Information Security Chapter 2 Quiz

Questions and Answers

What does identification in the context of authentication refer to?

Proving that someone is who they claim to be.

Asserting who a person is. (correct)

Providing a unique password.

Making personal details public.

Which of the following is NOT a type of authentication mechanism?

Something you know

Something you have

Something you feel (correct)

Something you are

What is a common method attackers might use to compromise passwords?

Phishing

Data Encryption

Guessing (correct)

Eavesdropping

How does a dictionary attack function?

By employing a list of common words and phrases.

Which method is an example of authentication based on something you are?

Fingerprint

What is a significant risk to password protection systems?

Human practices sometimes degrade their quality.

Which of the following represents a potential password weakness during an attack?

Choosing a password derived from a personal name.

What is the primary purpose of an authentication mechanism?

To confirm a user’s identity.

What does Top Secret clearance allow John to access?

Files of Secret, Confidential level and Top Secret

In Discretionary Access Control (DAC), who primarily determines access to an object?

The object owner

What does the command 'wmic useraccount get sid, name' retrieve in a Windows environment?

The Security ID (SID) of a user

Which role would primarily be responsible for creating new accounts in a Role-Based Access Control system?

Administrator

Role-Based Access Control is designed to account for what main aspect?

Distinguishing various users' privileges

What is the primary purpose of authentication in the context of AAA?

To identify the user

Which of the following is an example of a one-time password scheme?

Having a shared secret list of passwords

Which account type typically has the fewest permissions?

Guest Account

What does access control refer to in the context of information security?

Limiting user access to resources

Which of the following best describes 'Out-of-Band Communication' related to security?

Delivering PINs separately from related materials

Which access mode allows a user to view data without making changes?

Read Only

Which factor is NOT typically used in multifactor authentication?

Something you saw

What is the main focus of auditing in the context of accounting within AAA?

Tracking user activities

Which utilities can be used by an administrator to scan for weak passwords?

COPS, Crack, and SATAN

Which of the following is considered a strong password practice?

Choosing long passwords with various characters

What type of authentication relies on the unique characteristics of a person?

Biometric Authentication

In authentication methods, what is a passive token?

A token that does not change, like a photo ID

What is the primary purpose of a brute force attack?

To sequentially check all possible passwords

What does the term 'dynamic token' refer to?

Tokens that change their value regularly

Which of these is NOT a good password practice?

Using actual names for convenience

Single sign-on (SSO) allows for what benefit in authentication?

Convenience by only needing to sign in once

Which of the following describes a common attack method for discovering weak passwords?

Guessing probable passwords

What is the primary goal of the principle of least privilege in access control?

To restrict users and processes to only necessary permissions

What does an access log primarily help identify during a system failure?

Which objects were accessed prior to the failure

In which access control model are labels used to identify access?

Mandatory Access Control

What is the purpose of the Access Control List?

To assign permissions per user for each object accessed

Which statement describes the concept of 'Need to Know Policy'?

Users may access only specific data necessary for their tasks

Which of the following is NOT a reason for logging access?

To minimize user access restrictions

How is an Access Control Matrix typically represented?

As a list of triples representing subject, object, and rights

What is a reference monitor responsible for in access control systems?

Enforcing access rights based on subject requests

Study Notes

Part I: Authentication

• Authentication involves confirming a user's identity through verification processes.
• Identification asserts who a person is, typically using a username or email.
• Authentication proves the asserted identity, often through passwords or security questions.
• Authentication mechanisms rely on three qualities:
  • Something you know (e.g., passwords, PINs)
  • Something you are (e.g., biometrics such as fingerprints, voice patterns)
  • Something you have (e.g., identity badges, physical keys)

Passwords and Security

• Password protection’s security can be undermined by poor user practices.

• Common methods for password attacks include:

  • Guessing based on obvious patterns or common words
  • Dictionary attacks, leveraging lists of common passwords
  • Brute force attacks, systematically testing every possible combination

• Counting passwords of length three or less yields a total of 18,278 combinations (non-case sensitive).

• Passwords should be long, complex, and varied to enhance security.

• Good practices include:

  • Avoiding personal names or common words
  • Regularly updating passwords
  • Not sharing or writing them down

Biometric Authentication

• Biometrics utilize unique physical characteristics for identification, including:
  • Fingerprints, hand geometry, facial recognition, and retinal patterns
  • Voice recognition and handwriting dynamics

Token-Based Authentication

• Tokens can be categorized as active (dynamic, changeable) or passive (static, unchanging).
• Examples include:
  • Static tokens: IDs, keys, passports
  • Dynamic tokens: RFID cards that change their value to enhance security

Authentication Methods

• Single Sign-On (SSO) simplifies user authentication to one initial login session.
• Multifactor Authentication (MFA) uses multiple factors for added security.
• Secure authentication requires careful consideration of potential threats and available defenses.

Successful Identification and Authentication

• Shared secrets like One-Time Passwords (OTP) enhance security by providing unique, temporary access codes.
• Continuous Authentication can be maintained through encryption, ensuring ongoing identity verification.
• Out-of-Band Communication involves separate methods of conveying sensitive information, e.g., mailing bank PINs separately from cards.

Part II: Access Control

• The AAA framework includes:
  • Authentication: Verifying user's identity
  • Authorization: Determining user permissions
  • Accounting: Auditing access activities

Access Control Concepts

• Access Control limits what subjects (users) can do with particular objects (data/resources).
• Access modes vary from read/write to execute/delete.
• The principles of Least Privilege and Need to Know restrict access to only what is necessary.

Access Control Mechanisms

• Access Control Directory maintains user-specific access lists.
• Access Control Matrix and Access Control Lists define user permissions.

Access Control Models

• Mandatory Access Control (MAC) assigns access rights based on security clearance levels, often used in military contexts.
• Discretionary Access Control (DAC) allows object owners to set access levels.
• Role-Based Access Control (Role-BAC) assigns permissions based on user roles, differentiating access levels for different types of users.

Role-Based Access Control Example

• Roles within a banking context can include:
  • Teller: Crediting and debiting accounts
  • Clerk: Transferring funds
  • Administrator: Full access, including creating new accounts

This hierarchical framework streamlines permission management according to organizational needs.

Description

This quiz covers key concepts in Chapter 2 of Information & Computer Security, focusing on authentication and identification. Test your understanding of how computer systems determine user identity without face-to-face cues. Ideal for students in Computer Science and Information Systems.