Lesson 7: Implementing Authentication Controls

A security team has just added iris scanners to two access control points in a secure facility. They are in the process of making adjustments to ensure authorized users have access, while unauthorized users cannot get through. Analyze the scenario and determine what metric the team is in the process of fine-tuning. A. Crossover error rate (CER) B. False rejection rate (FRR) C. False acceptance rate (FAR) D. Type II error

A. Crossover error rate (CER)

Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated? A. A user's keyboard typing behavior is analyzed. B. A system administrator sets up a user account for a new employee after HR sends employment verification. C. An administrator sends an initial password to a new telecommuting employee through a VPN. D. A user is assigned an SID.

A. Analyzing keyboard typing behavior is a "something you do" authentication factor, known as behavioral biometric recognition. Creating a user account based on an official company document is an identification process called identity proofing, that is, verifying that subjects are who they say they are. By creating and sending the initial password over a Virtual Private Network (VPN), the administrator is implementing secure transmission of credentials, which is part of the identification process. Identification of a subject on a computer system is done through an account. An account consists of an identifier, credentials, and a profile. Each identifier must be unique, which is accomplished with a Security Identifier (SID) string.

Select the explanations that accurately describe the Ticket Granting Ticket (TGT) role within the Authentication Service (AS). (Select all that apply.) A. The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user's password hash as the key. B. The AS responds with a TGT that contains information about the client, to include name and IP address, plus a timestamp and validity period. C. The AS responds with a TGT key for use in communications between the client and the Ticket Granting Service (TGS). D. The TGT responds with a service session key for use between the client and the application server.

A. B. The Authentication Service (AS) is responsible for authenticating user logon requests. The first step within AS is when the client sends the AS a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user's password hash as a key. The Ticket Granting Ticket (TGT) contains information about the client and includes a timestamp and validity period. The information is encrypted using the KDC's secret key. This occurs after the user is found in the database and the request is valid. The AS does not respond back with a TGT key but with a Ticket Granting Service (TGS) key that is used in communications between the client and the TGS. The TGS is the service that responds with a service session key for use between the client and the application server.

Analyze and compare the features of smart cards that are used for authentication. Which options accurately describe features that are found on smart cards? (Select all that apply.) A. Smart cards can be either contact-based or contactless, which means they either are inserted into a system or must be in the proximity of the system to authenticate the user. B. ISO has published standards to promote interoperability for smart cards. ISO 14443 was published for contact cards while ISO 7816 was published for contactless cards. C. Smart cards can have multiple uses in addition to network access. Another use a company may employ is building access for users. D. Smart cards use a 2-step verification process such as a pin number the user must enter with the card. If the user loses the card there is no risk and the user simply needs to request a new card from the issuer.

A. C. A smart card is a credit card-sized device with an integrated chip and data interface. It is either contact-based or contactless. In addition to being used for computer and network logons, smart cards can be used as a physical access control to gain access to building premises via secure gateways. ISO has published various ID card standards to promote interoperability, including ones for smart cards. ISO 7816 was published for contact cards, and ISO 14443 was published for contactless cards. While smart cards are typically used as part of 2-factor authentication, a lost card is still a risk. The card must be revoked immediately to ensure it cannot be used to access the network or buildings.

Analyze the features of behavioral technologies for authentication, and choose the statements that accurately depict this type of biometric authentication. (Select all that apply.) A. Behavioral technologies are cheap to implement, but have a higher error rate than other technologies. B. Signature recognition is popular within this technology because everyone has a unique signature that is difficult to replicate. C. Obtaining a voice recognition template for behavioral technologies is rather easy and can be obtained quickly. D. Behavior technologies may use typing as a template, which matches the speed and pattern of a user's input of a passphrase.

A. D. Behavioral technologies are sometimes classified as "something you do." These technologies often have a lower cost to implement than other types of biometric cryptosystems, but they have a higher error rate. Typing is used as a behavioral technology, and the template is based on the speed and pattern of a user's input of a passphrase. Signature recognition is not based on the actual signature due to it being easy to replicate. Instead, it is based on the process of applying a signature such as stroke, speed, and pressure of the stylus. Obtaining a voice recognition template is not a fast process, and can be difficult. Background noise and other environmental factors can also interfere with authentication.

Which of the following password cracker attacks are combined to create a hybrid attack? (Select all that apply.) A. Brute force B. Dictionary C. Rainbow table D. PTH

A. Brute Force B. Dictionary A hybrid password attack uses a combination of dictionary and brute force attacks. A dictionary attack is a type of password attack that compares encrypted passwords against a predetermined list of possible password values. A brute force attack attempts every possible combination in the key space in order to derive a plaintext password from a hash. A rainbow table attack is when the attacker uses a precomputed lookup table of all possible passwords and their matching hashes. A pass the hash (PTH) attack occurs when an attacker obtains the hash of a user's password and presents the hash (without cracking it) to authenticate to network protocols.

Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach? A. False positive B. False negative C. A low Crossover-Error-Rate (CER) D. A low throughput

A. False positive Regarding biometric authentication, a false positive is where an unauthorized person is accepted, leading to possible security breaches. This is the False Acceptance Rate (FAR). A false negative is where a legitimate user is not recognized, denying the user access and causing the user an inconvenience. This event does not result in a breach. This is the False Rejection Rate (FRR). The Crossover Error Rate (CER) is the point at which FRR equals FAR. A lower CER indicates more efficient and reliable authentication. Throughput refers to the time required to create a user template and to authenticate. While this is a major consideration for high-traffic access points (airports), a low rate would be frustrating for users, but not a breach risk.

When a network uses Extensible Authentication Protocol (EAP) as the authentication method, what access control protocol provides the means for a client to connect from a Virtual Private Network (VPN) gateway? A. IEEE802.1X B. Kerberos C. Terminal Access Controller Access-Control System Plus (TACACS+) D. Remote Authentication Dial-in User Service (RADIUS)

A. IEEE802.1X Where EAP provides the authentication mechanisms, the IEEE 802.1X Port-based Network Access Control (NAC) protocol provides the means of using an EAP method when a device connects to a VPN gateway. Kerberos is designed to work over a trusted local network. Several authentication protocols have been developed to work with remote access protocols, where the connection is made over a serial link or virtual private network (VPN). TACACS+ uses TCP communications. Authentication, authorization, and accounting (AAA) functions within TACACS+ are discrete. With AAA, the network access server (NAS) devices that use RADIUS or TACACS+ do not have to store any authentication credentials. They forward this data between the AAA server and the supplicant.

Assess the features and processes within biometric authentication to determine which scenario is accurate. A. A company chooses to use a biometric cryptosystem due to the ease of revocation for a compromised certificate. B. A company uses a fingerprint scanner that acts as a sensor module for logging into a system. C. A company uses a fingerprint scanner that acts as a feature extraction module for logging into a system. D. A company records information from a sample using a sensor module.

B. A sensor module acquires the biometric sample from the target. Examples of a sensor module are a fingerprint scanner or a retina scanner. One problem with biometric cryptosystems is the lack of revocability. A legitimate person will almost always have the same template (fingerprint, retina, etc.). If a company is using a smart card and it is compromised, the card is revoked and reissued. The same cannot be done for biometric cryptosystems. A feature extraction module records the significant information from the sample. This record would include the fingerprint that was scanned when authentication was requested.

Analyze each scenario and determine which best describes the authentication process in an Identity and Access Management (IAM) system. A. An account is created that identifies a user on the network. B. A user logs into a system using a control access card (CAC) and PIN number. C. An Access Control List (ACL) is updated to allow a new user access to only the databases that are required to perform their job. D. A report is reviewed that shows every successful and unsuccessful login attempt on a server.

B. Authentication proves that a subject is who or what it claims to be when it attempts to access the resource. A CAC and PIN login is an example of authentication. Creating an account or ID that identifies the user, device, or process on the network defines identification. Authorization determines what rights subjects should have on each resource and enforces those rights. A company employee may need network access but will likely not need access to every resource, and limiting access limits a company's risk. Accounting tracks authorized usage of a resource or use of rights by a subject and alerts when unauthorized use is detected or attempted. Reports and audit logs account for who and what has been accessing network resources.

Both Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols' authentication processes, select the true statements. (Select all that apply.) A. TACACS+ is open source and RADIUS is a proprietary protocol from Cisco. B. RADIUS uses UDP and TACACS+ uses TCP. C. TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password. D. RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.

B. C. D. RADIUS uses UDP over ports 1812 and 1813 and TACACS+ uses TCP on port 49. TACACS+ encrypts the whole packet (except the header, which identifies the packet as TACACS+ data) and RADIUS only encrypts the password portion of the packet using MD5. RADIUS is primarily used for network access for a remote user and TACACS+ is primarily used for device administration. TACACS+ provides centralized control for administrators to manage routers, switches, and firewall appliances, as well as user privileges. RADIUS is an open-source protocol, not TACACS+. TACACS+ is a Cisco proprietary protocol.

Which of the following options represents Two-Factor Authentication (2FA)? A. A user logs in using a password and a PIN. B. A user logs in using a password and a smart card. C. A user logs in using a fingerprint and retina scanner. D. A user logs in using a smart card and a key fob.

B. A user logs in using a password and a smart card. In Two-Factor Authentication (2FA), a user must possess two of the three authentication types of "something you know", "something you have", or "something you are". Using a password and a smart card would be 2FA since it combines "something you know" (password) with "something you have" (smart card). Using a password and a PIN is not 2FA since they both are "something you know." Using a fingerprint and a retina scanner is not 2FA since they both are "something you are." Using a smart card and a key fob is not 2FA since they both are "something you have."

Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods? A. Fingerprint scan B. Iris scan C. Facial recognition D. Voice recognition

B. Iris scan Biometric authentication based on features of the eye (iris or retina) is typically the hardest method to fool. Iris and retinal scanning are significantly different in cost, intrusiveness, and sensitivity to disease/injury. Due to the eye's complexity and lifelong consistency, both are more reliable than other biometric methods. It is possible to obtain a copy of a user's fingerprint and create a mold of it that will fool a fingerprint scanner. Facial recognition suffers from relatively high false acceptance and rejection rates, and as a result is vulnerable to spoofing. Voice recognition is subject to impersonation. It is also sensitive to background noise and other environmental factors which can interfere with authentication.

Analyze the types of password cracker attacks to determine which scenario best describes a brute force attack. A. An attacker guesses the password using software that enumerates values in the dictionary B. An attacker uses a precomputed lookup table of all possible passwords and their matching hashes C. An attacker attempts every possible combination in the key space in order to derive a plaintext password from a hash D. An attacker tests dictionary words and names in combination with several numeric prefixes

C. A brute force attack attempts every possible combination in the key space in order to derive a plaintext password from a hash. The key space is determined by the number of bits used. A hybrid password attack uses a combination of dictionary and brute force attacks. It is principally targeted against naively strong passwords. The password cracking algorithm tests dictionary words, and names in combination with several numeric prefixes. A rainbow table attack refines the dictionary approach. The attacker uses a precomputed lookup table of all possible passwords and their matching hashes. A dictionary attack can be used where there is a good chance of guessing the likely value of the plaintext, such as a non-complex password.

Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system. A. A control is set to force a customer to log into their account prior to reviewing and editing orders. B. A control is set to cancel automatic shipments for any customer that has an expired credit card on file. C. A control is set to ensure that billing and primary delivery addresses match. D. A control is set to record the date, time, IP address, customer account number, and order details for each order.

C. Identification controls are set to ensure that customers are legitimate. An example is to ensure that billing and primary delivery addresses match. Authentication controls ensure that customers have unique accounts, and that only they can manage their orders and billing information. An example is to require each customer to create an account prior to allowing them to store billing or shipping information. Authorization controls ensure customers can only place orders when they have valid payment information in place prior to completing an order. Accounting controls include maintaining a record of each action taken by a customer to ensure that they cannot deny placing an order. Records may include order details, date, time, and IP address information.

An Identity and Access Management (IAM) system has four main processes. Which of the following is NOT one of the main processes? A. Accounting B. Identification C. Integrity D. Authentication

C. Integrity Integrity is the fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications. However, it is not part of the IAM system. IAM defines the attributes that comprise an entity's identity. The four processes include Authorization, Accounting, Identification, and Authentication. Accounting is tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted. Identification is creating an account or ID identifying the user, device, or process on the network. Authentication is proving that a subject is who or what it claims to be when attempting to access the resource.

Considering how to mitigate password cracking attacks, how would restricting the number of failed logon attempts be categorized as a vulnerability? A. The user is exposed to a replay attack. B. The user is exposed to a brute force attack. C. The user is exposed to a DoS attack. D. The user is exposed to an offline attack.

C. The user is exposed to a DoS attack. Restricting logons can become a vulnerability by exposing a user to Denial of Service (DoS) attacks. The attacker keeps trying to authenticate, locking out valid users. In a replay attack, an intercepted key or password hash is reused to gain access to a resource. This is prevented with once-only tokens or timestamping, not restricting logon attempts. A brute force attack is where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords. Restricting logon attempts is a way to mitigate this threat, not be vulnerable to it. In an offline attack, a password cracker works on a downloaded password database without having to interact with the authentication system. It is unrelated to logon attempts.

Based on the known facts of password attacks, examine the following password and critique its susceptibility to a password attack: DogHouse23. A. This is a sufficient password. It is ten characters and contains uppercase characters, lowercase characters, and numbers. B. This is an insufficient password. There are not enough uppercase characters within the password. C. This is a sufficient password. The password is easy for the user to remember yet long enough to meet character requirements. D. This is an insufficient password. The password contains words that are found in the dictionary and does not contain special characters.

D. The password does not contain special characters, and also contains words that are found in the dictionary. Both of these attributes make the password vulnerable. The length of the password may be sufficient based on the rules set forth by the system administrator and company policy. The company policy may or may not require the use of special characters, and this is unknown from the scenario. The password is insufficiently complex. The inclusion of uppercase letters alone does not make a password complex. While it is correct that the user may be able to remember this password easily, that also makes it susceptible to attack. Dictionary words make it that much easier for an attacker to crack the password.

Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)? A. HOTP is not configured with a shared secret. B. The server is not configured with a counter in HOTP. C. Only the HOTP server computes the hash. D. Tokens can be allowed to continue without expiring in HOTP.

D. Tokens can persist unexpired in HOTP, increasing the risk of an attacker obtaining one and decrypting data in the future. TOTP addresses this by adding a value to the shared secret derived from the device's and server's local timestamp. TOTP automatically expires each token after a short window of time. The authentication server and client token are configured with the same shared secret in HOTP. The HOTP server is configured with a counter, which is combined with the shared secret to create a one-time password. When the HOTP value is authenticated, the counter increments by one. The server and the device both compute the hash and derive a 6-8 digit HOTP value.
