9781439809600-a.pdf
Appendix: Answers to Practice Questions
© 2010 by Taylor and Francis Group, LLC

Chapter 1: Access Control

1. A preliminary step in managing resources is
   a. Conducting a risk analysis
   b. Defining who can access a given system or information
   c. Performing a business impact analysis
   d. Obtaining top management support

Correct answer is b. The first step to enabling an effective access control strategy is to specifically define the resources that exist in the environment for users to access. The next step in managing access control is defining who can access a given resource. The final step in the access control process is to specify the level of use for a given resource and the permitted user actions on that resource. Page 9.

2. Which best describes access controls?
   a. Access controls are a collection of technical controls that permit access to authorized users, systems, and applications.
   b. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved.
   c. Access control is the employment of encryption solutions to protect authentication information during log-on.
   d. Access controls help protect against vulnerabilities by controlling unauthorized access to systems and information by employees, partners, and customers.

Correct answer is b. Access controls are the collection of mechanisms that work together to protect the assets of the enterprise. They help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved. Page 3.

3. ____ requires that a user or process be granted access to only those resources necessary to perform assigned functions.
   a. Discretionary access control
   b. Separation of duties
   c. Least privilege
   d. Rotation of duties

Correct answer is c. The principle of least privilege is one of the most fundamental characteristics of access control for meeting security objectives. Least privilege requires that a user or process be given no more access privilege than necessary to perform a job, task, or function. Page 15.

4. What are the seven main categories of access control?
   a. Detective, corrective, monitoring, logging, recovery, classification, and directive
   b. Directive, deterrent, preventative, detective, corrective, compensating, and recovery
   c. Authorization, identification, factor, corrective, privilege, detective, and directive
   d. Identification, authentication, authorization, detective, corrective, recovery, and directive

Correct answer is b. The seven main categories of access control are directive, deterrent, preventative, detective, corrective, compensating, and recovery. Page 29.

5. What are the three types of access control?
   a. Administrative, physical, and technical
   b. Identification, authentication, and authorization
   c. Mandatory, discretionary, and least privilege
   d. Access, management, and monitoring

Correct answer is a. For any of the access control categories, the controls in those categories can be implemented in one of three ways: administrative controls, technical (logical) controls, and physical controls. Page 34.

6. Which approach revolutionized the process of cracking passwords?
   a. Brute force
   b. Rainbow table attack
   c. Memory tabling
   d. One-time hashing

Correct answer is b. In 2003, Philippe Oechslin developed a faster method of organizing the hash chains. The new chain structure developed from this method is called a rainbow chain or a rainbow table. The rainbow table attack has revolutionized password cracking and is being rapidly adopted by tool creators. Page 139.

7. What best describes two-factor authentication?
   a. Something you know
   b. Something you have
   c. Something you are
   d. A combination of two of the above

Correct answer is d. There are three fundamental types of authentication: authentication by knowledge (something a person knows), authentication by possession (something a person has), and authentication by characteristic (something a person is). Technical controls related to these types are called "factors." Something you know can be a password or PIN, something you have can be a token fob or smart card, and something you are is usually some form of biometrics. Single-factor authentication is the employment of one of these factors, two-factor authentication is using two of the three factors, and three-factor authentication is the combination of all three factors. The general term for the use of more than one factor during authentication is multifactor authentication. Page 59.

8. A potential vulnerability of the Kerberos authentication server is
   a. Single point of failure
   b. Asymmetric key compromise
   c. Use of dynamic passwords
   d. Limited lifetimes for authentication credentials

Correct answer is a. There are some issues related to the use of Kerberos. For starters, the security of the whole system depends on careful implementation: enforcing limited lifetimes for authentication credentials minimizes the threat of replayed credentials, the KDC must be physically secured, and it should be hardened, not permitting any non-Kerberos activity. More importantly, the KDC can be a single point of failure, and therefore should be supported by backup and continuity plans. Page 111.

9. In mandatory access control the system controls access and the owner determines
   a. Validation
   b. Need to know
   c. Consensus
   d. Verification

Correct answer is b. MAC is based on cooperative interaction between the system and the information owner. The system's decision controls access and the owner provides the need-to-know control. Page 117.

10. Which is the least significant issue when considering biometrics?
   a. Resistance to counterfeiting
   b. Technology type
   c. User acceptance
   d. Reliability and accuracy

Correct answer is b. In addition to the access control elements of a biometric system, there are several other considerations that are important to the integrity of the control environment. These are resistance to counterfeiting, data storage requirements, user acceptance, reliability and accuracy, and target user and approach. Page 75.

11. Which is a fundamental disadvantage of biometrics?
   a. Revoking credentials
   b. Encryption
   c. Communications
   d. Placement

Correct answer is a. When considering the role of biometrics, its close interaction with people, and the privacy and sensitivity of the information collected, the inability to revoke the physical attribute of the credential becomes a major concern. The binding of the authentication process to the physical characteristics of the user can complicate the revocation or decommissioning processes. Page 77.

12. Role-based access control
   a. Is unique to mandatory access control
   b. Is independent of owner input
   c. Is based on user job functions
   d. Can be compromised by inheritance

Correct answer is c. A role-based access control (RBAC) model bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. The determination of which roles have access to a resource can be governed by the owner of the data, as with DAC, or applied based on policy, as with MAC. Page 120.

13. Identity management is
   a. Another name for access controls
   b. A set of technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment
   c. A set of technologies and processes focused on the provisioning and decommissioning of user credentials
   d. A set of technologies and processes used to establish trust relationships with disparate systems

Correct answer is b. Identity management is a much-used term that refers to a set of technologies intended to offer greater efficiency in the management of a diverse user and technical environment. Page 92.

14. A disadvantage of single sign-on is
   a. Consistent time-out enforcement across platforms
   b. A compromised password exposes all authorized resources
   c. Use of multiple passwords to remember
   d. Password change control

Correct answer is b. One of the more prevalent concerns with centralized SSO systems is the fact that all of a user's credentials are protected by a single password: the SSO password. If someone were to crack that user's SSO password, they would effectively have all the keys to that user's kingdom. Page 107.

15. Which of the following is incorrect when considering privilege management?
   a. Privileges associated with each system, service, or application, and the defined roles within the organization to which they are needed, should be identified and clearly documented.
   b. Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group, or role.
   c. An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated.
   d. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.

Correct answer is d. An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated. If any significant or special privileges are needed for intermittent job functions, these should be performed using an account specifically allocated for such a task, as opposed to those used for normal system and user activity. This enables the access privileges assigned to the special account to be tailored to the needs of the special function rather than simply extending the access privileges associated with the user's normal work functions. Page 46.

Chapter 2: Application Security

1. The key objective of application security is to ensure
   a. That the software is hacker proof
   b. The confidentiality, integrity, and availability of data
   c. Accountability of software and user activity
   d. Prevention of data theft

Correct answer is b. The objective of application security is to make sure that the system and its resources are available when needed, that the integrity of the processing of the data and of the data itself is ensured, and that the confidentiality of the data is protected. All of these purposes rely upon secure, consistent, reliable, and properly operating software. Ensuring confidentiality, integrity, and availability will mitigate the chances and impact of a hacking incident or data theft, but it must be recognized that totally hacker-proof software is utopian. Auditing (logging) functionality in software can help with detecting software and user activity, but this is not the key objective of application security. Software security controls can reduce the likelihood of data theft, but they are not necessarily preventative. Page 164.

2. For an application security program to be effective within your organization, it is critical to
   a. Identify regulatory and compliance requirements.
   b. Educate the software development organization on the impact of insecure programming.
   c. Develop a security policy that can be enforced.
   d. Properly test all the software that is developed by your organization for security vulnerabilities.

Correct answer is c. The underlying foundation of software security controls is the organization's security policy. The security policy reflects the security requirements of the organization. The identification of regulatory and compliance requirements such as Sarbanes-Oxley (SOX) and the Payment Card Industry Data Security Standard (PCI DSS) is essential and must be factored into the security policy. Without a clear understanding of what the security requirements are, as defined in the security policy, educating software development teams may still be inadequate. Testing for security vulnerabilities can provide some degree of software assurance, but with newer kinds of attacks against software being discovered, security testing does not directly indicate the effectiveness of an application security program. Page 165.

3. The fact that there is no inherent difference between the representation of data and of programs in computer memory can lead to injection attacks, characterized by executing data as instructions. This is a fundamental aspect of which of the following computer architectures?
   a. Von Neumann
   b. Linus's law
   c. Clark and Wilson
   d. Bell-LaPadula

Correct answer is a. A fundamental aspect of the von Neumann architecture, on which most computers today are based, is that there is no inherent difference between the representations of data and of programs (instructions) in memory. Therefore, we cannot tell whether the pattern 4Eh (01001110) is the letter N or a decrement operation code (commonly known as an opcode). Similarly, the pattern 72h (01110010) may be the letter r or the first byte of the "jump if below" opcode. Therefore, without proper input validation, an attacker can provide input data that may actually be an instruction for the system to do something unintended. Linus's law is based on the premise that with more people reviewing the source code (as in the case of open source), more security bugs can be detected and hence security improves. The Clark and Wilson model is an integrity model from which entity and referential integrity (RDBMS integrity) rules are derived. Bell-LaPadula is a confidentiality model. Page 168.

4. An important characteristic of bytecode is that it
   a. Has inherently increased security due to sandboxing
   b. Manages memory operations automatically
   c. Is more difficult to reverse engineer
   d. Is faster than interpreted languages

Correct answer is d. A programming language like Java compiles source code into a sort of pseudo-object code called bytecode. The bytecode is then processed by the interpreter (called the Java Virtual Machine, or JVM) for the CPU to run. Because the bytecode is already fairly close to object code, the interpretation process is much faster than for other interpreted languages. And because bytecode is still undergoing interpretation, a given Java program will run on any machine that has a JVM. Memory management and sandboxing are important security aspects that apply to the programming language Java, but not to bytecode itself. Whether a pseudo-object (bytecode) representation can be easily reverse engineered is debatable and inconclusive; because bytecode is closer to the source than a native executable is, reversing it to source code is in fact considered less difficult than reversing object or executable code. Page 171.

5. Two cooperating processes that simultaneously compete for a shared resource, in such a way that they violate the system's security policy, is commonly known as a
   a. Covert channel
   b. Denial of service
   c. Overt channel
   d. Object reuse

Correct answer is a. A covert channel or confinement problem is an information flow issue. It is a communication channel al
