What is the BEST method of storing user passwords for a system?
a. Password-protected file.
b. File restricted to one individual.
c. One-way encrypted file.
d. Two-way encrypted file.
Reference: Computer Security Basics; Russell & Gangemi; pg 65-66.
A password-protected file could leave the passwords in the file in clear text so that anyone with the password could see all users' passwords, making it impossible to hold users accountable for what happens under their ID.
The file restricted to one individual has the same problem as a.
Answer c - One-way encryption means that the password file is never decrypted; therefore, only the user knows the password (and hackers who use a dictionary attack, but nobody's perfect).
What is "two-way encryption"? As I keep telling you, just because you don't understand it doesn't mean it's the right answer!
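As an added illustration of answer c (this is example code written for this page, not from the thread or the cited book): the "password file" below never stores anything that can be decrypted. Each entry is a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from the Python standard library; the record format and the iteration count are my own choices), so an administrator who reads the file still cannot learn a user's password, yet the system can still check a login. The last function shows the caveat in the post: a one-way file does not help a user whose password is in the attacker's dictionary. All usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Work factor for the one-way function. Constructed example value; tune for
# your hardware so that one verification costs tens of milliseconds.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt per user means two users with the same password get
    different records, and a precomputed dictionary cannot be reused across users.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the one-way function from the stored salt and compare in constant time.

    Nothing is decrypted: the only way to 'get the password back' is to already know it.
    """
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown password record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PasswordFile:
    """The one-way 'password file' of answer c: username -> hash record."""

    def __init__(self, iterations: int = ITERATIONS) -> None:
        self._entries: Dict[str, str] = {}
        self._iterations = iterations

    def set_password(self, username: str, password: str) -> None:
        self._entries[username] = hash_password(password, iterations=self._iterations)

    def check_login(self, username: str, password: str) -> bool:
        record = self._entries.get(username)
        if record is None:
            # Still burn a hash so a missing user is not detectable by timing.
            hash_password(password, iterations=self._iterations)
            return False
        return verify_password(password, record)

    def dump(self) -> Dict[str, str]:
        """What an administrator (or a thief of the file) actually sees."""
        return dict(self._entries)


def dictionary_attack(record: str, wordlist: Iterable[str]) -> Optional[str]:
    """The caveat from the post: a one-way file still falls to guessing
    if the password itself is guessable. Returns the recovered password or None."""
    for guess in wordlist:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample users; a low iteration count keeps the demo fast.
    pwfile = PasswordFile(iterations=10_000)
    pwfile.set_password("alice", "correct horse battery staple")
    pwfile.set_password("bob", "password123")
    print("stored file:", pwfile.dump())          # no clear-text passwords anywhere
    print("alice login ok:", pwfile.check_login("alice", "correct horse battery staple"))
    print("bob wrong pw:", pwfile.check_login("bob", "hunter2"))
    print("dictionary hit on bob:",
          dictionary_attack(pwfile.dump()["bob"], ["letmein", "password123", "qwerty"]))
```

The salt makes the dictionary attack per-user work rather than a one-time table, and the iteration count makes each guess cost the attacker as much as it costs the server; neither changes the fact that a guessable password is recoverable, which is exactly why the post's parenthetical matters.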
19. What is the purpose of a ticket-oriented security mechanism?
a. Permits the subject’s access to objects
b. Assigns access modes to objects
c. Grants subject’s discretionary control
d. Assures user access accountability
Reference: Handbook of Information Security Management; Ruthberg & Tipton; pg 538-539.
You could say that this is an example of all the answers being correct. However, the answer that most completely answers the question asked is the most correct, and therefore the answer that will get you that point. Answer a may seem a bit broad: after all, that's the purpose of any access control mechanism, and doesn't differentiate a ticket-oriented system from any other. But that's the most correct. Since no other answer (that you're given) distinguishes a ticket-oriented system from any other, "ticket-oriented" is irrelevant.
thank you @rslade for these questions. For the first time I understand why people fail this exam. I went through quite a few tests and would say that I'm well versed in taking them, but this is going to be really really difficult for me
21. Which of the following is a rule-based control mechanism?
a. Discretionary Access Control
b. Task-based Access Control
c. Subject-based Access Control
d. Token-based Access Control
Reference: Handbook of Info. Sys. Sec.; Ruthberg & Tipton; pg 517.
Answer a - Some access control systems contain rules that are used to determine whether or not an individual can achieve the access requested. This is particularly true for discretionary access control. Remember your ACL (Access Control List)? A list of rules, right?
For those wanting to answer b, c, or d, remember that if you don't know what it is, that doesn't mean it's the right answer. As far as I know, none of those are actual access control systems (unless some marketing department is out there messing with things again).
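For questions 19 and 21 together, here is an added example (my own code, not from the thread or the handbook) that records one and the same policy in the two classic shapes: a ticket-oriented (capability) store, where each subject carries tickets naming the objects and modes it may use, and a list-oriented store, where each object carries its ACL as a list of rules. Reading "ticket-oriented" as Saltzer and Schroeder's capability-list model is my assumption about the terminology, not something the post states. Both stores answer "may subject S do mode M to object O?" identically; the difference shows up in the other two questions a practitioner asks, "who can touch this object?" and "what can this subject reach?", and in how cheaply each can revoke access. All subjects, objects and rules are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Ticket:
    """A ticket (capability): an unforgeable token the subject presents at access time."""
    obj: str
    modes: FrozenSet[str]


class TicketOriented:
    """Ticket-oriented store: tickets live with the subject.

    The reference monitor only looks at what the requesting subject holds;
    the object has no idea who owns tickets for it.
    """

    def __init__(self) -> None:
        self._tickets: Dict[str, Set[Ticket]] = {}

    def grant(self, subject: str, obj: str, *modes: str) -> None:
        self._tickets.setdefault(subject, set()).add(Ticket(obj, frozenset(modes)))

    def permits(self, subject: str, obj: str, mode: str) -> bool:
        return any(t.obj == obj and mode in t.modes
                   for t in self._tickets.get(subject, ()))

    def what_can(self, subject: str) -> Set[Tuple[str, str]]:
        """Cheap: just read the subject's own tickets."""
        return {(t.obj, m) for t in self._tickets.get(subject, ()) for m in t.modes}

    def who_can(self, obj: str, mode: str) -> Set[str]:
        """Expensive: every subject's ticket set must be searched."""
        return {s for s, ts in self._tickets.items()
                if any(t.obj == obj and mode in t.modes for t in ts)}

    def revoke_object(self, obj: str) -> int:
        """Revocation is hard here: tickets must be hunted down everywhere."""
        removed = 0
        for ts in self._tickets.values():
            before = len(ts)
            ts.difference_update({t for t in ts if t.obj == obj})
            removed += before - len(ts)
        return removed


class ListOriented:
    """List-oriented store: the ACL, a list of (subject, modes) rules, lives with the object."""

    def __init__(self) -> None:
        self._acl: Dict[str, List[Tuple[str, FrozenSet[str]]]] = {}

    def add_rule(self, obj: str, subject: str, *modes: str) -> None:
        self._acl.setdefault(obj, []).append((subject, frozenset(modes)))

    def permits(self, subject: str, obj: str, mode: str) -> bool:
        # Walk the object's rule list; first rule that matches wins.
        return any(s == subject and mode in ms for s, ms in self._acl.get(obj, []))

    def who_can(self, obj: str, mode: str) -> Set[str]:
        """Cheap: the answer is the object's own list."""
        return {s for s, ms in self._acl.get(obj, []) if mode in ms}

    def what_can(self, subject: str) -> Set[Tuple[str, str]]:
        """Expensive: every object's ACL must be scanned."""
        return {(o, m) for o, rules in self._acl.items()
                for s, ms in rules if s == subject for m in ms}

    def revoke_object(self, obj: str) -> int:
        """Revocation is easy here: drop the object's list."""
        return len(self._acl.pop(obj, []))


# Constructed sample policy, loaded into both stores.
POLICY = [("alice", "payroll.db", ("read", "write")),
          ("bob", "payroll.db", ("read",)),
          ("bob", "ops.log", ("read", "append"))]


def build_stores() -> Tuple[TicketOriented, ListOriented]:
    tickets, acl = TicketOriented(), ListOriented()
    for subject, obj, modes in POLICY:
        tickets.grant(subject, obj, *modes)
        acl.add_rule(obj, subject, *modes)
    return tickets, acl


def decisions_agree(tickets: TicketOriented, acl: ListOriented) -> bool:
    """Same policy, same yes/no answers, whichever side the rules are stored on."""
    subjects = {s for s, _, _ in POLICY} | {"mallory"}
    objects = {o for _, o, _ in POLICY}
    return all(tickets.permits(s, o, m) == acl.permits(s, o, m)
               for s in subjects for o in objects for m in ("read", "write", "append"))


if __name__ == "__main__":
    t, a = build_stores()
    print("decisions agree:", decisions_agree(t, a))
    print("who can write payroll.db:", a.who_can("payroll.db", "write"))
    print("what can bob do:", t.what_can("bob"))
    print("revoke payroll.db:", t.revoke_object("payroll.db"), "tickets vs",
          a.revoke_object("payroll.db"), "ACL rules")
```

Either store "permits the subject's access to objects"; that is what makes answer a the safe pick for question 19. The choice of side changes the cost of the audit and revocation questions, not the decision itself.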