59 Cards in this Set
Access control is concerned with protecting?
- Confidentiality
- Integrity
- Availability
Confidentiality is?
The property that ensures information is not disclosed to unauthorized users: Prevention of Disclosure
Integrity is?
The property that ensures data has not been modified either in transit or while in storage: Prevention of Alteration
Availability is?
The property that ensures access to data when it is needed: Prevention of Destruction
Access Control Responsibility Role:
- Data owner
- Ultimately responsible
- Final authority
Access Control Responsibility Roles:
Data custodian
- Acts on behalf of the data owner
- Maintains and administers security
• Centralized control
- Single group in charge
- Could cause delays in response to remote business units
• Decentralized control
- Controls map to individual business units
- Causes discrepancies across the
- No consistent view
Challenge Handshake Authentication Protocol
- Central location sends challenge to remote user
- User responds with encrypted hash of challenge
- Password not sent in clear over link and messages are encrypted
Terminal Access Controller Access Control System
- Requires user ID and static password
- Provides better protection
- Uses tokens for two-factor, dynamic password authentication.
Password Authentication Protocol
PAP is used by Point to Point Protocol to validate users before allowing them access to server resources.
- Unencrypted
What are the three areas of security?
C - Confidentiality
I - Integrity
A - Availability
Which of the following critical areas of security represents the unauthorized
modification of information?
Which formula below accurately represents the equation for calculating the risk
associated with your critical assets?
Risk = Threat x Vulnerability
Of the four core principles of network security, which one relates to
understanding which services are running on your system?
Know thy system
Giving Bob, the accountant, access only to the Accounting application required
for his duties is an example of which core security principle?
Principle of Least Privilege
Which principle is represented by an accountant creating a company's books and
an auditor reviewing the books for accuracy?
Separation of Duties
Which access control measure method would be affected by an inaccessible
system administrator?
Which of the following concepts relates most closely to the Principle of Least
a) Authentication
b) Identity
c) Detection
d) Separation of Duties
Separation of Duties
If Dan, a user with level three clearance, attempts to read a document requiring a
level four clearance, he is violating which of the following access control
a) The Star Property of the Bell-LaPadula Model
b) The Simple Security Property of the Bell-LaPadula Model
c) The Simple Integrity Property of the Biba Model
d) The Super Simple Star Property of Biba Model
The Simple Security Property of the Bell-LaPadula Model
Which of the following access control techniques requires the user to follow a
procedure to access protected data?
a) The Clark-Wilson model
b) The Biba model
c) The Middleman model
d) The Bell-LaPadula model
The Clark-Wilson model
Which of the following characteristics makes the BIBA model the opposite of the
Bell LaPadula (BLP) model?
a) No write down and no read up
b) Read up but no write down
c) No read down and no write up
d) Write down but no read up
No read down and no write up
In the process of employee termination, which access management activity most
effectively controls access?
a) Account administration
b) Account maintenance
c) Account monitoring
d) Account revocation
d) Account revocation
Of the four ways a user can be authenticated, which presents the use of physical
human attributes in the process?
a) Something you are
b) Something you have
c) Something you know
d) Something you share
Something you are
If you had a classified system located in the middle of the desert, which
authentication method would serve best?
a) Something you have
b) Something you know and are
c) Something you share
d) Someplace you are
Someplace you are
What is the MOST influential factor in determining if a biometric solution is
feasible for a system?
a) System size
b) Usability
c) Criticality
d) Cost
Which authentication method negotiates the validity of the user through tickets?
a) Single Sign On (SSO)
b) System Generated Passwords (SGP)
c) Challenge Handshake Authentication Protocol (CHAP)
d) Kerberos
Which password cracking technique will eventually figure out Jim's hard-to-guess
a) Hybrid attack
b) Brute force attack
c) Dictionary attack
d) Long-term attack
Brute force attack
Stateful inspection of packets is an example of which kind of access control?
a) Prevention
b) Detection
c) Suspension
d) Eradication
Which are the three common methods used in password cracking?
a) Dictionary, hybrid, and brute force
b) Word list, brute force, and distributed
c) John the Ripper, L0phtCrack, and Hydra
d) SAM, passwd, and shadow
Dictionary, hybrid, and brute force
Which of the following are among the primary design types used for access
control systems today?
a) Mandatory, discretionary, and role-based
b) Interaction, fixed, and closed
c) Subject-based, object-based, and file-based
d) Mandatory, optional, and discretionary
Mandatory, discretionary, and role-based
Which of the following access control techniques associates a group of users and their privileges with each
a) Role Based Access Control
b) Token Based Access Control
c) List Based Access Control
d) User Based Access Control
List Based Access Control
Which of the following is NOT an example of a Mandatory Access Control (MAC)
a) Secure Communications Processor (SCOMP)
c) Pump
d) Purple Penelope
Which of the following access control techniques allows the user to feel
empowered and able to change security attributes?
a) Discretionary Access Control
b) Mandatory Access Control
c) Optional Access Control
d) User Access Control
Discretionary Access Control
Which of the following control types is used to provide alternatives to other
a) Compensating
b) Deterrent
c) Corrective
d) Recovery
Your location is one of four commonly accepted items on which authentication
can be based. What are the other three?
a) Something you say, type, or press
b) Something you have, do, or know
c) Something you do, know, type
d) Something you know, have, or are
Something you know, have, or are
What attribute of the Kerberos authentication process makes it so strong?
a) Encrypting the Ticket Granting Ticket (TGT)
b) Mutual authentication
c) Using a Ticket Distribution Center (TDC) and a Key Granting Server (KGS)
d) User defined passwords
Mutual authentication
Applying which principle represents one of the best ways to thwart internal
attacks using access control systems?
a) Principle of Open Access
b) Principle of Least Privilege
c) Principle of Internal Suppression
d) Principle of Trust
Principle of Least Privilege
There are three primary areas of threat. Of the following items, which is NOT one
of those three areas?
a) Threats to business goals
b) Threats based on validated data
c) Threats that are widely known
d) Threats combined with risk
Threats combined with risk
In terms of information security, what is a vulnerability?
a) A weakness in your systems that allows a threat to occur
b) A threat to your security that creates a risk condition
c) A combining of both a risk and a threat in the same system
d) A risk to your system(s) that cannot be eliminated
A weakness in your systems that allows a threat to occur
Which are the three generally accepted options for managing risk?
a) Eliminate, quarantine, or insure
b) Accept, mediate, or delegate
c) Accept, eliminate, or transfer
d) Transfer, eliminate, or cogitate
Accept, eliminate, or transfer
What is the principle that ensures data has not been modified either in transit or while in storage referred
to as?
a) Non-repudiation
b) Assurance
c) Integrity
d) Reliability
What is the principle that ensures information is not disclosed to unauthorized
users referred to as?
a) Encryption
b) Confidentiality
c) Encapsulation
d) Security
The assurance of access to data when it is needed is one of the three key
principles in information security. What is this principle called?
a) Availability
b) Guaranteed delivery
c) Accessibility
d) Connectivity
Discretionary Access Control (DAC) is one of the many Access Control Models.
Which of the following items is NOT part of the Discretionary Access Control
(DAC) model?
a) An administrator decides whether a user should have access to an object
b) Performed at the discretion of any administrator
c) Strictly enforced by the system and cannot be overridden
d) Owners can change security attributes
Strictly enforced by the system and cannot be overridden
Lattice Security Model
- Deals with information flow
- Formalizes network security models
- Shows how Information can or cannot flow
Chinese Wall Security Model
(Brewer and Nash)
- Deals with conflict of interest
- No information flow allowed that could lead to a "conflict of interest" (COI)
Bell-LaPadula Security Model
- Deals with confidentiality
There are two main rules with BLP:
• The Simple Security property, which is No Read Up (NRU)
• The * property, which is No Write Down (NWD)
Biba Security Model
- Deals with integrity
• Simple integrity property: A user cannot write data to a higher integrity level than hers.
• Integrity star property: A user cannot read data of a lower integrity level than hers.
Clark-Wilson Security Model
• Deals with integrity
- Unauthorized users cannot make changes.
- This model maintains internal and external consistency at the system level.
- Authorized users cannot make unauthorized
When more than one person controlling a component portion collaborates with others to breach the security of a system.
Rotation of Duties
Rotation of duties occurs when personnel are moved from one job to another at regular intervals.
This helps to detect and minimize fraud.
Separation of Duties
Separation of duties is considered valuable in deterring fraud because fraud can occur if an opportunity exists for collaboration between various job-related capabilities.
Least Privilege
• Access control needs good
• Availability versus security: The best security is no availability.
• What is the need of the business?
• Reduce the misuse of privilege.
Subjects: Active
A subject is either a user or process.
Objects: Passive
An object is a passive entity that contains data. An object can be files, directories, pipes, devices, sockets, ports, and so on.
Rules: Filters
The standard rules for UNIX are Read, Write, and Execute. The standard rules for Windows NT 4 are Read, Write, Execute, and No Access. The standard rules of NDS and Active Directory are more granular. In Windows 2000, there are about 30 rules, which are also known as permissions. Each rule has a positive and a negative.
Labels: Sensitivity
Another set of rules, with respect to the sensitivity of both object and subject, is labels.