Domain 5

Question 1

__ access control assigns users to groups based on their organizational functions.

Answer 1

RBAC (Role-based Access Control)

Question 2

__ aka __ is the percentage at which false rejection and false acceptance are equal. The lower this number, the more accurate the biometric device.

Answer 2

CER (Crossover Error Rate) aka EER (Equal Error Rate)

Question 3

__ identification is checking to see if you’re in a general category of people e.g. 21 or above for alcohol at a liquor store.

Answer 3

Negative

Question 4

__ identification is claiming to be a specific entity and matching up against that entity e.g. Eric boarding a flight.

Answer 4

Positive

Question 5

__ is a laser scan of blood vessels in the eye and may be seen as intrusive since you need to press up against sensor and it can provide information concerning illness.

Answer 5

Retina pattern. ‘R’ is red, blood is red

Question 6

__ is a passive scan of the eye. It is non-instrusive and can be scanned within a few feet.

Answer 6

Iris scan

Question 7

__ is a trusted third-party scheme that uses tickets to allow a user to log on to a system once and use any available services without re-authenticating to many different servers.

Answer 7

Kerberos

Question 8

__ is an authentication type that is accomplished through some form of token and is more expensive to implement since each user needs a token.

Answer 8

Something you have e.g. token, access card, cookie, magic stones. Could be stolen from adversary.

Question 9

__ is an easy type of authentication to implement however it’s also easy for an attacker to guess e.g. a password / PIN.

Answer 9

Something you know

Question 10

__ is an SSO authentication protocol invented at MIT.

Answer 10

Kerberos

Question 11

__ is based on what object the subject is trying to access and the events preceding the access attempt e.g. a user might be limited to 100 connections a day, after 100 she will be denied access. Or there is a quota where the user can access the resource as long as her data limited is not exceeded.

Answer 11

Content-Dependent Access Control aka Context-based Access Control

Question 12

__ is SSO that uses symmetric and asymmetric encryption.

Answer 12

SESAME (Secure European System for Applications in a Multi-Vendor Environment)

Question 13

__ is SSO for the cloud, sometimes also called __.

Answer 13

IDaaS (Identity as a Service), Cloud Identity e.g. Microsoft account, formerly Windows Live ID

Question 14

__ is the fluctuations in one’s voice that can uniquely identify the person.

Answer 14

Voice print

Question 15

__ is the part of IAAA that is least privilege, then there is __ when there is too much access for one person, then there is __ to prevent collusion since people become friends over time.

Answer 15

authorization, separation of duties, rotation of duties

Question 16

__ looks at the lines/shapes/depths/widths to come up with a geometric representation.

Answer 16

Hand geometry

Question 17

__ rate is the percentage of authentic persons rejected as unidentified/unverified. It is a Type __ error.

Answer 17

FRR (False Reject Rate), Type 1 error. It’s when a legitimate user is not allowed in. Just upsetting a legit user so think Type I is less than Type II (FAR)

Question 18

__ rate is the percentage of unenrolled/impostors accepts as authentic.

Answer 18

FAR (False Accept Rate), Type 2 error. It’s allowing someone in who shouldn’t be allowed in so think Type II is worse than Type 1 (FRR)

Question 19

__ targets actions based on rules for subjects operating on objects.

Answer 19

RSBAC (Rule Set-Based Access Control)

Question 20

A __ access control system where an administrator or data owner decides whether a user should have access to an object.

Answer 20

DAC (Discretionary Access Control)

Question 21

A __ attack on passwords will always work, it is just a matter of time.

Answer 21

Brute force

Question 22

A __ can be better than a password since it makes it easy for the user to remember but difficult for the adversary.

Answer 22

Passphrase

Question 23

A __ is a central trusted credential source for SSO. An example is LDAP.

Answer 23

Directory Service, LDAP (Lightweight Directory Access Protocol)

Question 24

A __ is a random number that is hashed along with the password. This makes rainbow tables impractical.

Answer 24

salt

Question 25

A __ is always running to make sure a subject’s clearance is equal to or greater than the object’s classification.

Answer 25

reference monitor

Question 26

A __ is when an owner authenticates himself to the token, then the token authenticates the owner to an information system e.g. having a USB stick in a computer to allow it to boot up

Answer 26

Static Password Token

Question 27

A __ offers reasonable tradeoff between complexity and length, offering less entropy per character but more overall entropy due to length.

Answer 27

Passphrase

Question 28

A __ token uses different challenges so responses are different and won’t be subject to a replay attack.

Answer 28

Challenge-Response Token

Question 29

A normal password with or without an expiration time that is user-picked or system-generated, and is reusable.

Answer 29

Static password

Question 30

A one-time password or __ password is ideal but also not scalable.

Answer 30

Dynamic (one time) password

Question 31

Acceptable throughput rate is __ users per minute or __ seconds per subject.

Answer 31

10 users per minute, 6-10 seconds per subject

Question 32

Account administration is sometimes also known as the __.

Answer 32

onboarding process

Question 33

AD uses __ as the primary method of authentication.

Answer 33

Kerberos

Question 34

An access control system that is not based on labels or at the discretion of an individual is __. A central authority determines the access.

Answer 34

Non-Discretionary Access Control is not based on labels (MAC) or discretion of individual (DAC) e.g. role-based, task-based

Question 35

Draw ACM (‘Access Control Matrix - Drawing 4G’) aka capability table

Answer 35

e.g. objects across top, subjects down left side; R/W/RW in the cells where they meet. Difficult to scale

Question 36

Draw out how Kerberos works

Answer 36

Refer to ‘Kerberos 1 - Quiz 5 Q40’ and ‘Kerberos 2 - D5 pg 40’

Question 37

Examples of this form of authentication are: If you are in a government building you can decrypt data, otherwise you cannot; a bank may check your IP and make you register each time it changes; blocking IP address based on country.

Answer 37

Some place you are

Question 38

Federated IdM standard that is a consumer-oriented integration.

Answer 38

OpenID, comprised of IdP (Identity Providers which are sources of identity info), RP (Relying Parties, sites that can use identity info from the IDp), Redirect URL (provided by IdP informing RP that subject been successfully authenticated

Question 39

Federated IdM standard that is an enterprise-oriented integration.

Answer 39

SAML (Security Assertions Markup Language). Allowing your users to login with their Facebook account. Comprised of SP (Service Provider, apps that can leverage identity/auth assertions from IDP), IDP (Identity Provider, origin of identity that creates assertions accepted by the SP), Assertion Consumer Service (hosted by SP and is where the IDP will send assertions)

Question 40

Fingerprints look at __ on the finger tip.

Answer 40

minutiae

Question 41

Palm scans look at __ on the hand.

Answer 41

minutiae

Question 42

For Kerberos every time you communicate with a new entity you have a new __ and at any given time only __ parties know the key which is how you do mutual authentication.

Answer 42

key pair, 2 parties; one person accessing one server uses 6 different keys

Question 43

For the CIA triad, Kerberos addresses __ and __ but not __.

Answer 43

Confidentiality, Integrity but not Availability since there’s only one KDC (single point of failure) which has the secret keys for every entity on the network.

Question 44

How often should a user change their password?

Answer 44

Before the time it takes an adversary to break it.

Question 45

Ideally passwords would be managed using an individual password manager or centrally managed via SSO (implemented at corporate level)?

Answer 45

Centrally managed

Question 46

If a generated password falls out of sync, this means you are likely using a __ password token.

Answer 46

Asynchronous Dynamic Password Token

Question 47

If a system will only allow open enrollment for medical care during a certain period of time what type of access control is this?

Answer 47

Temporal (time-based) Isolation which falls under Non-Discretionary Access Control

Question 48

If security is inserted directly into the protocol stack it would be the __ layer(s).

Answer 48

Presentation Layer 6

Question 49

If Word runs as a process and reads a configuration file what is the subject and object.

Answer 49

Word is the subject, config file is the object

Question 50

If you are using SSO from an untrusted network such as the internet or a high-risk area you must always use __.

Answer 50

Two factor authentication. Otherwise someone can get access to everything in your environment

Question 51

In access control model terminology the __ are the filters such as Read, Write and Execute for Unix.. __ are another set of rules with respect to sensitivity.

Answer 51

rules, sensitivity

Question 52

In access control model terminology the __ is the active entity (user, process or device) and the __ is the passive entity acted upon (files, directories, pipes, devices, sockets, ports).

Answer 52

subject, object

Question 53

In biometric access control, __ is how long it takes to add a new user. The standard is __ seconds per person.

Answer 53

Enrollment time, 2 min or 120 sec

Question 54

In biometrics, the __ is the recommend intrusive method. The __ is the recommended non-intrusive method.

Answer 54

fingerprint, iris

Question 55

In Kerberos if you have 100 users and 30 servers, how many keys do you have?

Answer 55

130 because you have a key for every entity

Question 56

In Kerberos, __ is used for authentication and __ is for authorization.

Answer 56

KDC (Key Distribution Center), TGS (Ticket Granting Server)

Question 57

In MAC, applying a label to a subject is called a __. Applying a label to an object is called a __.

Answer 57

clearance, classification

Question 58

In RBAC, __ is where users are granted access via ACLs. __ is where user access is mapped to applications. __ is where a user is assigned a role which is assigned access to applications or systems. __ is access controlled by roles and applied to applications and systems. It is determined on job function not application or system.

Answer 58

Non-RBAC, Limited RBAC, Hybrid RBAC, Full RBAC

Question 59

In th eprocess of employee termination, which access management activity most effectively controls access?

Answer 59

account revocation

Question 60

In the __ access control model every subject and object gets a label and any time the subject tries to access the objects, the __ checks access and either approves or denies it.

Answer 60

MAC (Mandatory Access Control), Reference Monitor

Question 61

It is critical that the screensaver locks the screen within __ minutes and does an automatic logoff within __ minutes.

Answer 61

5 min, 10 min. Can also have a physical card strapped to the person like a server at a restaurant.

Question 62

Kerberos uses tickets, SESAME uses __.

Answer 62

PACs (Privileged Attribute Certificate)

Question 63

__ is SSO that uses symmetric encryption for mutual authentication.

Answer 63

Kerberos

Question 64

Revocation in terms of the access provisioning lifecycle is sometimes known as the __.

Answer 64

Offboarding process. It includes the removal of access when necessary.

Question 65

SSO across multiple organizations e.g. logging in with Facebook credentials to other sites is called __.

Answer 65

Federated IdM (Identity Management)

Question 66

The most trusted entity in Kerberos is the __.

Answer 66

KDC (Key Distribution Center)

Question 67

The type of access control standard in most systems is __.

Answer 67

DAC (Discretionary Access Control)

Question 68

This type of authentication does not change and can cause privacy concerns.

Answer 68

Something you are. Implemented through biometrics.

Question 69

To catch advanced attacks you look for a __ such as a zero day attack.

Answer 69

Anomoly since it is unknown

Question 70

To catch traditional attacks you look for a __ which is a pattern of activity for known attacks.

Answer 70

Signature

Question 71

Two factor authentication is always better than single factor authentication. True or False

Answer 71

False. Two factor is only better if there is an overlapping element e.g. something you have and know is better than just something you have. However biometrics may be better than something you have and know. It depends on the question e.g. if there is a requirement to use a physical attribute choose something you are.

Question 72

Using a __, a password is only generated when you’re ready to authenticate e.g. Symantec VIP.

Answer 72

Asynchronous Dynamic Password Token

Question 73

What attribute of the Kerberos authentication process makes it so strong?

Answer 73

Mutual authentication

Question 74

What is one of the best methods for maintaining access?

Answer 74

put expiration dates on it like you would a license, credit card, passport

Question 75

What is the most critical criteria in making a decision?

Answer 75

COST since executive will always ask HOW MUCH and if you can’t afford it, it’s not worth looking at anything else. Reliability and user friendliness are secondary components.

Question 76

What type of token generates a new, unique token code at fixed time intervals?

Answer 76

Synchronous Dynamic Password Token. Synchronous means ‘same time’

Question 77

With a __ your token and server are synchronized so every 60 seconds, the passwords are generarted whether you’re using it or not e.g. Google Authenticator

Answer 77

Synchronous Dynamic Password Token. Synchronous means ‘same time’

Question 78

You can only submit your time card after 3pm on Friday. This is a type of __.

Answer 78

Temporal (time-based) Isolation which falls under Non-Discretionary Access Control

Question 79

A type of system where all objects are secret and all subjects are secret would be a __ system. What type of access control is typically used here.

Answer 79

Dedicated system (dedicated to a single classification), DAC is typically used here because if someone inadvertently gives access to someone you shouldn’t, it’s low risk since all files and users are at the same level.

Question 80

Type of computer system where objects are at different levels but subjects are at the highest level. Which access control method is typically used here.

Answer 80

System high (e.g. data is at unclassified, confidential, secret; all users accessing the system are at secret). DAC is typically used here since if someone inadvertently gives the wrong access to a user, the user still has the proper clearance so low risk.

Question 81

A __ environment is where there are different levels of data and different levels of users that can access the system (e.g. unclassified, secret, top secret data and users with unclassified, secret, top secret clearance). What type of access control should be used here?

Answer 81

MLS (multi-level secure system), must use MAC here to ensure the right clearance accesses the right classification. You cannot use DAC since if someone makes a mistake there would be a breach of security e.g. secret user accessing top secret content.

Question 82

Something you do is a subcategory of __.

Answer 82

Something you are (biometrics). Something you do would be signing your name or typing text on your keyboard.