Principles of Computer Security Chapter 6 & 8 Quiz 3
What is a certification practices statement (CPS), and what is its purpose?
A CPS outlines the steps a CA goes through to validate identities and generate certificates. Companies should review this document to ensure that the CA follows the necessary steps the company requires and provides the necessary level of protection.
Which of the following properly describes what a public key infrastructure (PKI) actually is?
A framework that does not specify any technologies, but provides a foundation for confidentiality, integrity, and availability services
On whom should a company perform background checks?
All individuals who have unescorted physical access to the facility
Within a PKI environment, where does the majority of the trust actually lie?
All users and devices within an environment trust the CA, which allows them to indirectly trust each other.
Why is physical security so important to good network security?
Because physical access defeats nearly all network security measures
How does multiple-factor authentication improve security?
By using a combination of authentications, it is more difficult for some to gain illegitimate access
The ________________ is the trusted authority that certifies individuals' identities and creates electronic documents indicating that individuals are who they say they are.
Certificate Authority
A(n) ________________ is a holding place for individuals' certificates and public keys that are participating in a particular PKI environment.
Certificate Recovery
A(n) ________________ is used when independent CAs establish peer-to-peer trust relationships.
Cross-certification certificate
A perfect bit-by-bit copy of a drive is called what?
Drive image
Requiring two individuals to recover a lost key together is called _______________, which simply means that two people have to be present to carry out a specific task.
Dual controls
Which of the following certificate characteristics was expanded upon with version 3 of the X.509 standard?
Extensions
Which fire detection device relies on the temperature in an area rising above some predefined level to activate it?
Fixed-temperature fire detector
Why is enrollment important to biometrics?
If enrollment is not done carefully, false positives will increase
If an extension is marked as critical, what does this indicate?
If the end-entity is not programmed to understand and process this extension, the certificate and corresponding keys cannot be used.
Why would a digital certificate be added to a certificate revocation list (CRL)?
If the private key had become compromised
What is the purpose of a digital certificate?
It binds an individual to a public key.
What is a bridge CA, and what is its function?
It is a CA that handles the cross-certification certificates for two or more CAs in a peer-to-peer relationship.
What about physical security makes it more acceptable to other employees?
It protects the employees themselves
What is the most common example of an access token?
Key
Allowing a third party to possess a copy of a private key so that they can decrypt and read sensitive information if the need arises is:
Key escrow
_______________ is the mechanism that allows keys to be retrieved in the event of a user losing access.
Key recovery
What is a common threat to token-based access controls?
Loss or theft of the token
The _________________ is a method of determining whether a certificate has been revoked that does not require local machine storage of CRLs.
Online Certificate Status Protocol
Probably the simplest physical attack on the computer system is:
Outright theft of the computers
In a(n) _______________, one CA is not subordinate to another CA, and these is no established trust anchor between the CAs involved.
Peer-to-peer trust model
A(n) ________________ is a structure that provides all of the necessary components for different types of users and entities to be able to communicate securely and in a predictable manner.
Public key infrastructure
The ___________________ is the PKI component that accepts requests for a digital certificate and performs the necessary steps of registering and authenticating the person requesting the certificate.
Registration authority
Why is HVAC important to computer security?
Sabotage of the AC unit would make the computers overheat and shut down
Which one is not commonly used as a biometric?
Shoulder-to-waist geometry
How can users have faith that the CRL was not modified to present incorrect information?
The CRL is digitally signed by the CA.
Once an individual validates another individual's certificate, what is the use of the public key that is extracted from this digital certificate?
The user can now encrypt session keys and messages with this public key and can validate the sender's digital signatures.
How does a user validate a digital certificate that is received from another user?
The user first sees whether her system has been configured to trust the CA that digitally signed the other user's certificate and then validates that CA's digital signature.
What is the first step a user takes to obtain a digital certificate?
The user submits a certificate request to the RA.
When a user wants to participate in a PKI, what component does he or she need to obtain, and how does that happen?
The user submits a certificate request to the RA.
What steps does a user's software take to validate a CA's digital signature on a digital certificate?
The user's software creates a message digest for the digital certificate and decrypts the encrypted message digest included within the digital certificate. If the decryption performs properly and the message digest values are the same, the certificate is validated.
Why should security guards get cross-training in network security?
They are the eyes and ears of the corporation when it comes to security
Why can USB flash drives be a threat?
They can bring malicious code past other security mechanisms
Which of the following properly explains the m of n control?
This is a control in key recovery to enforce separation of duties.
Why would a company implement a key archiving and recovery system within the organization?
To make sure all data encryption keys are available for the company if and when it needs them
Why is water not used for fire suppression in data centers?
Water would ruin all the electronic equipment