Access Control Flashcards

1
Q

Which of the following is true related to a subject?

A. A subject is always a user account.
B. The subject is always the entity that provides or hosts the information or data.
C. The subject is always the entity that receives information about or data from the object.
D. A single entity can never change roles between subject and object.

A

C. The subject is active and is always the entity that receives information about or data from the object. A subject can be a user, a program, a process, a file, a computer, a database, and so on. The object is always the entity that provides or hosts information or data. The roles of subject and object can switch while two entities communicate to accomplish a task.

2
Q

Which of the following is considered a primary goal of access control?

A. Preserve confidentiality, integrity, and availability of systems.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.

A

A. Access control mechanisms help to prevent losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system and objects are accessed. A first step in access control is the identification and authentication of subjects, but access control also includes authorization and accountability.

3
Q

Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring?

A. Preventive
B. Detective
C. Corrective
D. Authoritative

A

A. A preventive access control is deployed to stop an unwanted or unauthorized activity from occurring. Detective controls discover the activity after it has occurred, and corrective controls attempt to reverse any problems caused by the activity. Access controls are not categorized as authoritative.

4
Q

What type of access controls are hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems?

A. Administrative
B. Logical/technical
C. Physical
D. Preventive

A

B. Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Administrative controls are managerial controls and physical controls use physical items to control physical access. A preventive control attempts to prevent security incidents.

5
Q

All of the following are needed for system accountability except for one. Which one is not needed?

A. Identification
B. Authentication
C. Auditing
D. Authorization

A

D. Authorization is not needed for accountability. However, users must be identified and authenticated and their actions logged using some type of auditing to provide accountability.

6
Q

Which of the following is an example of a Type 2 authentication factor?

A. “Something you have,” such as a smart card, ATM card, token device, and memory card
B. “Something you are,” such as fingerprints, voice print, retina pattern, iris pattern, face shape, palm topology, and hand geometry
C. “Something you do,” such as typing a passphrase, or signing your name
D. “Something you know,” such as a password, personal identification number (PIN), lock combination, passphrase, mother’s maiden name, and favorite color

A

A. A Type 2 authentication factor is “something you have,” including a smart card, token device, or memory card. Type 3 authentication is “something you are,” and some behavioral biometrics include “something you do.” Type 1 authentication is “something you know.”

7
Q

Users are given a device that generates one-time passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?

A. Synchronous token
B. Asynchronous token
C. Smart card
D. Common access card

A

A. A synchronous token generates one-time passwords and displays them on an LCD, and each password is synchronized with an authentication server. An asynchronous token uses a challenge-response process to generate the token. Smart cards do not generate one-time passwords, and common access cards are a version of a smart card that includes a picture of the user.

8
Q

What can be used as an authentication factor that is a behavioral or physiological characteristic unique to a subject?

A. Account ID
B. Biometric factor
C. Token
D. PIV

A

B. A biometric factor is a behavioral or physiological characteristic that is unique to a subject, such as fingerprints and face scans, and is also known as a Type 3 authentication factor. An account ID provides identification. A token is a Type 2 authentication factor. A Personal Identity Verification (PIV) card is a smart card that includes a picture of the user.

9
Q

What does the crossover error rate (CER) for a biometric device indicate?

A. It indicates that the sensitivity is tuned too high.
B. It indicates that the sensitivity is tuned too low.
C. It indicates the point where false rejection rate and the false acceptance rate are equal.
D. It indicates that the biometric device is not properly configured.

A

C. The point at which biometric Type 1 errors (false rejection rate) and Type 2 errors (false acceptance rate) are equal is the crossover error rate (CER). The CER level is used as a standard assessment point to compare biometric authentication systems. It does not indicate that sensitivity is too high or too low or whether the device is configured properly.

10
Q

A biometric system has falsely rejected a valid user, indicating that the user is not recognized. What type of error is this?

A. Type 1 error
B. Type 2 error
C. Crossover error rate
D. Equal error rate

A

A. A Type 1 error occurs when a valid subject is not authenticated and is also known as a false negative authentication. A Type 2 error occurs when an invalid subject is authenticated. This is also known as a false positive authentication. The crossover error rate (also called equal error rate) compares the rate of Type 1 errors to Type 2 errors and provides a measurement of the accuracy of the biometric system.

11
Q

A large table includes multiple subjects and objects. It identifies the specific access each subject has to different objects. What is this table called?

A. Access control list
B. Access control matrix
C. Federation
D. Creeping privilege

A

B. An access control matrix includes multiple subjects and objects and lists subjects’ access to various objects. A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management system for single sign-on. Creeping privileges refers to excessive privileges a subject gathers over time.

12
Q

What is an access control list (ACL) based on?

A. An object
B. A subject
C. A role
D. An account

A

A. An ACL is based on an object and includes a list of subjects that are granted access. A capability table is focused on a subject and includes a list of objects the subject can access. Roles and accounts are examples of subjects and may be included in an ACL, but they aren’t the focus.

13
Q

What type of access controls rely upon the use of labels?

A. Discretionary
B. Nondiscretionary
C. Mandatory
D. Role based

A

C. Mandatory access controls rely on use of labels for subjects and objects. Discretionary access control systems allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management such as a rule-based access control deployed on a firewall. Role-based access controls define a subject’s access based on job-related roles.

14
Q

An organization has created an access control policy that grants specific privileges to accountants. What type of access control is this?

A. Discretionary
B. Mandatory
C. Rule based
D. Role based

A

D. A role-based access control policy grants specific privileges based on roles, and roles are frequently job based or task based. Discretionary access controls allow owners to control privileges, mandatory access controls use labels to control privileges, and rule-based access controls use rules.

15
Q

Which of the following is not used to support single sign-on?

A. Kerberos
B. Federated identity management system
C. TACACS+
D. SPML

A

C. TACACS+ is a centralized authentication service used for remote access clients but not for single sign-on. Kerberos and federated identity management systems are used to support single sign-on. Service Provisioning Markup Language (SPML) is a language used with some federated identity systems.

16
Q

Which of the following is the best choice to support federated identity management systems?

A. Kerberos
B. Hypertext Markup Language (HTML)
C. Extensible Markup Language (XML)
D. Service Provisioning Markup Language (SPML)

A

D. SPML is an XML-based framework used to exchange user information for single sign-on (SSO) between organizations within a federated identity management system. Kerberos supports SSO in a single organization, not a federation. HTML only describes how data is displayed. XML could be used, but it would require redefining tags already defined in SPML.

17
Q

Which of the following authentication, authorization, and accounting (AAA) protocols is based on RADIUS and supports Mobile IP and Voice over IP?

A. Distributed access control
B. Diameter
C. TACACS+
D. TACACS

A

B. Diameter is based on RADIUS and it supports Mobile IP and Voice over IP. Distributed access control systems such as a federated identity management system are not a specific protocol, and they don’t necessarily provide authentication, authorization, and accounting. TACACS and TACACS+ are AAA protocols, but they are alternatives to RADIUS, not based on RADIUS.

18
Q

Name at least seven access control types.

A

Access control types include preventive access control, deterrent access control, detective access control, corrective access control, recovery access control, compensation access control, directive access control, administrative access control, logical or technical access control, and physical control. They are implemented as administrative controls, logical/technical controls, and/or physical controls.

19
Q

Describe the three primary authentication factor types.

A

A Type 1 authentication factor is “something you know.” A Type 2 authentication factor is “something you have.” A Type 3 authentication factor is “something you are.”

20
Q

Name the method that allows users to log on once and access resources in multiple organizations without authenticating again.

A

Federated identity management systems allow single sign-on to be extended beyond a single organization. Single sign-on allows users to authenticate once and access multiple resources without authenticating again.

21
Q

Identify the three primary elements within the identity and access provisioning life cycle.

A

The identity and access provisioning life cycle includes provisioning accounts, periodically reviewing and managing accounts, and revocation of accounts when they are no longer being used.

22
Q

When an organization is attempting to identify risks, what should they identify first?

A. Assets
B. Threats
C. Vulnerabilities
D. Public attacks

A

A. An organization must first identify the value of assets when identifying risks so that they can focus on risks to their most valuable assets. They can then identify threats and vulnerabilities. Public attacks can be evaluated to determine if they present a risk to the organization, but this should not be the first step.

23
Q

What would an organization do to identify weaknesses?

A. Asset valuation
B. Threat modeling
C. Vulnerability analysis
D. Access review

A

C. A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Asset valuation determines the value of assets, not weaknesses. Threat modeling attempts to identify threats, and threats are often paired with vulnerabilities to identify risk, but threat modeling doesn’t identify weaknesses. An access review audits account management and object access practices.

24
Q

Which of the following is not a valid measure to take to improve protection against brute-force and dictionary attacks?

A. Enforce strong passwords through a security policy.
B. Maintain strict control over physical access.
C. Require all users to log in remotely.
D. Use two-factor authentication.

A

C. Requiring users to log in remotely does not protect against password attacks such as brute-force or dictionary attacks. Strong password policies, physical access control, and two-factor authentication all improve the protection against brute-force and dictionary password attacks.

25
Q

What type of attack can detect passwords sent across a network in cleartext?

A. Spoofing attack
B. Spamming attack
C. Sniffing attack
D. Side-channel attack

A

C. A sniffing attack uses a sniffer (also called a packet analyzer or protocol analyzer) to capture data and can be used to read passwords sent across a network in cleartext. A spoofing attack attempts to hide the identity of the attacker. A spamming attack involves sending massive amounts of email. A side-channel attack is a passive, noninvasive attack used against smart cards.

26
Q

Which of the following can help mitigate the success of an online brute-force attack?

A. Rainbow table
B. Account lockout
C. Salting passwords
D. Encryption of password

A

B. An account lockout policy will prevent someone from logging into an account after they have entered an incorrect password too many times. A rainbow table is used by an attacker in offline password attacks, and password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the password, but not against a brute-force attack.

27
Q

What is an attack that attempts to detect flaws in smart cards?

A. Whaling
B. Side-channel attack
C. Brute-force
D. Rainbow table attack

A

B. A side-channel attack is a passive, noninvasive attack to observe the operation of a device. Methods include power monitoring, timing, and fault analysis attacks. Whaling is a type of phishing attack that targets high-level executives. A brute-force attack attempts to discover passwords by using all possible character combinations. A rainbow table attack is used to crack passwords.

28
Q

What type of attack uses email and attempts to trick high-level executives?

A. Phishing
B. Spear phishing
C. Whaling
D. Vishing

A

C. Whaling is a form of phishing that targets high-level executives. Spear phishing targets a specific group of people but not necessarily high-level executives. Vishing is a form of phishing that commonly uses Voice over IP (VoIP).

29
Q

What provides data for recreating the history of an event, intrusion, or system failure?

A. Security policies
B. Log files
C. Audit reports
D. Business continuity planning

A

B. Log files provide an audit trail for recreating the history of an event, intrusion, or system failure. An audit trail includes log files and can reconstruct an event, extract information about an incident, and prove or disprove culpability. Security policies are documents that define security requirements for an organization. An audit report includes details gleaned from log files. Business continuity planning occurs before an event, in an attempt to reduce the impact.

30
Q

What can be used to reduce the amount of logged or audited data using nonstatistical methods?

A. Clipping levels
B. Sampling
C. Log analysis
D. Alarm triggers

A

A. Clipping is a form of nonstatistical sampling that reduces the amount of logged data based on a clipping-level threshold. Sampling is a statistical method that extracts meaningful data from audit logs. Log analysis reviews log information looking for trends, patterns, and abnormal or unauthorized events. An alarm trigger is a notification sent to administrators when specific events or thresholds occur.

31
Q

Which of the following focuses more on the patterns and trends of data than on the actual content?

A. Keystroke monitoring
B. Traffic analysis
C. Event logging
D. Security auditing

A

B. Traffic analysis focuses more on the patterns and trends of data rather than the actual content. Keystroke monitoring records specific keystrokes to capture data. Event logging logs specific events to record data. Security auditing records security events and/or reviews logs to detect security incidents.

32
Q

What is used to keep subjects accountable for their actions while they are authenticated to a system?

A. Authentication
B. Monitoring
C. Account lockout
D. User entitlement reviews

A

B. Accountability is maintained by monitoring the activities of subjects and objects as well as core system functions that maintain the operating environment and the security mechanisms. Authentication is required for effective monitoring, but it doesn’t provide accountability by itself. Account lockout prevents login to an account if the wrong password is entered too many times. User entitlement reviews can identify excessive privileges.

33
Q

Audit trails are considered to be what type of security control?

A. Administrative
B. Passive detective
C. Corrective
D. Physical

A

B. Audit trails are a passive form of detective security control. Administrative controls are management practices. Corrective controls can correct problems related to an incident, and physical controls are controls that you can physically touch.

34
Q

The absence of which of the following can result in the perception that due care is not being maintained?

A. Periodic security audits
B. Deployment of all available controls
C. Performance reviews
D. Audit reports for shareholders

A

A. Failing to perform periodic security audits can result in the perception that due care is not being maintained. Such audits alert personnel that senior management is practicing due diligence in maintaining system security. An organization should not indiscriminately deploy all available controls but should choose the most effective ones based on risks. Performance reviews are useful managerial practices but not directly related to due care. Audit reports should not be shared with the public.

35
Q

Which of the following options is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes?

A. Penetration testing
B. Auditing
C. Risk analysis
D. Entrapment

A

B. Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Penetration testing attempts to exploit vulnerabilities. Risk analysis attempts to analyze risks based on identified threats and vulnerabilities. Entrapment is tricking someone into performing an illegal or unauthorized action.

36
Q

When performing access review audits, which type of account is the most important to audit?

A. None is more important. They are all equal.
B. Regular user accounts
C. Auditor accounts
D. Privileged accounts

A

D. Privileged accounts (such as administrator accounts) are granted the most access and should be a primary focus in an access review audit. Regular user and auditor accounts don’t have as much access as privileged accounts and are not as important to audit.

37
Q

What would detect when a user has more privileges than necessary?

A. Account management
B. User entitlement audit
C. Logging
D. Reporting

A

B. A user entitlement audit can detect when users have more privileges than necessary. Account management practices attempt to ensure that privileges are assigned correctly. The audit detects whether the management practices are followed. Logging records activity, but the logs need to be reviewed to determine if practices are followed. Reporting is the result of an audit.

38
Q

Why should access to audit reports be controlled and restricted?

A. They contain copies of confidential data stored on the network.
B. They contain information about the vulnerabilities of the system.
C. They are useful only to upper management.
D. They include the details about the configuration of security controls.

A

B. Audit reports should be secured because they contain information about the vulnerabilities of the system and disclosure of such vulnerabilities to the wrong person could lead to security breaches. They would not normally contain confidential data from the network. They are useful to both upper management and security professionals. They would not normally include details about security control configuration.

39
Q

List three elements to identify when evaluating access control attacks.

A

Assets, threats, and vulnerabilities should be identified through asset valuation, threat modeling, and vulnerability analysis.

40
Q

Name at least three types of attacks used to discover passwords.

A

Brute-force attacks, dictionary attacks, sniffer attacks, rainbow table attacks, and social engineering attacks are all methods used to discover passwords.

41
Q

Describe the relationship between auditing and audit trails.

A

Auditing is a methodical examination or review of an environment and encompasses a wide variety of different activities to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Audit trails provide the data that supports such examination or review and essentially are what make auditing and subsequent detection of attacks and misbehavior possible.

42
Q

What should an organization do to verify that accounts are managed properly?

A

Organizations should regularly perform access reviews and audits. These can detect when an organization is not following its own policies and procedures related to account management.

43
Q

Electronic authentication begins with which of the following?

a. Token
b. Credential
c. Subscriber
d. Credential service provider

A

c. An applicant applies to a registration authority (RA) to become a subscriber of a credential service provider (CSP) and, as a subscriber, is issued or registers a secret, called a token, and a credential (public key certificate) that binds the token to a name and other attributes that the RA has verified. The token and credential may be used in subsequent authentication events.

44
Q

In the electronic authentication process, who performs the identity proofing?

a. Subscriber
b. Registration authority
c. Applicant
d. Credential service provider

A

b. The RA performs the identity proofing after registering the applicant with the CSP. An applicant becomes a subscriber of the CSP.

45
Q

In electronic authentication, which of the following provides the authenticated information to the relying party for making access control decisions?

a. Claimant/subscriber
b. Applicant/subscriber
c. Verifier/claimant
d. Verifier/credential service provider

A

d. The relying party can use the authenticated information provided by the verifier/CSP to make access control decisions or authorization decisions. The verifier verifies that the claimant is the subscriber/applicant through an authentication protocol. The verifier passes on an assertion about the identity of the subscriber to the relying party. The verifier and the CSP may or may not be the same entity.

46
Q

In electronic authentication, an authenticated session is established between which of the following?

a. Claimant and the relying party
b. Applicant and the registration authority
c. Subscriber and the credential service provider
d. Certifying authority and the registration authority

A

a. An authenticated session is established between the claimant and the relying party. Sometimes the verifier is also the relying party. The other three choices are incorrect because the correct answer is based on facts.

47
Q

Under which of the following electronic authentication circumstances does the verifier need to directly communicate with the CSP to complete the authentication activity?

a. Use of a digital certificate
b. A physical link between the verifier and the CSP
c. Distributed functions for the verifier, relying party, and the CSP
d. A logical link between the verifier and the CSP

A

b. The use of digital certificates represents a logical link between the verifier and the CSP rather than a physical link. In some implementations, the verifier, relying party, and the CSP functions may be distributed and separated. The verifier needs to directly communicate with the CSP only when there is a physical link between them. In other words, the verifier does not need to directly communicate with the CSP for the other three choices.

48
Q

In electronic authentication, who maintains the registration records to allow recovery of registration records?

a. Credential service provider
b. Subscriber
c. Relying party
d. Registration authority

A

a. The CSP maintains registration records for each subscriber to allow recovery of registration records.

49
Q

Which of the following is used in the unique identification of employees and contractors?

a. Personal identity verification card token
b. Passwords
c. PKI certificates
d. Biometrics

A

a. It is suggested that a personal identity verification (PIV) card token is used in the unique identification of employees and contractors.

50
Q

In electronic authentication, which of the following produces an authenticator used in the authentication process?

a. Encrypted key and password
b. Token and cryptographic key
c. Public key and verifier
d. Private key and claimant

A

b. The token may be a piece of hardware that contains a cryptographic key that produces the authenticator used in the authentication process to authenticate the claimant. The key is protected by encrypting it with a password.

51
Q

For electronic authentication, which of the following is not an example of assertions?

a. Cookies
b. Security assertions markup language
c. X.509 certificates
d. Kerberos tickets

A

c. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. Assertions may be digitally signed objects, or they may be obtained from a trusted source by a secure protocol.

52
Q

In electronic authentication, electronic credentials are stored as data in a directory or database. Which of the following refers to when the directory or database is trusted?

a. Signed credentials are stored as signed data.
b. Unsigned credentials are stored as unsigned data.
c. Signed credentials are stored as unsigned data.
d. Unsigned credentials are stored as signed data.

A

b. Electronic credentials are digitally signed objects, in which case their integrity is verified. When the directory or database server is trusted, unsigned credentials may be stored as unsigned data.

53
Q

In electronic authentication, electronic credentials are stored as data in a directory or database. Which of the following refers to when the directory or database is untrusted?

a. Self-authenticating
b. Authentication to the relying party
c. Authentication to the verifier
d. Authentication to the credential service provider

A

a. When electronic credentials are stored in a directory or database server, the directory or database may be an untrusted entity because the data it supplies is self-authenticated.

54
Q

The correct flows and proper interactions between parties involved in electronic authentication include:

a. Applicant⇒Registration Authority⇒Subscriber⇒Claimant
b. Registration Authority⇒Applicant⇒Claimant⇒Subscriber
c. Subscriber⇒Applicant⇒Registration Authority⇒Claimant
d. Claimant⇒Subscriber⇒Registration Authority⇒Applicant

A

a. The correct flows and proper interactions between the various parties involved in electronic authentication include the following:
An individual applicant applies to a registration authority (RA) through a registration process to become a subscriber of a credential service provider (CSP)
The RA identity proofs that applicant
On successful identity proofing, the RA sends the CSP a registration confirmation message
A secret token and a corresponding credential are established between the CSP and the new subscriber for use in subsequent authentication events
The party to be authenticated is called a claimant (subscriber) and the party verifying that identity is called a verifier

55
Q

In electronic authentication, which of the following represents the correct order of passing information about assertions?

a. Subscriber⇒Credential Service Provider⇒Registration Authority
b. Verifier⇒Claimant⇒Relying Party
c. Relying Party⇒Claimant⇒Registration Authority
d. Verifier⇒Credential Service Provider⇒Relying Party

A

b. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber (i.e., claimant).

56
Q

In electronic authentication using tokens, the authenticator in the general case is a function of which of the following?

a. Token secret and salt or challenge
b. Token secret and seed or challenge
c. Token secret and nonce or challenge
d. Token secret and shim or challenge

A

c. The authenticator is generated through the use of a token. In the trivial case, the authenticator may be the token secret itself where the token is a password. In the general case, an authenticator is generated by performing a mathematical function using the token secret and one or more optional token input values such as a nonce or challenge.

57
Q

In electronic authentication, using one token to gain access to a second token is called a:

a. Single-token, multifactor scheme
b. Single-token, single-factor scheme
c. Multitoken, multifactor scheme
d. Multistage authentication scheme

A

b. Using one token to gain access to a second token is considered a single token and a single factor scheme because all that is needed to gain access is the initial token. Therefore, when this scheme is used, the compound solution is only as strong as the token with the lowest assurance level. The other choices are incorrect because they are not applicable to the situation here.

58
Q

In electronic authentication, which of the following statements is not true about a multistage token scheme?

a. An additional token is used for electronic transaction receipt.
b. Multistage scheme assurance is higher than the multitoken scheme assurance using the same set of tokens.
c. An additional token is used as a confirmation mechanism.
d. Two tokens are used in two stages to raise the assurance level.

A

b. In a multistage token scheme, two tokens are used in two stages, and additional tokens are used for transaction receipt and confirmation mechanism to achieve the required assurance level. The level of assurance of the combination of the two stages can be no higher than that possible through a multitoken authentication scheme using the same set of tokens.

59
Q

Online guessing is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the online guessing threat?

a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

a. Entropy is the uncertainty of a random variable. Tokens that generate high entropy authenticators prevent online guessing of secret tokens registered to a legitimate claimant and offline cracking of tokens. The other three choices cannot prevent online guessing of tokens or passwords.

60
Q

Token duplication is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the token duplication threat?

a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

b. In token duplication, the subscriber’s token has been copied with or without the subscriber’s knowledge. A countermeasure is to use hardware cryptographic tokens that are difficult to duplicate. Physical security mechanisms can also be used to protect a stolen token from duplication because they provide tamper evidence, detection, and response capabilities. The other three choices cannot handle a duplicate token problem.

61
Q

Eavesdropping is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the eavesdropping threat?

a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

c. A countermeasure to mitigate the eavesdropping threat is to use tokens with dynamic authenticators where knowledge of one authenticator does not assist in deriving a subsequent authenticator. The other choices are incorrect because they cannot provide dynamic authentication.

62
Q

Identifier management is applicable to which of the following accounts?

a. Group accounts
b. Local user accounts
c. Guest accounts
d. Anonymous accounts

A

b. All users accessing an organization’s information systems must be uniquely identified and authenticated. Identifier management is applicable to local user accounts where the account is valid only on a local computer, and its identity can be traced to an individual. Identifier management is not applicable to shared information system accounts, such as group, guest, default, blank, anonymous, and nonspecific user accounts.

63
Q

Phishing or pharming is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the phishing or pharming threat?

a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

c. A countermeasure to mitigate the phishing or pharming threat is to use tokens with dynamic authenticators where knowledge of one authenticator does not assist in deriving a subsequent authenticator.

64
Q

Theft is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the theft threat?

a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

d. A countermeasure to mitigate the threat of token theft is to use multifactor tokens that need to be activated through a PIN or biometric. The other choices are incorrect because they cannot provide multifactor tokens.

65
Q

Social engineering is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the social engineering threat?

a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.

A

c. A countermeasure to mitigate the social engineering threat is to use tokens with dynamic authenticators where knowledge of one authenticator does not assist in deriving a subsequent authenticator. The other choices are incorrect because they cannot provide dynamic authentication.

66
Q

In electronic authentication, which of the following is used to verify proof-of-possession of registered devices or identifiers?

a. Lookup secret token
b. Out-of-band token
c. Token lock-up feature
d. Physical security mechanism

A

b. Out-of-band tokens can be used to verify proof-of-possession of registered devices (e.g., cell phones) or identifiers (e.g., e-mail IDs). The other three choices cannot verify proof-of-possession.

67
Q

Authorization controls are a part of which of the following?

a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls

A

b. Authorization controls such as access control matrices and capability tests are a part of preventive controls because they block unauthorized access. Preventive controls deter security incidents from happening in the first place.

68
Q

In electronic authentication, after a credential has been created, which of the following is responsible for maintaining the credential in storage?

a. Verifier
b. Relying party
c. Credential service provider
d. Registration authority

A

c. The credential service provider (CSP) is the only one responsible for maintaining the credential in storage. The verifier and the CSP may or may not belong to the same entity. The other three choices are incorrect because they are not applicable to the situation here.

69
Q

The extensible access control markup language (XACML) does not define or support which of the following?

a. Trust management
b. Privilege management
c. Policy language
d. Query language

A

a. The extensible access control markup language (XACML) is a standard for managing access control policy and supports enterprise-level privilege management. It includes a policy language and a query language. However, XACML does not define authority delegation and trust management.

70
Q

In the electronic authentication process, which of the following is weakly resistant to man-in-the-middle (MitM) attacks?

a. Account lockout mechanism
b. Random data
c. Sending a password over server authenticated TLS
d. Nonce

A

c. A protocol is said to have weak resistance to MitM attacks if it provides a mechanism for the claimant to determine whether he is interacting with the real verifier, but still leaves the opportunity for the nonvigilant claimant to reveal a token authenticator to an unauthorized party that can be used to masquerade as the claimant to the real verifier.