
c. 3 only

d. 3 and 4

132. d. Identity-based access control (IBAC) and discretionary access control (DAC) are considered equivalent. The rule-based access control (RuBAC) and mandatory access control (MAC) are considered equivalent. IBAC uses access control lists (ACLs) whereas RuBAC does not.

133. For identity management, most network operating systems are based on which of the following access control policies?

a. Rule-based access control (RuBAC)

b. Identity-based access control (IBAC)

c. Role-based access control (RBAC)

d. Attribute-based access control (ABAC)

133. b. Most network operating systems are implemented with an identity-based access control (IBAC) policy. Entities are granted access to resources based on any identity established during network logon, which is compared with one or more access control lists (ACLs). These lists may be individually administered, may be centrally administered and distributed to individual locations, or may reside on one or more central servers. Attribute-based access control (ABAC) deals with subjects and objects, rule-based (RuBAC) deals with rules, and role-based (RBAC) deals with roles or job functions.

134. RBAC is role-based access control, MAC is mandatory access control, DAC is discretionary access control, ABAC is attribute-based access control, PBAC is policy-based access control, IBAC is identity-based access control, RuBAC is rule-based access control, RAdAC is risk adaptive access control, and UDAC is user-directed access control. For identity management, RBAC policy is defined as which of the following?

a. RBAC = MAC + DAC

b. RBAC = ABAC + PBAC

c. RBAC = IBAC + RuBAC

d. RBAC = RAdAC + UDAC

134. c. Role-based access control policy (RBAC) is a composite access control policy between identity-based access control (IBAC) policy and rule-based access control (RuBAC) policy and should be considered as a variant of both. In this case, an identity is assigned to a group that has been granted authorizations. Identities can be members of one or more groups.

135. A combination of something you have (one time), something you have (second time), and something you know is used to represent which of the following personal authentication proofing schemes?

a. One-factor authentication

b. Two-factor authentication

c. Three-factor authentication

d. Four-factor authentication

135. b. This situation illustrates that multiple instances of the same factor (i.e., something you have used two times) result in one-factor authentication. When this is combined with something you know, it results in a two-factor authentication scheme.

136. Remote access controls are a part of which of the following?

a. Directive controls

b. Preventive controls

c. Detective controls

d. Corrective controls

136. b. Remote access controls are a part of preventive controls, as they include Internet Protocol (IP) packet filtering by border routers and firewalls using access control lists. Preventive controls deter security incidents from happening in the first place.

Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.

137. What is using two different passwords for accessing two different systems in the same session called?

a. One-factor authentication

b. Two-factor authentication

c. Three-factor authentication

d. Four-factor authentication

137. b. Requiring two different passwords for accessing two different systems in the same session is more secure than requiring one password for two different systems. This equates to two-factor authentication. Requiring multiple proofs of authentication presents multiple barriers to entry access by intruders. On the other hand, using the same password (one-factor) for accessing multiple systems in the same session is a one-factor authentication, because only one type (and the same type) of proof is used. The key point is whether the type of proof presented is the same or different.

138. What is using a personal identity card with attended access (e.g., a security guard) and a PIN called?

a. One-factor authentication

b. Two-factor authentication

c. Three-factor authentication

d. Four-factor authentication

138. b. On the surface, this situation may seem like a three-factor authentication, but in reality it is a two-factor authentication, because only a card (proof of one factor) and PIN (proof of second factor) are used, resulting in a two-factor authentication. Note that it is not the strongest two-factor authentication because of the attended access. A security guard is an example of attended access, who is checking for the validity of the card, and is counted as one-factor authentication. Other examples of attended access include peers, colleagues, and supervisors who will vouch for the identity of a visitor who is accessing physical facilities.

139. A truck driver, who is an employee of a defense contractor, transports highly sensitive parts and components from a defense contractor’s manufacturing plant to a military installation at a highly secure location. The military’s receiving department tracks the driver’s physical location to ensure that there are no security problems on the way to the installation. Upon arrival at the installation, the truck driver shows his employee badge with photo ID issued by the defense contractor, enters his password and PIN, and takes a biometric sample of his fingerprint prior to entering the installation and unloading the truck’s content. What does the described scenario represent?

a. One-factor authentication

b. Two-factor authentication

c. Three-factor authentication

d. Four-factor authentication

139. d. Tracking the driver’s physical location (perhaps with GPS or a wireless sensor network) is an example of somewhere you are (proof of first factor). Showing the employee badge with photo ID is an example of something you have (proof of second factor). Entering a password and PIN is an example of something you know (proof of third factor). Taking a biometric sample of a fingerprint is an example of something you are (proof of fourth factor). Therefore, this scenario represents a four-factor authentication. The key point is that it does not matter whether the proof presented is one item or more items in the same category (e.g., somewhere you are, something you have, something you know, and something you are).

140. Which of the following is achieved when two authentication proofs of something that you have are implemented?

a. Least assurance

b. Increased assurance

c. Maximum assurance

d. Equivalent assurance