CISSP Prep- Access Control Questions

By Cindymurray
1. What best describes two-factor authentication?    

Explanation

Two-factor authentication is a security measure that requires the user to provide two different forms of identification in order to access a system or account. This can include something the user knows, such as a password or PIN, something the user has, such as a physical token or a mobile device, or something the user is, such as a fingerprint or facial recognition. The correct answer states that two-factor authentication is a combination of two of these factors, indicating that it requires the user to provide two different forms of identification for added security.

About This Quiz

This CISSP Prep- Access Control Questions quiz assesses knowledge on managing and securing access to resources. It covers defining access permissions, understanding different types of access controls, and the role of least privilege in security protocols.

2. A disadvantage of single sign-on is    

Explanation

One of the more prevalent concerns with centralized SSO systems is the fact that all of a user’s credentials are protected by a single password: the SSO password. If someone were to crack that user’s SSO password, they would effectively have all the keys to that user’s kingdom. Page 107.

3. Role-based access control-------------

Explanation

A role-based access control (RBAC) model bases the access control authorizations on the roles (or functions) that the user is assigned within an organization. The determination of what roles have access to a resource can be governed by the owner of the data, as with DACs, or applied based on policy, as with MACs. Page 120.

4. ----------- requires that a user or process be granted access to only those resources necessary to perform assigned functions.

Explanation

Least privilege is a principle that ensures that a user or process is only given access to the resources that are necessary for them to perform their assigned functions. This principle helps to minimize the potential damage that can be caused by unauthorized access or misuse of resources. By granting the least amount of privileges necessary, organizations can reduce the risk of unauthorized access and limit the potential impact of any security breaches.

5. A potential vulnerability of the Kerberos authentication server is    

Explanation

Correct answer is a. There are some issues related to the use of Kerberos. For starters, the security of the whole system depends on careful implementation: enforcing limited lifetimes for authentication credentials minimizes the threats of replayed credentials, the KDC must be physically secured, and it should be hardened, not permitting any non-Kerberos activity. More importantly, the KDC can be a single point of failure, and therefore should be supported by backup and continuity plans. Page 111.

6. What are the three types of access control?

Explanation

The three types of access control are administrative, physical, and technical. Administrative access control involves the policies and procedures that determine who has access to certain resources and what actions they are allowed to perform. Physical access control involves physical measures such as locks, badges, and security guards to control access to physical spaces. Technical access control involves the use of technology such as firewalls, encryption, and authentication mechanisms to control access to computer systems and networks.

7. In mandatory access control the system controls access and the owner determines

Explanation

Correct answer is b. MAC is based on cooperative interaction between the system and the information owner. The system’s decision controls access and the owner provides the need-to-know control. Page 117.

8. Which best describes access controls?

Explanation

Access controls are a set of technical measures that allow authorized users, systems, and applications to access resources. These controls are designed to protect against threats and vulnerabilities by limiting exposure to unauthorized activities and granting access to information and systems only to approved individuals. By implementing access controls, organizations can effectively manage and control access to their systems and information, reducing the risk of unauthorized access and potential security breaches.

9. Which of the following is incorrect when considering privilege management?

Explanation

An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated. If any significant or special privileges are needed for intermittent job functions, these should be performed using an account specifically allocated for such a task, as opposed to those used for normal system and user activity. This enables the access privileges assigned to the special account to be tailored to the needs of the special function rather than simply extending the access privileges associated with the user’s normal work functions. Page 46.

10. What are the seven main categories of access control?

11. A preliminary step in managing resources is:

Explanation

Defining who can access a given system or information is a preliminary step in managing resources because it helps establish proper controls and permissions. By determining who has the authority to access specific systems or information, organizations can ensure that only authorized individuals are granted access, reducing the risk of unauthorized access or data breaches. This step also helps in implementing appropriate security measures and defining user roles and responsibilities, ultimately contributing to effective resource management.

12. Which approach revolutionized the process of cracking passwords?    

Explanation

The correct answer is Rainbow table attack. A rainbow table attack is a method of cracking passwords by precomputing and storing the hash values of all possible passwords. This allows for quick lookup and comparison, significantly speeding up the process of cracking passwords compared to traditional brute force methods.

13. Which is a fundamental disadvantage of biometrics?    

Explanation

When considering the role of biometrics, its close interactions with people, and the privacy and sensitivity of the information collected, the inability to revoke the physical attribute of the credential becomes a major concern. The binding of the authentication process to the physical characteristics of the user can complicate the revocation or decommissioning processes. Page 77.

14. Which is the least significant issue when considering biometrics?    

Explanation

In addition to the access control elements of a biometric system, there are several other considerations that are important to the integrity of the control environment. These are resistance to counterfeiting, data storage requirements, user acceptance, reliability and accuracy, and target user and approach. Page 75.

15. Identity management is

Explanation

Identity management is a much-used term that refers to a set of technologies intended to offer greater efficiency in the management of a diverse user and technical environment. Page 92.


Quiz Review Timeline (Updated): Mar 20, 2023

Our quizzes are rigorously reviewed, monitored and continuously updated by our expert board to maintain accuracy, relevance, and timeliness.

  • Mar 20, 2023 (current version): Quiz edited by ProProfs Editorial Team
  • Dec 21, 2012: Quiz created by Cindymurray