Chapter 5
Multiple-Choice Questions
Explanation: Logical access controls restrict access to a computer system or network and
a password is the most common example. Physical keys, access cards, and fences are all
examples of physical access controls.
2. During which phase of the access control process does the system answer the
question, "What can the requestor access?"
A. Identification
B. Authentication
C. Authorization
D. Accountability
Explanation: During the authorization phase of access control, the system answers the
questions: "What, exactly, can the requestor access?" and "What can they do?"
3. Ed wants to make sure that his system is designed in a manner that allows tracing
actions to an individual. Which phase of access control is Ed concerned about?
A. Identification
B. Authentication
C. Authorization
D. Accountability
Explanation: The process of associating actions with users for later reporting and
research is known as accountability. It ensures that a person who accesses or makes
changes to data or systems can be identified.
A. security kernel
B. CPU
C. memory
D. co-processor
Explanation: The security kernel provides a central point of access control and
implements the reference monitor concept. It mediates all access requests and permits
access only when the appropriate rules or conditions are met.
A. Knowledge
B. Ownership
C. Location
D. Action
Explanation: Ownership authentication methods fit the criteria of "something you have."
These include smart cards, keys, badges, and tokens.
Type: Multiple Choice Difficulty: Easy Category: Understand
A. Dictionary attack
B. Rainbow table attack
C. Social engineering attack
D. Brute-force attack
Explanation: Brute-force attacks involve trying every possible combination of characters.
They test low-entropy words first, followed by passwords with higher entropy.
8. Which one of the following is NOT a commonly accepted best practice for password
security?
Explanation: Best practices for passwords dictate the use of passwords containing at
least eight alphanumeric characters. Six-character passwords are insufficient to defeat
modern attacks.
Explanation: The CER is the point at which the FAR and FRR are equal. It provides a
balanced look at the accuracy of a biometric system.
10. Alan is evaluating different biometric systems and is concerned that users might not
want to subject themselves to retinal scans due to privacy concerns. Which
characteristic of a biometric system is he considering?
A. Accuracy
B. Reaction time
C. Dynamism
D. Acceptability
Explanation: The measure of user comfort is the acceptability of the system. Certain
biometric measurements, such as retinal scans, are more objectionable to some users
than other biometric measurements, such as signature dynamics. It's important to note
that if users are not comfortable using a system, they may refuse to submit to it.
Explanation: The fact that physical characteristics of a user may change is a disadvantage
of biometric systems because significant changes that affect the access profile will result
in false rejections that require reenrollment of the user.
12. What is a single sign-on (SSO) approach that relies upon the use of key distribution
centers (KDCs) and ticket-granting servers (TGSs)?
Explanation: Kerberos uses both KDCs and TGSs in the authentication and authorization
process to provide legitimate users with access to systems appropriate to their
authorization level.
A. NTFS permission
B. MAC filtering
C. ID badge
D. Security policy
Explanation: Hardware controls include equipment that checks and validates IDs, such as
MAC filtering on network devices, smart card use for two-step authentication, and
security tokens such as radio frequency identification (RFID) tags.
14. Gary would like to choose an access control model in which the owner of a resource
decides who may modify permissions on that resource. Which model fits that scenario?
Explanation: In a DAC system, the owner of the resource decides who gets in and
changes permissions as needed. The owner can delegate that responsibility to others.
15. Tomahawk Industries develops weapons control systems for the military. The
company designed a system that requires two different officers to enter their access
codes before allowing the system to engage. Which principle of security is this
following?
A. Least privilege
B. Security through obscurity
C. Need to know
D. Separation of duties
Answer: D Reference: Defeating Least Privilege, Separation of Duties, and Need to Know
Explanation: Separation of duties is the process of dividing a task into a series of unique
activities performed by different people, each of whom is allowed to execute only one
part of the overall task.
16. Which security model does NOT protect the integrity of information?
A. Bell-LaPadula
B. Clark-Wilson
C. Biba
D. Brewer and Nash
Explanation: The Bell-LaPadula model focuses on the confidentiality, not the integrity, of
data and helps govern access to classified information.
17. Which one of the following principles is NOT a component of the Biba integrity
model?
A. Subjects cannot read objects that have a lower level of integrity than the subject.
B. Subjects cannot change objects that have a lower integrity level.
C. Subjects at a given integrity level can call up only subjects at the same integrity
level or lower.
D. A subject may not ask for service from subjects that have a higher integrity level.
Explanation: The Biba integrity model does not allow subjects to change objects that
have a higher integrity level than the subject.
18. Which of the following does NOT offer authentication, authorization, and accounting
(AAA) services?
A. Remote Authentication Dial-In User Service (RADIUS)
B. Terminal Access Controller Access Control System Plus (TACACS+)
C. Redundant Array of Independent Disks (RAID)
D. DIAMETER
Explanation: SAML is an open standard used for exchanging both authentication and
authorization data. SAML is based on XML and was designed to support access control
needs for distributed systems. SAML is often used in web application access control.
A. On-demand provisioning
B. Improved disaster recovery
C. No need to maintain a data center
D. Lower dependence on outside vendors
Explanation: Cloud computing increases the need to rely upon outside vendors.
Releasing private data to a cloud service provider requires some level of trust in that
provider.
True/False Questions
1. A trusted operating system (TOS) provides features that satisfy specific government
requirements for security.
A. True
B. False
Explanation:
Type: True/False
2. The four central components of access control are users, resources, actions, and
features.
A. True
B. False
Explanation: The four central components of access control are users, resources, actions,
and relationships, not features.
Type: True/False
3. Common methods used to identify a user to a system include username, smart card,
and biometrics.
A. True
B. False
Answer: A Reference: Methods and Guidelines for Identification
Explanation:
Type: True/False
4. A dictionary attack works by hashing all the words in a dictionary and then comparing
the hashed value with the system password file to discover a match.
A. True
B. False
Explanation:
Type: True/False
A. True
B. False
Type: True/False
6. The number of failed logon attempts that trigger an account action is called an audit
logon event.
A. True
B. False
Type: True/False
A. True
B. False
Type: True/False
8. A smart card is a token shaped like a credit card that contains one or more
microprocessor chips that accept, store, and send information through a reader.
A. True
B. False
Explanation:
Type: True/False
9. Voice pattern biometrics are accurate for authentication because voices can't easily be
replicated by computer software.
A. True
B. False
Type: True/False
10. Fingerprints, palm prints, and retina scans are types of biometrics.
A. True
B. False
Explanation:
Type: True/False
11. Single sign-on (SSO) can provide for stronger passwords because with only one
password to remember, users are generally willing to use stronger passwords.
A. True
B. False
Explanation:
Type: True/False
A. True
B. False
Type: True/False
13. Log files are records that detail who logged on to a system, when they logged on,
and what information or resources they used.
A. True
B. False
Explanation:
Type: True/False
14. A degausser creates a magnetic field that erases data from magnetic storage media.
A. True
B. False
Explanation:
Type: True/False
15. User-based permission levels limit a person to executing certain functions and often
enforce mutual exclusivity.
A. True
B. False
Explanation: User-based permission levels are where the permissions granted to a user
are often specific to that user. In this case, the rules are set according to a user ID or
other unique identifier. Task-based access control limits a person to executing certain
functions and often enforces mutual exclusivity.
Type: True/False
16. Temporal isolation is commonly used in combination with rule-based access control.
A. True
B. False
Explanation: Temporal isolation restricts access to specific times and is commonly used
in combination with role-based access control, not rule-based access control.
Type: True/False
17. Content-dependent access control requires the access control mechanism to look at
the data to decide who should get to see it.
A. True
B. False
Explanation:
Type: True/False
18. A Chinese wall security policy defines a barrier and develops a set of rules that
make sure no subject gets to objects on the other side.
A. True
B. False
Explanation:
Type: True/False
A. True
B. False
Explanation:
Type: True/False
A. True
B. False
Type: True/False
Category Stats
Analyze: 0
Apply: 5
Evaluate: 0
Remember: 5
Understand: 10
Difficulty Stats
Easy: 2
Medium: 14
Hard: 4