Security+ 2.4 Access Control Best Practices
Terms in this set (12)
2.4.1 Which type of media preparation is sufficient for media that will be reused in a different security context within your organization?
A-(correct) Sanitization; process of cleaning a device by having all data remnants removed; necessary b/c deleting, overwriting, and reformatting (even many times) doesn't remove all data
B-(incorrect) Destruction; used for media that has reached the end of its useful lifetime
D-(incorrect) Formatting; typically sufficient for media that will be reused w/in the same security context
2.4.2 Which of the following is an example of privilege escalation?
A-Separation of duties
D-Principle of least privilege
A-(incorrect) Separation of duties; countermeasure against privilege escalation
B-(correct) Creeping privileges; happen when a user's job changes & they are granted new privileges, but old ones aren't removed; so, they accumulate privileges over time that they don't have to have
C-(incorrect) Mandatory vacations; used to perform peer reviewing; requires cross-training personnel & detects mistakes & fraud
D-(incorrect) Principle of least privilege; countermeasure against privilege escalation
2.4.3 Which security principle prevents any one administrator from having sufficient access to compromise the security of the overall IT solution?
A-Separation of duties
B-Principle of least privilege
C-Need to know
D-Dual administrator accounts
A-(correct) Separation of duties; security principle that no single user is granted sufficient privileges to compromise the security of an entire environment; usually by dividing administrative duties amongst several admins
B-(incorrect) Principle of least privilege; users should have minimal access necessary to perform their work tasks
C-(incorrect) Need to know; access control tool used in mandatory access control environments to implement granular control over access to segmented classified data
D-(incorrect) Dual administrator accounts; policy of ensuring each admin has privileged level account and normal user level account
2.4.4 By assigning access permissions so that users can only access those resources which are required to accomplish their specific work tasks, you would be in compliance with?
A-Principle of least privilege
C-Need to know
A-(correct) Principle of least privilege; only access the resources required to accomplish specific work tasks
B-(incorrect) Cross training; groups of workers trained on how to perform multiple job roles & periodically switch their role
C-(incorrect) Need to know; feature of MAC environments where data w/in your classification level is compartmentalized and requires specific work task needs in order to gain access to privileges
D-(incorrect) Job rotation; groups of workers trained on how to perform multiple job roles & periodically switch their role
2.4.5 An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone NOT on the list?
A-(incorrect) Explicit deny
B-(correct) Implicit deny; users/groups who are not specifically given access to a resource are denied access; there is an assumed or unstated deny that prevents access to anyone not explicitly on the list
C-(incorrect) Explicit allow
D-(incorrect) Implicit allow
2.4.6 You want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. Which principle should you implement to accomplish this goal?
B-Separation of duties
A-(incorrect) Implicit deny; users or groups who aren't specifically given access to a resource are denied access
B-(correct) Separation of duties; helps prevent insider attacks b/c no one person has end-to-end control and no one person is irreplaceable
C-(incorrect) Job rotation; users are cross-trained in multiple positions; responsibilities are rotated
D-(incorrect) Mandatory vacations; can be used to audit actions
E-(incorrect) Least privilege
2.4.7 You are concerned that an accountant in your organization might have the chance to modify the books and steal from the company. You want to periodically have another person take over all accounting responsibilities to catch any irregularities. Which solution should you implement?
A-Need to know
E-Separation of duties
A-(incorrect) Need to know; describes the restriction of data that is highly sensitive & usually referenced in government and military context
B-(correct) Job rotation; responsibilities and training are rotated
C-(incorrect) Explicit deny; users are specifically prevented from gaining access to a resource
D-(incorrect) Least privilege; users or groups are given only the access they need to do their job & no more
E-(incorrect) Separation of duties; having more than one person required to complete a task
2.4.8 You want to implement an access control list where only the users you specifically authorize have access to the resource. Anyone not on the list should be prevented from having access. Which of the following will the access list use?
A-Explicit allow, explicit deny
B-Implicit allow, implicit deny
C-Implicit allow, explicit deny
D-Explicit allow, implicit deny
A-(incorrect) Explicit allow, explicit deny
B-(incorrect) Implicit allow, implicit deny
C-(incorrect) Implicit allow, explicit deny
D-(correct) Explicit allow, implicit deny; explicit allow in that users who are allowed access are specifically identified; implicit deny will be used, in that other users not explicitly allowed access are denied
2.4.9 Which of the following principles is implemented in a mandatory access control model to determine access to an object using classification levels?
B-Separation of duties
D-Need to know
A-(incorrect) Clearance; classification label that grants user access to a specific security domain in a mandatory access control environment
B-(incorrect) Separation of duties; no single user has sufficient privileges to compromise the security of an entire environment
C-(incorrect) Least privilege
D-(correct) Need to know; used with mandatory access control environments to implement granular control over access to segmented classified data
E-(incorrect) Ownership; access right in a discretionary access control environment where a user has complete control over an object usually b/c they created it
2.4.10 What is the primary purpose of separation of duties?
A-Inform managers that they are not trusted
B-Grant a greater range of control to senior management
C-Increase the difficulty in performing administration
D-Prevent conflicts of interest
A-(incorrect) Inform managers that they are not trusted
B-(incorrect) Grant a greater range of control to senior management; already have control over an organization
C-(incorrect) Increase the difficulty in performing administration
D-(correct) Prevent conflicts of interest; by dividing up admin powers among several trusted admins; prevents a single person from having all privileges over the environment, which would make them a target of attack and a single point of failure
2.4.11 Separation of duties is an example of which type of access control?
A-(incorrect) Compensative; alternatives to primary access controls
B-(incorrect) Detective; search for details about the attack or attacker, like an intrusion detection system (IDS)
C-(incorrect) Corrective; implement short-term repairs to restore basic functionality following an attack
D-(correct) Preventive; deter intrusion or attack, like separation of duties or dual-custody process
2.4.12 Need to know is required to access which types of resources?
D-Resources w/ unique ownership
A-(correct) Compartmentalized resources; w/in any classification level of a MAC environment, data can be compartmentalized & require additional access control clearance of need to know to gain access
B-(incorrect) High-security resources
C-(incorrect) Low-security resources
D-(incorrect) Resources w/ unique ownership