Domain 5: Review Questions Flashcards
Which of the following is not an example of a knowledge authentication factor?
A. Password
B. Mother’s maiden name
C. City of birth
D. Smart card
D. Knowledge factors are something a person knows, including passwords, mother’s maiden name, city of birth, and date of birth. Ownership factors are something a person has, including a smart card.
Which of the following statements about memory cards and smart cards is false?
A. A memory card can be a swipe card that contains user authentication information.
B. Memory cards are also known as integrated circuit cards (ICCs).
C. Smart cards contain memory and an embedded chip.
D. Smart card systems are more reliable than memory card systems.
B. Memory cards are not also known as integrated circuit cards (ICCs). Smart cards are also known as ICCs.
Which biometric method is most effective as far as accuracy?
A. Iris scan
B. Retina scan
C. Fingerprint
D. Handprint
B. Retina scans are considered more effective as far as accuracy than iris scans, fingerprints, and handprints. A retina scan examines the unique pattern of blood vessels at the back of the eye.
What is a Type I error in a biometric authentication system?
A. Crossover error rate (CER)
B. False rejection rate (FRR)
C. False acceptance rate (FAR)
D. Throughput rate
B. A Type I error in a biometric system is false rejection rate (FRR).
A Type II error in a biometric system is false acceptance rate (FAR). Crossover error rate (CER) is the point at which FRR equals FAR. Throughput rate is the rate at which users are authenticated.
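The relationship between FRR, FAR, and CER is easier to see when the rates are actually computed. The following is an added worked example, not part of these flashcards: it takes constructed similarity scores from a hypothetical matcher (genuine users against their own template, impostors against the same template), computes the Type I and Type II error rates at every threshold, locates the crossover, and shows the FRR users pay when the threshold is tuned for zero FAR.

```python
"""Added example (not part of the flashcards): computing FRR, FAR and the
crossover error rate (CER) for a biometric matcher, using constructed scores."""
from typing import Dict, List, Tuple

# Constructed sample data for a hypothetical matcher that outputs a similarity
# score from 0 to 100. GENUINE: enrolled users matched against their own
# template. IMPOSTOR: other people matched against that same template.
GENUINE: List[int] = [88, 92, 75, 81, 95, 67, 84, 90, 79, 86]
IMPOSTOR: List[int] = [40, 55, 62, 48, 71, 58, 35, 66, 52, 44]


def frr(genuine: List[int], threshold: int) -> float:
    """Type I error: share of legitimate users rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor: List[int], threshold: int) -> float:
    """Type II error: share of impostors accepted (score at or above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine: List[int], impostor: List[int]) -> Dict[int, Tuple[float, float]]:
    """(FRR, FAR) at every integer threshold 0..100; raising the threshold
    pushes FRR up and FAR down."""
    return {t: (frr(genuine, t), far(impostor, t)) for t in range(0, 101)}


def crossover(genuine: List[int], impostor: List[int]) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest, and the CER (their mean there).
    A lower CER indicates a more accurate system."""
    curve = error_curve(genuine, impostor)
    t = min(curve, key=lambda th: abs(curve[th][0] - curve[th][1]))
    r, a = curve[t]
    return t, (r + a) / 2


def threshold_for_max_far(genuine: List[int], impostor: List[int],
                          max_far: float) -> Tuple[int, float]:
    """Lowest threshold that keeps FAR at or below max_far (the usual tuning for
    a high-security door), together with the FRR users will then experience."""
    for t in range(0, 101):
        if far(impostor, t) <= max_far:
            return t, frr(genuine, t)
    return 101, 1.0


if __name__ == "__main__":
    t, cer = crossover(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t}: {cer:.2f}")
    t, r = threshold_for_max_far(GENUINE, IMPOSTOR, 0.0)
    print(f"zero FAR at threshold {t}, FRR {r:.2f}")
```

The point a practitioner should take from running it: the CER is a single number for comparing systems, but a deployment is rarely operated at the crossover. Pushing FAR to zero on these scores costs a 10% false rejection rate, which is the usability price of the stricter setting.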
Which access control model is a desirable model used by routers and firewalls to control access to secure networks?
A. Discretionary access control
B. Mandatory access control
C. Role-based access control
D. Rule-based access control
D. Rule-based access control is a desirable model used by routers and firewalls to control access to networks.
The other three types of access control models are not usually implemented by routers and firewalls.
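To make "rule-based" concrete, here is an added example (not from the flashcards) of the evaluation logic a router ACL or packet filter applies: rules are checked in order, the first match decides, and a packet that matches nothing falls to the implicit deny. It also includes the check a practitioner wants when reviewing such a rule set, namely finding rules that can never fire because an earlier, broader rule covers them. The addresses, ports, and rule names are constructed.

```python
"""Added example (not part of the flashcards): a first-match, default-deny rule
evaluator of the kind a router ACL or packet filter implements, plus a check
for rules shadowed by earlier ones. Addresses and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    proto: str               # "tcp", "udp" or "any"
    src: Net
    dst: Net
    dports: Tuple[int, int]  # inclusive destination port range


@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def rule(action, proto, src, dst, lo, hi=None) -> Rule:
    """Helper so rules read like ACL lines; a single port is lo == hi."""
    return Rule(action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                (lo, lo if hi is None else hi))


def packet(proto, src, dst, dport) -> Packet:
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)


def matches(r: Rule, p: Packet) -> bool:
    return ((r.proto == "any" or r.proto == p.proto)
            and p.src in r.src and p.dst in r.dst
            and r.dports[0] <= p.dport <= r.dports[1])


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Rule-based access control: the first rule that matches decides; a packet
    matching no rule hits the implicit deny (index None)."""
    for i, r in enumerate(rules):
        if matches(r, p):
            return r.action, i
    return "deny", None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire because an earlier rule already
    covers every packet they would match. A shadowed deny below a broad permit
    is the classic ordering mistake."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if ((earlier.proto == "any" or earlier.proto == later.proto)
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and earlier.dports[0] <= later.dports[0]
                    and later.dports[1] <= earlier.dports[1]):
                out.append(j)
                break
    return out


# Constructed rule set: a quarantined VLAN is blocked first, then HTTPS and DNS
# from the LAN to two servers are permitted; everything else is implicitly denied.
RULES = [
    rule("deny",   "any", "10.0.5.0/24", "0.0.0.0/0",     0, 65535),
    rule("permit", "tcp", "10.0.0.0/16", "192.0.2.10/32", 443),
    rule("permit", "udp", "10.0.0.0/16", "192.0.2.53/32", 53),
]

# Same intent with the quarantine deny placed after the permit: it never fires.
MISORDERED = [
    rule("permit", "tcp", "10.0.0.0/16", "192.0.2.10/32", 443),
    rule("deny",   "tcp", "10.0.5.0/24", "192.0.2.10/32", 443),
]
```

Rule order is the whole security model here: in RULES a quarantined host is denied before the LAN permit is reached, while in MISORDERED the same host is permitted because the broad permit matches first and the deny is shadowed. Running `shadowed(MISORDERED)` catches that before it reaches a production device.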
Which threat is not considered a social engineering threat?
A. Phishing
B. Pharming
C. DoS attack
D. Dumpster diving
C. A denial-of-service (DoS) attack is not considered a social engineering threat. The other three options are considered to be social engineering threats.
Which of the following statements best describes an IDaaS implementation?
A. Ensures that any instance of identification and authentication to a resource is managed properly.
B. Collects and verifies information about an individual to prove that the person who has a valid account is who that person claims to be.
C. Provides a set of identity and access management functions to target systems on customers’ premises and/or in the cloud.
D. Exchanges authentication and authorization data between organizations or security domains.
C. An Identity as a Service (IDaaS) implementation provides a set of identity and access management functions to target systems on customers’ premises and/or in the cloud. Session management ensures that any instance of identification and authentication to a resource is managed properly. A proof of identity process collects and verifies information about an individual to prove that the person who has a valid account is who that person claims to be. Federated identity management exchanges authentication and authorization data between organizations or security domains.
Which of the following is an example of multifactor authentication?
A. Username and password
B. Username, retina scan, and smart card
C. Retina scan and finger scan
D. Smart card and security token
B. Using a username, retina scan, and smart card is an example of multifactor authentication: the retina scan is something you are (characteristic factor) and the smart card is something you have (ownership factor), so two different factor types are combined. Strictly speaking, the username is an identifier rather than a secret; a password would be the knowledge factor. The other options combine authenticators of a single type: username and password (knowledge), retina scan and finger scan (both characteristic), smart card and security token (both ownership).
You decide to implement an access control policy that requires that users only log on from certain workstations within your organization’s facility. Which type of authentication factor are you implementing?
A. Knowledge factor
B. Location factor
C. Ownership factor
D. Characteristic factor
B. You are implementing a location factor, which is based on where a person is located when logging in.
Which threat is considered a password threat?
A. Buffer overflow
B. Sniffing
C. Spoofing
D. Brute-force attack
D. A brute-force attack is considered a password threat.
Which session management mechanisms are often used to manage desktop sessions?
A. Screensavers and timeouts
B. FIPS 201-2 and NIST SP 800-79-2
C. Bollards and locks
D. KDC, TGT, and TGS
A. Desktop sessions can be managed through screensavers, timeouts, logon and schedule limitations. FIPS PUB 201-2 and NIST SP 800-79-2 are documents that provide guidance on proof of identity (identity proofing for PIV credentials).
Physical access to facilities can be provided securely using locks, fencing, bollards, guards, and CCTV. In Kerberos, the Key Distribution Center (KDC) issues a ticket-granting ticket (TGT) to the principal at logon; when the principal needs to connect to another entity, it presents the TGT to the ticket-granting service (TGS), which issues a service ticket for that entity.
Which of the following is a major disadvantage of implementing an SSO system?
A. Users are able to use stronger passwords.
B. Users need to remember the login credentials for a single system.
C. User and password administration is simplified.
D. If a user’s credentials are compromised, an attacker can access all resources.
D. If a user’s credentials are compromised in a single sign-on (SSO) environment, attackers have access to all resources to which the user has access. All other choices are advantages to implementing an SSO system.
Which type of attack is carried out from multiple locations using zombies and botnets?
A. TEMPEST
B. DDoS
C. Backdoor
D. Emanating
B. A distributed DoS (DDoS) attack is a DoS attack that is carried out from multiple attack locations at once. Vulnerable devices are infected with agent software that turns each of them into a zombie (bot); the attacker’s collection of zombies is a botnet, which is directed to carry out the attack.
Devices that meet TEMPEST standards implement an outer barrier or coating, called a Faraday cage or Faraday shield, to contain electromagnetic emanations. A backdoor or trapdoor is a mechanism built into a device or application that bypasses normal authentication and gives whoever knows about it access to the device or application. Emanations are electromagnetic signals emitted by an electronic device; attackers can target certain devices or transmission media to eavesdrop on communication without having physical access to the device or medium.
Which type of attack is one in which an unauthorized person gains access to a network and remains for a long period of time with the intention of stealing data?
A. APT
B. ABAC
C. Access aggregation
D. FIM
A. An advanced persistent threat (APT) is an attack in which an unauthorized person gains access to a network and remains for a long period of time with the intention of stealing data. Attribute-based access control (ABAC) grants or denies user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized. Access aggregation is a term that is often used synonymously with privilege creep. Access aggregation occurs when users gain more access across more systems. In federated identity management (FIM), each organization that joins the federation agrees to enforce a common set of policies and standards. These policies and standards define how to provision and manage user identification, authentication, and authorization.
Which of the following is a formal process for creating, changing, and removing users that includes user approval, user creation, user creation standards, and authorization?
A. NIST SP 800-63
B. Centralized access control
C. Decentralized access control
D. Provisioning life cycle
D. The provisioning life cycle is a formal process for creating, changing, and removing users. This process includes user approval, user creation, user creation standards, and authorization. Users should sign a written statement that explains the access conditions, including user responsibilities. NIST SP 800-63 provides a suite of technical requirements for federal agencies implementing digital identity services, including an overview of identity frameworks; and using authenticators, credentials, and assertions in digital systems. In centralized access control, a central department or personnel oversee the access for all organizational resources. This administration method ensures that user access is controlled in a consistent manner across the entire enterprise. In decentralized access control, personnel closest to the resources, such as department managers and data owners, oversee the access control for individual resources.
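The access aggregation described two questions earlier and the provisioning life cycle described here meet in the periodic entitlement review. The following is an added example, not from the flashcards, of what such a review computes: it runs over constructed HR and access-grant records, flags active users whose accumulated grants exceed the baseline for their current role (privilege creep from a transfer that was never cleaned up), and flags accounts that should hold nothing at all because the user is terminated or unknown to HR. The role, system, and user names are illustrative.

```python
"""Added example (not part of the flashcards): an entitlement review that flags
access aggregation (privilege creep) and missed deprovisioning, run over
constructed HR and access-grant records. Roles, systems and users are illustrative."""
from typing import Dict, List, Set, Tuple

Entitlement = Tuple[str, str]  # (system, entitlement)

# What each role legitimately needs; anything beyond this is excess.
ROLE_BASELINE: Dict[str, Set[Entitlement]] = {
    "helpdesk": {("ad", "reset-passwords"), ("ticketing", "agent")},
    "sysadmin": {("ad", "domain-admin"), ("ticketing", "agent"), ("vpn", "full")},
    "finance":  {("erp", "ap-clerk"), ("vpn", "full")},
}

# Constructed HR feed: user -> (current role, employment status).
HR: Dict[str, Tuple[str, str]] = {
    "alice": ("finance", "active"),      # transferred from helpdesk to finance
    "bob":   ("sysadmin", "active"),
    "carol": ("helpdesk", "terminated"),
}

# Constructed grants still present on target systems: (user, system, entitlement).
GRANTS: List[Tuple[str, str, str]] = [
    ("alice", "ad", "reset-passwords"),  # never removed after the transfer
    ("alice", "ticketing", "agent"),     # never removed after the transfer
    ("alice", "erp", "ap-clerk"),
    ("alice", "vpn", "full"),
    ("bob", "ad", "domain-admin"),
    ("bob", "ticketing", "agent"),
    ("bob", "vpn", "full"),
    ("carol", "ad", "reset-passwords"),  # terminated user, access not revoked
    ("carol", "ticketing", "agent"),
    ("dave", "vpn", "full"),             # no HR record at all: orphan account
]


def held(user: str, grants=GRANTS) -> Set[Entitlement]:
    """Every (system, entitlement) pair currently granted to the user."""
    return {(system, ent) for u, system, ent in grants if u == user}


def excess(user: str, hr=HR, grants=GRANTS, baseline=ROLE_BASELINE) -> Set[Entitlement]:
    """Entitlements the user holds beyond the baseline for their current role.
    A non-empty set for a transferred user is access aggregation in action."""
    role, _status = hr[user]
    return held(user, grants) - baseline[role]


def creep_report(hr=HR, grants=GRANTS, baseline=ROLE_BASELINE) -> Dict[str, Set[Entitlement]]:
    """Active users holding more than their role needs."""
    return {u: excess(u, hr, grants, baseline)
            for u, (_role, status) in hr.items()
            if status == "active" and excess(u, hr, grants, baseline)}


def deprovisioning_report(hr=HR, grants=GRANTS) -> Dict[str, Set[Entitlement]]:
    """Accounts that should hold nothing: not active in HR, or unknown to HR."""
    users = {u for u, _s, _e in grants} | set(hr)
    return {u: held(u, grants) for u in sorted(users)
            if hr.get(u, ("", "unknown"))[1] != "active" and held(u, grants)}


if __name__ == "__main__":
    for user, extra in creep_report().items():
        print(f"privilege creep: {user} holds {sorted(extra)}")
    for user, extra in deprovisioning_report().items():
        print(f"revoke: {user} still holds {sorted(extra)}")
```

Two design points worth noting. The review compares against a role baseline, not against what the user had last quarter, so a transfer that left old entitlements behind shows up as excess immediately. And the deprovisioning check starts from the grants, not from HR, which is the only way to surface accounts that HR has never heard of.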