Untitled Quiz
46 Questions


Created by
@CompliantConsonance


Questions and Answers

Which access control model provides upper and lower bounds of access capabilities for a subject?

  • Content-dependent access control
  • Lattice-based access control (correct)
  • Biba access control
  • Role-based access control

Which of the following is used to create and modify the structure of your tables and other objects in the database?

  • SQL Data Definition Language (DDL) (correct)
  • SQL Data Manipulation Language (DML)
  • SQL Data Identification Language (DIL)
  • SQL Data Relational Language (DRL)

Which of the following is true of two-factor authentication?

  • It requires two measurements of hand geometry.
  • It does not use single sign-on technology.
  • It relies on two independent proofs of identity. (correct)
  • It uses the RSA public-key signature based on integers with large prime factors.

Of the seven Access Control Categories, which one is described as follows: designed to specify rules of acceptable behavior in the organization (for example, a policy stating that employees may not spend time on social media websites)?

Answer: Directive Access Control

Which type of password token involves time synchronization?

Answer: Synchronous dynamic password tokens

Technical controls such as encryption and access control represent which pairing?

Answer: Preventive/Technical Pairing

What best describes a security issue where a user has more computer rights, permissions, and access than necessary?

Answer: Excessive Privileges

In Mandatory Access Control, what information do sensitivity labels attached to objects contain?

Answer: The item's classification and category set

Which access control model is also called Non Discretionary Access Control (NDAC)?

Answer: Role-based access control

In biometric identification systems, which parts of the body are conveniently available for identification?

Answer: Hands, face, and eyes

Which of the following tools is less likely to be used by a hacker?

Answer: Tripwire

An employee ensures all cables are shielded, builds concrete walls that extend from the floor to the ceiling, and installs a white noise generator. What attack is the employee trying to protect against?

Answer: Emanation Attacks

What is an error called that causes a system to be vulnerable because of the environment in which it is installed?

Answer: Environmental error

Which of the following biometric devices has the lowest user acceptance level?

Answer: Retina Scan

When a biometric system is used, which error type deals with the possibility of GRANTING access to impostors who should be REJECTED?

Answer: Type II error

A host-based IDS is resident on which of the following?

Answer: On each of the critical hosts

Which of the following is NOT a security characteristic we need to consider when choosing a biometric identification system?

Answer: Cost

Which of the following best describes an exploit?

Answer: A chunk of data, or sequence of commands, that takes advantage of a bug, glitch, or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software

Which of the following testing methods examines the internal structure or working of an application?

Answer: White-box testing

Attributes that characterize an attack are stored for reference by which of the following Intrusion Detection System (IDS) types?

Answer: Signature-based IDS

Who developed one of the first mathematical models of a multilevel-security computer system?

Answer: Bell and LaPadula

Suppose you are a domain administrator and are choosing an employee to carry out backups. Which access control method would be best for this scenario?

Answer: RBAC - Role-Based Access Control

Logical or technical controls involve the restriction of access to systems and the protection of information. Which of the following statements pertaining to these types of controls is correct?

Answer: Examples of these types of controls include policies and procedures, security awareness training, background checks, work habit checks, a review of vacation history, and increased supervision.

Access Control techniques do not include which of the following choices?

Answer: Relevant Access Controls

A database view is the result of which of the following operations?

Answer: Join, Project, and Select

What is the verification that a user's claimed identity is valid, usually implemented through a user password at log-on time, called?

Answer: Authentication

During an IS audit, the auditor observed that authentication and authorization steps are split into two functions. What technique could an attacker use to force the authorization step before authentication?

Answer: Race Condition

In which of the following security models is the subject's clearance compared to the object's classification for controlling subject-to-object interactions?

Answer: Bell-LaPadula model

Which of the following statements pertaining to Kerberos is TRUE?

Answer: Kerberos does not address availability

Database views are NOT used to:

Answer: Implement referential integrity

Which of the following is most appropriate to notify an external user that session monitoring is being conducted?

Answer: Logon Banners

Which of the following is not a two-factor authentication mechanism?

Answer: Something you know and a password

In biometric identification systems, what raised the necessity of answering 2 questions?

Answer: What part of body to be used and how to accomplish identification that is viable

What is the FIRST step in protecting data's confidentiality?

Answer: Identify which information is sensitive

What is the type of discretionary access control (DAC) based on an individual's identity called?

Answer: Identity-based Access control

What does a synchronous dynamic password token generate at fixed time intervals?

Answer: A new non-unique password value based on the time of day encrypted with a secret key

Which pairing uses technology to enforce access control policies?

Answer: Preventive/Technical

What is most appropriate to notify an internal user that session monitoring is being conducted?

Answer: Written agreement

Which of the following is not included in individual accountability?

Answer: Policies & procedures

What are additional access control objectives beyond availability?

Answer: Reliability and utility

What is Business Impact Analysis (BIA) about?

Answer: Supporting the mission of the organization

In a highly secure environment, which information security model would you recommend to identify potential covert channels?

Answer: Information Flow Model combined with Bell-LaPadula

What kind of certificate is used to validate a user identity?

Answer: Public key certificate

Which of the following access control models requires security clearance for subjects?

Answer: Mandatory access control

Which of the following protocols was used by the INITIAL version of the Terminal Access Controller Access Control System (TACACS) for communication between clients and servers?

Answer: UDP

RADIUS incorporates which of the following services?

Answer: Authentication server as well as support for Static and Dynamic passwords

Study Notes

Security Measures

• Shielding cables, building concrete walls, and using white noise generators can protect against emanation attacks, which involve intercepting electrical signals from computing equipment.
• Emanation attacks can be countered with TEMPEST equipment, which creates a Faraday cage around the equipment.

Biometric Devices

• Biometric devices have varying user acceptance levels; retina scans have the lowest user acceptance due to their intrusive nature.
• Retina scans are highly accurate, with an error rate of one in 10 million uses.
• Biometric systems can make authentication decisions based on an individual's behavior, such as signature dynamics, or physical attributes, such as iris, retina, or fingerprint recognition.

Error Types in Biometric Systems

• Type I error (False Rejection Rate): the biometric system rejects an authorized individual.
• Type II error (False Acceptance Rate): the biometric system accepts an unauthorized individual.
• Crossover Error Rate (CER) or Equal Error Rate (EER): the point at which the False Rejection Rate and False Acceptance Rate are equal.

Host-Based Intrusion Detection Systems (HIDS)

• A HIDS is resident on a critical host and reviews system and event logs to detect attacks.
• A HIDS can detect attack patterns within encrypted traffic, which a NIDS may not be able to detect.
• Critical servers should have both NIDS and HIDS.

Exploits

• An exploit is a chunk of data or sequence of commands that takes advantage of a bug, glitch, or vulnerability to cause unintended behavior on computer software.
• Exploits can lead to unauthorized access, data breaches, or system crashes.

Password Tokens

• Synchronous dynamic password tokens generate a new unique password value at fixed time intervals, requiring synchronization between the server and the token.

Logical Controls

• Technical controls, such as encryption and access control, can be built into the operating system, be software applications, or be supplemental hardware/software units.
• These controls are also known as logical controls and represent the preventive/technical pairing.

Mandatory Access Control (MAC)

• MAC attaches sensitivity labels to objects; each label contains the item's classification and category set.
• Category set and compartment set are synonyms, indicating the categories to which an item belongs.

Access Control Models

• Role-Based Access Control (RBAC) is also known as Non-Discretionary Access Control (NDAC), distinguishing it from Mandatory Access Control (MAC).
• RBAC bases access control authorizations on the roles or functions assigned to users within an organization: users are assigned to roles, and access to resources is granted based on those roles.
• There are four basic RBAC architectures:
  • Non-RBAC: users are granted access to resources directly, without the use of roles.
  • Limited RBAC: users are assigned to roles within a single application, but can also access non-RBAC-based applications.
  • Hybrid RBAC: users are assigned to roles that are applied across multiple applications.
  • Full RBAC: users are assigned to roles that are defined by the organization's policy and access control infrastructure.

Lattice-Based Access Control

• Lattice-based access control is a model that uses a lattice structure to assign access control privileges.
• In a lattice-based model, users are assigned a security clearance and data is classified based on its sensitivity level.
• Access decisions are made based on the user's clearance and the classification of the data.

SQL and Database Management

• SQL (Structured Query Language) is a language used to manage and manipulate data in relational databases.
• SQL is used to perform various operations on data, including:
  • Creating and modifying database structures (Data Definition Language, DDL)
  • Inserting, updating, and deleting data (Data Manipulation Language, DML)
  • Querying data (Data Control Language, DCL)
• DDL commands include:
  • CREATE: creates a new database object, such as a table or view.
  • ALTER: modifies an existing database object.
  • DROP: deletes a database object.
• DML commands include:
  • INSERT: adds new data to a table.
  • UPDATE: modifies existing data in a table.
  • DELETE: deletes data from a table.
  • SELECT: retrieves data from a table.

Views in Database Management

• A view is a virtual table that is based on the result of a query.
• Views can be used to:
  • Subset the data contained in a table.
  • Join and simplify multiple tables into a single virtual table.
  • Hide the complexity of data.
  • Provide an additional layer of security.
• Views take very little space to store, and can be used to create abstraction.

Testing Methods

• White-box testing is a method of testing software that examines the internal structure or working of an application.
• White-box testing is used to test the internal workings of an application, and is typically performed at the unit, integration, and system levels.
• Other testing methods include:
  • Alpha testing: an early version of the application is submitted to internal users for testing.
  • Beta testing: a limited number of external users test the application.
  • Pilot testing: a preliminary test that focuses on specific and predefined aspects of a system.

Proof of Concept and Testing Methods

• Proof of concept is not meant to replace other testing methods, but to provide a limited evaluation of the system.
• Early pilot tests are conducted on an interim platform with basic functionalities.

Types of Testing

• White Box Testing: assesses the effectiveness of a software program's logic.
• Black Box Testing: evaluates an information system's functional operating effectiveness without regard to internal program structure.
• Function/Validation Testing: tests the functionality of the system against detailed requirements to ensure traceability to customer requirements.
• Regression Testing: reruns a portion of a test scenario or plan to ensure that changes or corrections have not introduced new errors.
• Parallel Testing: feeds test data into two systems (modified and alternative) and compares the results.
• Sociability Testing: confirms that a new or modified system can operate in its target environment without negatively impacting existing systems.

Access Control Models

• Role-Based Access Control (RBAC): grants access based on job function; a user's permissions are tied tightly to those granted to the role.
• Mandatory Access Control (MAC): requires security clearance for subjects, with access dependent on labels indicating clearance.
• Discretionary Access Control (DAC): relies on data owners/creators to determine who has access to information.
• Attribute-Based Access Control: grants access based on attributes, such as a user's role, department, or job function.

Certificates and Authentication

• Public Key Certificate: validates a user's identity by binding a public key to identity information.
• Attribute Certificate: describes a permission granted to a user, with permissions delegated by the issuer.
• Root Certificate: a self-signed certificate issued by a Certificate Authority (CA).
• Code Signing Certificate: used to sign software, ensuring authenticity and integrity.

Communication Protocols

• TACACS (Terminal Access Controller Access Control System): a protocol used for communication between clients and servers, initially using UDP and later TCP.
• RADIUS (Remote Authentication Dial-In User Service): a protocol for exchanging authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server.


    Related Documents

    Cissp-8sn2bm.pdf
