ITS 4210 - Access Control, Authentication, and PKI

Review for First Test

The following questions are provided to help you study for the first test. Do not expect to see these exact questions on the test.

  1. The text starts out with the idea that access requires a subject and an object. What do those words mean, with regard to network resources?

  2. What is a policy? Give an example of a policy regarding Internet access.

  3. What does it mean to be an authorized user? How about being an unauthorized user?

  4. Explain the difference between authentication and authorization. When would a person attain each status during a network login process?

  5. What are the three stages of access control that occur during a login process?

  6. How could it make sense to grant a network itself the permissions needed to use a resource?

  7. What are the three classic elements or parts that may be found in two-factor authentication? Is there another part that is sometimes used?

  8. What is the difference between a threat and a threat agent?

  9. What is a vulnerability, and how does it relate to the probability of an exploit being successful?

  10. What are three kinds of impact a successful exploit might have on an asset?

  11. What is the purpose of most access controls?

  12. When we calculate the number of possible passwords a user might have, what are the two numbers we need to know, used in the formula n^r?

  13. Is the calculation for the number of possible passwords a combination problem or a permutation problem? Why?

  14. Passwords are typically not stored in Active Directory in an unencrypted form. What general encryption method is used to encrypt them?

  15. How might a rainbow table enable a hacker to determine a user's password? What might the hacker have to steal or intercept to make this possible?

  16. In the realm of social engineering, what is shoulder surfing? What is tailgating?

  17. What is the relationship between the length of a password and the length of a hash output made from it?

  18. What is an exposure factor? What do we get if we multiply it by an asset's value?

  19. What is a DMZ used for in most network layouts?

  20. Why should policy authors consider how easy it is for users to comply with a policy?

  21. In the US National Security Classification system, what is the difference between an unclassified document and one that is confidential? What is the highest security classification?

  22. How would a document become automatically declassified?

  23. What are the three possible results of a request for a declassification review?

  24. What kind of information is protected by HIPAA?

  25. In the process of risk assessment, in what order should we consider assets, exploits, and vulnerabilities?

  26. What is a mitigation plan? How would it help a potential attacker to have a copy of yours?

  27. What does the Safeguards rule of the GLBA require?

  28. Which law listed in the text requires the communications industry to provide wiretap access to law enforcement agents when properly ordered by a court?

  29. Which law discussed in the text requires controls to keep obscene or harmful content away from children?

  30. Put these words in order, from the least specific to the most specific: Guideline, Policy, Procedure, Standard

  31. What is the basic purpose of the Computer Fraud and Abuse Act?

  32. What does the Digital Millennium Copyright Act protect?

  33. What is fair use? Can anyone make fair use of almost anything?

  34. The text talks about complying with laws that affect our company. How might there be a conflict between security concerns and fire codes?

  35. What should be included in a reasonable policy about visitors to secure data centers?

  36. In the story in the text about a dinner at the White House, what seemed to be a social engineering aspect? What should security people do as a reaction to social engineering?

  37. In the text, a penetration test team added a WAP to a system by accessing a network cable. What can you propose as controls that would prevent this from happening?

  38. How do social engineering scams like phishing lead to compromised systems or stolen IDs?

  39. How can our company be at risk from an "unintentional threat"?

  40. What common value do job rotation and required vacations provide to an organization?

  41. What is an acceptable use policy for, from the perspective of the employer and from that of an employee?

  42. What is the value of a security awareness policy? What should it include?