Domain 1: Sample Access Control Questions
What is an authorization table a. A matrix of access control objects, access control subjects, and their respective rights b. A service or program where access control information is stored and where access control decisions are made c. A listing of access control objects and their respective rights d. A listing of access control subjects and their respective rights
A matrix of access control objects, access control subjects, and their respective rights. The authorization table is used in some DAC systems to provide for a simple and intuitive interface for the definition of access control rules.
In the measurement of biometric accuracy, which of the following is commonly referred to as a "type 2 error" a. Cross-over error rate (CER) b. Rate of false rejection—False Rejection Rate (FRR) c. Input/output per second (IOPS) d. Rate of false acceptance—False Acceptance Rate (FAR)
Rate of false acceptance - False Acceptance Rate (FAR). A false reject (FRR) is a type 1 error, false acceptance rate is a type 2 error and cross-over error rate is the intersection when FRR equals FAR.
What ports are used during Kerberos Authentication? a. 53 and 25 b. 169 and 88 c. 53 and 88 d. 443 and 21
UDP/TCP DNS 53 and UDP/TCP Kerberos 88
Which of the following are behavioral traits in a biometric device a. Voice pattern and keystroke dynamics b. Signature dynamics and iris scan c. Retina scan and hand geometry d. Fingerprint and facial recognition
a, b Voice pattern, signature dynamics, and keystroke dynamics are all behavioral traits in biometric devices.
Which of the following are supported authentication methods for iSCSI? (Choose two.) a. Kerberos b. Transport Layer Security (TLS) c. Secure Remote Password (SRP) d. Layer 2 Tunneling Protocol (L2TP)
a,c There are a number of authentication methods supported with iSCSI: Kerberos - a network authentication protocol. Designed to provide strong authentication for client/server applications by using secret-key cryptography. SRP (Secure Remote Password) - a secure password-based authentication and key-exchange protocol. SRP exchanges a cryptographically strong secret as a byproduct of successful authentication, which enables the two parties to communicate securely. SPKM1/2 (Simple Public-Key Mechanism) - provides authentication, key establishment, data integrity, and data confidentiality in an online distributed application environment using a public-key infrastructure. The use of a public-key infrastructure allows digital signatures supporting non-repudiation to be employed for message exchanges. CHAP (Challenge Handshake Authentication Protocol) - used to periodically verify the identity of the peer using a three-way handshake. This is done upon initial link establishment and may be repeated any time after the link has been established.
Which of the following is not one of the three primary rules in a Biba formal model? a. An access control subject cannot request services from an access control object that has a higher integrity level. b. An access control subject cannot modify an access control object that has a higher integrity level. c. An access control subject cannot access an access control object that has a lower integrity level. d. An access control subject cannot access an access control object that has a higher integrity level.
a. An access control subject cannot request services from an access control object that has a higher integrity level. (invocation property). An access control subject cannot modify an access control object that has a higher integrity level. (no write up) An access control subject cannot access an access control object that has a lower integrity level (no read down)
What type of controls are used in a Rule Set-Based Access Control system? a. Discretionary b. Mandatory c. Role Based d. Compensating
a. Discretionary - Rule set-based access controls (RSBAC) are discretionary controls giving data owners the discretion to determine the rules necessary to facilitate access.
Which of the following is an example of a firewall that does not use Context-Based Access Control? a. Static packet filter b. Circuit gateway c. Stateful inspection d. Application proxy
a. Static packet filter: Context-based access controls also consider the "state" of the connection, and in a static packet filter no consideration is given to the connection state. Each and every packet is compared to the rule base regardless of whether it had previously been allowed or denied.
What is the difference between a synchronous and asynchronous password token a. Asynchronous tokens contain a password that is physically hidden and then transmitted for each authentication, while synchronous tokens do not. b. Synchronous tokens are generated with the use of a timer, while asynchronous tokens do not use a clock for generation. c. Synchronous tokens contain a password that is physically hidden and then transmitted for each authentication, while asynchronous tokens do not. d. Asynchronous tokens are generated with the use of a timer, while synchronous tokens do not use a clock for generation.
a. Synchronous tokens are generated with the use of a timer, while asynchronous tokens do not use a clock for generation. Security tokens are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something. All tokens contain some secret information that are used to prove identity. There are four different ways in which this information can be used. Static password token: the device contains a password that is physically hidden (not visible to the possessor) but that is transmitted for each authentication. This type is vulnerable to repaly attacks Synchronous dynamic password token. A timer is used to rotate through various combinations produced by a cryptographic algorithm. The token and the authentication server must have synchronized clocks. Asynchronous password token. A one-time password is generated without the use of a clock, either from a one-time pad or cryptographic algorithim Challenge response token. Using public key cryptography, it is possible to prove possession of a private key without revealing that key. The authentication server encrypts a challenge (typically a random number, or at least data with some random parts) with a public key; the device proves it possesses a copy of the matching private key by providing the decrypted challenge.
Where would you find a singulation protocol being used? a. Where there is a Radio Frequency ID system deployed and tag collisions are a problem b. Where there is router that has gone offline in a multi-path storage network c. Where there is a Radio Frequency ID system deployed and reader collisions are a problem d. Where there is switch that has gone offline in a multi-path storage network
a. Where there is a Radio Frequency ID system deployed and reader collisions are a problem. Some common problems with RFID are reader collision and tag collision. Reader collision occurs when the signals from two or more readers overlap. The tag is unable to respond to simultaneous queries. Systems must be carefully set up to avoid this problem; many systems use an anti-collision protocol (also called a singulation protocol). Anti-collision protocols enable the tags to take turns in transmitting to a reader.
Which of the following are not principal components of access control systems? (Choose two.) a. Objects b. Biometrics c. Subjects d. Auditing
b, d Bio-metrics and Auditing. While bio-metrics devices are used in some access control systems to confirm an individual's identity, they are not considered to be one of the principal components of an access control system. While auditing is used in many access control systems, it is not a mandatory feature or function of all systems and is not always enabled. Both objects and subjects are the building blocks of all access control systems.
View-Based Access Controls are an example of a(n): a. Audit control b. Constrained User Interface c. Temporal constraint d. Side Channel
b. Constrained User Interface. View-based access controls (VBACs) are most commonly found in database applications to control access to specific parts of a database. The constrained user interface in VBAC restricts or limits an access control subject's ability to view or perhaps act on "components" of an access control object based on the access control subject's assigned level of authority. Views are dynamically created by the system for each user-authorized access. Simply put, VBAC separates a given access control object into sub-components and then permits or denies access for the access control subject to view or interact with specific sub-components of the underlying access control object.
According to the following scenario, what would be the most appropriate access control model to deploy? Scenario: A medical records database application is used by a health-care worker to access blood test records. If a record contains information about an HIV test, the health-care worker may be denied access to the existence of the HIV test and the results of the HIV test. Only specific hospital staff would have the necessary access control rights to view blood test records that contain any information about HIV tests. a. Discretionary Access Control b. Context-Based Access Control c. Content-Dependent Access Control d. Role-Based Access Control
c Content-Dependent Access Control: Content-Dependent Access Control is used to protect databases containing sensitive information. Content-dependent access controls works by permitting or denying the access control subjects access to access control objects based on the explicit content within the access control object. Context-based access control is often confused with content-dependent access control, but they are two completely different methodologies. While content-dependent access control makes decisions base on the content within an access control object, context-based access control is not concerned with the content; it is concerned only with the context or the sequence of events leading to the access control object being allowed through the firewall. In the example of blood test records for content dependent access control, the access control subject would be denied access to the access control object because it contained information about an HIV test. Context-based access control could be used to limit the total number of requests for access to any blood test records over a given period of time. Hence, a health-care worker may be limited to accessing blood test database more than 100 times in a 24-hour period. While a context-based access control does not require that permissions be configured for individual access control objects, it requires that rules be created in relation to the sequence of events that preceded an access attempt.
What are the five areas that make up the identity management lifecycle a. Authorization, proofing, provisioning, maintenance, and establishment b. Accounting, proofing, provisioning, maintenance, and entitlement c. Authorization, proofing, provisioning, monitoring, and entitlement d. Authorization, proofing, provisioning, maintenance, and entitlement
d. Authorization, proofing, provisioning, maintenance, and entitlement. In essence, identity management is the process for managing the entire life cycle of digital identities, including the profiles of people, systems, and services, as well as the use of emerging technologies to control access to company resources. A digital identity is the representation of a set of claims made by a digital subject including, but not limited to, computers, resources, or persons about itself or another digital subject. The goal of identity management, therefore, is to improve company-wide productivity and security, while lowering the costs associated with managing users and their identities, attributes, and credentials.
What framework is the Rule Set-Based Access Controls logic based upon? a. Logical Framework for Access Control b. Specialized Framework for Access Control c. Technical Framework for Access Control d. Generalized Framework for Access Control
d. Generalized Framework for Access Control. The RSBAC framework logic is based on the work done for the generalized framework for access control (GFAC) by Abrams and LaPadula.