Week5 MCQ Answers PDF

Title Week5 MCQ Answers
Course Fundamentals of Computing Security
Institution Rochester Institute of Technology

Summary

Week 5 answers (CSEC102)...


Description

CSEC 102 - Information Assurance and Security, Rochester Institute of Technology - RIT Dubai Campus, Fall 2020

Week 5: Discussion Questions (NOT GRADED) Multiple-Choice Questions 1. Which one of the following is an example of a logical access control? A. Key for a lock B. Password C. Access card D. Fence

Answer: B Reference: Two Types of Access Controls Explanation: Logical access controls restrict access to a computer system or network and a password is the most common example. Physical keys, access cards, and fences are all examples of physical access controls.

2. During which phase of the access control process does the system answer the question, "What can the requestor access?" A. Identification B. Authentication C. Authorization D. Accountability

Answer: C Reference: Four-Part Access Control Explanation: During the authorization phase of access control, the system answers the questions: "What, exactly, can the requestor access?" and "What can they do?"

3. Ed wants to make sure that his system is designed in a manner that allows tracing actions to an individual. Which phase of access control is Ed concerned about? A. Identification B. Authentication C. Authorization D. Accountability

Answer: D Reference: Four-Part Access Control Explanation: The process of associating actions with users for later reporting and research is known as accountability. It ensures that a person who accesses or makes changes to data or systems can be identified.

4. The ___________ is the central part of a computing environment's hardware, software, and firmware that enforces access control. A. security kernel B. CPU C. memory D. co-processor

Answer: A Reference: The Security Kernel Explanation: The security kernel provides a central point of access control and implements the reference monitor concept. It mediates all access requests and permits access only when the appropriate rules or conditions are met.

5. Which type of authentication includes smart cards? A. Knowledge B. Ownership C. Location D. Action

Answer: B Reference: Authentication Types Explanation: Ownership authentication methods fit the criteria of "something you have." These include smart cards, keys, badges, and tokens.

6. Which one of the following is an example of two-factor authentication? A. Smart card and personal identification number (PIN) B. Personal identification number (PIN) and password C. Password and security questions D. Token and smart card

Answer: A Reference: Authentication Types Explanation: Authentication using smart cards and PINs is two-factor authentication because it combines ownership and knowledge. Using PINs, passwords, and security questions in any combination is single-factor authentication because all three are knowledge-based. Tokens and smart cards are both ownership-based.

7. Which type of password attack attempts all possible combinations of a password in an attempt to guess the correct value? A. Dictionary attack B. Rainbow table attack C. Social engineering attack D. Brute-force attack

Answer: D Reference: Authentication by Knowledge Explanation: Brute-force attacks try every possible combination of characters until the correct value is found. In practice the search is ordered, testing short or low-entropy candidates first and working toward longer, higher-entropy ones, because the keyspace grows exponentially with password length.

8. Which one of the following is NOT a commonly accepted best practice for password security? A. Use at least six alphanumeric characters. B. Do not include usernames in passwords. C. Include a special character in passwords. D. Include a mixture of uppercase characters, lowercase characters, and numbers in passwords.

Answer: A Reference: Password Account Policies Explanation: Best practices for passwords dictate the use of passwords containing at least eight alphanumeric characters; six-character passwords are insufficient to defeat modern attacks. Note that current guidance such as NIST SP 800-63B puts more weight on length and on screening against lists of known-compromised passwords than on composition rules.

9. Which characteristic of a biometric system measures the system's accuracy using a balance of different error types? A. False acceptance rate (FAR) B. False rejection rate (FRR) C. Crossover error rate (CER) D. Reaction time

Answer: C Reference: Authentication by Characteristics/Biometrics Explanation: The CER is the point at which the FAR and FRR are equal. It provides a balanced look at the accuracy of a biometric system.
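The CER described above, as an added worked example (not part of the course material): a decision threshold is swept over constructed genuine and impostor match scores, FAR and FRR are computed at each threshold, and the crossover is the threshold where they meet. The score lists and the 0..100 scale are constructed for the example, not measurements from any real biometric system.

```python
"""Added example (not from the course material): sweep a decision threshold
over constructed biometric match scores to compute the false acceptance
rate (FAR), the false rejection rate (FRR) and the crossover error rate
(CER) where the two are equal. The score lists are constructed for the
example, not measurements from a real biometric system."""
from typing import List, Optional, Tuple

# Constructed match scores on a 0..100 scale; higher means the sample looks
# more like the enrolled template.
GENUINE_SCORES: List[int] = [88, 91, 76, 95, 82, 68, 93, 85, 79, 90, 64, 87]
IMPOSTOR_SCORES: List[int] = [40, 55, 61, 30, 72, 48, 70, 52, 35, 58, 66, 44]


def far(threshold: int, impostor: List[int]) -> float:
    """False acceptance rate: share of impostor attempts scoring at or above
    the threshold (accepted when they should have been rejected)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(threshold: int, genuine: List[int]) -> float:
    """False rejection rate: share of genuine attempts scoring below the
    threshold (rejected when they should have been accepted)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine: List[int], impostor: List[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for every integer threshold on the score scale."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in range(0, 101)]


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float, float]:
    """Return (threshold, FAR, FRR) at the point where FAR and FRR are closest.
    With finite samples the two rates may never be exactly equal, so the CER
    is reported at the first threshold that minimises |FAR - FRR|."""
    best: Optional[Tuple[int, float, float]] = None
    for t, a, r in error_curve(genuine, impostor):
        if best is None or abs(a - r) < abs(best[1] - best[2]):
            best = (t, a, r)
    return best


if __name__ == "__main__":
    t, a, r = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER at threshold {t}: FAR={a:.3f} FRR={r:.3f}")
    # Raising the threshold above the CER trades more false rejections for
    # fewer false acceptances (more secure, less convenient); lowering it
    # does the opposite.
    for t in (60, 69, 80):
        print(t, f"FAR={far(t, IMPOSTOR_SCORES):.3f}", f"FRR={frr(t, GENUINE_SCORES):.3f}")
```

When comparing vendors, compare their CERs rather than a single FAR or FRR figure, since either rate alone can be driven to zero by moving the threshold.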

10. Alan is evaluating different biometric systems and is concerned that users might not want to subject themselves to retinal scans due to privacy concerns. Which characteristic of a biometric system is he considering? A. Accuracy B. Reaction time C. Dynamism D. Acceptability

Answer: D Reference: Concerns Surrounding Biometrics Explanation: The measure of user comfort is the acceptability of the system. Certain biometric measurements, such as retinal scans, are more objectionable to some users than other biometric measurements, such as signature dynamics. It's important to note that if users are not comfortable using a system, they may refuse to submit to it.

11. Which one of the following is NOT an advantage of biometric systems? A. Biometrics require physical presence. B. Biometrics are hard to fake. C. Users do not need to remember anything. D. Physical characteristics may change.

Answer: D Reference: Advantages and Disadvantages of Biometrics Explanation: The fact that physical characteristics of a user may change is a disadvantage of biometric systems because significant changes that affect the access profile will result in false rejections that require reenrollment of the user.

12. What is a single sign-on (SSO) approach that relies upon the use of key distribution centers (KDCs) and ticket-granting servers (TGSs)? A. Secure European System for Applications in a Multi-Vendor Environment (SESAME) B. Lightweight Directory Access Protocol (LDAP) C. Security Assertion Markup Language (SAML) D. Kerberos

Answer: D Reference: SSO Processes Explanation: Kerberos uses both KDCs and TGSs in the authentication and authorization process to provide legitimate users with access to systems appropriate to their authorization level.

13. Which of the following is an example of a hardware security control? A. NTFS permission B. MAC filtering C. ID badge D. Security policy

Answer: B Reference: Security Controls Explanation: Hardware controls include equipment that checks and validates IDs, such as MAC filtering on network devices, smart card use for two-step authentication, and security tokens such as radio frequency identification (RFID) tags.

14. Gary would like to choose an access control model in which the owner of a resource decides who may modify permissions on that resource. Which model fits that scenario? A. Discretionary access control (DAC) B. Mandatory access control (MAC) C. Rule-based access control D. Role-based access control (RBAC)

Answer: A Reference: Formal Models of Access Control Explanation: In a DAC system, the owner of the resource decides who gets in and changes permissions as needed. The owner can delegate that responsibility to others.

15. Tomahawk Industries develops weapons control systems for the military. The company designed a system that requires two different officers to enter their access codes before allowing the system to engage. Which principle of security is this following? A. Least privilege B. Security through obscurity C. Need to know D. Separation of duties

Answer: D Reference: Defeating Least Privilege, Separation of Duties, and Need to Know Explanation: Separation of duties is the process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task.
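The two-officer rule in question 15, as an added example (not part of the course material): a two-person control that engages only when two distinct, authorized officers have each presented a valid code within a short window. The officer identifiers, access codes and window length are constructed for the example; the hashed code store stands in for whatever credential store a real system would use.

```python
"""Added example (not from the course material): a two-person rule
implemented as a separation-of-duties check, modelled on the weapons
control scenario in question 15. Officer identifiers, access codes and the
time window are constructed for the example."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict

# Constructed credential store: officer id -> SHA-256 of that officer's code.
# A real system would keep these in a protected store with salted, slow hashes.
AUTHORIZED_OFFICERS: Dict[str, str] = {
    "officer_a": hashlib.sha256(b"alpha-2291").hexdigest(),
    "officer_b": hashlib.sha256(b"bravo-7713").hexdigest(),
}
REQUIRED_APPROVERS = 2   # the "two different officers" requirement
WINDOW_SECONDS = 30.0    # both codes must be entered within this window


def code_valid(officer: str, code: str, store: Dict[str, str] = AUTHORIZED_OFFICERS) -> bool:
    """Accept the code only for a known officer; compare in constant time so
    timing does not leak how many characters matched."""
    expected = store.get(officer)
    if expected is None:
        return False
    entered = hashlib.sha256(code.encode()).hexdigest()
    return hmac.compare_digest(entered, expected)


@dataclass
class TwoPersonControl:
    """Collects approvals and engages only when REQUIRED_APPROVERS distinct
    officers have each presented a valid code inside the window."""
    approvals: Dict[str, float] = field(default_factory=dict)  # officer -> time entered

    def submit(self, officer: str, code: str, now: float) -> str:
        """Record one entry and return the resulting state:
        'rejected' (unknown officer or bad code), 'pending' or 'engaged'."""
        if not code_valid(officer, code):
            return "rejected"
        # Discard approvals older than the window so a stale first entry
        # cannot be paired with a fresh second one.
        self.approvals = {o: t for o, t in self.approvals.items()
                          if now - t <= WINDOW_SECONDS}
        # Keyed by officer: the same person entering a code twice still
        # counts as one approver, which is the point of the control.
        self.approvals[officer] = now
        if len(self.approvals) >= REQUIRED_APPROVERS:
            self.approvals.clear()
            return "engaged"
        return "pending"


if __name__ == "__main__":
    ctl = TwoPersonControl()
    print(ctl.submit("officer_a", "alpha-2291", 0.0))   # pending
    print(ctl.submit("officer_a", "alpha-2291", 1.0))   # pending: same officer again
    print(ctl.submit("officer_b", "wrong-code", 2.0))   # rejected
    print(ctl.submit("officer_b", "bravo-7713", 3.0))   # engaged
```

The check that defeats a single rogue officer is the dictionary keyed by officer identity: a second entry from the same person overwrites the first instead of counting as a second approver.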

16. Which security model does NOT protect the integrity of information? A. Bell-LaPadula B. Clark-Wilson C. Biba D. Brewer and Nash

Answer: A Reference: Other Access Control Models Explanation: The Bell-LaPadula model focuses on the confidentiality, not the integrity, of data and helps govern access to classified information.

17. Which one of the following principles is NOT a component of the Biba integrity model? A. Subjects cannot read objects that have a lower level of integrity than the subject. B. Subjects cannot change objects that have a lower integrity level. C. Subjects at a given integrity level can call up only subjects at the same integrity level or lower. D. A subject may not ask for service from subjects that have a higher integrity level.

Answer: B Reference: Other Access Control Models Explanation: The Biba integrity model does not allow subjects to change objects that have a higher integrity level than the subject.
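The security kernel of question 4 and the two models of questions 16 and 17, as one added example (not part of the course material): a toy reference monitor that mediates every access and permits it only when both the Bell-LaPadula confidentiality rules and the Biba integrity rules allow it, logging each decision for accountability. The level names, subjects and objects are constructed for the example.

```python
"""Added example (not from the course material): a toy reference monitor,
the role the security kernel plays in question 4, enforcing the
Bell-LaPadula confidentiality rules (question 16) and the Biba integrity
rules (question 17) on every access. Levels, subjects and objects are
constructed for the example."""
from dataclasses import dataclass
from typing import List, Tuple

SECRECY = ["unclassified", "confidential", "secret", "top_secret"]  # low -> high
INTEGRITY = ["untrusted", "user", "system"]                         # low -> high


@dataclass(frozen=True)
class Label:
    secrecy: int    # index into SECRECY
    integrity: int  # index into INTEGRITY


def label(secrecy: str, integrity: str) -> Label:
    return Label(SECRECY.index(secrecy), INTEGRITY.index(integrity))


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: simple security property (no read up) and
    *-property (no write down). Confidentiality only."""
    if op == "read":
        return subject.secrecy >= obj.secrecy
    if op == "write":
        return subject.secrecy <= obj.secrecy
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba: simple integrity property (no read down) and integrity
    *-property (no write up). Integrity only."""
    if op == "read":
        return subject.integrity <= obj.integrity
    if op == "write":
        return subject.integrity >= obj.integrity
    raise ValueError(f"unknown operation {op!r}")


def biba_invocation_allows(caller: Label, callee: Label) -> bool:
    """Biba invocation property: a subject may call up only subjects at the
    same or a lower integrity level."""
    return caller.integrity >= callee.integrity


class ReferenceMonitor:
    """Every access goes through access(); it is permitted only when all
    enforced policies agree, and every decision is logged so actions can be
    traced back to a subject (accountability)."""

    def __init__(self) -> None:
        self.audit: List[Tuple[str, str, str, bool]] = []

    def access(self, subject_name: str, subject: Label,
               object_name: str, obj: Label, op: str) -> bool:
        decision = blp_allows(subject, obj, op) and biba_allows(subject, obj, op)
        self.audit.append((subject_name, object_name, op, decision))
        return decision


if __name__ == "__main__":
    analyst = label("secret", "user")
    rm = ReferenceMonitor()
    for obj_name, obj, op in [
        ("sitrep",   label("secret", "user"),             "read"),   # allowed
        ("ts_plan",  label("top_secret", "user"),         "read"),   # BLP: no read up
        ("bulletin", label("unclassified", "untrusted"),  "write"),  # BLP: no write down
        ("bulletin", label("unclassified", "untrusted"),  "read"),   # Biba: no read down
    ]:
        print(obj_name, op, rm.access("analyst", analyst, obj_name, obj, op))
    print("audit trail:", rm.audit)
```

Note that the two models pull in opposite directions on reads: BLP forbids reading up, Biba forbids reading down, so a subject that enforces both can read only objects that are no more secret and no less trustworthy than itself.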

18. Which of the following does NOT offer authentication, authorization, and accounting (AAA) services? A. Remote Authentication Dial-In User Service (RADIUS) B. Terminal Access Controller Access Control System Plus (TACACS+) C. Redundant Array of Independent Disks (RAID) D. DIAMETER

Answer: C Reference: Types of AAA Servers Explanation: RAID is a storage redundancy technology used for availability and business continuity, not an authentication, authorization, and accounting service. RADIUS, TACACS+, and DIAMETER are all AAA services.

19. What is an XML-based open standard for exchanging authentication and authorization information and is commonly used for web applications? A. Security Assertion Markup Language (SAML) B. Secure European System for Applications in a Multi-Vendor Environment (SESAME) C. User Datagram Protocol (UDP) D. Password Authentication Protocol (PAP)

Answer: A Reference: Types of AAA Servers Explanation: SAML is an open standard used for exchanging both authentication and authorization data. SAML is based on XML and was designed to support access control needs for distributed systems. SAML is often used in web application access control.

20. Which of the following is NOT a benefit of cloud computing to organizations? A. On-demand provisioning B. Improved disaster recovery C. No need to maintain a data center D. Lower dependence on outside vendors

Answer: D Reference: Cloud Computing Explanation: Cloud computing increases the need to rely upon outside vendors. Releasing private data to a cloud service provider requires some level of trust in that provider.

True/False Questions 1. A trusted operating system (TOS) provides features that satisfy specific government requirements for security. A. True B. False

Answer: A Reference: The Security Kernel

2. The four central components of access control are users, resources, actions, and features. A. True B. False

Answer: B Reference: Access Control Policies Explanation: The four central components of access control are users, resources, actions, and relationships, not features.

3. Common methods used to identify a user to a system include username, smart card, and biometrics. A. True B. False

Answer: A Reference: Methods and Guidelines for Identification

4. A dictionary attack works by hashing all the words in a dictionary and then comparing the hashed value with the system password file to discover a match. A. True B. False

Answer: A Reference: Authentication by Knowledge Explanation: This works directly against unsalted hashes, where one hash per word can be compared against every account at once. When each stored hash has its own salt, the attacker must rehash every word for every account, which is why salting defeats precomputed tables.
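The dictionary attack above, together with the brute-force attack of question 7 and the length requirement of question 8, as one added example (not part of the course material): a constructed password file is attacked with a word list, first with unsalted SHA-256 hashes and then with per-user salts, and the brute-force keyspace for six versus eight alphanumeric characters is computed. The users, passwords, salts and word list are all constructed; the fixed salts exist only to keep the example repeatable.

```python
"""Added example (not from the course material): an offline dictionary
attack against a constructed password file, run first against unsalted
SHA-256 hashes and then against per-user salted hashes, plus the
brute-force keyspace for six- versus eight-character alphanumeric passwords
(questions 7 and 8 and true/false question 4). Users, passwords, salts and
the word list are all constructed."""
import hashlib
import string
from typing import Dict, List, Tuple

WORDLIST: List[str] = ["password", "letmein", "123456", "qwerty", "welcome",
                       "summer2020", "Tr0ub4dor&3"]

# Constructed accounts; two users chose the same weak password.
ACCOUNTS: Dict[str, str] = {"alice": "welcome", "bob": "welcome",
                            "carol": "correct horse battery staple"}
# Constructed fixed salts so the example is repeatable; real systems draw
# a fresh random salt per user, e.g. os.urandom(16).
SALTS: Dict[str, bytes] = {"alice": b"\x01" * 8, "bob": b"\x02" * 8, "carol": b"\x03" * 8}


def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    return hashlib.sha256(salt + password.encode()).hexdigest()


UNSALTED_FILE: Dict[str, str] = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
SALTED_FILE: Dict[str, str] = {u: salted_hash(p, SALTS[u]) for u, p in ACCOUNTS.items()}


def dictionary_attack_unsalted(pwfile: Dict[str, str],
                               wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash every word once, then look each stored hash up in the table.
    Every account that shares a password falls to the same precomputation;
    a rainbow table is the same idea with the table built ahead of time."""
    table = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in pwfile.items() if h in table}
    return cracked, len(wordlist)          # hashes computed


def dictionary_attack_salted(pwfile: Dict[str, str], salts: Dict[str, bytes],
                             wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """With a per-user salt the precomputed table is useless: each word has
    to be rehashed for every account, so the work scales with users x words."""
    cracked: Dict[str, str] = {}
    hashes = 0
    for user, stored in pwfile.items():
        for word in wordlist:
            hashes += 1
            if salted_hash(word, salts[user]) == stored:
                cracked[user] = word
                break
    return cracked, hashes


def brute_force_keyspace(length: int,
                         alphabet: str = string.ascii_letters + string.digits) -> int:
    """Number of candidates an exhaustive search must cover for passwords
    of exactly `length` characters drawn from `alphabet`."""
    return len(alphabet) ** length


if __name__ == "__main__":
    print("unsalted:", dictionary_attack_unsalted(UNSALTED_FILE, WORDLIST))
    print("salted:  ", dictionary_attack_salted(SALTED_FILE, SALTS, WORDLIST))
    for n in (6, 8):
        print(f"{n} alphanumeric chars: {brute_force_keyspace(n):,} candidates")
```

Both attacks recover the shared weak password and neither touches the long passphrase, which is the point of true/false question 5. Going from six to eight alphanumeric characters multiplies the exhaustive search by 62 squared; production password stores additionally use a deliberately slow hash (bcrypt, scrypt or Argon2) so that each per-user guess in the salted loop costs far more than one SHA-256.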

5. Passphrases are less secure than passwords. A. True B. False

Answer: B Reference: Authentication by Knowledge Explanation: A passphrase is longer and generally harder to guess, so it's considered more secure than a password.

6. The number of failed logon attempts that trigger an account action is called an audit logon event. A. True B. False

Answer: B Reference: Authentication by Knowledge Explanation: The number of failed logon attempts that trigger an account action is called the threshold. Audit logon events provide you with a record of when every user logs on or off a computer.

7. You should use easy-to-remember personal information to create secure passwords. A. True B. False

Answer: B Reference: Authentication by Knowledge Explanation: Passwords must never use an employee's ID number, Social Security number, birth date, telephone number, or any personal information that can be easily guessed.

8. A smart card is a token shaped like a credit card that contains one or more microprocessor chips that accept, store, and send information through a reader. A. True B. False

Answer: A Reference: Authentication by Ownership

9. Voice pattern biometrics are accurate for authentication because voices can't easily be replicated by computer software. A. True B. False

Answer: B Reference: Authentication by Characteristics/Biometrics Explanation: Voice pattern biometrics are NOT considered accurate enough for authentication because voices can be replicated too easily by computer software.

10. Fingerprints, palm prints, and retina scans are types of biometrics. A. True B. False

Answer: A Reference: Authentication by Characteristics/Biometrics

11. Single sign-on (SSO) can provide for stronger passwords because with only one password to remember, users are generally willing to use stronger passwords. A. True B. False

Answer: A Reference: Advantages and Disadvantages of SSO

12. DIAMETER is a research and development project funded by the European Commission. A. True B. False

Answer: B Reference: SSO Processes Explanation: SESAME is a research and development project funded by the European Commission. DIAMETER is a type of AAA server.

13. Log files are records that detail who logged on to a system, when they logged on, and what information or resources they used. A. True B. False

Answer: A Reference: Log Files

14. A degausser creates a magnetic field that erases data from magnetic storage media. A. True B. False

Answer: A Reference: Media Disposal Requirements

15. User-based permission levels limit a person to executing certain functions and often enforce mutual exclusivity. A. True B. False

Answer: B Reference: Permission Levels Explanation: User-based permission levels are where the permissions granted to a user are often specific to that user. In this case, the rules are set according to a user ID or other unique identifier. Task-based access control limits a person to executing certain functions and often enforces mutual exclusivity.

16. Temporal isolation is commonly used in combination with rule-based access control. A. True B. False

Answer: B Reference: Mandatory Access Control (MAC) Explanation: Temporal isolation restricts access to specific times and is commonly used in combination with role-based access control, not rule-based access control.

17. Content-dependent access control requires the access control mechanism to look at the data to decide who should get to see it. A. True B. False

Answer: A Reference: Content-Dependent Access Control

18. A Chinese wall security policy defines a barrier and develops a set of rules that makes sure no subject gets to objects on the other side. A. True B. False

Answer: A Reference: Brewer and Nash Integrity Model

19. An example of a threat to access control is in a peer-to-peer (P2P) arrangement in which users share their My Documents folder with each other by accident. A. True B. False

Answer: A Reference: Threats to Access Controls

20. Terminal Access Controller Access Control System Plus (TACACS+) is an authentication server that uses client and user configuration files. A. True B. False

Answer: B Reference: Types of AAA Servers Explanation: Remote Authentication Dial-In User Service (RADIUS) is an authentication server that uses client and user configuration files. TACACS+, developed by Cisco and later documented by the Internet Engineering Task Force (IETF) in RFC 8907, uses a single configuration file....
