Quiz #2
You're preparing a presentation for the senior management of your company. They have asked you to rank the general order of accuracy of the most popular biometric systems, with 1 being the lowest and 5 being the highest. What will you tell them? (1) palm scan, (2) hand geometry, (3) iris scan, (4) retina scan, (5) fingerprint; (1) fingerprint, (2) palm scan, (3) iris scan, (4) retina scan, (5) hand geometry; (1) fingerprint, (2) palm scan, (3) hand geometry, (4) retina scan, (5) iris scan; (1) hand geometry, (2) palm scan, (3) fingerprint, (4) retina scan, (5) iris scan
(1) fingerprint, (2) palm scan, (3) hand geometry, (4) retina scan, (5) iris scan
Kerberos has some features that make it a good choice for access control and authentication. One of these items is a ticket. What is a ticket used for? A ticket is a block of data that allows users to prove their identity to the Kerberos server; A ticket is a block of data that allows users to prove their identity to a service; A ticket is a block of data that allows users to prove their identity to an authentication server; A ticket is a block of data that allows users to prove their identity to a ticket-granting server
A ticket is a block of data that allows users to prove their identity to a service
Various operating systems such as Windows use what to control access rights and permissions to resources and objects? ABS; RBAC; MITM; ACL
ACL
During a weekly staff meeting, your boss reveals that some employees have been allowing other employees to use their passwords. He is determined to put a stop to this and wants you to install biometric access control systems. He has asked about some basic attributes, such as type I errors, type II errors, and the CER, as shown in the figure below. What's so important about the CER? How do you respond? The CER has to do with the customer acceptance rate because some systems are more user-friendly than others; The CER has to do with the cost per employee because some biometric access control systems are very good, but also very expensive; Speed typically is determined by calculating the CER; Accuracy typically is determined by calculating the CER
Accuracy typically is determined by calculating the CER
Auditing is considered what method of access control? Preventative; Administrative; Physical; Technical
Administrative
Administrative controls form an important part of security, and although most of us don't like paperwork, that is a large part of this security control. Which of the following is a high-level document that describes a management plan for how security should be practiced throughout the organization? Policies; Procedures; Guidelines; Standards
Policies
There are two basic types of access control policies. Which of the following describes the best approach for a CISSP? Begin with deny all; Begin with allow all; Deny some based on needs analysis; Allow some based on needs analysis
Begin with deny all
Which of the following types of copper cabling is the most secure against eavesdropping and unauthorized access? 802.11ac wireless; Category 6 cabling; multimode fiber; single-mode
Category 6 cabling
You are approached by a junior security officer who wants to know what CVE stands for. What do you tell him? Common Vulnerabilities and Exploits; Chosen Vulnerabilities and Exploits; Common Vulnerabilities and Exposures; Critical Vulnerability and Exploits
Common Vulnerabilities and Exposures
Which of the following is not part of physical access control? Mantraps; CCTV; Biometrics; Data classification and labeling
Data classification and labeling
Which of the following is not one of the four access control models? Mandatory; Delegated; Discretionary; Role-based
Delegated
Which of the following is a category of security controls that job rotation fits into? Recovery; Compensation; Corrective; Detective
Detective
Which of the following is the easiest and most common form of offline password hash attack used to pick off insecure passwords? Hybrid; Man-in-the-middle; Dictionary; Brute-force
Dictionary
As a newly appointed security officer for your corporation, you suggest replacing the password-based authentication system with RSA tokens. Elsa, your chief technology officer, denies your request, citing budgetary constraints. As a temporary solution, Elsa asks that you find ways to increase password security. Which of the following will accomplish this goal? Disabling password-protected screensavers; Enabling account lockout controls; Enabling users to use the same password on more than one system; Enforcing a password policy that requires non-complex passwords
Enabling account lockout controls
Your manager persists in asking you to set up a fake network to identify contractors who may be poking around the network without authorization. What legal issue pertaining to these devices should you be most concerned with? Entrapment; Federal Statute 1029; Enticement; Liability
Entrapment
Which biometric authentication system is most closely associated with law enforcement? Fingerprint recognition; Retina pattern recognition; Iris recognition; Facial recognition
Fingerprint recognition
Your manager asks you to set up a fake network to identify contractors who may be poking around the network without authorization. What is this type of system called? Prison; Trap-and-Trace; Honeypot; Snare
Honeypot
Your organization has decided to use a biometric system to authenticate users. If the FAR is high, what happens? Illegitimate users are denied access to the organization's resources; Illegitimate users are granted access to the organization's resources; Legitimate users are denied access to the organization's resources; Legitimate users are granted access to the organization's resources
Illegitimate users are granted access to the organization's resources
Your brother-in-law, Mario, is studying for the CISSP exam. He text-messages you with what he believes is an important question: What is a major disadvantage of access control lists? How do you answer him? Independence from resource owners; lack of centralized control; overhead of the auditing function; burden of centralized control
Independence from resource owners
Which of the following best describes challenge/response authentication? It is an authentication protocol in which a salt value is presented to the user, who then returns an MD5 hash based on this salt value; It is an authentication protocol in which the username and password are passed to the server using CHAP; It is an authentication protocol in which a system of tickets is used to validate the user's rights to access resources and services; It is an authentication protocol in which a randomly generated string of values is presented to the user, who then returns a calculated number based on those random values
It is an authentication protocol in which a randomly generated string of values is presented to the user, who then returns a calculated number based on those random values
Today, you are meeting with a coworker who is proposing that the number of logins and passwords be reduced. Another coworker has suggested that you investigate single sign-on technologies and make a recommendation at the next scheduled meeting. Which of the following is a type of single sign-on system? SAML; Kerberos; DAC; RBAC
Kerberos
What type of access control system doesn't give users much freedom to determine who can access their files and is known for its structure and use of security labels? Nondiscretionary; discretionary; Mandatory; Role-based
Mandatory
A hacker submits a malicious URL request for a help page from an unpatched Apache server that supports an Oracle9i Application Server. This causes a denial of service. Which of the following would have best protected the corporation from this attack? HIDS; NIPS; HIPS; NIDS
NIPS
What term means that a user cannot deny a specific action because there is positive proof that he or she performed it? Nonrepudiation; Auditing; Validation; Accountability
Nonrepudiation
Which of the following is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider? LDAP; OAuth; SAML; KryptoKnight
OAuth
Which style of authentication is not susceptible to a dictionary attack? PAP; WPA-PSK; CHAP; LEAP
PAP
While working as a contractor for Widget, Inc., you are asked what the weakest form of authentication is. What will you say? facial recognition; tokens; passwords; retina scans
Passwords
You have been promoted to security officer for a Fortune 500 company and are performing an audit of elevated privileges for the network. You observe that there are many members from the help desk that have privileges to various systems that they do not require to do their job on a daily basis. What best business practice does your company lack? Principle of least privilege; Separation of duties; Need to know; Privilege creep
Principle of least privilege
Your chief information officer (CIO) needs your recommendation for a centralized access control system to maintain all the users and associated permissions. He also wants to be able to use this system for a wireless local area network (LAN). In addition to the wireless LAN requirement, the network administrator has stated that it is not important to the CIO to have a system that will split the authentication, authorization, and accounting process up; however, having the option to use UDP, SCTP, or TCP is a must. The CIO also requires an SSO technology that can support nonrepudiation and authenticity. The CIO has stated he is willing to purchase more than one system to meet the specified requirements. Which of the following is the best recommendation you would give? Purchase Extended Terminal Access Controller System for centralized access control and use SESAME for SSO; Purchase a RADIUS for centralized access control and Kerberos because it is most commonly used and, most importantly, has been around a long time and many organizations trust it; Purchase a Diameter for centralized access control and SESAME for SSO; Purchase a Diameter for centralized access control and Kerberos for SSO
Purchase a Diameter for centralized access control and SESAME for SSO
Your company has installed biometric access control systems. Your director has mentioned that he thinks the system will have a high FRR. What does this mean? Quite a few valid users will be denied access; Employees will accept the system; Almost all unauthorized users will be denied; The system has a high return rate and will quickly pay for itself
Quite a few valid users will be denied access
What method of access control system would a bank teller most likely fall under? Role-based; Discretionary; Rule-based; Mandatory
Role-Based
Which of the following is a major issue with signature-based IDSs? Signature-based IDSs are cost-prohibitive; Signature-based IDSs can detect only attacks in which activity deviates from normal behavior; Signature-based IDSs are available only as host-based systems; Signature-based IDSs cannot detect zero-day attacks
Signature-based IDSs cannot detect zero-day attacks
One of your coworkers has joined a CISSP study group and is discussing today's list of topics. One of the topics is this: What is an example of a passive attack? Dumpster diving; Social Engineering; Sniffing; Installing SubSeven
Sniffing
What does TACACS+ use as its communication protocol? UDP; TCP; ICMP; TCP and UDP
TCP
Which of the following protocols is recommended to be turned off because it transmits usernames and passwords in plaintext? Telnet; TFTP; SSH; HTTPS
Telnet
Your company is building a research facility in Bangalore and is concerned about technologies that can be used to pick up stray radiation from monitors and other devices. Specifically, your boss wants copper shielding installed. Which technology does your boss want to know more about? Tempest; Van Allen; Waveguard; Radon
Tempest
What is the best definition of identification? The act of claiming a specific identity; The act of inspecting or reviewing a user's actions; The act of verifying your identity; The act of finding or testing the truth
The act of claiming a specific identity
What is one of the major reasons why separation of duties should be practiced? reduced cross-training; legal; union policies and procedures; To force collusion
To force collusion
What does RADIUS use for its transport protocol? TCP; UDP; ICMP; TCP and UDP
UDP
Which of the following attributes does not apply to MAC? Universally applied; Multilevel; discretionary; Label-based
Universally applied
The image below provides an example of some types and categories of access control. Which of the following is the best example of a technical deterrent? Warning banner; AUP; Hot site; Anti-virus
Warning banner
Which of the following items is the least important to consider when designing an access control system? vulnerability; risk; annual loss expectancy; threat
annual loss expectancy
Your organization has become worried about recent attempts to gain unauthorized access to the R&D facility. Therefore, you are asked to implement a system that will require individuals to present a password and a PIN at the security gate before gaining access. What is this type of system called? two-factor authentication; authentication; authorization; three-factor authentication
authentication
Which of the following is the most time-intensive type of offline password attack to attempt? plain text; brute-force; man-in-the-middle; hybrid
brute-force
Christine, a newly certified CISSP, has offered to help her brother-in-law, Gary, at his small construction business. The business currently has 18 computers configured as a peer-to-peer network. All users are responsible for their own security and can set file and folder privileges as they see fit. Which access control model best describes the configuration at this organization? role-based; non-discretionary; mandatory; discretionary
discretionary
While hanging around the watercooler, you hear that your company, Big Tex Bank and Trust, is introducing a new policy. The company will require periodic job rotation and will force all employees to use their vacation time. From a security standpoint, why is this important? job rotation ensures that no one can easily commit fraud or other types of deception without risking exposure; forcing employees to use their vacation time ensures time away from work, which results in healthy, more productive employees; job rotation is important because employees need to be cross-trained in case of man-made or natural disasters; job rotation is important because it reduces employee burnout
job rotation ensures that no one can easily commit fraud or other types of deception without risking exposure
Which of the following is not one of the three types of access controls? administrative; technical; physical; personnel
personnel
What type of cryptography does SESAME use to distribute keys? secret key; None, it uses plaintext; public key; SHA hashing algorithm
public key
Your company has just opened a call center in India to handle nighttime operations, and you are asked to review the site's security controls. Specifically, you are asked which of the following is the strongest form of authentication. What will your answer be? something you know; something you are; passwords; tokens
something you are
Which of the following is not one of the three primary types of authentication? something you are; something you remember; something you have; something you know
something you remember