IAM QCM
Which of the following models is also known as an identity-based access control model? A. Discretionary access control B. Role-based access control C. Rule-based access control D. Mandatory access control
Answer: A A discretionary access control model is an identity-based access control model. It allows the owner (or data custodian) of a resource to grant permissions at the discretion of the owner. The role-based access control model is based on role or group membership. The rule-based access control model is based on rules within an ACL. The mandatory access control model uses assigned labels to identify access.
Which of the following statements is true related to the role-based access control (role-BAC) model? A. A role-BAC model allows users membership in multiple groups. B. A role-BAC model allows users membership in a single group. C. A role-BAC model is non-hierarchical. D. A role-BAC model uses labels.
Answer: A The role-BAC model is based on role or group membership and users can be members of multiple groups. Users are not limited to only a single role. Role-BAC models are based on the hierarchy of an organization, so they are hierarchy based. The mandatory access control model uses assigned labels to identify access.
A table includes multiple objects and subjects and it identifies the specific access each subject has to different objects. What is this table? A. Access control list B. Access control matrix C. Federation D. Creeping privilege
Answer: B An access control matrix includes multiple objects, and it lists subjects' access to each of the objects. A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management system for single sign-on. Creeping privileges refers to the excessive privileges a subject gathers over time.
Which of the following can help mitigate the success of an online brute-force attack? A. Rainbow table B. Account lockout C. Salting passwords D. Encryption of password
Answer: B An account lockout policy will lock an account after a user has entered an incorrect password too many times, and this blocks an online brute-force attack. Attackers use rainbow tables in offline password attacks. Password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the password, but not against a brute-force attack.
Which of the following best describes an explicit deny principle? A. All actions that are not expressly denied are allowed. B. All actions that are not expressly allowed are denied. C. All actions must be expressly denied. D. None of the above
Answer: B The implicit deny principle ensures that access to an object is denied unless access has been expressly allowed (or explicitly granted) to a subject. It does not allow all actions that are not denied, and it doesn't require all actions to be denied.
What would an organization do to identify weaknesses? A. Asset valuation B. Threat modeling C. Vulnerability analysis D. Access review
Answer: C A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, but threat modeling doesn't identify weaknesses. An access review audits account management and object access practices.
What type of access control model is used on a firewall? A. Mandatory access control model B. Discretionary access control model C. Rule-based access control model D. Role-based access control model
Answer: C Firewalls use a rule-based access control model with rules expressed in an access control list. A mandatory access control model uses labels. A discretionary access control model allows users to assign permissions. A role-based access control model organizes users in groups.
What type of access controls rely on the use of labels? A. Discretionary B. Nondiscretionary C. Mandatory D. Role based
Answer: C Mandatory access controls rely on the use of labels for subjects and objects. Discretionary access control systems allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management such as a rule-based access control deployed on a firewall. Role-based access controls define a subject's access based on job-related roles.
What is the intent of least privilege? A. Enforce the most restrictive rights required by users to run system processes. B. Enforce the least restrictive rights required by users to run system processes. C. Enforce the most restrictive rights required by users to complete assigned tasks. D. Enforce the least restrictive rights required by users to complete assigned tasks.
Answer: C The principle of least privilege ensures that users (subjects) are granted only the most restrictive rights they need to perform their work tasks and job functions. Users don't execute system processes. The least privilege principle does not enforce the least restrictive rights but rather the most restrictive rights.
A central authority determines which files a user can access. Which of the following best describes this? A. An access control list (ACL) B. An access control matrix C. Discretionary access control model D. Nondiscretionary access control model
Answer: D A non-discretionary access control model uses a central authority to determine which objects (such as files) that users (and other subjects) can access. In contrast, a discretionary access control model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model. An access control matrix includes multiple objects, and it lists the subject's access to each of the objects.
Which of the following is the best choice for a role within an organization using a role-based access control model? A. Webserver B. Application C. Database D. Programmer
Answer: D A programmer is a valid role in a role-based access control model. Administrators would place programmers' user accounts into the Programmer role and assign privileges to this role. Roles are typically used to organize users, and the other answers are not users.
A central authority determines which files a user can access based on the organization's hierarchy. Which of the following best describes this? A. Discretionary access control model B. An access control list (ACL) C. Rule-based access control model D. Role-based access control model
Answer: D A role-based access control model can group users into roles based on the organization's hierarchy and it is a nondiscretionary access control model. A non-discretionary access control model uses a central authority to determine which objects that subjects can access. In contrast, a discretionary access control model allows users to grant or reject access to any objects they own. An ACL is an example of a rule-based access control model that uses rules, not roles.
Which of the following best describes a rule-based access control model? A. It uses local rules applied to users individually. B. It uses global rules applied to users individually. C. It uses local rules applied to all users equally. D. It uses global rules applied to all users equally.
Answer: D A rule-based access control model uses global rules applied to all users and other subjects equally. It does not apply rules locally, or to individual users.
Which of the following is not a valid access control model? A. Discretionary access control model B. Nondiscretionary access control model C. Mandatory access control model D. Lettuce-based access control model
Answer: D Lettuce-based access control model is not a valid type of access control model. The other answers list valid access control models. A lattice-based (not lettuce-based) access control model is a type of mandatory access control model.
Who, or what grants permissions to users in a discretionary access control model? A. Administrators B. Access control list C. Assigned labels D. The data custodian
Answer: D The data custodian (or owner) grants permissions to users in a discretionary access control (DAC) model. Administrators grant permissions for resources they own, but not for all resources in a DAC model. A rule-based access control model uses an access control list. The mandatory access control model uses labels. Administrators
Which of the following best describes a characteristic of the mandatory access control model? A. Employs explicit-deny philosophy B. Permissive C. Rule-based D. Prohibitive
Answer: D The mandatory access control model is prohibitive and it uses an implicit-deny philosophy (not an explicit-deny philosophy). It is not permissive and it uses labels rather than rules.