CISSP HW2
9. Which one of the following access control techniques treats users and owners as the same? a. DAC b. MAC c. RBAC d. ACLs
Choice (a) is the correct answer. A discretionary access control (DAC) mechanism allows users to grant or revoke access to any of the objects under their control. As such, users are said to be the owners of the objects under their control.
7. Which one of the following access techniques uses an access control matrix for its implementation? a. DAC b. MAC c. RBAC d. ACLs
Choice (a) is the correct answer. A discretionary access control (DAC) model uses access control matrix where it places the name of users (subjects) in each row and the names of objects (files or programs) in each column of a matrix.
94. The principle of least privilege refers to the security objective of granting users only those accesses they need to perform their job duties. Which of the following actions is inconsistent with the principle of least privilege? a. Authorization creep b. Re-authorization when employees change positions c. Users have little access to systems d. Users have significant access to systems
Choice (a) is the correct answer. Authorization creep occurs when employees continue to maintain access rights for previously held positions within an organization. This practice is inconsistent with the principle of least privilege. Choices (b), (c), and (d) are incorrect because they are consistent with the principle of least privilege. Reauthorization will eliminate authorization creep, and it does not matter how many users have access to the system as long as their access is based on need to know.
85. An access control matrix is placing the names of: a. Users in each row and the names of objects in each column b. Programs in each row and the names of users in each column c. Users in each column and the names of devices in each row d. Subjects in each column and the names of process in each row
Choice (a) is the correct answer. Discretionary access control is a process of identifying users and objects. An access control matrix can be used to implement a discretionary access control mechanism where it places the names of users (subject) in each row and the names of objects in each column of a matrix. A subject is an active entity, generally in the form of a person, process, or device that causes information to flow among objects or changes the system state. An object is a passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects are: records, programs, pages, files, directories, etc. An access control matrix describes an association of objects and subjects for authentication of access rights.
86. Kerberos is used in all of the following situations except: a. Managing distributed access rights b. Managing encryption keys c. Managing centralized access rights d. Managing access permissions
Choice (a) is the correct answer. Kerberos is a private key authentication system that uses a central database to keep a copy of all users' private keys. The entire system can be compromised due to the central database. Kerberos is used to centrally manage access rights, encryption keys, and access permissions
112. The more simple and basic login controls include: a. Validating user name and password b. Monitoring unsuccessful logins c. Sending alerts to the system operators d. Disabling accounts when a break-in occurs
Choice (a) is the correct answer. Login controls specify the conditions users must meet for gaining access to a computer system. In most simple and basic cases, access will be permitted only when both a user-name and password are provided. More complex systems grant or deny access based on the type of computer login, i.e., local, dial-up, remote, network, batch, or subprocess. The security system can restrict access based on the type of terminal or remote computer.access will only be granted when the user or program is located at a designated terminal or remote system. Also, access can be defined by the time of day and the day of the week. As a further precaution, the more complex and sophisticated systems monitor unsuccessful logins (choice b), send messages or alerts to the system operator (choice c), and disable accounts when a break-in occurs (choice d).
102. All of the following types of logical access control mechanisms rely on physical access controls except: a. Encryption controls b. Application system access controls c. Operating system access controls d. Utility programs
Choice (a) is the correct answer. Most systems can be compromised if someone can physically access the CPU machine or major components by, for example, restarting the system with different software. Logical access controls are, therefore, dependent on physical access controls (with the exception of encryption, which can depend solely on the strength of the algorithm and the secrecy of the key). Application systems, operating systems, and utility programs are heavily dependent on logical access controls to protect against unauthorized use.
50. What does the Bell-LaPadula star.property (*.property) means? a. No write-down is allowed b. No write-up is allowed c. No read-up is allowed d. No read-down is allowed
Choice (a) is the correct answer. One cannot write anything below that subject level.
116. Impersonation can be achieved by all of the following except: a. Packet replay b. Forgery c. Relay d. Interception
Choice (a) is the correct answer. Packet replay is one of the most common security threats to network systems similar to impersonation and eavesdropping. Packet replay refers to the recording and retransmission of message packets in the network. It is a significant threat for programs that require authentication sequences because an intruder could replay legitimate authentication sequence messages to gain access to a system. Packet replay is frequently undetectable but can be prevented by using packet time-stamping and packet-sequence counting. Choice (b) is incorrect because forgery is one of the ways impersonation is achieved. Forgery is attempting to guess or otherwise fabricate the evidence that the impersonator knows or possesses. Choice (c) is incorrect because relay is one of the ways impersonation is achieved. Relay is where one can eavesdrop upon another's authentication exchange and learn enough to impersonate a user. Choice (d) is incorrect because interception is one of the ways impersonation is achieved. Interception is where one is able to slip in between the communications and "hijack" the communications channel.
107. Which of the following controls provide a first line of defense against potential security threats, risks, or losses to the network? a. Passwords and user IDs b. Software testing c. Dial-back modem d. Transaction logs
Choice (a) is the correct answer. Passwords and user identifications are the first line of defense against a breach to a network's security. Several restrictions can be placed on passwords to improve their effectiveness. These restrictions may include minimum length and format and forced periodic password changes. Switched ports are among the most vulnerable security points on a network. These allow dial-in and dial-out access. They are security risks because they allow users with telephone terminals to access systems. Although call-back or dial-back (choice c) is a potential control as a first line of defense, it is not necessarily the most effective because of the call- forwarding capability of telephone circuits. Software testing (choice b) is the last line of defense to ensure data integrity and security. Therefore, the software must be tested thoroughly by end users, information systems staff, and computer operations staff. For on-line applications, the logging of all transactions (choice d) processed or reflected by input programs provides a complete audit trail of actual and attempted entries, thus providing a last line of defense. The log can be stored on tape or disk files for subsequent analysis. The logging control should include the date, time, user ID and password used, the location, and number of unsuccessful attempts made.
91. Some security authorities believe that re-authentication of every transaction provides stronger security procedures. Which of the following security mechanisms is least efficient and least effective for reauthentication? a. Recurring passwords b. Non-recurring passwords c. Memory tokens d. Smart tokens
Choice (a) is the correct answer. Recurring passwords are static passwords with reuse and are considered to be a relatively weak security mechanism. Users tend to use easily guessed passwords. Other weaknesses include spoofing users, users stealing passwords through observing key strokes, and users sharing passwords. The unauthorized use of passwords by outsiders (hackers) or insiders is a primary concern and is considered the least efficient and least effective security mechanism for re-authentication. Non-recurring passwords (choice b) is incorrect because they provide a strong form of re- authentication. Examples include a challenge-response protocol or a dynamic password generator where a unique value is generated for each session. These values are not repeated and are good for that session only. Tokens can help in re-authenticating a user or transaction. Memory tokens (choice c) store but do not process information. Smart tokens (choice d) expand the functionality of a memory token by incorporating one or more integrated circuits into the token itself. In other words, smart tokens store and process information. Except for passwords, all the other methods listed in the question are examples of advanced authentication methods that can be applied to re-authentication.
100. Which of the following internal access control methods offers a strong form of access control and is a significant deterrent to its use? a. Security labels b. Passwords c. Access control lists d. Encryption
Choice (a) is the correct answer. Security labels are a very strong form of access control. Unlike access control lists (choice c), labels cannot ordinarily be changed. Since labels are permanently linked to specific information, data cannot be disclosed by a user copying information and changing the access to that file so that the information is more accessible than the original owner intended. Labels are well suited for consistently and uniformly enforcing access restrictions, although their administration and inflexibility can be a significant deterrent to their use. Passwords (choice b) are a weak form of access control although they are easy to use and administer. Although encryption (choice d) is a strong form of access control, it is not a deterrent to its use when compared to labels.
96. All user identification and authentication methods require some amount of security administration. Which of the following authentication techniques require additional work in administering the security? a. Cryptography b. Smart tokens c. Passwords d. Memory tokens
Choice (a) is the correct answer. Smart tokens (choice b), passwords (choice c), and memory tokens (choice d) all require strong administrative support such as assigning and maintaining users. For tokens that use cryptography, this includes key management. Passwords do not use keys. The proper management of cryptographic keys is essential to the effective use of cryptography for security. Ultimately, the security of information protected by cryptography directly depends upon the protection afforded to keys. This includes the generation, distribution, storage, entry, use, distribution, and archiving of cryptographic keys.
11. Spoofing is a(n): a. active attack b. passive attack c. surveillance attack d. exhaustive attack
Choice (a) is the correct answer. Spoofing is a tampering activity and is an active attack. Sniffing is a surveillance activity and is a passive attack.
53. Confidentiality is covered by which of the following security models? a. Bell-LaPadula model b. Biba model c. Information flow model d. Take-grant model
Choice (a) is the correct answer. The Bell-LaPadula model addresses confidentiality by describing different security levels of security classifications for documents. These classification levels, from least sensitive to most insensitive, include Unclassified, Confidential, Secret, and Top Secret.
36. Countermeasures against Man-In-the-Middle (MIM) attacks include which of the following? 1. Implement digital signatures 2. Use split knowledge procedures 3. Use faster hardware 4. Use packet filters a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1 and 4
Choice (a) is the correct answer. The MIM attack takes advantage of the store-and-forward mechanism used by insecure networks such as the Internet. Digital signatures and split knowledge procedures are effective against such attacks. Items 3. and 4. are effective against denial-of-service attacks.
77. What is not a database administrator's responsibility? a. Establishing data usage and database usage standards b. Recovering databases c. Reorganizing databases d. Maintaining databases
Choice (a) is the correct answer. The data administrator (DA) is responsible for establishing data usage and database usage standards. The data administration function stays independent of a particular database and has responsibilities for the data of the organization as a whole. The function is, ideally, involved in long-term IS planning that spans across all the organization's automated and manual systems. The other three items are the responsibility of the database administrator (DBA). The database administration function is concerned with short-term development and use of databases and is responsible for the data of one or several specific databases. In other words, the DA's job is more administrative in nature, while the DBA's job is more technical.
81. The objective of separation of duties is that: a. No one person has complete control over a transaction or an activity b. Employees from different departments do not work together c. Controls are available to protect all supplies d. Controls are in place to operate all equipment
Choice (a) is the correct answer. The objective is to limit what people can do, especially in conflict situations or incompatible functions, in such a way that no one person has complete control over a transaction or an activity from start to finish. The goal is to limit the possibility of hiding irregularities. Choice (b) is incorrect because employees from different departments should work together. Choices (c) and (d) are incorrect because separation of duties is a subset of controls.
24. "Each user is granted the lowest clearance needed to perform authorized tasks" is called which of the following? a. The principle of least privilege b. The principle of separation of duties c. The principle of system clearance d. The principle of system accreditation
Choice (a) is the correct answer. The principle of least privilege requires that each subject (user) in a system be granted the most restrictive set of privileges (or lowest clearances) needed to perform authorized tasks. The application of this principle limits the damage that can result from accident, error, and or unauthorized use. The principle of separation of duties (choice b) states that no single person will have complete control over a business transaction or task. Choices (c) and (d) are distracters.
117. Which of the following security features is not supported by the principle of least privilege? a. "All or nothing" approach to privilege b. The granularity of privilege c. The time bounding of privilege d. Privilege inheritance
Choice (a) is the correct answer. The purpose of a privilege mechanism is to provide a means of granting specific users or processes the ability to perform security-relevant actions for a limited time and under a restrictive set of conditions, while still permitting tasks properly authorized by the system administrator. This is the underlying theme behind the security principle of least privilege. It does not imply an "all or nothing" approach to privilege.
45. Locking-based attacks result in which of the following? a. Denial of service b. Degradation of service c. Destruction of service d. Distribution of service
Choice (b) is the correct answer. Locking-based attack is used to hold a critical system lock most of the time, releasing it only briefly and occasionally. The result would be a slow running browser without stopping it. This results in a degradation of service. The degradation of service is a mild form of denial of service. Choices (c) and (d) are distracters.
108. Below is a list of pairs, which are related to one another. Select the pair of items, which represent the integral reliance on the first item to enforce the second: a. The separation of duties principle, the "least privilege" principle b. The parity check, the limit check c. The single-key system, the Rivest-Shamir-Adelman (RSA) algorithm d. The two-key system, the Data Encryption Standard (DES) algorithm
Choice (a) is the correct answer. The separation of duties principle is related to the "least privilege" principle; that is, users and processes in a system should have the least number of privileges and for the minimal period of time necessary to perform their assigned tasks. The authority and capacity to perform certain functions should be separated and delegated to different individuals. This principle is often applied to split the authority to write and approve monetary transactions between two people. It can also be applied to separate the authority to add users to a system and other system administrator duties from the authority to assign passwords, conduct audits, and perform other security administrator duties. Choice (b) is incorrect. The parity check is a check that tests whether the number of ones or zeros in an array of binary digits is odd or even. Odd parity is standard for synchronous transmission and even parity for asynchronous transmission. In the limit check, a program tests specified data fields against defined high or low value limits for acceptability before further processing. There is no relation between these two checks because a parity check is hardware- based and the limit check is a software-based application. Choice (c) is incorrect because the RSA algorithm uses two keys: private and public. Choice (d) is incorrect because the DES algorithm uses only one key for both encryption and decryption (secret or private key).
32. Which of the following is the primary technique used by commercial systems to analyze events to detect attacks? a. Signature-based IDS b. Anomaly-based IDS c. Behavior-based IDS d. Statistical-based IDS
Choice (a) is the correct answer. There are two primary approaches to analyzing events to detect attacks: signature detection and anomaly detection. Signature detection is the primary technique used by most commercial systems; however, anomaly detection is the subject of much research and is used in a limited form by a number of IDS. Choices (c) and (d) are part of choice (b).
22. Which of the following can co-exist in providing strong access control mechanisms? a. Kerberos authentication and single sign-on system b. Kerberos authentication and digital signature system c. Kerberos authentication and asymmetric key system d. Kerberos authentication and digital certificate system
Choice (a) is the correct answer. When Kerberos authentication is combined with single sign-on systems, it requires establishment of and operating the privilege servers. Kerberos uses symmetric key cryptography and choices (b), (c), and (d) are examples of asymmetric key cryptography.
88. An access control policy for a bank teller is an example of the implementation of a(n): a. Role-based policy b. Identity-based policy c. User-directed policy d. Rule-based policy
Choice (a) is the correct answer. With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, bank teller, manager). Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. The use of roles to control access can be an effective means for developing and enforcing enterprise-specific security policies and for streamlining the security management process. Choices (b) and (c) are incorrect because they are examples of discretionary access control. Identity-based access control is based only on the identity of the subject and object. In user-directed access controls a subject can alter the access rights with certain restrictions. Choice (d) is incorrect because rule-based access control is an example of a mandatory type of access control and is based on specific rules relating to the nature of the subject and object.
8. Which one of the following access control techniques requires security clearances for subjects? a. DAC b. MAC c. RBAC d. ACLs
Choice (b) is the correct answer. A mandatory access control (MAC) restricts access to objects based on the sensitivity of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.
95. Accountability is important to implementing security policies. Which of the following is least effective in exacting accountability from system users? a. Auditing requirements b. Passwords c. Identification controls d. Authentication controls
Choice (b) is the correct answer. Accountability means holding individual users responsible for their actions. Due to several problems with passwords they are considered to be the least effective in exacting accountability. These problems include easy to guess passwords, easy to spoof users for passwords, easy to steal passwords, and easy to share passwords. The most effective controls for exacting accountability include a policy, authorization scheme, identification and authentication controls (choices c and d), access controls, audit trails, and auditing (choice a).
89. Which of the following access mechanisms creates a potential security problem? a. Location-based access mechanism b. Address-based access mechanism c. Token-based access mechanism d. Web-based access mechanism
Choice (b) is the correct answer. Address-based access mechanisms use Internet Protocol (IP) source addresses, which are not secure and subject to IP address spoofing attacks. The IP address deals with identification only, not authentication. Choice (a) is incorrect because location-based access mechanism deals with a physical address, not IP address. Choice (c) is incorrect because token-based access mechanism uses tokens as a means of identification and authentication. Choice (d) is incorrect because web-based access mechanism uses secure protocols to accomplish authentication. Choices (a), (c), and (d) accomplish both identification and authentication.
3. Which of the following access control techniques provide a straightforward way of granting or denying access for a specified user? a. RBAC b. ACLs c. MAC d. DAC
Choice (b) is the correct answer. An access control list (ACL) is an object associated with a file and containing entries specifying the access that individual users or groups of users have to the file. ACLs provide a straightforward way of granting or denying access for a specified user or groups of users. Other choices are not that straightforward in that they use labels, tags, and roles.
101. It is vital that access controls protecting a computer system work together. Which of the following types of access controls should be most specific? a. Physical access controls b. Application system access controls c. Operating system access controls d. Communication system access controls
Choice (b) is the correct answer. At a minimum, four basic types of access controls should be considered: physical, operating system, communications, and application. In general, access controls within an application are the most specific. However, for application access controls to be fully effective they need to be supported by operating system and communications system access controls (choices c and d). Otherwise, access can be made to application resources without going through the application. Operating system, communication, and application access controls need to be supported by physical access controls such as physical security and contingency planning (choice a).
120. Use of login IDs and passwords is the most commonly used mechanism for: a. Providing dynamic verification of a user b. Providing static verification of a user c. Providing a strong user authentication d. Batch and on-line computer systems alike
Choice (b) is the correct answer. By definition, a static verification takes place only once at the start of each login session. Passwords may or may not be reusable. Dynamic verification of a user (choice a) takes place when a person types on a keyboard and leaves an electronic signature in the form of key stroke latencies in the elapsed time between keystrokes. For well-known, regular type strings, this signature can be quite consistent. Here is how a dynamic verification mechanism works: When a person wants to access a computer resource, he is required to identify himself by typing his name. The latency vector of the keystrokes of this name is compared with the reference signature that is stored in the computer. If this claimant's latency vector and the reference signature are statistically similar, the user is granted access to the system. The user is asked to type his name a number of times to provide a vector of mean latencies to be used as a reference. This can be viewed as an electronic signature of the user. Choice (c) is incorrect because passwords do not provide a strong user authentication. If it were true, there would not be a 'hacker' problem today. In fact, passwords provide the weakest user authentication due to their sharing and guessable nature. Choice (d) is incorrect because only on-line systems require a user ID and password from a user due to their interactive nature. Only batch jobs and files require a user ID and password when submitting a job or modifying a file. Batch systems are not interactive.
39. Which of the following security models address "separation of duties" concept? a. Biba model b. Clark and Wilson model c. Bell-LaPadula model d. Sutherland model
Choice (b) is the correct answer. Clark and Wilson security model address the separation of duties concept along with well-formed transactions. Separation of duties attempts to ensure the external consistency of data objects. It also addresses the specific integrity goal of preventing authorized users from making improper modifications. The other models do not address the separation of duties concept.
115. Controlling access to the network is provided by which of the following pair of high-level system services? a. Access control lists and access privileges b. Identification and authentication c. Certification and accreditation d. Accreditation and assurance
Choice (b) is the correct answer. Controlling access to the network is provided by the network's identification and authentication service. This service is pivotal in providing controlled access to the resources and services offered by the network and in verifying that the mechanisms provide proper protection. Identification is the process that enables recognition of an entity by a computer system, generally by the use of unique machinereadable user names. Authentication is the verification of the entity's identification. That is when the host, to whom the entity must prove his identity, trusts (through an authentication process) that the entity is in fact who he claims to be. The threat to the network that the identification and authentication service must protect against is impersonation. Choice (a) is incorrect. Access control list is a list of the subjects that are permitted to access an object and the access rights (privileges) of each subject. This service comes after initial identification and authentication service. Choice (c) is incorrect. Certification is the administrative act of approving a computer system for use in a particular application. Accreditation is the management's formal acceptance of the adequacy of a computer system's security. Certification and accreditation are similar in concept. This service comes after initial identification and authentication service. Choice (d) is incorrect. Accreditation is the management's formal acceptance of the adequacy of a computer system's security. Assurance is confidence that a computer system design meets its requirements. Again, this service comes after initial identification and authentication service.
1. Which of the following does not complement intrusion detection systems (IDS)? a. Honey pots b. Inference cells c. Padded cells d. Vulnerability analysis
Choice (b) is the correct answer. Honey pot systems, padded cell systems, and vulnerability analysis complement IDS to enhance an organization's ability to detect intrusion. Inference cells (choice b) is a meaningless term here.
19. Intrusion detection systems (IDS) look at security policy violations: a. Statically b. Dynamically c. Linearly d. Non-linearly
Choice (b) is the correct answer. IDS look for specific symptoms of intrusions and security policy violations dynamically. IDS are analogous to security monitoring cameras. Vulnerability analysis systems take a static view of symptoms. Choices (c) and (d) are distracters.
18. Intrusion detection systems (IDS) serve as which of the following? a. Barrier mechanism b. Monitoring mechanism c. Accountability mechanism d. Penetration mechanism
Choice (b) is the correct answer. IDS serve as monitoring mechanisms, watching activities, and making decisions about whether the observed events are suspicious. IDS can spot attackers circumventing firewalls and report them to system administrators, who can take steps to prevent damage. Firewalls serve as barrier mechanisms, barring entry to some kinds of network traffic and allowing others, based on a firewall policy (choice a). Choices (c) and (d) are distracters.
34. Which of the following is not an example of denial of service attacks? a. Flaw exploitation attacks b. Information attacks c. Flooding attacks d. Distributed attacks
Choice (b) is the correct answer. Information attack is a vague term here and a distracter. Flaw exploitation attacks (choice a) take advantage of a flaw in the target system's software in order to cause a processing failure or to cause it to exhaust system resources. Flooding attacks (choice c) simply send a system more information than it can handle. Distributed attack is a subset of denial of service attacks, where the attacker uses multiple computers to launch the attack and flood the system.
17. Lattice security model is an example of which of the following access control models? a. DAC b. Non-DAC c. MAC d. Non-MAC
Choice (b) is the correct answer. Lattice security model is based on non-discretionary access control model. A lattice model is a partially ordered set for which every pair of elements (subjects and objects) has a greatest lower bound and a least upper bound. The subject has the greatest lower bound, and the object has the least upper bound.
87. Which of the following security control mechanisms is simplest to administer? a. Discretionary access control b. Mandatory access control c. Access control list d. Logical access control
Choice (b) is the correct answer. Mandatory access controls are the simplest to use because they can be used to grant broad access to large sets of files and to broad categories of information. Discretionary access controls are not simple to use due to their finer level of granularity in the access control process. Both the access control list and logical access control require a significant amount of administrative work because they are based on the details of each individual user.
109. Which of the following is the most effective method for password creation? a. Using password generators b. Using password "advisors" c. Assigning passwords to users d. Implementing user selected passwords
Choice (b) is the correct answer. Password advisors are computer programs that examine user choices for passwords and inform the users if the passwords are weak. Passwords produced by password generators are difficult to remember (choice a) while user selected passwords are easy to guess (choice d). Users write the password down on a paper when it is assigned to them (choice c).
5. Password management is an example of a: a. Directive control b. Preventive control c. Detective control d. Corrective control
Choice (b) is the correct answer. Password management is an example of preventive controls in that passwords deter unauthorized users accessing a system unless they know the password through some other means.
105. An inherent risk is associated with logical access which is difficult to prevent or mitigate but can be identified via a review of audit trails. This risk is associated with which of the following types of access? a. Properly used authorized access b. Misused authorized access c. Unsuccessful unauthorized access d. Successful unauthorized access
Choice (b) is the correct answer. Properly authorized access, as well as misused authorized access, can use audit trail analysis. While users cannot be prevented from using resources to which they have legitimate access authorization, audit trail analysis is used to examine their actions. Similarly, unauthorized access attempts whether successful or not can be detected through the analysis of audit trails.
30. Which of the following does not lead to penetration attacks? a. Scanning b. Spamming c. Snooping d. Sniffing
Choice (b) is the correct answer. Scanning, snooping, and sniffing are attacks searching for required information. These attacks are preparatory actions prior to serious penetration attacks. Spamming is posting identical messages to multiple newsgroups on the Internet and is not relevant here.
14. Which one of the following access control mechanisms uses security labels? a. DAC b. MAC c. RBAC d. ACLs
Choice (b) is the correct answer. Security labels and interfaces are used to determine access based on the mandatory access control policy.
122. Which of the following lists a pair of compatible functions within the IS organization? a. Systems programming and tape librarian b. Problem/change management and quality assurance c. Job control analysis and application programming d. Job control analysis and systems programming
Choice (b) is the correct answer. Separation of duties is the first line of defense against the prevention, detection, and correction of errors, omissions, and irregularities. The objective is to ensure that no one person has complete control over a transaction throughout its initiation, authorization, recording, processing, and reporting. If the total risk is acceptable, then two different jobs can be combined. If the risk is unacceptable, the two jobs should not be combined. Here, it is safe to combine the problem/change management function with the quality assurance function since both are staff positions. Choices (a), (c), and (d) are incorrect because they are examples of incompatible functions. The rationale is to minimize such functions that are not conducive to good internal control structure. For example, a systems programmer could change the job control parameters to run his own personal jobs.
37. Which one of the following does not help in preventing fraud? a. Separation of duties b. Job enlargement c. Job rotation d. Mandatory vacations
Choice (b) is the correct answer. Separation of duties, job rotation, and mandatory vacations are management controls that can help in preventing fraud. Job enlargement does not prevent fraud because it is not a control and its purpose is to expand the scope of an employee's work.
10. Sniffing precedes which of the following? a. Spamming b. Spoofing c. Snooping d. Cracking
Choice (b) is the correct answer. Sniffing precedes either spoofing or hijacking. Sniffing and snooping are the same. Sniffing is observing packet's passing by on the network. Cracking is breaking for passwords.
35. Use of e-mail filters is effective against which of the following? a. Sniffing attacks b. Spamming attacks c. Spoofing attacks d. Snooping attacks
Choice (b) is the correct answer. Spamming is posting identical messages to multiple unrelated newsgroups over the Internet. E-mail filters are effective against spamming attacks. Sniffing and snooping are same, where an attacker is looking for valuable information. Spoofing is using various techniques to subvert IP-based access control by masquerading as another system by using their IP address.
6. Impersonating a user or system is called a: a. Snooping attack b. Spoofing attack c. Sniffing attack d. Spamming attack
Choice (b) is the correct answer. Spoofing is an unauthorized use of legitimate identification and authentication data such as user IDs and passwords. Intercepted user names and passwords can be used to impersonate the user on the login or file transfer server host that the user is accessing. Spamming is posting identical messages to multiple unrelated newsgroups on the Internet. Sniffing and snooping are the same in that sniffing is observing packet's passing by on the network.
26. Which of the following is not a classification of intrusion detection systems (IDS)? a. Network-based IDS b. Host-based IDS c. Interval-based IDS d. Application-based IDS
Choice (c) is the correct answer. Choices (a), (b), and (d) are the most common ways to classify IDS based on information sources. The interval-based IDS (choice c) is based on timing, which refers to the elapsed time between the events that are monitored and the analysis of those events.
55. Which of the following models are used to protect the confidentiality of classified information? a. Biba model and Bell-LaPadula model b. Bell-LaPadula model and information flow model c. Bell-LaPadula model and Clark-Wilson model d. Clark-Wilson model and information flow model
Choice (b) is the correct answer. The Bell-LaPadula model is used for protecting the confidentiality of classified information, based on multilevel security classifications. The information flow model, a basis for the Bell-LaPadula model, ensures that information at a given security level flows only to an equal or higher level. Each object has an associated security level. An object's level indicates the security level of the data it contains. These two models will ensure the confidentiality of classified information. The Biba model is similar to the Bell-LaPadula model but protects the integrity of information instead of its confidentiality. The Clark-Wilson model is a less formal model aimed at ensuring the integrity of information, not confidentiality. This model implements traditional accounting controls including segregation of duties, auditing, and well-formed transactions such as double-entry bookkeeping. Both the Biba and Clark-Wilson models are examples of integrity models.
52. Integrity is covered by which of the following security models? a. Bell-LaPadula model b. Biba model c. Information flow model d. Take-Grant model
Choice (b) is the correct answer. The Biba model is an example of integrity model. Bell-LaPadula model is a formal state transition model of computer security policy that describes a set of access control rules. Both the Bell-LaPadula and the Take-Grant models are part of access control models.
28. The Biba security model focuses on which of the following? a. Confidentiality b. Integrity c. Availability d. Accountability
Choice (b) is the correct answer. The Biba security model is an integrity model in which no subject may depend on a less trusted object, including another subject.
27. The Clark-Wilson security model focuses on which of the following? a. Confidentiality b. Integrity c. Availability d. Accountability
Choice (b) is the correct answer. The Clark-Wilson security model is an approach to providing data integrity for common commercial activities.
51. What is the bit size of Kerberos? a. 40 b. 56 c. 64 d. 128
Choice (b) is the correct answer. The bit size of Kerberos is the same as that of DES, which is 56 bits because Kerberos uses a symmetric key algorithm similar to DES.
31. The correct sequence of conducting penetration tests is which of the following? 1. Develop a test plan 2. Conduct the test 3. Inform management about the test 4. Report the test results a. 1, 2, 3, and 4 b. 3, 1, 2, and 4 c. 2, 1, 3, and 4 d. 3, 2, 1, and 4
Choice (b) is the correct answer. The correct sequence of penetration test is informing management about the test, developing a test plan, conducting the test, and reporting the test results. Management should be informed first to obtain their permission and to learn about their concerns and objectives.
83. Job control analyst should not be given access to which of the following? a. Test job control files b. Production data files c. Job scheduling files d. Job control documentation
Choice (b) is the correct answer. The job control analyst is responsible for the overall quality of production job control language and conformance to standards. The appropriate level of access is access to test job control files, job scheduling files, job control documentation, and the problem/change management system. He should not be given access to production data files because he could perform maintenance to production application programs and production job control files. This is risky.
25. Use of Honey Pots and Padded Cells have which of the following? a. Social implications b. Legal implications c. Technical implications d. Psychological implications
Choice (b) is the correct answer. The legal implications of using Honey Pot and Padded Cell systems are not well defined. It is important to seek guidance from legal counsel before deciding to use either of these systems.
33. The principle of least privilege is most closely linked to which of the following security services? a. Confidentiality b. Integrity c. Availability d. Non-repudiation
Choice (b) is the correct answer. The principle of least privilege deals with access control mechanisms, and as such they ensure integrity of data and systems by limiting access to computer systems.
123. How does a role-based access control mechanism work? a. It is based on job enlargement concept b. It is based on job duties concept c. It is based on job enrichment concept d. It is based on job rotation concept
Choice (b) is the correct answer. Users take on assigned roles such as doctor, nurse, teller, and manager. With role-based access control mechanism, access decisions are based on the roles that individual users have as part of an organization, that is, job duties. Job enlargement means adding width to a job, job enrichment means adding depth to a job, while job rotation makes a person well-rounded.
54. Which one of the following is not an authentication mechanism? a. What the user knows b. What the user has c. What the user can do d. What the user is
Choice (c) is the correct answer. "What the user can do" is defined in access rules or user profiles, which comes after a successful authentication. The other three choices are part of an authentication process.
99. Logical access controls provide a technical means of controlling access to computer systems. Which of the following is not a benefit of logical access controls? a. Integrity b. Availability c. Reliability d. Confidentiality
Choice (c) is the correct answer. Computer-based access controls are called logical access controls. These controls can prescribe not only who or what is to have access to a specific system resource but also the type of access that is permitted, usually in software. Reliability is more of a hardware issue. Logical access controls can help protect: (1) operating systems and other systems software from unauthorized modification or manipulation (and thereby help ensure the system's integrity and availability), (2) the integrity and availability of information by restricting the number of users and processes with access, and (3) confidential information from being disclosed to unauthorized individuals.
23. Which of the following is not a good measure of performance of biometric-based identification and authentication technique? a. False rejection rate b. False acceptance rate c. Cross boundary rate d. Cross over error rate
Choice (c) is the correct answer. Cross over error rate occurs when the false rejection rate and the false acceptance rate are equal. Choices (a), (b), and (d) are example of good measures while choice (c) is a distracter.
90. Rank the following authentication mechanisms providing most to least protection against replay attacks? a. Password only, password and PIN, challenge response, and one- time password b. Password and PIN, challenge response, one-time password, and password only c. Challenge response, one-time password, password and PIN, and password only d. Challenge-response, password and PIN, one-time password, and password only
Choice (c) is the correct answer. A challenge-response protocol is based on cryptography and works by having the computer generate a challenge, such as a random string of numbers. The smart token then generates a response based on the challenge. This is sent back to the computer, which authenticates the user based on the response. Smart tokens that use either challenge-response protocols or dynamic password generation can create one-time passwords that change periodically (e.g., every minute). If the correct value is provided, the log-in is permitted, and the user is granted access to the computer system. Electronic monitoring is not a problem with one-time passwords because each time the user is authenticated to the computer, a different "password" is used. A hacker could learn the one-time password through electronic monitoring, but it would be of no value. Passwords and personal identification numbers (PINs) have weaknesses such as disclosing and guessing. Passwords combined with PINs are better than passwords only. Both passwords and PINs are subject to electronic monitoring. Simple encryption of a password that will be used again does not solve the monitoring problem because encrypting the same password will create the same ciphertext; the ciphertext becomes the password.
113. There are trade-offs among controls. A security policy would be most useful in which of the following areas? 1. System-generated passwords versus user-generated passwords 2. Access versus confidentiality 3. Technical controls versus procedural controls 4. Manual controls versus automated controls a. 1 and 2 b. 3 and 4 c. 2 and 3 d. 2 and 4
Choice (c) is the correct answer. A security policy is the framework within which an organization establishes needed levels of information security to achieve the desired confidentiality goals. A policy is a statement of information values, protection responsibilities, and organizational commitment for a computer system. It is a set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. There are trade-offs among controls such as technical controls and procedural controls (item 3). If technical controls are not available, procedural controls might be used until a technical solution is found. Nevertheless, technical controls are useless without procedural controls and a robust, security policy. Similarly, there is a trade- off between access and confidentiality, that is, a system meeting standards for access allows authorized users access to information resources on an ongoing basis (item 2). The emphasis given to confidentiality, integrity, and access depends on the nature of the application. An individual system may sacrifice the level of one requirement to obtain a greater degree of another. For example, to allow for increased levels of availability of information, standards for confidentiality may be lowered. Thus, the specific requirements and controls for information security can vary. Items (1) and (4) also involve trade-offs, but at a lower level. Item (1) requires deciding between system-generated passwords, which can offer more security than user-generated passwords because they are randomly generated pseudo words not found in the dictionary. However, system-generated passwords are harder to remember, forcing users to write them down, thus defeating the purpose. Item 4 requires selecting between a manual and automated control or selecting a combination of manual and automated controls. One can work as a compensating control for the other.
13. Access control mechanisms include which of the following? a. Directive, preventive, and detective controls b. Corrective, recovery, and preventive controls c. Logical, physical, and administrative controls d. Management, operational, and technical controls
Choice (c) is the correct answer. Access control mechanisms include logical (passwords and encryption), physical (keys and tokens), and administrative (forms and procedures) controls. Directive, preventive, detective, corrective, and recovery controls are controls by action. Management, operational, and technical controls are controls by nature.
40. From a computer security viewpoint, the "Chinese Wall" policy is related to which of the following? a. Aggregation problem b. Data classification problem c. Access control problem d. Inference problem
Choice (c) is the correct answer. As presented by Brewer and Nash, the "Chinese Wall" policy is a mandatory access control policy for stock market analysts. According to the policy, a market analyst may do business with any company. However, every time the analyst receives sensitive "inside" information from a new company, the policy prevents him from doing business with any other company in the same industry because that would involve him in a conflict of interest situation. In other words, collaboration with one company places "Chinese wall" between him and all other companies in the same industry. The Chinese Wall policy does not meet the definition of an aggregation problem; there is no notion of some information being sensitive with the aggregate being more sensitive. The Chinese Wall policy is an access control policy where the access control rule is not based just on the sensitivity of the information, but is based on the information already accessed. It is neither an inference nor a data classification problem.
118. Authentication is a protection against fraudulent transactions. Which of the following is not assumed by the authentication process? a. The validity of message location being sent b. The validity of the workstations that sent the message c. The integrity of the message that is being transmitted d. The validity of the message originator
Choice (c) is the correct answer. Authentication assures that the data received comes from the supposed origin. It is not extended to include the integrity of the data or messages that are being transmitted. However, authentication is a protection against fraudulent transactions by establishing the validity of messages being sent (choice a), validity of the workstations that sent the message (choice b), and the validity of the message originators (choice d). Invalid messages can come from a valid origin and authentication cannot prevent it.
98. System administrators pose a threat to computer security due to their access rights and privileges. Which of the following statements is true for an organization with one administrator? a. Masquerading by system administrators can be prevented b. System administrator's access to the system can be limited c. Actions by the system administrators can be detected d. System administrators cannot compromise system integrity
Choice (c) is the correct answer. Authentication data needs to be stored securely, and its value lies in the data's confidentiality, integrity, and availability. If confidentiality is compromised, someone may be able to use the information to masquerade as a legitimate user. If system administrators can read the authentication file, they can masquerade as another user. Many systems use encryption to hide the authentication data from the system administrators. Masquerading by system administrators cannot be entirely prevented (choice a). If integrity is compromised, authentication data can be added, or the system can be disrupted. If availability is compromised, the system cannot authenticate users, and the users may not be able to work. Controls can be set up so that improper actions by the system administrator can be detected in audit records. Due to their broader responsibilities, the system administrator's access to the system cannot be limited (choice b). They can compromise a system's integrity (choice d); again their actions can be detected in audit records. It makes a big difference whether an organization has one or more than one system administrator for separation of duties or for least privilege principle to work. With several system administrators, a system administrator account could be set up for one person to have the capability to add accounts. Another administrator could have the authority to delete them. When there is only one system administrator employed, breaking up the duties is not possible.
2. An organization is experiencing excessive turnover of employees. Which of the following is the best access control technique under these situations? a. Rule-based access control b. Mandatory access control c. Role-based access control d. Discretionary access control
Choice (c) is the correct answer. Employees can come and go but their roles will not change such as a doctor or nurse in a hospital. With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Employee names may change but the roles will not. This access control is the best for organizations experiencing excessive employee turnover. Rule-based access control and mandatory access control are the same since they are based on specific rules relating to the nature of the subject and object. Discretionary access control is a means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
46. Which of the following statements is true about intrusion detection systems (IDS) and firewalls? a. Firewalls are a substitution for IDS b. Firewalls are an alternative to IDS c. Firewalls are a complement to IDS d. Firewalls are a replacement for IDS
Choice (c) is the correct answer. IDS should be used as a complement to a firewall, not a substitute for it. Together, they provide a synergistic effect.
44. Which of the following is the correct sequence of actions in access control mechanisms? a. Access profiles, authentication, authorization, and identification b. Security rules, identification, authorization, and authentication c. Identification, authentication, authorization, and accountability d. Audit trails, authorization, accountability, and identification
Choice (c) is the correct answer. Identification comes before authentication, and authorization comes after authentication. Accountability is last where user actions are recorded.
41. Security clearances and sensitivity classifications are promoted by which of the following security models? a. Biba model b. Clark and Wilson model c. Bell-LaPadula model d. Sutherland model
Choice (c) is the correct answer. In Bell-LaPadula model, the clearance/classification scheme is expressed in terms of a lattice. In order to determine whether or not a specific access model is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode. The other models do not deal with security clearances and sensitivity classifications.
20. Which of the following is an example of input validation error? a. Access validation error b. Configuration error c. Buffer overflow error d. Race condition error
Choice (c) is the correct answer. In an input validation error, the input received by a system is not properly checked, resulting in a vulnerability that can be exploited by sending a certain input sequence. In a buffer overflow, the input received by a system is longer than the expected input length, but the system does not check for this condition. In an access validation error (choice a), the system is vulnerable because the access control mechanism is faulty. A configuration error (choice b) occurs when user controllable settings in a system are set such that the system is vulnerable. Race condition error (choice d) occurs when there is a delay between the time when a system checks to see if an operation is allowed by the security model and the time when the system actually performs the operation.
97. Location-based authentication technique can be effectively used to provide which of the following? a. Static authentication b. Intermittent authentication c. Continuous authentication d. Robust authentication
Choice (c) is the correct answer. Location-based authentication techniques can be used continuously, as there are no time and resource limits. It does not require any secret information to protect at either the host or user end. Continuous authentication is better than robust authentication, where the latter can be intermittent.
16. Passwords and personal identification numbers (PINs) are examples of which of the following? a. Procedural access controls b. Physical access controls c. Logical access controls d. Administrative access controls
Choice (c) is the correct answer. Logical, physical, and administrative controls are examples of access control mechanisms. Choices (a) and (d) are the same. Passwords, PINs, and encryption are examples of logical access controls.
80. Which of the following protective measures is ineffective against multiple threats? a. Access logs b. Encryption c. Passwords d. Audit trails
Choice (c) is the correct answer. Most measures are effective against multiple threats. For example, maintaining facility access logs is a method of controlling who goes into a facility, of knowing who is in a facility at a given time, and of preventing unauthorized removal of material from a facility. Encryption protects data both during transmission and while in storage. Audit trails furnish information for backup and recovery and also provide a basis for variance detection. A password is effective against a single threat, that is, authentication and identification of a person or subject.
119. Passwords are used as a basic mechanism to identify and authenticate a system user. Which of the following password-related factors cannot be tested with automated vulnerability testing tools? a. Password length b. Password lifetime c. Password secrecy d. Password storage
Choice (c) is the correct answer. No automated vulnerability testing tool can ensure that system users have not disclosed their passwords, thus secrecy cannot be guaranteed. Password length (choice a) can be tested to ensure that short passwords are not selected. Password lifetime (choice b) can be tested to ensure that they have a limited lifetime. Passwords should be changed regularly or whenever they may have been compromised. Password storage (choice d) can be tested to ensure that they are protected to prevent disclosure or unauthorized modification.
125. Passwords can be stored safely in which of the following places? a. Initialization file b. Script file c. Password file d. Batch file
Choice (c) is the correct answer. Passwords should not be included in initialization files, script files, or batch files due to possible compromise. Instead, they should be stored in a password file, preferably encrypted.
124. Which of the following is inconsistent with the principle of least privilege? a. Requirements creep b. Design creep c. Authorization creep d. Analysis creep
Choice (c) is the correct answer. Permanent changes are necessary when employees change positions within an organization. In this case, the process of granting account authorizations will occur again. At this time, however, it is also important that access authorizations of the prior position be removed. Many instances of "authorization creep" have occurred with employees continuing to maintain access rights for previously held positions within an organization. This practice is inconsistent with the principle of least privilege, and it is a security vulnerability.
114. Ensuring data and program integrity is important. Which of the following controls best applies the "separation of duties" principle in an automated computer operations environment? a. File placement controls b. Data file naming conventions c. Program library controls d. Program and job naming conventions
Choice (c) is the correct answer. Program library controls allow only assigned programs to run in production and eliminate the problem of test programs accidentally entering the production environment. They also separate production and testing data to ensure that no test data are used in normal production. This practice is based on the "separation of duties" principle. File placement controls (choice a) ensure that files reside on the proper direct access storage device so that data sets do not go to a wrong device by accident. Data file, program, and job naming conventions (choices b and d) implement the separation of duties principle by uniquely identifying each production and test data file names, program names, and job names, and terminal usage.
92. Which of the following lists a pair of compatible functions within the IS organization? a. Computer operations and applications programming b. Systems programming and data security administration c. Quality assurance and data security administration d. Production job scheduling and computer operations
Choice (c) is the correct answer. Separation of duties is the first line of defense against the prevention, detection, and correction of errors, omissions, and irregularities. The objective is to ensure that no one person has complete control over a transaction throughout its initiation, authorization, recording, processing, and reporting. If the total risk is acceptable, then two different jobs can be combined. If the risk is unacceptable, the two jobs should not be combined. Both quality assurance and data security are staff functions and would not handle the day-to-day operations tasks. Choices (a), (b), and (d) are incorrect because they are examples of incompatible functions. The rationale is to minimize such functions that are not conducive to good internal control structure. For example, if a computer operator is also responsible for production job scheduling, he could submit unauthorized production jobs.
111. An example of a drawback of smart cards includes: a. A means of access control b. A means of storing user data c. A means of gaining unauthorized access d. A means of access control and data storage
Choice (c) is the correct answer. Since valuable data is stored on a smart card, the card is useless if lost, damaged, or forgotten. An unauthorized person can gain access to a computer system in the absence of other strong controls. A smart card is a credit card-sized device containing one or more integrated circuit chips, which performs the functions of a microprocessor, memory, and an input\output interface. Smart cards can be used: (1) as a means of access control (choice a), (2) as a medium for storing and carrying the appropriate data (choice b), and (3) a combination of 1 and 2 (choice d).
43. Which of the following is not synonymous with spoofing? a. Mimicking b. Impersonating c. Sniffing d. Masquerading
Choice (c) is the correct answer. Spoofing is an attempt to gain access to a system by posing as an authorized user. It is synonymous with impersonating, masquerading, or mimicking. Sniffing is monitoring network traffic.
12. Which of the following is not an example of attacks on data and information? a. Hidden code b. Inference c. Spoofing d. Traffic analysis
Choice (c) is the correct answer. Spoofing is using various techniques to subvert IP-based access control by masquerading as another system by using its IP address. Attacks such as hidden code, inference, and traffic analysis are based on data and information.
42. An access triple used in the implementation of Clark and Wilson security model includes which of the following? a. Policy, procedure, and object b. Class, domain, and subject c. Subject, program, and data d. Level, label, and tag
Choice (c) is the correct answer. The Clark and Wilson model partitions objects into programs and data for each subject forming a subject/program/data access triple.
15. Honey Pot systems do not contain which of the following? a. Event triggers b. Sensitive monitors c. Sensitive data d. Event loggers
Choice (c) is the correct answer. The Honey Pot system is instrumented with sensitive monitors, event triggers, and event loggers that detect unauthorized accesses and collect information about the attacker's activities. These systems are filled with fabricated data designed to appear valuable.
38. Which of the following uses a ticket and a password to authenticate a system user? a. Secure RPC b. SPX c. Kerberos d. SecurID
Choice (c) is the correct answer. The Kerberos identification and authentication technique involves a ticket that is linked to a user's password. Both the ticket and the password must be protected against loss or theft. Secure RPC and SPX provide a robust authentication mechanism over distributed computing environments. SecurID is a token from RSA, Inc.
84. Computer operators should not be given access to which of the following? a. Computer console terminal b. Operations documentation c. Programming documentation d. Disk drives
Choice (c) is the correct answer. The appropriate level of access for the computer operator is access to the computer console terminal, tape/disk drives, printers, operations documentation, and the problem/change management system. He should not be given access to programming documentation and production data files since he could perform maintenance to them for unauthorized purposes. This is risky.
4. The "principle of least privilege" supports which of the following? a. All or nothing privileges b. Super-user privileges c. Appropriate privileges d. Creeping privileges
Choice (c) is the correct answer. The principle of least privilege refers to granting users only those accesses required to perform their duties. Only the concept of "appropriate privilege" is supported by the principle of least privilege.
73. From an access control viewpoint, which of the following is computed from a passphrase? a. Access password b. Personal password c. Valid password d. Virtual password
Choice (d) is the correct answer. A virtual password is a password computed from a passphrase that meets the requirements of password storage (e.g., 56 bits for DES). A passphrase is a sequence of characters, longer than the acceptable length of a regular password, which is transformed by a password system into a virtual password of acceptable length. An access password (choice a) is a password used to authorize access to data and is distributed to all those who are authorized similar access to that data. A personal password (choice b) is a password that is known by only one person and is used to authenticate that person's identity. A valid password (choice c) is a personal password that will authenticate the identity of an individual when presented to a password system. It is also an access password that will allow the requested access when presented to a password system.
21. Which of the following is not commonly detected and reported by intrusion detection systems (IDS)? a. System scanning attacks b. Denial of service attacks c. System penetration attacks d. IP address spoofing attacks
Choice (d) is the correct answer. An attacker can send attack packets using a fake source IP address but arrange to wiretap the victims reply to the fake address. The attacker can do this without having access to the computer at the fake address. This manipulation of IP addressing is called IP address spoofing. A scanning attack occurs when an attacker probes a target network or system by sending different kinds of packets (choice a). Denial of service attacks attempt to slow or shut down targeted network systems or services (choice b). System penetration attacks involve the unauthorized acquisition and/or alteration of system privileges, resources, or data (choice c).
110. A more reliable authentication device is a: a. Fixed callback system b. Variable callback system c. Fixed and variable callback system d. Smart card system
Choice (d) is the correct answer. Authentication is providing assurance regarding the identity of a subject or object, for example, ensuring that a particular user is who he claims to be. A smart card system uses cryptographic-based smart tokens that offer great flexibility and can be used to solve many authentication problems such as forgery and masquerading. A smart token typically requires a user to provide something the user knows (i.e., a PIN or password), which provides a stronger control than the smart token alone. Smart cards do not require a call-back since the codes used in the smart card change frequently, which cannot be repeated. Call-back systems are used to authenticate a person. A fixed call-back system (choice a) calls back to a known telephone associated with a known place. However, the called person may not be known, which is a problem with masquerading. It is not only insecure but also inflexible since it is tied to a specific place. It is not applicable if the caller moves around. A variable call-back system (choice b) is more flexible than the fixed one but requires greater maintenance of the variable telephone numbers and locations. These phone numbers can be recorded or decoded by a hacker.
103. A system mechanism and audit trails assist business managers to hold individual users accountable for their actions. In order to utilize these audit trails, which of the following controls is a prerequisite for the mechanism to be effective? a. Physical access controls b. Environmental controls c. Management controls d. Logical access controls
Choice (d) is the correct answer. By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behavior. Users are less likely to attempt to circumvent security policy if they know that their actions will be recorded in an audit log. Audit trails work in concert with logical access controls, which restrict use of system resources. Since logical access controls are enforced through software, audit trails are used to maintain an individual's accountability. Although choices (a) through (c) collect some data in the form of an audit trail, their use is limited due to limitation of useful data collected.
93. A security label, or access control mechanism, is supported by which of the following access control policies? a. Role-based policy b. Identity-based policy c. User-directed policy d. Mandatory access control policy
Choice (d) is the correct answer. Mandatory access control is a type of access control that cannot be made more permissive by subjects. They are based on information sensitivity such as security labels for clearance and data classification. Rule-based and administratively directed policies are examples of mandatory access control policy. Role-based policy (choice a) is an example of non-discretionary access controls. Access control decisions are based on the roles individual users are taking in an organization. This includes the specification of duties, responsibilities, obligations, and qualifications (e.g., a teller or loan officer associated with a banking system). Both identity-based and user-directed policies (choices b and c) are examples of discretionary access control. It is a type of access control that permits subjects to specify the access controls with certain limitations. Identity-based access control is based only on the identity of the subject and object. User-directed control is a type of access control in which subjects can alter the access rights with certain restrictions.
106. Many computer systems provide "maintenance accounts" for diagnostic and support services. Which of the following security techniques is least preferred to ensure reduced vulnerability when using these accounts? a. Call-back confirmation b. Encryption of communications c. Smart tokens d. Password and user ID
Choice (d) is the correct answer. Many computer systems provide maintenance accounts. These special login accounts are normally preconfigured at the factory with preset, widely known weak passwords. It is critical to change these passwords or otherwise disable the accounts until they are needed. If the account is to be used remotely, authentication of the maintenance provider can be performed using call-back confirmation (choice a). This helps ensure that remote diagnostic activities actually originate from an established phone number at the vendor's site. Other techniques can also help, including encryption and decryption of diagnostic communications (choice b), strong identification and authentication techniques, such as smart tokens (choice c), and remote disconnect verification.
121. Which of the following password selection procedures would be the most difficult to remember? a. Reverse or rearrange the characters in user birthday b. Reverse or rearrange the characters in user annual salary c. Reverse or rearrange the characters in the user's spouse's name d. Use randomly generated characters
Choice (d) is the correct answer. Password selection is a difficult task to balance between password effectiveness and its remembrance by the user. The selected password should be simple to remember for oneself and difficult for others to know. It is no advantage in having a scientifically generated password if the user cannot remember it. Using randomly generated characters as a password is not only difficult to remember but also easy to publicize. Users will be tempted to write them down in a conspicuous place if the password is difficult to remember. The approaches in the other three choices would be relatively easy to remember due to the user familiarity with the password origin. A simple procedure is to use well-known personal information that is rearranged.
104. The best place to put the Kerberos protocol is in which of the following? a. At the application layer b. At the transport layer c. At the network layer d. At all layers of the network
Choice (d) is the correct answer. Placing the Kerberos protocol below the application layer and at all layers of the network provides greatest security protection without the need to modify applications.
29. The Take-Grant security model focuses on which of the following? a. Confidentiality b. Accountability c. Availability d. Access rights
Choice (d) is the correct answer. The Take-Grant security model uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject.
82. A data/tape librarian should not be responsible for: a. Record-keeping of tape and cartridge activity b. Taking periodic inventory of tapes and cartridges c. Logging movement of magnetic media d. Operating the computer
Choice (d) is the correct answer. There would be a conflict of interest if a tape librarian operates the computer since he is close to the data. Choices (a), (b), and (c) are typical job duties of a tape librarian. Each IS organization may have a different focus on these items. The combination of tasks in the other three choices is compatible with no harm done to the organization.