Identification and authentication are the keystones of most access control systems. Identification establishes:
Correct Answer: A
Section: Access Control Explanation/Reference: Identification and authentication are the keystones of most access control systems. Identification establishes user accountability for the actions on the system. The control environment can be established to log activity regarding the identification, authentication, authorization, and use of privileges on a system. This can be used to detect the occurrence of errors, the attempts to perform an unauthorized action, or to validate when provided credentials were exercised. The logging system as a detective device provides evidence of actions (both successful and unsuccessful) and tasks that were executed by authorized users. Once a person has been identified through the user ID or a similar value, she must be authenticated, which means she must prove she is who she says she is. Three general factors can be used for authentication: something a person knows, something a person has, and something a person is. They are also commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic. For a user to be able to access a resource, he first must prove he is who he claims to be, has the necessary credentials, and has been given the necessary rights or privileges to perform the actions he is requesting. Once these steps are completed successfully, the user can access and use network resources; however, it is necessary to track the user's activities and enforce accountability for his actions. Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number. To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token. These two credential items are compared to information that has been previously stored for this subject. If these credentials match the stored information, the subject is authenticated. But we are not done yet. Once the subject provides its credentials and is properly identified, the system it is trying to access needs to determine if this subject has been given the necessary rights and privileges to carry out the requested actions. The system will look at some type of access control matrix or compare security labels to verify that this subject may indeed access the requested resource and perform the actions it is attempting. If the system determines that the subject may access the resource, it authorizes the subject. Although identification, authentication, authorization, and accountability have close and complementary definitions, each has distinct functions that fulfill a specific requirement in the process of access control. A user may be properly identified and authenticated to the network, but he may not have the authorization to access the files on the file server. On the other hand, a user may be authorized to access the files on the file server, but until she is properly identified and authenticated, those resources are out of reach. Reference(s) used for this question: Schneiter, Andrew (2013-04-15). Official (ISC)2 Guide to the CISSP CBK, Third Edition: Access Control ((ISC) 2 Press) (Kindle Locations 889-892). Auerbach Publications. Kindle Edition. and Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3875-3878). McGraw- Hill. Kindle Edition. and Harris, Shon (2012-10-25). CISSP All-in-One Exam Guide, 6th Edition (Kindle Locations 3833-3848). McGraw- Hill. Kindle Edition. and Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.
Question 828
Which of the following are not Remote Access concerns?
Correct Answer: D
Access badges are more relevant to physical security rather than remote access. "Justification for remote access" is incorrect. Justification for remote access is a relevant concern. "Auditing of activities" is incorrect. Auditing of activites is an imporant aspect to assure that malicious or unauthorized activities are not occuring. "Regular review of access privileges" is incorrect. Regular review of remote accept privileges is an important management responsibility. References: AIO3, pp. 547 - 548
Question 829
What is the act of obtaining information of a higher sensitivity by combining information from lower levels of sensitivity?
Correct Answer: C
Section: Security Operation Adimnistration Explanation/Reference: Aggregation is the act of obtaining information of a higher sensitivity by combining information from lower levels of sensitivity. The incorrect answers are: Polyinstantiation is the development of a detailed version of an object from another object using different values in the new object. Inference is the ability of users to infer or deduce information about data at sensitivity levels for which they do not have access privilege. Data mining refers to searching through a data warehouse for data correlations. Sources: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 7: Applications and Systems Development (page 261). KRUTZ, Ronald & VINES, Russel, The CISSP Prep Guide: Gold Edition, Wiley Publishing Inc., 2003, Chapter 7: Database Security Issues (page 358).
Question 830
Define the acronym RBAC
Correct Answer: D
Question 831
The three classic ways of authenticating yourself to the computer security software are: something you know, something you have, and something:
Correct Answer: C
Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.