Access Control Part 1
Your quiz results:
1. Question: 216 | Difficulty: 4/5 | Relevancy: 3/3
There are parallels between the trust models in Kerberos and in PKI. When we compare them side by side, Kerberos tickets correspond most closely to which of the following?
o public keys
o private keys
o public-key certificates
o private-key certificates
C. A Kerberos ticket is issued by a trusted third party (the KDC), much as an X.509 public-key certificate is issued by a trusted CA, and both bind a named principal to key material that a relying party can check without consulting the issuer at every use. The ticket is an encrypted data structure containing the client's identity, the session key and a validity period, sealed under the service's long-term key so that only the service can open it. In that sense it corresponds to a public-key certificate. The ticket is not itself a key, so neither "public keys" nor "private keys" fits, and there is no such thing as a private-key certificate.
Study areas: CISSP CBK domain #1 - Access Control, CISSP CBK domain #5 - Cryptography
Covered topics (2): Kerberos, X.509 Digital certificates
This question © Copyright 2003–2009 cccure.org.
2. Question: 423 | Difficulty: 1/5 | Relevancy: 3/3
What is called a password that is the same for each log-on session?
o "one-time password"
o "two-time password"
o static password
o dynamic password
C. A password that is the same for each log-on is called a static password.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Contributor: Rakesh Sud
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Passwords
This question © Copyright 2003–2009 Rakesh Sud, cccure.org.
3. Question: 88 | Difficulty: 1/5 | Relevancy: 3/3
A timely review of system access audit records would be an example of which of the basic security functions?
o avoidance.
o deterrence.
o prevention.
o detection.
D. The correct answer is: detection.
By reviewing system logs you can detect events that have occurred.
The following answers are incorrect:
avoidance. This is incorrect, avoidance is a distractor. By reviewing system logs you have not avoided anything.
deterrence. This is incorrect because system logs are a history of past events. You cannot deter something that has already occurred.
prevention. This is incorrect because system logs are a history of past events. You cannot prevent something that has already occurred.
Last modified 6/08/2007 - J. Hajec
Comment:
A timely review of the audit logs provides early detection of possible intentional abuse, but it does nothing to prevent an abuse that has already occurred. Early detection can, however, lead to prevention of more serious abuse later on. Auditing should be seen as a detection exercise rather than a preventive one.
References:
OIG CBK Glossary (page 791)
Contributor: Kamren Lee
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Account, log and journal monitoring
This question © Copyright 2003–2009 cccure.org.
4. Question: 1241 | Difficulty: 2/5 | Relevancy: 3/3
Identification and authentication are the keystones of most access control systems. Identification establishes:
o user accountability for the actions on the system.
o top management accountability for the actions on the system.
o EDP department accountability for the actions of users on the system.
o authentication for actions on the system
A. Identification and authentication are the keystones of most access control systems. Identification establishes user accountability for the actions on the system.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Contributors: Rakesh Sud, Sasa Vidanovic
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Access control objectives
This question © Copyright 2003–2009 Rakesh Sud, cccure.org.
5. Question: 438 | Difficulty: 2/5 | Relevancy: 3/3
Which of the following biometric characteristics cannot be used to uniquely authenticate an individual's identity?
o Retina scans
o Iris scans
o Palm scans
o Skin scans
D. The following are typical biometric characteristics that are used to uniquely authenticate an individual's identity:
- Fingerprints
- Retina scans
- Iris scans
- Facial scans
- Palm scans
- Hand geometry
- Voice
- Handwritten signature dynamics
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39.
And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 127-131).
Contributors: Rakesh Sud, Christian Vezina, don murdoch
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Biometrics
This question © Copyright 2003–2009 Rakesh Sud, cccure.org.
6. Question: 408 | Difficulty: 1/5 | Relevancy: 3/3
What is called the access protection system that limits connections by calling back the number of a previously authorized location?
o Sendback systems
o Callback forward systems
o Callback systems
o Sendback forward systems
C. Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.
Contributors: Rakesh Sud, Christian Vezina
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Callback systems
This question © Copyright 2003–2009 Rakesh Sud, cccure.org.
7. Question: 1227 | Difficulty: 3/5 | Relevancy: 3/3
Three key things that must be considered for the planning and implementation of access control mechanisms do NOT include:
o threats to the system
o the system's vulnerability to threats to the system
o the system's vulnerability to viruses
o the risk that the threat may materialize
C. The three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system's vulnerability to those threats, and the risk that the threat may materialize. Vulnerability to viruses is only one specific instance of the second item, not a separate consideration.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.
Contributors: Rakesh Sud, Sasa Vidanovic
Study areas: CISSP CBK domain #3 - Information Security and Risk Management, CISSP CBK domain #1 - Access Control
Covered topics (2): Threats and vulnerabilities, Access control methodologies and implementation
This question © Copyright 2003–2009 Rakesh Sud, cccure.org.
8. Question: 380 | Difficulty: 3/5 | Relevancy: 3/3
The following is not a characteristic we need to consider with respect to a biometric identification systems:
o data acquisition process
o counterfeit information
o enrolment process
o speed and user interface
B. The data acquisition process, the enrolment process, and speed and user interface are all characteristics of the biometric system itself that must be evaluated; "counterfeit information" is not one of them. Today the implementation of fast, accurate, reliable and user-acceptable biometric identification systems is already under way.
From: TIPTON, Harold F. & KRAUSE, MICKI, Information Security Management Handbook, 4th Edition, Volume 1, Pages 5-6.
Contributor: Rakesh Sud
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Biometrics
This question © Copyright 2003–2009 Rakesh Sud, cccure.org.
9. Question: 748 | Difficulty: 2/5 | Relevancy: 3/3
Which of the following statements pertaining to access control is false?
o Users should only access data on a need-to-know basis.
o If access is not explicitly denied, it should be implicitly allowed.
o Access rights should be granted based on the level of trust a company has on a subject.
o Roles can be an efficient way to assign rights to a type of user who performs certain tasks.
B. Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed. If access is not explicitly allowed, it should be implicitly denied.
Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 143).
Contributor: Christian Vezina
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Access control techniques
This question © Copyright 2003–2009 Christian Vezina, cccure.org.
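The principle behind answer B, default deny, is easiest to see in code. The following is an added example and is not from the quiz or its cited sources; the policy format (a dict keyed by role and resource), the roles and the resource paths are all hypothetical. It puts the correct allowlist check beside the "allow unless explicitly denied" anti-pattern and shows how the latter silently opens a resource nobody thought to list.

```python
"""Default-deny authorization: an added example, not taken from the page or its cited sources.

Assumed (hypothetical) policy format: ALLOW_RULES maps (role, resource) to the set of
permitted actions. A subject may hold several roles. Whatever is not listed is denied.
"""
from typing import Dict, Iterable, Set, Tuple

Rules = Dict[Tuple[str, str], Set[str]]

# Constructed sample policy with hypothetical roles and resources.
ALLOW_RULES: Rules = {
    ("analyst", "/reports/quarterly"): {"read"},
    ("editor", "/reports/quarterly"): {"read", "write"},
    ("admin", "/reports/quarterly"): {"read", "write", "delete"},
}

# Constructed deny list, used only to show the broken "default allow" pattern.
DENY_RULES: Rules = {
    ("analyst", "/reports/quarterly"): {"write", "delete"},
}


def is_allowed(roles: Iterable[str], resource: str, action: str,
               rules: Rules = ALLOW_RULES) -> bool:
    """Default deny: grant only if one of the subject's roles has an explicit allow entry."""
    for role in roles:
        if action in rules.get((role, resource), set()):
            return True
    return False  # no matching rule: implicitly denied


def is_allowed_default_allow(roles: Iterable[str], resource: str, action: str,
                             deny_rules: Rules = DENY_RULES) -> bool:
    """The anti-pattern from answer B: grant unless explicitly denied.

    A resource or action nobody thought to list is silently open.
    """
    for role in roles:
        if action in deny_rules.get((role, resource), set()):
            return False
    return True  # no matching deny rule: implicitly allowed (the hole)


def compare(roles: Iterable[str], resource: str, action: str) -> Tuple[bool, bool]:
    """Return (default_deny_result, default_allow_result) for the same request."""
    roles = list(roles)
    return (is_allowed(roles, resource, action),
            is_allowed_default_allow(roles, resource, action))


if __name__ == "__main__":
    # A report that exists but was never added to either rule set.
    print(compare(["analyst"], "/reports/unreleased", "read"))   # (False, True)
    print(compare(["analyst"], "/reports/quarterly", "read"))    # (True, True)
    print(compare(["analyst"], "/reports/quarterly", "delete"))  # (False, False)
```

The two functions agree on everything that was explicitly written down; they differ exactly on the unlisted resource, which is where real systems leak. Roles here also illustrate answer D: rights are attached to a role once, and users pick them up by membership.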
10. Question: 1110 | Difficulty: 5/5 | Relevancy: 3/3
Which biometric system typically uses the smallest file size for user data?
o Fingerprint
o Hand geometry
o Retina pattern
o Voice pattern
B. The hand geometry pattern can be stored in only 9 bytes. A retina pattern uses 96 bytes, whereas a fingerprint uses between 0.5 and 1.5 KB and a voice pattern typically uses between 1 and 10 KB.
Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 1 (derived from the Information Security Management Handbook, 4th Ed., by Tipton & Krause). Available at http://www.cccure.org.
Contributor: Christian Vezina
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Biometrics
This question © Copyright 2003–2009 Christian Vezina, cccure.org.
11. Question: 1245 | Difficulty: 2/5 | Relevancy: 3/3
An alternative to using passwords for authentication in logical or technical access control is:
o manage without passwords
o biometrics
o not there
o use of them for physical access control
B. An alternative to using passwords for authentication in logical or technical access control is biometrics. Biometrics are based on the Type 3 authentication mechanism (something you are), as opposed to Type 1 (something you know, such as a password) and Type 2 (something you have, such as a token).
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.
Contributors: Rakesh Sud, Sasa Vidanovic
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Biometrics
This question © Copyright 2003–2009 Rakesh Sud, cccure.org.
12. Question: 1239 | Difficulty: 2/5 | Relevancy: 3/3
Using clipping levels refers to:
o setting allowable thresholds on a reported activity
o limiting access to top management staff
o setting personnel authority limits based on need-to-know basis
o encryption of data so that it cannot be stolen
A. Using clipping levels refers to setting allowable thresholds on a reported activity. For example, a clipping level of three can be set for reporting failed log-on attempts at a workstation. Thus, three or fewer log-on attempts by an individual at a workstation will not be reported as a violation, thus eliminating the need for reviewing normal log-on entry errors.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Contributors: Rakesh Sud, Sasa Vidanovic
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Clipping level
This question © Copyright 2003–2009 Rakesh Sud, cccure.org.
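The clipping level described above is a small piece of detection logic, so here it is as an added example (not from the quiz or its cited source) run over a few constructed audit records. The record format, the ten-minute window and the workstation and user names are assumptions; the threshold of three comes from the explanation, so only a fourth or later failure within the window is reported.

```python
"""Clipping-level reporting for failed log-ons: an added example, not from the page.

Assumed record format (constructed): "<ISO timestamp> <workstation> <user> <FAIL|SUCCESS>".
A (workstation, user) pair is reported only when more than CLIPPING_LEVEL failures fall
inside a sliding WINDOW; three or fewer are treated as ordinary typing errors.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

CLIPPING_LEVEL = 3                 # from the explanation above
WINDOW = timedelta(minutes=10)     # assumption: the observation window

# Constructed sample audit records.
SAMPLE_LOG = """\
2024-05-01T09:00:05 WS-17 alice FAIL
2024-05-01T09:00:20 WS-17 alice FAIL
2024-05-01T09:00:41 WS-17 alice SUCCESS
2024-05-01T09:02:00 WS-22 bob FAIL
2024-05-01T09:02:10 WS-22 bob FAIL
2024-05-01T09:02:15 WS-22 bob FAIL
2024-05-01T09:02:19 WS-22 bob FAIL
2024-05-01T09:03:00 WS-22 bob FAIL
2024-05-01T09:30:00 WS-09 carol FAIL
2024-05-01T09:30:30 WS-09 carol FAIL
2024-05-01T09:30:50 WS-09 carol FAIL
"""

Key = Tuple[str, str]


def parse(line: str) -> Tuple[datetime, str, str, str]:
    ts, workstation, user, outcome = line.split()
    return datetime.fromisoformat(ts), workstation, user, outcome


def violations(log_text: str,
               clipping_level: int = CLIPPING_LEVEL,
               window: timedelta = WINDOW) -> Dict[Key, int]:
    """Return {(workstation, user): peak failures in any window} for pairs over the clipping level."""
    failures: Dict[Key, List[datetime]] = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, workstation, user, outcome = parse(line)
        if outcome == "FAIL":
            failures[(workstation, user)].append(ts)

    reported: Dict[Key, int] = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        # Sliding window: for each failure, count how many earlier ones lie within `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > clipping_level:
                reported[key] = max(reported.get(key, 0), count)
    return reported


if __name__ == "__main__":
    for (workstation, user), count in violations(SAMPLE_LOG).items():
        print(f"VIOLATION {user}@{workstation}: {count} failed log-ons within {WINDOW}")
```

With the sample records, alice (two failures, then success) and carol (exactly three failures) stay below the clipping level and generate no report; only bob, with five failures in a minute, is surfaced to the reviewer.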
13. Question: 418 | Difficulty: 2/5 | Relevancy: 3/3
What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?
o Authentication
o Identification
o Integrity
o Confidentiality
B. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Contributors: Rakesh Sud, Christian Vezina
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Identification and authentication techniques
This question © Copyright 2003–2009 Rakesh Sud, cccure.org.
14. Question: 7 | Difficulty: 2/5 | Relevancy: 3/3
Which of the following is true in a system with Mandatory Access Control?
o The system determines which users or groups may access a file.
o A user can set up an access list for the file(s), and the system checks both users and groups against this list before granting access.
o A user can specify which groups of users can access their files, but the system determines group membership.
o No control is being enforced on this model.
A. The correct answer is: The system determines which users or groups may access a file.
Access in a MAC environment is controlled by the system based upon the sensitivity levels of the subjects and objects.
The following answers are incorrect:
A user can set up an access list for the file(s), and the system checks both users and groups against this list before granting access. This is incorrect. That describes discretionary access control; under MAC it is the system, applying labels assigned by the data owner and the security administrator, that decides which users or groups can access a file, not the user.
A user can specify which groups of users can access their files, but the system determines group membership. This is incorrect for the same reason: under MAC a user cannot choose who may access a file or set up an access list for it.
No control is being enforced on this model. This is a false answer because under MAC the system enforces access based upon the sensitivity levels of the subjects and objects.
Last modified 6/06/2007 - J. Hajec
QA checked by M. Zagorski
Comment:
Mandatory Access Control (MAC) is a policy-based control. All objects and subjects have a sensitivity level assigned to them. A particular subject can only access a given object if the object's sensitivity level allows for it and the subject has the proper need-to-know. The sensitivity levels are determined by the data owner and the system administrator. Then, based on the sensitivity level of both the subjects and the objects, the system determines which subject has access to particular objects.
References:
OIG CBK Access Control (pages 186 - 188)
AIOv3 Access Control (pages 162 - 163)
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Mandatory access control
This question © Copyright 2003–2009 cccure.org.
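The comment above describes the two things that make a control mandatory: access is decided by comparing subject and object labels, and ordinary users cannot change those labels. The following is an added example, not from the quiz or the OIG or AIO references, that models exactly that. It assumes Bell-LaPadula style labels (a hierarchical sensitivity level plus need-to-know compartments, where one label dominates another when its level is at least as high and its compartments are a superset); the level names, compartment names, file names and the "security_admin" actor are hypothetical.

```python
"""Mandatory access control label check: an added example, not from the page or its sources.

Assumptions (not stated on the page): labels follow the Bell-LaPadula style of a
hierarchical sensitivity level plus a set of need-to-know compartments. A label
dominates another when its level is at least as high and its compartments are a
superset. Level, compartment, file and actor names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def read_allowed(subject: Label, obj: Label) -> bool:
    """Simple security property ("no read up"): the clearance must dominate the object
    label; the compartment comparison is what enforces need-to-know."""
    return subject.dominates(obj)


def write_allowed(subject: Label, obj: Label) -> bool:
    """*-property ("no write down"): the object label must dominate the clearance, so a
    subject cannot copy sensitive data into a less sensitive object."""
    return obj.dominates(subject)


class LabelStore:
    """Object labels are set by the security administrator only. Ordinary users cannot
    relabel, which is what makes the control mandatory rather than discretionary."""
    ADMIN = "security_admin"   # hypothetical administrative principal

    def __init__(self) -> None:
        self.labels: Dict[str, Label] = {}

    def set_label(self, actor: str, obj_name: str, label: Label) -> None:
        if actor != self.ADMIN:
            raise PermissionError(f"{actor} may not relabel {obj_name}")
        self.labels[obj_name] = label

    def can_read(self, subject: Label, obj_name: str) -> bool:
        return read_allowed(subject, self.labels[obj_name])

    def can_write(self, subject: Label, obj_name: str) -> bool:
        return write_allowed(subject, self.labels[obj_name])


def user_can_relabel(store: LabelStore, actor: str) -> bool:
    """True if `actor` is permitted to change an object's label."""
    try:
        store.set_label(actor, "scratch.txt", Label("UNCLASSIFIED"))
        return True
    except PermissionError:
        return False


def demo() -> Dict[str, bool]:
    """Constructed scenario: two SECRET-cleared users with different need-to-know."""
    store = LabelStore()
    store.set_label("security_admin", "crypto_plan.doc", Label("SECRET", frozenset({"CRYPTO"})))
    store.set_label("security_admin", "budget.xls", Label("CONFIDENTIAL"))
    store.set_label("security_admin", "ops_order.doc", Label("TOP SECRET", frozenset({"CRYPTO"})))
    alice = Label("SECRET", frozenset({"CRYPTO"}))    # cleared SECRET, need-to-know CRYPTO
    bob = Label("SECRET", frozenset({"NUCLEAR"}))     # cleared SECRET, no CRYPTO need-to-know
    return {
        "alice_reads_crypto": store.can_read(alice, "crypto_plan.doc"),   # True
        "bob_reads_crypto": store.can_read(bob, "crypto_plan.doc"),       # False: need-to-know
        "alice_reads_ops": store.can_read(alice, "ops_order.doc"),        # False: no read up
        "alice_writes_budget": store.can_write(alice, "budget.xls"),      # False: no write down
        "alice_writes_ops": store.can_write(alice, "ops_order.doc"),      # True: writing up is allowed
        "alice_can_relabel": user_can_relabel(store, "alice"),            # False: labels are mandatory
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that bob is cleared to the same level as alice and still cannot read the CRYPTO document: sensitivity level alone is not enough, the compartment (need-to-know) must match too, which is the point the comment above makes.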
15. Question: 1261 | Difficulty: 4/5 | Relevancy: 3/3
Which of the following is not a valid certification rule, ensuring integrity monitoring in the Clark-Wilson access control model?
o Constrained data items are consistent.
o Transformational procedures operate only on unconstrained data items.
o Duties are separated.
o Accesses are logged.
B. In the Clark-Wilson model, data that transformational procedures modify are called constrained data items (not unconstrained data items) because they are constrained in the sense that only transformational procedures may modify them and that integrity verification procedures exercise constraints on them to ensure that they have certain properties, of which consistency and conformance to the real world are two of the most significant. Unconstrained data items are all other data, chiefly the keyed input to transformational procedures.
Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, March 2002 (page 40). Available at http://www.cccure.org.
Contributor: Christian Vezi