Domain 2: Access Control Flashcards
What does “Subject” mean in the Access Control context?
An active entity on an information system
What does “Object” mean in the access control context?
A passive data file
What is Discretionary Access Control (DAC)?
An access control method that gives subjects full control of objects they have been given access to including sharing the objects with other subjects.
What is Mandatory Access Control (MAC)?
It is a method where the system enforces access control based on subject’s clearances and object labels.
What is Role Based Access Control (RBAC)?
A type of non-discretionary access control where subjects are given roles and access is granted to roles and not the individual.
What does DAC stand for in the Access Control context?
Discretionary Access Control
What does MAC stand for in the access control context?
Mandatory Access Control
What does RBAC stand for in the Access Control context?
Role Based Access Control
What is the purpose of Access Control?
To protect the Confidentiality, Integrity, and Availability (CIA) of data.
What does CIA stand for in the Access Control context?
Confidentiality, Integrity, and Availability
Name two access control concerns.
Concern 1: Is the system flexible enough to allow users to run a wide variety of software that is not centrally controlled?
Concern 2: How to manage access control when legacy systems are running mission critical applications?
What are the three elements to the Access Control Triad?
Involves implementing three strong measures:
1: technical
2: physical
3: Administrative
Name three CIA Characteristics in the access control context.
1: All three work together to provide access control.
2: No one of the three is more important than the other two.
3: Every IT system will require a different prioritization of the three depending on the data, the user community and the required timeliness for data access.
Draw the CIA Pyramid
Confidentiality -> Disclosure
Integrity -> Alteration
Availability -> Destruction
What does DAD stand for in the Access Control context?
Disclosure
Alteration
Destruction
Name three examples of Disclosure from DAD.
1: Unauthorized access to the system
2: The unencrypted transmission of data across an insecure network
3: A trusted user relaying information to an unauthorized user.
Name two kinds of Alteration (DAD)
1: Accidental Alteration of data.
2: Purposeful Alteration of data.
Name one example of Destruction (DAD)
The North Korean scorched earth attack against South Korea.
What does IAAA stand for in the access control context?
Identification and Authentication
Authorization
Accountability
What does Identification mean in the IAAA context?
Identification: A claim by a subject to be somebody.
Name two characteristics of Identification in the IAAA context.
1: Must be unique or they cannot be accountable
2: Ideally, user names should not be descriptive: x3345 instead of Richard.howard.
What does Authentication mean in the IAAA context?
Verifying the Identification claim.
What does Authorization mean in the IAAA context?
Allowing the subject access to objects.
What does Accountability mean in the IAAA context?
Establishing the ability to determine which actions each subject performed on a system.
What does Access Creep mean in the Access Control context?
When one subject maintains old access rights as he moves from one division to another gaining additional access rights.
When can a subject and an object refer to the same thing?
The IE Browser is a Subject when it is running but is an Object when its executable is stored on the hard drive.
Name the two types of entities in Access Control
Subjects
Objects
Keep all access control examples simple by determining which elements are subjects and which elements are objects.
Name the three primary access control models
1: Discretionary Access Control (DAC)
2: Mandatory Access Control (MAC)
3: Non-Discretionary Access Control
Is any one Access Control Model
1: Discretionary Access Control (DAC)
2: Mandatory Access Control (MAC)
3: Non-Discretionary Access Control
better than the other?
No one model is better than the other, rather each model is used for a specific information security purpose.
Is Non-Discretionary Access Control a form of Mandatory Access Control (MAC)
No
What is Discretionary Access Control (DAC)?
Gives subjects full control of objects they have been given access to including sharing with other subjects.
DAC allows subjects the ability to grant other subjects access to their files (objects), change their attributes, alter them or delete them.
Name two operating systems that use Discretionary Access Control (DAC)
1: Windows
2: Linux
Name one weakness in Discretionary Access Control (DAC)
Confidentiality Protection, because the system depends on user discretion; a user can mistakenly send a file to someone who has no business seeing the information in that file.
What is Mandatory Access Control (MAC)?
A system enforced access control model based on the subject’s clearance and the object’s labels.
In Mandatory Access Control (MAC) systems, Subjects and Objects have
labels like SECRET and TOP SECRET.
In Mandatory Access Control (MAC) systems, when can a subject access an object?
A subject may access any object if the subject’s label is equal to or greater than the object’s label.
What is the main difference in who enforces access to objects between Discretionary Access Control (DAC) and Mandatory Access Control (MAC)?
MAC uses the system to enforce access control based on the subject’s clearance and the object’s labels.
DAC counts on the Subject to use discretion in providing other subjects access to his objects.
What part of the CIA model do Mandatory Access Control (MAC) systems focus on?
MAC systems focus on protecting Confidentiality in the CIA model.
Name two liabilities of Mandatory Access Control (MAC) systems compared to Discretionary Access Control (DAC) systems.
1: MAC systems are expensive compared to DAC. Clearing users is expensive.
2: MAC systems are difficult to implement especially when attempting to separate different confidentiality levels within the same interconnected IT system.
Name three Mandatory Access Control (MAC) systems
1: Honeywell’s SCOMP developed in conjunction with the US and the UK
2: Purple Penelope developed in conjunction with the US and the UK
3: LINUX Intrusion Detection System (Standard LINUX is DAC)
What is Non-Discretionary Access Control?
A system enforced access control model that cannot be changed at the discretion of ordinary users.
Users do not have discretion regarding the groups of objects they are allowed to access and they are unable to transfer objects to other subjects.
Is Role Based Access Control (RBAC) a type of
Non-Discretionary Access Control
or
Discretionary Access Control (DAC)
or
Mandatory Access Control (MAC)
Non-Discretionary Access Control
Name the three characteristics (Rules) of Role Based Access Control (RBAC)?
1: Role Assignment:
2: Role Authorization:
3: Transaction Authorization:
In Role Based Access Control systems, is the Identification and Authentication process (Login) considered a transaction?
The Identification and Authentication process (Login) is not considered a transaction.
What does Role Assignment mean as the first Rule of Role Based Access Control?
A subject can execute a transaction only if the subject has been assigned the proper role.
Subjects are grouped into roles. Users can take on only roles for which they are authorized.
What does Role Authorization mean as the second rule of Role Based Access Control?
A subject’s role must be authorized.
Each role has access permissions based upon the role and not the position.
What does Transaction Authorization mean as the third rule in Role Based Access Control?
A subject can execute a transaction only if the transaction is authorized for the role.
Users can execute only transactions for which they are authorized.
Why is Role Based Access Control (RBAC) a form of Non-Discretionary Access Control and not Discretionary Access Control (DAC)?
RBAC is a type of non-discretionary access control because subjects do not have discretion regarding the groups of objects they are allowed to access, and are unable to transfer objects to other subjects.
Why is Role Based Access Control (RBAC) a form of Non-Discretionary Access Control and not Mandatory Access Control (MAC)?
There is a superficial similarity between RBAC roles and traditional groups (MAC).
As normally implemented, a MAC group is a collection of users, rather than a collection of permissions
The ability to tie permissions directly to users in a group-based mechanism can be regarded as a “loophole” that makes it difficult to control user-permission relationships.
RBAC requires all access through roles, and permissions are connected only to roles, not directly to users.
What type of access control is Task Based Access Control?
Non-Discretionary Access Control
Is Content Dependent Access Control a full-fledged access control system like DAC, MAC or RBAC?
No
Not full-fledged access controls like MAC and DAC but added in, like defense in depth, for extra protection.
Is Context Dependent Access Control a full-fledged access control system like DAC, MAC or RBAC?
No
Not full-fledged access controls like MAC and DAC but added in, like defense in depth, for extra protection.
What is Content Dependent Access Control?
They add additional criteria beyond Identification and Authentication. They consider the actual content.
Example: Subjects can view their Timesheet but not the CEOs.
What are Context Dependent Access Controls?
Applies additional context before granting access.
Example: Login time.
What is Centralized Access Control?
Centralized Access Control concentrates access control in one logical point for a system or organization like Single Sign On.
What is Decentralized Access Control?
Decentralized Access Control (Distributed Access Control) distributes control to local sites and independent systems.
What is one advantage to Decentralized Access Control?
Provides more local power
Example: A US Soldier in a battlefield situation cannot call back to the help desk.
What is one disadvantage to Decentralized Access Control?
One risk is an inconsistent view across the organization even if there is a uniform policy.
Example: A US Soldier in a battlefield situation cannot call back to the help desk.
Can both Centralized Access Control and Decentralized Access Control support remote users authenticating to local systems?
Yes
Are DAC (Discretionary Access Control) and Decentralized Access Control the same thing?
No
Decentralized Access Control will always be spelled out in the exam.
What are the 7 Remote frameworks and protocols to support remote login?
- RADIUS
- Diameter
- TACACS
- TACACS+
- PAP
- CHAP
- Microsoft Active Directory
What does Radius stand for in the Access Control Protocols and Frameworks context?
Remote Authentication Dial In User Service
What two RFCs describe Radius?
RFC 2865 and 2866
What protocol and port does Radius officially use for authentication?
Radius officially uses the User Datagram Protocol (UDP) on port 1812 (authentication)
What protocol and port does Radius officially use for accounting?
Radius officially uses the User Datagram Protocol (UDP) on port 1813 (accounting).
What protocol and port does Radius unofficially use for authentication?
Some Radius systems unofficially use the User Datagram Protocol (UDP) on port 1645 (authentication).
What protocol and port does Radius unofficially use for accounting?
Some Radius systems unofficially use the User Datagram Protocol (UDP) on port 1646 (accounting).
Why do experts consider RADIUS to be an AAA system and not an IAAA?
Does not provide any Identity function.
It does
Authenticate a subject’s credentials against an authentication database.
Authorize users by allowing specific user’s access to specific data objects.
Provide Accountability by creating a log entry for RADIUS connection made.
In Radius, request and response data is carried in what?
Attribute Value Pairs (AVP)
According to RFC 2865, what are the 8 Radius Attribute Value Pairs (AVPs)?
Access-Request
Access-Accept
Access-Reject
Accounting-Request
Accounting-Response
Access-Challenge
Status-Server (Experimental)
Status-Client (Experimental)
In Radius, how large is the field that holds Attribute Value Pairs (AVPs)?
Uses an 8-bit field for Attribute Value Pairs (AVPs) which gives a max of 256 total pairs.
In Radius, what is the only element that is encrypted?
Radius only encrypts the password; it sends other data (the ID, for example) in the clear.
Name five problems with Radius.
1: Limited Accountability - just logs login transactions
2: Flexibility – limited functionality with 8 bit AVPs
3: Scalability – Decentralized nature makes it hard to scale
4: Reliability – Uses UDP rather than TCP
5: Security – Does not encrypt everything
Why is Diameter considered to be an improved successor to Radius?
1: Accountability Improved – more robust accounting capability
2: Flexibility Improved – 32 bit field provides for billions of AVPs
3: Scalability Improved – Centralized server makes it easier to scale
4: Reliability Improved – Uses TCP
5: Security Improved –End to end encryption
What is the Draft standard that describes the Diameter protocol?
RFC 3588.
What does TACACS stand for?
Terminal Access Controller Access Control System (TACACS).
What is TACACS?
An older authentication protocol common to UNIX networks that allows a remote access server to forward a user’s logon password to an authentication server, sometimes called a TACACS daemon or simply TACACSD, to determine whether access can be allowed to a given system.
What port does TACACS communicate with?
UDP 49
Why is TACACS less secure than TACACS+ and Radius?
It was originally designed to be an encryption protocol, not an authentication protocol.
Is TACACS+ backward compatible with TACACS?
No
Why is TACACS+ more reliable than TACACS?
Because it uses TCP instead of UDP.
What port does TACACS+ communicate with?
TCP 49
Why is TACACS+ more secure than TACACS?
1: Improves password protection by allowing two-factor authentication.
Why is TACACS+ more secure than Radius?
Encrypts all data below the header (Better security than RADIUS)
Name two Sniffers.
SNORT
Cain & Abel
What does PAP stand for?
Password Authentication Protocol
What is the Password Authentication Protocol (PAP)?
The client authenticates itself by sending a user name and an (optionally encrypted) password to the server, which the server compares to its shared secrets database.
What RFC defines the Password Authentication Protocol (PAP)?
Defined by RFC 1334.
Why is security weak with the Password Authentication Protocol (PAP)?
Passwords are sent in the clear; sniffers can pick them up. This technique is vulnerable to eavesdroppers who may try to obtain the password by listening in on the serial line, and to repeated trial and error attacks.
How does the Challenge Handshake Authentication Protocol (CHAP) work?
The server sends a randomly generated “challenge” string to the client, along with its hostname.
The client uses the hostname to look up the appropriate secret, combines it with the challenge, and encrypts the string using a one-way hashing function.
The result is returned to the server along with the client’s hostname. The server now performs the same computation, and acknowledges the client if it arrives at the same result.
What does CHAP stand for?
Challenge Handshake Authentication Protocol (CHAP)
What RFC defines the Challenge Handshake Authentication Protocol (CHAP)?
Defined by RFC 1994
In the Challenge Handshake Authentication Protocol (CHAP), is authentication one way or both ways?
Authentication is one way, but using the same secret, negotiating CHAP in both directions can facilitate authentication in both directions.
Why is the Challenge Handshake Authentication Protocol (CHAP) more secure than the Password Authentication Protocol (PAP)?
Depends on a shared secret that is not sent across the wire. Provides protection against Playback Attacks since a Sniffer will not know the shared secret.
What protocol is Microsoft’s Active Directory based on?
Kerberos
What RFC describes the Kerberos protocol ?
RFC 1510
How long has Kerberos been integrated into the Windows Operating system?
Since Windows 2000
In Active Directory (Kerberos) does each domain operate in its own authentication space?
Yes
In Active Directory (Kerberos) can each domain contain different users, network assets, and data objects?
Yes
In Active Directory (Kerberos) how does Active Directory control access to data objects?
1: Users are placed into Groups
2: Each group may be granted access to various domains within the system.
In Active Directory (Kerberos), If a two-way trust is established between two domains, can users and data objects from each domain access groups belonging to either domain?
Yes
In Active Directory (Kerberos), If a one-way trust is established between two domains, can users from the trusted domain access resources in the trusting domain?
Yes
In Active Directory (Kerberos), can Trusts be either transitive or non-transitive?
Yes
In Active Directory (Kerberos), non-transitive trusts only exist between
two trust partners and nobody else.
In Active Directory (Kerberos), transitive trusts exist between
the two partners and all of their partner domains.
What are the three concepts that affect Access Control but must be addressed by an organization's procedures?
1: Least Privilege:
2: Separation of Duties:
3: Rotation of Duties
In the Procedural Issues for Access Control context, what is Least Privilege?
Limiting the access of authorized users to data they require to perform their duties only.
In the Procedural Issues for Access Control context, what is Separation of Duties?
1: Allows an organization to maintain checks and balances among employees for privileged access.
2: Mandating that more than one person is required for a sensitive transaction.
In the Procedural Issues for Access Control context, what is a Separation of Duties example?
Nuke Control
In the Procedural Issues for Access Control context, what is Rotation of Duties?
When leadership rotates the staff through the same duties.
In the Procedural Issues for Access Control context, what risk does Rotation of Duties mitigate?
Collusion
In an Access Control context, objects have ______ for classification?
Labels
In an Access Control context, name three typical labels used by governments.
Confidential
Secret
Top Secret
In an Access Control context,
Unauthorized disclosure of which could reasonably expect to cause damage to national security.
is the definition of which label?
Unclassified
Sensitive But Unclassified (SBU):
Controlled Unclassified Information (CUI):
For Official Use Only (FOUO)
Confidential
Secret
Top Secret
Confidential
In an Access Control context,
Unauthorized disclosure of which could reasonably expect to cause serious damage to national security.
is the definition of which label?
Unclassified
Sensitive But Unclassified (SBU):
Controlled Unclassified Information (CUI):
For Official Use Only (FOUO)
Confidential
Secret
Top Secret
Secret
In an Access Control context,
Unauthorized disclosure of which could reasonably expect to cause grave damage to national security.
is the definition of which label?
Unclassified
Sensitive But Unclassified (SBU):
Controlled Unclassified Information (CUI):
For Official Use Only (FOUO)
Confidential
Secret
Top Secret
Top Secret
In an Access Control context,
Which US executive order defines classification criteria?
Executive Order 12356 – National Security Information
In an Access Control context,
Data that is not sensitive
is the definition of which label?
Unclassified
Sensitive But Unclassified (SBU):
Controlled Unclassified Information (CUI):
For Official Use Only (FOUO)
Confidential
Secret
Top Secret
Unclassified
In an Access Control context,
Sensitive but unclassified and is not a matter of national security (Example: Healthcare).
is the definition of which label?
Unclassified
Sensitive But Unclassified (SBU):
Controlled Unclassified Information (CUI):
For Official Use Only (FOUO)
Confidential
Secret
Top Secret
Sensitive But Unclassified (SBU)
In an Access Control context,
Certain types of unclassified information require access and distribution controls;
is the definition of which label?
Unclassified
Sensitive But Unclassified (SBU):
Controlled Unclassified Information (CUI):
For Official Use Only (FOUO)
Confidential
Secret
Top Secret
Controlled Unclassified Information (CUI)
In an Access Control context,
Unauthorized disclosure of which could adversely impact a person’s privacy or welfare, the conduct of Federal programs, or other programs or operations essential to the national interest.
is the definition of which label?
Unclassified
Sensitive But Unclassified (SBU):
Controlled Unclassified Information (CUI):
For Official Use Only (FOUO)
Confidential
Secret
Top Secret
For Official Use Only (FOUO)
In an Access Control context,
Labels enforce which CIA (Confidentiality, Integrity, Availability) Concept?
Need to Know
or
Least Privilege
Least Privilege
In an Access Control context,
Compartments enforce which CIA (Confidentiality, Integrity, Availability) Concept?
Need to Know
or
Least Privilege
Need to Know
In an Access Control context,
In the US Government, these programs are examples of what?
HCS
COMINT (SI)
GAMMA (G)
TALENT KEYHOLE (TK)
Sensitive Compartmented Information (SCI)
In an Access Control context,
In the private sector, name two typical compartments of information.
Internal Use Only
Proprietary
In an Access Control context, subjects have ______ for determining access to certain objects?
Clearances
In an Access Control context,
What is a subject’s Clearance?
1: A determination about whether or not a person can be trusted with a specific level of information.
2: Assesses current and potential trustworthiness.
In an Access Control context,
True or False
In many world governments, the clearance name mirrors the object label name.
True
In an Access Control context,
To receive each level of clearance, subjects must undergo _____
A myriad of different investigations and the collection of personal data.
In an Access Control context,
Name three areas of investigation that are typically reviewed to get a clearance.
1: Credit Score
2: Arrest Record
3: Neighbor and friend Interviews
In an Access Control context,
Once the clearance investigation is complete, who makes a determination for approval?
An administrative judge
In an Access Control context,
In a clearance investigation, what are two common reasons to disapprove a clearance?
Drug Use
Foreign Influence
In an Access Control context,
What is the definition of a Formal Access Approval process?
Documented approval from the Data Owner for a subject to access certain objects.
In an Access Control context,
In a Formal Access Approval process, name two requirements.
1: Requires the subject to understand the rules for accessing data.
2: Requires the subject to understand the consequences should the data become
Lost
Destroyed
Compromised
In an Access Control context,
What are two methods that you can use to control subjects' access to objects?
1: Rule Based Access Controls
2: Access Control Lists
In an Access Control context,
What are Rule Based Access Controls?
Use a series of defined rules, restrictions and filters for accessing objects.
Uses If-Then statements.
Example: If the subject is authorized to surf the web, and the site is on the authorized list, then allow access.
In an Access Control context,
What are Access Control Lists?
A list of objects that specific subjects can access.
Several technologies use a form of Access Control Lists.
In an Access Control context,
List three typical technologies that use Access Control Lists.
1: Firewalls
2: Routers
3: Border Access Devices
In an Access Control context,
For both “Rules Based Access Control” and “Access Control Lists”, what procedure must you have in place?
Must plan for and implement a routine update procedure.
In an Authentication Method context,
What is a Credential Set?
A Credential Set is the combination of the Identification and the Authentication of a subject.
What are the three Access Control Categories?
1: Administrative or Directive
2: Technical Controls
3: Physical Controls
What are five typical programs for the Administrative Category?
1: Policy
2: Procedure
3: Regulating
4: Training
5: Awareness
What is a Technical Control?
Automated controls that provide logical restrictions:
Routers
Firewalls
Encryption
etc
What is a Physical Control?
Uses physical devices to provide barriers
Locks
Fences
Gates
Security Guards
Etc
In an Access Control Category context, what is a Preventive Control?
Prevents actions from occurring.
Applies restrictions to what a potential subject can do.
Potential subjects can be authorized or not
In an Access Control Category context,
Give an example of an Administrative Preventive Control.
Pre-employment drug screening designed to prevent an organization from hiring a drug user.
In an Access Control Category context,
Give an example of a Technical Preventive Control.
Establishing privileges on a system for specific subjects.
In an Access Control Category context,
Give an example of a Physical Preventive Control.
A fence to protect a facility.
In an Access Control Category context,
True or False
Preventive and Preventative are synonyms for the test.
True
In an Access Control Category context,
What is a Detective Control?
Controls that alert during or after a successful attack.
In an Access Control Category context,
Give two examples of Technical Detective Controls
1: Intrusion Detection Systems (IDS)
2: Closed Circuit TV (CCTV)
In an Access Control Category context,
What is a Corrective Control?
Corrects damaged system or process.
Typically works hand-in-hand with Detective Controls
In an Access Control Category context,
What is a Recovery Control?
Actions taken to recover from a security incident like
Rebuild the laptop
Restore from tapes
In an Access Control Category context,
What is an Administrative Corrective Control example?
Intrusion Detection System alerts to a possible attack on port 446 and blocks the port (Corrective). Anti-Virus discovers that the target is still infected. You have to rebuild the machine (Recovery).
In an Access Control Category context,
What is a Deterrent Control?
Deter subjects from performing actions on a system.
In an Access Control Category context,
What is a Physical Deterrent Example?
Beware of Dog Sign
In an Access Control Category context,
What are two Administrative Deterrent Examples?
1: Large fines for speeding
2: Sanction Policy that says employees will be fired for surfing porn sites.
In an Access Control Category context,
What is a Compensating Control?
Additional controls put in place to compensate for other control weaknesses.
In an Access Control Category context,
Name the three Authentication Types and an extra one.
Type 1: Something You Know
Type 2: Something You Have
Type 3: Something You Are
Extra: Some Place You Are
In an Access Control Category context,
What is Strong Authentication?
By using two of the three types of authentication together
Type 1: Something You Know
Type 2: Something You Have
Type 3: Something You Are
Extra: Some Place You Are
In an Access Control Category context,
What is Something You Know?
Requires testing the subject with some sort of Challenge and Response.
In an Access Control Category context,
What are four typical Challenge and Response Mechanisms for Something You Know?
1: Static Password
2: Passphrase
3: One Time Password
4: Dynamic Passwords
In an Access Control Category context,
What is a static password?
Reusable and may not expire.
User generated
In an Access Control Category context,
What are two weaknesses to a static password?
1: Good ones are hard to remember; Subjects may be tempted to write them down in order to remember them.
2: Inherently limited, regardless of the complexity, because it can be stolen.
In an Access Control Category context,
What is the easiest and often weakest form of authentication?
Static Passwords
Passphrase
One Time Password
Dynamic Passwords
Static Passwords
In an Access Control Category context,
What is another name for Strong Authentication?
multi-factor authentication
In an Access Control Category context,
What is a password hash?
Typically, clear text passwords are not stored on IT systems; their hashes are.
Hashing is a one-way encryption using an algorithm and no key and cannot be reversed.
In an Access Control Category context,
What does Microsoft LanMan do to passwords before it creates the hash?
Converts all passwords to uppercase before hashing.
In an Access Control Category context,
What is password cracking?
When the attacker guesses at the password and runs the guesses through the hash algorithm.
In an Access Control Category context,
What are three password cracking techniques?
1: Dictionary Attacks:
2: Brute Force Attacks
3: Hybrid Attacks
In a Password Cracking context,
what is a Dictionary Attack?
The attacker uses a predefined list of words and runs them through the hash algorithm.
In a Password Cracking context,
what is a mitigating control against a Dictionary Attack?
Subjects can thwart dictionary attacks by adding special characters to their password.
In a Password Cracking context,
What is a Brute Force attack ?
The attacker calculates the hash of every possible word and stores them in Rainbow Tables.
In a Password Cracking context,
What is a Rainbow Table?
For Brute Force Attacks, the attacker calculates the hash of every possible word and stores them in Rainbow Tables.
In a Password Cracking context,
What are two weaknesses to Brute Force Attacks?
1: Take time
2: Rainbow Tables may not be complete.
In a Password Cracking context,
What is more effective:
Brute Force Attacks
or
Dictionary Attacks?
Brute Force Attacks
In a Password Cracking context,
What is a Hybrid Attack?
Taking a dictionary list and appending hashes for word combinations like replacing the letter “o” with the number “0.”
In a Password Cracking context,
Where does UNIX typically store password hashes?
Typically stores password hashes in /etc/shadow only accessible by root.
In a Password Cracking context,
Where does Windows typically store password hashes?
Stores password hashes locally and on the Domain Controller in a file called the Security Account Management (SAM) file.
If a subject cannot reach the Domain Controller, then the local system may use the local hash.
In a Password Cracking context,
What is a mitigating control against Brute Force Attacks?
Access to the SAM file and the Shadow file should be limited.
In a Password Cracking context,
What is the SAM file on Windows Systems?
The Security Account Management (SAM) file
In a Password Cracking context,
What is the Shadow file on UNIX Systems?
Typically stores password hashes
In a Password Cracking context,
What are two tools used by hackers to crack the SAM (Security Account Management ) File on Windows?
fgdump
“Cain and Abel”
In a Password Cracking context,
What is a SALT?
UNIX / LINUX systems combine passwords with SALTS so that two subjects using the same password will generate completely different hashes
In a Password Cracking context,
What is a Mitigating control for UNIX/LINUX systems to protect against Brute Force Attacks?
SALTS
The attacker now has to hash the same password many times, once with each salt used.
In a Password Cracking context,
According to both Microsoft and the US Department of Defense.
What is the number of passwords the OS should remember?
24
In a Password Cracking context,
According to both Microsoft and the US Department of Defense.
What is the maximum number of days that a password can be used?
90
In a Password Cracking context,
According to both Microsoft and the US Department of Defense,
what is the minimum number of days that a password can be used, to ensure that subjects do not cycle through their password history 24 times in one session to get back to their original password?
2
In a Password Cracking context,
According to both Microsoft and the US Department of Defense,
what is the minimum number of characters required in a password?
8
In a Password Cracking context,
According to both Microsoft and the US Department of Defense,
True or False:
Passwords must meet complexity requirements?
True
What is Type 2 Authentication: Something You Have?
Requires something that a user possesses.
In an Access Control Category context,
What is Type 1 Authentication?
Type 1: Something You Know
In an Access Control Category context,
What is Type 2 Authentication?
Type 2: Something You Have
In an Access Control Category context,
What is Type 3 Authentication?
Type 3: Something You Are
In an Access Control Category context,
What is an extra type of authentication besides the first three?
Extra: Some Place You Are
In a Type 2 Authentication (Something You Have) context,
What is a token?
An object that helps prove an identity claim.
In a Type 2 Authentication (Something You Have) context,
Name three examples of typical tokens
Car Keys
Credit Cards
Paper Documents
In a Type 2 Authentication (Something You Have) context,
What is a Synchronous Dynamic Token?
Uses time or counters to synchronize a displayed token code with the same code on an authentication server.
In a Type 2 Authentication (Something You Have) context,
What is a Time-Based Synchronous Dynamic Token?
Codes change frequently
The authentication server knows the serial number of each authorized token, the subject associated to it and the time. With these three parameters, it can predict the valid dynamic code for each token.
In a Type 2 Authentication (Something You Have) context,
What is a Counter-Based Synchronous Dynamic Token?
The Authentication Server expects Token 1 first, then Token 2, then Token 3, etc.
In a Type 2 Authentication (Something You Have) context,
With both Time-based and Counter-based Synchronous Dynamic Tokens
What are the typical two factors used?
1: Authentication pair (username and password/pin) (Something they know)
2: The dynamic token code (Something they have).
In a Type 2 Authentication (Something You Have) context,
What is an Asynchronous Dynamic Token?
Not synchronized with an authentication server.
In a Type 2 Authentication (Something You Have) context,
with an Asynchronous Dynamic Token model, what is the typical method called?
A challenge-response Token
In a Type 2 Authentication (Something You Have) context,
how does the Asynchronous Dynamic token challenge-response model work?
1: Subject enters username (Identity Claim)
2: System sends challenge
3: Subject enters challenge-answer and pin (Something you know [Type 1] and something you Have[Type 2])
4: Token generates response and sends to system
What is Type 3 Authentication: Something You Are
Biometrics
What is Biometrics?
Uses physical characteristics as a means of Identification or Authentication.
From the Greek words bios (life) and metric (measurement).
What is a weakness in Type 1 Authentication (Something You Know)?
The subject has to remember a password.
What is one pro of biometrics over Type 1 Authentication (Something You Know)
Eliminates the need for the subject to remember a password.
True or False
Biometric data is considered PII and should be protected accordingly.
True
Name 5 characteristics of a good Biometric System
1: Must be reliable and resistant to counterfeiting.
2: The data storage requirement (template or file size) should be small (1000 bytes or less).
3: Should not cause undue psychological stress (Retina scans are rarely used for this reason)
4: Must be useable by all staff or compensating controls must exist.
5: Any biometric that facilitates the exchange of body fluids is a serious negative (Retina Scans, Fingerprint scans).
In a biometric context,
what is enrollment?
A one-time process to register with a biometric system that should take less than two minutes
Creating the account with Identity-Authentication pair associated with the biometric information.
In a biometric context,
what is Throughput?
Describes the process of authenticating with a biometric system.
In a biometric context,
what is good Throughput number?
The biometric response time should be no more than 6-10 seconds.
What are the three biometric accuracy metrics?
1: False Reject Rate (FRR) (Type I Errors)
2: False Accept Rate (FAR) (Type II Errors)
3: Crossover Error Rate (CER)
In a biometric accuracy metric context,
what is an FRR?
False Reject Rate (FRR) (Type I Errors)
In a biometric accuracy metric context,
what type of error is Type I Error?
False Reject Rate (FRR) (Type I Errors)
In a biometric accuracy metric context,
what type of error is Type II Error?
False Accept Rate (FAR) (Type II Errors)
In a biometric accuracy metric context,
what is a Type II Error?
False Accept Rate (FAR) (Type II Errors)
In a biometric accuracy metric context,
What is False Reject Rate (FRR) (Type 1 Error)?
The rate at which an authorized subject is rejected by the biometric system.
In a biometric accuracy metric context,
What are three problems high False Reject Rates (FRR) (Type 1 Errors) cause?
1: Authorized subject frustration
2: Reduction in work due to poor access conditions
3: Expenditure of resources to revalidate authorized users
In a biometric accuracy metric context,
What is the main problem with any False Accept Rates (FARs) (Type 2 Errors)?
Unauthorized subjects gain access to the system.
In a biometric accuracy metric context,
What is worse?
False Reject Rate (FRR) (Type 1 Errors)
False Accept Rates (FARs) (Type 2 Errors)?
A False Accept Rate (FAR – Type 2 Error) is worse than a False Reject Rate (FRR – Type 1 Error) because it is better to reject a legitimate subject than it is to accept an imposter.
In a biometric accuracy metric context,
What is the Crossover Error Rate (CER)?
The point where the False Reject Rate (FRR – Type I Error) and False Accept Rate (FAR – Type 2 Error) are equal.
In a biometric accuracy metric context,
What is another name for the Crossover Error Rate (CER)?
Equal Error Rate (EER)
In a biometric accuracy metric context,
What is the purpose of the Crossover Error Rate (CER)?
Crossover Error Rate (CER) is a comparison metric for different biometric devices and technologies.
In a biometric accuracy metric context,
What is the significance of the Crossover Error Rate (CER)?
As an identification device becomes more sensitive or accurate, its FAR decreases while its FRR increases. The CER is the point at which these two rates are equal, or cross over.
Using the CER as an impartial judgment of a biometric system helps create standards by which products from different vendors can be fairly judged and evaluated.
In a biometric accuracy metric context,
What are 8 typical biometric controls?
1: Fingerprints
2: Retina Scan
3: Iris Scan
4: Hand Geometry
5: Keyboard Dynamics
6: Dynamic Signature
7: Voice Prints
8: Facial Scans
In a biometric accuracy metric context,
What is the widely used Biometric Control today?
1: Fingerprints
In a biometric accuracy metric context,
How do fingerprint scans work?
The data stored is a mathematical representation of fingerprint minutiae (Friction Ridges) like
Whorls
Ridges
Bifurcation
In a biometric accuracy metric context,
How do retina scans work?
A laser scan of the capillaries which feed the retina at the back of the eye; maps the blood vessels of the eye.
In a biometric accuracy metric context,
Why are retina scans rarely used?
Retina scans are rarely used because of the health risks and invasion-of-privacy issues.
In a biometric accuracy metric context,
How do Iris scans work?
A passive biometric control where a camera takes a picture of the iris (the colored portion of the eye). The system compares the picture to the stored info in the database.
In a biometric accuracy metric context,
Name 4 pros to Iris scans?
1: It works through contact lenses and glasses.
2: High accuracy
3: Passive (May be done without the subject knowing)
4: No exchange of body fluids.
In a biometric accuracy metric context,
How do Hand Geometry scans work?
A passive biometric control that takes measurements from specific points in the hand.
Length
Width
Thickness
Surface Area
In a biometric accuracy metric context,
Name one pro for Hand Geometry scans?
Simple devices where the stored information (template or file size) is very small.
In a biometric accuracy metric context,
How do Keyboard Dynamics systems work?
Measures how hard a subject presses each key and the rhythm that each key is pressed.
In a biometric accuracy metric context,
Name two pros to Keyboard Dynamics systems?
1: Cheap to implement
2: Reliable but not perfect.
In a biometric accuracy metric context,
How do Dynamic Signature systems work?
Measures the process by which a subject signs his name. It is similar to Keyboard Dynamics. It measures
Time
Pressure
Loops
Beginning and end points
In a biometric accuracy metric context,
Name two pros to Dynamic Signature systems?
1: Cheap to implement
2: Reliable but not perfect.
Similar to Keyboard Dynamics systems
In a biometric accuracy metric context,
How do Voice Print systems work?
Measures the subject’s tone of voice while saying a specific sentence or phrase
In a biometric accuracy metric context,
Name two cons to Voice Print systems?
1: Vulnerable to replay attacks
2: Vulnerable to changes in the subject’s voice due to illness.
In a biometric accuracy metric context,
Name a countermeasure to Voice Print replay attack?
Subjects insert random words.
In a biometric accuracy metric context,
How do facial scan systems work?
Passively takes a picture of the subject’s face and compares it to other pictures in a stored database.
Uses facial geometry to distinguish between faces.
Measures unique distances between facial features compared to the size of the face.
In a biometric accuracy metric context,
Name one pro to facial scan systems?
Disguises do not fool it.
In a biometric accuracy metric context,
Name one con to facial scan systems?
Expensive
In a biometric accuracy metric context,
What is a good use facial scan systems?
Not typically used for Biometric authentication control because of the high cost but is a good solution for very important systems.
In a biometric accuracy metric context,
What is the extra authentication type besides Types 1, 2 and 3?
Authentication: Somewhere You Are
In a biometric accuracy metric context,
How do Authentication (Somewhere You Are) systems work?
Global Positioning System (GPS)
IP-Based Geo-location
Physical location of Point of Sale Devices
To deny access if the subject is in the wrong location.
In an Access Control Technologies context,
What is a Single Sign-On (SSO) system?
Allows multiple subjects to use a central authentication server (AS) to access and maintain multiple systems.
In an Access Control Technologies context,
Name three benefits to Single Sign-On (SSO) systems?
1: Improved User Productivity because subjects do not have to remember Identity – Authentication pairs for multiple systems.
2: Improved Developer Productivity because a common authentication framework is provided.
3: Simplified Administration because system admins only have to maintain one system.
In an Access Control Technologies context,
Name three disadvantages to Single Sign-On (SSO) systems?
1: Difficult to retrofit; especially legacy systems.
2: Unattended Computer: With SSO, if a subject walks away from his computer, then anybody could have access to all of his resources. With a Multiple Sign On system, the damage is limited to only the one device.
3: Single point of Attack: A hacker only has to compromise one system to have the keys to the city.
In an Access Control Technologies context,
What is Kerberos?
It is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder.
In an Access Control Technologies context,
What is Kerberos named after in Greek mythology?
The name (also spelled Cerberus) of the Three Headed Dog in Greek Mythology that guards the entrance to Hades.
In an Access Control Technologies context,
What do the three heads of Cerberus signify in the Kerberos system?
Either:
Authentication
Authorization
Accountability
(but the original Kerberos only provided authentication)
or:
The Client
The KDC (Key Distribution Center)
The Server
In an Access Control Technologies context,
Name three advantages of the Kerberos system?
1: Provides AAA while preventing eavesdropping attacks.
2: Provides for data stream integrity (Detection of Modification)
3: Prevents unauthorized Reading
In an Access Control Technologies context,
In the Kerberos system, what is a Principal?
Client or Service
In an Access Control Technologies context,
In the Kerberos system,
what is a Realm?
A logical Kerberos network;
In an Access Control Technologies context,
Does the Kerberos system use
Asymmetric or Symmetric encryption?
All entities have a common shared secret in order to communicate with trust.
All messages are encrypted using Symmetric Key Encryption (Not PKI).
In an Access Control Technologies context,
with the Kerberos system,
what is a Ticket?
Data that authenticates a principal’s identity.
In an Access Control Technologies context,
with the Kerberos system,
what is a Credential?
A Ticket and a Service Key
In an Access Control Technologies context,
with the Kerberos system,
what is the KDC?
Key Distribution Center
In an Access Control Technologies context,
with the Kerberos system,
what does the Key Distribution Center do?
Authenticates principals by storing a cryptographic key known only to the security principal and the KDC. This key is used in exchanges between the security principal and the KDC and is known as a long term key.
In an Access Control Technologies context,
with the Kerberos system,
how is the Long Term Key derived?
It is derived from a user’s logon password.
In an Access Control Technologies context,
with the Kerberos system,
what is the TGT?
Ticket Granting Ticket
In an Access Control Technologies context,
with the Kerberos system,
what does the TGT (Ticket Granting Ticket) do?
Allows the client to request service tickets and is analogous to a passport - i.e. it is valid for a certain period after which it expires; however once the TGT has been issued, there is no further use of passwords or other logon factors.
In an Access Control Technologies context,
with the Kerberos system,
name two attacks that Kerberos does not protect against
1: “Denial of service” attacks
2: “Password guessing” attacks
In an Access Control Technologies context,
with the Kerberos system,
name three assumptions that Kerberos uses in its design
1: Principals must keep their secret keys secret.
2: Each host on the network must have a clock which is “loosely synchronized” to the time of the other hosts
3: Principal identifiers are not recycled on a short-term basis.
In an Access Control Technologies context,
with the Kerberos system,
name four reasons why authentication is secure
1: Passwords do not appear as plaintext
2: Does not rely on authentication by the host operating system
3: Does not base trust on IP addresses
4: Does not require physical security of the network hosts
In an Access Control Technologies context,
with the Kerberos system,
name four strengths
1: Provides mutual authentication
2: Defends against Rogue KDCs because passwords are never passed across the network
3: Mitigates replay attacks because of the use of timestamps.
4: Stateless: credentials issued by the TGS or the KDC are good for the lifetime even if those systems are down.
In an Access Control Technologies context,
with the Kerberos system,
name four weaknesses
1: The KDC stores the plain text keys of all principals. (Single Point of Failure)
2: Replay attacks are still possible for the lifetime of the authenticator.
3: In version 4, any user may request a session key. Eve may want to authenticate with Alice. The KDC sends a session key to Eve encrypted with Alice’s secret key. Eve can then try to brute force the key.
In version 5, Kerberos added one additional step. Alice encrypts the current time with her key, thus if the authenticator’s timestamp is off by more than the clock skew (usually set to 5 minutes), the request is rejected.
4: Does not mitigate a malicious local host; plaintext keys may exist in memory. A malicious local user or process may be able to steal locally cached credentials.
In an Access Control Technologies context,
with the Kerberos system,
Describe the authentication process
Notation: (X)K means X encrypted with key K.
Client → KRB_AS_REQ (Authenticator)Alice Secret Key, Alice’s SID → KDC
KDC → Uses Alice’s SID to look up Alice’s Secret Key
KDC → Decrypts (Authenticator)Alice Secret Key with Alice’s Secret Key.
If successful,
KDC → KRB_AS_REP (TGT)TGS Secret Key → Client
KDC → KRB_AS_REP (Session Key)Alice Secret Key → Client
If Alice cannot decrypt (Session Key)Alice Secret Key, then the session key is invalid (Rogue KDC).
If Alice can decrypt it, Alice now has a valid Session Key.
In an Access Control Technologies context,
with the Kerberos system,
Describe The Ticket-Granting Service Exchange
Client → KRB_TGS_REQ (TGT)TGS Secret Key, Resource Request → TGS
TGS → Decrypts (TGT)TGS Secret Key with its own TGS Secret Key.
If successful,
TGS → KRB_TGS_REP (TGT)Resource Secret Key → Client
In an Access Control Technologies context,
with the Kerberos system,
Describe Getting access to a resource
Client → KRB_AP_REQ (TGT)Resource Secret Key → Resource
Resource → Decrypts (TGT)Resource Secret Key with its own Resource Secret Key
If Successful, the Resource knows the request is authenticated
Resource → Checks if Alice is authorized to use the resource.
In an Access Control Technologies context,
with the Kerberos system and Active Directory,
are the TGS and the KDC on the same server?
(True or False)
True
In an Access Control Technologies context,
with the Kerberos system,
Does the TGS authorize the principal to use a resource?
No
Note: The TGS cannot determine if the user will be able to get access to the target server. It simply returns a valid ticket. Authentication does not imply authorization.
In an Access Control Technologies context,
what does SESAME stand for?
Secure European System for Applications in a Multi-vendor Environment
In an Access Control Technologies context,
what is SESAME?
A sequel to Kerberos that adds asymmetric public key encryption.
Mitigates Kerberos’s weakness of storing symmetric plain text keys on the KDC.
In an Access Control Technologies context,
what does SESAME use in place of the Kerberos Tickets?
Uses Privilege Attribute Certificates (PACs) in place of the Kerberos Tickets.
In an Access Control Technologies context,
What is one of the easiest ways to verify that access controls are working?
Audit security logs
In an Access Control Technologies context,
name seven typical hardware and software devices that generate useful security logs
1: AV
2: IDS/IPS
3: Remote Access Software
4: Web Proxy
5: Vulnerability Management
6: Authentication Servers
7: Routers and Firewalls
In an Access Control Technologies context,
name six useful items to log on an operating system
1: System Events
2: Audit Records
3: Applications
4: Client Requests and Server Responses
5: Usage Information
6: Significant Operational Actions
In an Access Control Technologies context,
name five typical mistakes made during log analysis?
1: Logs are not reviewed on a timely or regular basis
2: Logs are not stored for long enough periods
3: Logs are not standardized or viewable by correlation toolsets
4: Log entries and alerts are not prioritized.
5: Logs are only reviewed for the bad stuff.
What are three general categories to describe attackers?
1: White Hat
2: Black Hat
3: Grey Hat
In the Assessing Access Control context,
Name three narrow scope tests
1: Penetration Tests
2: Vulnerability Assessments
3: Security Audits
In the Assessing Access Control context,
What is a Penetration Test?
A white hat hacker who receives permission to attempt to break into the system. Typical pen test areas:
Internet
DMZ
Wardialing
Wireless
Physical
In the Assessing Access Control context,
What is a Zero-Knowledge (Black Box) Pen Test?
The White hat hacker has no knowledge of the system he is trying to break into.
In the Assessing Access Control context,
What kind of box is a Zero-Knowledge Pen Test?
Black Box
In the Assessing Access Control context,
What kind of box is a Full-Knowledge Pen Test?
Crystal Box
In the Assessing Access Control context,
What is a Full-Knowledge (Crystal Box) Pen Test?
Full-Knowledge (Crystal Box) Pen Tests mean that the White Hat Hacker has inside knowledge
In the Assessing Access Control context,
What is a Partial knowledge Pen Test?
Partial knowledge means that the white hat hacker has some knowledge.
In the Assessing Access Control context,
Name three typical tools used by Pen Testers
1: Metasploit
2: CoreImpact
3: Immunity Canvas
In the Assessing Access Control context,
Name the five step Pen Test methodology
1: Planning
2: Recon
3: Scanning (enumeration)
4: Exploitation
5: Reporting
In the Assessing Access Control context,
What must a Pen Tester do if he finds evidence of a previous attack or a violation of confidentiality or integrity?
Stop and escalate to the customer.
A Pen Tester must protect the confidentiality and integrity of the systems they are testing.
In the Assessing Access Control context,
Name two Vulnerability Assessment tools
1: Nessus
2: OpenVAS
In the Assessing Access Control context,
What is a Security Audit?
A test against a published standard
In the Assessing Access Control context,
Name five Broad Scope areas to assess and three Narrow Scope areas.
Broad Scope:
1: Policies
2: Procedures
3: Admin Controls
4: Change Management
5: Architectural Review
Narrow Scope:
1: Pen Tests
2: Vuln Assessments
3: Security Audits
What type of password cracking will always be successful?
A: Brute Force
B: Dictionary
C: Hybrid
D: Rainbow Table
A: Brute Force
What is the difference between password cracking and password guessing?
A: They are the Same
B: Password guessing attempts to log into the system. Password cracking attempts to determine a password used to create a hash.
C: Password guessing uses Salts, password cracking does not.
D: Password cracking risks account lockout, password cracking does not.
B: Password guessing attempts to log into the system. Password cracking attempts to determine a password used to create a hash.
The most insidious part of Phishing and Spear Phishing attacks comes from which part of the attack anatomy?
A: Each Phishing and Spear Phishing attack is socially engineered to trick the user to provide information to the attacker.
B: Phishing and Spear Phishing attacks always have malicious code downloaded onto the user’s computer.
C: Phishing and Spear Phishing attacks are poorly written.
D: Phishing and Spear Phishing attacks are rarely successful.
A: Each Phishing and Spear Phishing attack is socially engineered to trick the user to provide information to the attacker.
What is the term used for describing when an attacker, through a command and control network, controls hundreds, thousands, or even tens of thousands of computers and instructs all of these computers to perform actions all at once?
A: Flooding
B: Spamming
C: Phishing
D: Botnets
D: Botnets
What are the main differences between retina scans and iris scans?
A: Retina scans are not invasive and iris scans are
B: Iris scans invade a person’s privacy and retina scans do not.
C: Iris scans change depending on the person’s health, retina scans are stable.
D: Retina scans change depending on the person’s health, iris scans are stable.
D: Retina scans change depending on the person’s health, iris scans are stable.
What is the most important decision an organization needs to make when implementing RBAC?
A: Each user’s security clearance needs to be finalized.
B: The roles users have on the system need to be clearly defined.
C: Users’ data need to be clearly labeled.
D: Users must be segregated from one another on the IT system to prevent spillage of sensitive data.
B: The roles users have on the system need to be clearly defined.
What access control method weighs additional factors such as time of attempted access before granting access?
A: Content-dependent access control
B: Context-dependent access control
C: Role-based access control
D: Task-based access control
B: Context-dependent access control
An attacker sees a building is protected by security guards, and attacks a building next door with no security guards. What control combination are the security guards?
A: Physical / Compensating
B: Physical / Detective
C: Physical / Deterrent
D: Physical/Preventative
C: Physical / Deterrent
A Type II biometric error is also known as
A: Crossover Error Rate (CER)
B: Equal Error Rate (EER)
C: False Accept Rate (FAR)
D: False Reject Rate (FRR)
C: False Accept Rate (FAR)
With Kerberos, which part is the single point of failure?
A: The Ticket Granting Ticket
B: The realm
C: The Key Distribution Center
D: The Client-Server session key
C: The Key Distribution Center
Scenario: Your company has hired a third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are
1: The tests will be conducted on live, business functional, networks. These networks must be functional in order for the business to run and cannot be shutdown, even for an evaluation.
2: The company wants the most in-depth test possible.
What kind of test should be recommended?
A: Zero Knowledge
B: Partial Knowledge
C: Full Knowledge
D: Vulnerability Testing
C: Full Knowledge
Scenario: Your company has hired a third-party company to conduct a penetration test. Your CIO would like to know if exploitation of critical business systems is possible. The two requirements the company has are
1: The tests will be conducted on live, business functional, networks. These networks must be functional in order for the business to run and cannot be shutdown, even for an evaluation.
2: The company wants the most in-depth test possible.
While conducting a penetration test, the tester discovers a critical business system is currently compromised. What should the tester do?
A: Note the results in the pen testing report.
B: Immediately end the pen test and call the CIO
C: Remove the malware
D: Shut the system down.
B: Immediately end the pen test and call the CIO
A policy that states a user must have a business requirement to view data before attempting to do so is an example of enforcing what?
A: Least privilege
B: Need to know
C: Rotation of duties
D: Separation of duties
B: Need to know
What technique could raise the False Accept Rate (FAR) and lower the False Reject Rate (FRR) in a fingerprint scanning system?
A: Decrease the amount of minutiae that is verified.
B: Increase the amount of minutiae that is verified.
C: Lengthen the enrollment time
D: Lower the throughput time
A: Decrease the amount of minutiae that is verified.