Cyber Security TM256 - Systems Security Block 2

Questions and Answers

Which of the following is NOT a key security objective of authentication?

Confidentiality

Integrity

Performance (correct)

Availability

Multi-Factor Authentication enhances the security of authentication processes.

True

What is the primary purpose of authentication mechanisms?

To verify the identity of an entity accessing a resource in a system.

Passwords are a basic element of approaches to __________.

authentication

Match the following authentication types with their definitions:

Multi-Factor Authentication = Uses two or more verification methods Mandatory Access Control = Access decisions are made by a system-admin Discretionary Access Control = Resource owner decides who can access Role-Based Access Control = Access based on user roles in the organization

Which of the following policies can help prevent compromises of password security?

Implementing password complexity requirements

Establishing accountability does not involve data collection.

False

Name one challenge associated with accountability in systems security.

Log storage and management.

What is the minimum password length typically recommended by password policies?

8 characters

A master password is not required for accessing password management applications.

False

What is the purpose of Two-Factor Authentication (2FA)?

To provide an additional layer of security by requiring a username and password plus confidential information.

Password management applications can help prevent the ________ of previous passwords.

reuse

Which of the following is NOT a functionality of password management applications?

Locking out all users immediately

Match the following types of attacks with their descriptions:

Brute-Force Attack = Systematic guessing of passwords to gain entry Dictionary Attack = Using a predefined list of words to attempt to access accounts Denial of Service (DoS) = Blocking legitimate users from accessing a service Multi-Factor Authentication = Using multiple methods to verify user identity

Users can employ _____ applications to safely manage their passwords.

management

What measures can be taken to counter multiple failed login attempts?

Implement a timeout period to prevent further login attempts.

What is the main advantage of Role-Based Access Control (RBAC)?

It allows automatic assignment of permissions based on roles.

RBAC is less suitable for small organizations due to the labor involved in managing roles.

True

What does DAC stand for in access control models?

Discretionary Access Control

Under RBAC, every user is associated with one or more identified ______.

roles

What is a primary function of a reference monitor?

To enforce access control policies over subjects and objects.

Match the following concepts with their descriptions:

RBAC = Access control model based on user roles DAC = Access control model allowing user discretion Role Hierarchy = Structure where child roles inherit parent roles Reference Monitor = Enforces access control policies over subjects and objects

A child role in a role hierarchy does not inherit transactions from its parent role.

False

One potential disadvantage of RBAC is the occurrence of ______ explosion.

role

What is the primary role of an operating system (OS)?

To manage hardware resources and processes

A monolithic operating system has all components within a trusted boundary.

True

What are two techniques used by operating systems to protect critical data?

Access control and encryption

The core OS, known as the ______, provides essential services to manage hardware resources.

kernel

Match the following operating system types with their characteristics:

Basic Operating System = All components within a trusted boundary Monolithic Operating System = Components are separated into the kernel Access Control = Technique to protect resources Encryption = Technique to secure data

Which of the following is NOT a component of operating system security?

Data analysis

The security of an operating system is only important for the protection of the device itself.

False

What is essential for controlling access to files and devices within an OS?

Access control

Which of the following is a high-level principle of security control?

Confidentiality

Server hardening is the process of enhancing a server’s performance and speed.

False

What command is commonly used in Red Hat Linux to ensure the system is fully updated?

yum update

The process of securing low-level system areas, such as booting and CPU protection, is referred to as __________.

low-level operating system hardening

Match the following server hardening activities with their descriptions:

Replacing the root user account = Enhancing root account security Creating a password policy in Linux = Establishing rules for password complexity Blocking ports that are not required = Improving network security Removing services that are not required = Reducing attack surfaces

Which of the following commands is useful to block unnecessary ports on a Linux server?

iptables

Regular updates to software on a server can significantly reduce security risks.

True

What is the primary purpose of creating a password policy in Linux?

To enforce strong password standards and improve security.

What defines a monolithic operating system?

All OS functions are combined within a single trust boundary.

Multi-server operating systems do not require inter-process communication between components.

False

What is the primary function of a hypervisor in an operating system?

Resource management and scheduling.

In a hypervisor-based operating system, a ________ represents a single user account or group project.

tenant

Which of the following is a characteristic of multi-server operating systems?

They can integrate additional security mechanisms within components.

In a multi-server operating system, applications can easily interact without any communication mechanism.

False

What security objectives are ensured by preventing tenant access to each other's resources?

Confidentiality and availability.

Study Notes

Cyber Security TM256 - Block 2: Systems Security

• Course offered by Dr. Ahmed Mahfouz at AOU, Oman

• Part 5: Authentication, authorization, and accountability

  • Authentication: verifying entity identity
  • Password policies: crucial for security
  • Multi-Factor Authentication (2FA): uses username/password & another factor
  • Authorization: right to access system resources
    • Access control models
      • Mandatory Access Control (MAC)
      • Discretionary Access Control (DAC)
      • Role-Based Access Control (RBAC)
  • Accountability: tracking security-relevant actions
    • Establishing accountability: recording events
    • Data collection: mechanisms to record information
    • Log storage and management: maintaining logs
    • Logging obligations: GDPR requirements for logging personal data

• Part 6: Operating system security

  • Overview of operating systems: fundamental to managing device processes
  • Operating system architecture
    • Basic operating systems
    • Monolithic operating systems
    • Multi-server operating systems
    • Hypervisor-based operating systems
  • Principles of operating system security: confidentiality, integrity, availability
  • Server hardening: securing a system's configuration
    • Keeping Linux up-to-date: using yum command, maintaining software lists, updating and deleting software
    • Server hardening activities: replacing root user account, creating password policies, removing unnecessary services, blocking ports, using scanning tools
  • Low-level operating system hardening: securing low-level areas like booting, memory & CPU
    • Implementing UEFI, establishing trust, testing hardware, selecting boot device, starting OS

• Learning Outcomes

  • Understand theory and practice of systems security, including threats, controls, and policies
  • Identify threats and vulnerabilities and develop security controls
  • Effectively communicate and analyze problems within a computer environment
  • Stay updated with cyber security developments

Description

This quiz covers essential concepts in Systems Security, specifically focusing on authentication, authorization, and accountability. It examines techniques like Multi-Factor Authentication, access control models, and the importance of logging for maintaining security. Ideal for students enrolled in Dr. Ahmed Mahfouz's course at AOU, Oman.