Chapter 5 Test Bank
Multiple-Choice Questions
1. Which one of the following is an example of a logical access control?
A. Key for a lock
B. Password
C. Access card
D. Fence
Answer: B Reference: Two Types of Access Controls
Explanation: Logical access controls restrict access to a computer system or network and
a password is the most common example. Physical keys, access cards, and fences are all
examples of physical access controls.
Type: Multiple Choice Difficulty: Medium Category: Apply
2. During which phase of the access control process does the system answer the
question, "What can the requestor access?"
A. Identification
B. Authentication
C. Authorization
D. Accountability
Answer: C Reference: Four-Part Access Control
Explanation: During the authorization phase of access control, the system answers the
questions: "What, exactly, can the requestor access?" and "What can they do?"
Type: Multiple Choice Difficulty: Medium Category: Remember
3. Ed wants to make sure that his system is designed in a manner that allows tracing
actions to an individual. Which phase of access control is Ed concerned about?
A. Identification
B. Authentication
C. Authorization
D. Accountability
Answer: D Reference: Four-Part Access Control
Explanation: The process of associating actions with users for later reporting and
research is known as accountability. It ensures that a person who accesses or makes
changes to data or systems can be identified.
Type: Multiple Choice Difficulty: Medium Category: Apply
4. The ___________ is the central part of a computing environment's hardware,
software, and firmware that enforces access control.
A. security kernel
B. CPU
C. memory
D. co-processor
Answer: A Reference: The Security Kernel
Explanation: The security kernel provides a central point of access control and
implements the reference monitor concept. It mediates all access requests and permits
access only when the appropriate rules or conditions are met.
Type: Multiple Choice Difficulty: Medium Category: Remember
5. Which type of authentication includes smart cards?
A. Knowledge
B. Ownership
C. Location
D. Action
Answer: B Reference: Authentication Types
Explanation: Ownership authentication methods fit the criteria of "something you have."
These include smart cards, keys, badges, and tokens.
Type: Multiple Choice Difficulty: Easy Category: Understand
6. Which one of the following is an example of two-factor authentication?
A. Smart card and personal identification number (PIN)
B. Personal identification number (PIN) and password
C. Password and security questions
D. Token and smart card
Answer: A Reference: Authentication Types
Explanation: Authentication using smart cards and PINs is two-factor authentication
because it combines ownership and knowledge. Using PINs, passwords, and security
questions in any combination is single-factor authentication because all three are
knowledge-based. Tokens and smart cards are both ownership-based.
Type: Multiple Choice Difficulty: Hard Category: Apply
7. Which type of password attack attempts all possible combinations of a password in an
attempt to guess the correct value?
A. Dictionary attack
B. Rainbow table attack
C. Social engineering attack
D. Brute-force attack
Answer: D Reference: Authentication by Knowledge
Explanation: Brute-force attacks involve trying every possible combination of characters.
They test low-entropy words first, followed by passwords with higher entropy.
Type: Multiple Choice Difficulty: Easy Category: Remember
8. Which one of the following is NOT a commonly accepted best practice for password
security?
A. Use at least six alphanumeric characters.
B. Do not include usernames in passwords.
C. Include a special character in passwords.
D. Include a mixture of uppercase characters, lowercase characters, and numbers in
passwords.
Answer: A Reference: Password Account Policies
Explanation: Best practices for passwords dictate the use of passwords containing at
least eight alphanumeric characters. Six-character passwords are insufficient to defeat
modern attacks.
Type: Multiple Choice Difficulty: Medium Category: Understand
9. Which characteristic of a biometric system measures the system's accuracy using a
balance of different error types?
A. False acceptance rate (FAR)
B. False rejection rate (FRR)
C. Crossover error rate (CER)
D. Reaction time
Answer: C Reference: Authentication by Characteristics/Biometrics
Explanation: The CER is the point at which the FAR and FRR are equal. It provides a
balanced look at the accuracy of a biometric system.
Type: Multiple Choice Difficulty: Medium Category: Understand
10. Alan is evaluating different biometric systems and is concerned that users might not
want to subject themselves to retinal scans due to privacy concerns. Which
characteristic of a biometric system is he considering?
A. Accuracy
B. Reaction time
C. Dynamism
D. Acceptability
Answer: D Reference: Concerns Surrounding Biometrics
Explanation: The measure of user comfort is the acceptability of the system. Certain
biometric measurements, such as retinal scans, are more objectionable to some users
than other biometric measurements, such as signature dynamics. It's important to note
that if users are not comfortable using a system, they may refuse to submit to it.
Type: Multiple Choice Difficulty: Medium Category: Apply
11. Which one of the following is NOT an advantage of biometric systems?
A. Biometrics require physical presence.
B. Biometrics are hard to fake.
C. Users do not need to remember anything.
D. Physical characteristics may change.
Answer: D Reference: Advantages and Disadvantages of Biometrics
Explanation: The fact that physical characteristics of a user may change is a disadvantage
of biometric systems because significant changes that affect the access profile will result
in false rejections that require reenrollment of the user.
Type: Multiple Choice Difficulty: Medium Category: Understand
12. What is a single sign-on (SSO) approach that relies upon the use of key distribution
centers (KDCs) and ticket-granting servers (TGSs)?
A. Secure European System for Applications in a Multi-Vendor Environment (SESAME)
B. Lightweight Directory Access Protocol (LDAP)
C. Security Assertion Markup Language (SAML)
D. Kerberos
Answer: D Reference: SSO Processes
Explanation: Kerberos uses both KDCs and TGSs in the authentication and authorization
process to provide legitimate users with access to systems appropriate to their
authorization level.
Type: Multiple Choice Difficulty: Hard Category: Understand
13. Which of the following is an example of a hardware security control?
A. NTFS permission
B. MAC filtering
C. ID badge
D. Security policy
Answer: B Reference: Security Controls
Explanation: Hardware controls include equipment that checks and validates IDs, such as
MAC filtering on network devices, smart card use for two-step authentication, and
security tokens such as radio frequency identification (RFID) tags.
Type: Multiple Choice Difficulty: Medium Category: Understand
14. Gary would like to choose an access control model in which the owner of a resource
decides who may modify permissions on that resource. Which model fits that scenario?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Rule-based access control
D. Role-based access control (RBAC)
Answer: A Reference: Formal Models of Access Control
Explanation: In a DAC system, the owner of the resource decides who gets in and
changes permissions as needed. The owner can delegate that responsibility to others.
Type: Multiple Choice Difficulty: Hard Category: Apply
15. Tomahawk Industries develops weapons control systems for the military. The
company designed a system that requires two different officers to enter their access
codes before allowing the system to engage. Which principle of security is this
following?
A. Least privilege
B. Security through obscurity
C. Need to know
D. Separation of duties
Answer: D Reference: Defeating Least Privilege, Separation of Duties, and Need to Know
Explanation: Separation of duties is the process of dividing a task into a series of unique
activities performed by different people, each of whom is allowed to execute only one
part of the overall task.
Type: Multiple Choice Difficulty: Medium Category: Understand
16. Which security model does NOT protect the integrity of information?
A. Bell-LaPadula
B. Clark-Wilson
C. Biba
D. Brewer and Nash
Answer: A Reference: Other Access Control Models
Explanation: The Bell-LaPadula model focuses on the confidentiality, not the integrity, of
data and helps govern access to classified information.
Type: Multiple Choice Difficulty: Medium Category: Understand
17. Which one of the following principles is NOT a component of the Biba integrity
model?
A. Subjects cannot read objects that have a lower level of integrity than the subject.
B. Subjects cannot change objects that have a lower integrity level.
C. Subjects at a given integrity level can call up only subjects at the same integrity
level or lower.
D. A subject may not ask for service from subjects that have a higher integrity level.
Answer: B Reference: Other Access Control Models
Explanation: The Biba integrity model does not allow subjects to change objects that
have a higher integrity level than the subject.
Type: Multiple Choice Difficulty: Hard Category: Understand
18. Which of the following does NOT offer authentication, authorization, and accounting
(AAA) services?
A. Remote Authentication Dial-In User Service (RADIUS)
B. Terminal Access Controller Access Control System Plus (TACACS+)
C. Redundant Array of Independent Disks (RAID)
D. DIAMETER
Answer: C Reference: Types of AAA Servers
Explanation: RAID is a business continuity technology, not an authentication,
authorization, and accounting service. RADIUS, TACACS+, and DIAMETER are all AAA
services.
Type: Multiple Choice Difficulty: Medium Category: Remember
19. What is an XML-based open standard for exchanging authentication and
authorization information and is commonly used for web applications?
A. Security Assertion Markup Language (SAML)
B. Secure European System for Applications in a Multi-Vendor Environment (SESAME)
C. User Datagram Protocol (UDP)
D. Password Authentication Protocol (PAP)
Answer: A Reference: Types of AAA Servers
Explanation: SAML is an open standard used for exchanging both authentication and
authorization data. SAML is based on XML and was designed to support access control
needs for distributed systems. SAML is often used in web application access control.
Type: Multiple Choice Difficulty: Medium Category: Remember
20. Which of the following is NOT a benefit of cloud computing to organizations?
A. On-demand provisioning
B. Improved disaster recovery
C. No need to maintain a data center
D. Lower dependence on outside vendors
Answer: D Reference: Cloud Computing
Explanation: Cloud computing increases the need to rely upon outside vendors.
Releasing private data to a cloud service provider requires some level of trust in that
provider.
Type: Multiple Choice Difficulty: Medium Category: Understand
True/False Questions
1. A trusted operating system (TOS) provides features that satisfy specific government
requirements for security.
A. True
B. False
Answer: A Reference: The Security Kernel
Explanation:
Type: True/False
2. The four central components of access control are users, resources, actions, and
features.
A. True
B. False
Answer: B Reference: Access Control Policies
Explanation: The four central components of access control are users, resources, actions,
and relationships, not features.
Type: True/False
3. Common methods used to identify a user to a system include username, smart card,
and biometrics.
A. True
B. False
Answer: A Reference: Methods and Guidelines for Identification
Explanation:
Type: True/False
4. A dictionary attack works by hashing all the words in a dictionary and then comparing
the hashed value with the system password file to discover a match.
A. True
B. False
Answer: A Reference: Authentication by Knowledge
Explanation:
Type: True/False
5. Passphrases are less secure than passwords.
A. True
B. False
Answer: B Reference: Authentication by Knowledge
Explanation: A passphrase is longer and generally harder to guess, so it's considered
more secure than a password.
Type: True/False
6. The number of failed logon attempts that trigger an account action is called an audit
logon event.
A. True
B. False
Answer: B Reference: Authentication by Knowledge
Explanation: The number of failed logon attempts that trigger an account action is called
the threshold. Audit logon events provide you with a record of when every user logs on
or off a computer.
Type: True/False
7. You should use easy-to-remember personal information to create secure passwords.
A. True
B. False
Answer: B Reference: Authentication by Knowledge
Explanation: Passwords must never use an employee's ID number, Social Security
number, birth date, telephone number, or any personal information that can be easily
guessed.
Type: True/False
8. A smart card is a token shaped like a credit card that contains one or more
microprocessor chips that accept, store, and send information through a reader.
A. True
B. False
Answer: A Reference: Authentication by Ownership
Explanation:
Type: True/False
9. Voice pattern biometrics are accurate for authentication because voices can't easily be
replicated by computer software.
A. True
B. False
Answer: B Reference: Authentication by Characteristics/Biometrics
Explanation: Voice pattern is NOT accurate for authentication because voices can be too
easily replicated by computer software.
Type: True/False
10. Fingerprints, palm prints, and retina scans are types of biometrics.
A. True
B. False
Answer: A Reference: Authentication by Characteristics/Biometrics
Explanation:
Type: True/False
11. Single sign-on (SSO) can provide for stronger passwords because with only one
password to remember, users are generally willing to use stronger passwords.
A. True
B. False
Answer: A Reference: Advantages and Disadvantages of SSO
Explanation:
Type: True/False
12. DIAMETER is a research and development project funded by the European
Commission.
A. True
B. False
Answer: B Reference: SSO Processes
Explanation: SESAME is a research and development project funded by the European
Commission. DIAMETER is a type of AAA server.
Type: True/False
13. Log files are records that detail who logged on to a system, when they logged on,
and what information or resources they used.
A. True
B. False
Answer: A Reference: Log Files
Explanation:
Type: True/False
14. A degausser creates a magnetic field that erases data from magnetic storage media.
A. True
B. False
Answer: A Reference: Media Disposal Requirements
Explanation:
Type: True/False
15. User-based permission levels limit a person to executing certain functions and often
enforce mutual exclusivity.
A. True
B. False
Answer: B Reference: Permission Levels
Explanation: User-based permission levels are where the permissions granted to a user
are often specific to that user. In this case, the rules are set according to a user ID or
other unique identifier. Task-based access control limits a person to executing certain
functions and often enforces mutual exclusivity.
Type: True/False
16. Temporal isolation is commonly used in combination with rule-based access control.
A. True
B. False
Answer: B Reference: Mandatory Access Control (MAC)
Explanation: Temporal isolation restricts access to specific times and is commonly used
in combination with role-based access control, not rule-based access control.
Type: True/False
17. Content-dependent access control requires the access control mechanism to look at
the data to decide who should get to see it.
A. True
B. False
Answer: A Reference: Content-Dependent Access Control
Explanation:
Type: True/False
18. A Chinese wall security policy defines a barrier and develops a set of rules that
makes sure no subject gets to objects on the other side.
A. True
B. False
Answer: A Reference: Brewer and Nash Integrity Model
Explanation:
Type: True/False
19. An example of a threat to access control is in a peer-to-peer (P2P) arrangement in
which users share their My Documents folder with each other by accident.
A. True
B. False
Answer: A Reference: Threats to Access Controls
Explanation:
Type: True/False
20. Terminal Access Controller Access Control System Plus (TACACS+) is an
authentication server that uses client and user configuration files.
A. True
B. False
Answer: B Reference: Types of AAA Servers
Explanation: Remote Authentication Dial-In User Service (RADIUS) is an authentication
server that uses client and user configuration files. TACACS+ is an Internet Engineering
Task Force (IETF) standard that uses a single configuration file.
Type: True/False
True/False Question Stats
Total True/False Questions: 20
Multiple-Choice Question Stats
Total Multiple-Choice Questions: 20
Category Stats
Analyze: 0
Apply: 5
Evaluate: 0
Remember: 5
Understand: 10
Difficulty Stats
Easy: 2 Medium: 14 Hard: 4
Total Questions in Test Bank: 40