Term
Which access control mechanism provides the owner of an object the opportunity to determine the access control permissions for other subjects?
A) Mandatory
B) Role-Based
C) Discretionary
D) Token-Based

Definition
C,
Discretionary access control provides the owner of an object the opportunity to determine the access control permissions for other subjects.

Term
What is the most common form of authentication used?
A) Biometrics
B) Tokens
C) Access cards
D) Username/Password

Definition
D,
Username/Password is the single most common authentication mechanism in use today.

Term
A retinal scan device is an example of what type of authentication mechanism?
A) Something you know
B) Something you have
C) Something about you/something you are
D) Multifactor Authentication

Definition
C,
A retinal scan is an example of a biometric device, which falls into the category of something about you/something you are.

Term
From a security standpoint, what are the benefits of job rotation?
A) It keeps employees from becoming bored with mundane tasks that might make it easier for them to make a mistake without noticing.
B) It provides everybody with a better perspective of the issues surrounding security and lessens the impact of losing any individual employee, since others can assume their duties.
C) It keeps employees from learning too many details related to any one position, thus making it more difficult for them to exploit that position.
D) It ensures that no employee has the opportunity to exploit a specific position for any length of time without the risk of being discovered.

Definition
B,
While both C and D may indeed bear a semblance of truth, they are not the primary reasons given as benefits of rotating employees through jobs in an organization. The reasons discussed included ensuring that no single individual alone can perform security operations, plus the benefit of having more employees understand the issues related to security.

Term
What was described in the chapter as being essential in order to implement mandatory access controls?
A) Tokens
B) Certificates
C) Labels
D) Security classifications

Definition
C,
Labels were discussed as being required for both objects and subjects in order to implement mandatory access controls. D is not the correct answer: mandatory access controls are often used to implement various levels of security classification, but security classifications are not needed in order to implement MAC.

Term
The CIA of security includes
A) Confidentiality, Integrity, Authentication
B) Certificates, Integrity, Availability
C) Confidentiality, Inspection, Authentication
D) Confidentiality, Integrity, Availability

Definition
D,
Don't forget that even though authentication was described at great length in this chapter, the A in the CIA of security represents availability, which refers to the hardware and data being accessible when the user wants it.

Term
Security through obscurity is an approach to security that is sometimes used but that is dangerous to rely on. It attempts to do the following:
A) Protect systems and networks by using confusing URLs to make them difficult to remember.
B) Protect data by relying on attackers not being able to discover the hidden, confusing, or obscuring mechanisms being used, as opposed to employing any real security measures.
C) Hide data in plain sight through the use of cryptography.
D) Make data hard to access by restricting the availability to a select group of users.

Definition
B,
Answer B describes the more general definition of this flawed approach, which relies on attackers not being able to discover the mechanisms being used, in the belief that if a mechanism is confusing or obscure enough, it will remain safe. The problem with this approach is that once the confusing or obscure technique is discovered, the security of the system and data can be compromised. Security must rely on more than just obscurity to be effective. Answer A does at some level describe activity that is similar to the concept of security through obscurity, but it is not the best answer.

Term
The fundamental approach to security in which an object has only the necessary rights and privileges to perform its task, with no additional permissions, is a description of
A) Layered Security
B) Least Privilege
C) Role-Based Security
D) Kerberos

Definition
B,
This describes least privilege. Layered security refers to using multiple layers of security (such as the host and network layers) so that if an intruder penetrates one layer, they still have to face additional security mechanisms before gaining access to sensitive information.

Term
Which access control technique discussed relies on a set of rules to determine whether access to an object will be granted or not?
A) Role-based access control
B) Object and rule instantiation access control
C) Rule-based access control
D) Discretionary access control

Definition
C,
Rule-based access control relies on a set of rules to determine whether access to an object will be granted or not.

Term
The security principle that ensures that no critical function can be executed by any single individual (by dividing the function into multiple tasks that can't all be executed by the same individual) is known as
A) Discretionary access control
B) Security through obscurity
C) Separation of duties
D) Implicit deny

Definition
C,
The separation of duties principle ensures that no critical function can be executed by any single individual.

Term
The ability of a subject to interact with an object is described as
A) Authentication
B) Access
C) Confidentiality
D) Mutual authentication

Definition
B,
Access is the ability of a subject to interact with an object.

Term
Information security places the focus of security efforts on
A) The system hardware
B) The software
C) The user
D) The data

Definition
D,
Information security places the focus of the security efforts on the data (information).

Term
In role-based access control, which of the following is true?
A) The user is responsible for providing both a password and a digital certificate in order to access the system or network.
B) A set of roles that the user may perform will be assigned to each user, thus controlling what the user can and can't do with the information he or she can access.
C) The focus is on the confidentiality of the data the system protects and not its integrity.
D) Authentication and nonrepudiation are the central focus.

Definition
B,
In role-based access controls, roles are assigned to the user. Each role describes what the user can do and the data or information that can be accessed to accomplish the role.

Term
Using different types of firewalls to protect various internal subnets is an example of
A) Layered security
B) Security through obscurity
C) Diversity of defense
D) Implementing least privilege for access control

Definition
C,
This is an example of diversity of defense. The idea is to provide different types of security and not rely too heavily on any one type of product.

Term
Which of the following is true about the security principle of implicit deny?
A) In a given access control situation, if a rule does not specifically allow the access, it is by default denied.
B) It incorporates both access-control and authentication mechanisms into a single device.
C) It allows only one user to access an object at a time; all others are denied access.
D) It bases access decisions on the role of the user.

Definition
A,
The basic premise of implicit deny is that an action is allowed only if a specific rule states that it is acceptable, making A the most correct answer.

Term
What is the difference between Due Care and Due Diligence?

Definition
Due Care = You act responsibly.
Due Diligence = You looked at and examined all of the potential risks; you did your job thoroughly.

Term
Which are bad: hackers or crackers?

Definition
Hackers are good.
Crackers are bad.