
d. Applying security attributes to metadata

62. a. One-way flows are implemented with hardware mechanisms that control the direction of information flow within a system and between interconnected systems. They enforce direction only; they cannot inspect the content, so they cannot detect unsanctioned information.

The other three choices do detect unsanctioned information and prohibit the transfer, with actions such as checking all transferred information for malware, running dirty-word-list searches on transferred information, and applying security attributes to metadata in the same way they are applied to information payloads.

63. Which of the following binds security attributes to information to facilitate information flow policy enforcement?

a. Security labels

b. Resolution labels

c. Header labels

d. File labels

63. b. Means to bind security attributes to information and enforce the information flow policy include resolution labels, which distinguish between information systems and their specific components, and between the individuals involved in preparing, sending, receiving, or disseminating the information. The other three types of labels do not bind security attributes to information.

64. Which of the following access enforcement mechanisms provides increased information security for an organization?

a. Access control lists

b. Business application system

c. Access control matrices

d. Cryptography

64. b. Normal access enforcement mechanisms include access control lists, access control matrices, and cryptography. Increased information security is provided at the business application system level (e.g., accounting and marketing systems) because those applications add their own password and PIN checks on top of the system-level controls.

65. What do architectural security solutions to enforce security policies about information on interconnected systems include?

1. Implementing access-only mechanisms

2. Implementing one-way transfer mechanisms

3. Employing hardware mechanisms to provide unitary flow directions

4. Implementing regrading mechanisms to reassign security attributes

a. 1 only

b. 2 only

c. 3 only

d. 1, 2, 3, and 4

65. d. Specific architectural security solutions can reduce the potential for undiscovered vulnerabilities. These solutions include all four items mentioned.

66. From an access control point of view, separation of duty is of two types: static and dynamic. Which of the following are examples of static separation of duties?

1. Role-based access control

2. Workflow policy

3. Rule-based access control

4. Chinese Wall policy

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

66. b. Static separation of duty constraints require that two roles be mutually exclusive, because no user should hold the privileges of both roles; the constraint is applied when roles are assigned, before any access takes place. Both role-based and rule-based access controls are examples of static separation of duty.

Dynamic separation of duty is enforced at access time, and the decision to grant access refers to the past access history. Examples of dynamic separation of duty include workflow policy and the Chinese Wall policy.

67. In biometrics-based identification and authentication techniques, which of the following statements are true about biometric errors?

1. High false rejection rate is preferred.

2. Low false acceptance rate is preferred.

3. High crossover error rate represents low accuracy.

4. Low crossover error rate represents low accuracy.

a. 1 and 3

b. 1 and 4

c. 2 and 3

d. 2 and 4

67. c. The goal for biometrics-based identification and authentication is to obtain low numbers for both the false rejection rate (FRR) and the false acceptance rate (FAR). A low crossover error rate (CER), the point at which FAR and FRR are equal, is also the goal because it represents high accuracy; a high CER represents low accuracy. Choices 1 and 4 state the opposite.
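The FAR/FRR trade-off and the crossover point, as an added example that is not part of the original study guide. The similarity scores for a "good" and a "weak" matcher are constructed for illustration; the threshold sweep shows that tightening the threshold lowers FAR while raising FRR, and that the matcher with more overlap between genuine and impostor scores ends up with the higher (worse) CER.

```python
"""Biometric error rates: FAR, FRR and the crossover error rate (CER).

Added example, not from the original study guide. The score samples are
constructed to illustrate the trade-off; they are not real sensor output.
A matcher accepts a sample when its similarity score is >= the threshold.
"""

# Constructed similarity scores (0-100) for a reasonably good matcher.
GENUINE_SCORES = [82, 85, 88, 90, 91, 93, 94, 95, 96, 97,
                  98, 99, 74, 79, 86, 89, 92, 95, 97, 99]
IMPOSTOR_SCORES = [10, 15, 20, 25, 30, 35, 40, 45, 50, 55,
                   60, 65, 70, 75, 80, 84, 12, 33, 48, 77]

# Constructed scores for a weaker matcher whose distributions overlap more.
WEAK_GENUINE = [60, 65, 70, 72, 75, 78, 80, 82, 85, 88]
WEAK_IMPOSTOR = [40, 50, 55, 62, 68, 71, 74, 79, 83, 90]


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) at a given acceptance threshold.

    FAR: fraction of impostor attempts wrongly accepted (score >= threshold).
    FRR: fraction of genuine attempts wrongly rejected (score < threshold).
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Sweep the threshold and return (threshold, CER).

    The CER (also called the equal error rate) is the error rate at the
    threshold where FAR and FRR are closest; a lower CER means a more
    accurate matcher.
    """
    best = None
    for t in range(0, 101):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    for t in (50, 80, 95):
        far, frr = error_rates(t)
        print(f"threshold {t:>3}: FAR={far:.2f} FRR={frr:.2f}")
    print("good matcher CER:", crossover_error_rate())
    print("weak matcher CER:", crossover_error_rate(WEAK_GENUINE, WEAK_IMPOSTOR))
```

Operators normally tune the threshold away from the crossover point depending on which error is more costly (a door to a server room favours a low FAR, a consumer phone unlock favours a low FRR); the CER is still the usual single number for comparing matchers.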

68. For password management, user-selected passwords generally contain which of the following?

1. Less entropy

2. Easier for users to remember

3. Weaker passwords

4. Easier for attackers to guess

a. 2 only

b. 2 and 3

c. 2, 3, and 4

d. 1, 2, 3, and 4

68. d. User-selected passwords generally contain less entropy, are easier for users to remember, are weaker, and at the same time are easier for attackers to guess or crack.
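Why the four properties go together, as an added example that is not part of the original study guide: a small rule-based guesser (constructed word list and mangling rules, far smaller than a real cracker's) finds typical user-chosen passwords after a few dozen guesses, which is only a handful of bits of effective entropy, while a system-generated password of the same length drawn from the full printable alphabet has a keyspace of tens of bits and is not on any such list.

```python
"""User-selected vs. system-generated passwords: guessability and entropy.

Added example, not from the original study guide. The word list, the
mangling rules and the sample passwords are constructed; real cracking
rule sets and dictionaries are orders of magnitude larger.
"""
import math
import secrets
import string

# Constructed attacker dictionary: the words tried first.
WORDLIST = ["password", "welcome", "summer", "dragon", "monkey", "letmein"]
# Constructed mangling rules modelled on what rule-based crackers apply.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ["", "1", "123", "!", "2024", "!1"]

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def candidate_guesses():
    """Yield guesses in cracker order: each word plain, capitalised, leet, both; then each suffix."""
    for word in WORDLIST:
        for base in (word, word.capitalize(),
                     word.translate(LEET), word.capitalize().translate(LEET)):
            for suffix in SUFFIXES:
                yield base + suffix


def guesses_needed(password):
    """How many rule-based guesses it takes to hit `password`, or None if the list misses it."""
    for n, guess in enumerate(candidate_guesses(), start=1):
        if guess == password:
            return n
    return None


def guess_entropy_bits(password):
    """Effective entropy of a user-chosen password against this attacker: log2 of guesses needed."""
    n = guesses_needed(password)
    return None if n is None else math.log2(n)


def keyspace_entropy_bits(length, alphabet=FULL_ALPHABET):
    """Entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def generate_password(length=12, alphabet=FULL_ALPHABET):
    """System-generated password drawn uniformly from `alphabet` with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("Summer2024", "p@$$w0rd!"):          # constructed user-chosen passwords
        print(f"{pw!r}: cracked at guess {guesses_needed(pw)}, "
              f"~{guess_entropy_bits(pw):.1f} bits against this attacker")
    pw = generate_password()
    print(f"{pw!r}: survives the rule list -> {guesses_needed(pw)}, "
          f"{keyspace_entropy_bits(len(pw)):.1f} bits of keyspace")
```

The keyspace figure only applies to passwords that really are drawn uniformly at random; a user who "randomly" picks a word and a year is drawing from the guesser's distribution, not from the 94-symbol alphabet, which is exactly why the memorability of user-chosen passwords and their weakness are the same property seen from two sides.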

69. As a part of centralized password management solution, which of the following architectures for single sign-on technology becomes a single point-of-failure?

a. Kerberos authentication service

b. Lightweight directory access protocol

c. Domain passwords

d. Centralized authentication server

69. d. A common architecture for single sign-on (SSO) is to have an authentication service, such as Kerberos, for authenticating SSO users, and a database or directory service such as lightweight directory access protocol (LDAP) that stores authentication information for the resources the SSO handles authentication for. By definition, the SSO technology uses a password, and an SSO solution usually includes one or more centralized servers containing authentication credentials for many users. Such a server becomes a single point-of-failure for authentication to many resources, so the availability of the server affects the availability of all the resources that rely on that server.

70. If proper mutual authentication is not performed, what is the single sign-on technology vulnerable to?

a. Man-in-the-middle attack

b. Replay attack

c. Social engineering attack

d. Phishing attack

70. a. User authentication to the single sign-on (SSO) technology is important. If proper mutual authentication is not performed, the SSO technology using passwords is vulnerable to a man-in-the-middle (MitM) attack, because the user proves identity to a party that has never proven it is the real SSO server. The other three attacks do not depend on the missing mutual authentication: social engineering and phishing attacks trick the user into disclosing the password directly, and a replay attack reuses a captured authentication exchange.
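The two exchanges side by side, as an added example that is not part of the original study guide (the SSO server, the fake server and the credential store are constructed stand-ins, and the protocol is a plain HMAC challenge-response rather than Kerberos). With one-way login the client hands its password to whatever answers on the SSO address, so a fake server harvests it. With mutual authentication the server must first prove it holds the shared key; the fake server cannot, and the client aborts before revealing anything.

```python
"""One-way password login vs. mutual challenge-response against a fake SSO server.

Added example, not from the original study guide. The SSO server, the
fake (man-in-the-middle) server and the credential store are constructed
stand-ins; the protocol is a plain HMAC challenge-response, not Kerberos.
"""
import hashlib
import hmac
import secrets

SALT = b"constructed-salt"   # a real deployment stores a random salt per user


def derive_key(password: str) -> bytes:
    """Client and server derive the same shared key from the password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 50_000)


# Constructed credential store: the real server keeps derived keys, never clear-text passwords.
USER_KEYS = {"alice": derive_key("correct horse battery staple")}


class RealServer:
    """Legitimate SSO server: proves knowledge of the shared key before asking the client to."""

    def __init__(self, keys):
        self.keys = keys
        self.pending = {}

    def login(self, username, password):                       # one-way: password arrives in clear
        return hmac.compare_digest(derive_key(password), self.keys.get(username, b""))

    def respond(self, username, client_nonce):                 # mutual step 1: server proof
        server_nonce = secrets.token_bytes(16)
        self.pending[username] = (client_nonce, server_nonce)
        proof = hmac.new(self.keys[username], b"server" + client_nonce + server_nonce, "sha256").digest()
        return server_nonce, proof

    def verify(self, username, client_proof):                  # mutual step 2: check client proof
        client_nonce, server_nonce = self.pending.pop(username)
        expected = hmac.new(self.keys[username], b"client" + server_nonce + client_nonce, "sha256").digest()
        return hmac.compare_digest(expected, client_proof)


class FakeServer:
    """Man-in-the-middle impersonating the SSO server: holds no keys, records what it receives."""

    def __init__(self):
        self.captured = []

    def login(self, username, password):
        self.captured.append((username, password))            # harvests the clear-text password
        return True                                            # and pretends the login worked

    def respond(self, username, client_nonce):
        return secrets.token_bytes(16), secrets.token_bytes(32)   # cannot compute a valid proof

    def verify(self, username, client_proof):
        self.captured.append((username, client_proof))
        return True


def one_way_login(server, username, password):
    """Client authenticates to whatever claims to be the server; nothing checks the server first."""
    return server.login(username, password)


def mutual_login(server, username, password):
    """Client sends its proof only after the server has proven it holds the shared key.

    Returns "ok", "server-failed" (aborted before the client revealed anything) or
    "client-rejected".
    """
    key = derive_key(password)
    client_nonce = secrets.token_bytes(16)
    server_nonce, server_proof = server.respond(username, client_nonce)
    expected = hmac.new(key, b"server" + client_nonce + server_nonce, "sha256").digest()
    if not hmac.compare_digest(expected, server_proof):
        return "server-failed"
    client_proof = hmac.new(key, b"client" + server_nonce + client_nonce, "sha256").digest()
    return "ok" if server.verify(username, client_proof) else "client-rejected"


if __name__ == "__main__":
    mitm = FakeServer()
    one_way_login(mitm, "alice", "correct horse battery staple")
    print("one-way login, fake server captured:", mitm.captured)
    mitm = FakeServer()
    print("mutual login, fake server:", mutual_login(mitm, "alice", "correct horse battery staple"),
          "captured:", mitm.captured)
    print("mutual login, real server:", mutual_login(RealServer(USER_KEYS), "alice", "correct horse battery staple"))
```

The nonces make each proof single-use, which is what defeats replay; what defeats the impersonating server is that the client checks the server's proof before sending its own. A relaying attacker sitting between the client and the real server can still forward both proofs, so in practice the exchange is also bound to the transport (TLS with server certificate validation, or channel binding) rather than relying on the shared key alone.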

71. From an access control point of view, separation of duty is of two types: static and dynamic. Which of the following are examples of dynamic separation of duties?

1. Two-person rule

2. History-based separation of duty

3. Design-time

4. Run-time

a. 1 and 2

b. 1 and 3

c. 2 and 4

d. 3 and 4

71. a. The two-person rule states that the first user can be any authorized user, but the second user must be a different authorized user from the first. History-based separation of duty regulates that the same subject (role or user) cannot access the same object (program or device) more than a variable number of times; both decisions depend on what has already happened, which is what makes them dynamic. Design-time and run-time are the two phases of the workflow policy, not types of separation of duty.
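The distinction drawn in questions 66 and 71, as one added example that is not part of the original study guide: a small RBAC engine where static separation of duty is decided when roles are assigned (mutually exclusive roles), while the two-person rule, history-based separation of duty and the Chinese Wall are decided at access time from the user's own history. Roles, users, objects and the access history are constructed.

```python
"""Static vs. dynamic separation of duty (SoD) in a small RBAC engine.

Added example, not from the original study guide; it serves both the
static/dynamic question (66) and the dynamic-examples question (71).
Roles, users, objects and the access history are constructed.
"""
from collections import defaultdict


class AccessDenied(Exception):
    pass


def denied(fn, *args):
    """True if calling fn(*args) is refused by an SoD rule (handy for checks)."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True


class SoDEngine:
    def __init__(self):
        self.roles = defaultdict(set)        # user -> roles, fixed at design time
        self.exclusions = set()              # mutually exclusive role pairs (static SoD)
        self.history = defaultdict(list)     # user -> objects touched (run time)
        self.max_accesses = {}               # object -> per-user access limit (history-based SoD)
        self.approvals = defaultdict(set)    # object -> approvers so far (two-person rule)
        self.wall = defaultdict(dict)        # user -> {conflict class: company} (Chinese Wall)

    # -- static SoD: decided when roles are assigned, before any access happens --
    def exclude(self, role_a, role_b):
        self.exclusions.add(frozenset((role_a, role_b)))

    def assign_role(self, user, role):
        for held in self.roles[user]:
            if frozenset((held, role)) in self.exclusions:
                raise AccessDenied(f"{user} may not hold both {held} and {role}")
        self.roles[user].add(role)

    # -- dynamic SoD: decided at access time from what this user did before --
    def access(self, user, obj):
        """History-based SoD: the same subject may not touch the same object more than N times."""
        limit = self.max_accesses.get(obj)
        prior = self.history[user].count(obj)
        if limit is not None and prior >= limit:
            raise AccessDenied(f"{user} already accessed {obj} {prior} times")
        self.history[user].append(obj)

    def approve(self, user, obj):
        """Two-person rule: any authorised user may approve first, a *different* one must be second."""
        if "approver" not in self.roles[user]:
            raise AccessDenied(f"{user} is not an approver")
        if user in self.approvals[obj]:
            raise AccessDenied(f"{user} has already approved {obj}")
        self.approvals[obj].add(user)
        return len(self.approvals[obj]) >= 2       # True once two distinct users have signed

    def wall_access(self, user, company, conflict_class):
        """Chinese Wall: after touching one company's data in a conflict class,
        the user is locked out of every competitor in that class."""
        chosen = self.wall[user].get(conflict_class)
        if chosen is not None and chosen != company:
            raise AccessDenied(f"{user} already works on {chosen} in class {conflict_class}")
        self.wall[user][conflict_class] = company
        return True


if __name__ == "__main__":
    e = SoDEngine()
    e.exclude("requester", "approver")            # static: one person cannot request and approve
    e.assign_role("bob", "requester")
    print("bob also approver?", "denied" if denied(e.assign_role, "bob", "approver") else "allowed")
    for u in ("carol", "dave"):
        e.assign_role(u, "approver")
    print("PO-1 released after carol:", e.approve("carol", "PO-1"), "after dave:", e.approve("dave", "PO-1"))
    e.max_accesses["signing-key"] = 2
    e.access("bob", "signing-key"); e.access("bob", "signing-key")
    print("third use of signing-key:", "denied" if denied(e.access, "bob", "signing-key") else "allowed")
    e.wall_access("bob", "Acme", "banking")
    print("bob on Globex (same class):", "denied" if denied(e.wall_access, "bob", "Globex", "banking") else "allowed")
```

Note the difference in where the state lives: the static rule needs only the role assignment table and can be audited offline, whereas the three dynamic rules need a reliable, tamper-resistant record of past accesses, which is why audit logging is a prerequisite for enforcing them.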