Chapter 5
27) Long passwords that use several types of keyboard characters are called ________ passwords. A) complex B) reusable C) dictionary D) one-time
A Diff: 1 Page Ref: 266-268 Question: 7a
42) ________ can be much shorter than ________. A) PINs, passwords B) Passwords, PINs C) there is no general length difference between passwords and PINs D) None of the above
A Diff: 1 Page Ref: 272
49) For computer access, a false ________ means that a legitimate user is denied access to a resource. A) rejection B) acceptance C) Both A and B D) Neither A nor B
A Diff: 1 Page Ref: 276-277 Question: 16d
60) When an attacker deliberately attempts to fool the system, this is called ________. A) deception B) a false acceptance C) a false rejection D) All of the above.
A Diff: 1 Page Ref: 280 Question: 21a
76) In the context of PKI, ________ is the process of accepting public keys and providing new digital certificates to the users. A) provisioning B) reflection C) coordination D) certification
A Diff: 1 Page Ref: 290 Question: 24g
94) In directory servers, information is organized ________. A) hierarchically B) rhizomatically C) relationally D) None of the above
A Diff: 1 Page Ref: 297 Question: 29a
95) In directory servers, ________. A) there can only be one O in a directory server B) there can only be one OU in a directory server C) Both A and B D) Neither A nor B
A Diff: 1 Page Ref: 297 Question: 29b
106) If Directory Server A trusts Directory Server Band Directory Server B trusts Directory Server A, this is ________ trust. A) mutual B) one-way C) transitive D) intransitive
A Diff: 1 Page Ref: 300-301 Question: 33b
8) Compared to access control based on individual accounts, RBAC is ________. A) less prone to error B) more expensive C) Both A and B D) Neither A nor B
A Diff: 2 Page Ref: 248 Question: 1g
41) A ________ does not require a special reader to be added to a PC for access control. A) USB token B) magnetic stripe card C) smart card D) All of the above
A Diff: 2 Page Ref: 270 Question: 12e
91) The ________ gives the verifier a symmetric session key. A) ticket-granting ticket B) service ticket C) Both A and B D) Neither A nor B
B Diff: 2 Page Ref: 295-296 Question: 28b
100) In Active Directory, a domain controller contains ________. A) a RADIUS authentication server program B) an Active Directory database C) Both A and B D) Neither A nor B
B Diff: 2 Page Ref: 298-299 Question: 32c
103) Replication between a domain controller in a child domain and a domain controller in its parent domain is ________. A) total B) partial C) nonexistent D) intransitive
B Diff: 2 Page Ref: 299 Question: 32i
110) In federated identity management, firms ________. A) query one another's identity management databases B) send assertions to one another C) Both A and B D) Neither A nor B
B Diff: 2 Page Ref: 302 Question: 35b
58) Which is more likely to generate a false acceptance? A) verification B) identification C) Both verification and identification are equally likely to generate a false acceptance. D) None of the above
B Diff: 3 Page Ref: 280
83) If a firewall lacks the processing power to handle incoming traffic, it will drop any packets it cannot process. This is ________. A) a security failure B) failing safely C) Both A and B D) Neither A nor B
B Diff: 3 Page Ref: 291 Question: 25f
88) In Kerberos, the ________ is an encrypted session key that only the verifier can decrypt. A) ticket granting ticket B) service ticket C) Both A and B D) Neither A nor B
B Diff: 3 Page Ref: 295 Question: 28a
1) Which of the following is not one of the AAA controls? A) authentication B) auditing C) accuracy D) authorizations
C Diff: 1 Page Ref: 246 Question: 1a
10) In ________ the department has discretion over giving access to individuals, within policy standards set by higher authorities. A) policy-based access control B) mandatory access control C) discretionary access control D) delegated access control
C Diff: 1 Page Ref: 250 Question: 2a
17) Which of the following should be forbidden in secure areas? A) cameras B) USB flash drives C) Both A and B D) Neither A nor B
C Diff: 1 Page Ref: 256 Question: 3h
69) Hand geometry recognition is used heavily for ________. A) PC access B) watch list access C) door access D) server access
C Diff: 1 Page Ref: 283 Question: 23c
70) The most widely used form of biometrics is ________. A) retinal scanning B) iris scanning C) fingerprint scanning D) face recognition
C Diff: 1 Page Ref: 283 Question: 23f
84) ________ record(s) and analyzes what a person or program actually did. A) Authentication B) Authorizations C) Auditing D) All of the above
C Diff: 1 Page Ref: 292 Question: 26a
105) If Directory Server A trusts Directory Server B, Directory Server B trusts Directory Server C, and Directory Server A trusts Directory Server C, this is ________ trust. A) mutual B) one-way C) transitive D) intransitive
C Diff: 1 Page Ref: 300-301 Question: 33b
15) On loading docks, outgoing shipments should be separated from incoming shipments ________. A) to ensure the segregation of duties B) to avoid confusion C) to reduce the risk of theft D) All of the above
C Diff: 2 Page Ref: 252 Question: 3f
16) Which of the following is not one of the rules for working in secure areas? A) Unsupervised work in secure areas should be avoided. B) When no one is in a secure area, it should be locked and verified periodically. C) No one should be allowed to work in secure areas for more than four hours in a row. D) Electronic devices that can record or copy mass amounts of information should be forbidden in secure areas.
C Diff: 2 Page Ref: 252 Question: 3h
38) A ________ card stores authentication data. A) magnetic stripe B) smart C) Both A and B D) Neither A nor B
C Diff: 2 Page Ref: 268-269 Question: 12a
89) In Kerberos, the ________ is sent from the Kerberos server to the supplicant. A) ticket granting ticket B) service ticket C) Both A and B D) Neither A nor B
C Diff: 2 Page Ref: 295 Question: 28a
97) LDAP can be used ________. A) to update information in the directory server B) to retrieve data from the directory server C) Both A and B D) Neither A nor B
C Diff: 2 Page Ref: 298 Question: 30
119) ________ is possible today. A) Single sign-on B) Reduced sign-on C) Both A and B D) Neither A nor B
B Diff: 2 Page Ref: 305 Question: 36e
122) Self-service identity management should be used to change a ________ in the identity database. A) password B) telephone number C) Both A and B D) Neither A nor B
B Diff: 2 Page Ref: 306 Question: 37d
116) ________ is the centralized policy-based management of all information required for access to corporate systems by people, machines, programs, or other resources. A) Directory service B) Meta-directory service C) Identity management D) Meta-identity management
C Diff: 1 Page Ref: 304 Question: 36a
7) Two-factor authentication can be defeated if ________. A) the user's computer is compromised B) the attacker uses a man-in-the-middle attack C) Both A and B D) Neither A nor B
C Diff: 2 Page Ref: 247 Question: 1c
14) In CobiT, entry must be ________. A) justified B) logged C) Both A and B D) Neither A nor B
C Diff: 2 Page Ref: 252 Question: 3d
104) If Directory Server A trusts Directory Server B and Directory Server B trusts Directory Server C then Directory Server A MUST trust Directory Server C.
FALSE Diff: 3 Page Ref: 300-301 Question: 33a
12) In military security, SBU documents are unclassified.
TRUE Diff: 1 Page Ref: 249 Question: 2c
25) PCs should require login screens with complex passwords.
TRUE Diff: 1 Page Ref: 260
24) Most users who have access to servers use reusable passwords for authentication.
TRUE Diff: 1 Page Ref: 260 Question: 6a
30) It is very important for testers to get permission before running a password cracking program on their company's computers to check for weak passwords, even if such testing is in their job definitions.
TRUE Diff: 1 Page Ref: 266-267 Question: 9c
43) The major promise of biometrics is to replace reusable passwords
TRUE Diff: 1 Page Ref: 273-274 Question: 14c
64) Fingerprint recognition is easily deceived.
TRUE Diff: 1 Page Ref: 282 Question: 22b
73) A firm can be its own certificate authority for internal users.
TRUE Diff: 1 Page Ref: 288 Question: 24c
123) Identity management is really just another form of risk management.
TRUE Diff: 1 Page Ref: 305-306 Question: 38a
124) The amount of money companies should spend on identity management can be measured through risk analysis.
TRUE Diff: 1 Page Ref: 306-307 Question: 38c
34) In high-risk environments, password reset risks are reduced by requiring the user's physical presence.
TRUE Diff: 2 Page Ref: 265 Question: 10h
82) When assigning initial permissions, it is good to give the least permissions believed to be necessary and then add permissions if appropriate.
TRUE Diff: 2 Page Ref: 291 Question: 25d
121) As far as possible, identities should be managed by people closest to the situation.
TRUE Diff: 2 Page Ref: 305-306 Question: 37b
39) A ________ is a small device with a display that has a number that changes frequently. A) one-time-password token B) USB token C) magnetic stripe card D) None of the above
Answer: A Diff: 1 Page Ref: 270 Question: 12b
79) Authorizations are also called ________. A) permissions B) verifications C) Both A and B D) Neither A nor B
Answer: A Diff: 1 Page Ref: 290-291 Question: 25b
74) A private key/public key pair is usually created by the ________. A) client B) PKI server C) Both A and B D) Neither A nor B
Answer: A Diff: 2 Page Ref: 289 Question: 24e
44) During enrollment, the scanner sends ________ to the authentication system. A) scan data B) key features C) Both A and B D) Neither A nor B
Answer: B Diff: 2 Page Ref: 274 Question: 15a
52) For watch lists of criminals, a false acceptance is worse than a false rejection from a security viewpoint.
FALSE Diff: 3 Page Ref: 276-277 Question: 17b
6) Which of the following is one of the four bases for authentication credentials? A) what you know B) what you have C) Both A and B D) Neither A nor B
Answer: C Diff: 1 Page Ref: 246
96) Directory servers can hold information about ________. A) people B) computers C) Both A and B D) Neither A nor B
Answer: C Diff: 1 Page Ref: 297 Question: 29c
108) ________ servers synchronize directory servers from different vendors. A) Synchronization B) LDAP C) Metadirectory D) Central authentication
Answer: C Diff: 1 Page Ref: 302 Question: 34b
85) Which of the following statements is true about log files? A) Log files should be read regularly. B) External auditing should be conducted periodically. C) Automatic alerts should be established. D) All of the above
Answer: D Diff: 2 Page Ref: 292-293 Question: 26d
90) In Kerberos, the ________ is sent from the Kerberos server to the verifier. A) ticket granting ticket B) service ticket C) Both A and B D) Neither A nor B
Answer: D Diff: 3 Page Ref: 295 Question: 28a
18) Placing sensitive equipment in secure areas to minimize potential threats and damage is called siting.
Answer: TRUE Diff: 1 Page Ref: 256 Question: 4a
32) Passwords should be changed frequently.
Answer: TRUE Diff: 1 Page Ref: 262 Question: 10c
102) Microsoft domains can be organized into trees, and trees can be organized into forests.
Answer: TRUE Diff: 2 Page Ref: 299-300 Question: 32g
118) ________ allows a user to authenticate him or herself to the identity management server once; thereafter, whenever the user asks for access to another server, no additional logins are required. A) RSO B) SSO C) TSO D) None of the above
B Diff: 1 Page Ref: 305 Question: 36a
117) Which of the following are benefits of using identity management? A) reduced costs B) centralized auditing of all an employee's access permission across a firm C) Both A and B D) Neither A nor B
C Diff: 2 Page Ref: 304 Question: 36b
120) A(n) ________ is the set of attributes about a person or resource that must be revealed in a particular context. A) template B) subtemplate C) identity D) None of the above
C Diff: 2 Page Ref: 305 Question: 36f
115) XML makes SAML platform-dependent.
FALSE Diff: 2 Page Ref: 304 Question: 35h
5) Authentication is the process of collecting information about the activities of each individual in log files for immediate and later analysis.
FALSE Diff: 1 Page Ref: 246
23) It is illegal to go through a company's trash bins even if the trash bins are outside the corporation.
FALSE Diff: 1 Page Ref: 259-260 Question: 5e
26) Password cracking is usually done over the network by trying many passwords to log into an account.
FALSE Diff: 1 Page Ref: 260-261 Question: 6b
31) Users should select very long and complex passwords and use the same password at all sites for auditability.
FALSE Diff: 1 Page Ref: 261 Question: 10a
35) Passwords offer reasonable security at reasonable cost and will likely continue to increase in importance in the future.
FALSE Diff: 1 Page Ref: 267 Question: 11
37) A magnetic stripe card is an access card that has a built-in microprocessor and memory.
FALSE Diff: 1 Page Ref: 268-269 Question: 12a
113) The main standards used by firms to send security assertions to one another is LDAP.
FALSE Diff: 1 Page Ref: 303 Question: 35g
11) In military security, the term multilevel security means multifactor security.
FALSE Diff: 2 Page Ref: 250 Question: 2b
65) Fingerprint recognition should be used as a security measure for access to ________. A) a non-essential supply cabinet B) a notebook containing sensitive information C) Both A and B D) Neither A nor B
A Diff: 2 Page Ref: 282 Question: 22c
67) Iris recognition technology is ________ and ________. A) expensive, has low FARs B) expensive, has high FARs C) inexpensive, has low FARs D) inexpensive, has high FARs
A Diff: 2 Page Ref: 282 Question: 22d
75) CAs distribute public keys ________. A) in digital certificates B) only in ways using encryption for confidentiality C) Both A and B D) Neither A nor B
A Diff: 2 Page Ref: 289 Question: 24f
87) In Kerberos, the ________ is the supplicant's proof that it has already authenticated itself with the Kerberos Server. A) ticket granting ticket B) service ticket C) Both A and B D) Neither A nor B
A Diff: 2 Page Ref: 295 Question: 28a
51) For watch lists of criminals, a false ________ means that an innocent person is identified as a criminal. A) acceptance B) rejection C) Both A and B D) Neither A nor B
A Diff: 3 Page Ref: 276-277 Question: 17a
66) Which of the following statements accurately describes iris recognition? A) iris recognition has high FARs B) iris recognition technology is expensive C) iris recognition scans the eye with lasers D) All of the above
B Diff: 2 Page Ref: 282 Question: 22d
86) Which of the following is not one of the devices in RADIUS central authentication? A) the supplicant B) the verifier C) the authenticator D) the RADIUS central authentication server
B Diff: 2 Page Ref: 294 Question: 27a
2) ________ is the process of assessing the identity of each individual claiming to have permission to use a resource. A) Authorizations B) Authentication C) Accuracy D) Auditing
B Diff: 1 Page Ref: 246 Question: 1b
3) ________ is the process of assessing the identity of each individual claiming to have permission to use a resource. A) Authorizations B) Authentication C) Both A and B D) Neither A nor B
B Diff: 1 Page Ref: 246 Question: 1b
9) In the military, departments do not have the ability to alter access control rules set by higher authorities in ________. A) policy-based access control B) mandatory access control C) discretionary access control D) multilevel access control
B Diff: 1 Page Ref: 249 Question: 2a
28) The book recommends that passwords be at least ________ characters long. A) 6 B) 8 C) 20 D) 100
B Diff: 1 Page Ref: 266 Question: 9a
40) A ________ is a small device that plugs into a standard computer port to identify the owner. A) one-time-password token B) USB token C) magnetic stripe card D) smart card
B Diff: 1 Page Ref: 270 Question: 12c
46) In biometric, a match occurs when a ________ meets the decision criteria. A) set of key features B) match index C) Both A and B D) Neither A nor B
B Diff: 1 Page Ref: 276 Question: 16a
59) ________ is a form of identification that identifies a person as being a member of a group. A) RBAC B) Watch list matching C) Group ID matching D) Group acceptance
B Diff: 1 Page Ref: 279-280 Question: 19d
71) The strongest form of authentication is ________. A) biometrics B) cryptographic authentication C) reusable passwords D) smart cards
B Diff: 1 Page Ref: 287-288 Question: 24a
77) The ________ authentication problem is that unless individuals are carefully vetted before being allowed in a system, imposters can simply enroll through social engineering. A) core B) prime C) final D) human
B Diff: 1 Page Ref: 290 Question: 24h
78) Giving a user permissions to use a certain resource is ________. A) authentication B) authorization C) Both A and B D) Neither A nor B
B Diff: 1 Page Ref: 290-291 Question: 25a
80) The principle of ________ states that each person should only get the permissions that he or she absolutely needs to do his or her job. A) appropriate authorizations B) least permissions C) minimization D) All of the above
B Diff: 1 Page Ref: 291 Question: 25c
99) Microsoft's directory server product is ________. A) Kerberos B) Active Directory C) LDAP D) MS Directory
B Diff: 1 Page Ref: 298-299 Question: 32a
111) A(n) ________ is a statement from Firm A that Firm B should accept as true if Firm B trusts Firm A. A) certification B) assertion C) certificate D) attribute
B Diff: 1 Page Ref: 303 Question: 35e
19) ________ can be used to supply power during long power outages. A) Uninterruptable power supplies B) Electrical generators C) Both A and B D) Neither A nor B
B Diff: 2 Page Ref: 257 Question: 4b
33) Which of the following is true? A) human password resets are dangerous B) automated password resets are dangerous C) Both A and B D) Neither A nor B
B Diff: 2 Page Ref: 264 Question: 10e
36) A ________ card is an access card that has a built-in microprocessor and memory. A) magnetic stripe B) smart C) Both A and B D) Neither A nor B
B Diff: 2 Page Ref: 268-269 Question: 12a
45) The template is based on ________ generated during the enrollment scan. A) scan data B) key features C) Both A and B D) Neither A nor B
B Diff: 2 Page Ref: 274 Question: 15d
55) The verifier itself determines the identity of the supplicant in ________. A) verification B) identification C) Both A and B D) Neither A nor B
B Diff: 2 Page Ref: 278 Question: 19a
63) Which of the following statements accurately describes fingerprint recognition? A) fingerprint recognition scanners are very expensive B) fingerprint recognition is easily deceived C) fingerprint recognition is rarely used D) All of the above
B Diff: 2 Page Ref: 282 Question: 22a
98) ________ often get their authentication information from ________. A) Directory servers, central authentication servers B) Central authentication servers, metadirectory servers C) Central authentication servers, directory servers D) Metadirectory servers, central authentication servers
C Diff: 2 Page Ref: 299 Question: 31
112) A security assertion may contain ________. A) authenticity information B) attributes, such as spending limits for purchasers C) Both A and B D) Neither A nor B
C Diff: 2 Page Ref: 303 Question: 35f
4) ________ is the process of collecting information about the activities of each individual in log files for immediate and later analysis. A) Authorizations B) Authentication C) Accuracy D) Auditing
D Diff: 1 Page Ref: 246 Question: 1b
22) ________ is a social engineering trick where an intruder may follow an authorized user through a door that the authorized user opens with an access device. A) Shoulder surfing B) Shadowing C) Trailing D) Piggybacking
D Diff: 1 Page Ref: 258 Question: 5b
20) If a laptop needs to be taken off premises, ________. A) it should first be logged out. B) it should be logged in when returned C) all sensitive information should be removed D) All of the above
D Diff: 2 Page Ref: 257 Question: 4d
21) Buildings should be set back from streets and protected with rolling hill landscaping to reduce threats from ________. A) wireless eavesdropping B) industrial espionage C) casual observation D) terrorism
D Diff: 2 Page Ref: 258 Question: 5a
107) Directory servers from different vendors are synchronized through ________. A) LDAP B) central authentication servers C) AD servers D) None of the above
D Diff: 2 Page Ref: 301-302 Question: 34a
13) All unattended exits should be locked to bar exit.
FALSE Diff: 2 Page Ref: 252 Question: 3c
47) A false rejection occurs when a person is improperly matched to a template.
FALSE Diff: 2 Page Ref: 276-277 Question: 16b
50) From a security viewpoint, a false acceptance is always worse than a false rejection.
FALSE Diff: 2 Page Ref: 276-277 Question: 16f
54) Verification is the process where the verifier determines the identity of the supplicant.
FALSE Diff: 2 Page Ref: 278 Question: 19a
56) Verification requires more matches against templates than does identification.
FALSE Diff: 2 Page Ref: 278-279 Question: 19b
68) Iris scanning usually is done surreptitiously.
FALSE Diff: 2 Page Ref: 283 Question: 23a
72) Biometric authentication is the strongest form of authentication.
FALSE Diff: 2 Page Ref: 287 Question: 24a
81) When assigning initial permissions, it is good to add more permissions than strictly necessary and then remove permissions if appropriate.
FALSE Diff: 2 Page Ref: 291 Question: 25d
29) According to the book, r%Dv$ is a strong password.
FALSE Diff: 3 Page Ref: 266 Question: 9a
53) Identification is the process where the verifier determines whether the supplicant is a particular person that the supplicant claims who he or she is.
FALSE Diff: 3 Page Ref: 277 Question: 19a
62) Because fingerprint scanning is often deceived, it should never be used as a security measure.
FALSE Diff: 3 Page Ref: 280 Question: 21b
93) In Kerberos, the verifier is explicitly notified that the supplicant has been authenticated.
FALSE Diff: 3 Page Ref: 295-296 Question: 28d
101) A Microsoft domain can have multiple domain controllers.
TRUE Diff: 1 Page Ref: 299 Question: 32d
109) In federated identity management, firms do not query one another's identity management databases.
TRUE Diff: 1 Page Ref: 302 Question: 35a
48) A false acceptance occurs when a person is improperly matched to a template.
TRUE Diff: 2 Page Ref: 276-277 Question: 16b
57) Identification requires more matches against templates than does verification.
TRUE Diff: 2 Page Ref: 279-280 Question: 19b
61) Fingerprint scanning, which is often deceived, may be acceptable for entry into a non-sensitive supplies cabinet.
TRUE Diff: 2 Page Ref: 280 Question: 21b
92) In Kerberos, the Kerberos server sends the Service Ticket directly to the supplicant rather than directly to the verifier.
TRUE Diff: 2 Page Ref: 295-296 Question: 28c