CCNA Cyber Ops FAQ: Introduction to Access Controls


Q1. What entity requests access to a resource?
A. Object
B. Subject
C. File
D. Database

Answer: B. A subject is the active entity that requests access to a resource.

Q2. In which phase of the access control does a user need to prove his or her identity?
A. Identification
B. Authentication
C. Authorization
D. Accounting

Answer: B. Authentication is the process of proving one’s identity.

Q3. Which of the following authentication methods can be considered examples of authentication by knowledge? (Select all that apply.)
A. Password
B. Token
C. PIN
D. Fingerprint

Answer: A and C. Password and PIN code are examples of authentication by knowledge.

Q4. When a biometric authentication system rejects a valid user, which type of error is generated?
A. True positive
B. False positive
C. False rejection
D. Crossover error

Answer: C. False rejection rate (FRR) refers to when the system rejects a valid user that should have been authenticated.

Q5. In military and governmental organizations, what is the classification for an asset that, if compromised, would cause severe damage to the organization?
A. Top Secret
B. Secret
C. Confidential
D. Unclassified

Answer: B. In military classification, the Secret label is usually associated with severe damage to the organization.

Q6. What is a common way to protect “data at rest”?
A. Encryption
B. Transport Layer Security
C. Fingerprint
D. IPSec

Answer: A. Encryption and storage media access controls are commonly used to protect data at rest.

Q7. Who is ultimately responsible for security control of an asset?
A. Senior management
B. Data custodian
C. User
D. System administrator

Answer: A. The asset owner and senior management are ultimately responsible for the security of the assets.

Q8. Which types of access control are used to protect an asset before a breach occurs? (Select all that apply.)
A. Preventive
B. Deterrent
C. Corrective
D. Recovery

Answer: A and B. Preventive and Deterrent access controls are controls used to prevent a breach.

Q9. Which access control model uses environmental information to make an access decision?
A. Discretionary access control
B. Attribute-based access control
C. Role-based access control
D. Mandatory access control

Answer: B. Attribute-based access control (ABAC) uses subject, object, and environmental attributes to make an access decision.

Q10. What is the main advantage of using a mandatory access control (MAC) model instead of a discretionary access control (DAC) model?
A. MAC is more secure because the operating system ensures security policy compliance.
B. MAC is more secure because the data owner can decide which user can get access, thus providing more granular access.
C. MAC is more secure because permissions are assigned based on roles.
D. MAC is better because it is easier to implement.

Answer: A. MAC offers better security compared to DAC because the operating system ensures compliance with the organization’s security policy.

Q11. Which of the following are part of a security label used in the mandatory access control model? (Select all that apply.)
A. Classification
B. Category
C. Role
D. Location

Answer: A and B. Classification and category are typically found in a security label.

Q12. Which access control model uses the function of a subject in an organization?
A. Discretionary access control
B. Attribute-based access control
C. Role-based access control
D. Mandatory access control

Answer: C. Role-based access control (RBAC) uses the role or function of a subject to make access decisions.

Q13. Which IDS system can detect attacks using encryption?
A. Network IDS deployed in inline mode
B. Network IDS deployed in promiscuous mode
C. Host-based IDS
D. Network IPS deployed in inline mode

Answer: C. Host-based IDS can detect attacks using encryption, because it can see the decrypted payload on the host.

Q14. Which of the following is not a disadvantage of host-based antimalware?
A. It requires updating multiple endpoints.
B. It does not have visibility into encrypted traffic.
C. It does not have visibility of all events happening in the network.
D. It may require working with different operating systems.

Answer: B. Host-based antimalware can detect attacks using encryption, because it can see the decrypted payload on the host.

Q15. Which type of access list works better when implementing RBAC?
A. Layer 2 access list
B. MAC access list
C. VLAN map
D. Security group access list

Answer: D. A security group access list (SGACL) implements access control based on a security group tag (SGT) assigned to a packet. The SGT could be assigned, for example, based on the role of the user.

Q16. Which of the following is not a true statement about TACACS+?
A. It offers command-level authorization.
B. It is proprietary to Cisco.
C. It encrypts the TACACS+ header.
D. It works over TCP.

Answer: C. TACACS+ encrypts the TACACS+ message payload.

Q17. What is used in the Cisco TrustSec architecture to provide link-level encryption?
A. MACSec
B. IPSec
C. TLS
D. EAP

Answer: A. Cisco TrustSec uses MACSec to provide link-level encryption.

Q18. In which phase of access control is access granted to a resource with specific privileges?
A. Identification
B. Authentication
C. Authorization
D. Accounting

Answer: C. In the authorization phase, access is granted to a resource.

Q19. Which of the following are characteristics of a secure identity? (Select all that apply.)
A. Uniqueness
B. Nondescriptiveness
C. Secured issuance
D. Length

Answer: A, B, C. Uniqueness, nondescriptiveness, and secured issuance are characteristics of a secure identity.

Q20. Which of the following authentication methods is considered strong?
A. Authentication by knowledge
B. Authentication by characteristic
C. Authentication by ownership
D. Any combination of these methods

Answer: D. Strong authentication is obtained by the combination of at least two methods.

Q21. Who assigns a security classification to an asset?
A. Asset owner
B. Senior management
C. Asset custodian
D. Security administrator

Answer: A. The asset owner assigns the classification.

Q22. Which type of control includes security training?
A. Administrative
B. Physical
C. Logical
D. None of the above

Answer: A. Security training is a type of administrative control.

Q23. Which technique ensures protection against simple and noninvasive data-recovery techniques?
A. Clearing
B. Purging
C. Destroying
D. Erasing

Answer: A. Clearing ensures protection against simple and noninvasive data-recovery techniques.

Q24. Which type of control best describes an IPS dropping a malicious packet?
A. Preventive
B. Corrective
C. Compensating
D. Recovery

Answer: A. Dropping a packet prevents a security incident from occurring.

Q25. Which types of control best describe a fence?
A. Administrative, preventive
B. Administrative, logical
C. Physical, deterrent
D. Logical, compensating

Answer: C. A fence is an example of a physical deterrent control.

Q26. What is included in a capability table?
A. Several objects with user access rights
B. Several subjects with user access rights
C. Objects and subjects with their access rights
D. Access rights

Answer: A. A capability table is user centric and includes several objects with user access rights.

Q27. Where does the RADIUS exchange happen?
A. Between the user and the network access server
B. Between the network access server and the authentication server
C. Between the user and the authentication server
D. None of the above

Answer: B. The RADIUS exchange happens between the NAS and the authentication server.

Q28. Which AAA protocol allows for capabilities exchange?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos

Answer: C. Diameter allows for the exchange of nodes’ capabilities.

Q29. Which port access control technology allows dynamic authorization policy to be downloaded from the authentication server?
A. VLAN map
B. Port security
C. 802.1x
D. MAC access list

Answer: C. 802.1x allows authorization policy to be downloaded and enforced at the access device.

Q30. Where is EAPoL traffic seen?
A. Between the supplicant and the authentication server
B. Between the supplicant and the authenticator
C. Between the authenticator and the authentication server
D. None of the above

Answer: B. EAPoL messages are transmitted between the supplicant and the authenticator.

Q31. What is the Security Group Tag Exchange (SXP) protocol used for?
A. To transmit SGT to the egress point for enforcement
B. To send SGT information to a hardware-capable Cisco TrustSec device for tagging
C. To send SGT information from the authentication server to the authenticator
D. To send SGT information to the supplicant

Answer: B. SXP can be used to exchange SGT information between an access device that supports Cisco TrustSec only in software and a device with Cisco TrustSec hardware support.

Q32. A host on an isolated port can communicate with which of the following?
A. A host on another isolated port
B. A host on a community port
C. A server on a community port
D. With the promiscuous port only

Answer: D. An isolated port can only communicate with the promiscuous port.

Q33. What is a disadvantage of using an IPS compared to an IDS?
A. It may add latency due to packet processing.
B. It is not able to drop a packet.
C. To stop an attack, it relies on external devices such as a firewall.
D. It is more difficult to maintain.

Answer: A. An IPS may add latency due to its packet-processing engine.

Q34. What is an advantage of network-based antimalware compared to a host-based solution?
A. It can block malware at the entry point.
B. It can check the integrity of a file on the host.
C. It can receive a signature and reputation from the cloud.
D. It can use a heuristic engine for malware detection.

Answer: A. Network-based antimalware can block malware before it enters the network. Answers C and D are true for host-based antimalware as well. Answer B applies only to host-based antimalware.

Q35. According to the attribute-based access control (ABAC) model, what is the subject location considered?
A. Part of the environmental attributes
B. Part of the object attributes
C. Part of the access control attributes
D. None of the above

Answer: A. Location is part of the environmental attributes.

Q36. Which of the following access control models use security labels to make access decisions?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Identity-based access control (IBAC)

Answer: B. MAC uses security labels for access decisions.

Q37. What is one of the advantages of the mandatory access control (MAC) model?
A. Complex to administer.
B. Stricter control over the information access.
C. Easy and scalable.
D. The owner can decide whom to grant access to.

Answer: B. Strict control over the access to resources is one of the main advantages of MAC.

Q38. In a discretionary access control (DAC) model, who can authorize access to an object?
A. The object owner
B. The subject
C. The system
D. None of the above

Answer: A. In a DAC model, the object owner grants authorization permission over the objects he owns.


About the author

Scott
