311. What is password management an example of?

a. Directive control

b. Preventive control

c. Detective control

d. Corrective control

311. b. Password management is an example of preventive controls in that passwords deter unauthorized users from accessing a system unless they know the password through some other means.

312. Which one of the following access control policies uses an access control matrix for its implementation?

a. Discretionary access control (DAC)

b. Mandatory access control (MAC)

c. Role-based access control (RBAC)

d. Access control lists (ACLs)

312. a. A discretionary access control (DAC) model uses an access control matrix, which places the names of users (subjects) in each row and the names of objects (files or programs) in each column of the matrix. The other three choices do not use an access control matrix.

313. Access control mechanisms include which of the following?

a. Directive, preventive, and detective controls

b. Corrective, recovery, and preventive controls

c. Logical, physical, and administrative controls

d. Management, operational, and technical controls

313. c. Access control mechanisms include logical (passwords and encryption), physical (keys and tokens), and administrative (forms and procedures) controls. Directive, preventive, detective, corrective, and recovery controls are controls by action. Management, operational, and technical controls are controls by nature.

314. Which one of the following access control policies uses security labels?

a. Discretionary access control (DAC)

b. Mandatory access control (MAC)

c. Role-based access control (RBAC)

d. Access control lists (ACLs)

314. b. Security labels and interfaces are used to determine access based on the mandatory access control (MAC) policy. A security label is the means used to associate a set of security attributes with a specific information object as part of the data structure for that object. Labels could be designated as proprietary data or public data. The other three choices do not use security labels.

315. Intrusion detection and prevention systems serve as which of the following?

a. Barrier mechanism

b. Monitoring mechanism

c. Accountability mechanism

d. Penetration mechanism

315. b. Intrusion detection and prevention systems (IDPS) serve as monitoring mechanisms, watching activities, and making decisions about whether the observed events are suspicious. IDPS can spot attackers circumventing firewalls and report them to system administrators, who can take steps to prevent damage. Firewalls serve as barrier mechanisms, barring entry to some kinds of network traffic and allowing others, based on a firewall policy.

316. Which of the following can coexist in providing strong access control mechanisms?

a. Kerberos authentication and single sign-on system

b. Kerberos authentication and digital signature system

c. Kerberos authentication and asymmetric key system

d. Kerberos authentication and digital certificate system

316. a. When Kerberos authentication is combined with single sign-on systems, it requires establishing and operating privilege servers. Kerberos uses symmetric key cryptography, whereas the other three choices are examples of asymmetric key cryptography.

317. The use of honeypots and padded cells has which of the following?

a. Social implications

b. Legal implications

c. Technical implications

d. Psychological implications

317. b. The legal implications of using honeypot and padded cell systems are not well defined. It is important to seek guidance from legal counsel before deciding to use either of these systems.

318. From security and safety viewpoints, safety enforcement is tied to which of the following?

a. Job rotation

b. Job description

c. Job enlargement

d. Job enrichment

318. b. Safety is fundamental to ensuring that the most basic of access control policies can be enforced. This enforcement is tied to the job description of an individual employee through access authorizations (e.g., permissions and privileges). Job description lists job tasks, duties, roles, and responsibilities expected of an employee, including safety and security requirements.

The other three choices do not provide safety enforcements. Job rotation makes an employee well-rounded because it broadens an employee’s work experience, job enlargement adds width to a job, and job enrichment adds depth to a job.

319. Which of the following is the correct sequence of actions in access control mechanisms?

a. Access profiles, authentication, authorization, and identification

b. Security rules, identification, authorization, and authentication

c. Identification, authentication, authorization, and accountability

d. Audit trails, authorization, accountability, and identification

319. c. Identification comes before authentication, and authorization comes after authentication. Accountability is last where user actions are recorded.

320. The principle of least privilege is most closely linked to which of the following security objectives?

a. Confidentiality

b. Integrity

c. Availability

d. Nonrepudiation

320. b. The principle of least privilege deals with access control authorization mechanisms, and as such the principle ensures integrity of data and systems by limiting access to data/information and information systems.

321. Which of the following is a major vulnerability with the Kerberos model?

a. User

b. Server

c. Client

d. Key-distribution-server

321. d. A major vulnerability with the Kerberos model is that if the key distribution server is attacked, every secret key used on the network is compromised. The principals involved in the Kerberos model include the user, the client, the key-distribution-center, the ticket-granting-service, and the server providing the requested services.

322. For electronic authentication, identity proofing involves which of the following?

a. CSP

b. RA

c. CSP and RA

d. CA and CRL

322. c. Identity proofing is the process by which a credential service provider (CSP) and a registration authority (RA) validate sufficient information to uniquely identify a person. A certification authority (CA) is not involved in identity proofing. A CA is a trusted entity that issues and revokes public key certificates. A certificate revocation list (CRL) is not involved in identity proofing. A CRL is a list of revoked public key certificates created and digitally signed by a CA.