Page 778 - StudyBook.pdf
P. 778
762 Appendix • Self Test Appendix
of the authorization process. In addition, authorization is not included in the acronym AAA per
CompTIA’s definition.Answer D is incorrect because this type of written policy is not part of
the auditing process.
2. One of the goals of AAA is to provide CIA.A valid user has entered their ID and password
and has been authenticated to access network resources.When they attempt to access a
resource on the network, the attempt returns a message stating,“The server you are
attempting to access has reached its maximum number of connections.”Which part of CIA is
being violated in this situation?
A. Confidentiality
B. Integrity
C. Availability
D. Authentication
C.Availability under CIA has not been assured because the resource is not available to the user
after they have authenticated.
Answer A is incorrect because confidentiality has not been breached in this scenario.Answer B
is incorrect because integrity has not been breached in this scenario.While the resource may
not be available, that does not mean that the integrity of the data has been violated.Answer D
is incorrect because authentication is not a component of CIA and the scenario describes that
authentication has completed successfully.
3. A user from your company is being investigated for attempting to sell proprietary information
to a competitor.You are the IT security administrator responsible for assisting with the investi-
gation.The user has claimed that he did not try to access any restricted files and is conse-
quently not guilty of any wrongdoing.You have completed your investigation and have a log
record showing that the user did attempt to access restricted files. How does AAA help you to
prove that the user is guilty regardless of what he says?
A. Access Control
B. Auditing
C. Authorization
D. Non-repudiation
D. Non-repudiation is part of authentication under AAA, and serves to ensure that the pre-
senter of the authentication request cannot later deny they were the originator of the request
through the use of time stamps, particular protocols, or authentication methods.
Answer A is incorrect because access control does not provide a method of proving that the
user accessed the files.Answer B is incorrect because auditing does not provide any proof that
the user is guilty either.While auditing may be the method used for finding the authentication
records proving the user’s guilt, the auditing process itself is not proof. If there were no authen-
tication method with non-repudiation, there would be no log for you to find in your audit.
Answer C is incorrect because authorization is not a part of the acronym AAA per CompTIA’s
definition.
www.syngress.com
