CORPORATE COMPUTER SECURITY EXAM QUESTIONS WITH SOLVED
SOLUTIONS.
access control answer >>>> the policy-driven control of access to systems, data,
and dialogues.
policy answer >>>> central to access control
authentication, authorizations, and auditing answer >>>> three functions of
access control
authentication answer >>>> the process of assessing the identity of each
individual claiming to have permission to use a resource
supplicant answer >>>> person or process requesting access
verifier answer >>>> person or process providing admission
credentials answer >>>> the supplicant authenticates himself, herself, or itself to
the verifier by sending:
authorizations answer >>>> Specific permissions that a particular authenticated
user should have, given his or her authenticated identity.
auditing answer >>>> collecting information about an individual's activities in log
files
what you know (a password or private key),
what you have (a physical key or smart card),
who you are (your fingerprint), or
what you do (how you specifically pronounce a passphrase) answer >>>> to be
authenticated, you must show the verifier credentials that are based on one of the
following:
two-factor authentication answer >>>> two different forms of authentication
must be used for access; provides defense in depth (a form of multi-factor authentication)
multi-factor authentication answer >>>> Use of several authentication techniques
together, such as passwords and security tokens.
man-in-the-middle attack answer >>>> two-factor authentication often can be
defeated by (acts as a silent go-between):
Trojan horse answer >>>> two-factor authentication means nothing if the user's
computer is compromised with a:
Role-Based Access Control (RBAC) answer >>>> An access control model that
bases the access control authorizations on the roles (or functions) that the user is
assigned within an organization
cheaper and less error-prone than basing access rules on individual accounts
answer >>>> advantages of RBAC versus individual access controls
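To make the "cheaper and less error-prone" card concrete, the following added example (not from the original study set) builds the same authorization policy twice, once as per-account grants and once as RBAC, and counts the rules each needs. It then applies one policy change and models the slip that per-account administration invites. The roles, permissions and staff names are constructed for this example.

```python
from collections import defaultdict

class IndividualACL:
    """Per-account rules: one (user, permission) entry for every grant."""

    def __init__(self):
        self.grants = set()

    def grant(self, user: str, perm: str) -> None:
        self.grants.add((user, perm))

    def authorize(self, user: str, perm: str) -> bool:
        return (user, perm) in self.grants

    def rule_count(self) -> int:
        return len(self.grants)

class RBAC:
    """Role-based: permissions attach to roles, users are assigned roles."""

    def __init__(self):
        self.role_perms = defaultdict(set)
        self.user_roles = defaultdict(set)

    def add_permission(self, role: str, perm: str) -> None:
        self.role_perms[role].add(perm)

    def assign(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def authorize(self, user: str, perm: str) -> bool:
        return any(perm in self.role_perms[r] for r in self.user_roles[user])

    def rule_count(self) -> int:
        # Rules an administrator maintains: role->permission plus user->role entries.
        return (sum(len(p) for p in self.role_perms.values())
                + sum(len(r) for r in self.user_roles.values()))

# Constructed accounts-payable department: 3 roles, 17 staff.
ROLES = {
    "ap_clerk": {"invoice:read", "invoice:enter"},
    "ap_manager": {"invoice:read", "invoice:enter", "invoice:approve", "payment:release"},
    "auditor": {"invoice:read", "payment:read", "audit_log:read"},
}
STAFF = {f"clerk{i:02d}": "ap_clerk" for i in range(12)}
STAFF.update({f"mgr{i}": "ap_manager" for i in range(2)})
STAFF.update({f"auditor{i}": "auditor" for i in range(3)})

def build_both() -> tuple[IndividualACL, RBAC]:
    """Express the same policy as individual grants and as roles."""
    acl, rbac = IndividualACL(), RBAC()
    for role, perms in ROLES.items():
        for perm in perms:
            rbac.add_permission(role, perm)
    for user, role in STAFF.items():
        rbac.assign(user, role)
        for perm in ROLES[role]:
            acl.grant(user, perm)
    return acl, rbac

def compare_rule_counts() -> tuple[int, int]:
    """(individual ACL rules, RBAC rules) for the identical policy."""
    acl, rbac = build_both()
    return acl.rule_count(), rbac.rule_count()

def policy_change_demo(new_perm: str = "invoice:export") -> tuple[int, int]:
    """Give every clerk one new permission; return how many clerks end up authorized
    under RBAC and under the individual ACL."""
    acl, rbac = build_both()
    clerks = [u for u, r in STAFF.items() if r == "ap_clerk"]
    # RBAC: a single edit to the role reaches every clerk, present and future.
    rbac.add_permission("ap_clerk", new_perm)
    # Individual ACL: one grant per clerk. Constructed to model a typical slip:
    # the administrator misses the last clerk in the list.
    for user in clerks[:-1]:
        acl.grant(user, new_perm)
    rbac_ok = sum(rbac.authorize(u, new_perm) for u in clerks)
    acl_ok = sum(acl.authorize(u, new_perm) for u in clerks)
    return rbac_ok, acl_ok
```

For this staff list `compare_rule_counts()` returns `(41, 26)`: the per-account form needs a grant for every user-permission pair, while RBAC needs one entry per role permission plus one per user. The gap widens with every extra user. `policy_change_demo()` returns `(12, 11)`: the role edit is one change that cannot leave a clerk behind, whereas the per-account update is twelve separate edits, each an opportunity for the omission modelled here.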
These technologies are always embedded in an organizational and human context
that creates opportunities to bypass the technology. answer >>>> why do
technologically strong access controls not provide strong access control in real
organizations?
mandatory access control (MAC) answer >>>> departments have no ability to
alter access control rules set by higher authorities
discretionary access control (DAC) answer >>>> A department can decide what
access to allow for each individual within policy standards set by higher
authorities
mandatory access control (MAC) and discretionary access control (DAC) answer
>>>> In the military and national security organizations, two other forms of access
controls are common:
multi-level security answer >>>> system that rates documents by sensitivity
MAC gives stronger security, but it is difficult to implement answer >>>>
advantage/disadvantage of MAC
SBU answer >>>> sensitive but unclassified
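The MAC, DAC, multi-level security and SBU cards above fit together in one small policy engine. The following example is added here and is not part of the original study set: it orders sensitivity labels (with SBU as the page defines it), enforces the mandatory multi-level rule (no read up, no write down) centrally, and layers a discretionary department grant on top that can narrow but never widen what the mandatory rule allows. The departments, documents and subjects are constructed for the demonstration; the level names are the conventional US-style ladder and are an assumption beyond the page's SBU.

```python
from dataclasses import dataclass

# Sensitivity levels, lowest to highest. SBU = sensitive but unclassified.
LEVELS = ["UNCLASSIFIED", "SBU", "CONFIDENTIAL", "SECRET", "TOP SECRET"]
RANK = {name: i for i, name in enumerate(LEVELS)}

@dataclass(frozen=True)
class Document:
    name: str
    level: str        # mandatory label set by the classifying authority; frozen, so a
    owner_dept: str   # department cannot relabel a document to let someone in

@dataclass
class Subject:
    name: str
    clearance: str
    dept: str

def mac_allows(subject: Subject, doc: Document, action: str) -> bool:
    """Mandatory multi-level rule, fixed by the higher authority:
    read only at or below your clearance, write only at or above it."""
    s, d = RANK[subject.clearance], RANK[doc.level]
    if action == "read":
        return s >= d          # no read up
    if action == "write":
        return s <= d          # no write down
    raise ValueError(f"unknown action {action!r}")

class DepartmentDAC:
    """Discretionary layer: a department decides who may use its own documents."""

    def __init__(self):
        self.grants = set()    # (document name, subject name, action)

    def grant(self, granting_dept: str, doc: Document, subject: Subject, action: str) -> None:
        if doc.owner_dept != granting_dept:
            raise PermissionError("a department may only grant access to its own documents")
        self.grants.add((doc.name, subject.name, action))

    def allows(self, subject: Subject, doc: Document, action: str) -> bool:
        return (doc.name, subject.name, action) in self.grants

def access(subject: Subject, doc: Document, action: str, dac: DepartmentDAC) -> bool:
    """Final decision: the mandatory rule is evaluated first and a discretionary
    grant can only add a further restriction, never override it."""
    return mac_allows(subject, doc, action) and dac.allows(subject, doc, action)

def demo() -> dict[str, bool]:
    """Constructed scenario with two departments and two subjects."""
    dac = DepartmentDAC()
    budget = Document("fy_budget", "SBU", "finance")
    plan = Document("ops_plan", "SECRET", "operations")
    analyst = Subject("analyst", "SBU", "finance")
    officer = Subject("officer", "TOP SECRET", "operations")

    dac.grant("finance", budget, analyst, "read")
    # Operations chooses to share the plan with the analyst; the mandatory rule
    # still refuses because the analyst is cleared only to SBU (read up).
    dac.grant("operations", plan, analyst, "read")
    dac.grant("operations", plan, officer, "read")
    dac.grant("finance", budget, officer, "write")

    return {
        "analyst reads SBU budget": access(analyst, budget, "read", dac),
        "analyst reads SECRET plan": access(analyst, plan, "read", dac),
        "officer reads SECRET plan": access(officer, plan, "read", dac),
        "officer writes SBU budget": access(officer, budget, "write", dac),
    }
```

Two results carry the cards' lessons. The analyst is denied the SECRET plan even though the owning department granted it: under MAC the department has no ability to alter a rule set above it. The TOP SECRET officer is denied write access to the SBU budget despite a grant, because "no write down" stops high-sensitivity knowledge leaking into a low-sensitivity document. That second case is also why the page calls MAC difficult to implement: ordinary work such as a senior person editing a routine document collides with the rule, so real deployments need trusted downgrade procedures that a pure DAC system never has to build.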
Physical and Environmental Security answer >>>> ISO/IEC 27002's Security Clause
9
risk analysis has already been done answer >>>> Security Clause 9 assumes
9.1 - Secure Areas; 9.2 - Equipment Security answer >>>> Security Clause 9 has
two main security categories
9.1 Secure Areas answer >>>> Security Clause 9's first main security category
9.2 Equipment Security answer >>>> Security Clause 9's second main security
category
six controls: physical security perimeter; physical entry controls; public access,
delivery and loading areas; securing offices, rooms, and facilities; protecting
against external and environmental threats; creating rules for secure work areas
answer >>>> Main Security Category 9.1 has
single point of entry, walls that separate the building from the outside that are
sound and free of gaps, and emergency exits answer >>>> Ideally, a physical
security perimeter would have a:
alarmed, monitored, and tested frequently and allow for escape whenever
justified answer >>>> emergency exits should be:
all physical access must be authorized, and each entry must be justified,
logged, and monitored answer >>>> Physical Entry Controls means that:
limited access to delivery and loading areas. Incoming shipments are inspected
and logged and separated from outgoing shipments answer >>>> Public access,
delivery and loading areas require: