Questions and Answers
Which access control model provides upper and lower bounds of access capabilities for a subject?
Which of the following is used to create and modify the structure of your tables and other objects in the database?
Which of the following is true of two-factor authentication?
Of the seven types of Access Control Categories, which is described as follows: designed to specify rules of acceptable behavior in the organization (example: a policy stating that employees may not spend time on social media websites)?
Which type of password token involves time synchronization?
Technical controls such as encryption and access control represent which pairing?
What best describes a security issue where a user has more computer rights, permissions, and access than necessary?
In Mandatory Access Control, what information do sensitivity labels attached to objects contain?
Which access control model is also called Non Discretionary Access Control (NDAC)?
In biometric identification systems, which parts of the body are conveniently available for identification?
Which of the following tools is less likely to be used by a hacker?
An employee ensures all cables are shielded, builds concrete walls that extend from the floor to the ceiling, and installs a white noise generator. What attack is the employee trying to protect against?
What is an error called that causes a system to be vulnerable because of the environment in which it is installed?
Which of the following biometric devices has the lowest user acceptance level?
When a biometric system is used, which error type deals with the possibility of GRANTING access to impostors who should be REJECTED?
A host-based IDS is resident on which of the following?
The following is NOT a security characteristic we need to consider while choosing a biometric identification system:
Which of the following best describes an exploit?
Which of the following testing methods examines the internal structure or working of an application?
Attributes that characterize an attack are stored for reference using which of the following types of Intrusion Detection System (IDS)?
Who developed one of the first mathematical models of a multilevel-security computer system?
Suppose you are a domain administrator and are choosing an employee to carry out backups. Which access control method would be best for this scenario?
Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these types of controls is correct?
Access Control techniques do not include which of the following choices?
A database view is the result of which of the following operations?
What is the verification that the user's claimed identity is valid, usually implemented through a user password at log-on time, called?
During an IS audit, the auditor observed that authentication and authorization steps are split into two functions. What technique could an attacker use to force the authorization step before authentication?
In which of the following security models is the subject's clearance compared to the object's classification for controlling subject-to-object interactions?
Which of the following statements pertaining to Kerberos is TRUE?
Database views are NOT used to:
Which of the following is most appropriate to notify an external user that session monitoring is being conducted?
Which of the following is not a two-factor authentication mechanism?
In biometric identification systems, what raised the necessity of answering 2 questions?
What is the FIRST step in protecting data's confidentiality?
What is the type of discretionary access control (DAC) based on an individual's identity called?
What does a synchronous dynamic password token generate at fixed time intervals?
Which pairing uses technology to enforce access control policies?
What is most appropriate to notify an internal user that session monitoring is being conducted?
Which of the following is not included in individual accountability?
What are additional access control objectives beyond availability?
What is Business Impact Analysis (BIA) about?
In a highly secure environment, which information security model would you recommend to identify potential covert channels?
What kind of certificate is used to validate a user identity?
Which of the following access control models requires security clearance for subjects?
Which of the following protocols was used by the INITIAL version of the Terminal Access Controller Access Control System (TACACS) for communication between clients and servers?
RADIUS incorporates which of the following services?
Study Notes
Security Measures
- Shielding cables, building concrete walls, and using white noise generators can protect against emanation attacks, which involve intercepting electrical signals from computing equipment.
- Emanation attacks can be countered with TEMPEST equipment, which creates a Faraday cage around the equipment.
Biometric Devices
- Biometric devices can have varying user acceptance levels, with retina scans having the lowest user acceptance due to their intrusive nature.
- Retina scans are highly accurate, with an error rate of one in 10 million uses.
- Biometric systems can make authentication decisions based on an individual's behavior, such as signature dynamics, or physical attributes, such as iris, retina, or fingerprint recognition.
Error Types in Biometric Systems
- Type I error (False Rejection Rate): when a biometric system rejects an authorized individual.
- Type II error (False Acceptance Rate): when a biometric system accepts an unauthorized individual.
- Crossover Error Rate (CER) or Equal Error Rate (EER): the point at which the False Rejection Rate and False Acceptance Rate are equal.
Host-Based Intrusion Detection Systems (HIDS)
- A HIDS is resident on a critical host and reviews system and event logs to detect attacks.
- HIDS can detect patterns of attacks within encrypted traffic, which NIDS may not be able to detect.
- Critical servers should have both NIDS and HIDS.
Exploits
- An exploit is a chunk of data or sequence of commands that takes advantage of a bug, glitch, or vulnerability to cause unintended behavior in computer software.
- Exploits can lead to unauthorized access, data breaches, or system crashes.
Password Tokens
- Synchronous dynamic password tokens generate a new unique password value at fixed time intervals, requiring synchronization between the server and token.
Logical Controls
- Technical controls, such as encryption and access control, can be built into the operating system, be software applications, or supplemental hardware/software units.
- These controls are also known as logical controls and represent the preventive/technical pairing.
Mandatory Access Control (MAC)
- MAC involves attaching sensitivity labels to objects, containing the item's classification and category set.
- Category set and compartment set are synonyms, indicating the categories to which an item belongs.
Access Control Models
- Role-Based Access Control (RBAC) is also known as Non-Discretionary Access Control (NDAC), distinguishing it from Mandatory Access Control (MAC).
- RBAC bases access control authorizations on the roles or functions assigned to users within an organization.
Access Control Models
- Role-Based Access Control (RBAC) is a model that assigns users to roles, and then grants access to resources based on those roles.
- There are four basic RBAC architectures:
  - Non-RBAC: users are granted access to resources directly, without the use of roles.
  - Limited RBAC: users are assigned to roles within a single application, but can also access non-RBAC-based applications.
  - Hybrid RBAC: users are assigned to roles that are applied across multiple applications.
  - Full RBAC: users are assigned to roles that are defined by the organization's policy and access control infrastructure.
Lattice-Based Access Control
- Lattice-based access control is a model that uses a lattice structure to assign access control privileges.
- In a lattice-based model, users are assigned a security clearance and data is classified based on its sensitivity level.
- Access decisions are made based on the user's clearance and the classification of the data.
SQL and Database Management
- SQL (Structured Query Language) is a language used to manage and manipulate data in relational databases.
- SQL is used to perform various operations on data, including:
  - Creating and modifying database structures (Data Definition Language, DDL)
  - Inserting, updating, and deleting data (Data Manipulation Language, DML)
  - Querying data (Data Control Language, DCL)
- DDL commands include:
  - CREATE: creates a new database object, such as a table or view.
  - ALTER: modifies an existing database object.
  - DROP: deletes a database object.
- DML commands include:
  - INSERT: adds new data to a table.
  - UPDATE: modifies existing data in a table.
  - DELETE: deletes data from a table.
  - SELECT: retrieves data from a table.
Views in Database Management
- A view is a virtual table that is based on the result of a query.
- Views can be used to:
  - Subset the data contained in a table.
  - Join and simplify multiple tables into a single virtual table.
  - Hide the complexity of data.
  - Provide an additional layer of security.
- Views take very little space to store, and can be used to create abstraction.
Testing Methods
- White-box testing is a method of testing software that examines the internal structure or working of an application.
- White-box testing is used to test the internal workings of an application, and is typically performed at the unit, integration, and system levels.
- Other testing methods include:
  - Alpha testing: an early version of the application is submitted to internal users for testing.
  - Beta testing: a limited number of external users test the application.
  - Pilot testing: a preliminary test that focuses on specific and predefined aspects of a system.
Proof of Concept and Testing Methods
- Proof of concept is not meant to replace other testing methods, but to provide a limited evaluation of the system
- Early pilot tests are conducted on an interim platform with basic functionalities
Types of Testing
- White Box Testing: assesses the effectiveness of a software program's logic
- Black Box Testing: evaluates an information system's functional operating effectiveness without regard to internal program structure
- Function/Validation Testing: tests the functionality of the system against detailed requirements to ensure traceability to customer requirements
- Regression Testing: involves rerunning a portion of a test scenario or plan to ensure changes or corrections have not introduced new errors
- Parallel Testing: feeds test data into two systems (modified and alternative) and compares the results
- Sociability Testing: confirms that a new or modified system can operate in its target environment without negatively impacting existing systems
Access Control Models
- Role-Based Access Control (RBAC): grants access based on job function, with a user's permissions tied tightly to the permissions granted to their role
- Mandatory Access Control (MAC): requires security clearance for subjects, with access dependent on labels indicating clearance
- Discretionary Access Control (DAC): relies on data owner/creators to determine who has access to information
- Attribute-Based Access Control: grants access based on attributes, such as a user's role, department, or job function
Certificates and Authentication
- Public Key Certificate: validates a user's identity, binding a public key with identity information
- Attribute Certificate: describes a permission granted to a user, with permissions delegated by the issuer
- Root Certificate: a self-signed certificate issued by a Certificate Authority (CA)
- Code Signing Certificate: used to sign software, ensuring authenticity and integrity
Communication Protocols
- TACACS (Terminal Access Controller Access Control System): a protocol used for communication between clients and servers, initially using UDP, then TCP
- RADIUS (Remote Authentication Dial-In User Service): a protocol for authentication, authorization, and configuration information exchange between a Network Access Server and a shared Authentication Server