Computer Security Principles And Practice 3rd Edition by Stallings - Test Bank
Chapter 4 – Access Control
TRUE/FALSE QUESTIONS:
T F 1. Access control is the central element of computer security.
T F 2. The authentication function determines who is trusted for a given purpose.
T F 3. An auditing function monitors and keeps a record of user accesses to system resources.
T F 4. External devices such as firewalls cannot provide access control services.
T F 5. The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.
T F 6. Security labels indicate which system entities are eligible to access certain resources.
T F 7. Reliable input is an access control requirement.
T F 8. A user may belong to multiple groups.
T F 9. An access right describes the way in which a subject may access an object.
T F 10. The default set of rights should always follow the rule of least privilege or read-only access.
T F 11. A user program executes in a kernel mode in which certain areas of memory are protected from the user’s use and certain instructions may not be executed.
T F 12. Any program that is owned by, and SetUID to, the “superuser” potentially grants unrestricted access to the system to any user executing that program.
T F 13. Traditional RBAC systems define the access rights of individual users and groups of users.
T F 14. A constraint is a defined relationship among roles or a condition related to roles.
T F 15. An ABAC model can define authorizations that express conditions on properties of both the resource and the subject.
MULTIPLE CHOICE QUESTIONS:
1. __________ implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance.
A. Audit control B. Resource control
C. System control D. Access control
2. __________ is verification that the credentials of a user or other system entity are valid.
A. Adequacy B. Authentication
C. Authorization D. Audit
3. _________ is the granting of a right or permission to a system entity to access a system resource.
A. Authorization B. Authentication
C. Control D. Monitoring
4. __________ is the traditional method of implementing access control.
A. MAC B. RBAC
C. DAC D. MBAC
5. __________ controls access based on comparing security labels with security clearances.
A. MAC B. DAC
C. RBAC D. MBAC
6. A concept that evolved out of requirements for military information security is ______ .
A. reliable input B. mandatory access control
C. open and closed policies D. discretionary input
7. A __________ is an entity capable of accessing objects.
A. group B. object
C. subject D. owner
8. A(n) __________ is a resource to which access is controlled.
A. object B. owner
C. world D. subject
9. The final permission bit is the _________ bit.
A. superuser B. kernel
C. set user D. sticky
10. __________ is based on the roles the users assume in a system rather than the user’s identity.
A. DAC B. RBAC
C. MAC D. URAC
11. A __________ is a named job function within the organization that controls this computer system.
A. user B. role
C. permission D. session
12. __________ provide a means of adapting RBAC to the specifics of administrative and security policies in an organization.
A. Constraints B. Mutually Exclusive Roles
C. Cardinality D. Prerequisites
13. __________ refers to setting a maximum number with respect to roles.
A. Cardinality B. Prerequisite
C. Exclusive D. Hierarchy
14. Subject attributes, object attributes and environment attributes are the three types of attributes in the __________ model.
A. DSD B. RBAC
C. ABAC D. SSD
15. The __________ component deals with the management and control of the ways entities are granted access to resources.
A. resource management B. access management