Answers to Questions 1-5

1. Covert channel is a communication channel that can be used for:
A. Violating the security policy
B. Strengthening the security policy
C. Hardening the system
D. Protecting the DMZ

Explanation: Covert channels: indirect ways for transmitting information with no explicit reading of confidential information. In other words, the communication is out in plain view, but "invisible" to those who don't know how to look for it. This kind of difficulty has induced some researchers to rethink from scratch the whole problem of guaranteeing security in computer systems. Some obscure techniques which can be utilized to create covert channels include hiding messages using the first letters of each word in a longer communication, blinking eyes in "Morse code" during a conversation, etc. Even something as mundane as some of the "signals" used by a baseball team, if non-obvious enough, could be considered a covert channel. Covert channels are not a way to strengthen the security policy of an organization, hardening the system or protecting the DMZ -- they are a security risk, not a security-enhancing technique.

See Section 1.4.2: Backdoors

2. Enforcing minimum privileges for general system users can be easily achieved through the use of:
A. RBAC
B. PRVMIN
C. TSTEC
D. IPSEC

Explanation: Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges couldn't be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC (role based access control), enforced minimum privileges for general system users can be easily achieved.

See Section 1.1: Access Control and Section 5.5: Privilege Management

3. Which of the following services should be logged for security purposes?
A. bootp
B. tftp
C. sunrpc
D. No Answer is Correct

Explanation: Requests for the following services should be logged on all systems: systat, bootp, tftp, sunrpc, snmp, snmp-trap, nfs. This list is rather UNIX-centric; nevertheless, it's possible for many of those services to be running on Windows as well (if you're running them, log them!).

See Section 1.7: Auditing and Section 5.9.4: Logs and Inventories

4. All logs are kept on archive for a period of time. What determines this period of time?
A. Retention policies
B. Administrator preferences
C. MTTF
D. MTTR

Explanation: All logs collected are used in the active and passive monitoring process. All logs are kept on archive for a period of time, called a retention period. This period of time will be determined by your company policies. This allows the use of logs for regular audits, and annual audits if retention is longer than a year. Logs must be secured to prevent modification, deletion, and destruction. Administrator preference is often used to determine certain things like how long logs are retained ... but since these decisions can affect the ability of the company to go back and research potential security issues, it is a corporate issue that should be governed by a deliberate policy statement. MTTF and MTTR are not relevant to setting the time for which logs will be retained. MTTF (Mean Time To Failure, sometimes called MTBF, Mean Time Before Failure) is related to the average amount of time a piece of equipment will be in service before it fails. MTTR (Mean Time To Repair) is a measure of how long it will take to repair the equipment when it fails.

See Section 1.7: Auditing and Section 5.9.4: Logs and Inventories

5. With RBAC, roles are:
A. All equal
B. Based on labels
C. Based on flows
D. Hierarchical

Explanation: With RBAC (role-based access control), security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Roles can be hierarchical. Roles are not all equal. The point of RBAC is that different roles can be assigned different security privileges. Labels (such as secret, top secret, etc.) are more usually associated with MAC (Mandatory Access Control). RBAC roles are not typically determined by information flows.

See Section 1.1: Access Control and Section 5.5.5: MAC/DAC/RBAC

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.