ch 11

Question 1

what are the type of authenticating credentials

Answer 1

Where you are 
What you have 
What you are  
What you know
What you do

Question 2

what is the biggest weakness to passwords

Answer 2

human memory

Question 3

Attacks that can be used to discover passwords:

Answer 3

• Attacks on Passwords

Question 4

Phishing, shoulder surfing, dumpster diving

Answer 4

-Social engineering

Question 5

Keylogger, protocol analyzer

Man-in-the-middle and replay attacks

Answer 5

Capturing

Question 6

Attacker gains physical access to computer and resets password

Answer 6

-Resetting

Question 7

Method used by most password attacks today
Attackers steal file of password digests
Compare with their own digests they have created

Answer 7

-Offline attack

Question 8

Every possible combination of letters, numbers, and characters used to create encrypted passwords and matched against stolen file
Slowest, most thorough method

Answer 8

Brute force

Question 9

(N T L M)

Answer 9

New Technology LAN Manager

Question 10

what kind of attack is when An attacker who can steal the digest of an N T L M password would not need to try to break it
He would simply pretend to be the user and send that hash to the remote system to then be authenticated

Answer 10

Known as a pass the hash attack

Question 11

A more targeted brute force attack that uses placeholders for characters in certain positions of the password

Answer 11

Mask Attack

Question 12

Conducts a statistical analysis on the stolen passwords that is used to create a mask to break the largest number of passwords

Answer 12

Rule Attack

Question 13

Attacker creates digests of common dictionary words

Compares against stolen digest file

Answer 13

Dictionary Attack

Question 14

Two key stretching algorithms

Answer 14

bcrypt and P B K D F 2

Question 15

When a user is using more than one type of authentication credential

Answer 15

Multifactor authentication

Question 16

Using just oneMost common items used for authentication

Answer 16

Single-factor authentication

Question 17

(O T P)

Answer 17

Used to create a one-time password

Question 18

Authentication code that can be used only once or for a limited period of time

Answer 18

one-time password (O T P)

Question 19

where is the hardware token generally

Answer 19

Typically a small device with a window display

Question 20

where is the software token generally stored

Answer 20

Stored on a general-purpose device like a laptop computer or smartphone

Question 21

(T O T P)

Answer 21

Time-based one-time password

Question 22

(H O T P)

Answer 22

HMAC-based one-time password

Question 23

Two types of O T P s

Answer 23

Time-based one-time password (T O T P)

HMAC-based one-time password (H O T P)

Question 24

(P I V)

Answer 24

Personal Identity Verification

Question 25

The smart card standard covering all U.S. government employees

Answer 25

Personal Identity Verification (P I V)

Question 26

what is a Contact card

Answer 26

``` a “pad” that allows electronic access to chip contents Contactless cards (proximity cards) ```

Question 27

Uses a person’s unique physical characteristics for authentication Face, hand, or eye characteristics are used to authenticate

Answer 27

Standard biometrics

Question 28

Retinal scanner uses the human retina as a biometric identifier Maps the unique patterns of a retina by directing a beam of low-energy infrared light (I R) into a person’s eye

Answer 28

Specialized Biometric Scanners

Question 29

what fingerprint scanner takes a picture and compares with image on file

Answer 29

Static fingerprint scanner

Question 30

what fingerprint scanner uses a small slit or opening

Answer 30

Dynamic fingerprint scanner

Question 31

Voice recognition uses a standard computer microphone to identify users based on the unique characteristics of a person’s voice

Answer 31

Standard Input Devices

Question 32

Biometric Disadvantages

Answer 32

``` Cost of hardware scanning devices Readers have some amount of error Reject authorized users Accept unauthorized users Biometric systems can be “tricked ```

Question 33

(FAR)

Answer 33

False acceptance rate

Question 34

(FRR)

Answer 34

False rejection Rate

Question 35

- what is it called when someone else can log into your device

Answer 35

(FAR) False acceptance rate

Question 36

what is it called when a user cannot log into their own device

Answer 36

(FRR) False rejection Rate

Question 37

(CER)

Answer 37

crossover error rate

Question 38

what is it called when nhow often FAR and FRR happen

Answer 38

(CER) crossover error rate

Question 39

Relates to perception, thought process, and understanding of the user Easier for user to remember because it is based on user’s life experiences Difficult for an attacker to imitate

Answer 39

Cognitive biometrics

Question 40

(PGA)

Answer 40

Picture password/Picture Gesture Authentication

Question 41

Users select a picture to use for which there should be at least 10 “points of interest” that could serve as “landmarks” or places to touch

Answer 41

(PGA) Picture password/Picture Gesture Authentication

Question 42

Authenticates by normal actions the user performs Keystroke dynamics Attempts to recognize user’s typing rhythm

Answer 42

Behavioral biometrics

Question 43

time it takes to press and release a key

Answer 43

Dwell time

Question 44

time between keystrokes

Answer 44

Flight time

Question 45

The identification of the location of a person or object using technology

Answer 45

• Geolocation

Question 46

(FIM)

Answer 46

federated identity management

Question 47

Using a single authentication credential shared across multiple networks

Answer 47

federated identity management (FIM)

Question 48

(S S O)

Answer 48

Single sign-on (S S O)

Question 49

Examples of popular S S O s:

Answer 49

OAuth (used the most), Open ID Connect, and Shibboleth

Question 50

Microsoft Windows group password settings Password Policy Settings Account Lockout Policy is managed by what?

Answer 50

assign privileges by group (group policy)

Question 51

A two-way relationship that is automatically created between parent and child domains in a Microsoft Active Directory Forest

Answer 51

• Transitive trust