98 Cards in this Set
Which of the following implements the authorized access relationship between subjects and
objects of a system?
A. Security model
B. Reference kernel
C. Security kernel
D. Information flow model
C. Security kernel
Which of the following is a means of restricting access to objects based on the identity of the
subject to which they belong?
A. Mandatory access control
B. Group access control
C. Discretionary access control
D. User access control
C. Discretionary access control
What is the method of coordinating access to resources based on a listing of permitted IP addresses?
A. MAC
B. ACL
C. DAC
D. None of the choices.
B. ACL
Which of the following is true about MAC?
A. It is more flexible than DAC.
B. It is more secure than DAC.
C. It is less secure than DAC.
D. It is more scalable than DAC.
B. It is more secure than DAC.
A system using Discretionary Access Control (DAC) is vulnerable to which one of the following
attacks?
A. Trojan horse
B. Phreaking
C. Spoofing
D. SYN flood
C. Spoofing
What defines an imposed access control level?
A. MAC
B. DAC
C. SAC
D. CAC
A. MAC
DAC is characterized by many organizations as:
A. Need-to-know controls
B. Preventive controls
C. Mandatory adjustable controls
D. None of the choices
A. Need-to-know controls
Which of the following correctly describes DAC?
A. It is the most secure method.
B. It is of the B2 class.
C. It can extend beyond limiting which subjects can gain what type of access to which objects.
D. It is of the B1 class.
C. It can extend beyond limiting which subjects can gain what type of access to which objects.
Under DAC, a subject's rights must be ________ when it leaves an organization altogether.
A. recycled
B. terminated
C. suspended
D. resumed
B. terminated
DAC and MAC policies can be effectively replaced by:
A. Rule based access control.
B. Role based access control.
C. Server based access control.
D. Token based access control
B. Role based access control.
What access control methodology facilitates frequent changes to data permissions?
A. Rule-based
B. List-based
C. Role-based
D. Ticket-based
A. Rule-based
What security model implies a central authority that determines what subjects can have access to what objects?
A. Centralized access control
B. Discretionary access control
C. Mandatory access control
D. Non-discretionary access control
D. Non-discretionary access control
Enforcing minimum privileges for general system users can be easily achieved through the use of:
A. TSTEC
B. RBAC
C. TBAC
D. IPSEC
B. RBAC
With RBAC, each user can be assigned:
A. One or more roles.
B. Only one role.
C. A token role.
D. A security token.
A. One or more roles.
With RBAC, roles are:
A. Based on labels.
B. All equal
C. Hierarchical
D. Based on flows.
C. Hierarchical
Role based access control is attracting increasing attention particularly for what applications?
A. Scientific
B. Commercial
C. Security
D. Technical
B. Commercial
What is one advantage of deploying Role based access control in large networked applications?
A. Higher security
B. Higher bandwidth
C. User friendliness
D. Lower cost
D. Lower cost
Which of the following risks will most likely affect confidentiality, integrity and availability?
A. Physical damage
B. Unauthorized disclosure of information
C. Loss of control over system
D. Physical theft
D. Physical theft
Which of the following best provides e-mail message authenticity and confidentiality?
A. Signing the message using the sender’s public key and encrypting the message using the
receiver’s private key
B. Signing the message using the sender’s private key and encrypting the message using the
receiver’s public key
C. Signing the message using the receiver’s private key and encrypting the message using the
sender’s public key
D. Signing the message using the receiver’s public key and encrypting the message with the
sender’s private key
B. Signing the message using the sender’s private key and encrypting the message using the
receiver’s public key
One-way hash provides:
A. Confidentiality
B. Availability
C. Integrity
D. Authentication
C. Integrity
PGP provides which of the following? (Choose three)
A. Confidentiality
B. Accountability
C. Accessibility
D. Integrity
E. Interest
F. Non-repudiation
G. Authenticity
A. Confidentiality
D. Integrity
G. Authenticity
Which of the following services is not provided by the digital signature standard (DSS)?
A. Encryption
B. Integrity
C. Digital signature
D. Authentication
A. Encryption
Making sure that the data is accessible when and where it is needed is which of the following?
A. Confidentiality
B. Integrity
C. Acceptability
D. Availability
D. Availability
The guarantee that the message sent is the message received, and that the message was not intentionally or unintentionally altered, is called:
A. Integrity
B. Confidentiality
C. Availability
D. Identity
A. Integrity
Who of the following is responsible for ensuring that proper controls are in place to address
integrity, confidentiality, and availability of IT systems and data?
A. Business and functional managers.
B. IT Security practitioners.
C. System and information owners.
D. Chief information officer.
C. System and information owners.
What are the elements of the CIA triad? (Choose three)
A. Confidentiality
B. Accountability
C. Accessibility
D. Integrity
E. Interest
F. Control
G. Availability
A. Confidentiality
D. Integrity
G. Availability
The Clark-Wilson model focuses on data's:
A. Availability.
B. Confidentiality.
C. Format.
D. Integrity.
D. Integrity.
The theft of a laptop poses a threat to which tenet of the C.I.A. triad?
A. All of the above
B. Availability
C. Integrity
D. Confidentiality
A. All of the above
Which of the following centralized access control mechanisms is not appropriate for mobile workers accessing the corporate network over analog lines?
A. TACACS
B. Call-back
C. CHAP
D. RADIUS
B. Call-back
Which of the following are proprietary implementations by Cisco?
A. RADIUS+
B. TACACS
C. XTACACS and TACACS+
D. RADIUS
C. XTACACS and TACACS+
What is a protocol used for carrying authentication, authorization, and configuration information
between a Network Access Server and a shared Authentication Server?
A. IPSec
B. RADIUS
C. L2TP
D. PPTP
B. RADIUS
RADIUS is defined by which RFC?
A. 2168
B. 2148
C. 2138
D. 2158
C. 2138
In a RADIUS architecture, which of the following acts as a client?
A. A Network Access Server.
B. None of the choices.
C. The end user.
D. The authentication server.
A. A Network Access Server.
In a RADIUS architecture, which of the following can act as a proxy client?
A. The end user.
B. A Network Access Server.
C. The RADIUS authentication server.
D. None of the choices.
C. The RADIUS authentication server.
Which of the following statements pertaining to RADIUS is incorrect?
A. A RADIUS server can act as a proxy server, forwarding client requests to other authentication domains.
B. Most RADIUS clients have the capability to query secondary RADIUS servers for redundancy.
C. Most RADIUS servers have built-in database connectivity for billing and reporting purposes.
D. Most RADIUS servers can work with DIAMETER servers.
D. Most RADIUS servers can work with DIAMETER servers.
What protocol was UDP-based and mainly intended to provide validation of dial-up user login passwords?
A. PPTP
B. L2TP
C. IPSec
D. TACACS
D. TACACS
Which one of the following statements is TRUE concerning the Terminal Access Controller Access Control System (TACACS) and TACACS+?
A. TACACS supports prompting for a password change.
B. TACACS+ employs a user ID and static password.
C. TACACS+ employs tokens for two-factor, dynamic password authentication.
D. TACACS employs tokens for two-factor, dynamic password authentication.
C. TACACS+ employs tokens for two-factor, dynamic password authentication.
What is NOT a feature of TACACS+?
A. Replaces older Frame Relay-switched networks
B. Enables a user to change passwords
C. Enables two-factor authentication
D. Resynchronizes security tokens
A. Replaces older Frame Relay-switched networks
What are edit controls?
A. Preventive controls
B. Detective controls
C. Corrective controls
D. Compensating controls
A. Preventive controls
Which control pairing includes organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, friendly and unfriendly employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Administrative Pairing
A. Preventive/Administrative Pairing
An audit trail is a category of what control?
A. System, Manual
B. Detective, Technical
C. User, Technical
D. Detective, Manual
B. Detective, Technical
An IDS is a category of what control?
A. Detective, Manual
B. Detective, Technical
C. User, Technical
D. System, Manual
B. Detective, Technical
Technical controls such as encryption and access control can be built into the operating system,
be software applications, or can be supplemental hardware/software units. Such controls, also
known as logical controls, represent which pairing?
A. Preventive/Administrative Pairing
B. Preventive/Technical Pairing
C. Preventive/Physical Pairing
D. Detective/Technical Pairing
B. Preventive/Technical Pairing
A business continuity plan is an example of which of the following?
A. Corrective Control
B. Detective Control
C. Preventive Control
D. Compensating Control
A. Corrective Control
________ Technical Controls warn of technical Access Control violations.
A. Elusive
B. Descriptive
C. Corrective
D. Detective
D. Detective
___________________ are the technical ways of restricting who or what can access system
resources.
A. Preventive Manual Controls
B. Detective Technical Controls
C. Preventive Circuit Controls
D. Preventive Technical Controls
D. Preventive Technical Controls
Which of the following is not a form of detective administrative control?
A. Rotation of duties
B. Required vacations
C. Separation of duties
D. Security reviews and audits
C. Separation of duties
Which of the following is NOT a type of access control?
A. Intrusive
B. Deterrent
C. Detective
D. Preventive
A. Intrusive
As a type of access control, which of the following aims at avoiding an occurrence?
A. Preventive
B. Deterrent
C. Intrusive
D. Detective
A. Preventive
As a type of access control, which of the following aims at identifying occurrences?
A. Deterrent
B. Preventive
C. Detective
D. Intrusive
C. Detective
As a type of access control, which of the following aims at discouraging an occurrence?
A. Detective
B. Intrusive
C. Deterrent
D. Preventive
C. Deterrent
The recording of events with a closed-circuit TV camera is considered a:
A. Preventative control
B. Detective control
C. Compensating control
D. Corrective Control
B. Detective control
Which type of control would password management classify as?
A. Compensating control
B. Detective control
C. Preventive control
D. Technical control
C. Preventive control
Which of the following would NOT be an example of compensating controls being implemented?
A. Modifying the timing of a system resource in some measurable way to covertly transmit information
B. Sensitive information requiring two authorized signatures to release
C. A safety deposit box needing two keys to open
D. Signing in or out of a traffic log and using a magnetic card to access an operations center
A. Modifying the timing of a system resource in some measurable way to covertly transmit information
Which is NOT an element of two-factor authentication?
A. Something you are
B. Something you have
C. Something you know
D. Something you ate
D. Something you ate
Memory-only cards work based on:
A. Something you have.
B. Something you know.
C. None of the choices.
D. Something you know and something you have.
D. Something you know and something you have.
Authentication is typically based upon:
A. Something you have.
B. Something you know.
C. Something you are.
D. All of the choices.
D. All of the choices.
A password represents:
A. Something you have.
B. Something you know.
C. All of the choices.
D. Something you are.
B. Something you know.
A smart card represents:
A. Something you are.
B. Something you know.
C. Something you have.
D. All of the choices.
C. Something you have.
Which of the following is the most commonly used check on something you know?
A. One time password
B. Login phrase
C. Retinal
D. Password
Retinal scans check for:
A. Something you are.
B. Something you have.
C. Something you know.
D. All of the choices.
A. Something you are.
Which of the following is the weakest authentication mechanism?
A. Passphrases
B. Passwords
C. One-time passwords
D. Token devices
B. Passwords
When two different keys encrypt a plaintext message into the same ciphertext, this situation is known as:
A. Cryptanalysis.
B. Public key cryptography.
C. Hashing.
D. Key clustering.
D. Key clustering.
The hashing algorithm in the Digital Signature Standard (DSS) generates a message digest of:
A. 130 bits
B. 56 bits
C. 120 bits
D. 160 bits
D. 160 bits
What are MD4 and MD5?
A. Symmetric encryption algorithms
B. Digital certificates
C. Hashing algorithms
D. Asymmetric encryption algorithms
C. Hashing algorithms
Which of the following algorithms does *NOT* provide hashing?
A. SHA-1
B. MD2
C. RC4
D. MD5
C. RC4
Which of the following does not apply to system-generated passwords?
A. Passwords are harder to remember for users
B. If the password-generating algorithm gets to be known, the entire system is in jeopardy
C. Passwords are more vulnerable to brute force and dictionary attacks.
D. Passwords are harder to guess for attackers
C. Passwords are more vulnerable to brute force and dictionary attacks.
_______ are added to Linux passwords to increase their randomness.
A. Salts
B. Pepper
C. Grains
D. MD5 hashes
E. Asymmetric algorithms
A. Salts
The beginning and the end of each transfer during asynchronous communication data transfer are marked by?
A. Start and Stop bits.
B. Start and End bits.
C. Begin and Stop bits.
D. Start and Finish bits.
A. Start and Stop bits.
A token that generates a unique password at fixed time intervals is called:
A. A synchronous dynamic password token.
B. A challenge-response token.
C. A time-sensitive token.
D. An asynchronous dynamic password token.
A. A synchronous dynamic password token.
The data transmission method in which data is sent continuously and
doesn't use either an internal clocking source or start/stop bits for
timing is known as:
A. Asynchronous
B. Plesiochronous
C. Synchronous
D. Isochronous
D. Isochronous
The technique of skimming small amounts of money from multiple transactions is called the
A. Scavenger technique
B. Salami technique
C. Synchronous attack technique
D. Leakage technique
B. Salami technique
What are the valid types of one-time password generators?
A. All of the choices.
B. Transaction synchronous
C. Synchronous/PIN synchronous
D. Asynchronous/PIN asynchronous
A. All of the choices.
What is the most critical characteristic of a biometric identifying system?
A. Perceived intrusiveness
B. Storage requirements
C. Accuracy
D. Reliability
C. Accuracy
Which of the following is a typical biometric characteristic that is NOT used to uniquely authenticate an individual's identity?
A. Retina scans
B. Iris scans
C. Palm scans
D. Skin scans
D. Skin scans
In biometrics, a one-to-one search to verify an individual's claim of an identity is called:
A. Audit trail review.
B. Accountability.
C. Authentication.
D. Aggregation.
C. Authentication.
An acceptable biometric throughput rate is:
A. One subject per two minutes.
B. Five subjects per minute.
C. Ten subjects per minute.
D. Two subjects per minute.
C. Ten subjects per minute.
In addition to accuracy, a biometric system has additional factors that determine its effectiveness. Which one of the following listed items is NOT one of these additional factors?
A. Corpus
B. Throughput rate
C. Enrollment time
D. Acceptability
A. Corpus
In biometrics, a good measure of performance of a system is the:
A. False detection.
B. Positive acceptance rate.
C. Sensitivity.
D. Crossover Error Rate (CER).
D. Crossover Error Rate (CER).
In a biometric system, the time it takes to register with the system by providing samples of a biometric characteristic is called:
A. Set-up time.
B. Enrollment time.
C. Log-in time.
D. Throughput time.
B. Enrollment time.
A type of preventive/physical access control is:
A. Biometrics for identification
B. An intrusion detection system
C. Biometrics for authentication
D. Motion detectors
A. Biometrics for identification
The main approach to obtaining the true biometric information from a collected sample of an individual's physiological or behavioral characteristics is:
A. False rejection
B. Enrollment
C. Digraphs
D. Feature extraction
D. Feature extraction
Biometrics is used for identification in the physical controls and for authentication in the:
A. Detective controls.
B. Corrective controls.
C. Logical controls.
D. Preventive controls.
C. Logical controls.
What is the term for the percentage of invalid subjects that are falsely accepted?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Acceptance Rate (TAR) or Type III error
B. False Acceptance Rate (FAR) or Type II Error
Biometric performance is most commonly measured in terms of:
A. FRR and FAR
B. FAC and ERR
C. IER and FAR
D. FRR and GIC
A. FRR and FAR
You are comparing biometric systems. Security is the top priority. A low ________ is most important in this regard.
A. FAR
B. FRR
C. MTBF
D. ERR
A. FAR
Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. To have a valid measure of the system performance:
A. The CER is used.
B. the FRR is used
C. the FAR is used
D. none of the above choices is correct
A. The CER is used.
The quality of fingerprints is crucial to maintain the necessary:
A. FRR
B. ERR and FAR
C. FAR
D. FRR and FAR
D. FRR and FAR
Which of the following methods is more microscopic and will analyze the direction of the ridges of the fingerprints for matching?
A. None of the choices.
B. Flow direct
C. Ridge matching
D. Minutia matching
D. Minutia matching
DSV as an identification method checks the user's:
A. Fingerprints
B. Signature
C. Keystrokes
D. Facial expression
B. Signature
In terms of the order of effectiveness, which of the following technologies is the most effective?
A. Fingerprint
B. Iris scan
C. Keystroke pattern
D. Retina scan
B. Iris scan
In terms of the order of acceptance, which of the following technologies is the LEAST accepted?
A. Fingerprint
B. Iris
C. Handprint
D. Retina patterns
D. Retina patterns

JC Key concepts
- Confidentiality
- Privacy
- Integrity
- Assurance
- Availability

JC Managerial 5 hour exam
- 700/1000 to pass
- 25 questions don't count
- need 100 to pass, 800 to be sure
- 250 questions, 200 is 80%
- 4pts each

JC CISSP domains
- Access
- Telecom/network security
- InfoSec gov and risk mgmt
- SW dev security
- Crypto
- Sec arch/design
- Operational security
- BCP/DR planning
- Legal, regulatory, investigation, compliance
- Physical security
- Confidentiality
- Availability
- Integrity