2. Internet Engineering Task Force’s PKI

3. Secure DNS initiatives

4. Simple public key infrastructure

a. 1 only

b. 2 only

c. 3 only

d. 1, 2, 3, and 4

292. d. Several infrastructures are devoted to providing identities and the means of authenticating those identities. Examples of these infrastructures include the X.509 authentication framework, the Internet Engineering Task Force’s PKI (IETF’s PKI), the secure domain name system (DNS) initiatives, and the simple public key infrastructure (SPKI).

293. Which one of the following methodologies or techniques provides the most effective strategy for limiting access to individual sensitive files?

a. Access control list and both discretionary and mandatory access control

b. Mandatory access control and access control list

c. Discretionary access control and access control list

d. Physical access control to hardware and access control list with discretionary access control

293. a. The best control for protecting sensitive files is using mandatory access controls supplemented by discretionary access controls and implemented through the use of an access control list. A complementary mandatory access control mechanism can prevent the Trojan horse attack that can be allowed by the discretionary access control. The mandatory access control prevents the system from giving sensitive information to any user who is not explicitly authorized to access a resource.

294. Which of the following security control mechanisms is simplest to administer?

a. Discretionary access control

b. Mandatory access control

c. Access control list

d. Logical access control

294. b. Mandatory access controls are the simplest to use because they can be used to grant broad access to large sets of files and to broad categories of information. Discretionary access controls are not simple to use due to their finer level of granularity in the access control process. Both the access control list and logical access control require a significant amount of administrative work because they are based on the details of each individual user.

295. Which of the following use data by row to represent the access control matrix?

a. Capabilities and profiles

b. Protection bits and access control list

c. Profiles and protection bits

d. Capabilities and access control list

295. a. Capabilities and profiles are used to represent the access control matrix data by row and connect accessible objects to the user. On the other hand, a protection bit-based system and access control list represents the data by column, connecting a list of users to an object.

296. The process of identifying users and objects is important to which of the following?

a. Discretionary access control

b. Mandatory access control

c. Access control

d. Security control

296. a. Discretionary access control is a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. In a mandatory access control mechanism, the owner of a file or object has no discretion as to who can access it. Both security control and access control are too broad and vague to be meaningful here.

297. Which of the following is a hidden file?

a. Password aging file

b. Password validation file

c. Password reuse file

d. Shadow password file

297. d. The shadow password file is a hidden file that stores all users’ passwords and is readable only by the root user. The password validation file uses the shadow password file before allowing the user to log in. The password-aging file contains an expiration date, and the password reuse file prevents a user from reusing a previously used password. The files mentioned in the other three choices are not hidden.

298. From an access control point of view, which of the following are examples of task transactions and separation of conflicts-of-interests?

1. Role-based access control

2. Workflow policy

3. Rule-based access control

4. Chinese Wall policy

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

298. c. Workflow policy is a process that operates on rules and procedures. A workflow is specified as a set of tasks and a set of dependencies among the tasks, and the sequencing of these tasks is important (i.e., task transactions). The various tasks in a workflow are usually carried out by several users in accordance with organizational rules represented by the workflow policy. The Chinese Wall policy addresses conflict-of-interest issues, with the objective of preventing illicit flows of information that can result in conflicts of interest. The Chinese Wall policy is simple and easy to describe but difficult to implement. Both role- and rule-based access control can create conflict-of-interest situations because of incompatibility between employee roles and management rules.

299. For identity management, which of the following qualifies as continuously authenticated?

a. Unique ID

b. Signed X.509 certificate

c. Password with access control list

d. Encryption

299. d. A commonly used method to ensure that access to a communications session is controlled and authenticated continuously is the use of encryption mechanisms to prevent loss of control of the session through session stealing or hijacking. Other methods such as signed x.509 certificates and password files associated with access control lists (ACLs) can bind entities to unique IDs. Although these other methods are good, they do not prevent the loss of control of the session.

300. What is a control to prevent an unauthorized user from starting an alternative operating system?

a. Shadow password

b. Encryption password

c. Power-on password

d. Network password

300. c. A computer system can be protected through a power-on password, which prevents an unauthorized user from starting an alternative operating system. The other three types of passwords mentioned do not have the preventive nature, as does the power-on password.

301. The concept of least privilege is based on which of the following?

a. Risk assessment

b. Information flow enforcement

c. Access enforcement

d. Account management

301. a. An organization practices the concept of least privilege for specific job duties and information systems, including specific responsibilities, network ports, protocols, and services in accordance with risk assessments. These practices are necessary to adequately mitigate risk to organizations’ operations, assets, and individuals. The other three choices are specific components of access controls.

302. Which of the following is the primary technique used by commercially available intrusion detection and prevention systems (IDPS) to analyze events to detect attacks?