Access Control Part 1

Your quiz results:

1. Question: 216 | Difficulty: 4/5 | Relevancy: 3/3

There are parallels between the trust models in Kerberos and in PKI. When we compare them side by side, Kerberos tickets correspond most closely to which of the following?

A. public keys
B. private keys
C. public-key certificates
D. private-key certificates

Answer: C. A Kerberos ticket is issued by a trusted third party; it is an encrypted data structure that includes the service encryption key. In that sense it is similar to a public-key certificate. However, the ticket is not a key. And there is no such thing as a private-key certificate.

Study areas: CISSP CBK domain #1 - Access Control, CISSP CBK domain #5 - Cryptography
Covered topics (2): Kerberos, X.509 Digital certificates
This question Copyright 2003-2009 cccure.org.

2. Question: 423 | Difficulty: 1/5 | Relevancy: 3/3

What is called a password that is the same for each log-on session?

A. one-time password
B. two-time password
C. static password
D. dynamic password

Answer: C. A password that is the same for each log-on is called a static password.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Contributor: Rakesh Sud
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Passwords
This question Copyright 2003-2009 Rakesh Sud, cccure.org.

3. Question: 88 | Difficulty: 1/5 | Relevancy: 3/3

A timely review of system access audit records would be an example of which of the basic security functions?

A. avoidance
B. deterrence
C. prevention
D. detection

Answer: D. The correct answer is: detection. By reviewing system logs you can detect events that have occurred.

The following answers are incorrect:
avoidance. This is incorrect; avoidance is a distractor. By reviewing system logs you have not avoided anything.
deterrence. This is incorrect because system logs are a history of past events. You cannot deter something that has already occurred.
prevention. This is incorrect because system logs are a history of past events. You cannot prevent something that has already occurred.

Last modified 6/08/2007 - J. Hajec
Comment: A timely review of the audit logs would provide early detection of possible and intentional abuses but does nothing to prevent occurrence of abuses, if any. An early detection would lead to prevention of much more serious abuses later on. Auditing can be seen as a detection exercise more than a preventive exercise.

References: OIG CBK Glossary (page 791)
Contributor: Kamren Lee
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Account, log and journal monitoring
This question Copyright 2003-2009 cccure.org.

4. Question: 1241 | Difficulty: 2/5 | Relevancy: 3/3

Identification and authentication are the keystones of most access control systems. Identification establishes:

A. user accountability for the actions on the system.
B. top management accountability for the actions on the system.
C. EDP department accountability for the actions of users on the system.
D. authentication for actions on the system.

Answer: A. Identification and authentication are the keystones of most access control systems. Identification establishes user accountability for the actions on the system.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Contributors: Rakesh Sud, Sasa Vidanovic
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Access control objectives
This question Copyright 2003-2009 Rakesh Sud, cccure.org.

5. Question: 438 | Difficulty: 2/5 | Relevancy: 3/3

Which of the following biometric characteristics cannot be used to uniquely authenticate an individual's identity?

A. Retina scans
B. Iris scans
C. Palm scans
D. Skin scans

Answer: D. The following are typical biometric characteristics that are used to uniquely authenticate an individual's identity:
- Fingerprints
- Retina scans
- Iris scans
- Facial scans
- Palm scans
- Hand geometry
- Voice
- Handwritten signature dynamics

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 39.
And: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, chapter 4: Access Control (pages 127-131).
Contributors: Rakesh Sud, Christian Vezina, don murdoch
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Biometrics
This question Copyright 2003-2009 Rakesh Sud, cccure.org.

6. Question: 408 | Difficulty: 1/5 | Relevancy: 3/3

What is called the access protection system that limits connections by calling back the number of a previously authorized location?

A. Sendback systems
B. Callback forward systems
C. Callback systems
D. Sendback forward systems

Answer: C. Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.
Contributors: Rakesh Sud, Christian Vezina
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Callback systems
This question Copyright 2003-2009 Rakesh Sud, cccure.org.

7. Question: 1227 | Difficulty: 3/5 | Relevancy: 3/3

Three key things that must be considered for the planning and implementation of access control mechanisms do NOT include:

A. threats to the system
B. the system's vulnerability to threats to the system
C. the system's vulnerability to viruses
D. the risk that the threat may materialize

Answer: C. Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system's vulnerability to these threats, and the risk that the threat may materialize.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 32.
Contributors: Rakesh Sud, Sasa Vidanovic
Study areas: CISSP CBK domain #3 - Information Security and Risk Management, CISSP CBK domain #1 - Access Control
Covered topics (2): Threats and vulnerabilities, Access control methodologies and implementation
This question Copyright 2003-2009 Rakesh Sud, cccure.org.

8. Question: 380 | Difficulty: 3/5 | Relevancy: 3/3

The following is not a characteristic we need to consider with respect to a biometric identification system:

A. data acquisition process
B. counterfeit information
C. enrolment process
D. speed and user interface

Answer: B. Today, implementation of fast, accurate, reliable and user-acceptable biometric identification systems is already under way.

From: TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th Edition, Volume 1, Pages 5-6.
Contributor: Rakesh Sud
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Biometrics
This question Copyright 2003-2009 Rakesh Sud, cccure.org.

9. Question: 748 | Difficulty: 2/5 | Relevancy: 3/3

Which of the following statements pertaining to access control is false?

A. Users should only access data on a need-to-know basis.
B. If access is not explicitly denied, it should be implicitly allowed.
C. Access rights should be granted based on the level of trust a company has in a subject.
D. Roles can be an efficient way to assign rights to a type of user who performs certain tasks.

Answer: B. Access control mechanisms should default to no access to provide the necessary level of security and ensure that no security holes go unnoticed. If access is not explicitly allowed, it should be implicitly denied.

Source: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2002, Chapter 4: Access Control (page 143).
Contributor: Christian Vezina
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Access control techniques
This question Copyright 2003-2009 Christian Vezina, cccure.org.

10. Question: 1110 | Difficulty: 5/5 | Relevancy: 3/3

Which biometric system typically uses the smallest file size for user data?

A. Fingerprint
B. Hand geometry
C. Retina pattern
D. Voice pattern

Answer: B. The hand geometry pattern can be stored in only 9 bytes. The retina pattern uses 96 bytes, whereas the fingerprint uses between 0.5 and 1.5 kb and the voice pattern typically uses between 1 and 10 kb.

Source: FERREL, Robert G, Questions and Answers for the CISSP Exam, domain 1 (derived from the Information Security Management Handbook, 4th Ed., by Tipton & Krause). Available at http://www.cccure.org.
Contributor: Christian Vezina
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Biometrics
This question Copyright 2003-2009 Christian Vezina, cccure.org.

11. Question: 1245 | Difficulty: 2/5 | Relevancy: 3/3

An alternative to using passwords for authentication in logical or technical access control is:

A. manage without passwords
B. biometrics
C. not there
D. use of them for physical access control

Answer: B. An alternative to using passwords for authentication in logical or technical access control is biometrics. Biometrics are based on the Type 3 authentication mechanism: something you are.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 37.
Contributors: Rakesh Sud, Sasa Vidanovic
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Biometrics
This question Copyright 2003-2009 Rakesh Sud, cccure.org.

12. Question: 1239 | Difficulty: 2/5 | Relevancy: 3/3

Using clipping levels refers to:

A. setting allowable thresholds on a reported activity
B. limiting access to top management staff
C. setting personnel authority limits based on need-to-know basis
D. encryption of data so that it cannot be stolen

Answer: A. Using clipping levels refers to setting allowable thresholds on a reported activity. For example, a clipping level of three can be set for reporting failed log-on attempts at a workstation. Thus, three or fewer log-on attempts by an individual at a workstation will not be reported as a violation, thus eliminating the need for reviewing normal log-on entry errors.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Contributors: Rakesh Sud, Sasa Vidanovic
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Clipping level
This question Copyright 2003-2009 Rakesh Sud, cccure.org.

13. Question: 418 | Difficulty: 2/5 | Relevancy: 3/3

What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?

A. Authentication
B. Identification
C. Integrity
D. Confidentiality

Answer: B. Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system.

Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Contributors: Rakesh Sud, Christian Vezina
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Identification and authentication techniques
This question Copyright 2003-2009 Rakesh Sud, cccure.org.

14. Question: 7 | Difficulty: 2/5 | Relevancy: 3/3

Which of the following is true in a system with Mandatory Access Control?

A. The system determines which users or groups may access a file.
B. A user can set up an access list for the file(s), and the system checks both users and groups against this list before granting access.
C. A user can specify which groups of users can access their files, but the system determines group membership.
D. No control is being enforced on this model.

Answer: A. The correct answer is: The system determines which users or groups may access a file. Access in a MAC environment is controlled by the system based upon the sensitivity levels of the subjects and objects.

The following answers are incorrect:
A user can set up an access list for the file(s), and the system checks both users and groups against this list before granting access. With MAC it is the data owner and the system administrator, and not the user, who can specify which groups of users can access their files.
A user can specify which groups of users can access their files, but the system determines group membership. A user cannot set up an access list for the file(s), and the system checks both users and groups against this list before granting access.
No control is being enforced on this model. "No control is being enforced on this model" is a false answer because using MAC, the system enforces the security based upon the sensitivity levels of the subjects and objects.

Last modified 6/06/2007 - J. Hajec
QA checked by M. Zagorski
Comment: Mandatory Access Control (MAC) is a policy-based control. All objects and systems have a sensitivity level assigned to them. A particular subject can only access a given object if the object's sensitivity level allows for it and the subject has the proper need-to-know. The sensitivity levels are determined by the data owner and the system administrator. Then, based on the sensitivity level of both the subjects and objects, the system determines what subject has access to particular objects.

References: OIG CBK Access Control (pages 186 - 188); AIOv3 Access Control (pages 162 - 163)
Study area: CISSP CBK domain #1 - Access Control
Covered topic: Mandatory access control
This question Copyright 2003-2009 cccure.org.

15. Question: 1261 | Difficulty: 4/5 | Relevancy: 3/3

Which of the following is not a valid certification rule, ensuring integrity monitoring in the Clark-Wilson access control model?

A. Constrained data items are consistent.
B. Transformational procedures operate only on unconstrained data items.
C. Duties are separated.
D. Accesses are logged.

Answer: B. In the Clark-Wilson model, data that transformational procedures modify are called constrained data items (not unconstrained data items) because they are constrained in the sense that only transformational procedures may modify them and that integrity verification procedures exercise constraints on them to ensure that they have certain properties, of which consistency and conformance to the real world are two of the most significant. Unconstrained data items are all other data, chiefly the keyed input to transformational procedures.

Source: DUPUIS, Clément, Access Control Systems and Methodology CISSP Open Study Guide, version 1.0, March 2002 (page 40). Available at http://www.cccure.org.
Contributor: Christian Vezi