Questions and Answers
What does identification in the context of authentication refer to?
Which of the following is NOT a type of authentication mechanism?
What is a common method attackers might use to compromise passwords?
How does a dictionary attack function?
Which method is an example of authentication based on something you are?
What is a significant risk to password protection systems?
Which of the following represents a potential password weakness during an attack?
What is the primary purpose of an authentication mechanism?
What does Top Secret clearance allow John to access?
In Discretionary Access Control (DAC), who primarily determines access to an object?
What does the command 'wmic useraccount get sid, name' retrieve in a Windows environment?
Which role would primarily be responsible for creating new accounts in a Role-Based Access Control system?
Role-Based Access Control is designed to account for what main aspect?
What is the primary purpose of authentication in the context of AAA?
Which of the following is an example of a one-time password scheme?
Which account type typically has the fewest permissions?
What does access control refer to in the context of information security?
Which of the following best describes 'Out-of-Band Communication' related to security?
Which access mode allows a user to view data without making changes?
Which factor is NOT typically used in multifactor authentication?
What is the main focus of auditing in the context of accounting within AAA?
Which utilities can be used by an administrator to scan for weak passwords?
Which of the following is considered a strong password practice?
What type of authentication relies on the unique characteristics of a person?
In authentication methods, what is a passive token?
What is the primary purpose of a brute force attack?
What does the term 'dynamic token' refer to?
Which of these is NOT a good password practice?
Single sign-on (SSO) allows for what benefit in authentication?
Which of the following describes a common attack method for discovering weak passwords?
What is the primary goal of the principle of least privilege in access control?
What does an access log primarily help identify during a system failure?
In which access control model are labels used to identify access?
What is the purpose of the Access Control List?
Which statement describes the concept of 'Need to Know Policy'?
Which of the following is NOT a reason for logging access?
How is an Access Control Matrix typically represented?
What is a reference monitor responsible for in access control systems?
Study Notes
Part I: Authentication
- Authentication involves confirming a user's identity through verification processes.
- Identification asserts who a person is, typically using a username or email.
- Authentication proves the asserted identity, often through passwords or security questions.
- Authentication mechanisms rely on three qualities:
- Something you know (e.g., passwords, PINs)
- Something you are (e.g., biometrics such as fingerprints, voice patterns)
- Something you have (e.g., identity badges, physical keys)
Passwords and Security
- Password protection’s security can be undermined by poor user practices.
- Common methods for password attacks include:
- Guessing based on obvious patterns or common words
- Dictionary attacks, leveraging lists of common passwords
- Brute force attacks, systematically testing every possible combination
- Counting passwords of length three or less yields a total of 18,278 combinations (non-case sensitive).
- Passwords should be long, complex, and varied to enhance security.
- Good practices include:
- Avoiding personal names or common words
- Regularly updating passwords
- Not sharing or writing them down
Biometric Authentication
- Biometrics utilize unique physical characteristics for identification, including:
- Fingerprints, hand geometry, facial recognition, and retinal patterns
- Voice recognition and handwriting dynamics
Token-Based Authentication
- Tokens can be categorized as active (dynamic, changeable) or passive (static, unchanging).
- Examples include:
- Static tokens: IDs, keys, passports
- Dynamic tokens: RFID cards that change their value to enhance security
Authentication Methods
- Single Sign-On (SSO) simplifies user authentication to one initial login session.
- Multifactor Authentication (MFA) uses multiple factors for added security.
- Secure authentication requires careful consideration of potential threats and available defenses.
Successful Identification and Authentication
- Shared secrets like One-Time Passwords (OTP) enhance security by providing unique, temporary access codes.
- Continuous Authentication can be maintained through encryption, ensuring ongoing identity verification.
- Out-of-Band Communication involves separate methods of conveying sensitive information, e.g., mailing bank PINs separately from cards.
Part II: Access Control
- The AAA framework includes:
- Authentication: Verifying user's identity
- Authorization: Determining user permissions
- Accounting: Auditing access activities
Access Control Concepts
- Access Control limits what subjects (users) can do with particular objects (data/resources).
- Access modes vary from read/write to execute/delete.
- The principles of Least Privilege and Need to Know restrict access to only what is necessary.
Access Control Mechanisms
- Access Control Directory maintains user-specific access lists.
- Access Control Matrix and Access Control Lists define user permissions.
Access Control Models
- Mandatory Access Control (MAC) assigns access rights based on security clearance levels, often used in military contexts.
- Discretionary Access Control (DAC) allows object owners to set access levels.
- Role-Based Access Control (Role-BAC) assigns permissions based on user roles, differentiating access levels for different types of users.
Role-Based Access Control Example
- Roles within a banking context can include:
- Teller: Crediting and debiting accounts
- Clerk: Transferring funds
- Administrator: Full access, including creating new accounts
This hierarchical framework streamlines permission management according to organizational needs.
Description
This quiz covers key concepts in Chapter 2 of Information & Computer Security, focusing on authentication and identification. Test your understanding of how computer systems determine user identity without face-to-face cues. Ideal for students in Computer Science and Information Systems.