Chapter 4. Introduction to Access Controls
11. Which of the following are part of a security label used in the mandatory access control model? (Select all that apply.) a. Classification b. Category c. Role d. Location
A and B. Classification and category are typically found in a security label.
8. Which type of access controls are used to protect an asset before a breach occurs? (Select all that apply.) a. Preventive b. Deterrent c. Corrective d. Recovery
A and B. Preventive and Deterrent access controls are controls used to prevent a breach.
1. What entity requests access to a resource? a. Object b. Subject c. File d. Database
B. A subject is the active entity that requests access to a resource.
12. Which port access control technology allows dynamic authorization policy to be downloaded from the authentication server? a. VLAN map b. Port security c. 802.1x d. MAC access list
C. 802.1x allows authorization policy to be downloaded and enforced at the access device.
8. Which type of controls best describe a fence? a. Administrative, preventive b. Administrative, logical c. Physical, deterrent d. Logical, compensating
C. A fence is an example of physical deterrent control.
15. Which type of access list works better when implementing RBAC? a. Layer 2 access list b. MAC access list c. VLAN map d. Security group access list
D. A security group access list (SGACL) implements access control based on a security group tag (SGT) assigned to a packet. The SGT could be assigned, for example, based on the role of the user.
15. A host on an isolated port can communicate with which of the following? a. A host on another isolated port b. A host on a community port c. A server on a community port d. With the promiscuous port only
D. An isolated port can only communicate with the promiscuous port.
Mandatory access control (MAC)
Access decision is enforced by the access policy enforcer. It uses security label. Combination of Classification + Category Classification Example: Top Secret, Secret, Confidential, Category: Engineering, Accounting
Role-based access control (RBAC)
Access decisions are based on the role or function of the subject.
16. What is a disadvantage of using an IPS compared to an IDS? a. It may add latency due to packet processing. b. It is not able to drop a packet. c. To stop an attack, it relies on external devices such as a firewall. d. It is more difficult to maintain.
A. An IPS may add latency due to its packet-processing engine.
17. What is used in the Cisco TrustSec architecture to provide link-level encryption? a. MACSec b. IPSec c. TLS d. EAP
A. Cisco TrustSec uses MACSec to provide link-level encryption.
5. Which technique ensures protection against simple and noninvasive data-recovery techniques? a. Clearing b. Purging c. Destroying d. Erasing
A. Clearing ensures protection against simple and noninvasive data-recovery techniques.
7. Which type of control best describes an IPS dropping a malicious packet? a. Preventive b. Corrective c. Compensating d. Recovery
A. Dropping a packet prevents a security incident from occurring.
21. In a discretionary access control (DAC) model, who can authorize access to an object? a. The object owner b. The subject c. The system d. None of the above
A. In a DAC model, the object owner grants authorization permission over the objects he owns.
18. According to the attribute-based access control (ABAC) model, what is the subject location considered? a. Part of the environmental attributes b. Part of the object attributes c. Part of the access control attributes d. None of the above
A. Location is part of the environmental attributes.
10. What is the main advantage of using a mandatory access control (MAC) model instead of a discretionary access control (DAC) model? a. MAC is more secure because the operating system ensures security policy compliance. b. MAC is more secure because the data owner can decide which user can get access, thus providing more granular access. c. MAC is more secure because permissions are assigned based on roles. d. MAC is better because it is easier to implement.
A. MAC offers better security compared to DAC because the operating system ensures compliance with the organization's security policy.
6. Which type of control includes security training? a. Administrative b. Physical c. Logical d. None of the above
A. Security training is a type of administrative control.
9. Which access control model uses environmental information to make an access decision? a. Discretionary access control b. Attribute-based access control c. Role-based access control d. Mandatory access control
B. Attribute-based access control (ABAC) uses subject, object, and environmental attributes to make an access decision.
2. In which phase of the access control does a user need to prove his or her identity? a. Identification b. Authentication c. Authorization d. Accounting
B. Authentication is the process of proving one's identity.
13. Where is EAPoL traffic seen? a. Between the supplicant and the authentication server b. Between the supplicant and the authenticator c. Between the authenticator and the authentication server d. None of the above
B. EAPoL messages are transmitted between the supplicant and the authenticator.
14. Which of the following is not a disadvantage of host-based antimalware? a. It requires updating multiple endpoints. b. It does not have visibility into encrypted traffic. c. It does not have visibility of all events happening in the network. d. It may require working with different operating systems.
B. Host-based antimalware can detect attacks using encryption, because it can see the decrypted payload on the host.
5. In military and governmental organizations, what is the classification for an asset that, if compromised, would cause severe damage to the organization? a. Top Secret b. Secret c. Confidential d. Unclassified
B. In military classification, the Secret label is usually associated with severe damage to the organization.
19. Which of the following access control models use security labels to make access decisions? a. Discretionary access control (DAC) b. Mandatory access control (MAC) c. Role-based access control (RBAC) d. Identity-based access control (IBAC)
B. MAC uses security labels for access decisions.
14. What is the Security Group Tag Exchange (SXP) protocol used for? a. To transmit SGT to the egress point for enforcement b. To send SGT information to a hardware-capable Cisco TrustSec device for tagging c. To send SGT information from the authentication server to the authenticator d. To send SGT information to the supplicant
B. SXP can be used to exchange SGT between an access device with only Cisco TrustSec capability on software and a device with Cisco TrustSec hardware support.
20. What is one of the advantages of the mandatory access control (MAC) model? a. Complex to administer. b. Stricter control over the information access. c. Easy and scalable. d. The owner can decide whom to grant access to.
B. Strict control over the access to resources is one of the main advantages of MAC.
10. Where does the RADIUS exchange happen? a. Between the user and the network access server b. Between the network access server and the authentication server c. Between the user and the authentication server d. None of the above
B. The RADIUS exchange happens between the NAS and the authentication server.
11. Which AAA protocol allows for capabilities exchange? a. RADIUS b. TACACS+ c. Diameter d. Kerberos
C. Diameter allows for the exchange of nodes' capabilities.
4. When a biometric authentication system rejects a valid user, which type of error is generated? a. True positive b. False positive c. False rejection d. Crossover error
C. False rejection rate (FRR) refers to when the system rejects a valid user that should have been authenticated.
13. Which IDS system can detect attacks using encryption? a. Network IDS deployed in inline mode b. Network IDS deployed in promiscuous mode c. Host-based IDS d. Network IPS deployed in inline mode
C. Host-based IDS can detect attacks using encryption, because it can see the decrypted payload on the host.
1. In which phase of access control is access granted to a resource with specific privileges? a. Identification b. Authentication c. Authorization d. Accounting
C. In the authorization phase, access is granted to a resource.
12. Which access control model uses the function of a subject in an organization? a. Discretionary access control b. Attribute-based access control c. Role-based access control d. Mandatory access control
C. Role-based access control (RBAC) uses the role or function of a subject to make access decisions.
16. Which of the following is not a true statement about TACACS+? a. It offers command-level authorization. b. It is proprietary to Cisco. c. It encrypts the TACACS+ header. d. It works over TCP.
C. TACACS+ encrypts the TACACS+ message payload.
Data Disposal
Clearing: This technique should ensure protection against simple and noninvasive data-recovery techniques. Purging: This technique should ensure protection against recovery attempts using state-of-the-art laboratory techniques. Destroying: This technique should ensure protection against recovery attempts using state-of-the-art laboratory techniques and should also make the storage media unusable.
3. Which of the following authentication methods is considered strong? a. Authentication by knowledge b. Authentication by characteristic c. Authentication by ownership d. Any combination of these methods
D. Strong authentication is obtained by the combination of at least two methods.
Access Control Policy
Data at rest refers to data that resides in a storage device such as a hard drive, CD or DVD, or magnetic drive. Data in motion refers to data moving between two parties, meaning it is in transit. Data in use refers to data being processed by applications or programs and stored in a temporary or volatile memory such as random access memory (RAM), a CPU register, and so on.
7. Who is ultimately responsible for security control of an asset? a. Senior management b. Data custodian c. User d. System administrator
A. The asset owner and senior management are ultimately responsible for the security of the assets.
4. Who assigns a security classification to an asset? a. Asset owner b. Senior management c. Asset custodian d. Security administrator
A. The asset owner assigns the classification.
3. Which of the following authentication methods can be considered examples of authentication by knowledge? (Select all that apply.) a. Password b. Token c. PIN d. Fingerprint
A and C. Password and PIN code are examples of authentication by knowledge.
2. Which of the following are characteristics of a secure identity? (Select all that apply.) a. Uniqueness b. Nondescriptiveness c. Secured issuance d. Length
A, B, C. Uniqueness, nondescriptiveness, and secured issuance are characteristics of a secure identity.
9. What is included in a capability table? a. Several objects with user access rights b. Several subjects with user access rights c. Objects and subjects with their access rights d. Access rights
A. A capability table is user centric and includes several objects with user access rights.
6. What is a common way to protect "data at rest"? a. Encryption b. Transport Layer Security c. Fingerprint d. IPSec
A. Encryption and storage media access controls are commonly used to protect data at rest.
17. What is an advantage of network-based antimalware compared to a host-based solution? a. It can block malware at the entry point. b. It can check the integrity of a file on the host. c. It can receive a signature and reputation from the cloud. d. It can use a heuristic engine for malware detection.
A. Network-based antimalware can block malware before it enters the network. Answers C and D are true for host-based antimalware as well. Answer B applies only to host-based antimalware.
Discretionary access control (DAC)
Access decisions and permission are didiced by the object owner. Example: file permission rwx
Attribute-based access control (ABAC)
Access decisions are based on the attributes or characteristics of the subject, object, and environment. Environment Example: over VPN, Building A, Time.
Type of Events
False Positive: Alert on Legitimate False Negative: No Alert on Threat True Positive: Alert on Threat True Negative: No Alert on no Theat