d. 3 and 4
89. c. Access to public websites and emergency situations are examples of user permitted actions that don't require identification or authentication. Both unsuccessful login attempts and reestablishing a session lock require proper identification or authentication procedures. A session lock is retained until proper identification or authentication is submitted, accepted, and reestablished.
90. Which of the following circumstances require additional security protections for mobile devices after unsuccessful login attempts?
a. When a mobile device requires a login to itself, and not a user account on the device
b. When a mobile device is accessing a removable media without a login
c. When information on the mobile device is encrypted
d. When the login is made to any one account on the mobile device
90. a. Additional security protection is needed for a mobile device (e.g., PDA) requiring a login where the login is made to the mobile device itself, not to any one account on the device. Additional protection is not needed when removable media is accessed without a login and when the information on the mobile device is encrypted. A successful login to any account on the mobile device resets the unsuccessful login count to zero.
91. An information system dynamically reconfigures with which of the following as information is created and combined?
a. Security attributes and data structures
b. Security attributes and security policies
c. Security attributes and information objects
d. Security attributes and security labels
91.b. An information system dynamically reconfigures security attributes in accordance with an identified security policy as information is created and combined. The system supports and maintains the binding of security attributes to information in storage, in process, and in transmission. The term security label is often used to associate a set of security attributes with a specific information object as part of the data structures (e.g., records, buffers, and files) for that object.
92. For identity management, international standards do not use which of the following access control policies for making access control decisions?
1. Discretionary access control (DAC)
2. Mandatory access control (MAC)
3. Identity-based access control (IBAC)
4. Rule-based access control (RuBAC)
a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 3 and 4
92. a. International standards for access control decisions do not use the U.S.-based discretionary or mandatory access control policies. Instead, they use identity-based and rule-based access control policies.
93. Which of the following is an example of less than secure networking protocols for remote access sessions?
a. Secure shell-2
b. Virtual private network with blocking mode enabled
c. Bulk encryption
d. Peer-to-peer networking protocols
93. d. An organization must ensure that remote access sessions for accessing security functions employ security measures and that they are audited. Bulk encryption, session layer encryption, secure shell-2 (SSH-2), and virtual private networking (VPN) with blocking enabled are standard security measures. Bluetooth and peer-to-peer (P2P) networking are examples of less than secure networking protocols.
94. For wireless access, in which of the following ways does an organization confine wireless communications to organization-controlled boundaries?
1. Reducing the power of the wireless transmission and controlling wireless emanations
2. Configuring the wireless access path such that it is point-to-point in nature
3. Using mutual authentication protocols
4. Scanning for unauthorized wireless access points and connections
a. 1 only
b. 3 only
c. 2 and 4
d. 1, 2, 3, and 4
94. d. Actions that may be taken to confine wireless communication to organization-controlled boundaries include all the four items mentioned. Mutual authentication protocols include EAP/TLS and PEAP. Reducing the power of the wireless transmission means that the transmission cannot go beyond the physical perimeter of the organization. It also includes installing TEMPEST measures to control emanations.
95. For access control for mobile devices, which of the following assigns responsibility and accountability for addressing known vulnerabilities in the media?
a. Use of writable, removable media
b. Use of personally owned removable media
c. Use of project-owned removable media
d. Use of nonowner removable media
95. c. An identifiable owner (e.g., employee, organization, or project) for removable media helps to reduce the risk of using such technology by assigning responsibility and accountability for addressing known vulnerabilities in the media (e.g., malicious code insertion). Use of project-owned removable media is acceptable because the media is assigned to a project, and the other three choices are not acceptable because they have no accountability feature attached to them. Restricting the use of writable, removable media is a good security practice.
96. For access control for mobile devices, which of the following actions can trigger an incident response handling process?
a. Use of external modems or wireless interfaces within the device
b. Connection of unclassified mobile devices to unclassified systems
c. Use of internal modems or wireless interfaces within the device
d. Connection of unclassified mobile devices to classified systems
96. d. When unclassified mobile devices are connected to classified systems containing classified information, it is a risky situation because a security policy is violated. This action should trigger an incident response handling process. Connection of an unclassified mobile device to an unclassified system still requires an approval; although, it is less risky. Use of internal or external modems or wireless interfaces within the mobile device should be prohibited.
97. For least functionality, organizations utilize which of the following to identify and prevent the use of prohibited functions, ports, protocols, and services?
1. Network scanning tools
2. Intrusion detection and prevention systems
3. Firewalls
4. Host-based intrusion detection systems
a. 1 and 3
b. 2 and 4
c. 3 and 4
d. 1, 2, 3, and 4
97. d. Organizations can utilize network scanning tools, intrusion detection and prevention systems (IDPS), endpoint protections such as firewalls, and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services.
98. An information system uses multifactor authentication mechanisms to minimize potential risks for which of the following situations?