IT 223 Exam 2 Questions With Accurate Answers
Access control - ANSWER What is access control? Answer: ONLY authorized entities can use ONLY those resources for which they are authorized.
How is policy related to it? Policy-driven control of access to systems, data and dialogues. Examples of access control include barriers, passwords, and biometrics.
Three As of Access Control - ANSWER Three As:
1. Authentication: Verification (or not) of an individual's claim (usually of identity). Two roles: verifier and supplicant (asks for access).
2. Authorization: An entity (via his/her/its identity) is given certain permissions to access particular resources.
3. Auditing: After-the-fact analysis of data collected about an individual's activities. Activities online can be and are monitored.
What are 4 different ways to authenticate a claim of identity? - ANSWER
• What you know - a password for an account
• What you have - a door key, a smart card
• Who you are - fingerprint
• What you do - how you pronounce a passphrase
What is multi-factor authentication? Why is it useful? - ANSWER Multiple ways to authorize and protect yourself from others. Examples: passwords + phone codes (sending a code to you directly), retina scan, etc.
Multi-Factor Authentication: How does it impact the probability of a false negative result? How does it impact the probability of a false positive result? - ANSWER False positive: an intruder is allowed into the system by being lucky.
False negative: the actual person has bad credentials (fingerprints won't be detected), forgot password, etc.
What is mandatory access control? What is discretionary access control? - ANSWER
• Mandatory access control - Strict access control barriers to gain entry, no variation allowed.
vs.
• Discretionary access control - A department can decide what access to allow for each individual.
How does a multi-level security (MLS) system work? - ANSWER
• NTK (need to know) access
• Classified information requires complex layers of control that far exceed basic clearance-granting and badge-granting policies.
• Example: EPA or public trust cannot ask for access to files at higher security levels without approval.
Can you give examples of common policy requirements for physical security? Why is it important to consider utilities? - ANSWER Security Clause 9 - First do risk analysis
• Secure areas in a building
- Perimeter
- Public access
- Offices/rooms
Supporting Utilities
• Electricity, water, HVAC must be supplied to an adequate level, inspected and tested regularly
• UPS is required (have availability)
• Backup generator
What are important issues to remember when disposing of computer equipment? What is the role of a password in access control? - ANSWER Wipe and destroy hard drives so no hacker goes dumpster diving (e.g. an incident where a dentist threw his clients' files into the trash).
Passwords: an extra layer that can be cracked but will delay an immediate attack (even if it's only a few seconds). They also prevent ordinary people from viewing files that they are not supposed to.
Can you give examples of common policy requirements for passwords? How do users sometimes misuse passwords? - ANSWER Password policies - mandatory changes regularly
• Password use/misuse
- Never share it
- Never reuse it over multiple sites
• At least 8 characters long
• At least one change of case
• At least one digit
• At least one special character, and not at the end of the password
People use multiple passwords on the same websites, etc.
Can you give examples of physical devices used in access control? What is the most important issue when using physical devices in this way? - ANSWER
• Magnetic strip cards
• Smart cards
- Microprocessor
- Can implement asymmetric encryption for challenge response
• Tokens
- Constantly changing password devices for one-time passwords
- Proximity access
Issues: loss and theft are common...
• 2-factor authentication eases loss or theft
- User enters a PIN upon placing the badge in the card reader or holding it near the proximity badge reader
What does "biometrics" mean literally? In the I.T. context? Can you give examples of common biometric technologies? - ANSWER Based on biological and/or behavioral measurements. Promises to make reusable passwords obsolete.