51 Cards in this Set

Separation of duties is an example of what type of access control?

- Preventative
- Corrective
- Compensative
- Detective
- Preventative

Explanation:

Preventive access controls deter intrusion or attacks, for example, separation of duties or dual-custody processes.

Detective access controls search for details about the attack or the attacker, for example, intrusion detection systems.
Corrective access controls implement short-term repairs to restore basic functionality following an attack. Compensative access controls are alternatives to primary access controls.

Section 1.1
Which of the following defines an object as used in access control?

- Resources, policies, and systems.
- Policies, procedures, and technologies that are implemented within a system.
- Users, applications, or processes that need to be given access.
- Data, applications, systems, networks, and physical space.
- Data, applications, systems, networks, and physical space.

Explanation:

Objects are the data, applications, systems, networks, and physical space.

Subjects are the users, applications, or processes that need access to objects.

Section 1.1
Which of the following is the term for the process of validating a subject's identity?

- Authorization
- Authentication
- Identification
- Auditing
- Authentication

Explanation:

Authentication is the process of validating a subject's identity. It includes the identification process, the user providing input to prove identity, and the system accepting that input as valid.

Authorization is the granting or denying a subject's access to an object based on the level of permissions or the actions allowed on the object. Identification identifies the subject. Examples include a username or a user ID number. Auditing is maintaining a record of a subject's activity within the information system.

Section 1.1
Encryption is which type of access control?

- Technical
- Administrative
- Restrictive
- Physical
- Technical

Explanation:

Technical controls are computer mechanisms that restrict access. Examples are encryption, one-time passwords, access control lists, and firewall rules.

Administrative controls are policies that describe accepted practices. Examples are directive policies and employee awareness training. Physical controls restrict physical access. Examples are perimeter security, site location, networking cables, and employee segregation.

Section 1.1
Which of the following controls is an example of a physical access control method?

- Smartcards
- Passwords
- Hiring background checks
- Access control lists with permissions
- Locks on doors
- Locks on doors

Explanation:

A lock on a door is an example of a physical access control method. Physical controls restrict or control physical access.

Passwords, access control lists, and smartcards are all examples of technical controls. Even though the smartcard is a physical object, the card by itself is part of a technical implementation. Requiring background checks for hiring is an example of a policy or an administrative control.

Section 1.1
With which TCSEC classification level does DAC correspond?

- Level A
- Level B
- Level C
- Level D
- Level C

Explanation:

Discretionary Access Control (DAC) corresponds to TCSEC level C classifications.

Section 1.2
With which TCSEC classification level does MAC correspond?

- Level A
- Level B
- Level C
- Level D
- Level B

Explanation:

Mandatory Access Control (MAC) corresponds to TCSEC level B classifications.

Section 1.2
Which of the following is a password that relates to things that people know, such as a mother's maiden name, or the name of a pet?

- One-time
- Pass phrase
- Cognitive
- Dynamic
- Cognitive

Explanation:

Cognitive passwords relate to things that people know, such as a mother's maiden name, or the name of a pet.

Dynamic passwords change upon each consecutive login. One-time passwords are only valid for a single use. A pass phrase is a password based on a phrase.

Section 1.3
What type of password is maryhadalittlelamb?

- Pass phrase
- Static
- Cognitive
- Composition
- Pass phrase

Explanation:

A pass phrase is a password based on a phrase, such as maryhadalittlelamb.

Cognitive passwords are passwords that relate to things that people know, such as a mother's maiden name, or the name of a pet. A static password is created by a user and overseen by an administrator. Composition passwords are created by the system and are usually two or more unrelated words divided by symbols on the keyboard.

Section 1.3
Which of the following defines the crossover rate for evaluating biometric systems?

- The rate of people who are denied access that should be allowed access.
- The rate of people who are given access that should be denied access.
- The number of subjects or authentication attempts that can be validated.
- The point where the number of false positives matches the number of false negatives in a biometric system.
- The point where the number of false positives matches the number of false negatives in a biometric system.

Explanation:

The crossover error rate, also called the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system.

A false negative (or Type I error) occurs when a person who should be allowed access is denied access. A false positive (or Type II error) occurs when a person who should be denied access is allowed access. The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated.

Section 1.3
Which of the following conditions is desirable when selecting a biometric system? (Select two.)

- A high processing rate
- A low crossover error rate
- A high false negative rate
- A high false positive rate
- A high processing rate
- A low crossover error rate

Explanation:

When selecting a biometric system, you want:

* A high processing rate. This is the rate at which authentication requests can be processed. Target a rate of 10 subjects or more per minute.
* A low crossover error rate. The crossover error rate is the point where the number of false positives matches the number of false negatives in a biometric system.
* A low false negative rate. A false negative occurs when someone is denied access who should be allowed access.
* A low false positive rate. A false positive occurs when someone is allowed access who should have been denied access.

Section 1.3
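The false negative, false positive and crossover rates defined in the two cards above are easier to see as a threshold sweep. The following block is an added example, not part of the course material: the genuine and impostor match scores are constructed, and the threshold grid, the score scale and the "no false accepts" target are illustration choices. Raising the accept threshold lowers the false acceptance rate and raises the false rejection rate; the crossover is where the two curves meet.

```python
"""Error-rate trade-off for a biometric matcher, as an added example.

The scores below are constructed, not measured: a higher score means the
live sample matched the enrolled template more closely. Sweeping the
accept threshold shows FRR (false negatives, Type I) rising and FAR
(false positives, Type II) falling, and locates the crossover (equal
error) rate the cards define."""
from typing import List, Tuple

GENUINE_SCORES = [0.92, 0.88, 0.81, 0.79, 0.75, 0.71, 0.66, 0.62, 0.58, 0.51]
IMPOSTOR_SCORES = [0.12, 0.20, 0.27, 0.33, 0.40, 0.46, 0.53, 0.60, 0.67, 0.73]


def false_reject_rate(genuine: List[float], threshold: float) -> float:
    """Type I error: fraction of legitimate users scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_accept_rate(impostor: List[float], threshold: float) -> float:
    """Type II error: fraction of impostors scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         steps: int = 100) -> Tuple[float, float]:
    """Return (threshold, rate) at the point where FRR and FAR are closest.

    The threshold is swept from 0.0 to 1.0 in `steps` equal increments; the
    reported rate is the mean of FRR and FAR at the chosen threshold."""
    best_gap, best_t, best_rate = None, 0.0, 0.0
    for i in range(steps + 1):
        t = i / steps
        frr = false_reject_rate(genuine, t)
        far = false_accept_rate(impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_gap, best_t, best_rate = gap, t, (frr + far) / 2
    return best_t, best_rate


def threshold_for_max_far(impostor: List[float], max_far: float,
                          steps: int = 100) -> float:
    """Lowest threshold whose FAR does not exceed `max_far`.

    Tightening FAR for a high-security door pushes the threshold up and,
    as scenario() shows, drives FRR up with it."""
    for i in range(steps + 1):
        t = i / steps
        if false_accept_rate(impostor, t) <= max_far:
            return t
    return 1.0


def scenario() -> dict:
    """Work the constructed data through both selection strategies."""
    eer_t, eer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    strict_t = threshold_for_max_far(IMPOSTOR_SCORES, 0.0)
    return {
        "eer_threshold": eer_t,
        "eer": eer,
        "strict_threshold": strict_t,
        "strict_frr": false_reject_rate(GENUINE_SCORES, strict_t),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value:.2f}")
```

With these constructed scores the crossover sits at a threshold of 0.61 with a 20% equal error rate, while demanding zero false accepts forces the threshold to 0.74 and rejects half of the legitimate users. That is the trade-off the "low crossover error rate" criterion summarizes: a device with a lower crossover lets you tighten FAR without paying as much in FRR.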
Which of the following terms is used to describe an event in which a person is denied access to a system when they should be allowed to enter?

- False acceptance
- False negative
- False positive
- Error rate
- False negative

Explanation:

A false negative (or Type I error) occurs when a person who should be allowed access is denied access.

A false positive (or Type II error) occurs when a person who should be denied access is allowed access. The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated. The crossover error rate, also called the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system.

Section 1.3
What should you do to a user account if the user goes on an extended vacation?

- Lock the account
- Remove all rights from the account
- Monitor the account more closely
- Delete the account
- Lock the account

Explanation:

Locking the account is the best measure to protect an inactive account.

If you delete the account or the rights assigned to the account, you will have to re-create the account or the rights when the user returns. Leaving the account active might expose it to attack, even if you regularly monitor it.

Section 1.5
A device which is synchronized to an authentication server is which type of authentication?

- Swipe card
- Asynchronous token
- Synchronous token
- Smart card
- Synchronous token

Explanation:

Synchronous token devices are synchronized to an authentication server.

Asynchronous token devices require an authentication server to send challenge text to a workstation when a user attempts to log in. Smart cards contain a memory chip with encrypted authentication information. Swipe cards are similar to credit cards with authentication information stored on the magnetic strip.

Section 1.3
Which of the following is an example of a strong password?

- Robert694
- a8bT11$yi
- desktop#7
- at9iov45a
- a8bT11$yi

Explanation:

A strong password should not contain dictionary words, names, or any part of the login name. It should mix upper- and lower-case letters, numbers, and symbols, and longer passwords are stronger than shorter ones. Of the options, only a8bT11$yi meets all of these: Robert694 is a name with digits appended, desktop#7 is built on a dictionary word, and at9iov45a has no upper-case letters or symbols.

Section 1.4
Which access control type is used to implement short-term repairs to restore basic functionality following an attack?

- Compensative
- Recovery
- Detective
- Corrective
- Corrective

Explanation:

Corrective access controls are used for short-term repairs and to restore basic functionality. Following the implementation of corrective controls, an incident might also require recovery access control methods which are long-term activities that restore full functionality.

Compensative access controls are alternatives to primary access controls. Detective access controls search for details about the attack or the attacker.

Section 1.1
Which of the following is an example of Type 1 authentication?

- Pass phrase
- Username
- Retina scan
- Smartcard
- Pass phrase

Explanation:

A pass phrase is an example of Type 1 (something you know) authentication.

The username is used for identification, not authentication. A smartcard is an example of Type 2 (something you have) authentication. A retina scan is an example of Type 3 (something you are) authentication.

Section 1.3
You have just configured the password policy and set the minimum password age to 10. What will be the effect of this configuration?

- The password must contain 10 or more characters.
- Users must change the password at least every 10 days.
- The previous 10 passwords cannot be reused.
- Users cannot change the password for 10 days.
- The password must be entered within 10 minutes of the logon prompt being displayed.
- Users cannot change the password for 10 days.

Explanation:

The minimum password age setting prevents too frequent changing of the password. After the password is changed, it cannot be changed again for at least 10 days.

The maximum password age setting determines how frequently a password must be changed. The minimum password length setting controls the minimum number of characters in the password. Password history is used to prevent previous passwords from being reused.

Section 1.4
You have implemented account lockout with a clipping level of 4. What will be the effect of this setting?

- The account will be locked after 4 incorrect attempts.
- Locked accounts will remain locked for 4 hours.
- Password hashes will be generated using a salt value of 4
- Incorrect logon attempts during the past 4 hours will be tracked.
- The account will be locked after 4 incorrect attempts.

Explanation:

The clipping level specifies the number of incorrect attempts that will trigger account lockout. In this example, 4 incorrect passwords would lock the user account.

Account lockout duration specifies how long the account remains locked. Incorrect logon attempts are typically cleared after a successful logon or after a predetermined time passes. A salt is a random value combined with the password before hashing so that two accounts with the same password do not end up with the same stored hash; it has nothing to do with lockout.

Section 1.4
As you are helping a user with a computer problem you notice that she has written her password on a note stuck to her computer monitor. You check the password policy of your company and find that the following settings are currently required:

* Minimum password length = 10
* Minimum password age = 4
* Maximum password age = 30
* Password history = 6
* Require complex passwords that include numbers and symbols
* Account lockout clipping level = 3

Which of the following is the best action to take to make remembering passwords easier so that she no longer has to write the password down?

- Increase the account lockout clipping level.
- Decrease the minimum password length.
- Implement end-user training.
- Increase the maximum password age.
- Remove the complex password requirement.
- Implement end-user training.

Explanation:

The best solution is to implement end-user training. Instruct users on the importance of security and teach them how to create and remember complex passwords. Making any other changes would violate the security policy and reduce the overall security of the passwords.

Section 1.4
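The password-policy settings in the last three cards (minimum length, minimum and maximum age, history, complexity, account lockout clipping level) are normally enforced by the directory or operating system. The following block is an added example, not part of the course, that implements the same rules in plain Python so the effect of each setting can be exercised: the policy values mirror the card above, while the account name, the passwords, the 30-minute lockout duration and the PBKDF2 parameters are constructed for illustration.

```python
"""Policy engine for the settings in the cards above (minimum length,
minimum and maximum password age, history, complexity, lockout clipping
level). Added example: policy values mirror the card; the account, user
name and passwords are constructed. Stored passwords are
PBKDF2-HMAC-SHA256 hashes with a per-password random salt."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

Stored = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str) -> Stored:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, stored: Stored) -> bool:
    salt, digest = stored
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Policy:
    min_length: int = 10
    min_age: timedelta = timedelta(days=4)
    max_age: timedelta = timedelta(days=30)
    history: int = 6            # recent passwords (current included) that cannot be reused
    require_complexity: bool = True
    clipping_level: int = 3     # failed attempts that trigger lockout
    lockout_duration: timedelta = timedelta(minutes=30)   # constructed value


@dataclass
class Account:
    username: str
    history: List[Stored]       # index 0 is the current password
    changed_at: datetime
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None


def complexity_problems(policy: Policy, username: str, password: str) -> List[str]:
    problems = []
    if len(password) < policy.min_length:
        problems.append("shorter than the minimum length")
    if policy.require_complexity:
        if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
            problems.append("needs upper- and lower-case letters")
        if not any(c.isdigit() for c in password):
            problems.append("needs a number")
        if all(c.isalnum() for c in password):
            problems.append("needs a symbol")
    if username.lower() in password.lower():
        problems.append("contains the login name")
    return problems


def change_password(policy: Policy, account: Account, new_password: str,
                    now: datetime) -> Optional[str]:
    """Apply the change, or return the reason it was refused."""
    if now - account.changed_at < policy.min_age:
        return "minimum password age not reached"
    problems = complexity_problems(policy, account.username, new_password)
    if problems:
        return "; ".join(problems)
    if any(verify_password(new_password, old) for old in account.history):
        return "password found in history"
    account.history = [hash_password(new_password)] + account.history[: policy.history - 1]
    account.changed_at = now
    return None


def password_expired(policy: Policy, account: Account, now: datetime) -> bool:
    return now - account.changed_at > policy.max_age


def attempt_login(policy: Policy, account: Account, password: str, now: datetime) -> bool:
    if account.locked_until is not None:
        if now < account.locked_until:
            return False             # still locked, even for the right password
        account.locked_until, account.failed_attempts = None, 0
    if verify_password(password, account.history[0]):
        account.failed_attempts = 0  # a successful logon clears the counter
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= policy.clipping_level:
        account.locked_until = now + policy.lockout_duration
    return False


def scenario() -> List[str]:
    """Run one constructed account through the policy; returns a log of outcomes."""
    policy, t0 = Policy(), datetime(2024, 1, 1, 9, 0)
    acct = Account("alice", [hash_password("Correct#Horse9")], t0)
    log = ["login ok" if attempt_login(policy, acct, "Correct#Horse9", t0) else "login failed"]
    log.append(change_password(policy, acct, "Another!Pass7x", t0 + timedelta(days=1)) or "changed")
    log.append(change_password(policy, acct, "alice!Pass7xyz", t0 + timedelta(days=5)) or "changed")
    log.append(change_password(policy, acct, "Correct#Horse9", t0 + timedelta(days=5)) or "changed")
    log.append(change_password(policy, acct, "Another!Pass7x", t0 + timedelta(days=5)) or "changed")
    log.append("expired" if password_expired(policy, acct, t0 + timedelta(days=40)) else "current")
    t1 = t0 + timedelta(days=6)
    for _ in range(policy.clipping_level):
        attempt_login(policy, acct, "wrong-guess", t1)
    log.append("locked" if not attempt_login(policy, acct, "Another!Pass7x", t1) else "unlocked")
    log.append("login ok" if attempt_login(policy, acct, "Another!Pass7x", t1 + timedelta(hours=1)) else "login failed")
    return log


if __name__ == "__main__":
    print("\n".join(scenario()))
```

The scenario walks through each setting in turn: a change one day after the last one is refused by the minimum age, a password containing the login name fails complexity, reusing the old password is caught by history, the new password expires once the maximum age has passed, and three wrong guesses lock the account so that even the correct password is refused until the lockout duration elapses.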
You have a set of CD-Rs that you have used to store confidential product development data. Now that the project is over, you need to dispose of the discs. Which method should you use to dispose of the media?

- Shredding
- Run the 'Cipher' command
- Overwrite the media 7 times with random data
- Degaussing
- Shredding

Explanation:

For optical media, you must physically destroy the media to prevent later data extraction. Many paper shredders now include the ability to shred optical discs.

Degaussing is for magnetic media such as hard disks and tape: it applies a strong magnetic field that scrambles the recorded data. A CD-R stores data as physical marks in a dye layer, not magnetically, so degaussing has no effect on it. Overwriting (including with the cipher /w command, which wipes free space on a writable NTFS volume) requires rewritable media; because the discs are CD-R (and not CD-RW) discs, you cannot write to them to overwrite the contents.

Section 1.5
Which is the star property of Bell-LaPadula?

- No write up
- No read up
- No read down
- No write down
- No write down

Explanation:

The star property of Bell-LaPadula is no write down.

The simple property of Bell-LaPadula is no read up. The star property of Biba is no write up. The simple property of Biba is no read down.

Section 1.2
The Clark-Wilson model is primarily based on?

- A matrix
- Controlled intermediary access applications
- Dynamic access controls
- A directed graph
- Controlled intermediary access applications

Explanation:

The Clark-Wilson model is primarily based on controlled intermediary access applications that prevent direct access to the back-end database.

Dynamic access controls are the basis of the Brewer-Nash model. A matrix is the basis for the Access Matrix. A directed graph is the basis of the Take-Grant model.

Section 1.2
Which access control model manages rights and permissions based on job descriptions and responsibilities?

- Discretionary Access Control (DAC)
- Role Based Access Control (RBAC)
- Mandatory Access Control (MAC)
- Task Based Access Control (TBAC)
- Role Based Access Control (RBAC)

Explanation:

Role Based Access Control (RBAC) is the access control model that manages rights and permissions based on job descriptions. RBAC focuses on job descriptions or work tasks, instead of employing user accounts to define access. RBAC is best suited for environments that have a high rate of employee turnover. By defining access based on roles rather than individuals, it simplifies administration when granting a new person access to common activities.

DAC is based on user accounts. MAC is based on security labels, classifications, or clearances. TBAC is based on work tasks.

Section 1.2
What does the Mandatory Access Control (MAC) method use to control access?

- Geographic location
- Job descriptions
- User accounts
- Sensitivity labels
- Sensitivity labels

Explanation:

Mandatory Access Control (MAC) is based on sensitivity labels (a.k.a. classifications or clearance levels). A sensitivity label is a descriptive tag that indicates how important, valuable, volatile, or classified a resource is. Common sensitivity labels in a military computing environment are: Top Secret, Secret, Confidential, Sensitive but Unclassified, and Unclassified. Common sensitivity labels in a private sector computing environment include Proprietary, Confidential, Private, and Public. Sensitivity labels can be applied to both resources and people. Sensitivity labels define how much security should be used to protect and manage resources.

DAC is based on user accounts. RBAC is based on job descriptions. No standard access control model is based on geographic location.

Section 1.2
Discretionary Access Control (DAC) manages access to resources using what primary element or aspect?

- Identity
- Classification
- Age
- Rules
- Identity

Explanation:

Discretionary Access Control (DAC) manages access to resources using identity (i.e. user accounts). DAC is the most common type of access control in use. Managing access by identity means you grant the ability to access resources and perform actions based on who a person is. The most common means to log into a DAC environment is to provide a username and password.

MAC uses classification and rules. No standard access control model uses age.

Section 1.2
Which form of access control enforces security based on user identities and allows individual users to define access controls over owned resources?

- RBAC (Role-based Access Control)
- TBAC (Task-based Access Control)
- DAC (Discretionary Access Control)
- MAC (Mandatory Access Control)
- DAC (Discretionary Access Control)


Explanation:

DAC (Discretionary Access Control) uses identities to control resource access. Users can make their own decisions about the access to grant to other users.

RBAC (Role-based Access Control), MAC (Mandatory Access Control), and TBAC (Task-based Access Control) enforce security based on rules.

* The rules of RBAC are job descriptions
* The rules of MAC are classifications
* The rules of TBAC are work tasks

Section 1.2
What type of access control focuses on assigning privileges based on security clearance and data sensitivity?

- RBAC (Role-based Access Control)
- TBAC (Task-based Access Control)
- MAC (Mandatory Access Control)
- DAC (Discretionary Access Control)
- MAC (Mandatory Access Control)

Explanation:

MAC (Mandatory Access Control) uses classifications to assign privileges based on security clearances and data sensitivity.

RBAC (Role-based Access Control) is a form of access control that assigns privileges based on a job description. New users are simply assigned a job label. The job label holds all the privileges needed to accomplish the work tasks assigned to that job.

TBAC (Task-based Access Control) defines individual work tasks to assign privileges. It is similar to RBAC, but at a finer grain: a single user may be assigned dozens of tasks under TBAC, while under RBAC a user is assigned one job role (or a small number of roles), each of which bundles the privileges for that job.

With DAC (Discretionary Access Control), an administrator or owner defines user and resource access.

Section 1.2
Which of the following principles is implemented in a mandatory access control model to determine access to an object using classification levels?

- Least privilege
- Ownership
- Clearance
- Need to know
- Separation of duties
- Need to know

Explanation:

Need to know is used with mandatory access control environments to implement granular control over access to segmented classified data.

Separation of duties is the security principle that states no single user is granted sufficient privileges to compromise the security of an entire environment. Clearance is the subject classification label that grants a user access to a specific security domain in a mandatory access control environment. Ownership is the access right in a discretionary access control environment where a user has complete control over an object usually because they created it.

Section 1.2
Need to know is required to access what types of resources?

- Low-security resources
- Resources with unique ownership
- Compartmentalized resources
- High-security resources
- Compartmentalized resources

Explanation:

Need to know is required to access compartmentalized resources. Within any classification level of a MAC environment, data can be compartmentalized and thus require the additional access control clearance of need to know in order to gain access.

Need to know is not specifically limited to or required by either high- or low-security resources. In a MAC environment, there is no concept of ownership.

Section 1.2
In what form of access control environment is access controlled by rules rather than by identity?

- Mandatory access control (MAC)
- Access control lists (ACLs)
- Discretionary access control (DAC)
- Most client-server environments
- Mandatory access control (MAC)

Explanation:
A MAC environment controls access based on rules rather than by identity.

DAC environments use identity to control access. ACLs are a specific example of an identity-based access control mechanism used in DAC environments. Most client-server environments use ACLs and thus are DAC solutions.

Section 1.2
What form of access control is based on job descriptions?

- Discretionary access control (DAC)
- Location-based access control (LBAC)
- Mandatory access control (MAC)
- Role-based access control (RBAC)
- Role-based access control (RBAC)

Explanation:

RBAC is based on job descriptions.

DAC is based on identity. MAC is based on rules. LBAC is based on geography or logical designations.

Section 1.2
Which of the following are examples of single sign-on authentication solutions? (Select two.)

- Biometrics
- Digital Certificates
- Kerberos
- SESAME
- RADIUS
- DIAMETER
- Kerberos
- SESAME

Explanation:

Kerberos and SESAME are single sign-on authentication solutions. A single sign-on authentication solution is a mechanism that allows a user to log into a network once and then be able to roam the entire network without re-authenticating. This does not mean that the user is granted unlimited access to all of the resources within the network. It just means that as the user accesses resources and performs activities that they are authorized to perform, they are not required to re-authenticate each time they connect to a new system on the network.

Biometrics and digital certificates are used in authentication but are not single sign-on authentication solutions. RADIUS and DIAMETER are centralized remote access authentication methods.


Section 1.3
Which of the following is not a characteristic of Kerberos?

- Symmetric key cryptography
- Peer-to-peer relationships between entities
- End-to-end security
- Data Encryption Standard
- Peer-to-peer relationships between entities

Explanation:

Kerberos is a client/server technology built around a trusted third party (the Key Distribution Center, or KDC) that every principal authenticates to, rather than a peer-to-peer technology. Thus, this statement does not relate to Kerberos. The single sign-on solution that is a peer-to-peer technology is SESAME.

Kerberos uses symmetric key cryptography, provides end-to-end security, and historically employed DES. Current implementations use AES; the DES encryption types were deprecated by RFC 6649.


Section 1.3
What is another term for the type of logon credentials provided by a token device?

- One-time password
- Two-factor authentication
- Biometric
- Mutual authentication
- One-time password

Explanation:

A token device provides a type of one-time password. There are several types of token devices. Generally, a token device requires you to enter a code or a PIN. The device then displays a code that you must enter into the logon prompt. Some tokens are time-based so that the code provided by the token is only valid for a short period of time. Other tokens are challenge/response-based where the logon prompt displays a challenge message that you enter into the token. The response from the token must match that expected by the secured system.

A token device may require the use of a biometric or it may be involved in a mutual or two-factor authentication system.

Section 1.3
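The synchronous/asynchronous token card earlier in this section and the token card just above describe the two ways a token device produces a one-time password: from a clock shared with the authentication server, or from a challenge the server sends. The following block is an added example, not course material, showing both in working form. The synchronous side is HOTP (RFC 4226) driven by a 30-second time step, which is TOTP (RFC 6238); the asynchronous side is an HMAC over a random challenge. The shared secret is the RFC 4226 test-vector key, and the 6-digit length, the one-step skew window and the 8-hex-character response are illustration choices.

```python
"""Synchronous versus asynchronous one-time-password tokens, as an added
example. The synchronous token shares a clock with the server: both
compute HOTP (RFC 4226) over the current 30-second time step, which is
TOTP (RFC 6238). The asynchronous token needs no clock: the server sends
a random challenge and the token answers with an HMAC over it. The shared
secret is the RFC 4226 test-vector key, constructed for illustration."""
import hashlib
import hmac
import secrets
import struct

SHARED_SECRET = b"12345678901234567890"   # RFC 4226 Appendix D test key
TIME_STEP = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP) -> str:
    """RFC 6238: HOTP whose counter is the number of elapsed time steps."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, server_time: int, skew_steps: int = 1) -> bool:
    """Server side of a synchronous token. The code must be recomputed for
    the same step; a window of +/- skew_steps tolerates small clock drift,
    and a token that has drifted further is simply rejected."""
    current = server_time // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-skew_steps, skew_steps + 1))


def issue_challenge() -> bytes:
    """Asynchronous token, server side: a fresh random challenge per logon."""
    return secrets.token_bytes(8)


def token_response(secret: bytes, challenge: bytes) -> str:
    """Asynchronous token, device side: the answer is derived from the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    return hmac.compare_digest(token_response(secret, challenge), response)


def scenario() -> dict:
    """Constructed exchanges for both token types."""
    code_at_59 = totp(SHARED_SECRET, 59)            # RFC 6238 vector: 287082
    challenge = issue_challenge()
    response = token_response(SHARED_SECRET, challenge)
    return {
        "totp_59": code_at_59,
        "accepted_same_step": verify_totp(SHARED_SECRET, code_at_59, 59),
        "accepted_one_step_late": verify_totp(SHARED_SECRET, code_at_59, 59 + TIME_STEP),
        "rejected_three_steps_late": not verify_totp(SHARED_SECRET, code_at_59, 59 + 3 * TIME_STEP),
        "challenge_accepted": verify_response(SHARED_SECRET, challenge, response),
        "replay_to_new_challenge": verify_response(SHARED_SECRET, issue_challenge(), response),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The time-based code is only accepted within the skew window, which is the synchronous token's dependency on time synchronization; the challenge/response token has no such dependency, but a captured response is useless against the next logon because the server issues a new challenge each time.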
Which of the following is the strongest form of multi-factor authentication?

- Two passwords
- Two-factor authentication
- A password and a biometric scan
- A password, a biometric scan, and a token device
- A password, a biometric scan, and a token device

Explanation:

A password, a biometric scan, and a token device together are the strongest form of multi-factor authentication listed here, because each comes from a different factor type. The three common authentication factor types are Something You Know (such as a password), Something You Have (such as a smart card or a token device), and Something You Are (such as a biometric quality like a fingerprint). Multi-factor authentication combines two or more different factor types; two-factor authentication is the special case of exactly two.

The other three options are all weaker. A password and a biometric scan is two-factor (and therefore multi-factor) authentication, but it lacks the third factor type. Two passwords are two instances of the same factor type; by the strict definition this is still single-factor authentication, and one attack (such as phishing) can capture both, so it is the weakest option listed.

Section 1.3
What is mutual authentication?

- Using a CA (certificate authority) to issue certificates
- A process by which each party in an online communication verifies the identity of the other party
- The use of two or more authentication factors
- Deploying CHAP and EAP on remote access connections
- A process by which each party in an online communication verifies the identity of the other party

Explanation:

Mutual authentication is the process by which each party in an online communication verifies the identity of the other party. Mutual authentication is most common in VPN links, TLS (SSL) connections that use client certificates, and e-commerce transactions. In each of these situations, both parties in the communication want to ensure that they know whom they are interacting with.

The use of two or more authentication factors is called multi-factor authentication (two-factor when exactly two are used). CHAP and EAP are authentication protocols, and CHAP by itself authenticates only one direction unless it is run in both. Communicating hosts might use certificates issued by a trusted CA in performing mutual authentication, but using the CA is not in itself a definition of mutual authentication.

Section 1.3
Which of the following is not a form of biometric?

- Retina scan
- Token device
- Face recognition
- Fingerprint
- Token device

Explanation:

A token device is not a form of biometric. Biometrics rely on personal characteristics (such as fingerprints, face recognition, or a retina scan) to prove identity.

A token device is an example of the Something You Have authentication factor. A token device is a small device into which you type a code or a PIN; the token then produces a response. The response is used on a secured system along with your name and password to gain access to that system.

Section 1.3
Which of the following is a disadvantage of biometrics? (Select two.)

- They have a potential for numerous false rejections.
- Biometric factors for identical twins will be the same.
- They require time synchronization.
- They can be circumvented using a brute force attack.
- When used alone or solely, they are no more secure than a strong password.
- They have a potential for numerous false rejections.
- When used alone or solely, they are no more secure than a strong password.

Explanation:

When a biometric is used by itself, it is no more secure than a strong password: a single successful attack subverts the biometric in much the same way that a single successful attack subverts a password. Biometric attacks need not be based on physical harm (such as cutting off a finger), but can include a wide variety of realistic reproductions that fool the biometric reader device. Unlike a password, a compromised biometric cannot be changed.

When a biometric device has its sensitivity set too high, it will result in numerous false rejections, that is when authorized users are not recognized and therefore rejected.

The advantage of biometrics is that no two people have the same biometric characteristics. Most characteristics, such as retinal patterns, are unique even among identical twins. A password can be discovered using a brute force attack, but there is no equivalent guessing attack against a biometric; the attacker must present a forged sample instead. Time synchronization is a requirement of synchronous tokens, not of biometrics.

Section 1.4
Which form of authentication solution employs a hashed form of the user's password that has an added time stamp as a form of identity?

- Certificates
- Biometrics
- Kerberos
- Directory Service
- Kerberos

Explanation:

Kerberos derives the user's long-term key from a hash of the user's password. To prove identity, the client uses this key to encrypt the current time stamp (pre-authentication); the Key Distribution Center (KDC) decrypts it with its own copy of the key and accepts it only if the time stamp is within the permitted clock skew (five minutes by default). The KDC then issues a Ticket Granting Ticket (TGT) with a limited lifetime; possession of a valid TGT serves as proof of identity, and once its lifetime expires the TGT becomes invalid. The time stamps limit replay and impersonation attacks, which is why accurate time synchronization is a requirement for deploying Kerberos.

A Directory Service may or may not employ Kerberos. A Directory Service typically serves as a master index or lookup solution to allow users to locate resources easily within a defined network. Certificate-based authentication uses a digital certificate and its private key, rather than a hashed password, as the form of identification. Biometrics use a physical human feature, such as a fingerprint, as a form of identification.

Section 1.3
What is the most important aspect of a biometric device?

- Accuracy
- Throughput
- Size of the reference profile
- Enrollment time
- Accuracy

Explanation:

The most important aspect of a biometric device is accuracy. If an access control device is not accurate, it does not offer reliable security.
Enrollment time is how long it takes for a new user to be defined in the biometric database. Typically an enrollment time less than two minutes is preferred. The size of the reference profile is irrelevant in most situations. Throughput is how many users a biometric device can scan and verify within a given time period. Typically, a throughput of 10 users per minute is preferred.

Section 1.3
Which of the following is stronger than any biometric authentication factor?

- A 47-character password
- A dynamic asynchronous token device without a PIN
- A two-factor authentication
- A USB device hosting PKI certificates
- A two-factor authentication

Explanation:

Two-factor authentication is always stronger than authentication with a single factor, even if that single factor is a biometric.

When single authentication factors are compared to one another, they are all roughly the same in terms of strength of security protection: each can be defeated by one successful attack. Thus, the single factors of a long password, a token device without a PIN, and a USB device holding PKI certificates are all equally weak on their own.

Section 1.3
Which of the following is not an example of a single sign-on solution?

- Scripted access
- Workgroup
- Directory services
- Kerberos
- Workgroup

Explanation:

A workgroup is not a form of single sign-on. Each time you visit or access a resource on another system, you must authenticate to that system.

Kerberos, directory services, and some forms of scripted access are single sign-on solutions. After you provide your logon credentials, you are not required to provide them again as long as you remain within the same security realm.

Section 1.3
Which of the following advantages can Single Sign-On (SSO) provide? (Select two.)

- Secure remote access
- Enhanced password complexity requirements
- The elimination of multiple user accounts and passwords for an individual
- Access to all authorized resources with a single instance of authentication
- The elimination of multiple user accounts and passwords for an individual
- Access to all authorized resources with a single instance of authentication

Explanation:

A properly designed Single Sign-On (SSO) system can reduce human error and system administration time by providing access to all authorized resources with a single instance of authentication through a single set of user credentials.

Enhanced password complexity is not a direct function of SSO, although enhanced security may be achieved by eliminating multiple credentials for individual authentication and enforcing password complexity policies. SSO is not a replacement for sound security policies or properly configured systems. Implementation of an SSO system can be challenging, as all systems and applications must be capable of utilizing a common method of authentication.

Section 1.3
A smart card can be used to store all but which of the following items?

- Digital signature
- Biometric template original
- Identification codes
- Cryptography keys
- Biometric template original

Explanation:

A smart card cannot store biometric template originals, because those are physical characteristics of the human body itself.

A smart card can store digital signatures, cryptography keys, and identification codes.

Section 1.3
Which two of the following are requirements to deploy Kerberos on a network?

- Use of token devices and one-time passwords
- Blocking of remote connectivity
- A centralized database of users and passwords
- Time synchronization between devices
- A directory service
- A centralized database of users and passwords
- Time synchronization between devices

Explanation:

Kerberos requires that there be a centralized database of users and passwords and time synchronization. The user database is usually maintained on the KDC itself or on a separate pre-authentication server system. Time synchronization is required to stamp a consistent expiration date within the Ticket Granting Ticket (TGT).

Kerberos can function across remote links, so remote connectivity does not need to be blocked. Kerberos is based on passwords, but can be deployed within an environment that employs tokens and one-time passwords; however, this is not a requirement of Kerberos. Kerberos is often deployed alongside a directory service, such as Active Directory, but Kerberos does not require a directory service to be present. Kerberos can function as a stand-alone single sign-on solution.

Section 1.3
Which of the following is not an important aspect of password management?

- Training users to create complex passwords that are easy to remember
- Enable account lockout
- Always store passwords in a secure medium
- Prevent use of personal information in a password
- Enable account lockout

Explanation:

Account lockout is not a password management mechanism; rather, it is an access control mechanism that protects against attempted compromise of user accounts.

Password management includes preventing the use of personal information in passwords, training users on how to create complex passwords that are easy to remember, and ensuring that passwords are always stored securely.

Section 1.4
In a variation of the brute force attack, an attacker may use a predefined list (dictionary) of commonly used usernames and passwords to gain access to existing user accounts. Which countermeasure best addresses this issue?

- VLANs
- A strong password policy
- 3DES Encryption
- AES Encryption
- A strong password policy

Explanation:

A strong password policy is the best defense against dictionary attacks. The policy must be enforced and all users must be trained to properly construct and protect strong passwords.

3DES and AES encryption alone do not protect against dictionary attacks. Encryption technologies are useless if weak passwords permit easy access to encrypted channels.

VLANs allow logical segmentation of a physical network and do not prevent dictionary attacks and weak passwords.

Section 1.4
Which of the following is an example of privilege escalation?

- Separation of duties
- Mandatory vacations
- Principle of least privilege
- Creeping privileges
- Creeping privileges

Explanation:

Creeping privileges occur when a user's job position changes and the user is granted a new set of access privileges for the new work tasks; however, the previous access privileges are not removed. As a result, the user accumulates privileges over time that are not necessary for their current work tasks. This is a form of privilege escalation.

The principle of least privilege and separation of duties are countermeasures against privilege escalation. Mandatory vacations are used to enable peer review; they require cross-trained personnel and help detect mistakes and fraud.

Section 1.5
Which of the following is the least reliable means to clean or purge media?

- Overwriting every sector with alternating 1's and 0's
- Degaussing
- Drive controller hardware level formatting
- OS low-level formatting
- Degaussing

Explanation:

The least reliable means to clean or purge media is degaussing. Degaussing is the use of strong magnetic fields to remove stored information from a drive. Unfortunately, user error and equipment failure often result in only partially cleaned media.

Various forms of formatting, such as OS low-level and drive controller hardware level formatting, are not perfect, but are often more reliable than degaussing. Overwriting every sector with alternating 1's and 0's can be effective if performed multiple times (such as 60 or more times).

Section 1.5
In a high security environment, what is the most important concern when removable media is no longer needed?

- Destruction
- Re-use
- Labeling
- Purging
- Destruction

Explanation:

The most important concern is the destruction of the media. In a high security environment, removable media is not reused. After the media is no longer needed, it needs to be destroyed.

Labeling is important, but it is important before removable media is put into use, not after. Re-use and purging are not secure activities in a high security environment. Re-using media can result in confidentiality compromise. Purging is rarely sufficient to fully remove data.

Section 1.5