Cyber_Sec Chapter 10 Quiz Review (Full Version)


*Customer access* refers to the access to business applications by individuals such as end users of an online ecommerce site, subcontractors of a manufacturing company, or vendors of a semiconductor company. *Customer access* presents additional considerations and security challenges beyond those involved with system access for employees. Before providing customers with access to specific applications and information resources, a risk assessment needs to be carried out and the required controls identified. An individual or a group within the organization should be given responsibility for authorizing each customer access arrangement. Furthermore, there should be approved contracts between the organization and the customer that cover security arrangements. Any customer access to system resources should be subject to the same types of technical controls as with employees. It is a big legal and ethical responsibility of an organization to protect data about the customer. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

Describe customer access from an authentication point of view.

*NIST's digital identity model involves six entities:* *Credential service provider (CSP)*—This refers to a trusted entity that issues or registers subscriber authenticators and issues electronic credentials to subscribers. A CSP may be an independent third party or may issue credentials for its own use. *Verifier*—This refers to an entity that verifies the claimant's identity by verifying the claimant's possession and control of one or two authenticators, using an authentication protocol. *Relying party (RP)*—This refers to an entity that relies on the subscriber's authenticator(s) and credentials or a verifier's assertion of a claimant's identity, typically to process a transaction or grant access to information or a system. *Applicant*—This refers to a subject undergoing the processes of enrollment and identity proofing. *Claimant*—This refers to a subject whose identity is to be verified using one or more authentication protocols. *Subscriber*—This refers to a party who has received a credential or an authenticator from a CSP. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

*Name the entities* and highlight their roles in NIST's digital identity model.

*The NIST 800-63 digital identity model involves three pivotal concepts:* *Digital identity*—The digital identity is the unique representation of a subject engaged in an online transaction. The representation consists of an attribute or set of attributes that uniquely describe a subject within a given context of a digital service but does not necessarily uniquely identify the subject in all contexts. *Identity proofing*—This process establishes that a subject is who he or she claims to be to a stated level of certitude. This process involves collecting, validating, and verifying information about a person. *Digital authentication*—This process involves determining the validity of one or more authenticators used to claim a digital identity. Authentication establishes that a subject attempting to access a digital service is in control of the technologies used to authenticate. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

Explain the three pillars of the NIST 800-63 digital identity model.

*You can categorize authentication protocols used with a smart token in the following manner:* Static—With a static protocol, the user authenticates himself or herself to the token, and then the token authenticates the user to the computer. The latter half of this protocol is similar to the operation of a memory token. Dynamic password generator—Here both the token and the computer system are actively involved. The token generates a unique password periodically—say, every minute. This password is then entered into the computer system for authentication, either manually by the user or electronically via the token. The token and the computer system must be initialized and kept synchronized so that the computer knows the password that is current for this token. Challenge-response—In this case, the computer system generates a challenge, such as a random string of numbers. The smart token generates a response based on the challenge. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

How can you categorize authentication protocols used with a smart token?

*There are three levels of AAL.* *AAL1*—This level provides some assurance that the claimant controls an authenticator bound to the subscriber's account. It requires either single-factor or multifactor authentication, using a wide range of available authentication technologies. Successful authentication requires that the claimant prove possession and control of the authenticator through a secure authentication protocol. *AAL2*—This level provides high confidence that the claimant controls the authenticator(s) bound to the subscriber's account. Proof of possession and control of two distinct authentication factors is required through secure authentication protocol(s). *AAL3*—This level provides very high confidence that the claimant controls the authenticator(s) bound to the subscriber's account. Authentication at AAL3 is based on proof of possession of a key through a cryptographic protocol. AAL3 authentication requires use of a hardware-based cryptographic authenticator and an authenticator that provides verifier impersonation resistance. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

How many levels are there for AAL?

*The potential drawbacks of using a memory card as an authentication device are as follows:* *Requirement of a special reader*—This increases the cost of using the hardware token and creates the requirement to maintain the security of the reader's hardware and software. *Hardware token loss*—This event can temporarily prevent the owner of a lost token from gaining system access. Thus, there is an administrative cost in replacing the lost token. In addition, if the token is found, stolen, or forged, then an adversary now need only determine the PIN to gain unauthorized access. *User dissatisfaction*—Users may find using memory cards for computer access inconvenient, unnecessary, and futile. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What are potential drawbacks of using a memory card as an authentication device?

*Possible threats to possession-based authentication are as follows:* Theft—An attacker can steal a token device. If a second factor is required, such as a PIN, the attacker must also use some means to obtain or guess the PIN. If the second factor is biometric, the attacker must come up with some way of forging the biometric characteristic. Duplication—The attacker gains access to the device and clones it. Again, if a second factor is required, the attacker's task is more formidable. Eavesdropping/replaying—The authenticator secret or authenticator output is revealed to the attacker as the subscriber is authenticating. This captured information can be used later. If there is a time-sensitive aspect to the exchange, such as a nonce or the use of an OTP, this latter attack can be thwarted. Replay—If the attacker can interpose between the token device and the server, this constitutes a man-in-the-middle attack, in which the attacker assumes the role of the client to the server and the server to the client. Denial of service—The attacker makes repeated failed attempts to access the server, which may cause the server to lock out the legitimate client. Host attack—The attacker may gain sufficient control of the authentication server to enable the attacker to be authenticated to an application. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What are some likely threats to possession-based authentication?

*Major criteria in designing a biometric system* are as follows: Universality—A very high percentage of the population should have the characteristic. For example, virtually everyone has recognizable fingerprints, but there are rare exceptions. Distinctiveness—No two people should have identical characteristics. For some otherwise acceptable characteristics, identical twins share virtually the same patterns, such as facial features and DNA, but not other features, such as fingerprints and iris patterns. Permanence—The characteristic should not change with time. For otherwise acceptable characteristics, such as facial features and signatures, periodic reenrollment of the individual may be required. Collectability—Obtaining and measuring the biometric feature(s) should be easy, non-intrusive, reliable, and robust, as well as cost-effective for the application. Performance—The system must meet a required level of accuracy, perform properly in the required range of environments, and be cost-effective. Circumvention—The difficulty of circumventing the system must meet a required threshold. This is particularly important in an unattended environment, where it would be easier to use such countermeasures as a fingerprint prosthetic or a photograph of a face. Acceptability—The system must have high acceptance among all classes of users. Systems that are uncomfortable to the user, appear threatening, require contact that raises hygienic issues, or are non-intuitive are unlikely to be acceptable to the general population. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What are some of the criteria used in designing a biometric system?

*Common attacks on password-based authentication along with their mitigation steps are as follows:* *Offline dictionary attack*—In this type of attack, an attacker bypasses system controls and gains access to the password file. The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords. If a match is found, the attacker can gain access by using that ID/password combination. *Countermeasures* include controls to prevent unauthorized access to the password file, intrusion detection measures to identify a compromise, and rapid reissuance of passwords in the event that the password file is compromised. *Specific account attack*—This is a variation of the preceding attack type, but here the attacker uses a popular password and tries it against a wide range of user IDs. A user's tendency is to choose a password that is easily remembered; this unfortunately makes the password easy to guess. *Countermeasures* include policies to inhibit the selection by users of common passwords and scanning the IP addresses of authentication requests and client cookies for submission patterns. *Password guessing against a single user*—Here the attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. *Countermeasures* include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, minimum length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed. *Workstation hijacking*—Here the attacker waits until a logged-in workstation is unattended. The standard countermeasure is automatically logging the user out of the workstation after a period of inactivity. Intrusion detection schemes can be used to detect changes in user behavior. *Exploiting user mistakes*—This type of attack exploits users' mistakes. A user may intentionally share a password to enable a colleague to share files, for example. Also, attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password. *Countermeasures* include user training, intrusion detection, and simpler passwords combined with another authentication mechanism. *Exploiting multiple password use*—Here the attacker can harm more than one system as the user has set the same password for multiple systems. *Countermeasures* include a policy that forbids using the same or similar password on particular network devices. *Electronic monitoring*—Here the attacker can snoop the network traffic to extract a password that is transmitted over a network. Simple encryption will not fix this problem because the encrypted password is, in effect, the password and can be observed and reused by an adversary. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What are some typical attacks on password-based authentication? Enumerate countermeasures for each case.

*The major vulnerabilities of password file protection are as follows:* A hacker may be able to exploit a software vulnerability in the operating system to bypass the access control system long enough to extract the password file. Alternatively, the hacker may find a weakness in the file system or database management system that allows access to the file. An accident of protection or a manual slip might render the password file readable, thus compromising all the accounts. Some users may have accounts on other machines in other protection domains, for which they might use the same password. Thus, if the passwords could be read by anyone on one machine, a machine in another location might be compromised. A lack of or weakness in physical security may aid a hacker. Sometimes there is a backup of the password file on an emergency repair disk or archival disk. Access to this backup enables the attacker to read the password file. Alternatively, a user may boot from a disk running another operating system, such as Linux, and access the file from that operating system. Instead of capturing the system password file, another approach to collecting user IDs and passwords is sniffing network traffic when a user is trying to log in over an unsecured channel. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What are the major vulnerabilities of password file protection?

*The salt value serves three purposes in terms of hashing:* It makes duplicate passwords invisible in the password file. Even if two users choose the same password, those passwords will be assigned different salt values. Hence, the hashed passwords of the two users will differ. It makes offline dictionary attacks significantly more difficult. For a salt of length b bits, the number of possible passwords is increased by a factor of 2^b, increasing the difficulty of guessing a password in a dictionary attack because an exponential-order algorithm takes years of computation to solve. It becomes nearly impossible to find out whether a person with passwords on two or more systems has used the same password on all of them. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What purpose does the salt value serve with respect to a hashing function?

*There are three authentication factors in user identity authentication:* *Knowledge factor*—This is something that is partly or fully known by an individual. It requires the user to demonstrate knowledge of hidden information. Normally, it is used in single-layer authentication processes in the form of passwords, passphrases, PINs, or answers to secret questions. Examples include a password, a personal identification number (PIN), or answers to a prearranged set of questions. *Possession factor*—This is something possessed by the individual. It is normally a physical entity possessed by the authorized user to connect to the client computer or portal. This type of authenticator is referred to as a hardware token, of which there are two types. Connected hardware tokens are items that physically connect to a computer in order to authenticate identity, and disconnected hardware tokens are items that do not directly connect to the client computer but instead require input from the individual attempting to sign in. *Inherence factor*—This is something intrinsically present in the individual. It refers to the characteristics, called biometrics, that are unique or almost unique to the individual. These include static biometrics, such as fingerprint, retina, and face; and dynamic biometrics, such as voice, handwriting, and typing rhythm. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What are the three authentication factors in user identity authentication?

*There are two main functions involved in user authentication:* *Identification*—This involves presenting an identifier to the security system to verify the identity with respect to the system. *Verification*—This involves presenting or generating authentication information that corroborates the binding between the entity and the identifier. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What are the two main functions involved in user authentication?

*The term AAA stands for authorization, authentication, and access control.* *Authorization* implies granting of access rights to system resources to a user, program, or process. Authorization comes after successful authentication and defines possible actions for an authenticated user or agent. *Authentication* is the process of verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. *Access control* is the process of granting or denying specific requests, such as accessing and using information and related information processing services, and/or entering specific physical facilities. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What does AAA mean in the context of system access?

*NIST SP 800-63 provides a useful way of characterizing the risk of an authentication system by using the concept of authentication assurance level (AAL).* The AAL describes the degree of confidence in the registration and authentication processes. A higher level of AAL indicates that an attacker must have better capabilities and expend greater resources to successfully subvert the authentication process. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What does AAL stand for, and what does it mean?

*The false match rate (FMR)* is an important measure of biometric authentication system performance. The FMR is the rate at which a biometric process mismatches biometric signals from two distinct individuals as coming from the same individual. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What does FMR stand for, and what does it mean?

*A one-time password (OTP) is an automatically generated numeric or alphanumeric string of characters that authenticates the user for a single transaction or session.* OTP tokens are usually pocket-size fobs with a small screen that displays a number. The number changes periodically, say every 30 or 60 seconds, depending on how the token is configured. An OTP is more secure than a static password and has the potential to replace authentication login information or may be used to add another layer of security. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What does OTP stand for, and what does it mean?

*Presentation attack detection (PAD)* involves methods created to directly counter spoof attempts at the biometric sensor, and these methods are of two kinds: artifact detection and liveness detection. Artifact detection attempts to determine the originality of the sample. For example, for a voice detector, an artifact detector will attempt to determine if it is a human voice or produced by a voice synthesizer. Liveness detection attempts to determine the actuality of the sample. For instance, it will answer the question "Is the biometric sample at the sensor from a living human presenting a sample to be captured?" For example, is it a fingerprint sensed from the user's finger, or is it a fingerprint presented by the lift of a fingerprint onto a printed surface? Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What does PAD stand for, and what does it mean?

*A biometric authentication system* uses unique physical characteristics of an individual to authenticate the user. These include static characteristics, such as fingerprints, hand geometry, facial characteristics, and retinal and iris patterns; and dynamic characteristics, such as voiceprint, signature, and gait movement. Internally, biometrics is based on pattern recognition, and biometric authentication is both technically complex and expensive compared to other methods. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What does biometric authentication mean?

*An out-of-band device* is a physical device that is uniquely addressable and can communicate securely with the verifier over a distinct communications channel, referred to as the secondary channel. The device is possessed and controlled by the claimant and supports private communication over this secondary channel, separate from the primary channel for e-authentication. Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What is out-of-band device authentication?
