5.10: Single Sign On (SSO) (Doshi) Flashcards

1
Q

What is a single sign-on (SSO)?

A

A user authentication service that permits a user to use one set of login credentials to access multiple applications.

2
Q

Advantages of SSO:

A

(1) Multiple passwords are not required, which encourages users to select a stronger password.
(2) Improves the administrator’s ability to manage users’ accounts.
(3) Reduces the administrative overhead cost of resetting passwords, because there are fewer IT help desk calls about passwords.
(4) Reduces the time users take to log into multiple applications.

3
Q

Disadvantages of SSO:

A

(1) SSO acts as a single authentication point for multiple applications, which constitutes the risk of a single point of failure.
(2) Supporting all major operating system environments is difficult.

4
Q

What is Reduced Sign on?

A

Users need to sign in individually to each application (with the same user ID and password).

5
Q

Kerberos:

A

Kerberos is an example of SSO.

Kerberos is an authentication service used to validate services and users in a distributed computing environment (DCE).

The name Kerberos derives from the mythical three-headed dog guarding the gates to the underworld.

In the client-server model, only users are authenticated. However, in a distributed computing environment (DCE) both users and servers authenticate themselves.

At initial logon time, a Kerberos third-party application is used to verify the identity of the client.

6
Q

MAJOR risks of SSO in order:

A

(1) - SSO acts as a SINGLE point of failure (best choice)

(2) SSO acts as a single authentication point for multiple applications.

7
Q

What is the most important CONTROL for SSO?

A

The implementation of a strong PASSWORD policy.

8
Q

An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. A MAJOR risk of using single sign-on (SSO) is that it:

A. acts as a single authentication point for multiple applications.
B. acts as a single point of failure.
C. acts as a bottleneck for smooth administration.
D. leads to a lockout of valid users in case of authentication failure.

A

A. acts as a single authentication point for multiple applications.

SSO acts as a single authentication point for multiple applications, which constitutes the risk of a single point of failure. The primary risk associated with single sign-on is the single authentication point. A single point of failure provides a similar redundancy to the single authentication point. However, failure can also be due to other reasons. So the more specific answer to this question is option A.

9
Q

An organization is introducing a single sign-on (SSO) system. In SSO, unauthorized access:

A. will have minor impact.
B. will have major impact.
C. is not possible.
D. is highly possible.

A

B. will have major impact.

Single sign-on (SSO) is a user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. This constitutes the risk of a single point of failure. The impact will be greater since the hacker needs to know only one password to gain access to all the related applications, and therefore it causes greater concern than if only the password to one of the systems is known. Introduction of SSO has no relevance to the possibility (higher or lower) of unauthorized access.

10
Q

An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. A MAJOR risk of using single sign-on (SSO) is that:

A. It increases security administrator work load.
B. It reduces administrator’s ability to manage user’s accounts.
C. It increases time taken by users to log into multiple applications.
D. Unauthorized password disclosure can have greater impact.

A

D. Unauthorized password disclosure can have greater impact.

Single sign-on (SSO) is a user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. This constitutes the risk of a single point of failure. The impact will be greater since the hacker needs to know only one password to gain access to all the related applications, and therefore it causes greater concern than if only the password to one of the systems is known. SSO improves the administrator’s ability to manage users’ accounts. SSO reduces the time users take to log into multiple applications and the workload of security administration.

11
Q

An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. To prevent unauthorized access, the MOST important action is to:

A. monitor all failed attempts.
B. regularly review log files.
C. implement a strong password policy.
D. deactivate all unused accounts.

A

C. implement a strong password policy.

A strong password policy is the better preventive control. The other options are good practices but may not be able to address the risk of unauthorized access if a password is compromised.

12
Q

Which of the following is the MOST important benefit of Single Sign On?

A. Easier administration of password management.
B. It can avoid a potential single point of failure issue.
C. Maintaining SSO is easy as it is not prone to human errors.
D. It protects network traffic.

A

A. Easier administration of password management.

Easier administration of changing or deleting passwords is the major advantage of implementing SSO. The advantages of SSO include the ability to use stronger passwords, easier administration of changing or deleting passwords, and requiring less time to access resources.

13
Q

Risk of unauthorized access can be BEST controlled by:

A. Before-image/after-image logging
B. Vitality detection
C. Multimodal biometrics
D. Kerberos

A

D. Kerberos

Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the database to authorized users. Vitality detection and multimodal biometrics are controls against spoofing and mimicry attacks. Before-image/after-image logging of database transactions is a detective control, as opposed to Kerberos, which is a preventative control.

14
Q

Which is the MAJOR or MOST critical risk of SSO when both (1) SSO acts as a SINGLE point of failure and (2) SSO acts as a single authentication point for multiple applications are given as options?

A

SSO acts as a single authentication point for multiple applications.

15
Q

Which of the following controls would be the MOST comprehensive in a remote access network with multiple and diverse subsystems?

A. Proxy server
B. Firewall installation
C. Network administrator
D. Password implementation and administration

A

?

16
Q

An IS auditor discovers evidence of fraud perpetrated with a manager’s user id. The manager had written the password, allocated by the system administrator, inside his/her desk drawer. The IS auditor should conclude that the:

A. manager’s assistant perpetrated the fraud.
B. perpetrator cannot be established beyond doubt.
C. fraud must have been perpetrated by the manager.
D. system administrator perpetrated the fraud.

A

?

17
Q

During an implementation review of a multiuser distributed application, the IS auditor finds minor weaknesses in three areas-the initial setting of parameters is improperly installed, weak passwords are being used and some vital reports are not being checked properly. While preparing the audit report, the IS auditor should:

A. record the observations separately with the impact of each of them marked against each respective finding.
B. advise the manager of probable risks without recording the observations, as the control weaknesses are minor ones.
C. record the observations and the risk arising from the collective weaknesses.
D. apprise the departmental heads concerned with each observation and properly document it in the report.

A

?

18
Q

The management of an organization has decided to establish a security awareness program. Which of the following would MOST likely be a part of the program?

A. Utilization of an intrusion detection system to report incidents.
B. Mandating the use of passwords to access all software.
C. Installing an efficient user log system to track the actions of each user
D. Provide training on a regular basis to all current and new employees.

A

?

19
Q

When reviewing an organization’s logical access security, which of the following would be of the MOST concern to an IS auditor?

A. Passwords are not shared.
B. Password files are encrypted.
C. Redundant logon IDs are deleted.
D. The allocation of logon IDs is controlled.

A

?

20
Q

(12) Which of the following satisfies a two-factor user authentication?

A. Iris scanning plus finger print scanning
B. Terminal ID plus global positioning system (GPS)
C. A smart card requiring the user’s PIN
D. User ID along with password

(13) The potential for unauthorized system access by way of terminals or workstations within an organization’s facility is increased when:

A. connecting points are available in the facility to connect laptops to the network.
B. users take precautions to keep their passwords confidential.
C. terminals with password protection are located in unsecured locations.
D. terminals are located within the facility in small clusters under the supervision of an administrator.

(14) An IS auditor finds that conference rooms have active network ports. Which of the following is MOST important to ensure?

A. The corporate network is using an intrusion prevention system (IPS)
B. This part of the network is isolated from the corporate network
C. A single sign-on has been implemented in the corporate network
D. Antivirus software is in place to protect the corporate network

A

?