Risk Management: Use of Access Controls to Protect Assets Quiz Answers

Get All Weeks Risk Management: Use of Access Controls to Protect Assets Quiz Answers

Week 01: Risk Management: Use of Access Controls to Protect Assets Quiz Answers

password policy Quiz Answers

Match the components of a password policy with their definitions.

Q.1. Used to effectively create, maintain, and protect passwords and to establish any guidelines.

Protection
Creation
Overview
Aging
Scope

Q.2. To whom the policy applies, e.g., all employees, contractors, and affiliates of IMI, and governs the acceptable password type and length used on all systems.

Protection
Creation
Overview
Aging
Scope

Q.3. user and admin passwords must be at least [define] characters in length. Longer passphrases are strongly encouraged.  Dictionary words and phrases should be avoided to prevent the use of common and easily cracked passwords.

Protection
Creation
Overview
Aging
Scope

Q.4. User passwords must be changed every [define length] months. Previously used passwords may not be reused. System-level passwords must be changed on a [define period].

Protection
Creation
Overview
Aging
Scope

Q.5. Passwords must not be shared with anyone (including coworkers and supervisors) and must not be revealed or sent electronically.

Protection
Creation
Overview
Aging
Scope

Q.6. From the user’s perspective, which might be the best type of password?

Short, complex
Long, complex
Long, simple
Long, with slight complexity
Knowledge Check: Document, Implement, and Maintain Functional Controls

Applied Scenario 1 Review: Governance and Policies Quiz Answers

Q.1 Which of the following is a type of a security control? (D1, L2.1)

Administrative (or Managerial)
Technical (or Logical)
Physical (or Operational)
All of these

Q.2 What are some of the governing policies and requirements to which IMI will have to conform? (D1, L2.1)

HIPAA
GDPR
Taxation
All of these and more

Q.3 True or False: All policies come from governance requirements.  (D1, L2.1)

True
False

Q.4 Does allowing users to access news feeds such as BBC and CNN from corporate systems and sites conflict with IMI’s AUP? (D1, L2.1)

Yes, definitely
No, certainly not
Yes, potentially

Applied Scenario 2: Access Controls Quiz Answers

Q.1 Match the area of concern with the control that IMI should implement to address it. (D2, L2.2)

People
Areas of concern
Servers
Rooms or sites
Data access
Network access

Q.2. Need-to-know aligned to clearance levels and permissions 

People
Areas of concern
Servers
Rooms or sites
Data access
Network access

Q.3. Identity management

People
Areas of concern
Servers
Rooms or sites
Data access
Network access

Q.4 Permissions

People
Areas of concern
Servers
Rooms or sites
Data access
Network access

Q.5.Physical isolation

People
Areas of concern
Servers
Rooms or sites
Data access
Network access

Q.6. Mantraps or turnstiles

People
Areas of concern
Servers
Rooms or sites
Data access
Network access

Q.7. What are the two primary types of access control systems, and what is one way that access control systems are maintained? (D2, L2.2)  

Physical and network; due diligence
Deterrent and corrective; due care and due diligence
Integrity and availability; by as much security as can be safely applied
Logical and physical; central administration of access control systems

Week 02: Risk Management: Use of Access Controls to Protect Assets Quiz Answers

Knowledge Check: Certificates and Tokens

Q.1 What is the difference between a synchronous and asynchronous password token? (D1, L2.1)

Asynchronous tokens contain a password that is physically hidden and then transmitted for each authentication while synchronous tokens do not.
Synchronous tokens are generated with the use of a timer while asynchronous tokens do not use a clock for generation.
Synchronous tokens contain a password that is physically hidden and then transmitted for each authentication while asynchronous tokens do not.
Asynchronous tokens are generated with the use of a timer while synchronous tokens do not use a clock for generation.

Activity 2: Biometric Identification

Q.1. Match the technology to the correct description (D1, L2.1) 

Typically requires seven characteristics or matching points to either enroll a new access control subject or to verify an existing access control subject.

Retinal Scan
Voice Recognition
Hand Geometry
Facial Recognition
Fingerprint
Iris Scan

Q.2 The person’s identity is verified based upon the location of a number of key points.

Retinal Scan
Voice Recognition
Hand Geometry
Facial Recognition
Fingerprint
Iris Scanx

Q.3. This system acquires images of the iris in both the visible wavelength and the electromagnetic spectrum. 

Retinal Scan
Voice Recognition
Hand Geometry
Facial Recognition
Fingerprint
Iris Scan

Q.4 Dating back to 1930, this biometric system simply maps the blood vessels.

Retinal Scan
Voice Recognition
Hand Geometry
Facial Recognition
Fingerprint
Iris Scan

Q.5 This system uses a mathematical geometric model of certain landmarks such as socket orientation and measures the distance between them.

Retinal Scan
Voice Recognition
Hand Geometry
Facial Recognition
Fingerprint

Q.6 Starts by creating a template of the user’s identity software then splits the input into various frequencies.  

Retinal Scan
Voice Recognition
Hand Geometry
Facial Recognition
Fingerprint
Iris Scan

Case Study: Biometrics Data Transmission

Q.1 Would EBTS work for your client? (D1, L2.1) 

Yes
No

q.2 What advantages might it provide?  (D1, L2.1)

Centralized biometric storage
Decentralized biometric storage
Hybrid biometric storage
None of these

Knowledge Check: Identity Management Maintenance

Q.1. True or False? Your SSCP qualifications could be considered as part of your identity. (D2, L2.3) 

True
False

Q.2 True or False? Within an identity store such as Microsoft’s Active Directory, your name (first, last) is sufficient to uniquely identify you as a valid user. (D2, L2.3)

True
False

Q.3 True or False? Identity management and access management are closely related. (D2, L2.3) 

True
False

Knowledge Check: Privileged Access and Associated Risks

Q.1 True or False? Privileged users require a high level of access and are obviously trustworthy and don’t require any special consideration. (D2, L2.3)

True
False

Q.2 True or False? The best course of action to take with privileged types of users to reduce the possible risk is to reduce their access rights. (D2, L2.3)

True
False

Q.3 True or False? Auditing will provide sufficient protection against misuse.  (D2, L2.3)

True
False

Knowledge Check: Identity Management

Q.1 True or False? Accounting is the last phase in the identity management lifecycle process. (D2, L2.3) 

True
False

Q.2 True or False? Authentication and authorization bypass attacks are the same.  (D2, L2.3)

True
False

Q.3 True or False? Sponsorship occurs when an authorized entity sponsors a claimant for a credential with a CSP. (D2, L2.3)

True
False

Knowledge Check: Identity Management Lifecycle

Q.1 What are three types of behavioral biometrics? (D2, L2.3)

Signature, voice pattern, keystroke dynamics
Voice pattern, iris scan, retinal scan
Facial, signature, keystroke
Token, voice pattern, facial

Knowledge Check: Access Configuration

Q.1 Now, having considered access configuration requirements, answer the following questions:   True or False? The IAAA system can be secured (protected) using biometrics. (D2, L2.4) 

True
False

Q.2 True or False? A combination of ABAC, RuBAC, risk-based and RBAC is the best approach for protecting the data and metadata about the IAAA system.  (D2, L2.4)

True
False

Q.3 True or False? Adopting a purely MAC approach is effective for protecting the data and metadata about the IAAA system.

True
False

Knowledge Check: Authentication Methods

Q.1. What are the three roles within Security Assertion Markup Language (SAML)? (D2, L2.4) 

Identity provider, relying party, service provider
Identity provider, relying party, user
Identity provider, service provider, relative token
Attributes, principal, bindings

Q.2. Name two roles related to Open Authorization (OAuth). (D2, L2.4) 

Resource provider, resource server
Resource provider, resource relying party
Authorization server, authorization owner
Authorization server, resource server

Chapter 2 Quiz: Understanding Risk Management Options and the Use of Access Controls to Protect Assets

Q.1. What is the purpose of countermeasures (D1, L2.1)?

React to an incident
Prevent an incident
Deter an incident
Manage an incident

Q.2. Which of the following is a basic requirement the security kernel must meet? (D2, L2.2)

Completeness
Isolation
Verifiability
All of these

Q.3 What function does an access control system NOT perform? (D2, L2.1)

Perform the same way every time
Make access control decisions
Identify all subjects and objects
Provide complete mediation

Q.4 . A list of company-restricted websites would best be handled in the first instance by what type of control? (D2, L2.1)

Physical
Administrative
Environmental
Technical

Q.5 What mechanism is used to verify a user’s claim to an identity? (D2, L2.4)

Proofing
Entitlement
Authentication
Provisioning

Q.6 Which system security model emphasizes system and data integrity as the highest priority security characteristic? (D2, L2.2)

Biba
MAC
Bell-LaPadula
DAC

Q.7. Which encryption method does Kerberos use to encrypt the exchange of messages between users, key distribution centers (KDC) and the applications? (D2, L2.4)