Domain 5!

Question 1

What are the 3 types of authentication factors? (in order from 1 to 3)

Answer 1

1) Something you KNOW (a password)
2) Something you HAVE (a Token)
3) Something you ARE/DO (biometrics)

Question 2

What are some examples of Type 3 (biometrics) authentication factors that are considered, “something you ARE?” (there are 6)

Answer 2

1) Fingerprints
2) Face Scan
3) Retina Scan
4) Iris Scan
5) Palm Scan
6) Hand Geometry

Question 3

What is a Biometrics Type 1 Error?

Answer 3

Type 1 Error is a False Negative. This occurs when a valid subject is not authenticated.

Question 4

What is a Biometrics Type 2 Error?

Answer 4

Type 2 Error is a FALSE POSITIVE. This occurs when an invalid subject is authenticated.

Question 5

What are some examples of Type 3 (biometrics) authentication factors that are considered “something you DO?” (there are 4)

Answer 5

1) Heart/Pulse Patterns
2) Voice Pattern Recognition
3) Signature Dynamics
4) Keystroke Patterns

Question 6

What is a False Acceptance Rate (FAR)?

Answer 6

FAR is the ratio of Type 2 Errors to valid authentications.

Question 7

What is a False Rejection Rate (FRR)?

Answer 7

FRR is the ratio of Type 1 Errors to valid authentications.

Question 8

What is a Crossover/Equal Error Rate (CER/ERR)?

Answer 8

CER/ERR is used to compare the overall quality of biometric devices.

Question 9

What is Centralized Access Control?

Answer 9

Centralized Access Control is when all authorization verification is performed by a single entity within a system

Question 10

What is Decentralized Access Control?

Answer 10

Decentralized Access Control is when various entities located throughout the system perform authorization verification.

Question 11

Name a few SSO Mechanisms (name 3).

Answer 11

LDAP, PKI, and Kerberos

Question 12

How should you think of LDAP as an SSO Mechanism?

Answer 12

Think of LDAP as a telephone directory for network services and assets.

Question 13

Describe PKI as an SSO Mechanism.

Answer 13

PKI uses LDAP when integrating digital certificates into transmissions.

Question 14

Describe Kerberos as an SSO Mechanism.

Answer 14

Kerberos is the most common/well-known ticket system. Ticket authentication employs a third-party entity to prove identification and provide authentication.

Question 15

What does Kerberos provide regarding CIA?

Answer 15

Kerberos provides Confidentiality & Integrity.

Question 16

What 2 attacks does Kerberos help prevent?

Answer 16

Kerberos helps prevent Replay & Eavesdropping attacks.

Question 17

Name the 4 Kerberos Elements.

Answer 17

1) Key Distribution Center (KDC)
2) Kerberos Authentication Server
3) Ticket-Granting Ticker
4) Ticket

Question 18

Describe Kerberos’ Key Distribution Center.

Answer 18

The KDC is the trusted third party that provides authentication services.

Question 19

Describe the Kerberos Authentication Server/

Answer 19

The Kerberos Authentication Server hosts the functions of the KDC.

Question 20

Describe the Kerberos Ticket-Granting Ticket.

Answer 20

The Ticket-Granting Ticket provides proof that a subject has authenticated through KDC and is authorized access.

Question 21

Describe the Kerberos Ticket.

Answer 21

The Ticket is an encrypted message that provides proof that a subject is authorized to access an object.

Question 22

What is Implicit Deny?

Answer 22

Implicit Deny is (an Authorization Mechanism) when access to an object hasn’t been explicitly granted, then access is (implicitly) denied.

Question 23

What is a Permission?

Answer 23

A Permission is the access granted for an object and determine what you can do w/it

Question 24

What is a Right?

Answer 24

A Right refers to the ability to take an action on an object

Question 25

What is a Privilege?

Answer 25

A Privilege is a combination of rights and permissions.

Question 26

What Authorization Mechanism consults a table that consists of subjects, objects, and assigned privileges?

Answer 26

An Access Control Matrix

Question 27

What Authorization Mechanism is subject focused and identifies privileges assigned to subjects?

Answer 27

Capability Tables

Question 28

What Authorization Mechanism is object focused and identifies all of the users that are authorized access to specific objects?

Answer 28

An Access Control List (ACL)

Question 29

What Authorization Mechanism consists of applications that use constrained/restricted interfaces to restrict what users can do or see based on their privilege?

Answer 29

Constrained Interface

Question 30

What Authorization Mechanism restricts access to data based on the content within an object? Ex: a database view

Answer 30

Content-Dependent Control

Question 31

What Authorization Mechanism requires specific activity before granting users access? Ex: users must put item in cart before making purchase.

Answer 31

Context-Dependent Control

Question 32

What strategy uses multiple layers or levels of access controls to provide layered security such as physical, administrative, and technical/logical controls? Organizations implement access controls using this strategy.

Answer 32

Defense-In-Depth

Question 33

Which Access Control model has owners, creators, or custodians that control the access to objects? *It also uses ACL’s which makes it more flexible.

Answer 33

Discretionary Access Controls (DAC)

Question 34

Which Access Control model is centrally managed; meaning, it has administrators controlling access to objects?

Answer 34

Nondiscretionary Access Controls (Non-DAC). Central management makes it easy to manage.

Question 35

What Access Control Model is based on a subjects role or task assignment?

Answer 35

Role-Based Access Control

Question 36

What Access Control Model enforces Least-Privilege by preventing Privilege Creep?

Answer 36

Role-Based Access Control

Question 37

What Access Control Model uses a set of rules to determine what can and cannot occur on a system? Ex: a firewall

Answer 37

Rule-Based Access Control

Question 38

What Access Control Model uses policies that include multiple attributes for rules? Hint: this model is an advanced implementation of Rule-BAC.

Answer 38

ABAC; Attribute-based Access Control

Question 39

What Access Control Model relies on the use of classification labels for all subjects and objects to determine access?

Answer 39

MAC; Mandatory Access Controls

Question 40

What are the three MAC Model Environments?

Answer 40

1) Hierarchical
2) Compartmentalized
3) Hybrid

Question 41

What Access Control model enforces NTK?

Answer 41

MAC

Question 42

Which Access Control model is more scalable or flexible because it uses multiple ACLs to assign permissions?

a) DAC
b) MAC

Answer 42

DAC is more scalable/flexible b/c its managed by custodians that customize permissions for each subject.

Question 43

Which Access Control model is more secure?

a) DAC
b) MAC

Answer 43

MAC

Question 44

What MAC Model Environment relates various classification labels in order from low to high security?

a) Hierarchical
b) Compartmentalized
c) Hybrid

Answer 44

Hierarchical

Question 45

In which MAC Model Environment does each security domain represent a separate isolated compartment where there is no relationship between one domain and another?

a) Hierarchical
b) Compartmentalized
c) Hybrid

Answer 45

Compartmentalized

Question 46

Which MAC Model Environment combines both hierarchical and compartmentalized so that each hierarchical level may contain numerous subdivisions that are isolated from the rest of the domain?

a) Hierarchical
b) Compartmentalized
c) Hybrid

Answer 46

Hybrid

Question 47

What are the 3 steps early in the risk management process that help to understand attacks that may occur?

Answer 47

1) Identify Assets
2) Identify Threats
3) Identify Vulnerabilities

Question 48

What is it called when asset value is identified in order to prioritizing the asset?

Answer 48

Asset Valuation

Question 49

What is Threat Modeling?

Answer 49

Threat Modeling is the process of identifying, understanding and categorizing potential threats.

Question 50

What are the 3 Threat Modeling approaches?

Answer 50

1) Asset Focused - identifies threats to assets
2) Attacker Focused - identifies potential attackers & the threats they pose
3) Software Focused - identifies potential threats to software the org develops

Question 51

What attack collects non-sensitive information and combines (aggregating) it to learn sensitive info?

Answer 51

Access Aggregation Attack

Question 52

What is considered a Strong Password?

Answer 52

8 Character minimum with a combination of at least 3 of the below:
•	Uppercase
•	Lowercase
•	Numbers
•	Special Characters

Question 53

What attack attempts discover password by using every possible password in a predefined database or list of common or expected passwords?

Answer 53

Dictionary Attack

Question 54

What attack systematically attempts all possible combinations of letters, numbers, and symbols?

Answer 54

Brute-Force Attack

Question 55

What attack attempts a dictionary attack and then performs a type of brute-force attack with a one-upped constructed password?

Answer 55

Hybrid-Attack

Question 56

What attack focuses on finding collisions?

Answer 56

Birthday Attack

Question 57

What can reduce the success rate of Birthday Attacks?

Answer 57

Salts & Hashing algorithms

Question 58

What attack is it when the attacker guesses a password, hashes it, and then puts both the guessed password and the hash into the rainbow table?

Answer 58

Rainbow Table Attack

Question 59

What is a Rainbow Table?

Answer 59

A Rainbow Table is a large database of pre-computed hashes.

Question 60

What attack is when an attacker uses a sniffer to capture information transmitted over a network?

Answer 60

Sniffer Attack

Question 61

In which attack does an attacker pretend to be someone or something else?

Answer 61

Spoofing Attack

Question 62

What attack tricks users into giving up sensitive information, opening an attachment, or clicking a link?

Answer 62

Phishing Attack

Question 63

What attack is a phishing variant that targets a specific groups of users?

Answer 63

Spear Phishing

Question 64

What attack is a phishing variant targets senior executives within a company?

Answer 64

Whaling

Question 65

What attack is a phishing variant that uses VoIP or the phone system (automated calls)?

Answer 65

Vishing