Operating System Security Module 8
Which of the following is the strongest form of multi-factor authentication?
A password, a biometric scan, and a token device A password, a biometric scan, and a token device together are the strongest form of multi-factor authentication listed here. Multifactor authentication is any combination of two or more of the same or different authentication factors. The three common authentication factor types are Something You Know (such as a password), Something You Have (such as a smart card or a token device), and Something You Are (such as a biometric quality, like a fingerprint). The other three options are all weaker forms of multi-factor authentication. A password and a biometric scan is a multi-factor authentication system, but it is also an example of two-factor authentication. Two-factor authentication is any combination of two or more different authentication factors. Two passwords is an example of multi-factor authentication, but since it uses two of the same type of factors, it is not a true two-factor authentication method.
Which of the following advantages can single sign-on (SSO) provide? (Select two.)
Access to all authorized resources with a single instance of authentication The elimination of multiple user accounts and passwords for each individual A properly designed single sign-on (SSO) system can reduce human error and system administration time by providing access to all authorized resources with a single instance of authentication through a single set of user credentials. Enhanced password complexity is not a direct function of SSO, although enhanced security may be achieved by eliminating multiple credentials for individual authentication and enforcing password complexity policies. SSO is not a replacement for sound security policies or properly configured systems. Implementation of an SSO system can be challenging, as all systems and applications must be capable of utilizing a common method of authentication.
Which of the following terms describes the component that is generated following authentication and is used to gain access to resources following login?
Access token When a security principal logs on, an access token is generated. The access token is used to control access to resources and contains the following information: The SID for the user or computer The SID for all groups the user or computer is a member of User rights granted to the security principal When the security principal tries to access a resource or take an action, information in the access token is checked. For example, when a user tries to access a file, the access token is checked for the SID of the user and all groups. The SIDs are then compared to the SIDs in the object's DACL to identify permissions that apply. Account policies in Group Policy control requirements for passwords, such as minimum length and expiration times. Cookies are text files that are stored on a computer to save information about your preferences, browser settings, and Web page preferences. They identify you (or your browser) to websites. A proxy is a server that stands between a client and destination servers.
What is the most important aspect of a biometric device?
Accuracy The most important aspect of a biometric device is accuracy. If an access control device is not accurate, it does not offer reliable security. Enrollment time is how long it takes for a new user to be defined in the biometric database. Typically, an enrollment time less than two minutes is preferred. The size of the reference profile is irrelevant in most situations. Throughput is how many users a biometric device can scan and verify within a given time period. Typically, a throughput of 10 users per minute is preferred.
Match the exploit on the right with the appropriate description on the left. Watering hole attack Arbitrary code execution exploit LSO exploit Zero-day attack
An attacker compromises a Web site, hoping that a target individual will access the site and be exposed to the exploit. A vulnerability in a running process allows an attacker to inject malicious instructions and run them. A Flash cookie is used to collect information about the user's browsing habits without their permission. An attacker exploits computer application vulnerabilities before they are known and patched by the application's developer.
A remote access user needs to gain access to resources on the server. Which of the following processes are performed by the remote access server to control access to resources?
Authentication and authorization A remote access server performs the following functions: Authentication is the process of proving identity. After devices agree on the authentication protocol to use, the login credentials are exchanged and login is allowed or denied. Authorization is the process of identifying the resources that a user can access over the remote access connection. Authorization is controlled through the use of network policies (remote access policies) as well as access control lists. Accounting is an activity that tracks or logs the use of the remote access connection. Accounting is used to keep track of resource use, but is not typically used to control resource use. If access is allowed or denied based on time limits, information provided by accounting might be used by authorization rules to allow or deny access. Identity proofing occurs during the identification phase as the user proves that they are who they say they are in order to obtain credentials. Identification is the initial process of confirming the identity of a user requesting credentials and occurs when a users types in a user ID to log on.
Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject?
Attribute-Based Access Control (ABAC) The ABAC model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject. The MAC model is based on classification labels being assigned to objects and clearance labels assigned to subjects. When a subject's clearance lines up with an objects classification, the subject is granted access. The RBAC model grants access based on the subjects role in an organization. The Rule-Based Access Control model grants access based on a set of rules or policies.
Which of the following is the term for the process of validating a subject's identity?
Authentication Authentication is the process of validating a subject's identity. It includes the identification process, the user providing input to prove identity, and the system accepting that input as valid. Authorization is granting or denying a subject's access to an object based on the level of permissions or the actions allowed on the object. Identification identifies the subject. Examples include a user name or a user ID number. Auditing is maintaining a record of a subject's activity within the information system.
A programmer that fails to check the length of input before processing leaves his code vulnerable to what form of common attack?
Buffer overflow Buffer overflow attacks are made possible by oversight of programmers. A simple check on the length (and sometimes format) of input data before processing eliminates buffer attacks. Abackdoor is a developer-planted or cracker-planted entry device that bypasses security to gain access to a system or software. A developer-planted backdoor is often a debugging tool that was mistakenly left in place when the software went to market. A cracker-planted device is often a remote access server that listens for inbound connections on a specific port. Either method can be used by an intruder to gain entry into a secured environment. Session hijacking is the concept of being able to take over a communication session between a client and server. This usually involves taking over the identity of the client and fooling the server into communicating with the pseudo client. Privilege escalation is the act of a user to steal or obtain higher level privileges in a computer system.
Having poor software development practices and failing to program input validation checks during development of custom software can result in a system vulnerable to which type of attack?
Buffer overflow Poor software development practices and failing to program input validation checks can leave a system vulnerable to buffer overflows. A buffer overflow occurs when software code receives more input than it was designed to handle and the programmer of that code failed to include input validation checks. When a buffer overflow occurs, the extra data is pushed into the execution stack and processed with the security context of the system itself. In other words, a buffer overflow attack often allows the attacker to perform any operation on a system. Denial of service attacks exploit vulnerabilities in implementation and coding errors. Dictionary attacks are waged against logon prompts or stolen copies of a security accounts database. Superzapping attacks are specific attacks using a specialized utility named superzap to bypass the security of IBM mainframes to perform system alterations.
Which type of attack is the act of exploiting a software program's free acceptance of input in order to execute arbitrary code on a target?
Buffer overflow The act of exploiting a software program's free acceptance of input in order to execute arbitrary code on a target is called a buffer overflow. Data diddling is the changing or corrupting of data. TOC/TOU is a logon session replay attack. Covert channel exploitation is the use of timing or storage mechanisms to bypass security controls in order to leak information out of a secured environment.
You want to prevent your browser from running JavaScript commands that are potentially harmful. Which of the following would you restrict to accomplish this?
Client-side scripts JavaScript is an example of client-side scripting, where the client system runs the scripts that are embedded in Web pages. When pages download, the scripts are executed. ActiveX runs executable code within a browser, but ActiveX controls are not written using the JavaScript language. Server-side scripts execute on the server, and modify the Web pages served to clients based on the results of the scripts. The Common Gateway Interface (CGI) is scripting language that is often used to capture data from forms in a Web page and pass the data to an external program. CGI runs on the server to process Web form data. References
Which of the following is a password that relates to things that people know, such as a mother's maiden name or the name of a pet?
Cognitive Cognitive passwords relate to things that people know, such as a mother's maiden name or the name of a pet. Dynamic passwords change upon each consecutive login. One-time passwords are only valid for a single use. A pass phrase is a password based on a phrase.
Which access control type is used to implement short-term repairs to restore basic functionality following an attack?
Corrective Corrective access controls are used for short-term repairs and to restore basic functionality. Following the implementation of corrective controls, an incident might also require recovery access control methods, which are long-term activities that restore full functionality. Compensative access controls are alternatives to primary access controls. Detective access controls search for details about the attack or the attacker.
Which of the following defines an object as an entity in the context of access control?
Data, applications, systems, networks, and physical space. Objects are entities that represent data, applications, systems, networks, and physical space. Subjects are the users, applications, or processes that need access to objects. The access control system includes the policies, procedures, and technologies that are implemented to control a subject's access to an object.
Which of the following are subject to SQL injection attacks?
Database servers A SQL injection attack occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. The injection attack succeeds if the server does not properly validate the input to restrict entry of characters that could end and begin a database command.
Audit trails produced by auditing activities are which type of security control?
Detective Audit trails produced by auditing activities are a detective security control. Audit trails are used to detect the occurrence of unwanted or illegal actions by users. Audit trails give administrators the ability to reconstruct historical events and locate aberrant activities. Once an issue is discovered in an audit trail, the collected information can be used to guide the corrective or recovery procedure to restore resources, prevent re-occurrence, and prosecute the perpetrator. The security function of auditing the activities of user accounts on a secured system is considered a preventative or deterrent security control.
Which form of access control enforces security based on user identities and allows individual users to define access controls over owned resources?
Discretionary access control (DAC) DAC (discretionary access control) uses identities to control resource access. Users can make their own decisions about how much access to grant to other users. RBAC (role-based access control), MAC (mandatory access control), and TBAC (task-based access control) enforce security based on rules. The rules of RBAC are job descriptions The rules of MAC are classifications The rules of TBAC are work tasks
You have a system that allows the owner of a file to identify users and their permissions to the file. Which type of access control model is implemented?
Discretionary access control (DAC) This is an example of a discretionary access control list (DACL), which uses the Discretionary Access Control (DAC) model. With DAC, individuals use their own discretion (decisions or preferences) for assigning permissions and allowing or denying access. Mandatory access control (MAC) uses labels for both subjects (users who need access) and objects (resources with controlled access). When a subject's clearance lines up with an object's classification, and when the user has a need to know (referred to as a category), the user is granted access. Role-based access control (RBAC) allows access based on a role in an organization, not individual users. Roles are defined based on job description or a security access level. Users are made members of a role and receive the permissions assigned to the role. Rule-based access control (RBAC) uses characteristics of objects or subjects along with rules to restrict access. Access control entries identify a set of characteristics that are be examined for a match. If all characteristics match, access is either allowed or denied based on the rule.
When you browse to a website, a pop-up window tells you that your computer has been infected with a virus. You click on the window to see what the problem is. Later, you find out that the window has installed spyware on your system. What type of attack has occurred?
Drive-by download A drive-by download is an attack where software or malware is downloaded and installed without explicit consent from the user. Drive-by downloads can occur in a few different ways: Through social engineering, the user is tricked into downloading the software. The user might not realize that clicking a link will install software, or the user might know that something is being installed, but not have a full understanding of what it is or what it does. By exploiting a browser or operating system bug, a site is able to install software without the user's knowledge or consent. A SQL injection attack occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. A DLL injection attack occurs when a program is forced to load a dynamic-link library (DLL). This DLL then executes under the security context of the running application, and executes malicious code included with the injected DLL. A Trojan horse is a program that masquerades as a legitimate program. In this scenario, you were not necessarily aware that a program was being installed, nor did the program present itself as a useful program for you to install.
Marcus White has just been promoted to a manager. To give him access to the files that he needs, you make his user account a member of the Managers group, which has access to a special shared folder. Later that afternoon, Marcus tells you that he is still unable to access the files reserved for the Managers group. What should you do?
Have Marcus log off and log back in On a Microsoft system, the access token is only generated during authentication. Changes made to group memberships or user rights do not take effect until the user logs in again and a new access token is created. Use NTFS and share permissions, not Group Policy, to control access to files. In addition, Group Policy is periodically refreshed, with new settings applied on a regular basis.
An attacker inserts SQL database commands into a data input field of an order form used by a Web-based application. When submitted, these commands are executed on the remote database server, causing customer contact information from the database to be sent to the malicious user's Web browser. Which practice would have prevented this exploit?
Implementing client-side validation. Client-side validation should have been used on the local system to identify input errors in the order form before the data was ever sent to the server. In this example, if the user entered SQL commands in an order form field, the error would have been immediately detected and blocked before the data was submitted to the server. Using the latest browser version and patch level, installing anti-malware software, and using a script blocker are valuable security measures, but would not have prevented the exploit in this scenario.
While using a Web-based order form, an attacker enters an unusually large value in the Quantity field. The value she entered is so large that it exceeds the maximum value supported by the variable type used to store the quantity in the Web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number. As a result, the Web application processes the order as a return instead of a purchase, and the attacker's account is credited with a large sum of money. Which practices would have prevented this exploit? (Select two.)
Implementing client-side validation. Implementing server-side validation. lient-side validation and server-side validation should have been used to identify input errors in the order form. In this example, if the user entered an invalid quantity in an order form field, client-side validation would have detected and blocked the error before the data was submitted to the server. Server-side validation should have also been used after the data was sent to the server to detect errors. Experienced attackers can circumvent client-side validation techniques by sending data to the server from outside the application's standard user interface, bypassing any input validation measures that may have been implemented on the client. Using the latest browser version and patch level, installing the latest operating system updates, and using a script blocker are valuable security measures, but would not have prevented the exploit in this scenario.
While using a Web-based order form, an attacker enters an unusually large value in the Quantity field. The value she entered is so large that it exceeds the maximum value supported by the variable type used to store the quantity in the Web application. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number. As a result, the Web application processes the order as a return instead of a purchase, and the attacker's account is refunded a large sum of money. What type of attack has occurred in this scenario?
Integer overflow An integer overflow occurs when a computational operation by a running process results in a numeric value that exceeds the maximum size of the integer type used to store it in memory. When this occurs, the value will wrap around and start again at its minimum value, in much the same way a mechanical odometer in a car rolls over to zero when the maximum number of miles it can record has been exceeded. This can allow an attacker to manipulate the value of variables, leading to unintended behavior by the system. In this scenario, the attacker has manipulated the quantity while purchasing items from an online store. This causes the value of the quantity variable to wrap around to the minimum possible value, which is a negative number. As a result, the web application processes the order form as a return instead of a purchase and the attacker's account is refunded a large sum of money. A buffer overflow occurs when the operating system or an application does not properly enforce boundaries for how much and what type of data can be inputted. In a watering hole attack, the attacker uses reconnaissance to identify which Web sites the target person or organization frequently uses. The attacker then compromises one or more of those sites in some way, hoping that the target will access the site and be exposed to the exploit. URL hijacking occurs when an attacker registers domain names that correlate to common typographical errors made by users when trying to access a legitimate Web site.
Which of the following is an example of a single sign-on authentication solution?
Kerberos Kerberos is a single sign-on authentication solution. A single sign-on authentication solution is a mechanism that allows a user to log in to a network once and then roam the entire network without re-authenticating. This does not mean that the user is granted unlimited access to all of the resources within the network; it just means that as the user accesses resources and performs activities he is authorized to perform, he is not required to re-authenticate each time he connects to a new system on the network. Kerberos is only one example of a single sign-on solution. Others include directory services, scripting, thin clients, and SESAME. Biometrics, RADIUS, and digital certificates are authentication mechanisms, but not single sign-on authentication solutions.
Which of the following are examples of single sign-on authentication solutions? (Select two.)
Kerberos SESAME Kerberos and SESAME are single sign-on authentication solutions. A single sign-on authentication solution is a mechanism that allows a user to log in to a network once and then be able to roam the entire network without re-authenticating. This does not mean that the user is granted unlimited access to all of the resources within the network--it just means that the user is not required to re-authenticate each time he connects to a new system on the network as he accesses resources and performs activities he is authorized to perform. Biometrics and digital certificates are used in authentication, but are not single sign-on authentication solutions. RADIUS and DIAMETER are centralized remote access authentication methods.
While using a Web-based game created using Adobe Flash, a Flash cookie is set on a user's computer. The game saves legitimate data in the Flash cookie, such as statistics and user preferences. However, the game creator also programmed the game to track the Web sites that that user visits while the game is running and save them in the Flash cookie. This data is transferred to a server over an Internet connection without the user's permission. What type of exploit has occurred in this scenario?
Locally shared object (LSO) exploit A locally shared object (LSO) exploit has occurred in this scenario. LSOs are also referred to as Flash cookies. Adobe Flash uses LSOs to save data locally on a computer, such as information for a Flash game being played or user preferences. However, LSOs can also be used to collect information about the user's browsing habits without their permission. The Flash Player Settings Manager can be used to configure Flash to prevent LSOs from being saved on the local computer. A buffer overflow occurs when the operating system or an application does not properly enforce boundaries for how much and what type of data can be inputted. Header manipulation is the process of including invalid data in an HTTP response header. A zero-day attack is an attack that exploits computer application vulnerabilities before they are known and patched by the application's developer.
Which access control model is based on multilevel security where objects are assigned a security classification and subjects are granted a security clearance which allows them to access objects at or below that security classification?
Mandatory Access Control (MAC) The MAC model is based on classification labels being assigned to objects and clearance labels assigned to subjects. When a subject's clearance lines up with an objects classification, the subject is granted access. The DAC model grants access directly to subjects based on the object owners discretion. The RBAC model grants access based on the subjects role in an organization. The ABAC model grants access when the subject meets all the attributes that are assigned to an object.
Which of the following best describes one-factor authentication?
Multiple authentication credentials may be required, but they are all of the same type. One-factor authentication uses credentials of only one type, but may require multiple methods within the same type. For example, you might log in with just a password or use a password and answer a cognitive question (such as your mother's maiden name). One-factor authentication that uses multiple credentials of the same type is also sometimes called strong authentication. One-factor authentication can use one or multiple credentials from any of the three authentication types. Supplying a user name does not provide authentication credentials, as the user name is used for identification, not authentication. Anonymous access occurs when only a user name is required.
What is another term for the type of login credentials provided by a token device?
One-time Password A token device provides a type of one-time password. There are several types of token devices. Generally, a token device requires you to enter a code or a PIN. The device then displays a code that you must enter into the login prompt. Some tokens are time-based so that the code provided by the token is only valid for a short period of time. Other tokens are challenge/response-based--the login prompt displays a challenge message that you enter into the token. The response from the token must match that expected by the secured system. A token device may require the use of a biometric, or it may be involved in a mutual or two-factor authentication system.
What type of password is maryhadalittlelamb?
Pass phrase A pass phrase is a password based on a phrase, such as maryhadalittlelamb. Cognitive passwords are passwords that relate to things that people know, such as a mother's maiden name or the name of a pet. A static password is created by a user and overseen by an administrator. Composition passwords are created by the system and are usually two or more unrelated words divided by symbols on the keyboard.
Which of the following is the most common form of authentication?
Password Passwords are the most common form of authentication. Most secure systems require only a user name and password to provide users with access to the computing environment. Many forms of online intrusion attacks focus on stealing passwords. This makes using strong passwords very important. Without a strong password policy and properly trained users, the reliability of your security system is greatly diminished. Photo ID, fingerprint, and digital certificate on a smart card are not the most common forms of authentication.
As you browse the Internet, you notice that when you go to some sites, multiple additional windows are opened automatically. Many of these windows contain advertisements for products that are inappropriate for your family to view. Which tool can you implement to prevent these windows from showing?
Pop-up blocker Use a pop-up blocker to prevent windows from automatically opening when you visit a Web site. Pop-up blockers typically do not block pop-ups that show when you click a button or a link, but will prevent the pop-up windows that open automatically as you navigate to other sites. Use anti-virus software to scan attachments, downloads, or your system for malicious programs. Use anti-adware and anti-spyware software to prevent software that tracks your browsing history. While removing adware might prevent some pop-ups, it will not prevent all pop-ups unless the anti-adware software includes a pop-up blocker. Use a phishing filter to remove phishing e-mails or to prevent navigating to links that are disguised as legitimate links.
What form of access control is based on job descriptions?
Role-based access control (RBAC) RBAC is based on job descriptions. DAC is based on identity. MAC is based on rules. LBAC is based on geography or logical designations.
You have implemented an access control method that only allows users who are managers to access specific data. Which type of access control model is used?
Role-based access control (RBAC) Role-based access control (RBAC) allows access based on a role in an organization, not individual users. Roles are defined based on job description or a security access level. Users are made members of a role and receive the permissions assigned to the role. Discretionary access control (DAC) assigns access directly to subjects based on the discretion (or decision) of the owner. Objects have a discretionary access control list (DACL) with entries for each subject. Owners add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object. Mandatory access control (MAC) uses labels for both subjects (users who need access) and objects (resources with controlled access). When a subject's clearance lines up with an object's classification and when the user has a need to know (referred to as a category), the user is granted access.
Which access control model manages rights and permissions based on job descriptions and responsibilities?
Role-based access control (RBAC) Role-based access control (RBAC) is the access control model that manages rights and permissions based on job descriptions. RBAC focuses on job descriptions or work tasks instead of employing user accounts to define access. RBAC is best suited for environments that have a high rate of employee turnover. By defining access based on roles rather than individuals, administration is simplified when granting a new person access to common activities. DAC is based on user accounts. MAC is based on security labels, classifications, or clearances. TBAC is based on work tasks.
Which of the following is an example of a Rule Based Access Control (RBAC)?
Router access control lists that allows or denies traffic based on the characteristics of an IP packet. A router access control list that allows or denies traffic based on the characteristics of an IP packet is an example of Rule-Based Access Control. A subject with a government clearance that allows access to government classification labels of confidential, secret and top secret is an example of Mandatory Access Control. A member of the accounting team is given access to the accounting department documents is an example of Role-Based Access Control. A computer file owner grants access to the file by adding other users to an access control list is an example of Discretionary Access Control.
A router access control list uses information in a packet, such as the destination IP address and port number, to make allow or deny forwarding decisions. This is an example of which kind of access control model?
Rule set-based access control (RSBAC) Rule set-based access control (RSBAC) uses characteristics of objects or subjects along with rules to restrict access. Access control entries identify a set of characteristics that are examined for a match. If all characteristics match, access is either allowed or denied based on the rule. An example of a rule-based access control implementation is a router access control list that allows or denies traffic based on characteristics within the packet (such as IP address or port number). Discretionary access control (DAC) assigns access directly to subjects based on the discretion (or decision) of the owner. Objects have a discretionary access control list (DACL) with entries for each subject. Owners add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object. Mandatory access control (MAC) uses labels for both subjects (users who need access) and objects (resources with controlled access). When a subject's clearance lines up with an object's classification and when the user has a need to know (referred to as a category), the user is granted access. Role-based access control (RBAC) allows access based on a role in an organization, not individual users. Roles are defined based on job description or a security access level. Users are made members of a role and receive the permissions assigned to the role.
You have a website that accepts input from users for creating customer accounts. Input on the form is passed to a database server where the user account information is stored. An attacker is able to insert database commands in the input fields and have those commands execute on the server. Which type of attack has occurred?
SQL injection A SQL injection attack occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. The injection attack succeeds if the server does not properly validate the input to restrict entry of characters that could end and begin a database command. SQL injection attacks are prevented by proper programming methods that prevent commands from occurring within form data or that filter data to prevent such attacks. A buffer overflow occurs when the operating system or an application does not properly enforce boundaries for how much and what type of data can be inputted. Hackers submit data beyond the size reserved for the data in the memory buffer, and the extra data overwrites adjacent memory locations. The extra data sent by the attacker could include executable code that might then be able to execute in privileged mode. Cross-site scripting (XSS) is an attack that injects scripts into Web pages. When the user views the Web page, the malicious scripts run allowing the attacker to capture information or perform other actions. A DLL injection attack occurs when a program is forced to load a dynamic-link library (DLL). This DLL then executes under the security context of the running application, and executes malicious code included with the injected DLL.
Lori Redford, who has been a member of the Project Management group, was recently promoted to manager of the team. She has been added as a member of the Managers group. Several days after being promoted, Lori needs to have performance reviews with the team she manages but she cannot access the performance management system. As a member of the Managers group, she should have the Allow permission to access this system. What is most likely preventing her from accessing this system?
She is still a member of the Project Management group, which has been denied permission to this system. Deny permissions always override Allow permissions. The most likely cause of this problem is that Lori is still a member of the Project Management group which has been denied permission to this system. Deny permissions always override Allow permissions. Allow permissions do not override Deny permissions, unless the Allow permission is explicitly assigned and the Deny permission is inherited. It is unlikely that her user object has been assigned an explicit Deny permission to the performance management system since best practice is to assign permissions to groups, not to users.
Which of the following is a hardware device that contains identification information and can be used to control building access or computer logon?
Smart card A smart card is a hardware device that contains identification information. Smart cards can contain a magnetic strip, radio frequency transmitter, or hardware contacts that allow it to interact with a smart card reader. The reader uses information on the card to allow or deny access. A biometric is a physical characteristic of a human that can be scanned to control access. A WAP is a wireless access point. The SSID is the name of a wireless network. A security policy is a written document outlining the policies that are applied to create a secure network. In Windows, the Local Security policy is a collection of settings that control how the system behaves.
Match the authentication factor types on the left with the appropriate authentication factor on the right. Each authentication factor type can be used more than once. PIN Smart card Password Retina scan Fingerprint scan Hardware token Pass phrase Voice recognition Wi-Fi triangluation Typing behaviors
Something you know Something you have Something you know Something you are Something you are Something you have Something you know Something you are Something you are Something you do
Encryption is which type of access control?
Technical Technical controls are computer mechanisms that restrict access. Examples are encryption, one-time passwords, access control lists, and firewall rules. Administrative controls are policies that describe accepted practices. Examples are directive policies and employee awareness training. Physical controls restrict physical access. Examples are perimeter security, site location, networking cables, and employee segregation.
Which of the following defines the crossover error rate for evaluating biometric systems?
The point where the number of false positives matches the number of false negatives in a biometric system. The crossover error rate, or the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system. A false negative (or Type I error) occurs when a person who should be allowed access is denied access. A false positive (or Type II error) occurs when a person who should be denied access is allowed access. The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated.
Which of the following is not a form of biometric?
Token Device A token device is not a form of biometric. Biometrics rely on personal characteristics (such as fingerprints, face recognition, or a retina scan) to prove identity. A token device is an example of a Something You Have authentication factor. A token device is a small device that produces a response when a user types in a code or PIN. The response is along with your name and password to gain access to a secure system.
Which of the following is stronger than any biometric authentication factor?
Two-factor authentication A two-factor authentication system is always stronger than a single authentication system, even if that single factor is a biometric. When a single authentication factor is compared to other single authentication factors, they are all roughly the same in terms of strength of security protection. Thus, the single factors of a password, a non-PIN token device, and a USB drive with PKI certificates are all equally weak.
Recently, a Web site named www.vidshare.com has become extremely popular with users around the world. An attacker registers the following domain names: www.videoshare.com www.vidshar.com www.vidsshare.com Each of these URLs points to a phishing Web site that tricks users into supplying their vidshare.com user names and passwords. What type of attack has occurred in this scenario?
Typosquatting Typosquatting (also called URL hijacking) occurs when an attacker registers domain names that correlate to common typographical errors made by users when trying to access a legitimate Web site. The typosquatter's intentions may be benign or malicious in nature. They may be simply trying to coerce the legitimate site owner to buy the domain name from them. Alternatively, they may be attempting to compromise unsuspecting users by redirecting them to a phishing site that looks like the legitimate Web site. They may even use this exploit to install drive-by malware. A buffer overflow occurs when the operating system or an application does not properly enforce boundaries for how much and what type of data can be inputted. In a watering hole attack, the attacker uses reconnaissance to identify which Web sites the target person or organization frequently uses. The attacker then compromises one or more of those sites in some way, hoping that the target will access the site and be exposed to the exploit. In a command injection attack, the attacker injects and executes unwanted commands on the application.
Which security mechanism uses a unique list that meets the following specifications: The list is embedded directly in the object itself The list defines which subjects have access to certain objects The list specifies the level or type of access allowed to certain objects
User ACL A user ACL (access control list) is a security mechanism that defines which subjects have access to certain objects and the level or type of access allowed. This security mechanism is unique for each object and embedded directly in the object itself. Mandatory access control (MAC) is an access control system based on classifications of subjects and objects to define and control access. Kerberos is a form of single sign-on that uses hashed passwords to verify a user's identity. Hashing is a cryptographic tool that creates an identification code that is employed to detect changes in data.
Which of the following information is typically not included in an access token?
User account password The access token does not contain the user account password. The password is only used during authentication. Following authentication, the access token is used to gain access to resources. When a security principal logs in, an access token is generated. The access token is used to control access to resources and contains the following information: The SID for the user or computer The SID for all groups the user or computer is a member of User rights granted to the security principal When the security principal tries to access a resource or take an action, information in the access token is checked. For example, when a user tries to access a file, the access token is checked for the SID of the user and all groups. The SIDs are then compared to the SIDs in the object's DACL to identify permissions that apply.
Which of the following is an attack that injects malicious scripts into Web pages to redirect users to fake websites or gather personal information?
XSS Cross-site scripting (XSS) is an attack that injects scripts into Web pages. When the user views the Web page, the malicious scripts run allowing the attacker to capture information or perform other actions. XSS often relies on social engineering or phishing to entice users to click on links to Web pages that contain the malicious scripts. Some scripts redirect users to legitimate websites, but run the script in the background to capture information sent to the legitimate site. Scripts can be written to read (steal) cookies that contain identity information (such as session information). Scripts can also be designed to run under the security context of the current user. For example, scripts might execute with full privileges on the local system, or the scripts might run using the credentials used on a financial website. A drive-by download is an attack where software or malware is downloaded and installed without explicit consent from the user. A SQL injection attack occurs when an attacker includes database commands within user data input fields on a form, and those commands subsequently execute on the server. A DLL injection attack occurs when a program is forced to load a dynamic-link library (DLL). This DLL then executes under the security context of the running application, and executes malicious code included with the injected DLL.