[NTLUG:Discuss] I PASSED... I'm an LCA

Chris Cox cjcox at acm.org
Fri Jun 1 12:02:47 CDT 2001


Jeremy Blosser wrote:
> 
....
The Security and Ethics test is what trips most people up.  It's very
important to remember that all of your life belongs to the company
you work for... every bit of email you send and receive, etc.
IF YOU REMEMBER THAT... you'll do well on the Security exam. Too
often people think that "ethics" means their own "ethics"...
the law overrides ethics though.

> Some examples, all from the 'security and ethics' test:
> 
>  "Select the least secure host from the list below.
> 
>  A.A multi-user system that is connected to the Internet directly but runs
>  only a minimum number of services, all of which are started by TCP wrappers
>  B.A multi-user system that is connected to the Internet through a firewall,
>  which runs a minimum number of services.
>  C.A single-user system that is used primarily as an NFS server, that is
>  connected to the Internet directly, and that only runs NFS services
>  D.A single-user system that is used primarily as a development server and
>  that is connected to the Internet through a firewall, which runs a minimum
>  number of services
> 
>  Explanation : Answer C is correct. With NFS, a client can log in and mount
....
> 
> Er, huh?  This one just has to be a typo or something.  D is connected
> through a firewall, for one thing, so the bit about not being behind a
> firewall eliminating D makes no sense.  They say the NFS server is the
> answer, then give all the reasons NFS is insecure.  Etc.

You are correct that the explanation isn't right... but the answer is
correctly given.  You won't get any explanation when you take the exam...
you either get it right or wrong.... and I really hate the ones where
there are multiple correct choices.... I mean, as an administrator
you tend to favor a certain way of doing things... sometimes to
the exclusion of alternatives just because you know you'll never
need the alternatives.... but in the case of the exam, there are
a few questions where you'll need to have a pretty broad
understanding of various methods to do the same thing.

> 
>  "Of the following examples, which would be the best example of physical
>  security?
> 
>  1. Computer Locks
>  2. BIOS Security
>  3. Boot Loader Security (example - LILO)
>  4. xlock and vlock
> 
>  A.1
>  B.1 & 2
>  C.2 & 3
>  D.1,2 & 3
>  E.1,2,3 & 4
> 
>  Explanation : Physical security of a machine is the protection of
>  unauthorized persons from logging into the physical terminal. All four
>  examples help in preventing unauthorized persons from logging into the
>  machine."
> 
> All help, but that wasn't the question.  The question was 'which would be
> the best'.
> 


This sample question is poorly worded...  the first time I took the
online quiz I got this wrong too!  The exam questions are not so
ambiguous... with the possible exception of the Network exam.  I bet
there are more questions on that one that I passed... unfortunately,
you don't get to keep the questions.  Now that I've passed, I may
be able to look into that test some more.... we'll see.

>  "Which of the following is the most secure method for a system
>  administrator to log in as root to a host? (This host may be accessed
>  through the local area network if necessary.)
> 
>  A.Use the "rlogin" command.
>  B.Use the "ssh" command.
>  C.Use Telnet.
>  D.Log in as root at the physical terminal.
>  E.All of the above are equally suitable options.
> 
>  Explanation : Answer D is correct. Using rlogin, ssh, and telnet place the
>  root password on the network, subjecting it to potential snooping. Further,
>  rlogin relies on the "trust" of another host and can be easily fooled.
>  Secure shell is probably the next best choice because it uses encryption to
>  protect the data. It is still feasible, however, that someone could decrypt
>  the message. Telnet transmits data in plain text which can easily be
>  intercepted by a password sniffer. Physically logging onto the terminal is
>  the only method that totally prevents network snooping of the root
>  password."
> 
> Maybe this is just a poorly worded question, but saying the host may be
> accessed through the network implies that that is relevant to the question,
> ie. that we're talking about the most secure method that still allows
> remote access.  Also, root should not be allowed to login directly even at
> the console, which is the reasonable interpretation of "log in as root at
> the physical terminal".

I disagree... this question is worded sufficiently to arrive at the correct
answer.  If the question said that root MUST be through the network...well
that's different.  The question said "if necessary"... and I think
that was designed to trip some up.  Remember it's a security exam....
so it's designed to mess with your mind a bit.  A good security
manager is often very paranoid.

> 
>  "It is ethical for a network administrator to read other users' e-mail
>  without permission on a server that he is administrating.
> 
>  A.True
>  B.False
> 
>  Explanation : Answer A is correct. The Electronic Communications Privacy
>  Act specifically grants this right to authorized personnel. Courts have
>  generally ruled that there is no reasonable expectation to privacy and,
>  further, states that employers have the right to read e-mail to protect
>  their interests."
> 
> This is no doubt debatable, but the phrasing of the question certainly
> implies that they're asking about a sysadmin doing this at their own whim,
> and not just as part of their authorized duties (I guess we're supposed to
> intuit that 'without permission' just means 'without the user's permission,
> but with the permission associated with your job').  Trick question?  Even
> if technically correct, if people are being quizzed on ethics, the standard
> should be quite a bit higher than 'the bare minimum the law allows'.

Though we would all LIKE to think of this as debatable, the company and
their authorized systems administrator (basically a delegated agent of
the company) can peruse your email at its leisure I'm afraid.  It all
belongs to them. What is ambiguous is how far they can take the information
in the email. If you are concerned... don't put anything in your corporate
email system that contains personal or private information PERIOD!

Remember, the Sys Admin can read your email AT WILL! (so bribe your
Sys Admin today!)

> 
>  "While monitoring routine network traffic, a network administrator notices
>  that a user is violating the company's appropriate use policy. As part of
>  his job, the network administrator is expected to report any violations of
>  the policy.  From an ethical standpoint, who should the network
>  administrator inform about the violation?
> 
>  A.The person who has violated the policy
>  B.The boss of the person who has violated the policy
>  C.The owner of the company
>  D.The network administrator's boss
>  E.Both a and b
>  F.All of the above
> 
>  Explanation : Everyone listed here can be notified of the violation,
>  especially since an appropriate use policy (by convention, a statement of
>  rights, privileges, and consequences) is in effect. However, notification
>  does not mean that the inappropriate material can be shown to everybody in
>  the list.  NOTE: This question does not address the issue of
>  chain-of-command with respect to company policy.  Jumping the
>  chain-of-command is a separate issue from the ethics of monitoring system
>  activity and should be respected per company policy."
> 
> Also debatable I guess, but I don't think you can even attempt to really
> answer this one without knowing what the company policy is.  If you work in
> a company of a few thousand people, notifying the owner and everyone else
> of one AUP violation makes no sense and is an unnecessary (and probably
> unethical) embarrassment to the offender.  It's also doubtful it would be
> appropriate or ethical for the admin to take it up with the user directly
> instead of referring it through those responsible for dealing with such
> things.
> 
> Their explanation says "can be notified", and in that case "all of the
> above" is correct, but again, the question didn't ask who can be, it asked
> who should be.

Again... the law rules over "what is right" in our own eyes.  If the
administrator fails to notify the world (so to speak), he may be
putting his own career in jeopardy....he is failing to protect
the company's interests potentially.

Right now the law favors the business.  I think under the law they
can tar and feather the offender and drop him off of the top floor
if they are found guilty of violating a company computer policy...
which as the law stands right now can be just about anything the
company wants to make it to be .... at any given time.

These are all good questions though... and again, it's probably why
so many members of the "Free Software" movement tend to fail this
exam.... I mean, the law couldn't be this bad (owners of companies
certainly would disagree with that word)... could it?... yes
it can... and is.  The main problem is that one of the largest
lobbies for change in the law could be the ACLU.... you don't
want their kind of world (unless fascism appeals to you).

...uh oh... I think I may have just started a flame fest....

Regards,
Chris
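The "most secure way to log in as root" question above turns on two settings a defender can actually check: whether sshd accepts root logins at all (Jeremy's point that root should not log in directly), and whether cleartext login services such as telnet and rlogin are still enabled in inetd. The script below is an added example written for this page, not code from the NTLUG thread or from any exam; the sshd_config and inetd.conf contents are constructed samples embedded in the script so it runs offline, and treating a missing PermitRootLogin directive as "permitted" is a deliberately conservative assumption rather than a statement about any particular OpenSSH release's default.

```shell
#!/bin/sh
# Added example (not part of the mailing-list post): audit constructed
# sshd_config and inetd.conf text for remote-root and cleartext login risks.

# Constructed sample configs, embedded so the script runs without real files.
SAMPLE_SSHD_CONFIG='# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
'

SAMPLE_INETD_CONF='# inetd.conf (constructed sample)
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login   stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
'

# root_login_permitted CONFIG_TEXT -> prints "yes" if sshd would accept a
# root login (directive absent or set to "yes"), otherwise "no".
# Assumption: an absent directive is counted as permitted (conservative).
root_login_permitted() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                        # skip comment lines
        tolower($1) == "permitrootlogin" { val = tolower($2) }
        END {
            r = (val == "" || val == "yes") ? "yes" : "no"
            print r
        }'
}

# cleartext_login_services CONFIG_TEXT -> prints the enabled inetd service
# names that carry passwords or trust in the clear (telnet, rlogin, rsh,
# rexec), one per line; commented-out entries are ignored.
cleartext_login_services() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }
        $1 == "telnet" || $1 == "login" || $1 == "shell" || $1 == "exec" { print $1 }'
}

# audit_remote_root SSHD_TEXT INETD_TEXT -> returns 0 when no finding is
# raised, 1 when at least one hardening finding is printed.
audit_remote_root() {
    status=0
    if [ "$(root_login_permitted "$1")" = "yes" ]; then
        echo "FINDING: PermitRootLogin is not 'no'; root credentials can be offered over the network"
        status=1
    fi
    for svc in $(cleartext_login_services "$2"); do
        echo "FINDING: cleartext login service '$svc' is enabled in inetd.conf"
        status=1
    done
    return $status
}

# Run against the constructed samples; both findings fire on this input.
if audit_remote_root "$SAMPLE_SSHD_CONFIG" "$SAMPLE_INETD_CONF"; then
    echo "OK: no remote-root or cleartext login findings"
else
    echo "Hardening findings listed above"
fi
```

Pointed at real files, the two helpers take the output of `cat /etc/ssh/sshd_config` and `cat /etc/inetd.conf` in place of the samples; the awk filters only look at the first two whitespace-separated fields, so trailing options on an inetd line do not affect the result.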
