Chapter 1

Question 1

Name at least seven access control types.

Answer 1

1. Preventive
2. Deterrent
3. Detective
4. Corrective
5. Recovery
6. Compensation
7. Directive

Question 2

Describe the three primary authentication factor types

Answer 2

Type 1. Something you know
Type 2. Something you have
Type 3. Something you are

Question 3

Name the method that allows users to log on once and access resources in multiple organizations without authenticating again.

Answer 3

Single Sign On (SSO)

examples: Kerberos, SESAME, Directory, SESAME

Question 4

Identify the three primary elements within the identity and access provisioning life cycle.

Answer 4

1. Provisioning accounts
2. Periodically reviewing and managing accounts
3. Revocation of accounts when they are no longer being used.

Question 5

1. Which of the following is true related to a subject?
   A. A subject is always a user account.
   B. The subject is always the entity that provides or hosts the information or data.
   C. The subject is always the entity that receives information about or data from the object.
   D. A single entity can never change roles between subject and object

Answer 5

C. The subject is active and is always the entity that receives information about or data from the object.

Question 6

2. Which of the following is considered a primary goal of access control?
   A. Preserve confidentiality, integrity, and availability of systems.
   B. Ensure that only valid objects can authenticate on a system.
   C. Prevent unauthorized access to subjects.
   D. Ensure that all subjects are authenticated.

Answer 6

A. Access control mechanisms help to prevent losses, including any loss of confidentiality, loss of availability, or loss of integrity.

Question 7

3. Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring?
A. Preventive
B. Detective
C. Corrective
D. Authoritative

Answer 7

A. A preventive access control is deployed to stop an unwanted or unauthorized activity from occurring

Question 8

4. What type of access controls are hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems?
A. Administrative
B. Logical/technical
C. Physical
D. Preventive

Answer 8

4. B. Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems.

Question 9

5. All of the following are needed for system accountability except for one. Which one is not needed?
A. Identification
B. Authentication
C. Auditing
D. Authorization

Answer 9

D. Authorization is not needed for accountability. However, users must be identified and authenticated and their actions logged using some type of auditing to provide accountability.

Question 10

6. Which of the following is an example of a Type 2 authentication factor?
   A. “Something you have,” such as a smart card, ATM card, token device, and memory card
   B. “Something you are,” such as fingerprints, voice print, retina pattern, iris pattern, face shape, palm topology, and hand geometry
   C. “Something you do,” such as typing a passphrase, or signing your name
   D. “Something you know,” such as a password, personal identification number (PIN), lock combination, passphrase, mother’s maiden name, and favorite color

Answer 10

6. A. A Type 2 authentication factor is “something you have,” including a smart card, token device, or memory card.

Question 11

7. Users are given a device that generates one-time passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?
A. Synchronous token
B. Asynchronous token
C. Smart card
D. Common access card

Answer 11

7. A. A synchronous token generates one-time passwords and displays them in an LCD, and this password is synchronized with an authentication server

Question 12

8. What can be used as an authentication factor that is a behavioral or physiological characteristic unique to a subject?
A. Account ID
B. Biometric factor
C. Token
D. PIV

Answer 12

8. B. A biometric factor is a behavioral or physiological characteristic that is unique to a subject, such as fingerprints and face scans, and is also known as a Type 3 authentication factor.

Question 13

9. What does the crossover error rate (CER) for a biometric device indicate?
   A. It indicates that the sensitivity is tuned too high.
   B. It indicates that the sensitivity is tuned too low.
   C. It indicates the point where false rejection rate and the false acceptance rate are equal.
   D. It indicates that the biometric device is not properly configured.

Answer 13

9. C. The point at which biometric Type 1 errors (false rejection rate) and Type 2 errors (false acceptance rate) are equal is the crossover error rate (CER).

Question 14

10. A biometric system has falsely rejected a valid user, indicating that the user is not recognized. What type of error is this?
A. Type 1 error
B. Type 2 error
C. Crossover error rate
D. Equal error rate

Answer 14

10. A. A Type 1 error occurs when a valid subject is not authenticated and is also known as a false negative authentication.

A Type 2 error occurs when an invalid subject is authenticated. This is also known as a false positive authentication.

The crossover error rate (also called equal error rate) compares the rate of Type 1 errors to Type 2 errors and provides a measurement of the accuracy of the biometric system.

Question 15

11. A large table includes multiple subjects and objects. It identifies the specific access each subject has to different objects. What is this table called?
A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege

Answer 15

11. B. An access control matrix includes multiple subjects and objects and lists subjects’ access to various objects.

A single list of subjects for any specific object within an access control matrix is an access control list.

Question 16

12. What is an access control list (ACL) based on?
A. An object
B. A subject
C. A role
D. An account

Answer 16

12. A. An ACL is based on an object and includes a list of subjects that are granted access

Question 17

13. What type of access controls rely upon the use of labels?
A. Discretionary
B. Nondiscretionary
C. Mandatory
D. Role based

Answer 17

13. C. Mandatory access controls rely on use of labels for subjects and objects.

Discretionary access control systems allow an owner of an object to control access to the object.

Nondiscretionary access controls have centralized management such as a rule-based access control deployed on a firewall.

Role-based access controls define a subject’s access based on job-related roles.

Question 18

14. An organization has created an access control policy that grants specific privileges to accountants. What type of access control is this?
A. Discretionary
B. Mandatory
C. Rule based
D. Role based

Answer 18

14. D. A role-based access control policy grants specific privileges based on roles, and roles are frequently job based or task based.

Question 19

15. Which of the following is not used to support single sign-on?
A. Kerberos
B. Federated identity management system
C. TACACS+
D. SPML

Answer 19

15. C. TACACS+ is a centralized authentication service used for remote access clients but not for single sign-on.

Kerberos and federated identity management systems are used to support single sign-on. Service Provisioning Markup Language (SPML) is a language used with some federated identity systems.

Question 20

16. Which of the following is the best choice to support federated identity management systems?
    A. Kerberos
    B. Hypertext Markup Language (HTML)
    C. Extensible Markup Language (XML)
    D. Service Provisioning Markup Language (SPML)

Answer 20

16. D. SPML is an XML-based framework used to exchange user information for single sign-on (SSO) between organizations within a federated identity management system

Question 21

An administrator has been working within an organization for over 10 years. He has moved between different IT divisions within the company and has retained privileges from each of the jobs that he’s had during his tenure. Recently, he has been admonished for making unauthorized changes to systems. He once again made an unauthorized change and this change resulted in an unexpected outage. Management decided to terminate his employment at the company. He was allowed to come back to work the following day to clean out his desk and belongings, and during this time he installed a malicious script that was scheduled to run as a logic bomb on the first day of the following month. The script will change administrator passwords, delete files, and shut down over 100 servers in the data center.

18. Which of the following basic principles was violated while the administrator was employed?
A. Implicit deny
B. Loss of availability
C. Defensive privileges
D. Least privilege

19. Which of the following concepts was not adequately addressed for the identity and access provisioning life cycle?
A. Provisioning
B. Separation of duties
C. Revocation
D. Authentication methods

20. What could have discovered problems with this user’s account while he was employed?
    A. Policy requiring strong authentication
    B. Multifactor authentication
    C. Logging
    D. Account review

Answer 21

18. D. The principle of least privilege was violated because he retained privileges from all his previous administrator positions in different divisions.
19. C. The life cycle of accounts includes provisioning, review, and revocation, and his account should have been disabled as soon as his employment was terminated to ensure that his access was revoked
20. D. Account review can discover when users have more privileges than they need and could have been used to discover that this employee had permissions from several positions

Question 22

What is Preventive Access Control, and examples

Answer 22

A preventive access control is deployed to stop unwanted or unauthorized activity from occurring

Examples of preventive access controls include

fences and locks
biometrics
alarm systems 
separation of duties and job rotation
data classification
encryption
security cameras or closed circuit television (CCTV)
security policies

Question 23

What is Deterrent Access Control, and examples

Answer 23

A deterrent access control is deployed to discourage violation of security policies

Deterrent controls pick up where prevention leaves off

A deterrent doesn’t stop with trying to prevent an action, but implies certain consequences in the event of an attempted or successful violation

Examples of deterrent access controls include 
security badges
security guards
security cameras
trespass or intrusion alarms
firewalls

Question 24

What is Detective Access Control, and examples

Answer 24

A detective access control is deployed to discover unwanted or unauthorized activity

Often detective controls operate after the fact

Examples of detective access controls include
intrusion detection systems
security guards, guard dogs
motion detectors
review of recordings captured by security cameras
audit trails
honeypots or honeynets
incident investigations

Question 25

What is Corrective Access Control, and examples

Answer 25

A corrective access control is deployed to restore systems to normal after an unwanted or unauthorized activity has occurred Usually corrective controls are simple, such as terminating access or rebooting a system have only minimal capability to respond to access violations ``` Examples of corrective access controls include antivirus solutions alarms business continuity planning security policies ```

Question 26

What is Recovery Access Control, and examples

Answer 26

A recovery access control is deployed to repair or restore resources, functions, and capabilities after a violation of security policies Recovery controls have more advanced or complex capabilities to respond to access violations than corrective access controls ``` Examples of recovery access controls include backups and restores fault-tolerant drive systems server clustering antivirus software database or virtual machine shadowing ```

Question 27

What is Compensation Access Control

Answer 27

A compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of security policy Examples of compensation access controls include security policy requirements or criteria personnel supervision, monitoring, and work task procedures Compensation controls can also include controls used instead of more desirable or damaging controls For example, if a guard dog cannot be deployed due to proximity of a residential area, a motion detector with a spotlight and a barking sound playback device can be used instead

Question 28

What is Directive Access Control

Answer 28

A directive access control is deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies ``` Examples of directive access controls include security guards and guard dogs posted notifications supervision and work task procedures awareness training ```

Question 29

What are Administrative Access Controls

Answer 29

Administrative access controls are the procedures defined by an organization’s security policy to implement and enforce overall access control Administrative access controls focus on two areas Personnel Business practices ``` Examples of administrative access controls include hiring practices and background checks data classification security training work supervision ```

Question 30

What are Logical/Technical Access Control

Answer 30

Logical access controls and technical access controls are the hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems ``` Examples of logical or technical access controls include encryption smart cards, passwords, and biometrics access control lists (ACLs) protocols firewalls and routers intrusion detection systems clipping levels (e.g., report more than 3 consecutive failed logon attempts ) ```

Question 31

Physical Access Control

Answer 31

Physical access controls are physical barriers deployed to prevent direct contact with systems or areas within a facility ``` Examples of physical access controls include guards fences and locks swipe cards video cameras mantraps alarms ```

Question 32

Describe Kerberos Logon Process

Answer 32

- The user types a username and password into the client - The client encrypts the credentials with AES for transmission to the KDC - The KDC verifies the user credentials - The KDC generates a ticket granting ticket (TGT) by hashing the user’s password - The TGT is encrypted with AES for transmission to the client - The client installs the TGT for use until it expires

Question 33

Describe Kerberos Service Access Process

Answer 33

- The client sends its TGT back to the KDC with a request for access to a server or service - The KDC verifies the validity of the TGT and verifies that the user has sufficient privileges to access the requested resource - A service ticket (ST) is generated and sent to the client - The client sends the ST to the server or service host - The server verifies the validity of the ST with the KDC Once identity and authorization is verified, Kerberos activity is complete - The server or service host then opens a session with the client

Question 34

What is Kerberos

Answer 34

- Relies upon symmetric-key (private-key) cryptography Advanced Encryption Standard (AES) - Provides end-to-end security for authentication traffic between clients and the key distribution center (KDC) - Relies on a trusted server hosting the functions of the KDC, a ticket-granting service (TGS), and an authentication service (AS) - An exchange of tickets (cryptographic messages) between clients, network servers, and the KDC