107. Which of the following access authorization policies applies to when an organization has a list of software not authorized to execute on an information system?
a. Deny-all, permit-by-exception
b. Allow-all, deny-by-exception
c. Allow-all, deny-by-default
d. Deny-all, accept-by-permission
107. a. An organization employs a deny-all, permit-by-exception authorization policy to identify software not allowed to execute on the system. The other three choices are incorrect because the correct answer is based on specific access authorization policy.
108. Encryption is a part of which of the following?
a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls
108. b. Encryption prevents unauthorized access and protects data and programs when they are in storage (at rest) or in transit. Preventive controls deter security incidents from happening in the first place.
Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.
109. Which of the following access authorization policies applies to external networks through managed interfaces employing boundary protection devices such as gateways or firewalls?
a. Deny-all, permit-by-exception
b. Allow-all, deny-by-exception
c. Allow-all, deny-by-default
d. Deny-all, accept-by-permission
109. a. Examples of managed interfaces employing boundary protection devices include proxies, gateways, routers, firewalls, hardware/software guards, and encrypted tunnels on a demilitarized zone (DMZ). This policy “deny-all, permit-by-exception” denies network traffic by default and enables network traffic by exception only.
The other three choices are incorrect because the correct answer is based on specific access authorization policy. Access control lists (ACL) can be applied to traffic entering the internal network from external sources.
110. Which of the following are needed when the enforcement of normal security policies, procedures, and rules are difficult to implement?
1. Compensating controls
2. Close supervision
3. Team review of work
4. Peer review of work
a. 1 only
b. 2 only
c. 1 and 2
d. 1, 2, 3, and 4
110. d. When the enforcement of normal security policies, procedures, and rules is difficult, it takes on a different dimension from that of requiring contracts, separation of duties, and system access controls. Under these situations, compensating controls in the form of close supervision, followed by peer and team review of quality of work are needed.
111. Which of the following is critical to understanding an access control policy?
a. Reachable-state
b. Protection-state
c. User-state
d. System-state
111. b. A protection-state is that part of the system-state critical to understanding an access control policy. A system must be either in a protection-state or reachable-state. User-state is not critical because it is the least privileged mode.
112. Which of the following should not be used in Kerberos authentication implementation?
a. Data encryption standard (DES)
b. Advanced encryption standard (AES)
c. Rivest, Shamir, and Adelman (RSA)
d. Diffie-Hellman (DH)
112. a. DES is weak and should not be used because of several documented security weaknesses. The other three choices can be used. AES can be used because it is strong. RSA is used in key transport where the authentication server generates the user symmetric key and sends the key to the client. DH is used in key agreement between the authentication server and the client.
113. From an access control decision viewpoint, failures due to flaws in permission-based systems tend to do which of the following?
a. Authorize permissible actions
b. Fail-safe with permission denied
c. Unauthorize prohibited actions
d. Grant unauthorized permissions
113. b. When failures occur due to flaws in permission-based systems, they tend to fail-safe with permission denied. There are two types of access control decisions: permission-based and exclusion-based.
114. Host and application system hardening procedures are a part of which of the following?
a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls
114. b. Host and application system hardening procedures are a part of preventive controls, as they include antivirus software, firewalls, and user account management. Preventive controls deter security incidents from happening in the first place.
Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.
115. From an access control decision viewpoint, fail-safe defaults operate on which of the following?
1. Exclude and deny
2. Permit and allow
3. No access, yes default
4. Yes access, yes default
a. 1 only
b. 2 only
c. 2 and 3
d. 4 only
115. c. Fail-safe defaults mean that access control decisions should be based on permit and allow policy (i.e., permission rather than exclusion). This equates to the condition in which lack of access is the default (i.e., no access, yes default). “Allow all and deny-by-default” refers to yes-access, yes-default situations.
116. For password management, automatically generated random passwords usually provide which of the following?
1. Greater entropy
2. Passwords that are hard for attackers to guess
3. Stronger passwords