ITS 4210 - Access Control, Authentication, and PKI
Review for First Test
The following questions are provided to help you study for
the first test. Do not expect to see these exact questions on the test.
- The text starts out with the idea that access requires a subject and
an object. What do those words mean, with regard to network resources?
- What is a policy? Give an example of a policy regarding Internet access.
- What does it mean to be an authorized user? How about being an unauthorized
- Explain the difference between authentication and authorization. When
would a person attain each status during a network login process?
- What are the three stages of access control that occur during a login
- How could it make sense to grant a network itself the permissions
needed to use a resource?
- What are the three classic elements or parts that may be found in
two-factor authentication? Is there another part that is sometimes used?
- What is the difference between a threat and a threat agent?
- What is a vulnerability, and how does it relate to the probability
of an exploit being successful?
- What are three kinds of impact a successful exploit might have on
- What is the purpose of most access controls?
- When we calculate the number of possible passwords a user might have,
what are the two numbers we need to know, used in the formula n^r?
- Is the calculation for the number of possible passwords a combination
problem or a permutation problem? Why?
- Passwords are typically not stored in Active Directory in an unencrypted
form. What general encryption method is used to encrypt them?
- How might a rainbow table enable a hacker to determine a user's password?
What might the hacker have to steal or intercept to make this possible?
- In the realm of social engineering, what is shoulder surfing? What
- What is the relationship between the length of a password and the
length of a hash output made from it?
- What is an exposure factor? What do we get if we multiply it by an
- What is a DMZ used for in most network layouts?
- Why should policy authors consider how easy it is for users to comply
with a policy?
- In the US National Security Classification system, what is the difference
between an unclassified document and one that is confidential? What
is the highest security classification?
- How would a document become automatically declassified?
- What are the three possible results of a request for a declassification
- What kind of information is protected by HIPAA?
- In the process of risk assessment, in what order should we consider
assets, exploits, and vulnerabilities?
- What is a mitigation plan? How would it help a potential attacker
to have a copy of yours?
- What does the Safeguards rule of the GLBA require?
- Which law listed in the text requires the communications industry
to provide wiretap access to law enforcement agents when properly ordered
by a court?
- Which law discussed in the text requires controls to keep obscene
or harmful content away from children?
- Put these words in order, from the least specific to the most specific:
Guideline, Policy, Procedure, Standard
- What is the basic purpose of the Computer Fraud and Abuse Act?
- What does the Digital Millennium Copyright Act protect?
- What is fair use? Can anyone make fair use of almost anything?
- The text talks about complying with laws that affect our company.
How might there be a conflict between security concerns and fire codes?
- What should be included in a reasonable policy about visitors to secure
- In the story in the text about a dinner at the White House, what seemed
to be a social engineering aspect? What should security people do as
a reaction to social engineering?
- In the text, a penetration test team added a WAP to a system by accessing
a network cable. What can you propose as controls that would prevent
this from happening?
- How do social engineering scams like phishing lead to compromised
systems or stolen IDs?
- How can our company be at risk from an "unintentional threat"?
- What common value do job rotation and required vacations provide to
- What is an acceptable use policy for, from the perspective of the employer
and from that of an employee?
- What is the value of a security awareness policy? What should it include?