Access Flashcards
Which of the following would you consider the MOST secure method of authentication? A. Biometric B. Password C. Token D. Ticket Granting
Answer: A
Explanation: Biometric authentication systems take advantage of an individual’s unique physical characteristics in order to authenticate that person’s identity. Various forms of biometric authentication include face, voice, eye, hand, signature, and fingerprint; each has its own advantages and disadvantages. When combined with a PIN, it can provide two-factor authentication.
Early in the development of biometric identification systems, it became apparent that truly positive identification could only be based on a person's physical attributes. This raised the necessity of answering two questions:
A. what was the sex of a person and his age
B. what part of the body to be used and how to accomplish identification to be viable
C. what was the age of a person and his income level
D. what was the tone of the voice of a person and his habits
Answer: B
Explanation:
What is called the percentage of invalid subjects that are falsely accepted?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Acceptance Rate (TAR) or Type III error
Answer: B
Explanation:
Which of the following biometric devices has the highest Crossover Error Rate (CER)? A. Iris scan B. Hand Geometry C. Voice pattern D. Fingerprints
Answer: C
Explanation:
Which of the following biometric parameters are better suited for authentication use over a long period of time? A. Iris pattern B. Voice pattern C. Signature dynamics D. Retina pattern
Answer: A
Explanation:
Which one of the following is the MOST critical characteristic of a biometrics system? A. Acceptability B. Accuracy C. Throughput D. Reliability
Answer: B
Explanation: We don’t agree with the original answer, which was throughput. Granted, throughput is vital, but Krutz lists accuracy as most important.
In addition to the accuracy of the biometric systems, there are OTHER factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability. Ronald Krutz, The CISSP Prep Guide (Gold Edition), pg 51
Which of the following biometric devices has the lowest user acceptance level? A. Voice recognition B. Fingerprint scan C. Hand geometry D. Signature recognition
Answer: B
Explanation:
Biometric performance is most commonly measured in terms of: A. FRR and FAR B. FAC and ERR C. IER and FAR D. FRR and GIC
Answer: A
Explanation: Biometric performance is most commonly measured in two ways: False Rejection Rate (FRR), and False Acceptance Rate (FAR). The FRR is the probability that you are not authenticated to access your account. A strict definition states that the FRR is the probability that a mated comparison (i.e. 2 biometric samples of the same finger) incorrectly determines that there is no match.
What is the most critical characteristic of a biometric identifying system? A. Perceived intrusiveness B. Storage requirements C. Accuracy D. Reliability
Answer: C
Explanation:
Which of the following biometric characteristics cannot be used to uniquely authenticate an individual's identity? A. Retina scans B. Iris scans C. Palm scans D. Skin scans
Answer: D
Explanation: Biometrics: fingerprints, palm scan, hand geometry, retina scan, iris scan, signature dynamics, keyboard dynamics, voice print, facial scan, hand topology.
Pg. 128-130 Shon Harris All-In-One CISSP Certification Exam Guide
You are comparing biometric systems. Security is the top priority. A low ________ is most important in this regard. A. FAR B. FRR C. MTBF D. ERR
Answer: A
Explanation: When comparing biometric systems, a low false acceptance rate is most important when security is the priority, whereas a low false rejection rate is most important when convenience is the priority. All biometric implementations balance these two criteria. Some systems use very high FARs, such as 1 in 300. This means that the likelihood that the system will accept someone other than the enrolled user is 1 in 300. However, the likelihood that the system will reject the enrolled user (its FRR) is very low, giving ease of use but low security. Most fingerprint systems should be able to run with FARs of 1 in 10,000 or better.
Almost all types of detection permit a system's sensitivity to be increased or decreased during an inspection process. To have a valid measure of the system performance: A. The CER is used. B. The FRR is used. C. The FAR is used. D. None of the above choices is correct.
Answer: A
Explanation: “When a biometric system rejects an authorized individual, it is called a Type 1 error. When the system accepts impostors who should be rejected, it is called a Type II error. The goal is to obtain low numbers for each type of error. When comparing different biometric systems, many different variables are used, but one of the most important variables is the crossover error rate (CER). This rating is stated in a percentage and represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most important measurement when determining the system’s accuracy.” Pg 113 Shon Harris: All-in-One CISSP Certification
The quality of fingerprints is crucial to maintain the necessary: A. FRR B. ERR and FAR C. FAR D. FRR and FAR
Answer: D
Explanation: Another factor that must be taken into account when determining the necessary FAR and FRR for your organization is the actual quality of the fingerprints in your user population. ABC’s experience with several thousand users, and the experience of its customers, indicates that a percentage of the population does not have fingerprints of sufficient quality to allow for authentication of the individual. Approximately 2.5% of employees fall into this group in the general office worker population. For these users, a smart card token with password authentication is recommended.
By requiring the user to use more than one finger to authenticate, you can:
A. Provide statistical improvements in EAR.
B. Provide statistical improvements in MTBF.
C. Provide statistical improvements in FRR.
D. Provide statistical improvements in ERR.
Answer: C
Explanation: Statistical improvements in false rejection rates can also be achieved by requiring the user to use more than one finger to authenticate. Such techniques are referred to as flexible verification.
Which of the following is considered the most reliable kind of personal identification? A. Token B. Finger print C. Password D. Ticket Granting
Answer: B
Explanation: Every person’s fingerprint is unique and is a feature that stays with the person throughout his/her life. This makes the fingerprint the most reliable kind of personal identification because it cannot be forgotten, misplaced, or stolen. Fingerprint authorization is potentially the most affordable and convenient method of verifying a person’s identity.
Which of the following methods is more microscopic and will analyze the direction of the ridges of the fingerprints for matching? A. None of the choices. B. Flow direct C. Ridge matching D. Minutia matching
Answer: D
Explanation: There are two approaches for capturing the fingerprint image for matching: minutia matching and global pattern matching. Minutia matching is a more microscopic approach that analyzes the features of the fingerprint, such as the location and direction of the ridges, for matching. The only problem with this approach is that it is difficult to extract the minutiae points accurately if the fingerprint is in some way distorted. The more macroscopic approach is global pattern matching where the flow of the ridges is compared at all locations between a pair of fingerprint images; however, this can be affected by the direction that the image is rotated.
Which of the following are the types of eye scan in use today? A. Retinal scans and body scans. B. Retinal scans and iris scans. C. Retinal scans and reflective scans. D. Reflective scans and iris scans.
Answer: B
Explanation: There are two types of eye scan in use today for authentication purposes: retinal scans and iris scans. Retinal scan technology maps the capillary pattern of the retina, a thin (1/50th inch) nerve on the back of the eye. To enroll, a minimum of five scans is required, which takes 45 seconds. The subject must keep his head and eye motionless within 1/2” of the device, focusing on a small rotating point of green light. 320 - 400 points of reference are captured and stored in a 35-byte field, ensuring the measure is accurate with a negligible false rejection rate. This compares to 30-70 points of reference for a finger scan. Unfortunately, a retinal scan is considerably more intrusive than an iris scan, and many people are hesitant to use the device [Retina-scan]. In addition, a significant number of people may be unable to perform a successful enrollment, and there exist degenerative diseases of the retina that alter the scan results over time. Despite these disadvantages, there are several successful implementations of this technology [Retina-scan].
Which of the following eye scan methods is considered to be more intrusive? A. Iris scans B. Retinal scans C. Body scans D. Reflective scans
Answer: B
Explanation: There are two types of eye scan in use today for authentication purposes: retinal scans and iris scans. Retinal scan technology maps the capillary pattern of the retina, a thin (1/50th inch) nerve on the back of the eye. To enroll, a minimum of five scans is required, which takes 45 seconds. The subject must keep his head and eye motionless within 1/2” of the device, focusing on a small rotating point of green light. 320 - 400 points of reference are captured and stored in a 35-byte field, ensuring the measure is accurate with a negligible false rejection rate. This compares to 30-70 points of reference for a finger scan. Unfortunately, a retinal scan is considerably more intrusive than an iris scan, and many people are hesitant to use the device [Retina-scan]. In addition, a significant number of people may be unable to perform a successful enrollment, and there exist degenerative diseases of the retina that alter the scan results over time. Despite these disadvantages, there are several successful implementations of this technology [Retina-scan].
Which of the following offers greater accuracy than the others? A. Facial recognition B. Iris scanning C. Finger scanning D. Voice recognition
Answer: B
Explanation: Iris scanning offers greater accuracy than finger scanning, voice or facial recognition, hand geometry or keystroke analysis. It is safer and less invasive than retinal scanning, an important legal consideration [Nuger]. Any company thinking of using biometrics would do well to ensure that they comply with existing privacy laws.
In addition to the accuracy of the biometric systems, there are other factors that must also be considered:
A. These factors include the enrollment time and the throughput rate, but not acceptability.
B. These factors do not include the enrollment time, the throughput rate, and acceptability.
C. These factors include the enrollment time, the throughput rate, and acceptability.
D. These factors include the enrollment time, but neither the throughput rate nor the acceptability.
Answer: C
Explanation: In addition to the accuracy of the biometric systems, there are OTHER factors that must also be considered. These factors include the enrollment time, the throughput rate, and acceptability. -Ronald Krutz The CISSP PREP Guide (gold edition) pg 51
What physical characteristics does a retinal scan biometric device measure?
A. The amount of light reaching the retina
B. The amount of light reflected by the retina
C. The size, curvature, and shape of the retina
D. The pattern of blood vessels at the back of the eye
Answer: D
Explanation:
Type II errors occur when which of the following biometric system rates is high? A. False accept rate B. False reject rate C. Crossover error rate D. Speed and throughput rate
Answer: A
Explanation: There are three main performance issues in biometrics. These measures are as follows:
False Rejection Rate (FRR) or Type 1 Error. The percentage of valid subjects that are falsely rejected.
False Acceptance Rate (FAR) or Type 2 Error. The percentage of invalid subjects that are falsely accepted.
Crossover Error Rate (CER). The percent at which the False Rejection Rate equals the False Acceptance Rate.
pg 38 Krutz: The CISSP Prep Guide.
Which of the following are the valid categories of hand geometry scanning? A. Electrical and image-edge detection. B. Mechanical and image-edge detection. C. Logical and image-edge detection. D. Mechanical and image-ridge detection.
Answer: B
Explanation: Hand geometry reading (scanning) devices usually fall into one of two categories: mechanical or image-edge detection. Both methods are used to measure specific characteristics of a person’s hand such as length of fingers and thumb, widths, and depth.
In the world of keystroke dynamics, what represents the amount of time you hold down a particular key? A. Dwell time B. Flight time C. Dynamic time D. Systems time
Answer: A
Explanation: Keystroke dynamics looks at the way a person types at a keyboard. Specifically, keyboard dynamics measures two distinct variables: “dwell time” which is the amount of time you hold down a particular key and “flight time” which is the amount of time it takes a person to switch between keys. Keyboard dynamics systems can measure one’s keyboard input up to 1000 times per second.
In the world of keystroke dynamics, what represents the amount of time it takes a person to switch between keys? A. Dynamic time B. Flight time C. Dwell time D. Systems time.
Answer: B
Explanation: Keystroke dynamics looks at the way a person types at a keyboard. Specifically, keyboard dynamics measures two distinct variables: “dwell time” which is the amount of time you hold down a particular key and “flight time” which is the amount of time it takes a person to switch between keys. Keyboard dynamics systems can measure one’s keyboard input up to 1000 times per second.
Which of the following are the benefits of Keystroke dynamics? A. Low cost B. Unintrusive device C. Transparent D. All of the choices.
Answer: D
Explanation: Keystroke dynamics is behavioral in nature. It works well with users that can “touch type”. Key advantages in applying keyboard dynamics are that the device used in this system, the keyboard, is unintrusive and does not detract from one’s work. Enrollment as well as identification goes undetected by the user. Another inherent benefit to using keystroke dynamics as an identification device is that the hardware (i.e. keyboard) is inexpensive. Currently, plug-in boards, built-in hardware and firmware, or software can represent keystroke dynamics systems.
DSV as an identification method checks a user's: A. Fingerprints B. Signature C. Keystrokes D. Facial expression
Answer: B
Explanation: Signature identification, also known as Dynamic Signature Verification (DSV), is another natural fit in the world of biometrics since identification through one’s signature occurs during many everyday transactions. Any process or transaction that requires an individual’s signature is a prime contender for signature identification.
Signature identification systems analyze what areas of an individual’s signature?
A. All of the choices EXCEPT the signing rate.
B. The specific features of the signature.
C. The specific features of the process of signing one’s signature.
D. The signature rate.
Answer: A
Explanation: Signature identification systems analyze two different areas of an individual’s signature: the specific features of the signature and specific features of the process of signing one’s signature. Features that are taken into account and measured include speed, pen pressure, directions, stroke length, and the points in time when the pen is lifted from the paper.
What are the advantages to using voice identification? A. All of the choices. B. Timesaving C. Reliability D. Flexibility
Answer: A
Explanation: The many advantages to using voice identification include: being considered a “natural” biometric technology; eyes- and hands-free operation; reliability; flexibility; timesaving data input; elimination of spelling errors; and improved data accuracy.
What are the methods used in the process of facial identification? A. None of the choices. B. Detection and recognition. C. Scanning and recognition. D. Detection and scanning.
Answer: B
Explanation: The process of facial identification incorporates two significant methods: detection and recognition.
In the process of facial identification, the basic underlying recognition technology of facial identification involves: A. Eigenfeatures or eigenfaces. B. Scanning and recognition. C. Detection and scanning. D. None of the choices.
Answer: A
Explanation: Recognition is comparing the captured face to other faces that have been saved and stored in a database. The basic underlying recognition technology of facial feature identification involves either eigenfeatures (facial metrics) or eigenfaces. The German word “eigen” refers to recursive mathematics used to analyze unique facial characteristics.
What is known as the probability that you are not authenticated to access your account? A. ERR B. FRR C. MTBF D. FAR
Answer: B
Explanation: Biometric performance is most commonly measured in two ways: False Rejection Rate (FRR), and False Acceptance Rate (FAR). The FRR is the probability that you are not authenticated to access your account. A strict definition states that the FRR is the probability that a mated comparison (i.e. 2 biometric samples of the same finger) incorrectly determines that there is no match.
What is known as the chance that someone other than you is granted access to your account? A. ERR B. FAR C. FRR D. MTBF
Answer: B
Explanation: The FAR is the chance that someone other than you is granted access to your account, in other words, the probability that a non-mated comparison (i.e. two biometric samples of different fingers) match. FAR and FRR numbers are generally expressed in terms of probability.
Note: False accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted.
False reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected.
FRR is a Type 1 error; FAR is a Type 2 error.
What is typically used to illustrate the comparative strengths and weaknesses of each biometric technology? A. Decipher Chart B. Zephyr Chart C. Cipher Chart D. Zapper Chart
Answer: B
Explanation: The Zephyr Chart illustrates the comparative strengths and weaknesses of each biometric technology. The eight primary biometric technologies are listed around the outer border, and for each technology the four major evaluation criteria are ranked from outside (better) to inside (worse). Looking at dynamic signature verification (DSV) will illustrate how the Zephyr Chart works.
In terms of the order of effectiveness, which of the following technologies is the most effective? A. Fingerprint B. Iris scan C. Keystroke pattern D. Retina scan
Answer: B
Explanation: The order of effectiveness has not changed for a few years. It is still the same today as it was three years ago. The list below presents them from most effective to least effective: iris scan, retina scan, fingerprint, hand geometry, voice pattern, keystroke pattern, signature.
In terms of the order of effectiveness, which of the following technologies is the least effective? A. Voice pattern B. Signature C. Keystroke pattern D. Hand geometry
Answer: B
Explanation: The order of effectiveness has not changed for a few years. It is still the same today as it was three years ago. The list below presents them from most effective to least effective: iris scan, retina scan, fingerprint, hand geometry, voice pattern, keystroke pattern, signature.
In terms of the order of acceptance, which of the following technologies is the MOST accepted? A. Hand geometry B. Keystroke pattern C. Voice Pattern D. Signature
Answer: C
Explanation: The order of acceptance has slightly changed in the past years. It was Iris that was the most accepted method three years ago, but today we have Voice Pattern that is by far the most accepted. Here is the list from most accepted first to least accepted last: voice pattern, keystroke pattern, signature, hand geometry, handprint, fingerprint, iris, retina pattern.
In terms of the order of acceptance, which of the following technologies is the LEAST accepted? A. Fingerprint B. Iris C. Handprint D. Retina patterns
Answer: D
Explanation: The order of acceptance has slightly changed in the past years. It was Iris that was the most accepted method three years ago, but today we have Voice Pattern that is by far the most accepted. Here is the list from most accepted first to least accepted last: voice pattern, keystroke pattern, hand geometry, handprint, fingerprint, iris, retina pattern, signature.
Which of the following is true of two-factor authentication?
A. It uses the RSA public-key signature based algorithm on integers with large prime factors
B. It requires two measurements of hand geometry
C. It does not use single sign-on technology
D. It relies on two independent proofs of identity
Answer: D
Explanation:
What is Kerberos?
A. A three-headed dog from Egyptian Mythology
B. A trusted third-party authentication protocol
C. A security model
D. A remote authentication dial in user server
Answer: B
Explanation:
Which of the following is true about Kerberos?
A. It utilizes public key cryptography
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text
C. It depends upon symmetric ciphers
D. It is a second party authentication system
Answer: C
Explanation: “Kerberos relies upon symmetric key cryptography, specifically Data Encryption Standard (DES), and provides end-to-end security for authentication traffic between the client and the Key Distribution Center (KDC).” Pg. 15 Tittel: CISSP Study Guide
Kerberos depends upon what encryption method? A. Public Key cryptography B. Private Key cryptography C. El Gamal cryptography D. Blowfish cryptography
Answer: B
Explanation: Kerberos uses symmetric key cryptography and provides end-to-end security, meaning that information being passed between a user and a service is protected without the need of an intermediate component. Although it allows the use of passwords for authentication, it was designed specifically to eliminate the need for transmitting passwords over the network. Most Kerberos implementations work with cryptography keys and shared secret keys (private keys) instead of passwords. Pg 148 Shon Harris All-In-One CISSP Certification Exam Guide
The primary service provided by Kerberos is which of the following? A. non-repudiation B. confidentiality C. authentication D. authorization
Answer: C
Explanation:
Which of the following are authentication server systems with operational modes that can implement SSO?
A. Kerberos, SESAME and KryptoKnight
B. SESAME, KryptoKnight and NetSP
C. Kerberos and SESAME
D. Kerberos, SESAME, KryptoKnight, and NetSP
Answer: D
Explanation: “Scripts, directory services, thin clients, Kerberos, SESAME, NetSP, scripted access, and KryptoKnight are examples of SSO (single sign-on) mechanisms.”
Pg. 14 Tittel: CISSP Study Guide Second Edi
Which of the following is a trusted, third party authentication protocol that was developed under Project Athena at MIT? A. Kerberos B. SESAME C. KryptoKnight D. NetSP
Answer: A
Explanation: “Kerberos is an authentication protocol and was designed in the mid-1980s as part of MIT’s Project Athena.” Pg 129 Shon Harris: All-in-One CISSP Certification
One of the differences between Kerberos and KryptoKnight is that there is:
A. a mapped relationship among the parties takes place
B. there is a peer-to-peer relationship among the parties with themselves.
C. there is no peer-to-peer relationship among the parties and the KDC
D. a peer-to-peer relationship among the parties and the KDC
Answer: D
Explanation: “KryptoKnight
The IBM KryptoKnight system provides authentication, SSO, and key distribution services. It was designed to support computers with widely varying computational capabilities. KryptoKnight uses a trusted Key Distribution Center (KDC) that knows the secret key of each party. One of the differences between Kerberos and KryptoKnight is that there is a peer-to-peer relationship among the parties and the KDC.”
Pg. 58 Krutz: The CISSP Prep Guide: Gold Edition
Which of the following is the MOST secure network access control procedure to adopt when using a callback device?
A. The user enters a userid and PIN, and the device calls back the telephone number that corresponds to the userid.
B. The user enters a userid, PIN, and telephone number, and the device calls back the telephone number entered.
C. The user enters the telephone number, and the device verifies that the number exists in its database before calling back.
D. The user enters the telephone number, and the device responds with a challenge.
Answer: A
Explanation: Usually a request for a username and password takes place, and the NAS may hang up the call in order to call the user back at a predefined phone number. This is a security activity that is used to try and ensure that only authenticated users are given access to the network, and it reverses the long-distance charges back to the company…However, this security measure can be compromised if someone implements call forwarding. - Shon Harris All-in-One CISSP Certification Guide pg 463
What is called the access protection system that limits connections by calling back the number of a previously authorized location? A. Sendback system B. Callback forward systems C. Callback systems D. Sendback forward systems
Answer: C
Explanation: “Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding.” Pg 48 Krutz: CISSP Prep Guide: Gold Edition
A confidential number to verify a user's identity is called a: A. PIN B. userid C. password D. challenge
Answer: A
Explanation:
How are memory cards and smart cards different?
A. Memory cards normally hold more memory than smart cards
B. Smart cards provide a two-factor authentication whereas memory cards don’t
C. Memory cards have no processing power
D. Only smart cards can be used for ATM cards
Answer: C
Explanation: “The main difference between memory cards and smart cards is the processing power. A memory card holds information, but does not process information. A smart card has the necessary hardware and logic to actually process information.” Pg 121 Shon Harris CISSP All-In-One Exam Guide
Devices in the form of credit-card-size memory cards or smart cards, or resembling small calculators, that are used to supply static and dynamic passwords are called: A. Tickets B. Tokens C. Token passing networks D. Coupons
Answer: B
Explanation:
Tokens, as a way to identify users, are subject to what type of error? A. Token error B. Decrypt error C. Human error D. Encrypt error
Answer: C
Explanation: Tokens are a fantastic way of ensuring the identity of a user. However, you must remember that no system is immune to “human error”. If the token is lost with its PIN written on it, or if it were loaned together with the corresponding PIN, it would allow for masquerading. This is one of the greatest threats that you have with tokens.
Which of the following factors may render a token based solution unusable? A. Token length B. Card size C. Battery lifespan D. None of the choices
Answer: C
Explanation: Another limitation of some of the tokens is their battery lifespan. For example, in the case of SecurID you have a token that has a battery that will last from 1 to 3 years depending on the type of token you acquired. Some token companies such as Cryptocard have introduced tokens that have a small battery compartment allowing you to change the battery when it is discharged.
Memory only cards work based on: A. Something you have. B. Something you know. C. None of the choices. D. Something you know and something you have.
Answer: D
Explanation: Memory Only Card - This type of card is the most common card. It has a magnetic stripe on the back. These cards can offer two-factor authentication, the card itself (something you have) and the PIN (something you know). Everyone is familiar with the use of an ATM (Automated Teller Machine) card. These memory cards are very easy to counterfeit. There was a case in Montreal where a storeowner would swipe the card through for the transaction; he would then swipe it through a card reader to get a copy, while a small hidden camera was registering the PIN as the user was punching it on the pad. This scheme was quickly identified as the victims had one point in common; they all visited the same store.
Which of the following is a disadvantage of a memory only card? A. High cost to develop. B. High cost to operate. C. Physically infeasible. D. Easy to counterfeit.
Answer: D
Explanation: Memory Only Card - This type of card is the most common card. It has a magnetic stripe on the back. These cards can offer two-factor authentication, the card itself (something you have) and the PIN (something you know). Everyone is familiar with the use of an ATM (Automated Teller Machine) card. These memory cards are very easy to counterfeit. There was a case in Montreal where a storeowner would swipe the card through for the transaction; he would then swipe it through a card reader to get a copy, while a small hidden camera was registering the PIN as the user was punching it on the pad. This scheme was quickly identified as the victims had one point in common; they all visited the same store.
The word “smart card” has meanings of:
A. Personal identity token containing IC-s.
B. Processor IC card.
C. IC card with ISO 7816 interface.
D. All of the choices.
Answer: D
Explanation: The word “smart card” has four different meanings (in order of usage frequency): (1) IC card with ISO 7816 interface; (2) processor IC card; (3) personal identity token containing IC-s; (4) Integrated Circuit(s) Card, an ID-1 type card (specified in ISO 7810) into which one or more integrated circuits have been inserted. [ISO 7816]
Processor card contains which of the following components? A. Memory and hard drive. B. Memory and flash. C. Memory and processor. D. Cache and processor.
Answer: C
Explanation: Processor cards contain memory and a processor. They have remarkable data processing capabilities. Very often the data processing power is used to encrypt/decrypt data, which makes this type of card a very unique personal identification token. Data processing also permits dynamic storage management, which enables the realization of flexible multifunctional cards.
Which of the following offers advantages such as the ability to use stronger passwords, easier password administration, and faster resource access? A. Smart cards B. Single Sign-on (SSO) C. Kerberos D. Public Key Infrastructure (PKI)
Answer: B
Explanation:
What is the main concern with single sign-on?
A. Maximum unauthorized access would be possible if a password is disclosed
B. The security administrator’s workload would increase
C. The users’ passwords would be too hard to remember
D. User access rights would be increased
Answer: A
Explanation:
Which of the following describes the major disadvantage of many SSO implementations?
A. Once a user obtains access to the system through the initial log-on they can freely roam the network resources without any restrictions
B. The initial logon process is cumbersome to discourage potential intruders
C. Once a user obtains access to the system through the initial log-on, they only need to logon to some applications.
D. Once a user obtains access to the system through the initial log-on, he has to logout from all other systems
Answer: A
Reference: “The major disadvantage of many SSO implementations is that once a user obtains access to the system through the initial logon, the user can freely roam the network resources without any restrictions.” pg 53 Krutz: CISSP Prep Guide: Gold Edition
Which of the following addresses cumbersome situations where users need to log on multiple times to access different resources? A. Single Sign-On (SSO) systems B. Dual Sign-On (DSO) systems C. Double Sign-On (DS0) systems D. Triple Sign-On (TSO) systems
Answer: A
Explanation:
A method for a user to identify and present credentials only once to a system is known as: A. SEC B. IPSec C. SSO D. SSL
Answer: C
Explanation: Single Sign-On (SSO) - This is a method for a user to identify and present credentials only once to a system. Information needed for future access to system resources is forwarded by the initial system.
BENEFITS
More efficient user log-on process
Users select stronger passwords
Inactivity timeout and attempt thresholds applied uniformly, closer to the user’s point of entry
Improved, timely disabling of all network/computer accounts for terminated users
Which of the following correctly describe the features of SSO? A. More efficient log-on. B. More costly to administer. C. More costly to setup. D. More key exchanging involved.
Answer: A
Explanation: Single Sign-On (SSO) - This is a method for a user to identify and present credentials only once to a system. Information needed for future access to system resources is forwarded by the initial system.
BENEFITS
More efficient user log-on process
Users select stronger passwords
Inactivity timeout and attempt thresholds applied uniformly, closer to the user’s point of entry
Improved, timely disabling of all network/computer accounts for terminated users
What is the PRIMARY advantage of using a separate authentication server (e.g., Remote Access Dial-In User System, Terminal Access Controller Access Control System) to authenticate dial-in users?
A. Single user logons are easier to manage and audit.
B. Each session has a unique (one-time) password assigned to it.
C. Audit and access information are not kept on the access server.
D. Call-back is very difficult to defeat.
Answer: C
Explanation: TACACS integrates the authentication and authorization processes. XTACACS keeps the authentication, authorization, and accounting processes separate. TACACS+ improves on XTACACS by adding two-factor authentication. - Ed Tittel, CISSP Study Guide (Sybex), pg 745
Within the Open Systems Interconnection (OSI) Reference Model, authentication addresses the need for a network entity to verify both
A. The identity of a remote communicating entity and the authenticity of the source of the data that are received.
B. The authenticity of a remote communicating entity and the path through which communications are received.
C. The location of a remote communicating entity and the path through which communications are received.
D. The identity of a remote communicating entity and the level of security of the path through which data are received.
Answer: A
Explanation: In the OSI model the receiving entity needs to know the source of the data and that the source is who it claims to be. The path the data takes is not a concern unless source routing is used. The level of security of the path is not inherently a concern of the receiving node (in general) unless it is configured to be. A is the best option in this question.
Which of the following is the most reliable authentication device?
A. Variable callback system
B. Smart card system
C. Fixed callback system
D. Combination of variable and fixed callback system
Answer: B
Explanation:
Which of the following are proprietarily implemented by Cisco? A. RADIUS+ B. TACACS C. XTACACS and TACACS+ D. RADIUS
Answer: C
Explanation: Cisco implemented an enhanced version of TACACS, known as XTACACS (extended TACACS), which was also compatible with TACACS. It allowed for UDP and TCP encoding. XTACACS contained several improvements: it provided accounting functionality to track the length of a login and which hosts a user connected to, and it also separated the authentication, authorization, and accounting processes so that they could be implemented independently. None of the three functions is mandatory. XTACACS is described in RFC 1492. TACACS+ is the latest Cisco implementation. It is best described as XTACACS with improved attribute control (authorization) and accounting.
What is a protocol used for carrying authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server? A. IPSec B. RADIUS C. L2TP D. PPTP
Answer: B
Explanation: RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which wishes to authenticate its links, and a shared Authentication Server. RADIUS is a standard published in RFC 2138.
RADIUS is defined by which RFC? A. 2168 B. 2148 C. 2138 D. 2158
Answer: C
Explanation: RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which wishes to authenticate its links, and a shared Authentication Server. RADIUS is a standard published in RFC 2138, as mentioned above.
In a RADIUS architecture, which of the following acts as a client? A. A Network Access Server. B. None of the choices. C. The end user. D. The authentication server.
Answer: A
Explanation: A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers and then acting on the response that is returned.
In a RADIUS architecture, which of the following can act as a proxy client? A. The end user. B. A Network Access Server. C. The RADIUS authentication server. D. None of the choices.
Answer: C
Explanation: A RADIUS server can act as a proxy client to other RADIUS servers or other kinds of authentication servers.
Which of the following statements pertaining to RADIUS is incorrect?
A. A RADIUS server can act as a proxy server, forwarding client requests to other authentication domains.
B. Most RADIUS clients have the capability to query secondary RADIUS servers for redundancy.
C. Most RADIUS servers have built-in database connectivity for billing and reporting purposes.
D. Most RADIUS servers can work with DIAMETER servers.
Answer: D
Explanation:
Which of the following is the weakest authentication mechanism? A. Passphrases B. Passwords C. One-time passwords D. Token devices
Answer: B
Explanation:
What is the PRIMARY use of a password? A. Allow access to files B. Identify the user C. Authenticate the user D. Segregate various users’ accesses
Answer: C
Explanation:
Software-generated passwords have what drawbacks? A. Passwords are not easy to remember. B. Passwords are too secure. C. None of the choices. D. Passwords are unbreakable.
Answer: A
Explanation: Passwords can be generated by a software package or by some operating systems. These password generators are good at producing unique and hard-to-guess passwords; however, you must ensure that they are not so hard that people cannot remember them. If you force your users to write their passwords down, you are defeating the purpose of having strong password management.