CHAPTER 2
Access Control


This domain includes questions from the following topics:

• Identification methods and technologies

• Authentication methods, models, and technologies

• Discretionary, mandatory, and nondiscretionary models

• Accountability, monitoring, and auditing practices

• Emanation security and technologies

• Intrusion detection systems

• Possible threats to access control practices and technologies


Controlling access to resources is a vital element of any information security program. Controlling who can access what and when helps protect information assets and company resources from unauthorized modification and disclosure. Thus, access controls address all three services in the AIC triad—availability, integrity, and confidentiality—be they technical, physical, or administrative in nature. Security professionals should understand the principles behind access controls to ensure their adequacy and proper implementation.

QUESTIONS

1. Which of the following does not correctly describe a directory service?

A. It manages objects within a directory by using namespaces.

B. It enforces security policy by carrying out access control and identity management functions.

C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP.

D. It allows an administrator to configure and manage how identification takes place within the network.

2. Hannah has been assigned the task of installing Web access management (WAM) software. What is the best description for what WAM is commonly used for?

A. Control external entities requesting access through X.500 databases

B. Control external entities requesting access to internal objects

C. Control internal entities requesting access through X.500 databases

D. Control internal entities requesting access to external objects

3. There are several types of password management approaches used by identity management systems. Which of the following reduces help-desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised?

A. Management password reset

B. Self-service password reset

C. Password synchronization

D. Assisted password reset

4. A number of attacks can be performed against smart cards. Side-channel is a class of attacks that doesn’t try to compromise a flaw or weakness. Which of the following is not a side-channel attack?

A. Differential power analysis

B. Microprobing analysis

C. Timing analysis

D. Electromagnetic analysis

5. Which of the following does not describe privacy-aware role-based access control?

A. It is an example of a discretionary access control model.

B. Detailed access controls indicate the type of data that users can access based on the data’s level of privacy sensitivity.

C. It is an extension of role-based access control.

D. It should be used to integrate privacy policies and access control policies.

6. What was the direct predecessor to Standard Generalized Markup Language (SGML)?

A. Hypertext Markup Language (HTML)

B. Extensible Markup Language (XML)

C. LaTeX

D. Generalized Markup Language (GML)

7. Brian has been asked to work on the virtual directory of his company’s new identity management system. Which of the following best describes a virtual directory?

A. Meta-directory

B. User attribute information stored in an HR database

C. Virtual container for data from multiple sources

D. A service that allows an administrator to configure and manage how identification takes place

8. Emily is listening to network traffic and capturing passwords as they are sent to the authentication server. She plans to use the passwords as part of a future attack. What type of attack is this?

A. Brute-force attack

B. Dictionary attack

C. Social engineering attack

D. Replay attack

9. Which of the following correctly describes a federated identity and its role within identity management processes?

A. A nonportable identity that can be used across business boundaries

B. A portable identity that can be used across business boundaries

C. An identity that can be used within intranet virtual directories and identity stores

D. An identity specified by domain names that can be used across business boundaries

10. Phishing and pharming are similar. Which of the following correctly describes the difference between phishing and pharming?

A. Personal information is collected from victims through legitimate-looking Web sites in phishing attacks, while personal information is collected from victims via e-mail in pharming attacks.

B. Phishing attacks point e-mail recipients to a form where victims input personal information, while pharming attacks use pop-up forms at legitimate Web sites to collect personal information from victims.

C. Victims are pointed to a fake Web site with a domain name that looks similar to a legitimate site’s in a phishing attack, while victims are directed to a fake Web site as a result of a legitimate domain name being incorrectly translated by the DNS server in a pharming attack.

D. Phishing is a technical attack, while pharming is a type of social engineering.

11. Security countermeasures should be transparent to users and attackers. Which of the following does not describe transparency?

A. User activities are monitored and tracked without negatively affecting system performance.

B. User activities are monitored and tracked without the user knowing about the mechanism that is carrying this out.

C. Users are allowed access in a manner that does not negatively affect business processes.

D. Unauthorized access attempts are denied and logged without the intruder knowing about the mechanism that is carrying this out.

12. What markup language allows for the sharing of application security policies to ensure that all applications are following the same security rules?

A. XML

B. SPML

C. XACML

D. GML

13. The importance of protecting audit logs generated by computers and network devices is highlighted by the fact that it is required by many of today’s regulations. Which of the following does not explain why audit logs should be protected?

A. If not properly protected, these logs may not be admissible during a prosecution.

B. Audit logs contain sensitive data and should only be accessible to a certain subset of people.

C. Intruders may attempt to scrub the logs to hide their activities.

D. The format of the logs should be unknown and unavailable to the intruder.

14. Harrison is evaluating access control products for his company. Which of the following is not a factor he needs to consider when choosing the products?

A. Classification level of data

B. Level of training that employees have received

C. Logical access controls provided by products

D. Legal and regulation issues

15. There are several types of intrusion detection systems (IDSs). What type of IDS builds a profile of an environment’s normal activities and assigns an anomaly score to packets based on the profile?

A. State-based

B. Statistical anomaly–based

C. Misuse detection system

D. Protocol signature–based

16. A rule-based IDS takes a different approach than a signature-based or anomaly-based system. Which of the following is characteristic of a rule-based IDS?

A. Uses IF/THEN programming within expert systems

B. Identifies protocols used outside of their common bounds

C. Compares patterns to several activities at once

D. Can detect new attacks

17. Sam plans to establish mobile phone service using the personal information he has stolen from his former boss. What type of identity theft is this?

A. Phishing

B. True name

C. Pharming

D. Account takeover

18. Of the following, what is the primary item that a capability listing is based upon?

A. A subject

B. An object

C. A product

D. An application

19. Alex works for a chemical distributor that assigns employees tasks that separate their duties and routinely rotates job assignments. Which of the following best describes the differences between these countermeasures?

A. They are the same thing with different titles.

B. They are administrative controls that enforce access control and protect the company’s resources.

C. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position.

D. Job rotation ensures that one person cannot perform a high-risk task alone, and separation of duties can uncover fraud because more than one person knows the tasks of a position.

20. What type of markup language allows company interfaces to pass service requests and the receiving company provision access to these services?

A. XML

B. SPML

C. SGML

D. HTML

21. There are several different types of centralized access control protocols. Which of the following is illustrated in the graphic that follows?


A. Diameter

B. Watchdog

C. RADIUS

D. TACACS+

22. An access control matrix is used in many operating systems and applications to control access between subjects and objects. What is the column in this type of matrix referred to as?

Access Control Matrix


A. Capability table

B. Constrained interface

C. Role-based value

D. ACL

23. What technology within identity management is illustrated in the graphic that follows?


A. User provisioning

B. Federated identity

C. Directories

D. Web access management

24. There are several different types of single sign-on protocols and technologies in use today. What type of technology is illustrated in the graphic that follows?


A. Kerberos

B. Discretionary access control

C. SESAME

D. Mandatory access control

25. There are different ways that specific technologies can create one-time passwords for authentication purposes. What type of technology is illustrated in the graphic that follows?


A. Counter synchronous token

B. Asynchronous token

C. Mandatory token

D. Synchronous token

QUICK ANSWER KEY

1. C

2. B

3. C

4. B

5. A

6. D

7. C

8. D

9. B

10. C

11. A

12. C

13. D

14. B

15. B

16. A

17. B

18. A

19. C

20. B

21. A

22. D

23. B

24. C

25. D

ANSWERS

1. Which of the following does not correctly describe a directory service?

A. It manages objects within a directory by using namespaces.

B. It enforces security policy by carrying out access control and identity management functions.

C. It assigns namespaces to each object in databases that are based on the X.509 standard and are accessed by LDAP.

D. It allows an administrator to configure and manage how identification takes place within the network.

C. Most enterprises have some type of directory that contains information pertaining to the company’s network resources and users. Most directories follow a hierarchical database format, based on the X.500 standard (not X.509), and use a protocol such as the Lightweight Directory Access Protocol (LDAP) that allows subjects and applications to interact with the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a specific resource by using a similar request. A directory service assigns distinguished names (DNs) to each object in databases based on the X.500 standard that are accessed by LDAP. Each distinguished name represents a collection of attributes about a specific object and is stored in the directory as an entry.

A is incorrect because objects within hierarchical databases are managed by a directory service. The directory service allows an administrator to configure and manage how identification, authentication, authorization, and access control take place within the network. The objects within the directory are labeled and identified with namespaces, which is how the directory service keeps the objects organized.

B is incorrect because directory services do enforce the configured security policy by carrying out access control and identity management functions. For example, when a user logs into a domain controller in a Windows environment, the directory service (Active Directory) determines what network resources she can and cannot access.

D is incorrect because directory services do allow an administrator to configure and manage how identification takes place within the network. They also allow for the configuration and management of authentication, authorization, and access control.

2. Hannah has been assigned the task of installing Web access management (WAM) software. What is the best description for what WAM is commonly used for?

A. Control external entities requesting access through X.500 databases

B. Control external entities requesting access to internal objects

C. Control internal entities requesting access through X.500 databases

D. Control internal entities requesting access to external objects

B. Web access management (WAM) software controls what users can access when using a Web browser to interact with Web-based enterprise assets. This type of technology is continually becoming more robust and experiencing increased deployment. This is because of the increased use of e-commerce, online banking, content providing, Web services, and more. The basic components and activities in a Web access control management process are as follows:

1. User sends in credentials to Web server.

2. Web server validates user’s credentials.

3. User requests to access a resource (object).

4. Web server verifies with the security policy to determine if the user is allowed to carry out this operation.

5. Web server allows/denies access to the requested resource.

A is incorrect because a directory service should be carrying out access control in the directory of an X.500 database—not Web access management software. The directory service manages the entries and data, and enforces the configured security policy by carrying out access control and identity management functions. Examples of directory services include Active Directory and Novell NetWare Directory Service (NDS). While Web-based access requests may be to objects held within a database, WAM mainly controls communication between Web browsers and servers. The Web servers should communicate to a backend database, commonly through a directory service.

C is incorrect because a directory service should be carrying out access control for internal entities requesting access to X.500 databases using LDAP. This type of database provides a hierarchical structure for the organization of objects (subjects and resources). The directory service develops unique distinguished names for each object and appends the corresponding attributes to each object as needed. The directory service enforces a security policy (configured by the administrator) to control how subjects and objects interact. While Web-based access requests may be to objects held within a database, WAM mainly controls communication between Web browsers and servers. WAM was developed mainly for external-to-internal communication, although it can be used for internal-to-internal communication also. Answer B is the best answer out of the four provided.

D is incorrect because WAM software is most commonly used to control external entities requesting access to internal objects; not the other way around, as stated by the answer option. For example, WAM may be used by a bank to control its customers’ access to backend account data.

3. There are several types of password management approaches used by identity management systems. Which of the following reduces help-desk call volume, but is also criticized for the ease with which a hacker could gain access to multiple resources if a password is compromised?

A. Management password reset

B. Self-service password reset

C. Password synchronization

D. Assisted password reset

C. Password synchronization is designed to reduce the complexity of keeping up with different passwords for different systems. Password synchronization technology can allow users to maintain a single password across multiple systems by transparently synchronizing the password to other systems and applications. This reduces help-desk call volume. One criticism of this approach is that since only one password is used to access different resources, now the hacker only has to figure out one credential set to gain unauthorized access to all resources.

A is incorrect because there is no such thing as a management password reset. This answer is a distracter. The most common password management approaches are password synchronization, self-service password reset, and assisted password reset.

B is incorrect because self-service password reset does not necessarily deal with multiple passwords. However, it does help reduce the overall volume of password-related help desk calls. In the case of self-service password reset, users are allowed to reset their own passwords. For example, when a user forgets his password, he may be prompted to answer questions that he identified during the registration process. If the answer he gives matches the information he provided during registration, then he is granted the ability to change his password.

D is incorrect because assisted password reset does not necessarily deal with multiple passwords. It reduces the resolution process for password issues by allowing the help desk to authenticate a user before resetting her password. The caller must be identified and authenticated through the password management tool before the password can be changed. Once the password is updated, the system that the user is authenticating to should require the user to change her password again. This would ensure that only she (and not she and the help-desk person) knows her password. The goal of an assisted password reset product is to reduce the cost of support calls and ensure that all calls are processed in a uniform, consistent, and secure fashion.

4. A number of attacks can be performed against smart cards. Side-channel is a class of attacks that doesn’t try to compromise a flaw or weakness. Which of the following is not a side-channel attack?

A. Differential power analysis

B. Microprobing analysis

C. Timing analysis

D. Electromagnetic analysis

B. A noninvasive attack is one in which the attacker watches how something works and how it reacts in different situations instead of trying to “invade” it with more intrusive measures. Examples of side-channel attacks are fault generation, differential power analysis, electromagnetic analysis, timing, and software attacks. These types of attacks are used to uncover sensitive information about how a component works without trying to compromise any type of flaw or weakness. A more intrusive smart card attack is microprobing. Microprobing uses needles and ultrasonic vibration to remove the outer protective material on the card’s circuits. Once this is complete, data can be accessed and manipulated by directly tapping into the card’s ROM chips.

A is incorrect because differential power analysis (DPA) is a noninvasive attack. DPA involves examining the power emissions released during processing. By statistically analyzing data from multiple cryptographic operations, for example, an attacker can determine the intermediate values within cryptographic computations. This can be done without any knowledge of how the target device is designed. Thus, an attacker can extract cryptographic keys or other sensitive information from the card.

C is incorrect because timing analysis is a noninvasive attack. It involves measuring the time a specific function takes to complete its task; timing attacks in general are based on measuring how much time various computations take to perform. For example, by observing how long it takes a smart card to transfer key information, it is sometimes possible to determine how long the key is.

D is incorrect because electromagnetic analysis is a noninvasive attack that involves examining the frequencies emitted. All electric currents emit electromagnetic emanations. In smart cards, the power consumption—and, therefore, the electromagnetic emanation field—varies as data is processed. An electromagnetic analysis attempts to make correlations between the data and the electromagnetic emanations in an effort to uncover cryptographic keys or other sensitive information on the smart card.

5. Which of the following does not describe privacy-aware role-based access control?

A. It is an example of a discretionary access control model.

B. Detailed access controls indicate the type of data that users can access based on the data’s level of privacy sensitivity.

C. It is an extension of role-based access control.

D. It should be used to integrate privacy policies and access control policies.

A. A system that uses discretionary access control (DAC) enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner. Many times department managers, or business unit managers, are the owners of the data within their specific department. Being the owner, they can specify who should have access and who should not. Privacy-aware role-based access control is an extension of role-based access control (RBAC). There are three main access control models: DAC, mandatory access control (MAC), and RBAC. Privacy-aware role-based access control is a type of RBAC, not DAC.

B is incorrect because privacy-aware role-based access control is based on detailed access controls that indicate the type of data that users can access based on the data’s level of privacy sensitivity. Other access control models, such as MAC, DAC, and RBAC, are oriented toward the functions that users can carry out rather than toward protecting the privacy level of the data. For example, managers may be able to access a privacy folder, but there needs to be more detailed access control that indicates, for example, that they can access customers’ home addresses but not Social Security numbers. The industry has advanced to needing much more detail-oriented access control when it comes to sensitive privacy information such as Social Security numbers and credit card data, which is why privacy-aware role-based access control was developed.

C is incorrect because privacy-aware role-based access control is an extension of role-based access control. Access rights are determined based on the user’s role and responsibilities within the company, and the level of privacy of the data they need access to.

D is incorrect because the languages used for privacy policies and access control policies should be either the same or integrated when using privacy-aware role-based access control. The goal of privacy-aware role-based access control is to make access control much more detailed and focused on privacy-related data, so it should use the same type of terms and language as the organization’s original access control policy and standards.

6. What was the direct predecessor to Standard Generalized Markup Language (SGML)?

A. Hypertext Markup Language (HTML)

B. Extensible Markup Language (XML)

C. LaTeX

D. Generalized Markup Language (GML)

D. A markup language is a way to structure text and to specify how it will be viewed. When you adjust margins and other formatting capabilities in a word processor, you are marking up the text in the word processor’s markup language. If you develop a Web page, you are using some type of markup language. You can control how it looks and some of the actual functionality the page provides. Hypertext Markup Language (HTML) came out in the early 1990s. It came from Standard Generalized Markup Language (SGML), which came from the Generalized Markup Language (GML). GML is a macrolanguage developed in the 1960s for the IBM text formatter, SCRIPT/VS. GML markup simplifies the description of how a document appears (font, structure, etc.). Once the document is marked up, it can be formatted for different devices (a printer, for example) without changing the document. GML was used as the foundation for the industry-developed SGML. While GML is a structured document description language, SGML is a set of rules for the creation of such languages. SGML was developed for the purpose of enabling the sharing of machine-readable documents. It is used in a number of industries, including the government, military, and law.

A is incorrect because HTML came from SGML. HTML came out in the early 1990s and was developed as a system for annotating text for Web pages. SGML is an ISO standard that defines generalized markup languages for documents. Hypertext Markup Language (HTML) was created by physicist Tim Berners-Lee for the use and sharing of documents while he was at CERN. Based on an in-house version of SGML called SGMLguid, HTML was initially defined as an application of SGML. Today the text and image formatting language is used by Web browsers to dynamically format Web pages.

B is incorrect because Extensible Markup Language (XML) was developed after SGML. XML was developed as a specification to create various markup languages. From this specification more specific XML standards were created to be able to provide individual industries the functions they required. Individual industries have different needs in how they use markup languages. SGML was not a specification that was designed to allow the creation of individual and different markup languages.

C is incorrect because LaTeX was written in the early 1980s as the successor to TeX. LaTeX is the markup language and document preparation system used with the TeX typesetting program. Academic scholars are the most common users of LaTeX. Together with TeX, LaTeX provides a high quality of typesetting.

7. Brian has been asked to work on the virtual directory of his company’s new identity management system. Which of the following best describes a virtual directory?

A. Meta-directory

B. User attribute information stored in an HR database

C. Virtual container for data from multiple sources

D. A service that allows an administrator to configure and manage how identification takes place

C. A network directory is a container for users and network resources. One directory does not contain (or know about) all of the users and resources within the enterprise, so a collection of directories must be used. A virtual directory gathers the necessary information from sources scattered throughout the network and stores it in a central virtual directory (virtual container). This provides a unified view of all users’ digital identity information throughout the enterprise. The virtual directory periodically synchronizes itself with all of the identity stores (individual network directories) to ensure the most up-to-date information is being used by all applications and identity management components within the enterprise.

A is incorrect because whereas a virtual directory is similar to a meta-directory, the meta-directory works with one directory while a virtual directory works with multiple data sources. When an identity management component makes a call to a virtual directory, it has the capability to scan different directories throughout the enterprise, whereas a meta-directory only has the capability to scan the one directory it is associated with.

B is incorrect because it best describes an identity store. A lot of information stored in an identity management directory is scattered throughout the enterprise. User attribute information (employee status, job description, department, and so on) is usually stored in the HR database; authentication information could be in a Kerberos server; role and group identification information might be in a SQL database; and resource-oriented authentication information can be stored in Active Directory on a domain controller. These are commonly referred to as identity stores and are located in different places on the network. Many identity management products use virtual directories to call upon the data in these identity stores.

D is incorrect because it describes the directory service. The directory service allows an administrator to configure and manage how identification, authentication, authorization, and access control occur within the network. It manages the objects within a directory by using namespaces and enforces the configured security policy by carrying out access control and identity management functions.

8. Emily is listening to network traffic and capturing passwords as they are sent to the authentication server. She plans to use the passwords as part of a future attack. What type of attack is this?

A. Brute-force attack

B. Dictionary attack

C. Social engineering attack

D. Replay attack

D. A replay attack occurs when an intruder obtains and stores information, and later uses it to gain unauthorized access. In this case, Emily is using a technique called electronic monitoring (sniffing) to obtain passwords being sent over the wire to an authentication server. She can later use the passwords to gain access to network resources. Even if the passwords are encrypted, the retransmission of valid credentials can be sufficient to obtain access.

A is incorrect because a brute-force attack is performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password. One way to prevent a successful brute-force attack is to restrict the number of login attempts that can be performed on a system. An administrator can set operating parameters that allow a certain number of failed logon attempts to be accepted before a user is locked out; this is a type of clipping level.

B is incorrect because a dictionary attack involves the automated comparison of the user’s password to files of thousands of words until a match is found. Dictionary attacks are successful because users tend to choose passwords that are short, are single words, or are predictable variations of dictionary words.

C is incorrect because in a social engineering attack the attacker falsely convinces an individual that she has the necessary authorization to access specific resources. Social engineering is carried out against people directly and is not considered a technical attack necessarily. The best defense against social engineering is user education. Password requirements, protection, and generation should be addressed in security-awareness programs so that users understand why they should protect their passwords, and how passwords can be stolen.
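The replay described in this answer, as an added example that is not part of the book: a toy login where the client always sends the same hashed credential, so Emily’s captured message is accepted again later, beside a nonce-based challenge-response login where the same capture is rejected. The user, the secret and the "captured traffic" list are constructed for the example.

```python
"""Replay attack versus challenge-response (added example, not from the book).

Two toy login protocols share the same 'network': a list that stands in for
Emily's packet capture. In the static scheme the client always sends the
same transformed credential, so a captured message works again later. In
the challenge-response scheme the server issues a fresh random nonce for
every login and the client answers with an HMAC over it, so a captured
answer is useless once that nonce has been consumed. The user, secret and
traffic are constructed for this example.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed user store: the server keeps a derived key, not the password.
USERS = {"emily_boss": hashlib.sha256(b"correct horse").digest()}


class StaticHashServer:
    """Accepts H(password). Hashing (or encrypting) the credential does not
    help: the proof is identical on every login, so it can be replayed."""

    def login(self, user: str, proof: bytes) -> bool:
        return user in USERS and hmac.compare_digest(USERS[user], proof)


def static_client(user: str, password: str) -> tuple[str, bytes]:
    return user, hashlib.sha256(password.encode()).digest()


class ChallengeResponseServer:
    """Issues a single-use nonce; the proof must be HMAC(key, nonce)."""

    def __init__(self) -> None:
        self._outstanding: dict[str, bytes] = {}

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding[user] = nonce
        return nonce

    def login(self, user: str, proof: bytes) -> bool:
        nonce = self._outstanding.pop(user, None)    # consumed on first use
        if nonce is None or user not in USERS:
            return False
        expected = hmac.new(USERS[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def cr_client(password: str, nonce: bytes) -> bytes:
    key = hashlib.sha256(password.encode()).digest()
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_static_scenario() -> tuple[bool, bool]:
    """Victim logs in, Emily captures the message and retransmits it later.
    Returns (victim_login_ok, replay_ok)."""
    server = StaticHashServer()
    capture = []
    msg = static_client("emily_boss", "correct horse")
    capture.append(msg)                      # Emily sniffs the wire
    victim_ok = server.login(*msg)
    replay_ok = server.login(*capture[0])    # same bytes, later: accepted
    return victim_ok, replay_ok


def run_challenge_response_scenario() -> tuple[bool, bool]:
    """Same capture against the nonce-based server. Returns (victim_ok, replay_ok)."""
    server = ChallengeResponseServer()
    capture = []
    nonce = server.challenge("emily_boss")
    proof = cr_client("correct horse", nonce)
    capture.append(("emily_boss", proof))    # Emily sniffs the response
    victim_ok = server.login("emily_boss", proof)
    # Emily starts a login of her own; the server hands out a different nonce,
    # so the captured HMAC no longer verifies.
    server.challenge("emily_boss")
    replay_ok = server.login(*capture[0])
    return victim_ok, replay_ok
```

The first scenario returns (True, True) and the second (True, False); the difference is entirely the per-login nonce, which is why Kerberos-style tickets carry timestamps and nonces rather than raw credentials.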

9. Which of the following correctly describes a federated identity and its role within identity management processes?

A. A nonportable identity that can be used across business boundaries

B. A portable identity that can be used across business boundaries

C. An identity that can be used within intranet virtual directories and identity stores

D. An identity specified by domain names that can be used across business boundaries

B. A federated identity is a portable identity, and its associated entitlements, that can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises. Identity federation is based upon linking a user’s otherwise distinct identities at two or more locations without the need to synchronize or consolidate directory information. Federated identity offers businesses and consumers a more convenient way of accessing distributed resources and is a key component of e-commerce.

A is incorrect because a federated identity is portable. It could not be used across business boundaries if it was not portable—and that’s the whole point of a federated identity. The world continually gets smaller as technology brings people and companies closer together. Many times, when we are interacting with just one Web site, we are actually interacting with several different companies—we just don’t know it. The reason we don’t know it is because these companies are sharing our identity and authentication information behind the scenes. This is done to improve ease of use for the user.

Images C is incorrect because a federated identity is meant to be used across business boundaries—not within the organization. In other words, its use extends beyond the organization that owns the user data. Using federated identities, organizations with different technologies for directory services, security, and authentication can share applications, thereby allowing users to sign in to multiple applications with the same user ID, password, etc.

Images D is incorrect because a federated identity is not specified by a domain name. A federated identity is a portable identity and its associated entitlements. It includes the username, password and other personal identification information used to sign in to an application.

10. Phishing and pharming are similar. Which of the following correctly describes the difference between phishing and pharming?

A. Personal information is collected from victims through legitimate-looking Web sites in phishing attacks, while personal information is collected from victims via e-mail in pharming attacks.

B. Phishing attacks point e-mail recipients to a form where victims input personal information, while pharming attacks use pop-up forms at legitimate Web sites to collect personal information from victims.

C. Victims are pointed to a fake Web site with a domain name that looks similar to a legitimate site’s in a phishing attack, while victims are directed to a fake Web site as a result of a legitimate domain name being incorrectly translated by the DNS server in a pharming attack.

D. Phishing is a technical attack, while pharming is a type of social engineering.

C. In both phishing and pharming, attackers create Web sites that look very similar to legitimate sites in an effort to collect personal information from victims. In a phishing attack, attackers provide URLs with domain names that look very similar to the legitimate site’s address. For example, www.amazon.com might become www.amzaon.com. Another trick is a specially placed @ symbol: in a URL, anything before the @ in the authority part is treated as user information rather than the host, so http://www.msn.com@notmsn.com takes the victim to notmsn.com and presents the username www.msn.com to that site. Since www.msn.com is not a valid username for notmsn.com, the victim is simply shown the home page of notmsn.com, a nefarious site created to look and feel just like www.msn.com. The victim feels he is at the legitimate site and logs in with his credentials. (Current browsers generally warn about or strip user information in URLs, but the lookalike-domain technique still works.) In a pharming attack, the victim is given a legitimate domain name, but that name is redirected to the attacker’s Web site as a result of DNS poisoning. When a DNS server is poisoned to carry out a pharming attack, its records have been changed so that instead of returning the correct IP address for www.logicalsecurity.com, it returns the IP address of a legitimate-looking but fake Web site created by the attacker.

A is incorrect because a pharming attack does not commonly involve collecting information via e-mail. In fact, the benefit of pharming to the attacker is that it can affect a large number of victims without the need to send out any e-mail. Like a phishing attack, a pharming attack involves a seemingly legitimate, yet fake, Web site. Victims are directed to the fake Web site because the host name is resolved to the wrong address as a result of DNS poisoning.

B is incorrect because both descriptions are true of phishing attacks. Pharming attacks do not use pop-up forms. However, some phishing attacks use pop-up forms while a victim is at a legitimate site. If you were at your bank’s actual Web site and a pop-up window appeared asking you for some sensitive information, this probably wouldn’t worry you, since you were communicating with your bank’s real Web site. You may believe the window came from your bank’s Web server, so you fill it out as instructed. Unfortunately, this pop-up window could be from another source entirely, and your data could be placed right in the attacker’s hands, not your bank’s.

D is incorrect because both attacks are technical ways of carrying out social engineering. Phishing is a type of social engineering with the goal of obtaining personal information, credentials, credit card numbers, or financial data. The attackers lure, or fish, for sensitive data through various methods, such as e-mail and pop-up forms. Pharming involves DNS poisoning. The attacker modifies the records in a DNS server so that it resolves a host name to an incorrect IP address. The victim’s system sends a request to the poisoned DNS server, which points the victim to a different Web site. This different Web site looks and feels just like the requested Web site, so the user enters his username and password and may even be presented with further pages that look legitimate.
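The two phishing URL tricks described above, worked through in code. This is an added example, not part of the book's text: it splits a URL the way a browser does (so the text before an @ becomes user information and the real host is what follows it) and flags host names within a couple of edits of a trusted name. The allow-list, the edit-distance threshold and the sample URLs are constructed for the example. Note that pharming cannot be caught this way, since the URL is genuine; there the protection is DNS integrity (DNSSEC) and TLS certificate validation, because the attacker's server cannot present a valid certificate for the real name.

```python
from urllib.parse import urlsplit

# Constructed allow-list of sites the user actually intends to visit (assumption for the example).
TRUSTED_HOSTS = {"www.msn.com", "www.amazon.com"}


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute), used to spot lookalike host names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url: str, trusted=TRUSTED_HOSTS, max_distance: int = 2) -> dict:
    """Split the URL as a browser does and report both phishing tricks from the text."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    userinfo = parts.username  # text before '@' in the authority is a username, not the host
    report = {
        "host": host,
        "userinfo": userinfo,
        # The '@' trick: a trusted host name pasted in front of the real host.
        "userinfo_mimics_trusted_host": bool(userinfo) and userinfo.lower() in trusted,
        "trusted": host in trusted,
        "lookalike_of": None,
    }
    if not report["trusted"]:
        # Typo-squat check: host is within a few edits of a trusted host (amzaon vs amazon).
        for t in sorted(trusted):
            if 0 < levenshtein(host, t) <= max_distance:
                report["lookalike_of"] = t
                break
    return report


def is_phishing_url(url: str) -> bool:
    r = analyze_url(url)
    return r["userinfo_mimics_trusted_host"] or r["lookalike_of"] is not None


if __name__ == "__main__":
    for u in ("http://www.msn.com@notmsn.com/login", "http://www.amzaon.com/", "https://www.amazon.com/"):
        print(u, analyze_url(u))
```

For the first URL the report shows host notmsn.com with username www.msn.com, which is exactly the situation the answer describes; for the second it reports a lookalike of www.amazon.com.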

11. Security countermeasures should be transparent to users and attackers. Which of the following does not describe transparency?

A. User activities are monitored and tracked without negatively affecting system performance.

B. User activities are monitored and tracked without the user knowing about the mechanism that is carrying this out.

C. Users are allowed access in a manner that does not negatively affect business processes.

D. Unauthorized access attempts are denied and logged without the intruder knowing about the mechanism that is carrying this out.

A. Unfortunately, security components usually affect system performance in one way or another, although the effect is often unnoticeable to the user. Noticeably slow system performance can itself be an indication that security countermeasures are in place. The reason that controls should be transparent is so that users and intruders do not know enough to be able to disable or bypass them. The controls should also not stand in the way of the company carrying out its necessary functions.

B is incorrect because transparency is precisely about activities being monitored and tracked without the user’s knowledge of the mechanism that is doing the monitoring and tracking. While it is a best practice to tell users that their computer use is being monitored, it is not necessary to tell them how they are being monitored. If users are aware of the mechanisms that monitor their activities, they may attempt to disable or bypass them.

C is incorrect because there must be a balance between security and usability. This means that users should be allowed access, where appropriate, without affecting business processes. They should have the means to get their job done.

D is incorrect because you do not want intruders to know about the mechanisms in place to deny and log unauthorized access attempts. An intruder could use this knowledge to disable or bypass the mechanism and successfully gain unauthorized access to network resources.

12. What markup language allows for the sharing of application security policies to ensure that all applications are following the same security rules?

A. XML

B. SPML

C. XACML

D. GML

C. Two or more companies can set up a trust model to share identity, authorization, and authentication methods. This means that if Bill authenticates to his company’s software, this software can pass the result on to its partner’s software, and Bill can interact with the partner’s software without having to authenticate twice. eXtensible Access Control Markup Language (XACML) lets two or more organizations express and share application security policies based upon their trust model. XACML is a policy language and processing model implemented in XML: it declares access control policies as rules over attributes of the subject, resource, action, and environment, defines the request/response format for asking whether a given access is permitted, and describes how the policies are to be evaluated. Note that carrying Bill’s authentication state between the two companies is the job of the companion standard SAML; XACML supplies the policy that decides what the authenticated user may do.

A is incorrect because XML (Extensible Markup Language) is a general-purpose method for encoding documents and representing data structures, such as those exchanged by Web services; by itself it defines no security semantics. XML is an open standard derived, like HTML, from SGML, and it serves as the foundation for more specific, industry-oriented standards. XML allows companies to define markup that meets their different needs while still being able to communicate with each other; XACML, SAML, and SPML are all examples of such XML-based standards.

B is incorrect because Service Provisioning Markup Language (SPML) is used by companies to exchange user, resource, and service provisioning information, not application security policies. SPML is an XML-based framework developed by OASIS with the goal of allowing enterprise platforms (such as Web portals and application servers) to generate provisioning requests across multiple companies for the purpose of the secure and quick setup of Web services and applications.

D is incorrect because Generalized Markup Language (GML) is a method created by IBM for formatting documents. It describes a document in terms of its parts (chapters, paragraphs, lists, etc.) and their relationships (heading levels). GML was a predecessor to Standard Generalized Markup Language (SGML) and Hypertext Markup Language (HTML).

13. The importance of protecting audit logs generated by computers and network devices is highlighted by the fact that it is required by many of today’s regulations. Which of the following does not explain why audit logs should be protected?

A. If not properly protected, these logs may not be admissible during a prosecution.

B. Audit logs contain sensitive data and should only be accessible to a certain subset of people.

C. Intruders may attempt to scrub the logs to hide their activities.

D. The format of the logs should be unknown and unavailable to the intruder.

D. Auditing tools are technical controls that track activity within a network, on a network device, or on a specific computer. Even though auditing is not an activity that will deny an entity access to a network or computer, it tracks activities so that a security administrator can understand the types of access that took place, identify a security breach, or be warned of suspicious activity. This information can be used to point out weaknesses of other technical controls and help the administrator understand where changes must be made to preserve the necessary security level within the environment. Intruders can also use this information to exploit those weaknesses, so audit logs should be protected through permissions, rights, and integrity controls such as hashing or digital signatures. However, the format of system logs is commonly standardized across like systems. Hiding log formats is not a usual countermeasure and is not a reason to protect audit log files.

A is incorrect because due care must be taken to protect audit logs in order for them to be admissible in court. Audit trails can be used to provide alerts about suspicious activities that can be investigated at a later time. In addition, they can be valuable in determining exactly how far an attack has gone and the extent of the damage that may have been caused. It is important to maintain a proper chain of custody so that any data collected can later be properly and accurately represented in case it is needed for criminal proceedings or investigations.

B is incorrect because only the administrator and security personnel should be able to view, modify, and delete audit trail information. No other individuals should be able to view this data, much less modify or delete it. The integrity of the data can be ensured with digital signatures, message digests, and strong access controls. Its confidentiality can be protected with encryption and access controls, if necessary, and the logs can be stored on write-once media to prevent loss or modification. Unauthorized access attempts to audit logs should be captured and reported.

C is incorrect because the statement is true. If an intruder breaks into your house, he will do his best to cover his tracks by not leaving fingerprints or any other clues that can be used to tie him to the criminal activity. The same is true in computer fraud and illegal activity: the intruder will work to cover his tracks. Attackers often delete the audit log entries that hold this incriminating information. (Deleting specific incriminating data within audit logs is called scrubbing.) Deleting this information can prevent the administrator from being alerted to the security breach and can destroy valuable evidence. Therefore, audit logs should be protected by strict access control.
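One way to make scrubbing detectable, as an added example that is not part of the book's text: each log entry carries an HMAC computed over the previous entry's MAC plus its own body, so deleting, editing, or reordering an entry breaks the chain at that point. The key, the sample events and the function names are constructed for the example; in practice the key is held by the log collector or an HSM, not by the host producing the logs, so an intruder with root there cannot re-sign what he scrubbed.

```python
import copy
import hashlib
import hmac
import json

# Constructed signing key (assumption for the example). Keep it off the logging host in real use.
LOG_KEY = b"example-audit-log-key"
GENESIS = "0" * 64

# Constructed sample events, in the order they were logged.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:01Z", "user": "alice", "action": "login", "result": "success"},
    {"ts": "2024-05-01T10:02:14Z", "user": "alice", "action": "sudo", "cmd": "/usr/sbin/useradd"},
    {"ts": "2024-05-01T10:02:15Z", "user": "alice", "action": "create_user", "target": "backdoor"},
    {"ts": "2024-05-01T10:03:00Z", "user": "alice", "action": "logout", "result": "success"},
]


def _mac(prev: str, event: dict) -> str:
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(LOG_KEY, (prev + body).encode(), hashlib.sha256).hexdigest()


def append_entry(chain: list, event: dict) -> dict:
    """Append an event, binding it to the previous entry's MAC so a deletion breaks the chain."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "event": event, "mac": _mac(prev, event)}
    chain.append(entry)
    return entry


def verify_chain(chain: list) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, index of the first bad entry)."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["seq"] != i or e["prev"] != prev:
            return False, i   # an entry was removed, reordered, or inserted
        if not hmac.compare_digest(_mac(prev, e["event"]), e["mac"]):
            return False, i   # the body was edited, or the MAC was forged without the key
        prev = e["mac"]
    return True, -1


def build_sample_chain() -> list:
    chain = []
    for ev in SAMPLE_EVENTS:
        append_entry(chain, ev)
    return chain


def scrub_entry(chain: list, seq: int) -> list:
    """What an intruder does: drop the incriminating line and leave the rest in place."""
    return [e for e in chain if e["seq"] != seq]


def edit_entry(chain: list, seq: int, field: str, value) -> list:
    """Silently rewrite one field of an existing entry."""
    tampered = copy.deepcopy(chain)
    tampered[seq]["event"][field] = value
    return tampered


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    print("entry 2 scrubbed:", verify_chain(scrub_entry(chain, 2)))
    print("entry 1 edited:", verify_chain(edit_entry(chain, 1, "cmd", "/bin/ls")))
```

One caveat the chain alone does not cover: simply truncating the tail of the log still verifies, because nothing after the last surviving entry is missing from its own point of view. That is why the latest MAC (or the entries themselves) should be forwarded to a remote collector or write-once media at short intervals, so that the expected head of the chain is known elsewhere.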

14. Harrison is evaluating access control products for his company. Which of the following is not a factor he needs to consider when choosing the products?

A. Classification level of data

B. Level of training that employees have received

C. Logical access controls provided by products

D. Legal and regulation issues

B. When a company needs to decide upon the type of access control products it needs, it should understand the company’s legal requirements, the sensitivity of the data on its systems that need to be protected, and the types of technical controls used by the access control system. However, an access control system choice should not be based on the previous training the staff has received. Employees will need to be trained after the access control system’s rollout, but training is the least important issue listed in this question.

A is incorrect because it is important for a company to consider the classification level of data when choosing an access control product. Different security mechanisms can supply different degrees of availability, integrity, and confidentiality. The environment, the classification of data that is to be protected, and the security goals must be evaluated to ensure the proper security mechanisms are bought and put into place. Many corporations have wasted a lot of time and money not following these steps but instead buying the new “gee whiz” product that recently hit the market.

C is incorrect because the company should consider the logical access controls that are necessary for its identification, authentication, authorization, and accountability requirements. Logical access controls are software components that enforce access control measures for systems, programs, processes, and information. The logical access controls can be embedded within operating systems, applications, add-on security packages, or database and telecommunication management systems.

D is incorrect because legal and regulatory issues should be considered when choosing and setting up an access control product. The company must ensure that due care is being taken to control access to data that may be sensitive and is protected under different laws and regulations. Such measures may protect the company from fines and other penalties should it experience a data breach.

15. There are several types of intrusion detection systems (IDSs). What type of IDS builds a profile of an environment’s normal activities and assigns an anomaly score to packets based on the profile?

A. State-based

B. Statistical anomaly–based

C. Misuse detection system

D. Protocol signature–based

B. A statistical anomaly–based IDS is a behavioral-based system. Behavioral-based IDS products do not use predefined signatures but rather are put in a learning mode to build a profile of an environment’s “normal” activities. This profile is built by continually sampling the environment’s activities. The longer the IDS is left in learning mode, in most instances, the more accurate a profile it will build and the better protection it will provide. After this profile is built, all future traffic and activities are compared to it. With the use of statistical algorithms, the IDS looks for anomalies in the network traffic or user activity. Each packet is given an anomaly score, which indicates its degree of irregularity. If the score is higher than the established threshold of “normal” behavior, the preconfigured action takes place.

A is incorrect because a state-based IDS has rules that outline which state transition sequences should sound an alarm. The initial state is the state prior to the execution of an attack, and the compromised state is the state after successful penetration. The activity that takes place between the initial and compromised state is what the state-based IDS looks for, and it sends an alert if any of the state-transition sequences match its preconfigured rules.

C is incorrect because a misuse-detection system is simply another name for a signature-based IDS, which compares network or system activity to signatures or models of how attacks are carried out. Any action that is not recognized as an attack is considered acceptable. Signature-based IDS are the most popular IDS products today, and their effectiveness depends upon regularly updating the software with new signatures, as with antivirus software. This type of IDS is weak against new types of attacks because it can only recognize those that have been previously identified and have had signatures written for them.

D is incorrect because a protocol signature–based IDS is not a formal IDS category. This answer is a distracter.
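The learning-mode profile and anomaly score described in the answer to question 15, as an added example that is not part of the book's text. The profile is the per-feature mean and standard deviation of a constructed set of one-minute traffic samples; the anomaly score of a new minute is its largest absolute z-score across the features, and anything above the threshold is flagged. Feature names, sample values and the threshold are assumptions for the example.

```python
from statistics import mean, pstdev

FEATURES = ("conns", "bytes", "dst_ports")

# Constructed one-minute samples of one host's outbound traffic, captured during learning mode.
BASELINE = [
    {"conns": 48, "bytes": 98000,  "dst_ports": 8},
    {"conns": 52, "bytes": 103000, "dst_ports": 9},
    {"conns": 50, "bytes": 100000, "dst_ports": 8},
    {"conns": 47, "bytes": 96000,  "dst_ports": 7},
    {"conns": 53, "bytes": 104000, "dst_ports": 9},
    {"conns": 51, "bytes": 101000, "dst_ports": 8},
    {"conns": 49, "bytes": 99000,  "dst_ports": 8},
    {"conns": 50, "bytes": 100000, "dst_ports": 7},
    {"conns": 52, "bytes": 102000, "dst_ports": 9},
    {"conns": 48, "bytes": 97000,  "dst_ports": 8},
    {"conns": 51, "bytes": 101000, "dst_ports": 8},
    {"conns": 49, "bytes": 99000,  "dst_ports": 7},
]


def build_profile(samples):
    """Learning mode: per-feature mean and standard deviation of 'normal' activity."""
    profile = {}
    for f in FEATURES:
        vals = [s[f] for s in samples]
        sd = pstdev(vals)
        profile[f] = (mean(vals), sd if sd > 0 else 1e-9)  # guard against a constant feature
    return profile


def anomaly_score(profile, observation):
    """Detection mode: how many standard deviations the most unusual feature is from its mean."""
    return max(abs((observation[f] - mu) / sd) for f, (mu, sd) in profile.items())


def classify(profile, observation, threshold=3.0):
    """Return (score, flagged). The threshold is the tuning knob for false positives."""
    score = anomaly_score(profile, observation)
    return score, score > threshold


# Constructed observations: an ordinary minute, and a minute in which the host port-scans a target.
NORMAL_MINUTE = {"conns": 52, "bytes": 104000, "dst_ports": 9}
PORT_SCAN_MINUTE = {"conns": 51, "bytes": 99000, "dst_ports": 600}

if __name__ == "__main__":
    profile = build_profile(BASELINE)
    for name, obs in (("normal", NORMAL_MINUTE), ("port scan", PORT_SCAN_MINUTE)):
        print(name, classify(profile, obs))
```

The port-scan minute looks ordinary on connection count and bytes; only the number of distinct destination ports is hundreds of standard deviations out, which is why the score takes the maximum rather than the average. The usual caveat applies: if attack traffic is present while the profile is being learned, it becomes part of "normal", so learning mode belongs in a period that is known to be clean.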

16. A rule-based IDS takes a different approach than a signature-based or anomaly-based system. Which of the following is characteristic of a rule-based IDS?

A. Uses IF/THEN programming within expert systems

B. Identifies protocols used outside of their common bounds

C. Compares patterns to several activities at once

D. Can detect new attacks

A. Rule-based intrusion detection is commonly associated with the use of an expert system. An expert system is made up of a knowledge base, an inference engine, and rule-based programming. Knowledge is represented as rules, and the data to be analyzed is referred to as facts. The knowledge of the system is written in rule-based programming (IF situation THEN action). These rules are applied to the facts, the data that comes in from a sensor or a system that is being monitored. For example, an IDS pulls data from a system’s audit log and stores it temporarily in its fact database. Then the preconfigured rules are applied to this data to indicate whether anything suspicious is taking place. A rule might state: IF a root user creates File1 AND creates File2 in the same directory AND then calls an administrative tool, THEN send an alert. In other words, if a root user creates two files in the same directory and then invokes a specific administrative tool, an alert should be sent.

B is incorrect because a protocol anomaly–based IDS identifies protocols used outside of their common bounds. The IDS has specific knowledge of each protocol that it will monitor. A protocol anomaly pertains to the format and behavior of a protocol. If a protocol is formatted differently or is demonstrating abnormal behavior, the IDS triggers an alarm.

C is incorrect because a stateful matching IDS compares patterns to several activities at once. It is a type of signature-based IDS, meaning that it does pattern matching, similar to antivirus software. State is a snapshot of an operating system’s values in volatile, semipermanent, and permanent memory locations. In a state-based IDS, the initial state is the state prior to the execution of an attack, and the compromised state is the state after successful penetration. The IDS has rules that outline which state transition sequences should sound an alarm.

D is incorrect because a rule-based IDS cannot detect new attacks. An anomaly-based IDS can detect new attacks because it doesn’t rely on predetermined rules or signatures, which are only available after security researchers have had time to study an attack. Instead, an anomaly-based IDS learns the “normal” activities of an environment and triggers an alarm when it detects activity that differs from the norm. The three types of anomaly-based IDS are statistical, protocol, and traffic. They are also called behavior- or heuristic-based.
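The rule-based approach from question 16, as an added example that is not part of the book's text: a small knowledge base of IF/THEN rules is applied to constructed audit-log facts. The first rule is the one the answer describes (root creates two files in one directory and then runs an administrative tool); a second rule on failed-login bursts shows the same fact/rule split with a time window. The audit records, the list of administrative tools and the rule names are assumptions for the example.

```python
import os
from collections import defaultdict, deque

# Constructed audit-log facts, oldest first. A real IDS would pull these from auditd or syslog.
SAMPLE_AUDIT = [
    {"ts": 1,  "user": "bob",   "action": "create", "path": "/home/bob/a.sh"},
    {"ts": 2,  "user": "bob",   "action": "create", "path": "/home/bob/b.sh"},
    {"ts": 3,  "user": "bob",   "action": "exec",   "path": "/usr/sbin/useradd"},
    {"ts": 4,  "user": "root",  "action": "create", "path": "/tmp/.x/lib.so"},
    {"ts": 5,  "user": "root",  "action": "create", "path": "/tmp/.x/loader"},
    {"ts": 6,  "user": "root",  "action": "exec",   "path": "/usr/sbin/useradd"},
    {"ts": 7,  "user": "alice", "action": "login",  "result": "fail"},
    {"ts": 8,  "user": "alice", "action": "login",  "result": "fail"},
    {"ts": 9,  "user": "alice", "action": "login",  "result": "fail"},
    {"ts": 10, "user": "alice", "action": "login",  "result": "success"},
]

# Assumed set of tools whose invocation right after staging files is worth an alert.
ADMIN_TOOLS = {"/usr/sbin/useradd", "/usr/sbin/usermod", "/sbin/iptables"}


def rule_root_stages_files_then_admin_tool(facts):
    """IF root creates File1 AND File2 in the same directory AND then runs an admin tool THEN alert."""
    alerts = []
    per_dir = defaultdict(int)   # directory -> number of files root has created there
    armed = False                # becomes True once two files share a directory
    for f in facts:
        if f["user"] != "root":
            continue
        if f["action"] == "create":
            d = os.path.dirname(f["path"])
            per_dir[d] += 1
            armed = armed or per_dir[d] >= 2
        elif f["action"] == "exec" and armed and f["path"] in ADMIN_TOOLS:
            alerts.append({"rule": "root-staged-files-then-admin-tool", "ts": f["ts"], "tool": f["path"]})
            armed, per_dir = False, defaultdict(int)   # reset so the sequence must recur to fire again
    return alerts


def rule_failed_login_burst(facts, limit=3, window=60):
    """IF a user fails to log in `limit` times within `window` seconds THEN alert."""
    alerts = []
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    for f in facts:
        if f["action"] != "login" or f.get("result") != "fail":
            continue
        q = recent[f["user"]]
        q.append(f["ts"])
        while q and f["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= limit:
            alerts.append({"rule": "failed-login-burst", "ts": f["ts"], "user": f["user"]})
            q.clear()
    return alerts


RULES = [rule_root_stages_files_then_admin_tool, rule_failed_login_burst]


def run_rules(facts):
    """Apply every rule in the knowledge base to the facts; return the alerts oldest first."""
    return sorted((a for rule in RULES for a in rule(facts)), key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_AUDIT):
        print(alert)
```

Bob performs the identical sequence and triggers nothing, because the rule's condition names root; that is the strength and the limit of the approach in one picture. The rule only fires on the situation someone thought to write down, which is why answer D is wrong.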

17. Sam plans to establish mobile phone service using the personal information he has stolen from his former boss. What type of identity theft is this?

A. Phishing

B. True name

C. Pharming

D. Account takeover

B. Identity theft refers to a situation where someone obtains key pieces of personal information such as a driver’s license number, bank account number, credentials, or Social Security number, and then uses that information to impersonate someone else. Typically, identity thieves will use the personal information to obtain credit, merchandise, or services in the name of the victim. This can result in such things as ruining the victim’s credit rating, generating false criminal records, and issuing arrest warrants for the wrong individuals. Identity theft is categorized in two ways: true name and account takeover. True name identity theft means the thief uses personal information to open new accounts. The thief might open a new credit card account, establish mobile phone service like Sam, or open a new checking account in order to obtain blank checks.

A is incorrect because phishing is a type of social engineering attack with the goal of obtaining personal information, credentials, credit card numbers, or financial data. The attackers lure, or fish, for sensitive data through various methods. While the goal of phishing is to dupe a victim into handing over his personal information, the goal of identity theft is to use that personal information for personal or financial gain. An attacker can employ a phishing attack as a means to carry out identity theft.

C is incorrect because pharming is a technical attack that is carried out to trick victims into sending their personal information to an attacker via an illegitimate Web site. The victim types a Web address, such as www.nicebank.com, into his browser. The victim’s system sends a request to a poisoned DNS server, which points the victim to a Web site that is under the attacker’s control. Because the site looks and feels like the requested Web site, the user enters his personal information, which the attacker can then use to commit identity theft.

D is incorrect because account takeover identity theft means the imposter uses personal information to gain access to the person’s existing accounts, rather than opening a new account. Typically, the thief will change the mailing address on an account and run up a huge bill before the person whose identity has been stolen realizes there is a problem. The Internet has made it easier for an identity thief to use the information he has stolen because transactions can be made without any personal interaction.

18. Of the following, what is the primary item that a capability list is based upon?

A. A subject

B. An object

C. A product

D. An application

A. A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability list (also referred to as a capability table) is different from an access control list (ACL) because the subject is bound to the capability table, whereas the object is bound to the ACL. A capability can be in the form of a token, ticket, or key. When a subject presents a capability component, the operating system (or application) reviews the access rights and operations outlined in the capability component and allows the subject to carry out just those functions. A capability component is a data structure that contains a unique object identifier and the access rights the subject has to that object. The object may be a file, array, memory segment, or port.

B is incorrect because an object is bound to an access control list (ACL), not a capability component. ACLs are used in several operating systems, applications, and router configurations. They are lists of subjects that are authorized to access a specific object, and they define what level of authorization is granted. Authorization can be specified for an individual or a group. ACLs map values from the access control matrix to the object. Whereas a capability corresponds to a row in the access control matrix, the ACL corresponds to a column of the matrix.

C is incorrect because a product can be an object or a subject. If a user attempts to access a product (such as a program), the user is the subject and the product is the object. If a product attempts to access a database, the product is the subject and the database is the object. So while a product could appear as a subject in a capability list, the best answer is A. A capability list indicates what objects a subject can access and the operations that can be carried out on those objects.

D is incorrect for the same reason as answer C. If a user attempts to access an application, the user is the subject and the application is the object. If an application attempts to access a database, the application is the subject and the database is the object. While an application could appear as a subject in a capability list, the best answer is A. A capability list indicates what objects a subject can access and the operations that can be carried out on those objects.

19. Alex works for a chemical distributor that assigns employees tasks that separate their duties and routinely rotates job assignments. Which of the following best describes the differences between these countermeasures?

A. They are the same thing with different titles.

B. They are administrative controls that enforce access control and protect the company’s resources.

C. Separation of duties ensures that one person cannot perform a high-risk task alone, and job rotation can uncover fraud because more than one person knows the tasks of a position.

D. Job rotation ensures that one person cannot perform a high-risk task alone, and separation of duties can uncover fraud because more than one person knows the tasks of a position.

C. Separation of duties and job rotation are two security controls commonly used within companies to prevent and detect fraud. Separation of duties is put into place to ensure that one entity cannot carry out a task that could be damaging or risky to the company. It requires two or more people to come together to do their individual tasks to accomplish the overall task. Rotation of duties helps ensure that one person does not stay in one position for a long period of time, because he may end up having too much control over a segment of the business. Such total control could result in fraud, data modification, and misuse of resources.

A is incorrect because separation of duties and job rotation are two different concepts. They are, however, both put into place to reduce the possibilities of fraud, sabotage, misuse of information, theft, and other security compromises. Separation of duties makes sure that one individual cannot complete a critical task by herself. When a submarine captain needs to launch a nuclear torpedo, the launch usually requires three codes to be entered into the launching mechanism by three different senior crewmembers. This is an example of separation of duties. Job rotation ensures that no single person ends up having too much control over a segment of the business as a result of staying in one position for a long period of time.

B is incorrect because answer C is a more detailed and definitive answer. Answer C describes both of these controls properly and their differences. Both of these controls are administrative in nature and are put into place to control access to company assets, but the CISSP exam requires the best answer out of four.

D is incorrect because the description is backward. Separation of duties, not job rotation, ensures that one person cannot perform a high-risk task alone. Job rotation moves individuals in and out of a specific role to ensure that fraudulent activities are not taking place.

20. What type of markup language allows company interfaces to pass service requests and the receiving company provision access to these services?

A. XML

B. SPML

C. SGML

D. HTML

B. Service Provisioning Markup Language (SPML) is a markup language built on the XML framework that exchanges information on which users should get access to what resources and services. So let’s say that an automobile company and a tire company only allow Inventory Managers within the automobile company to order tires. If Bob logs in to the automobile company’s inventory software and orders 40 tires, how does the tire company know that this request is coming from an authorized vendor and a user in the Inventory Managers group? The automobile company’s software can pass user and group identity information to the tire company’s software. The tire company uses this identity information to make an authorization decision that then allows Bob’s request for 40 tires to be filled. Since both the sending and receiving companies follow one standard (SPML, built on XML), this type of interoperability can take place.

A is incorrect because it is not the best answer to the question. Service Provisioning Markup Language (SPML), which is based on XML, allows company interfaces to pass service requests and the receiving company to provision access to these services. This interoperability is made possible because the companies are both using Extensible Markup Language (XML). XML is a set of rules for electronically encoding documents and Web-based communication. It is also used to encode arbitrary data structures, as in Web services. It allows groups or companies to create information formats, like SPML, that enable a consistent means of sharing data.

C is incorrect because Standard Generalized Markup Language (SGML) was one of the first markup languages developed. It does not provide user access or provisioning functionality. SGML is a standard that defines generalized markup tags for documents. It is the successor to Generalized Markup Language and came long before XML or SPML.

D is incorrect because Hypertext Markup Language (HTML) was developed to annotate Web pages. HTML is an application of SGML and predates XML, which is itself a simplified subset of SGML. HTML provides a means of denoting structural semantics for text and other elements found on a Web page. It can be used to embed images and objects, and to create interactive forms. However, it cannot allow company interfaces to pass service requests and the receiving company to provision access to these services.

21. There are several different types of centralized access control protocols. Which of the following is illustrated in the graphic that follows?

A. Diameter

B. Watchdog

C. RADIUS

D. TACACS+

Images

Images A. Diameter is an authentication, authorization, and auditing (AAA) protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities to meet the new demands of today’s complex and diverse networks. At one time, all remote communication took place over PPP and SLIP connections and users authenticated themselves through PAP or CHAP. Technology has become much more complicated and there are more devices and protocols to choose from than ever before. The Diameter protocol allows wireless devices, smart phones, and other devices to be able to authenticate themselves to networks using roaming protocols, Mobile IP, Ethernet over PPP, Voice over IP (VoIP), and others.

Images B is incorrect because Watchdog timers are commonly used to detect software faults, such as a process ending abnormally or hanging. The Watchdog functionality sends out a type of “heartbeat” packet to determine whether a service is responding. If it is not, the process can be terminated or reset. These packets help prevent against software deadlocks, infinite loops, and process prioritization problems. This functionality can be used in AAA protocols to determine whether packets need to be re-sent and whether connections experiencing problems should be closed and reopened, but it is not an access control protocol itself.

C is incorrect because Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides client/server authentication, authorization, and accounting for remote users. A network may have access servers, DSL, ISDN, or a T1 line dedicated for remote users to communicate through. The access server requests the remote user's logon credentials and passes them back to a RADIUS server, which houses the usernames and password values. The remote user is a client to the access server, and the access server is a client to the RADIUS server.

D is incorrect because TACACS+ provides basically the same functionality as RADIUS. The RADIUS protocol combines the authentication and authorization functionality in a single exchange. TACACS+ uses a true authentication, authorization, and accounting (AAA) architecture, which separates each function out. This gives a network administrator more flexibility in how remote users are authenticated. Neither TACACS+ nor RADIUS was designed to provide these services for devices that communicate over VoIP, Mobile IP, or similar protocols; that is the gap Diameter was built to fill.
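The RADIUS exchange described above, as an added Python example that is not part of the book: the access server (NAS) hides the user's password under the shared secret and sends an Access-Request, the RADIUS server recovers the password, decides, and signs its reply with a Response Authenticator, and the NAS verifies that authenticator before trusting the verdict. The packet layout, the MD5-based User-Password hiding, and the Response Authenticator formula follow RFC 2865; the shared secret, user database, and usernames are constructed test data. Only the authentication and authorization parts of the exchange are modelled, which is exactly the point the answer makes: in RADIUS they travel in one request/response pair.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 packet codes and attribute types used below.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is stripped, so a password
    containing NUL bytes is not representable (the same limit real RADIUS has)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    """Type-Length-Value encoding; Length includes the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, request_auth: bytes = None) -> bytes:
    """What the access server (NAS) sends: the credential, hidden under the shared secret."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, hide_password(password, secret, request_auth)),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def radius_server_handle(packet: bytes, secret: bytes, user_db: dict) -> bytes:
    """The RADIUS server: recover the password, decide, and sign the reply with
    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_auth)
    reply = ACCESS_ACCEPT if user_db.get(attrs[ATTR_USER_NAME]) == password else ACCESS_REJECT
    reply_attrs = b""  # a real Access-Accept carries the authorization attributes here
    header = struct.pack("!BBH", reply, ident, 20 + len(reply_attrs))
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs


def nas_check_response(response: bytes, request: bytes, secret: bytes):
    """Back at the NAS: verify the Response Authenticator against the Request
    Authenticator it sent. Returns the reply code, or None if the reply was not
    produced by a party holding the shared secret."""
    header, response_auth, reply_attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + reply_attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    return header[0]


if __name__ == "__main__":
    secret, user_db = b"constructed-shared-secret", {b"alice": b"hunter2"}
    request = build_access_request(7, b"alice", b"hunter2", secret)
    response = radius_server_handle(request, secret, user_db)
    print("NAS sees reply code:", nas_check_response(response, request, secret))
```

The password hiding is keyed obfuscation built on MD5, and the whole exchange normally rides on UDP; that is why production deployments wrap RADIUS in IPsec or RadSec (RADIUS over TLS) rather than relying on the shared secret alone.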

22. An access control matrix is used in many operating systems and applications to control access between subjects and objects. What is the column in this type of matrix referred to?

Access Control Matrix [graphic not reproduced]

A. Capability table

B. Constrained interface

C. Role-based value

D. ACL

D. Access control lists (ACLs) map values from the access control matrix to the object. Whereas a capability corresponds to a row in the access control matrix, the ACL corresponds to a column of the matrix. ACLs are used in several operating systems, applications, and router configurations. They are lists of subjects that are authorized to access a specific object, and they define what level of authorization is granted. Authorization can be specified for an individual or a group. So the ACL is bound to an object and indicates which subjects can access it, and a capability table is bound to a subject and indicates which objects that subject can access.

A is incorrect because a capability can be in the form of a token, ticket, or key and is a row within an access control matrix. When a subject presents a capability component, the operating system (or application) reviews the access rights and operations outlined in the capability component and allows the subject to carry out just those functions. A capability component is a data structure that contains a unique object identifier and the access rights the subject has to that object. The object may be a file, array, memory segment, or port. Each user, process, and application in a capability system holds a list of capabilities that defines what it can do.

B is incorrect because constrained user interfaces restrict users' access abilities by not allowing them to request certain functions or information, or to have access to specific system resources. Three major types of restricted interfaces exist: menus and shells, database views, and physically constrained interfaces. When menu and shell restrictions are used, the options users are given are the commands they can execute. For example, if an administrator wants users to be able to execute only one program, that program would be the only choice available on the menu. If restricted shells were used, the shell would contain only the commands the administrator wants the users to be able to execute.

C is incorrect because a role-based access control (RBAC) model, also called nondiscretionary access control, uses a centrally administered set of controls to determine how subjects and objects interact. This type of model lets access to resources be based on the role the user holds within the company. It is referred to as nondiscretionary because the assignment of a user to a role is imposed by the administrator. This means that if you are assigned only to the Contractor role in a company, there is nothing you can do about it. You do not have the discretion to determine what role you will be assigned.
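The row/column duality in question 22, as an added Python example that is not from the book. It derives both views from one matrix, shows that an access check gives the same answer from either view, and shows the operational difference the answer hints at: revoking all access to one object touches a single ACL but every subject's capability list. The subjects, objects, and rights are constructed sample data.

```python
# Constructed sample matrix: rows are subjects, columns are objects,
# cells are the rights the subject holds on the object.
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "hr.doc": {"read"}},
    "bob":   {"payroll.db": {"read"}, "printer1": {"use"}},
    "carol": {"hr.doc": {"read", "write"}, "printer1": {"use"}},
}


def acl_for(matrix, obj):
    """Column of the matrix: the ACL bound to one object (subject -> rights)."""
    return {s: set(row[obj]) for s, row in matrix.items() if obj in row}


def capability_list_for(matrix, subject):
    """Row of the matrix: the capability list bound to one subject (object -> rights)."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items()}


def build_acls(matrix):
    objects = {o for row in matrix.values() for o in row}
    return {o: acl_for(matrix, o) for o in objects}


def build_caps(matrix):
    return {s: capability_list_for(matrix, s) for s in matrix}


def allowed_via_acl(acls, subject, obj, right):
    """Object-side check: find the object's ACL, then look for the subject."""
    return right in acls.get(obj, {}).get(subject, set())


def allowed_via_caps(caps, subject, obj, right):
    """Subject-side check: find the subject's capabilities, then look for the object."""
    return right in caps.get(subject, {}).get(obj, set())


def views_agree(matrix, rights=("read", "write", "use")):
    """Both representations must make the same decision for every cell."""
    acls, caps = build_acls(matrix), build_caps(matrix)
    return all(
        allowed_via_acl(acls, s, o, r) == allowed_via_caps(caps, s, o, r)
        for s in matrix for o in acls for r in rights
    )


def revoke_object_acl(acls, obj):
    """Revoking every right on an object: one ACL entry goes away.
    Returns the number of structures visited (always 1)."""
    acls.pop(obj, None)
    return 1


def revoke_object_caps(caps, obj):
    """The same revocation with capability lists has to visit every subject's
    row, because the object's rights are scattered across them.
    Returns the number of subject rows visited."""
    visited = 0
    for subject_caps in caps.values():
        visited += 1
        subject_caps.pop(obj, None)
    return visited


if __name__ == "__main__":
    acls, caps = build_acls(MATRIX), build_caps(MATRIX)
    print("ACL for payroll.db:", acl_for(MATRIX, "payroll.db"))
    print("capabilities of bob:", capability_list_for(MATRIX, "bob"))
    print("rows touched revoking payroll.db:", revoke_object_acl(acls, "payroll.db"),
          "(ACL) vs", revoke_object_caps(caps, "payroll.db"), "(capabilities)")
```

The mirror-image cost applies too: removing every right a departing user holds is one row in the capability view but a walk over every object's ACL, which is why operating systems that keep ACLs also keep group membership in the user's token rather than rewriting ACLs when people change jobs.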

23. What technology within identity management is illustrated in the graphic that follows?

[graphic not reproduced]

A. User provisioning

B. Federated identity

C. Directories

D. Web access management

B. A federated identity is a portable identity, and its associated entitlements, that can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises. Identity federation is based upon linking a user's otherwise distinct identities at two or more locations without the need to synchronize or consolidate directory information. Federated identity offers businesses and consumers a more convenient way of accessing distributed resources and is a key component of e-commerce.

A is incorrect because user provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications, in response to business processes. User provisioning software may include one or more of the following components: change propagation, self-service workflow, consolidated user administration, delegated user administration, and federated change control. User objects may represent employees, contractors, vendors, partners, customers, or other recipients of a service. Services may include electronic mail, access to a database, access to a file server or mainframe, and so on. User provisioning can be part of a federated identity deployment, but it is not what the graphic illustrates.

C is incorrect because while most enterprises have some type of directory that contains information pertaining to the company's network resources and users, directories do not commonly span different businesses. Most directories follow a hierarchical database format, based on the X.500 standard, and use a protocol such as the Lightweight Directory Access Protocol (LDAP) that allows subjects and applications to interact with the directory. Applications can request information about a particular user by making an LDAP request to the directory, and users can request information about a specific resource by using a similar request. While directories can work within a federated framework, this is not what the graphic shows.

D is incorrect because Web access management (WAM) software controls what users can access when using a Web browser to interact with Web-based enterprise assets. This type of technology is continually becoming more robust and seeing wider deployment because of the increased use of e-commerce, online banking, content delivery, Web services, and more. More complexity comes in with all the different ways a user can authenticate (password, digital certificate, token, and others), the resources and services that may be available to the user (transfer funds, purchase product, update profile, and so forth), and the necessary infrastructure components. The infrastructure is usually made up of a Web server farm (many servers), a directory that contains the users' accounts and attributes, a database, a couple of firewalls, and some routers, all laid out in a tiered architecture.

24. There are several different types of single sign-on protocols and technologies in use today. What type of technology is illustrated in the graphic that follows?

[graphic not reproduced]

A. Kerberos

B. Discretionary access control

C. SESAME

D. Mandatory access control

C. The Secure European System for Applications in a Multivendor Environment (SESAME) project was a single sign-on technology developed to extend Kerberos functionality and improve upon its weaknesses. SESAME uses symmetric and asymmetric cryptographic techniques to authenticate subjects to network resources. Kerberos uses tickets to authenticate subjects to objects, whereas SESAME uses Privileged Attribute Certificates (PACs), which contain the subject's identity, access capabilities for the object, access time period, and lifetime of the PAC. The PAC is digitally signed so that the object can validate that it came from the trusted authentication server, which is referred to as the Privileged Attribute Server (PAS). The PAS holds a role similar to that of the Key Distribution Center (KDC) within Kerberos. After a user successfully authenticates to the authentication service (AS), he is presented with a token to give to the PAS. The PAS then creates a PAC for the user to present to the resource he is trying to access.

A is incorrect because Kerberos is an authentication protocol based on symmetric key cryptography. Kerberos is an example of a single sign-on system for distributed environments (as is SESAME) and is the de facto standard for heterogeneous networks today. Kerberos incorporates a wide range of security capabilities, which gives companies much more flexibility and scalability when they need to provide an encompassing security architecture. It has four elements necessary for enterprise access control: scalability, transparency, reliability, and security. The differences between these technologies are described in the previous answer. While SESAME and Kerberos are close in the functionality they present, SESAME is the technology shown in the graphic.

B is incorrect because discretionary access control (DAC) is an access control model that is built right into an operating system or application, not something that works as a single sign-on technology. A system that uses DAC enables the owner of the resource to specify which subjects can access specific resources. This model is called discretionary because the control of access is based on the discretion of the owner. Many times department managers, or business unit managers, are the owners of the data within their specific department. Being the owner, they can specify who should have access and who should not. In a DAC model, access is restricted based on the authorization granted to the users. This means users are allowed to specify what type of access can occur to the objects they own. The most common implementation of DAC is through ACLs, which are dictated and set by the owners and enforced by the operating system. This can make a user's ability to access information dynamic versus the more static role of mandatory access control (MAC).

D is incorrect because mandatory access control (MAC) is an access control model that is built right into an operating system or application, not something that works as a single sign-on technology. In a MAC model, users and data owners do not have as much freedom to determine who can access files. The operating system makes the final decision and can override the users' wishes. This model is much more structured and strict and is based on a security label system. Users are given a security clearance (secret, top secret, confidential, and so on), and data is classified in the same way. The clearance and classification data are stored in the security labels, which are bound to the specific subjects and objects. When the system makes a decision about fulfilling a request to access an object, it is based on the clearance of the subject, the classification of the object, and the security policy of the system. The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies.

25. There are different ways that specific technologies can create one-time passwords for authentication purposes. What type of technology is illustrated in the graphic that follows?

[graphic not reproduced]

A. Counter synchronous token

B. Asynchronous token

C. Mandatory token

D. Synchronous token

D. A synchronous token device synchronizes with the authentication service by using time or a counter as the core piece of the authentication process. If the synchronization is time-based, as shown in this graphic, the token device and the authentication service must hold the same time within their internal clocks. The time value on the token device and a secret key are used to create the one-time password, which is displayed to the user. The user enters this value and a user ID into the computer, which then passes them to the server running the authentication service. The authentication service computes the value it expects from its own clock and the same secret key and compares the two; in practice it accepts a small window of neighbouring time steps to tolerate clock drift. If the two match, the user is authenticated and allowed to use the computer and resources.

A is incorrect because if the token device and authentication service use counter-synchronization, the process is not based on time as shown in the graphic. When using a counter-synchronization token device, the user initiates the creation of the one-time password by pushing a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and the result is displayed to the user. The user enters this resulting value along with a user ID to be authenticated. In either time- or counter-based synchronization, the token device and the authentication service must share the same secret base key used to generate the one-time values.

B is incorrect because a token device using an asynchronous token-generating method employs a challenge/response scheme to authenticate the user. This technology does not use synchronization but instead uses discrete steps in its authentication process. In this situation, the authentication server sends the user a challenge, a random value also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value the user uses as a one-time password. The user sends this value, along with a username, to the authentication server. If the authentication server can decrypt the value and it is the same challenge value sent earlier, the user is authenticated.

C is incorrect because there is no such thing as a mandatory token. This is a distracter answer.
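The three token types in this question correspond to well-known algorithms: the time-synchronous token to TOTP (RFC 6238), the counter-synchronous token to HOTP (RFC 4226), and the asynchronous token to challenge/response. The following Python is an added example, not from the book. It implements the generator and the server-side check for each, including the drift window a time-based verifier needs, the look-ahead a counter-based verifier needs when the user has pressed the button without logging in, and the replay protection that comes from advancing the counter past the matched value. The challenge/response variant computes an HMAC over the nonce instead of the encryption the answer describes; that is this example's choice. The HOTP/TOTP secret is the RFC test-vector key, and the nonce is constructed data.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps since the epoch.
    This is what a time-synchronous token displays."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Time-synchronous server check: recompute from the server's own clock and the
    shared secret, accepting +/- window steps of drift. The value is recomputed, never
    decrypted. Constant-time comparison avoids leaking how many digits matched."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * step, step, len(code)), code)
        for k in range(-window, window + 1)
    )


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 5):
    """Counter-synchronous server check: the token may be ahead of the server (button
    pressed without logging in), so try the next look_ahead counters. On success return
    the new server counter, one past the match, so the same code cannot be replayed.
    Return None on failure, leaving the counter unchanged."""
    for c in range(server_counter, server_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c + 1
    return None


def challenge_response(secret: bytes, nonce: bytes) -> str:
    """Asynchronous token: the server issues a nonce, the token keys a function with the
    shared secret over it. HMAC-SHA256 stands in for the encryption in the book's text."""
    return hmac.new(secret, nonce, hashlib.sha256).hexdigest()[:8]


def verify_challenge(secret: bytes, nonce: bytes, response: str) -> bool:
    """Server side: recompute the expected response for the nonce it actually issued.
    A fresh nonce per login is what makes a captured response useless later."""
    return hmac.compare_digest(challenge_response(secret, nonce), response)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 4226 / RFC 6238 test-vector key
    print("HOTP counter 0:", hotp(secret, 0))           # 755224 per RFC 4226
    print("TOTP at T=59:", totp(secret, 59))            # 287082 per RFC 6238 (6 digits)
    print("TOTP now:", totp(secret, int(time.time())))
    print("challenge/response:", challenge_response(secret, b"constructed-nonce"))
```

The first two printed values match the published RFC test vectors, which is the practical way to confirm an OTP implementation before trusting it with a real seed.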
