CISSP-Topic 3, Access
Which type of attack will most likely provide an attacker with multiple passwords to authenticate to a system? A. Password sniffing B. Dictionary attack C. Dumpster diving D. Social engineering
Answer: A
Role based access control is attracting increasing attention particularly for what applications? A. Scientific B. Commercial C. Security D. Technical
Answer: B Role based access control (RBAC) is a technology that is attracting increasing attention, particularly for commercial applications, because of its potential for reducing the complexity and cost of security administration in large networked applications.
In SSL/TLS protocol, what kind of authentication is supported? A. Peer-to-peer authentication B. Only server authentication (optional) C. Server authentication (mandatory) and client authentication (optional) D. Role based authentication scheme
Answer: C "The server sends a message back to the client indicating that a secure session needs to be established, and the client sends it security parameters. The server compares those security parameters to its own until it finds a match. This is the handshaking phase. The server authenticates to the client by sending it a digital certificate, and if the client decides to trust the server the process continues. The server can require the client to send over a digital certificate for mutual authentication, but that is rare."
Which of the following can be used to protect your system against brute force password attack? A. Decrease the value of password history. B. Employees must send in a signed email before obtaining a password. C. After three unsuccessful attempts to enter a password, the account will be locked. D. Increase the value of password age.
Answer: C Employees must show up in person and present proper identification before obtaining a new or changed password (depending on your policy). After three unsuccessful attempts to enter a password, the account will be locked and only an administrator or the help desk can reactivate the involved user ID.
Which one of the following authentication mechanisms creates a problem for mobile users? A. address-based mechanism B. reusable password mechanism C. one-time password mechanism D. challenge response mechanism
Answer: A
Which of the following is a trusted, third party authentication protocol that was developed under Project Athena at MIT? A. Kerberos B. SESAME C. KryptoKnight D. NetSP
Answer: A "Kerberos is an authentication protocol and was designed in the mid-1980s as part of MIT's Project Athena."
What is called the percentage of invalid subjects that are falsely accepted? A. False Rejection Rate (FRR) or Type I Error B. False Acceptance Rate (FAR) or Type II Error C. Crossover Error Rate (CER) D. True Acceptance Rate (TAR) or Type III error
Answer: B
Which of the following biometric devices has the lowest user acceptance level? A. Voice recognition B. Fingerprint scan C. Hand geometry D. Signature recognition
Answer: B
Which of the following is the most reliable authentication device? A. Variable callback system B. Smart card system C. fixed callback system D. Combination of variable and fixed callback system
Answer: B
Which of the following is the weakest authentication mechanism? A. Passphrases B. Passwords C. One-time passwords D. Token devices
Answer: B
Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, and faster resource access? A. Smart cards B. Single Sign-on (SSO) C. Kerberos D. Public Key Infrastructure (PKI)
Answer: B
Which access control model enables the owner of the resource to specify what subjects can access specific resources? A. Discretionary Access Control B. Mandatory Access Control C. Sensitive Access Control D. Role-based Access Control
Answer: A
Which of the following addresses cumbersome situations where users need to log on multiple times to access different resources? A. Single Sign-On (SSO) systems B. Dual Sign-On (DSO) systems C. Double Sign-On (DS0) systems D. Triple Sign-On (TSO) systems
Answer: A
What is the main concern with single sign-on? A. Maximum unauthorized access would be possible if a password is disclosed B. The security administrator's workload would increase C. The users' password would be to hard to remember D. User access rights would be increased
Answer: A
The type of discretionary access control that is based on an individual's identity is called: A. Identity-based access control B. Rule-based access control C. Non-Discretionary access control D. Lattice-based access control
Answer: A
What is called an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics? A. Biometrics B. Micrometrics C. Macrometrics D. MicroBiometrics
Answer: A
What is called the verification that the user's claimed identity is valid and is usually implemented through a user password at log-on time? A. Authentication B. Identification C. Integrity D. Confidentiality
Answer: A
Which of the following are authentication server systems with operational modes that can implement SSO? A. Kerberos, SESAME and KryptoKnight B. SESAME, KryptoKnight and NetSP C. Kerberos and SESAME D. Kerberos, SESAME, KryptoKnight, and NetSP
Answer: D "Scripts, directory services, thin clients, Kerberos, SESAME, NetSP, scripted access, and KryptoKnight are examples of SSO (single sign-on) mechanisms."
A confidential number to verify a user's identity is called a: A. PIN B. userid C. password D. challenge
Answer: A
Identification and authentication are the keystones of most access control systems. Identification establishes: A. user accountability for the actions on the system B. top management accountability for the actions on the system C. EDP department accountability for the actions of users on the system D. authentication for actions on the system
Answer: A
Which of the following biometric parameters are better suited for authentication use over a long period of time? A. Iris pattern B. Voice pattern C. Signature dynamics D. Retina pattern
Answer: A
Which of the following is NOT a system-sensing wireless proximity card? A. magnetically striped card B. passive device C. field-powered device D. transponder
Answer: A
Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. To have a valid measure of the system performance: A. The CER is used. B. the FRR is used C. the FAR is used D. none of the above choices is correct
Answer: A "When a biometric system rejects an authorized individual, it is called a Type I error. When the system accepts impostors who should be rejected, it is called a Type II error. The goal is to obtain low numbers for each type of error. When comparing different biometric systems, many different variables are used, but one of the most important variables is the crossover error rate (CER). This rating is stated in a percentage and represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most important measurement when determining the system's accuracy."
In a RADIUS architecture, which of the following acts as a client? A. A network Access Server. B. None of the choices. C. The end user. D. The authentication server.
Answer: A A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers and then acting on the response that is returned.
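To make the client/server split concrete, here is an added Python example (not from the page or from any RADIUS implementation) that builds the Access-Request a NAS sends and shows the server side recovering the password from it. The packet layout and the User-Password hiding scheme follow RFC 2865 (MD5 of the shared secret and the Request Authenticator, XORed chunk by chunk); the shared secret, user name, password and NAS address are constructed values.

```python
import hashlib
import os
import struct
from typing import List, Optional, Tuple

# Constructed values for the example (not from the page).
SHARED_SECRET = b"example-nas-secret"

ACCESS_REQUEST = 1          # RADIUS code for Access-Request
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """User-Password hiding as the NAS (RADIUS client) performs it (RFC 2865, 5.2).

    The password is NUL-padded to a multiple of 16 octets (at least 16) and each
    16-octet chunk is XORed with MD5(secret + previous chunk); the first chunk
    uses the Request Authenticator in place of a previous chunk.
    """
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    hidden, prev = b"", request_authenticator
    for i in range(0, padded_len, 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        hidden += chunk
        prev = chunk
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """The inverse, as the RADIUS server performs it; trailing NUL padding is removed."""
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("malformed User-Password")
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        clear += bytes(x ^ y for x, y in zip(chunk, b))
        prev = chunk
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes, nas_ip: str,
                         secret: bytes, request_authenticator: Optional[bytes] = None) -> bytes:
    """What the NAS sends: Code, Identifier, Length, Request Authenticator, attributes."""
    if request_authenticator is None:
        # Must be unpredictable and unique per request: it keys the password hiding.
        request_authenticator = os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_authenticator + attrs


def parse_attributes(packet: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV list after the 20-octet header, rejecting malformed lengths."""
    attrs, pos = [], 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def server_recover_password(packet: bytes, secret: bytes) -> Optional[bytes]:
    """Server side: take the Request Authenticator from the header and unhide the password."""
    if len(packet) < 20 or int.from_bytes(packet[2:4], "big") != len(packet):
        raise ValueError("bad RADIUS length")
    request_authenticator = packet[4:20]
    for attr_type, value in parse_attributes(packet):
        if attr_type == ATTR_USER_PASSWORD:
            return reveal_password(value, secret, request_authenticator)
    return None
```

Note that the hiding is reversible by anyone holding the shared secret, which is why RADIUS traffic between the NAS and server is expected to run over a protected network segment.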
DAC are characterized by many organizations as: A. Need-to-know controls B. Preventive controls C. Mandatory adjustable controls D. None of the choices
Answer: A Access controls that are not based on the policy are characterized as discretionary controls by the US government and as need-to-know controls by other organizations. The latter term connotes least privilege - those who may read an item of data are precisely those whose tasks entail the need.
MAC is used for: A. Defining imposed access control level. B. Defining user preferences. C. None of the choices. D. Defining discretionary access control level.
Answer: A As the name implies, the Mandatory Access Control defines an imposed access control level. MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.
With MAC, who may NOT make decisions that derive from policy? A. All users except the administrator. B. The administrator. C. The power users. D. The guests.
Answer: A As the name implies, the Mandatory Access Control defines an imposed access control level. MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.
Which of the following will you consider as the MOST secure way of authentication? A. Biometric B. Password C. Token D. Ticket Granting
Answer: A Biometric authentication systems take advantage of an individual's unique physical characteristics in order to authenticate that person's identity. Various forms of biometric authentication include face, voice, eye, hand, signature, and fingerprint; each has its own advantages and disadvantages. When combined with the use of a PIN it can provide two-factor authentication.
Biometric performance is most commonly measured in terms of: A. FRR and FAR B. FAC and ERR C. IER and FAR D. FRR and GIC
Answer: A Biometric performance is most commonly measured in two ways: False Rejection Rate (FRR), and False Acceptance Rate (FAR). The FRR is the probability that you are not authenticated to access your account. A strict definition states that the FRR is the probability that a mated comparison (i.e. 2 biometric samples of the same finger) incorrectly determines that there is no match.
What is known as decoy system designed to lure a potential attacker away from critical systems? A. Honey Pots B. Vulnerability Analysis Systems C. File Integrity Checker D. Padded Cells
Answer: A Honey pots are decoy systems that are designed to lure a potential attacker away from critical systems. Honey pots are designed to: Divert an attacker from accessing critical systems, Collect information about the attacker's activity, and encourage the attacker to stay on the system long enough for administrators to respond.
What is an important factor affecting the time required to perpetrate a manual trial and error attack to gain access to a target computer system? A. Keyspace for the password. B. Expertise of the person performing the attack. C. Processing speed of the system executing the attack. D. Encryption algorithm used for password transfer.
Answer: A I am not sure of the answer to this question. B seems good, but the reference below states that keyspace (or length of password) is the main deterrent. I did not come across something that directly relates in my readings. "If an attacker mounts a trial-and-error attack against your password, a longer password gives the attacker a larger number of alternatives to try. If each character in the password may take on 96 different values (typical of printable ASCII characters) then each additional character presents the attacker with 96 times as many passwords to try. If the number of alternatives is large enough, the trial-and-error attack might discourage the attacker, or lead to the attacker's detection."
Identification usually takes the form of: A. Login ID. B. User password. C. None of the choices. D. Passphrase
Answer: A Identification is the means by which a user claims an identity; authentication verifies that claim, and authorization then determines what the user is permitted to perform, access, or do. User identification enables accountability: it lets you trace activities to individual users who may be held responsible for their actions. Identification usually takes the form of a Logon ID or User ID. Logon IDs must be unique, must not be shared, and are usually non-descriptive of job function.
Under MAC, classification reflects: A. Sensitivity B. Subject C. Privilege D. Object
Answer: A It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.
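As an added example (not from the page), the following Python models the decision rule just described: a subject's clearance and an object's classification are labels made of a sensitivity level and a set of compartments, and MAC permits a read only when the subject's label dominates the object's (and a write only when the object's label dominates the subject's). The discretionary ACL is consulted only inside that mandatory decision, so an owner granting access cannot override a MAC denial, and only an administrator may relabel an object. The level ordering, compartments, users and files are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set

# Constructed ordering of sensitivity levels (not from the page).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A clearance (for subjects) or classification (for objects): level plus compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal level AND a superset of the compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_permits(action: str, clearance: Label, classification: Label) -> bool:
    """Mandatory rule: no read up (simple security property), no write down (*-property)."""
    if action == "read":
        return clearance.dominates(classification)
    if action == "write":
        return classification.dominates(clearance)
    raise ValueError(f"unknown action {action!r}")


def access_allowed(user: str, action: str, obj: str,
                   clearances: Dict[str, Label], classifications: Dict[str, Label],
                   acl: Dict[str, Dict[str, Set[str]]]) -> bool:
    """MAC is evaluated first; the DAC acl can only restrict further, never widen."""
    if not mac_permits(action, clearances[user], classifications[obj]):
        return False                       # policy denial: no owner can grant around it
    return action in acl.get(obj, {}).get(user, set())


def relabel(actor: str, obj: str, new_label: Label,
            classifications: Dict[str, Label], admin_roles: Dict[str, Set[str]]) -> None:
    """Only an administrator may change an object's category/classification."""
    if "administrator" not in admin_roles.get(actor, set()):
        raise PermissionError(f"{actor} is not an administrator and may not relabel {obj}")
    classifications[obj] = new_label


def try_relabel(actor: str, obj: str, new_label: Label,
                classifications: Dict[str, Label], admin_roles: Dict[str, Set[str]]) -> bool:
    """Convenience wrapper returning False instead of raising on a policy denial."""
    try:
        relabel(actor, obj, new_label, classifications, admin_roles)
        return True
    except PermissionError:
        return False


# Constructed sample environment.
CLEARANCES = {
    "alice": Label("SECRET", frozenset({"NATO"})),
    "bob": Label("CONFIDENTIAL"),
}
CLASSIFICATIONS = {
    "ops-plan": Label("SECRET", frozenset({"NATO"})),
    "budget": Label("CONFIDENTIAL"),
    "crypto-keys": Label("SECRET", frozenset({"CRYPTO"})),
    "ts-brief": Label("TOP SECRET"),
}
# DAC layer: owners have (over-generously) granted alice everything and bob two files.
ACL = {
    "ops-plan": {"alice": {"read", "write"}, "bob": {"read"}},
    "budget": {"alice": {"read", "write"}, "bob": {"read", "write"}},
    "crypto-keys": {"alice": {"read"}},
    "ts-brief": {"alice": {"read"}},
}
ROLES = {"root": {"administrator"}, "alice": set(), "bob": set()}
```

Under these labels alice can read ops-plan but not ts-brief (read up) or crypto-keys (missing compartment), regardless of what the ACL says, and she cannot write into the CONFIDENTIAL budget file from a SECRET clearance (write down).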
In the world of keystroke dynamics, what represents the amount of time you hold down in a particular key? A. Dwell time B. Flight time C. Dynamic time D. Systems time
Answer: A Keystroke dynamics looks at the way a person types at a keyboard. Specifically, keyboard dynamics measures two distinct variables: "dwell time" which is the amount of time you hold down a particular key and "flight time" which is the amount of time it takes a person to switch between keys. Keyboard dynamics systems can measure one's keyboard input up to 1000 times per second.
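As an added example (not from the page), here is how dwell time and flight time are extracted from raw key-down/key-up events and turned into a simple typing template. The event format, the enrollment-by-averaging, the mean-absolute-deviation comparison and the 25 ms tolerance are all constructed choices for illustration; production systems use far richer models.

```python
from typing import Dict, List, Tuple

Event = Tuple[int, str, str]          # (time_ms, key, "down" | "up"), in time order


def extract_features(events: List[Event]) -> Tuple[List[int], List[int]]:
    """Return (dwell_times, flight_times) in milliseconds.

    dwell  = key-up minus key-down for one press
    flight = next key-down minus previous key-up (negative when presses overlap)
    """
    pending: Dict[str, int] = {}
    presses: List[Tuple[int, int]] = []   # (down_t, up_t)
    for t, key, kind in events:
        if kind == "down":
            if key in pending:
                raise ValueError(f"key {key!r} pressed twice without release")
            pending[key] = t
        elif kind == "up":
            if key not in pending:
                raise ValueError(f"key {key!r} released without press")
            presses.append((pending.pop(key), t))
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    if pending:
        raise ValueError(f"unreleased keys: {sorted(pending)}")
    presses.sort()                        # order by key-down time
    dwell = [up - down for down, up in presses]
    flight = [presses[i + 1][0] - presses[i][1] for i in range(len(presses) - 1)]
    return dwell, flight


def enroll(sessions: List[List[Event]]) -> List[float]:
    """Template = per-position mean of the dwell+flight vector over enrollment sessions."""
    vectors = [d + f for d, f in (extract_features(s) for s in sessions)]
    n = len(vectors[0])
    if any(len(v) != n for v in vectors):
        raise ValueError("all enrollment sessions must type the same string")
    return [sum(v[i] for v in vectors) / len(vectors) for i in range(n)]


def verify(template: List[float], sample: List[Event], tolerance_ms: float = 25.0) -> Tuple[bool, float]:
    """Accept when the mean absolute deviation from the template is within tolerance."""
    d, f = extract_features(sample)
    v = d + f
    if len(v) != len(template):           # wrong string length: reject outright
        return False, float("inf")
    distance = sum(abs(a - b) for a, b in zip(v, template)) / len(v)
    return distance <= tolerance_ms, distance


def typed(word: str, dwell_ms: int, flight_ms: int, start: int = 0) -> List[Event]:
    """Constructed helper: synthesize events for `word` typed at a constant rhythm."""
    events, t = [], start
    for ch in word:
        events += [(t, ch, "down"), (t + dwell_ms, ch, "up")]
        t += dwell_ms + flight_ms
    return events


# Constructed capture of a user typing "pass" (times in ms).
SESSION = [(0, "p", "down"), (90, "p", "up"), (150, "a", "down"), (230, "a", "up"),
           (300, "s", "down"), (400, "s", "up"), (460, "s", "down"), (550, "s", "up")]
```

The SESSION capture yields dwell times of 90, 80, 100 and 90 ms and flight times of 60, 70 and 60 ms; a second session at a similar rhythm enrolls a template that accepts the same typist and rejects a much slower one.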
Under MAC, who may grant a right of access that is explicitly forbidden in the access control policy? A. None of the choices. B. All users. C. Administrators only. D. All managers.
Answer: A MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.
What defines an imposed access control level? A. MAC B. DAC C. SAC D. CAC
Answer: A MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.
Within the Open Systems Interconnection (OSI) Reference Model, authentication addresses the need for a network entity to verify both A. The identity of a remote communicating entity and the authenticity of the source of the data that are received. B. The authenticity of a remote communicating entity and the path through which communications are received. C. The location of a remote communicating entity and the path through which communications are received. D. The identity of a remote communicating entity and the level of security of the path through which data are received.
Answer: A The receiving entity needs to know the source of the data and that the peer is who it claims to be. The path the data takes is not a concern of authentication unless source routing is used, and the security level of the path is not something the receiving node checks inherently unless configured to. A is the best option for this question.
What are the valid types of one time password generator? A. All of the choices. B. Transaction synchronous C. Synchronous/PIN synchronous D. Asynchronous/PIN asynchronous
Answer: A One-time Passwords are changed after every use. Handheld password generator (tokens) 3 basic types: Synchronous/PIN synchronous, Transaction synchronous, Asynchronous/PIN asynchronous.
Which of the following is an effective measure against a certain type of brute force password attack? A. Password used must not be a word found in a dictionary. B. Password history is used. C. Password reuse is not allowed. D. None of the choices.
Answer: A Password reuse is not allowed (rotating passwords). Password history must be used to prevent users from reusing passwords. On all systems with such a facility the last 12 passwords used will be kept in the history. All computer system users must choose passwords that cannot be easily guessed. Passwords used must not be a word found in a dictionary.
Software generated passwords have what drawbacks? A. Passwords are not easy to remember. B. Password are too secure. C. None of the choices. D. Passwords are unbreakable.
Answer: A Passwords can be generated by a software package or by some operating systems. These password generators are good at producing unique and hard-to-guess passwords, but you must ensure that they are not so hard that people cannot remember them. If you force your users to write their passwords down, you are defeating the purpose of having strong password management.
What type of attacks occurs when normal physical conditions are altered in order to gain access to sensitive information on the smartcard? A. Physical attacks B. Logical attacks C. Trojan Horse attacks D. Social Engineering attacks
Answer: A Physical attacks occur when normal physical conditions, such as temperature, clock frequency, voltage, etc, are altered in order to gain access to sensitive information on the smartcard. Most smartcard operating systems write sensitive data to the EEPROM area in a proprietary, encrypted manner so that it is difficult to obtain clear text keys by directly hacking into the EEPROM. Other physical attacks that have proven to be successful involve an intense physical fluctuation at the precise time and location where the PIN verification takes place. Thus, sensitive card functions can be performed even though the PIN is unknown. This type of attack can be combined with the logical attack mentioned above in order to gain knowledge of the private key. Most physical attacks require special equipment.
Which one of the following addresses the protection of computers and components from electromagnetic emissions? A. TEMPEST B. ISO 9000 C. Hardening D. IEEE 802.2
Answer: A TEMPEST concerns the receipt and display of information resident on computers or terminals through the interception of radio frequency (RF) signals generated by those computers or terminals. The US government established a program called TEMPEST that addressed this problem by requiring shielding and other emanation-reducing mechanisms to be employed on computers processing sensitive and classified government information.
In the process of facial identification, the basic underlying recognition technology of facial identification involves: A. Eigenfeatures of eigenfaces. B. Scanning and recognition. C. Detection and scanning. D. None of the choices.
Answer: A Recognition is comparing the captured face to other faces that have been saved and stored in a database. The basic underlying recognition technology of facial feature identification involves either eigenfeatures (facial metrics) or eigenfaces. "Eigen" is German for "own" or "characteristic"; eigenfaces are the eigenvectors of the covariance matrix of a set of face images (a principal component analysis), and a face is represented by its weights along those vectors.
Which of the following describes the major disadvantage of many SSO implementations? A. Once a user obtains access to the system through the initial log-on they can freely roam the network resources without any restrictions B. The initial logon process is cumbersome to discourage potential intruders C. Once a user obtains access to the system through the initial log-on, they only need to logon to some applications. D. Once a user obtains access to the system through the initial log-on, he has to logout from all other systems
Answer: A Reference: "The major disadvantage of many SSO implementations is that once a user obtains access to the system through the initial logon, the user can freely roam the network resources without any restrictions."
Signature identification systems analyze what areas of an individual's signature? A. All of the choices EXCEPT the signing rate. B. The specific features of the signature. C. The specific features of the process of signing one's signature. D. The signature rate.
Answer: A Signature identification systems analyze two different areas of an individual's signature: the specific features of the signature and specific features of the process of signing one's signature. Features that are taken into account and measured include speed, pen pressure, directions, stroke length, and the points in time when the pen is lifted from the paper.
Which of the following correctly describe the features of SSO? A. More efficient log-on. B. More costly to administer. C. More costly to setup. D. More key exchanging involved.
Answer: A Single Sign-On (SSO) is a method for users to identify themselves and present credentials only once to a system; information needed for future access to resources is forwarded by the initial system. Benefits: a more efficient user log-on process; users select stronger passwords; inactivity timeouts and attempt thresholds are applied uniformly, closer to the user's point of entry; improved, timely disabling of all network/computer accounts for terminated users.
Retinal scans check for: A. Something you are. B. Something you have. C. Something you know. D. All of the choices.
Answer: A Something you are is really a special case of something you have. The usual examples given include fingerprint, voice, or retinal scans.
With Rule Based Security Policy, a security policy is based on: A. Global rules imposed for all users. B. Local rules imposed for some users. C. Global rules imposed for no body. D. Global rules imposed for only the local users.
Answer: A The RFC 2828 - Internet Security Glossary talks about Rule Based Security Policy: A security policy based on global rules imposed for all users. These rules usually rely on comparison of the sensitivity of the resource being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.
What is an effective countermeasure against Trojan horse attack that targets smart cards? A. Single-access device driver architecture. B. Handprint driver architecture. C. Fingerprint driver architecture. D. All of the choices.
Answer: A The countermeasure to prevent this attack is to use "single-access device driver" architecture. With this type of architecture, the operating system enforces that only one application can have access to the serial device (and thus the smartcard) at any given time. This prevents the attack but also lessens the convenience of the smartcard because multiple applications cannot use the services of the card at the same time. Another way to prevent the attack is by using a smartcard that enforces a "one private key usage per PIN entry" policy model. In this model, the user must enter their PIN every single time the private key is to be used and therefore the Trojan horse would not have access to the key.
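The two countermeasures just described, as an added Python example that is not from the page or any card vendor: a toy card whose private-key operation (an HMAC stands in for the real signing key) sits behind a PIN gate, optionally enforcing "one private key usage per PIN entry", and a single-access driver that lets only one application hold the card at a time. The PIN, key and application names are constructed.

```python
import hashlib
import hmac
from typing import Optional


class SmartCard:
    """Toy card: a PIN gate in front of a private-key operation.

    one_use_per_pin=False models the convenient card that leaves the PIN state open
    for the rest of the session; True models the "one private key usage per PIN entry"
    policy. A retry counter blocks the card after too many wrong PINs.
    """

    def __init__(self, pin: str, key: bytes, one_use_per_pin: bool, max_tries: int = 3):
        self._pin = pin.encode()
        self._key = key                   # constructed stand-in for the card's private key
        self._one_use = one_use_per_pin
        self._max_tries = max_tries
        self._tries_left = max_tries
        self._pin_ok = False

    def is_blocked(self) -> bool:
        return self._tries_left == 0

    def verify_pin(self, pin: str) -> bool:
        if self.is_blocked():
            raise PermissionError("card blocked")
        if hmac.compare_digest(pin.encode(), self._pin):
            self._tries_left = self._max_tries
            self._pin_ok = True
            return True
        self._tries_left -= 1
        self._pin_ok = False
        return False

    def sign(self, data: bytes) -> bytes:
        if not self._pin_ok:
            raise PermissionError("PIN not verified")
        if self._one_use:
            self._pin_ok = False          # the next signature needs a fresh PIN entry
        return hmac.new(self._key, data, hashlib.sha256).digest()


class ExclusiveDriver:
    """Single-access device driver: exactly one application may hold the card at a time."""

    def __init__(self, card: SmartCard):
        self._card = card
        self._holder: Optional[str] = None

    def acquire(self, app: str) -> SmartCard:
        if self._holder not in (None, app):
            raise PermissionError(f"{app}: card is held by {self._holder}")
        self._holder = app
        return self._card

    def release(self, app: str) -> None:
        if self._holder == app:
            self._holder = None


def trojan_scenario(one_use_per_pin: bool, exclusive_driver: bool) -> bool:
    """Return True if a Trojan on the same host manages to sign with the user's key."""
    card = SmartCard("1234", b"constructed-card-key", one_use_per_pin)
    driver = ExclusiveDriver(card) if exclusive_driver else None
    # Legitimate application: the user enters the PIN and signs one document.
    legit = driver.acquire("mail-client") if driver else card
    legit.verify_pin("1234")
    legit.sign(b"user's document")
    # Trojan tries to reuse the open session while the user is still working.
    try:
        mal = driver.acquire("trojan") if driver else card
        mal.sign(b"attacker's transfer")
        return True
    except PermissionError:
        return False


def wrong_pins(card: SmartCard, attempts: int) -> int:
    """Feed `attempts` wrong PINs; return how many were accepted by the card before blocking."""
    rejected = 0
    for _ in range(attempts):
        if card.is_blocked():
            break
        if not card.verify_pin("0000"):
            rejected += 1
    return rejected
```

Only the unprotected combination (no one-use policy, no exclusive driver) lets the Trojan sign; either countermeasure alone stops it, at the cost of convenience the passage mentions.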
What are the advantages to using voice identification? A. All of the choices. B. Timesaving C. Reliability D. Flexibility
Answer: A The many advantages of voice identification include: it is considered a "natural" biometric technology; it provides eyes- and hands-free operation; reliability; flexibility; timesaving data input; elimination of spelling errors; improved data accuracy.
Type II errors occur when which of the following biometric system rates is high? A. False accept rate B. False reject rate C. Crossover error rate D. Speed and throughput rate
Answer: A There are three main performance measures in biometrics: False Rejection Rate (FRR), or Type I error, the percentage of valid subjects that are falsely rejected; False Acceptance Rate (FAR), or Type II error, the percentage of invalid subjects that are falsely accepted; and Crossover Error Rate (CER), the percentage at which the False Rejection Rate equals the False Acceptance Rate.
Which of the following is the MOST secure network access control procedure to adopt when using a callback device? A. The user enters a userid and PIN, and the device calls back the telephone number that corresponds to the userid. B. The user enters a userid, PIN, and telephone number, and the device calls back the telephone number entered. C. The user enters the telephone number, and the device verifies that the number exists in its database before calling back. D. The user enters the telephone number, and the device responds with a challenge.
Answer: A Usually a request for a username and password takes place, and the NAS may hang up the call in order to call the user back at a predefined phone number. This is a security activity used to ensure that only authenticated users are given access to the network, and it also reverses the long-distance charges back to the company. However, this security measure can be compromised if someone implements call forwarding.
You are comparing biometric systems. Security is the top priority. A low ________ is most important in this regard. A. FAR B. FRR C. MTBF D. ERR
Answer: A When comparing biometric systems, a low false acceptance rate is most important when security is the priority, whereas a low false rejection rate is most important when convenience is the priority. All biometric implementations balance these two criteria. Some systems use very high FARs such as 1 in 300, meaning the likelihood that the system will accept someone other than the enrolled user is 1 in 300; the likelihood that the system will reject the enrolled user (its FRR) is then very low, giving ease of use but low security. Most fingerprint systems should be able to run with FARs of 1 in 10,000 or better.
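The FAR, FRR and CER definitions given above, and the security-versus-convenience tuning described in this answer, as one added Python example (not from the page): given constructed match scores from genuine and impostor comparisons, it sweeps the decision threshold, computes both error rates at each setting, locates the crossover, and picks the threshold that meets a FAR budget. The score scale (0-100, higher means a better match) and the sample scores are constructed.

```python
from typing import Iterable, List, Optional, Tuple

# Constructed match scores (higher = better match). Genuine = same person, impostor = different.
GENUINE = [60, 65, 70, 72, 75, 80, 85, 88, 90, 95]
IMPOSTOR = [20, 25, 30, 35, 40, 45, 50, 55, 62, 68]
THRESHOLDS = range(0, 101)


def error_rates(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """A score >= threshold is accepted.

    FAR (Type II) = fraction of impostor comparisons accepted
    FRR (Type I)  = fraction of genuine comparisons rejected
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover(genuine: List[float], impostor: List[float],
              thresholds: Iterable[float]) -> Tuple[float, float, float]:
    """Threshold at which FAR and FRR are closest (the CER); returns (threshold, far, frr)."""
    best = None
    for t in thresholds:
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_max_far(genuine: List[float], impostor: List[float], max_far: float,
                          thresholds: Iterable[float]) -> Optional[Tuple[float, float, float]]:
    """Security-first tuning: the lowest threshold whose FAR is within budget.

    FAR falls as the threshold rises, so the first qualifying threshold is also the one
    with the smallest FRR that still meets the budget.
    """
    for t in sorted(thresholds):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


def roc_table(genuine: List[float], impostor: List[float],
              thresholds: Iterable[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) rows for plotting or for reviewing a vendor's claimed figures."""
    return [(t,) + error_rates(genuine, impostor, t) for t in thresholds]
```

With the constructed scores the CER sits at a threshold of 63 with FAR = FRR = 10%; demanding FAR = 0 pushes the threshold to 69 and the FRR up to 20%, the trade-off the answer describes.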
Why would a 16-character password not be desirable? A. Hard to remember B. Offers numerous characters. C. Difficult to crack using brute force. D. All of the choices.
Answer: A When the password is too hard to memorize, the user will actually write it down, which is totally insecure and unacceptable.
With RBAC, each user can be assigned: A. One or more roles. B. Only one role. C. A token role. D. A security token.
Answer: A With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Roles can be hierarchical.
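As an added example (not from the page), the following Python implements the structure this answer describes: users are assigned one or more roles, roles carry privileges, and roles can be hierarchical so that a senior role inherits everything a junior role may do. The roles, permissions and users are constructed.

```python
from typing import Dict, Iterable, Set


class RBAC:
    """Users -> roles -> permissions, with role inheritance."""

    def __init__(self) -> None:
        self._role_perms: Dict[str, Set[str]] = {}
        self._role_parents: Dict[str, Set[str]] = {}
        self._user_roles: Dict[str, Set[str]] = {}

    def add_role(self, role: str, permissions: Iterable[str] = (), inherits: Iterable[str] = ()) -> None:
        """Define a role; `inherits` names roles whose permissions this role also gains."""
        for parent in inherits:
            if parent not in self._role_perms:
                raise KeyError(f"unknown parent role {parent!r}")
        self._role_perms[role] = set(permissions)
        self._role_parents[role] = set(inherits)

    def assign(self, user: str, *roles: str) -> None:
        """A user may hold one or more roles."""
        for role in roles:
            if role not in self._role_perms:
                raise KeyError(f"unknown role {role!r}")
        self._user_roles.setdefault(user, set()).update(roles)

    def revoke(self, user: str, role: str) -> None:
        self._user_roles.get(user, set()).discard(role)

    def effective_roles(self, user: str) -> Set[str]:
        """Assigned roles plus every ancestor in the hierarchy (cycle-safe walk)."""
        seen: Set[str] = set()
        stack = list(self._user_roles.get(user, ()))
        while stack:
            role = stack.pop()
            if role in seen:
                continue
            seen.add(role)
            stack.extend(self._role_parents[role])
        return seen

    def permissions(self, user: str) -> Set[str]:
        perms: Set[str] = set()
        for role in self.effective_roles(user):
            perms |= self._role_perms[role]
        return perms

    def check(self, user: str, permission: str) -> bool:
        """The access decision: does any effective role grant this permission?"""
        return permission in self.permissions(user)


def build_example() -> RBAC:
    """Constructed organization: employee < engineer < sre, plus an unrelated auditor role."""
    rbac = RBAC()
    rbac.add_role("employee", {"wiki:read"})
    rbac.add_role("engineer", {"staging:deploy"}, inherits={"employee"})
    rbac.add_role("sre", {"prod:deploy"}, inherits={"engineer"})
    rbac.add_role("auditor", {"auditlog:read"})
    rbac.assign("alice", "sre")                 # one role, inheriting two more
    rbac.assign("bob", "engineer", "auditor")   # two roles held at once
    return rbac
```

Administration then happens at the role level: removing bob's auditor role revokes every audit-log privilege in one operation, and promoting someone to sre never requires re-granting the engineer and employee privileges individually.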
In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could only be based on physical attributes of a person. This raised the necessity of answering 2 questions: A. What was the sex of a person and his age B. What part of the body to be used and how to accomplish identification to be viable C. What was the age of a person and his income level D. What was the tone of the voice of a person and his habits
Answer: B
Passwords can be required to change monthly, quarterly, or any other intervals: A. depending on the criticality of the information needing protection B. depending on the criticality of the information needing protection and the password's frequency of use C. depending on the password's frequency of use D. not depending on the criticality of the information needing protection but depending on the password's frequency of use
Answer: B
Devices in the form of credit-card-size memory cards or smart cards, or those resembling small calculators, that are used to supply static and dynamic passwords are called: A. Tickets B. Tokens C. Token passing networks D. Coupons
Answer: B
What is Kerberos? A. A three-headed dog from Egyptian Mythology B. A trusted third-party authentication protocol C. A security model D. A remote authentication dial in user server
Answer: B
Which of the following can best eliminate dial-up access through a Remote Access Server as a hacking vector? A. Using TACACS+ server B. Installing the Remote Access Server outside the firewall and forcing legitimate users to authenticate to the firewall. C. Setting modem ring count to at least 5 D. Only attaching modems to non-networked hosts.
Answer: B
Which of the following centralized access control mechanisms is not appropriate for mobile workers accessing the corporate network over analog lines? A. TACACS B. Call-back C. CHAP D. RADIUS
Answer: B
Which of the following could illegally capture network user passwords? A. Data diddling B. Sniffing C. Spoofing D. Smurfing
Answer: B
What is called the act of a user professing an identity to a system, usually in the form of a log-on ID? A. Authentication B. Identification C. Integrity D. Confidentiality
Answer: B "Identification is the act of a user professing an identity to a system, usually in the form of a logon ID to the system." "Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identification can be provided with the use of a username or account number. To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identification number (PIN), anatomical attribute, or token."
Which of the following will you consider as a program that monitors data traveling over a network? A. Smurfer B. Sniffer C. Fragmenter D. Spoofer
Answer: B A sniffer is a program and/or device that monitors data traveling over a network. Sniffers can be used both for legitimate network management functions and for stealing information off a network. Unauthorized sniffers can be extremely dangerous to a network's security because they are virtually impossible to detect.
Which of the following is the correct account policy you should follow? A. All of the choices. B. All active accounts must have a password. C. All active accounts must have a long and complex pass phrase. D. All inactive accounts must have a password.
Answer: B All active accounts must have a password, unless you are using an application or service designed to be accessed without the need for a proper ID and password. Such a service must, however, be monitored by other means (not a recommended practice).
What should you do immediately if the root password is compromised? A. Change the root password. B. Change all passwords. C. Increase the value of password age. D. Decrease the value of password history.
Answer: B All passwords must be changed if the root password is compromised or disclosure is suspected. (This is a separate case; the optimal solution would be to reload the compromised computer. A computer that has been downgraded can never be upgraded to higher security level)
Which one of the following is the MOST solid defense against interception of a network transmission? A. Frequency hopping B. Optical fiber C. Alternate routing D. Encryption
Answer: B An alternative to conductor-based network cabling is fiber-optic cable. Fiber-optic cables transmit pulses of light rather than electricity. This has the advantage of being extremely fast and near impervious to tapping.
What is known as the probability that you are not authenticated to access your account? A. ERR B. FRR C. MTBF D. FAR
Answer: B Biometric performance is most commonly measured in two ways: False Rejection Rate (FRR), and False Acceptance Rate (FAR). The FRR is the probability that you are not authenticated to access your account. A strict definition states that the FRR is the probability that a mated comparison (i.e. 2 biometric samples of the same finger) incorrectly determines that there is no match.
If a token and 4-digit personal identification number (PIN) are used to access a computer system and the token performs off-line checking for the correct PIN, what type of attack is possible? A. Birthday B. Brute force C. Man-in-the-middle D. Smurf
Answer: B Brute force attacks are performed with tools that cycle through many possible character, number, and symbol combinations to guess a password. Since the token allows offline checking of the PIN, the cracker can keep trying PINs until it is cracked.
Which of the following actions can increase the cost of an exhaustive attack? A. Increase the age of a password. B. Increase the length of a password. C. None of the choices. D. Increase the history of a password.
Answer: B Defenses against exhaustive attacks involve increasing the cost of the attack by increasing the number of possibilities to be exhausted. For example, increasing the length of a password will increase the cost of an exhaustive attack. Increasing the effective length of a cryptographic key variable will make it more resistant to an exhaustive attack.
Under DAC, a subject's rights must be ________ when it leaves an organization altogether. A. recycled B. terminated C. suspended D. resumed
Answer: B Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects' rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended.
Which of the following will you consider as most secure? A. Password B. One time password C. Login phrase D. Login ID
Answer: B Each time the user logs in, the token generates a unique password that is synchronized with the network server. If anyone tries to reuse this dynamic password, access is denied, the event is logged and the network remains secure.
In which situation would TEMPEST risks and technologies be of MOST interest? A. Where high availability is vital. B. Where the consequences of disclosure are very high. C. Where countermeasures are easy to implement. D. Where database integrity is crucial.
Answer: B Emanation eavesdropping is the receipt and display of information resident on computers or terminals through the interception of radio frequency (RF) signals generated by those computers or terminals. The US government established a program called TEMPEST that addressed this problem by requiring shielding and other emanation-reducing mechanisms to be employed on computers processing sensitive and classified government information.
Which of the following is the most secure way to distribute a password? A. Employees must send in an email before obtaining a password. B. Employees must show up in person and present proper identification before obtaining a password. C. Employees must send in a signed email before obtaining a password. D. None of the choices.
Answer: B Employees must show up in person and present proper identification before obtaining a new or changed password (depending on your policy). After three unsuccessful attempts to enter a password, the account will be locked and only an administrator or the help desk can reactivate the involved user ID.
Why would an Ethernet LAN in a bus topology have a greater risk of unauthorized disclosure than switched Ethernet in a hub-and-spoke or star topology? A. IEEE 802.5 protocol for Ethernet cannot support encryption. B. Ethernet is a broadcast technology. C. Hub and spoke connections are highly multiplexed. D. TCP/IP is an insecure protocol.
Answer: B Ethernet is broadcast, and the question asks about a bus topology vs. a SWITCHED Ethernet. Most switched Ethernet LANs are divided by VLANs, which contain broadcasts to a single VLAN, but remember that only a layer 3 device can stop a broadcast.
Which of the following is being considered as the most reliable kind of personal identification? A. Token B. Fingerprint C. Password D. Ticket Granting
Answer: B Every person's fingerprint is unique and is a feature that stays with the person throughout his/her life. This makes the fingerprint the most reliable kind of personal identification because it cannot be forgotten, misplaced, or stolen. Fingerprint authorization is potentially the most affordable and convenient method of verifying a person's identity.
Which of the following are the valid categories of hand geometry scanning? A. Electrical and image-edge detection. B. Mechanical and image-edge detection. C. Logical and image-edge detection. D. Mechanical and image-ridge detection.
Answer: B Hand geometry reading (scanning) devices usually fall into one of two categories: mechanical or image-edge detection. Both methods are used to measure specific characteristics of a person's hand such as length of fingers and thumb, widths, and depth.
Identification establishes: A. Authentication B. Accountability C. Authorization D. None of the choices.
Answer: B Identification is a means to verify who you are. Authentication is what you are authorized to perform, access, or do. User identification enables accountability. It enables you to trace activities to individual users who may be held responsible for their actions. Identification usually takes the form of a Logon ID or User ID. Some of the Logon ID characteristics are: they must be unique, not shared, and usually non-descriptive of job function.
Which of the following offers greater accuracy than the others? A. Facial recognition B. Iris scanning C. Finger scanning D. Voice recognition
Answer: B Iris scanning offers greater accuracy than finger scanning, voice or facial recognition, hand geometry or keystroke analysis. It is safer and less invasive than retinal scanning, an important legal consideration [Nuger]. Any company thinking of using biometrics would do well to ensure that they comply with existing privacy laws.
Under MAC, which of the following is true? A. All that is expressly permitted is forbidden. B. All that is not expressly permitted is forbidden. C. All that is not expressly permitted is not forbidden. D. None of the choices.
Answer: B It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.
Under the MAC control system, what is required? A. Performance monitoring B. Labeling C. Sensing D. None of the choices
Answer: B It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.
You may describe MAC as: A. Opportunistic B. Prohibitive C. None of the choices. D. Permissive
Answer: B It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.
Kerberos depends upon what encryption method? A. Public Key cryptography B. Private Key cryptography C. El Gamal cryptography D. Blowfish cryptography
Answer: B Kerberos uses symmetric key cryptography and provides end-to-end security, meaning that information being passed between a user and a service is protected without the need of an intermediate component. Although it allows the use of passwords for authentication, it was designed specifically to eliminate the need for transmitting passwords over the network. Most Kerberos implementations work with cryptography keys and shared secret keys (private keys) instead of passwords.
In the world of keystroke dynamics, what represents the amount of time it takes a person to switch between keys? A. Dynamic time B. Flight time C. Dwell time D. Systems time.
Answer: B Keystroke dynamics looks at the way a person types at a keyboard. Specifically, keyboard dynamics measures two distinct variables: "dwell time" which is the amount of time you hold down a particular key and "flight time" which is the amount of time it takes a person to switch between keys. Keyboard dynamics systems can measure one's keyboard input up to 1000 times per second.
What type of attack occurs when a smartcard is operating under normal physical conditions, but sensitive information is gained by examining the bytes going to and from the smartcard? A. Physical attacks. B. Logical attacks. C. Trojan Horse attacks. D. Social Engineering attacks.
Answer: B Logical attacks occur when a smartcard is operating under normal physical conditions, but sensitive information is gained by examining the bytes going to and from the smartcard. One example is the so-called "timing attack" described by Paul Kocher. In this attack, various byte patterns are sent to the card to be signed by the private key. Information such as the time required to perform the operation and the number of zeroes and ones in the input bytes are used to eventually obtain the private key. There are logical countermeasures to this attack but not all smartcard manufacturers have implemented them. This attack does require that the PIN to the card be known, so that many private key operations can be performed on chosen input bytes.
Under MAC, who can change the category of a resource? A. All users. B. Administrators only. C. All managers. D. None of the choices.
Answer: B MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.
Rotating passwords can be restricted by the use of: A. Password age B. Password history C. Complex password D. All of the choices
Answer: B Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed; then the account must be disabled until reset by an administrator or the help desk. Password reuse is not allowed (rotating passwords).
Which of the following are the correct guidelines for password deployment? A. Passwords must be masked. B. All of the choices. C. Passwords must have a minimum of 8 characters. D. Passwords must contain a mix of both alphabetic and non-alphabetic characters.
Answer: B Passwords must not be displayed in plain text while logging on. Passwords must be masked. Passwords must have a minimum of 8 characters. Passwords must contain a mix of both alphabetic and non-alphabetic characters. Passwords must be kept private, e.g. not shared, coded into programs, or written down.
What is a protocol used for carrying authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server? A. IPSec B. RADIUS C. L2TP D. PPTP
Answer: B RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links, and a shared Authentication Server. RADIUS is a standard published in RFC 2138.
DAC and MAC policies can be effectively replaced by: A. Rule based access control. B. Role based access control. C. Server based access control. D. Token based access control
Answer: B Role based access control (RBAC) is an alternative to traditional discretionary (DAC) and mandatory access control (MAC) policies. The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Traditionally, managing security has required mapping an organization's security policy to a relatively low-level set of controls, typically access control lists.
Which of the following correctly describes Role based access control? A. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your user profile groups. B. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your organization's structure. C. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your ticketing system. D. It allows you to specify and enforce enterprise-specific security policies in a way that maps to your ACL.
Answer: B Role based access control (RBAC) is an alternative to traditional discretionary (DAC) and mandatory access control (MAC) policies. The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Traditionally, managing security has required mapping an organization's security policy to a relatively low-level set of controls, typically access control lists.
Which of the following forms of authentication would most likely apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier? A. Dynamic authentication B. Continuous authentication C. Encrypted authentication D. Robust authentication
Answer: B See also www.rxn.com/services/faq/internet/ISPTG-5.html. Continuous Authentication: This type of authentication provides protection against impostors who can see, alter, and insert information passed between the claimant and verifier even after the claimant/verifier authentication is complete. These are typically referred to as active attacks, since they assume that the impostor can actively influence the connection between claimant and verifier. One way to provide this form of authentication is to apply a digital signature algorithm to every bit of data that is sent from the claimant to the verifier.
Which of the following is an example of an active attack? Select one. A. Traffic analysis B. Masquerading C. Eavesdropping D. Shoulder surfing
Answer: B Shoulder surfing is passive, like eavesdropping and traffic analysis. Masquerading is the only one where the attacker is actually doing something, i.e. changing something; it is the only active attack among the choices.
DSV as an identification method checks against a user's: A. Fingerprints B. Signature C. Keystrokes D. Facial expression
Answer: B Signature identification, also known as Dynamic Signature Verification (DSV), is another natural fit in the world of biometrics since identification through one's signature occurs during many everyday transactions. Any process or transaction that requires an individual's signature is a prime contender for signature identification.
What is known as the chance that someone other than you is granted access to your account? A. ERR B. FAR C. FRR D. MTBF
Answer: B The FAR is the chance that someone other than you is granted access to your account; in other words, the probability that a non-mated comparison (i.e. two biometric samples of different fingers) matches. FAR and FRR numbers are generally expressed in terms of probability. Note: the false accept rate or false match rate (FAR or FMR) is the probability that the system incorrectly matches the input pattern to a non-matching template in the database; it measures the percent of invalid inputs which are incorrectly accepted. The false reject rate or false non-match rate (FRR or FNMR) is the probability that the system fails to detect a match between the input pattern and a matching template in the database; it measures the percent of valid inputs which are incorrectly rejected. FRR is a Type 1 error; FAR is a Type 2 error.
What is typically used to illustrate the comparative strengths and weaknesses of each biometric technology? A. Decipher Chart B. Zephyr Chart C. Cipher Chart D. Zapper Chart
Answer: B The Zephyr Chart illustrates the comparative strengths and weaknesses of each biometric technology. The eight primary biometric technologies are listed around the outer border, and for each technology the four major evaluation criteria are ranked from outside (better) to inside (worse). Looking at dynamic signature verification (DSV) will illustrate how the Zephyr Chart works.
A password represents: A. Something you have. B. Something you know. C. All of the choices. D. Something you are.
Answer: B The canonical example of something you know is a password or pass phrase. You might type or speak the value. A number of schemes are possible for obtaining what you know. It might be assigned to you, or you may have picked the value yourself. Constraints may exist regarding the form the value can take, or the alphabet from which you are allowed to construct the value might be limited to letters only. If you forget the value, you may not be able to authenticate yourself to the system.
A system uses a numeric password with 1-4 digits. How many passwords need to be tried before it is cracked? A. 1024 B. 10000 C. 100000 D. 1000000
Answer: B The largest 4 digit number is 9999. So 0000 - 9999 provides 10000 possible combinations.
In terms of the order of effectiveness, which of the following technologies is the least effective? A. Voice pattern B. Signature C. Keystroke pattern D. Hand geometry
Answer: B The order of effectiveness has not changed for a few years. It is still the same today as it was three years ago. The list below presents them from most effective to least effective: Iris scan, Retina scan, Fingerprint, Hand geometry, Voice pattern, Keystroke pattern, Signature.
In terms of the order of effectiveness, which of the following technologies is the most effective? A. Fingerprint B. Iris scan C. Keystroke pattern D. Retina scan
Answer: B The order of effectiveness has not changed for a few years. It is still the same today as it was three years ago. The list below presents them from most effective to least effective: Iris scan, Retina scan, Fingerprint, Hand geometry, Voice pattern, Keystroke pattern, Signature.
What are the methods used in the process of facial identification? A. None of the choices. B. Detection and recognition. C. Scanning and recognition. D. Detection and scanning.
Answer: B The process of facial identification incorporates two significant methods: detection and recognition.
Which of the following are the types of eye scan in use today? A. Retinal scans and body scans. B. Retinal scans and iris scans. C. Retinal scans and reflective scans. D. Reflective scans and iris scans.
Answer: B There are two types of eye scan in use today for authentication purposes: retinal scans and iris scans. Retinal Scan technology maps the capillary pattern of the retina, a thin (1/50th inch) nerve on the back of the eye. To enroll, a minimum of five scans is required, which takes 45 seconds. The subject must keep his head and eye motionless within 1/2" of the device, focusing on a small rotating point of green light. 320 - 400 points of reference are captured and stored in a 35-byte field, ensuring the measure is accurate with a negligible false rejection rate. This compares to 30-70 points of reference for a finger scan. Unfortunately a retinal scan is considerably more intrusive than an iris scan and many people are hesitant to use the device [Retina-scan]. In addition a significant number of people may be unable to perform a successful enrollment, and there exist degenerative diseases of the retina that alter the scan results over time. Despite these disadvantages, there are several successful implementations of this technology [Retina-scan].
Which of the following eye scan methods is considered to be more intrusive? A. Iris scans B. Retinal scans C. Body scans D. Reflective scans
Answer: B There are two types of eye scan in use today for authentication purposes: retinal scans and iris scans. Retinal Scan technology maps the capillary pattern of the retina, a thin (1/50th inch) nerve on the back of the eye. To enroll, a minimum of five scans is required, which takes 45 seconds. The subject must keep his head and eye motionless within 1/2" of the device, focusing on a small rotating point of green light. 320 - 400 points of reference are captured and stored in a 35-byte field, ensuring the measure is accurate with a negligible false rejection rate. This compares to 30-70 points of reference for a finger scan. Unfortunately a retinal scan is considerably more intrusive than an iris scan and many people are hesitant to use the device [Retina-scan]. In addition a significant number of people may be unable to perform a successful enrollment, and there exist degenerative diseases of the retina that alter the scan results over time. Despite these disadvantages, there are several successful implementations of this technology [Retina-scan].
Which one of the following is the MOST critical characteristic of a biometrics system? A. Acceptability B. Accuracy C. Throughput D. Reliability
Answer: B We don't agree with the original answer, which was throughput. Granted, throughput is vital, but Krutz lists accuracy as most important. In addition to the accuracy of the biometric systems, there are OTHER factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability.
The primary service provided by Kerberos is which of the following? A. non-repudiation B. confidentiality C. authentication D. authorization
Answer: C
What is the PRIMARY use of a password? A. Allow access to files B. Identify the user C. Authenticate the user D. Segregate various users' accesses
Answer: C
What is the most critical characteristic of a biometric identifying system? A. Perceived intrusiveness B. Storage requirements C. Accuracy D. Reliability
Answer: C
Which of the following biometric devices has the highest Crossover Error Rate (CER)? A. Iris scan B. Hand Geometry C. Voice pattern D. Fingerprints
Answer: C
Which of the following does not apply to system-generated passwords? A. Passwords are harder to remember for users B. If the password-generating algorithm gets to be known, the entire system is in jeopardy C. Passwords are more vulnerable to brute force and dictionary attacks. D. Passwords are harder to guess for attackers
Answer: C
Which of the following is true about Kerberos? A. It utilizes public key cryptography B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text. C. It depends upon symmetric ciphers D. It is a second party authentication system
Answer: C
Which of the following statements is incorrect? A. Since the early days of mankind humans have struggled with the problems of protecting assets B. The addition of a PIN keypad to the card reader was a solution to unreported card or lost cards problems C. There has never been a problem of lost keys D. Human guard is an inefficient and sometimes ineffective method of protecting resources
Answer: C
What is called the access protection system that limits connections by calling back the number of a previously authorized location? A. Sendback system B. Callback forward systems C. Callback systems D. Sendback forward systems
Answer: C "Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding."
Which of the following is true about Kerberos? A. It utilizes public key cryptography B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text C. It depends upon symmetric ciphers D. It is a second party authentication system
Answer: C "Kerberos relies upon symmetric key cryptography, specifically Data Encryption Standard (DES), and provides end-to-end security for authentication traffic between the client and the Key Distribution Center (KDC)."
TEMPEST addresses A. The vulnerability of time-dependent transmissions. B. Health hazards of electronic equipment. C. Signal emanations from electronic equipment. D. The protection of data from high energy attacks.
Answer: C "Tempest is the study and control of spurious electrical signals that are emitted by electrical equipment."
How are memory cards and smart cards different? A. Memory cards normally hold more memory than smart cards B. Smart cards provide a two-factor authentication whereas memory cards don't C. Memory cards have no processing power D. Only smart cards can be used for ATM cards
Answer: C "The main difference between memory cards and smart cards is the processing power. A memory card holds information, but does not process information. A smart card has the necessary hardware and logic to actually process information."
In a RADIUS architecture, which of the following can act as a proxy client? A. The end user. B. A Network Access Server. C. The RADIUS authentication server. D. None of the choices.
Answer: C A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
Access controls that are not based on the policy are characterized as: A. Secret controls B. Mandatory controls C. Discretionary controls D. Corrective controls
Answer: C Access controls that are not based on the policy are characterized as discretionary controls by the US government and as need-to-know controls by other organizations. The latter term connotes least privilege - those who may read an item of data are precisely those whose tasks entail the need.
A system using Discretionary Access Control (DAC) is vulnerable to which one of the following attacks? A. Trojan horse B. Phreaking C. Spoofing D. SYN flood
Answer: C Spoofing is an attempt to gain access to a system by posing as an authorized user. It is synonymous with impersonating, masquerading, or mimicking. "Spoofing - The act of replacing the valid source and/or destination IP address and node numbers with false ones. Spoofing attack - any attack that involves spoofed or modified packets."
A smart card represents: A. Something you are. B. Something you know. C. Something you have. D. All of the choices.
Answer: C Another form of authentication requires possession of something such as a key, a smart card, a disk, or some other device. Whatever form it takes, the authenticating item should be difficult to duplicate and may require synchronization with systems other than the one to which you are requesting access. Highly secure environments may require you to possess multiple things to guarantee authenticity.
Which of the following factors may render a token based solution unusable? A. Token length B. Card size C. Battery lifespan D. None of the choices.
Answer: C Another limitation of some of the tokens is their battery lifespan. For example, in the case of SecurID you have a token that has a battery that will last from 1 to 3 years depending on the type of token you acquired. Some token companies such as Cryptocard have introduced tokens that have a small battery compartment allowing you to change the battery when it is discharged.
With MAC, who may make decisions that bear on policy? A. None of the choices. B. All users. C. Only the administrator. D. All users except guests.
Answer: C As the name implies, the Mandatory Access Control defines an imposed access control level. MAC is defined as follows in the Handbook of Information Security Management: With mandatory controls, only administrators and not owners of resources may make decisions that bear on or derive from policy. Only an administrator may change the category of a resource, and no one may grant a right of access that is explicitly forbidden in the access control policy.
Which of the following are proprietarily implemented by Cisco? A. RADIUS+ B. TACACS C. XTACACS and TACACS+ D. RADIUS
Answer: C Cisco implemented an enhanced version of TACACS, known as XTACACS (extended TACACS), which was also compatible with TACACS. It allowed for UDP and TCP encoding. XTACACS contained several improvements: it provided accounting functionality to track length of login and which hosts a user connected to, and it also separated the authentication, authorization, and accounting processes such that they could be independently implemented. None of the three functions is mandatory. XTACACS is described in RFC 1492. TACACS+ is the latest Cisco implementation. It is best described as XTACACS with improved attribute control (authorization) and accounting.
With Discretionary access controls, who determines who has access and what privilege they have? A. End users. B. None of the choices. C. Resource owners. D. Only the administrators.
Answer: C Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects' rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended. Under this type of control, the owner determines who has access and what privilege they have.
Which one of the following BEST describes a password cracker? A. A program that can locate and read a password file. B. A program that provides software registration passwords or keys. C. A program that performs comparative analysis. D. A program that obtains privileged access to the system.
Answer: C In a dictionary crack, L0phtCrack encrypts (i.e., hashes) all the passwords in a dictionary file you specify and compares every result with the password hash. If L0phtCrack finds any matches, it knows the password is the dictionary word. L0phtCrack comes with a default dictionary file, wordsenglish. You can download additional files from the Internet or create a custom file. In the Tools Options dialog box, you can choose to run the dictionary attack against the LANMAN password hash, the NT LAN Manager (NTLM) password hash, or both (which is the default). In a hybrid crack, L0phtCrack extends the dictionary crack by appending numbers or symbols to each word in the dictionary file. For example, in addition to trying "Galileo," L0phtCrack also tries "Galileo24," "13Galileo," "?Galileo," "Galileo!," and so on. The default number of characters L0phtCrack tries is two, and you can change this number in the Tools Options dialog box. In a brute-force crack, L0phtCrack tries every possible combination of characters in a character set. L0phtCrack offers four character sets, ranging from alpha only to all alphanumeric plus all symbol characters. You can choose a character set from the Character Set drop-down box in the Tools Options dialog box or type a custom character set in the Character Set drop-down box. L0phtCrack saves custom sets in files with an .lc extension. You can also specify a character set in the password file, as the example in Figure 2 shows. Not B: A key generator is what is being described by the registration password or key answer.
In addition to the accuracy of the biometric systems, there are other factors that must also be considered: A. These factors include the enrollment time and the throughput rate, but not acceptability. B. These factors do not include the enrollment time, the throughput rate, and acceptability. C. These factors include the enrollment time, the throughput rate, and acceptability. D. These factors include the enrollment time, but neither the throughput rate nor the acceptability.
Answer: C In addition to the accuracy of the biometric systems, there are OTHER factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability.
Under MAC, a clearance is a: A. Sensitivity B. Subject C. Privilege D. Object
Answer: C It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system, decisions are based on the privilege (clearance) of the subject (user) and the sensitivity (classification) of the object (file). It requires labeling.
Which one of the following is an example of electronic piggybacking? A. Attaching to a communications line and substituting data. B. Abruptly terminating a dial-up or direct-connect session. C. Following an authorized user into the computer room. D. Recording and playing back computer transactions.
Answer: C OK, this is a weird little question. The term "electronic" is kind of throwing me a bit. A lot of times piggybacking is used in terms of following someone into a building. Piggyback - Gaining unauthorized access to a system via another user's legitimate connection. (See between-the-lines entry.) Between-the-lines entry - Unauthorized access obtained by tapping the temporarily inactive terminal of a legitimate user.
Which of the following is NOT a good password deployment guideline? A. Passwords must not be the same as user id or login id. B. Password aging must be enforced on all systems. C. Password must be easy to memorize. D. Passwords must be changed at least once every 60 days, depending on your environment.
Answer: C Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed; then the account must be disabled until reset by an administrator or the help desk. Password reuse is not allowed (rotating passwords).
Processor card contains which of the following components? A. Memory and hard drive. B. Memory and flash. C. Memory and processor. D. Cache and processor.
Answer: C Processor cards contain memory and a processor. They have remarkable data processing capabilities. Very often the data processing power is used to encrypt/decrypt data, which makes this type of card a very unique personal identification token. Data processing also permits dynamic storage management, which enables the realization of flexible multifunctional cards.
RADIUS is defined by which RFC? A. 2168 B. 2148 C. 2138 D. 2158
Answer: C RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links, and a shared Authentication Server. RADIUS is a standard published in RFC 2138, as mentioned above.
A method for a user to identify and present credentials only once to a system is known as: A. SEC B. IPSec C. SSO D. SSL
Answer: C Single Sign-On (SSO) - This is a method for a user to identify and present credentials only once to a system. Information needed for future system access to resources is forwarded by the initial system. Benefits: a more efficient user log-on process; users select stronger passwords; inactivity timeout and attempt thresholds are applied uniformly, closer to the user's point of entry; improved, timely disabling of all network/computer accounts for terminated users.
Which of the following attacks could be the most successful when the security technology is properly implemented and configured? A. Logical attacks B. Physical attacks C. Social Engineering attacks D. Trojan Horse attacks
Answer: C Social Engineering attacks - In computer security systems, this type of attack is usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. An example of a social engineering attack involves a hacker impersonating a network service technician. The serviceman approaches a low-level employee and requests their password for network servicing purposes. With smartcards, this type of attack is a bit more difficult. Most people would not trust an impersonator wishing to have their smartcard and PIN for service purposes.
By requiring the user to use more than one finger to authenticate, you can: A. Provide statistical improvements in EAR. B. Provide statistical improvements in MTBF. C. Provide statistical improvements in FRR. D. Provide statistical improvements in ERR.
Answer: C Statistical improvements in false rejection rates can also be achieved by requiring the user to use more than one finger to authenticate. Such techniques are referred to as flexible verification.
Which of the following access control types gives "UPDATE" privileges on Structured Query Language (SQL) database objects to specific users or groups? A. Supplemental B. Discretionary C. Mandatory D. System
Answer: C Supplemental and System are not access control types. The most correct answer is mandatory, as opposed to discretionary. The descriptions below sound typical of how an SQL accounting database controls access. "In a mandatory access control (MAC) model, users and data owners do not have as much freedom to determine who can access their files. Data owners can allow others to have access to their files, but it is the operating system that will make the final decision and can override the data owner's wishes." "Rule-based access controls are a variation of mandatory access controls. A rule-based system uses a set of rules, restrictions or filters to determine what can and cannot occur on the system, such as granting subject access, performing an action on an object, or accessing a resource."
What is the PRIMARY advantage of using a separate authentication server (e.g., Remote Access Dial-In User System, Terminal Access Controller Access Control System) to authenticate dial-in users? A. Single user logons are easier to manage and audit. B. Each session has a unique (one-time) password assigned to it. C. Audit and access information are not kept on the access server. D. Call-back is very difficult to defeat.
Answer: C TACACS integrates the authentication and authorization processes. XTACACS keeps the authentication, authorization and accounting processes separate. TACACS+ improves XTACACS by adding two-factor authentication.
With Rule Based Security Policy, global rules usually rely on comparison of the _______ of the resource being accessed. A. A group of users. B. Users C. Sensitivity D. Entities
Answer: C The RFC 2828 - Internet Security Glossary talks about Rule Based Security Policy: A security policy based on global rules imposed for all users. These rules usually rely on comparison of the sensitivity of the resource being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.
In terms of the order of acceptance, which of the following technologies is the MOST accepted? A. Hand geometry B. Keystroke pattern C. Voice Pattern D. Signature
Answer: C The order of acceptance has slightly changed in the past years. It was Iris that was the most accepted method three years ago, but today we have Voice Pattern that is by far the most accepted. Here is the list from most accepted first to least accepted last: Voice Pattern, Keystroke pattern, Signature, Hand geometry, Handprint, Fingerprint, Iris, Retina pattern.
Which one of the following conditions is NOT necessary for a long dictionary attack to succeed? A. The attacker must have access to the target system. B. The attacker must have read access to the password file. C. The attacker must have write access to the password file. D. The attacker must know the password encryption mechanism and key variable.
Answer: C The program encrypts the combination of characters and compares them to the encrypted entries in the password file. If a match is found, the program has uncovered a password.
Tokens, as a way to identify users are subject to what type of error? A. Token error B. Decrypt error C. Human error D. Encrypt error
Answer: C Tokens are a fantastic way of ensuring the identity of a user. However, you must remember that no system is immune to "human error". If the token is lost with its PIN written on it, or if it were loaned with the corresponding PIN, it would allow for masquerading. This is one of the greatest threats that you have with tokens.
What type of password makes use of two totally unrelated words? A. Login phrase B. One time password C. Composition D. Login ID
Answer: C Usage of two totally unrelated words or a series of unrelated characters, such as pizza!wood for example. Such a password is easy to remember but very hard to guess. It would take a cracker quite a bit of time to do a brute force attack on a password that is that long and that uses an extended character as well.
Which of the following correctly describe DAC? A. It is the most secure method. B. It is of the B2 class. C. It can extend beyond limiting which subjects can gain what type of access to which objects. D. It is of the B1 class.
Answer: C With DAC, administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects' rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended.
With RBAC, roles are: A. Based on labels. B. All equal C. Hierarchical D. Based on flows.
Answer: C With RBAC, security is managed at a level that corresponds closely to the organization's structure. Each user is assigned one or more roles, and each role is assigned one or more privileges that are permitted to users in that role. Roles can be hierarchical.
With __________, access decisions are based on the roles that individual users have as part of an organization. A. Server based access control. B. Rule based access control. C. Role based access control. D. Token based access control.
Answer: C With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.
Under Role based access control, access rights are grouped by: A. Policy name B. Rules C. Role name D. Sensitivity label
Answer: C With role-based access control, access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.
Which of the following will you consider as a "role" under a role based access control system? A. Bank rules B. Bank computer C. Bank teller D. Bank network
Answer: C With role-based access control, access rights are grouped by role name, and the use of resources is restricted to individuals authorized to assume the associated role. For example, within a hospital system the role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests; and the role of researcher can be limited to gathering anonymous clinical information for studies.
What name is given to the study and control of signal emanations from electrical and electromagnetic equipment? A. EMI B. Cross Talk C. EMP D. TEMPEST
Answer: D
What physical characteristics does a retinal scan biometric device measure? A. The amount of light reaching the retina B. The amount of light reflected by the retina C. The size, curvature, and shape of the retina D. The pattern of blood vessels at the back of the eye
Answer: D
Which of the following biometric characteristics cannot be used to uniquely authenticate an individual's identity? A. Retina scans B. Iris scans C. Palm scans D. Skin scans
Answer: D
Which of the following is true of two-factor authentication? A. It uses the RSA public-key signature based algorithm on integers with large prime factors B. It requires two measurements of hand geometry C. It does not use single sign-on technology D. It relies on two independent proofs of identity
Answer: D
Which of the following media is MOST resistant to tapping? A. Microwave B. Twisted pair C. Coaxial cable D. Fiber optic
Answer: D
Which of the following statements pertaining to RADIUS is incorrect? A. A RADIUS server can act as a proxy server, forwarding client requests to other authentication domains. B. Most RADIUS clients have a capability to query secondary RADIUS servers for redundancy. C. Most RADIUS servers have built-in database connectivity for billing and reporting purposes. D. Most RADIUS servers can work with DIAMETER servers.
Answer: D
One of the differences between Kerberos and KryptoKnight is that there is: A. a mapped relationship among the parties takes place B. there is a peer-to-peer relationship among the parties with themselves. C. there is no peer-to-peer relationship among the parties and the KDC D. a peer-to-peer relationship among the parties and the KDC
Answer: D "KryptoKnight: The IBM KryptoKnight system provides authentication, SSO, and key distribution services. It was designed to support computers with widely varying computational capabilities. KryptoKnight uses a trusted Key Distribution Center (KDC) that knows the secret key of each party. One of the differences between Kerberos and KryptoKnight is that there is a peer-to-peer relationship among the parties and the KDC."
The quality of finger prints is crucial to maintain the necessary: A. FRR B. ERR and FAR C. FAR D. FRR and FAR
Answer: D Another factor that must be taken into account when determining the necessary FAR and FRR for your organization is the actual quality of the fingerprints in your user population. ABC's experience with several thousand users, and the experience of its customers, indicates that a percentage of the populations do not have fingerprints of sufficient quality to allow for authentication of the individual. Approximately 2.5% of employees fall into this group in the general office worker population. For these users, a smart card token with password authentication is recommended.
Attacks on smartcards generally fall into what categories? A. Physical attacks. B. Trojan Horse attacks. C. Logical attacks. D. All of the choices, plus Social Engineering attacks.
Answer: D Attacks on smartcards generally fall into four categories: Logical attacks, Physical attacks, Trojan Horse attacks and Social Engineering attacks.
Authentication is typically based upon: A. Something you have. B. Something you know. C. Something you are. D. All of the choices.
Answer: D Authentication is a means of verifying the eligibility of an entity to receive specific categories of information. The entity could be an individual user, a machine, or a software component. Authentication is typically based upon something you know, something you have, or something you are.
What type of authentication takes advantage of an individual's unique physical characteristics in order to authenticate that person's identity? A. Password B. Token C. Ticket Granting D. Biometric
Answer: D Biometric authentication systems take advantage of an individual's unique physical characteristics in order to authenticate that person's identity. Various forms of biometric authentication include face, voice, eye, hand, signature, and fingerprint, each with its own advantages and disadvantages. When combined with the use of a PIN, it can provide two-factor authentication.
Which of the following biometric characteristics cannot be used to uniquely authenticate an individual's identity? A. Retina scans B. Iris scans C. Palm scans D. Skin scans
Answer: D Biometrics: Fingerprints, Palm Scan, Hand Geometry, Retina Scan, Iris Scan, Signature Dynamics, Keyboard Dynamics, Voice Print, Facial Scan, Hand Topology.
Which of the following attacks focus on cracking passwords? A. SMURF B. Spamming C. Teardrop D. Dictionary
Answer: D Dictionaries may be used in a cracking program to determine passwords. A short dictionary attack involves trying a list of hundreds or thousands of words that are frequently chosen as passwords against several systems. Although most systems resist such attacks, some do not. In one case, one system in five yielded to a particular dictionary attack.
Under MAC, a file is a(n): A. Privilege B. Subject C. Sensitivity D. Object
Answer: D It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system, decisions are based on the privilege (clearance) of the subject (user) and the sensitivity (classification) of the object (file). It requires labeling.
Which of the following are the benefits of Keystroke dynamics? A. Low cost B. Unintrusive device C. Transparent D. All of the choices.
Answer: D Keystroke dynamics is behavioral in nature. It works well with users that can "touch type". Key advantages in applying keyboard dynamics are that the device used in this system, the keyboard, is unintrusive and does not detract from one's work. Enrollment as well as identification goes undetected by the user. Another inherent benefit to using keystroke dynamics as an identification device is that the hardware (i.e. keyboard) is inexpensive. Currently, plug-in boards, built-in hardware and firmware, or software can represent keystroke dynamics systems.
Memory only cards work based on: A. Something you have. B. Something you know. C. None of the choices. D. Something you know and something you have.
Answer: D Memory Only Card - This type of card is the most common card. It has a magnetic stripe on the back. These cards can offer two-factor authentication, the card itself (something you have) and the PIN (something you know). Everyone is familiar with the use of an ATM (Automated Teller Machine) card. These memory cards are very easy to counterfeit. There was a case in Montreal where a storeowner would swipe the card through for the transaction; he would then swipe it through a card reader to get a copy, while a small hidden camera was registering the PIN as the user was punching it on the pad. This scheme was quickly identified as the victims had one point in common; they all visited the same store.
Which of the following is a disadvantage of a memory only card? A. High cost to develop. B. High cost to operate. C. Physically infeasible. D. Easy to counterfeit.
Answer: D Memory Only Card - This type of card is the most common card. It has a magnetic stripe on the back. These cards can offer two-factor authentication, the card itself (something you have) and the PIN (something you know). Everyone is familiar with the use of an ATM (Automated Teller Machine) card. These memory cards are very easy to counterfeit. There was a case in Montreal where a storeowner would swipe the card through for the transaction; he would then swipe it through a card reader to get a copy, while a small hidden camera was registering the PIN as the user was punching it on the pad. This scheme was quickly identified as the victims had one point in common; they all visited the same store.
What type of wiretapping involves injecting something into the communications? A. Aggressive B. Captive C. Passive D. Active
Answer: D Most communications are vulnerable to some type of wiretapping or eavesdropping. It can usually be done undetected and is referred to as a passive attack versus an active attack. "(I) An attack that intercepts and accesses data and other information contained in a flow in a communication system. (C) Although the term originally referred to making a mechanical connection to an electrical conductor that links two nodes, it is now used to refer to reading information from any sort of medium used for a link or even directly from a node, such as gateway or subnetwork switch. (C) "Active wiretapping" attempts to alter the data or otherwise affect the flow; "passive wiretapping" only attempts to observe the flow and gain knowledge of information it contains. (See: active attack, end-to-end encryption, passive attack.)"
Which of the following correctly describe the difference between identification and authentication? A. Authentication is a means to verify who you are, while identification is what you are authorized to perform. B. Identification is a means to verify who you are, while authentication is what you are authorized to perform. C. Identification is another name of authentication. D. Identification is the child process of authentication.
Answer: D Not B: Authentication is not what you are authorized to perform.
Which of the following is the most commonly used check on something you know? A. One time password B. Login phrase C. Retinal D. Password
Answer: D Passwords, even though they are always mentioned as unsecured, necessary evils that put your infrastructure at risk, are still commonly used and will probably be used for quite a few years. Good passwords can provide you with a good first line of defense. Passwords are based on something the user knows. They are used to authenticate users before they can access specific resources.
Which of the following are measures against password sniffing? A. Passwords must not be sent through email in plain text. B. Passwords must not be stored in plain text on any electronic media. C. You may store passwords electronically if it is encrypted. D. All of the choices.
Answer: D Passwords must not be sent through email in plain text. Passwords must not be stored in plain text on any electronic media. It is acceptable to store passwords in a file if it is encrypted with PGP or equivalent strong encryption (once again depending on your organization policy). All vendor supplied default passwords must be changed.
What is one advantage of deploying Role based access control in large networked applications? A. Higher security B. Higher bandwidth C. User friendliness D. Lower cost
Answer: D Role based access control (RBAC) is an alternative to traditional discretionary (DAC) and mandatory access control (MAC) policies. The principal motivation behind RBAC is the desire to specify and enforce enterprise-specific security policies in a way that maps naturally to an organization's structure. Traditionally, managing security has required mapping an organization's security policy to a relatively low-level set of controls, typically access control lists.
What attack involves actions to mimic one's identity? A. Brute force B. Exhaustive C. Social engineering D. Spoofing
Answer: D Spoofing is an attack in which one person or process pretends to be a person or process that has more privileges. For example, user A can mimic behavior to make process B believe user A is user C. In the absence of any other controls, B may be duped into giving to user A the data and privileges that were intended for user C.
Monitoring electromagnetic pulse emanations from PCs and CRTs provides a hacker with what significant advantage? A. Defeat the TEMPEST safeguard B. Bypass the system security application. C. Gain system information without trespassing D. Undetectable active monitoring.
Answer: D TEMPEST equipment is implemented to prevent intruders from picking up information through the airwaves with listening devices. In Harris's other book, CISSP PASSPORT, she talks about TEMPEST in terms of spy movies and how a van outside is listening to or monitoring the activities of someone. This lends credence to the answer of C (trespassing), but I think D is more correct, in that all the listener must do is listen to the RF. Use your best judgment based on experience and knowledge.
Which of the following RFC talks about Rule Based Security Policy? A. 1316 B. 1989 C. 2717 D. 2828
Answer: D The RFC 2828 - Internet Security Glossary talks about Rule Based Security Policy: A security policy based on global rules imposed for all users. These rules usually rely on comparison of the sensitivity of the resource being accessed and the possession of corresponding attributes of users, a group of users, or entities acting on behalf of users.
In terms of the order of acceptance, which of the following technologies is the LEAST accepted? A. Fingerprint B. Iris C. Handprint D. Retina patterns
Answer: D The order of acceptance has slightly changed in the past years. It was Iris that was the most accepted method three years ago, but today we have Voice Pattern that is by far the most accepted. Here is the list from most accepted first to least accepted last: Voice Pattern, Keystroke pattern, Signature, Hand geometry, Handprint, Fingerprint, Iris, Retina pattern.
Which of the following are the advantages of using passphrase? A. Difficult to crack using brute force. B. Offers numerous characters. C. Easier to remember. D. All of the choices.
Answer: D The use of passphrases is a good way of having very strong passwords. A passphrase is easier to remember, it offers numerous characters, and it is almost impossible to crack using brute force with today's processing power. An example of a passphrase could be: "Once upon a time in the CISSP world"
The word "smart card" has meanings of: A. Personal identity token containing IC-s. B. Processor IC card. C. IC card with ISO 7816 interface. D. All of the choices.
Answer: D The word "smart card" has four different meanings (in order of usage frequency): IC card with ISO 7816 interface; Processor IC card; Personal identity token containing IC-s; Integrated Circuit(s) Card, an ID-1 type card (specified in ISO 7810) into which has been inserted one or more integrated circuits. [ISO 7816]
Which of the following methods is more microscopic and will analyze the direction of the ridges of the fingerprints for matching? A. None of the choices. B. Flow direct C. Ridge matching D. Minutia matching
Answer: D There are two approaches for capturing the fingerprint image for matching: minutia matching and global pattern matching. Minutia matching is a more microscopic approach that analyzes the features of the fingerprint, such as the location and direction of the ridges, for matching. The only problem with this approach is that it is difficult to extract the minutiae points accurately if the fingerprint is in some way distorted. The more macroscopic approach is global pattern matching where the flow of the ridges is compared at all locations between a pair of fingerprint images; however, this can be affected by the direction that the image is rotated.
In a discretionary mode, which of the following entities is authorized to grant information access to other people? A. manager B. group leader C. security manager D. user E. Data Owner
Answer: E