Access Control

Question 1

What are two types of Integrity?

Answer 1

Data Integrity & System Integrity

Question 2

What is the opposite of the CIA triad?

Answer 2

Disclosure, Alteration, & Destruction (DAD)

Question 3

What must occur before Authentication, Authorization, & Accountability(AAA)?

Answer 3

Identification

Question 4

What combines authentication and integrity?

Answer 4

Non-repudiation

Question 5

What means users should be granted the minimum amount of access(authorization) required to do their jobs?

Answer 5

Least privilege

Question 6

What is more granular than Least privilege?

Answer 6

Need to know

Question 7

An active entity that accesses a passive entity is known as?

Answer 7

Subject(active) and object(passive)

Question 8

What applies multiple controls to reduce risk on an asset?

Answer 8

Defense-in-depth

Question 9

What are the three primary access control models?

Answer 9

Mandatory, Discretionary, and Non-discretionary

Question 10

What are two types of Non-discretionary access control models?

Answer 10

Role based and task based

Question 11

What is a list of objects and for each entry describes what a subject can do?

Answer 11

Access Control List(ACL)

Question 12

What is a one logical point for controlling access through a third party system? Provides a central point for AAA and an example would be Single Sign On(SSO)

Answer 12

Centralized access control

Question 13

______ _________ occurs as individual users gain more access to systems. This can happen intentionally(SSO) or unintentionally which would result in _______ ________.

Answer 13

Access Aggregation, Authorization Creep

Question 14

What is the following?
A client/server protocol
Runs in the application layer Uses UDP port 1812(authentication) and 1813(accounting)
Considered a AAA system

Answer 14

Remote Authentication Dial-In User Service(RADIUS)

Question 15

What is the successor to RADIUS?

Answer 15

Diameter

Question 16

What is the following?
Requires user to send an ID and static(reusable) password for authentication
Goes over UDP or TCP port 49

Answer 16

TACACS

Question 17

What does TACACS+ offer over TACACS?

Answer 17

Provides better password protection through two factor authentication

Question 18

Why is PAP insecure?

Answer 18

When user enters password, it goes over the network in cleartext thus allowing someone to sniff it.

Question 19

What does CHAP protect against? What does it depend on?

Answer 19

Playback attacks. It depends on a secret only known to the authenticator and peer. This secret is not sent over the link.

Question 20

Access Control categories fall into what?

Answer 20

Administrative(Directive), Technical(Logical), Physical

Question 21

What is a combination of both the identification and authentication of a user?

Answer 21

Credential set

Question 22

What are the three basic types of authentication methods?

Answer 22

Type 1(Something you know) Type 2(Something you have) Type 3(Something you are)

Question 23

What is it when the user is required to provide more than one authentication factor?

Answer 23

Strong Authentication or multi factor authentication

Question 24

What is often the weakest form of authentication?

Answer 24

Type 1(Something you know)

Question 25

What are the four types of passwords?

Answer 25

Static
Passphrases
One-time
Dynamic

Question 26

Reusable passwords that may or may not expire, work best when combined with another authentication type such as smart card or biometrics?

Answer 26

Static passwords

Question 27

Can be made stronger using nonsense words like XYZZY, described as long static passwords?

Answer 27

Passphrases

Question 28

Used for single authentication, very secure, difficult to manage, impossible to reuse?

Answer 28

One time password

Question 29

This password changes at regular intervals, user could combine their static PIN with a token to create the password, token is expensive?

Answer 29

Dynamic passwords

Question 30

What is it called when an attacker runs a hash algorithm forward many times selecting different passwords to produce a matching hash?

Answer 30

Password cracking

Question 31

This type of attack uses a predefined list of words to run the hash algorithm through in hopes to generate a matching hash?

Answer 31

Dictionary attack

Question 32

This attack appends, prepends, or changes characters in words from a dictionary before hashing attempting to quickly crack complex passwords?

Answer 32

Hybrid attack

Question 33

This attack takes more time by calculating hash outputs for every possible password but is more effective?

Answer 33

Brute Force attack

Question 34

This attack is a precomputed compilation of passwords(or plaintext) and matching hashes(or ciphertext) that can quickly crack almost all hashes?

Answer 34

Rainbow table

Question 35

A ______ value ensures that the same password will encrypt differently when used by different users. This makes Rainbow tables far less effective depending on the length?

Answer 35

Salt

Question 36

An object that helps prove an identity claim?

Answer 36

Token

Question 37

_________ _________ ______ use time or counters to synchronize a displayed token code expected by the authentication server: the codes are synchronized.

Answer 37

Synchronous dynamic tokens

Question 38

A challenge response token authentication system requires a user to enter information into to produce an output which is sent to the system, this is also known as?

Answer 38

Asynchronous dynamic token

Question 39

Biometrics may be used to establish what?

Answer 39

An Identity or to Authenticate

Question 40

What describes the process of registering with a biometric system(ex. Creating an account for the first time)?

Answer 40

Enrollment

Question 41

What describes the process of authenticating to a biometric system(Also called a biometric system response time)?

Answer 41

Throughput

Question 42

False rejection errors are also known as?

Answer 42

Type-I error

Question 43

False acceptance errors are known as?

Answer 43

Type-II error

Question 44

What type of biometric accuracy error is the worst?

Answer 44

FARs(Type II errors) are worse than FRRs (Type I errors)

Question 45

Used to describe the overall accuracy of a biometric system(Also known as the Equal Error rate)?

Answer 45

Crossover Error rate(CER)

Question 46

When the sensitivity of a biometric system increases what also increases and what drops?

Answer 46

FRRs increase and FARs will drop

Question 47

The most widely used biometric control, stored in smart cards, and data(minutiae) must be small enough for authentication?

Answer 47

Fingerprints

Question 48

Scans the blood vessels in a eye, most intrusive, and rarely used due to the health risks/invasion of privacy issues involved?

Answer 48

Retina Scan

Question 49

This biometric control include high accuracy, passive scanning, no health risks?

Answer 49

Iris Scan

Question 50

Measurements are taken from specific points on the subject’s hand(Fairly simple, stores info as small as 9 bytes)?

Answer 50

Hand geometry

Question 51

Refers to how hard a user presses a key and the rhythm at which they are pressed(cheap to implement and can be effective)?

Answer 51

Keyboard dynamics

Question 52

Similar to keyboard dynamics, measures the handwriting of the subject while they sign their name?

Answer 52

Dynamic signature

Question 53

This uses measurements of a subject’s tone of voice while stating a specific sentence/phrase(Vulnerable to replay attacks, requires compensating controls to make secure)?

Answer 53

Voiceprint

Question 54

What is the process of passively taking a picture of a subject’s face and comparing that picture to a list stored in a database?(High cost)

Answer 54

Facial scan or facial recognition

Question 55

Considered to be the fourth type of authentication(through the use of GPS or IP based geolocation or the physical location for a point of sale purchase)?

Answer 55

Someplace you are

Question 56

This allows multiple systems to use a central authentication server to authenticate once and then access multiple, different systems?

Answer 56

Single Sign On(SSO)

Question 57

Applies SSO on a much wider scale(May use OpenID or SAML)

Answer 57

Federated Identity Management(FIdM), also known as Identity Management

Question 58

What is a third party authentication service used to support SSO?

Answer 58

Kerberos

Question 59

Kerberos uses ________ encryption and provides ________ authentication of both client and servers. It protects against _______ ________ and _______ ________.

Answer 59

Symmetric, mutual, network sniffing, replay attacks

Question 60

The authenticator within Kerberos provides a requested service to the client after validating which of the following?

Answer 60

Timestamp

Question 61

Like the Kerberos protocol, SESAME is also subject to what kind of attack?

Answer 61

Password Guessing

Question 62

What are some drawbacks of Kerberos?

Answer 62

Central server as a single point of failure, stores symmetric keys in plaintext, not scalable

Question 63

How is SESAME different from Kerberos?

Answer 63

Supports heterogeneous environments, scalability of public key systems, and use of PACs instead of tickets

Question 64

A security assessment may include what kind of ‘narrow’ tests?

Answer 64

Penetration test, vulnerability assessment, security audit

Question 65

The pen tester begins with no external or trusted information and begins the attack with public information only?

Answer 65

Zero-Knowledge

Question 66

Internal information is provided to the pen tester including network diagrams, policies and procedures, and sometimes reports from previous pen tests?

Answer 66

Full-Knowledge

Question 67

Scans a network or system for a pre-defined list of vulnerabilities such as system misconfigurations, outdated software, or lack of patching?

Answer 67

Vulnerability scanning(or vulnerability testing)

Question 68

What is a test against a published standard?

Answer 68

Security Audit

Question 69

What is a holistic approach to assessing the effectiveness of access controls?

Answer 69

Security Assessment