Chapter 11: Access Control
A. False positive B, C, and D are incorrect. A true negative means an occurrence is considered normal activity and not malicious. False negatives are problems that do not get detected, such as zero-day exploits. True positive means an occurrence that is malicious has been detected.
A legitimate e-mail message ends up being flagged as spam. Which term best describes this situation? A. False positive B. True negative C. False negative D. True positive
D. MAC A, B, and C are incorrect. RBAC assigns rights and permissions to roles. People occupying the role therefore acquire the role's access to resources. DAC enables the owner of a resource (for example, a file) to determine who else has access. Public key infrastructure (PKI) is a system of digital certificates used for authentication, data encryption, and digital signatures.
What security model uses data classifications and security clearances? A. RBAC B. DAC C. PKI D. MAC
B. Add the new employee user account to a group. Ensure that the group has the necessary rights and permissions. A, C, and D are incorrect. Granting individual user rights and permissions becomes difficult to manage as the number of users grows. Granting new employees administrative rights to the network is a violation of all network security best practices—grant only the rights needed. Users may not know what rights they need, or they may ask for rights they do not need to perform their job.
A network administrator must grant the appropriate network permissions to a new employee. Which of the following is the best strategy? A. Give the new employee user account the necessary rights and permissions. B. Add the new employee user account to a group. Ensure that the group has the necessary rights and permissions. C. Give the new employee administrative rights to the network. D. Ask the new employee what network rights she would like.
B. Dictionary A, C, and D are incorrect. They are not directly impeded by stronger passwords as dictionary attacks are.
What type of attack is mitigated by strong, complex passwords? A. DoS B. Dictionary C. Brute force D. DNS poisoning
C. Use a trusted OS. A, B, and D are incorrect. The question does not state details about the operating system being patched, so patching in itself is not the best answer. Purchasing new network equipment refers to acquiring or replacing network hardware, not computer hardware.
A government contract requires your computers to adhere to mandatory access control methods and multilevel security. What should you do to remain compliant with this contract? A. Patch your current operating system. B. Purchase new network hardware. C. Use a trusted OS. D. Purchase network encryption devices.
D. Create a group for each department and add members to the groups. Add the groups to the folder ACLs with the appropriate permissions. A, B, and C are incorrect. Managing individual user permissions becomes difficult as the network grows. A single group will not work here since different sets of users require different sets of permissions to different shared folders. A users group and an administrators group will not suffice; each department should have its own group.
A network administrator, Justin, must grant various departments read access to the Corp_Policies folder and grant other departments read and write access to the Current_Projects folder. What strategy should Justin employ? A. Add all departmental users to the shared folder ACLs with the appropriate permissions. B. Create one group, add members, and add the group to the folder ACLs with the appropriate permissions. C. Create a users group and an administrators group with the correct members. Add the groups to the folder ACLs with the appropriate permissions. D. Create a group for each department and add members to the groups. Add the groups to the folder ACLs with the appropriate permissions.
D. Subject
When configuring a MAC model, the security clearance is assigned to which of the following? A. Resource B. Data C. File D. Subject
B. Group Policy A, C, and D are incorrect. Although PowerShell and batch files can be used to automated administrative tasks, this would require more effort that using Group Policy. Local Group Policy requires more effort since the same settings would need to be configured on each computer.
Ana is the Windows Server administrator for a federal government department. All departmental Windows servers are joined to a single Active Directory domain. New regulations require user password history to be retained to prevent password reuse. Using the least amount of administrative effort, how can Ana enforce the new settings to all departmental users? A. PowerShell B. Group Policy C. Local Group Policy D. Batch file
A. MAC
Which access control model involves assigning classification labels to information to decide who should have access to the information? A. MAC B. DAC C. RBAC D. Corrective
C. Credential A, B, and D are incorrect. Expiry can be set on user accounts for temporary accounts. Recovery entails setting the state of a user account or computer system to a previous functional state. Disabling user accounts is appropriate for users who are on leave.
As a server administrator, you configure security settings such that complex passwords at least eight characters long must be used by all user accounts. What type of management practice is this? A. Expiration B. Recovery C. Credential D. Disablement
B. Technical A, C, and D are incorrect. Management controls are written policies that determine acceptable activities and how they should be conducted. Physical controls such as door locks and fences protect organizational assets from threats. Operational controls such as data backups ensure business continuity.
Complex passwords are considered which type of security control? A. Management B. Technical C. Physical D. Operational
D. DoS attacks could render administrative accounts unusable. A, B, and C are incorrect. Although these statements are all true, they are not issues resulting from account lockout settings.
During an IT security meeting, the topic of account lockout surfaces. When you suggest all user accounts be locked for 30 minutes after three incorrect logon attempts, your colleague Phil states that this is a serious problem when applied to administrative accounts. What types of issues might Phil be referring to? A. Dictionary attacks could break into administrative accounts. B. Administrative accounts are much sought-after by attackers. C. Administrative accounts are placed into administrative groups. D. DoS attacks could render administrative accounts unusable.
C. Password hints A, B, and D are incorrect. Password expiration, periodic password change, and password lengths will not help users remember their passwords.
In securing your network, you enforce complex user passwords. Users express concern about forgetting their passwords. What should you configure to allay those concerns? A. Password expiration B. Periodic password change C. Password hints D. Maximum password length
D. A third party should have been hired to conduct the audit. A, B, and C are incorrect. You should not have company employees conducting an audit. Many freely available tools are robust and reliable.
James is the branch network administrator for ABC, Inc. Recently the company headquarters requested a network security audit, so James performed an audit himself using freely available Linux tools. What is the problem with James's actions? A. ABC, Inc., should have sent a network administrator from headquarters to perform the audit. B. The chief security officer should have conducted the audit. C. Freely available tools are not reliable and should not have been used. D. A third party should have been hired to conduct the audit.
B. Discretionary access control A, C, and D are incorrect. Mandatory access control is security policy driven, not user driven. A role that groups the needed access rights is not required for access to a single folder. Linda has given rights to the folder, and no time factor is mentioned in the question.
Linda creates a folder called Budget Projections in her home account and shares it with colleagues in her department. Which of the following best describes this type of access control system? A. Mandatory access control B. Discretionary access control C. Role-based access control D. Time-of-day access control
A. Irregularities in job duties can be noticed when another employee fills that role. B, C, and D are incorrect. Users feeling recharged and adherence to labor regulations are important, but they are not the motivating factor in IT environments. Fewer users on the network does not imply less security risk.
Margaret is the head of Human Resources for Emrom, Inc. An employee does not want to use his annual vacation allotment, but Margaret insists it is mandatory. What IT benefit is derived from mandatory vacations? A. Irregularities in job duties can be noticed when another employee fills that role. B. Users feel recharged after time off. C. Emrom, Inc., will not be guilty of labor violations. D. There is less security risk when fewer users are on the network.
C. Role-based access control A, B, and D are incorrect. Mandatory access control grants access based on security clearances given to users. Discretionary access control puts the control of giving access in the hands of the data owner (for example, a file owner can give permissions to others to that file). Time-of-day access controls are based on time of day and are therefore incorrect in this case.
To ease giving access to network resources for employees, you decide there must be an easier way than granting users individual access to files, printers, computers, and applications. What security model should you consider using? A. Mandatory access control B. Discretionary access control C. Role-based access control D. Time-of-day access control
B. Least privilege A, C, and D are incorrect. Separation of duties means assigning multiple people to perform specific functions to complete a task. Job rotation is a strategy that exposes employees to various facets of a business and has nothing to do with security. Account lockout relates to security but is not violated by giving a user too many permissions.
To give a contractor network access, a network administrator adds the contractor account to the Windows Administrators group. Which security principle does this violate? A. Separation of duties B. Least privilege C. Job rotation D. Account lockout
B. Preventative A, C, and D are incorrect. Deterrent controls discourage malicious or illegal actions but do not necessarily prevent them from happening. Detective controls recognize malicious activity and generate a notification. Compensating controls are used when other specific security requirements cannot be met but are mitigated through a different type of control.
Traveling employees are given a cable lock and told to lock down their laptops when stepping away from the device. To which class of security control does this apply? A. Deterrent B. Preventative C. Detective D. Compensating
B. chmod
What Linux command is used to change permission on a file? A. cat B. chmod C. ls D. chperm
D. Rule-based access control
What access control model involves configuring permissions on a resource such as a file or folder? A. MAC B. DAC C. Role-based access control D. Rule-based access control
A. Personnel hiring policy D. Separation of duties B and C are incorrect. VPN and disk encryption policies deal with specific technologies and thus are considered technical controls.
Which of the following are considered administrative controls? (Choose two.) A. Personnel hiring policy B. VPN policy C. Disk encryption policy D. Separation of duties
C. Using cable locks to secure laptops A, B, and D are all incorrect because they are examples of software access control, not physical access control.
Which of the following is an example of physical access control? A. Encrypting the USB flash drive B. Disabling USB ports on a computer C. Using cable locks to secure laptops D. Limiting who can back up sensitive data
D. Corrective A, B, and C are incorrect. Preventative controls are proactive, such as data backups to prevent data loss. A security camera is an example of both a detective and a deterrent type of control; it can be used to deter negative behavior and it can also be used to detect bad behavior that has already occurred; it has nothing to do with recovery.
Your IT team has documented a disaster recovery plan in the event of a web application failure. What type of control is this? A. Preventative B. Detective C. Deterrent D. Corrective
B. Implicit deny A, C, and D are incorrect. Implicit allowance implies all are allowed unless specifically denied. The questions asks about blocked users, not allowed users. The configuration does not specify who (or what) is blocked, so explicit deny is not applicable here.
Your VPN appliance is configured to disallow user authentication unless the user or group is listed as allowed. Regarding blocked users, what best describes this configuration? A. Implicit allow B. Implicit deny C. Explicit allow D. Explicit deny
D. Employee screening
Your manager wants you to design the access control mechanism for the company. You are working on the administrative controls. Which of the following is considered an administrative control? A. Firewall B. Encryption C. Intrusion detection system D. Employee screening
C. FTP and RDP are explicitly allowed; all else is implicitly denied. A, B, and D are incorrect. Simple Mail Transfer Protocol (SMTP) uses TCP port 25, Simple Network Management Protocol (SNMP) uses UDP port 161, and RDP uses TCP port 3389. FTP and RDP are not implicitly allowed; they are explicitly allowed.
A network router has the following ACL: ip access-group 101 in access-list 101 permit tcp any any eq 20 access-list 101 permit tcp any any eq 21 access-list 101 permit tcp any any eq 3389 Choose the correct description of the ACL configuration. A. SMTP, SNMP, and RDP are explicitly allowed; all else is implicitly denied. B. SMTP, SNMP, and RDP are implicitly allowed; all else is explicitly denied. C. FTP and RDP are explicitly allowed; all else is implicitly denied. D. FTP and RDP are implicitly allowed; all else is explicitly denied.
A. Mandatory access control B, C, and D are incorrect. Discretionary access control (DAC) models leave control of security to the data owner. Permissions are set at the individual object level as opposed to using data classification labels. Role-based access control places users into roles that have been granted groups of permissions to perform a job function; roles were not mentioned in the question. Dates or times of allowed access were not mentioned in the question.
A secure computing environment labels data with various security classifications. Authenticated users must have clearance to read this classified data. What type of access control model is this? A. Mandatory access control B. Discretionary access control C. Role-based access control D. Time-of-day access control
D. NAC A, B, and C are incorrect. Stronger passwords and network encryption protect user accounts and data transmissions, but they are applicable once a computer has gained access to the network, not before. Virtual private networks (VPNs) do not apply to a local area network; they secure a data channel to a private network over an untrusted network.
A technician notices unauthorized computers accessing a sensitive protected network. What solution should the technician consider? A. Stronger passwords B. Network encryption C. VPN D. NAC
C. During the user onboarding process A, B, and D are incorrect. A user promotion or movement to a lower security level does not imply that a NDA must be signed. NDAs are signed before users will have access to sensitive data, not afterward when users leave the organization or are moved to a different role within the organization (offboarding).
At which point should an employee sign a nondisclosure agreement (NDA)? A. When the user is promoted B. When the user is moved to a lower security clearance level C. During the user onboarding process D. During the user offboarding process
B. Disable the account and enable it when he returns. A, C, and D are incorrect. A user account should never be deleted when that user will be returning; instead, regardless of how the account data is backed up, the account should simply be disabled. Guest accounts should not be used, because this makes it difficult to track which user performed a specific action.
One of your users, Matthias, is taking a three-month sabbatical because of a medical condition, after which he will return to work. What should you do with Matthias's user account? A. Delete the account and re-create it when he returns. B. Disable the account and enable it when he returns. C. Export his account properties to a text file for later import and then delete it. D. Have Matthias use a guest account until he returns to work full-time.
A. SSO B, C, and D are incorrect. An ACL controls who and what has access to a particular resource. Although a public key infrastructure (PKI) can be used to authenticate instead of or in addition to usernames and passwords, PKI does not eliminate multiple password prompts; that is what SSO is for. Password complexity is likely to increase the burden that users are complaining about.
Users complain that they must remember passwords for a multitude of user accounts to access software required for their jobs. How can this be solved? A. SSO B. ACL C. PKI D. Password complexity
C. Role-based access control
What access control model involves having privileges assigned to groups so that anyone who is placed in the group has that privilege? A. MAC B. DAC C. Role-based access control D. Rule-based access control
B. Classification labels identify data sensitivity. D. Security clearances are compared with classification labels. A and C are incorrect. There is a difference between the security clearances and classification labels. Security clearances do not identify data sensitivity; classification labeling does.
What is the difference between security clearances and classification labels? (Choose two.) A. There is no difference. B. Classification labels identify data sensitivity. C. Security clearances identify data sensitivity. D. Security clearances are compared with classification labels.
B. Technical controls A, C, and D are incorrect. Secure Sockets Layer (SSL) provides application-specific transmission encryption to ensure data confidentiality. Integrity assures that data is authentic and has not been tampered with. Administrative controls provide a foundation for how a business should be run.
What provides secure access to corporate data in accordance with management policies? A. SSL B. Technical controls C. Integrity D. Administrative controls
B. ACL A, C, and D are incorrect. An individual entry in an ACL is known as an access control entry (ACE). Active Directory is Microsoft's replicated authentication database. Users and groups from Active Directory can appear in ACLs, but permissions themselves are not stored here; they are stored with the file system object. An access log simply lists request details (date, time, user, or computer) for a network resource such as a file.
Which term is best defined as an object's list of users, groups, processes, and their permissions? A. ACE B. ACL C. Active Directory D. Access log
D. Rule-based access control A, B, and C are incorrect. Role-based access control assigns rights to roles or groups. Users assigned a role or memberships to a group inherit those rights. Mandatory access control uses classification labels for resources to determine resource access. Discretionary access control uses an access control list (ACL) that indicates which users have which specific permissions to a resource.
Which type of access control type does a router use to allow or deny network traffic? A. Role-based access control B. Mandatory access control C. Discretionary access control D. Rule-based access control
B. Detective
While implementing the physical controls in your environment, you installed a burglar alarm system. What class of control is a burglar alarm system? A. Logical B. Detective C. Preventative D. Corrective
A. Do not allow multiple users to use generic credentials. B. Conduct periodical user access reviews. C. Monitor Linux server use continuously. D is incorrect. Encrypting files increases file security, but it is not related to the security audit findings stated in the question.
You are a security auditing professional. After evaluating Linux server and file usage, you determine that members of the IT administrative team regularly log in to Linux servers using the root account while performing regular computer tasks. Which recommendations should you make based on your findings? (Choose three.) A. Do not allow multiple users to use generic credentials. B. Conduct periodical user access reviews. C. Monitor Linux server use continuously. D. Encrypt all files on Linux servers.
B. DAC
You are configuring a firewall to allow only certain packets to pass through. What type of access control model is being used? A. MAC B. DAC C. Role-based access control D. Rule-based access control
D. ABAC
You are responsible for configuring the security on your company server. You have decided to grant permissions to the Marketing folder if a users account's Department property is set to Marketing ant its City property is set to London. What access control model are you using? A. RBAC B. GBAC C. MAC D. ABAC
B. Location-based policy A, C, and D are incorrect. Although encryption, VPN, and network acceptable use policies are important to ensure security, they do not specifically control mobile access to data in a restricted area.
You are responsible for configuring the use of tablets in a medical clinic. Doctors would like patient charts to be available only from within the facility. What should you configure? A. Encryption policy B. Location-based policy C. VPN policy D. Network acceptable use policy
A. Implicit deny
You have configured an access list on your Cisco router to allow and deny a number of different types of traffic. The access list denies any traffic that does not match any of the rules. What security principle is being used here? A. Implicit deny B. Least privileges C. Separation of duties D. Job rotation
C. Configure time-of-day restrictions to ensure nobody can be logged in after 6 p.m. A, B, and D are incorrect. Unplugging stations involves physically visiting each station; there are better ways. Locking a workstation does not log out the user. Disabling user accounts at 6 p.m. is an extreme solution and may not affect existing logon sessions immediately (for example, a Windows Active Directory Kerberos ticket would first have to expire).
You require that users not be logged on to the network after 6 p.m. while you analyze network traffic during nonbusiness hours. What should you do? A. Unplug their stations from the network. B. Tell users to press ctrl-alt-del to lock their stations. C. Configure time-of-day restrictions to ensure nobody can be logged in after 6 p.m. D. Disable user accounts at 6 p.m.
C. Separation of duties
You work for a small company as the network administrator and the security officer. You are responsible for all network administration tasks and security task such as security audits. What security principle has been violated? A. Least privilege B. Implicit deny C. Separation of duties D. Job rotation