Methodology and Systems Prep Test


1. General purpose control types include all the following except:

  A. Detective

  B. Mandatory

  C. Preventive

  D. Compensating

2. Violation reports and audit trails are examples of what type of control?

  A. Detective technical

  B. Preventive technical

  C. Detective administrative

  D. Preventive administrative

3. “A user cannot deny an action” describes the concept of

  A. Authentication

  B. Accountability

  C. Non-repudiation

  D. Plausible deniability

4. Authentication can be based on any combination of the following factors except

  A. Something you know

  B. Something you have

  C. Something you need

  D. Something you are

5. Unauthorized users that are incorrectly granted access in biometric systems are described as the

  A. False Reject Rate (Type II error)

  B. False Accept Rate (Type II error)

  C. False Reject Rate (Type I error)

  D. False Accept Rate (Type I error)

6. All the following devices and protocols can be used to implement one-time passwords except

  A. Tokens

  B. S/Key

  C. Diameter

  D. Kerberos

7. Which of the following PPP authentication protocols transmits passwords in clear text?

  A. PAP

  B. CHAP

  C. MS-CHAP

  D. FTP

8. Which of the following is not considered a method of attack against access control systems?

  A. Brute force

  B. Dictionary

  C. Denial of service

  D. Buffer overflow

9. Sensitivity labels are a fundamental component in which type of access control systems?

  A. Mandatory access control

  B. Discretionary access control

  C. Access control lists

  D. Role-based access control

10. Which of the following access control models addresses availability issues?

  A. Bell-LaPadula

  B. Biba

  C. Clark-Wilson

  D. None of the above

Answers

1. B. Mandatory. Control types identified by purpose include preventive, detective, corrective, deterrent, recovery, and compensating controls. Review “Control types.”

2. A. Detective technical. Preventive technical controls include access control mechanisms and protocols. Review of audit trails is a detective administrative control, but the actual generating of audit trails is a technical function (control). Review “Technical controls.”

3. C. Non-repudiation. Authentication and accountability are related to but aren’t the same as non-repudiation. Plausible deniability is a bogus answer. Review “Accountability.”

4. C. Something you need. The three factors of authentication are something you know, something you have, and something you are. Review “System access controls.”

5. B. False Accept Rate (Type II error). You should know the biometric error types by both descriptions. The False Reject Rate is a Type I error and describes the percentage of authorized users that are incorrectly denied access. Review “Biometrics and behavior.”

6. D. Kerberos. Kerberos is a ticket-based authentication protocol. Although the tickets that are generated are unique for every logon, Kerberos relies on shared secrets that are static. Therefore, Kerberos isn’t considered a one-time password protocol. Review these three sections: “One-time passwords,” “Tokens,” and “Single sign-on (SSO).”

7. A. PAP. The Password Authentication Protocol (PAP) transmits passwords in clear text. CHAP and MS-CHAP authenticate using challenges and responses that are calculated using a one-way hash function. FTP transmits passwords in clear text but isn’t a PPP authentication protocol. Review “Centralized access controls.”

8. C. Denial of service. The purpose of an attack against access controls is to gain access to a system. Brute force and dictionary attacks are both password cracking methods. Although commonly used in denial of service attacks, a buffer overflow attack can exploit vulnerabilities or flaws in certain applications and protocols that will allow unauthorized access. Review “Methods of attack.”

9. A. Mandatory access control. The fundamental components in discretionary access controls are file (and data) ownership and access rights and permissions. Access control lists and role-based access control are types of discretionary access control systems. Review “Access control techniques.”

10. D. None of the above. Bell-LaPadula addresses confidentiality issues. Biba and Clark-Wilson address integrity issues. Review “Access control models.”




CISSP For Dummies
ISBN: 0470537914
Year: 2004
Pages: 242