not a
prerequisite for auditing.
96. The security principle or axiom that restricts a person's access to resources or
data even if they have sufficient security clearance is known as?
D: Need to know is the security principle or axiom that restricts a person's
access to resources or data even if they have sufficient security clearance.
97. What is the primary disadvantage of a single sign-on?
A: Users being able to rove the network without re-authenticating is the primary
disadvantage of single sign-on.
98. Which of the following is the golden rule of access control?
C: If access is not explicitly granted, it should be implicitly denied.
99. Which of the following is not an example of a single sign-on technology?
B: TACACS is not a single sign-on technology, it is a centrally managed
remote access authentication service.
100. Which of the following is not a weakness of Kerberos?
C: This is a strength of Kerberos.
101. What type of area on a network is created so that it would attract intruders but
which no valid user would enter?
B: A honey pot is designed to attract intruders, but since it holds no real or
useful data or resources, valid users don't enter it.
102. Audit logs can be used for all but which of the following?
A: Audit logs can be used to create a safeguard against a recorded intrusion,
but playing back an audit trail against another system will not patch it; more
likely it will cause the same security violation.
103. Which of the following is not true regarding clipping levels?
C: This is incorrect. Many abnormal activities, including intrusions, will not
generate sufficient effect to cross a clipping level.
104. What is a capability table?
D: A capability table is a single row of an access control matrix.
105. Which of the following is the action of overwriting media that is intended for
use outside of the protected environment to prevent remanence gathering?
A: Purging is the action of overwriting media that is intended for use outside of
the protected environment to prevent remanence gathering.
106. Which of the following is not a physical access control method?
B: Separation of duties is an example of an administrative, not a physical, access
control method.
107. Which of the following is an example of an administrative access control
method?
A: Policies and procedures are examples of an administrative access control
method.
108. The act of an intruder erasing their tracks by tampering with audit logs is
known as?
D: Modifying audit logs to hide access trails is known as scrubbing.
109. The standard requirement to ensure proper purging of media before re-use
outside of the secured environment is to format or overwrite the media
________ times?
C: The standard is to overwrite media 7 times before re-use.
110. Which of the following is an example of data hiding?
C: This is an example of data hiding since the data is hidden. This is also an
example of a covert channel.
111. The aspect of access control that holds subjects responsible for the activities
they perform within a secured environment is known as?
B: Accountability is the aspect of access control that holds subjects responsible
for the activities they perform within a secured environment.
112. Which of the following is labeled as a technical or logical access control
method that does not prevent attacks but is used to pinpoint weaknesses
in a system?
D: Auditing is labeled as a technical or logical access control method that
does not prevent attacks but is used to pinpoint weaknesses in a system.
113. Discretionary access control is most often implemented using what
mechanism?
A: Discretionary access control is most often implemented using ACLs.
114. Mandatory access control relies on what mechanism?
B: Mandatory access control relies on security labels (i.e. classifications).
115. The greatest security is maintained by organizations that perform which of the
following?
B: The greatest security is maintained if no media is ever re-used and all used
media are destroyed.
116. Which one of the following examples of access control methods is of a
different type than the other three?
C: This is a logical or technical access control method. It differs from the other
three, which are physical access control methods.
117. Which of the following is not a benefit or drawback of network based IDS?
A: Network based IDS is passive.
118. Which of the following is not a type or classification of access control
methods?
A: Authoritative is not a type of access control method.
119. What is TEMPEST?
D: TEMPEST is the study and control of EM signals.
120. What type of IDS has the most number of false detections?
B: Statistical anomaly-based IDS have the most false detections.
121. What access control method is best suited for an organization with a high rate
of personnel turnover and change?
C: Role based access control is best suited for high-turnover organizations.
122. Unauthorized or unintentional disclosure can occur when all but which of the
following take place?
D: Encryption is a security mechanism to protect confidentiality.
123. What authentication mechanism supports two factor authentication for remote
access clients?
A: TACACS+ supports two-factor authentication for remote access clients.
124. The act of providing the opportunity for a person to commit a crime without
coercion is known as?
C: Enticement is the act of providing the opportunity for a person to commit a
crime without coercion.