Self Test Appendix • Appendix 763
4. You have been brought in as a security consultant for a programming team working on a new
operating system designed strictly for use in secure government environments. Part of your
role is to help define the security requirements for the operating system and to instruct the
programmers in the best security methods to use for specific functions of the operating
system. What method of access control is most appropriate for implementation as it relates to
the security of the operating system itself?
A. MAC
B. DAC
C. RBAC
D. All of the above
A. Mandatory access control is generally built into and implemented within the operating
system being used and is hard-coded to protect specific objects. Because the system, not the
object's owner, assigns the security labels and enforces the policy, no user can relax the
protection on operating system objects.
Answer B is incorrect because discretionary access control is optional (the owner decides who
gets access) and would not be able to protect the operating system itself from being modified.
Answer C is incorrect because RBAC is also optional and would not be able to protect the
operating system itself from being modified. Answer D is incorrect because answers B and C do
not fit the requirements.
5. You are designing the access control methodology for a company implementing an entirely
new IT infrastructure. This company has several hundred employees, each with a specific job
function. The company wants their access control methodology to be as secure as possible due
to recent compromises within their previous infrastructure. Which access control methodology
would you use and why?
A. RBAC because it is job-based and more flexible than MAC
B. RBAC because it is user-based and easier to administer
C. Groups because they are job-based and very precise
D. Groups because they are highly configurable and more flexible than MAC
A. Role-based access control is appropriate for this situation because it is job-based, highly
configurable, more flexible than MAC, and more precise than groups: permissions are attached
to a role, and changing an employee's job is a single role reassignment.
Answer B is incorrect because RBAC is not user-based, nor is it easier to administer. Answer C
is incorrect because groups are not job-based, nor are they precise. Answer D is incorrect
because groups are not highly configurable, although they are more flexible than MAC.
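The following Python module is an added example written for this appendix, not code from the study guide. It puts a toy evaluator for each of the three models in questions 4 and 5 side by side so the deciding difference, who is allowed to change the policy, is visible in code: under MAC only the system authority can relabel an object, under DAC the owner can hand out any right at their discretion (including write on the kernel image), and under RBAC a job change is one role reassignment. All object paths, users, roles, clearance levels and the `security_officer` authority are constructed for illustration; the MAC check is a simplified label-dominance test, not a full Bell-LaPadula or Biba policy.

```python
"""Toy MAC, DAC and RBAC evaluators (added example, not from the study guide)."""
from enum import IntEnum


class Level(IntEnum):
    """Security levels ordered so that >= expresses label dominance."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# ---- MAC: labels are assigned by the system; owners cannot change them ----
# Constructed sample labels and clearances (a real MAC OS loads these from policy).
MAC_OBJECT_LABELS = {
    "/boot/kernel": Level.TOP_SECRET,
    "/etc/passwd": Level.SECRET,
    "/home/alice/notes.txt": Level.CONFIDENTIAL,
}
MAC_CLEARANCES = {"alice": Level.CONFIDENTIAL, "bob": Level.SECRET, "root": Level.TOP_SECRET}
SYSTEM_AUTHORITY = "security_officer"  # hypothetical: the only principal allowed to relabel


def mac_allows(subject: str, obj: str) -> bool:
    """Simplified dominance check: access only if clearance >= object label.
    An unlabeled object raises KeyError, i.e. MAC fails closed."""
    return MAC_CLEARANCES.get(subject, Level.UNCLASSIFIED) >= MAC_OBJECT_LABELS[obj]


def mac_relabel(actor: str, obj: str, level: Level) -> None:
    """Only the system authority may relabel; even root cannot weaken a MAC label."""
    if actor != SYSTEM_AUTHORITY:
        raise PermissionError(f"{actor} may not change the label on {obj}")
    MAC_OBJECT_LABELS[obj] = level


# ---- DAC: the owner decides, and may grant anyone any right ----
DAC_OWNERS = {"/boot/kernel": "root"}
DAC_ACLS = {"/boot/kernel": {"root": {"read", "write"}}}


def dac_allows(subject: str, obj: str, op: str) -> bool:
    return op in DAC_ACLS.get(obj, {}).get(subject, set())


def dac_grant(actor: str, obj: str, grantee: str, op: str) -> None:
    """The owner may hand out rights at will, including write on the kernel image;
    this discretion is why DAC alone cannot protect the operating system."""
    if DAC_OWNERS.get(obj) != actor:
        raise PermissionError(f"{actor} does not own {obj}")
    DAC_ACLS.setdefault(obj, {}).setdefault(grantee, set()).add(op)


# ---- RBAC: permissions attach to job roles; users are assigned to roles ----
ROLE_PERMISSIONS = {
    "payroll_clerk": {"payroll:view", "payroll:edit"},
    "auditor": {"payroll:view", "audit_log:view"},
    "helpdesk": {"password:reset"},
}
USER_ROLES = {"carol": {"payroll_clerk"}, "dave": {"auditor"}}


def rbac_allows(user: str, permission: str) -> bool:
    """A user holds a permission only through one of their roles."""
    return any(permission in ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, set()))


def rbac_change_job(user: str, new_roles) -> None:
    """A job change is one reassignment; old permissions disappear with the old role."""
    USER_ROLES[user] = set(new_roles)


if __name__ == "__main__":
    print("MAC  bob -> /boot/kernel:", mac_allows("bob", "/boot/kernel"))
    print("DAC  bob write /boot/kernel before grant:", dac_allows("bob", "/boot/kernel", "write"))
    dac_grant("root", "/boot/kernel", "bob", "write")
    print("DAC  bob write /boot/kernel after grant: ", dac_allows("bob", "/boot/kernel", "write"))
    print("RBAC carol payroll:edit:", rbac_allows("carol", "payroll:edit"))
    rbac_change_job("carol", ["auditor"])
    print("RBAC carol payroll:edit after job change:", rbac_allows("carol", "payroll:edit"))
```

Running the module shows the contrast the answers rely on: root cannot lower the MAC label on `/boot/kernel`, but under DAC root can grant bob write access to the same file in one call, and under RBAC moving carol from payroll clerk to auditor silently revokes `payroll:edit` because the permission belonged to the role, not to her.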
6. You are performing a security audit for a company to determine their risk from various attack
methods. As part of your audit, you work with one of the company's employees to see what
activities he performs during the day that could be at risk. As you work with the employee,
you see him perform the following activities:
■ Log in to the corporate network using Kerberos
■ Access files on a remote system through a Web browser using SSL
www.syngress.com