SQL Database Management
279 Questions
2 Views

Choose a study mode

Play Quiz
Study Flashcards
Spaced Repetition
Chat to lesson

Podcast

Play an AI-generated podcast conversation about this lesson

Questions and Answers

What is the purpose of pilot testing in software development?

  • To feed test data into two systems
  • To rerun a portion of a test scenario
  • To replace other testing methods
  • To evaluate a specific aspect of a system (correct)
  • What type of IDS stores attributes that characterize an attack for reference?

  • Inferent-based IDS
  • Statistical anomaly-based IDS
  • Signature-based IDS (correct)
  • Event-based IDS
  • What is regression testing used for?

  • To evaluate a specific aspect of a system
  • To feed test data into two systems
  • To test a new product feature
  • To rerun a portion of a test scenario (correct)
  • Who developed one of the first mathematical models of a multilevel-security computer system?

    <p>Bell and LaPadula</p> Signup and view all the answers

    What is the main difference between parallel testing and regression testing?

    <p>Parallel testing involves feeding test data into two systems</p> Signup and view all the answers

    What is proof of concept related to?

    <p>Pilot testing</p> Signup and view all the answers

    What is the purpose of feeding test data into two systems?

    <p>To compare the results of two systems</p> Signup and view all the answers

    What is the main purpose of regression testing?

    <p>To ensure that changes or corrections have not introduced new errors</p> Signup and view all the answers

    Which access control model uses security clearance for subjects?

    <p>Mandatory access control</p> Signup and view all the answers

    What is the primary difference between discretionary access control and mandatory access control?

    <p>The way access is controlled and enforced</p> Signup and view all the answers

    Which protocol was used by the initial version of TACACS for communication between clients and servers?

    <p>UDP</p> Signup and view all the answers

    What is the primary purpose of a TACACS authentication server?

    <p>To authenticate users and determine access</p> Signup and view all the answers

    What is the default port used by TACACS?

    <p>Port 49</p> Signup and view all the answers

    What is the relationship between TACACS and TCP?

    <p>TACACS uses either TCP or UDP</p> Signup and view all the answers

    What is the name of the daemon that runs on the TACACS authentication server?

    <p>TACACSD</p> Signup and view all the answers

    What is the RFC that defines TACACS?

    <p>RFC 1492</p> Signup and view all the answers

    What is the purpose of the 'money' argument in the Data Definition Language?

    <p>To specify a format for storing salaries</p> Signup and view all the answers

    What is the effect of the 'null' keyword in the Data Definition Language?

    <p>It allows a field to contain no value</p> Signup and view all the answers

    What is the purpose of the DROP command in the Data Definition Language?

    <p>To remove entire database objects from the DBMS</p> Signup and view all the answers

    What is the difference between the DROP command and the DELETE command?

    <p>DROP removes entire tables, while DELETE removes individual records</p> Signup and view all the answers

    What is the purpose of the Data Manipulation Language (DML)?

    <p>To retrieve, insert, and modify database information</p> Signup and view all the answers

    What is the purpose of the INSERT command in the Data Manipulation Language?

    <p>To add a new record to an existing table</p> Signup and view all the answers

    What is the most commonly used command in SQL?

    <p>SELECT</p> Signup and view all the answers

    What is the purpose of the SELECT command in the Data Manipulation Language?

    <p>To retrieve specific records from a table</p> Signup and view all the answers

    What is the primary function of preventive technical controls?

    <p>To prevent unauthorized personnel or programs from gaining remote access to computing resources</p> Signup and view all the answers

    What is an example of a technical control used to enforce access control policies?

    <p>Access control software</p> Signup and view all the answers

    What is the primary purpose of synchronous dynamic password tokens?

    <p>To authenticate users</p> Signup and view all the answers

    What type of control is a password considered?

    <p>Technical control</p> Signup and view all the answers

    What is the purpose of a smart card?

    <p>To authenticate users</p> Signup and view all the answers

    What is the primary purpose of antivirus software?

    <p>To detect malware</p> Signup and view all the answers

    What is an example of a logical control?

    <p>Access control software</p> Signup and view all the answers

    What is the purpose of dial-up access control and callback systems?

    <p>To prevent unauthorized remote access</p> Signup and view all the answers

    What is the primary purpose of using banners at log-on time for external users?

    <p>To notify users of monitoring being conducted</p> Signup and view all the answers

    What is an essential element of individual accountability?

    <p>Unique identifiers</p> Signup and view all the answers

    What is the benefit of using a well-crafted logon banner?

    <p>Better legal standing</p> Signup and view all the answers

    Which of the following is NOT an aspect of individual accountability?

    <p>Policies and procedures</p> Signup and view all the answers

    What is the main objective of access control?

    <p>To provide timely access to authorized users</p> Signup and view all the answers

    Which of the following is an additional access control objective?

    <p>Reliability and utility</p> Signup and view all the answers

    What is the primary purpose of logon banners for anonymous or external users?

    <p>To notify users of monitoring being conducted</p> Signup and view all the answers

    Which of the following is a key aspect of accountability?

    <p>Identifying individual users</p> Signup and view all the answers

    What type of attack is an employee trying to protect against by ensuring all cables are shielded, building concrete walls, and installing a white noise generator?

    <p>Emanation Attacks</p> Signup and view all the answers

    What is the term for an error that causes a system to be vulnerable due to its installation environment?

    <p>Environmental error</p> Signup and view all the answers

    What is the primary purpose of shielding cables in a security setup?

    <p>To prevent emanation attacks</p> Signup and view all the answers

    What is the term for the act of intercepting electrical signals that radiate from computing equipment?

    <p>Emanation attacks</p> Signup and view all the answers

    What is the purpose of a white noise generator in a security setup?

    <p>To prevent emanation attacks</p> Signup and view all the answers

    What is the name of the equipment used to prevent emanation attacks?

    <p>TEMPEST equipment</p> Signup and view all the answers

    What is the purpose of building concrete walls that extend from the true floor to the true ceiling in a security setup?

    <p>To prevent emanation attacks</p> Signup and view all the answers

    What is the primary purpose of degaussing a device or overwriting it multiple times?

    <p>To sanitize storage media</p> Signup and view all the answers

    What is the primary limitation of white-box testing?

    <p>It has the potential to miss unimplemented parts of the specification</p> Signup and view all the answers

    What is the primary difference between alpha testing and beta testing?

    <p>Alpha testing is performed by internal users, while beta testing is performed by external users</p> Signup and view all the answers

    What is the primary purpose of pilot testing?

    <p>To provide a limited evaluation of the system</p> Signup and view all the answers

    What is the primary characteristic of a proof of concept?

    <p>It is an early pilot test, usually on an interim platform and with only basic functionalities</p> Signup and view all the answers

    What is the primary benefit of using white-box testing?

    <p>It can test paths within a unit, paths between units, and between subsystems</p> Signup and view all the answers

    What is the primary purpose of beta testing?

    <p>To test the system in a real-world environment</p> Signup and view all the answers

    What is the primary difference between unit testing and integration testing?

    <p>Unit testing is used for testing individual units, while integration testing is used for testing multiple units together</p> Signup and view all the answers

    What is the primary benefit of using alpha testing?

    <p>It identifies defects early in the development process</p> Signup and view all the answers

    What is the primary purpose of using banners at log-on time for external users?

    <p>To notify external users of any monitoring that is being conducted</p> Signup and view all the answers

    What is the benefit of using a well-crafted logon banner?

    <p>It gives a legal stand and makes it obvious to users who should access the system</p> Signup and view all the answers

    Which of the following is NOT an aspect of individual accountability?

    <p>Policies and procedures</p> Signup and view all the answers

    What is the main objective of access control?

    <p>To assure that a system's authorized users have timely and uninterrupted access to the information in the system</p> Signup and view all the answers

    Which of the following is an additional access control objective?

    <p>Reliability and utility</p> Signup and view all the answers

    What is the primary purpose of logon banners for anonymous or external users?

    <p>To notify external users of any monitoring that is being conducted</p> Signup and view all the answers

    What is an essential element of individual accountability?

    <p>Unique identifiers</p> Signup and view all the answers

    Which of the following is a key aspect of accountability?

    <p>Unique identifiers</p> Signup and view all the answers

    What is the primary focus of access control mechanisms?

    <p>Supporting the mission of the organization</p> Signup and view all the answers

    What is the main objective of Business Impact Analysis (BIA)?

    <p>Supporting the mission of the organization</p> Signup and view all the answers

    What is the primary concern in a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications?

    <p>Identification of potential covert channels</p> Signup and view all the answers

    Which model would an Information Security Professional recommend for a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications?

    <p>Information Flow Model combined with Bell Lapadula</p> Signup and view all the answers

    What is the primary purpose of access control mechanisms?

    <p>To control access to information</p> Signup and view all the answers

    What is the primary concern in planning and implementing access control mechanisms?

    <p>All of the above</p> Signup and view all the answers

    What is the primary objective of Business Impact Analysis (BIA)?

    <p>To support the mission of the organization</p> Signup and view all the answers

    What is the primary purpose of access control mechanisms in a highly secure environment?

    <p>To control access to information</p> Signup and view all the answers

    What is the security flaw that occurs when two or more processes use the same resource and the sequence of steps within the software can be carried out in an improper order?

    <p>Race condition</p> Signup and view all the answers

    What is the process of intercepting and examining messages to deduce information from patterns in communication?

    <p>Traffic analysis</p> Signup and view all the answers

    What is the term for secretly listening to private conversations of others without their consent?

    <p>Eavesdropping</p> Signup and view all the answers

    What is the result of carrying out processes in an improper sequence in software development?

    <p>Drastically affected output</p> Signup and view all the answers

    What is the goal of an attacker who exploits a race condition in software?

    <p>To force the authorization step to take place before the authentication step</p> Signup and view all the answers

    What is the term for the process of intercepting and examining messages to infer information?

    <p>Traffic analysis</p> Signup and view all the answers

    What is the consequence of carrying out processes in a correct sequence in software development?

    <p>Improved security</p> Signup and view all the answers

    What is the main difference between the correct and incorrect sequence of processes in software development?

    <p>Output is drastically affected</p> Signup and view all the answers

    In a DAC system, who decides who has access to a file?

    <p>The file owner</p> Signup and view all the answers

    What is the main characteristic of Discretionary Access Control (DAC)?

    <p>Access is based on the discretion of the owner</p> Signup and view all the answers

    In synchronous dynamic password tokens, what is generated at fixed time intervals?

    <p>A unique password value</p> Signup and view all the answers

    What is the role of the owner in a DAC system?

    <p>To specify which subjects can access specific resources</p> Signup and view all the answers

    What is the primary purpose of synchronous dynamic password tokens?

    <p>To provide one-time passwords</p> Signup and view all the answers

    In a DAC system, who can be made the owner of files and resources?

    <p>Specific individuals, such as department managers</p> Signup and view all the answers

    What is an access control matrix used for in a DAC system?

    <p>To store an identifier for the file owner</p> Signup and view all the answers

    What is the main advantage of using DAC?

    <p>It provides flexible access control</p> Signup and view all the answers

    In biometric identification systems, what parts of the body are conveniently available for identification when people are fully clothed?

    <p>hands, face, and eyes</p> Signup and view all the answers

    What is the access control model also known as Non Discretionary Access Control (NDAC)?

    <p>Role-based access control</p> Signup and view all the answers

    In Mandatory Access Control (MAC), what is used to specify the sensitivity of objects and the categories they belong to?

    <p>Labels</p> Signup and view all the answers

    What is the primary data access control decision that an organization must make?

    <p>The level of control given to system and data owners</p> Signup and view all the answers

    What is the main difference between Discretionary Access Control (DAC) and Mandatory Access Control (MAC)?

    <p>DAC gives control to system owners, while MAC uses sensitivity labels</p> Signup and view all the answers

    What is the primary function of a TACACS authentication server?

    <p>To authenticate clients and authorize access</p> Signup and view all the answers

    What is the relationship between TACACS and TCP?

    <p>TACACS is a protocol used on top of TCP</p> Signup and view all the answers

    What is the name of the daemon that runs on the TACACS authentication server?

    <p>tac_plus</p> Signup and view all the answers

    What is the primary function of a view in a database?

    <p>To provide a virtual table composed of a query result set</p> Signup and view all the answers

    What is the main advantage of using views in a database?

    <p>They provide a simple way to subset and simplify complex data</p> Signup and view all the answers

    What happens to the data in a view when the underlying table is changed?

    <p>The data in the view is updated accordingly</p> Signup and view all the answers

    What is a key difference between a view and a physical table?

    <p>A table is physical, while a view is virtual</p> Signup and view all the answers

    How much space does a view take up in a database?

    <p>Very little space, as it only stores the definition</p> Signup and view all the answers

    What is one advantage of using views in terms of security?

    <p>They provide an additional layer of security by hiding complex data</p> Signup and view all the answers

    What is an example of how a view can simplify complex data?

    <p>By creating a virtual table that appears as 'Sales2000' or 'Sales2001'</p> Signup and view all the answers

    What is the primary purpose of the SELECT command in the example query?

    <p>To retrieve specific data from multiple tables</p> Signup and view all the answers

    What is the primary purpose of Directive Access Control?

    <p>To specify rules of acceptable behavior</p> Signup and view all the answers

    Which type of access control is used to prevent a security incident or information breach?

    <p>Preventive Access Control</p> Signup and view all the answers

    What is the primary purpose of Detective Access Control?

    <p>To detect and respond to security incidents</p> Signup and view all the answers

    What type of access control is used to remedy a circumstance, mitigate damage, or restore control?

    <p>Corrective Access Control</p> Signup and view all the answers

    What is the primary purpose of Compensating Access Control?

    <p>To substitute for the loss of a primary control or add additional mitigation</p> Signup and view all the answers

    What type of access control is used to restore conditions to normal after a security incident?

    <p>Recovery Access Control</p> Signup and view all the answers

    Which of the following is an example of a Directive Access Control?

    <p>A policy stating that employees may not use Facebook</p> Signup and view all the answers

    What is the primary purpose of access control categories?

    <p>To shape employee behavior to better maintain an environment that supports business objectives</p> Signup and view all the answers

    What is the main objective of strong authentication?

    <p>To use two factors from different categories</p> Signup and view all the answers

    What is the purpose of a database view?

    <p>To retrieve the results of a query</p> Signup and view all the answers

    What is relational algebra used for?

    <p>To operate on relational databases</p> Signup and view all the answers

    What is the purpose of mandatory access control?

    <p>To enforce a set of rules for access control</p> Signup and view all the answers

    What is the primary purpose of access control?

    <p>To authorize access to resources</p> Signup and view all the answers

    What is the difference between discretionary access control and mandatory access control?

    <p>Discretionary access control is more flexible</p> Signup and view all the answers

    What is the purpose of a lattice-based access control model?

    <p>To enforce a hierarchical access control model</p> Signup and view all the answers

    What is the primary purpose of role-based access control?

    <p>To limit access based on user role</p> Signup and view all the answers

    What is the primary purpose of preventive physical controls?

    <p>To prevent unauthorized personnel from entering computing facilities</p> Signup and view all the answers

    Which of the following is an example of a preventive administrative control?

    <p>Security awareness and technical training</p> Signup and view all the answers

    What is the primary purpose of backup files and documentation?

    <p>To ensure business continuity</p> Signup and view all the answers

    What is the purpose of site selection in preventive physical controls?

    <p>To select a safe location for computing facilities</p> Signup and view all the answers

    What is the primary purpose of double door systems in preventive physical controls?

    <p>To prevent unauthorized access</p> Signup and view all the answers

    What is the primary purpose of security guards in preventive physical controls?

    <p>To prevent unauthorized access</p> Signup and view all the answers

    What is the primary purpose of badge systems in preventive physical controls?

    <p>To control access to computing facilities</p> Signup and view all the answers

    What is the primary purpose of fences in preventive physical controls?

    <p>To prevent unauthorized access to computing facilities</p> Signup and view all the answers

    What is the primary characteristic of a limited RBAC system?

    <p>Roles are defined within an application and not necessarily based on the user's organizational job function</p> Signup and view all the answers

    What is the primary characteristic of mandatory access control?

    <p>Controlling access based on security clearance</p> Signup and view all the answers

    What is the key difference between Hybrid RBAC and Full RBAC?

    <p>Hybrid RBAC uses a role that is applied to multiple applications or systems, while Full RBAC uses a role defined by the organization's policy</p> Signup and view all the answers

    What is the primary purpose of Full RBAC?

    <p>To apply permissions based on the organization's policy and access control infrastructure</p> Signup and view all the answers

    What protocol was used by the initial version of TACACS for communication between clients and servers?

    <p>UDP</p> Signup and view all the answers

    What is the main difference between Mandatory Access Control (MAC) and Role-Based Access Control (RBAC)?

    <p>MAC is based on the sensitivity of the object and uses categories to implement the need to know, while RBAC is based on the user's role within the organization</p> Signup and view all the answers

    What is the primary function of a TACACS authentication server?

    <p>To authenticate user requests</p> Signup and view all the answers

    What is a key characteristic of Hybrid RBAC?

    <p>Roles are applied to multiple applications or systems based on a user's specific role within the organization, and may also be assigned solely within specific applications</p> Signup and view all the answers

    What is the default port used by TACACS?

    <p>49</p> Signup and view all the answers

    What is the primary benefit of using Role-Based Access Control (RBAC)?

    <p>It simplifies the management of access control by assigning roles to users</p> Signup and view all the answers

    What is the relationship between TACACS and TCP?

    <p>TACACS uses TCP for communication</p> Signup and view all the answers

    What is the main difference between Limited RBAC and Full RBAC in terms of where roles are defined?

    <p>In Limited RBAC, roles are defined within an application, while in Full RBAC, roles are defined by the organization's policy</p> Signup and view all the answers

    What is the name of the daemon that runs on a TACACS authentication server?

    <p>TACACSD</p> Signup and view all the answers

    What is the RFC that defines TACACS?

    <p>RFC 1492</p> Signup and view all the answers

    What is the primary purpose of attribute certificates?

    <p>To store user attributes</p> Signup and view all the answers

    What is the primary purpose of a mobile communications service provider customizing the mobile terminal client distribution?

    <p>To include one or more root certificates with associated capabilities or permissions</p> Signup and view all the answers

    What is the purpose of a developer acquiring a certificate from a commercial Certificate Authority (CA)?

    <p>To validate their identity and obtain a certificate to sign their software</p> Signup and view all the answers

    What is the advantage of separating the identity and authorization certificates?

    <p>To improve key management and recovery from errant software</p> Signup and view all the answers

    What is typically done to the software submitted by a developer before generating an authorization certificate?

    <p>It is tested or profiled by the processor</p> Signup and view all the answers

    What is the purpose of the 'install and execute' capability in a root certificate?

    <p>To allow developers to install and execute their software</p> Signup and view all the answers

    What is the purpose of validating a developer's identity through out-of-band mechanisms?

    <p>To verify the developer's identity and issue a certificate</p> Signup and view all the answers

    What is the purpose of an ephemeral asymmetric key-pair in the software distribution process?

    <p>To sign the software as the last step of preparation for distribution</p> Signup and view all the answers

    What is the benefit of customizing the mobile terminal client distribution with root certificates?

    <p>It enables service providers to control and manage access to the mobile phone operating system</p> Signup and view all the answers

    What is a masquerade attack?

    <p>An attack that uses a fake identity to gain unauthorized access to personal computer information</p> Signup and view all the answers

    What determines the amount of access a masquerade attacker gets?

    <p>The level of authorization they've managed to attain</p> Signup and view all the answers

    What is the purpose of a security model like Bell-LaPadula?

    <p>To apply specific rules to control how the subject-to-object interactions take place</p> Signup and view all the answers

    What type of security system is the Bell-LaPadula model?

    <p>Multilevel security system</p> Signup and view all the answers

    When can a masquerade attack be triggered?

    <p>By someone within the organization or by an outsider if the organization is connected to a public network</p> Signup and view all the answers

    What is the result of a masquerade attack if the attacker gains the highest access authority?

    <p>They have a full smorgasbord of cybercrime opportunities</p> Signup and view all the answers

    What is the purpose of the authorization process in a system?

    <p>To control how the subject-to-object interactions take place</p> Signup and view all the answers

    What is the difference between a masquerade attack and a personal attack?

    <p>A personal attack is less common but still harmful</p> Signup and view all the answers

    What is the primary function of a Host-Based Intrusion Detection System (HIDS)?

    <p>To monitor system and event logs</p> Signup and view all the answers

    Why is it important to have both NIDS and HIDS on critical servers?

    <p>To detect patterns of attacks on both network and host levels</p> Signup and view all the answers

    What is NOT a security characteristic to consider when choosing a biometric identification system?

    <p>Cost</p> Signup and view all the answers

    What is the main difference between a HIDS and a NIDS?

    <p>A HIDS monitors system logs, while a NIDS monitors network traffic</p> Signup and view all the answers

    What is the primary objective of using a HIDS?

    <p>To detect and prevent attacks on a host</p> Signup and view all the answers

    What is monitored by a HIDS?

    <p>Dynamic behavior and state of a computer system</p> Signup and view all the answers

    What is the purpose of a HIDS in relation to security policy?

    <p>To detect circumvention of security policy</p> Signup and view all the answers

    What is the benefit of having both NIDS and HIDS on critical servers?

    <p>To provide comprehensive security coverage</p> Signup and view all the answers

    What is the primary purpose of views in databases?

    <p>To provide abstraction and security</p> Signup and view all the answers

    What type of attack involves using a fake identity to gain unauthorized access to personal computer information?

    <p>Masquerade attack</p> Signup and view all the answers

    What is a characteristic of rows in a view?

    <p>They are not ordered</p> Signup and view all the answers

    What is the difference between black-box testing and white-box testing?

    <p>White-box testing tests internal structures, while black-box testing tests functionality</p> Signup and view all the answers

    What is the primary goal of a masquerade attack?

    <p>To gain unauthorized access to personal computer information</p> Signup and view all the answers

    In which security model is the subject's clearance compared to the object's classification?

    <p>Bell-LaPadula model</p> Signup and view all the answers

    What is the purpose of normalization in databases?

    <p>To organize data to minimize data redundancy</p> Signup and view all the answers

    What is the main advantage of using views in databases?

    <p>They provide abstraction and security</p> Signup and view all the answers

    What is the main characteristic of the Bell-LaPadula model?

    <p>It uses a multilevel security system</p> Signup and view all the answers

    Who developed the Bell-LaPadula model?

    <p>US Military</p> Signup and view all the answers

    What is the primary purpose of a view in a database?

    <p>To provide abstraction and security</p> Signup and view all the answers

    What is the primary purpose of the Data Definition Language (DDL)?

    <p>To create, modify, and delete views and relations in a database</p> Signup and view all the answers

    What is the primary limitation of a masquerade attack?

    <p>The amount of access the attacker can gain</p> Signup and view all the answers

    What is a common use of views in databases?

    <p>To make it easier to create lossless join decomposition</p> Signup and view all the answers

    What is the primary purpose of a database administrator using DDL commands?

    <p>To create and modify database structures</p> Signup and view all the answers

    What is the primary benefit of a masquerade attack?

    <p>It allows the attacker to gain full access to the system</p> Signup and view all the answers

    What is the relationship between views and tables?

    <p>A view is a relational table</p> Signup and view all the answers

    What is the main difference between the CREATE and DROP commands in DDL?

    <p>CREATE is used to create database objects, while DROP is used to delete database objects</p> Signup and view all the answers

    What access control model is based on a lattice structure?

    <p>Bell-LaPadula model</p> Signup and view all the answers

    What is the primary motivation behind a masquerade attack?

    <p>To gain unauthorized access to personal computer information</p> Signup and view all the answers

    What is the purpose of the least upper bound in the Bell-LaPadula model?

    <p>To determine the highest level of access a user can have to a file</p> Signup and view all the answers

    What is the star property in the Bell-LaPadula model?

    <p>A user's least upper bound access is 'READ', and their least lower bound is 'NO WRITE'</p> Signup and view all the answers

    What is the main difference between the Bell-LaPadula model and Role-Based Access Control (RBAC)?

    <p>Bell-LaPadula is based on a lattice structure, while RBAC is based on roles</p> Signup and view all the answers

    What is the primary purpose of the Data Manipulation Language (DML)?

    <p>To perform data manipulation operations</p> Signup and view all the answers

    What is an example of something you do that involves strong authentication?

    <p>Typing text on your keyboard</p> Signup and view all the answers

    What type of access control technique is NOT included in the common techniques?

    <p>Relevant Access Controls</p> Signup and view all the answers

    What operations are used to define a database view?

    <p>Join, Project, and Select</p> Signup and view all the answers

    What is the term for a single entry in a relational database?

    <p>Tuple</p> Signup and view all the answers

    What is the primary function of Mandatory Access Control?

    <p>To provide access based on security clearance</p> Signup and view all the answers

    What is the primary difference between Discretionary Access Control and Mandatory Access Control?

    <p>DAC is based on user identity, MAC is based on security clearance</p> Signup and view all the answers

    What is the term for the mathematics underlying SQL operations?

    <p>Relational Algebra</p> Signup and view all the answers

    What is the purpose of a database view?

    <p>To present the result of a query</p> Signup and view all the answers

    What type of controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units?

    <p>Preventive/Technical Pairing</p> Signup and view all the answers

    What best describes a scenario where a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill?

    <p>Excessive Privileges</p> Signup and view all the answers

    What information do sensitivity labels attached to objects contain in Mandatory Access Control?

    <p>The item's classification and category set</p> Signup and view all the answers

    What is the primary purpose of technical controls such as encryption and access control?

    <p>To prevent security breaches</p> Signup and view all the answers

    What is an example of a logical control used to enforce access control policies?

    <p>Access control lists</p> Signup and view all the answers

    What is the primary purpose of antivirus software?

    <p>To prevent security breaches</p> Signup and view all the answers

    What is an example of a physical control used to enforce access control policies?

    <p>Shielded cables</p> Signup and view all the answers

    What is the primary purpose of logon banners for external users?

    <p>To inform users of their responsibilities</p> Signup and view all the answers

    What is the primary purpose of synchronous dynamic password tokens?

    <p>To generate a new password value at fixed time intervals</p> Signup and view all the answers

    What type of control is a password considered?

    <p>Preventive technical control</p> Signup and view all the answers

    What is the primary purpose of preventive technical controls?

    <p>To prevent unauthorized access</p> Signup and view all the answers

    What is an example of a technical control used to enforce access control policies?

    <p>Access control software</p> Signup and view all the answers

    What is the primary purpose of antivirus software?

    <p>To prevent virus attacks</p> Signup and view all the answers

    What is the primary purpose of dial-up access control and callback systems?

    <p>To prevent unauthorized access</p> Signup and view all the answers

    What is the primary purpose of logon banners for external users?

    <p>To notify users of legal responsibilities</p> Signup and view all the answers

    What is the primary objective of access control?

    <p>To prevent unauthorized access</p> Signup and view all the answers

    What is the main focus of a Business Impact Analysis (BIA)?

    <p>Supporting the mission of the organization</p> Signup and view all the answers

    Which model would you recommend to a client looking to identify potential covert channels in a highly secure environment?

    <p>Information Flow Model combined with Bell Lapadula</p> Signup and view all the answers

    What is the primary concern of the client in the highly secure environment?

    <p>Identification of potential covert channels</p> Signup and view all the answers

    What is the purpose of an access control policy?

    <p>To control access to information and personnel</p> Signup and view all the answers

    What is the term for the act of intercepting electrical signals that radiate from computing equipment?

    <p>Emanation</p> Signup and view all the answers

    What is the primary purpose of degaussing a device or overwriting it multiple times?

    <p>To delete sensitive data</p> Signup and view all the answers

    What is the primary purpose of building concrete walls in a security setup?

    <p>To prevent emanation attacks</p> Signup and view all the answers

    What is the main objective of access control?

    <p>To prevent unauthorized access</p> Signup and view all the answers

    What is the primary goal of a noninterference model in information security?

    <p>To minimize leakages that may happen through covert channels</p> Signup and view all the answers

    What is the main limitation of access control lists in file systems?

    <p>They do not control how the data is used afterwards</p> Signup and view all the answers

    What is the primary purpose of assigning security levels to variables in low-level information flow analysis?

    <p>To control the flow of information between variables</p> Signup and view all the answers

    What is the main difference between publicly observable information and secret information?

    <p>Publicly observable information is assigned a low security level, while secret information is assigned a high security level</p> Signup and view all the answers

    What is the primary benefit of using a lattice model to represent security levels?

    <p>It allows information to flow only upwards in the lattice</p> Signup and view all the answers

    What is the primary goal of cryptography in information security?

    <p>To exchange information privately across a non-secure channel</p> Signup and view all the answers

    What is the main limitation of firewalls in information security?

    <p>They provide no guarantees about information propagation</p> Signup and view all the answers

    What is the primary purpose of restricting flows to high variables in information security?

    <p>To ensure confidentiality by restricting flows to high variables</p> Signup and view all the answers

    What is the primary goal of the Biba Integrity Model?

    <p>Prevent data modification by unauthorized parties</p> Signup and view all the answers

    What is the key principle of the Biba model?

    <p>no read down, no write up</p> Signup and view all the answers

    What is a key limitation of the Bell-LaPadula model?

    <p>It only addresses data confidentiality</p> Signup and view all the answers

    What is the relationship between a subject's integrity level and their ability to create content?

    <p>Subjects can only create content at or below their own integrity level</p> Signup and view all the answers

    What is the main difference between the Biba model and the Clark-Wilson model?

    <p>The Biba model only addresses the first goal of data integrity</p> Signup and view all the answers

    What is the purpose of the Biba model?

    <p>To ensure data integrity</p> Signup and view all the answers

    What is the main goal of the Biba model in terms of data modification?

    <p>Prevent data modification by unauthorized parties</p> Signup and view all the answers

    What is the relationship between a subject's integrity level and their ability to view content?

    <p>Subjects can only view content at or above their own integrity level</p> Signup and view all the answers

    What is the primary function of a Host-Based Intrusion Detection System (HIDS)?

    <p>To monitor system and event logs for signs of attack</p> Signup and view all the answers

    Why is it important to have both NIDS and HIDS on a critical server?

    <p>To ensure that the server is protected from both network and host-based attacks</p> Signup and view all the answers

    What is a key benefit of using a HIDS?

    <p>It can detect attacks that a NIDS might miss</p> Signup and view all the answers

    What is NOT a security characteristic to consider when choosing a biometric identification system?

    <p>Cost</p> Signup and view all the answers

    What is the primary purpose of a biometric system's enrollment process?

    <p>To capture and store user biometric data</p> Signup and view all the answers

    What is a key advantage of using a HIDS over a NIDS?

    <p>A HIDS can detect attacks that a NIDS might miss</p> Signup and view all the answers

    What type of control is a password considered?

    <p>Logical control</p> Signup and view all the answers

    What is the primary purpose of a bastion host?

    <p>To provide an additional layer of security for a critical server</p> Signup and view all the answers

    What is the purpose of acquiring a certificate from a commercial CA in a mobile software deployment?

    <p>To verify the developer's identity</p> Signup and view all the answers

    What is the benefit of separating identity and authorization certificates?

    <p>Improved risk mitigation</p> Signup and view all the answers

    What is the purpose of an ephemeral asymmetric key-pair in mobile software deployment?

    <p>To sign the software for distribution</p> Signup and view all the answers

    What is the primary advantage of customizing the mobile terminal client distribution?

    <p>Improved security</p> Signup and view all the answers

    What is the purpose of submitting the software to a processor before distribution?

    <p>To test or profile the content</p> Signup and view all the answers

    What is the purpose of an identity certificate in mobile software deployment?

    <p>To verify the developer's identity</p> Signup and view all the answers

    What is the main focus of the Bell-LaPadula model?

    <p>Data confidentiality</p> Signup and view all the answers

    What is the primary purpose of a root certificate in mobile software deployment?

    <p>To associate with a set of capabilities or permissions</p> Signup and view all the answers

    What is the Bell-LaPadula model based on?

    <p>A state machine model</p> Signup and view all the answers

    What is the purpose of security labels in the Bell-LaPadula model?

    <p>To classify data based on sensitivity</p> Signup and view all the answers

    What is the primary benefit of vetting developers or publishers in mobile software deployment?

    <p>Improved security</p> Signup and view all the answers

    What is the goal of the Bell-LaPadula model's state transition?

    <p>To ensure each state transition preserves security</p> Signup and view all the answers

    Who developed the Bell-LaPadula model?

    <p>David Elliott Bell and Leonard J. LaPadula</p> Signup and view all the answers

    What is the primary difference between the Bell-LaPadula model and the Biba Integrity Model?

    <p>The Bell-LaPadula model focuses on data confidentiality, while the Biba Integrity Model focuses on data integrity</p> Signup and view all the answers

    What is a 'secure state' in the Bell-LaPadula model?

    <p>A state where access modes of subjects to objects are in accordance with a security policy</p> Signup and view all the answers

    What is the purpose of transition functions in the Bell-LaPadula model?

    <p>To define the transition from one state to another</p> Signup and view all the answers

    What is the primary goal of the Biba Integrity Model?

    <p>Prevent data modification by unauthorized parties</p> Signup and view all the answers

    What is the main difference between the Biba Model and the Bell-LaPadula model?

    <p>The Biba Model addresses integrity, while Bell-LaPadula addresses confidentiality</p> Signup and view all the answers

    In the Biba Model, what is the rule for users creating content?

    <p>Users can create content at or below their own integrity level</p> Signup and view all the answers

    What is the phrase characterized by the Biba Model?

    <p>No read down, no write up</p> Signup and view all the answers

    What is the primary goal of the Clark-Wilson model, in contrast to the Biba Model?

    <p>To address all three goals of integrity</p> Signup and view all the answers

    In the Biba Model, what is the rule for users viewing content?

    <p>Users can view content at or above their own integrity level</p> Signup and view all the answers

    What is the main purpose of the Biba Integrity Model?

    <p>To ensure data integrity</p> Signup and view all the answers

    What is the relationship between the Biba Model and boolean policies?

    <p>The Biba Model is one type of boolean policy</p> Signup and view all the answers

    What is the primary purpose of the Simple Integrity Axiom?

    <p>To prevent a subject from reading an object at a lower integrity level</p> Signup and view all the answers

    What is the principle behind the * (star) Integrity Axiom?

    <p>No write up</p> Signup and view all the answers

    What is the primary characteristic of Lattice-Based Access Control (LBAC)?

    <p>It is a mandatory access control model</p> Signup and view all the answers

    In LBAC, what determines the security level of an object?

    <p>The meet of the levels of the subjects accessing the object</p> Signup and view all the answers

    What is the purpose of the lattice structure in LBAC?

    <p>To define the levels of security for subjects and objects</p> Signup and view all the answers

    What is the result of combining two objects, X and Y, in LBAC?

    <p>A new object with the join of the security levels of X and Y</p> Signup and view all the answers

    What is the analogy used to explain the concept of integrity in the Biba model?

    <p>The military chain of command</p> Signup and view all the answers

    What is the primary difference between the Biba model and the Bell-LaPadula model?

    <p>The Biba model is based on integrity, while the Bell-LaPadula model is based on confidentiality</p> Signup and view all the answers

    Study Notes

    Data Definition Language (DDL)

    • The DROP command is used to remove entire database objects from a DBMS.
    • DROP TABLE command is used to remove a specific table, and DROP DATABASE command is used to remove an entire database.

    Data Manipulation Language (DML)

    • The INSERT command is used to add records to an existing table.
    • The SELECT command is the most commonly used command in SQL, used to retrieve data from a database.

    Intrusion Detection System (IDS)

    • An IDS stores attributes of an attack for reference using a signature-based IDS.

    Access Control Models

    • Mandatory access control (MAC) requires security clearance for subjects, where authorization is dependent on labels indicating the subject's clearance.

    Terminal Access Controller Access Control System (TACACS)

    • The original TACACS used UDP transport, while the extended version uses TCP.
    • TACACS allows a client to send a username and password to a TACACS authentication server, which verifies the authentication request.

    Authentication

    • Synchronous dynamic password tokens generate a new password value at fixed time intervals, which is entered along with a PIN for authentication.

    Access Control Policies

    • Preventive/technical pairing uses technology to enforce access control policies, including technical controls such as access control software, antivirus software, and encryption.

    Accountability

    • Accountability includes unique identifiers, access rules, and audit trails, but not policies and procedures.

    Emanation Attacks and Security Measures

    • Emanation attacks involve intercepting electrical signals that radiate from computing equipment.
    • Countermeasures include:
      • Shielding cabling
      • Using white noise generators
      • Implementing control zones
      • Using TEMPEST equipment (a Faraday cage around the equipment)

    Error Types and Testing

    • Environmental error: an error that causes a system to be vulnerable due to the environment in which it is installed.
    • White-box testing: a method of test design that uses internal perspectives of the system and programming skills to design test cases.
    • Alpha testing: an early version of the application system submitted to internal users for testing.
    • Beta testing: a form of user acceptance testing that involves a limited number of external users.

    Accountability and Access Control

    • Individual accountability includes:
      • Unique identifiers
      • Access rules
      • Audit trails
    • But does not include policies and procedures.
    • Additional access control objectives include:
      • Reliability
      • Utility

    Business Impact Analysis

    • Business Impact Analysis (BIA) is about supporting the mission of the organization.
    • BIA is not about technology or risk assessment.

    Information Security Models

    • The Information Flow Model combined with Bell-LaPadula is recommended for a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications.
    • This model is concerned with the identification of potential covert channels.

    Biometric Identification Systems

    • In biometric identification systems, conveniently available parts of the body for identification are hands, face, and eyes.
    • This is because most identity authentication takes place when people are fully clothed (neck to feet and wrists).

    Access Control Models

    • Role-Based Access Control (RBAC) is also called Non-Discretionary Access Control (NDAC).
    • RBAC is sometimes referred to as Rule-Based Access Control (RuBAC).
    • Mandatory Access Control (MAC) makes use of Labels, which contain the sensitivity of objects and the categories they belong to.
    • No labels means MAC is not being used.

    Database Access Control

    • A view is a virtual or logical table composed of the result set of a query.
    • Views can:
      • Subset the data contained in a table
      • Join and simplify multiple tables into a single virtual table
      • Act as aggregated tables, where aggregated data is calculated and presented
      • Hide the complexity of data
      • Take very little space to store; only the definition is stored, not a copy of all the data they present
      • Provide extra security depending on the SQL engine used

    Discretionary Access Control (DAC)

    • DAC is suitable for low-level security environments.
    • The owner of the file decides who has access to the file.
    • Ownership might also be granted to a specific individual, such as a department manager.
    • DAC enables the owner of the resource to specify which subjects can access specific resources.

    Synchronous Dynamic Password Tokens

    • In Synchronous dynamic password tokens, the token generates a new password value at fixed time intervals, based on the time of day encrypted with a secret key.

    Access Control Categories

    • Access Control Categories include:
      • Directive: specifies rules of acceptable behavior
      • Deterrent: designed to discourage people from violating security directives
      • Preventive: implemented to prevent a security incident or information breach
      • Detective: used to mitigate the loss
      • Compensating: substitutes for the loss of a primary control or adds additional mitigation
      • Corrective: remedies circumstances, mitigates damage, or restores control
      • Recovery: restores conditions to normal after a security incident

    Access Control Techniques

    • Access Control Techniques include:
      • Discretionary Access Control
      • Mandatory Access Control
      • Lattice-Based Access Control
      • Rule-Based Access Control
      • Role-Based Access Control

    Access Control Models

    • Limited RBAC: Users can access non-RBAC-based applications or data, and have direct access to another application or system independent of their assigned role.
    • Hybrid RBAC: Introduces a role applied to multiple applications or systems based on a user's specific role within the organization.
    • Full RBAC: Controlled by roles defined by the organization's policy and access control infrastructure, applied to applications and systems across the enterprise.

    Mandatory Access Control (MAC)

    • Requires security clearance for subjects.
    • Authorization of a subject's access to an object is dependant upon labels, which indicate the subject's clearance.
    • Uses labels to indicate the sensitivity of the object and categories to implement the need to know.

    Other Access Control Models

    • Identity-based access control: a type of discretionary access control.
    • Role-based access control: a type of non-discretionary access control.

    TACACS

    • Original TACACS used UDP transport.
    • Extended in the early 1990s to include additional functionality and changed to TCP transport.
    • Uses port 49 by default.

    Preventive Controls

    • Preventive physical controls: prevent unauthorized personnel from entering computing facilities and protect against natural disasters.
      • Examples: Backup files and documentation, Fences, Security guards, Badge systems, Double door systems, Locks and keys, Backup power, Biometric access controls, Site selection, Fire extinguishers.
    • Preventive administrative controls: personnel-oriented techniques for controlling people's behavior to ensure confidentiality, integrity, and availability of computing data and programs.
      • Examples: Security awareness and technical training, Separation of duties, Procedures for recruiting and terminating employees, Security policies and procedures, Supervision, Disaster recovery, Contingency and emergency plans, User registration for computer access.

    Masquerade Attacks

    • An attack that uses a fake identity to gain unauthorized access to personal computer information through legitimate access identification.
    • Can be perpetrated using stolen passwords and logons, by locating gaps in programs, or by finding a way around the authentication process.

    Bell-LaPadula Model

    • A security model where the subject's clearance is compared to the object's classification, and specific rules are applied to control how the subject-to-object interactions take place.
    • Developed by the US Military in the 1970s.
    • Also called a multilevel security system because users with different clearances use the system and the system processes data with different classifications.

    Host-Based Intrusion Detection Systems (HIDS)

    • A HIDS monitors the system and event logs to detect an attack on the host and determine if the attack was successful.
    • Critical servers should have a HIDS installed.
    • HIDS can detect patterns of attacks within encrypted traffic after decryption on the host.
    • HIDS monitors all or part of the dynamic behavior and state of a computer system.
    • HIDS detects which program accesses what resources and assures that a program hasn't suddenly modified the system password database.
    • HIDS checks the state of a system, stored information, and ensures that the contents appear as expected.

    Biometric Identification Systems

    • Data acquisition process is a security characteristic to consider when choosing a biometric identification system.
    • Enrollment process is a security characteristic to consider when choosing a biometric identification system.
    • Speed and user interface are security characteristics to consider when choosing a biometric identification system.
    • Cost is not a security characteristic when choosing a biometric identification system.

    Access Control Models

    • Bell-LaPadula model compares the subject's clearance to the object's classification to apply specific rules to control subject-to-object interactions.
    • In the Bell-LaPadula model, the subject's clearance is compared to the object's classification, and specific rules are applied to control interactions.
    • The Bell-LaPadula model is a multilevel security system that processes data with different classifications.

    Database Management Systems

    • SQL Data Definition Language (DDL) is used to create, modify, and delete views and relations (tables) in a database.
    • DDL commands are used primarily by database administrators during setup and removal phases of a database project.
    • Views are used to create abstraction, and they can make it easier to create lossless join decomposition.
    • Views are relational tables, and the relational model states that a table is a set of rows, which means the rows in a view are not ordered.

    Software Testing Methods

    • White-box testing (also known as clear box testing, glass box testing, transparent box testing, or structural testing) examines the internal structure or workings of an application.
    • White-box testing is a method of testing software that tests internal structures or workings of an application, as opposed to its functionality.

    Security Models

    • Masquerade attacks use a fake identity to gain unauthorized access to personal computer information through legitimate access identification.
    • Masquerade attacks can be perpetrated using stolen passwords and logons, by locating gaps in programs, or by finding a way around the authentication process.

    Access Control Techniques

    • Access Control techniques include Discretionary Access Control, Mandatory Access Control, Lattice-Based Access Control, Rule-Based Access Control, and Role-Based Access Control.
    • Relevant Access Controls is not an Access Control technique.

    Database Views

    • A database view is the result of Join, Project, and Select operations.
    • Relational algebra operations include Select, Project, Union, Difference, and Product, which can be used to build relations and operate on data.

    Technical Controls and Access Control

    • Technical controls, also known as logical controls, can be built into the operating system, software applications, or supplemental hardware/software units.
    • Preventive technical controls are used to prevent unauthorized personnel or programs from gaining remote access to computing resources.
    • Examples of technical controls include access control software, antivirus software, library control systems, passwords, smart cards, encryption, dial-up access control, and callback systems.

    Excessive Privileges

    • Excessive privileges occur when a user has more computer rights, permissions, and access than what is required for the tasks the user needs to fulfill.

    Mandatory Access Control

    • In Mandatory Access Control, sensitivity labels attached to objects contain the item's classification and category set.

    Access Control Policies

    • The preventive/technical pairing uses technology to enforce access control policies.
    • Technical controls are sometimes referred to as logical controls.
    • Three things that must be considered for the planning and implementation of access control mechanisms are the threats to the system, the system's vulnerability to these threats, and the risk that the threat may materialize.

    Business Impact Analysis (BIA)

    • Business Impact Analysis (BIA) is about supporting the mission of the organization.
    • BIA is not about technology.

    Information Security Models

    • The Information Flow Model combined with Bell-Lapadula is recommended for a highly secure environment where data at high classifications cannot be leaked to subjects at lower classifications.
    • The Biba Model or Biba Integrity Model is a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity.
    • The Biba Model focuses on data integrity and is characterized by the phrase: "no read down, no write up".
    • Noninterference Models help minimize damage from covert channels by maintaining activities at different security levels to separate these levels from each other.

    Host-Based Intrusion Detection Systems (HIDS)

    • A HIDS is a system that monitors the dynamic behavior and state of a computer system to detect attacks and determine if they were successful.
    • It reviews system and event logs to detect patterns of attacks, including those within encrypted traffic.
    • Critical servers should have both NIDS and HIDS for comprehensive security.
    • A HIDS monitors which programs access resources and ensures that they do not modify the system in unexpected ways.
    • It also checks the state of a system, its stored information, and ensures that it appears as expected.

    Biometric Identification Systems

    • Security characteristics to consider when choosing a biometric identification system include:
      • Data acquisition process
      • Enrollment process
      • Speed and user interface
    • Cost is not a security characteristic, but rather a factor to consider when choosing a biometric system.

    Bell-LaPadula Model

    • A formal state machine model used for enforcing access control in government and military applications.
    • It focuses on data confidentiality and controlled access to classified information.
    • Security labels range from most sensitive (e.g. "Top Secret") to least sensitive (e.g. "Unclassified" or "Public").
    • The model ensures that each state transition preserves security by moving from secure state to secure state.

    Biba Integrity Model

    • A formal state transition system that describes a set of access control rules designed to ensure data integrity.
    • Data and subjects are grouped into ordered levels of integrity.
    • The model is designed to prevent data modification by unauthorized parties and maintain internal and external consistency.
    • It is characterized by the phrase "no read down, no write up".
    • The model defines two security rules:
      • The Simple Integrity Axiom: a subject at a given level of integrity must not read an object at a lower integrity level.
      • The * (star) Integrity Axiom: a subject at a given level of integrity must not write to any object at a higher level of integrity.

    Lattice Model

    • A complex access control model based on the interaction between objects and subjects.
    • It uses a lattice to define the levels of security that an object may have and that a subject may have access to.
    • The subject is only allowed to access an object if the security level of the subject is greater than or equal to that of the object.
    • The security level access may be expressed in terms of the lattice (a partial order set) where each object and subject have a greatest lower bound (meet) and least upper bound (join) of access rights.

    Studying That Suits You

    Use AI to generate personalized quizzes and flashcards to suit your learning preferences.

    Quiz Team

    Related Documents

    Cissp-8sn2bm.pdf

    Description

    This quiz covers SQL commands for creating and managing database tables, including the use of the DROP command to remove database objects.

    More Like This

    SQL Commands Quiz
    3 questions

    SQL Commands Quiz

    EminentCelebration avatar
    EminentCelebration
    SQL CREATE TABLE Commands
    44 questions
    ALTER TABLE Command in MySQL Workbench
    9 questions
    Use Quizgecko on...
    Browser
    Browser