Topic 4 and 5

Question 1

What is the three-level hierarchy used for XACML?

Answer 1

• Rules (define action permissions)
• Policies (sets of *rules* used in conjunction)
• PolicySets (group of *policies* used together)

Question 2

When discussing XACML, define PEP and DEP

Answer 2

Policy Enforcement Point (protects resource), Policy Decision Point (Review request, compare to policies and provide answer)

Question 3

What two kinds of VPN’s can you deploy?

Answer 3

Hardware VPN and Software VPN

Question 4

Define “Advanced Authentication”

Answer 4

A complex process required to authenticate users, grant permissions and control access to resources

Question 5

What is SPML and what two components make it up?

Answer 5

Service Provisioning Markup Language used for automating and managing the provision of network and organization resources Made up of a Requesting Authority which is a client that creates a request and Provisioning Service Point (PSP) that processes the request

Question 6

Define Authorization

Answer 6

Process of determining what rights and privileges an entity has, usually after the system has authenticated them. There are three primary types of access control: Discretionary, Mandatory and Role-based.

Question 7

What is Crossover Error Rate (CER)?

Answer 7

Point at which the FRR & FAR are equal

Question 8

Explain PEAP

Answer 8

Protected EAP - Encapsulates EAP in TLS

Question 9

What components make up an XACML rule?

Answer 9

Subject (entity requesting access), Resource (service or application being requested), Action (examples include database reading or writing, file modification)

Question 10

What are the components of “Kerberos”?

Answer 10

Key Distribution Center (KDC) - trusted 3rd party authentication service made up of Authentication Server (AS) - verifies and accepts/rejects tickets, Ticket Granting Server (TGS) - issues tickets to authorized users

Question 11

Explain USB OTG

Answer 11

Flash drive storage with a physical interface that can be connected to almost any smartphone

Question 12

What is “tethering” and what forms does it come in?

Answer 12

Connecting a device to the Internet by leveraging/sharing another devices connection. Can tether by Bluetooth, Wired Connection and USB

Question 13

When talking about “RADIUS”, what is a call back system?

Answer 13

A system that called back the user at a predefined phone number for added security

Question 14

What are Kerberos concerns?

Answer 14

Replayed credentials, physical security, single point of failure, length of the keys, encryption process is based on passwords

Question 15

Define “PAP” and explain why it shouldn’t be used

Answer 15

Password Authentication Protocol transmits credentials in clear text

Question 16

What is SPML used with?

Answer 16

Security Assertion Markup Language (SAML) and XACML

Question 17

What port does “Back Orifice” use?

Answer 17

UDP/31337

Question 18

What is “SMTP” and what port does it use?

Answer 18

Simple Mail Transfer Protocol sends mail from clients and relays mail between servers. It uses TCP/25

Question 19

What is XACML?

Answer 19

Extensible Access Control Markup Language is an XML-based standard for access control and authorization

Question 20

Name and explain the 2 biometric error types

Answer 20

FRR - False Rejection Rate - Valid subject denied FAR - False Acceptance Rate - Invalid subject allowed

Question 21

Explain “RADIUS”

Answer 21

Remote Access Dial In User Service provides centralized remote access authentication, authorization and auditing.

Question 22

What is OAuth and what is the latest version?

Answer 22

An authorization standard used by many websites that allows a user to authorize access to a third-party resource without providing the user’s credentials, instead using a token. Current version is 2.0 Example, a Facebook app being allowed access to your Facebook account.

Question 23

Define “Authentication”

Answer 23

Method of validating the identity of a person or asset

Question 24

Generally describe a “Remote Assistance” program?

Answer 24

Programs that can be used to provide temporary control of a remote computer over a network or the Internet

Question 25

What is “Domain Bridging”?

Answer 25

The connecting of two different network connections. Example home network and VPN to the office.

Question 26

“SPIM” is an acronym for receiving what types of messages?

Answer 26

Spam over Instant Message

Question 27

IntServ has what three classes?

Answer 27

Guaranteed services, controlled load and best effort.

Question 28

Name examples of collaboration sites and platforms.

Answer 28

Social media sites, storage and document sites

Question 29

Define “LDAP”

Answer 29

Lightweight Directory Access Protocol

Question 30

Define “SSO”

Answer 30

Single sign-on allows a user to authenticate once and then access all of the resources that a user is authorized to use

Question 31

In relation to VOIP, what is “convergence”?

Answer 31

Running voice over data lines

Question 32

What is a Trust Model and what types exist?

Answer 32

Defines relationships between authentication services so that they may accept each other’s assertions of users’ id’s and permissions. Two types are hierarchical (one authority that can very all resources under it) and peer (resources establish a transitive relationship)

Question 33

Explain the 3 different TACAS types

Answer 33

TACAS - Terminal Access Controller Access-Control System - Original - Integrates authentication & authorization XTACAS - Allows separation of authentication, authorization and accounting TACAS+ - Adds 2 factor authentication and uses TCP 49

Question 34

Explain EAP

Answer 34

Extensible Authentication Protocol - it’s actually a framework for wireless and wired networks

Question 35

What is “cramming”

Answer 35

Making unauthorized phone charges

Question 36

What is “slamming”

Answer 36

Switching a user’s long-distance phone carrier without their knowledge

Question 37

IAAA stands for what?

Answer 37

Identity Authentication Authorization Access (or Audit)

Question 38

Name the Apple product that is similar to Windows Remote Desktop

Answer 38

Presence

Question 39

Define “S/MIME”

Answer 39

Secure Multipurpose Internet Mail Extensions

Question 40

What is “SPIT”?

Answer 40

Spam over Internet Telephony

Question 41

What is Baseband on a mobile device?

Answer 41

All communication that requires radio transmission.

Question 42

What protocol was designed to be an improvement over “RADIUS” but isn’t widely accepted yet?

Answer 42

Diameter Benefits - Has failover due to TCP use, mandates IPSec and TLS

Question 43

What is “IMAP” and what port does it use?

Answer 43

Internet Message Access Protocol can work with mail remotely without retrieving it from the server. IMAP uses TCP/143

Question 44

Define “MS-CHAP” and which version is to be used today

Answer 44

Microsoft Challenge Handshake Authentication Protocol is currently running version 2.0 for secure authentication.

Question 45

What are centralized remote authentication services?

Answer 45

Services that keep separate the autnetication & authorization process for remote clients and LAN based clients

Question 46

List the 3 categories of Authentication

Answer 46

Something you know, something you have, something you are

Question 47

The 802.1x authentication process involves what 3 roles?

Answer 47

Supplicant (client), Authenticator (switch), Authentication Server (RAIDUS server)

Question 48

What are the terms “slamming” and “cramming” associated with?

Answer 48

Telephony

Question 49

What is “POP3” and what port does it use?

Answer 49

Post Office Protocol retrieves mail from a mail server and uses TCP/110

Question 50

Wireless authentication protocol is known as…

Answer 50

802.1x

Question 51

Define RADIUS and it’s ports

Answer 51

Remote Access Dial-In User Service UDP 1812 (unsecured) and TCP 2083 (secured)

Question 52

Outline the Kerberos logon process

Answer 52

1) User provides username and pw through a client, 2) client encrypts only the username using AES and transmits to KDC, 3) KDC verifies the username, 4) KDC generates a symmetric key to be used by the client encrypted with a hash of the users pw and generates a TGT, 5) KDC transmits encrypted symmetric key and the TGT to the client, 6) client installs the TGT and uses till expiration

Question 53

What are two early VPN tunneling protocols you want to avoid?

Answer 53

Layer 2 Forwarding (L2F) and Point-to-Point Tunneling Protocol (PPTP)

Question 54

What are “Assertions”?

Answer 54

Claims that a subject will make or provide about their identity.

Question 55

Define “CHAP” and explain why it shouldn’t be used

Answer 55

Challenge Handshake Authentication Protocol utilizes MD5 and isn’t considered secure

Question 56

“PGP” stands for?

Answer 56

Pretty Good Privacy

Question 57

“BO” stands for what early desktop sharing program?

Answer 57

Back Orifice

Question 58

Describe “Tickets” used by “Kerberos”

Answer 58

Ticket - An encrypted message that provides a form or type of proof. There are 2 types: Ticket-Granting Ticket (TGT) - Proof that a subject has been authenticated (Passport) Service Ticket (ST) - Proof that a subject is authorized (Plane ticket)

Question 59

What does “SPAN” stand for?

Answer 59

Switched Port Analyzer

Question 60

List the four different OAuth2.0 roles

Answer 60

User, Application, Resource Server, Authorization Server

Question 61

What are current VPN tunneling protocols you should use?

Answer 61

Layer 2 Tunneling Protocol (L2TP) and IP Security (IPsec)

Question 62

What are the 3 types of access modes?

Answer 62

Read, read/write, execute

Question 63

What is eFuse?

Answer 63

Developed by IBM Always the alteration of chips in real time

Question 64

Explain LEAP

Answer 64

Lightweight EAP - CISCO proprietary, used in wireless in conjunction with WEP. Shouldn’t be used

Question 65

List authentication methods/factors

Answer 65

Token, pin code/password, swipe gesture and biometric

Question 66

What is SOAP?

Answer 66

Simple Object Access Protocol is a protocol for exchanging structured information and relies on XML

Question 67

What attack is meant to sidestep a TPM?

Answer 67

A cold boot attack

Question 68

In relation to access control, explain what Subjects and Objects are

Answer 68

Subject - User/thing that is requesting access to data Object - Data

Question 69

QoS prioritizes traffic by what two models?

Answer 69

IntServ and DiffServ

Question 70

Explain the difference be tween “Jitter” and “Latency”

Answer 70

Jitter is the variation in transmission latency that can cause packet loss. Latency is a delay in the transmission of data packets

Question 71

Context based authentication is authentication controlled by what factors?

Answer 71

Their location, time, job role or even behavior

Question 72

Does VoIP rely on TCP or UDP for call transmission?

Answer 72

UDP

Question 73

List the 4 different OAuth2.0 grant types

Answer 73

Authorization code (server-side apps), implicit (used in mobile apps), Resource owner password credentials (typically used if the user trusts the app), Client credentials (typically used when an app needs to access it’s own service account)

Question 74

Explain “OEM/carrier Android fragmentation”

Answer 74

A wide variation on the version of Android operating systems in use.

Question 75

What tool deciphers any voice traffic on the same VLAN?

Answer 75

Voice Over Misconfigured Internet Telephones (VOMIT)

Question 76

Name federated identity schemes

Answer 76

XACML, SOAP, SSO, Federated Identity, certificate based authentication

Question 77

Describe “Unified Communications and Collaboration”

Answer 77

All forms of call and multimedia used for personal and business

Question 78

What term is used for defined by “proving a user is who they claim they are”?

Answer 78

Authentication

Question 79

What is the name of the framework where certificates are generated for each user and service, who then use the certificates to authenticate actions?

Answer 79

Certificate-based Authentication Framework

Question 80

Explain the differences between user-focused and resource-focused attestation

Answer 80

• Resource-focused: An attestation agent will look over each application or system and see which users have which access privileges
• User-focused: Attestation agent monitors the privileges that specific users have

Question 81

Define Least privileges

Answer 81

Has the ability to do what is needed to complete a task or job, but nothing more

Question 82

What is Itentity propagation?

Answer 82

The technique of replicatin an authenticate identity through variious processes in a system

Question 83

What is Identity Federation?

Answer 83

The practice of linking a siingle entity accross multiple disparate systems

Question 84

Explain the most common identity federation methods

Answer 84

• SAML
  
  • XML based framework
  • Sends assertions over HTTPS
• OpenID
  
  • Allows a single account for participating sites (login to Spotify with Facebook creds)
  • Used with OAuth
• Shibboleth
  
  • Used in education/public institutions
  • Uses SAML
• Where are you from (WAYF)
  
  • Asks where you are from before being sent to the service providers (e.g. please choose your country > state > city when visiting a website)