ITS 421 - Tactical Perimeter Defense
Review for First Test
The following questions are provided to help you study for
the first test. Do not expect to see these exact questions on the test.
- The text starts out with the idea that access requires a subject and
an object. What do those words mean, with regard to network resources?
- What is a policy? Give an example of a policy regarding Internet access.
- What does it mean to be an authorized user? How about being an unauthorized
- Explain the difference between authentication and authorization. When
would a person attain each status during a network login process?
- What are the three stages of access control that occur during a login
- How could it make sense to authorize a network itself the permissions
needed to use a resource?
- What are the three classic elements or parts that may be found in
two factor authentication? Is there another part that is sometimes used?
- What is the difference between a threat and a threat agent?
- What is a vulnerability, and how does it relate to the probability
of an exploit being successful?
- What are three kinds of impact a successful exploit might have on
- What is the purpose of most access controls?
- When we calculate the number of possible passwords a user might have,
what are the two numbers we need to know, used in the formula $n^r$?
- Is the calculation for the number of possible passwords a combination
problem or a permutation problem? Why?
- Passwords are typically not stored in Active Directory in an unencrypted
form. What general encryption method is used to encrypt them?
- How might a rainbow table enable a hacker to determine a user's password?
What might the hacker have to steal or intercept to make this possible?
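The two password questions above (the size of the password space and the way a precomputed hash table recovers a password from a stolen hash) can be worked through in a few lines. This is an added Python example, not material from the course text; it uses SHA-256 as a stand-in for whatever hash a real directory service uses, a constructed four-word candidate list in place of a real rainbow table, and a per-user random salt as the defensive measure that keeps a precomputed table from matching:

```python
import hashlib
import os


def password_space(n, r):
    """Number of possible passwords of length r drawn from an alphabet of n
    symbols. Order matters and symbols may repeat, so this is an ordered
    selection with replacement: n ** r, not a combination C(n, r)."""
    return n ** r


def unsalted_hash(password):
    # Hash of the password alone: the same password always gives the same
    # digest, so a table built in advance can be reused against every account.
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt):
    # Hash of a per-user random salt plus the password: a table built without
    # that salt cannot contain this digest.
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed candidate list standing in for a precomputed table (assumption:
# a real rainbow table compresses such a mapping into hash chains, but the
# lookup idea is the same).
CANDIDATES = ["password", "letmein", "qwerty", "summer2024"]


def build_lookup_table(candidates):
    """Precompute digest -> plaintext for every candidate password."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table, stolen_digest):
    """Return the plaintext if the stolen digest is in the table, else None."""
    return table.get(stolen_digest)


def demo():
    """Compare an unsalted and a salted digest of the same weak password.

    Returns (result_for_unsalted, result_for_salted); with a random 16-byte
    salt the second is None, because the table was built without that salt.
    """
    table = build_lookup_table(CANDIDATES)
    stolen_unsalted = unsalted_hash("letmein")
    salt = os.urandom(16)
    stolen_salted = salted_hash("letmein", salt)
    return lookup(table, stolen_unsalted), lookup(table, stolen_salted)


if __name__ == "__main__":
    print("4-char lowercase passwords:", password_space(26, 4))
    print("8-char full-keyboard passwords:", password_space(95, 8))
    print("lookup (unsalted, salted):", demo())
```

The `password_space` helper makes the combination-versus-permutation point concrete: `n ** r` counts every ordered string, so "abcd" and "dcba" are different passwords, which is why the count is not a combination. The `demo` function shows what the attacker needs (the stored digest) and why salting, not hash secrecy alone, is the mitigation against precomputed tables.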
- In the realm of social engineering, what is shoulder surfing? What
- What is the relationship between the length of a password and the
length of a hash output made from it?
- What is an exposure factor? What do we get if we multiply it by an
- What is a DMZ used for in most network layouts?
- Why should policy authors consider how easy it is for users to comply
with a policy?
- In the US National Security Classification system, what is the difference
between an unclassified document and one that is confidential? What
is the highest security classification?
- How would a document become automatically declassified?
- What are the three possible results of a request for a declassification
- What kind of information is protected by HIPAA?
- In the process of risk assessment, in what order should we consider
assets, exploits, and vulnerabilities?
- What is a mitigation plan? How would it help a potential attacker
to have a copy of yours?
- What does the Safeguards rule of the GLBA require?
- Which law listed in the text requires the communications industry
to provide wiretap access to law enforcement agents when properly ordered
by a court?
- Which law discussed in the text requires controls to keep obscene
or harmful content away from children?
- Put these words in order, from the least specific to the most specific:
Guideline, Policy, Procedure, Standard