1.

-Paul has been handed two different Smart cards and is told that one is a combicard and one
is a hybrid card. What is the difference between two?

-Both can work as a contact or a contactless card. A hybrid has two chips and a combi card has
one chip

2.-what needs to take place for an environment using XTACACS to be compatible with an
environment using TACACS+?

-There is no interoperability between them. They are two totally different protocols

3.-Which type of access control model allows data owners to be the ultimate source for
determining access to system resources?

-Discretionary

4.-Todd has been asked by the security officer to purchase a counter based authentication
system. Which of the following best describes what this type of system is?

-An authentication system that creates one-time passwords that are encrypted with secret keys

5.-What is a land attack and what type of IDS can identify it based on its platteland not
behavior?

-Header has the same and destination address and can be identified by asignarute-based IDS

6.-Of the following choices, which best ensures user accountability for actions taken within a
system or domain?

-Authentication

7.-Which of the following statements about biometrics is not true?

-Users can be authenticated by what they know

8.-Identify the incorrect mapping for biometric devices

-Physiological=signature dynamics

9.-Which of the following is not an important characteristic of creating and maintaining user
identification information?

-Use the first initial of the firs name and all of the last name for accountability

10.-Shoose which of the following has an incorrect mapping

-Recovery- Restore conditions to unusual

11.-Windows and most linux and unix systems are based on the DAC model. Which of the
following is not true pertaining to the permissions that can be granted?

-change allows a user to read and write only

12.-Which of the following is UNTRUE of a database directory based on the X.500 standard?

-The unique identifiers are called fully qualified names.

13.-An online banking program may allow a customer to view his account balance, but may not
allow the customer to transfer money until he has a certain security level or access right. What
type of access control is being used?

-Transaction

14.-Passwords serve many purposes. What is their primary purpose?

-Authenticate users

15.-which provides the best authentication?

-what a person has and knows

16.-what would be a good reason for the use of thin clients for a company that wants to
implement stronger access control?

-Limits user to the functions and capabilities of a secured operating system

17.-If a company has a high turnover rate, which access control structure is best?

-Role-based

18.-What type of operating parameter can an administrator set that would lock out a user after
so many failed attempts at logon?

-Clipping level

19.-Which of the following does not describe a synchronous token device?

-Challenge-based

20.-what is the purpose of clipping levels?

-To set allowable thresholds on a reported activity

21.-How does the Diameter protocol provide more security than RADIUS?

-Diameter has been developed to work directly with TLS and IPSec.

22.-When purchasing a biometric system, one of the considerations that should be reviewed is
the processing speed. Which of the following best describes what it is meant by processing?

-When an individual provides identification and authentication information and the amount of
time it takes to either be accepted or rejected

23.-What is the difference between a session and a permanent cookie?

-Session cookies are stored in memory and permanent cookies are stored on the hard drive

24.-Yourr biometric system has been known to accept imposters. This is known as which type of
error?

-Type II

25.-Tom’s company managers may be able to access an employee folder, but there needs to be
detailed access control that indicates, for example, that they can access customers’ home
addresses but not social security numbers. What type of access control should tom
implement?
-Privacy

26.-which of the following choices is not a two-factor authentication?

-A password and something you know

27.-Jean is an internal auditor who consistently uses the audit logs of various network systems
to produce reports. And e-mail to the VP of IT, she stresses how important it is that proper
protection controls are put in place to protect the audit logs. Of the justifications listed below,
which is the weakest?

-Unapproved changes to audit logs hurt the consistency and efficiency of automating reporting.

28.-A digital identity is made up of attributes, entitlements, and traits. Which of the following
has the incorrect mapping when considering these identity characteristics?

-None of the above

29.-John has noticed some unusual activities in his company’s logs. There have been several
outgoing authentication attempts in the format of “www.msn.com@notmsn.com” what type
of activity could this indicate?

-Phishing

30.-how are smart cards and memory cards functionally different?

-Memory cards store but do not process information while smart cards can process information

31.-Traditional access control process uses all but which of the following?

-Provisioning

32.-Diane, Kris and Kathy are IT managers who all report to the division VP, Marge Diane’s
group handles all firewall administration tasks. Kris’s group handles user accounts, and Kathy’s
group manages help desk support. No one from Diane’s group can do the tasks that Kris and
Kathy’s groups do. The same can be said for Kris and Kathy’s people. What security control is
marge enforcing?

-Separation of duties

33.-Joe is a manager over the e-commerce capabilities and technologies within his company.
His boss has recently told him that the company is going to partner with another company and
that customer entitlements need to be able to transparently transverse the different networks.
What type of technology does Joe need to implement for this type of functionality?

-Federated identification systems

34.-An attack that specifically deals with timing is which of the following?

-Asynchronous attack

35.-“Subjects can access resources in domains of equal or lower trust levels.” This is an assay
sentence, but a difficult concept for many people to really understand. Which of the following
is not an example of this concept?

-A quest account has access to all administrator accounts in the domain

36.-How is a challenge-response protocol utilized with token implementations?

-An authentication service generates a challenge, and the smart token generates a response
based on the challenge.

37.-What is the relationship between an IDS event generator, sensor, and response module?

-The sensor receives raw data from the event generator, compares it to a database, and
response module dictates the response activity

38.-What role does biometrics play in access control?

-Authenticity

39.-Which of the following term describes the creation, maintenance, and deactivation of user
objects and attributes as they exist in one of more systems, directories, or applications, in
response to business processes?

-User provisioning

40.-Tom has led a research group in deciding upon the type of access control that should be
used in the product their company is planning to develop. Which of the following is the best
reason why the group decided upon rule-based?

-It allows for access decisions to be based on complex situations

41.-what is the reason for enforcing the separation of duties?

-no one person can complete all the steps of a critical activity

42.-fact of opinion-based passwords are referred to as:

-Cognitive passwords

43.-which of the following best describes the difference between content and context access
control?

-Content access control is based on the sensitivity of the data and context access control is
based on the prior operations.

44.-which of the following is not used to control the “leakage” of electrical signals?

-Mandatory control

45.-when a system officially permits access to a file or a program, what is ir doing?

-Authorizing

46.-RADIUS and TACACS+ work in a client/server model and Diameter works in a peer to peer
model. What is the benefit of using this peer to peer model?

-Allows for the server to request another credential set from the user

47.-which of the following statements correctly describes biometric methods?

-They are the most expensive and most secure

48.-Media sanitization and destruction prevent_______.

-Object reuse

49.-Which of the following is a proper match for the type of IDS and the type of attack it is best
suited to uncover?

-Protocol anomaly IDS – brand new service on the network

50.-John needs to be able to use an access control technology that enforces the following rules;
if the user is accessing the system between Monday and Friday and between 8AM and 5PM
and if the user’s security clearance equals or dominates the object’s classification, and if the
user has the necessary need to know, then the user can access the object. What type of access
control technology does John need to implement?

-Rule-based

51.-George is responsible for setting and tuning the thresholds for his company’s behavior-
based IDS. Which of the following outlines the possibilities of not doing this activity properly?

-If the threshold is set too low, non-intrusive activities are considered attacks (false positives). If
the threshold is set too high, then malicious activities are not identified (dales negatives).

52.-Which access control policy is enforced when an environment uses groups?

-Role-Based

53.-Reviewing audit logs is an example of which security function?

-Detective

54.-A password is mainly used for what function?

-Authentication

55.-some protocols and products are referred to as stateful. What does “state” actually mean
and what does it mean to call a product or protocol stateful?

-State is a snapshot of a systems status, and stateful means that a product or protocol
understands and can keep track of the state transitions.

56.-How does RADIUS allow companies to centrally control remote user access?

-Once a user is authenticated a pre-configured profile is assigned to him, which outlines what
he is authorized to do within the network.

57.-if Jan chooses a product based upon this type of technology, how would the objects in the
database be uniquely identified and addressed?

-Distinguished names.

58.-which diametric mechanism identifies an individual by electrical signals that are emitted by
a person’s physical movement?

-signature dynamics

59.-what are the purposes of Attribute value pairs and how do they different from RADIUS and
diameter?
-AVPs are the constructs that outline how two entities will communicate. Diameter has many
mode AVPs, which allow for the protocol to have more capabilities than RADIUS

60.-the security administrator has been told that there is some suspicious activity that is taking
place on three of the company’s workstations. He has been instructed to review the type of
ICMP traffic that is being allowed through the ingress routers. Why would he be told to look at
this specifically?

-Backdoor communication

61.-which of the following is not a true statement about viruses?

-number one objective is to take up system resources

62.-the type of token device that employs a challenge response mechanism is which of the
following?

-Asynchronous

63.-Security domains are critical construct’s in a physical network and within a logical
environment, as in an operating system. Which of the following best describes how addressing
allows for isolation?

-In a network domains are isolated by using subnet mask and in an operating system domains
can be isolated by using memory addresses.

64.-There are several examples of single sign-on technologies. Which of the following has the
correct mapping of technology type and characteristic?

-I, II, III, IV

65.-spoofing can be described as which of the following?

-Pretending to be someone or something else

66.-Verification that the user’s claimed identity is valid is a form of:

-Authentication

67.-what is a phishing attack and how is it commonly carried out?

-Identity theft scheme that takes place through e-mail and a bogus web site.

68.-In discretionary access control security, who has delegation authority to grant access to
data?

-Owner

69.-what determines if an organization is going to operate under a discretionary, mandatory, or

nondiscretionary access control model?
-Security policy

70.-why are biometric systems considered more accurate than many of the other types of
authentication technologies in use today?

-they are harder to circumvent than other mechanisms

71.-Two companies need to exchange data between the company databases. Both
organizations use different database management systems that do not support direct
communications or replication. One company will need to export the data from its database
and provide it to the other in a way that is consumable by the other company. These
companies should ensure that their database management software supports which of the
following?

-Extensible markup language

72.-which centralized access control authentication is also an adoptedrnet standard?

-RADIUS

73.-Of the following choices, which would be the best password?

-t1me4phUn

74.-Sarah is the security officer for her organization and must be concerned about the many
types of threats that exist. She has been told that there have been attempts by external entities
to access resources in an unauthorized manner through the organization’s legacy modems.
Which of the following controls should Sarah ensure that her team implements?

-I, II, III, IV

75.-which of the following is not an advantage of a centralized access control administration?

-Flexibility

76.-Jack has submitted his physical security program solutions to management for approval.
One of the responses to his submission was that the company could not afford to employ
security guards as he recommended. What type of control should jack look at implementing?

-Compensating

77.-Watchdog functionality can be used in AAA protocols. Which of the following best
describes its purpose?

-Detects process failure

78.-which of the following is not a logical access control?

-ID badge

79.-which could be considered a single point of failure within a single sign-on implementation?

-Authentication server
80.-A rule-based IDS is a newer and more sophisticated IDS. Which of the following is not a
characteristic of this type of security mechanism?

-knowledge is represented as data and facts are used to analyze the data

81.-which of the following issues deal with reassigning to a subject media that previously
contained one of more objects?

-Object reuse

82.-Determining what a user can access based on the data, not the subject’s identity, is called:

-Content-based

83.-host-based intrusion detection systems (IDS) mainly utilize which of the following to
perform their analysis?

-Audit logs and system files

84.-Batch files and scripts should be stored in a protected area. Why is this?

-they may contain credentials

85.-of the following access control models, which one requires defining classification for
objects?

-Mandatory access control

86.-what do tickets allow within a Kerberos environment?

-permits a subject to access an object

87.-what is authorization creep and what is the best defense against it?

-employees continually being given more rights and permissions. The best countermeasure is
to continue to review employees need to know.

88.-Denial-of-service attacks are common tactics used by hackers to affect the service
capabilities of companies’ computer systems. Often times, they are brought forward by
competing companies. Which attack below would not be considered a DoS attack?

-Main-in-the-middle

89.-Because identification is critical to the issue of accountability, companies should follow

strict guidelines. Which would not be considered a good practice in implementing identification
access control?

-IDs should be job descriptive

90. - which of the following statements correctly describes passwords?

-they are the least expensive and least secure

91.-which of the following is not a form of identification?

-token device
92.-it was uncovered that several attacks on a company’s network have been successful. The
manager was told that this is because anomaly scores were set improperly and most likely too
low. What does this information pertain to?

-the behavioral IDS system was not properly tuned

93.-which of the following is the best approach to validate the continued need for a user to
have privileged access system resources?

-Periodic review and re-certification of privileged user needs

94,-which of the following is not a weakness of Kerberos?

-More and more products are beginning to support it

95.-unix and linux systems use salts when storing passwords. Which of the followings a true
statement pertaining to the use of salts?

-the use of different salts means that the same password could end up indifferent doormats

96.-John is moving his company’s network from traditional configuration to aswitched

environment. How does this affect the company’s IDS?

-network IDS sensors cannot access traffic on port to port communication

97.-which of the following describes the discrepancies in the following statement? “a TCP
connection, the sender sends an SYN packet, the receiver sends an ACK, and then the sender
acknowledges that packet with an ACK packet”

-The receiver sends a SYN\\ACK

98.-Password management could be classified as a:

-Preventive control

99.-a table of subjects and objects indicating what actions individual subjects can take upon
individual objects is called a:

-access control matrix

100.-the process of identifying an individual by the unique blood-vessel pattern on the back of
this eyeball is called?

-Retina scan

101.-companies that practice “separation of duties” force two or more employee’s to carry
out________in order to carry out fraud. Lisionlusion

-collusion

102.-which of the following is the best definition for equal error rate (EER)?

-type I error equals type II error

103.-Buffer overflows happen because:

-the length of the data is not checked at time of input

104.-which of the following is not a way that clients can authenticate to servers in a
client\\server model?

-MS-Password Authentication Protocol (MS-PAP)

105.-what does authentication mean?

-validating a user

106.-if a company needs to ensure it detects all known attacks, what technology should it
implement?

-Signature-based IDS

107.-At work Joan’s two network engineers are in a passionate debate over the value of a soft
token versus a hard token device. Which of the following best describes a page 2 cess troll-
P2.txt soft token?

-Software that creates one-time passwords

108.-there has been more of a movement towards role-based access controls in products. This
model gained acceptance in the 1990s and has recently been integrated into products more
because of which of the following?

-it is difficult to assign each and every user the exact level of access

109.-which of the following is the best definition of a security domain?

-a domain that is managed by the same group using the same security policy

110.-Chrissy is a new employee at a coffee shop. She meets three other co-workers on her first
day. Since they all work different shifts, sometimes opening the store and sometimes closing
the store, they have been given the store security code. Chrissy asks her boss if she will get the
code, and her boss says “No, you won’t need it because you’re working the mad-day shift”
what security principle is the coffee shop manager implementing?

-Least privilege

111.-Most operating systems and applications allow for administrators to configure the data
that will be captured in audit logs for security purposes. Which of the following is the least
important item to be captured in audit logs?

-system performance output data

112.-which item is not a part of a Kerberos authentication implementation?

-Message authentication code

113.-which of the following is not a characteristic of a counter-based token device?

-it shares a secret key with the authentication service

114.-what is the main drawback to using simple sign-on?

-if a password is disclosed, maximum unauthorized access would be possible

115.-of the following choices, which is not a denial-of-service attack?

-zone transfer

116.-which of the following is not a result of a penetration test?

-modify access control permissions

117.-if a company is going to be keyboard monitoring to monitor their employees they need to
do all but which of the following?

-Employees should be given the right to accept or refuse this type of activity

118.-RADIUS is a protocol that has been used for many years for centralized remote access
control. Which of the following properly explains a traditional RADIUS architecture?

-user is a client to the access server and the access server is a client to the RADIUS server
communication cannot go directly from the user to the RADIUS server.

119.-Paul needs to implement e-mail filters that look for specific string, such as “confidential”
and “social security number” what type of controls would this type of filter be implementing?

-content

120.-a program that receives too much data so that it cannot execute instructions properly has
been exploited by a _________ attack.

-buffer overflow

121.-Doug, the security officer, has been told by his manager that the people should not be
accessing the company’s servers during the weekend. What type of solution should Doug
implement?

-Anomaly-based IDS

122.-which of the following is not an example of a capability?

-ACL

123.-Kathy has been asked to give the senior management a briefing on the different security
technologies that are deployed in the environment. Which of the following is an incorrect
characteristic of statistical anomaly-based IDS?

-a technology that uses if/then programming

124.-an attack that changes the source IP address a ICMP ECHO request packet so it appears as
though it came from the victim and is broadcasted to an amplifying network can be called all of
the following except:

-tunneling

125.-Diane has to brief her CIO on the best product and protocol to use for the company’s
centralized remote access control technology. Which of the following are true statements
pertaining to the more appropriate use of TACACS+ versus RADIUS?

-RADIUS is best if an environment only needs simplistic username/password authentication

and TACACS+ is better for environments that require more complex and tighter control.

126.-categories within a security label are used to enforce which of the following?
-need to know

127.-what is the difference between a pharming attack and phishing attack?

-pharming involves DNS poisoning and phishing involves social engineering

128.-John has been told that he needs to implement host IDS software to ensure that the host
files on systems are not modified. What type of attack would this beat tempting to thwart?

-pharming

129.-what component of Kerberos helps mitigate replay attacks?

-authenticator

130.-privilege attribute certificates (PACs) are used in what single sign-on technology?

-SESAME

131.-syskey is a technology provided and used in Microsoft windows environments. What is

syskey and what is its importance?

-it is a utility that can be used to encrypt the database that holds all of the systems, or
networks, passwords

132.-tom is setting up computers at a trade show for his company’s booth. The computers will
give customers’ the opportunity to access a new product but will also take them onto a live
network. Which control would be the best fit to offer the necessary protection from public
users gaining privileged access?

-constrained user interface

133.-one of the following is not an example of a domain. Choose the correct answer

-ACLs, firewalls, security kernel

134.-which of the following administrative controls is not considered detective?

-separation of duties

135.-what is a salt and what is it used for in a linux or unix system?

-a salt is a value that is used to encrypt passwords before they are stored in the registry

136.-paul has been asked to evaluate implementing soft tokens across the enterprise. What
exactly are soft tokens?

-one-time password generators that reside in software

137.-which of the following is used to validate a user’s identity with a confidential number?

-PIN

138.-which of the following is not true of Kerberos?

-it is a proprietary protocol

139.-which of the following are used in an attack detected by an IDS?

-a signature-based ID or a statistical anomaly-based ID

140.-Sam has to lay out his company’s IDS schematic. The VPN connections stop at the security
gateway and there are three SSL connections that take place for the gateway to the database,
web server, and file server. Which is the best implementation for this environment?

-NIDS in all segments that need to be monitored and a HIDS on at least the database, web
server, and file server

141.-how are access control lists (ACLs) and capability tables different?

-access control lists are object-based, and capability tables are subject-based

142.-which of the following has an incorrect definition?

-Detective-helps authorize an incident’s activities

143.-tom needs a AAA solution that ensures that he does not need to maintain a remote access
server database of remote user credentials and a database within Active Directory for local
users. What technology should Tom implement within his environment?

-RADIUS

144.-how can logging play a role in stopping security breaches in a system?

-logging is the activity of collecting system information that will be used for monitoring and
auditing to enable early detection of security problems

145.-what important variable is used when evaluating the effectiveness of biometric systems?

-CER

146.-As Hamid is reviewing IDM products and their specific characteristics, his boss calls him
and tells him that the product also needs to allow for externally controlled access for the
company’s e-commerce operations. What functionally does Hamid need to ensure is part of
the product he purchases?

-web access management

147.-within a windows environment, what is the relationship between a SAM and syskey?

-the security accounts management database contains all of the hashed versions of users
passwords and syskey encrypts the entire SAM database

148.-what is the difference between separation of duties compared to rotation of duties?

-separation of duties is a preventive protocol, and rotation of duties is a detective control

149.-the Kerberos technology has some issues that need to be understood before page 7cess
troll-P2.txt implementation. Which of the following are issues pertaining to ketberos?
-I, II, III, IV

150.- which of the following is an example of preventive-physical access control?

-locking laptop docking stations

151.-which of the following has the correct definition mapping?

-I, II, III, IV

152.-what is access control?

-security features that control how users and systems communicate and interact with other
systems and resources

153.-which implements mainly access control matrixes?

-discretionary

154.-two types of contact less smart cards are available which are the hybrid andcombi. Which
of the following best describes their differences? Page 4access troll-P2.txt

-the hybrid card has two chips, with the capability of utilizing both the contact and contactless
formats. A combi card has one microprocessor chip that can communicate to contact or
contactless readers.

155.-which exploit builds its attack around “half-open” connections?

-SYN flooding

156.-each distinguished name (DN) in an LDAP directory represents a collection of attributes

about a specific object, and is stored in the directory as an entry. DNsare composed of mon
name (CN) components which describe the object, and Domainponents (DC) which describe
the domain in which the object resides. Which of the following makes the most sense when
constructing a DN?

-cn=Shon Harris, dc=LogicalSecurity, dc=com

157.-tom’s environment has RADIUS servers that authenticate remote users before being
allowed access to network resources. He has been asked for a solution to allow for
authentication of the employee’s smart phones, which cannot work with RADIUS. Tome needs
a AAA protocol that is designed for cell phone usage. What type of solution should tome
suggest?

-Diameter

158.-John is an engineer within company ACME. He has been told by his boss, the security
officer has he must implement a tool that he can use to perform deep analysis on captured
network traffic that has been flagged as suspicious. What type of tool should John put into
place?

-Protocol analyzer

159.-which access control method is user-directed?

-Discretionary

160.-what is the main difference between IDS and IPS?

-preventative versus detective

161.-a server with open ports placed within a network to entice and attacker is called:

-honeypot

162.-microprobing is an attack that would most likely be targeted towards which of the
following?

-smart card

163.-which of the following biometric technologies is considered the most accurate?

-iris

164.-Recently passed over for an executive promotion, carol is anxious to hear about a major
company announcement which will most likely reveal the new hire.

-dumpster diving

165.-RADIUS is considered an open protocol, which means what?

-RADIUS is now a standard that is outlined in RFC 2138 and RFC 2139. Any vendor can follow
these standards and develop the protocol to work within their product

166.-Jane is responsible for enrolling out her company’s IDS product.

-Overwhelmed sensors

167.-If John books his flight on southwest, the web site asks him if he wants to also book a
hotel room.

-Federated identity

168.-which of the following attacks requires the least amount of skill?

-shoulder surfing

169.-kevin changes his e-mail header so that Kim thinks his message is coming from an IT
administrator who is asking for her private account information.

-Passive

170.-Dan is a senior manager within the security department of his company.

-PARB

171.-the XYZ company was attacked by an entity who was authorized to access system
resources but
-an inside attack

172.-hamid is reviewing identity management (IDM) products for his company’s environment.

-meta-directory types

173.-which of the following is a true statement pertaining to the different type of smart cards
and their characteristics?

-a contactless smart card has an antenna and communicates to the reader through radio waves

174.-RADIUS and TACAS+ have several different characteristics from each other. Which of the
follow answers best describes theses?

-TACACS+ uses TCP and encrypts all data between the client and the server

175.-which of the following are correct characteristics of anomaly-based IDSes?

-III, IV, V

176.-An access control model should work mainly in a ___________manner.

-Preventive

177.-Access controls that five subjects and objects a range of upper and lower bound
capabilities are called:

-Lattice-based

178.-Joe is a member of both the cashier and cashier supervisor roles.

-dynamic separation of duty

179.-Charlie is a hacker who has managed to plant a software agent on Steve’s computer and
has uninterrupted access to it.

-zombie

180.-Joe is the manager of the network administration group.

-guards

181.-Tim is purchasing a smart card solution for his company.

-corruptive

182.-Jan needs to be able to structure the company’s network resources in a hierarchical

manner

-X500 directory

183.-which of the following is a true statement pertaining to TACACS, XTACACS, and TACACS+?
-TACACS+ allows for two factor authentication and dynamic password

184.-Acme has the choice of rolling out products that are based on DAC, MAC, or RBAC models.

-DAC

185.-Steven’s staff has asked for founding to implement technology that provides MobileIP.

-employees can move from one network to another

186.-what is another name for a dynamic password?

-one-time password

187.-an accurate picture of the use and acceptance of biometrics is:

-very expensive not well received by society, and highly accurate

188.-How is Kerberos a single sign-on technology?

-the user enters his credentials one time and obtains a TGT. The user uses the TGT each time he
needs to communicate to a network resource

189.-one way to limit connections to a system is by calling back the number of a previously
authorized location.

-callback system

190.-capability table are bound to what?

-subjects

191.-the ACME tile company needs to allow its partner companies to interface and passer vice
request

-service provisioning markup language

192.-which of the following is not a single sign-on access approach

-discretionary

193.-what is derived from a passphrase?

-virtual password

194.-there are different types of biometric systems in the industry today.

-a system that uses physical attributes provides more accuracy than one that uses behavior
attributes

195.-tim is a member of management and has just been notified that two sniffer tools have
been identified on the network.

-the tools were probably installed by the engineer to identify legitimately suspicious activities,
but should be a concern

196.-what would be a common access control technique used in firewalls and routers for
processing packets?

-rule-based access control

197.-Although terms within access control are sometimes used interchangeably,

-authorization=Verifies a user’s identity and authentication

198.-what type of attack attempts’ all possible solutions?

-brute force

199.-when determining what biometric access control system to buy,

-deporting capabilities

200.-single sign-on systems have a main strength and main weakness.

-users do not need to remember multiple passwords, but access to many systems can be
obtained by cracking only one password, making it less secure

201.-and old laptop used by a network technician has many device

-data remanence

202.-you are looking to implement an access control on your systems resources. The steps of
your access control model should follow which logical flow?

-identification, authentication, authorization

203.-which of the following best describes the architecture of a Kerberos authentication

system?

-an architecture with a central server that issues tickets to allow one principal (for instance, a
user) to authenticate themselves to another (such as a server)

204.-which matches the following definition,

-micro probing

205.-which of the following is not a benefit of the diameter protocol?

-increases customer cost because of the different policy servers that must be maintained

206.-all of the following are technical controls except:

-testing

207.-a passphrase is turned into a virtual password, but what exactly is a virtual password?

-the length and format that is required for a specific system or application

208.-which of the following is a correct definition mapping?

-I, II, III

209.-what is the reason that Kerberos and SESAME, among other products,

-interoperability
210.-which of the following is not an example of a preventive physical access control?

-passwords

211.-stephanie is a recently hired manager at a large financial organization.

-privacy

212.-yout office is implementing an access control policy based on decentralized

administration,

-it puts access control into the hands of those most accountable for the information, but leads
to inconsistencies in procedures and criteria

213.-the study and controls of spurious electrical signals

-TEMPEST

214.-since 9/11, airport parking

-a physical control

215.-cristine is part of the management team in her company. She has been asked

-entrapment issues

216.-which of the following is not included in the classic ways of authenticating a user?

-something you control

217.-bob has been concerned about potential

-execution of JavaScript

218.-administrative controls include all but which of the following?

-audit trails

219.-you are trying to implement a strong authentication system.

-something you have and something you know

220.-monica is the IT director of a large printing press

-reduce the clipping level

221.-of the following choices, which of one is something that instruction detection

-a preventive control

222.-which of the following is not a physical access control?

-Host-based IDS

223.-most Kerberos implementations use an authenticator

-principal identification and a time stamp encrypted with a shared session key. It is used to
authenticate the requesting principal and is a countermeasure against replay attacks.

224.-TACACS+ provides what type of access

-centralized

225.-bob needs to implement role-based access control

-Non-RBAC

226.-Hamid is reviewing different

-Self-service password reset

227.-which of the following is not considered a AAA protocol?

-SESAME

228.-Choose the following answer that has the correct definition for False Rejection Rate

-False rejection rate is the amount of authorized users who were improperly rejected and the
false acceptance rate is a type II error

229.- Sam is a software developer and has recently gone

-processing sequencing can be manipulated

230.-which of the following is not a necessary characteristic of a Kerberos implementation?

-cohesive

231.-which of the following is least important to be included

-access control in place

232.-the process of mutual authentication involves ______.

-a user authenticating to a system and the system authenticating to the user

233.-to properly enforce access control within environment,

-I, III, IV

234.-under which of the following models are rights implicitly

-RBAC

235.-the appropriate default level for an access control mechanism is?

-no access

236.-what type of control is auditing?

-technical

237.-something you know, something you have

-authentication
238.-writing company security policy is what type of control?

-administrative

239.-larry is in a management role with his organization. He has to decide on the type of
information

-identity theft