Access Controls for SSCP

This page covers the Access Controls domain of the SSCP certification. Master Cybersecurity offers 203 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    A potential problem related to the physical installation of an iris scanner, with regard to the use of the iris pattern within a biometric system, is:
    A. concern that the laser beam may cause eye damage.
    B. the iris pattern changes as a person grows older.
    C. there is a relatively high rate of false accepts.
    D. the optical unit must be positioned so that the sun does not shine into the aperture.
    Explanation

    The correct answer is: D. the optical unit must be positioned so that the sun does not shine into the aperture.

    A potential physical-installation problem with an iris scanner is that the optical unit must be positioned so the sun does not shine into the aperture: bright sunlight saturates the sensor and can prevent reliable capture of the iris pattern, so outdoor and sunlit-window installations have to consider lighting geometry. The concern that the laser beam may cause eye damage is unfounded for modern iris scanners, which use low-power near-infrared illumination well within safety limits. The iris pattern does not change significantly as a person grows older once early childhood is past; the iris is one of the most stable biometric features. A relatively high rate of false accepts is the opposite of what iris recognition delivers: it has one of the lowest false acceptance rates (FAR) of any biometric modality. Plan iris-scanner placement to avoid direct sunlight, glare, and reflective surfaces.

  2. Question 2

    In Mandatory Access Control, sensitivity labels attached to an object contain what information?
    A. The item's classification
    B. The item's classification and category set
    C. The item's category
    D. The item's need to know
    Explanation

    The correct answer is: B. The item's classification and category set.

    In MAC, the sensitivity label attached to an object contains both the item's classification (such as Confidential, Secret, Top Secret) and the category set (compartments like NUCLEAR, NATO, MEDICAL). The classification is the hierarchical part; the category set is the non-hierarchical compartment part. Saying labels contain only the classification omits the category dimension that supports compartmentalisation. Saying labels contain only the category is similarly incomplete. Saying labels contain the item's need-to-know mistakes a separate concept; need-to-know is enforced through access decisions over labels, not embedded in the label itself. The classification + category pair is what allows policies such as "Secret AND NUCLEAR-only" to be enforced precisely.

  3. Question 3

    What are the components of an object's sensitivity label?
    A. A Classification Set and a single Compartment.
    B. A single classification and a single compartment.
    C. A Classification Set and user credentials.
    D. A single classification and a Compartment Set.
    Explanation

    The correct answer is: D. A single classification and a Compartment Set.

    An object's sensitivity label consists of a single classification (the hierarchical level such as Confidential, Secret, Top Secret) and a Compartment Set (the non-hierarchical compartments such as NUCLEAR, NATO, CRYPTO). The combination supports both hierarchical and need-to-know access control. A Classification Set with a single Compartment inverts the structure incorrectly. A single classification with a single compartment is too restrictive; multiple compartments are typically permitted. A Classification Set with user credentials confuses the label structure with authentication elements. The standard "Top Secret//NUCLEAR/NATO" notation reflects classification + compartment-set in a single label.
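    The two explanations above describe the same structure from two angles: a label is one hierarchical classification plus a set of non-hierarchical compartments, and a policy such as "Secret AND NUCLEAR-only" is enforced by comparing a subject's clearance label against the object's label. The following added example (written for this page; it is not code from any certification body or operating system) makes that comparison concrete. The classification ordering, the simplified `LEVEL//COMP/COMP` marking syntax, and the `can_read`/`can_write` names are assumptions chosen for the illustration; the dominance rule itself is the standard lattice comparison used by Bell-LaPadula style MAC.

```python
"""Sensitivity labels and the dominance check behind MAC decisions.

Added illustration, not from the original page. A label is a single
hierarchical classification plus a (possibly empty) compartment set.
Clearance C dominates label L when level(C) >= level(L) AND
compartments(C) is a superset of compartments(L).
"""
from dataclasses import dataclass, field

# Hierarchical classification levels, lowest to highest (constructed ordering).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """One classification (hierarchical) plus a compartment set (non-hierarchical)."""
    classification: str
    compartments: frozenset = field(default_factory=frozenset)

    @classmethod
    def parse(cls, marking: str) -> "Label":
        """Parse a simplified 'TOP SECRET//NUCLEAR/NATO' style marking (assumed syntax)."""
        level, _, comps = marking.partition("//")
        level = level.strip().upper()
        if level not in LEVELS:
            raise ValueError(f"unknown classification: {level!r}")
        return cls(level, frozenset(c.strip().upper() for c in comps.split("/") if c.strip()))

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level AND superset of compartments."""
        return (LEVELS[self.classification] >= LEVELS[other.classification]
                and self.compartments >= other.compartments)

    def __str__(self) -> str:
        comps = "/".join(sorted(self.compartments))
        return self.classification + ("//" + comps if comps else "")


def can_read(clearance: Label, obj: Label) -> bool:
    """Simple security property (no read up): the clearance must dominate the object's label."""
    return clearance.dominates(obj)


def can_write(clearance: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label must dominate the clearance."""
    return obj.dominates(clearance)


if __name__ == "__main__":
    # Constructed scenario: a Top Secret clearance without the NUCLEAR compartment
    # still cannot read a Secret//NUCLEAR object, because compartments are not ordered by level.
    obj = Label.parse("SECRET//NUCLEAR")
    for marking in ("TOP SECRET", "TOP SECRET//NUCLEAR/NATO", "SECRET//NUCLEAR", "CONFIDENTIAL"):
        clr = Label.parse(marking)
        print(f"{str(clr):28} read={can_read(clr, obj)!s:5} write={can_write(clr, obj)}")
```

    The second marking in the demo is the interesting one for the exam: a higher classification does not compensate for a missing compartment, which is exactly why a label has to carry both parts.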

  4. Question 4

    Which of the following is needed for System Accountability?
    A. Audit mechanisms.
    B. Documented design as laid out in the Common Criteria.
    C. Authorization.
    D. Formal verification of system design.
    Explanation

    The correct answer is: A. Audit mechanisms.

    System accountability is achieved through audit mechanisms — the logs and records that capture who did what, when, and to which resources. Without audit, no after-the-fact accountability is possible regardless of how strong authentication or access control may be. Documented design as laid out in the Common Criteria addresses assurance and evaluation rather than runtime accountability. Authorization decides whether a subject may perform an action but does not by itself record the action for accountability. Formal verification of system design provides mathematical assurance of correctness but is an assurance technique rather than a runtime accountability mechanism. Pair strong audit with tamper-resistant log storage and regular log review for genuine accountability.
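    The explanation closes with "tamper-resistant log storage", which is what turns a list of records into evidence. The added example below (written for this page, not taken from any product) shows one common way to get that property in software: each audit record commits to the hash of the record before it, and the log service authenticates every hash with a key that the writers of records do not hold. Field names, the sample records, and the key are constructed for the illustration.

```python
"""Tamper-evident audit trail: hash chain plus a service-held MAC key.

Added example, not from the original page. Editing, reordering or deleting
an entry breaks the chain at that point; recomputing the hashes to hide the
edit fails without the MAC key. Shipping the entries to write-once or remote
storage is still needed to survive deletion of the whole log.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64   # the hash value the first record chains to


def _record_hash(prev_hash: str, record: dict) -> str:
    """Hash of a record bound to its predecessor's hash (canonical JSON encoding)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()


class AuditLog:
    """Append-only audit log. Entries are dicts: {record, prev, hash, tag}."""

    def __init__(self, mac_key: bytes):
        self._key = mac_key          # held by the log service only, never by writers
        self.entries = []

    def append(self, ts: int, subject: str, action: str, obj: str, outcome: str) -> str:
        """Record who did what, when, to which object, with what result; returns the entry hash."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"ts": ts, "subject": subject, "action": action, "object": obj, "outcome": outcome}
        h = _record_hash(prev, record)
        tag = hmac.new(self._key, h.encode(), "sha256").hexdigest()
        self.entries.append({"record": record, "prev": prev, "hash": h, "tag": tag})
        return h

    def verify(self) -> int:
        """Return -1 if the chain is intact, otherwise the index of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected_tag = hmac.new(self._key, e["hash"].encode(), "sha256").hexdigest()
            if (e["prev"] != prev
                    or _record_hash(prev, e["record"]) != e["hash"]
                    or not hmac.compare_digest(expected_tag, e["tag"])):
                return i
            prev = e["hash"]
        return -1


if __name__ == "__main__":
    # Constructed sample records.
    log = AuditLog(b"log-service-key")
    log.append(1700000000, "alice", "read", "/hr/payroll.xlsx", "allowed")
    log.append(1700000005, "bob", "write", "/hr/payroll.xlsx", "denied")
    log.append(1700000009, "bob", "delete", "/hr/payroll.xlsx", "denied")
    print("intact:", log.verify())                      # -1
    log.entries[1]["record"]["outcome"] = "allowed"     # someone rewrites history
    print("after edit:", log.verify())                  # 1
    # Attacker recomputes the hash to cover the edit but has no MAC key.
    log.entries[1]["hash"] = _record_hash(log.entries[0]["hash"], log.entries[1]["record"])
    print("after re-hash:", log.verify())               # still 1
```

    Regular log review, the other half of the recommendation, is a process rather than code: `verify()` tells you that the record is unchanged, not that the actions it records were appropriate.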

  5. Question 5

    What is Kerberos?
    A. A three-headed dog from Egyptian mythology.
    B. A trusted third-party authentication protocol.
    C. A security model.
    D. A remote authentication dial-in user server.
    Explanation

    The correct answer is: B. A trusted third-party authentication protocol.

    Kerberos is a trusted third-party authentication protocol — the KDC (Key Distribution Center) serves as the trusted third party that authenticates principals and issues tickets that prove identity to other services in the realm. The three-party model (client, service, KDC) is foundational. The three-headed dog reference is Greek mythology (Cerberus), not Egyptian; the protocol name plays on this. Kerberos is not a security model; it is a specific authentication protocol with implementation details. RADIUS (Remote Authentication Dial-In User Service) is a different AAA protocol used for network access; not Kerberos. Modern Active Directory uses Kerberos extensively for domain authentication and SSO.
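    To see why "trusted third party" is the right description, it helps to watch the three exchanges (AS, TGS, AP) with all three parties in one place. The following added example is a toy model written for this page; it is not code from MIT Kerberos, Heimdal or Active Directory. The KDC is the only party that knows every principal's long-term key, tickets are sealed under keys the client cannot read, and the service never contacts the KDC at access time. The `_encrypt`/`_decrypt` helpers are a throwaway SHA-256 keystream plus HMAC construction used only so the example runs with the standard library; real Kerberos uses the AES encryption types of RFC 3962 and RFC 8009, pre-authentication, and a full ticket format. Principal names, lifetimes and keys are constructed values.

```python
"""Kerberos three-party model: client, KDC (AS + TGS) and service.

Added toy example, not from the original page and not a Kerberos implementation.
"""
import hashlib
import hmac
import json
import os

LIFETIME = 8 * 3600   # ticket lifetime in seconds (constructed)
SKEW = 300            # maximum authenticator age a verifier accepts (constructed)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def _encrypt(key: bytes, obj: dict) -> str:
    """Toy authenticated encryption for illustration only: keystream XOR + HMAC tag, hex-encoded."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return (nonce + ct + tag).hex()


def _decrypt(key: bytes, blob_hex: str) -> dict:
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Trusted third party: the only party holding every principal's long-term key."""

    def __init__(self, realm: str, principals: dict):
        self.realm, self.keys = realm, dict(principals)
        self.tgs_key = os.urandom(32)            # krbtgt key; never leaves the KDC

    def as_exchange(self, client: str, now: int) -> str:
        """AS-REQ/AS-REP: TGT plus TGS session key, sealed under the client's long-term key."""
        sk = os.urandom(32)
        tgt = _encrypt(self.tgs_key, {"client": client, "sk": sk.hex(), "exp": now + LIFETIME})
        return _encrypt(self.keys[client], {"sk": sk.hex(), "tgt": tgt})

    def tgs_exchange(self, tgt: str, authenticator: str, service: str, now: int) -> str:
        """TGS-REQ/TGS-REP: check the TGT and authenticator, issue a ticket under the service's key."""
        t = _decrypt(self.tgs_key, tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        a = _decrypt(bytes.fromhex(t["sk"]), authenticator)   # proves the holder knows the session key
        if a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
            raise ValueError("bad authenticator")
        svc_sk = os.urandom(32)
        ticket = _encrypt(self.keys[service],
                          {"client": t["client"], "sk": svc_sk.hex(), "exp": now + LIFETIME})
        return _encrypt(bytes.fromhex(t["sk"]), {"sk": svc_sk.hex(), "ticket": ticket})


class Service:
    """A kerberised service: shares a long-term key with the KDC, talks only to the client."""

    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: str, authenticator: str, now: int) -> str:
        """AP-REQ: open the ticket with the service key, then check the authenticator."""
        t = _decrypt(self.key, ticket)
        if now > t["exp"]:
            raise ValueError("ticket expired")
        a = _decrypt(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
            raise ValueError("bad authenticator")
        return t["client"]                       # authenticated principal name


def login_and_access(kdc: KDC, service: Service, client: str, client_key: bytes, now: int) -> str:
    """Client side of all three exchanges; raises ValueError if the client key is wrong."""
    rep = _decrypt(client_key, kdc.as_exchange(client, now))   # wrong key: AS-REP will not open
    sk = bytes.fromhex(rep["sk"])
    tgs_rep = _decrypt(sk, kdc.tgs_exchange(rep["tgt"], _encrypt(sk, {"client": client, "ts": now}),
                                            service.name, now))
    svc_sk = bytes.fromhex(tgs_rep["sk"])
    return service.ap_exchange(tgs_rep["ticket"], _encrypt(svc_sk, {"client": client, "ts": now}), now)


if __name__ == "__main__":
    alice_key = hashlib.sha256(b"correct horse battery staple").digest()   # toy string-to-key
    fs_key = os.urandom(32)
    kdc = KDC("EXAMPLE.COM", {"alice": alice_key, "host/fs.example.com": fs_key})
    fs = Service("host/fs.example.com", fs_key)
    print("service authenticated:", login_and_access(kdc, fs, "alice", alice_key, 1_700_000_000))
```

    Two things the toy makes visible that the exam answer only states: the client never sends its password or key anywhere (a wrong key simply fails to open the AS-REP), and a host that does not share its key with the KDC cannot read a ticket addressed to it, so it cannot impersonate the service. RADIUS, by contrast, is a client-to-server AAA protocol with no ticket-granting step.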
