CISSP | Test Questions| Domain 1 | Access Control

Passwords and personal identification numbers (PINs) are examples of which of the following? a. Procedural access controls b. Physical access controls c. Logical access controls d. Administrative access controls

C. Logical, physical, and administrative controls are examples of access control mechanisms. Passwords, PINs, and encryption are examples of logical access controls.

In electronic authentication, which of the following controls is not effective against a cross site request forgery (CSRF) attack? a. Sanitize inputs to make them nonexecutable. b. Insert random data into any linked uniform resource locator. c. Insert random data into a hidden field. d. Generate a per-session shared secret.

a. A cross site request forgery (CSRF) is a type of session hijacking attack where a malicious website contains a link to the URL of the legitimate relying party. Web applications, even those protected by secure sockets layer/transport layer security (SSL/TLS), can still be vulnerable to the CSRF attack. One control to protect the CSRF attack is by inserting random data, supplied by the relying party, into any linked uniform resource locator with side effects and into a hidden field within any form on the relying party's website. Generating a per-session shared secret is effective against a session hijacking problem. Sanitizing inputs to make them nonexecutable is effective against cross site scripting (XSS) attacks, not CSRF attacks.

Which one of the following access control policies treats users and owners as the same? a. Discretionary access control (DAC) b. Mandatory access control (MAC) c. Role-based access control (RBAC) d. Access control lists (ACLs)

a. A discretionary access control (DAC) mechanism enables users to grant or revoke access to any of the objects under their control. As such, users are said to be the owners of the objects under their control. Users and owners are different in the other three choices.

In electronic authentication, an authenticated session is established between which of the following? a. Claimant and the relying party b. Applicant and the registration authority c. Subscriber and the credential service provider d. Certifying authority and the registration authority

a. An authenticated session is established between the claimant and the relying party. Sometimes the verifier is also the relying party. The other three choices are incorrect because the correct answer is based on facts.

For device identification and authentication, the authentication between devices and connections to networks is an example of a(n): a. Bidirectional authentication b. Group authentication c. Device-unique authentication d. Individual authentication

a. An information system authenticates devices before establishing remote and wireless network connections using bidirectional authentication between devices that are cryptographically-based. Examples of device identifiers include media access control (MAC) addresses, IP addresses, e-mail IDs, and device-unique token identifiers. Examples of device authenticators include digital/PKI certificates and passwords. The other three choices are not correct because they lack two-way authentication.

A lattice security model is an example of which of the following access control policies? a. Discretionary access control (DAC) b. Non-DAC c. Mandatory access control (MAC) d. Non-MAC

b. A lattice security model is based on a nondiscretionary access control (non-DAC) model. A lattice model is a partially ordered set for which every pair of elements (subjects and objects) has a greatest lower bound and a least upper bound. The subject has the greatest lower bound, and the object has the least upper bound.

Which of the following solutions to local account password management problem could an attacker exploit? a. Use multifactor authentication to access the database. b. Use a hash-based local password and a standard password. c. Use randomly generated passwords. d. Use a central password database.

b. A local password could be based on a cryptographic hash of the media access control address and a standard password. However, if an attacker recovers one local password, the attacker could easily determine other local passwords. An attacker could not exploit the other three choices because they are secure. Other positive solutions include disabling built-in accounts, storing the passwords in the database in an encrypted form, and generating passwords based on a machine name or a media access control address.

Which of the following provides a finer level of granularity (i.e., more restrictive security) in the access control process? a. Mandatory access control b. Discretionary access control c. Access control list d. Logical access control

b. Discretionary access control offers a finer level of granularity in the access control process. Mandatory access controls can provide access to broad categories of information, whereas discretionary access controls can be used to fine-tune those broad controls, override mandatory restrictions as needed, and accommodate special circumstances.

Which of the following security control mechanisms is simplest to administer? a. Discretionary access control b. Mandatory access control c. Access control list d. Logical access control

b. Mandatory access controls are the simplest to use because they can be used to grant broad access to large sets of files and to broad categories of information. Discretionary access controls are not simple to use due to their finer level of granularity in the access control process. Both the access control list and logical access control require a significant amount of administrative work because they are based on the details of each individual user.

Which of the following security models addresses "separation of duties" concept? a. Biba model b. Clark-Wilson model c. Bell-LaPadula model d. Sutherland model

b. The Clark and Wilson security model addresses the separation of duties concept along with well-formed transactions. Separation of duties attempts to ensure the external consistency of data objects. It also addresses the specific integrity goal of preventing authorized users from making improper modifications. The other three models do not address the separation of duties concept.

The Clark-Wilson security model focuses on which of the following? a. Confidentiality b. Integrity c. Availability d. Accountability

b. The Clark-Wilson security model is an approach that provides data integrity for common commercial activities. It is a specific model addressing "integrity," which is one of five security objectives. The five objectives are: confidentiality, integrity, availability, accountability, and assurance.

In the electronic authentication process, who performs the identity proofing? a. Subscriber b. Registration authority c. Applicant d. Credential service provider

b. The RA performs the identity proofing after registering the applicant with the CSP. An applicant becomes a subscriber of the CSP.

In electronic authentication, using one token to gain access to a second token is called a: a. Single-token, multifactor scheme b. Single-token, single-factor scheme c. Multitoken, multifactor scheme d. Multistage authentication scheme

b. Using one token to gain access to a second token is considered a single token and a single factor scheme because all that is needed to gain access is the initial token. Therefore, when this scheme is used, the compound solution is only as strong as the token with the lowest assurance level. The other choices are incorrect because they are not applicable to the situation here.

What do policy enforcement mechanisms, used to transfer information between different security domains prior to transfer, include? 1. Embedding rules 2. Release rules 3. Filtering rules 4. Sanitization rules a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

c. Policy enforcement mechanisms include the filtering and/or sanitization rules that are applied to information prior to transfer to a different security domain. Embedding rules and release rules do not handle information transfer.

Individual accountability does not include which of the following? a. Unique identifiers b. Access rules c. Audit trails d. Policies and procedures

d. A basic tenet of IT security is that individuals must be accountable for their actions. If this is not followed and enforced, it is not possible to successfully prosecute those who intentionally damage or disrupt systems or to train those whose actions have unintended adverse effects. The concept of individual accountability drives the need for many security safeguards, such as unique (user) identifiers, audit trails, and access authorization rules. Policies and procedures indicate what to accomplish and how to accomplish objectives. By themselves, they do not exact individual accountability.

As a part of centralized password management solution, which of the following architectures for single sign-on technology becomes a single point-of-failure? a. Kerberos authentication service b. Lightweight directory access protocol c. Domain passwords d. Centralized authentication server

d. A common architecture for single sign-on (SSO) is to have an authentication service, such as Kerberos, for authenticating SSO users, and a database or directory service such as lightweight directory access protocol (LDAP) that stores authentication information for the resources the SSO handles authentication for. By definition, the SSO technology uses a password, and an SSO solution usually includes one or more centralized servers containing authentication credentials for many users. Such a server becomes a single point-of-failure for authentication to many resources, so the availability of the server affects the availability of all the resources that rely on that server.

Which one of the following access control policy uses an access control matrix for its implementation? a. Discretionary access control (DAC) b. Mandatory access control (MAC) c. Role-based access control (RBAC) d. Access control lists (ACLs)

a. A discretionary access control (DAC) model uses access control matrix where it places the name of users (subjects) in each row and the names of objects (files or programs) in each column of a matrix. The other three choices do not use an access control matrix.

Logical access controls are a technical means of implementing security policy decisions. It requires balancing the often-competing interests. Which of the following trade-offs should receive the highest interest? a. User-friendliness b. Security principles c. Operational requirements d. Technical constraints

a. A management official responsible for a particular application system, subsystem, or group of systems develops the security policy. The development of an access control policy may not be an easy endeavor. User-friendliness should receive the highest interest because the system is designed for users, and the system usage is determined by whether the system is userfriendly. The other three choices have a competing interest in a security policy, but they are not as important as the user-friendliness issue. An example of a security principle is "least privilege."

For electronic authentication, which of the following is an example of a passive attack? a. Eavesdropping b. Man-in-the-middle c. Impersonation d. Session hijacking

a. A passive attack is an attack against an authentication protocol where the attacker intercepts data traveling along the network between the claimant and verifier but does not alter the data. Eavesdropping is an example of a passive attack. A man-in-the-middle (MitM) attack is incorrect because it is an active attack on the authentication protocol run in which the attacker positions himself between the claimant and verifier so that he can intercept and alter data traveling between them. Impersonation is incorrect because it is an attempt to gain access to a computer system by posing as an authorized user. It is the same as masquerading, spoofing, and mimicking. Session hijacking is incorrect because it is an attack that occurs during an authentication session within a database or system. The attacker disables a user's desktop system, intercepts responses from the application, and responds in ways that probe the session. Man-in-the-middle, impersonation, and session hijacking are examples of active attacks. Note that MitM attacks can be passive or active depending on the intent of the attacker because there are mild MitM or strong MitM attacks.

For identity management, international standards do not use which of the following access control policies for making access control decisions? 1. Discretionary access control (DAC) 2. Mandatory access control (MAC) 3. Identity-based access control (IBAC) 4. Rule-based access control (RuBAC) a. 1 and 2 b. 1 and 3 c. 2 and 3 d. 3 and 4

a. International standards for access control decisions do not use the U.S.-based discretionary or mandatory access control policies. Instead, they use identity-based and rulebased access control policies.

Which of the following types of passwords is counterproductive? a. System-generated passwords b. Encrypted passwords c. Nonreusable passwords d. Time-based passwords

a. A password-generating program can produce passwords in a random fashion, rather than relying on user-selected ones. System-generated passwords are usually hard to remember, forcing users to write them down. This defeats the whole purpose of stronger passwords. Encrypted passwords protect from unauthorized viewing or using. The encrypted password file is kept secure with access permission given to security administration for maintenance or to the passwords system itself. This approach is productive in keeping the passwords secure and secret. Nonreusable passwords are used only once. A series of passwords are generated by a cryptographic secure algorithm and given to the user for use at the time of login. Each password expires after its initial use and is not repeated or stored anywhere. This approach is productive in keeping the passwords secure and secret. In time-based passwords, the password changes every minute or so. A smart card displays some numbers that are a function of the current time and the user's secret key. To get access, the user must enter a number based on his own key and the current time. Each password is a unique one and therefore need not be written down or guessed. This approach is productive and effective in keeping the passwords secure and secret.

In electronic authentication, which of the following can be used to derive, guess, or crack the value of the token secret or spoof the possession of the token? a. Private credentials b. Public credentials c. Paper credentials d. Electronic credentials

a. A private credential object links a user's identity to a representation of the token in a way that the exposure of the credential to unauthorized parties can lead to any exposure of the token secret. A private credential can be used to derive, guess, or crack the value of the token secret or spoof the possession of the token. Therefore, it is important that the contents of the private credential be kept confidential (e.g., a hashed password values). Public credentials are shared widely, do not lead to an exposure of the token secret, and have little or no confidentiality requirements. Paper credentials are documents that attest to the identity of an individual (e.g., passports, birth certificates, and employee identity cards) and are based on written signatures, seals, special papers, and special inks. Electronic credentials bind an individual's name to a token with the use of X.509 certificates and Kerberos tickets.

Which of the following statements is not true about a session lock in access control? a. A session lock is a substitute for logging out of the system. b. A session lock can be activated on a device with a display screen. c. A session lock places a publicly viewable pattern on to the device display screen. d. A session lock hides what was previously visible on the device display screen.

a. A session lock prevents further access to an information system after a defined time period of inactivity. A session lock is not a substitute for logging out of the system as in logging out at the end of the workday. The other three choices are true statements about a session lock.

Which of the following are compatible with each other in the pair in performing similar functions in information security? a. SSO and RSO b. DES and DNS c. ARP and PPP d. SLIP and SKIP

a. A single sign-on (SSO) technology allows a user to authenticate once and then access all the resources the user is authorized to use. A reduced sign-on (RSO) technology allows a user to authenticate once and then access many, but not all, of the resources the user is authorized to use. Hence, SSO and RSO perform similar functions. The other three choices do not perform similar functions. Data encryption standard (DES) is a symmetric cipher encryption algorithm. Domain name system (DNS) provides an Internet translation service that resolves domain names to Internet Protocol (IP) addresses and vice versa. Address resolution protocol (ARP) is used to obtain a node's physical address. Point-topoint protocol (PPP) is a data-link framing protocol used to frame data packets on point-topoint lines. Serial line Internet protocol (SLIP) carries Internet Protocol (IP) over an asynchronous serial communication line. PPP replaced SLIP. Simple key management for Internet protocol (SKIP) is designed to work with the IPsec and operates at the network layer of the TCP/IP protocol, and works very well with sessionless datagram protocols.

The purpose of static separation of duty is to address problems, such as static exclusivity and the assurance principle. Which of the following refers to the static exclusivity problem? 1. To reduce the likelihood of fraud. 2. To prevent the loss of user objectivity. 3. One user is less likely to commit fraud when this user is a part of many users involved in a business transaction. 4. Few users are less likely to commit collusion when these users are a part of many users involved in a business transaction. a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

a. A static exclusivity problem is the condition for which it is considered dangerous for any user to gain authorization for a conflicting set of access capabilities. The motivation for exclusivity relations includes reducing the likelihood of fraud or preventing the loss of user objectivity. The assurance principle deals with committing fraud or collusion when many users are involved in handling a business transaction.

Which of the following information security control families requires a cross-cutting approach? a. Access control b. Audit and accountability c. Awareness and training d. Configuration management

a. Access control requires a cross-cutting approach because it is related to access control, incident response, audit and accountability, and configuration management control families (areas). Cross-cutting means a control in one area affects the controls in other-related areas. The other three choices require a control-specific approach.

Which of the following circumstances require additional security protections for mobile devices after unsuccessful login attempts? a. When a mobile device requires a login to itself, and not a user account on the device b. When a mobile device is accessing a removable media without a login c. When information on the mobile device is encrypted d. When the login is made to any one account on the mobile device

a. Additional security protection is needed for a mobile device (e.g., PDA) requiring a login where the login is made to the mobile device itself, not to any one account on the device. Additional protection is not needed when removable media is accessed without a login and when the information on the mobile device is encrypted. A successful login to any account on the mobile device resets the unsuccessful login count to zero.

As a part of centralized password management solutions, password synchronization becomes a single point-of-failure due to which of the following? a. It uses the same password for many resources. b. It can enable an attacker to compromise a low-security resource to gain access to a highsecurity resource. c. It uses the lowest common denominator approach to password strength. d. It can lead passwords to become unsynchronized.

a. All four choices are problems with password synchronization solution. Because the same password is used for many resources, the compromise of any one instance of the password compromises all the instances, therefore becoming a single point-of-failure. Password synchronization forces the use of the lowest common denominator approach to password strength, resulting in weaker passwords due to character and length constraints. Passwords can become unsynchronized when a user changes a resource password directly with that resource instead of going through the password synchronization user interface. A password could also be changed due to a resource failure that requires restoration of a backup.

For key functions of intrusion detection and prevention system (IDPS) technologies, which of the following is referred to when an IDPS configuration is altered? a. Tuning b. Evasion c. Blocking d. Normalization

a. Altering the configuration of an intrusion detection and prevention system (IDPS) to improve its detection accuracy is known as tuning. IDPS technologies cannot provide completely accurate detection at all times. Access to the targeted host is blocked from the offending user account or IP address. Evasion is modifying the format or timing of malicious activity so that its appearance changes but its effect is the same. Attackers use evasion techniques to try to prevent intrusion detection and prevention system (IDPS) technologies from detecting their attacks. Most IDPS technologies can overcome common evasion techniques by duplicating special processing performed by the targeted host. If the IDPS configuration is same as the targeted host, then evasion techniques will be unsuccessful at hiding attacks. Some intrusion prevention system (IPS) technologies can remove or replace malicious portions of an attack to make it benign. A complex example is an IPS that acts as a proxy and normalizes incoming requests, which means that the proxy repackages the payloads of the requests, discarding header information. This might cause certain attacks to be discarded as part of the normalization process.

Which of the following is best to replace the use of personal identification numbers (PINs) in the world of automated teller machines (ATMs)? a. Iris-detection technology b. Voice technology c. Hand technology d. Fingerprint technology

a. An ATM customer can stand within three feet of a camera that automatically locates and scans the iris in the eye. The scanned bar code is then compared against previously stored code in the bank's file. Iris-detection technology is far superior for accuracy compared to the accuracy of voice, face, hand, and fingerprint identification systems. Iris technology does not require a PIN.

In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of identity spoofing? a. Liveness detection b. Digital signatures c. Rejecting exact matches d. Session lock

a. An adversary may present something other than his own biometric to trick the system into verifying someone else's identity, known as spoofing. One type of mitigation for an identity spoofing threat is liveness detection (e.g., pulse or lip reading). The other three choices cannot perform liveness detection.

In electronic authentication, which of the following can mitigate the threat of assertion manufacture and/or modification? a. Digital signature and TLS/SSL b. Timestamp and short lifetime of validity c. Digital signature with a key supporting nonrepudiation d. HTTP and TLS

a. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion manufacture and/or modification, the assertion may be digitally signed by the verifier and the assertion sent over a protected channel such as TLS/SSL. The other three choices are incorrect because they are not applicable to the situation here.

Which of the following access authorization policies applies to when an organization has a list of software not authorized to execute on an information system? a. Deny-all, permit-by-exception b. Allow-all, deny-by-exception c. Allow-all, deny-by-default d. Deny-all, accept-by-permission

a. An organization employs a deny-all, permit-by-exception authorization policy to identify software not allowed to execute on the system. The other three choices are incorrect because the correct answer is based on specific access authorization policy.

The concept of least privilege is based on which of the following? a. Risk assessment b. Information flow enforcement c. Access enforcement d. Account management

a. An organization practices the concept of least privilege for specific job duties and information systems, including specific responsibilities, network ports, protocols, and services in accordance with risk assessments. These practices are necessary to adequately mitigate risk to organizations' operations, assets, and individuals. The other three choices are specific components of access controls.

How is authorization different from authentication? a. Authorization comes after authentication. b. Authorization and authentication are the same. c. Authorization is verifying the identity of a user. d. Authorization comes before authentication.

a. Authorization comes after authentication because a user is granted access to a program (authorization) after he is fully authenticated. Authorization is permission to do something with information in a computer. Authorization and authentication are not the same, where the former is verifying the user's permission and the latter is verifying the identity of a user.

The principle of least privilege refers to the security objective of granting users only those accesses they need to perform their job duties. Which of the following actions is inconsistent with the principle of least privilege? a. Authorization creep b. Re-authorization when employees change positions c. Users have little access to systems d. Users have significant access to systems

a. Authorization creep occurs when employees continue to maintain access rights for previously held positions within an organization. This practice is inconsistent with the principle of least privilege. All the other three choices are incorrect because they are consistent with the principle of least privilege. Reauthorization can eliminate authorization creep, and it does not matter how many users have access to the system or how much access to the system as long as their access is based on need-to-know concept. Permanent changes are necessary when employees change positions within an organization. In this case, the process of granting account authorizations occurs again. At this time, however, it is also important that access authorizations of the prior position be removed. Many instances of authorization-creep have occurred with employees continuing to maintain access rights for previously held positions within an organization. This practice is inconsistent with the principle of least privilege, and it is security vulnerability.

Which of the following use data by row to represent the access control matrix? a. Capabilities and profiles b. Protection bits and access control list c. Profiles and protection bits d. Capabilities and access control list

a. Capabilities and profiles are used to represent the access control matrix data by row and connect accessible objects to the user. On the other hand, a protection bit-based system and access control list represents the data by column, connecting a list of users to an object.

Confidentiality controls include which of the following? a. Cryptography b. Passwords c. Tokens d. Biometrics

a. Cryptography, which is a part of technical control, ensures the confidentiality goal. The other three choices are part of user identification and authentication controls, which are also a part of technical control.

Which of the following should not be used in Kerberos authentication implementation? a. Data encryption standard (DES) b. Advanced encryption standard (AES) c. Rivest, Shamir, and Adelman (RSA) d. Diffie-Hellman (DH)

a. DES is weak and should not be used because of several documented security weaknesses. The other three choices can be used. AES can be used because it is strong. RSA is used in key transport where the authentication server generates the user symmetric key and sends the key to the client. DH is used in key agreement between the authentication server and the client.

The process of identifying users and objects is important to which of the following? a. Discretionary access control b. Mandatory access control c. Access control d. Security control

a. Discretionary access control is a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. In a mandatory access control mechanism, the owner of a file or object has no discretion as to who can access it. Both security control and access control are too broad and vague to be meaningful here.

What names does an access control matrix place? a. Users in each row and the names of objects in each column b. Programs in each row and the names of users in each column c. Users in each column and the names of devices in each row d. Subjects in each column and the names of processes in each row

a. Discretionary access control is a process to identify users and objects. An access control matrix can be used to implement a discretionary access control mechanism where it places the names of users (subject) in each row and the names of objects in each column of a matrix. A subject is an active entity, generally in the form of a person, process, or device that causes information to flow among objects or changes the system's state. An object is a passive entity that contains or receives information. Access to an object potentially implies access to the information it contains. Examples of objects include records, programs, pages, files, and directories. An access control matrix describes an association of objects and subjects for authentication of access rights.

Which of the following deals with access control by group? a. Discretionary access control b. Mandatory access control c. Access control list d. Logical access control

a. Discretionary access controls deal with the concept of control objectives, or control over individual aspects of an enterprise's processes or resources. They are based on the identity of the users and of the objects they want to access. Discretionary access controls are implemented by one user or the network/system administrator to specify what levels of access other users are allowed to have. Mandatory access controls are implemented based on the user's security clearance or trust level and the particular sensitivity designation of each file. The owner of a file or object has no discretion as to who can access it. An access control list is based on which user can access what objects. Logical access controls are based on a user-supplied identification number or code and password. Discretionary access control is by group association whereas mandatory access control is by sensitivity level.

For electronic authentication protocol threats, which of the following are assumed to be physically able to intercept authentication protocol runs? a. Eavesdroppers b. Subscriber impostors c. Impostor verifiers d. Hijackers

a. Eavesdroppers are assumed to be physically able to intercept authentication protocol runs; however, the protocol may be designed to render the intercepted messages unintelligible, or to resist analysis that would allow the eavesdropper to obtain information useful to impersonate the claimant. Subscriber impostors are incorrect because they need only normal communications access to verifiers or relying parties. Impostor verifiers are incorrect because they may have special network capabilities to divert, insert, or delete packets. But, in many cases, such attacks can be mounted simply by tricking subscribers with incorrect links or e-mails or on Web pages, or by using domain names similar to those of relying parties or verifiers. Therefore, the impostors do not necessarily need to have any unusual network capabilities. Hijackers are incorrect because they must divert communications sessions, but this capability may be comparatively easy to achieve today when many subscribers use wireless network access.

Which of the following is not a common type of electronic credential? a. SAML assertions b. X.509 public-key identity certificates c. X.509 attribute certificates d. Kerberos tickets

a. Electronic credentials are digital documents used in authentication that bind an identity or an attribute to a subscriber's token. Security assertion markup language (SAML) is a specification for encoding security assertions in the extensible markup language (XML). SAML assertions have nothing to do with electronic credential because they can be used by a verifier to make a statement to a relying party about the identity of a claimant. An X.509 public-key identity certificate is incorrect because binding an identity to a public key is a common type of electronic credential. X.509 attribute certificate is incorrect because binding an identity or a public key with some attribute is a common type of electronic credential. Kerberos tickets are incorrect because encrypted messages binding the holder with some attribute or privilege is a common type of electronic credential.

Online guessing is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the online guessing threat? a. Use tokens that generate high entropy authenticators. b. Use hardware cryptographic tokens. c. Use tokens with dynamic authenticators. d. Use multifactor tokens.

a. Entropy is the uncertainty of a random variable. Tokens that generate high entropy authenticators prevent online guessing of secret tokens registered to a legitimate claimant and offline cracking of tokens. The other three choices cannot prevent online guessing of tokens or passwords.

Which of the following access authorization policies applies to external networks through managed interfaces employing boundary protection devices such as gateways or firewalls? a. Deny-all, permit-by-exception b. Allow-all, deny-by-exception c. Allow-all, deny-by-default d. Deny-all, accept-by-permission

a. Examples of managed interfaces employing boundary protection devices include proxies, gateways, routers, firewalls, hardware/software guards, and encrypted tunnels on a demilitarized zone (DMZ). This policy "deny-all, permit-by-exception" denies network traffic by default and enables network traffic by exception only. The other three choices are incorrect because the correct answer is based on specific access authorization policy. Access control lists (ACL) can be applied to traffic entering the internal network from external sources.

For device identification and authentication, dynamic address allocation process for devices is standardized with which of the following? a. Dynamic host configuration protocol b. Dynamic authentication c. Dynamic hypertext markup language d. Dynamic binding

a. For dynamic address allocation for devices, dynamic host configuration protocol (DHCP)-enabled clients obtain leases for Internet Protocol (IP) addresses from DHCP servers. Therefore, the dynamic address allocation process for devices is standardized with DHCP. The other three choices do not have the capability to obtain leases for IP addresses.

Regarding local administrator password selection, which of the following can become a single point-of-failure? a. Using the same local root account password across systems b. Using built-in root accounts c. Storing local passwords on the local system d. Authenticating local passwords on the local system

a. Having a common password shared among all local administrator or root accounts on all machines within a network simplifies system maintenance, but it is a widespread security weakness, becoming a single point-of-failure. If a single machine is compromised, an attacker may recover the password and use it to gain access to all other machines that use the shared password. Therefore, it is good to avoid using the same local administrator or root account passwords across many systems. The other three choices, although risky in their own way, do not yield a single point-of-failure.

Intrusion detection refers to the process of identifying attempts to penetrate a computer system and gain unauthorized access. Which of the following assists in intrusion detection? a. Audit records b. Access control lists c. Security clearances d. Host-based authentication

a. If audit records showing trails have been designed and implemented to record appropriate information, they can assist in intrusion detection. Usually, audit records contain pertinent data (e.g., date, time, status of an action, user IDs, and event ID), which can help in intrusion detection. Access control lists refer to a register of users who have been given permission to use a particular system resource and the types of access they have been permitted. Security clearances are associated with a subject (e.g., person and program) to access an object (e.g., files, libraries, directories, and devices). Host-based authentication grants access based upon the identity of the host originating the request, instead of the identity of the user making the request. The other three choices have no facilities to record access activity and therefore cannot assist in intrusion detection.

In electronic authentication, which of the following controls is effective against cross site scripting (XSS) vulnerabilities? a. Sanitize inputs to make them nonexecutable. b. Insert random data into any linked uniform resource locator. c. Insert random data into a hidden field. d. Use a per-session shared secret.

a. In a cross site scripting (XSS) vulnerability, an attacker may use an extensible markup language (XML) injection to perform the equivalent of an XSS, in which requesters of a valid Web service have their requests transparently rerouted to an attacker-controlled Web service that performs malicious operations. To prevent XSS vulnerabilities, the relying party should sanitize inputs from claimants or subscribers to ensure they are not executable, or at the very least not malicious, before displaying them as content to the subscriber's browser. The other three choices are incorrect because they are not applicable to the situation here.

For token threats in electronic authentication, countermeasures used for which one of the following threats are different from the other three threats? a. Online guessing b. Eavesdropping c. Phishing and pharming d. Social engineering

a. In electronic authentication, a countermeasure against the token threat of online guessing uses tokens that generate high entropy authenticators. Common countermeasures against the threats listed in the other three choices are the same and they do not use high entropy authenticators. These common countermeasures include (i) use of tokens with dynamic authenticators where knowledge of one authenticator does not assist in deriving a subsequent authenticator and (ii) use of tokens that generate authenticators based on a token input value.

For information flow enforcement, what are explicit security attributes used to control? a. Release of sensitive data b. Data content c. Data structure d. Source objects

a. Information flow enforcement using explicit security attributes are used to control the release of certain types of information such as sensitive data. Data content, data structure, and source and destination objects are examples of implicit security attributes.

Which of the following is used in the unique identification of employees and contractors? a. Personal identity verification card token b. Passwords c. PKI certificates d. Biometrics

a. It is suggested that a personal identity verification (PIV) card token is used in the unique identification of employees and contractors. The PIV is a physical artifact (e.g., identity card or smart card) issued to an individual that contains stored identity credentials (e.g., photograph, cryptographic keys, or digitized fingerprint). The other three choices are used in user authenticator management, not in user identifier management. Examples of user authenticators include passwords, tokens, cryptographic keys, personal identification numbers (PINs), biometrics, public key infrastructure (PKI) certificates, and key cards. Examples of user identifiers include internal users, external users, contractors, guests, PIV cards, passwords, tokens, and biometrics.

Which of the following security services can Kerberos best provide? a. Authentication b. Confidentiality c. Integrity d. Availability

a. Kerberos is a de facto standard for an authentication protocol, providing a robust authentication method. Kerberos was developed to enable network applications to securely identify their peers and can be used for local/remote logins, remote execution, file transfer, transparent file access (i.e., access of remote files on the network as though they were local) and for client/server requests. The Kerberos system includes a Kerberos server, applications which use Kerberos authentication, and libraries for use in developing applications which use Kerberos authentication. In addition to secure remote procedure call (Secure RPC), Kerberos prevents impersonation in a network environment and only provides authentication services. Other services such as confidentiality, integrity, and availability must be provided by other means. With Kerberos and secure RPC, passwords are not transmitted over the network in plaintext. In Kerberos two items need to prove authentication. The first is the ticket and the second is the authenticator. The ticket consists of the requested server name, the client name, the address of the client, the time the ticket was issued, the lifetime of the ticket, the session key to be used between the client and the server, and some other fields. The ticket is encrypted using the server's secret key and thus cannot be correctly decrypted by the user. If the server can properly decrypt the ticket when the client presents it and if the client presents the authenticator encrypted using the session key contained in the ticket, the server can have confidence in the user's identity. The authenticator contains the client name, address, current time, and some other fields. The authenticator is encrypted by the client using the session key shared with the server. The authenticator provides a time-validation for the credential. If a user possesses both the proper credential and the authenticator encrypted with the correct session key and presents these items within the lifetime of the ticket, then the user's identity can be authenticated. Confidentiality is incorrect because it ensures that data is disclosed to only authorized subjects. Integrity is incorrect because it is the property that an object is changed only in a specified and authorized manner. Availability is incorrect because it is the property that a given resource will be usable during a given time period.

Which situation is Kerberos not used in? a. Managing distributed access rights b. Managing encryption keys c. Managing centralized access rights d. Managing access permissions

a. Kerberos is a private key authentication system that uses a central database to keep a copy of all users' private keys. The entire system can be compromised due to the central database. Kerberos is used to manage centralized access rights, encryption keys, and access permissions.

Which of the following statements is not true about Kerberos protocol? a. Kerberos uses an asymmetric key cryptography. b. Kerberos uses a trusted third party. c. Kerberos is a credential based authentication system. d. Kerberos uses a symmetric key cryptography.

a. Kerberos uses symmetric key cryptography and a trusted third party. Kerberos users authenticate with one another using Kerberos credentials issued by a trusted third party. The bit size of Kerberos is the same as that of DES, which is 56 bits because Kerberos uses a symmetric key algorithm similar to DES.

Which of the following is achieved when two authentication proofs of something that you have is implemented? a. Least assurance b. Increased assurance c. Maximum assurance d. Equivalent assurance

a. Least assurance is achieved when two authentication proofs of something that you have (e.g., card, key, and mobile ID device) are implemented because the card and the key can be lost or stolen. Consequently, multiple uses of something that you have offer lesser access control assurance than using a combination of multifactor authentication techniques. Equivalent assurance is neutral and does not require any further action.

Which of the following is a more simple and basic login control? a. Validating username and password b. Monitoring unsuccessful logins c. Sending alerts to the system operators d. Disabling accounts when a break-in occurs

a. Login controls specify the conditions users must meet for gaining access to a computer system. In most simple and basic cases, access will be permitted only when both a username and password are provided. More complex systems grant or deny access based on the type of computer login; that is, local, dialup, remote, network, batch, or subprocess. The security system can restrict access based on the type of the terminal, or the remote computer's access will be granted only when the user or program is located at a designated terminal or remote system. Also, access can be defined by the time of day and the day of the week. As a further precaution, the more complex and sophisticated systems monitor unsuccessful logins, send messages or alerts to the system operator, and disable accounts when a break-in occurs.

Which of the following types of logical access control mechanisms does not rely on physical access controls? a. Encryption controls b. Application system access controls c. Operating system access controls d. Utility programs

a. Most systems can be compromised if someone can physically access the CPU machine or major components by, for example, restarting the system with different software. Logical access controls are, therefore, dependent on physical access controls (with the exception of encryption, which can depend solely on the strength of the algorithm and the secrecy of the key). Application systems, operating systems, and utility programs are heavily dependent on logical access controls to protect against unauthorized use.

Which of the following authentication techniques is appropriate for accessing nonsensitive IT assets with multiple uses of the same authentication factor? a. Single-factor authentication b. Two-factor authentication c. Three-factor authentication d. Multifactor authentication

a. Multiple uses of the same authentication factor (e.g., using the same password more than once) is appropriate for accessing nonsensitive IT assets and is known as a single-factor authentication. The other three factors are not needed for authentication of low security risk and nonsensitive assets.

Network-based intrusion prevention systems (IPS) are typically deployed: a. Inline b. Outline c. Online d. Offline

a. Network-based IPS performs packet sniffing and analyzes network traffic to identify and stop suspicious activity. They are typically deployed inline, which means that the software acts like a network firewall. It receives packets, analyzes them, and decides whether they should be permitted, and allows acceptable packets to pass through. They detect some attacks on networks before they reach their intended targets. The other three choices are not relevant here.

Which of the following is not an example of nondiscretionary access control? a. Identity-based access control b. Mandatory access control c. Role-based access control d. Temporal constraints

a. Nondiscretionary access control policies have rules that are not established at the discretion of the user. These controls can be changed only through administrative action and not by users. An identity-based access control (IBAC) decision grants or denies a request based on the presence of an entity on an access control list (ACL). IBAC and discretionary access control are considered equivalent and are not examples of nondiscretionary access controls. The other three choices are examples of nondiscretionary access controls. Mandatory access control deals with rules, role-based access control deals with job titles and functions, and temporal constraints deal with time-based restrictions and control time-sensitive activities.

Which of the following cannot detect unsanctioned information and prohibit the transfer of such information between different security domains (i.e., domain-type enforcement)? a. Implementing one-way flows b. Checking information for malware c. Implementing dirty word list searches d. Applying security attributes to metadata

a. One-way flows are implemented using hardware mechanisms for controlling the flow of information within a system and between interconnected systems. As such they cannot detect unsanctioned information. The other three choices do detect unsanctioned information and prohibit the transfer with actions such as checking all transferred information for malware, implementing dirty word list searches on transferred information, and applying security attributes to metadata that are similar to information payloads.

Which of the following is not subjected to impersonation attacks? a. Packet replay b. Forgery c. Relay d. Interception

a. Packet replay is one of the most common security threats to network systems, similar to impersonation and eavesdropping in terms of damage, but dissimilar in terms of functions. Packet replay refers to the recording and retransmission of message packets in the network. It is a significant threat for programs that require authentication-sequences because an intruder could replay legitimate authentication sequence messages to gain access to a system. Packet replay is frequently undetectable but can be prevented by using packet timestamping and packet-sequence counting. Forgery is incorrect because it is one of the ways an impersonation attack is achieved. Forgery is attempting to guess or otherwise fabricate the evidence that the impersonator knows or possesses. Relay is incorrect because it is one of the ways an impersonation attack is achieved. Relay is where one can eavesdrop upon another's authentication exchange and learn enough to impersonate a user. Interception is incorrect because it is one of the ways an impersonation attack is achieved. Interception is where one can slip in between the communications and "hijack" the communications channel.

Which of the security codes is the longest, thereby making it difficult to guess? a. Passphrases b. Passwords c. Lockwords d. Passcodes

a. Passphrases have the virtue of length (e.g., up to 80 characters), making them both difficult to guess and burdensome to discover by an exhaustive trial-and-error attack on a system. The number of characters used in the other three choices is smaller (e.g., four to eight characters) than passphrases. All four security codes are user identification mechanisms. Passwords are uniquely associated with a single user. Lockwords are system-generated terminal passwords shared among users. Passcodes are a combination of password and ID card.

Which of the following is not an example of access control policy? a. Performance-based policy b. Identity-based policy c. Role-based policy d. Rule-based policy

a. Performance-based policy is used to evaluate an employee's performance annually or other times. The other three choices are examples of an access control policy where they control access between users and objects in the information system.

All the following storage encryption authentication products may use the operating system's authentication for single sign-on except: a. Full-disk encryption b. Volume encryption c. Vi rtual disk encryption d. File/folder encryption

a. Products such as volume encryption, virtual disk encryption, or file/folder encryption may use the operating system's authentication for single sign-on (SSO). After a user authenticates to the operating system at login time, the user can access the encrypted file without further authentication, which is risky. You should not use the same single-factor authenticator for multiple purposes. A full-disk encryption provides better security than the other three choices because the entire disk is encrypted, as opposed to part of it.

Some security authorities believe that re-authentication of every transaction provides stronger security procedures. Which of the following security mechanisms is least efficient and least effective for re-authentication? a. Recurring passwords b. Nonrecurring passwords c. Memory tokens d. Smart tokens

a. Recurring passwords are static passwords with reuse and are considered to be a relatively weak security mechanism. Users tend to use easily guessed passwords. Other weaknesses include spoofing users, users stealing passwords through observing keystrokes, and users sharing passwords. The unauthorized use of passwords by outsiders (hackers) or insiders is a primary concern and is considered the least efficient and least effective security mechanism for re-authentication. Nonrecurring passwords are incorrect because they provide a strong form of re-authentication. Examples include a challenge-response protocol or a dynamic password generator where a unique value is generated for each session. These values are not repeated and are good for that session only. Tokens can help in re-authenticating a user or transaction. Memory tokens store but do not process information. Smart tokens expand the functionality of a memory token by incorporating one or more integrated circuits into the token itself. In other words, smart tokens store and process information. Except for passwords, all the other methods listed in the question are examples of advanced authentication methods that can be applied to re-authentication.

In electronic authentication, which of the following is not trustworthy? a. Claimants b. Registration authorities c. Credentials services providers d. Verifiers

a. Registration authorities (RAs), credential service providers (CSPs), verifiers, and relying parties are ordinarily trustworthy in the sense of being correctly implemented and not deliberately malicious. However, claimants or their systems may not be trustworthy or else their identity claims could simply be trusted. Moreover, whereas RAs, CSPs, and verifiers are normally trustworthy, they are not invulnerable and could become corrupted. Therefore, protocols that expose long-term authentication secrets more than are absolutely required, even to trusted entities, should be avoided.

A reuse of a user's operating system password for preboot authentication should not be practiced in the deployment of which of the following storage encryption authentication products? a. Full-disk encryption b. Volume encryption c. Virtual disk encryption d. File/folder encryption

a. Reusing a user' operating system password for preboot authentication in a full (whole) disk encryption deployment would allow an attacker to learn only a single password to gain full access to the device's information. The password could be acquired through technical methods, such as infecting the device with malware, or through physical means, such as watching a user type in a password in a public location. The correct choice is risky compared to the incorrect choices because the latter do not deal with booting a computer or pre-boot authentication.

Which of the following internal access control methods offers a strong form of access control and is a significant deterrent to its use? a. Security labels b. Passwords c. Access control lists d. Encryption

a. Security labels are a strong form of access control. Unlike access control lists, labels cannot ordinarily be changed. Because labels are permanently linked to specific information, data cannot be disclosed by a user copying information and changing the access to that file so that the information is more accessible than the original owner intended. Security labels are well suited for consistently and uniformly enforcing access restrictions, although their administration and inflexibility can be a significant deterrent to their use. Passwords are a weak form of access control, although they are easy to use and administer. Although encryption is a strong form of access control, it is not a deterrent to its use when compared to labels. In reality, the complexity and difficulty of encryption can be a deterrent to its use.

From an access control account management point of view, service-oriented architecture implementations rely on which of the following? a. Dynamic user privileges b. Static user privileges c. Predefined user privileges d. Dynamic user identities

a. Service-oriented architecture (SOA) implementations rely on run-time access control decisions facilitated by dynamic privilege management. In contrast, conventional access control implementations employ static information accounts and predefined sets of user privileges. Although user identities remain relatively constant over time, user privileges may change more frequently based on the ongoing business requirements and operational needs of the organization.

Which of the following statements about an access control system is not true? a. It is typically enforced by a specific application. b. It indicates what a specific user could have done. c. It records failed attempts to perform sensitive actions. d. It records failed attempts to access restricted data.

a. Some applications use access control (typically enforced by the operating system) to restrict access to certain types of information or application functions. This can be helpful to determine what a particular application user could have done. Some applications record information related to access control, such as failed attempts to perform sensitive actions or access restricted data.

What is spoofing? a. Active attack b. Passive attack c. Surveillance attack d. Exhaustive attack

a. Spoofing is a tampering activity and is an active attack. Sniffing is a surveillance activity and is a passive attack. An exhaustive attack (i.e., brute force attack) consists of discovering secret data by trying all possibilities and checking for correctness. For a four-digit password, you might start with 0000 and move to 0001 and 0002 until 9999.

Serious vulnerabilities exist when: a. An untrusted individual has been granted an unauthorized access. b. A trusted individual has been granted an authorized access. c. An untrusted individual has been granted an authorized access. d. A trusted individual has been granted an unauthorized access.

a. Vulnerabilities typically result when an untrusted individual is granted unauthorized access to a system. Granting unauthorized access is riskier than granting authorized access to an untrusted individual, and trusted individuals are better than untrusted individuals. Both trust and authorization are important to minimize vulnerabilities. The other three choices are incorrect because serious vulnerabilities may not exist with them.

Which of the following security models covers confidentiality? a. Bell-LaPadula model b. Biba model c. Information flow model d. Take-grant model

a. The Bell-LaPadula model addresses confidentiality by describing different security levels of security classifications for documents. These classification levels, from least sensitive to most insensitive, include Unclassified, Confidential, Secret, and Top Secret.

In electronic authentication, who maintains the registration records to allow recovery of registration records? a. Credential service provider b. Subscriber c. Relying party d. Registration authority

a. The CSP maintains registration records for each subscriber to allow recovery of registration records. Other responsibilities of the CSP include the following: The CSP is responsible for establishing suitable policies for renewal and reissuance of tokens and credentials. During renewal, the usage or validity period of the token and credential is extended without changing the subscriber's identity or token. During reissuance, a new credential is created for a subscriber with a new identity and/or a new token. The CSP is responsible for maintaining the revocation status of credentials and destroying the credential at the end of its life. For example, public key certificates are revoked using certificate revocation lists (CRLs) after the certificates are distributed. The verifier and the CSP may or may not belong to the same entity. The CSP is responsible for mitigating threats to tokens and credentials and managing their operations. Examples of threats include disclosure, tampering, unavailability, unauthorized renewal or reissuance, delayed revocation or destruction of credentials, and token use after decommissioning. The other three choices are incorrect because the (i) subscriber is a party who has received a credential or token from a CSP, (ii) relying party is an entity that relies upon the subscriber's credentials or verifier's assertion of an identity, and (iii) registration authority (RA) is a trusted entity that establishes and vouches for the identity of a subscriber to a CSP. The RA may be an integral part of a CSP, or it may be independent of a CSP, but it has a relationship to the CSP(s).

From an access control point of view, the Chinese Wall policy focuses on which of the following? a. Confidentiality b. Integrity c. Availability d. Assurance

a. The Chinese Wall policy is used where company sensitive information (i.e., confidentiality) is divided into mutually disjointed conflict-of-interest categories. The Biba model focuses on integrity. Availability, assurance, and integrity are other components of security principles that are not relevant to the Chinese Wall policy.

Which one of the following methodologies or techniques provides the most effective strategy for limiting access to individual sensitive files? a. Access control list and both discretionary and mandatory access control b. Mandatory access control and access control list c. Discretionary access control and access control list d. Physical access control to hardware and access control list with discretionary access control

a. The best control for protecting sensitive files is using mandatory access controls supplemented by discretionary access controls and implemented through the use of an access control list. A complementary mandatory access control mechanism can prevent the Trojan horse attack that can be allowed by the discretionary access control. The mandatory access control prevents the system from giving sensitive information to any user who is not explicitly authorized to access a resource.

During biometric verification, which of the following can result in faster system response times and can be less expensive? a. One-to-one matching b. One-to-many matching c. Many-to-one matching d. Many-to-many matching

a. The biometric verification with one-to-one matching can result in faster system response times and can be less expensive because the personal identification number (PIN) is entered as a first authenticator and the matching is quick.

The correct flows and proper interactions between parties involved in electronic authentication include: a. Applicant?Registration Authority?Subscriber?Claimant b. Registration Authority?Applicant?Claimant?Subscriber c. Subscriber?Applicant?Registration Authority?Claimant d. Claimant?Subscriber?Registration Authority?Applicant

a. The correct flows and proper interactions between the various parties involved in electronic authentication include the following: An individual applicant applies to a registration authority (RA) through a registration process to become a subscriber of a credential service provider (CSP) The RA identity proofs that applicant On successful identity proofing, the RA sends the CSP a registration confirmation message A secret token and a corresponding credential are established between the CSP and the new subscriber for use in subsequent authentication events The party to be authenticated is called a claimant (subscriber) and the party verifying that identity is called a verifier The other three choices are incorrect because they do not represent the correct flows and proper interactions.

The extensible access control markup language (XACML) does not define or support which of the following? a. Trust management b. Privilege management c. Policy language d. Query language

a. The extensible access control markup language (XACML) is a standard for managing access control policy and supports the enterprise-level privilege management. It includes a policy language and a query language. However, XACML does not define authority delegation and trust management.

Which of the following issues is closely related to logical access controls? a. Employee issues b. Hardware issues c. Operating systems software issues d. Application software issues

a. The largest risk exposure remains with employees. Personnel security measures are aimed at hiring honest, competent, and capable employees. Job requirements need to be programmed into the logical access control software. Policy is also closely linked to personnel issues. A deterrent effect arises among employees when they are aware that their misconduct (intentional or unintentional) may be detected. Selecting the right type and access level for employees, informing which employees need access accounts and what type and level of access they require, and informing changes to access requirements are also important. Accounts and accesses should not be granted or maintained for employees who should not have them in the first place. The other three choices are distantly related to logical access controls when compared to employee issues.

What is the objective of separation of duties? a. No one person has complete control over a transaction or an activity. b. Employees from different departments do not work together well. c. Controls are available to protect all supplies. d. Controls are in place to operate all equipment.

a. The objective is to limit what people can do, especially in conflict situations or incompatible functions, in such a way that no one person has complete control over a transaction or an activity from start to finish. The goal is to limit the possibility of hiding irregularities or fraud. The other three choices are not related to separation of duties.

Cryptographic authentication systems must specify how the cryptographic algorithms will be used. Which of the following authentication systems would reduce the risk of impersonation in an environment of networked computer systems? a. Kerberos-based authentication system b. Password-based authentication system c. Memory token-based authentication system d. Smart token-based authentication system

a. The primary goal of Kerberos is to prevent system users from claiming the identity of other users in a distributed computing environment. The Kerberos authentication system is based on secret key cryptography. The Kerberos protocol provides strong authentication of users and host computer systems. Further, Kerberos uses a trusted third party to manage the cryptographic keying relationships, which are critical to the authentication process. System users have a significant degree of control over the workstations used to access network services, and these workstations must therefore be considered not trusted. Kerberos was developed to provide distributed network authentication services involving client/server systems. A primary threat in this type of client/server system is the possibility that one user claims the identity of another user (impersonation), thereby gaining access to system services without the proper authorization. To protect against this threat, Kerberos provides a trusted third party accessible to network entities, which supports the services required for authentication between these entities. This trusted third party is known as the Kerberos key distribution server, which shares secret cryptographic keys with each client and server within a particular realm. The Kerberos authentication model is based upon the presentation of cryptographic tickets to prove the identity of clients requesting services from a host system or server. The other three choices are incorrect because they cannot reduce the risk of impersonation. For example: (i) passwords can be shared, guessed, or captured and (ii) memory tokens and smart tokens can be lost or stolen. Also, these three choices do not use a trusted third party to strengthen controls as Kerberos does.

Each user is granted the lowest clearance needed to perform authorized tasks. Which of the following principles is this? a. The principle of least privilege b. The principle of separation of duties c. The principle of system clearance d. The principle of system accreditation

a. The principle of least privilege requires that each subject (user) in a system be granted the most restrictive set of privileges (or lowest clearances) needed to perform authorized tasks. The application of this principle limits the damage that can result from accident, error, and/or unauthorized use. The principle of separation of duties states that no single person can have complete control over a business transaction or task. The principle of system clearance states that users' access rights should be based on their job clearance status (i.e., sensitive or non-sensitive). The principle of system accreditation states that all systems should be approved by management prior to making them operational.

Which of the following security features is not supported by the principle of least privilege? a. All or nothing privileges b. The granularity of privilege c. The time bounding of privilege d. Privilege inheritance

a. The purpose of a privilege mechanism is to provide a means of granting specific users or processes the ability to perform security-relevant actions for a limited time and under a restrictive set of conditions, while still permitting tasks properly authorized by the system administrator. This is the underlying theme behind the security principle of least privilege. It does not imply an "all or nothing" privilege. The granularity of privilege is incorrect because it is one of the security features supported by the principle of least privilege. A privilege mechanism that supports granularity of privilege can enable a process to override only those security-relevant functions needed to perform the task. For example, a backup program needs to override only read restrictions, not the write or execute restriction on files. The time bounding of privilege is incorrect because it is one of the security features supported by the principle of least privilege. The time bounding of privilege is related in that privileges required by an application or a process can be enabled and disabled as the application or process needs them. Privilege inheritance is incorrect because it is one of the security features supported by the principle of least privilege. Privilege inheritance enables a process image to request that all, some, or none of its privileges get passed on to the next process image. For example, application programs that execute other utility programs need not pass on any privileges if the utility program does not require them.

Which of the following can coexist in providing strong access control mechanisms? a. Kerberos authentication and single sign-on system b. Kerberos authentication and digital signature system c. Kerberos authentication and asymmetric key system d. Kerberos authentication and digital certificate system

a. When Kerberos authentication is combined with single sign-on systems, it requires establishment of and operating the privilege servers. Kerberos uses symmetric key cryptography, and the other three choices are examples of asymmetric key cryptography.

Which of the following statement is not true in electronic authentication? a. The registration authority and the credential service provider may be the same entity b. The verifier and the relying party may be the same entity c. The verifier, credential service provider, and the relying party may be separate entities d. The verifier and the relying party may be separate entities

a. The relationship between the registration authority (RA) and the credential service provider (CSP) is a complex one with ongoing relationship. In the simplest and perhaps the most common case, the RA and CSP are separate functions of the same entity. However, an RA might be part of a company or organization that registers subscribers with an independent CSP, or several different CSPs. Therefore a CSP may be an integral part of RA, or it may have relationships with multiple independent RAs, and an RA may have relationships with different CSPs as well. The statements in the other three choices are true. The party to be authenticated is called a claimant (subscriber) and the party verifying that identity is called a verifier. When a subscriber needs to authenticate to perform a transaction, he becomes a claimant to a verifier. A relying party relies on results of an online authentication to establish the identity or attribute of a subscriber for the purpose of some transaction. Relying parties use a subscriber's authenticated identity and other factors to make access control or authorization decisions. The verifier and the relying party may be the same entity, or they may be separate entities. In some cases the verifier does not need to directly communicate with the CSP to complete the authentication activity (e.g., the use of digital certificates), which represents a logical link between the two entities rather than a physical link. In some implementations, the verifier, the CSP functions, and the relying party may be distributed and separated.

Below is a list of pairs, which are related to one another. Which pair of items represents the integral reliance on the first item to enforce the second? a. The separation of duties principle, the least privilege principle b. The parity check, the limit check c. The single-key system, the Rivest-Shamir-Adelman (RSA) algorithm d. The two-key system, the Data Encryption Standard (DES) algorithm

a. The separation of duties principle is related to the "least privilege" principle; that is, users and processes in a system should have the least number of privileges and for the minimal period of time necessary to perform their assigned tasks. The authority and capacity to perform certain functions should be separated and delegated to different individuals. This principle is often applied to split the authority to write and approve monetary transactions between two people. It can also be applied to separate the authority to add users to a system and other system administrator duties from the authority to assign passwords, conduct audits, and perform other security administrator duties. There is no relation between the parity check, which is hardware-based, and the limit check, which is a software-based application. The parity check is a check that tests whether the number of ones (1s) or zeros (0s) in an array of binary digits is odd or even. Odd parity is standard for synchronous transmission and even parity for asynchronous transmission. In the limit check, a program tests the specified data fields against defined high or low value limits for acceptability before further processing. The RSA algorithm is incorrect because it uses two keys: private and public. The DES is incorrect because it uses only one key for both encryption and decryption (secret or private key).

From an access control point of view, separation of duty is of two types: static and dynamic. Which of the following are examples of dynamic separation of duties? 1. Two-person rule 2. History-based separation of duty 3. Design-time 4. Run-time a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4

a. The two-person rule states that the first user can be any authorized user, but the second user can be any authorized user different from the first. History-based separation of duty regulates that the same subject (role or user) cannot access the same object (program or device) for a variable number of times. Design-time and run-time are used in the workflow policy.

Which of the following is a component that provides a security service for a smart card application used in a mobile device authentication? a. Challenge-response protocol b. Service provider c. Resource manager d. Driver for the smart card reader

a. The underlying mechanism used to authenticate users via smart cards relies on a challenge-response protocol between the device and the smart card. For example, a personal digital assistant (PDA) challenges the smart card for an appropriate and correct response that can be used to verify that the card is the one originally enrolled by the PDA device owner. The challenge-response protocol provides a security service. The three main software components that support a smart card application include the service provider, a resource manager, and a driver for the smart card reader.

Which of the following is the primary technique used by commercially available intrusion detection and prevention systems (IDPS) to analyze events to detect attacks? a. Signature-based IDPS b. Anomaly-based IDPS c. Behavior-based IDPS d. Statistical-based IDPS

a. There are two primary approaches to analyzing events to detect attacks: signature detection and anomaly detection. Signature detection is the primary technique used by most commercial systems; however, anomaly detection is the subject of much research and is used in a limited form by a number of intrusion detection and prevention systems (IDPS). Behavior and statistical based IDPS are part of anomaly-based IDPS.

From an access control effectiveness viewpoint, which of the following represents biometric verification when a user submits a combination of a personal identification number (PIN) first and biometric sample next for authentication? a. One-to-one matching b. One-to-many matching c. Many-to-one matching d. Many-to-many matching

a. This combination of authentication represents something that you know (PIN) and something that you are (biometric). At the authentication system prompt, the user enters the PIN and then submits a biometric live-captured sample. The system compares the biometric sample to the biometric reference data associated with the PIN entered, which is a one-to-one matching of biometric verification. The other three choices are incorrect because the correct answer is based on its definition.

If proper mutual authentication is not performed, what is the single sign-on technology vulnerable to? a. Man-in-the-middle attack b. Replay attack c. Social engineering attack d. Phishing attack

a. User authentication to the single sign-on (SSO) technology is important. If proper mutual authentication is not performed, the SSO technology using passwords is vulnerable to a man-inthe- middle (MitM) attack. Social engineering and phishing attacks are based on passwords, and replay attacks do not use passwords.

For identity management, which of the following requires multifactor authentication? a. User-to-host architecture b. Peer-to-peer architecture c. Client host-to-server architecture d. Trusted third-party architecture

a. When a user logs onto a host computer or workstation, the user must be identified and authenticated before access to the host or network is granted. This process requires a mechanism to authenticate a real person to a machine. The best methods of doing this involve multiple forms of authentication with multiple factors, such as something you know (password), something you have (physical token), and something you are (biometric verification). The other three choices do not require multifactor authentication because they use different authentication methods. Peer-to-peer architecture, sometimes referred to as mutual authentication protocol, involves the direct communication of authentication information between the communicating entities (e.g., peer-to-peer or client host-to-server). The architecture for trusted third-party (TTP) authentication uses a third entity, trusted by all entities, to provide authentication information. The amount of trust given the third entity must be evaluated. Methods to establish and maintain a level of trust in a TTP include certification practice statements (CPS) that establishes rules, processes, and procedures that a certificate authority (CA) uses to ensure the integrity of the authentication process and use of secure protocols to interface with authentication servers. A TTP may provide authentication information in each instance of authentication, in real-time, or as a precursor to an exchange with a CA.

In electronic authentication, electronic credentials are stored as data in a directory or database. Which of the following refers to when the directory or database is untrusted? a. Self-authenticating b. Authentication to the relying party c. Authentication to the verifier d. Authentication to the credential service provider

a. When electronic credentials are stored in a directory or database server, the directory or database may be an untrusted entity because the data it supplies is self-authenticated. Alternatively, the directory or database server may be a trusted entity that authenticates itself to the relying party or verifier, but not to the CSP.

What implementation is an example of an access control policy for a bank teller? a. Role-based policy b. Identity-based policy c. User-directed policy d. Rule-based policy

a. With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, bank teller, and manager). Access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. The use of roles to control access can be an effective means for developing and enforcing enterprise-specific security policies and for streamlining the security management process. Identity-based and user-directed policies are incorrect because they are examples of discretionary access control. Identity-based access control is based only on the identity of the subject and object. In user-directed access controls, a subject can alter the access rights with certain restrictions. Rule-based policy is incorrect because it is an example of a mandatory type of access control and is based on specific rules relating to the nature of the subject and object.

Which one of the following access-control policy or model requires security clearances for subjects? a. Discretionary access control (DAC) b. Mandatory access control (MAC) c. Role-based access control (RBAC) d. Access control lists (ACLs)

b. A mandatory access control (MAC) restricts access to objects based on the sensitivity of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.

Which of the following is critical to understanding an access control policy? a. Reachable-state b. Protection-state c. User-state d. System-state

b. A protection-state is that part of the system-state critical to understanding an access control policy. A system must be either in a protection-state or reachable-state. User-state is not critical because it is the least privileged mode.

Kerberos uses which of the following to protect against replay attacks? a. Cards b. Timestamps c. Tokens d. Keys

b. A replay attack refers to the recording and retransmission of message packets in the network. Although a replay attack is frequently undetected, but it can be prevented by using packet timestamping. Kerberos uses the timestamps but not cards, tokens, and keys.

What is a marking assigned to a computing resource called? a. Security tag b. Security label c. Security level d. Security attribute

b. A security label is a marking bound to a resource (which may be a data unit) that names or designates the security attributes of that resource. A security tag is an information unit containing a representation of certain security-related information (e.g., a restrictive attribute bitmap). A security level is a hierarchical indicator of the degree of sensitivity to a certain threat. It implies, according to the security policy enforced, a specific level of protection. A security attribute is a security-related quality of an object. Security attributes may be represented as hierarchical levels, bits in a bitmap, or numbers. Compartments, caveats, and release markings are examples of security attributes.

What is the most risky part of the primary nature of access control? a. Configured or misconfigured b. Enabled or disabled c. Privileged or unprivileged d. Encrypted or decrypted

b. Access control software can be enabled or disabled, meaning security function can be turned on or off. When disabled, the logging function does not work. The other three choices are somewhat risky but not as much as enabled or disabled.

Accountability is not related to which of the following information security objectives? a. Identification b. Availability c. Authentication d. Auditing

b. Accountability is typically accomplished by identifying and authenticating system users and subsequently tracing their actions through audit trails (i.e., auditing).

Accountability is important to implementing security policies. Which of the following is least effective in exacting accountability from system users? a. Auditing requirements b. Password and user ID requirements c. Identification controls d. Authentication controls

b. Accountability means holding individual users responsible for their actions. Due to several problems with passwords and user IDs, they are considered to be the least effective in exacting accountability. These problems include easy to guess passwords, easy to spoof users for passwords, easy to steal passwords, and easy to share passwords. The most effective controls for exacting accountability include a policy, authorization scheme, identification and authentication controls, access controls, audit trails, and auditing.

For intrusion detection and prevention system capabilities using anomaly-based detection, administrators should check which of the following to determine whether they need to be adjusted to compensate for changes in the system and changes in threats? a. Whitelists b. Thresholds c. Program code viewing d. Blacklists

b. Administrators should check the intrusion detection and prevention system (IDPS) thresholds and alert settings to determine whether they need to be adjusted periodically to compensate for changes in the system environment and changes in threats. The other three choices are incorrect because the anomaly-based detection does not use whitelists, blacklists, and program code viewing.

Which of the following actions is effective for reviewing guest/anonymous accounts, temporary accounts, inactive accounts, and emergency accounts? a. Disabling b. Auditing c. Notifying d. Terminating

b. All the accounts mentioned in the question can be disabled, notified, or terminated, but it is not effective. Auditing of account creation, modification, notification, disabling, and termination (i.e., the entire account cycle) is effective because it can identify anomalies in the account cycle process.

Identifier management is applicable to which of the following accounts? a. Group accounts b. Local user accounts c. Guest accounts d. Anonymous accounts

b. All users accessing an organization's information systems must be uniquely identified and authenticated. Identifier management is applicable to local user accounts where the account is valid only on a local computer, and its identity can be traced to an individual. Identifier management is not applicable to shared information system accounts, such as group, guest, default, blank, anonymous, and nonspecific user accounts.

Which of the following access control policies or models provides a straightforward way of granting or denying access for a specified user? a. Role-based access control (RBAC) b. Access control lists (ACLs) c. Mandatory access control (MAC) d. Discretionary access control (DAC)

b. An access control list (ACL) is an object associated with a file and containing entries specifying the access that individual users or groups of users have to the file. ACLs provide a straightforward way to grant or deny access for a specified user or groups of users. Other choices are not that straightforward in that they use labels, tags, and roles.

In electronic authentication, which of the following represents the correct order of passing information about assertions? a. Subscriber?Credential Service Provider?Registration Authority b. Verifier?Claimant?Relying Party c. Relying Party?Claimant?Registration Authority d. Verifier?Credential Service Provider?Relying Party

b. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber (i.e., claimant). These assertions are used to pass information about the claimant from the verifier to a relying party. Assertions may be digitally signed objects or they may be obtained from a trusted source by a secure protocol. When the verifier and the relying parties are separate entities, the verifier conveys the result of the authentication protocol to the relying party. The object created by the verifier to convey the result of the authentication protocol is called an assertion. The credential service provider and the registration authority are not part of the assertion process.

In electronic authentication, which of the following can mitigate the threat of assertion reuse? a. Digital signature and TLS/SSL b. Timestamp and short lifetime of validity c. Digital signature with a key supporting nonrepudiation d. HTTP and TLS

b. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion reuse, the assertion should include a timestamp and a short lifetime of validity. The other three choices are incorrect because they are not applicable to the situation here.

An information system dynamically reconfigures with which of the following as information is created and combined? a. Security attributes and data structures b. Security attributes and security policies c. Security attributes and information objects d. Security attributes and security labels

b. An information system dynamically reconfigures security attributes in accordance with an identified security policy as information is created and combined. The system supports and maintains the binding of security attributes to information in storage, in process, and in transmission. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structures (e.g., records, buffers, and files) for that object.

Which of the following is the technique used in anomaly detection in intrusion detection systems where user and system behaviors are expressed in terms of counts? a. Parametric statistics b. Threshold detection measures c. Rule-based measures d. Nonparametric statistics

b. Anomaly detectors identify abnormal, unusual behavior (anomalies) on a host or network. In threshold detection measures, certain attributes of user and system behavior are expressed in terms of counts, with some level established as permissible. Such behavior attributes can include the number of files accessed by a user in a given period of time. Statistical measures include parametric and nonparametric. In parametric measures the distribution of the profiled attributes is assumed to fit a particular pattern. In the nonparametric measures the distribution of the profiled attributes is "learned" from a set of historical data values, observed over time. Rule-based measures are similar to nonparametric statistical measures in that observed data defines acceptable usage patterns but differs in that those patterns are specified as rules, not numeric quantities.

It is vital that access controls protecting a computer system work together. Which of the following types of access controls should be most specific? a. Physical b. Application system c. Operating system d. Communication system

b. At a minimum, four basic types of access controls should be considered: physical, operating system, communications, and application. In general, access controls within an application are the most specific. However, for application access controls to be fully effective, they need to be supported by operating system and communications system access controls. Otherwise, access can be made to application resources without going through the application. Operating system, communication, and application access controls need to be supported by physical access controls such as physical security and contingency planning.

In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of impersonation? a. Liveness detection b. Digital signatures c. Rejecting exact matches d. Session lock

b. Attackers can use residual data on the biometric reader or in memory to impersonate someone who authenticated previously. Cryptographic methods such as digital signatures can prevent attackers from inserting or swapping biometric data without detection. The other three choices do not provide cryptographic measures to prevent impersonation attacks.

Which of the following is not a preventive measure against network intrusion attacks? a. Firewalls b. Auditing c. System configuration d. Intrusion detection system

b. Auditing is a detection activity, not a preventive measure. Examples of preventive measures to mitigate the risks of network intrusion attacks include firewalls, system configuration, and intrusion detection system.

Intrusion detection and prevention systems look at security policy violations: a. Statically b. Dynamically c. Linearly d. Nonlinearly

b. Intrusion detection and prevention systems (IDPS) look for specific symptoms of intrusions and security policy violations dynamically. IDPS are analogous to security monitoring cameras. Vulnerability analysis systems take a static view of symptoms. Linearly and nonlinearly are not applicable here because they are mathematical concepts.

Authorization controls are a part of which of the following? a. Directive controls b. Preventive controls c. Detective controls d. Corrective controls

b. Authorization controls such as access control matrices and capability tests are a part of preventive controls because they block unauthorized access. Preventive controls deter security incidents from happening in the first place. Directive controls are broad-based controls to handle security incidents, and they include management's policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

Use of login IDs and passwords is the most commonly used mechanism for which of the following? a. Providing dynamic verification of a user b. Providing static verification of a user c. Providing a strong user authentication d. Batch and online computer systems alike

b. By definition, a static verification takes place only once at the start of each login session. Passwords may or may not be reusable. Dynamic verification of a user takes place when a person types on a keyboard and leaves an electronic signature in the form of keystroke latencies in the elapsed time between keystrokes. For well-known, regular type strings, this signature can be quite consistent. Here is how a dynamic verification mechanism works: When a person wants to access a computer resource, he is required to identify himself by typing his name. The latency vector of the keystrokes of this name is compared with the reference signature stored in the computer. If this claimant's latency vector and the reference signature are statistically similar, the user is granted access to the system. The user is asked to type his name a number of times to provide a vector of mean latencies to be used as a reference. This can be viewed as an electronic signature of the user. Passwords do not provide a strong user authentication. If they did, there would not be a hacker problem today. Passwords provide the weakest user authentication due to their sharing and guessable nature. Only online systems require a user ID and password from a user due to their interactive nature. Only batch jobs and files require a user ID and password when submitting a job or modifying a file. Batch systems are not interactive.

From an access control point of view, separation of duty is not related to which of the following? a. Safety b. Reliability c. Fraud d. Security

b. Computer systems must be designed and developed with security and safety in mind because unsecure and unsafe systems can cause injury to people and damage to assets (e.g., military and airline systems). With separation of duty (SOD), fraud can be minimized when sensitive tasks are separated from each other (e.g., signing a check from requesting a check). Reliability is more of an engineering term in that a computer system is expected to perform with the required precision on a consistent basis. On the other hand, SOD deals with people and their work-related actions, which are not precise and consistent.

Which of the following pairs of high-level system services provide controlled access to networks? a. Access control lists and access privileges b. Identification and authentication c. Certification and accreditation d. Accreditation and assurance

b. Controlling access to the network is provided by the network's identification and authentication services, which go together. This service is pivotal in providing controlled access to the resources and services offered by the network and in verifying that the mechanisms provide proper protection. Identification is the process that enables recognition of an entity by a computer system, generally by the use of unique machine-readable usernames. Authentication is the verification of the entity's identification. That is when the host, to whom the entity must prove his identity, trusts (through an authentication process) that the entity is who he claims to be. The threat to the network that the identification and authentication service must protect against is impersonation. Access control list (ACL) and access privileges do not provide controlled access to networks because ACL is a list of the subjects that are permitted to access an object and the access rights (privileges) of each subject. This service comes after initial identification and authentication service. Certification and accreditation services do not provide controlled access to networks because certification is the administrative act of approving a computer system for use in a particular application. Accreditation is the management's formal acceptance of the adequacy of a computer system's security. Certification and accreditation are similar in concept. This service comes after initial identification and authentication service. Accreditation and assurance services do not provide controlled access to networks because accreditation is the management's formal acceptance of the adequacy of a computer system's security. Assurance is confidence that a computer system design meets its requirements. Again, this service comes after initial identification and authentication service.

Regarding access enforcement, which of the following mechanisms should not be employed when an immediate response is necessary to ensure public and environmental safety? a. Dual cable b. Dual authorization c. Dual use certificate d. Dual backbone

b. Dual authorization mechanisms require two forms of approval to execute. The organization should not employ a dual authorization mechanism when an immediate response is necessary to ensure public and environmental safety because it could slow down the needed response. The other three choices are appropriate when an immediate response is necessary.

In electronic authentication, electronic credentials are stored as data in a directory or database. Which of the following refers to when the directory or database is trusted? a. Signed credentials are stored as signed data. b. Unsigned credentials are stored as unsigned data. c. Signed credentials are stored as unsigned data. d. Unsigned credentials are stored as signed data.

b. Electronic credentials are digitally signed objects, in which case their integrity is verified. When the directory or database server is trusted, unsigned credentials may be stored as unsigned data.

Intrusion detection and prevention systems serve as which of the following? a. Barrier mechanism b. Monitoring mechanism c. Accountability mechanism d. Penetration mechanism

b. Intrusion detection and prevention systems (IDPS) serve as monitoring mechanisms, watching activities, and making decisions about whether the observed events are suspicious. IDPS can spot attackers circumventing firewalls and report them to system administrators, who can take steps to prevent damage. Firewalls serve as barrier mechanisms, barring entry to some kinds of network traffic and allowing others, based on a firewall policy.

Encryption is a part of which of the following? a. Directive controls b. Preventive controls c. Detective controls d. Corrective controls

b. Encryption prevents unauthorized access and protects data and programs when they are in storage (at rest) or in transit. Preventive controls deter security incidents from happening in the first place. Directive controls are broad-based controls to handle security incidents, and they include management's policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

Which of the following statements is not true about honeypots' logs? a. Honeypots are deceptive measures. b. Honeypots collect data on indications. c. Honeypots are hosts that have no authorized users. d. Honeypots are a supplement to properly securing networks, systems, and applications.

b. Honeypots are deceptive measures collecting better data on precursors, not on indications. A precursor is a sign that an incident may occur in the future. An indication is a sign that an incident may have occurred or may be occurring now. Honeypots are hosts that have no authorized users other than the honeypot administrators because they serve no business function; all activity directed at them is considered suspicious. Attackers scan and attack honeypots, giving administrators data on new trends and attack/attacker tools, particularly malicious code. However, honeypots are a supplement to, not a replacement for, properly securing networks, systems, and applications.

Host and application system hardening procedures are a part of which of the following? a. Directive controls b. Preventive controls c. Detective controls d. Corrective controls

b. Host and application system hardening procedures are a part of preventive controls, as they include antivirus software, firewalls, and user account management. Preventive controls deter security incidents from happening in the first place. Directive controls are broad-based controls to handle security incidents, and they include management's policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

Which of the following access mechanisms creates a potential security problem? a. Location-based access mechanism b. IP address-based access mechanism c. Token-based access mechanism d. Web-based access mechanism

b. IP address-based access mechanisms use Internet Protocol (IP) source addresses, which are not secure and subject to IP address spoofing attacks. The IP address deals with identification only, not authentication. Location-based access mechanism is incorrect because it deals with a physical address, not IP address. Token-based access mechanism is incorrect because it uses tokens as a means of identification and authentication. Web-based access mechanism is incorrect because it uses secure protocols to accomplish authentication. The other three choices accomplish both identification and authentication and do not create a security problem as does the IP addressbased access mechanism.

In electronic authentication, which of the following statements is not true about a multistage token scheme? a. An additional token is used for electronic transaction receipt. b. Multistage scheme assurance is higher than the multitoken scheme assurance using the same set of tokens. c. An additional token is used as a confirmation mechanism. d. Two tokens are used in two stages to raise the assurance level.

b. In a multistage token scheme, two tokens are used in two stages, and additional tokens are used for transaction receipt and confirmation mechanism to achieve the required assurance level. The level of assurance of the combination of the two stages can be no higher than that possible through a multitoken authentication scheme using the same set of tokens.

Kerberos can prevent which one of the following attacks? a. Tunneling attack b. Playback attack c. Destructive attack d. Process attack

b. In a playback (replay) attack, messages received from something or from somewhere are replayed back to it. It is also called a reflection attack. Kerberos puts the time of day in the request to prevent an eavesdropper from intercepting the request for service and retransmitting it from the same host at a later time. A tunneling attack attempts to exploit a weakness in a system that exists at a level of abstraction lower than that used by the developer to design the system. For example, an attacker might discover a way to modify the microcode of a processor used when encrypting some data, rather than attempting to break the system's encryption algorithm. Destructive attacks damage information in a fashion that denies service. These attacks can be prevented by restricting access to critical data files and protecting them from unauthorized users. In process attacks, one user makes a computer unusable for others that use the computer at the same time. These attacks are applicable to shared computers.

Token duplication is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the token duplication threat? a. Use tokens that generate high entropy authenticators. b. Use hardware cryptographic tokens. c. Use tokens with dynamic authenticators. d. Use multifactor tokens.

b. In token duplication, the subscriber's token has been copied with or without the subscriber's knowledge. A countermeasure is to use hardware cryptographic tokens that are difficult to duplicate. Physical security mechanisms can also be used to protect a stolen token from duplication because they provide tamper evidence, detection, and response capabilities. The other three choices cannot handle a duplicate tokens problem.

Which of the following is achieved when two authentication proofs of something that you know are implemented? a. Least assurance b. Increased assurance c. Maximum assurance d. Equivalent assurance

b. Increased assurance is achieved when two authentication proofs of something that you know (e.g., using two different passwords with or without PINs) are implemented. Multiple proofs of something that you know offer greater assurance than does multiple proofs of something that you have. However, multiple uses of something that you know provide equivalent assurance to a combination of multifactor authentication techniques.

What is Kerberos? a. Access-oriented protection system b. Ticket-oriented protection system c. List-oriented protection system d. Lock-and-key-oriented protection system

b. Kerberos was developed to enable network applications to securely identify their peers. It uses a ticket, which identifies the client, and an authenticator that serves to validate the use of that ticket and prevent an intruder from replaying the same ticket to the server in a future session. A ticket is valid only for a given time interval. When the interval ends, the ticket expires, and any later authentication exchanges require a new ticket. An access-oriented protection system can be based on hardware or software or a combination of both to prevent and detect unauthorized access and to permit authorized access. In listoriented protection systems, each protected object has a list of all subjects authorized to access it. A lock-and-key-oriented protection system involves matching a key or password with a specific access requirement. The other three choices do not provide a strong authentication protection, as does the Kerberos.

Which of the following security control mechanisms is simplest to administer? a. Discretionary access control b. Mandatory access control c. Access control list d. Logical access control

b. Mandatory access controls are the simplest to use because they can be used to grant broad access to large sets of files and to broad categories of information. Discretionary access controls are not simple to use due to their finer level of granularity in the access control process. Both the access control list and logical access control require a significant amount of administrative work because they are based on the details of each individual user.

Which of the following binds security attributes to information to facilitate information flow policy enforcement? a. Security labels b. Resolution labels c. Header labels d. File labels

b. Means to bind and enforce the information flow include resolution labels that distinguish between information systems and their specific components, and between individuals involved in preparing, sending, receiving, or disseminating information. The other three types of labels cannot bind security attributes to information.

For identity management, most network operating systems are based on which of the following access control policy? a. Rule-based access control (RuBAC) b. Identity-based access control (IBAC) c. Role-based access control (RBAC) d. Attribute-based access control (ABAC)

b. Most network operating systems are implemented with an identity-based access control (IBAC) policy. Entities are granted access to resources based on any identity established during network logon, which is compared with one or more access control lists (ACLs). These lists may be individually administered, may be centrally administered and distributed to individual locations, or may reside on one or more central servers. Attribute-based access control (ABAC) deals with subjects and objects, rule-based (RuBAC) deals with rules, and role-based (RBAC) deals with roles or job functions.

Which of the following is an example of nonpolled authentication? a. Smart card b. Password c. Memory token d. Communications signal

b. Nonpolled authentication is discrete; after the verdict is determined, it is inviolate until the next authentication attempt. Examples of nonpolled authentication include password, fingerprint, and voice verification. Polled authentication is continuous; the presence or absence of some token or signal determines the authentication status. Examples of polled authentication include smart card, memory token, and communications signal, whereby the absence of the device or signal triggers a nonauthenticated condition.

Which of the following access enforcement mechanisms provides increased information security for an organization? a. Access control lists b. Business application system c. Access control matrices d. Cryptography

b. Normal access enforcement mechanisms include access control lists, access control matrices, and cryptography. Increased information security is provided at the application system level (i.e., accounting and marketing systems) due to the use of password and PIN.

What is using a personal identity card with attended access (e.g., a security guard) and a PIN called? a. One-factor authentication b. Two-factor authentication c. Three-factor authentication d. Four-factor authentication

b. On the surface, this situation may seem a three-factor authentication, but in reality it is a two-factor authentication, because only a card (proof of one factor) and PIN (proof of second factor) are used, resulting in a two-factor authentication. Note that it is not the strongest twofactor authentication because of the attended access. A security guard is an example of attended access, who is checking for the validity of the card, and is counted as one-factor authentication. Other examples of attended access include peers, colleagues, and supervisors who will vouch for the identify of a visitor who is accessing physical facilities.

Which of the following is a major issue with implementation of intrusion detection systems? a. False-negative notification b. False-positive notification c. True-negative notification d. True-positive notification

b. One of the biggest single issues with intrusion detection system (IDS) implementation is the handling of false-positive notification. An anomaly-based IDS produces a large number of false alarms (false-positives) due to the unpredictable nature of users and networks. Automated systems are prone to mistakes, and human differentiation of possible attacks is resourceintensive.

For authenticator management, which of the following presents a significant security risk? a. Stored authenticators b. Default authenticators c. Reused authenticators d. Refreshed authenticators

b. Organizations should change the default authenticators upon information system installation or require vendors and/or manufacturers to provide unique authenticators prior to delivery. This is because default authenticator credentials are often well known, easily discoverable, and present a significant security risk, and therefore, should be changed upon installation. A stored or embedded authenticator can be risky depending on whether it is encrypted or unencrypted. Both reused and refreshed authenticators are less risky compared to default and stored authenticators because they are under the control of the user organization.

In electronic authentication, which of the following is used to verify proof-ofpossession of registered devices or identifiers? a. Lookup secret token b. Out-of-band token c. Token lock-up feature d. Physical security mechanism

b. Out-of-band tokens can be used to verify proof-of-possession of registered devices (e.g., cell phones) or identifiers (e.g., e-mail IDs). The other three choices cannot verify proof-ofpossession. Lookup secret tokens can be copied. Some tokens can lock up after a number of repeated failed activation attempts. Physical security mechanisms can be used to protect a stolen token from duplication because they provide tamper evidence, detection, and response capabilities.

Which of the following is not an example of policy rules for cross domain transfers? a. Prohibiting more than two-levels of embedding b. Facilitating policy decisions on source and destination c. Prohibiting the transfer of archived information d. Limiting embedded components within other components

b. Parsing transfer files facilitates policy decisions on source, destination, certificates, classification subject, or attachments. The other three choices are examples of policy rules for cross domain transfers.

Which of the following is the most effective method for password creation? a. Using password generators b. Using password advisors c. Assigning passwords to users d. Implementing user selected passwords

b. Password advisors are computer programs that examine user choices for passwords and inform the users if the passwords are weak. Passwords produced by password generators are difficult to remember, whereas user selected passwords are easy to guess. Users write the password down on a paper when it is assigned to them.

What is password management an example of? a. Directive control b. Preventive control c. Detective control d. Corrective control

b. Password management is an example of preventive controls in that passwords deter unauthorized users from accessing a system unless they know the password through some other means.

For password management, which of the following ensures password strength? a. Passwords with maximum keyspace, shorter passphrases, low entropy, and simple passphrases b. Passwords with balanced keyspace, longer passphrases, high entropy, and complex passphrases c. Passwords with minimum keyspace, shorter passphrases, high entropy, and simple passphrases d. Passwords with most likely keyspace, longer passphrases, low entropy, and complex passphrases

b. Password strength is determined by a password's length and its complexity, which is determined by the unpredictability of its characters. Passwords based on patterns such as keyspace may meet password complexity and length requirement, but they significantly reduce the keyspace because attackers are aware of these patterns. The ideal keyspace is a balanced one between maximum, most likely, and minimum scenarios. Simple and short passphrases have low entropy because they consist of concatenated dictionary words, which are easy to guess and attack. Therefore, passphrases should be complex and longer to provide high entropy. Passwords with balanced keyspace, longer passphrases, high entropy, and complex passphrases ensure password strength.

In mobile device authentication, password and personal identification number (PIN) authentication is an example of which of the following? a. Proof-by-possession b. Proof-by-knowledge c. Proof-by-property d. Proof-of-origin

b. Proof-by-knowledge is where a claimant authenticates his identity to a verifier by the use of a password or PIN (i.e., something you know) that he has knowledge of. Proof-by-possession and proof-by-property, along with proof-by-knowledge, are used in mobile device authentication and robust authentication. Proof-of-origin is the basis to prove an assertion. For example, a private signature key is used to generate digital signatures as a proofof- origin.

An inherent risk is associated with logical access that is difficult to prevent or mitigate but can be identified via a review of audit trails. Which of the following types of access is this risk most associated with? a. Properly used authorized access b. Misused authorized access c. Unsuccessful unauthorized access d. Successful unauthorized access

b. Properly authorized access, as well as misused authorized access, can use audit trail analysis but more so of the latter due to its high risk. Although users cannot be prevented from using resources to which they have legitimate access authorization, audit trail analysis is used to examine their actions. Similarly, unauthorized access attempts, whether successful or not, can be detected through the analysis of audit trails.

Remote access controls are a part of which of the following? a. Directive controls b. Preventive controls c. Detective controls d. Corrective controls

b. Remote access controls are a part of preventive controls, as they include Internet Protocol (IP) packet filtering by border routers and firewalls using access control lists. Preventive controls deter security incidents from happening in the first place. Directive controls are broad-based controls to handle security incidents, and they include management's policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

What is using two different passwords for accessing two different systems in the same session called? a. One-factor authentication b. Two-factor authentication c. Three-factor authentication d. Four-factor authentication

b. Requiring two different passwords for accessing two different systems in the same session is more secure than requiring one password for two different systems. This equates to two-factor authentication. Requiring multiple proofs of authentication presents multiple barriers to entry access by intruders. On the other hand, using the same password (one-factor) for accessing multiple systems in the same session is a one-factor authentication, because only one type (and the same type) of proof is used. The key point is whether the type of proof presented is same or different.

Which of the following controls over telecommuting use tokens and/or one-time passwords? a. Firewalls b. Robust authentication c. Port protection devices d. Encryption

b. Robust authentication increases security in two significant ways. It can require the user to possess a token in addition to a password or personal identification number (PIN). Tokens, when used with PINs, provide significantly more security than passwords. For a hacker or other would-be impersonator to pretend to be someone else, the impersonator must have both a valid token and the corresponding PIN. This is much more difficult than obtaining a valid password and user ID combination. Robust authentication can also create one-time passwords. Electronic monitoring (eavesdropping or sniffing) or observing a user type in a password is not a threat with one-time passwords because each time a user is authenticated to the computer, a different "password" is used. (A hacker could learn the one-time password through electronic monitoring, but it would be of no value.) The firewall is incorrect because it uses a secure gateway or series of gateways to block or filter access between two networks, often between a private network and a larger, more public network such as the Internet or public-switched network (e.g., the telephone system). Firewall does not use tokens and passwords as much as robust authentication. A port protection device (PPD) is incorrect because it is fitted to a communications port of a host computer and authorizes access to the port itself, prior to and independent of the computer's own access control functions. A PPD can be a separate device in the communications stream or may be incorporated into a communications device (e.g. a modem). PPDs typically require a separate authenticator, such as a password, to access the communications port. One of the most common PPDs is the dial-back modem. PPD does not use tokens and passwords as much as robust authentication. Encryption is incorrect because it is more expensive than robust authentication. It is most useful if highly confidential data needs to be transmitted or if moderately confidential data is transmitted in a high-threat area. Encryption is most widely used to protect the confidentiality of data and its integrity (it detects changes to files). Encryption does not use tokens and passwords as much as robust authentication.

From security and safety viewpoints, safety enforcement is tied to which of the following? a. Job rotation b. Job description c. Job enlargement d. Job enrichment

b. Safety is fundamental to ensuring that the most basic of access control policies can be enforced. This enforcement is tied to the job description of an individual employee through access authorizations (e.g., permissions and privileges). Job description lists job tasks, duties, roles, and responsibilities expected of an employee, including safety and security requirements. The other three choices do not provide safety enforcements. Job rotation makes an employee well-rounded because it broadens an employee's work experience, job enlargement adds width to a job, and job enrichment adds depth to a job.

Encryption is used to reduce the probability of unauthorized disclosure and changes to information when a system is in which of the following secure, non-operable system states? a. Troubleshooting b. Offline for maintenance c. Boot-up d. Shutdown

b. Secure, non-operable system states are states in which the information system is not performing business-related processing. These states include offline for maintenance, troubleshooting, bootup, and shutdown. Offline data should be stored with encryption in a secure location. Removing information from online storage to offline storage eliminates the possibility of individuals gaining unauthorized access to that information via a network.

Which one of the following access control policy uses security labels? a. Discretionary access control (DAC) b. Mandatory access control (MAC) c. Role-based access control (RBAC) d. Access control lists (ACLs)

b. Security labels and interfaces are used to determine access based on the mandatory access control (MAC) policy. A security label is the means used to associate a set of security attributes with a specific information object as part of the data structure for that object. Labels could be designated as proprietary data or public data. The other three choices do not use security labels.

Which one of the following does not help in preventing fraud? a. Separation of duties b. Job enlargement c. Job rotation d. Mandatory vacations

b. Separation of duties, job rotation, and mandatory vacations are management controls that can help in preventing fraud. Job enlargement and job enrichment do not prevent fraud because they are not controls; their purpose is to expand the scope of an employee's work for a better experience and promotion.

From an access control point of view, separation of duty is of two types: static and dynamic. Which of the following are examples of static separation of duties? 1. Role-based access control 2. Workflow policy 3. Rule-based access control 4. Chinese Wall policy a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4

b. Separation of duty constraints require that two roles be mutually exclusive because no user should have the privileges from both roles. Both role-based and rule-based access controls are examples of static separation of duty. Dynamic separation of duty is enforced at access time, and the decision to grant access refers to the past access history. Examples of dynamic separation of duty include workflow policy and the Chinese Wall policy.

Sniffing precedes which of the following? a. Phishing and pharming b. Spoofing and hijacking c. Snooping and scanning d. Cracking and scamming

b. Sniffing is observing and monitoring packets passing by on the network traffic using packet sniffers. Sniffing precedes either spoofing or hijacking. Spoofing, in part, is using various techniques to subvert IP-based access control by masquerading as another system by using their IP address. Spoofing is an attempt to gain access to a system by posing as an authorized user. Other examples of spoofing include spoofing packets to hide the origin of attack in a DoS, spoofing e-mail headers to hide spam, and spoofing phone numbers to fool caller-ID. Spoofing is synonymous with impersonating, masquerading, or mimicking, and is not synonymous with sniffing. Hijacking is an attack that occurs during an authenticated session with a database or system. Snooping, scanning, and sniffing are all actions searching for required and valuable information. They involve looking around for vulnerabilities and planning to attack. These are preparatory actions prior to launching serious penetration attacks. Phishing is tricking individuals into disclosing sensitive personal information through deceptive computer-based means. Phishing attacks use social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. It involves Internet fraudsters who send spam or pop-up messages to lure personal information (e.g., credit card numbers, bank account information, social security number, passwords, or other sensitive information) from unsuspecting victims. Pharming is misdirecting users to fraudulent websites or proxy servers, typically through DNS hijacking or poisoning. Cracking is breaking for passwords and bypassing software controls in an electronic authentication system such as user registration. Scamming is impersonating a legitimate business using the Internet. The buyer should check out the seller before buying goods or services. The seller should give out a physical address with a working telephone number.

What is impersonating a user or system called? a. Snooping attack b. Spoofing attack c. Sniffing attack d. Spamming attack

b. Spoofing is an unauthorized use of legitimate identification and authentication data such as user IDs and passwords. Intercepted user names and passwords can be used to impersonate the user on the login or file transfer server host that the user accesses. Snooping and sniffing attacks are the same in that sniffing is observing the packet's passing by on the network. Spamming is posting identical messages to multiple unrelated newsgroups on the Internet or sending unsolicited e-mail sent indiscriminately to multiple users.

From an access control viewpoint, which of the following are examples of super user accounts? a. Root and guest accounts b. Administrator and root accounts c. Anonymous and root accounts d. Temporary and end-user accounts

b. Super user accounts are typically described as administrator or root accounts. Access to super user accounts should be limited to designated security and system administration staff only, and not to the end-user accounts, guest accounts, anonymous accounts, or temporary accounts. Security and system administration staff use the super user accounts to access key security/system parameters and commands.

Which of the following models is used to protect the confidentiality of classified information? a. Biba model and Bell-LaPadula model b. Bell-LaPadula model and information flow model c. Bell-LaPadula model and Clark-Wilson model d. Clark-Wilson model and information flow model

b. The Bell-LaPadula model is used for protecting the confidentiality of classified information, based on multilevel security classifications. The information flow model, a basis for the Bell-LaPadula model, ensures that information at a given security level flows only to an equal or higher level. Each object has an associated security level. An object's level indicates the security level of the data it contains. These two models ensure the confidentiality of classified information. The Biba model is similar to the Bell-LaPadula model but protects the integrity of information instead of its confidentiality. The Clark-Wilson model is a less formal model aimed at ensuring the integrity of information, not confidentiality. This model implements traditional accounting controls including segregation of duties, auditing, and well-formed transactions such as double entry bookkeeping. Both the Biba and Clark-Wilson models are examples of integrity models.

Which of the following security models covers integrity? a. Bell-LaPadula model b. Biba model c. Information flow model d. Take-Grant model

b. The Biba model is an example of an integrity model. The Bell-LaPadula model is a formal state transition model of a computer security policy that describes a set of access control rules. Both the Bell-LaPadula and the Take-Grant models are a part of access control models.

The Biba security model focuses on which of the following? a. Confidentiality b. Integrity c. Availability d. Accountability

b. The Biba security model is an integrity model in which no subject may depend on a less trusted object, including another subject. It is a specific model addressing only one of the security objectives such as confidentiality, integrity, availability, and accountability.

During biometric identification, which of the following can result in slow system response times and increased expense? a. One-to-one matching b. One-to-many matching c. Many-to-one matching d. Many-to-many matching

b. The biometric identification with one-to-many matching can result in slow system response times and can be more expensive depending on the size of the biometric database. That is, the larger the database size, the slower the system response time. A personal identification number (PIN) is entered as a second authentication factor, and the matching is slow.

From an access control point of view, which of the following maintains consistency between the internal data and users' expectations of that data? a. Security policy b. Workflow policy c. Access control policy d. Chinese Wall policy

b. The goal of workflow policy is to maintain consistency between the internal data and external (users') expectations of that data. This is because the workflow is a process, consisting of tasks, documents, and data. The Chinese Wall policy deals with dividing sensitive data into separate categories. The security policy and the access control policy are too general to be of any importance here.

Uses of honeypots and padded cells have which of the following? a. Social implications b. Legal implications c. Technical implications d. Psychological implications

b. The legal implications of using honeypot and padded cell systems are not well defined. It is important to seek guidance from legal counsel before deciding to use either of these systems.

The principle of least privilege is most closely linked to which of the following security objectives? a. Confidentiality b. Integrity c. Availability d. Nonrepudiation

b. The principle of least privilege deals with access control authorization mechanisms, and as such the principle ensures integrity of data and systems by limiting access to data/information and information systems.

Which of the following is the heart of intrusion detection systems? a. Mutation engine b. Processing engine c. State machine d. Virtual machine

b. The processing engine is the heart of the intrusion detection system (IDS). It consists of the instructions (language) for sorting information for relevance, identifying key intrusion evidence, mining databases for attack signatures, and decision making about thresholds for alerts and initiation of response activities. For example, a mutation engine is used to obfuscate a virus, polymorphic or not, to aid the proliferation of the said virus. A state machine is the basis for all computer systems because it is a model of computations involving inputs, outputs, states, and state transition functions. A virtual machine is software that enables a single host computer to run using one or more guest operating systems.

Which of the following is required to thwart attacks against a Kerberos security server? a. Initial authentication b. Pre-authentication c. Post-authentication d. Re-authentication

b. The simplest form of initial authentication uses a user ID and password, which occurs on the client. The server has no knowledge of whether the authentication was successful. The problem with this approach is that anyone can make a request to the server asserting any identity, allowing an attacker to collect replies from the server and successfully launching a real attack on those replies. In pre-authentication, the user sends some proof of his identity to the server as part of the initial authentication process. The client must authenticate prior to the server issuing a credential (ticket) to the client. The proof of identity used in pre-authentication can be a smart card or token, which can be integrated into the Kerberos initial authentication process. Here, postauthentication and re-authentication processes do not apply because it is too late to be of any use.

What does the Bell-LaPadula's star.property (* -property) mean? a. No write-up is allowed. b. No write-down is allowed. c. No read-up is allowed. d. No read-down is allowed.

b. The star property means no write-down and yes to a write-up. A subject can write objects only at a security level that dominates the subject's level. This means, a subject of one higher label cannot write to any object of a lower security label. This is also known as the confinement property. A subject is prevented from copying data from one higher classification to a lower classification. In other words, a subject cannot write anything below that subject's level.

In electronic authentication, which of the following produces an authenticator used in the authentication process? a. Encrypted key and password b. Token and cryptographic key c. Public key and verifier d. Private key and claimant

b. The token may be a piece of hardware that contains a cryptographic key that produces the authenticator used in the authentication process to authenticate the claimant. The key is protected by encrypting it with a password. The other three choices cannot produce an authenticator. A public key is the public part of an asymmetric key pair typically used to verify signatures or encrypt data. A verifier is an entity that verifies a claimant's identity. A private key is the secret part of an asymmetric key pair typically used to digitally sign or decrypt data. A claimant is a party whose identity is to be verified using an authentication protocol.

Under which of the following electronic authentication circumstances does the verifier need to directly communicate with the CSP to complete the authentication activity? a. Use of a digital certificate b. A physical link between the verifier and the CSP c. Distributed functions for the verifier, relying party, and the CSP d. A logical link between the verifier and the CSP

b. The use of digital certificates represents a logical link between the verifier and the CSP rather than a physical link. In some implementations, the verifier, relying party, and the CSP functions may be distributed and separated. The verifier needs to directly communicate with the CSP only when there is a physical link between them. In other words, the verifier does not need to directly communicate with the CSP for the other three choices.

From an access control effectiveness viewpoint, which of the following represents biometric identification when a user submits a combination of a biometric sample first and a personal identification number (PIN) next for authentication? a. One-to-one matching b. One-to-many matching c. Many-to-one matching d. Many-to-many matching

b. This combination of authentication represents something that you know (PIN) and something that you are (biometric). The user presents a biometric sample first to the sensor, and the system conducts a one-to-many matching of biometric identification. The user is prompted to supply a PIN that provided the biometric reference data. The other three choices are incorrect because the correct answer is based on its definition.

A combination of something you have (one time), something you have (second time), and something you know is used to represent which of the following personal authentication proofing scheme? a. One-factor authentication b. Two-factor authentication c. Three-factor authentication d. Four-factor authentication

b. This situation illustrates that multiple instances of the same factor (i.e., something you have is used two times) results in one-factor authentication. When this is combined with something you know, it results in a two-factor authentication scheme.

In the single sign-on technology, timestamps thwart which of the following? a. Man-in-the-middle attack b. Replay attack c. Social engineering attack d. Phishing attack

b. Timestamps or other mechanisms to thwart replay attacks should be included in the single sign-on (SSO) credential transmissions. Man-in-the-middle (MitM) attacks are based on authentication and social engineering, and phishing attacks are based on passwords.

Which of the following complementary strategies to mitigate token threats raise the threshold for successful attacks? a. Physical security mechanisms b. Multiple security factors c. Complex passwords d. System and network security controls

b. Token threats include masquerading, off-line attacks, and guessing passwords. Multiple factors raise the threshold for successful attacks. If an attacker needs to steal the cryptographic token and guess a password, the work factor may be too high. Physical security mechanisms are incorrect because they may be employed to protect a stolen token from duplication. Physical security mechanisms can provide tamper evidence, detection, and response. Complex passwords are incorrect because they may reduce the likelihood of a successful guessing attack. By requiring the use of long passwords that do not appear in common dictionaries, attackers may be forced to try every possible password. System and network security controls are incorrect because they may be employed to prevent an attacker from gaining access to a system or installing malicious software (malware).

What is the major advantage of a single sign-on? a. It reduces management work. b. It is a convenience for the end user. c. It authenticates a user once. d. It provides a centralized administration.

b. Under a single sign-on (SSO), a user can authenticate once to gain access to multiple applications that have been previously defined in the security system. The SSO system is convenient for the end user in that it provides fewer areas to manage when compared to multiple sign-on systems, but SSO is risky. Many points of failure exist in multiple sign-on systems as they are inconvenient for the end user because of many areas to manage.

In electronic authentication, which of the following are examples of weakly bound credentials? 1. Unencrypted password files 2. Signed password files 3. Unsigned public key certificates 4. Signed public key certificates a. 1 only b. 1 and 3 c. 1 and 4 d. 2 and 4

b. Unencrypted password files and unsigned public key certificates are examples of weakly bound credentials. The association between the identity and the token within a weakly bound credential can be readily undone, and a new association can be readily created. For example, a password file is a weakly-bound credential because anyone who has "write" access to the password file can potentially update the association contained within the file.

How does a role-based access control mechanism work? a. Based on job enlargement concept b. Based on job duties concept c. Based on job enrichment concept d. Based on job rotation concept

b. Users take on assigned roles such as doctor, nurse, teller, and manager. With role-based access control mechanism, access decisions are based on the roles that individual users have as part of an organization, that is, job duties. Job enlargement means adding width to a job; job enrichment means adding depth to a job; and job rotation makes a person well rounded.

From an access control decision viewpoint, failures due to flaws in permission-based systems tend to do which of the following? a. Authorize permissible actions b. Fail-safe with permission denied c. Unauthorize prohibited actions d. Grant unauthorized permissions

b. When failures occur due to flaws in permission-based systems, they tend to fail-safe with permission denied. There are two types of access control decisions: permission-based and exclusion-based.

Which one of the following is not an authentication mechanism? a. What the user knows b. What the user has c. What the user can do d. What the user is

c. "What the user can do" is defined in access rules or user profiles, which come after a successful authentication. The other three choices are part of an authentication process. The authenticator factor "knows" means a password or PIN, "has" means key or card, and "is" means a biometric identity.

Rank the following authentication mechanisms providing most to least protection against replay attacks? a. Password only, password and PIN, challenge response, and one-time password b. Password and PIN, challenge response, one-time password, and password only c. Challenge response, one-time password, password and PIN, and password only d. Challenge-response, password and PIN, one-time password, and password only

c. A challenge-response protocol is based on cryptography and works by having the computer generate a challenge, such as a random string of numbers. The smart token then generates a response based on the challenge. This is sent back to the computer, which authenticates the user based on the response. Smart tokens that use either challenge-response protocols or dynamic password generation can create one-time passwords that change periodically (e.g., every minute). If the correct value is provided, the log-in is permitted, and the user is granted access to the computer system. Electronic monitoring is not a problem with one-time passwords because each time the user is authenticated to the computer, a different "password" is used. A hacker could learn the one-time password through electronic monitoring, but it would be of no value. Passwords and personal identification numbers (PINs) have weaknesses such as disclosing and guessing. Passwords combined with PINs are better than passwords only. Both passwords and PINs are subject to electronic monitoring. Simple encryption of a password that will be used again does not solve the monitoring problem because encrypting the same password creates the same cipher-text; the cipher-text becomes the password.

What is a control to prevent an unauthorized user from starting an alternative operating system? a. Shadow password b. Encryption password c. Power-on password d. Network password

c. A computer system can be protected through a power-on password, which prevents an unauthorized user from starting an alternative operating system. The other three types of passwords mentioned do not have the preventive nature, as does the power-on password.

Eavesdropping is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the eavesdropping threat? a. Use tokens that generate high entropy authenticators. b. Use hardware cryptographic tokens. c. Use tokens with dynamic authenticators. d. Use multifactor tokens.

c. A countermeasure to mitigate the eavesdropping threat is to use tokens with dynamic authenticators where knowledge of one authenticator does not assist in deriving a subsequent authenticator. The other choices are incorrect because they cannot provide dynamic authentication.

Phishing or pharming is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the phishing or pharming threat? a. Use tokens that generate high entropy authenticators. b. Use hardware cryptographic tokens. c. Use tokens with dynamic authenticators. d. Use multifactor tokens.

c. A countermeasure to mitigate the phishing or pharming threat is to use tokens with dynamic authenticators where knowledge of one authenticator does not assist in deriving a subsequent authenticator. The other choices are incorrect because they cannot provide dynamic authentication. Phishing is tricking individuals into disclosing sensitive personal information through deceptive computer-based means. Phishing attacks use social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials. It involves Internet fraudsters who send spam or pop-up messages to lure personal information (e.g., credit card numbers, bank account information, social security numbers, passwords, or other sensitive information) from unsuspecting victims. Pharming is misdirecting users to fraudulent websites or proxy servers, typically through DNS hijacking or poisoning.

Social engineering is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the social engineering threat? a. Use tokens that generate high entropy authenticators. b. Use hardware cryptographic tokens. c. Use tokens with dynamic authenticators. d. Use multifactor tokens.

c. A countermeasure to mitigate the social engineering threat is to use tokens with dynamic authenticators where knowledge of one authenticator does not assist in deriving a subsequent authenticator. The other choices are incorrect because they cannot provide dynamic authentication.

In the electronic authentication process, which of the following is weakly resistant to man-in-the-middle (MitM) attacks? a. Account lockout mechanism b. Random data c. Sending a password over server authenticated TLS d. Nonce

c. A protocol is said to have weak resistance to MitM attacks if it provides a mechanism for the claimant to determine whether he is interacting with the real verifier, but still leaves the opportunity for the nonvigilant claimant to reveal a token authenticator to an unauthorized party that can be used to masquerade as the claimant to the real verifier. For example, sending a password over server authenticated transport layer security (TLS) is weakly resistant to MitM attacks. The browser enables the claimant to verify the identity of the verifier; however, if the claimant is not sufficiently vigilant, the password will be revealed to an unauthorized party who can abuse the information. The other three choices do not deal with MitM attacks, but they can enhance the overall electronic authentication process. An account lockout mechanism is implemented on the verifier to prevent online guessing of passwords by an attacker who tries to authenticate as a legitimate claimant. Random data and nonce can be used to disguise the real data.

In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of replay attack? a. Liveness detection b. Digital signatures c. Rejecting exact matches d. Session lock

c. A replay attack occurs when someone can capture a valid user's biometric data and use it at a later time for unauthorized access. A potential solution is to reject exact matches, thereby requiring the user to provide another biometric sample. The other three choices do not provide exact matches.

How does a rule-based access control mechanism work? a. It is based on filtering rules. b. It is based on identity rules. c. It is based on access rules. d. It is based on business rules.

c. A rule-based access control mechanism is based on specific rules relating to the nature of the subject and object. These specific rules are embedded in access rules. Filtering rules are specified in firewalls. Both identity and business rules are inapplicable here.

There are trade-offs among controls. A security policy would be most useful in which of the following areas? 1. System-generated passwords versus user-generated passwords 2. Access versus confidentiality 3. Technical controls versus procedural controls 4. Manual controls versus automated controls a. 1 and 2 b. 3 and 4 c. 2 and 3 d. 2 and 4

c. A security policy is the framework within which an organization establishes needed levels of information security to achieve the desired confidentiality goals. A policy is a statement of information values, protection responsibilities, and organizational commitment for a computer system. It is a set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. There are trade-offs among controls such as technical controls and procedural controls. If technical controls are not available, procedural controls might be used until a technical solution is found. Nevertheless, technical controls are useless without procedural controls and a robust security policy. Similarly, there is a trade-off between access and confidentiality; that is, a system meeting standards for access allows authorized users access to information resources on an ongoing basis. The emphasis given to confidentiality, integrity, and access depends on the nature of the application. An individual system may sacrifice the level of one requirement to obtain a greater degree of another. For example, to allow for increased levels of availability of information, standards for confidentiality may be lowered. Thus, the specific requirements and controls for information security can vary. Passwords and controls also involve trade-offs, but at a lower level. Passwords require deciding between system-generated passwords, which can offer more security than usergenerated passwords because system-generated passwords are randomly generated pseudo words not found in the dictionary. However, system-generated passwords are harder to remember, forcing users to write them down, thus defeating the purpose. Controls require selecting between a manual and automated control or selecting a combination of manual and automated controls. One control can work as a compensating control for the other.

Access control mechanisms include which of the following? a. Directive, preventive, and detective controls b. Corrective, recovery, and preventive controls c. Logical, physical, and administrative controls d. Management, operational, and technical controls

c. Access control mechanisms include logical (passwords and encryption), physical (keys and tokens), and administrative (forms and procedures) controls. Directive, preventive, detective, corrective, and recovery controls are controls by action. Management, operational, and technical controls are controls by nature.

RuBAC is rule-based access control; RAdAC is risk adaptive access control; UDAC is user-directed access control; MAC is mandatory access control; ABAC is attribute-based access control; RBAC is role-based access control; IBAC is identity-based access control; and PBAC is policy-based access control. From an access control viewpoint, separation of domains is achieved through which of the following? a. RuBAC or RAdAC b. UDAC or MAC c. ABAC or RBAC d. IBAC or PBAC

c. Access control policy may benefit from separating Web services into various domains or compartments. This separation can be implemented in ABAC using resource attributes or through additional roles defined in RBAC. The other three choices cannot handle separation of domains.

Which of the following user actions are permitted without identification or authentication? 1. Access to public websites 2. Emergency situations 3. Unsuccessful login attempts 4. Reestablishing a session lock a. 1 only b. 2 only c. 1 and 2 d. 3 and 4

c. Access to public websites and emergency situations are examples of user permitted actions that don't require identification or authentication. Both unsuccessful login attempts and reestablishing a session lock require proper identification or authentication procedures. A session lock is retained until proper identification or authentication is submitted, accepted, and reestablished.

Which of the following statements is true about intrusion detection systems (IDS) and firewalls? a. Firewalls are a substitution for an IDS. b. Firewalls are an alternative to an IDS. c. Firewalls are a complement to an IDS. d. Firewalls are a replacement for an IDS.

c. An IDS should be used as a complement to a firewall, not a substitute for it. Together, they provide a synergistic effect.

Electronic authentication begins with which of the following? a. Token b. Credential c. Subscriber d. Credential service provider

c. An applicant applies to a registration authority (RA) to become a subscriber of a credential service provider (CSP) and, as a subscriber, is issued or registers a secret, called a token, and a credential (public key certificate) that binds the token to a name and other attributes that the RA has verified. The token and credential may be used in subsequent authentication events.

For electronic authentication, which of the following is not an example of assertions? a. Cookies b. Security assertions markup language c. X.509 certificates d. Kerberos tickets

c. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. Assertions may be digitally signed objects, or they may be obtained from a trusted source by a secure protocol. X.509 certificates are examples of electronic credentials, not assertions. Cookies, security assertions markup language (SAML), and Kerberos tickets are examples of assertions.

In electronic authentication, which of the following can mitigate the threat of assertion repudiation? a. Digital signature and TLS/SSL b. Timestamp and short lifetime of validity c. Digital signature with a key supporting nonrepudiation d. HTTP and TLS

c. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion repudiation, the assertion may be digitally signed by the verifier using a key that supports nonrepudiation. The other three choices are incorrect because they are not applicable to the situation here.

For access control for mobile devices, which of the following assigns responsibility and accountability for addressing known vulnerabilities in the media? a. Use of writable, removable media b. Use of personally owned removable media c. Use of project-owned removable media d. Use of nonowner removable media

c. An identifiable owner (e.g., employee, organization, or project) for removable media helps to reduce the risk of using such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion). Use of project-owned removable media is acceptable because the media is assigned to a project, and the other three choices are not acceptable because they have no accountability feature attached to them. Restricting the use of writable, removable media is a good security practice.

Inference attacks are based on which of the following? a. Hardware and software b. Firmware and freeware c. Data and information d. Middleware and courseware

c. An inference attack is where a user or an intruder can deduce information to which he had no privilege from information to which he has privilege.

Intrusion detection systems cannot do which of the following? a. Report alterations to data files b. Trace user activity c. Compensate for weak authentication d. Interpret system logs

c. An intrusion detection system (IDS) cannot act as a "silver bullet," compensating for weak identification and authentication mechanisms, weaknesses in network protocols, or lack of a security policy. IDS can do the other three choices, such as recognizing and reporting alterations to data files, tracing user activity from the point of entry to the point of exit or impact, and interpreting the mass of information contained in operating system logs and audit trail logs.

Anomaly detection approaches used in intrusion detection systems (IDS) require which of the following? a. Tool sets b. Skill sets c. Training sets d. Data sets

c. Anomaly detection approaches often require extensive training sets of system event records to characterize normal behavior patterns. Skill sets are also important for the IT security analyst. Tool sets and data sets are not relevant here because the tool sets may contain software or hardware, and the data sets may contain data files and databases.

For intrusion detection and prevention system capabilities, anomaly-based detection uses which of the following? 1. Blacklists 2. Whitelists 3. Threshold 4. Program code viewing a. 1 and 2 b. 1, 2, and 3 c. 3 only d. 1, 2, 3, and 4

c. Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations. Thresholds are most often used for anomaly-based detection. A threshold is a value that sets the limit between normal and abnormal behavior. An anomaly-based detection does not use blacklists, whitelists, and program code viewing. A blacklist is a list of discrete entities, such as hosts or applications that have been previously determined to be associated with malicious activity. A whitelist is a list of discrete entities, such as hosts or applications known to be benign. Program code viewing and editing features are established to see the detection-related programming code in the intrusion detection and prevention system (IDPS).

From a computer security viewpoint, the Chinese-Wall policy is related to which of the following? a. Aggregation problem b. Data classification problem c. Access control problem d. Inference problem

c. As presented by Brewer and Nash, the Chinese-Wall policy is a mandatory access control policy for stock market analysts. According to the policy, a market analyst may do business with any company. However, every time the analyst receives sensitive "inside" information from a new company, the policy prevents him from doing business with any other company in the same industry because that would involve him in a conflict of interest situation. In other words, collaboration with one company places the Chinese-Wall between him and all other companies in the same industry. The Chinese-Wall policy does not meet the definition of an aggregation problem; there is no notion of some information being sensitive with the aggregate being more sensitive. The Chinese-Wall policy is an access control policy in which the access control rule is not based just on the sensitivity of the information, but is based on the information already accessed. It is neither an inference nor a data classification problem.

Authentication is a protection against fraudulent transactions. Authentication process does not assume which of the following? a. Validity of message location being sent b. Validity of the workstations that sent the message c. Integrity of the message that is transmitted d. Validity of the message originator

c. Authentication assures that the data received comes from the supposed origin. It is not extended to include the integrity of the data or messages transmitted. However, authentication is a protection against fraudulent transactions by establishing the validity of messages sent, validity of the workstations that sent the message, and the validity of the message originators. Invalid messages can come from a valid origin, and authentication cannot prevent it.

System administrators pose a threat to computer security due to their access rights and privileges. Which of the following statements is true for an organization with one administrator? a. Masquerading by a system administrator can be prevented. b. A system administrator's access to the system can be limited. c. Actions by the system administrator can be detected. d. A system administrator cannot compromise system integrity.

c. Authentication data needs to be stored securely, and its value lies in the data's confidentiality, integrity, and availability. If confidentiality is compromised, someone may use the information to masquerade as a legitimate user. If system administrators can read the authentication file, they can masquerade as another user. Many systems use encryption to hide the authentication data from the system administrators. Masquerading by system administrators cannot be entirely prevented. If integrity is compromised, authentication data can be added, or the system can be disrupted. If availability is compromised, the system cannot authenticate users, and the users may not be able to work. Because audit controls would be out of the control of the administrator, controls can be set up so that improper actions by the system administrators can be detected in audit records. Due to their broader responsibilities, the system administrators' access to the system cannot be limited. System administrators can compromise a system's integrity; again their actions can be detected in audit records. It makes a big difference whether an organization has one or more than one system administrator for separation of duties or for "least privilege" principle to work. With several system administrators, a system administrator account could be set up for one person to have the capability to add accounts. Another administrator could have the authority to delete them. When there is only one system administrator employed, breaking up the duties is not possible.

What does an example of a drawback of smart cards include? a. A means of access control b. A means of storing user data c. A means of gaining unauthorized access d. A means of access control and data storage

c. Because valuable data is stored on a smart card, the card is useless if lost, damaged, or forgotten. An unauthorized person can gain access to a computer system in the absence of other strong controls. A smart card is a credit card-sized device containing one or more integrated circuit chips, which performs the functions of a microprocessor, memory, and an input/output interface. Smart cards can be used (i) as a means of access control, (ii) as a medium for storing and carrying the appropriate data, and (iii) a combination of (1) and (2).

Which of the following is true about biometrics? a. Least expensive and least secure b. Most expensive and least secure c. Most expensive and most secure d. Least expensive and most secure

c. Biometrics tends to be the most expensive and most secure. In general, passwords are the least expensive authentication technique and generally the least secure. Memory tokens are less expensive than smart tokens but have less functionality. Smart tokens with a human interface do not require reading equipment but are more convenient to use.

From an access control viewpoint, which of the following are restricted access control models? 1. Identity-based access control policy 2. Attribute-based access control policy 3. Bell-LaPadula access control model 4. Domain type enforcement access control model a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

c. Both the Bell-LaPadula model and domain type enforcement model uses restricted access control models because they are employed in safety-critical systems, such as military and airline systems. In a restricted model, the access control policies are expressed only once by a trusted principal and fixed for the life of the system. The identity-based and attribute-based access control policies are not based on restricted access control models but based on identities and attributes respectively.

Which of the following is not a substitute for logging out of the information system? a. Previous logon notification b. Concurrent session control c. Session lock d. Session termination

c. Both users and the system can initiate session lock mechanisms. However, a session lock is not a substitute for logging out of the information system because it is done at the end of the workday. Previous logon notification occurs at the time of login. Concurrent session control deals with either allowing or not allowing multiple sessions at the same time. Session termination can occur when there is a disconnection of the telecommunications link or other network operational problems.

Which of the following provides strong authentication for centralized authentication servers when used with firewalls? a. User IDs b. Passwords c. Tokens d. Account numbers

c. For basic authentication, user IDs, passwords, and account numbers are used for internal authentication. Centralized authentication servers such as RADIUS and TACACS/TACACS+ can be integrated with token-based authentication to enhance firewall administration security.

Which of the following is the most important part of intrusion detection and containment? a. Prevent b. Detect c. Respond d. Report

c. It is essential to detect insecure situations to respond in a timely manner. Also, it is of little use to detect a security breach if no effective response can be initiated. No set of prevention measures is perfect. Reporting is the last step in the intrusion detection and containment process.

Which of the following password methods are based on fact or opinion? a. Static passwords b. Dynamic passwords c. Cognitive passwords d. Conventional passwords

c. Cognitive passwords use fact-based and opinion-based cognitive data as a basis for user authentication. It uses interactive software routines that can handle initial user enrollment and subsequent cue response exchanges for system access. Cognitive passwords are based on a person's lifetime experiences and events where only that person, or his family, knows about them. Examples include the person's favorite high school teachers' names, colors, flowers, foods, and places. Cognitive password procedures do not depend on the "people memory" often associated with the conventional password dilemma. However, implementation of a cognitive password mechanism could cost money and take more time to authenticate a user. Cognitive passwords are easier to recall and difficult for others to guess. Conventional (static) passwords are difficult to remember whether user-created or systemgenerated and are easy to guess by others. Dynamic passwords change each time a user signs on to the computer. Even in the dynamic password environment, a user needs to remember an initial code for the computer to recognize him. Conventional passwords are reusable whereas dynamic ones are not. Conventional passwords rely on memory.

Logical access controls provide a technical means of controlling access to computer systems. Which of the following is not a benefit of logical access controls? a. Integrity b. Availability c. Reliability d. Confidentiality

c. Computer-based access controls are called logical access controls. These controls can prescribe not only who or what is to have access to a specific system resource but also the type of access permitted, usually in software. Reliability is more of a hardware issue. Logical access controls can help protect (i) operating systems and other systems software from unauthorized modification or manipulation (and thereby help ensure the system's integrity and availability); (ii) the integrity and availability of information by restricting the number of users and processes with access; and (iii) confidential information from being disclosed to unauthorized individuals.

For identifier management, service-oriented architecture implementations do not reply on which of the following? a. Dynamic identities b. Dynamic attributes and privileges c. Preregistered users d. Pre-established trust relationships

c. Conventional approaches to identifications and authentications employ static information system accounts for known preregistered users. Service-oriented architecture (SOA) implementations do not rely on static identities but do rely on establishing identities at run-time for entities (i.e., dynamic identities) that were previously unknown. Dynamic identities are associated with dynamic attributes and privileges as they rely on pre-established trust relationships.

An organization is experiencing excessive turnover of employees. Which of the following is the best access control policy under these situations? a. Rule-based access control (RuBAC) b. Mandatory access control (MAC) c. Role-based access control (RBAC) d. Discretionary access control (DAC)

c. Employees can come and go, but their roles do not change, such as a doctor or nurse in a hospital. With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Employee names may change but the roles does not. This access control is the best for organizations experiencing excessive employee turnover. Rule-based access control and mandatory access control are the same because they are based on specific rules relating to the nature of the subject and object. Discretionary access control is a means to restrict access to objects based on the identity of subjects and/or groups to which they belong.

Regarding password guessing and cracking threats, which of the following can help mitigate such threats? a. Passwords with low entropy, larger salts, and smaller stretching b. Passwords with high entropy, smaller salts, and smaller stretching c. Passwords with high entropy, larger salts, and larger stretching d. Passwords with low entropy, smaller salts, and larger stretching

c. Entropy in an information system is the measure of the disorder or randomness in the system. Passwords need high entropy because low entropy is more likely to be recovered through brute force attacks. Salting is the inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash. Larger salts effectively make the use of Rainbow Tables (lookup tables) by attackers infeasible. Many operating systems implement salted password hashing mechanisms to reduce the effectiveness of password cracking. Stretching, which is another technique to mitigate the use of rainbow tables, involves hashing each password and its salt thousands of times. Larger stretching makes the creation of rainbow tables more time-consuming, which is not good for the attacker, but good for the attacked organization. Rainbow tables are lookup tables that contain precomputed password hashes. Therefore, passwords with high entropy, larger salts, and larger stretching can mitigate password guessing and cracking attempts by attackers.

For authenticator management, use of which of the following is risky and leads to possible alternatives? a. A single sign-on mechanism b. Same user identifier and different user authenticators on all systems c. Same user identifier and same user authenticator on all systems d. Different user identifiers and different user authenticators on each system

c. Examples of user identifiers include internal users, contractors, external users, guests, passwords, tokens, and biometrics. Examples of user authenticators include passwords, PINs, tokens, biometrics, PKI/digital certificates, and key cards. When an individual has accounts on multiple information systems, there is the risk that if one account is compromised and the individual uses the same user identifier and authenticator, other accounts will be compromised as well. Possible alternatives include (i) having the same user identifier but different authenticators on all systems, (ii) having different user identifiers and different user authenticators on each system, (iii) employing a single sign-on mechanism, or (iv) having onetime passwords on all systems.

From an access control decision viewpoint, fail-safe defaults operate on which of the following? 1. Exclude and deny 2. Permit and allow 3. No access, yes default 4. Yes access, yes default a. 1 only b. 2 only c. 2 and 3 d. 4 only

c. Fail-safe defaults mean that access control decisions should be based on permit and allow policy (i.e., permission rather than exclusion). This equates to the condition in which lack of access is the default (i.e., no access, yes default). "Allow all and deny-by-default" refers to yes-access, yes-default situations.

Which of the following security solutions for access control is simple to use and easy to administer? a. Passwords b. Cryptographic tokens c. Hardware keys d. Encrypted data files

c. Hardware keys are devices that do not require a complicated process of administering user rights and access privileges. They are simple keys, similar to door keys that can be plugged into the personal computer before a person can successfully log on to access controlled data files and programs. Each user gets a set of keys for his personal use. Hardware keys are simple to use and easy to administer. Passwords is an incorrect answer because they do require some amount of security administrative work such as setting up the account and helping users when they forget passwords. Passwords are simple to use but hard to administer. Cryptographic tokens is an incorrect answer because they do require some amount of security administrative work. Tokens need to be assigned, programmed, tracked, and disposed of. Encrypted data files is an incorrect answer because they do require some amount of security administrative work. Encryption keys need to be assigned to the owners for encryption and decryption purposes.

From an access control point of view, which of the following are examples of historybased access control policies? 1. Role-based access control 2. Workflow policy 3. Rule-based access control 4. Chinese Wall policy a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4

c. History-based access control policies are defined in terms of subjects and events where the events of the system are specified as the object access operations associated with activity at a particular security level. This assumes that the security policy is defined in terms of the sequence of events over time, and that the security policy decides which events of the system are permitted to ensure that information does not flow in an unauthorized manner. History-based access control policies are not based on standard access control mechanism but based on practical applications. In the history-based access control policies, previous access events are used as one of the decision factors for the next access authorization. The workflow and the Chinese Wall policies are examples of history-based access control policies.

Which of the following is the correct sequence of actions in access control mechanisms? a. Access profiles, authentication, authorization, and identification b. Security rules, identification, authorization, and authentication c. Identification, authentication, authorization, and accountability d. Audit trails, authorization, accountability, and identification

c. Identification comes before authentication, and authorization comes after authentication. Accountability is last where user actions are recorded.

For electronic authentication, identity proofing involves which of the following? a. CSP b. RA c. CSP and RA d. CA and CRL

c. Identity proofing is the process by which a credential service provider (CSP) and a registration authority (RA) validate sufficient information to uniquely identify a person. A certification authority (CA) is not involved in identity proofing. A CA is a trusted entity that issues and revokes public key certificates. A certificate revocation list (CRL) is not involved in identity proofing. A CRL is a list of revoked public key certificates created and digitally signed by a CA.

Less common ways to initiate impersonation attacks on the network include the use of which of the following? a. Firewalls and account names b. Passwords and account names c. Biometric checks and physical keys d. Passwords and digital certificates

c. Impersonation attacks involving the use of physical keys and biometric checks are less likely due to the need for the network attacker to be physically near the biometric equipment. Passwords and account names are incorrect because they are the most common way to initiate impersonation attacks on the network. A firewall is a mechanism to protect IT computing sites against Internet-borne attacks. Most digital certificates are password-protected and have an encrypted file that contains identification information about its holder.

Which of the following security models promotes security clearances and sensitivity classifications? a. Biba model b. Clark-Wilson model c. Bell-LaPadula model d. Sutherland model

c. In a Bell-LaPadula model, the clearance/classification scheme is expressed in terms of a lattice. To determine whether a specific access model is allowed, the clearance of a subject is compared to the classification of the object, and a determination is made as to whether the subject is authorized for the specific access mode. The other three models do not deal with security clearances and sensitivity classifications.

In-band attacks against electronic authentication protocols include which of the following? a. Password guessing b. Impersonation c. Password guessing and replay d. Impersonation and man-in-the-middle

c. In an in-band attack, the attacker assumes the role of a claimant with a genuine verifier. These include a password guessing attack and a replay attack. In a password guessing attack, an impostor attempts to guess a password in repeated logon trials and succeeds when he can log onto a system. In a replay attack, an attacker records and replays some part of a previous good protocol run to the verifier. In the verifier impersonation attack, the attacker impersonates the verifier and induces the claimant to reveal his secret token. A man-in-the-middle attack is an attack on the authentication protocol run in which the attacker positions himself between the claimant and verifier so that he can intercept and alter data traveling between them.

For biometric accuracy, which of the following defines the point at which the false rejection rates and the false acceptance rates are equal? a. Type I error b. Type II error c. Crossover error rate d. Type I and II error

c. In biometrics, crossover error rate is defined as the point at which the false rejection rates and the false acceptance rates are equal. Type I error, called false rejection rate, is incorrect because genuine users are rejected as imposters. Type II error, called false acceptance rate, is incorrect because imposters are accepted as genuine users.

Intrusion detection systems can do which of the following? a. Analyze all the traffic on a busy network b. Deal with problems involving packet-level attacks c. Recognize a known type of attack d. Deal with high-speed asynchronous transfer mode networks

c. Intrusion detection systems (IDS) can recognize when a known type of attack is perpetrated on a system. However, IDS cannot do the following: (i) analyze all the traffic on a busy network, (ii) compensate for receiving faulty information from system sources, (iii) always deal with problems involving packet-level attacks (e.g., an intruder using fabricated packets that elude detection to launch an attack or multiple packets to jam the IDS itself), and (iv) deal with high-speed asynchronous transfer mode networks that use packet fragmentation to optimize bandwidth.

What do the weaknesses of Kerberos include? 1. Subject to dictionary attacks. 2. Works with existing security systems software. 3. Intercepting and analyzing network traffic is difficult. 4. Every network application must be modified. a. 1 and 2 b. 2 and 3 c. 1 and 4 d. 3 and 4

c. Kerberos is an authentication system with encryption mechanisms that make network traffic secure. Weaknesses of Kerberos include (i) it is subject to dictionary attacks where passwords can be stolen by an attacker and (ii) it requires modification of all network application source code, which is a problem with vendor developed applications with no source code provided to users. Kerberos strengths include that it can be added to an existing security system and that it makes intercepting and analyzing network traffic difficult. This is due to the use of encryption in Kerberos.

Registration fraud in electronic authentication can be deterred by making it more difficult to accomplish or by increasing the likelihood of which of the following? a. Direction b. Prevention c. Detection d. Correction

c. Making it more difficult to accomplish or increasing the likelihood of detection can deter registration fraud. The goal is to make impersonation more difficult.

Which of the following is achieved when "two authentication proofs of something that you are" is implemented? a. Least assurance b. Increased assurance c. Maximum assurance d. Equivalent assurance

c. Maximum assurance is achieved when two authentication proofs of something that you are (e.g., personal recognition by a colleague, user, or guard, and a biometric verification check) are implemented. Multiple proofs of something that you are offer the greatest assurance than does multiple proofs of something that you have or something that you know, used either alone or combined. Equivalent assurance is neutral and does not require any further action.

Passwords are used as a basic mechanism to identify and authenticate a system user. Which of the following password-related factors cannot be tested with automated vulnerability testing tools? a. Password length b. Password lifetime c. Password secrecy d. Password storage

c. No automated vulnerability-testing tool can ensure that system users have not disclosed their passwords; thus secrecy cannot be guaranteed. Password length can be tested to ensure that short passwords are not selected. Password lifetime can be tested to ensure that they have a limited lifetime. Passwords should be changed regularly or whenever they may have been compromised. Password storage can be tested to ensure that they are protected to prevent disclosure or unauthorized modification.

Information flow control enforcement employing rulesets to restrict information system services provides: 1. Structured data filters 2. Metadata content filters 3. Packet filters 4. Message filters a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

c. Packet filters are based on header information whereas message filters are based on content using keyword searches. Both packet filters and message filters use rulesets. Structured data filters and metadata content filters do not use rulesets.

Which of the following application-related authentication types is risky? a. External authentication b. Proprietary authentication c. Pass-through authentication d. Host/user authentication

c. Pass-through authentication refers to passing operating system credentials (e.g., username and password) unencrypted from the operating system to the application system. This is risky due to unencrypted credentials. Note that pass-through authentications can be encrypted or unencrypted. External authentication is incorrect because it uses a directory server, which is not risky. Proprietary authentication is incorrect because username and passwords are part of the application, not the operating system. This is less risky. Host/user authentication is incorrect because it is performed within a controlled environment (e.g., managed workstations and servers within an organization). Some applications may rely on previous authentication performed by the operating system. This is less risky.

Passwords can be stored safely in which of the following places? a. Initialization file b. Script file c. Password file d. Batch file

c. Passwords should not be included in initialization files, script files, or batch files due to possible compromise. Instead, they should be stored in a password file, preferably encrypted.

For privilege management, which of the following is the correct order? a. Access control?Access management?Authentication management?Privilege management b. Access management?Access control?Privilege management?Authentication management c. Authentication management?Privilege management?Access control?Access management d. Privilege management?Access management?Access control?Authentication management

c. Privilege management is defined as a process that creates, manages, and stores the attributes and policies needed to establish criteria that can be used to decide whether an authenticated entity's request for access to some resource should be granted. Authentication management deals with identities, credentials, and any other authentication data needed to establish an identity. Access management, which includes privilege management and access control, encompasses the science and technology of creating, assigning, storing, and accessing attributes and policies. These attributes and policies are used to decide whether an entity's request for access should be allowed or denied. In other words, a typical access decision starts with authentication management and ends with access management, whereas privilege management falls in between.

Ensuring data and program integrity is important. Which of the following controls best applies the separation of duties principle in an automated computer operations environment? a. File placement controls b. Data file naming conventions c. Program library controls d. Program and job naming conventions

c. Program library controls enable only assigned programs to run in production and eliminate the problem of test programs accidentally entering the production environment. They also separate production and testing data to ensure that no test data are used in normal production. This practice is based on the "separation of duties" principle. File placement controls ensure that files reside on the proper direct access storage device so that data sets do not go to a wrong device by accident. Data file, program, and job naming conventions implement the separation of duties principle by uniquely identifying each production and test data file names, program names, job names, and terminal usage.

In mobile device authentication, fingerprint authentication is an example of which of the following? a. Proof-by-possession b. Proof-by-knowledge c. Proof-by-property d. Proof-of-origin

c. Proof-by-property is where a claimant authenticates his identity to a verifier by the use of a biometric sample such as fingerprints (i.e., something you are). Proof-by-possession and proof-by-knowledge, along with proof-by-property, are used in mobile device authentication and robust authentication. Proof-of-origin is the basis to prove an assertion. For example, a private signature key is used to generate digital signatures as a proofof- origin.

Which of the following is based on precomputed password hashes? a. Brute force attack b. Dictionary attack c. Rainbow attack d. Hybrid attack

c. Rainbow attacks are a form of a password cracking technique that employs rainbow tables, which are lookup tables that contain pre-computed password hashes. These tables enable an attacker to attempt to crack a password with minimal time on the victim system and without constantly having to regenerate hashes if the attacker attempts to crack multiple accounts. The other three choices are not based on pre-computed password hashes; although, they are all related to passwords. A brute force attack is a form of a guessing attack in which the attacker uses all possible combinations of characters from a given character set and for passwords up to a given length. A dictionary attack is a form of a guessing attack in which the attacker attempts to guess a password using a list of possible passwords that is not exhaustive. A hybrid attack is a form of a guessing attack in which the attacker uses a dictionary that contains possible passwords and then uses variations through brute force methods of the original passwords in the dictionary to create new potential passwords.

Which of the following is not an example of authorization and access controls? a. Logical access controls b. Role-based access controls c. Reconstruction of transactions d. System privileges

c. Reconstruction of transactions is a part of audit trail mechanisms. The other three choices are a part of authorization and access controls.

Recovery mechanisms for storage encryption authentication solutions require which of the following? a. A trade-off between confidentiality and security b. A trade-off between integrity and security c. A trade-off between availability and security d. A trade-off between accountability and security

c. Recovery mechanisms increase the availability of the storage encryption authentication solutions for individual users, but they can also increase the likelihood that an attacker can gain unauthorized access to encrypted storage by abusing the recovery mechanism. Therefore, information security management should consider the trade-off between availability and security when selecting and planning recovery mechanisms. The other three choices do not provide recovery mechanisms.

Which of the following does not provide robust authentication? a. Kerberos b. Secure remote procedure calls c. Reusable passwords d. Digital certificates

c. Robust authentication means strong authentication that should be required for accessing internal computer systems. Robust authentication is provided by Kerberos, one-time passwords, challenge-response exchanges, digital certificates, and secure remote procedure calls (Secure RPC). Reusable passwords provide weak authentication.

RBAC is role-based access control, MAC is mandatory access control, DAC is discretionary access control, ABAC is attribute-based access control, PBAC is policybased access control, IBAC is identity-based access control, RuBAC is rule-based access control, RAdAC is risk adaptive access control, and UDAC is user-directed access control. For identity management, RBAC policy is defined as which of the following? a. RBAC = MAC + DAC b. RBAC = ABAC + PBAC c. RBAC = IBAC + RuBAC d. RBAC = RAdAC + UDAC

c. Role-based access control policy (RBAC) is a composite access control policy between identity-based access control (IBAC) policy and rule-based access control (RuBAC) policy and should be considered as a variant of both. In this case, an identity is assigned to a group that has been granted authorizations. Identities can be members of one or more groups.

What do the countermeasures against a rainbow attack resulting from a password cracking threat include? a. One-time password and one-way hash b. Keyspace and passphrase c. Salting and stretching d. Entropy and user account lockout

c. Salting is the inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash. If two users choose the same password, salting can make it highly unlikely that their hashes are the same. Larger salts effectively make the use of rainbow tables infeasible. Stretching involves hashing each password and its salt thousands of times. This makes the creation of the rainbow tables correspondingly more time-consuming, while having little effect on the amount of effort needed by the organization's systems to verify password authentication attempts. Keyspace is the large number of possible key values (keys) created by the encryption algorithm to use when transforming the message. Passphrase is a sequence of characters transformed by a password system into a virtual password. Entropy is a measure of the amount of uncertainty that an attacker faces to determine the value of a secret.

From a safety configuration viewpoint, the separation of duty concept is not enforced in which of the following? a. Mandatory access control policy b. Bell-LaPadula access control model c. Access control matrix model d. Domain type enforcement access control model

c. The separation of duty concept is not enforced by the access control matrix model because it is not safety configured and is based on an arbitrary constraint. The other three choices use restricted access control models with access constraints that describe the safety requirements of any configuration.

Which of the following lists a pair of compatible functions within the IT organization? a. Computer operations and applications programming b. Systems programming and data security administration c. Quality assurance and data security administration d. Production job scheduling and computer operations

c. Separation of duties is the first line of defense against the prevention, detection, and correction of errors, omissions, and irregularities. The objective is to ensure that no one person has complete control over a transaction throughout its initiation, authorization, recording, processing, and reporting. If the total risk is acceptable, then two different jobs can be combined. If the risk is unacceptable, the two jobs should not be combined. Both quality assurance and data security are staff functions and would not handle the day-to-day operations tasks. The other three choices are incorrect because they are examples of incompatible functions. The rationale is to minimize such functions that are not conducive to good internal control structure. For example, if a computer operator is also responsible for production job scheduling, he could submit unauthorized production jobs.

In electronic authentication, shared secrets are based on which of the following? 1. Asymmetric keys 2. Symmetric keys 3. Passwords 4. Public key pairs a. 1 only b. 1 or 4 c. 2 or 3 d. 3 or 4

c. Shared secrets are based on either symmetric keys or passwords. The asymmetric keys are used in public key pairs. In a protocol sense, all shared secrets are similar and can be used in similar authentication protocols.

Smart card authentication is an example of which of the following? a. Proof-by-knowledge b. Proof-by-property c. Proof-by-possession d. Proof-of-concept

c. Smart cards are credit card-size plastic cards that host an embedded computer chip containing an operating system, programs, and data. Smart card authentication is perhaps the best-known example of proof-by-possession (e.g., key, card, or token). Passwords are an example of proof-by-knowledge. Fingerprints are an example of proof-by-property. Proof-ofconcept deals with testing a product prior to building an actual product.

Which of the following is not an example of attacks on data and information? a. Hidden code b. Inference c. Spoofing d. Traffic analysis

c. Spoofing is using various techniques to subvert IP-based access control by masquerading as another system by using its IP address. Attacks such as hidden code, inference, and traffic analysis are based on data and information.

Which of the following violates a user's privacy? a. Freeware b. Firmware c. Spyware d. Crippleware

c. Spyware is malicious software (i.e., malware) intended to violate a user's privacy because it is invading many computer systems to monitor personal activities and to conduct financial fraud. Freeware is incorrect because it is software made available to the public at no cost, but the author retains the copyright and can place restrictions on how the program is used. Some freeware can be harmless whereas others are harmful. Not all freeware violates a user's privacy. Firmware is incorrect because it is software that is permanently stored in a hardware device, which enables reading but not writing or modifying. The most common device for firmware is read-only-memory (ROM). Crippleware is incorrect because it enables trial (limited) versions of vendor products that operate only for a limited period of time. Crippleware does not violate a user's privacy.

The Bell-LaPadula Model for a computer security policy deals with which of the following? a. $ -property b. @ -property c. Star (*) -property d. # -property

c. Star property (* -property) is a Bell-LaPadula security rule enabling a subject write access to an object only if the security level of the object dominates the security level of the subject.

When security products cannot provide sufficient protection through encryption, system administrators should consider using which of the following to protect intrusion detection and prevention system management communications? 1. Physically separated network 2. Logically separated network 3. Virtual private network 4. Encrypted tunneling a. 1 and 4 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

c. System administrators should ensure that all intrusion detection and prevention system (IDPS) management communications are protected either through physical separation (management network) or logical separation (virtual network) or through encryption using transport layer security (TLS). However, for security products that do not provide sufficient protection through encryption, administrators should consider using a virtual private network (VPN) or other encrypted tunneling method to protect the network traffic.

Access triples used in the implementation of Clark-Wilson security model include which of the following? a. Policy, procedure, and object b. Class, domain, and subject c. Subject, program, and data d. Level, label, and tag

c. The Clark-Wilson model partitions objects into programs and data for each subject forming a subject/program/data access triple. The generic model for the access triples is <subject, rights, object>.

Which of the following is the correct description of roles between a registration authority (RA) and a credential service provider (CSP) involved in identity proofing? a. The RA may be a part of the CSP. b. The RA may be a separate entity. c. The RA may be a trusted relationship. d. The RA may be an independent entity.

c. The RA may be a part of the CSP, or it may be a separate and independent entity; however a trusted relationship always exists between the RA and CSP. Either the RA or CSP must maintain records of the registration. The RA and CSP may provide services on behalf of an organization or may provide services to the public.

From an information flow policy enforcement viewpoint, which of the following allows forensic reconstruction of events? 1. Security attributes 2. Security policies 3. Source points 4. Destination points a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

c. The ability to identify source and destination points for information flowing in an information system allows for forensic reconstruction of events and increases compliance to security policies. Security attributes are critical components of the operations security concept.

Which of the following is most commonly used in the implementation of an access control matrix? a. Discretionary access control b. Mandatory access control c. Access control list d. Logical access control

c. The access control list (ACL) is the most useful and flexible type of implementation of an access control matrix. The ACL permits any given user to be allowed or disallowed access to any object. The columns of an ACL show a list of users attached to protected objects. One can associate access rights for individuals and resources directly with each object. The other three choices require extensive administrative work and are useful but not that flexible.

In electronic authentication using tokens, the authenticator in the general case is a function of which of the following? a. Token secret and salt or challenge b. Token secret and seed or challenge c. Token secret and nonce or challenge d. Token secret and shim or challenge

c. The authenticator is generated through the use of a token. In the trivial case, the authenticator may be the token secret itself where the token is a password. In the general case, an authenticator is generated by performing a mathematical function using the token secret and one or more optional token input values such as a nonce or challenge. A salt is a nonsecret value used in a cryptographic process, usually to ensure that the results of computations for one instance cannot be reused by an attacker. A seed is a starting value to generate initialization vectors. A nonce is an identifier, a value, or a number used only once. Using a nonce as a challenge is a different requirement than a randomchallenging because a nonce is predictable. A shim is a layer of host-based intrusion detection and prevention code placed between existing layers of code on a host that intercepts data and analyzes it.

In electronic authentication, after a credential has been created, which of the following is responsible for maintaining the credential in storage? a. Verifier b. Relying party c. Credential service provider d. Registration authority

c. The credential service provider (CSP) is the only one responsible for maintaining the credential in storage. The verifier and the CSP may or may not belong to the same entity. The other three choices are incorrect because they are not applicable to the situation here.

Which of the following is an incompatible function for a database administrator? a. Data administration b. Information systems administration c. Systems security d. Information systems planning

c. The database administrator (DBA) function is concerned with short-term development and use of databases, and is responsible for the data of one or several specific databases. The DBA function should be separate from the systems' security function due to possible conflict of interest for manipulation of access privileges and rules for personal gain. The DBA function can be mixed with data administration, information systems administration, or information systems planning because there is no harm to the organization.

Extensible access control markup language (XACML) framework incorporates the support of which of the following? a. Rule-based access control (RuBAC) b. Mandatory access control (MAC) c. Role-based access control (RBAC) d. Discretionary access control (DAC)

c. The extensible access control markup language (XACML) framework does not provide support for representing the traditional access controls (e.g., RuBAC, MAC, and DAC), but it does incorporate the role-based access control (RBAC) support. The XACML specification describes building blocks from which an RBAC solution is developed.

From an access control viewpoint, which of the following requires an audit the most? a. Public access accounts b. Nonpublic accounts c. Privileged accounts d. Non-privileged accounts

c. The goal is to limit exposure due to operating from within a privileged account or role. A change of role for a user or process should provide the same degree of assurance in the change of access authorizations for that user or process. The same degree of assurance is also needed when a change between a privileged account and non-privileged account takes place. Auditing of privileged accounts is required mostly to ensure that privileged account users use only the privileged accounts and that non-privileged account users use only the non-privileged accounts. An audit is not required for public access accounts due to little or no risk involved. Privileged accounts are riskier than nonpublic accounts.

In biometrics-based identification and authentication techniques, which of the following statements are true about biometric errors? 1. High false rejection rate is preferred. 2. Low false acceptance rate is preferred. 3. High crossover error rate represents low accuracy. 4. Low crossover error rate represents low accuracy. a. 1 and 3 b. 1 and 4 c. 2 and 3 d. 2 and 4

c. The goal of biometrics-based identification and authentication techniques about biometric errors is to obtain low numbers for both false rejection rate and false acceptance rate errors. Another goal is to obtain a low crossover error rate because it represents high accuracy or a high crossover error rate because it represents low accuracy.

Which of the following is most risky? a. Permanent access b. Guest access c. Temporary access d. Contractor access

c. The greatest problem with temporary access is that once temporary access is given to an employee, it is not reverted back to the previous status after the project has been completed. This can be due to forgetfulness on both sides of employee and employer or the lack of a formal system for change notification. There can be a formal system of change notification for permanent access, and guest or contractor accesses are removed after the project has been completed.

Honeypot systems do not contain which of the following? a. Event triggers b. Sensitive monitors c. Sensitive data d. Event loggers

c. The honeypot system is instrumented with sensitive monitors, event triggers, and event loggers that detect unauthorized accesses and collect information about the attacker's activities. These systems are filled with fabricated data designed to appear valuable.

Which of the following cannot prevent shoulder surfing? a. Promoting education and awareness b. Preventing password guessing c. Installing encryption techniques d. Asking people not to watch while a password is typed

c. The key thing in shoulder surfing is to make sure that no one watches the user while his password is typed. Encryption does not help here because it is applied after a password is entered, not before. Proper education and awareness and using difficult-to-guess passwords can eliminate this problem.

The principle of least privilege supports which of the following? a. All or nothing privileges b. Super-user privileges c. Appropriate privileges d. Creeping privileges

c. The principle of least privilege refers to granting users only those accesses required to perform their duties. Only the concept of "appropriate privilege" is supported by the principle of least privilege.

Which of the following is an example of a system integrity tool used in the technical security control category? a. Auditing b. Restore to secure state c. Proof-of-wholeness d. Intrusion detection tool

c. The proof-of-wholeness control is a system integrity tool that analyzes system integrity and irregularities and identifies exposures and potential threats. The proof-of-wholeness principle detects violations of security policies. Auditing is a detective control, which enables monitoring and tracking of system abnormalities. "Restore to secure state" is a recovery control that enables a system to return to a state that is known to be secure, after a security breach occurs. Intrusion detection tools detect security breaches.

In biometrics-based identification and authentication techniques, which of the following indicates that security is unacceptably weak? a. Low false acceptance rate b. Low false rejection rate c. High false acceptance rate d. High false rejection rate

c. The trick is balancing the trade-off between the false acceptance rate (FAR) and false rejection rate (FRR). A high FAR means that security is unacceptably weak. A FAR is the probability that a biometric system can incorrectly identify an individual or fail to reject an imposter. The FAR given normally assumes passive imposter attempts, and a low FAR is better. The FAR is stated as the ratio of the number of false acceptances divided by the number of identification attempts. An FRR is the probability that a biometric system will fail to identify an individual or verify the legitimate claimed identity of an individual. A low FRR is better. The FRR is stated as the ratio of the number of false rejections divided by the number of identification attempts.

Which of the following is an example of infrastructure threats related to the registration process required in identity proofing? a. Separation of duties b. Record keeping c. Impersonation d. Independent audits

c. There are two general categories of threats to the registration process: impersonation and either compromise or malfeasance of the infrastructure (RAs and CSPs). Infrastructure threats are addressed by normal computer security controls such as separation of duties, record keeping, and independent audits.

From an access control effectiveness viewpoint, which of the following is represented when a user submits a combination of hardware token and a personal identification number (PIN) for authentication? 1. A weak form of two-factor authentication 2. A strong form of two-factor authentication 3. Supports physical access 4. Supports logical access a. 1 only b. 2 only c. 1 and 3 d. 2 and 4

c. This combination represents something that you have (i.e., hardware token) and something that you know (i.e., PIN). The hardware token can be lost or stolen. Therefore, this is a weak form of two-factor authentication that can be used to support unattended access controls for physical access only. Logical access controls are software-based and as such do not support a hardware token.

Location-based authentication techniques for transportation firms can be effectively used to provide which of the following? a. Static authentication b. Intermittent authentication c. Continuous authentication d. Robust authentication

c. Transportation firms can use location-based authentication techniques continuously, as there are no time and resource limits. It does not require any secret information to protect at either the host or user end. Continuous authentication is better than robust authentication, where the latter can be intermittent.

Bitmap objects and textual objects are part of which of the following security policy filters? a. File type checking filters b. Metadata content filters c. Unstructured data filters d. Hidden content filters

c. Unstructured data consists of two basic categories: bitmap objects (e.g., image, audio, and video files) and textual objects (e.g., e-mails and spreadsheets). Security policy filters include file type checking filters, dirty word filters, structured and unstructured data filters, metadata content filters, and hidden content filters.

From an access control point of view, which of the following are examples of task transactions and separation of conflicts-of-interests? 1. Role-based access control 2. Workflow policy 3. Rule-based access control 4. Chinese Wall policy a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4

c. Workflow policy is a process that operates on rules and procedures. A workflow is specified as a set of tasks and a set of dependencies among the tasks, and the sequencing of these tasks is important (i.e., task transactions). The various tasks in a workflow are usually carried out by several users in accordance with organizational rules represented by the workflow policy. The Chinese Wall policy addresses conflict-of-interest issues, with the objective of preventing illicit flows of information that can result in conflicts of interest. The Chinese Wall policy is simple and easy to describe but difficult to implement. Both role- and rule-based access control can create conflict-of-interest situations because of incompatibility between employee roles and management rules.

For identity management, which of the following qualifies as continuously authenticated? a. Unique ID b. Signed X.509 certificate c. Password with access control list d. Encryption

d. A commonly used method to ensure that access to a communications session is controlled and authenticated continuously is the use of encryption mechanisms to prevent loss of control of the session through session stealing or hijacking. Other methods such as signed x.509 certificates and password files associated with access control lists (ACLs) can bind entities to unique IDs. Although these other methods are good, they do not prevent the loss of control of the session.

Theft is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the theft threat? a. Use tokens that generate high entropy authenticators. b. Use hardware cryptographic tokens. c. Use tokens with dynamic authenticators. d. Use multifactor tokens.

d. A countermeasure to mitigate the threat of token theft is to use multifactor tokens that need to be activated through a PIN or biometric. The other choices are incorrect because they cannot provide multifactor tokens.

In biometrics-based identification and authentication techniques, which of the following indicates that technology used in a biometric system is not viable? a. Low false acceptance rate b. Low false rejection rate c. High false acceptance rate d. High false rejection rate

d. A high false rejection rate (FRR) means that the technology is creating a (PP) nuisance to falsely rejected users thereby undermining user acceptance and questioning the viability of the technology used. This could also mean that the technology is obsolete, inappropriate, and/or not meeting the user's changing needs. A false acceptance rate (FAR) is the probability that a biometric system will incorrectly identify an individual or fail to reject an imposter. The FAR given normally assumes passive imposter attempts, and a low FAR is better and a high FAR is an indication of a poorly operating biometric system, not related to technology. The FAR is stated as the ratio of the number of false acceptances divided by the number of identification attempts. A FRR is the probability that a biometric system will fail to identify an individual or verify the legitimate claimed identity of an individual. A low FRR is better. The FRR is stated as the ratio of the number of false rejections divided by the number of identification attempts.

Which of the following is a major vulnerability with Kerberos model? a. User b. Server c. Client d. Key-distribution-server

d. A major vulnerability with the Kerberos model is that if the key distribution server is attacked, every secret key used on the network is compromised. The principals involved in the Kerberos model include the user, the client, the key-distribution-center, the ticket-grantingservice, and the server providing the requested services.

As a part of centralized password management solutions, which of the following statements are true about password synchronization? 1. No centralized directory 2. No authentication server 3. Easier to implement than single sign-on technology 4. Less expensive than single sign-on technology a. 1 and 3 b. 2 and 4 c. 3 and 4 d. 1, 2, 3, and 4

d. A password synchronization solution takes a password from a user and changes the passwords on other resources to be the same as that password. The user then authenticates directly to each resource using that password. There is no centralized directory or no authentication server performing authentication on behalf of the resources. The primary benefit of password synchronization is that it reduces the number of passwords that users need to remember; this may permit users to select stronger passwords and remember them more easily. Unlike single sign-on (SSO) technology, password synchronization does not reduce the number of times that users need to authenticate. Password synchronization solutions are typically easier, less expensive, and less secure to implement than SSO technologies.

In the electronic authentication process, which of the following is strongly resistant to man-in-the-middle (MitM) attacks? a. Encrypted key exchange (EKE) b. Simple password exponential key exchange (SPEKE) c. Secure remote password protocol (SRP) d. Client authenticated transport layer security (TLS)

d. A protocol is said to be highly resistant to man-in-the-middle (MitM) attacks if it does not enable the claimant to reveal, to an attacker masquerading as the verifier, information (e.g., token secrets and authenticators) that can be used by the latter to masquerade as the true claimant to the real verifier. For example, in client authenticated transport layer security (TLS), the browser and the Web server authenticate one another using public key infrastructure (PKI) credentials, thus strongly resistant to MitM attacks. The other three choices are incorrect, because they are examples of being weakly resistant to MitM attacks and are examples of zeroknowledge password protocol where the claimant is authenticated to a verifier without disclosing the token secret.

From an access control viewpoint, which of the following is computed from a passphrase? a. Access password b. Personal password c. Valid password d. Virtual password

d. A virtual password is a password computed from a passphrase that meets the requirements of password storage (e.g., 56 bits for DES). A passphrase is a sequence of characters, longer than the acceptable length of a regular password, which is transformed by a password system into a virtual password of acceptable length. An access password is a password used to authorize access to data and is distributed to all those who are authorized to have similar access to that data. A personal password is a password known by only one person and is used to authenticate that person's identity. A valid password is a personal password that authenticates the identity of an individual when presented to a password system. It is also an access password that enables the requested access when presented to a password system.

For wireless access, in which of the following ways does an organization confine wireless communications to organization-controlled boundaries? 1. Reducing the power of the wireless transmission and controlling wireless emanations 2. Configuring the wireless access path such that it is point-to-point in nature 3. Using mutual authentication protocols 4. Scanning for unauthorized wireless access points and connections a. 1 only b. 3 only c. 2 and 4 d. 1, 2, 3, and 4

d. Actions that may be taken to confine wireless communication to organization-controlled boundaries include all the four items mentioned. Mutual authentication protocols include EAP/TLS and PEAP. Reducing the power of the wireless transmission means that the transmission cannot go beyond the physical perimeter of the organization. It also includes installing TEMPEST measures to control emanations.

In electronic authentication, which of the following can mitigate the threat of assertion substitution? a. Digital signature and TLS/SSL b. Timestamp and short lifetime of validity c. Digital signature with a key supporting nonrepudiation d. HTTP and TLS

d. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion substitution, the assertion may include a combination of HTTP to handle message order and TLS to detect and disallow malicious reordering of packets. The other three choices are incorrect because they are not applicable to the situation here.

Which of the following is not commonly detected and reported by intrusion detection and prevention systems (IDPS)? a. System scanning attacks b. Denial-of-service attacks c. System penetration attacks d. IP address spoofing attacks

d. An attacker can send attack packets using a fake source IP address but arrange to wiretap the victims reply to the fake address. The attacker can do this without having access to the computer at the fake address. This manipulation of IP addressing is called IP address spoofing. A system scanning attack occurs when an attacker probes a target network or system by sending different kinds of packets. Denial-of-service attacks attempt to slow or shut down targeted network systems or services. System penetration attacks involve the unauthorized acquisition and/or alteration of system privileges, resources, or data.

Which of the following can prevent replay attacks in an authentication process for network access to privileged and non-privileged accounts? 1. Nonces 2. Challenges 3. Time synchronous authenticators 4. Challenge-response one-time authenticators a. 1 and 2 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address the replay attacks include protocols that use nonces or challenges (e.g., TLS) and time synchronous or challenge-response one-time authenticators.

An information system uses multifactor authentication mechanisms to minimize potential risks for which of the following situations? 1. Network access to privileged accounts 2. Local access to privileged accounts 3. Network access to non-privileged accounts 4. Local access to non-privileged accounts a. 1 and 2 b. 1 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. An information system must use multifactor authentication mechanisms for both network access (privileged and non-privileged) and local access (privileged and non-privileged) because both situations are risky. System/network administrators have administrative (privileged) accounts, and these individuals have access to a set of "access rights" on a given system. Malicious non-privileged account users are as risky as privileged account users because they can cause damage to data and program files.

Which of the following is an example of less than secure networking protocols for remote access sessions? a. Secure shell-2 b. Virtual private network with blocking mode enabled c. Bulk encryption d. Peer-to-peer networking protocols

d. An organization must ensure that remote access sessions for accessing security functions employ security measures and that they are audited. Bulk encryption, session layer encryption, secure shell-2 (SSH-2), and virtual private networking (VPN) with blocking enabled are standard security measures. Bluetooth and peer-to-peer (P2P) networking are examples of less than secure networking protocols.

Which one of the following items is a more reliable authentication device than the others? a. Fixed callback system b. Variable callback system c. Fixed and variable callback system d. Smart card system

d. Authentication is providing assurance about the identity of a subject or object; for example, ensuring that a particular user is who he claims to be. A smart card system uses cryptographic-based smart tokens that offer great flexibility and can solve many authentication problems such as forgery and masquerading. A smart token typically requires a user to provide something the user knows (i.e., a PIN or password), which provides a stronger control than the smart token alone. Smart cards do not require a callback because the codes used in the smart card change frequently, which cannot be repeated. Callback systems are used to authenticate a person. A fixed callback system calls back to a known telephone associated with a known place. However, the called person may not be known, and it is a problem with masquerading. It is not only insecure but also inflexible because it is tied to a specific place. It is not applicable if the caller moves around. A variable callback system is more flexible than the fixed one but requires greater maintenance of the variable telephone numbers and locations. These phone numbers can be recorded or decoded by a hacker.

For password management, automatically generated random passwords usually provide which of the following? 1. Greater entropy 2. Passwords that are hard for attackers to guess 3. Stronger passwords 4. Passwords that are hard for users to remember a. 2 only b. 2 and 3 c. 2, 3, and 4 d. 1, 2, 3, and 4

d. Automatically generated random (or pseudo-random) passwords usually provide greater entropy, are hard for attackers to guess or crack, stronger passwords, but at the same time are hard for users to remember.

Which of the following user identification and authentication techniques depend on reference profiles or templates? a. Memory tokens b. Smart cards c. Cryptography d. Biometric systems

d. Biometric systems require the creation and storage of profiles or templates of individuals wanting system access. This includes physiological attributes such as fingerprints, hand geometry, or retina patterns, or behavioral attributes such as voice patterns and handwritten signatures. Memory tokens and smart cards involve the creation and distribution of a token device with a PIN, and data that tell the computer how to recognize valid tokens or PINs. Cryptography requires the generation, distribution, storage, entry, use, distribution, and archiving of cryptographic keys.

A system mechanism and audit trails assist business managers to hold individual users accountable for their actions. To utilize these audit trails, which of the following controls is a prerequisite for the mechanism to be effective? a. Physical b. Environmental c. Management d. Logical access

d. By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behavior. Users are less likely to attempt to circumvent security policy if they know that their actions will be recorded in an audit log. Audit trails work in concert with logical access controls, which restrict use of system resources. Because logical access controls are enforced through software, audit trails are used to maintain an individual's accountability. The other three choices collect some data in the form of an audit trail, and their use is limited due to the limitation of useful data collected.

Which of the following authentication types is most effective? a. Static authentication b. Robust authentication c. Intermittent authentication d. Continuous authentication

d. Continuous authentication protects against impostors (active attacks) by applying a digital signature algorithm to every bit of data sent from the claimant to the verifier. Also, continuous authentication prevents session hijacking and provides integrity. Static authentication uses reusable passwords, which can be compromised by replay attacks. Robust authentication includes one-time passwords and digital signatures, which can be compromised by session hijacking. Intermittent authentication is not useful because of gaps in user verification.

Which of the following statements is not true about discretionary access control? a. Access is based on the authorization granted to the user. b. It uses access control lists. c. It uses grant or revoke access to objects. d. Users and owners are different.

d. Discretionary access control (DAC) permits the granting and revoking of access control privileges to be left to the discretion of individual users. A discretionary access control mechanism enables users to grant or revoke access to any of the objects under the control. As such, users are said to be the owners of the objects under their control. It uses access control lists.

Which of the following security mechanisms for high-risk storage encryption authentication products provides protection against authentication-guessing attempts and favors security over functionality? a. Alert consecutive failed login attempts. b. Lock the computer for a specified period of time. c. Increase the delay between attempts. d. Delete the protected data from the device.

d. For high-security situations, storage encryption authentication products can be configured so that too many failed attempts cause the product to delete all the protected data from the device. This approach strongly favors security over functionality. The other three choices can be used for low-security situations.

Which of the following is not a sophisticated technical attack against smart cards? a. Reverse engineering b. Fault injection c. Signal leakage d. Impersonating

d. For user authentication, the fundamental threat is an attacker impersonating a user and gaining control of the device and its contents. Of all the four choices, impersonating is a nonsophisticated technical attack. Smart cards are designed to resist tampering and monitoring of the card, including sophisticated technical attacks that involve reverse engineering, fault injection, and signal leakage.

Regarding password management, which of the following enforces password strength requirements effectively? a. Educate users on password strength. b. Run a password cracker program to identify weak passwords. c. Perform a cracking operation offline. d. Use a password filter utility program.

d. One way to ensure password strength is to add a password filter utility program, which is specifically designed to verify that a password created by a user complies with the password policy. Adding a password filter is a more rigorous and proactive solution, whereas the other three choices are less rigorous and reactive solutions. The password filter utility program is also referred to as a password complexity enforcement program.

Which of the following intrusion detection and prevention system (IDPS) methodology is appropriate for analyzing both network-based and host-based activity? a. Signature-based detection b. Misuse detection c. Anomaly-based detection d. Stateful protocol analysis

d. IDPS technologies use many methodologies to detect incidents. The primary classes of detection methodologies include signature-based, anomaly-based, and stateful protocol analysis, where the latter is the only one that analyzes both network-based and host-based activity. Signature-based detection is the process of comparing signatures against observed events to identify possible incidents. A signature is a pattern that corresponds to a known threat. It is sometimes incorrectly referred to as misuse detection or stateful protocol analysis. Misuse detection refers to attacks from within the organizations. Anomaly-based detection is the process of comparing definitions of what activity is considered normal against observed events to identify significant deviations and abnormal behavior. Stateful protocol analysis (also known as deep packet inspection) is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. The stateful protocol is appropriate for analyzing both network-based and host-based activity, whereas deep packet inspection is appropriate for network-based activity only. One network-based IDPS can listen on a network segment or switch and can monitor the network traffic affecting multiple hosts that are connected to the network segment. One host-based IDPS operates on information collected from within an individual computer system and determines which processes and user accounts are involved in a particular attack.

How is identification different from authentication? a. Identification comes after authentication. b. Identification requires a password, and authentication requires a user ID. c. Identification and authentication are the same. d. Identification comes before authentication.

d. Identification is the process used to recognize an entity such as a user, program, process, or device. It is performed first, and authentication is done next. Identification and authentication are not the same. Identification requires a user ID, and authentication requires a password.

Identity thieves can get personal information through which of the following means? 1. Dumpster diving 2. Skimming 3. Phishing 4. Pretexting a. 1 only b. 3 only c. 1 and 3 d. 1, 2, 3, and 4

d. Identity thieves get personal information by stealing records or information while they are on the job, bribing an employee who has access to these records, hacking electronic records, and conning information out of employees. Sources of personal information include the following: Dumpster diving, which includes rummaging through personal trash, a business' trash, or public trash dumps. Skimming includes stealing credit card or debit card numbers by capturing the information in a data storage device. Phishing and pretexting deal with stealing information through e-mail or phone by posing as legitimate companies and claiming that you have a problem with your account. This practice is known as phishing online or pretexting (social engineering) by phone respectively.

RuBAC is rule-based access control, ACL is access control list, IBAC is identitybased access control, DAC is discretionary access control, and MAC is mandatory access control. For identity management, which of the following equates the access control policies and decisions between the U.S. terminology and the international standards? 1. RuBAC = ACL 2. IBAC = ACL 3. IBAC = DAC 4. RuBAC = MAC a. 1 only b. 2 only c. 3 only d. 3 and 4

d. Identity-based access control (IBAC) and discretionary access control (DAC) are considered equivalent. The rule-based access control (RuBAC) and mandatory access control (MAC) are considered equivalent. IBAC uses access control lists (ACLs) whereas RuBAC does not.

Which of the following is preferable for environments at high risk of identity spoofing? a. Digital signature b. One-time passwords c. Digital certificate d. Mutual authentication

d. If a one-way method is used to authenticate the initiator (typically a road warrior) to the responder (typically an IPsec gateway), a digital signature is used to authenticate the responder to the initiator. One-way authentication, such as one-time passwords or digital certificates on tokens is well suited for road warrior usage, whereas mutual authentication is preferable for environments at high risk of identity spoofing, such as wireless networks.

Which of the following statements are true about access controls, safety, trust, and separation of duty? 1. No leakage of access permissions are allowed to an unauthorized principal. 2. No access privileges can be escalated to an unauthorized principal. 3. No principals' trust means no safety. 4. No separation of duty means no safety. a. 1 only b. 2 only c. 1, 2, and 3 d. 1, 2, 3, and 4

d. If complete trust by a principal is not practical, there is a possibility of a safety violation. The separation of duty concept is used to enforce safety and security in some access control models. In an event where there are many users (subjects), objects, and relations between subjects and objects, safety needs to be carefully considered.

What occurs in a man-in-the-middle (MitM) attack on an electronic authentication protocol? 1. An attacker poses as the verifier to the claimant. 2. An attacker poses as the claimant to the verifier. 3. An attacker poses as the CA to RA. 4. An attacker poses as the RA to CA. a. 1 only b. 3 only c. 4 only d. 1 and 2

d. In a man-in-the-middle (MitM) attack on an authentication protocol, the attacker interposes himself between the claimant and verifier, posing as the verifier to the claimant, and as the claimant to the verifier. The attacker thereby learns the value of the authentication token. Registration authority (RA) and certification authority (CA) has no roles in the MitM attack.

Many computer systems provide maintenance accounts for diagnostic and support services. Which of the following security techniques is least preferred to ensure reduced vulnerability when using these accounts? a. Call-back confirmation b. Encryption of communications c. Smart tokens d. Password and user ID

d. Many computer systems provide maintenance accounts. These special login accounts are normally preconfigured at the factory with preset, widely known weak passwords. It is critical to change these passwords or otherwise disable the accounts until they are needed. If the account is to be used remotely, authentication of the maintenance provider can be performed using callback confirmation. This helps ensure that remote diagnostic activities actually originate from an established phone number at the vendor's site. Other techniques can also help, including encryption and decryption of diagnostic communications, strong identification and authentication techniques, such as smart tokens, and remote disconnect verification.

Out-of-band attacks against electronic authentication protocols include which of the following? 1. Password guessing attack 2. Replay attack 3. Verifier impersonation attack 4. Man-in-the-middle attack a. 1 only b. 3 only c. 1 and 2 d. 3 and 4

d. In an out-of-band attack, the attack is against an authentication protocol run where the attacker assumes the role of a subscriber with a genuine verifier or relying party. The attacker obtains secret and sensitive information such as passwords and account numbers and amounts when a subscriber manually enters them into a one-time password device or confirmation code sent to the verifier or relying party. In an out-of-band attack, the attacker alters the authentication protocol channel through session hijacking, verifier impersonation, or man-in-the-middle (MitM) attacks. In a verifier impersonation attack, the attacker impersonates the verifier and induces the claimant to reveal his secret token. The MitM attack is an attack on the authentication protocol run in which the attacker positions himself in between the claimant and verifier so that he can intercept and alter data traveling between them. In a password guessing attack, an impostor attempts to guess a password in repeated logon trials and succeeds when he can log onto a system. In a replay attack, an attacker records and replays some part of a previous good protocol run to the verifier. Both password guessing and replay attacks are examples of in-band attacks. In an in-band attack, the attack is against an authentication protocol where the attacker assumes the role of a claimant with a genuine verifier or actively alters the authentication channel. The goal of the attack is to gain authenticated access or learn authentication secrets.

Which of the following statements are true about access controls and safety? 1. More complex safety policies need more flexible access controls. 2. Adding flexibility to restricted access control models increases safety problems. 3. A trade-off exists between the expressive power of an access control model and the ease of safety enforcement. 4. In the implicit access constraints model, safety enforcement is relatively easier than in the arbitrary constraints model. a. 1 and 3 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. In general, access control policy expression models, such as role-based and access control matrix models, operate on arbitrary constraints and safety enforcement is difficult. In implicit (restricted) access constraints models (e.g., Bell-LaPadula), the safety enforcement is attainable.

For major functions of intrusion detection and prevention system technologies, which of the following statements are true? 1. It is not possible to eliminate all false positives and false negatives. 2. Reducing false positives increases false negatives and vice versa. 3. Decreasing false negatives is always preferred. 4. More analysis is needed to differentiate false positives from false negatives. a. 1 only b. 2 only c. 3 only d. 1, 2, 3, and 4

d. Intrusion detection and prevention system (IDPS) technologies cannot provide completely accurate detection at all times. All four items are true statements. When an IDPS incorrectly identifies benign activity as being malicious, a false positive has occurred. When an IDPS fails to identify malicious activity, a false negative has occurred.

From security and safety viewpoints, which of the following does not support the static separation-of-duty constraints? a. Mutually exclusive roles b. Reduced chances of collusion c. Conflict-of-interest in tasks d. Implicit constraints

d. It is difficult to meet the security and safety requirements with flexible access control policies expressed in implicit constraints such as role-based access control (RBAC) and rulebased access control (RuBAC). Static separation-of-duty constraints require that two roles of an individual must be mutually exclusive, constraints must reduce the chances of collusion, and constraints must minimize the conflict-of-interest in task assignments to employees.

In biometrics-based identification and authentication techniques, what is a countermeasure to mitigate the threat of a security breach from unsuccessful authentication attempts? a. Liveness detection b. Digital signatures c. Rejecting exact matches d. Session lock

d. It is good to limit the number of attempts any user can unsuccessfully attempt to authenticate. A session lock should be placed where the system locks the user out and logs a security event whenever a user exceeds a certain amount of failed logon attempts within a specified timeframe. The other three choices cannot stop unsuccessful authentication attempts. For example, if an adversary can repeatedly submit fake biometric data hoping for an exact match, it creates a security breach without a session lock. In addition, rejecting exact matches creates ill will with the genuine user.

For authenticator management, which of the following is the least risky situation when compared to the others? a. Authenticators embedded in an application system b. Authenticators embedded in access scripts c. Authenticators stored on function keys d. Identifiers created at run-time

d. It is less risky to dynamically manage identifiers, attributes, and access authorizations. Run-time identifiers are created on-the-fly for previously unknown entities. Information security management should ensure that unencrypted, static authenticators are not embedded in application systems or access scripts or not stored on function keys. This is because these approaches are risky. Here, the concern is to determine whether an embedded or stored authenticator is in the encrypted or unencrypted form.

A security label, or access control mechanism, is supported by which of the following access control policies? a. Role-based policy b. Identity-based policy c. User-directed policy d. Mandatory access control policy

d. Mandatory access control is a type of access control that cannot be made more permissive by subjects. They are based on information sensitivity such as security labels for clearance and data classification. Rule-based and administratively directed policies are examples of mandatory access control policy. Role-based policy is an example of nondiscretionary access controls. Access control decisions are based on the roles individual users are taking in an organization. This includes the specification of duties, responsibilities, obligations, and qualifications (e.g., a teller or loan officer associated with a banking system). Both identity-based and user-directed policies are examples of discretionary access control. It is a type of access control that permits subjects to specify the access controls with certain limitations. Identity-based access control is based only on the identity of the subject and object. User-directed control is a type of access control in which subjects can alter the access rights with certain restrictions.

Which of the following statements is true about mandatory access control? a. It does not use sensitivity levels. b. It uses tags. c. It does not use security labels. d. It reduces system performance.

d. Mandatory access control is expensive and causes system overhead, resulting in reduced system performance of the database. Mandatory access control uses sensitivity levels and security labels. Discretionary access controls use tags.

For least functionality, organizations utilize which of the following to identify and prevent the use of prohibited functions, ports, protocols, and services? 1. Network scanning tools 2. Intrusion detection and prevention systems 3. Firewalls 4. Host-based intrusion detection systems a. 1 and 3 b. 2 and 4 c. 3 and 4 d. 1, 2, 3, and 4

d. Organizations can utilize network scanning tools, intrusion detection and prevention systems (IDPS), endpoint protections such as firewalls, and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.

Which of the following password selection procedures would be the most difficult to remember? a. Reverse or rearrange the characters in the user's birthday b. Reverse or rearrange the characters in the user's annual salary c. Reverse or rearrange the characters in the user's spouse's name d. Use randomly generated characters

d. Password selection is a difficult task to balance between password effectiveness and its remembrance by the user. The selected password should be simple to remember for oneself and difficult for others to know. It is no advantage to have a scientifically generated password if the user cannot remember it. Using randomly generated characters as a password is not only difficult to remember but also easy to publicize. Users will be tempted to write them down in a conspicuous place if the password is difficult to remember. The approaches in the other three choices would be relatively easy to remember due to the user familiarity with the password origin. A simple procedure is to use well-known personal information that is rearranged.

Which of the following is not a common method used to gain unauthorized access to computer systems? a. Password sharing b. Password guessing c. Password capturing d. Password spoofing

d. Password spoofing is where intruders trick system security into permitting normally disallowed network connections. The gained passwords allow them to crack security or to steal valuable information. For example, the vast majority of Internet traffic is unencrypted and therefore easily readable. Consequently, e-mail, passwords, and file transfers can be obtained using readily available software. Password spoofing is not that common. The other three choices are incorrect because they are the most commonly used methods to gain unauthorized access to computer systems. Password sharing allows an unauthorized user to have the system access and privileges of a legitimate user, with the legitimate user's knowledge and acceptance. Password guessing occurs when easy-to-use or easy-to-remember codes are used and when other users know about them (e.g., hobbies, sports, favorite stars, and social events). Password capturing is a process in which a legitimate user unknowingly reveals the user's login ID and password. This may be done through the use of a Trojan horse program that appears to the user as a legitimate login program; however, the Trojan horse program is designed to capture passwords.

Which of the following authentication techniques is impossible to forge? a. What the user knows b. What the user has c. What the user is d. Where the user is

d. Passwords and PINs are often vulnerable to guessing, interception, or brute force attack. Devices such as access tokens and crypto-cards can be stolen. Biometrics can be vulnerable to interception and replay attacks. A location cannot be different than what it is. The techniques used in the other three choices are not foolproof. However, "where the user is" based on a geodetic location is foolproof because it cannot be spoofed or hijacked. Geodetic location, as calculated from a location signature, adds a fourth and new dimension to user authentication and access control mechanisms. The signature is derived from the user's location. It can be used to determine whether a user is attempting to log in from an approved location. If unauthorized activity is detected from an authorized location, it can facilitate finding the user responsible for that activity.

Which of the following is the best place to put the Kerberos protocol? a. Application layer b. Transport layer c. Network layer d. All layers of the network

d. Placing the Kerberos protocol below the application layer and at all layers of the network provides greatest security protection without the need to modify applications.

From an access control policy enforcement viewpoint, which of the following should not be given a privileged user account to access security functions during the course of normal operations? 1. Network administration department 2. Security administration department 3. End user department 4. Internal audit department a. 1 and 2 b. 3 only c. 4 only d. 3 and 4

d. Privileged user accounts should be established and administered in accordance with a role-based access scheme to access security functions. Privileged roles include network administration, security administration, system administration, database administration, and Web administration, and should be given access to security functions. End users and internal auditors should not be given a privileged account to access security functions during the course of normal operations.

For identity management, which of the following is supporting the determination of an authentic identity? 1. X.509 authentication framework 2. Internet Engineering Task Force's PKI 3. Secure DNS initiatives 4. Simple public key infrastructure a. 1 only b. 2 only c. 3 only d. 1, 2, 3, and 4

d. Several infrastructures are devoted to providing identities and the means of authenticating those identities. Examples of these infrastructures include the X.509 authentication framework, the Internet Engineering Task Force's PKI (IETF's PKI), the secure domain name system (DNS) initiatives, and the simple public key infrastructure (SPKI).

In electronic authentication, which of the following are examples of strongly bound credentials? 1. Unencrypted password files 2. Signed password files 3. Unsigned public key certificates 4. Signed public key certificates a. 1 only b. 1 and 3 c. 1 and 4 d. 2 and 4

d. Signed password files and signed public key certificates are examples of strongly bound credentials. The association between the identity and the token within a strongly bound credential cannot be easily undone. For example a digital signature binds the identity to the public key in a public key certificate; tampering of this signature can be easily detected through signature verification.

What are the Bell-LaPadula access control model and mandatory access control policy examples of? a. Identity-based access controls (IBAC) b. Attribute-based access controls (ABAC) c. Role-based access controls (RBAC) d. Rule-based access controls (RuBAC)

d. The rule-based access control (RuBAC) is based on specific rules relating to the nature of the subject and object. A RuBAC decision requires authorization information and restriction information to compare before any access is granted. Both Bell-LaPadula access control model and mandatory access control policy deals with rules. The other three choices do not deal with rules.

For intrusion detection and prevention system (IDPS) security capabilities, which of the following prevention actions should be performed first to reduce the risk of inadvertently blocking benign activity? 1. Alert enabling capability. 2. Alert disabling capability. 3. Sensor learning mode ability. 4. Sensor simulation mode ability. a. 1 and 2 b. 1 and 3 c. 2 and 4 d. 3 and 4

d. Some intrusion detection and prevention system (IDPS) sensors have a learning mode or simulation mode that suppresses all prevention actions and instead indicates when a prevention action should have been performed. This ability enables administrators to monitor and fine-tune the configuration of the prevention capabilities before enabling prevention actions, which reduces the risk of inadvertently blocking benign activity. Alerts can be enabled or disabled later.

What do architectural security solutions to enforce security policies about information on interconnected systems include? 1. Implementing access-only mechanisms 2. Implementing one-way transfer mechanisms 3. Employing hardware mechanisms to provide unitary flow directions 4. Implementing regrading mechanisms to reassign security attributes a. 1 only b. 2 only c. 3 only d. 1, 2, 3, and 4

d. Specific architectural security solutions can reduce the potential for undiscovered vulnerabilities. These solutions include all four items mentioned.

For intrusion detection and prevention system capabilities, stateful protocol analysis uses which of the following? 1. Blacklists 2. Whitelists 3. Threshold 4. Program code viewing a. 1 and 2 b. 1, 2, and 3 c. 3 only d. 1, 2, 3, and 4

d. Stateful protocol analysis (also known as deep packet inspection) is the process of comparing predetermined profiles of generally accepted definitions of benign protocol activity for each protocol state against observed events to identify deviations. Stateful protocol analysis uses blacklists, whitelists, thresholds, and program code viewing to provide various security capabilities. A blacklist is a list of discrete entities, such as hosts or applications that have been previously determined to be associated with malicious activity. A whitelist is a list of discrete entities, such as hosts or applications known to be benign. Thresholds set the limits between normal and abnormal behavior of the intrusion detection and prevention systems (IDPS). Program code viewing and editing features are established to see the detection-related programming code in the IDPS.

The Take-Grant security model focuses on which of the following? a. Confidentiality b. Accountability c. Availability d. Access rights

d. The Take-Grant security model uses a directed graph to specify the rights that a subject can transfer to an object or that a subject can take from another subject. It does not address the security objectives such as confidentiality, integrity, availability, and accountability. Access rights are a part of access control models.

Role-based access control and the least privilege principle do not enable which of the following? a. Read access to a specified file b. Write access to a specified directory c. Connect access to a given host computer d. One administrator with super-user access permissions

d. The concept of limiting access or least privilege is simply to provide no more authorization than necessary to perform required functions. Best practice suggests it is better to have several administrators with limited access to security resources rather than one administrator with super-user access permissions. The principle of least privilege is connected to the role-based access control in that each role is assigned those access permissions needed to perform its functions, as mentioned in the other three choices.

Which of the following are the ways to reduce the range of potential malicious content when transferring information between different security domains? 1. Constrain file lengths 2. Constrain character sets 3. Constrain schemas 4. Constrain data structures a. 1 and 3 b. 2 and 3 c. 3 and 4 d. 1, 2, 3, and 4

d. The information system, when transferring information between different security domains, implements security policy filters that constrain file lengths, character sets, schemas, data structures, and allowed enumerations to reduce the range of potential malicious and/or unsanctioned content.

Which of the following correctly represents the flow in the identity and authentication process involved in the electronic authentication? a. Claimant?Authentication Protocol?Verifier b. Claimant?Authenticator?Verifier c. Verifier?Claimant?Relying Party d. Claimant?Verifier?Relying Party

d. The party to be authenticated is called a claimant and the party verifying that identity is called a verifier. When a claimant successfully demonstrates possession and control of a token in an online authentication to a verifier through an authentication protocol, the verifier can verify that the claimant is the subscriber. The verifier passes on an assertion about the identity of the subscriber to the relying party. The verifier must verify that the claimant has possession and control of the token that verifies his identity. A claimant authenticates his identity to a verifier by the use of a token and an authentication protocol, called proof-of-possession protocol. The other three choices are incorrect as follows: The flow of authentication process involving Claimant?Authentication Protocol?Verifier: The authentication process establishes the identity of the claimant to the verifier with a certain degree of assurance. It is implemented through an authentication protocol message exchange, as well as management mechanisms at each end that further constrain or secure the authentication activity. One or more of the messages of the authentication protocol may need to be carried on a protected channel. The flow of tokens and credentials involving Claimant?Authenticator?Verifier: Tokens generally are something the claimant possesses and controls that may be used to authenticate the claimant's identity. In E-authentication, the claimant authenticates to a system or application over a network by proving that he has possession of a token. The token produces an output called an authenticator and this output is used in the authentication process to prove that the claimant possesses and controls the token. The flow of assertions involving Verifier?Claimant?Relying Party: Assertions are statements from a verifier to a relying party that contain information about a subscriber (claimant). Assertions are used when the relying party and the verifier are not collocated (e.g., they are connected through a shared network). The relying party uses the information in the assertion to identify the claimant and make authorization decisions about his access to resources controlled by the relying party.

What control is referred to when an auditor reviews access controls and logs? a. Directive control b. Preventive control c. Corrective control d. Detective control

d. The purpose of auditors reviewing access controls and logs is to find out whether employees follow security policies and access rules, and to detect any violations and anomalies. The audit report helps management to improve access controls.

In electronic authentication, which of the following provides the authenticated information to the relying party for making access control decisions? a. Claimant/subscriber b. Applicant/subscriber c. Verifier/claimant d. Verifier/credential service provider

d. The relying party can use the authenticated information provided by the verifier/CSP to make access control decisions or authorization decisions. The verifier verifies that the claimant is the subscriber/applicant through an authentication protocol. The verifier passes on an assertion about the identity of the subscriber to the relying party. The verifier and the CSP may or may not belong to the same identity.

Which of the following is a hidden file? a. Password aging file b. Password validation file c. Password reuse file d. Shadow password file

d. The shadow password file is a hidden file that stores all users' passwords and is readable only by the root user. The password validation file uses the shadow password file before allowing the user to log in. The password-aging file contains an expiration date, and the password reuse file prevents a user from reusing a previously used password. The files mentioned in the other three choices are not hidden.

From an access control effectiveness viewpoint, which of the following is represented when a user submits a combination of public key infrastructure (PKI) keys and a personal identification number (PIN) for authentication? 1. A weak form of two-factor authentication 2. A strong form of two-factor authentication 3. Supports physical access 4. Supports logical access a. 1 only b. 2 only c. 1 and 3 d. 2 and 4

d. This combination represents something that you have (i.e., PKI keys) and something that you know (i.e., PIN). There is no hardware token to lose or steal. Therefore, this is a strong form of two-factor authentication that can be used to support logical access.

A truck driver, who is an employee of a defense contractor, transports highly sensitive parts and components from a defense contractor's manufacturing plant to a military installation at a highly secure location. The military's receiving department tracks the driver's physical location to ensure that there are no security problems on the way to the installation. Upon arrival at the installation, the truck driver shows his employee badge with photo ID issued by the defense contractor, enters his password and PIN, and takes a biometric sample of his fingerprint prior to entering the installation and unloading the truck's content. What does this described scenario represents? a. One-factor authentication b. Two-factor authentication c. Three-factor authentication d. Four-factor authentication

d. Tracking the driver's physical location (perhaps with GPS or wireless sensor network) is an example of somewhere you are (proof of first factor). Showing the employee a physical badge with photo ID is an example of something you have (proof of second factor). Entering a password and PIN is an example of something you know (proof of third factor). Taking a biometric sample of fingerprint is an example of something you are (proof of fourth factor). Therefore, this scenario represents a four-factor authentication. The key point is that it does not matter whether the proof presented is one item or more items in the same category (e.g, somewhere you are, something you have, something you know, and something you are).

For password management, user-selected passwords generally contain which of the following? 1. Less entropy 2. Easier for users to remember 3. Weaker passwords 4. Easier for attackers to guess a. 2 only b. 2 and 3 c. 2, 3, and 4 d. 1, 2, 3, and 4

d. User-selected passwords generally contain less entropy, are easier for users to remember, use weaker passwords, and at the same time are easier for attackers to guess or crack.

From an access control decision viewpoint, failures due to flaws in exclusion-based systems tend to do which of the following? a. Authorize permissible actions b. Fail-safe with permission denied c. Unauthorize prohibited actions d. Grant unauthorized permissions

d. When failures occur due to flaws in exclusion-based systems, they tend to grant unauthorized permissions. The two types of access control decisions are permission-based and exclusion-based.

Which of the following are needed when the enforcement of normal security policies, procedures, and rules are difficult to implement? 1. Compensating controls 2. Close supervision 3. Team review of work 4. Peer review of work a. 1 only b. 2 only c. 1 and 2 d. 1, 2, 3, and 4

d. When the enforcement of normal security policies, procedures, and rules is difficult, it takes on a different dimension from that of requiring contracts, separation of duties, and system access controls. Under these situations, compensating controls in the form of close supervision, followed by peer and team review of quality of work are needed.

For access control for mobile devices, which of the following actions can trigger an incident response handling process? a. Use of external modems or wireless interfaces within the device b. Connection of unclassified mobile devices to unclassified systems c. Use of internal modems or wireless interfaces within the device d. Connection of unclassified mobile devices to classified systems

d. When unclassified mobile devices are connected to classified systems containing classified information, it is a risky situation because a security policy is violated. This action should trigger an incident response handling process. Connection of an unclassified mobile device to an unclassified system still requires an approval; although, it is less risky. Use of internal or external modems or wireless interfaces within the mobile device should be prohibited.

Which of the following statements is not true about identification and authentication requirements? a. Group authenticators should be used with an individual authenticator b. Group authenticators should be used with a unique authenticator c. Unique authenticators in group accounts need greater accountability d. Individual authenticators should be used at the same time as the group authenticators

d. You need to require that individuals are authenticated with an individual authenticator prior to using a group authenticator. The other three choices are true statements.