Information Security Chapter 2 Quiz
38 Questions
Questions and Answers

What does identification in the context of authentication refer to?

  • Proving that someone is who they claim to be.
  • Asserting who a person is. (correct)
  • Providing a unique password.
  • Making personal details public.

Which of the following is NOT a type of authentication mechanism?

  • Something you know
  • Something you have
  • Something you feel (correct)
  • Something you are

What is a common method attackers might use to compromise passwords?

  • Phishing
  • Data Encryption
  • Guessing (correct)
  • Eavesdropping

How does a dictionary attack function?

By employing a list of common words and phrases. (C)

Which method is an example of authentication based on something you are?

Fingerprint (B)

What is a significant risk to password protection systems?

Human practices sometimes degrade their quality. (B)

Which of the following represents a potential password weakness during an attack?

Choosing a password derived from a personal name. (B)

What is the primary purpose of an authentication mechanism?

To confirm a user’s identity. (A)

What does Top Secret clearance allow John to access?

Files of Secret, Confidential level and Top Secret (C)

In Discretionary Access Control (DAC), who primarily determines access to an object?

The object owner (C)

What does the command 'wmic useraccount get sid, name' retrieve in a Windows environment?

The Security ID (SID) of a user (C)

Which role would primarily be responsible for creating new accounts in a Role-Based Access Control system?

Administrator (D)

Role-Based Access Control is designed to account for what main aspect?

Distinguishing various users' privileges (B)

What is the primary purpose of authentication in the context of AAA?

To identify the user (A)

Which of the following is an example of a one-time password scheme?

Having a shared secret list of passwords (C)

Which account type typically has the fewest permissions?

Guest Account (C)

What does access control refer to in the context of information security?

Limiting user access to resources (D)

Which of the following best describes 'Out-of-Band Communication' related to security?

Delivering PINs separately from related materials (B)

Which access mode allows a user to view data without making changes?

Read Only (C)

Which factor is NOT typically used in multifactor authentication?

Something you saw (B)

What is the main focus of auditing in the context of accounting within AAA?

Tracking user activities (A)

Which utilities can be used by an administrator to scan for weak passwords?

COPS, Crack, and SATAN (C)

Which of the following is considered a strong password practice?

Choosing long passwords with various characters (C)

What type of authentication relies on the unique characteristics of a person?

Biometric Authentication (A)

In authentication methods, what is a passive token?

A token that does not change, like a photo ID (C)

What is the primary purpose of a brute force attack?

To sequentially check all possible passwords (C)

What does the term 'dynamic token' refer to?

Tokens that change their value regularly (B)

Which of these is NOT a good password practice?

Using actual names for convenience (D)

Single sign-on (SSO) allows for what benefit in authentication?

Convenience by only needing to sign in once (B)

Which of the following describes a common attack method for discovering weak passwords?

Guessing probable passwords (A)

What is the primary goal of the principle of least privilege in access control?

To restrict users and processes to only necessary permissions (D)

What does an access log primarily help identify during a system failure?

Which objects were accessed prior to the failure (C)

In which access control model are labels used to identify access?

Mandatory Access Control (A)

What is the purpose of the Access Control List?

To assign permissions per user for each object accessed (D)

Which statement describes the concept of 'Need to Know Policy'?

Users may access only specific data necessary for their tasks (C)

Which of the following is NOT a reason for logging access?

To minimize user access restrictions (A)

How is an Access Control Matrix typically represented?

As a list of triples representing subject, object, and rights (B)

What is a reference monitor responsible for in access control systems?

Enforcing access rights based on subject requests (D)

Flashcards

Authentication

Authentication is the process of verifying a user's identity. It ensures that the person claiming to be a specific user is actually who they say they are.

Identification

Identification is the first step in authentication. It involves a user claiming to be a specific person, often by providing a username or email address.

Authentication Proof

Authentication aims to prove the identity claimed in the identification phase. This can be done using passwords, security questions, or other methods.

Authentication Factors

Authentication mechanisms depend on factors a user possesses or utilizes to verify their identity. These factors can be something you know, something you are, or something you have.

Password Security

Weak passwords are a common security vulnerability. They can be easily guessed or cracked using various methods.

Dictionary Attack

Dictionary attacks involve trying common words and phrases against a password. Often, they use pre-compiled lists of frequently used passwords.

Brute Force Attack

Brute force attacks systematically test every possible combination of characters to try and crack a password. This can be very time-consuming, but may succeed if the password is short or simple.

Short Password Weakness

A short password can be easily guessed or brute forced. Even simple passwords can be cracked quickly.

Strong Password

Strong passwords consist of a random combination of uppercase and lowercase letters, numbers, and symbols. They are hard to guess and more resistant to cracking.

Biometric Authentication

Biometrics uses distinctive physical attributes like fingerprints, facial features, or voice patterns to identify individuals. It is often used in security systems.

Token Authentication

Tokens can be either active or passive. Active tokens change their value dynamically, while passive tokens remain constant.

Dynamic Tokens

Dynamic tokens, like RFID cards with changing values, offer higher security than static tokens, which have a fixed value.

Static Tokens

Static tokens are unchanging and have a fixed value. They are like traditional IDs, keys, or passports.

Single Sign-On (SSO)

SSO allows users to log in once and access multiple applications without needing to re-authenticate for each one. It streamlines the login process significantly.

Multi-Factor Authentication (MFA)

MFA adds an extra layer of security by requiring users to provide multiple factors of authentication. This makes it much harder for unauthorized users to gain access.

Secure Authentication

Authentication requires careful consideration of threats and available defenses to ensure secure access to sensitive information.

One-Time Password (OTP)

One-Time Passwords (OTPs) are unique codes generated for a single use, typically used for additional security during logins.

Continuous Authentication

Continuous Authentication ensures that a user's identity is continuously verified throughout their session, using encryption or other methods.

Out-of-Band Communication

Out-of-Band Communication involves transmitting sensitive information through independent channels, such as mailing a bank PIN separately from the card.

AAA Framework

The AAA framework is a security model that encompasses three key concepts: Authentication, Authorization, and Accounting.

Authorization

Authorization determines what a user is allowed to access and what actions they can perform on specific resources. It sets permissions based on user privileges.

Accounting (Security)

Accounting records all user access activities, such as login times, accessed resources, and performed actions. It helps track and audit security events.

Access Control

Access Control mechanisms define rules about what users (subjects) can do with specific resources (objects). It's a core part of security.

Access Control Lists (ACLs)

Access Control Lists (ACLs) keep track of permissions for each user on specific resources. Each entry in the list corresponds to a user and their allowed access rights.

Least Privilege

The principle of Least Privilege restricts users' access to only the resources they absolutely need to perform their jobs. This minimizes the risk of unauthorized actions.

Need to Know

The Need to Know principle restricts access to information to only those who need it for their work. It emphasizes data confidentiality and security.

Mandatory Access Control (MAC)

MAC (Mandatory Access Control) is a strict model that assigns access rights based on predefined security levels. Often used in highly secure environments.

Discretionary Access Control (DAC)

DAC (Discretionary Access Control) allows owners of resources to set permissions for who can access them. Control is decentralized and flexible.

Role-Based Access Control (RBAC)

Role-BAC (Role-Based Access Control) assigns permissions to roles within an organization. Each role represents a set of responsibilities and associated privileges.

Study Notes

Part I: Authentication

  • Authentication involves confirming a user's identity through verification processes.
  • Identification asserts who a person is, typically using a username or email.
  • Authentication proves the asserted identity, often through passwords or security questions.
  • Authentication mechanisms rely on three qualities:
    • Something you know (e.g., passwords, PINs)
    • Something you are (e.g., biometrics such as fingerprints, voice patterns)
    • Something you have (e.g., identity badges, physical keys)

Passwords and Security

  • Password protection’s security can be undermined by poor user practices.
  • Common methods for password attacks include:
    • Guessing based on obvious patterns or common words
    • Dictionary attacks, leveraging lists of common passwords
    • Brute force attacks, systematically testing every possible combination
  • Counting all passwords of length three or less built from the 26 letters (non-case sensitive) yields 26 + 26² + 26³ = 18,278 combinations, which shows how quickly a short password can be exhausted.
  • Passwords should be long, complex, and varied to enhance security.
  • Good practices include:
    • Avoiding personal names or common words
    • Regularly updating passwords
    • Not sharing or writing them down

Biometric Authentication

  • Biometrics utilize unique physical characteristics for identification, including:
    • Fingerprints, hand geometry, facial recognition, and retinal patterns
    • Voice recognition and handwriting dynamics

Token-Based Authentication

  • Tokens can be categorized as active (dynamic, changeable) or passive (static, unchanging).
  • Examples include:
    • Static tokens: IDs, keys, passports
    • Dynamic tokens: RFID cards that change their value to enhance security

Authentication Methods

  • Single Sign-On (SSO) simplifies user authentication to one initial login session.
  • Multifactor Authentication (MFA) uses multiple factors for added security.
  • Secure authentication requires careful consideration of potential threats and available defenses.

Successful Identification and Authentication

  • Shared secrets like One-Time Passwords (OTP) enhance security by providing unique, temporary access codes.
  • Continuous Authentication can be maintained through encryption, ensuring ongoing identity verification.
  • Out-of-Band Communication involves separate methods of conveying sensitive information, e.g., mailing bank PINs separately from cards.

Part II: Access Control

  • The AAA framework includes:
    • Authentication: Verifying user's identity
    • Authorization: Determining user permissions
    • Accounting: Auditing access activities

Access Control Concepts

  • Access Control limits what subjects (users) can do with particular objects (data/resources).
  • Access modes vary from read/write to execute/delete.
  • The principles of Least Privilege and Need to Know restrict access to only what is necessary.

Access Control Mechanisms

  • Access Control Directory maintains user-specific access lists.
  • Access Control Matrix and Access Control Lists define user permissions.

Access Control Models

  • Mandatory Access Control (MAC) assigns access rights based on security clearance levels, often used in military contexts.
  • Discretionary Access Control (DAC) allows object owners to set access levels.
  • Role-Based Access Control (Role-BAC) assigns permissions based on user roles, differentiating access levels for different types of users.

Role-Based Access Control Example

  • Roles within a banking context can include:
    • Teller: Crediting and debiting accounts
    • Clerk: Transferring funds
    • Administrator: Full access, including creating new accounts

This hierarchical framework streamlines permission management according to organizational needs.


Description

This quiz covers key concepts in Chapter 2 of Information & Computer Security, focusing on authentication and identification. Test your understanding of how computer systems determine user identity without face-to-face cues. Ideal for students in Computer Science and Information Systems.
