CISSP - Chapter 14 Review Questions and Answers

CISSP - Chapter 14 Review Questions and Answers which of the following best describes an implicit deny principle? A. All actions that are not expressly denied are allowed. B. All actions that are not expressly allowed are denied. C. All actions must be expressly denied. D. None of the above. B What is the intent of least privilege? A. Enforce the most restrictive rights required by users to run system processes. B. Enforce the least restrictive rights required by users to run system processes. C. Enforce the most restrictive rights required by users to complete assigned tasks. D. Enforce the least restrictive rights required by users to complete assigned tasks. C 00:37 01:09 A table includes multiple objects and subjects and it identifies the specific access each subject has to different objects. What is this table? A. Access control list B. Access control matrix C. Federation D. Creeping privilege B Who, or what, grants permissions to users in a DAC model? A. Administrators B. Access control list C. Assigned labels D. The data custodian D Which of the following models is also known as an identity-based access control model? A. DAC B. RBAC C. Rule-based access control D. MAC A A central authority determines which files a user can access. Which of the following best describes this? A. An access control list (ACL) B. An access control matrix C. Discretionary Access Control model D. Nondiscretionary access control model D A central authority determines which files a user can access based on the organization's hierarchy. Which of the following best describes this? A. DAC model B. An access control list (ACL) C. Rule-based access control model D. RBAC model D Which of the following statements is true related to the RBAC model? A. A RBAC model allows users membership in multiple groups. B. A RBAC model allows users membership in a single group. C. A RBAC model is nonhierarchical. D. A RBAC model uses labels. A Which of the following is the best choice for a role within an organization using a RBAC model? A. Web server B. Application C. Database D. Programmer D Which of the following best describes a rule-based access control model? A. It uses local rules applied to users individually. B. It uses global rules applied to users individually. C. It uses local rules applied to all users equally. D. It uses global rules applied to all users equally. D What type of access control model is used on a firewall? A. MAC model B. DAC model C. Rule-based access control model D. RBAC model C What type of access controls rely on the use of labels? A. DAC B. Nondiscretionary C. MAC D. RBAC C Which of the following best describes a characteristic of the MAC model? A. Employs explicit-deny philosophy B. Permissive C. Rule-based D. Prohibitive D Which of the following is not a valid access control model? A. Discretionary Access Control model B. Nondiscretionary access control model C. Mandatory Access Control model D. Compliance-based access control model D What would an organization do to identify weaknesses? A. Asset valuation B. Threat modeling C. Vulnerability analysis D. Access review C Which of the following can help mitigate the success of an online brute-force attack? A. Rainbow table B. Account lockout C. Salting passwords D. Encryption of password B Which of the following would provide the best protection against rainbow table attacks? A. Hashing passwords with MD5 B. Salt and pepper with hashing C. Account lockout D. Implement RBAC B What type of attack uses email and attempts to trick high-level executives? A. Phishing B. Spear phishing C. Whaling D. Vishing C What would the consultant use to identify potential attackers? A. Asset valuation B. Threat modeling C. Vulnerability analysis D. Access review and audit B Management wants to ensure that the consultant has the correct priorities while doing her research. Of the following, what should be provided to the consultant to meet this need? A. Asset valuation B. Threat modeling results C. Vulnerability analysis reports D. Audit trails A