CCNA Cyber Ops FAQ: Introduction to Access Controls
Q1. What entity requests access to a resource?
A. Object
B. Subject
C. File
D. Database
Q2. In which phase of the access control does a user need to prove his or her identity?
A. Identification
B. Authentication
C. Authorization
D. Accounting
Q3. Which of the following authentication methods can be considered examples of authentication by knowledge? (Select all that apply.)
A. Password
B. Token
C. PIN
D. Fingerprint
Q4. When a biometric authentication system rejects a valid user, which type of error is generated?
A. True positive
B. False positive
C. False rejection
D. Crossover error
Q5. In military and governmental organizations, what is the classification for an asset that, if compromised, would cause severe damage to the organization?
A. Top Secret
B. Secret
C. Confidential
D. Unclassified
Q6. What is a common way to protect “data at rest”?
A. Encryption
B. Transport Layer Security
C. Fingerprint
D. IPSec
Q7. Who is ultimately responsible for security control of an asset?
A. Senior management
B. Data custodian
C. User
D. System administrator
Q8. Which type of access controls are used to protect an asset before a breach occurs? (Select all that apply.)
A. Preventive
B. Deterrent
C. Corrective
D. Recovery
Q9. Which access control model uses environmental information to make an access decision?
A. Discretionary access control
B. Attribute-based access control
C. Role-based access control
D. Mandatory access control
Q10. What is the main advantage of using a mandatory access control (MAC) model instead of a discretionary access control (DAC) model?
A. MAC is more secure because the operating system ensures security policy compliance.
B. MAC is more secure because the data owner can decide which user can get access, thus providing more granular access.
c. MAC is more secure because permissions are assigned based on roles.
D. MAC is better because it is easier to implement.
Q11. Which of the following are part of a security label used in the mandatory access control model? (Select all that apply.)
A. Classification
B. Category
C. Role
D. Location
Q12. Which access control model uses the function of a subject in an organization?
A. Discretionary access control
B. Attribute-based access control
C. Role-based access control
D. Mandatory access control
Q13. Which IDS system can detect attacks using encryption?
A. Network IDS deployed in inline mode
B. Network IDS deployed in promiscuous mode
C. Host-based IDS
D. Network IPS deployed in inline mode
Q14. Which of the following is not a disadvantage of host-based antimal ware?
A. It requires updating multiple endpoints.
B. It does not have visibility into encrypted traffic.
C. It does not have visibility of all events happening in the network.
D. It may require working with different operating systems.
Q15. Which type of access list works better when implementing RBAC?
A. Layer 2 access list
B. MAC access list
C. VLAN map
D. Security group access list
Q16. Which of the following is not a true statement about TACACS+?
A. It offers command-level authorization.
B. It is proprietary to Cisco.
C. It encrypts the TACACS+ header.
D. It works over TCP.
Q17. What is used in the Cisco TrustSec architecture to provide link-level encryption?
A. MACSec
B. IPSec
C. TLS
D. EAP
Q18. In which phase of access control is access granted to a resource with specific privileges?
A. Identification
B. Authentication
C. Authorization
D. Accounting
Q19. Which of the following are characteristics of a secure identity? (Select all that apply.)
A. Uniqueness
B. Nondescriptiveness
C. Secured issuance
D. Length
Q20. Which of the following authentication methods is considered strong?
A. Authentication by knowledge
B. Authentication by characteristic
C. Authentication by ownership
D Any combination of these methods
Q21. Who assigns a security classification to an asset?
A. Asset owner
B. Senior management
C. Asset custodian
D. Security administrator
Q22. Which type of control includes security training?
A. Administrative
B. Physical
C. Logical
D. None of the above
Q23. Which technique ensures protection against simple and noninvasive data-recovery techniques?
A. Clearing
B. Purging
C. Destroying
D. Erasing
Q24. Which type of control best describes an IPS dropping a malicious packet?
A. Preventive
B. Corrective
C. Compensating
D. Recovery
Q25. Which type of controls best describe a fence?
A. Administrative, preventive
B. Administrative, logical
C. Physical, deterrent
D. Logical, compensating
Q26. What is included in a capability table?
A. Several objects with user access rights
B. Several subjects with user access rights
C. Objects and subjects with their access rights
D. Access rights
Q27. Where does the RADIUS exchange happen?
A. Between the user and the network access server
B. Between the network access server and the authentication server
C. Between the user and the authentication server
D. None of the above
Q28. Which AAA protocol allows for capabilities exchange?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos
Q29. Which port access control technology allows dynamic authorization policy to be downloaded from the authentication server?
A. VLAN map
B. Port security
C. 802.1x
D. MAC access list
Q30. Where is EAPoL traffic seen?
A. Between the supplicant and the authentication server
B. Between the supplicant and the authenticator
C. Between the authenticator and the authentication server
D. None of the above
Q31. What is the Security Group Tag Exchange (SXP) protocol used for?
A. To transmit SGT to the egress point for enforcement
B. To send SGT information to a hardware-capable Cisco TrustSec device for tagging
C. To send SGT information from the authentication server to the authenticator
D. To send SGT information to the supplicant
Q32. A host on an isolated port can communicate with which of the following?
A. A host on another isolated port
B. A host on a community port
C. A server on a community port
D. With the promiscuous port only
Q33. What is a disadvantage of using an IPS compared to an IDS?
A. It may add latency due to packet processing.
B. It is not able to drop a packet.
C. To stop an attack, it relies on external devices such as a firewall.
D. It is more difficult to maintain.
Q34. What is an advantage of network-based antimalware compared to a host-based solution?
A. It can block malware at the entry point.
B. It can check the integrity of a file on the host.
C. It can receive a signature and reputation from the cloud.
D. It can use a heuristic engine for malware detection
Q35. According to the attribute-based access control (ABAC) model, what is the subject location considered?
A. Part of the environmental attributes
B. Part of the object attributes
C. Part of the access control attributes
D. None of the above
Q36. Which of the following access control models use security labels to make access decisions?
A. Discretionary access control (DAC)
B. Mandatory access control (MAC)
C. Role-based access control (RBAC)
D. Identity-based access control (IBAC)
Q37. What is one of the advantages of the mandatory access control (MAC) model?
A. Complex to administer.
B. Stricter control over the information access.
C. Easy and scalable.
D. The owner can decide whom to grant access to.
Q38. In a discretionary access control (DAC) model, who can authorize access to an object?
A. The object owner
B. The subject
C. The system
D. None of the above
More Resources