Question on access control

Seab Member Posts: 127
What type of access control system is deployed to physically deter unwanted or unauthorized activity and access?

a) preventive access control
b) deterrent access control
c) directive access control
d) compensation access control

My answer was B, and reading the definition from Sybex, my answer is still B.
Right answer from the test is A; the explanation is: Preventive access control is deployed to stop unwanted or unauthorized activity from occurring.

It doesn't make sense to me, and it seems to be an error in the test. But if anyone can explain, please do :)

Comments

  • Seab Member Posts: 127
    Another typo in the same test?

    "Biometric authentication devices represent a Type 3 (something you have) authentication factor."

    Biometrics has always been something you are since I've been in Info Sec ;)
  • gespenstern Member Posts: 1,243
    If it was from Transcender -- don't worry. They have tons of questions that don't make any sense.

    Also, all of this managerial stuff is so ambiguous and would depend on how many types of controls this or that framework recognizes, etc. In this particular case, however, it should be clear that the correct answer is b. A control that is used to deter can't prevent. A typical deterrent is a warning sign, like a billboard with "Don't litter. Fine $500", etc.

    PS Second question -- same story. You are right.
  • Seab Member Posts: 127
    Thanks gespenstern for the confirmation!
  • Seab Member Posts: 127
    What setup should an administrator use for regularly testing the strength of user passwords?

    1- A networked workstation so that the live password database can easily be accessed by the cracking program.
    2- A networked workstation so the password database can easily be copied locally and processed by the cracking program.
    3- A standalone workstation on which the password database is copied and processed by the cracking program.
    4- A password-cracking program is unethical; therefore it should not be used.

    Hi guys,

    I was a bit surprised by the answer to that question... So, if I really wanted to do password cracking, I would do it on a standalone workstation, so #3.
    But, as an official CISSP, cracking passwords seems a bit hardcore, no? And honestly, who cracks passwords to check the strength of passwords, breaking privacy policy and so on??

    My answer was 4; the 'right' answer was 3.

  • gespenstern Member Posts: 1,243
    A security engineer from an auditing team cracks passwords, it's okay. I've been doing it for the last 16 years.

    Currently the company I work for has a dedicated crackstation with 4 top ATI video cards with liquid cooling. Its primary use is to crack password-protected MS Office files, but occasionally other stuff gets cracked, such as the AD DS ntds.dit file, precisely for auditing purposes. So folks that have passwords such as TomJerry123 get identified and forced to change their passwords. And this workstation is isolated and not domain-joined.

    Privacy doesn't mean much in a corporate environment. Each employee at the company I work for signs an acceptable use policy where it is stated that they should not perceive a laptop given to them as theirs, shouldn't do anything personal on it and shouldn't have any expectation of privacy while doing their job on a corporate PC. Basically it means that their passwords are actually not theirs, but belong to the company.

    Also, there's no other way to assess password strength but to attempt to crack it.

    This is typical for business. For example, after the 2013 breach Target Corp paid for an external audit of its networks. They were audited by Verizon. Among other things, Verizon took their ntds.dit and cracked it to some extent, retrieving plain-text passwords for ~70% of the users, AFAIR.

    Software that does that which I've used includes, for example, L0phtCrack, Passware Forensic Toolkit, John the Ripper, etc. Currently at my work I use Passware Forensic Toolkit.
  • webpriestess Member Posts: 82
    If it was from Transcender -- don't worry. They have tons of questions that don't make any sense.

    Agreed. I ran into a question where they said that 2 hours is the minimum fire rating and every single other source says it's one. I thought Transcender was supposed to be one of the best test engines out there.

    ::Claudia
  • webpriestess Member Posts: 82
    Sorry about my keyboard mishaps...
  • kabooter Member Posts: 115
    I agree that B is the correct answer.
  • Seab Member Posts: 127
    Thank you gespenstern, excellent answer with hands-on experience!
    I've been working in the field for a few years now in a few companies, and I never saw this, except maybe trying to decrypt a forgotten password from an encrypted file.
  • gespenstern Member Posts: 1,243
    I thought Transcender was supposed to be one of the best test engines out there.

    ::Claudia

    You can encounter different opinions here on that, but I've used a couple and I'm certain that cccure is better than Transcender. Still sucks though. It's really hard to compose a good set of CISSP-like questions, but Clement did the best job so far compared to competitors.