Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
98 Cards in this Set
- Front
- Back
|
Which of the following implements the authorized access relationship between subjects and
objects of a system? A. Security model B. Reference kernel C. Security kernel D. Information flow model |
C. Security kernel
|
|
|
Which of the following is a means of restricting access to objects based on the identity of the
subject to which they belong? A. Mandatory access control B. Group access control C. Discretionary access control D. User access control |
C. Discretionary access control
|
|
|
What is the method of coordinating access to resources based on the listening of permitted IP
addresses? A. MAC B. ACL C. DAC D. None of the choices. |
B. ACL
|
|
|
Which of the following is true about MAC?
A. It is more flexible than DAC. B. It is more secure than DAC. C. It is less secure than DAC. D. It is more scalable than DAC. |
B. It is more secure than DAC.
|
|
|
A system using Discretionary Access Control (DAC) is vulnerable to which one of the following
attacks? A. Trojan horse B. Phreaking C. Spoofing D. SYN flood |
C. Spoofing
|
|
|
What defines an imposed access control level?
A. MAC B. DAC C. SAC D. CAC |
A. MAC
|
|
|
DAC are characterized by many organizations as:
A. Need-to-know controls B. Preventive controls C. Mandatory adjustable controls D. None of the choices |
A. Need-to-know controls
|
|
|
Which of the following correctly describe DAC?
A. It is the most secure method. B. It is of the B2 class. C. It can extend beyond limiting which subjects can gain what type of access to which objects. D. It is of the B1 class. |
C. It can extend beyond limiting which subjects can gain what type of access to which objects.
|
|
|
Under DAC, a subjects rights must be ________ when it leaves an organization altogether.
A. recycled B. terminated C. suspended D. resumed |
B. terminated
|
|
|
DAC and MAC policies can be effectively replaced by:
A. Rule based access control. B. Role based access control. C. Server based access control. D. Token based access control |
B. Role based access control.
|
|
|
What access control methodology facilitates frequent changes to data permissions?
A. Rule-based B. List-based C. Role-based D. Ticket-based |
A. Rule-based
|
|
|
What security model implies a central authority that determines what subjects can have access to what objects?
A. Centralized access control B. Discretionary access control C. Mandatory access control D. Non-discretionary access control |
D. Non-discretionary access control
|
|
|
Enforcing minimum privileges for general system users can be easily achieved through the use of:
A. TSTEC B. RBAC C. TBAC D. IPSEC |
B. RBAC
|
|
|
With RBAC, each user can be assigned:
A. One or more roles. B. Only one role. C. A token role. D. A security token. |
A. One or more roles.
|
|
|
With RBAC, roles are:
A. Based on labels. B. All equal C. Hierarchical D. Based on flows. |
C. Hierarchical
|
|
|
Role based access control is attracting increasing attention particularly for what applications?
A. Scientific B. Commercial C. Security D. Technical |
B. Commercial
|
|
|
What is one advantage of deploying Role based access control in large networked applications?
A. Higher security B. Higher bandwidth C. User friendliness D. Lower cost |
D. Lower cost
|
|
|
Which of the following risk will most likely affect confidentiality, integrity and availability?
A. Physical damage B. Unauthorized disclosure of information C. Loss of control over system D. Physical theft |
D. Physical theft
|
|
|
Which of the following best provides e-mail message authenticity and confidentiality?
A. Signing the message using the sender’s public key and encrypting the message using the receiver’s private key B. Signing the message using the sender’s private key and encrypting the message using the receiver’s public key C. Signing the message using the receiver’s private key and encrypting the message using the sender’s public key D. Signing the message using the receiver’s public key and encrypting the message with the sender’s private key |
B. Signing the message using the sender’s private key and encrypting the message using the
receiver’s public key |
|
|
One-way hash provides:
A. Confidentiality B. Availability C. Integrity D. Authentication |
C. Integrity
|
|
|
PGP provides which of the following?(Choose three)
A. Confidentiality B. Accountability C. Accessibility D. Integrity E. Interest F. Non-repudiation G. Authenticity |
A. Confidentiality
D. Integrity G. Authenticity |
|
|
Which of the following services is not provided by the digital signature standard (DSS)?
A. Encryption B. Integrity C. Digital signature D. Authentication |
A. Encryption
|
|
|
Making sure that the data is accessible when and where it is needed is which of the following?
A. Confidentiality B. Integrity C. Acceptability D. Availability |
D. Availability
|
|
|
The guarantee that the message sent is the message received, and that the message was not
intentionally or unintentionally altered is? A. Integrity B. Confidentiality C. Availability D. Identity |
A. Integrity
|
|
|
Who of the following is responsible for ensuring that proper controls are in place to address
integrity, confidentiality, and availability of IT systems and data? A. Business and functional managers. B. IT Security practitioners. C. System and information owners. D. Chief information officer. |
C. System and information owners.
|
|
|
What are the elements of the CIA triad?(Choose three)
A. Confidentiality B. Accountability C. Accessibility D. Integrity E. Interest F. Control G. Availability |
A. Confidentiality
D. Integrity G. Availability |
|
|
The Clark-Wilson model focuses on data's:
A. Availability. B. Confidentiality. C. Format. D. Integrity. |
D. Integrity.
|
|
|
The theft of a laptop poses a threat to which tenet of the C.I.A. triad?
A. All of the above B. Availability C. Integrity D. Confidentiality |
A. All of the above
|
|
|
What security model implies a central authority that determines what subjects can have access to what objects?
A. Centralized access control B. Discretionary access control C. Mandatory access control D. Non-discretionary access control |
D. Non-discretionary access control
|
|
|
Which of the following centralized access control mechanisms is not appropriate for mobile workers access the corporate network over analog lines?
A. TACACS B. Call-back C. CHAP D. RADIUS |
B. Call-back
|
|
|
Which of the following are proprietarily implemented by CISCO?
A. RADIUS+ B. TACACS C. XTACACS and TACACS+ D. RADIUS |
C. XTACACS and TACACS+
|
|
|
What is a protocol used for carrying authentication, authorization, and configuration information
between a Network Access Server and a shared Authentication Server? A. IPSec B. RADIUS C. L2TP D. PPTP |
B. RADIUS
|
|
|
RADIUS is defined by which RFC?
A. 2168 B. 2148 C. 2138 D. 2158 |
C. 2138
|
|
|
In a RADIUS architecture, which of the following acts as a client?
A. A network Access Server. B. None of the choices. C. The end user. D. The authentication server. |
A. A network Access Server.
|
|
|
In a RADIUS architecture, which of the following can act as a proxy client?
A. The end user. B. A Network Access Server. C. The RADIUS authentication server. D. None of the choices. |
C. The RADIUS authentication server.
|
|
|
Which of the following statements pertaining to RADIUS is incorrect?
A. A RADIUS server can act as a proxy server, forwarding client requests to other authentication domains. B. Most of RADIUS clients have a capability to query secondary RADIUS servers for redundancy C. Most RADIUS servers have built-in database connectivity for billing and reporting purposes D. Most RADIUS servers can work with DIAMETER servers. |
D. Most RADIUS servers can work with DIAMETER servers.
|
|
|
What protocol was UDP based and mainly intended to provide validation of dial up user login passwords?
A. PPTP B. L2TP C. IPSec D. TACACS |
D. TACACS
|
|
|
Which one of the following statements is TRUE concerning the Terminal Access Controller Access Control System (TACACS) and TACACS+?
A. TACACS supports prompting for a password change. B. TACACS+ employs a user ID and static password. C. TACACS+ employs tokens for two-factor, dynamic password authentication. D. TACACS employs tokens for two-factor, dynamic password authentication. |
C. TACACS+ employs tokens for two-factor, dynamic password
authentication. |
|
|
What is NOT a feature of TACACS+?
A. Replaces older Frame Relay-switched networks B. Enables a user to change passwords C. Enables two-factor authentication D. Resynchronizes security tokens |
A. Replaces older Frame Relay-switched networks
|
|
|
Which of the following centralized access control mechanisms is not appropriate for mobile workers access the corporate network over analog lines?
A. TACACS B. Call-back C. CHAP D. RADIUS |
B. Call-back
|
|
|
What are edit controls?
A. Preventive controls B. Detective controls C. Corrective controls D. Compensating controls |
A. Preventive controls
|
|
|
Which of the following control pairing include organizational policies and procedures, preemployment
background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks in? A. Preventive/Administrative Pairing B. Preventive/Technical Pairing C. Preventive/Physical Pairing D. Detective/Administrative Pairing |
A. Preventive/Administrative Pairing
|
|
|
An audit trail is a category of what control?
A. System, Manual B. Detective, Technical C. User, Technical D. Detective, Manual |
B. Detective, Technical
|
|
|
An IDS is a category of what control?
A. Detective, Manual B. Detective, Technical C. User, Technical D. System, Manual |
B. Detective, Technical
|
|
|
Technical controls such as encryption and access control can be built into the operating system,
be software applications, or can be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing? A. Preventive/Administrative Pairing B. Preventive/Technical Pairing C. Preventive/Physical Pairing D. Detective/Technical Pairing |
B. Preventive/Technical Pairing
|
|
|
A business continuity plan is an example of which of the following?
A. Corrective Control B. Detective Control C. Preventive Control D. Compensating Control |
A. Corrective Control
|
|
|
________ Technical Controls warn of technical Access Control violations.
A. Elusive B. Descriptive C. Corrective D. Detective |
D. Detective
|
|
|
___________________ are the technical ways of restricting who or what can access system
resources. A. Preventive Manual Controls B. Detective Technical Controls C. Preventive Circuit Controls D. Preventive Technical Controls |
D. Preventive Technical Controls
|
|
|
Which of the following is not a form of detective administrative control?
A. Rotation of duties B. Required vacations C. Separation of duties D. Security reviews and audits |
C. Separation of duties
|
|
|
Which of the following is NOT a type of access control?
A. Intrusive B. Deterrent C. Detective D. Preventive |
A. Intrusive
|
|
|
As a type of access control, which of the following asks for avoiding occurrence?
A. Preventive B. Deterrent C. Intrusive D. Detective |
A. Preventive
|
|
|
As a type of access control, which of the following asks for identifying occurrences?
A. Deterrent B. Preventive C. Detective D. Intrusive |
C. Detective
|
|
|
As a type of access control, which of the following asks for discouraging occurrence?
A. Detective B. Intrusive C. Deterrent D. Preventive |
C. Deterrent
|
|
|
The recording of events with a closed-circuit TV camera is considered a:
A. Preventative control B. Detective control C. Compensating control D. Corrective Control |
B. Detective control
|
|
|
Which type of control would password management classify as?
A. Compensating control B. Detective control C. Preventive control D. Technical control |
C. Preventive control
|
|
|
Which of the following would NOT be an example of compensating controls
being implemented? A. Modifying the timing of a system resource in some measurable way to covertly transmit information B. Sensitive information requiring two authorized signatures to release C. Asafety deposit box needing two keys to open D. Signing in or out of a traffic log and using a magnetic card to access to an operations center |
A. Modifying the timing of a system resource in some measurable way to covertly transmit
information |
|
|
Which is NOT an element of two-factor authentication?
A. Something you are B. Something you have C. Something you know D. Something you ate |
D. Something you ate
|
|
|
Memory only cards work based on:
A. Something you have. B. Something you know. C. None of the choices. D. Something you know and something you have. |
D. Something you know and something you have.
|
|
|
Authentication is typically based upon:
A. Something you have. B. Something you know. C. Something you are. D. All of the choices. |
D. All of the choices.
|
|
|
A password represents:
A. Something you have. B. Something you know. C. All of the choices. D. Something you are. |
B. Something you know.
|
|
|
A smart card represents:
A. Something you are. B. Something you know. C. Something you have. D. All of the choices. |
C. Something you have.
|
|
|
Which of the following is the most commonly used check on something you know?
|
A. One time password
B. Login phrase C. Retinal D. Password |
|
|
Retinal scans check for:
A. Something you are. B. Something you have. C. Something you know. D. All of the choices. |
A. Something you are.
|
|
|
Which of the following is the weakest authentication mechanism?
A. Passphrases B. Passwords C. One-time passwords D. Token devices |
B. Passwords
|
|
|
When two different keys encrypt a plaintext message into the same
ciphertext, this situation is known as: A. Cryptanalysis. B. Public key cryptography. C. Hashing. D. Key clustering. |
D. Key clustering.
|
|
|
The hashing algorithm in the Digital Signature Standard (DSS) generates
a message digest of: A. 130 bit B. 56 bits C. 120 bits D. 160 bits |
D. 160 bits
|
|
|
What are MD4 and MD5?
A. Symmetric encryption algorithms B. Digital certificates C. Hashing algorithms D. Asymmetric encryption algorithms |
C. Hashing algorithms
|
|
|
Which of the following algorithms does *NOT* provide hashing?
A. SHA-1 B. MD2 C. RC4 D. MD5 |
C. RC4
|
|
|
Which of the following does not apply to system-generated passwords?
A. Passwords are harder to remember for users B. If the password-generating algorithm gets to be known, the entire system is in jeopardy C. Passwords are more vulnerable to brute force and dictionary attacks. D. Passwords are harder to guess for attackers |
C. Passwords are more vulnerable to brute force and dictionary attacks.
|
|
|
_______ are added to Linux passwords to increase their randomness.
A. Salts B. Pepper C. Grains D. MD5 hashes E. Asymmetric algorithms |
A. Salts
|
|
|
The beginning and the end of each transfer during asynchronous communication data transfer are marked by?
A. Start and Stop bits. B. Start and End bits. C. Begin and Stop bits. D. Start and Finish bits. |
A. Start and Stop bits.
|
|
|
A token that generates a unique password at fixed time intervals is called:
A. A synchronous dynamic password token. B. A challenge-response token. C. A time-sensitive token. D. An asynchronous dynamic password token. |
A. A synchronous dynamic password token.
|
|
|
The data transmission method in which data is sent continuously and
doesn't use either an internal clocking source or start/stop bits for timing is known as: A. Asynchronous B. Pleisiochronous C. Synchronous D. Isochronous |
D. Isochronous
|
|
|
The technique of skimming small amounts of money from multiple transactions is called the
A. Scavenger technique B. Salami technique C. Synchronous attack technique D. Leakage technique |
B. Salami technique
|
|
|
What are the valid types of one time password generator?
A. All of the choices. B. Transaction synchronous C. Synchronous/PIN synchronous D. Asynchronous/PIN asynchronous |
A. All of the choices.
|
|
|
What is the most critical characteristic of a biometric identifying system?
A. Perceived intrusiveness B. Storage requirements C. Accuracy D. Reliability |
C. Accuracy
|
|
|
In the following choices there is one that is a typical biometric characteristics that is not used to
uniquely authenticate an individual’s identity? A. Retina scans B. Iris scans C. Palm scans D. Skin scans |
D. Skin scans
|
|
|
In biometrics, a one-to-one search to verify an individual's claim of an
identity is called: A. Audit trail review. B. Accountability. C. Authentication. D. Aggregation. |
C. Authentication.
|
|
|
An acceptable biometric throughput rate is:
A. One subject per two minutes. B. Five subjects per minute. C. Ten subjects per minute. D. Two subjects per minute. |
C. Ten subjects per minute.
|
|
|
In addition to accuracy, a biometric system has additional factors that
determine its effectiveness. Which one of the following listed items is NOT one of these additional factors? A. Corpus B. Throughput rate C. Enrollment time D. Acceptability |
A. Corpus
|
|
|
In biometrics, a good measure of performance of a system is the:
A. False detection. B. Positive acceptance rate. C. Sensitivity. D. Crossover Error Rate (CER). |
D. Crossover Error Rate (CER).
|
|
|
In a biometric system, the time it takes to register with the system by providing
samples of a biometric characteristic is called: A. Set-up time. B. Enrollment time. C. Log-in time. D. Throughput time. |
B. Enrollment time.
|
|
|
A type of preventive/physical access control is:
A. Biometrics for identification B. An intrusion detection system C. Biometrics for authentication D. Motion detectors |
A. Biometrics for identification
|
|
|
The main approach to obtaining the true biometric information from a
collected sample of an individual's physiological or behavioral characteristics is: A. False rejection B. Enrollment C. Digraphs D. Feature extraction |
D. Feature extraction
|
|
|
Biometrics is used for identification in the physical controls and for
authentication in the: A. Detective controls. B. Corrective controls. C. Logical controls. D. Preventive controls. |
C. Logical controls.
|
|
|
What is called the percentage of invalid subjects that are falsely accepted?
A. False Rejection Rate (FRR) or Type I Error B. False Acceptance Rate (FAR) or Type II Error C. Crossover Error Rate (CER) D. True Acceptance Rate (TAR) or Type III error |
B. False Acceptance Rate (FAR) or Type II Error
|
|
|
Biometric performance is most commonly measured in terms of:
A. FRR and FAR B. FAC and ERR C. IER and FAR D. FRR and GIC |
A. FRR and FAR
|
|
|
You are comparing biometric systems. Security is the top priority. A low ________ is most important in this regard.
A. FAR B. FRR C. MTBF D. ERR |
A. FAR
|
|
|
Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. To have a valid measure of the system performance:
A. The CER is used. B. the FRR is used C. the FAR is used D. none of the above choices is correct |
A. The CER is used.
|
|
|
The quality of finger prints is crucial to maintain the necessary:
A. FRR B. ERR and FAR C. FAR D. FRR and FAR |
D. FRR and FAR
|
|
|
Which of the following methods is more microscopic and will analyze the direction of the ridges of the fingerprints for matching?
A. None of the choices. B. Flow direct C. Ridge matching D. Minutia matching |
D. Minutia matching
|
|
|
DSV as an identification method check against users:
A. Fingerprints B. Signature C. Keystrokes D. Facial expression |
B. Signature
|
|
|
In terms of the order of effectiveness, which of the following technologies is the most affective?
A. Fingerprint B. Iris scan C. Keystroke pattern D. Retina scan |
B. Iris scan
|
|
|
In terms of the order of acceptance, which of the following technologies is the LEAST accepted?
A. Fingerprint B. Iris C. Handprint D. Retina patterns |
D. Retina patterns
|
|
|
JC Key concepts -Confidentiality -Privacy -Integrity -Assurance Availability |
|
|
|
JC Managerial 5 hour exam 700/1000 to pass 25 questions done count need 100 to pass, 800 to be sure 250 questions, 200 is 80% 4pts each |
|
|
|
JC CISSP domains Access Telecom/network security InfoSec gov and risk mgmt SW dev security Crypto Sec arch/design Operational security BCP/DR planning Legal, regulatory, investigation, compliance Physical security |
|
|
|
Confidentiality Availability Integrity |
|
