CISSP Prep- Access Control Questions
-
A preliminary step in managing resources is:
-
Conducting a risk analysis
-
Defining who can access a given system or information
-
Performing a business impact analysis
-
Obtaining top management support
-
This CISSP Prep- Access Control Questions quiz assesses knowledge on managing and securing access to resources. It covers defining access permissions, understanding different types of access controls, and the role of least privilege in security protocols.
Quiz Preview
- 2.
Which best describes access controls?
-
Access controls are a collection of technical controls that permit access to authorized users, systems, and applications.
-
Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved.
-
Access control is the employment of encryption solutions to protect authentication information during log-on.
-
Access controls help protect against vulnerabilities by controlling unauthorized access to systems and information by employees, partners, and customers.
Correct Answer
A. Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved.Explanation
Access controls are a set of technical measures that allow authorized users, systems, and applications to access resources. These controls are designed to protect against threats and vulnerabilities by limiting exposure to unauthorized activities and granting access to information and systems only to approved individuals. By implementing access controls, organizations can effectively manage and control access to their systems and information, reducing the risk of unauthorized access and potential security breaches.Rate this question:
-
- 3.
----------- requires that a user or process be granted access to only those resources necessary to perform assigned functions. resources necessary to perform assigned functions.
-
Discretionary access control
-
Separation of duties
-
Least privilege
-
Rotation of duties
Correct Answer
A. Least privilegeExplanation
Least privilege is a principle that ensures that a user or process is only given access to the resources that are necessary for them to perform their assigned functions. This principle helps to minimize the potential damage that can be caused by unauthorized access or misuse of resources. By granting the least amount of privileges necessary, organizations can reduce the risk of unauthorized access and limit the potential impact of any security breaches.Rate this question:
-
- 4.
What are the seven main categories of access control?
-
Detective, corrective, monitoring, logging, recovery, classifi cation, and directive
-
Directive, deterrent, preventative, detective, corrective, compensating, and recovery
-
Authorization, identifi cation, factor, corrective, privilege, detective, and directive
-
Identifi cation, authentication, authorization, detective, corrective, recovery, and directive
Correct Answer
A. Directive, deterrent, preventative, detective, corrective, compensating, and recovery -
- 5.
What are the three types of access control?
-
Administrative, physical, and technical
-
Identifi cation, authentication, and authorization
-
Mandatory, discretionary, and least privilege
-
Access, management, and monitoring
Correct Answer
A. Administrative, physical, and technicalExplanation
The three types of access control are administrative, physical, and technical. Administrative access control involves the policies and procedures that determine who has access to certain resources and what actions they are allowed to perform. Physical access control involves physical measures such as locks, badges, and security guards to control access to physical spaces. Technical access control involves the use of technology such as firewalls, encryption, and authentication mechanisms to control access to computer systems and networks.Rate this question:
-
- 6.
Which approach revolutionized the process of cracking passwords?
-
Brute force
-
Rainbow table attack
-
Memory tabling
-
One-time hashing
Correct Answer
A. Rainbow table attackExplanation
The correct answer is Rainbow table attack. A rainbow table attack is a method of cracking passwords by precomputing and storing the hash values of all possible passwords. This allows for quick lookup and comparison, significantly speeding up the process of cracking passwords compared to traditional brute force methods.Rate this question:
-
- 7.
What best describes two-factor authentication?
-
Something you know
-
Something you have
-
Something you are
-
A combination of two listed above
Correct Answer
A. A combination of two listed aboveExplanation
Two-factor authentication is a security measure that requires the user to provide two different forms of identification in order to access a system or account. This can include something the user knows, such as a password or PIN, something the user has, such as a physical token or a mobile device, or something the user is, such as a fingerprint or facial recognition. The correct answer states that two-factor authentication is a combination of two of these factors, indicating that it requires the user to provide two different forms of identification for added security.Rate this question:
-
- 8.
A potential vulnerability of the Kerberos authentication server is
-
Single point of failure
-
Asymmetric key compromise
-
Use of dynamic passwords
-
Limited lifetimes for authentication credentials
Correct Answer
A. Single point of failureExplanation
Correct answer is a. Th ere are some issues related to the use of Kerberos. For starters,
the security of the whole system depends on careful implementation: enforcing
limited lifetimes for authentication credentials minimizes the threats of replayed
credentials, the KDC must be physically secured, and it should be hardened, not
permitting any non-Kerberos activity. More importantly, the KDC can be a single
point of failure, and therefore should be supported by backup and continuity plans.
Page 111.Rate this question:
-
- 9.
In mandatory access control the system controls access and the owner determines
-
Validation
-
Need to know
-
Consensus
-
Verifi cation
Correct Answer
A. Need to knowExplanation
Correct answer is b. MAC is based on cooperative interaction between the system
and the information owner. Th e system’s decision controls access and the owner
provides the need-to-know control. Page 117Rate this question:
-
- 10.
Which is the least significant issue when considering biometrics?
-
Resistance to counterfeiting
-
Technology type
-
User acceptance
-
Reliability and accuracy
Correct Answer
A. Technology typeExplanation
In addition to the access control elements of a biometric system,
there are several other considerations that are important to the integrity of the control
environment. Th ese are resistance to counterfeiting, data storage requirements, user
acceptance, reliability and accuracy, and target user and approach. Page 75.Rate this question:
-
- 11.
Which is a fundamental disadvantage of biometrics?
-
Revoking credentials
-
Encryption
-
Communications
-
Placement
Correct Answer
A. Revoking credentialsExplanation
When considering the role of biometrics, its close interactions
with people, and the privacy and sensitivity of the information collected, the inability
to revoke the physical attribute of the credential becomes a major concern. Th e
binding of the authentication process to the physical characteristics of the user can
complicate the revocation or decommissioning processes. Page 77.Rate this question:
-
- 12.
Role-based access control-------------
-
Is unique to mandatory access control
-
Is independent of owner input
-
Is based on user job functions
-
Can be compromised by inheritance
Correct Answer
A. Is based on user job functionsExplanation
A role-based access control (RBA) model bases the access
control authorizations on the roles (or functions) that the user is assigned within
an organization. Th e determination of what roles have access to a resource can be
governed by the owner of the data, as with DACs, or applied based on policy, as
with MACs. Page 120.Rate this question:
-
- 13.
Identity management is
-
Another name for access controls
-
A set of technologies and processes intended to off er greater effi ciency in the management of a diverse user and technical environment
-
A set of technologies and processes focused on the provisioning and decommissioning of user credentials
-
A set of technologies and processes used to establish trust relationships with disparate systems
Correct Answer
A. A set of technologies and processes intended to off er greater effi ciency in the management of a diverse user and technical environmentExplanation
Identity management is a much-used term that refers to a set
of technologies intended to off er greater effi ciency in the management of a diverse
user and technical environment. Page 92.Rate this question:
-
- 14.
A disadvantage of single sign-on is
-
Consistent time-out enforcement across platforms
-
A compromised password exposes all authorized resources
-
Use of multiple passwords to remember
-
Password change control
Correct Answer
A. A compromised password exposes all authorized resourcesExplanation
One of the more prevalent concerns with centralized SSO
systems is the fact that all of a user’s credentials are protected by a single password:
the SSO password. If someone were to crack that user’s SSO password, they would
eff ectively have all the keys to that user’s kingdom. Page 107.Rate this question:
-
- 15.
Which of the following is incorrect when considering privilege management?
-
Privileges associated with each system, service, or application, and the defi ned roles within the organization to which they are needed, should be identified and clearly documented.
-
Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group, or role
-
An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated.
-
Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.
Correct Answer
A. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.Explanation
An authorization process and a record of all privileges allocated
should be maintained. Privileges should not be granted until the authorization
process is complete and validated. If any signifi cant or special privileges
are needed for intermittent job functions, these should be performed using an
account specifi cally allocated for such a task, as opposed to those used for normal
system and user activity. Th is enables the access privileges assigned to the special
account to be tailored to the needs of the special function rather than simply
extending the access privileges associated with the user’s normal work functions.
Page 46.Rate this question:
-
Quiz Review Timeline (Updated): Mar 20, 2023 +
Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.
-
Current Version
-
Mar 20, 2023Quiz Edited by
ProProfs Editorial Team -
Dec 21, 2012Quiz Created by
Cindymurray
Back to top