CISSP For Dummies
1. | General purpose control types include all the following except:
| |
2. | Violation reports and audit trails are examples of what type of control?
| |
3. | “A user cannot deny an action” describes the concept of
| |
4. | Authentication can be based on any combination of the following factors except
| |
5. | Unauthorized users that are incorrectly granted access in biometric systems are described as the
| |
6. | All the following devices and protocols can be used to implement one-time passwords except
| |
7. | Which of the following PPP authentication protocols transmits passwords in clear text?
| |
8. | Which of the following is not considered a method of attack against access control systems?
| |
9. | Sensitivity labels are a fundamental component in which type of access control systems?
| |
10. | Which of the following access control models addresses availability issues?
| |
Answers
1. | B. Mandatory. Control types identified by purpose include preventive, detective, corrective, deterrent, recovery, and compensating controls. Review “Control types.” |
2. | A. Detective technical. Preventive technical controls include access control mechanisms and protocols. Review of audit trails is a detective administrative control, but the actual generating of audit trails is a technical function (control). Review “Technical controls.” |
3. | C. Non-repudiation. Authentication and accountability are related to but aren’t the same as non-repudiation. Plausible deniability is a bogus answer. Review “Accountability.” |
4. | C. Something you need.The three factors of authentication are something you know, something you have, and something you are. Review “System access controls.” |
5. | B. False Accept Rate (Type II error).You should know the biometric error types by both descriptions.The False Reject Rate is aType I error and describes the percentage of authorized users that are incorrectly denied access. Review “Biometrics and behavior.” |
6. | D. Kerberos. Kerberos is a ticket-based authentication protocol. Although the tickets that are generated are unique for every logon, Kerberos relies on shared secrets that are static.Therefore, Kerberos isn’t considered a one-time password protocol. Review these three sections: “One-time passwords,” “Tokens,” and “Single sign-on (SSO).” |
7. | A. PAP.The Password Authentication Protocol (PAP) transmits passwords in clear text. CHAP and MS-CHAP authenticate using challenges and responses that are calculated, using a one-way hash function. FTP transmits passwords in clear text but isn’t a PPP authentication protocol. Review “Centralized access controls.” |
8. | C. Denial of service.The purpose of an attack against access controls is to gain access to a system. Brute force and dictionary attacks are both password cracking methods. Although commonly used in denial of service attacks, a buffer overflow attack can exploit vulnerabilities or flaws in certain applications and protocols that will allow unauthorized access. Review “Methods of attack.” |
9. | A. Mandatory access control.The fundamental components in discretionary access controls are file (and data) ownership and access rights and permissions. Access control lists and role-based access control are types of discretionary access control systems. Review “Access control techniques.” |
10. | D. None of the above. Bell-LaPadula addresses confidentiality issues. Biba and Clark-Wilson address integrity issues. Review “Access control models.” |
Категории