Chapter 3 Flashcards
The process of verifying an identity claimed by or for a system entity consists of two steps. What are these steps?
1) Identification Step 2) Verification Step
What are the four general means of authenticating a user’s identity, which can be used alone or in combination? All of these methods, properly implemented and used, can provide secure user authentication.
1) Something the individual knows 2) Something the individual possesses 3) Something the individual is (static biometrics) 4) Something the individual does (dynamic biometrics)
The process of verifying an identity claimed by or for a system entity is defined as______.
User Authentication
Typically, strong access controls are used to protect the system’s password file. However, experience shows that determined hackers can frequently bypass such controls and gain access to the file. The attacker obtains the system password file and compares the password hashes against hashes of commonly used passwords. If a match is found, the attacker can gain access by that ID/password combination. a. Popular Password Attack b. Workstation Hijacking c. Specific Account Attack d. Offline Dictionary Attack
d. Offline Dictionary Attack
The attacker targets a specific account and submits password guesses until the correct password is discovered. a. Exploiting Multiple Password Use b. Specific Account Attack c. Offline Dictionary Attack d. Workstation Hijacking
b. Specific Account Attack
A variation of the preceding attack is to use a popular password and try it against a wide range of user IDs. A user’s tendency is to choose a password that is easily remembered; this unfortunately makes the password easy to guess. a. Offline Dictionary Attack b. Exploiting User Mistakes c. Electronic Monitoring d. Popular Password Attack
d. Popular Password Attack
The attacker attempts to gain knowledge about the account holder and system password policies and uses that knowledge to guess the password. a. Password guessing against single user b. Popular password attack c. Electronic monitoring d. Specific account attack
a. Password guessing against single user
The attacker waits until a logged-in workstation is unattended. a. Exploiting user mistakes b. Workstation hijacking c. Offline dictionary attack d. Password guessing against single user
b. Workstation hijacking
If the system assigns a password, then the user is more likely to write it down because it is difficult to remember. This situation creates the potential for an adversary to read the written password. A user may intentionally share a password, to enable a colleague to share files, for example. Also, attackers are frequently successful in obtaining passwords by using social engineering tactics that trick the user or an account manager into revealing a password. Many computer systems are shipped with preconfigured passwords for system administrators. Unless these preconfigured passwords are changed, they are easily guessed. a. Specific Account Attack b. Exploiting User Mistakes c. Offline Dictionary Attack d. Popular Password Attack
b. Exploiting User Mistakes
Attacks can also become much more effective or damaging if different network devices share the same or a similar password for a given user. a. Exploiting Multiple Password Use b. Exploiting User Mistakes c. Specific Account Attack d. Popular Password Attack
a. Exploiting Multiple Password Use
If a password is communicated across a network to log on to a remote system, it is vulnerable to eavesdropping. Simple encryption will not fix this problem, because the encrypted password is, in effect, the password and can be observed and reused by an adversary. a. Specific Account Attack b. Exploiting User Mistakes c. Electronic Monitoring d. Password Guessing Against Single User
c. Electronic Monitoring
What are some countermeasures to an offline dictionary attack?
- controls to prevent unauthorized access to the password file
- intrusion detection measures to identify a compromise
- rapid reissuance of passwords.
Countermeasures for Specific Account Attack
An account lockout mechanism, which locks out access to the account after a number of failed login attempts. Typical practice is no more than five access attempts.
Popular Password Attack Countermeasures.
- Policies to inhibit the selection by users of common passwords
- Scanning the IP Addresses of authentication requests and client cookies for submission patterns.
Password Guessing Against Single User countermeasures.
- Training in and enforcement of password policies that make passwords difficult to guess.
Such policies address the secrecy, minimum length of the password, character set, prohibition against using well-known user identifiers, and length of time before the password must be changed.