Which of the following statements correctly describes biometric methods?
Options:
They are the least expensive and provide the most protection.
They are the most expensive and provide the least protection.
They are the least expensive and provide the least protection.
They are the most expensive and provide the most protection.
Answer: Compared with the other available authentication mechanisms, biometric methods provide the highest level of protection and are the most expensive.

Which of the following statements correctly describes passwords?
Options:
They are the least expensive and most secure.
They are the most expensive and least secure.
They are the least expensive and least secure.
They are the most expensive and most secure.
Answer: Passwords provide the least amount of protection, but they are the cheapest because they do not require extra readers (as smart cards and memory cards do), do not require devices (as biometrics do), and do not require a lot of processing overhead (as cryptography does).
Passwords are the most common type of authentication method used today.

Options:
This protocol is not used; cryptography is used.
An authentication service generates a challenge, and the smart token generates a response based on the challenge.
The token challenges the user for a username and password.
Answer: The authentication service sends the user a challenge value, which the user enters into the token. The token encrypts or hashes this value, and the user uses this as her one-time password.
Which access control method is considered user-directed?
Options:
A. Nondiscretionary
B. Mandatory
C. Identity-based
D.
Answer: The DAC model allows users, or data owners, the discretion of letting other users access their resources.

Which item is not part of a Kerberos authentication implementation?
Options:
A. Message authentication code
B. Ticket granting service
C. Authentication service
D. Users, programs, and services
Answer: A message authentication code (MAC) is a cryptographic function and is not a key component of Kerberos.
Kerberos is made up of a KDC, a realm of principals (users, services, applications, and devices), an authentication service, tickets, and a ticket granting service.

If a company has a high turnover rate, which access control structure is best?
Options:
A. Role-based
B. Decentralized
C. Rule-based
D.
Answer: It is easier on the administrator if she only has to create one role, assign all of the necessary rights and permissions to that role, and plug a user into that role when needed.
Otherwise, she would need to assign and extract permissions and rights on all systems as each individual came and left the company.

Options:
A. A user authenticating to a system and the system authenticating to the user
B. A user authenticating to two systems at the same time
C. A user authenticating to a server and then to a process
D. A user authenticating, receiving a ticket, and then authenticating to a service
Answer: Mutual authentication means it is happening in both directions. Instead of just the user having to authenticate to the server, the server also must authenticate to the user.

In discretionary access control security, who has delegation authority to grant access to data?
Options:
A. User
B. Security officer
C. Security policy
D.
Answer: This question may seem a little confusing if you were stuck between user and owner.
Only the data owner can decide who can access the resources she owns. She may be a user and she may not. A user is not necessarily the owner of the resource. Only the actual owner of the resource can dictate what subjects can actually access the resource.

Which could be considered a single point of failure within a single sign-on implementation?
Options:
A. Authentication server
B. Logon credentials
D.
Answer: In a single sign-on technology, all users are authenticating to one source.
If that source goes down, authentication requests cannot be processed.

What role does biometrics play in access control?
Options:
A. Authorization
B. Authenticity
C. Authentication
D.

Considered one of the most crucial assets in a company, access control systems hold significant value. These controls are used to protect resources from unauthorized access and are put into place to ensure that subjects can only access objects using secure and pre-approved methods.
DAC is a type of access control system that assigns access rights based on rules specified by users. The principle behind DAC is that subjects can determine who has access to their objects.
The security kernel within the operating system checks the access control tables to determine whether access is allowed. This model is used by some of the most popular operating systems, such as the Microsoft Windows file system. RBAC, also known as non-discretionary access control, is used when system administrators need to assign rights based on organizational roles instead of individual user accounts. This gives an individual only the access needed to do their job, since access is tied to the role rather than to the person.
Each group has individual file permissions and each user is assigned to groups based on their work role.

A vulnerability is the absence or weakness of a safeguard that could be exploited.
Ensuring the code conforms to applicable coding standards.
Discussing bugs, design issues, and anything else that comes up about the code.
Agreeing on a disposition for the code.
Fuzzing the code.
Which is NOT a form of social engineering?
Separation of duties.
Mandatory vacations.
Due diligence.
Auditing does not need to take place in a routine manner.
The process of establishing and maintaining effective system controls is called:
Trusted recovery.
Security management.
Configuration management.
The security of remote access is not important.
The following should be accomplished during the requirements gathering phase:

Biometric methods apply technologies such as fingerprint, retina, and iris scans to authenticate individuals requesting access to resources, and access control software packages manage access to resources holding information from subjects local to the information system or from those at remote locations.
Callback systems provide access protection by calling back the number of a previously authorized location, but this control can be compromised by call forwarding. Shells limit the system-level commands that an individual or process can use. Database views are mechanisms that restrict the information that a user can access in a database.
Limited keypads have a small number of keys that the user can select, and the functions that are not intended to be accessible by the user are not represented on any of the available keys. These measures are intended to restrict physical access to areas with systems holding sensitive information. A circular security perimeter that is under access control defines the area or zone to be protected. Examples of such controls are organizational policies and procedures, background checks, vacation scheduling, the labeling of sensitive materials, increased supervision, security awareness training, and behavior awareness.
These measures include intrusion detection systems and automatically generated violation reports from audit trail information. In order to limit the amount of audit information flagged and reported by automated violation analysis and reporting mechanisms, clipping levels can be set. Clipping levels are preset allowable thresholds on a reported activity. For example, if a clipping level of 3 is set for reporting failed logon attempts at a workstation, three or fewer logon attempts by an individual at a workstation would not be reported as a violation, thus eliminating the need for reviewing normal logon entry errors.
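As an added illustration of the clipping-level filtering described above (example code written for this page, not from the source text; the record format, field names and sample audit lines are constructed assumptions), the following Python counts failed logons per user and workstation and reports only the counts above a threshold of 3:

```python
# Added example: applying a clipping level to failed-logon audit records.
# The record format "HH:MM:SS user workstation RESULT" is an assumption.
from collections import Counter

CLIPPING_LEVEL = 3  # as in the text: three or fewer failures are not reported

# Constructed sample audit records (not real log data)
SAMPLE_LOG = """\
09:00:01 alice WS-12 FAIL
09:00:07 alice WS-12 FAIL
09:00:15 alice WS-12 SUCCESS
09:01:02 bob WS-07 FAIL
09:01:09 bob WS-07 FAIL
09:01:16 bob WS-07 FAIL
09:01:24 bob WS-07 FAIL
09:02:00 carol WS-03 FAIL
"""


def parse_records(text):
    """Yield (user, workstation, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # a bad line should not abort the whole violation report
        _timestamp, user, workstation, result = parts
        yield user, workstation, result


def failed_logons(text):
    """Count failed logons per (user, workstation) pair."""
    counts = Counter()
    for user, workstation, result in parse_records(text):
        if result == "FAIL":
            counts[(user, workstation)] += 1
    return counts


def violations(text, clipping_level=CLIPPING_LEVEL):
    """Return only the pairs whose failure count exceeds the clipping level.

    Counts at or below the threshold are treated as ordinary typing errors
    and are filtered out, which is the whole point of the clipping level.
    """
    return {pair: n for pair, n in failed_logons(text).items()
            if n > clipping_level}


if __name__ == "__main__":
    for (user, ws), n in violations(SAMPLE_LOG).items():
        print(f"VIOLATION: {user} at {ws}: {n} failed logons")
```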
Due to the importance of the audit information, audit records should be protected at the highest level of sensitivity in the system. Some of these control types are motion detectors, thermal detectors, and video cameras. It is important for the information security professional to understand and identify the different types of access control attacks.
These attacks are summarized in the following sections. A distributed DoS attack on a computing resource is launched from a number of other host machines. Attack software is usually installed on a large number of host computers, unbeknownst to their owners, and then activated simultaneously to send traffic to the target machine of such magnitude that the target is overwhelmed.
A backdoor attack takes place using dial-up modems or asynchronous external connections. The strategy is to gain access to a network by bypassing its control mechanisms. The term spoofing comes up often in any discussion of security. Intruders use IP spoofing to convince a system that it is communicating with a known, trusted entity in order to provide the intruder with access to the system.
The attacker sends a packet with an IP source address of a known, trusted host instead of its own IP source address to a target host. The target host may accept the packet and act upon it. The man-in-the-middle attack involves an attacker, A, substituting his or her public key for that of another person, P. Anyone who encrypts a message to P using the substituted key is really encrypting it to A, so A can read the message intended for P. Obviously, A could modify the message before resending it to P. The replay attack occurs when an attacker intercepts and saves old messages and then tries to send them later, impersonating one of the participants.
One method of making this attack more difficult to accomplish is through the use of a random number or string called a nonce. If Bob wants to communicate with Alice, he sends a nonce along with the first message to Alice. When Alice replies, she sends the nonce back to Bob, who verifies that it is the one he sent with the first message.
Then Bob changes his nonce. Anyone trying to use these same messages later will not be using the newer nonce. Another approach to countering the replay attack is for Bob to add a timestamp to his message. This timestamp indicates the time that the message was sent. Thus, if the message is used later, the timestamp will show that an old message is being used.
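The nonce-and-timestamp countermeasure described above, worked through as an added Python example that is not part of the original text (the message layout, the 30-second freshness window and the function and class names are assumptions):

```python
# Added example: rejecting replayed replies with a per-exchange nonce and a
# timestamp freshness window. Message layout and window size are assumptions.
import hmac
import secrets
import time

MAX_AGE_SECONDS = 30  # assumed window: replies older than this are stale


class Verifier:
    """Bob's side: issue a nonce, then accept exactly one reply carrying it."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so tests can move time forward
        self.outstanding = None     # nonce of the exchange currently in flight

    def challenge(self):
        """Start an exchange: mint a fresh random nonce and remember it."""
        self.outstanding = secrets.token_hex(16)
        return {"nonce": self.outstanding, "ts": self.clock(), "body": "hello"}

    def accept(self, reply):
        """Return True only for a fresh reply to the current exchange."""
        if self.outstanding is None:
            return False  # nothing in flight, so any reply is unsolicited
        got = str(reply.get("nonce", "")).encode()
        # Constant-time compare so timing does not reveal matching prefixes.
        if not hmac.compare_digest(got, self.outstanding.encode()):
            return False  # wrong or old nonce: Bob has already moved on from it
        if abs(self.clock() - float(reply.get("ts", 0))) > MAX_AGE_SECONDS:
            return False  # stale timestamp: an old message is being reused
        self.outstanding = None  # consume the nonce so the reply cannot be reused
        return True


def respond(challenge, clock=time.time):
    """Alice's side: echo Bob's nonce back together with her own timestamp."""
    return {"nonce": challenge["nonce"], "ts": clock(), "body": "ack"}


def demo():
    """One honest exchange, then the captured reply replayed: (True, False)."""
    bob = Verifier()
    reply = respond(bob.challenge())
    return bob.accept(reply), bob.accept(reply)
```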
As an example of this type of attack, an attacker hijacks a session between a trusted client and a network server. The attacking computer substitutes its IP address for that of the trusted client, and the server continues the dialog believing it is communicating with the trusted client. Simply stated, the steps in this attack are as follows:

This attack uses social skills to obtain information such as passwords or personal identification numbers (PINs) to be used against information systems.
For example, an attacker may impersonate someone in an organization and make phone calls to employees of that organization requesting passwords for use in maintenance operations. The following are additional examples of social engineering attacks:

The best defense against social engineering attacks is an information security policy addressing such attacks and educating the users about these types of attacks. Dumpster diving involves the acquisition of information from paper documents that have been discarded by an individual or organization.
In many cases, information found in trash can be very valuable to a cracker. Discarded information may include technical manuals, password lists, telephone numbers, and organization charts.
It is important to note that one requirement for information to be treated as a trade secret is that the information be protected and not revealed to any unauthorized individuals.
Because passwords are the most commonly used mechanism to authenticate users to an information system, obtaining passwords is a common and effective attack approach. The last approach can be done in a random or systematic manner. An effective means to prevent password guessing is to place a limit on the number of user attempts to enter a password. An interesting situation to consider in employing this type of control is the consequences of its use in a critical application such as a Supervisory Control and Data Acquisition (SCADA) system.
SCADA systems are used to run real-time processes such as oil refineries, nuclear power stations, and chemical plants. Consider the consequences of a panicked operator trying to respond to an emergency in the plant, typing in his or her password incorrectly a number of times, and then being locked out of the system.
Clearly, the lockout approach should be carefully evaluated before being applied to systems requiring rapid operator responses. Brute force password guessing means just that: trying a random approach by attempting different passwords and hoping that one works.
One approach is to copy an encrypted file that contains passwords and, applying the same encryption to a dictionary of commonly used passwords, compare the results.
A specific example of this approach is the LC4 password auditing and recovery tool, which performs the encrypted file comparison against a dictionary of over , possible passwords.
Some examples of software exploitation are:

Mobile code is software that is received and executed on an information system from a remote source over a network. This transfer of code can be accomplished with or without actions from the user. Mobile code can perform useful functions or malicious actions. The downloaded code might also contain viruses that can attack the local system. Trojan horses, or Trojans, hide malicious code inside a host program that seems to do something useful.
Once these programs are executed, the virus, worm, or other type of malicious code hidden in the Trojan horse program is released to attack the workstation, server, or network or to allow unauthorized access to those devices.
Trojans are common tools used to create back doors into the network for later exploitation by crackers. Trojan horses can be carried via Internet traffic such as FTP downloads or downloadable applets from Web sites, or distributed through e-mail.
Some Trojans are programmed to open specific ports to allow access for exploitation. If a Trojan is installed on a system, it often opens a high-numbered port. Then the open Trojan port can be scanned and located, enabling an attacker to compromise the system. Malicious scanning is discussed later in this chapter. A logic bomb is an instantiation of a Trojan horse that is activated upon the occurrence of a particular event. For example, the malicious code might be set to run when a specific piece of code is executed or on a certain time and date.
Similarly, a time bomb is set to activate after a designated period of time has elapsed. No computer system connected to a public network is immune from malicious or indiscriminate scanning. System scanning is a process used to collect information about a device or network to facilitate an attack on the system.
Attackers use it to discover what ports are open, what services are running, and what system software is being used. Scanning enables an attacker to detect and exploit known vulnerabilities within a target machine more easily.
Rather than an end in its own right, scanning is often one element of a network attack plan, consisting of:

Security administrators should also use scanning to determine any evidence of compromise and identify vulnerabilities. Because scanning activity is often a prelude to a system attack, detecting malicious scans should be accompanied by monitoring and analysis of the logs and by blocking of unused and exposed ports.
Penetration testing can be employed in order to evaluate the resistance of an information system to attacks that can result in unauthorized access. There are three general types of penetration tests:
Another category used to describe penetration test types is open-box versus closed-box testing. In an open-box test, the testing team has access to internal system code. Open-box testing is appropriate for use against general-purpose operating systems such as Unix or Linux. Conversely, in closed-box testing, the testing team does not have access to internal code.
This type of testing is applied to specialized systems that do not execute user code. Obviously, the team conducting the penetration test must do so with approval of the sponsoring organization and ensure that the test does not go beyond the limits specified by the organization.
The penetration test should never cause damage or harm to the information system or its data. Identification and authentication are the keystones of most access control systems. Identification is the act of a user professing an identity to a system, usually in the form of a username or user logon ID to the system. Identification establishes user accountability for the actions on the system. User IDs should be unique and not shared among different individuals. In many large organizations, user IDs follow set standards, such as first initial followed by last name.
Authentication is based on the following three factor types:

Sometimes a fourth factor, something you do, is added to this list. Something you do may be typing your name or other phrases on a keyboard. Alternatively, something you do can be considered a form of something you are. Two-factor authentication refers to the act of requiring two of the three factors to be used in the authentication process.
Passwords can be compromised and must be protected. In the ideal case, a password should be used only once. A password that is the same for each logon is called a static password. A password that changes with each logon is termed a dynamic password. The changing of passwords can also fall between these two extremes.
Obviously, the more times a password is used, the more chance there is of it being compromised. A passphrase is a sequence of characters that is usually longer than the allotted number for a password. The passphrase is converted into a virtual password by the system. In all these schemes, a front-end authentication device or a back-end authentication server, which services multiple workstations or the host, can perform the authentication.
Passwords can be provided by a number of devices, including tokens, memory cards, and smart cards. Tokens, in the form of small, hand-held devices, are used to provide passwords. The following are the four basic types of tokens:
Memory cards provide nonvolatile storage of information but do not have any processing capability. A memory card stores encrypted passwords and other related identifying information. A telephone calling card and an ATM card are examples of memory cards. Smart cards provide even more capability than memory cards by incorporating additional processing power on the cards.
These credit card-sized devices comprise a microprocessor and memory and are used to store digital signatures, private keys, passwords, and other personal information. An alternative to using passwords for authentication in logical or technical access control is biometrics. Biometrics is based on the Type 3 authentication mechanism: something you are. Biometrics is defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics.
Authentication in biometrics is a one-to-one search to verify a claim to an identity made by a person. Biometrics is used for identification in physical controls and for authentication in logical controls. Conversely, if the sensitivity is decreased, the FAR will increase. Thus, to have a valid measure of the system performance, the CER is used.
We show these concepts in Figure . In addition to the accuracy of the biometric systems, there are other factors that must be considered. These factors include the enrollment time, the throughput rate, and acceptability.