What is the primary reason we would implement clipping levels?

In what way can violation of clipping levels assist in violation tracking and analysis?

A. Clipping levels set a baseline for acceptable normal user errors, and violations exceeding that threshold will be recorded for analysis of why the violations occurred.

B. Clipping levels enable a security administrator to customize the audit trail to record only those violations which are deemed to be security relevant.

C. Clipping levels enable the security administrator to customize the audit trail to record only actions for users with access to user accounts with a privileged status.

D. Clipping levels enable a security administrator to view all reductions in security levels which have been made to user accounts which have incurred violations.

1. Which of the following is not one of the three types of access controls?

A. Administrative
B. Personnel
C. Technical
D. Physical

1.Answer: B. The three types of controls are as follows:

◦Administrative: These controls are composed of the policies and procedures the organization has put in place to prevent problems and to ensure that the technical and physical controls are known, understood, and implemented.

◦Technical: These controls are used to control access and monitor potential violations. They may be either hardware- or software-based.

◦Physical: These control systems are used to protect the welfare and safety of the employees and the organization. Physical controls include such items as smoke alarms, security guards, cameras, and mantraps.

2. Your company has just opened a call center in India, and you have been asked to review the site’s security controls. Specifically, you have been asked which of the following is the strongest form of authentication. What will your answer be?

A. Something you know
B. Something you are
C. Passwords
D. Tokens

2.Answer: B. Authentication can take one of three forms: something you know, something you have, or something you are. Something you are, such as biometrics, is by far the strongest form of authentication. Systems such as retina and iris scans have high levels of accuracy. The accuracy of a biometric device can be assessed by means of the crossover error rate. Remember that on the exam, questions are sometimes vague, and you will be asked to pick the best available answer.

3. Your organization has become worried about recent attempts to gain unauthorized access to the R&D facility. Therefore, you have been asked to implement a system that will require individuals to present a password and enter a PIN at the security gate before gaining access. What is this type of system called?

A. Authorization
B. Two-factor authentication
C. Authentication
D. Three-factor authentication

3.Answer: C. The question states that a password and PIN are required. Both are examples of something you know, so only one factor is in use and the system is simply authentication (single-factor). Authentication relies on something you know, something you have, or something you are. Answer B is incorrect because two-factor authentication requires two of the three categories; it is considered more secure than single-factor authentication because the individual must present two different kinds of evidence (for example, a PIN and a token) to succeed. Three-factor authentication requires all three categories. Authorization is what you allow the user to do or accomplish.

4. Which of the following is not one of the three primary types of authentication?

A. Something you remember
B. Something you know
C. Something you are
D. Something you have

4.Answer: A. Authentication can be based on one or more of the following three factors:

◦Something you know: This could be a password, passphrase, or secret number.

◦Something you have: This could be a token, bank debit card, or smart card.

◦Something you are: This could be a retina scan, fingerprint, DNA sample, or facial recognition.

5. While working as a contractor for Widget, Inc., you are asked what the weakest form of authentication is. What will you say?

A. Passwords
B. Retina scans
C. Facial recognition
D. Tokens

5.Answer: A. Passwords, which belong to the “something you know” category, are the weakest form of authentication. Although many stronger forms exist, passwords remain the most widely used. Passwords are insecure because people choose weak ones, don’t change them, write them down, or let others learn them. If more than one person uses the same password, the audit trail can no longer tie an action to an individual, and accountability is lost. Passwords are also very susceptible to cracking and brute-force attacks.

6. You’re preparing a presentation for the senior management of your company. They have asked you to rank the general order of accuracy of the most popular biometric systems, with 1 being the lowest and 5 being the highest. What will you tell them?

A. (1) fingerprint, (2) palm scan, (3) hand geometry, (4) retina scan, (5) iris scan
B. (1) fingerprint, (2) palm scan, (3) iris scan, (4) retina scan, (5) hand geometry
C. (1) palm scan, (2) hand geometry, (3) iris scan, (4) retina scan, (5) fingerprint
D. (1) hand geometry, (2) palm scan, (3) fingerprint, (4) retina scan, (5) iris scan

6.Answer: A. The general order of accuracy of biometric systems, from least to most accurate, is fingerprint, palm scan, hand geometry, retina scan, and iris scan. However, the accuracy of an individual system is not the only item a security professional needs to consider before implementing a biometric system. Security professionals must also examine usability, employee acceptance, and the crossover error rate of the proposed system.

The employee acceptance rate examines the employees’ willingness to use the system. For example, RFID technology has made it possible to inject an extremely small tag into an employee’s arm. Such a tag could be used for identification, for authorization, and to monitor employee movement throughout the organization’s facility. However, most employees would be hesitant to allow an employer to embed such a device in their arm. Currently issued passports also carry RFID chips, which has raised concerns about unauthorized reading of the chip (RFID sniffing) and identity theft.

The crossover error rate examines the capability of the proposed systems to accurately identify the individual. If the system has a high false reject rate, employees will soon grow weary of the system and look for ways to bypass it. Therefore, each of these items is important to consider.

7. Which of the following items is the least important to consider when designing an access control system?

A. Risk
B. Threat
C. Vulnerability
D. Annual loss expectancy

7.Answer: D. Before implementing any type of access control system, the security professional needs to consider vulnerabilities (weaknesses in the system), threats (agents or events that could exploit those weaknesses), and risk (the likelihood that a threat will exploit a vulnerability, together with the resulting impact). Answer D is incorrect because annual loss expectancy (ALE = single loss expectancy × annualized rate of occurrence) is an output of quantitative risk analysis, not a design input for the control itself.

8. Today you are meeting with a coworker who is proposing that the number of logins and passwords be reduced. Another coworker has suggested that you investigate single sign-on technologies and make a recommendation at the next scheduled meeting. Which of the following is a type of single sign-on system?

A. Kerberos
B. RBAC
C. DAC
D. RADIUS

8.Answer: A. Kerberos is a single sign-on system for distributed environments. Unlike authentication systems such as NTLM that perform only one-way authentication, it provides mutual authentication of both parties in the communication. Kerberos assumes that client and server do not trust each other directly; each is authenticated through a trusted third party, the Key Distribution Center (KDC). After mutual authentication occurs, Kerberos uses a ticket cached on the client machine to access network resources. Answers B and C are incorrect because RBAC and DAC are access control models, not single sign-on systems. Answer D is incorrect because RADIUS is a centralized authentication service, not single sign-on.

9. Which style of authentication is not susceptible to a dictionary attack?

A. CHAP
B. LEAP
C. WPA-PSK
D. PAP

9.Answer: D. PAP is the only one of the four that is not susceptible to a dictionary attack, because no attack is needed: the password is transmitted in clear text and can simply be sniffed. CHAP, LEAP, and WPA-PSK are susceptible because an attacker who captures the challenge and response (or, for WPA-PSK, the four-way handshake) can test candidate passwords offline. When forced to use one of these mechanisms, the only defense is a long passphrase that will not appear in any wordlist, and even then attackers use precomputed hash tables (rainbow tables) against common passwords.

10. Your organization has decided to use a biometric system to authenticate users. If the FAR is high, what happens?

A. Legitimate users are denied access to the organization’s resources.
B. Illegitimate users are granted access to the organization’s resources.
C. Legitimate users are granted access to the organization’s resources.
D. Illegitimate users are denied access to the organization’s resources.

10.Answer: B. FAR (False Acceptance Rate) is the percentage of impostors (illegitimate users) whom the system incorrectly accepts, so a high FAR means unauthorized people are granted access. Keeping this number low is what keeps unauthorized individuals out of the company’s resources; lowering it usually means raising the matching threshold, which in turn raises the FRR.

11. Which of the following types of copper cabling is the most secure against eavesdropping and unauthorized access?

A. Single-mode fiber
B. Multimode fiber
C. Category 6 cabling
D. 802.11g wireless

11.Answer: C. The only copper choice is Category 6. Answers A and B are incorrect because single-mode and multimode fiber are not copper cabling. Fiber is nonetheless considered a more secure transmission medium than copper because it carries light rather than electrical current and therefore produces no electromagnetic emanations to intercept, whereas all copper cabling radiates some signal. Unauthorized personnel can clamp inductive probes onto copper cables and decode the transmitted data without cutting the cable. Answer D is incorrect because wireless is not copper cabling either.

12. Which of the following is not one of the primary categories of access control models?

A. Discretionary
B. Mandatory
C. Role-based
D. Delegated

12.Answer: D. There are three types of access control models. Discretionary access control places the data owners in charge of access control. Mandatory access control uses labels to determine who has access to data. Role-based access control is based on the user’s role in the organization. Answer D is incorrect because there is no category called delegated access control.

13. Auditing is considered what method of access control?

A. Preventive
B. Technical
C. Administrative
D. Physical

13.Answer: C. Auditing is considered an administrative control. The three types of controls are discussed in answer 1.

14. What method of access control system would a bank teller most likely fall under?

A. Discretionary
B. Mandatory
C. Role-based
D. Rule-based

14.Answer: C. Bank tellers would most likely fall under a role-based access control system. Permissions are attached to the teller role rather than to individuals, which works well for organizations in which many employees share the same job function and turnover is high.

15. Which of the following is the easiest and most common form of password attack used to pick off insecure passwords?

A. Hybrid
B. Dictionary
C. Brute-force
D. Man-in-the-middle

15.Answer: B. Dictionary attacks are an easy way to pick off insecure passwords. Passwords based on dictionary words allow attackers either to guess manually or to use automated cracking software. LCP, Cain & Abel, and John the Ripper are commonly used password-cracking programs that can launch dictionary attacks. Answer A is incorrect because a hybrid attack must additionally try combinations of words with numbers and special characters. Answer C is incorrect because a brute-force attack must try all combinations of letters, numbers, and special characters. Answer D is incorrect because a man-in-the-middle attack is one in which the attacker sits between the victim and the service and attempts to steal or sniff passwords or information.

16. Your company is building a research facility in Bangalore and is concerned about technologies that can be used to pick up stray radiation from monitors and other devices. Specifically, your boss wants copper shielding installed. Which technology does your boss want to know more about?

A. Radon
B. Waveguard
C. Tempest
D. Van Allen

16.Answer: C. TEMPEST is the U.S. government standard (and codename) for limiting compromising electromagnetic emanations from computer equipment; shielded rooms and enclosures are one way to meet it. Answer B is a distracter, answer A is the name of a radioactive gas, and answer D is the name of the individual who discovered the radiation belts that surround the Earth.

17. Which of the following is not an example of a single sign-on service?

A. RADIUS
B. Kerberos
C. SESAME
D. KryptoKnight

17.Answer: A. Single sign-on is an authentication process that requires a user to enter only one username and password. The user can then access multiple systems without being burdened by additional logins. Single sign-on is implemented by using ticket-based systems such as Kerberos, SESAME, and KryptoKnight. RADIUS is a centralized remote authentication service that can be used for dial-in user service or wireless clients.

18. Christine, a newly certified CISSP, has offered to help her brother-in-law, Gary, at his small construction business. The business currently has 18 computers configured as a peer-to-peer network. All users are responsible for their own security and can set file and folder privileges as they see fit. Which access control model best describes the configuration at this organization?

A. Discretionary
B. Mandatory
C. Role-based
D. Nondiscretionary

18.Answer: A. Answer A is correct because a discretionary access control system places the data owners in charge of access control, which is exactly the situation described: each user sets privileges on his or her own files and folders. Answer B is incorrect because mandatory access control uses labels to determine who has access to data. Answers C and D are incorrect because role-based access control, also known as nondiscretionary access control, is based on the user’s role in the organization rather than on the owner’s wishes.

19. Which of the following best describes challenge/response authentication?

A. It is an authentication protocol in which a salt value is presented to the user, who then returns an MD5 hash based on this salt value.
B. It is an authentication protocol in which a system of tickets is used to validate the user’s rights to access resources and services.
C. It is an authentication protocol in which the username and password are passed to the server using CHAP.
D. It is an authentication protocol in which a randomly generated string of values is presented to the user, who then returns a calculated number based on those random values.

19.Answer: D. Challenge/response authentication works as follows: First, the server presents the client with a randomly generated string of values (the challenge). Second, the client returns a value calculated from the challenge and the shared secret (the response). Third, the server performs the same calculation with its stored copy of the secret and compares the result to the response it received. If the values match, the user is granted access; otherwise, access is denied. Because the secret itself never crosses the wire and each challenge is fresh, a captured response cannot simply be replayed. Answer A is a distracter. Answer B describes Kerberos. Answer C describes the Challenge Handshake Authentication Protocol (CHAP), which is one implementation of challenge/response rather than its definition.
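The following is an added example (not part of the original question set) that implements the exchange described in answer 19 using CHAP’s actual construction from RFC 1994, response = MD5(identifier || secret || challenge), and then shows why answer 9 calls CHAP “susceptible to a dictionary attack”: anyone who sniffs one challenge/response pair can test candidate secrets offline. The credential store, user names and passwords are constructed for the example; PAP is included only to contrast what a sniffer sees.

```python
import hashlib
import hmac
import secrets

# Constructed toy credential store (assumption: not from any real system).
SECRET_DB = {"alice": "sunshine7", "bob": "Tr0ub4dor&3"}


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


def chap_exchange(username, secret, identifier=1, challenge=None):
    """One CHAP round. Returns what crosses the wire and the server's verdict.

    The client hashes the shared secret with the server's random challenge, so
    the secret never leaves the client; the server recomputes from its stored
    copy and compares. A fresh challenge each round is what defeats replay.
    """
    if challenge is None:
        challenge = secrets.token_bytes(16)          # server-chosen random challenge
    response = chap_response(identifier, secret, challenge)
    expected = chap_response(identifier, SECRET_DB[username], challenge)
    ok = hmac.compare_digest(response, expected)     # constant-time comparison
    wire = {"challenge": challenge, "id": identifier, "user": username, "response": response}
    return wire, ok


def pap_exchange(username, password):
    """PAP: the password itself crosses the wire; a sniffer needs no attack at all."""
    wire = {"user": username, "password": password}
    return wire, password == SECRET_DB[username]


def dictionary_attack(captured, wordlist):
    """Offline attack on a sniffed CHAP exchange: recompute the response for
    each candidate secret and compare with the captured one."""
    for word in wordlist:
        if chap_response(captured["id"], word, captured["challenge"]) == captured["response"]:
            return word
    return None
```

With a fixed challenge the alice exchange is recovered from a three-word list, while bob’s non-dictionary secret is not; the same capture under a different challenge yields a different response, which is why a replayed response fails.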

20. Your company has installed biometric access control systems. Your director has mentioned that he thinks the systems will have a high FRR. What does this mean?

A. Quite a few valid users will be denied access.
B. Employees will accept the system.
C. Almost all unauthorized users will be denied.
D. The system has a high return rate and will quickly pay for itself.

20.Answer: A. FRR (False Rejection Rate) measures the number of authorized users who were incorrectly denied access. If a system has a high FRR, many valid users will be denied access. Answer B is incorrect because valid users who are denied access may attempt to bypass or subvert the authentication system because they believe it does not work correctly. Answer C is incorrect because the FRR is separate from the False Acceptance Rate (FAR). The FAR is used to measure statistics of unauthorized users. Answer D is incorrect because FRR has nothing to do with the rate of return.

21. Which of the following is the most time-intensive type of password attack to attempt?

A. Hybrid
B. Plain text
C. Brute-force
D. Man-in-the-middle

21.Answer: C. Password attacks are the easiest way to attempt to bypass access control systems, ranging from simple guessing to automated cracking software. Whereas a dictionary attack may be the fastest, brute force is the most time-intensive. If the user has chosen a long, complex password, brute force may be the attacker’s only choice. A brute-force attack enumerates every combination of characters in the chosen character set, increasing the length as it goes, until the password is found or every combination has been tried; the time required grows exponentially with password length. A plain-text password would require no cracking at all.
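Answers 15 and 21 rank dictionary, hybrid and brute-force attacks by effort. The block below is an added example (not from the original question set) that runs all three against a constructed salted-SHA-256 password store and counts the guesses each needs, so the ranking can be seen rather than asserted. The salt, wordlist and target passwords are made up for the example; a real password store would use a deliberately slow hash such as bcrypt or Argon2.

```python
import hashlib
import itertools

# Constructed example: a salted SHA-256 password store (assumption: not from
# any real system; real stores use a slow hash such as bcrypt or Argon2).
SALT = b"example-salt"
LEET = str.maketrans("aeios", "43105")


def stored_hash(password: str, salt: bytes = SALT) -> bytes:
    return hashlib.sha256(salt + password.encode()).digest()


def _check(candidate, target, salt):
    return stored_hash(candidate, salt) == target


def dictionary_attack(wordlist, target, salt=SALT):
    """Try each word as-is. Returns (password or None, attempts)."""
    attempts = 0
    for word in wordlist:
        attempts += 1
        if _check(word, target, salt):
            return word, attempts
    return None, attempts


def hybrid_attack(wordlist, target, salt=SALT):
    """Dictionary words plus mutations: capitalisation, leet substitutions,
    and a trailing 0-99 (the 'word + digits' habit a plain dictionary misses)."""
    attempts = 0
    for word in wordlist:
        for base in (word, word.capitalize(), word.translate(LEET)):
            for suffix in [""] + [str(n) for n in range(100)]:
                attempts += 1
                if _check(base + suffix, target, salt):
                    return base + suffix, attempts
    return None, attempts


def brute_force(charset, max_len, target, salt=SALT):
    """Enumerate every string over `charset` up to max_len: exhaustive and slowest."""
    attempts = 0
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(chars)
            if _check(candidate, target, salt):
                return candidate, attempts
    return None, attempts


def keyspace(charset_size, max_len):
    """Number of candidates brute force must consider in the worst case."""
    return sum(charset_size ** n for n in range(1, max_len + 1))
```

“dragon” falls to the dictionary on the second guess, “Summer21” survives the dictionary but falls to the hybrid pass after a few hundred guesses, and the brute-force keyspace for eight printable-ASCII characters (95^1 + ... + 95^8) shows why brute force is the attack of last resort.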

22. You are approached by a junior security officer who wants to know what CVE stands for. What do you tell him?

A. Critical Vulnerability and Exploits
B. Common Vulnerabilities and Exposures
C. Chosen Vulnerabilities and Exploits
D. Common Vulnerabilities and Exploits

22.Answer: B. CVE stands for Common Vulnerabilities and Exposures. CVE is a list maintained by MITRE that assigns a standard identifier to each publicly known vulnerability so that information can be exchanged unambiguously between vendors, tools, and databases. You can find more information at http://cve.mitre.org.

23. Which of the following protocols is recommended to be turned off because it transmits usernames and passwords in clear text?

A. SSH
B. HTTPS
C. Telnet
D. TFTP

23.Answer: C. Telnet transmits username and password information in clear text, so anyone sniffing the network can use it to gain unauthorized access. Answers A and B are incorrect because SSH and HTTPS encrypt the session. Although SSH protocol version 1 has known weaknesses and SSH-2 should be used, either is better than clear text. Answer D is incorrect because even though TFTP transmits in clear text, no username and password information is exchanged, because TFTP does not require authentication.

24. Which biometric authentication system is most closely associated with law enforcement?

A. Fingerprint recognition
B. Iris recognition
C. Facial recognition
D. Retina pattern recognition

24.Answer: A. Fingerprints are most closely associated with law enforcement. Close behind this is facial recognition. Facial recognition has made great strides since 9/11. Common methods include the Markov model, eigenface, and fisherface. Iris and retina recognition typically are not associated with law enforcement.

25. What type of access control system doesn’t give users much freedom to determine who can access their files and is known for its structure and use of security labels?

A. Discretionary
B. Mandatory
C. Role-based
D. Nondiscretionary

25.Answer: B. Under the mandatory access control model, the system enforces access based on security labels: each object carries a classification and each subject a clearance, and the administrator, not the data owner, establishes file, folder, and account rights. It is a very restrictive model in which users cannot share resources at their own discretion.

26. As the newly appointed security officer for your corporation, you suggest replacing the password-based authentication system with RSA tokens. Elsa, your CTO, denies your request, citing budgetary constraints. As a temporary solution, Elsa asks that you find ways to increase password security. Which of the following will accomplish this goal?

A. Disabling password-protected screensavers
B. Enabling account lockout controls
C. Enforcing a password policy that requires noncomplex passwords
D. Enabling users to use the same password on more than one system

26.Answer: B. Password-based authentication systems can be made more secure if complex passwords are used, account lockouts are put in place, and tools such as Passprop are implemented. Passprop places remote lockout restrictions on the administrator account. Passprop is Microsoft-specific, and the test will not quiz you on that level of detail. Just understand that tools are available on both Windows and *NIX platforms to accomplish this task. Many routers, switches, and network gear also support varying degrees of lockout (usually tied to RADIUS). Disabling password-protected screensavers would decrease security, as would allowing users to reuse passwords.
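The clipping-level question at the top of this set and answer 26 both turn on the same mechanism: tolerate a small number of failed logins as ordinary user error, and only once that threshold is exceeded record a violation and lock the account. The block below is an added example (not from the original question set) that applies a clipping level to constructed sshd-style log lines; the log contents, host names and IP addresses (from the documentation ranges) are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: sshd-style lines, not from a real host).
SAMPLE_LOG = """\
2024-03-01T09:00:05 sshd[1201]: Failed password for alice from 203.0.113.10 port 50111 ssh2
2024-03-01T09:00:20 sshd[1201]: Failed password for alice from 203.0.113.10 port 50112 ssh2
2024-03-01T09:00:40 sshd[1201]: Accepted password for alice from 203.0.113.10 port 50113 ssh2
2024-03-01T09:00:00 sshd[1202]: Failed password for carol from 203.0.113.11 port 50200 ssh2
2024-03-01T09:08:00 sshd[1202]: Failed password for carol from 203.0.113.11 port 50201 ssh2
2024-03-01T09:16:00 sshd[1202]: Failed password for carol from 203.0.113.11 port 50202 ssh2
2024-03-01T09:24:00 sshd[1202]: Failed password for carol from 203.0.113.11 port 50203 ssh2
2024-03-01T09:10:00 sshd[1203]: Failed password for invalid user bob from 198.51.100.7 port 40001 ssh2
2024-03-01T09:10:10 sshd[1203]: Failed password for invalid user bob from 198.51.100.7 port 40002 ssh2
2024-03-01T09:10:20 sshd[1203]: Failed password for invalid user bob from 198.51.100.7 port 40003 ssh2
2024-03-01T09:10:30 sshd[1203]: Failed password for invalid user bob from 198.51.100.7 port 40004 ssh2
2024-03-01T09:10:40 sshd[1203]: Failed password for invalid user bob from 198.51.100.7 port 40005 ssh2
2024-03-01T09:11:00 sshd[1203]: Connection closed by 198.51.100.7 port 40005
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse(log_text):
    """Return (timestamp, user, ip, failed) for every login line; skip the rest."""
    events = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["user"], m["ip"], m["result"] == "Failed"))
    return events


def evaluate(events, clipping_level=3, window=timedelta(minutes=5)):
    """Apply the clipping level: count failures per user inside a sliding window.

    Up to `clipping_level` failures are treated as ordinary user error and not
    reported; each failure beyond it is recorded as a violation and the account
    is locked. A successful login resets the user's failure history.
    """
    recent = defaultdict(list)
    violations = []
    locked = set()
    for ts, user, ip, failed in sorted(events):
        if not failed:
            recent[user].clear()
            continue
        recent[user] = [t for t in recent[user] if ts - t <= window] + [ts]
        count = len(recent[user])
        if count > clipping_level:
            violations.append({"time": ts.isoformat(), "user": user, "ip": ip, "failures": count})
            locked.add(user)
    return violations, locked
```

Alice’s two typos before a successful login stay below the clipping level and produce nothing to review; carol’s four failures are spread wider than the window and also stay quiet; only bob’s burst of five guesses in forty seconds is recorded (once for the fourth and again for the fifth attempt) and locked. Lowering the clipping level to 1 would flag alice as well, which is the usability trade-off the threshold exists to manage.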

27. Which of the following is a major issue with signature-based IDSs?

A. Signature-based IDSs cannot detect zero-day attacks.
B. Signature-based IDSs can detect only attacks in which activity deviates from normal behavior.
C. Signature-based IDSs are available only as host-based systems.
D. Signature-based IDSs are cost-prohibitive.

27.Answer: A. Signature-based IDSs can detect only attacks whose signatures have been previously stored in their databases, and they rely on the vendor for updates, so until a signature is published they are blind to new zero-day or polymorphic attacks. Answer B is incorrect because it describes a statistical anomaly-based IDS. Answer C is incorrect because signature-based IDSs are available in both host-based and network-based configurations. Answer D is incorrect because the costs of signature-based and statistical anomaly-based IDSs are comparable.

28. Administrative controls form an important part of security, and although most of us don’t like paperwork, that is a large part of this security control. Which of the following is a high-level document that describes a management plan for how security should be practiced throughout the organization?

A. Guidelines
B. Policies
C. Procedures
D. Standards

28.Answer: B. Policies provide a high-level overview of how security should be practiced throughout the organization. Answers A, C, and D all describe the details of how these policies are to be implemented. What is most important about these particular concepts is that security policy must flow from the top of the organization.

29. A hacker submits a malicious URL request for a help page from an unpatched Apache server that supports an Oracle9i Application Server. This causes a denial of service. Which of the following would have best protected the corporation from this attack?

A. HIDS
B. NIPS
C. HIPS
D. NIDS

29.Answer: B. A Network Intrusion Prevention System (NIPS) sits inline and can drop or block malicious traffic as it is identified on the network. This attack arrived over the HTTP service on port 80, where network monitoring can see it. Answer A is incorrect because a Host Intrusion Detection System (HIDS) watches activity on an individual host and only alerts. Answer C is incorrect because a Host Intrusion Prevention System (HIPS) can respond, but only on the single host it protects, whereas the question asks what would best protect the corporation. Answer D is incorrect because a Network Intrusion Detection System (NIDS) alerts on suspicious traffic but does not block it.

30. One of your coworkers has joined a CISSP study group and is discussing today’s list of topics. One of the topics is this: What is an example of a passive attack?

A. Dumpster diving
B. Sniffing
C. Installing SubSeven
D. Social engineering

30.Answer: B. Sniffing is an example of a passive attack. Attackers performing the sniff simply wait and capture data when they find the information they are looking for. This might be usernames, passwords, credit card numbers, or proprietary information. All other answers are incorrect because installing programs, dumpster diving, and social engineering (which uses the art of deception) are all active attacks.

31. What is one of the major reasons why separation of duties should be practiced?

A. Reduced cross-training
B. Legal
C. Union policies and procedures
D. To force collusion

31.Answer: D. Forcing collusion is one of the primary reasons why separation of duties should be practiced. Simply stated, collusion requires two or more employees to work together to bypass security. This means that one person working alone cannot pull off an attack. The practice of separation of duties vastly reduces this risk.

32. There are two basic types of access control policies. Which of the following describes the best approach for a CISSP?

A. Begin with deny all.
B. Allow some based on needs analysis.
C. Begin with allow all.
D. Deny some based on needs analysis.

32.Answer: A. The best access control policy is “deny all.” This strategy starts by denying all access and privileges to all employees. Then, only as required by the job needs should access and privilege be granted. Some organizations start with “allow all.” This should not be done, because it presents a huge security risk.

33. Your manager asks you to set up a fake network to identify contractors who may be poking around the network without authorization. What is this type of system called?

A. Trap-and-trace
B. Honeypot
C. Snare
D. Prison

33.Answer: B. Honeypots, which also have been expanded into honeynets, are network decoys or entire networks that are closely monitored systems. These devices allow security personnel to monitor when the systems are being attacked or probed. They can also provide advance warning of a pending attack and act as a jail until you have decided how to respond to the intruder.

34. Various operating systems such as Windows use what to control access rights and permissions to resources and objects?

A. RBAC
B. MITM
C. ABS
D. ACL

34.Answer: D. ACLs, as seen in the context of the CISSP exam, are used to set discretionary access controls. The three basic types are read, write, and execute. RBAC refers to role-based access controls, MITM is an acronym for man-in-the-middle, and ABS is simply a distracter.

35. While hanging around the watercooler, you hear that your company, Big Tex Bank and Trust, is introducing a new policy. The company will require periodic job rotation and will force all employees to use their vacation time. From a security standpoint, why is this important?

A. Job rotation is important because it reduces employee burnout.
B. Job rotation is important because employees need to be cross-trained in case of man-made or natural disasters.
C. Job rotation ensures that no one can easily commit fraud or other types of deception without risking exposure.
D. Forcing employees to use their vacation time ensures time away from work, which results in healthy, more productive employees.

35.Answer: C. Although job rotation does provide backup for key personnel and may help in all the other ways listed, its primary purpose is to prevent fraud or financial deception.

36. Your manager persists in asking you to set up a fake network to identify contractors who may be poking around the network without authorization. What is the largest legal issue with these devices?

A. Enticement
B. Federal Statute 1029
C. Entrapment
D. Liability

36.Answer: C. The legal issues surrounding honeypots include entrapment and enticement. Entrapment (inducing someone to commit an offense he or she would not otherwise have committed) is illegal and unethical, whereas enticement (merely making an attractive target available) is permissible and is typically used to gather additional information for prosecution. Answer B is incorrect because 18 U.S.C. 1029 concerns fraud involving access devices and is not the primary concern with honeypots. Answer D is incorrect because although liability is an issue, it is not the primary concern in the context of this question.

37. Your brother-in-law, Mario, is studying for the CISSP exam. He text-messages you with what he believes is an important question: What is a major disadvantage of access control lists? How will you answer him?

A. Overhead of the auditing function
B. Burden of centralized control
C. Independence from resource owners
D. Lack of centralized control

37.Answer: D. The major disadvantages of ACLs are the lack of centralized control and the fact that many OSs default to full access. This method of access control is burdened by the difficulty of implementing a robust audit function. Therefore, answers A, B, and C are incorrect.

38. Which of the following was one of the first access control models based on confidentiality?

A. Clark-Wilson
B. Biba
C. Bell-LaPadula
D. State machine

38.Answer: C. Bell-LaPadula, which was developed in the early 1970s, uses confidentiality as its basis of design. Answers A and B are integrity models and answer D is a state model that examines the state a system can enter.

39. What does TACACS+ use as its communication protocol?

A. TCP
B. UDP
C. ICMP
D. TCP and UDP

39.Answer: A. TACACS+ uses TCP port 49 for communication. The strength of TACACS+ is that it supports authentication, authorization, and accounting. Each is implemented as a separate function, which allows the organization to determine which services it wants to deploy. This makes it possible to use TACACS+ for authorization and accounting, while choosing a technology such as RADIUS for authentication.

40. Which of the following attributes does not apply to MAC?

A. Multilevel
B. Label-based
C. Universally applied
D. Discretionary

40.Answer: D. Mandatory Access Control (MAC) is enforced by the operating system rather than by the data owner. MAC’s attributes include the following: it is nondiscretionary because the policy is set centrally and cannot be altered by users; it is capable of multilevel control, because subjects and objects at different sensitivity levels coexist on one system; it is label-based because every subject carries a clearance and every object a classification label, and access is decided by comparing the two; and it is universally applied because the policy governs every object on the system. Discretionary is therefore the attribute that does not apply.
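Answers 12, 14, 18, 25, 38 and 40 describe the three access control models in words. The block below is an added example (not from the original question set) that implements the decision logic of each in a few lines: a discretionary object whose owner controls its ACL, a role-based policy where permissions attach to roles rather than users, and a mandatory check that applies the two Bell-LaPadula rules (no read up, no write down) by comparing labels. Every check starts from deny-all, as answer 32 recommends. The users, roles and levels are constructed for the example; real MAC labels also carry compartments, which are omitted here.

```python
from enum import IntEnum


class Level(IntEnum):
    """Sensitivity labels; ordering is what the Bell-LaPadula rules compare."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# ---- DAC: the owner decides who may access the object (answers 12, 18, 34) ----
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "execute"}}   # ACL entries per user

    def grant(self, grantor, user, perms) -> bool:
        """Only the owner may change the ACL; returns False when someone else tries."""
        if grantor != self.owner:
            return False
        self.acl.setdefault(user, set()).update(perms)
        return True

    def allows(self, user, perm) -> bool:
        return perm in self.acl.get(user, set())          # unlisted users get nothing (default deny)


# ---- RBAC: permissions attach to roles, users to roles (answer 14) ----
class Rbac:
    def __init__(self):
        self.role_perms = {}
        self.user_roles = {}

    def add_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def allows(self, user, perm) -> bool:
        return any(perm in self.role_perms.get(r, set()) for r in self.user_roles.get(user, ()))


# ---- MAC: Bell-LaPadula label comparison (answers 25, 38, 40) ----
def blp_allows(clearance: Level, classification: Level, op: str) -> bool:
    """Confidentiality rules: a subject may read at or below its clearance
    (simple security property) and write at or above it (*-property)."""
    if op == "read":
        return clearance >= classification    # no read up
    if op == "write":
        return clearance <= classification    # no write down
    raise ValueError(f"unknown operation {op!r}")
```

Note the asymmetry in the MAC check: a SECRET user may write into a TOP_SECRET object but not read it back, which is exactly the property that keeps confidential data from leaking downward and is why Bell-LaPadula is a confidentiality model rather than an integrity model.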

41. Which of the following is not part of physical access control?

A. CCTV
B. Mantraps
C. Data classification and labeling
D. Biometrics

41.Answer: C. CCTV, mantraps, biometrics, and badges are just some of the items that are part of physical access control. Data classification and labeling are administrative controls (and, under mandatory access control, the basis for technical enforcement), not physical ones.

42. During a weekly staff meeting, your boss reveals that some employees have been allowing other employees to use their passwords. He is determined to put a stop to this and wants you to install biometric access control systems. He has been reading up on these systems and has asked you what’s so important about the CER. How do you respond?

A. Speed typically is determined by calculating the CER.
B. The CER has to do with the customer acceptance rate, because some systems are more user-friendly than others.
C. Accuracy typically is determined by calculating the CER.
D. The CER has to do with the cost per employee, because some biometric access control systems are very good, but also very expensive.

42.Answer: C. The CER (Crossover Error Rate) is used to determine the device’s accuracy. A lower CER means that the device is more accurate. The CER is determined by mapping the point at which the FAR (False Acceptance Rate) and the FRR (False Rejection Rate) meet. The CER does not determine speed, customer acceptance, or cost per employee.
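Answers 10, 20 and 42 define FAR, FRR and the CER separately. The block below is an added example (not from the original question set) that computes all three from a set of constructed match scores and sweeps the acceptance threshold to find the crossover, so the trade-off the director is asking about can be seen numerically: raise the threshold and FRR climbs (valid users locked out, answer 20), lower it and FAR climbs (impostors admitted, answer 10). The score lists are invented for the example and are not measurements from any real device.

```python
# Constructed match scores (0-100) from a hypothetical biometric reader:
# GENUINE = enrolled users presenting themselves, IMPOSTOR = someone else.
GENUINE = [62, 70, 75, 80, 85, 88, 90, 93, 95, 98]
IMPOSTOR = [10, 20, 30, 40, 50, 55, 60, 65, 72, 78]


def far(threshold, impostor=IMPOSTOR):
    """False Acceptance Rate (Type II error): impostors whose score meets the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False Rejection Rate (Type I error): genuine users whose score falls short."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every threshold; the CER is where FAR and FRR are (closest to) equal.
    A lower CER means a more accurate device. Returns (threshold, far, frr)."""
    best = None
    for t in range(0, 101):
        f_a, f_r = far(t, impostor), frr(t, genuine)
        if best is None or abs(f_a - f_r) < abs(best[1] - best[2]):
            best = (t, f_a, f_r)
    return best


def tradeoff_table(thresholds, genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) rows for a presentation of the trade-off."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in thresholds]
```

For these scores the curves cross at a threshold of 71, where both error rates are 20%; at 60 the device admits 40% of impostors and rejects no one, at 90 it admits no impostors but rejects 60% of legitimate users.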

43. Kerberos has some features that make it a good choice for access control and authentication. One of these items is a ticket. What is a ticket used for?

A. A ticket is a block of data that allows users to prove their identity to an authentication server.
B. A ticket is a block of data that allows users to prove their identity to a service.
C. A ticket is a block of data that allows users to prove their identity to a ticket-granting server.
D. A ticket is a block of data that allows users to prove their identity to the Kerberos server.

43.Answer: B. Kerberos is a network authentication protocol that provides single sign-on service for client/server networks. A ticket is a block of data that allows users to prove their identity to a service. The ticket is valid only for a limited amount of time; letting tickets expire raises the barrier for attackers, because a stolen ticket becomes useless after a fixed period. Answer A is incorrect because the authentication server provides each client with a ticket-granting ticket (TGT). Answer C is incorrect because the ticket-granting server (TGS) issues service tickets to clients that present a valid TGT, which offloads work from the authentication server.
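Answers 8 and 43 describe the Kerberos roles in prose. The block below is an added example (not from the original question set, and not Kerberos’ real wire format or encryption types) that walks the three exchanges end to end: the AS exchange that returns a TGT, the TGS exchange that turns the TGT into a service ticket, and the AP exchange in which the service verifies the ticket with its own key and replies so that the client also authenticates the service (mutual authentication). The `seal`/`unseal` routines are a toy authenticated-encryption stand-in built from SHA-256 and HMAC; the principal names, passwords and lifetimes are constructed for the example.

```python
import hashlib
import hmac
import json
import os
import time


def derive_key(secret: str) -> bytes:
    """Long-term key from a password (toy; real Kerberos uses a salted string-to-key)."""
    return hashlib.sha256(secret.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (NOT a Kerberos enctype): keystream XOR + HMAC tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """The trusted third party: holds every principal's long-term key."""

    def __init__(self, principals: dict, lifetime: int = 300):
        self.keys = {name: derive_key(secret) for name, secret in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)       # key that protects TGTs
        self.lifetime = lifetime

    def as_exchange(self, client: str, now: int):
        """AS-REQ/AS-REP: a TGT sealed under the krbtgt key plus the session key
        sealed under the user's key. The KDC never sees the password; only a
        client holding the matching key can open its half of the reply."""
        session_key = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": session_key.hex(),
                                         "expires": now + self.lifetime})
        return tgt, seal(self.keys[client], {"key": session_key.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["expires"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or abs(now - auth["time"]) > 300:
            raise ValueError("bad authenticator")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key.hex(),
                                           "expires": now + self.lifetime})
        return ticket, seal(bytes.fromhex(t["key"]), {"service": service, "key": svc_key.hex()})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int):
    """AP-REQ/AP-REP at the service: no call to the KDC is needed, the service just
    opens the ticket with its own long-term key. Echoing the client's timestamp
    under the session key is what gives the client mutual authentication."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("service ticket expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"], seal(bytes.fromhex(t["key"]), {"time": auth["time"]})


def login_and_access(kdc: KDC, user: str, password: str, service: str, now: int = None) -> str:
    """Full client flow; returns the identity the service accepted."""
    now = int(time.time()) if now is None else now
    tgt, enc_part = kdc.as_exchange(user, now)
    session_key = bytes.fromhex(unseal(derive_key(password), enc_part)["key"])  # wrong password -> ValueError
    ticket, enc_part2 = kdc.tgs_exchange(tgt, seal(session_key, {"client": user, "time": now}), service, now)
    svc_session_key = bytes.fromhex(unseal(session_key, enc_part2)["key"])
    # The service keeps its own copy of its long-term key; here it is read from the KDC table.
    who, ap_rep = service_accept(kdc.keys[service], ticket,
                                 seal(svc_session_key, {"client": user, "time": now}), now)
    if unseal(svc_session_key, ap_rep)["time"] != now:
        raise ValueError("service failed mutual authentication")
    return who


def try_login(kdc: KDC, user: str, password: str, service: str, now: int = None) -> str:
    """Same flow, with protocol failures turned into a denial string."""
    try:
        return "accepted:" + login_and_access(kdc, user, password, service, now)
    except ValueError as e:
        return "denied:" + str(e)
```

A wrong password fails at the very first step because the client cannot open the AS reply, and a TGT presented after its lifetime is refused by the TGS: both are the properties answers 8 and 43 describe, with the KDC as the trusted third party that neither client nor service has to trust the other through.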

44. What is the best definition of identification?

A. The act of verifying your identity
B. The act of claiming a specific identity
C. The act of finding or testing the truth
D. The act of inspecting or reviewing a user’s actions

44.Answer: B. Identification is defined as the act of claiming a specific identity. Authentication is the act of verifying your identity, validation is the act of finding or testing the truth, and auditing is the act of inspecting or reviewing a user’s actions.

45. What term means that a user cannot deny a specific action because there is positive proof that he or she performed it?

A. Accountability
B. Auditing
C. Nonrepudiation
D. Validation

45.Answer: C. Nonrepudiation is closely tied to accountability. It is defined as a means to ensure that users cannot deny their actions. Therefore, nonrepudiation is what makes users accountable. Digital signatures and timestamps are two popular methods used to prove nonrepudiation. Answer A is incorrect because accountability is more closely related to activities, intrusions, events, and system conditions. Answer B is incorrect because auditing is the act of review. Answer D is incorrect because validation is more closely associated with certification and accreditation.

46. What type of cryptography does SESAME use to distribute keys?

A. Public key
B. Secret key
C. SHA hashing algorithm
D. None; it uses clear text.

46.Answer: A. SESAME uses public key cryptography to distribute secret keys. It also uses the MD5 algorithm to provide a one-way hashing function. It does not distribute keys in clear text, use SHA, or use secret key encryption.

47. Which of the following is a category of security controls that job rotation fits into?

A. Recovery
B. Corrective
C. Detective
D. Compensation

47.Answer: C. There are six categories of security controls: preventive, detective, corrective, deterrent, recovery, and compensation. Job rotation would help in the detective category because it could be used to uncover violations. It would not help in recovery, corrective, or compensation.

48. What does RADIUS use for its transport protocol?

A. UDP
B. TCP
C. TCP and UDP
D. ICMP

48.Answer: A. RADIUS (Remote Authentication Dial-in User Service) uses UDP ports 1812 and 1813. RADIUS performs authentication, authorization, and accounting for remote users. RADIUS can also use UDP 1645 for authentication and UDP 1646 for accounting. Answers B, C, and D are wrong because RADIUS does not use TCP or ICMP as a transport protocol.

49. Your coworkers are having a heated discussion about access control models and their differences. To help them move on to more productive endeavors, you offer to answer their question. Specifically, they want to know what the driving force was behind the development of the Biba model. What do you tell them?

A. The Biba model addressed the fact that the Bell-LaPadula model would allow a user with a higher security level rating to write to a subject’s information with a higher security level.
B. The Biba model addressed the fact that the Bell-LaPadula model would allow a user with a lower security level rating to write to a subject’s information with a higher security level.
C. The Biba model addressed the fact that the Clark-Wilson model would allow a user with a lower security level rating to write to a subject’s information with a lower security level.
D. The Biba model addressed the fact that the Clark-Wilson model would allow a user with a higher security level rating to write to a subject’s information with a lower security level.

49.Answer: B. The Biba model was developed in 1977 largely to address the fact that the Bell-LaPadula model allowed a user with a lower security level rating to write to a subject’s information with a higher security level. Therefore, its goal was to build in integrity by making sure that individuals could not write to a more secure (higher-level) object.

50. Which of the following access control models addresses integrity?

A. Brewer Nash
B. Biba
C. Bell-LaPadula
D. PERT

50.Answer: B. Biba is based on the concept of integrity. The Bell-LaPadula access control model is based on confidentiality. Brewer Nash was designed to protect equal competition. The Program Evaluation Review Technique (PERT) model is a program management technique.

51. What does strong authentication require?

A. Public/private keys
B. Using two different methods of identification
C. Using a method of identification from at least two of Type I, II, or III
D. Authenticating inside an encrypted tunnel

51.Answer: C. Each answer is a good authentication method, but C is the best description of two-factor authentication. Answer A describes asymmetric encryption. Answer B does not specify what types or categories are being used. Answer D could be the description of IPSec or another tunneling protocol.

52. You have a homogeneous environment with multiple application servers. Your users have been having difficulty remembering all their passwords as they complete their daily activities. What would be the best solution?

A. Lower the passwords’ complexity requirements
B. Implement harsher penalties
C. Add assisted user reset capabilities
D. Use single sign-on

52.Answer: D. Single sign-on (SSO) can be difficult in a heterogeneous environment, where not all manufacturers may support the same authentication method. But it is a great solution in a homogeneous environment, where all vendors support the same mechanism. However, the password must be complex, or you’ve given a malicious hacker a single point where he can breach your network.

53. How do you lower type 1 errors on biometric devices?

A. By increasing type 2 errors
B. By decreasing type 2 errors
C. By increasing precision
D. By decreasing CER

53.Answer: A. Type 1 errors result from rejection of authenticated persons. You lower this count by relaxing the precision of the equipment (decreasing precision), which increases type 2 errors (accepting unauthenticated persons). You stop your tuning when type 1 errors equal type 2 errors (the crossover error rate [CER]). Under no circumstances do you want to let in more unauthenticated persons, because then you risk rejecting authorized persons.

54. When you log into your remote server from home, your server sends you a nonce that you enter into a token device that you were issued when you were hired. Your token device responds with a value you enter at the prompt. What have you entered?

A. A single sign-on using synchronous authentication
B. A one-time password using synchronous authentication
C. A single sign-on using asynchronous authentication
D. A one-time password using asynchronous authentication

54.Answer: D. Your token uses the nonce to create a one-time password. This is called asynchronous authentication. Answers A, B, and C are incorrect because synchronous token authentication takes place when the token has a timing device that is in sync with a timing mechanism on the server.

55. Which of the following describes a distinction between Kerberos and SESAME?

A. Kerberos supplies SSO; SESAME does not.
B. Kerberos uses symmetric encryption; SESAME uses asymmetric encryption.
C. Kerberos can be used for nonrepudiation; SESAME cannot.
D. SESAME can be accessed using GSS-API; Kerberos cannot.

55.Answer: B. Because SESAME uses asymmetric authentication, it can be used for non-repudiation, whereas Kerberos cannot. Both Kerberos and SESAME support single sign-on (SSO), and both can be accessed by applications that use GSS-API function calls.

56. What type of physical control is a mantrap?

A. Deterrent
B. Corrective
C. Preventive
D. Detective

56.Answer: C. A mantrap is a preventive control, because it prevents the entry of unauthorized individuals. Deterrent controls slow down unauthorized behavior, corrective controls remove inappropriate actions, and detective controls discover that unauthorized behavior occurred.

57. What is the best way to store passwords?

A. In a one-way encrypted file
B. Using symmetric encryption
C. Using asymmetric encryption
D. By means of a digital signature

57.Answer: A. A one-way encrypted file is the best way to store passwords. Cryptographic solutions to accomplish this include MD5, SHA, and HAVAL. Answers B, C, and D are incorrect because symmetric, asymmetric, and digital signatures are not the preferred way of storing passwords.

58. The act of professing to be a specific user is

A. Validation
B. Authorization
C. Authentication
D. Identification

58.Answer: D. The act of professing to be a specific user is identification. It is not validation, authorization, or authentication.

59. Which of the following best describes a Zephyr chart?

A. A means of establishing the accuracy of a biometric system
B. A means of comparing different biometric systems
C. A means of comparing type II and type III authentication systems
D. A chart used to examine the accuracy of IDSs and IPSs

59.Answer: B. A Zephyr chart can be used to compare and measure different types of biometric systems. For example, consider a situation in which you are asked to compare a fingerprint scanner to a palm scanner. Answer A is incorrect because the Crossover Error Rate (CER) is better suited for that task. Answer C also refers to the CER. Answer D is incorrect because a Zephyr chart is not used for intrusion detection.

60. What is authentication?

A. Supplying a username
B. Using criteria to determine what a user can do
C. Verifying identification
D. Reviewing audit logs

60.Answer: C. Authentication can best be described as the act of verifying identity.

61. Being asked your maiden name, the city you were born in, and your pet’s name is an example of what?

A. Single sign-on (SSO)
B. Self-service password reset
C. Centralized authentication
D. Assisted passwords

61.Answer: B. The best answer is a self-service password reset. Many websites allow users to reset their passwords by supplying some basic information. This is not an example of single sign-on, centralized authentication, or assisted passwords.

62. Which of the following best describes a federated identity?

A. Simply another term for SSO
B. It is restricted to use within a specific domain or area of the network.
C. Type I authentication (something you know)
D. It is portable and can be used across business boundaries.

62.Answer: D. A federated identity is portable and can be used across business boundaries. Federated identity is not SSO or one that is restricted for use within a single domain. Federated identity also is not restricted to type I authentication.

63. Which of the following is the most accurate biometric system?

A. A CER of 1
B. A CER of 2
C. A CER of 3
D. None of the above, because CER is not a numeric rating

63.Answer: A. The lower the crossover error rate (CER), the more accurate the biometric system. Therefore, a system with a CER of 1 would be the most accurate.

64. Which type of control that includes fences, password protection, and CCTV is designed to stop an event from occurring?

A. Detective control
B. Preventive control
C. Corrective control
D. Deterrent control

64.Answer: B. Preventive systems are designed to stop an unwanted event from occurring. Detective controls are designed to discover an event. Corrective controls are designed to provide a countermeasure to the unwanted event, and deterrent controls are used for discouragement.

65. Nondiscretionary access control includes which of the following?

A. Role- and task-based
B. Rule-based and mandatory
C. Labeled and mandatory
D. None of the above, because there are no subcategories

65.Answer: A. Nondiscretionary access control includes role- and task-based mechanisms. Mandatory access controls are an example of label-based security and are not considered nondiscretionary.

66. What is a trust?

A. A one-way-only bridge established between two domains
B. A two-way-only bridge established between two domains
C. A security bridge that is established after a valid authentication
D. A security bridge that is established between two domains

66.Answer: D. A trust can be defined as a security bridge that is established between two domains. The trust can be one-way or two-way and is not restricted to either of these modes.

67. What form of authorization is closely associated with labels?

A. Rule-based access control
B. Discretionary Access Control
C. Mandatory Access Control
D. Role-based access control

67.Answer: C. Labels are associated with Mandatory Access Control (MAC). MAC is not permissive; it is considered prohibitive. MAC is more secure and less flexible than DAC; if access is not specifically granted, it is forbidden. Answers A, B, and D are not associated with labels.

68. How can a swipe card, smart card, or USB dongle be described?

A. An active token
B. A static token
C. Type I authentication
D. Type III authentication

68.Answer: B. A static token can be a swipe card, smart card, or USB token. These tokens are not active and are not considered type I (something you know) or type III (something you are) authentication.

69. The Equal Error Rate is equivalent to what?

A. The point at which false acceptance and false rejection meet
B. The crossover error rate minus 10%
C. The point at which false acceptance is at its highest and false rejection is at its lowest
D. The point at which false acceptance is at its lowest and false rejection is at its highest

69.Answer: A. The Equal Error Rate (EER) is simply another name for the Crossover Error Rate (CER). It is not the CER minus 10%, or where the FAR is lowest or highest.

70. Which of the following is the most expensive means of verifying a user’s identity?

A. Single sign-on
B. Tokens
C. Biometrics
D. Passwords

70.Answer: C. Biometric systems are the most expensive means of performing authentication. They cost more than tokens, single sign-on, or passwords.

71. Which biometric system examines the colored portion of the eye that surrounds the pupil?

A. Iris
B. Retina
C. Fovea
D. Optic disk

71.Answer: A. The optic disk and the fovea are parts of the eye, but an iris scan looks at the colored portion of the eye. A retina scan looks at the blood vessels at the back of the eye.

72. Which of the following best describes a rainbow table?

A. An attack against a biometric system
B. An attack against a fingerprint scanner
C. A table used for digital signatures
D. A table of precomputed password hashes

72.Answer: D. A rainbow table is a type of precomputed hash. It utilizes the time memory trade-off principle. It is not an attack against a biometric or fingerprint system and has nothing to do with digital certificates.

73. The ticket-granting service is a component of what?

A. TACACS
B. Kerberos
C. RADIUS
D. SESAME

73.Answer: B. The ticket-granting service is a component of Kerberos.

74. The Privilege Attribute Certificate (PAC) is a component of what?

A. TACACS
B. Kerberos
C. RADIUS
D. SESAME

74.Answer: D. SESAME uses a PAC in much the same way that Kerberos uses a key distribution center. RADIUS and TACACS do not use PACs.

75. What nontechnical attack attempts to lure the victim into giving up financial data, credit card numbers, or other types of account information?

A. Pretexting
B. Social engineering
C. Dumpster diving
D. Phishing

75.Answer: D. Phishing is a nontechnical attack that attempts to trick the victim into giving up account or password information. Pretexting is the act of using established personal information to gain access to accounts, cell phone records, or other information. Social engineering is a more general term used to describe this entire category of attacks. Dumpster diving is accomplished by means of digging through the trash.

76. War dialing is an attack that uses a wireless network.

True
False

76.Answer: False. War dialing is the act of using a phone dialer program to dial a series of numbers in search of an open modem. Some people now use VoIP for war dialing, such as the I-War tool and IAX protocol (Asterisk).

77. Encryption is an example of a technical control.

True
False

77.Answer: True. Encryption is an example of a technical control. Something like policies is an example of an administrative control, whereas a fence is a physical control.

78. Access controls should default to full access.

True
False

78.Answer: False. Access control should default to no access. You should also restrict the user to allow access to only what is needed and nothing more. As a default, no access should be provided unless a business justification can be shown as to why access should be provided.

79. TACACS is an example of centralized access technology.

True
False

79.Answer: True. TACACS, RADIUS, and Diameter are all examples of centralized access controls. For example, RADIUS is widely used by ISPs to authenticate dialup users. This central point of authentication provides an easy mechanism if users do not pay their monthly fees.

80. Kerberos addresses availability.

True
False

80.Answer: False. Although Kerberos provides single sign-on capability, it does not provide availability. Kerberos is a network authentication protocol created at the Massachusetts Institute of Technology that uses secret-key cryptography. Kerberos has three parts: a client, a server, and a trusted third party (KDC) to mediate between them. Clients obtain tickets from the Kerberos Key Distribution Center (KDC), and they present these tickets to servers when connections are established.

81. An example of an IDS engine is signature-based.

True
False

81.Answer: True. IDS engines typically include signature-based and anomaly-based engines. Valid types of IDSs include host-based and network-based. Knowing the difference between these terms is an important distinction for the exam.

82. Stateful matching is a type of signature-based IDS.

True
False

82.Answer: True. Signature-based IDSs can be pattern-matching or stateful. Pattern matching looks to map the results to a known signature. Stateful compares patterns to the user’s activities.

83. SATAN is an example of a vulnerability scanner.

True
False

83.Answer: True. SATAN was actually the first vulnerability assessment tool ever created. The cocreator was fired for releasing the program. The creator released a second tool named repent to rename the program SANTA. Although the CISSP exam is not platform-specific, you may be asked about well-known tools and open-source technologies.

84. Software faults can be uncovered with watchdog timers.

True
False

84.Answer: True. Watchdog timers can prevent timing problems, infinite loops, deadlocks, and other software issues.

85. PAP is considered a secure protocol.

True
False

85.Answer: False. Password Authentication Protocol (PAP) is not a secure protocol, because passwords are passed in clear text.

86. Diameter is not an AAA protocol.

True
False

86.Answer: False. Diameter got its name as a takeoff on RADIUS. Diameter is considered a centralized AAA protocol. Diameter was designed for all forms of remote connectivity, not just dialup.

87. Attribute value pairs are used with SESAME.

True
False

87.Answer: False. Attribute pairs are used with RADIUS. RADIUS is a UDP-based client/server protocol defined in RFCs 2058 and 2059. RADIUS provides three services: authentication, authorization, and accounting. RADIUS facilitates centralized user administration and keeps all user profiles in one location that all remote services share. SESAME is a single sign-on mechanism created in Europe.

88. A token, ticket, or key can be a capability.

True
False

88.Answer: True. A capability can be a token, ticket, or key. Capabilities define specific use. For example, a movie ticket lets the holder watch the show. As another example, before access is granted to read a file, the capability is verified.

89. MAC allows the owner to determine who has access.

True
False

89.Answer: False. MAC is mandatory access control and, as such, the user has little freedom. Therefore, in a MAC-based system, access is determined by the system rather than the user. The MAC model typically is used by organizations that handle highly sensitive data, such as the DoD, NSA, CIA, and FBI.

90. Static separation of duties is one way to restrict the combination of duties.

True
False

90.Answer: True. Static separation of duties is one way to restrict the combination of duties. This means of control is commonly found in RBAC environments. For example, the individual who initiates the payment cannot also authorize the payment.

91. Superzapping is a term that relates to data destruction.

True
False

91.Answer: False. Superzapping is a generic term that describes a program that can bypass normal security restrictions. The term is not associated with data destruction.

92. Retina scanning matches the person’s blood vessels on the back of the eye and is very accurate.

True
False

92.Answer: True. Retina scanning matches blood vessels on the back of the eye and is very accurate. Iris scanning looks at the colored portion of the eye.

93. TACACS+ supports two-factor authentication.

True
False

93.Answer: True. Terminal Access Controller Access Control System (TACACS) is available in three variations: TACACS, XTACACS (Extended TACACS), and TACACS+, which features two-factor authentication. TACACS also allows the division of the authentication, authorization, and accounting function, which gives the administrator more control over its deployment.

94. Centralized authentication allows a subject to be authenticated by a system only once and then access resource after resource repeatedly.

True
False

94.Answer: False. This is actually a description of single sign-on (SSO).

95. Tokens are an example of type II authentication.

True
False

95.Answer: True. Tokens are an example of type II authentication. Tokens, which are something you have, can be synchronous dynamic password tokens or asynchronous password devices. These devices use a challenge-response scheme and are form-factored as smart cards, USB plugs, key fobs, or keypad-based units. These devices generate authentication credentials that often are used as one-time passwords. Another great feature of token-based devices is that they can be used for two-factor authentication.

96. Keyboard dynamics is an example of type III authentication.

True
False

96.Answer: True. Keyboard dynamics is an example of type III authentication. Keyboard dynamics analyzes the speed and pattern of typing. Different biometric systems such as keyboard dynamics have varying levels of accuracy. The accuracy of a biometric device is measured by the percentage of type 1 and type 2 errors it produces.

97. Scrubbing is the act of clearing a hard drive for destruction or resale.

True
False

97.Answer: False. Scrubbing is an activity undertaken by a user to erase evidence of illegal or unauthorized acts.

98. Keystroke monitoring is a form of biometrics.

True
False

98.Answer: False. Keystroke monitoring can be used to watch employees’ activities. Keystroke monitors can be either hardware or software devices. One important issue with their use is acceptable use policies (AUPs). Users must understand that their activities can be monitored and that privacy is not implied.

99. A federated identity is an identity management system (IdM) that is considered portable.

True
False

99.Answer: True. A federated identity is an IdM that is considered portable. For example, consider someone who travels by both plane and rental car. If both the airline and the rental car company use a federated identity management system, the traveler’s authentication can be used between the two organizations.

100. Type I authentication systems typically have a clipping level set to 3.

True
False

100.Answer: True. Type I authentication systems typically have a clipping level set to 3. This limits logon attempts to three tries or successive attempts.

101. Match each attack with its definition:

A. Smurf: _____

B. LAND: _____

C. TRINOO: _____

D. SYN Attack: _____

E. Chargen: _____

F. Ping of death: _____

1. Uses two systems to bounce a continuous stream of traffic between ports 7 and 19.

2. A SYN packet that is to and from the same address and port.

3. A series of SYN packets are sent that fill the receiving buffer.

4. Uses a ping packet to broadcast addresses spoofed from the victim.

5. An early type of DDoS attack.

101.The answers are as follows:

A. Smurf: 4. Uses a ping packet to broadcast addresses spoofed from the victim. The victim is flooded with ping replies.

B. LAND: 2. Sends a spoofed SYN packet that is addressed with the target’s address and port as the source and destination.

C. TRINOO: 5. An early type of DDoS attack.

D. SYN attack: 3. Sends a rapid series of spoofed SYN packets that are designed to fill up the receiver queue.

E. Chargen: 1. Loops traffic between echo and chargen on ports 7 and 19.

F. Ping of death: 6. Sends ICMP ping packets that are at or exceed the maximum size.

Which of these is the weakest form of authentication we can implement?

The correct answer is passwords. Passwords are considered the weakest form of protection. As Type 1 authentication, passwords are poor security mechanisms for several reasons, e.g., they are commonly written down or guessed.

Which of these countermeasures would be effective against rainbow tables?

Experts say the best defense against rainbow tables is to "salt" passwords, which is the practice of appending a random value to the password before it is encrypted.

In which type of access management would we use labels for objects?

Mandatory Access Control (MAC). All users are assigned a security or clearance level. All objects are assigned a security label. Users can access only resources that correspond to a security level equal to or lower than theirs in the hierarchy.

Which type of authentication can also be used for identification?

Multi-factor authentication. Multi-Factor Authentication (MFA) is an authentication method that requires two or more independent ways to identify a user. Examples include codes generated from the user's smartphone, Captcha tests, fingerprints, voice biometrics or facial recognition.