Showing posts with label Access Control and Identity Management.

Which one of the following defines APIs for devices such as smart cards that contain cryptographic information?

a. PKCS #11
b. PKCS #13
c. PKCS #4
d. PKCS #2



Answer: A

PKCS #11, the Cryptographic Token Interface Standard, defines an API named Cryptoki for devices holding cryptographic information. Answer B is incorrect because PKCS #13 is the Elliptic Curve Cryptography (ECC) standard. Both answers C and D are incorrect because PKCS #4 and PKCS #2 no longer exist and have been integrated into PKCS #1, the RSA Cryptography Standard.

Which is the best rule-based access control constraint to protect against unauthorized access when admins are off-duty?

a. Least privilege
b. Separation of duties
c. Account expiration
d. Time of day




Answer: D

Time-of-day rules prevent administrative access requests during off-hours when local admins and security professionals are not on duty. Answer A is incorrect because least privilege is a principle of assigning only those rights necessary to perform assigned tasks. Answer B is incorrect because separation of duties aids in identification of fraudulent or incorrect processes by ensuring that action and validation practices are performed separately. Answer C is incorrect because account expiration policies ensure that individual accounts do not remain active past their designated lifespan but do nothing to ensure protections are enabled during admin downtime.

Which type of authorization provides no mechanism for unique logon identification?

a. Anonymous
b. Kerberos
c. TACACS
d. TACACS+



Answer: A

During anonymous access, such as requests to a public FTP server, the unique identity of the requester is not determined and so cannot be used for personalized logon identification. Answers B, C, and D are incorrect because authorization services such as Kerberos, TACACS, and its replacement TACACS+ all verify access requests against a list of authorized credentials and so can log individual visits and identify access request logons.

Which of the following is not true regarding expiration dates of certificates?

a. Certificates may be issued for a week.
b. Certificates are issued only at yearly intervals.
c. Certificates may be issued for 20 years.
d. Certificates must always have an expiration date.



Answer: B

Digital certificates contain a field indicating the date to which the certificate is valid. This date is mandatory, and the validity period can vary from a short period of time up to a number of years; therefore, answers A, C, and D are incorrect.