ITS 421 - Tactical Perimeter Defense

Review for First Test

The following questions are provided to help you study for the first test. Do not expect to see these exact questions on the test.


  1. The text starts out with the idea that access requires a subject and an object. What do those words mean, with regard to network resources?

  2. What is a policy? Give an example of a policy regarding Internet access.

  3. What does it mean to be an authorized user? How about being an unauthorized user?

  4. Explain the difference between authentication and authorization. When would a person attain each status during a network login process?

  5. What are the three stages of access control that occur during a login process?

  6. How could it make sense to grant a network itself the permissions needed to use a resource?

  7. What are the three classic elements or parts that may be found in two-factor authentication? Is there another part that is sometimes used?



  8. What is the difference between a threat and a threat agent?

  9. What is a vulnerability, and how does it relate to the probability of an exploit being successful?

  10. What are three kinds of impact a successful exploit might have on an asset?

  11. What is the purpose of most access controls?

  12. When we calculate the number of possible passwords a user might have, what are the two numbers we need to know, used in the formula n^r?

  13. Is the calculation for the number of possible passwords a combination problem or a permutation problem? Why?

  14. Passwords are typically not stored in Active Directory in an unencrypted form. What general encryption method is used to encrypt them?

  15. How might a rainbow table enable a hacker to determine a user's password? What might the hacker have to steal or intercept to make this possible?

  16. In the realm of social engineering, what is shoulder surfing? What is tailgating?

  17. What is the relationship between the length of a password and the length of a hash output made from it?

  18. What is an exposure factor? What do we get if we multiply it by an asset's value?

  19. What is a DMZ used for in most network layouts?



  20. Why should policy authors consider how easy it is for users to comply with a policy?

  21. In the US National Security Classification system, what is the difference between an unclassified document and one that is confidential? What is the highest security classification?

  22. How would a document become automatically declassified?

  23. What are the three possible results of a request for a declassification review?

  24. What kind of information is protected by HIPAA?

  25. In the process of risk assessment, in what order should we consider assets, exploits, and vulnerabilities?

  26. What is a mitigation plan? How would it help a potential attacker to have a copy of yours?

  27. What does the Safeguards rule of the GLBA require?

  28. Which law listed in the text requires the communications industry to provide wiretap access to law enforcement agents when properly ordered by a court?

  29. Which law discussed in the text requires controls to keep obscene or harmful content away from children?

  30. Put these words in order, from the least specific to the most specific: Guideline, Policy, Procedure, Standard