Contents

  1. Foundation Topics
  2. Exam Preparation Tasks
This chapter is from the book

Exam Preparation Tasks

Review All Key Topics

Review the most important topics in this chapter, noted with the Key Topics icon in the outer margin of the page. Table 5-1 lists these key topics and the page number on which each is found.

Table 5-1 Key Topics for Chapter 5

Key Topic Element   Description                                  Page Number
Paragraph           Access control process                       410
Paragraph           Provisioning life cycle                      413
Paragraph           Five factors of authentication               415
Paragraph           Password types                               417
Paragraph           Password management considerations           419
Paragraph           Physiological characteristics                422
Paragraph           Behavioral characteristics                   424
Paragraph           Biometric considerations                     424
Paragraph           Advantages and disadvantages of SSO          430
Paragraph           Advantages and disadvantages of Kerberos     431
Paragraph           Auditing mechanism guidelines                437
Paragraph           Classes of malware                           446

Define Key Terms

Define the following key terms from this chapter and check your answers in the glossary:

  • access control

  • access control list (ACL)

  • access control matrix

  • access control policy

  • authentication

  • authorization

  • backdoor

  • biometric acceptability

  • biometric accuracy

  • biometric throughput

  • brute-force attack

  • buffer overflow

  • capability table

  • centralized access control

  • characteristic factors

  • context-dependent access control

  • cross-certification federated identity model

  • crossover error rate

  • decentralized access control

  • dictionary attack

  • discretionary access control (DAC)

  • dumpster diving

  • false acceptance rate (FAR)

  • false rejection rate (FRR)

  • federated identity

  • identification

  • Identity as a Service (IDaaS)

  • Kerberos

  • knowledge factors

  • least privilege

  • Lightweight Directory Access Protocol (LDAP)

  • location factors

  • logical control

  • mandatory access control (MAC)

  • multi-factor authentication

  • need-to-know

  • ownership factors

  • password masking

  • pharming

  • phishing

  • physical control

  • provisioning life cycle

  • ransomware

  • role-based access control (RBAC)

  • rule-based access control

  • Secure European System for Applications in a Multi-vendor Environment (SESAME)

  • Security Assertion Markup Language (SAML)

  • security domain

  • separation of duties

  • shoulder surfing

  • single-factor authentication

  • single sign-on (SSO)

  • spyware

  • trapdoor

  • Trojan horse

  • trusted third-party federated identity model

  • virus

  • vishing

  • whaling

  • worm

Review Questions

  1. Which of the following is NOT an example of a knowledge authentication factor?

    1. password

    2. mother’s maiden name

    3. city of birth

    4. smart card

  2. Which of the following statements about memory cards and smart cards is false?

    1. A memory card is a swipe card that contains user authentication information.

    2. Memory cards are also known as integrated circuit cards (ICCs).

    3. Smart cards contain memory and an embedded chip.

    4. Smart card systems are more reliable than memory card systems.

  3. Which biometric method is most effective?

    1. iris scan

    2. retina scan

    3. fingerprint

    4. hand print

  4. What is a Type I error in a biometric system?

    1. crossover error rate (CER)

    2. false rejection rate (FRR)

    3. false acceptance rate (FAR)

    4. throughput rate

  5. Which access control model is most often used by routers and firewalls to control access to networks?

    1. discretionary access control

    2. mandatory access control

    3. role-based access control

    4. rule-based access control

  6. Which threat is NOT considered a social engineering threat?

    1. phishing

    2. pharming

    3. DoS attack

    4. dumpster diving

  7. Which of the following statements best describes an IDaaS implementation?

    1. Ensures that any instance of identification and authentication to a resource is managed properly.

    2. Collects and verifies information about an individual to prove that the person who has a valid account is who he or she claims to be.

    3. Provides a set of identity and access management functions to target systems on customers’ premises and/or in the cloud.

    4. It is an SAML standard that exchanges authentication and authorization data between organizations or security domains.

  8. Which of the following is an example of multi-factor authentication?

    1. username and password

    2. username, retina scan, and smart card

    3. retina scan and finger scan

    4. smart card and security token

  9. You decide to implement an access control policy that requires that users log on from certain workstations within your enterprise. Which type of authentication factor are you implementing?

    1. knowledge factor

    2. location factor

    3. ownership factor

    4. characteristic factor

  10. Which threat is considered a password threat?

    1. buffer overflow

    2. sniffing

    3. spoofing

    4. brute-force attack

  11. Which session management mechanisms are often used to manage desktop sessions?

    1. screensavers and timeouts

    2. FIPS 201-2 and NIST SP 800-79-2

    3. Bollards and locks

    4. KDC, TGT, and TGS

  12. Which of the following is a major disadvantage of implementing an SSO system?

    1. Users are able to use stronger passwords.

    2. Users need to remember the login credentials for a single system.

    3. User and password administration are simplified.

    4. If a user’s credentials are compromised, an attacker can access all resources.

  13. Which type of attack is carried out from multiple locations using zombies and botnets?

    1. TEMPEST

    2. DDoS

    3. Backdoor

    4. Emanating

Answers and Explanations

  1. Knowledge factors are something a person knows, including passwords, mother’s maiden name, city of birth, and date of birth. Ownership factors are something a person has, including a smart card.

  2. Memory cards are NOT also known as integrated circuit cards (ICCs). Smart cards are also known as ICCs.

  3. Iris scans are considered more effective than retina scans, fingerprints, and hand prints.

  4. A Type I error in a biometric system is false rejection rate (FRR). A Type II error in a biometric system is false acceptance rate (FAR). Crossover error rate (CER) is the point at which FRR equals FAR. Throughput rate is the rate at which users are authenticated.
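The relationship between the two error types and the crossover point is easiest to see by sweeping the match threshold. The following is an added example, not material from the book; the genuine and impostor match scores are constructed, not measurements from any real biometric system, and the 0-100 similarity scale is an assumption.

```python
"""Sweep a match-score threshold over constructed genuine and impostor scores,
compute FRR (Type I) and FAR (Type II) at each threshold, and find the crossover
error rate (CER). Added example; the scores are synthetic, not measurements
from any real biometric system."""
from typing import Iterable, List, Tuple

# Constructed sample data (assumption): similarity scores on a 0-100 scale.
# A legitimate user's template should match well; an impostor's should not.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 61]
IMPOSTOR_SCORES = [15, 22, 30, 38, 45, 52, 58, 63, 68, 72]


def false_rejection_rate(genuine: List[int], threshold: int) -> float:
    """Type I error: share of legitimate attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def false_acceptance_rate(impostor: List[int], threshold: int) -> float:
    """Type II error: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for every candidate threshold."""
    return [(t, false_rejection_rate(genuine, t), false_acceptance_rate(impostor, t))
            for t in thresholds]


def crossover_error_rate(genuine: List[int], impostor: List[int],
                         thresholds: Iterable[int]) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest, and the error rate there (the CER)."""
    t, frr, far = min(error_curve(genuine, impostor, thresholds),
                      key=lambda r: abs(r[1] - r[2]))
    return t, (frr + far) / 2


if __name__ == "__main__":
    for t, frr, far in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES, range(40, 85, 5)):
        print(f"threshold {t:3d}: FRR={frr:.1f} FAR={far:.1f}")
    print("CER at threshold %d: %.2f"
          % crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101)))
```

Raising the threshold drives FAR toward zero while FRR climbs, which is the trade a high-security deployment makes on purpose; lowering it does the reverse. The CER is the single figure used to compare systems: the lower it is, the better the sensor and algorithm separate genuine users from impostors.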

  5. Rule-based access control is most often used by routers and firewalls to control access to networks. The other three types of access control models are not usually implemented by routers and firewalls.
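What makes router and firewall ACLs rule-based is the evaluation order: rules are tested top-down, the first match decides, and anything unmatched falls to an implicit deny. The following is an added example, not from the book or any vendor; the rule fields, the constructed rule set in front of 192.0.2.0/24, and the simplified syntax are all assumptions made for illustration.

```python
"""Ordered, rule-based access control list as a router or firewall applies it:
evaluate top-down, first match wins, implicit deny at the end. Added example
with a constructed rule set; the syntax is a simplification, not any vendor's."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str             # "permit" or "deny"
    proto: str              # "tcp", "udp", "icmp" or "any"
    src: str                # source network in CIDR notation
    dst: str                # destination network in CIDR notation
    dport: Optional[int]    # destination port, None = any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of the rule that fired); a None index is the implicit deny."""
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


def _covers(earlier: Rule, later: Rule) -> bool:
    """True when any packet matching `later` would already have matched `earlier`."""
    return ((earlier.proto == "any" or earlier.proto == later.proto)
            and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and (earlier.dport is None or earlier.dport == later.dport))


def shadowed_rules(acl: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them.
    A deny sitting below a broader permit is the classic ordering mistake."""
    return [j for j in range(len(acl)) if any(_covers(acl[i], acl[j]) for i in range(j))]


# Constructed rule set (assumption): an edge ACL protecting 192.0.2.0/24.
EDGE_ACL = [
    Rule("permit", "tcp", "10.0.0.0/8", "192.0.2.10/32", 443),   # HTTPS to one host
    Rule("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 23),           # no telnet anywhere
    Rule("permit", "icmp", "10.0.0.0/8", "192.0.2.0/24", None),  # ping into the subnet
]                                                                 # ... then implicit deny

# Same intent, misordered: the broad permit on top shadows the telnet deny.
MISORDERED_ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", "0.0.0.0/0", None),
    Rule("deny", "tcp", "0.0.0.0/0", "0.0.0.0/0", 23),
]

if __name__ == "__main__":
    print(evaluate(EDGE_ACL, Packet("tcp", "10.1.2.3", "192.0.2.10", 23)))
    print("shadowed in misordered ACL:", shadowed_rules(MISORDERED_ACL))
```

Note that the rule set is evaluated against packet attributes only, never against who the user is, which is why this is rule-based rather than discretionary or role-based control. The shadow check is the review step worth automating: a telnet packet against MISORDERED_ACL is permitted by rule 0 and the deny on rule 1 never fires.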

  6. A denial-of-service (DoS) attack is not considered a social engineering threat. The other three options are considered to be social engineering threats.

  7. An Identity as a Service (IDaaS) implementation provides a set of identity and access management functions to target systems on customers’ premises and/or in the cloud. Session management ensures that any instance of identification and authentication to a resource is managed properly. A proof of identity process collects and verifies information about an individual to prove that the person who has a valid account is who he or she claims to be.

  8. Using username, retina scan, and a smart card is an example of multi-factor authentication. The username is something you know, the retina scan is something you are, and the smart card is something you have.

  9. You are implementing location factors, which are based on where a person is located when logging in.

  10. A brute-force attack is considered a password threat.

  11. Desktop sessions can be managed through screensavers, timeouts, logon, and schedule limitations. Federal Information Processing Standards (FIPS) Publication 201-2 and NIST Special Publication 800-79-2 are documents that provide guidance on proof of identity. Physical access to facilities can be controlled using locks, fencing, bollards, guards, and closed-circuit television (CCTV). In Kerberos, the key distribution center (KDC) issues a ticket-granting ticket (TGT) to the principal. When the principal needs to connect to another entity, it sends the TGT to the ticket-granting service (TGS), which returns a service ticket for that entity.
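The Kerberos sequence in the explanation above (KDC issues a TGT; the TGT is traded at the TGS for a service ticket; the service checks that ticket) can be followed end to end in code. The following is an added example, not from the book and not real Kerberos: a toy encrypt-then-MAC "seal" built from SHA-256 and HMAC stands in for the protocol's encryption types, the principals alice, krbtgt and fileserver are made up, and the password-to-key derivation is an assumption.

```python
"""Simulated Kerberos ticket flow: AS exchange issues a TGT, TGS exchange turns
the TGT into a service ticket, the service verifies the ticket. Added example,
not real Kerberos: a toy HMAC/SHA-256 "seal" stands in for the protocol's
encryption types, and the principal names and key derivation are assumptions."""
import hashlib
import hmac
import json
import os
import time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (toy cipher, not for real use)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, body: dict) -> bytes:
    """Encrypt-then-MAC a JSON body: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    pt = json.dumps(body, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt. A wrong key or tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def password_key(password: str) -> bytes:
    """Derive a principal's long-term key from its password (assumption: salted SHA-256)."""
    return hashlib.sha256(b"toy-krb-salt:" + password.encode()).digest()


class KDC:
    """Holds every principal's long-term key and runs both the AS and the TGS."""

    def __init__(self, principals: dict):
        self.principals = principals          # name -> long-term key
        self.tgs_key = principals["krbtgt"]   # the key every TGT is sealed under

    def as_exchange(self, client: str) -> tuple:
        """AS-REQ/AS-REP: return (TGT, reply). The client can read only the reply."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session,
                                  "expires": time.time() + 8 * 3600})
        reply = seal(self.principals[client], {"session": session})
        return tgt, reply

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> tuple:
        """TGS-REQ/TGS-REP: check TGT and authenticator, issue a service ticket."""
        body = unseal(self.tgs_key, tgt)                 # only the KDC can open a TGT
        if body["expires"] < time.time():
            raise PermissionError("TGT expired")
        auth = unseal(bytes.fromhex(body["session"]), authenticator)
        if auth["client"] != body["client"]:
            raise PermissionError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.principals[service], {"client": body["client"], "session": svc_session})
        reply = seal(bytes.fromhex(body["session"]), {"session": svc_session, "service": service})
        return ticket, reply


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """The target service opens the ticket with its own key and checks the authenticator."""
    body = unseal(service_key, ticket)
    auth = unseal(bytes.fromhex(body["session"]), authenticator)
    if auth["client"] != body["client"]:
        raise PermissionError("authenticator does not match ticket")
    return body["client"]


def run_demo(password: str = "correct horse") -> str:
    """Full flow for principal 'alice' reaching 'fileserver'; returns the accepted name.
    alice's registered password is 'correct horse'; pass anything else to see it fail."""
    principals = {"alice": password_key("correct horse"),
                  "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
    kdc = KDC(principals)
    # 1. AS exchange: alice receives a TGT she cannot read plus a session key she can.
    tgt, as_reply = kdc.as_exchange("alice")
    tgs_session = bytes.fromhex(unseal(password_key(password), as_reply)["session"])
    # 2. TGS exchange: alice presents the TGT with a fresh authenticator.
    ticket, tgs_reply = kdc.tgs_exchange(
        tgt, seal(tgs_session, {"client": "alice", "ts": time.time()}), "fileserver")
    svc_session = bytes.fromhex(unseal(tgs_session, tgs_reply)["session"])
    # 3. AP exchange: alice presents the service ticket to the file server.
    return service_accepts(principals["fileserver"], ticket,
                           seal(svc_session, {"client": "alice", "ts": time.time()}))


if __name__ == "__main__":
    print("fileserver accepted:", run_demo())
```

Two properties worth noticing: the client never sees the KDC's or the service's long-term key (the TGT and service ticket are opaque to it), and a wrong password fails at step 1 because the client cannot open the AS reply, so no ticket is ever issued.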

  12. If a user’s credentials are compromised in a single sign-on (SSO) environment, attackers have access to all resources to which the user has access. All other choices are advantages to implementing an SSO system.

  13. A distributed DoS (DDoS) attack is a DoS attack that is carried out from multiple attack locations. Vulnerable devices are infected with software agents, called zombies; collectively the zombies form a botnet, which then carries out the attack. Devices that meet TEMPEST standards implement an outer barrier or coating, called a Faraday cage or Faraday shield. A backdoor or trapdoor is a mechanism implemented in many devices or applications that gives anyone who knows of it unrestricted access to the device or application, bypassing its normal authentication controls. Emanations are electromagnetic signals that are emitted by an electronic device. Attackers can target certain devices or transmission mediums to eavesdrop on communication without having physical access to the device or medium.
