Certified Information Systems Security Professional

Topic 1, Access Control

QUESTION NO: 1

A potential problem related to the physical installation of an iris scanner, with regard to the use of the iris pattern within a biometric system, is:

A. Concern that the laser beam may cause eye damage.

B. The iris pattern changes as a person grows older.

C. There is a relatively high rate of false accepts.

D. The optical unit must be positioned so that the sun does not shine into the aperture.

Answer: D

Explanation:

The optical unit of the iris pattern biometric system must be positioned so that the sun does not shine into the aperture.

Incorrect Answers:

A: Iris recognition systems do not use laser-like beams; they image the iris with near-infrared illumination and a camera.

B: With iris scans, the kind of errors that can occur during the authentication process is reduced because the iris remains constant through adulthood.

C: Extreme resistance to false matching is an advantage of iris recognition.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 191

https://en.wikipedia.org/wiki/Iris_recognition

QUESTION NO: 2

In Mandatory Access Control, sensitivity labels attached to object contain what information?

A. The item's classification

B. The item's classification and category set

C. The item's category

D. The item 's need to know

Answer: B

Explanation:

A sensitivity label is required for every subject and object when using the Mandatory Access Control (MAC) model. The sensitivity label is made up of a classification and different categories.

Incorrect Answers:

A: The item's classification on its own is incorrect. It has to have a category as well.

C: The item's category on its own is incorrect. It has to have a classification as well.

D: Need-to-know rules are applied by the categories section of the label.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 223

QUESTION NO: 3

Which of the following is true about Kerberos?

A. It utilizes public key cryptography.

B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.

C. It depends upon symmetric ciphers.

D. It is a second party authentication system.

Answer: C

Explanation:

Kerberos makes use of symmetric key cryptography and offers end-to-end security. The majority of Kerberos implementations work with shared secret keys: every principal shares one long-term key with the Key Distribution Center (KDC), and tickets and authenticators are encrypted with symmetric session keys.

Incorrect Answers:

A: Kerberos makes use of symmetric key cryptography, which does not include the use of public keys.

B: Kerberos was specifically designed to remove the need to transmit passwords over the network.

D: Kerberos is a trusted third-party service.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 782

https://en.wikipedia.org/wiki/Kerberos_(protocol)

QUESTION NO: 4

Which of the following is needed for System Accountability?

A. Audit mechanisms.

B. Documented design as laid out in the Common Criteria.

C. Authorization.

D. Formal verification of system design.

Answer: A

Explanation:

Accountability is the ability to identify users and to be able to track user actions. Through the use of audit logs and other tools the user actions are recorded and can be used at a later date to verify what actions were performed.

Incorrect Answers:

B: Common Criteria is an international standard to evaluate trust and would not be a factor in System Accountability.

C: Authorization is granting access to subjects, just because you have authorization does not hold the subject accountable for their actions.

D: Formal verification involves validating and testing highly trusted systems against their design specification. It does not, however, provide System Accountability.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 203, 248-250, 402

QUESTION NO: 5

What is Kerberos?

A. A three-headed dog from the Egyptian mythology.

B. A trusted third-party authentication protocol.

C. A security model.

D. A remote authentication dial-in user server.

Answer: B

Explanation:

Kerberos is a third-party authentication service that can be used to support SSO.

Kerberos (or Cerberus) was the name of the three-headed dog that guarded the entrance to Hades in Greek mythology.

Incorrect Answers:

A: Kerberos (or Cerberus) was the name of the three-headed dog that guarded the entrance to Hades in Greek mythology. We are, however, dealing with information systems, not mythology.

C: Kerberos is an authentication protocol, not just a security model.

D: A remote authentication dial in user server refers to RADIUS, not Kerberos.

References:

Conrad, Eric, Seth Misenar, Joshua Feldman, CISSP Study Guide, 2nd Edition, Syngress, Waltham, 2012, pp. 22, 43

QUESTION NO: 6

Kerberos depends upon what encryption method?

A. Public Key cryptography.

B. Secret Key cryptography.

C. El Gamal cryptography.

D. Blowfish cryptography.

Answer: B

Explanation:

Kerberos makes use of symmetric key cryptography and offers end-to-end security. The majority of Kerberos implementations work with shared secret keys.

Incorrect Answers:

A: Kerberos makes use of symmetric key cryptography, which does not include the use of public keys.

C: El Gamal is a public key algorithm.

D: Blowfish is an unpatented symmetric-key block cipher that is known to have a class of weak keys. It is not the encryption method Kerberos depends on.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 782, 818

https://en.wikipedia.org/wiki/Kerberos_(protocol)

http://en.wikipedia.org/wiki/Blowfish_%28cipher%29

QUESTION NO: 7

A confidential number used as an authentication factor to verify a user's identity is called a:

A. PIN

B. User ID

C. Password

D. Challenge

Answer: A

Explanation:

Personal Identification Number (PIN) is a numeric password shared between a user and a system, which can be used to authenticate the user to the system.

Incorrect Answers:

B: User ID is used for identification, not authentication.

C: A password is a word or string of characters used for user authentication.

D: Challenge-response authentication involves one party presenting a question ("challenge") and another party providing a valid answer ("response") to be authenticated. The response is not necessarily a confidential number.

References:

https://en.wikipedia.org/wiki/Personal_identification_number

https://en.wikipedia.org/wiki/Password

https://en.wikipedia.org/wiki/Challenge%E2%80%93response_authentication#Cryptographic_techniques

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 162

QUESTION NO: 8

Individual accountability does not include which of the following?

A. unique identifiers

B. policies & procedures

C. access rules

D. audit trails

Answer: B

Explanation:

Accountability would not include policies and procedures because, while they are important to an effective security program, they cannot be used to determine who performed an action.

Incorrect Answers:

A: Accountability would include unique identifiers so that you can identify the individual.

C: Accountability would include access rules to define access violations.

D: Accountability would include audit trails to be able to trace violations or attempted violations.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 248-250

QUESTION NO: 9

Which of the following exemplifies proper separation of duties?

A. Operators are not permitted to modify the system time.

B. Programmers are permitted to use the system console.

C. Console operators are permitted to mount tapes and disks.

D. Tape operators are permitted to use the system console.

Answer: A

Explanation:

Changing the system time would cause logged events to carry the wrong time. An operator could commit fraud and cover his tracks by changing the system time to make it appear as if the events happened at a different time. Ensuring that operators are not permitted to modify the system time (another person would be required to modify it) is an example of separation of duties.

The objective of separation of duties is to ensure that one person acting alone cannot compromise the company's security in any way. High-risk activities should be broken up into different parts and distributed to different individuals or departments. That way, the company does not need to put a dangerously high level of trust in certain individuals. For fraud to take place, collusion would be required, meaning more than one person would have to be involved in the fraudulent activity. A related control, job rotation, has employees work at several jobs in the business, performing each job for a relatively short period of time, so that no one person retains exclusive control of a function for long.

Incorrect Answers:

B: Programmers being permitted to use the system console is not an example of separation of duties. Separation of duties requires that another person is required to do something thus reducing the chance of fraud.

C: Console operators being permitted to mount tapes and disks is not an example of separation of duties. Separation of duties requires that another person is required to do something thus reducing the chance of fraud.

D: Tape operators being permitted to use the system console is not an example of separation of duties. Separation of duties requires that another person is required to do something thus reducing the chance of fraud.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 1235-1236

QUESTION NO: 10

An access control policy for a bank teller is an example of the implementation of which of the following?

A. Rule-based policy

B. Identity-based policy

C. User-based policy

D. Role-based policy

Answer: D

Explanation:

Role-based access control is a model where access to resources is determined by job role rather than by user account. In this question, a bank teller is a job role. Therefore, an access control policy for a bank teller is a role-based policy.

Within an organization, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. Members or staff (or other system users) are assigned particular roles, and through those role assignments acquire the computer permissions to perform particular computer-system functions. Since users are not assigned permissions directly, but only acquire them through their role (or roles), management of individual user rights becomes a matter of simply assigning appropriate roles to the user's account; this simplifies common operations, such as adding a user, or changing a user's department.

Incorrect Answers:

A: With Rule-Based Access Control, access is allowed or denied to resources based on a set of rules. The rules could be membership of a group, time of day etc. This model is not used to provide access to resources to someone performing a job role such as a bank teller.

B: Bank Teller is a job role, not an identity. In an identity-based policy, access to resources is determined by the identity of the user, not the role of the user.

C: A user-based policy would be similar to an identity-based policy whereby access to resources is determined by who the user is, not what role the user performs.

References:

http://en.wikipedia.org/wiki/Role-based_access_control
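The two questions above describe the same mechanism from two sides: permissions attach to roles such as "bank teller" rather than to users (Question 10), and separation of duties is enforced by not letting one person hold the roles that together would let them commit and conceal a fraud (Question 9). The following is an added example, not code from the CISSP guide or from any product; the role names, permission strings, user names and the particular mutually exclusive pairs are assumptions made for illustration.

```python
"""Role-based access control with a static separation-of-duties constraint.

Added example, not from the CISSP guide or any product: the roles,
permissions and user names are invented for illustration.
"""

# Permissions are attached to roles, never to users directly.
ROLE_PERMISSIONS = {
    "teller": {"account:read", "deposit:create", "withdrawal:create"},
    "supervisor": {"account:read", "withdrawal:approve", "limit:override"},
    "auditor": {"account:read", "audit_log:read"},
    "operator": {"backup:run", "tape:mount"},
    "sysadmin": {"system_time:set", "backup:run", "tape:mount"},
}

# Static separation of duties: role pairs no single user may hold together.
# A teller may not approve withdrawals, an auditor may not audit their own
# work, and the operator role deliberately lacks system_time:set, so changing
# the clock needs a second person (the sysadmin).
MUTUALLY_EXCLUSIVE_ROLES = {
    frozenset({"teller", "supervisor"}),
    frozenset({"teller", "auditor"}),
    frozenset({"sysadmin", "auditor"}),
    frozenset({"operator", "sysadmin"}),
}


class SeparationOfDutiesError(Exception):
    pass


class RbacPolicy:
    def __init__(self):
        self._user_roles = {}

    def roles_of(self, user):
        return set(self._user_roles.get(user, ()))

    def conflicting_role(self, user, role):
        """Return the role the user already holds that conflicts with `role`, or None."""
        for held in self.roles_of(user):
            if frozenset({held, role}) in MUTUALLY_EXCLUSIVE_ROLES:
                return held
        return None

    def assign_role(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        conflict = self.conflicting_role(user, role)
        if conflict is not None:
            raise SeparationOfDutiesError(
                f"{user} holds {conflict!r}; {role!r} conflicts with it")
        self._user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        self._user_roles.get(user, set()).discard(role)

    def transfer_role(self, user, old_role, new_role):
        """Move a user between roles. Revoke first so old rights do not
        accumulate; if the new role conflicts, the user ends up with neither
        (fail closed) rather than with both."""
        self.revoke_role(user, old_role)
        self.assign_role(user, new_role)

    def permissions_of(self, user):
        # Users acquire permissions only through their roles.
        return set().union(*(ROLE_PERMISSIONS[r] for r in self.roles_of(user)))

    def is_allowed(self, user, permission):
        return permission in self.permissions_of(user)


if __name__ == "__main__":
    policy = RbacPolicy()
    policy.assign_role("dana", "teller")
    print("dana may create withdrawals:", policy.is_allowed("dana", "withdrawal:create"))
    print("dana may approve withdrawals:", policy.is_allowed("dana", "withdrawal:approve"))
    print("conflict if dana also became supervisor:", policy.conflicting_role("dana", "supervisor"))
```

Administering a department change becomes a role transfer rather than an edit of individual rights, which is the centralised-management benefit the explanation describes; the mutually exclusive pairs are the separation-of-duties rule made explicit in policy rather than left to procedure.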

QUESTION NO: 11

Which one of the following authentication mechanisms creates a problem for mobile users?

A. Mechanisms based on IP addresses

B. Mechanism with reusable passwords

C. One-time password mechanism.

D. Challenge response mechanism.

Answer: A

Explanation:

Authentication mechanisms based on IP addresses are useful if a user has a fixed IP address. This could be a fixed IP address at work or even a fixed IP address at home. With authentication mechanisms based on IP addresses, a user can access a resource only from a defined IP address.

However, authentication mechanisms based on IP addresses are a problem for mobile users. This is because mobile users will connect to different networks on their travels such as different WiFi networks or different mobile networks. This means that the public IP address that the mobile user will be connecting from will change frequently.

Incorrect Answers:

B: Authentication mechanisms with reusable passwords are not a problem for mobile users. As long as the mobile user knows the password, he can access the resource.

C: One-time password authentication mechanisms are not a problem for mobile users. The mobile user will have a token device that provides the one-time password which will enable the user to access the resource.

D: Challenge response authentication mechanisms are not a problem for mobile users. As long as the user has network connectivity to the authenticating server (usually over the Internet) the challenge-response authentication will succeed.

QUESTION NO: 12

Organizations should consider which of the following first before allowing external access to their LANs via the Internet?

A. Plan for implementing workstation locking mechanisms.

B. Plan for protecting the modem pool.

C. Plan for providing the user with his account usage information.

D. Plan for considering proper authentication options.

Answer: D

Explanation:

LANs are typically protected from the Internet by firewalls. However, to allow external access to a LAN, you need to open ports on the firewall to allow the connections. With the firewall allowing external connections into the LAN, your last line of defense is authentication. You need to ensure that the remote user connecting to the LAN is who they say they are. Therefore, before allowing external access into a LAN, you should plan and implement proper authentication.

Incorrect Answers:

A: Workstation locking mechanisms are not the most important consideration when allowing external access to a LAN. Without the proper authentication mechanism in place, an intruder could connect to the LAN from an unlocked workstation.

B: Protecting the modem pool (if a modem pool is used to provide the remote access) is not the most important consideration when allowing external access to a LAN. Without the proper authentication mechanism in place, an intruder could connect to the LAN.

C: Providing the user with his account usage information is not the most important consideration when allowing external access to a LAN. Protecting LAN resources by ensuring only authorized people can connect to the LAN is far more important.

QUESTION NO: 13

Kerberos can prevent which one of the following attacks?

A. Tunneling attack.

B. Playback (replay) attack.

C. Destructive attack.

D. Process attack.

Answer: B

Explanation:

In a Kerberos implementation that is configured to use an authenticator, the user sends to the server her identification information, a timestamp and a sequence number, encrypted with the session key that they share. The server decrypts this information and compares it with the identification data the KDC placed in the ticket for this requesting user. The server allows the user access if the data matches. The timestamp (together with a cache of recently seen authenticators) is used to help fight replay attacks.

Incorrect Answers:

A: Tunneling attack is not a valid type of attack with regards to Kerberos.

C: Destructive attack is not a valid type of attack with regards to Kerberos.

D: Process attack is not a valid type of attack with regards to Kerberos.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 212
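Questions 3, 6 and 13 all turn on the same mechanics: every principal shares a symmetric long-term key with the KDC, the ticket is sealed under the service's key, the authenticator is sealed under the session key, and the service checks the authenticator's timestamp and keeps a replay cache. The following is an added example, not code from the CISSP guide or from any Kerberos implementation: it models those steps in about eighty lines so the replay check can be exercised. The principal names, the eight-hour lifetime, the password-to-key derivation and the hash-based stream cipher (standing in for Kerberos' AES encryption profiles) are all assumptions made for illustration.

```python
"""A reduced model of the Kerberos AS/TGS and AP exchanges with symmetric keys.

Added example, not from the CISSP guide or any Kerberos implementation. The
principal names, the 8-hour ticket lifetime and the hash-based stream cipher
(a stand-in for Kerberos' AES profiles) are assumptions made for illustration.
"""
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300  # seconds; the usual Kerberos tolerance for authenticator timestamps

# Constructed long-term secrets. Every principal shares one key with the KDC
# and nobody else. The user's key is derived from a password with a plain hash
# here; real Kerberos uses a salted string-to-key function.
LONG_TERM_KEYS = {
    "alice@EXAMPLE.COM": hashlib.sha256(b"alice-password").digest(),
    "host/files.example.com@EXAMPLE.COM": os.urandom(32),
}


def _keystream(key, nonce, length):
    """Hash-based keystream (a PRF in counter mode); stands in for AES."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def seal(key, fields):
    """Encrypt-then-MAC a dict under key; output is nonce || ciphertext || tag."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Verify the tag first, then decrypt; any other key or any tampering fails."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    stream = _keystream(key, nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)))


def kdc_issue(client, service, now, lifetime=8 * 3600):
    """AS and TGS steps collapsed into one: (ticket for the service, reply for the client).

    The password never crosses the network; the client proves knowledge of it
    only by being able to decrypt the reply and recover the session key.
    """
    session_key = os.urandom(32).hex()
    ticket = seal(LONG_TERM_KEYS[service],
                  {"client": client, "service": service, "key": session_key, "expires": now + lifetime})
    reply = seal(LONG_TERM_KEYS[client],
                 {"service": service, "key": session_key, "expires": now + lifetime})
    return ticket, reply


def client_ap_req(client, ticket, reply, now, seq):
    """AP-REQ: the ticket as received plus an authenticator under the session key."""
    creds = unseal(LONG_TERM_KEYS[client], reply)
    authenticator = seal(bytes.fromhex(creds["key"]),
                         {"client": client, "timestamp": now, "seq": seq})
    return ticket, authenticator


class Service:
    def __init__(self, name):
        self.name = name
        self.replay_cache = set()  # (client, timestamp, seq) of accepted authenticators

    def accept(self, ticket, authenticator, now):
        """Return (True, client principal) or (False, reason)."""
        try:
            t = unseal(LONG_TERM_KEYS[self.name], ticket)
        except ValueError:
            return False, "ticket not sealed under this service's key"
        if t["service"] != self.name or now > t["expires"]:
            return False, "ticket is for another service or has expired"
        try:
            a = unseal(bytes.fromhex(t["key"]), authenticator)
        except ValueError:
            return False, "authenticator was not made with the session key"
        if a["client"] != t["client"]:
            return False, "authenticator principal does not match ticket"
        if abs(now - a["timestamp"]) > CLOCK_SKEW:
            return False, "authenticator timestamp outside allowed clock skew"
        entry = (a["client"], a["timestamp"], a["seq"])
        if entry in self.replay_cache:
            return False, "replayed authenticator"
        self.replay_cache.add(entry)
        return True, t["client"]
```

The skew check bounds how long an intercepted AP-REQ stays usable and lets the replay cache forget entries older than the skew window; neither check alone is enough, since a sniffed authenticator replayed within five minutes passes the skew test and is only caught by the cache. Note also that the ticket itself is opaque to the client: only the service's key opens it, which is the property the certificate analogy in Question 25 rests on.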

QUESTION NO: 14

In discretionary access environments, which of the following entities is authorized to grant information access to other people?

A. Manager

B. Group Leader

C. Security Manager

D. Data Owner

Answer: D

Explanation:

Discretionary access control (DAC) enables data owners to dictate who has access to the files and resources owned by them.

Incorrect Answers:

A: In Discretionary Access Control (DAC) environments it is the data owner that is authorized to grant information access to other people, not the manager.

B: In Discretionary Access Control (DAC) environments it is the data owner that is authorized to grant information access to other people, not the group leader.

C: In Discretionary Access Control (DAC) environments it is the data owner that is authorized to grant information access to other people, not the security manager.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 220

QUESTION NO: 15

What is the main concern with single sign-on?

A. Maximum unauthorized access would be possible if a password is disclosed.

B. The security administrator's workload would increase.

C. The users' password would be too hard to remember.

D. User access rights would be increased.

Answer: A

Explanation:

A major concern with Single Sign-On (SSO) is that if a user's ID and password are compromised, the intruder would have access to all the systems that the user was authorized for.

Incorrect Answers:

B: Since the security administrator maintains one account per user rather than one per system, the security administrator's workload would decrease, not increase.

C: Since users would only have one password to remember, it would not be hard.

D: User access rights would not be any different than if they had to log into systems manually.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 207-209

QUESTION NO: 16

Who developed one of the first mathematical models of a multilevel-security computer system?

A. Diffie and Hellman.

B. Clark and Wilson.

C. Bell and LaPadula.

D. Gasser and Lipner.

Answer: C

Explanation:

The Bell-LaPadula model was the first mathematical model of a multilevel security policy used to define the concept of a secure state machine and modes of access, and outlined rules of access.

Incorrect Answers:

A: Diffie and Hellman developed the first asymmetric key agreement algorithm, not the first multilevel security policy computer system.

B: The question asks for the developers of the first mathematical models of a multilevel-security computer system. This was Bell and LaPadula, not Clark and Wilson.

D: The question asks for the developers of the first mathematical models of a multilevel-security computer system. This was Bell and LaPadula, not Gasser and Lipner.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 369, 812

QUESTION NO: 17

Which of the following attacks could capture network user passwords?

A. Data diddling

B. Sniffing

C. IP Spoofing

D. Smurfing

Answer: B

Explanation:

Password sniffing captures network traffic in the hope of recovering passwords sent in cleartext between computers.

Incorrect Answers:

A: Data diddling refers to the alteration of existing data.

C: Spoofing is forging an address and inserting it into a packet to disguise the origin of the communication - or causing a system to respond to the wrong address.

D: Smurfing would refer to the smurf attack, where an attacker sends spoofed packets to the broadcast address on a gateway in order to cause a denial of service.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 599, 1059, 1060
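What a sniffer actually recovers from a cleartext protocol is easy to see with a few reassembled payloads. The following is an added example, not code from the CISSP guide: the addresses, hostnames, usernames and passwords are constructed sample data, and the detector is the kind of logic a monitoring tool would run over captured traffic to find reusable passwords in flight.

```python
"""Detecting reusable passwords in captured cleartext traffic.

Added example, not from the CISSP guide: the addresses, hostnames and
credentials below are constructed sample payloads, as a sniffer on the same
network segment would see them after TCP stream reassembly.
"""
import base64
import re

CAPTURED_FLOWS = [
    # HTTP Basic authentication: the "encryption" is only base64 encoding.
    ("10.0.0.5:51234 -> 10.0.0.9:80",
     b"GET /admin HTTP/1.1\r\nHost: intranet.example.com\r\n"
     b"Authorization: Basic " + base64.b64encode(b"admin:P@ssw0rd") + b"\r\n\r\n"),
    # FTP control channel: USER and PASS travel as plain text.
    ("10.0.0.5:51240 -> 10.0.0.21:21",
     b"USER backup\r\nPASS nightly!2013\r\n"),
    # The start of a TLS record: the sniffer sees bytes but nothing usable.
    ("10.0.0.5:51250 -> 10.0.0.9:443",
     b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"),
]

BASIC_RE = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M | re.I)
FTP_USER_RE = re.compile(r"^USER\s+(\S+)\s*$", re.M)
FTP_PASS_RE = re.compile(r"^PASS\s+(\S+)\s*$", re.M)


def extract_credentials(flow, payload):
    """Return a list of (protocol, flow, username, password) found in one payload."""
    text = payload.decode("ascii", errors="ignore")
    found = []
    m = BASIC_RE.search(text)
    if m:
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            user, _, password = decoded.partition(":")
            found.append(("http-basic", flow, user, password))
        except ValueError:
            pass  # not valid base64 / UTF-8: leave it alone
    u, p = FTP_USER_RE.search(text), FTP_PASS_RE.search(text)
    if u and p:
        found.append(("ftp", flow, u.group(1), p.group(1)))
    return found


def sniff(flows):
    """Run the detector over every captured flow and collect the hits."""
    hits = []
    for flow, payload in flows:
        hits.extend(extract_credentials(flow, payload))
    return hits


if __name__ == "__main__":
    for proto, flow, user, password in sniff(CAPTURED_FLOWS):
        print(f"{proto:10} {flow:32} {user}:{password}")
```

The TLS flow yields nothing, which is the defensive point: a captured reusable password is only a problem when it is sent where a sniffer can read it, so the fixes are transport encryption for the protocol, or credentials that are worthless once captured (the one-time passwords of Question 22, or a Kerberos ticket rather than the password itself).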

QUESTION NO: 18

Which of the following would constitute the best example of a password to use for access to a system by a network administrator?

A. holiday

B. Christmas12

C. Jenny

D. GyN19Za!

Answer: D

Explanation:

A generally accepted minimum standard for password complexity is a minimum of eight characters, at least one uppercase letter, one lowercase letter, one digit and one symbol. "GyN19Za!" is the only option that meets all of these, so it is the best example.

Incorrect Answers:

A: This option does not satisfy the minimum complexity: it is only seven characters long and contains only lowercase letters.

B: This option does not satisfy the minimum complexity: it has uppercase, lowercase and numeric characters, but no symbol.

C: This option does not satisfy the minimum complexity: it is less than eight characters long and has no numeric or symbol characters.

References:

Miller, David R., CISSP Training Kit, O'Reilly Media, 2013, California, p. 77
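The rule set in the explanation is simple enough to encode, and doing so makes the reason each wrong option fails explicit. The following is an added example, not code from the CISSP Training Kit: the four candidates are the question's own options, the rules are exactly the minimum standard stated above, and the function names are assumptions.

```python
"""Password composition check behind the "GyN19Za!" answer.

Added example, not from the CISSP Training Kit: the candidates are the
question's options; the rule set (8+ characters, upper, lower, digit, symbol)
is the minimum standard the explanation states.
"""
import string

MIN_LENGTH = 8
CHARACTER_CLASSES = [
    ("no uppercase letter", str.isupper),
    ("no lowercase letter", str.islower),
    ("no digit", str.isdigit),
    ("no symbol", lambda c: c in string.punctuation),
]


def complexity_failures(password):
    """Return the list of rules the password fails (an empty list means it passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    for reason, has_class in CHARACTER_CLASSES:
        if not any(has_class(c) for c in password):
            failures.append(reason)
    return failures


def best_candidate(candidates):
    """Pick the candidate with the fewest failed rules; ties go to the longer one."""
    return min(candidates, key=lambda p: (len(complexity_failures(p)), -len(p)))


if __name__ == "__main__":
    for option in ["holiday", "Christmas12", "Jenny", "GyN19Za!"]:
        print(f"{option:12} {complexity_failures(option) or 'passes'}")
```

One caveat a practitioner would add: composition rules of this kind are the 2013-era minimum the question tests, not current best practice. NIST SP 800-63B recommends against mandatory composition rules in favour of a length minimum, a check against lists of compromised passwords, and rate limiting, because rules like these push users toward predictable patterns such as "Christmas12!".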

QUESTION NO: 19

What physical characteristic does a retinal scan biometric device measure?

A. The amount of light reaching the retina

B. The amount of light reflected by the retina

C. The pattern of light receptors at the back of the eye

D. The pattern of blood vessels at the back of the eye

Answer: D

Explanation:

A Retina Scan is a biometric system that scans the blood-vessel pattern of the retina on the backside of the eyeball.

Incorrect Answers:

A: Retina Scans do not measure the amount of light reaching the retina, but scans the blood-vessel pattern of the retina on the backside of the eyeball.

B: Retina Scans do not measure the amount of light reflected by the retina, but scans the blood-vessel pattern of the retina on the backside of the eyeball.

C: Retina Scans do not measure the pattern of light receptors at the back of the eye, but scans the blood-vessel pattern of the retina on the backside of the eyeball.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 191

QUESTION NO: 20

The Computer Security Policy Model the Orange Book is based on is which of the following?

A. Bell-LaPadula

B. Data Encryption Standard

C. Kerberos

D. Tempest

Answer: A

Explanation:

The Orange Book used the Bell-LaPadula Computer Security Policy model as a comparative evaluation for all systems.

Incorrect Answers:

B: The Data Encryption Standard (DES) is a cryptographic algorithm, not a Computer Security Policy model.

C: Kerberos is an authentication protocol, not a Computer Security Policy model.

D: TEMPEST is related to limiting the electromagnetic emanations from electronic equipment.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 209, 254, 402, 800
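Questions 2, 16 and 20 share one object: the sensitivity label of classification plus category set, and the Bell-LaPadula rules that compare two labels. The comparison is "dominance": a subject's label dominates an object's label when its classification is at least as high and its categories are a superset of the object's. "No read up" and "no write down" are then one-line checks. The following is an added example, not code from the CISSP guide or from any MAC implementation; the classification ladder and the category names NUCLEAR and CRYPTO are assumptions made for illustration.

```python
"""Sensitivity labels and Bell-LaPadula dominance.

Added example, not from the CISSP guide: the classification ladder and the
category names (NUCLEAR, CRYPTO) are assumptions for illustration.
"""
from dataclasses import dataclass

CLASSIFICATIONS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class SensitivityLabel:
    """A MAC label: one classification plus a set of categories (compartments)."""
    classification: str
    categories: frozenset = frozenset()

    def __post_init__(self):
        if self.classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown classification {self.classification!r}")
        # Accept any iterable of categories but store it immutably.
        object.__setattr__(self, "categories", frozenset(self.categories))

    def dominates(self, other):
        """self >= other: classification at least as high AND a superset of categories."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and other.categories <= self.categories)

    def __str__(self):
        cats = ",".join(sorted(self.categories)) or "-"
        return f"{self.classification} {{{cats}}}"


def may_read(subject, obj):
    """Simple security property: no read up (the subject must dominate the object)."""
    return subject.dominates(obj)


def may_write(subject, obj):
    """*-property: no write down (the object must dominate the subject)."""
    return obj.dominates(subject)


if __name__ == "__main__":
    subject = SensitivityLabel("SECRET", {"NUCLEAR"})
    for obj in [SensitivityLabel("SECRET", {"NUCLEAR"}),
                SensitivityLabel("SECRET", {"CRYPTO"}),
                SensitivityLabel("CONFIDENTIAL"),
                SensitivityLabel("TOP SECRET", {"NUCLEAR", "CRYPTO"})]:
        print(f"{subject} -> {obj}: read={may_read(subject, obj)} write={may_write(subject, obj)}")
```

The second case in the demo is the one Question 2 is really about: two labels at the same classification but with different categories do not dominate each other, so a SECRET/NUCLEAR subject cannot read a SECRET/CRYPTO object. The category set is where need-to-know lives; classification alone cannot express it.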

QUESTION NO: 21

The end result of implementing the principle of least privilege means which of the following?

A. Users would get access to only the info for which they have a need to know

B. Users can access all systems.

C. Users get new privileges added when they change positions.

D. Authorization creep.

Answer: A

Explanation:

Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more.

Incorrect Answers:

B: Least privilege means an individual should have just enough permissions and rights to fulfill his role in the company and no more. Not all users in an organization require access to all systems.

C: The principle of least privilege would require that the rights required for the position be closely evaluated and where possible rights revoked.

D: Authorization creep occurs when users are given additional rights with new positions and responsibilities. The principle of least privilege should actually prevent authorization creep.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 281, 1236

https://en.wikipedia.org/wiki/Principle_of_least_privilege

QUESTION NO: 22

Which of the following is the most reliable authentication method for remote access?

A. Variable callback system

B. Synchronous token

C. Fixed callback system

D. Combination of callback and caller ID

Answer: B

Explanation:

A synchronous token generates a one-time password that is only valid for a short period of time. Once the password is used it is no longer valid, and it expires if not entered within the acceptable time frame.

Incorrect Answers:

A: Although variable callback systems are more flexible than fixed callback systems, the system still assumes that whoever answers at the callback number is the claimed individual unless two-factor authentication is also implemented.

C: A fixed callback system authenticates a location rather than a person; anyone at that location can pose as the user. The number itself can also be spoofed by configuring call forwarding.

D: The caller ID and callback functionality provides greater confidence and auditability of the caller's identity. However, unless combined with strong authentication, any individual at the location could obtain access.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 196, 696

https://technet.microsoft.com/en-us/library/cc778189(v=ws.10).aspx
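The properties the explanation lists for a synchronous token (a code valid only for a short window, usable only once) come from how the token and the server derive the same code from a shared secret and the current time step. The following is an added example, not code from the CISSP guide or from any vendor's token: it implements HOTP and TOTP as specified in RFC 4226 and RFC 6238 with the standard library, plus a server-side verifier that accepts one step of clock drift and refuses any code at or below the last step already used. The 20-byte secret in the test is the RFCs' published test key, not a production value.

```python
"""Synchronous (time-based) one-time password generation and verification.

Added example, not from the CISSP guide or any vendor token: HOTP and TOTP
follow RFC 4226 / RFC 6238; the verifier's window and replay rule are the
usual server-side choices, written out here for illustration.
"""
import hashlib
import hmac
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time step (30 s by default)."""
    return hotp(secret, int(unix_time // step), digits)


class TotpVerifier:
    """Server side: accept each code at most once, within a small clock-drift window."""

    def __init__(self, secret, step=30, window=1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1  # highest time step already consumed by this user

    def verify(self, code, unix_time=None):
        now = time.time() if unix_time is None else unix_time
        current = int(now // self.step)
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue  # already used, or older than a step already used: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test key
    verifier = TotpVerifier(secret)
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 60))
```

Two details matter for the "most reliable" claim in the answer. The comparison uses hmac.compare_digest so a server does not leak which digits matched through timing, and the verifier tracks the last consumed step rather than a set of seen codes, which is what makes a sniffed OTP worthless after its first use even if the attacker replays it within the same 30-second step.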

QUESTION NO: 23

Which of the following is true of two-factor authentication?

A. It uses the RSA public-key signature based on integers with large prime factors.

B. It requires two measurements of hand geometry.

C. It does not use single sign-on technology.

D. It relies on two independent proofs of identity.

Answer: D

Explanation:

There are three general factors that are used for authentication:

  • Something a person knows.

  • Something a person has.

  • Something a person is.

Two-factor authentication requires two of the three factors to be part of authentication process.

Incorrect Answers:

A: RSA encryption uses integers with exactly two prime factors, but the term "two-factor authentication" is not used in that context.

B: Measuring hand geometry twice only provides one factor.

C: Single sign-on (SSO) technology allows a user to enter their credentials once to gain access to multiple systems. Two-factor authentication could be used for SSO, not the other way around.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 162, 163, 207, 815

QUESTION NO: 24

The primary service provided by Kerberos is which of the following?

A. non-repudiation

B. confidentiality

C. authentication

D. authorization

Answer: C

Explanation:

Kerberos is a third-party authentication service that can be used to support SSO.

Incorrect Answers:

A: Non-repudiation provides assurance that a specific user performed a specific transaction that did not change. It is not, however, the primary service provided by Kerberos.

B: Confidentiality strives to prevent unauthorized read access to data. It is not, however, the primary service provided by Kerberos.

D: Authorization refers to the actions you are allowed to carry out on a system after identification and authentication has taken place. It is not, however, the primary service provided by Kerberos.

References:

Conrad, Eric, Seth Misenar, Joshua Feldman, CISSP Study Guide, 2nd Edition, Syngress, Waltham, 2012, pp. 12, 14, 15, 43

QUESTION NO: 25

There are parallels between the trust models in Kerberos and Public Key Infrastructure (PKI). When we compare them side by side, Kerberos tickets correspond most closely to which of the following?

A. public keys

B. private keys

C. public-key certificates

D. private-key certificates

Answer: C

Explanation:

"Public key" here describes a system that uses certificates and the underlying public key cryptography on which such a system is based.

In the traditional public key model, clients are issued credentials or "certificates" by a Certificate Authority (CA). The CA is a trusted third party. Public key certificates contain the user's name, the expiration date of the certificate etc. The most common certificate format is X.509. Public key credentials in the form of certificates and public-private key pairs can provide a strong distributed authentication system.

The Kerberos and public key trust models are very similar. A Kerberos ticket is analogous to a public key certificate: both are credentials issued by a trusted third party (the KDC or the CA) that a subject presents to gain access to resources. However, Kerberos tickets usually have lifetimes measured in hours, or at most days, rather than the months or years typical of certificates.

Incorrect Answers:

A: Kerberos tickets do not actually contain public keys. They use symmetric cryptography which uses one shared key instead of asymmetric cryptography which uses public-private key pairs.

B: Kerberos tickets do not contain private keys. They use symmetric cryptography which uses one shared key instead of asymmetric cryptography which uses public-private key pairs.

D: There is no such thing as a private-key certificate. A certificate binds a public key to an identity and is distributed freely; the private key is kept secret by its holder and is never placed in a certificate. It is the public key certificate that a subject presents to gain access to a resource, in the same way a Kerberos ticket is presented.

References:

Tipton, Harold F. and Micki Krause, Information Security Management Handbook, 5th Edition, Auerbach Publications, Boca Raton, 2006, p. 1438

QUESTION NO: 26

Which of the following security control is intended to avoid an incident from occurring?

A. Deterrent

B. Preventive

C. Corrective

D. Recovery

Answer: B

Explanation:

Preventive controls stop actions from taking place. It applies restrictions to what a possible user can do, whether the user is authorized or unauthorized.

Incorrect Answers:

A: Deterrent controls discourage users from performing actions on a system.

C: Corrective controls deal with correcting a damaged system or process after an incident has occurred.

D: Recovery controls may be required to restore functionality of the system and organization subsequent to a security incident taking place.

References:

Conrad, Eric, Seth Misenar, Joshua Feldman, CISSP Study Guide, 2nd Edition, Syngress, Waltham, 2012, pp. 27, 28

QUESTION NO: 27

Which of the following was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support?

A. SESAME

B. RADIUS

C. KryptoKnight

D. TACACS+

Answer: A

Explanation:

Secure European System for Applications in a Multi-vendor Environment (SESAME) was developed to address some of the weaknesses in Kerberos and uses public key cryptography for the distribution of secret keys and provides additional access control support.

Incorrect Answers:

B: RADIUS is a network protocol that provides client/server authentication, authorization and accounting for remote users. It was not developed to address weaknesses in Kerberos.

C: KryptoKnight provides authentication and key distribution services to applications and communicating entities in a network environment. It was not developed to address some of the weaknesses in Kerberos.

D: TACACS+ is a network protocol that allows for client/server authentication and authorization. It was not developed to address some of the weaknesses in Kerberos.

References:

Harris, Shon, All-in-One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 214, 234-236

http://www.eurecom.fr/~nsteam/Papers/kryptoknight.pdf

QUESTION NO: 28

Single Sign-on (SSO) is characterized by which of the following advantages?

A. Convenience

B. Convenience and centralized administration

C. Convenience and centralized data administration

D. Convenience and centralized network administration

Answer: B

Explanation:

Single sign-on allows users to type their passwords only once when they first log in to access all the network resources. This makes SSO convenient.

Single Sign-on allows a single administrator to add and delete accounts across the entire network from one user interface, providing centralized administration.

Incorrect Answers:

A: Single Sign-on does offer convenience, but it also offers centralized administration, making option B a more suitable answer.

C: Centralized data administration is not an advantage of Single Sign-on.

D: Centralized network administration is not an advantage of Single Sign-on.

References:

Conrad, Eric, Seth Misenar, Joshua Feldman, CISSP Study Guide, 2nd Edition, Syngress, Waltham, 2012, p. 42

QUESTION NO: 29

What is the primary role of smartcards in a PKI?

A. Transparent renewal of user keys

B. Easy distribution of the certificates between the users

C. Fast hardware encryption of the raw data

D. Tamper resistant, mobile storage and application of private keys of the users

Answer: D

Explanation:

A smart card, which includes the ability to process data stored on it, can also deliver two-factor authentication, as the user may have to enter a PIN to unlock the card. The authentication can then be completed by generating an OTP, by computing a challenge/response value, or by signing with the user's private key if the card is used within a PKI environment. The private key is generated on, or loaded into, the card and never leaves it; signing and decryption happen on the card itself. The fact that the memory of a smart card is not readable until the correct PIN is entered, together with the complexity of the card's hardware, makes these cards resistant to reverse-engineering and tampering.

Incorrect Answers:

A: Transparent renewal of user keys is not the primary role of smartcards in a PKI.

B: Easy distribution of the certificates between the users is not the primary role of smartcards in a PKI.

C: Fast hardware encryption of the raw data is not the primary role of smartcards in a PKI.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 200-201

QUESTION NO: 30

What kind of certificate is used to validate a user identity?

A. Public key certificate

B. Attribute certificate

C. Root certificate

D. Code signing certificate

Answer: A

Explanation:

In cryptography, a public key certificate (or identity certificate) is an electronic document which incorporates a digital signature to bind together a public key with an identity — information such as the name of a person or an organization, their address, and so forth. The certificate can be used to verify that a public key belongs to an individual.

Incorrect Answers:

B: In computer security, an authorization certificate (also known as an attribute certificate) is a digital document that describes a written permission from the issuer to use a service or a resource that the issuer controls or has access to use.

C: A root certificate is an unsigned or a self-signed public key certificate that identifies the Root Certificate Authority (CA).

D: Code signing digitally signs executables and scripts to verify the software author and guarantee that the code has not been changed or tainted since it was signed by use of a cryptographic hash.

References:

http://en.wikipedia.org/wiki/Attribute_certificate

http://en.wikipedia.org/wiki/Public_key_certificate

https://en.wikipedia.org/wiki/Root_certificate

https://en.wikipedia.org/wiki/Code_signing

QUESTION NO: 31

Which of the following is NOT a security characteristic we need to consider while choosing a biometric identification system?

A. data acquisition process

B. cost

C. enrollment process

D. speed and user interface

Answer: B

Explanation:

The cost of the biometric identification system is a financial consideration, not a security consideration.

The data acquisition process refers to how a user's biometric data will be acquired: will you use a fingerprint scan, a retina scan, a palm scan, etc.? This is an obvious security characteristic to be considered while choosing a biometric identification system.

The enrollment process refers to how the user’s biometric data will be initially acquired and the data stored as a template for comparison for future identifications. This is also a security characteristic to be considered while choosing a biometric identification system.

The speed and user interface are security characteristics to be considered while choosing a biometric identification system. You need a biometric identification system that does not keep the user waiting before being identified and authenticated. The user interface for a biometric identification system should include instructional and feedback aspects that would enable users to use the system effectively without assistance.

Incorrect Answers:

A: The data acquisition process refers to how a user’s biometric data will be acquired. This is a security characteristic to be considered while choosing a biometric identification system.

C: The enrollment process is a security characteristic to be considered while choosing a biometric identification system.

D: The speed and user interface are security characteristics to be considered while choosing a biometric identification system.

QUESTION NO: 32

In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on physical attributes of a person. This raised the necessity of answering two questions:

A. what was the sex of a person and his age

B. what part of body to be used and how to accomplish identification that is viable

C. what was the age of a person and his income level

D. what was the tone of the voice of a person and his habits

Answer: B

Explanation:

When it became apparent that truly positive identification could only be based on physical attributes of a person, two questions had to be answered. First, what part of body could be used? Second, how could identification be accomplished with sufficient accuracy, reliability and speed so as to be viable?

Because most identity authentication requirements take place when people are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are the hands, face and eyes.

Incorrect Answers:

A: The sex of a person and his age are not considered in biometric identification systems.

C: The age of a person and his income level are not considered in biometric identification systems.

D: The tone of the voice of a person and his habits are not considered in biometric identification systems.

References:

Tipton, Harold F. and Micki Krause, Information Security Management Handbook, 5th Edition, Auerbach Publications, Boca Raton, 2006, p. 62

QUESTION NO: 33

In biometric identification systems, the parts of the body conveniently available for identification are:

A. neck and mouth

B. hands, face, and eyes

C. feet and hair

D. voice and neck

Answer: B

Explanation:

Because most identity authentication takes place when people are fully clothed (neck to feet and wrists), the parts of the body conveniently available for this purpose are the hands, face, and eyes.

Incorrect Answers:

A: The neck is not convenient as it can be covered.

C: The feet normally have shoes on and are therefore not convenient.

D: The neck is not convenient as it can be covered.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 187-192

QUESTION NO: 34

Controlling access to information systems and associated networks is necessary for the preservation of their:

A. Authenticity, confidentiality and availability

B. Confidentiality, integrity, and availability

C. Integrity and availability

D. Authenticity, confidentiality, integrity and availability

Answer: B

Explanation:

Information security is made up of the following main attributes:

  • Availability - Prevention of loss of, or loss of access to, data and resources

  • Integrity - Prevention of unauthorized modification of data and resources

  • Confidentiality - Prevention of unauthorized disclosure of data and resources

Incorrect Answers:

A: Authenticity is an attribute that stems from the three main attributes.

C: Information security is made up of three main attributes, which includes confidentiality.

D: Authenticity is an attribute that stems from the three main attributes.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 298-299

QUESTION NO: 35

To control access by a subject (an active entity such as an individual or process) to an object (a passive entity such as a file) involves setting up:

A. Access Rules

B. Access Matrix

C. Identification controls

D. Access terminal

Answer: A

Explanation:

Rule-based access control makes use of explicit rules that specify what can and cannot happen between a subject and an object.

Incorrect Answers:

B: An access control matrix is a table of subjects and objects specifying the actions individual subjects can take upon individual objects.

C: Identification is a mechanism that falls under the Technical controls banner.

D: Access terminal refers to the workstation that allows access.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 28, 227-229

QUESTION NO: 36

In Rule-Based Access Control (RuBAC), access is determined by rules. Such rules would fit within what category of access control?

A. Discretionary Access Control (DAC)

B. Mandatory Access control (MAC)

C. Non-Discretionary Access Control (NDAC)

D. Lattice-based Access control

Answer: C

Explanation:

Rule-based access control is considered nondiscretionary because the users cannot make access decisions based upon their own discretion.

Incorrect Answers:

A: Discretionary Access Control (DAC) allows data owners to dictate what subjects have access to the files and resources they own.

B: Mandatory Access Control is considered nondiscretionary and is based on a security label system.

D: Lattice-based Access Control is a label-based access control model, also described as a rule-based access control restriction.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 220-228

https://en.wikipedia.org/wiki/Lattice-based_access_control

QUESTION NO: 37

The type of discretionary access control (DAC) that is based on an individual's identity is also called:

A. Identity-based Access control

B. Rule-based Access control

C. Non-Discretionary Access Control

D. Lattice-based Access control

Answer: A

Explanation:

An identity-based access control is a type of Discretionary Access Control (DAC) that is based on an individual's identity.

Incorrect Answers:

B: Rule-based Access control is based on rules.

C: Non-Discretionary Access Control does not allow access based on discretion.

D: Lattice-based Access control is a type of label-based mandatory access control model.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 220-228

https://en.wikipedia.org/wiki/Lattice-based_access_control

QUESTION NO: 38

Which access control type has a central authority that determines which objects the subjects have access to, based on role or on the organizational security policy?

A. Mandatory Access Control

B. Discretionary Access Control

C. Non-Discretionary Access Control

D. Rule-based Access control

Answer: C

Explanation:

Non-discretionary access control is when the system administrator or a single management body within an organization centrally controls access to all resources for everybody on a network. This type of access control can be role based or rule based, as both of these prevent users from making access decisions based upon their own discretion.

Incorrect Answers:

A: Mandatory Access Control is based on a security label system.

B: Discretionary Access control is based on identity.

D: Rule Based Access Control is based on rules.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 220-228

http://www.answers.com/Q/What_is_Non_discretionary_access_control

https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems#Non_Discretionary_or_Role_Based_Access_Control

QUESTION NO: 39

Which of the following control pairings include: organizational policies and procedures, pre-employment background checks, strict hiring practices, employment agreements, employee termination procedures, vacation scheduling, labeling of sensitive materials, increased supervision, security awareness training, behavior awareness, and sign-up procedures to obtain access to information systems and networks?

A. Preventive/Administrative Pairing

B. Preventive/Technical Pairing

C. Preventive/Physical Pairing

D. Detective/Administrative Pairing

Answer: A

Explanation:

Preventive administrative controls are management policies and procedures designed to protect against unwanted employee behavior. This includes separation of duties, business continuity and DR planning/testing, proper hiring practices, and proper processing of terminations. It also includes security policy, information classification, personnel procedures, and security-awareness training.

Incorrect Answers:

B: Technical controls, which are also known as logical controls, are software or hardware components, such as firewalls, IDS, encryption, identification and authentication mechanisms.

C: Physical controls are items put into place to protect facility, personnel, and resources. These include guards, locks, fencing, and lighting.

D: Detective/Administrative controls include monitoring and supervising, job rotation, and investigations.

References:

http://www.brighthub.com/computing/smb-security/articles/2388.aspx

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 28-33

QUESTION NO: 40

Technical controls such as encryption and access control can be built into the operating system, be software applications, or can be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing?

A. Preventive/Administrative Pairing

B. Preventive/Technical Pairing

C. Preventive/Physical Pairing

D. Detective/Technical Pairing

Answer: B

Explanation:

Technical controls, which are also known as logical controls, are software or hardware components, such as firewalls, IDS, encryption, identification and authentication mechanisms. Preventive/Technical controls include the following:

  • Passwords, biometrics, smart cards

  • Encryption, secure protocols, call-back systems, database views, constrained user interfaces

  • Antimalware software, access control lists, firewalls, intrusion prevention

Incorrect Answers:

A: Technical controls are also known as logical controls, not Administrative controls.

C: Technical controls are also known as logical controls, not Physical controls.

D: Detective/Technical controls include Audit logs and IDS.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, pp. 28-33

QUESTION NO: 41

What is the term for the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources?

A. Micrometrics

B. Macrometrics

C. Biometrics

D. MicroBiometrics

Answer: C

Explanation:

Some biometric systems base authentication decisions on physical attributes such as iris, retina, or fingerprints.

Incorrect Answers:

A: Micrometrics is a business term used for measures that support the improvement and management of a particular project, program or initiative.

B: Macrometrics is a business term used for the overall organization or cross-functional metrics used to drive strategy.

D: MicroBiometrics is not a technology that uses fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources.

References:

Harris, Shon, All In One CISSP Exam Guide, 6th Edition, McGraw-Hill, 2013, p. 187

http://www.humanresourcesiq.com/hr-technology/columns/macro-vs-micro-metrics/
