Domain 2 & 3

The document contains 15 multiple choice questions about access control concepts. The questions cover topics like types of access control (e.g. passwords, biometrics, single sign-on), access control models (e.g. mandatory access control, role-based access control), and centralized vs decentralized access control protocols (e.g. RADIUS, Diameter). The correct answers are also provided.

Uploaded by

Niraj Deval
Copyright
© Attribution Non-Commercial (BY-NC)

DOMAIN 2: ACCESS CONTROL

QUESTION 1 Brute-force attacks are used most often against which types of access control?

A. Biometrics and passwords
B. Passwords and cryptographic keys
C. Cognitive passwords and biometrics
D. Cryptographic keys and cognitive passwords

CORRECT ANSWER - B. Passwords and cryptographic keys

QUESTION 2 Passwords are one of many types of authentication mechanisms. Which is not true of a password?

A. Can be automatically created by a password generator
B. Relies heavily on the discipline of the user and the administrator
C. Is the most insecure of access controls
D. Is moderately used

CORRECT ANSWER - D. Is moderately used

QUESTION 3 A single sign-on technology that offers symmetric and asymmetric keys for encryption and uses privileged attribute certificates for authentication is called ___________.

A. Thin clients
B. SESAME
C. Kerberos
D. Cryptographic keys
E. Directory services

CORRECT ANSWER - B. SESAME

QUESTION 4 Which of the following biometric methods obtains the patterns and colors around a person's pupil?

A. Iris scan

B. Palm scan

C. Retina pattern

D. Fingerprint

CORRECT ANSWER - A. Iris scan

QUESTION 5 Security labels are used in what type of model?

A. Role-based access control model
B. Mandatory access control model
C. Discretionary access control model
D. Military access control model

CORRECT ANSWER - B. Mandatory access control model

QUESTION 6 Companies have different ways of coming up with passwords to be used for authentication. Which of the following best describes a password advisor?

A. A potential attack using a dictionary program
B. An automated system that creates long-stringed passwords for use, which are difficult to remember
C. A list of questions for the user to answer
D. A program that provides users with passwords that are easy to remember and difficult to crack

CORRECT ANSWER - D. A program that provides users with passwords that are easy to remember and difficult to crack

QUESTION 7 Which of the following centralized access control protocols would a security professional choose if his or her network consisted of multiple protocols and had users connecting via wireless and wired transmissions?

A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos

CORRECT ANSWER - C. Diameter

QUESTION 8 Passwords are one of the most sought-after items by attackers because of the level of access they can provide. Which of the following is the least effective when trying to protect against password attacks?

A. Ensure six characters are used
B. Do not allow passwords to be shown in cleartext
C. Use dictionary attack tools to identify weaknesses
D. Implement encryption and hashing algorithms

CORRECT ANSWER - A. Ensure six characters are used

QUESTION 9 There are security issues when a company allows users to have too many rights and permissions. Allowing a user the absolute minimum rights necessary when accessing a network is referred to as what?

A. Separation of duties
B. Least privilege
C. Full disclosure
D. Discretionary access control

YOUR ANSWER - B. Least privilege

QUESTION 10 Which of the following access control types is considered a "soft" measure at protecting an organization as a whole?

A. Preventive Administrative
B. Preventive Physical
C. Predictive
D. Corrective

YOUR ANSWER - A. Preventive Administrative

QUESTION 11 Which of the following best describes Extended TACACS (XTACACS)?

A. An Internet standard
B. Combines authentication and authorization
C. Separates authentication, authorization and auditing processes
D. Has three-factor user authentication

YOUR ANSWER - C. Separates authentication, authorization and auditing processes

QUESTION 12 Katie is an IT administrator who needs to set up an access control system that designates users' permission to control some files but keeps database and network resource permissions in the hands of the IT organization. What type of access control administration would she employ?

A. Hybrid
B. Decentralized
C. Centralized
D. Security labels

CORRECT ANSWER - A. Hybrid

QUESTION 13 Guard dogs and closed-circuit television would be examples of what type of access control?

A. Recovery
B. Corrective
C. Preventive Technical
D. Preventive -- Physical

CORRECT ANSWER - D. Preventive -- Physical

QUESTION 14 There are several different types of single sign-on technologies. Which is the simplest technology?

A. Kerberos
B. Scripting
C. SESAME
D. KDC

CORRECT ANSWER - B. Scripting

QUESTION 15 A dynamic password is another name for what authentication mechanism?

A. Cognitive password

B. Smart card

C. Passphrase

D. One-time password

CORRECT ANSWER - D. One-time password

1. Which technique monitors networks and computer systems for signs of intrusion or misuse? IDS
2. Which of the following allows attackers to imitate a different user or system? SPOOFING
3. Which access control technique allows security officers to specify access security policies based on an organization's structure? RBAC
4. Which example is not two-factor authentication? PALM GEOMETRY AND IRIS SCAN
5. Which of the following is a centralized access control methodology? RADIUS
6. When an attacker sends unsolicited communication, it is an example of: SPAMMING
7. Kerberos certificates are susceptible to what kind of attack? REPLAY
8. Which hierarchical access control model is enforced by the operating system and can be difficult to implement? MANDATORY ACCESS CONTROL (MAC)
9. What is a type of attack that involves trying all possible combinations to break a code or password? BRUTE FORCE ATTACK
10. What access control model says you can't read up and can't write down? BELL-LAPADULA
11. Which of the following allows attackers to break passwords? CRACKERS
12. Which of the following access control models is most commonly used by firewalls? Rule-Based Access Control (RBAC)
13. Centralized access control provides remote users with all of the following properties except: AVAILABILITY
14. Which attack has victims believe they are communicating directly with their intended host when in reality all their messages are being intercepted? MAN-IN-THE-MIDDLE
15. Which of the following is a knowledge-based authentication mechanism? PASSWORD
16. Which is an example of a decentralized access control methodology? NIS
17. Which of the following is a table that identifies user access rights for a particular system object? ACL
18. What are the three principles of identification and authentication? Something you know, something you are, something you have
19. What type of access control alerts you when an access is violated? DETECTIVE
20. A fence is what type of access control? PHYSICAL
21. What best describes a Trojan Horse? Malicious code disguised as or inserted into a legitimate program
22. What are three methods of performing centralized remote authentication access control? TACACS, RADIUS, and DIAMETER
23. Which access control technique is non-discretionary? MAC
24. Background checks are what type of control? ADMINISTRATIVE
25. Which remote access protocol sends the user ID and password in clear text? PAP
26. What type of access control avoids access violations? PREVENTIVE
27. Which access control model allows data owners to control access by modifying Access Control Lists which are enforced by the Operating System? Discretionary Access Control (DAC)
28. Which access control technique allows a resource owner to control other users' access to an object? DAC

1. Which of the following statements correctly describes biometric methods?
A. They are the least expensive and provide the most protection.
B. They are the most expensive and provide the least protection.
C. They are the least expensive and provide the least protection.
D. They are the most expensive and provide the most protection.

2. What is derived from a passphrase?
A. Personal password
B. Virtual password
C. User ID
D. Valid password

3. Which of the following statements correctly describes passwords?
A. They are the least expensive and most secure.
B. They are the most expensive and least secure.
C. They are the least expensive and least secure.
D. They are the most expensive and most secure.

4. What is the reason for enforcing the separation of duties?
A. No one person can complete all the steps of a critical activity.
B. It induces an atmosphere for collusion.
C. It increases dependence on individuals.
D. It makes critical tasks easier to accomplish.

5. Which of the following is not a logical access control?
A. Encryption
B. Network architecture
C. ID badge
D. Access control matrix

6. An access control model should be applied in a _______________ manner.
A. Detective
B. Recovery
C. Corrective
D. Preventive

7. Which access control policy is enforced when an environment uses a nondiscretionary model?
A. Rule-based
B. Role-based
C. Identity-based
D. Mandatory

8. How is a challenge/response protocol utilized with token device implementations?
A. This protocol is not used; cryptography is used.
B. An authentication service generates a challenge, and the smart token generates a response based on the challenge.
C. The token challenges the user for a username and password.
D. The token challenges the user's password against a database of stored credentials.

9. Which access control method is user-directed?
A. Nondiscretionary
B. Mandatory
C. Identity-based
D. Discretionary

10. Which provides the best authentication?
A. What a person knows
B. What a person is
C. What a person has
D. What a person has and knows

11. Which item is not part of a Kerberos authentication implementation?
A. Message authentication code
B. Ticket granting service
C. Authentication service
D. Users, programs, and services

12. Which model implements access control matrices to control how subjects interact with objects?
A. Mandatory
B. Centralized
C. Decentralized
D. Discretionary

13. What does authentication mean?
A. Registering a user
B. Identifying a user
C. Validating a user
D. Authorizing a user

14. If a company has a high turnover rate, which access control structure is best?
A. Role-based
B. Decentralized
C. Rule-based
D. Discretionary

15. A password is mainly used for what function?
A. Identity
B. Registration
C. Authentication
D. Authorization

16. The process of mutual authentication involves _______________.
A. A user authenticating to a system and the system authenticating to the user
B. A user authenticating to two systems at the same time
C. A user authenticating to a server and then to a process
D. A user authenticating, receiving a ticket, and then authenticating to a service

17. Reviewing audit logs is an example of which security function?
A. Preventive
B. Detective
C. Deterrence
D. Corrective

18. In discretionary access control security, who has delegation authority to grant access to data?
A. User
B. Security office
C. Security policy
D. Owner

19. Which could be considered a single point of failure within a single sign-on implementation?
A. Authentication server
B. User's workstation
C. Logon credentials
D. RADIUS

20. What role does biometrics play in access control?
A. Authorization
B. Authenticity
C. Authentication
D. Accountability

21. What determines if an organization is going to operate under a discretionary, mandatory, or nondiscretionary access control model?
A. Administrator
B. Security policy
C. Culture
D. Security levels

22. What type of attack attempts all possible solutions?
A. Dictionary
B. Brute force
C. Man-in-the-middle
D. Spoofing

23. Spoofing can be described as which of the following?
A. Eavesdropping on a communication link
B. Working through a list of words
C. Session hijacking
D. Pretending to be someone or something else

24. Which of the following is not an advantage of a centralized access control administration?
A. Flexibility
B. Standardization
C. A higher level of security
D. No need for different interpretations of a necessary security level

25. Which of the following best describes what role-based access control offers companies in reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot access resources.
B. It provides a centralized approach for access control, which frees up department managers.
C. User membership in roles can be easily revoked and new ones established as job assignments dictate.
D. It enforces enterprise-wide security policies, standards, and guidelines.

ANSWERS:

1-D 6-D 11-A 16-A 21-B

2-B 7-B 12-D 17-B 22-B

3-C 8-B 13-C 18-D 23-D

4-A 9-D 14-A 19-A 24-A

5-C 10-D 15-C 20-C 25-C

DOMAIN 3: SECURITY ARCHITECTURE DESIGN

1. Which model displays access control delegation using directed graph representations? TAKE GRANT
2. What do the rows of an Access Matrix represent? CAPABILITY LISTS
3. What mediates a subject's request for access to an object? REFERENCE MONITOR
4. The delay between access approval and actual access can create what type of security concern? TIME OF CHECK TO TIME OF USE
5. C is an example of which generation programming language? THIRD
6. Which type of memory is un-alterable and non-volatile? ROM
7. In which security model can subjects read less secure objects and write to more secure objects? Bell-LaPadula
8. The Orange Book defined what evaluation method? Trusted Computer System Evaluation Criteria
9. Which information flow model uses strong access controls to prevent conflicts of interest? Chinese Wall Model
10. Which is not a Certification and Accreditation process? MILCAP
11. Which technique is used to prevent conflicts over memory and execution cycles? PROCESS ISOLATION
12. What is an Access Matrix made up of? Subjects, objects, and rights
13. Which area of memory is not directly addressable and must be searched from the beginning? SEQUENTIAL MEMORY
14. Which of the following is an advantage of Open Systems? Enables wide-spread evaluation and assessment

1. What flaw creates buffer overflows?
A. Application executing in privileged mode
B. Inadequate memory segmentation
C. Inadequate protection ring use
D. Insufficient bounds checking

2. The operating system performs all except which of the following tasks?
A. Memory allocation
B. Input and output tasks
C. Resource allocation
D. User access to database views

3. If an operating system allows sequential use of an object without refreshing it, what security issue can arise?
A. Disclosure of residual data
B. Unauthorized access to privileged processes
C. Data leakage through covert channels
D. Compromise of the execution domain

4. What is the final step in authorizing a system for use in an environment?
A. Certification
B. Security evaluation and rating
C. Accreditation
D. Verification

5. What feature enables code to be executed without the usual security checks?
A. Temporal isolation
B. Maintenance hook
C. Race conditions
D. Process multiplexing

6. If a component fails, a system should be designed to do which of the following?
A. Change to a protected execution domain
B. Change to a problem state
C. Change to a more secure state
D. Release all data held in volatile memory

7. What security advantage does firmware have over software?
A. It is difficult to modify without physical access.
B. It requires a smaller memory segment.
C. It does not need to enforce the security policy.
D. It is easier to reprogram.

8. Which is the first level of the Orange Book that requires classification labeling of data?
A. B3
B. B2
C. B1
D. C2

9. Which of the following best describes the security kernel?
A. A software component that monitors activity and writes security events to an audit log
B. A software component that determines if a user is authorized to perform a requested operation
C. A software component that isolates processes and separates privileged and user modes
D. A software component that works in the center protection ring and provides interfaces between trusted and untrusted objects

10. The Information Technology Security Evaluation Criteria was developed for which of the following?
A. International use
B. U.S. use
C. European use
D. Global use

11. A security kernel contains which of the following?
A. Software, hardware, and firmware
B. Software, hardware, and system design
C. Security policy, protection mechanisms, and software
D. Security policy, protection mechanisms, and system design

12. What is the purpose of base and limit registers?
A. Countermeasure buffer overflows
B. Time sharing of system resources, mainly the CPU
C. Process isolation
D. TCB enforcement

13. A guard is commonly used with a classified system. What is the main purpose of implementing and using a guard?
A. To ensure that less trusted systems only receive acknowledgments and not messages
B. To ensure proper information flow
C. To ensure that less trusted and more trusted systems have open architectures and interoperability
D. To allow multilevel and dedicated mode systems to communicate

14. The trusted computing base (TCB) controls which of the following?
A. All trusted processes and software components
B. All trusted security policies and implementation mechanisms
C. All trusted software and design mechanisms
D. All trusted software and hardware components

15. What is the imaginary boundary that separates components that maintain security from components that are not security related?
A. Reference monitor
B. Security kernel
C. Security perimeter
D. Security policy

16. Which model deals only with confidentiality?
A. Bell-LaPadula
B. Clark-Wilson
C. Biba
D. Reference monitor

17. What is the best description of a security kernel from a security point of view?
A. Reference monitor
B. Resource manager
C. Memory mapper
D. Security perimeter

18. When is the security of a system most effective and economical?
A. When it is designed and implemented from the beginning of the development of the system
B. When it is designed and implemented as a secure and trusted front end
C. When it is customized to fight specific types of attacks
D. When the system is optimized before security is added

19. In secure computing systems, why is there a logical form of separation used between processes?
A. Processes are contained within their own security domains so each does not make unauthorized accesses to other processes or their resources.
B. Processes are contained within their own security perimeter so they can only access protection levels above them.
C. Processes are contained within their own security perimeter so they can only access protection levels equal to them.
D. The separation is hardware and not logical in nature.

20. What type of attack is taking place when a higher-level subject writes data to a storage area and a lower-level subject reads it?
A. TOC/TOU
B. Covert storage attack
C. Covert timing attack
D. Buffer overflow

21. What type of rating does the Common Criteria give to products?
A. PP
B. EPL
C. EAL
D. AD

22. Which best describes the *-integrity axiom?
A. No write up in the Biba model
B. No read down in the Biba model
C. No write down in the Bell-LaPadula model
D. No read up in the Bell-LaPadula model

23. Which best describes the simple security rule?
A. No write up in the Biba model
B. No read down in the Biba model
C. No write down in the Bell-LaPadula model
D. No read up in the Bell-LaPadula model

24. Which of the following was the first mathematical model of a multilevel security policy used to define the concepts of a security state and mode of access, and to outline rules of access?
A. Biba
B. Bell-LaPadula
C. Clark-Wilson
D. State machine

25. Which of the following is a true statement pertaining to memory addressing?
A. The CPU uses absolute addresses. Applications use logical addresses. Relative addresses are based on a known address and an offset value.
B. The CPU uses logical addresses. Applications use absolute addresses. Relative addresses are based on a known address and an offset value.
C. The CPU uses absolute addresses. Applications use relative addresses. Logical addresses are based on a known address and an offset value.
D. The CPU uses absolute addresses. Applications use logical addresses. Absolute addresses are based on a known address and an offset value.

1-D 6-C 11-A 16-A 21-C

2-D 7-A 12-C 17-A 22-A

3-A 8-C 13-B 18-A 23-D

4-C 9-B 14-D 19-A 24-B

5-B 10-C 15-C 20-B 25-A
