Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. You are working on a presentation for upper management on how a new access control system will work. What three steps do you show are necessary for access to be granted to an access control object?

  A. Authentication, repudiation, and identification

  B. Authentication, identification, and authorization

  C. Identification, repudiation, and availability

  D. Identification, authorization, and assurance

2. What advantage does a centralized access control methodology offer to security administrators?

  A. It provides a method to ensure that the authentication responsibility is broken up across multiple systems.

  B. It allows users to use a single ID and password to access all resources on the network.

  C. It provides a method to ensure that all authentication responsibility is controlled by a single system or group of systems.

  D. It allows users to use X.509 certificates to access secure Web sites via HTTP with SSL (S-HTTP).

3. The "Orange" book and "Red" book are used to rate access control systems. How does the "Red" book differ from the "Orange" book in the guidelines that it provides?

  A. The Red book provides guidelines on how to rate access control systems within operating systems.

  B. The Red book provides guidelines on how to create access control systems that work with the guidelines in the Orange book.

  C. The Red book provides guidelines on how the concepts and guidelines from the Orange book can be applied to enterprise environments.

  D. The Red book provides guidelines on how the concepts and guidelines from the Orange book can be applied to network environments.

4. When using DAC systems with ACLs, what permission or privilege gives users the ability to read and write to an access control object?

  A. Write

  B. Create

  C. Execute

  D. Modify

5. When using MAC, how is permission to access control objects controlled after a user has been authenticated?

  A. By ACLs

  B. By sensitivity levels

  C. By identification

  D. By user role

6. How does RBAC differ from DAC?

  A. RBAC requires that permissions be configured on every object and DAC does not.

  B. RBAC uses the ID of the user to help determine permissions to objects and DAC does not.

  C. RBAC uses the position of the user in the organization structure to determine permissions for objects and DAC does not.

  D. RBAC requires that every object have a sensitivity label and DAC requires that every object have an ACL.

7. The Bell-LaPadula formal model for access control is most similar to which access control model?

  A. DAC

  B. MAC

  C. RBAC

  D. Clark-Wilson access control

8. What are the three main parts of account administration within an access control system?

  A. Creation, maintenance, and destruction

  B. Creation, maintenance, and deletion

  C. Creation, policies, and destruction

  D. Creation, policies, and deletion

9. The Clark-Wilson formal access control model specifies a very important guideline related to account administration. What is this guideline and what does it mean?

  A. Principle of Least Privilege - Grant all the rights and permissions necessary to an account, but no more than what is needed.

  B. Account Administration - Work hand-in-hand with the human resources or personnel office of the company to ensure that accounts can be authorized and created when employees are hired and immediately destroyed when they are dismissed.

  C. Segregation of Duties - No single person should perform a task from beginning to end, but the task should be divided among two or more people to prevent fraud by one person acting alone.

  D. Access Control - Provide access control subjects the ability to work with access control objects in a controlled manner.

10. A MITM attack is used to hijack an existing connection. What is the principal technology behind the MITM attack that allows this to happen?

  A. Cracking

  B. Spoofing

  C. Sniffing

  D. Spamming

11. Some attackers will attempt to do a spamming attack while making it look like another system is performing the attack. This is done using open relays. What protocol is used with open relays to accomplish this attack?

  A. NNTP

  B. TCP/IP

  C. SMTP

  D. SNMP

12. In a good access control system, how are audit trails and violation reports used after it has been determined that an actual attack has occurred?

  A. Audit trails and violation reports are used to determine whether or not an attack has occurred.

  B. Audit trails and violation reports are used to track the activities that occurred during the attack.

  C. Audit trails and violation reports are used to monitor the access control system.

  D. Audit trails and violation reports are used to determine the effectiveness of penetration testing.

13. What is the most important thing that you should do prior to beginning a penetration test?

  A. Plan what type of attack you are going to perform.

  B. Enable all necessary logging to track your test.

  C. Obtain permission to perform the test.

  D. Research the techniques that you plan to use during your test.

14. You have been contracted to design and implement a new access control system. At what point during the process should you perform penetration testing against the system?

  A. During the access control system design.

  B. Before the access control system implementation.

  C. After the access control system implementation.

  D. During the entire design and implementation process.

15. While performing penetration testing against your access control system, you are successful in uncovering a vulnerability in the system. After doing some follow-up research, you determine that this vulnerability has been addressed in a security patch for the software. What should you do?

  A. Implement the patch for the software immediately to plug the hole.

  B. Test the patch for the software and then implement it as soon as possible.

  C. Wait until the next version of the software comes out which includes the security patch.

  D. Do nothing and ensure that your IDS is scanning the system with the hole.

Answers

1. ☑ Answer B is correct. These are the three steps required in any access control system in order to grant access to objects.

☒ Answer A is incorrect because it includes repudiation, which refers to the ability to prove that a specific entity performed an action; this is not a step in obtaining access to objects. Answer C is incorrect because repudiation is not a step in obtaining access to objects and neither is availability, which refers to the ability to use the access control system itself. Answer D is incorrect because assurance is the part of access control that includes confidentiality, integrity, availability, and accountability. As such, assurance is not a specific step in gaining access to an object.

2. ☑ Answer C is correct. A centralized access control methodology ensures that all authentication responsibility is controlled in a central location.

☒ Answer A is incorrect because ensuring that the authentication responsibility is broken up is the behavior of a decentralized access control methodology, not a centralized one. Answer B is incorrect because using a single ID and password to access all resources on the network is done using SSO technology, not a centralized access control methodology. Answer D is incorrect because using X.509 certificates is not a part of the centralized access control methodology.

3. ☑ Answer D is correct. The Red book provides guidelines on how to apply the information in the Orange book to network environments.

☒ Answer A is incorrect because the Orange book provides guidelines on how to rate access control systems within operating systems, not the Red book. Answer B is incorrect because the Red book does not provide guidelines on how to create access control systems. Answer C is incorrect because the Red book does not specifically provide guidelines for enterprise environments; it provides guidelines for network environments.

4. ☑ Answer D is correct. The "modify" permission allows users to both read and write to an access control object.

☒ Answer A is incorrect because the ability to write to an object does not imply the ability to read from the object. Answer B is incorrect because the ability to create new objects does not imply the ability to read or write to the new objects. Answer C is incorrect because the ability to execute an object does not imply the ability to read or write to the object.

5. ☑ Answer B is correct. Sensitivity levels such as "secret" or "top-secret" are used to control access to objects.

☒ Answer A is incorrect because ACLs are used by DAC, not MAC. Answer C is incorrect because identification is a part of the authentication process and does not control access to objects. Answer D is incorrect because user roles are used in RBAC, not MAC.

6. ☑ Answer C is correct. RBAC uses the position of the user in the organization structure, or their role, to determine the user's permissions.

☒ Answer A is incorrect because both RBAC and DAC require that every object have permissions defined. Answer B is incorrect because DAC does use the ID of the user to determine their permissions. Answer D is not correct because RBAC does not use sensitivity labels.

7. ☑ Answer B is correct. The Bell-LaPadula access control model specifies the use of sensitivity labels on every access control subject and object. MAC uses sensitivity labels in the same way.

☒ Answer A is incorrect because DAC does not use sensitivity labels as outlined in the Bell-LaPadula formal access control model. Answer C is incorrect because RBAC uses roles or positions for access control rather than sensitivity labels. Answer D is incorrect because Clark-Wilson is another formal access control model, but it is a guideline for access control relating to integrity.

8. ☑ Answer A is correct. The processes of creation, maintenance, and destruction are the three main parts of account administration.

☒ Answer B is incorrect because deletion is not necessarily a function of account administration. This is due to the fact that some access control systems do not allow for account deletion, just deactivation. Answer C is incorrect because policies are a part of access control administration, not necessarily account administration. Answer D is incorrect because policies are a part of access control administration and deletion is not necessarily a function of account administration.

9. ☑ Answer C is correct. The Clark-Wilson formal model provides guidelines related to segregation or separation of duties.

☒ Answer A is incorrect because the principle of least privilege is not part of the Clark-Wilson formal model. Answer B is incorrect because this definition is only part of the definition for account administration. Answer D is incorrect because the Clark-Wilson formal model does not define access control itself, just manners in which access controls can be employed.

10. ☑ Answer B is correct. Spoofing is used to emulate the system that either side of the connection was expecting to communicate with, while actually feeding the connection through a third system.

☒ Answer A is incorrect because while cracking may be used to access routers and so forth during a MITM attack, it is not the principal technology used to perform the attack. Answer C is incorrect because sniffing is not the principal technology used to perform the attack, although it may be used as part of the attack. Answer D is incorrect because spamming has nothing to do with MITM attacks.

11. ☑ Answer C is correct. SMTP can be used over an open relay to forward spam.

☒ Answer A is incorrect because NNTP does not use relays, although it can be used to spam a Usenet newsgroup. Answer B is incorrect because TCP/IP by itself is not able to accomplish this attack. Answer D is incorrect because SNMP is used to manage networks, not transfer mail.

12. ☑ Answer B is correct. After an attack has occurred, audit trails and violation reports can provide critical information about the nature of the attack and what was done during the attack. This is why most well-planned attacks include the removal of any known log entries that might show what happened during the attack.

☒ Answer A is incorrect because while audit trails and violation reports are used to determine whether or not an attack occurred, this is done prior to the actual determination, not after. Answer C is incorrect because audit trails and violation reports are used to monitor the access control system, but that too is done before it has been determined that an attack has occurred. Answer D is incorrect because penetration testing is a planned attack and should not be labeled as an "actual attack."

13. ☑ Answer C is correct. The most important thing to do prior to penetration testing is to obtain permission to perform the testing. Failure to do this can result in employee termination or even incarceration.

☒ Answer A is incorrect because planning is not the most important thing that needs to be done prior to beginning the test. Answer B is incorrect because enabling logging is also not the most important thing to be done prior to testing. Answer D is not correct, as researching the techniques that you plan to use is not the most important thing to do prior to performing penetration testing.

14. ☑ Answer D is correct. Penetration testing should be done during the design, implementation, and post-implementation phases of your project.

☒ Answer A is incorrect because during the design is not the only time that penetration testing should be done. Answer B is incorrect because prior to implementation is not the only time that penetration testing should be done. Answer C is incorrect because post-implementation is certainly not the best time to start performing penetration testing.

15. ☑ Answer B is correct. The patch should be implemented as soon as possible, but it is very important to perform testing first.

☒ Answer A is incorrect because any changes to your software should be tested prior to implementation. Answer C is incorrect because waiting for the next version of the software could take some time, during which you are vulnerable to attack. Answer D is incorrect because ignoring the hole leaves you vulnerable to attack even though your IDS may be scanning the system. It is always best to patch known security holes as soon as possible after appropriate testing of the patch.


SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135