2.3 Identification and Authentication
What type of logon security is provided by OTP?
A One-Time Password is valid only for a short period (usually 60 seconds), before it changes again.
The company you work for has suffered numerous intrusions due to poor password management by employees. Given a significant budget to mitigate the problem, what type of security control would you use?
A multifactor authentication product would mitigate this type of problem by requiring users to authenticate with a smart card or biometric information as well as a password.
What is the difference between authorization and authentication?
Authorization means granting a user account configured on the computer system the right to make use of a resource (allocating the user privileges on the resource). Authentication protects the validity of the user account by testing that the person accessing that account is who s/he says s/he is.
Your company has won a contract to work with the Department of Defense. What type of site access credentials will you need to provide?
Contractors working for the DoD require a Common Access Card with an embedded token and photograph.
Apart from cost, what would you consider to be the major considerations for evaluating a biometric recognition technology?
Error rate, throughput, user resistance or acceptance.
True or false? In order to create a service ticket, Kerberos passes the user's password to the target application server for authentication.
False - only the KDC verifies the password. The Ticket Granting Service sends the user's account details (SID) to the target application for authorization (allocation of permissions), not authentication.
True or false? The holder of a Common Access Card can authenticate to a computer system using biometric information stored on the card.
False - the card contains biometric data for identity proofing but cannot be used to authenticate. It does support smart card authentication.
True or false? An account requiring a password, PIN, and one-time password is an example of three-factor authentication.
False - three-factor authentication would include a biometric or behavioral element.
Which type of eye recognition is easier to perform: retinal or iris scanning?
Iris scans are simpler.
A user maintains a list of commonly used passwords in a file located deep within the computer's directory structure. Is this secure password management?
No. This is security by obscurity. The file could probably be discovered easily using search tools.
In what scenario would PAP be an appropriate cryptographic method?
None - the Password Authentication Protocol uses plaintext ASCII passwords with no cryptographic protection. This could only be used securely if the endpoints established a secure tunnel (using IPsec for instance).
What steps should be taken to enroll a new user?
Perform identity proofing to confirm the user's identity, issue authentication credentials securely, and assign appropriate permissions / privileges to the account.
Which remote authentication protocol supports smart cards?
Some types of Extensible Authentication Protocol (EAP) support the use of client-side digital certificates, which could be presented using a smart card.
Your company creates software that requires a database of stored encrypted passwords. What security control could you use to make the password database more resistant to brute force attacks?
Using a key stretching password storage library (such as bcrypt or PBKDF2) would improve resistance to brute force cracking methods.
Why might a standalone installation of Windows XP be more vulnerable to password cracking than one of Windows 7?
Windows XP uses weak LM responses by default.