Answers to Questions 11-15

11. Under MAC, which of the following is true?
A. All that is not expressly permitted is forbidden
B. All that is expressly permitted is forbidden
C. All that is not expressly permitted is not forbidden
D. No Answer is Correct

Explanation: MAC is the acronym for Mandatory Access Control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system, decisions are based on the privilege (clearance) of the subject (user) and the sensitivity (classification) of the object (file). It requires labeling. Under MAC, you define who is allowed to access objects, and if you have not defined an access right, access is not permitted. So it is not the case that "all that is expressly permitted is forbidden", nor that "all that is not expressly permitted is not forbidden".

Section 1.1: Access Control; Section 5.5.5: MAC/DAC/RBAC
12. Under MAC, a clearance is a:
A. Privilege
B. Subject
C. Sensitivity
D. Object

Explanation: MAC is the acronym for Mandatory Access Control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system, decisions are based on the privilege (clearance) of the subject (user) and the sensitivity (classification) of the object (file). It requires labeling. In MAC, subjects (such as users) are each assigned a clearance (such as "secret" or "top secret"). Objects (containers for information, such as files) are assigned a sensitivity (a classification, similar to a clearance). When determining whether or not to grant a subject access to an object, the requesting subject's clearance is compared with the sensitivity of the object, and if the clearance is at or higher than the object's sensitivity level, access is granted. Therefore, a clearance functions as a privilege.

Section 1.1: Access Control; Section 5.5.5: MAC/DAC/RBAC
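The decision rule described in questions 11 and 12, as an added example that is not part of the CertiGuide text: a subject's clearance is compared with an object's sensitivity, access is granted only when the clearance is at or above the sensitivity, anything unlabeled is denied (prohibitive, not permissive), and a discretionary ACL can then only remove access, never add it. The level names, the `Subject`/`Obj` classes and the sample users and files are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Ordered classification levels (constructed for this example; real systems
# define their own label set). Higher number = more sensitive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Optional[str]  # None models a subject that was never labeled


@dataclass(frozen=True)
class Obj:
    name: str
    sensitivity: Optional[str]  # None models an object that was never labeled


def mac_read_allowed(subject: Subject, obj: Obj) -> bool:
    """Mandatory check: clearance must be at or above sensitivity.

    Missing or unknown labels are denied, because under MAC everything not
    expressly permitted is forbidden.
    """
    if subject.clearance not in LEVELS or obj.sensitivity not in LEVELS:
        return False
    return LEVELS[subject.clearance] >= LEVELS[obj.sensitivity]


# Discretionary layer: object name -> subjects the owner explicitly permitted.
ACL = Dict[str, Set[str]]


def dac_allowed(acl: ACL, subject: Subject, obj: Obj) -> bool:
    """Discretionary check with the same exclusionary principle: no entry, no access."""
    return subject.name in acl.get(obj.name, set())


def access_allowed(subject: Subject, obj: Obj, acl: ACL) -> bool:
    """MAC is evaluated first; DAC operates only within what MAC already permits."""
    return mac_read_allowed(subject, obj) and dac_allowed(acl, subject, obj)


if __name__ == "__main__":
    alice, bob = Subject("alice", "secret"), Subject("bob", "confidential")
    plan, memo = Obj("plan.txt", "secret"), Obj("memo.txt", "unclassified")
    acl: ACL = {"plan.txt": {"alice"}}  # nobody has been granted memo.txt yet
    for s, o in ((alice, plan), (bob, plan), (alice, memo)):
        print(f"{s.name} -> {o.name}: MAC={mac_read_allowed(s, o)} "
              f"final={access_allowed(s, o, acl)}")
```

Note that `alice` clears `memo.txt` under MAC but is still denied overall because no discretionary grant exists for it; the discretionary layer can only narrow what the mandatory policy allows.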
13. Access controls that are not based on the policy are characterized as:
A. Mandatory controls
B. Discretionary controls
C. Secret controls
D. Corrective controls

Explanation: Access controls that are not based on the policy are characterized as discretionary controls by the U.S. government and as need-to-know controls by other organizations. The latter term connotes least privilege: those who may read an item of data are precisely those whose tasks entail the need. Mandatory controls are based on policy. Secret controls and corrective controls are not related to access control.

Section 1.1: Access Control; Section 5.5.5: MAC/DAC/RBAC
14. DAC are characterized by many organizations as:
A. Preventive controls
B. Mandatory adjustable controls
C. Need-to-know controls
D. No Answer is Correct

Explanation: DAC is the acronym for Discretionary Access Controls. Access controls that are not based on the policy are characterized as discretionary controls by the U.S. government and as need-to-know controls by other organizations. The latter term connotes least privilege: those who may read an item of data are precisely those whose tasks entail the need. Preventive controls and mandatory adjustable controls do not characterize DAC.

Section 1.1: Access Control; Section 5.5.5: MAC/DAC/RBAC
15. A password represents:
A. Something you know
B. Something you have
C. Something you are
D. No Answer is Correct

Explanation: Authentication is accomplished through something you know, something you have, and/or something you are. The canonical example of something you know is a password or pass phrase. You might type or speak the value. A number of schemes are possible for obtaining what you know: it might be assigned to you, or you may have picked the value yourself. Constraints may exist regarding the form the value can take, or the alphabet from which you are allowed to construct the value might be limited to letters only. If you forget the value, you may not be able to authenticate yourself to the system. Something you have would be a physical item you possess, such as a smartcard. Something you are would be a personal characteristic of you, not a piece of information you know.

Section 1.2: Authentication; Section 1.2.4: Username/Password
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.