ISC2: Cybersecurity Certifications Exam QA: Part3

Mahender Kumar
10 min read · Jul 9, 2024


Q1: All visitors to a secure facility should be _______.

  1. Fingerprinted
  2. Photographed
  3. Escorted
  4. Required to wear protective equipment

Ans: All visitors to a secure facility should be escorted.

Justification:

  • Escorted: Escorting visitors ensures that they are supervised and monitored while they are within the secure facility. This practice helps to prevent unauthorized access to restricted areas and ensures that visitors do not wander or access areas beyond their permitted scope.
  • Fingerprinted: While fingerprinting can be used for identity verification in some high-security environments, it is not a universal requirement for all visitors to secure facilities.
  • Photographed: Taking photographs of visitors may be part of the visitor registration process for identification purposes, but it does not ensure security by itself unless accompanied by other security measures.
  • Required to wear protective equipment: This requirement applies to visitors entering areas where specific safety protocols are in place, such as construction sites or laboratories handling hazardous materials, but it is not a universal requirement for all secure facilities.

Q2: All of the following are typically perceived as drawbacks to biometric systems, except:

  1. Retention of physiological data past the point of employment
  2. Lack of accuracy
  3. Legality
  4. Potential privacy concerns

Ans: All of the following are typically perceived as drawbacks to biometric systems, except legality.

Justification:

  1. Retention of physiological data past the point of employment: This is a common concern with biometric systems. Organizations may retain biometric data longer than necessary, raising issues of data privacy and security.
  2. Lack of accuracy: Biometric systems may sometimes encounter challenges in accurately verifying individuals due to factors such as environmental conditions, aging, or variations in biometric characteristics.
  3. Potential privacy concerns: Biometric systems require capturing and storing sensitive biometric data, which raises privacy concerns about how this data is used, protected, and shared.
  4. Legality: Legality refers to whether the use of biometric systems complies with legal regulations and standards. While legality is a consideration, it is typically addressed through adherence to laws and regulations governing data protection rather than being perceived as a drawback of the technology itself.

Q3: Trina and Doug both work at Triffid, Inc. Doug is having trouble logging into the network. Trina offers to log in for Doug, using Trina’s credentials, so that Doug can get some work done. What is the problem with this?

  1. Doug is a bad person
  2. Anything either of them do will be attributed to Trina
  3. It is against the law
  4. If Trina logs in for Doug, then Doug will never be encouraged to remember credentials without assistance

Ans: The problem with Trina logging in for Doug using her credentials is: Anything either of them do will be attributed to Trina.

Justification:

  • Anything either of them do will be attributed to Trina: When Trina logs in using her credentials on behalf of Doug, all actions performed on the network will be recorded under Trina’s user account. This makes it impossible to distinguish whether the actions were performed by Trina herself or by Doug while logged in as Trina. This can lead to accountability issues, confusion in auditing and tracking activities, and potential security and compliance breaches.
  • Doug is a bad person: There is no indication from the scenario that Doug is a bad person. Logging in on behalf of someone else using one’s credentials is a security concern regardless of the person’s character.
  • It is against the law: While this could be a concern depending on the organization’s policies and regulations (especially related to data privacy and access control), the primary issue in this scenario is related to accountability and security rather than legality per se.
  • If Trina logs in for Doug, then Doug will never be encouraged to remember credentials without assistance: This is a valid concern in terms of encouraging responsible behavior with credentials, but it is not the primary problem in this scenario.

Q4: Gary is unable to log in to the production environment. Gary tries three times and is then locked out of trying again for one hour. Why could this be?

  1. Gary’s actions look like an attack
  2. The network is tired
  3. Gary is being punished
  4. Users remember their credentials if they are given time to think about it

Ans: The reason Gary is locked out of trying to log in again for one hour after three failed attempts is because Gary’s actions look like an attack.

Justification:

  • Gary’s actions look like an attack: Many systems implement security measures such as account lockouts after multiple failed login attempts to protect against brute force attacks. A brute force attack is when an attacker tries multiple combinations of usernames and passwords to gain unauthorized access. By locking the account temporarily after a certain number of failed attempts (in this case, three), the system mitigates the risk of such attacks.
  • The network is tired: Networks do not get “tired” in this context. The account lockout is a deliberate security measure rather than a reaction to network fatigue.
  • Gary is being punished: Account lockouts are not punitive measures but rather security precautions to protect the integrity of the system and prevent unauthorized access.
  • Users remember their credentials if they are given time to think about it: While it’s beneficial for users to remember their credentials, the account lockout policy is primarily in place to enhance security by preventing unauthorized access attempts.
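The lockout behaviour the justification describes (three failed attempts, then a one-hour lock) is easy to get subtly wrong: the lock must be checked before the password, a correct password during the lock must still be refused, and the counter must reset on success so that one stray typo a week does not accumulate. The following is an added example written for this page, not code from the original post; the credential store and user name are constructed stand-ins, and the caller supplies the clock so the policy can be tested without waiting an hour.

```python
import hmac
from dataclasses import dataclass

MAX_ATTEMPTS = 3        # failed logins tolerated before the account is locked
LOCKOUT_SECONDS = 3600  # one hour, matching the scenario in Q4


@dataclass
class AccountState:
    failures: int = 0         # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means the account is not locked


class LockoutPolicy:
    """Account-lockout check as a brute-force mitigation.

    `credentials` is a constructed dict of user -> secret used only for this
    example; a real system would verify against a salted password hash.
    """

    def __init__(self, credentials):
        self._creds = {u: s.encode() for u, s in credentials.items()}
        self._state = {}
        self.audit = []  # (time, user, outcome) tuples a SOC would forward to its SIEM

    def attempt(self, user, password, now):
        """Return "ok", "denied" or "locked" for one login attempt at time `now`."""
        st = self._state.setdefault(user, AccountState())

        # The lock is checked first: even the right password is refused while locked,
        # otherwise an attacker could keep guessing straight through the lockout.
        if now < st.locked_until:
            self.audit.append((now, user, "locked"))
            return "locked"

        expected = self._creds.get(user, b"")
        # Constant-time comparison; unknown users compare against an empty secret
        # so the code path does not reveal whether the account exists.
        if user in self._creds and hmac.compare_digest(expected, password.encode()):
            st.failures = 0
            st.locked_until = 0.0
            self.audit.append((now, user, "ok"))
            return "ok"

        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.failures = 0
            st.locked_until = now + LOCKOUT_SECONDS
            self.audit.append((now, user, "locked"))
            return "locked"
        self.audit.append((now, user, "denied"))
        return "denied"


def demo():
    """Replay Gary's three bad attempts, then show the lock expiring after an hour."""
    policy = LockoutPolicy({"gary": "correct-horse-battery"})  # constructed credential
    outcomes = [policy.attempt("gary", "wrong", t) for t in (0, 10, 20)]
    outcomes.append(policy.attempt("gary", "correct-horse-battery", 30))
    outcomes.append(policy.attempt("gary", "correct-horse-battery", 20 + LOCKOUT_SECONDS))
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The audit list is the detection hook: a burst of `locked` events across many users from one source is the pattern an analyst looks for, while a single lock followed by `ok` is usually just a forgotten password.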

Q5: Suvid works at Triffid, Inc. When Suvid attempts to log in to the production environment, a message appears stating that Suvid has to reset the password. What may have occurred to cause this?

  1. Someone hacked Suvid’s machine
  2. Suvid’s password has expired
  3. Suvid broke the law
  4. Suvid made the manager angry

Ans: The most likely reason why Suvid is prompted to reset the password when attempting to log in to the production environment is because Suvid’s password has expired.

Justification:

  • Suvid’s password has expired: Many systems and organizations enforce password expiration policies to enhance security. When a user’s password reaches its expiration date, the system requires the user to reset it before allowing further access. This ensures that passwords are regularly updated and reduces the risk of unauthorized access due to compromised passwords.
  • Someone hacked Suvid’s machine: While this is a possibility, it is less likely the reason for the prompt to reset the password. Password expiration is a standard security practice and a more common reason for such prompts.
  • Suvid broke the law: There is no information in the scenario to suggest that Suvid has broken the law. Password expiration policies are typically organizational security measures rather than legal matters.
  • Suvid made the manager angry: This is unrelated to the technical reason for the password reset prompt. Managerial issues do not typically lead to password reset prompts unless specified as part of organizational policy, which is less common.

Q6: Prina is a database manager. Prina is allowed to add new users to the database, remove current users, and create new usage functions for the users. Prina is not allowed to read the data in the fields of the database itself. This is an example of:

  1. Mandatory access controls (MAC)
  2. Role-based access controls (RBAC)
  3. Alleviating threat access controls (ATAC)
  4. Discretionary access controls (DAC)

Ans: This scenario is an example of discretionary access controls (DAC).

Justification:

  • Discretionary access controls (DAC): DAC allows the owner or administrator of a resource (in this case, the database manager Prina) to determine who has access to the resource and what permissions they have. Prina, as the database manager, has the discretion to add new users, remove current users, and define usage functions for users. However, Prina does not have permission to read the data in the fields of the database itself. This setup aligns with DAC because access decisions are at the discretion of the resource owner (Prina) based on her role and responsibilities.
  • Mandatory access controls (MAC): MAC is a security model where access decisions are based on security labels assigned to subjects (users) and objects (resources) by a centralized authority. MAC is typically used in environments where sensitivity levels of data are critical, and access is strictly controlled based on these labels, rather than at the discretion of the resource owner.
  • Role-based access controls (RBAC): RBAC is a method of restricting system access based on the roles of individual users within an organization. While Prina’s permissions are based on her role as a database manager, the specific restrictions on reading data fields are more aligned with discretionary rather than role-based controls.
  • Alleviating threat access controls (ATAC): This term does not commonly appear in standard access control models or frameworks. It does not accurately describe the access control mechanism described in the scenario.

Q7: Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that operational managers have the utmost personal choice in determining which employees get access to which systems/data. Which method should Handel select?

  1. Mandatory access controls (MAC)
  2. Security policy
  3. Discretionary access controls (DAC)
  4. Role-based access controls (RBAC)

Ans: Handel should select discretionary access controls (DAC).

Justification:

  • Discretionary access controls (DAC): DAC allows the owner or administrator of a resource (in this case, operational managers) to have the discretion or personal choice in determining who has access to which systems or data. This aligns with Handel’s goal of giving operational managers the flexibility to decide access permissions based on their understanding of their team’s needs and responsibilities.
  • Mandatory access controls (MAC): MAC is a security model where access controls are determined by a central authority based on security labels assigned to subjects and objects. It does not provide the flexibility and personal choice that Handel wants operational managers to have.
  • Security policy: While a security policy is crucial for defining the overall security objectives and requirements of the organization, it does not directly specify the method of access control (such as DAC, MAC, or RBAC). It guides how access controls should be implemented and enforced.
  • Role-based access controls (RBAC): RBAC assigns access permissions to users based on their roles within the organization. While RBAC provides a structured approach to managing access based on predefined roles, it may not give operational managers the utmost personal choice that Handel desires.

Q8: Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees transferring from one department to another, getting promoted, or cross-training to new positions can get access to the different assets they’ll need for their new positions, in the most efficient manner. Which method should Handel select?

  1. Barbed wire
  2. Role-based access controls (RBAC)
  3. Mandatory access controls (MAC)
  4. Discretionary access controls (DAC)

Ans: Handel should select Role-based access controls (RBAC).

Justification:

  • Role-based access controls (RBAC): RBAC is designed to manage access based on the roles of individual users within an organization. It allows organizations to assign permissions to users based on their roles, rather than on an individual basis. This aligns well with Handel’s goal of ensuring efficient access management for employees moving between departments, getting promoted, or cross-training to new positions. With RBAC, access can be easily adjusted or granted based on the roles employees assume, streamlining the process and ensuring that individuals have appropriate access to the assets needed for their new roles.
  • Barbed wire: Barbed wire is a physical security measure and not related to access control methods for IT systems.
  • Mandatory access controls (MAC): MAC involves assigning access based on security labels and is typically more rigid and less flexible than RBAC. It may not facilitate the efficient adjustment of access rights needed for employees transitioning between roles.
  • Discretionary access controls (DAC): DAC allows resource owners to determine access permissions based on their discretion, which may not be as efficient or scalable as RBAC when managing access across departments and roles.

Q9: Handel is a senior manager at Triffid, Inc., and is in charge of implementing a new access control scheme for the company. Handel wants to ensure that employees who are assigned to new positions in the company do not retain whatever access they had in their old positions. Which method should Handel select?

  1. Discretionary access controls (DAC)
  2. Role-based access controls (RBAC)
  3. Mandatory access controls (MAC)
  4. Logging

Ans: Handel should select Role-based access controls (RBAC).

Justification:

  • Role-based access controls (RBAC): RBAC allows organizations to assign access permissions to users based on their roles within the organization. When an employee moves to a new position, their access privileges can be adjusted by assigning them new roles that are appropriate for their new responsibilities. This ensures that they only have access to the resources necessary for their current role, and their previous access permissions are revoked or modified accordingly.
  • Discretionary access controls (DAC): DAC allows resource owners to determine access permissions based on their discretion. While DAC provides flexibility, it may not be as effective in ensuring that access is promptly revoked or updated when employees change positions.
  • Mandatory access controls (MAC): MAC assigns access permissions based on security labels and is typically more rigid and less flexible than RBAC. It may not provide the granularity needed to manage access based on changing job roles within an organization.
  • Logging: Logging is not an access control method but rather a security measure for recording events and activities. While logging is important for auditing and monitoring access, it does not directly address the issue of controlling access permissions when employees change positions.
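Q8 and Q9 make two claims about RBAC: that a transfer is handled by swapping roles rather than editing individual permissions, and that the swap removes whatever the old position granted. The short model below is an added example for this page, not code from the original post; the role names and permission strings are constructed, and the `db_manager` role is shaped after Prina in Q6 (user administration without `db:read`). It computes which permissions a transfer gains and loses so the revocation can be checked rather than assumed.

```python
# Constructed role catalogue: each role maps to the permissions it confers.
ROLE_PERMISSIONS = {
    "db_manager": {"db:add_user", "db:remove_user", "db:create_function"},
    "analyst": {"db:read"},
    "hr_clerk": {"hr:read", "hr:update"},
}


class Rbac:
    """Minimal role-based access control: users hold roles, roles hold permissions."""

    def __init__(self, role_permissions):
        self._roles = role_permissions
        self._assignments = {}  # user -> set of role names

    def assign(self, user, role):
        if role not in self._roles:
            raise KeyError(f"unknown role: {role}")
        self._assignments.setdefault(user, set()).add(role)

    def permissions(self, user):
        """Effective permissions are the union of every assigned role's permissions."""
        return set().union(*(self._roles[r] for r in self._assignments.get(user, ())))

    def can(self, user, permission):
        return permission in self.permissions(user)

    def transfer(self, user, new_roles):
        """Move a user to a new position by replacing (not adding to) their roles.

        Returns (gained, lost) permission sets so the change can be audited; a
        non-empty `lost` set is the evidence that old-position access was revoked.
        """
        for role in new_roles:
            if role not in self._roles:
                raise KeyError(f"unknown role: {role}")
        before = self.permissions(user)
        self._assignments[user] = set(new_roles)
        after = self.permissions(user)
        return after - before, before - after


def demo():
    """Prina starts as a database manager, then transfers to HR."""
    rbac = Rbac(ROLE_PERMISSIONS)
    rbac.assign("prina", "db_manager")
    gained, lost = rbac.transfer("prina", {"hr_clerk"})
    return {
        "before_could_read_db": False,  # db_manager never carried db:read (Q6)
        "gained": sorted(gained),
        "lost": sorted(lost),
        "still_has_db_access": rbac.can("prina", "db:add_user"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The property worth checking in a real deployment is the one `transfer` returns: after a move, the set of permissions the user lost should equal everything the old role granted that the new role does not. Privilege creep is exactly the case where `lost` comes back empty because roles were added instead of replaced.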

Q10: What term refers to the logical address of a device connected to the network or Internet?

  1. Internet Protocol (IP) address
  2. Media access control (MAC) address
  3. Terminal address
  4. Geophysical address

Ans: The term that refers to the logical address of a device connected to the network or Internet is Internet Protocol (IP) address.

Explanation:

  • Internet Protocol (IP) address: An IP address is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. It serves two main purposes: identifying the host or network interface and providing the location of the device in the network topology.
  • Media Access Control (MAC) address: A MAC address is a unique identifier assigned to network interfaces for communications on the physical network segment. It operates at the data link layer of the OSI model and is used for local network communication.
  • Terminal address: This term is not commonly used to refer to the address of a device connected to a network or the Internet.
  • Geophysical address: This term typically refers to a physical address associated with geographical location, which is not directly related to network or Internet addresses.

_______________________________

Read more

ISC2: Cybersecurity Certifications Exam QA: Part1

ISC2: Cybersecurity Certifications Exam QA: Part2

ISC2: Cybersecurity Certifications Exam QA: Part3

ISC2: Cybersecurity Certifications Exam QA: Part4
