Topic 1: Access Control
Which of the following would assist the most in Host Based intrusion detection?
A. audit trails.
B. access control lists.
C. security clearances.
D. host-based authentication
Answer: audit trails.
To assist in intrusion detection you would review audit logs for access violations.
The following answers are incorrect:
access control lists. This is incorrect because access control lists determine who has access to what but do not detect intrusions.
security clearances. This is incorrect because security clearances determine who has access to what but do not detect intrusions.
host-based authentication. This is incorrect because host-based authentication determines who has been authenticated to the system but does not detect intrusions.
Which access control model enables the OWNER of the resource to specify what subjects
can access specific resources based on their identity?
A. Discretionary Access Control
B. Mandatory Access Control
C. Sensitive Access Control
D. Role-based Access Control
Answer: Discretionary Access Control
Data owners decide who has access to resources based only on the identity of the person accessing the resource.
The following answers are incorrect:
Mandatory Access Control: users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users' wishes; access decisions are based on security labels.
Sensitive Access Control: there is no such access control in the context of the above question.
Role-based Access Control: uses a centrally administered set of controls to determine how subjects and objects interact; also called non-discretionary access control.
In a mandatory access control (MAC) model, users and data owners do not have as much
freedom to determine who can access files. The operating system makes the final decision
and can override the users’ wishes. This model is much more structured and strict and is
based on a security label system. Users are given a security clearance (secret, top secret,
confidential, and so on), and data is classified in the same way. The clearance and
classification data is stored in the security labels, which are bound to the specific subjects
and objects. When the system makes a decision about fulfilling a request to access an
object, it is based on the clearance of the subject, the classification of the object, and the
security policy of the system. The rules for how subjects access objects are made by the
security officer, configured by the administrator, enforced by the operating system, and
supported by security technologies.
Reference: Shon Harris, AIO v3, Chapter 4: Access Control, pages 163-165
A department manager has read access to the salaries of the employees in his/her
department but not to the salaries of employees in other departments. A database security
mechanism that enforces this policy would typically be said to provide which of the
following?
A. Content-dependent access control
B. Context-dependent access control
C. Least privileges access control
D. Ownership-based access control
Answer: Content-dependent access control
When access control is based on the content of an object, it is considered to be content-dependent access control.
Content-dependent access control is based on the content itself.
The following answers are incorrect:
context-dependent access control. This is incorrect because this type of control is based on the context, that is, facts about the data rather than what the object contains.
least privileges access control. This is incorrect because this is based on the least amount of rights needed to perform one's job and not on what is contained in the database.
ownership-based access control. This is incorrect because this is based on the owner of the data and not on what is contained in the database.
References:
OIG CBK Access Control (page 191)
Which of the following is related to physical security and is not considered a technical
control?
A. Access control Mechanisms
B. Intrusion Detection Systems
C. Firewalls
D. Locks
Answer: Locks
All of the above are considered technical controls except for locks, which are physical controls.
Administrative, Technical, and Physical Security Controls
Administrative security controls are primarily policies and procedures put into place to
define and guide employee actions in dealing with the organization's sensitive information.
For example, policy might dictate (and procedures indicate how) that human resources
conduct background checks on employees with access to sensitive information. Requiring
that information be classified and the process to classify and review information
classifications is another example of an administrative control. The organization security
awareness program is an administrative control used to make employees cognizant of their
security roles and responsibilities. Note that administrative security controls in the form of a
policy can be enforced or verified with technical or physical security controls. For instance,
security policy may state that computers without antivirus software cannot connect to the
network, but a technical control, such as network access control software, will check for
antivirus software when a computer tries to attach to the network.
Technical security controls (also called logical controls) are devices, processes, protocols,
and other measures used to protect the C.I.A. of sensitive information. Examples include
logical access systems, encryptions systems, antivirus systems, firewalls, and intrusion
detection systems.
Physical security controls are devices and means to control physical access to sensitive
information and to protect the availability of the information. Examples are physical access
systems (fences, mantraps, guards), physical intrusion detection systems (motion detector,
alarm system), and physical protection systems (sprinklers, backup generator).
Administrative and technical controls depend on proper physical security controls being in place. An administrative policy allowing only authorized employees access to the data center does little good without some kind of physical access control.
From the GIAC.ORG website
Which of the following is not a logical control when implementing logical access security?
A. access profiles.
B. userids.
C. employee badges.
D. passwords.
Answer: employee badges.
Employee badges are considered Physical so would not be a logical control.
The following answers are incorrect:
userids. This is incorrect because userids are a type of logical control.
access profiles. This is incorrect because access profiles are a type of logical control.
passwords. This is incorrect because passwords are a type of logical control.
Kerberos can prevent which one of the following attacks?
A. tunneling attack.
B. playback (replay) attack.
C. destructive attack.
D. process attack
Answer: playback (replay) attack.
Each ticket in Kerberos has a timestamp and is subject to time expiration, which helps prevent these types of attacks.
The following answers are incorrect:
tunneling attack. This is incorrect because a tunneling attack is an attempt to bypass security and access low-level systems. Kerberos cannot totally prevent these types of attacks.
destructive attack. This is incorrect because, depending on the type of destructive attack, Kerberos cannot prevent someone from physically destroying a server.
process attack. This is incorrect because Kerberos cannot prevent authorized individuals from running processes.
The throughput rate is the rate at which individuals, once enrolled, can be processed and
identified or authenticated by a biometric system. Acceptable throughput rates are in the
range of:
A. 100 subjects per minute.
B. 25 subjects per minute.
C. 10 subjects per minute.
D. 50 subjects per minute
Answer: 10 subjects per minute.
The throughput rate is the rate at which individuals, once enrolled, can be
processed and identified or authenticated by a biometric system.
Acceptable throughput rates are in the range of 10 subjects per minute.
Things that may impact the throughput rate for some types of biometric systems include:
A concern with retina scanning systems may be the exchange of body fluids on the eyepiece.
Another concern would be the retinal pattern, which could reveal changes in a person's health, such as diabetes or high blood pressure.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.
This is a common security issue that is extremely hard to control in large environments. It
occurs when a user has more computer rights, permissions, and access than what is
required for the tasks the user needs to fulfill. What best describes this scenario?
A. Excessive Rights
B. Excessive Access
C. Excessive Permissions
D. Excessive Privileges
Answer: Excessive Privileges
Even though all four terms are very close to each other, the best choice is Excessive Privileges, which would include the other three choices presented.
Reference(s) used for this question:
HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-Hill/Osborne, 2001,
Page 645.
and
Which of the following is most appropriate to notify an internal user that session monitoring
is being conducted?
A. Logon Banners
B. Wall poster
C. Employee Handbook
D. Written agreement
Answer: Written agreement
This is a tricky question; the keyword in the question is internal users.
There are two possible answers depending on how the question is presented: it could apply either to internal users or to any anonymous/external users.
Internal users should always have a written agreement first; logon banners then serve as a constant reminder.
Banners at logon time should be used to notify external users of any monitoring that is being conducted. A good banner gives you a better legal standing and also makes it obvious that the user was warned about who should access the system, who is authorized and unauthorized, and that an unauthorized user is fully aware of trespassing.
For anonymous/external users, such as those logging into a web site, FTP server or even a mail server, the only notification mechanism is the logon banner.
References used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 50.
and
Shon Harris, CISSP All-in-one, 5th edition, pg 873
In non-discretionary access control using Role Based Access Control (RBAC), a central
authority determines what subjects can have access to certain objects based on the
organizational security policy. The access controls may be based on:
A. The society's role in the organization
B. The individual's role in the organization
C. The group-dynamics as they relate to the individual's role in the organization
D. The group-dynamics as they relate to the master-slave role in the organization
Answer: The individual's role in the organization
In Non-Discretionary Access Control, when Role Based Access Control is
being used, a central authority determines what subjects can have access to certain
objects based on the organizational security policy. The access controls may be based on
the individual's role in the organization.
Reference(s) used for this question:
KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, 2001, John Wiley & Sons, Page 33.