Answers and Explanations
Answer: B. The three types of controls are as follows:
Administrative: These controls are composed of the policies and procedures the organization has put in place to prevent problems and to ensure that the technical and physical controls are known, understood, and implemented.
Technical: These controls are used to control access and monitor potential violations. They may be either hardware- or software-based.
Physical: These control systems are used to protect the welfare and safety of the employees and the organization. Physical controls include such items as smoke alarms, security guards, cameras, and mantraps.
Answer: B. Authentication can take one of three forms: something you know, something you have, or something you are. Something you are, such as biometrics, is by far the strongest form of authentication. Systems such as retina and iris scans have high levels of accuracy. The accuracy of a biometric device can be assessed by means of the crossover error rate. Remember: On the exam, questions are sometimes vague, and you will be asked to pick the best available answer.
Answer: C. The question states that a password and PIN are required. Both passwords and PINs are examples of something you know. Authentication is something you know, something you have, or something you are. Therefore, passwords and PINs are examples of authentication. Answer B is incorrect because two-factor authentication requires two of the three primary categories of authentication to be used. Two-factor authentication is considered more secure than single-factor authentication. Three-factor authentication requires all three categories. Authorization is what you allow the user to do or accomplish.
Answer: A. Authentication can be based on one or more of the following three factors:
Something you know: This could be a password, passphrase, or secret number.
Something you have: This could be a token, bank debit card, or smart card.
Something you are: This could be a retina scan, fingerprint, DNA sample, or facial recognition.
Answer: A. Passwords, which belong to the “something you know” category, are the weakest form of authentication. Although there are many more stringent forms of authentication, passwords remain the most widely used. Passwords are insecure because people choose weak ones, don’t change them, and have a tendency to write them down or allow others to gain knowledge of them. If more than one person is using the same password, there is no way to properly execute the audit function, and at this point, loss of security occurs. Passwords are also susceptible to cracking and brute-force attacks.
Answer: A. The general order of accuracy of biometric systems is fingerprint, palm scan, hand geometry, retina scan, and iris scan. However, the accuracy of an individual system is not the only item a security professional needs to consider before implementing a biometric system. Security professionals must examine usability, employee acceptance, and the crossover error rate of the proposed system.
The employee acceptance rate examines the employees’ willingness to use the system. For example, technology innovations with Radio Frequency Identifier (RFID) tags have made it possible to inject an extremely small tag into an employee’s arm. This RFID tag could be used for identification, for authorization, and to monitor employee movement throughout the organization’s facility. However, most employees would be hesitant to allow their employer to embed such a device in their arm. Currently issued passports have RFID tags, which has created an issue with identity theft (RFID sniffers).
The crossover error rate examines the capability of the proposed systems to accurately identify the individual. If the system has a high false reject rate, employees will soon grow weary of the system and look for ways to bypass it. Therefore, each of these items is important to consider.
Answer: D. Before implementing any type of access control system, the security professional needs to consider potential vulnerabilities because these give rise to threats. Threats must also be considered because they lead to risks. Risk is the potential that the vulnerability may be exploited. Answer D is incorrect because it relates to the formula used for risk analysis.
Answer: A. Kerberos is a single sign-on system for distributed systems. It is unlike authentication systems such as NT LAN MAN (NTLM) that perform only one-way authentication. It provides mutual authentication for both parties involved in the communication process. Kerberos operates under the assumption that there is no trusted party; therefore, both client and server must be authenticated. After mutual authentication occurs, Kerberos makes use of a ticket stored on the client machine to access network resources. Answers B and C are incorrect because they describe access control models. Answer D describes centralized authentication.
Answer: D. Only Password Authentication Protocol (PAP) is not susceptible to a dictionary attack; no attack is needed because the password is transmitted in plaintext. Challenge Handshake Authentication Protocol (CHAP), Lightweight Extensible Authentication Protocol (LEAP), and WiFi Protected Access Pre-shared Key (WPA-PSK) are all susceptible to dictionary attacks. When you are forced to use one of these mechanisms, the only security precaution you can take is to choose passwords that will not be in any contrived dictionary, although precomputed hashes are now being used for that purpose.
Answer: B. FAR (False Acceptance Rate) is the percentage of illegitimate users who are granted access to the organization’s resources. Keeping this number low is important to keeping unauthorized individuals out of the company’s resources.
Answer: C. The only choice for copper cabling would be Category 6. Single-mode and multimode fiber are not examples of copper cabling. However, fiber is considered a more secure transmission medium than copper cabling because it does not emit any Electromagnetic Interference (EMI). All types of copper cabling emit a certain amount of EMI. Unauthorized personnel can clamp probes to these cables and decode the transmitted messages. Wireless is not an example of copper cabling.
Answer: D. There are four types of access control models. Discretionary access control places the data owners in charge of access control. Mandatory access control uses labels to determine who has access to data. Role-based access control is based on the user’s role in the organization. Answer D is incorrect because there is no category called delegated access control. A valid answer would have been rule-based access control.
Answer: C. Auditing is considered an administrative control. The three types of controls are discussed in answer 1.
Answer: C. Bank tellers would most likely fall under a role-based access control system. These systems work well for organizations in which employee roles are identical.
Answer: B. Dictionary attacks are an easy way to pick off insecure passwords. Passwords based on dictionary words allow attackers to simply perform password guessing or to use more advanced automated methods employing software programs. LCP, Cain and Abel, and John the Ripper are commonly used password-cracking programs that can launch dictionary attacks. A hybrid attack must try a combination of words and special characters. A brute-force attack must try all combinations of characters, numbers, and special characters. A man-in-the-middle attack is one in which the attacker stands between the victim and the service and attempts to steal or sniff passwords or information.
Answer: C. Tempest is the standard for electromagnetic shielding of computer equipment. Answer B is a distracter, answer A is the name of a radioactive gas, and answer D is the name of the individual who discovered the radiation belts that surround the Earth.
Answer: A. Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider. Lightweight Directory Access Protocol (LDAP) is a protocol designed to allow individuals to locate organizations, individuals, and other resources such as files and devices in a network. Open Authentication (OAUTH) is an authentication protocol that allows users to approve applications to act on their behalf without sharing their password. Single sign-on is implemented by using ticket-based systems such as KryptoKnight.
Answer: A. A discretionary access system places the data owners in charge of access control. Mandatory access control uses labels to determine who has access to data, and role-based access control is based on organizational roles. This is also known as “nondiscretionary” and is based on the user’s role in the organization.
Answer: D. Challenge/response authentication is a secure authentication scheme that works in the following way: First, a randomly generated string of values is presented to the user, who then returns a calculated number based on those random values. Second, the server performs the same process locally and compares the result to the saved value. Finally, if these values match, the user is granted access; otherwise, access is denied. Answer A is a distracter. Answer B is an example of Kerberos. Answer C is an example of Challenge Handshake Authentication Protocol (CHAP).
Answer: A. FRR (False Rejection Rate) measures the number of authorized users who were incorrectly denied access. If a system has a high FRR, many valid users will be denied access. Valid users who are denied access may attempt to bypass or subvert the authentication system because they believe it does not work correctly. The FRR is separate from the False Acceptance Rate (FAR). The FAR is used to measure statistics of unauthorized users. Answer D is incorrect because FRR has nothing to do with the rate of return.
Answer: C. Password attacks are the easiest way to attempt to bypass access control systems. Password attacks can range from simple password guessing to more advanced automated methods in which software programs are used. Dictionary attacks may be the fastest, but brute-force attacks are considered the most time-intensive. If the user has chosen a complex password, however, this may be the attacker’s only choice. Brute-force uses a combination of all numbers and letters, making substitutions as it progresses. It continues until all possible combinations have been attempted. If the password is very long or complex, this may take a considerable amount of time. A plaintext password would require no cracking at all.
Answer: B. CVE stands for Common Vulnerabilities and Exposures. CVE is a database developed to standardize the naming system of security vulnerabilities. It also serves as a centralized depository of information on vendor software and discovered vulnerabilities. You can find more information about the CVE database at http://cve.mitre.org.
Answer: C. Telnet transmits username and password information in clear text and thus can be used by attackers to gain unauthorized access. Secure Shell (SSH) and HTTP Secure (HTTPS) are secure protocols. Although some versions of SSH are more secure than others, it is always better to go with some form of encryption. Even though Trivial FTP (TFTP) transmits in plaintext, no username and password information is exchanged because TFTP does not require authentication.
Answer: A. Fingerprints are most closely associated with law enforcement. Close behind this is facial recognition. Facial recognition technology has made great strides since the terrorist attacks of September 11. Common methods include the Markov model, eigenface, and fisherface. Iris and retina recognition are not typically associated with law enforcement.
Answer: B. Under the mandatory access control model, the system administrator establishes file, folder, and account rights. It is a very restrictive model in which users cannot share resources dynamically.
Answer: B. Password-based authentication systems can be made more secure if complex passwords are used, account lockouts are put in place, and tools such as Passprop are implemented. Passprop places remote lockout restrictions on the administrator account. Passprop is Microsoft-specific, and the test will not quiz you on that level of detail. Just understand that tools are available on both Windows and OS X platforms to accomplish this task. Many routers, switches, and network gear also support varying degrees of lockout (usually tied to RADIUS). Disabling password-protected screensavers would decrease security, as would allowing users to reuse passwords.
Answer: A. Signature-based Intrusion Detection Systems (IDSs) can detect only attack signatures that have been previously stored in their databases. These systems rely on the vendor for updates; until then, they are vulnerable to new zero-day or polymorphic attacks. Answer B is incorrect because it describes a statistical-based IDS. Answer C is incorrect because signature-based IDSs are available as both host and network configurations. Answer D is incorrect because the costs of signature-based IDS and statistical anomaly-based IDS are comparable.
Answer: B. Policies provide a high-level overview of how security should be practiced throughout the organization. Answers A, C, and D all describe the details of how these policies are to be implemented. What is most important about these particular concepts is that security policy must flow from the top of the organization.
Answer: B. A Network Intrusion Prevention System (NIPS) provides protective/reactive responses to a network. This malicious attack was submitted via port 80 HTTP service and is identified by network monitoring. A Host Intrusion Detection System (HIDS) focuses on services that cannot be seen from the network. A Host Intrusion Prevention System (HIPS) is focused on the system but can respond. A Network Intrusion Detection System (NIDS) identifies suspicious activity in a log file, but cannot take action.
Answer: B. Sniffing is an example of a passive attack. Attackers performing the sniff simply wait and capture data when they find the information they are looking for. This might be usernames, passwords, credit card numbers, or proprietary information. All other answers are incorrect because installing programs, dumpster diving, and social engineering (which uses the art of deception) are all active attacks.
Answer: D. Forcing collusion is one of the primary reasons why separation of duties should be practiced. Simply stated, collusion requires two or more employees to work together to bypass security. This means that one person working alone cannot pull off an attack. The practice of separation of duties vastly reduces this risk.
Answer: A. The best access control policy is “deny all.” This strategy starts by denying all access and privileges to all employees. Then, access and privilege are granted only as required by job needs. Some organizations start with “allow all.” This presents a huge security risk.
Answer: B. Honeypots, which also have been expanded into honeynets, are network decoys or entire networks that are closely monitored systems. These devices allow security personnel to monitor when the systems are being attacked or probed. They can also provide advance warning of a pending attack and act as a jail until you have decided how to respond to the intruder.
Answer: D. Access Control Lists (ACLs), as seen in the context of the CISSP exam, are used to set discretionary access controls. The three basic types are read, write, and execute. RBAC refers to role-based access controls, MITM is an acronym for man-in-the-middle, and ABS is simply a distracter.
Answer: C. Although job rotation does provide backup for key personnel and may help in all the other ways listed, its primary purpose is to prevent fraud or financial deception.
Answer: C. The primary legal issue surrounding honeypots is entrapment. Entrapment is illegal because it might encourage a person to commit a crime that was not intended. Enticement is legal and is used to lure someone into leaving evidence after committing a crime. Although liability could be an issue if the honeypot is compromised and then used to attack an outside organization, entrapment is illegal and unethical, and ISC2-certified professionals are bound by a code of ethics. Statute 1029 is related to hacking and is not the primary concern of honeypots. Although liability is an issue, it is not the primary concern in the context of this question.
Answer: D. The major disadvantages of ACLs are the lack of centralized control and the fact that many operating systems default to full access. This method of access control is burdened by the difficulty of implementing a robust audit function. Therefore, answers A, B, and C are incorrect.
Answer: B. A warning banner is an example of a technical deterrent. Answer A, an acceptable use policy (AUP), is an example of an administrative deterrent. Answer C is a technical detective control. Answer D is a technical recovery control.
Answer: A. Terminal Access Controller Access-Control System+ (TACACS+) uses TCP port 49 for communication. The strength of TACACS+ is that it supports authentication, authorization, and accounting. Each is implemented as a separate function, which allows the organization to determine which services it wants to deploy. This makes it possible to use TACACS+ for authorization and accounting, while choosing a technology such as RADIUS for authentication.
Answer: D. Mandatory Access Control (MAC) is typically built in and is a component of most operating systems. MAC’s attributes include the following: It’s nondiscretionary because it is hard-coded and cannot easily be modified, it’s capable of multilevel control, it’s label-based because it can be used to control access to objects in a database, and it’s universally applied because changes affect all objects.
Answer: C. CCTV, mantraps, biometrics, and badges are just some of the items that are part of physical access control. Data classification and labeling are preventive access control mechanisms.
Answer: C. The CER (Crossover Error Rate) is used to determine the device’s accuracy. A lower CER means that the device is more accurate. The CER is determined by mapping the point at which the FAR (False Acceptance Rate) and the FRR (False Rejection Rate) meet. The CER does not determine speed, customer acceptance, or cost per employee.
Answer: B. Kerberos is a network authentication protocol that provides single sign-on service for client/server networks. A ticket is a block of data that allows users to prove their identity to a service. The ticket is valid only for a limited amount of time. Allowing tickets to expire helps raise the barrier for possible attackers because the ticket becomes invalid after a fixed period. An authentication server provides each client with a ticket-granting ticket. Clients use a ticket-granting server to obtain session tickets, which reduces the workload of the authentication server. The ticket is not used to prove identity to the Kerberos server; it is used to prove identity to a service or principal.
Answer: B. Identification is defined as the act of claiming a specific identity. Authentication is the act of verifying your identity, validation is the act of finding or testing the truth, and auditing is the act of inspecting or reviewing a user’s actions.
Answer: C. Nonrepudiation is closely tied to accountability. It is defined as a means to ensure that users cannot deny their actions. Therefore, nonrepudiation is what makes users accountable. Digital signatures and timestamps are two popular methods used to prove nonrepudiation. Accountability is more closely related to activities, intrusions, events, and system conditions. Auditing is the act of review. Validation is more closely associated with certification and accreditation.
Answer: A. SESAME uses public key cryptography to distribute secret keys. It also uses the MD5 algorithm to provide a one-way hashing function. It does not distribute keys in plaintext, use SHA, or use secret key encryption.
Answer: C. There are six categories of security controls: preventive, detective, corrective, deterrent, recovery, and compensation. Job rotation would help in the detective category because it could be used to uncover violations. It would not help in recovery, corrective, or compensation.
Answer: A. RADIUS (Remote Authentication Dial-in User Service) uses UDP ports 1812 and 1813. RADIUS performs authentication, authorization, and accounting for remote users. RADIUS can also use UDP 1645 for authentication and UDP 1646 for accounting. Answers B, C, and D are wrong because RADIUS does not use TCP or ICMP as a transport protocol.
Answer: A. Diameter is a centralized access control system that supports UDP, SCTP, and TCP. SESAME is a single sign-on (SSO) technology that uses both symmetric and asymmetric cryptography, thereby allowing for non-repudiation and authentication between the principals. RADIUS only supports UDP, not TCP or SCTP. Kerberos does not support asymmetric cryptography. The CIO requires non-repudiation and authentication, a service that symmetric cryptography does not support. Answer D is not the best answer because the CIO said that he does not require split AAA services. It is important that test takers be very familiar with the advantages and disadvantages of the SSO and centralized access control technologies that are referenced in the Common Body of Knowledge (CBK). Each alternative is a potential solution, depending on the customer's environment.
Answer: B. The principle of least privilege refers to a user having the minimum access control to information systems to do their job. Separation of duties states that critical functions should be divided up among employees. Need-to-know states that users should only have access to information needed to do their job, and answer D is incorrect because privilege creep refers to a user’s obtaining privileges over time as they rotate jobs within a company.
Answer: C. Each answer is a good authentication method, but C is the best description of two-factor authentication. Answer A describes asymmetric encryption. Answer B does not specify what types or categories are being used. Answer D could be the description of IPsec or another tunneling protocol.
Answer: D. Single sign-on (SSO) can be difficult in a heterogeneous environment, where not all manufacturers may support the same authentication method. But it is a great solution in a homogeneous environment, where all vendors support the same mechanism. But the password must be complex, or you’ve given a malicious hacker a single point where he can breach your network.
Answer: A. Type 1 errors result from rejection of authenticated persons. You lower this count by relaxing the precision of the equipment, which increases type 2 errors (accepting unauthenticated persons). You stop your tuning when type 1 errors equal type 2 errors (the crossover error rate [CER]). Under no circumstances do you want to let in more unauthenticated persons because then you risk rejecting authorized persons.
Answer: D. Your token uses the nonce to create a one-time password. This is called asynchronous authentication. Answers A, B, and C are incorrect because synchronous token authentication takes place when the token has a timing device that is in sync with a timing mechanism on the server.
Answer: B. Because SESAME uses asymmetric authentication, it can be used for nonrepudiation, whereas Kerberos cannot. Both Kerberos and SESAME support single sign-on (SSO), and both can be accessed by applications that use GSS-API function calls.
Answer: C. A mantrap is a preventive control because it prevents the entry of unauthorized individuals. Deterrent controls slow down unauthorized behavior, corrective controls remove inappropriate actions, and detective controls discover that unauthorized behavior occurred. The CISSP exam expects you to understand the difference between various types of controls.
Answer: A. A salted, one-way encrypted file is the best way to store passwords. Cryptographic solutions to accomplish this include MD5, SHA, and HAVAL. Symmetric, asymmetric, and digital signatures are not the preferred way of storing passwords.
Answer: D. The act of professing to be a specific user is identification. It is not validation, authorization, or authentication.
Answer: B. A Zephyr chart can be used to compare and measure different types of biometric systems. For example, consider a situation in which you are asked to compare a fingerprint scanner to a palm scanner. Answer A is incorrect because the Crossover Error Rate (CER) is better suited for that task. Answer C also refers to the CER. A Zephyr chart is not used for intrusion detection.
Answer: C. Authentication can best be described as the act of verifying identity.
Answer: B. The best answer is a self-service password reset. Many websites allow users to reset their passwords by supplying some basic information. This is not an example of single sign-on, centralized authentication, or assisted passwords.
Answer: D. A federated identity is portable and can be used across business boundaries. Federated identity is not SSO or one that is restricted for use within a single domain. Federated identity also is not restricted to type I authentication.
Answer: A. The lower the crossover error rate (CER), the more accurate the biometric system. Therefore, a system with a CER of 1 would be the most accurate.
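The FAR, FRR, and CER relationships used in this answer and in the earlier answers on the False Acceptance Rate, the False Rejection Rate, the crossover error rate, and type 1/type 2 error tuning, computed over constructed data as an added example (not part of the original answer key). The match scores below are invented for illustration; a real biometric system would produce its own score distribution.

```python
from typing import List, Tuple

# Constructed match scores (0-100) from a hypothetical biometric device.
# Genuine users should score high and impostors low, with some overlap.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]
IMPOSTOR_SCORES = [12, 20, 27, 33, 40, 47, 55, 63, 68, 75]


def far(impostor: List[int], threshold: int) -> float:
    """False Acceptance Rate (type 2 error): fraction of impostors whose
    score reaches the acceptance threshold and who are therefore let in."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """False Rejection Rate (type 1 error): fraction of genuine users whose
    score falls below the threshold and who are therefore turned away."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds=range(0, 101)) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for every candidate threshold: raising the
    threshold lowers FAR and raises FRR, lowering it does the reverse."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover_error_rate(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold at which FAR and FRR meet (or come closest), and the error
    rate there. The CER is the single figure used to compare devices: lower
    is more accurate."""
    best = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    t, fa, fr = best
    return t, (fa + fr) / 2
```

Sweeping the threshold shows the tuning trade-off from the type 1/type 2 answer directly: at a permissive threshold no genuine user is rejected but a share of impostors is accepted, at a strict one the reverse, and the crossover point is where the two rates are equal.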
Answer: B. Preventive systems are designed to stop an unwanted event from occurring. Detective controls are designed to discover an event. Corrective controls are designed to provide a countermeasure to the unwanted event, and deterrent controls are used for discouragement.
Answer: A. Nondiscretionary access control includes role- and task-based mechanisms. Mandatory access controls are an example of label-based security and are not considered nondiscretionary. Rule-based access control is most commonly seen in ACLs and is used with routers.
Answer: D. A trust can be defined as a security bridge that is established between two domains. The trust can be one-way, two-way, or transitive and is not restricted to any mode.
Answer: C. Labels are associated with Mandatory Access Control (MAC). MAC is not permissive; it is considered prohibitive. MAC is more secure and less flexible than DAC; if access is not specifically granted, it is forbidden. Answers A, B, and D are not associated with labels.
Answer: B. A static token can be a swipe card, smart card, or USB token. These tokens are not active and are not considered type I (something you know) or type III (something you are) authentication.
Answer: A. The Equal Error Rate (EER) is simply another name for the Crossover Error Rate (CER). It is not the CER minus 10 percent, or where the FAR is lowest or highest.
Answer: C. Biometric systems are the most expensive means of performing authentication. They cost more than tokens, single sign-on, or passwords.
Answer: A. The optic disk and the fovea are parts of the eye, but an iris scan looks at the colored portion of the eye. A retina scan looks at the blood vessels at the back of the eye.
Answer: D. A rainbow table is a type of precomputed hash. It utilizes the time memory trade-off principle. It is not an attack against a biometric or fingerprint system and has nothing to do with digital certificates.
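The relationship between precomputed hash tables (this answer) and the salted one-way password storage recommended in the earlier answer on storing passwords, shown as an added example that is not part of the original answer key. The wordlist is constructed for illustration, and PBKDF2-HMAC-SHA256 is this example's choice of slow one-way function; the page itself names only MD5, SHA, and HAVAL as hashing options.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed wordlist standing in for the dictionary behind a precomputed table.
CONSTRUCTED_WORDLIST = ["password", "letmein", "summer2024", "qwerty", "welcome1"]


def unsalted_hash(password: str) -> str:
    """Weak scheme: a single unsalted SHA-256. Equal passwords always produce
    equal digests, so one table computed in advance serves every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(wordlist) -> Dict[str, str]:
    """A tiny precomputed digest -> password table: the time/memory trade-off
    the page describes, reduced to a plain dictionary for illustration."""
    return {unsalted_hash(w): w for w in wordlist}


def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    """Reversing an unsalted digest is a constant-time dictionary lookup."""
    return table.get(digest)


def store_salted(password: str, iterations: int = 200_000) -> Dict[str, object]:
    """Hardened scheme: a random per-user salt plus an iterated one-way
    function. The salt is stored alongside the digest; it is not secret,
    it only makes every user's digest unique."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_salted(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["digest"])
```

Two users who choose the same password get different stored digests under the salted scheme, and a table built from unsalted digests matches neither of them, which is why the salt, not the choice of hash function alone, is what defeats precomputation.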
Answer: B. The ticket-granting service is a component of Kerberos.
Answer: D. SESAME uses a PAC in much the same way that Kerberos uses a key distribution center. RADIUS and TACACS do not use PACs.
Answer: D. Phishing is a nontechnical attack that attempts to trick the victim into giving up account or password information. Pretexting is the act of using established personal information to gain access to accounts, cell phone records, or other information. Social engineering is a more general term used to describe this entire category of attacks. Dumpster diving is accomplished by digging through the trash.
Answer: C. Web-access management allows web users to share user credentials across multiple domains without having to log into each site. Cookies will not work because they are domain-specific, and a unique certificate for each domain would not address the problems.
Answer: C. Under the Biba model, users cannot write up. Answer A describes the Bell-LaPadula model. Answer B describes the Clark-Wilson model. Answer D describes the Brewer-Nash model.
Answer: D. Provisioning is the management of user access. Answers A, B, and C are incorrect because they do not define the term.
Answer: A. Object reuse refers to the allocation or reallocation of system resources (storage objects) to a subject. RAM-scraping attacks, such as the cold boot attack, demonstrate that object reuse can be a real problem. The authentication method, biometric system, or strength of the password do not apply.
Answer: D. Core RBAC makes use of a many-to-many relationship and is useful in organizations that have well-defined roles. Answer A describes MAC, which makes use of labels. Answer B describes DAC, which is a nondiscretionary model. Answer C describes rule-based access control, which makes use of ACLs.
Answer: B. A good example of a capability table is Kerberos. When a ticket is issued, it is bound to the user and specifies what resources a user can access. Answers A, C, and D do not meet that specification.
Answer: A. Diameter is the only option that provides an upgrade path from RADIUS.
Answer: A. Investigations are a good example of a detective control.
Answer: B. Switched networks are segmented, and as such require a port to be spanned. An IDS does not block traffic. An IPS would, but that type of control is not discussed in this question. MAC filtering would have most likely disabled the port. No traffic would have been captured.
Answer: C. A rainbow table uses a table of precomputed hashes. Answers A, B, and D are incorrect.
Answer: False. War dialing is the act of using a phone dialer program to dial a series of numbers in search of an open modem. Some people now use VoIP for war dialing, with tools such as I-War, WarVOX, and the IAX protocol (Asterisk).
Answer: True. Encryption is an example of a technical control. Policies are an example of an administrative control, whereas a fence is a physical control.
Answer: False. Access control should default to no access. You should also restrict the user to allow access to only what is needed and nothing more. As a default, no access should be provided unless a business justification can be shown as to why access should be provided.
Answer: True. TACACS, RADIUS, and Diameter are all examples of centralized access controls. For example, RADIUS is widely used by ISPs to authenticate dialup users. This central point of authentication provides an easy mechanism if users do not pay their monthly fees.
Answer: False. Although Kerberos provides single sign-on capability, it does not provide availability. Kerberos is a network authentication protocol created at the Massachusetts Institute of Technology that uses secret-key cryptography. Kerberos has three parts: a client, a server, and a trusted third party (KDC) to mediate between them. Clients obtain tickets from the Kerberos Key Distribution Center (KDC) and present these tickets to servers when connections are established.
Answer: True. IDS engines typically include signature and anomaly. Valid types of IDSs include host and network. Knowing the difference in these terms is an important distinction for the exam.
Answer: True. Signature-based IDSs can be pattern-matching or stateful. Pattern matching looks to map the results to a known signature. Stateful compares patterns to the user’s activities.
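The signature versus anomaly distinction from this answer and the earlier answer on signature-based IDS limitations, run over constructed log lines as an added example (not part of the original answer key). The log format, the two signatures, and the failure-count baseline are all this example's own assumptions; the point is that the signature engine flags only what its database already describes, while the statistical engine flags behaviour for which no signature exists.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed web-server access log lines (invented for this example).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01] "GET /index.html HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:02] "GET /about.html HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:03] "GET /cgi-bin/view?f=../../etc/passwd HTTP/1.1" 404',
    '10.0.0.7 - - [01/Jan/2024:10:00:04] "GET /index.html HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:05] "GET /login HTTP/1.1" 401',
    '10.0.0.9 - - [01/Jan/2024:10:00:06] "GET /login HTTP/1.1" 401',
    '10.0.0.9 - - [01/Jan/2024:10:00:07] "GET /login HTTP/1.1" 401',
    '10.0.0.9 - - [01/Jan/2024:10:00:08] "GET /login HTTP/1.1" 401',
    '10.0.0.9 - - [01/Jan/2024:10:00:09] "GET /login HTTP/1.1" 401',
    '10.0.0.7 - - [01/Jan/2024:10:00:10] "GET /products HTTP/1.1" 200',
]

# Signature database: pattern -> name. A signature engine can flag only what
# is listed here; a request shape absent from this table passes unnoticed
# until the vendor (or the analyst) adds it.
SIGNATURES = {
    r"\.\./": "directory-traversal",
    r"/etc/passwd": "sensitive-file-access",
}

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def parse(line: str) -> Dict[str, str]:
    """Split one access-log line into source address, request, and status."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Pattern matching: every line is compared against every stored signature."""
    alerts = []
    for line in lines:
        rec = parse(line)
        for pattern, name in SIGNATURES.items():
            if re.search(pattern, rec["req"]):
                alerts.append((rec["src"], name))
    return alerts


def anomaly_alerts(lines: List[str], baseline_failures: int = 1,
                   factor: float = 3.0) -> List[Tuple[str, str, int]]:
    """Statistical anomaly: a source whose 4xx count exceeds factor times the
    baseline is flagged even though no signature describes its requests.
    The baseline would normally be learned from a training period."""
    recs = [parse(line) for line in lines]
    failures = Counter(r["src"] for r in recs if r["status"].startswith("4"))
    return [(src, "excessive-4xx-responses", n)
            for src, n in failures.items() if n > factor * baseline_failures]
```

The repeated failed logins from 10.0.0.9 trigger no signature, because nothing in the signature table describes them, but they do exceed the statistical threshold; conversely the traversal request is caught by the signature engine on a single occurrence, which the anomaly engine would never see as unusual.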
Answer: True. SATAN was actually the first vulnerability assessment tool ever created. The co-creator was fired for releasing the program. The creator also released a second tool, named repent, to rename the program to SANTA. Although the CISSP exam is not platform-specific, you may be asked about well-known tools and open-source technologies, such as SATAN or Tripwire.
Answer: True. Watchdog timers can prevent timing problems, infinite loops, deadlocks, and other software issues.
Answer: False. Password Authentication Protocol (PAP) is not a secure protocol because passwords are passed in plaintext.
Answer: False. Diameter got its name as a takeoff on RADIUS. Diameter is considered a centralized AAA protocol. Diameter was designed for all forms of remote connectivity, not just dialup.
Answer: False. Attribute pairs are used with RADIUS. RADIUS is a UDP-based client/server protocol defined in RFCs 2058 and 2059. RADIUS provides three services: authentication, authorization, and accounting. RADIUS facilitates centralized user administration and keeps all user profiles in one location that all remote services share. SESAME is a single sign-on mechanism created in Europe.
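The attribute pairs mentioned above are type-length-value fields that follow the 20-byte RADIUS header. The following added example (not from the original text) builds and parses an Access-Request with three common attributes and applies the RFC 2865 section 5.2 User-Password hiding, which is an MD5 chain keyed by the shared secret and the request authenticator; the secret, authenticator and sample values are constructed for illustration.

```python
# Added example, not from the original text: build and parse a RADIUS
# Access-Request with its attribute pairs, including the User-Password
# hiding of RFC 2865 section 5.2. Secret, authenticator and values are constructed.
import hashlib
import os
import struct
ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4  # standard attribute types

def hide_password(password, secret, authenticator):
    """Pad to a multiple of 16 bytes, then XOR each block with an MD5 chain."""
    pwd = password.encode()
    pwd += b"\x00" * (-len(pwd) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pwd), 16):
        b = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(pwd[i:i + 16], b))
        out, prev = out + block, block  # next block keys off the previous ciphertext
    return out

def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password (needs the same shared secret)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()

def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    ra = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = b""
    for t, v in ((USER_NAME, username.encode()),
                 (USER_PASSWORD, hide_password(password, secret, ra)),
                 (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))):
        attrs += struct.pack("!BB", t, len(v) + 2) + v  # Type, Length (incl. header), Value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs

def parse_attributes(packet):
    """Return {type: value} from the attribute section of a RADIUS packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20  # attributes start right after the 16-byte authenticator
    while pos < length:
        t, l = struct.unpack("!BB", packet[pos:pos + 2])
        if l < 2 or pos + l > length:
            raise ValueError("malformed attribute length")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs
```

Note that the hiding is reversible by anyone who holds the shared secret and sees the packet, which is why RADIUS deployments protect the secret and the transport rather than relying on this construction alone.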
Answer: True. A capability can be a token, ticket, or key. Capabilities define specific use. For example, a movie ticket lets the holder watch the show. As another example, before access is granted to read a file, the capability is verified.
Answer: False. MAC is mandatory access control and, as such, the user has little freedom. Therefore, in a MAC-based system, access is determined by the system rather than the user. The MAC model typically is used by organizations that handle highly sensitive data, such as the DoD, NSA, CIA, and FBI.
Answer: True. Static separation of duties is one way to restrict the combination of duties. This means of control is commonly found in RBAC environments. For example, the individual who initiates the payment cannot also authorize the payment.
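The payment example above can be enforced in two places: when roles are assigned (a static constraint) and when the action is taken (an object-level check). The following added example, not from the original text, shows both on a minimal RBAC model; the role names, permissions and payment workflow are constructed for illustration.

```python
# Added example, not from the original text: static separation of duties
# on a minimal RBAC model. Role names, permissions and the payment
# workflow are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional

ROLE_PERMS = {  # role -> permissions it grants
    "payment_initiator": {"payment:initiate"},
    "payment_approver": {"payment:authorize"},
}
# Static SSD constraint: no user may hold both roles of any listed pair.
MUTUALLY_EXCLUSIVE = {frozenset({"payment_initiator", "payment_approver"})}

class SeparationOfDutiesError(Exception):
    pass

@dataclass
class Payment:
    payment_id: str
    initiated_by: str
    authorized_by: Optional[str] = None

@dataclass
class RBAC:
    user_roles: dict = field(default_factory=dict)  # user -> set of roles

    def assign_role(self, user, role):
        held = self.user_roles.setdefault(user, set())
        # Enforce the static constraint at assignment time, before the user
        # could ever exercise both halves of the workflow.
        for other in held:
            if frozenset({other, role}) in MUTUALLY_EXCLUSIVE:
                raise SeparationOfDutiesError(f"{user} holds {other}; cannot also hold {role}")
        held.add(role)

    def has_perm(self, user, perm):
        return any(perm in ROLE_PERMS.get(r, ()) for r in self.user_roles.get(user, ()))

    def initiate(self, user, payment_id):
        if not self.has_perm(user, "payment:initiate"):
            raise PermissionError(f"{user} may not initiate payments")
        return Payment(payment_id, initiated_by=user)

    def authorize(self, user, payment):
        if not self.has_perm(user, "payment:authorize"):
            raise PermissionError(f"{user} may not authorize payments")
        # Object-level check: the initiator of this payment can never be its
        # authorizer, even if the role data were later misconfigured.
        if payment.initiated_by == user:
            raise SeparationOfDutiesError(f"{user} initiated {payment.payment_id}")
        payment.authorized_by = user
        return payment
```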
Answer: False. Identity as a Service (IDaaS) solutions provide a range of identity and access management services, such as single sign-on functionality through the cloud and federated identity management.
Answer: True. Retina scanning matches blood vessels on the back of the eye and is very accurate. Iris scanning looks at the colored portion of the eye.
Answer: True. Terminal Access Controller Access Control System (TACACS) is available in three variations: TACACS, XTACACS (Extended TACACS), and TACACS+, which features two-factor authentication. TACACS also allows the division of the authentication, authorization, and accounting functions, which gives the administrator more control over its deployment.
Answer: False. This is actually a description of single sign-on (SSO).
Answer: True. Tokens are an example of type II authentication. Tokens, which are something you have, can be synchronous dynamic password tokens or asynchronous password devices. These devices use a challenge-response scheme and are form-factored as smart cards, USB plugs, key fobs, or keypad-based units. These devices generate authentication credentials that often are used as one-time passwords. Another great feature of token-based devices is that they can be used for two-factor authentication.
Answer: True. Keyboard dynamics is an example of type III authentication. Keyboard dynamics analyzes the speed and pattern of typing. Different biometric systems such as keyboard dynamics have varying levels of accuracy. The accuracy of a biometric device is measured by the percentage of type 1 and type 2 errors it produces.
Answer: False. Scrubbing is an activity undertaken by a user to erase evidence of illegal or unauthorized acts.
Answer: False. Keystroke monitoring can be used to watch employees’ activities. Keystroke monitors can be either hardware or software devices. One important issue with their use is acceptable use policies (AUPs). Users must understand that their activities can be monitored and that privacy is not implied.
Answer: True. A federated identity is an IdM that is considered portable. For example, consider someone who travels by both plane and rental car. If both the airline and the rental car company use a federated identity management system, the traveler’s authentication can be used between the two organizations.
Answer: True. Type I authentication systems typically have a clipping level set to 3. This limits logon attempts to three successive tries.
The answers are as follows:
Smurf: 4. Sends ping packets to broadcast addresses with the source address spoofed to that of the victim. The victim is flooded with ping replies.
LAND: 2. Sends a spoofed SYN packet that is addressed with the target’s address and port as the source and destination.
TRINOO: 5. An early type of DDoS attack.
SYN attack: 3. Sends a rapid series of spoofed SYN packets that are designed to fill up the receiver's queue.
Chargen: 1. Loops traffic between echo and chargen on ports 7 and 19.
Ping of death: 6. Sends ICMP ping packets that are at or exceed the maximum packet size.
Being able to identify common DoS and DDoS attacks will help you be prepared for the exam.
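Each of the attacks matched above has a recognizable signature in the packet headers, which is how a signature-based IDS spots them. The following added example, not from the original text, runs that classification over constructed packet summaries; the field names, the sample traffic and the SYN threshold are assumptions for illustration.

```python
# Added example, not from the original text: classify constructed packet
# summaries against the DoS signatures in the answer key above. Field
# names, sample traffic, LOCAL_NETS and the SYN threshold are assumptions.
from collections import Counter
from ipaddress import ip_address, ip_network

IP_MAX = 65535  # largest legal IPv4 datagram (reassembled size)
LOCAL_NETS = (ip_network("192.0.2.0/24"),)  # constructed: nets whose directed broadcast we know

def is_broadcast(addr):
    a = ip_address(addr)
    return addr == "255.255.255.255" or any(a == n.broadcast_address for n in LOCAL_NETS)

def classify(pkt):
    """Return the attack name a single packet matches, or None."""
    if pkt["proto"] == "tcp" and pkt["src"] == pkt["dst"] and pkt.get("sport") == pkt.get("dport"):
        return "LAND"  # source and destination address/port are the target's own
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == 8 and is_broadcast(pkt["dst"]):
        return "smurf"  # echo request aimed at a broadcast address
    if pkt["proto"] == "icmp" and pkt["length"] > IP_MAX:
        return "ping_of_death"  # oversized echo request
    if pkt["proto"] == "udp" and {pkt.get("sport"), pkt.get("dport")} == {7, 19}:
        return "chargen_loop"  # echo (7) and chargen (19) bounced at each other
    return None

def syn_flood_targets(pkts, threshold=100):
    """Destinations that received more than `threshold` bare SYNs in this batch."""
    syns = Counter(p["dst"] for p in pkts
                   if p["proto"] == "tcp" and p.get("flags") == "S")
    return {dst for dst, n in syns.items() if n > threshold}

# Constructed sample traffic: one packet of each single-packet kind plus a SYN burst.
SAMPLE = [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10", "sport": 139, "dport": 139, "flags": "S", "length": 40},
    {"proto": "icmp", "src": "192.0.2.10", "dst": "192.0.2.255", "icmp_type": 8, "length": 84},
    {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.10", "icmp_type": 8, "length": 65536},
    {"proto": "udp", "src": "192.0.2.10", "dst": "192.0.2.11", "sport": 7, "dport": 19, "length": 60},
] + [{"proto": "tcp", "src": f"203.0.113.{i % 250 + 1}", "dst": "192.0.2.10",
      "sport": 40000 + i, "dport": 80, "flags": "S", "length": 40} for i in range(150)]

def report(pkts=SAMPLE):
    """Count matches per attack name, adding one syn_flood entry per flooded host."""
    found = Counter(c for c in map(classify, pkts) if c)
    for _dst in syn_flood_targets(pkts):
        found["syn_flood"] += 1
    return dict(found)
```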
Match each access control type with its definition.
A. Discretionary access control:
4. Classification labeling of objects by owner
B. Mandatory access control:
3. Uses sensitivity labels
C. Role-based access control:
1. Assigns access to groups not users
D. Rule-based access control:
2. Used with firewalls and routers
E. Constrained user interfaces:
5. Works by restricting users to specific functions based on their role in the system
Match each item with the correct authentication type.
2. Something you are
B. Weakest form of encryption:
1. Something you know
C. Common access card:
3. Something you have
D. Type II error:
2. Something you are
E. Memory card:
3. Something you have
F. Pronounceable passwords:
1. Something you know
Match each authentication type with its definition.
A. Centralized authentication:
B. Uses ticket-granting service:
C. Allows secure web domains to exchange user authentication data:
D. Uses a single authentication server:
E. Uses port 389:
F. Introduced by Cisco: