Logical access controls can help protect (i) operating systems and other systems software from unauthorized modification or manipulation (and thereby help ensure the system’s integrity and availability); (ii) the integrity and availability of information by restricting the number of users and processes with access; and (iii) confidential information from being disclosed to unauthorized individuals.
220. Which of the following internal access control methods offers a strong form of access control and is a significant deterrent to its use?
a. Security labels
b. Passwords
c. Access control lists
d. Encryption
220. a. Security labels are a strong form of access control. Unlike access control lists, labels cannot ordinarily be changed. Because labels are permanently linked to specific information, data cannot be disclosed by a user copying information and changing the access to that file so that the information is more accessible than the original owner intended. Security labels are well suited for consistently and uniformly enforcing access restrictions, although their administration and inflexibility can be a significant deterrent to their use.
Passwords are a weak form of access control, although they are easy to use and administer. Although encryption is a strong form of access control, it is not a deterrent to its use when compared to labels. In reality, the complexity and difficulty of encryption can be a deterrent to its use.
221. It is vital that access controls protecting a computer system work together. Which of the following types of access controls should be most specific?
a. Physical
b. Application system
c. Operating system
d. Communication system
221. b. At a minimum, four basic types of access controls should be considered: physical, operating system, communications, and application. In general, access controls within an application are the most specific. However, for application access controls to be fully effective, they need to be supported by operating system and communications system access controls. Otherwise, access can be made to application resources without going through the application. Operating system, communication, and application access controls need to be supported by physical access controls such as physical security and contingency planning.
222. Which of the following types of logical access control mechanisms does not rely on physical access controls?
a. Encryption controls
b. Application system access controls
c. Operating system access controls
d. Utility programs
222. a. Most systems can be compromised if someone can physically access the CPU machine or major components by, for example, restarting the system with different software. Logical access controls are, therefore, dependent on physical access controls (with the exception of encryption, which can depend solely on the strength of the algorithm and the secrecy of the key).
Application systems, operating systems, and utility programs are heavily dependent on logical access controls to protect against unauthorized use.
223. A system mechanism and audit trails assist business managers to hold individual users accountable for their actions. To utilize these audit trails, which of the following controls is a prerequisite for the mechanism to be effective?
a. Physical
b. Environmental
c. Management
d. Logical access
223. d. By advising users that they are personally accountable for their actions, which are tracked by an audit trail that logs user activities, managers can help promote proper user behavior. Users are less likely to attempt to circumvent security policy if they know that their actions will be recorded in an audit log. Audit trails work in concert with logical access controls, which restrict use of system resources. Because logical access controls are enforced through software, audit trails are used to maintain an individual’s accountability. The other three choices collect some data in the form of an audit trail, and their use is limited due to the limitation of useful data collected.
224. Which of the following is the best place to put the Kerberos protocol?
a. Application layer
b. Transport layer
c. Network layer
d. All layers of the network
224. d. Placing the Kerberos protocol below the application layer and at all layers of the network provides greatest security protection without the need to modify applications.
225. An inherent risk is associated with logical access that is difficult to prevent or mitigate but can be identified via a review of audit trails. Which of the following types of access is this risk most associated with?
a. Properly used authorized access
b. Misused authorized access
c. Unsuccessful unauthorized access
d. Successful unauthorized access
225. b. Properly authorized access, as well as misused authorized access, can use audit trail analysis but more so of the latter due to its high risk. Although users cannot be prevented from using resources to which they have legitimate access authorization, audit trail analysis is used to examine their actions. Similarly, unauthorized access attempts, whether successful or not, can be detected through the analysis of audit trails.
226. Many computer systems provide maintenance accounts for diagnostic and support services. Which of the following security techniques is least preferred to ensure reduced vulnerability when using these accounts?
a. Call-back confirmation
b. Encryption of communications
c. Smart tokens
d. Password and user ID
226. d. Many computer systems provide maintenance accounts. These special login accounts are normally preconfigured at the factory with preset, widely known weak passwords. It is critical to change these passwords or otherwise disable the accounts until they are needed. If the account is to be used remotely, authentication of the maintenance provider can be performed using callback confirmation. This helps ensure that remote diagnostic activities actually originate from an established phone number at the vendor’s site. Other techniques can also help, including encryption and decryption of diagnostic communications, strong identification and authentication techniques, such as smart tokens, and remote disconnect verification.
227. Below is a list of pairs, which are related to one another. Which pair of items represents the integral reliance on the first item to enforce the second?
a. The separation of duties principle, the least privilege principle
b. The parity check, the limit check
c. The single-key system, the Rivest-Shamir-Adelman (RSA) algorithm