Ch 6,7,8 Flashcards

1
Q

What is the main weakness of a hierarchical trust model?

A

The structure depends on the integrity of the root CA.

2
Q

How does a subject go about obtaining a certificate from a CA?

A

In most cases, the subject generates a key pair then adds the public key along with subject information and certificate type in a certificate signing request (CSR) and submits it to the CA. If the CA accepts the request, it generates a certificate with the appropriate key usage and validity, signs it, and transmits it to the subject.

3
Q

What cryptographic information is stored in a digital certificate?

A

The subject’s public key and the algorithms used for encryption and hashing.
The certificate also stores a digital signature from the issuing CA, establishing the chain of trust.

4
Q

What does it mean if a certificate extension attribute is marked as critical?

A

That the application processing the certificate must be able to interpret the extension correctly. Otherwise, it should reject the certificate.

5
Q

You are developing a secure web application. What sort of certificate should you request to show
that you are the publisher of a program?

A

A code signing certificate. Certificates are issued for specific purposes. A certificate issued for one purpose should not be reused for other functions.

6
Q

What extension field is used with a web server certificate to support the identification of the server
by multiple specific subdomain labels?

A

The subject alternative name (SAN) field. A wildcard certificate will match any subdomain label.

7
Q

What are the potential consequences if a company loses control of a private key?

A

It puts both data confidentiality and identification and authentication systems at risk.

8
Q

You are advising a customer about encryption for data backup security and the key escrow services
that you offer. How should you explain the risks of key escrow and potential mitigations?

A

Escrow refers to archiving the key used to encrypt the customer’s backups with your company as a third party. The risk is that an insider attack from your company may be able to decrypt the data backups. This risk can be mitigated by requiring M-of-N access to the escrow keys, reducing the risk of a rogue administrator.

9
Q

What mechanism informs clients about suspended or revoked keys?

A

Either a published Certificate Revocation List (CRL) or an Online Certificate Status Protocol (OCSP) responder.

10
Q

What mechanism does HPKP implement?

A

HTTP Public Key Pinning (HPKP) ensures that when a client inspects the certificate presented by a server or a code-signed application, it is inspecting the proper certificate. It does this by submitting one or more public keys to the browser via an HTTP header.

11
Q

What type of certificate format can be used if you want to transfer your private key and certificate
from one Windows host computer to another?

A

PKCS #12 / .PFX / .P12.

12
Q

What is the difference between authorization and authentication?

A

Authorization means granting the account that has been configured for the user on the computer system the right to make use of a resource. Authorization manages the privileges granted on the resource. Authentication protects the validity of the user account by testing that the person accessing that account is who she/he says she/he is.

13
Q

What steps should be taken to enroll a new employee on a domain network?

A

Perform checks to confirm the user’s identity, issue authentication credentials securely, assign appropriate permissions/privileges to the account, and ensure accounting mechanisms are in place to audit the user’s activity.

14
Q

What methods can be used to implement location-based authentication?

A

You can query the location service running on a device or geolocation by IP. You could use location with the network, based on switch port, wireless network name, virtual LAN (VLAN), or IP subnet.

15
Q

In what scenario would PAP be considered a secure authentication method?

A

PAP is a legacy protocol that cannot be considered secure because it transmits plaintext ASCII passwords and has no cryptographic protection. The only way to ensure the security of PAP is to ensure that the endpoints have established a secure tunnel (using IPSec, for instance).

16
Q

True or false? In order to create a service ticket, Kerberos passes the user’s password to the target application server for authentication.

A

False—only the KDC verifies the user credential. The Ticket Granting Service (TGS) sends the user’s account details (SID) to the target application for authorization (allocation of permissions), not authentication.

17
Q

A user maintains a list of commonly used passwords in a file located deep within the computer’s directory structure. Is this secure password management?

A

No. This is security by obscurity. The file could probably be easily discovered using search tools.

18
Q

Which property of a plaintext password is most effective at defeating a brute-force attack?

A

The length of the password.

19
Q

True or false? When implementing smart card logon, the user’s private key is stored on the smart card.

A

True. The smart card implements a cryptoprocessor for secure generation and storage of key and certificate material.

20
Q

You are providing consultancy to a firm to help them implement smart card authentication to premises networks and cloud services. What are the main advantages of using an HSM over server-based key and certificate management services?

A

A hardware security module (HSM) is optimized for this role and so presents a smaller attack surface. It is designed to be tamper-evident to mitigate against insider threat risks. It is also likely to have a better implementation of a random number generator, improving the security properties of key material.

21
Q

Which network access control framework supports smart cards?

A

Local logon providers, such as Kerberos, support smart cards, but this is not network access control as the device has already been allowed on the network. The IEEE 802.1X framework means that network access servers (switches, access points, and VPN gateways) can accept Extensible Authentication Protocol (EAP) credentials, but block any other type of network access. They act as a pass-through for an authentication server, which stores and validates the credentials. Some EAP types support smart card or machine authentication.

22
Q

What is a RADIUS client?

A

A device or server that accepts user connections, often referred to as a network access server (NAS) or as the authenticator. Using RADIUS architecture, the client does not need to be able to perform authentication itself; it acts as a pass-through to an AAA server.

23
Q

What is EAPoL?

A

A network access server that supports 802.1X port-based access control can enable a port but allow only the transfer of Extensible Authentication Protocol over LAN (EAPoL) traffic. This allows the supplicant and authentication server to perform the authentication process, with the network access server acting as a pass-through.

24
Q

How does OTP protect against password guessing or sniffing attacks?

A

A one-time password mechanism generates a token that is valid only for a short period (usually 60 seconds) before it changes again.

25
Q

Apart from cost, what would you consider to be the major considerations for evaluating a biometric
recognition technology?

A

Error rates (false acceptance and false rejection), throughput, and whether users will accept the technology or reject it as too intrusive or threatening to privacy.

26
Q

Which type of eye recognition is easier to perform: retinal or iris scanning?

A

Iris scans.

27
Q

What two ways can biometric technologies be used other than for logon authentication?

A

For identification based on biometric features and in continuous authentication mechanisms.

28
Q

You are consulting with a company about a new approach to authenticating users. You suggest
there could be cost savings and better support for multifactor authentication (MFA) if your
employees create accounts with a cloud provider. That allows the company’s staff to focus on
authorizations and privilege management. What type of service is the cloud vendor performing?

A

The cloud vendor is acting as the identity provider.

29
Q

What is the process of ensuring accounts are only created for valid users, only assigned the
appropriate privileges, and that the account credentials are known only to the valid user?

A

Onboarding.

30
Q

What type of organizational policies ensure that at least two people have oversight of a critical
business process?

A

Shared authority, job rotation, and mandatory enforced vacation/holidays.

31
Q

Recently, attackers were able to compromise the account of a user whose employment had been
terminated a week earlier. They used this account to access a network share and delete important
files. What account vulnerability enabled this attack?

A

While it’s possible that lax password requirements and incorrect privileges may have contributed to the account compromise, the most glaring problem is that the terminated employee’s account wasn’t disabled. Since the account was no longer being used, it should not have been left active for a malicious user to exploit.

32
Q

For what type of account would interactive logon be disabled?

A

Interactive logon refers to starting a shell. Service accounts do not require this type of access. Default superuser accounts, such as Administrator and root, may also be disabled, or limited to use in system recovery or repair.

33
Q

What type of information stored in files most needs to be audited when performing third-party credential management?

A

SSH and API keys are often insecurely embedded in computer code or uploaded mistakenly to repositories alongside code. Also, managing shared credentials can be difficult, and many sites resort to storing them in a shared spreadsheet. These keys are authentication credentials, and they are stored in files.

34
Q

What container would you use if you want to apply a different security policy to a subset of objects within the same domain?

A

Organization Unit (OU).

35
Q

What is the name of the policy that prevents users from choosing old passwords again?

A

Password History

36
Q

In what two ways can an IP address be used for context-based authentication?

A

An IP address can represent a logical location (subnet) on a private network. Most types of public IP address can be linked to a geographical location, based on information published by the registrant that manages that block of IP address space.

37
Q

How does accounting provide non-repudiation?

A

A user’s actions are logged on the system.

38
Q

Which information resource is required to complete usage auditing?

A

Usage events must be recorded in a log. Choosing which events to log will be guided by an audit policy.

39
Q

What is the difference between locked and disabled accounts?

A

An account enters a locked state because of a policy violation, such as an incorrect password being entered repeatedly. Lockout is usually applied for a limited duration. An account is usually disabled manually, using the account properties. A disabled account can only be re-enabled manually.

40
Q

What are the advantages of a decentralized, discretionary access control policy over a mandatory access control policy?

A

It is easier for users to adjust the policy to fit changing business needs. Centralized policies can easily become inflexible and bureaucratic.

41
Q

What is the difference between security group- and role-based permissions management?

A

In a role-based access control system, groups are tightly defined according to job functions. Also, a user should (logically) only possess the permissions of one role at a time.

42
Q

In a rule-based access control model, can a subject negotiate with the data owner for access privileges? Why or why not?

A

This sort of negotiation would not be permitted under rule-based access control; it is a feature of discretionary access control.

43
Q

What is the purpose of directory services?

A

To store information about network resources and users in a format that can be accessed and updated using standard queries.

44
Q

True or false? The following string is an example of a distinguished name: CN=ad, DC=classroom, DC=com

A

True

45
Q

You are working on a cloud application that allows users to log on with social media accounts over
the web and from a mobile application. Which protocols would you consider and which would you
choose as most suitable?

A

Security Association Markup Language (SAML) and OAuth + OpenID Connect (OIDC). OAuth with OIDC as an authentication layer offers better support for native mobile apps, and so is probably the best choice.