Lesson 7: Implementing Authentication Controls Flashcards

1
Q

Analyze the features of behavioral technologies for authentication, and choose the statements that accurately depict this type of biometric authentication.
(Select all that apply.)

A. Behavioral technologies are cheap to implement, but have a higher error rate than other technologies.

B. Signature recognition is popular within this technology because everyone has a unique signature that is difficult to replicate.

C. Obtaining a voice recognition template for behavioral technologies is rather easy and can be obtained quickly.

D. Behavior technologies may use typing as a template, which matches the speed and pattern of a user’s input of a passphrase.

A

A, D

2
Q

Which of the following options represents Two-Factor Authentication (2FA)?

A. A user logs in using a password and a PIN.

B. A user logs in using a password and a smart card.

C. A user logs in using a fingerprint and retina scanner.

D. A user logs in using a smart card and a key fob.

A

B

3
Q

Analyze the types of password cracker attacks to determine which scenario best describes a brute force attack.

A. An attacker guesses the password using software that enumerates values in the dictionary

B. An attacker uses a precomputed lookup table of all possible passwords and their matching hashes

C. An attacker attempts every possible combination in the key space in order to derive a plaintext password from a hash

D. An attacker tests dictionary words and names in combination with several numeric prefixes

A

C

A brute force attack attempts every possible combination in the key space in order to derive a plaintext password from a hash. The key space is determined by the number of bits used.

4
Q

A user presents a smart card to gain access to a building. Authentication is handled through integration to a Windows server that’s acting as a certificate authority on the network. Review the security processes and conclude which are valid when using Kerberos authentication. (Select all that apply.)

A. Inputting a correct PIN authorizes the smart card’s cryptoprocessor to use its private key to create a Ticket Granting Ticket (TGT) request.

B. The smart card generates a one-time use Ticket Granting Service (TGS) session key and certificate.

C. The Authentication Server (AS) trusts the user’s certificate as it was issued by a local certification authority.

D. The Authentication Server (AS) is able to decrypt the request because it has a matching certificate.

A

A,C

5
Q

Assess the features and processes within biometric authentication to determine which scenario is accurate.

A. A company chooses to use a biometric cryptosystem due to the ease of revocation for a compromised certificate.

B. A company uses a fingerprint scanner that acts as a sensor module for logging into a system.

C. A company uses a fingerprint scanner that acts as a feature extraction module for logging into a system.

D. A company records information from a sample using a sensor module.

A

B

A sensor module acquires the biometric sample from the target. Examples of a sensor module include a fingerprint scanner or a retina scanner.

6
Q

Which of the following password cracker attacks are combined to create a typical hybrid password attack? (Select all that apply.)

A. Brute force

B. Dictionary

C. Salt

D. PTH

A

A,B

7
Q

When a network uses Extensible Authentication Protocol (EAP) as the authentication method, what access control protocol provides the means for a client to connect from a Virtual Private Network (VPN) gateway?

A. IEEE 802.1X

B. Kerberos

C. Terminal Access Controller Access-Control System Plus (TACACS+)

D. Remote Authentication Dial-in User Service (RADIUS)

A

A

Where EAP provides the authentication mechanisms, the IEEE 802.1X Port-based Network Access Control (NAC) protocol provides the means of using an EAP method when a device connects to a VPN gateway.

8
Q

Considering how to mitigate password cracking attacks, how would restricting the number of failed logon attempts be categorized as a vulnerability?

A. The user is exposed to a replay attack.

B. The user is exposed to a brute force attack.

C. The user is exposed to a DoS attack.

D. The user is exposed to an offline attack.

A

C

Restricting logons can become a vulnerability by exposing a user to Denial of Service (DoS) attacks. The attacker keeps trying to authenticate, locking out valid users.

9
Q

Evaluate the following controls that have been set by a system administrator for an online retailer. Determine which statement demonstrates the identification control within the Identity and Access Management (IAM) system.

A. A control is set to force a customer to log into their account prior to reviewing and editing orders.

B. A control is set to cancel automatic shipments for any customer that has an expired credit card on file.

C. A control is set to ensure that billing and primary delivery addresses are valid.

D. A control is set to record the date, time, IP address, customer account number, and order details for each order.

A

C

Identification controls are set to ensure that customers are legitimate. An example is to ensure that billing and primary delivery addresses are real and valid.

10
Q

Select the explanations that accurately describe the Ticket Granting Ticket (TGT) role within the Authentication Service (AS). (Select all that apply.)

A. The client sends the AS a request for a TGT that is composed by encrypting the date and time on the local computer with the user’s password hash as the key.

B. The AS responds with a User Ticket that contains information about the client. This includes the name and IP address of the client, plus a timestamp and validity period.

C. The AS responds with a TGT key for use in communications between the client and the Ticket Granting Service (TGS).

D. The TGT responds with a service session key for use between the client and the application server.

A

A,B

The Authentication Service (AS) is responsible for authenticating user logon requests. The first step within AS is when the client sends the AS a request for a Ticket Granting Ticket (TGT). This is composed by encrypting the date and time on the local computer with the user’s password hash as a key.

A User Ticket contains information about the client and includes a timestamp and validity period. The information is encrypted using the KDC’s secret key. This occurs after the user is found in the database and the request is valid.

11
Q

A security team has just added iris scanners to two access control points in a secure facility. They are in the process of making adjustments to ensure authorized users have access, while unauthorized users cannot get through. Analyze the scenario and determine what metric the team is in the process of fine-tuning.

A. Crossover error rate (CER)

B. False rejection rate (FRR)

C. False acceptance rate (FAR)

D. Type II error

A

A

The process of fine-tuning a biometric system involves adjusting the crossover error rate, the point at which the false rejection rate and false acceptance rate meet.

12
Q

Biometric authentication methods have different error rates, with some methods being easier to fool than others. An unauthorized user is unlikely to fool which of the following methods?

A. Fingerprint scan

B. Retinal scan

C. Facial recognition

D. Voice recognition

A

B

13
Q

Both Remote Authentication Dial-In User Service (RADIUS) and Terminal Access Controller Access-Control System Plus (TACACS+) provide authentication, authorization, and accounting using a separate server (the AAA server). Based on the protocols’ authentication processes, select the true statements. (Select all that apply.)

A. TACACS+ is open source and RADIUS is a proprietary protocol from Cisco.

B. RADIUS uses UDP and TACACS+ uses TCP.

C. TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password.

D. RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.

A

B,C,D

RADIUS uses UDP over ports 1812 and 1813 and TACACS+ uses TCP on port 49.

TACACS+ encrypts the whole packet (except the header, which identifies the packet as TACACS+ data) and RADIUS only encrypts the password portion of the packet using MD5.

RADIUS is primarily used for network access for a remote user and TACACS+ is primarily used for device administration. TACACS+ provides centralized control for administrators to manage routers, switches, and firewall appliances, as well as user privileges.

14
Q

Analyze each scenario and determine which best describes the authentication process in an Identity and Access Management (IAM) system.

A. An account is created that identifies a user on the network.

B. A user logs into a system using a control access card (CAC) and PIN number.

C. An Access Control List (ACL) is updated to allow a new user access to only the databases that are required to perform their job.

D. A report is reviewed that shows every successful and unsuccessful login attempt on a server.

A

B

Authentication proves that a subject is who or what it claims to be when it attempts to access a resource. Logging in with a CAC and PIN is an example of authentication.

15
Q

Based on the known facts of password attacks, critique the susceptibility of the password “DogHouse23” to an attack.

A. This is a sufficient password. It is ten characters and contains uppercase characters, lowercase characters, and numbers.

B. This is an insufficient password. There are not enough uppercase characters within the password.

C. This is a sufficient password. The password is easy for the user to remember yet long enough to meet character requirements.

D. This is an insufficient password. The password contains words that are found in the dictionary and does not contain special characters.

A

D

16
Q

An Identity and Access Management (IAM) system has four main processes. Which of the following is NOT one of the main processes?

A. Accounting

B. Identification

C. Integrity

D. Authentication

A

C

17
Q

Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)?

A. HOTP is not configured with a shared secret.

B. The server is not configured with a counter in HOTP.

C. Only the HOTP server computes the hash.

D. Tokens can be allowed to continue without expiring in HOTP.

A

D

18
Q

Consider biometric methods that are used to authenticate a user. Knowing that errors are possible, which of the following would most likely result in a security breach?

A. False positive

B. False negative

C. A low Crossover Error Rate (CER)

D. A low throughput

A

A

19
Q

Evaluate how identification and authentication are distinct in their functions. Which of the following scenarios best illustrates a user being authenticated?

A. A user accesses a system by having their face scanned.

B. A system administrator sets up a user account for a new employee after HR sends employment verification.

C. An administrator sends an initial password to a new telecommuting employee through a VPN.

D. A user is assigned an SID.

A

A