AAA from Lens of ISM

Questions and Answers

What is the purpose of Access Control?

  • To estimate the security strength of a given password
  • To authenticate users
  • To manage passwords for multiple accounts
  • To authorize system resources against unauthorized access (correct)

What type of access control allows the owner to define access control rules?

  • Risk-Based Access Control
  • Discretionary Access Control (correct)
  • Attribute-Based Access Control
  • Role-Based Access Control

What is the primary function of a Password Manager?

  • To estimate the security strength of a given password
  • To manage credentials of multiple accounts (correct)
  • To authorize system resources
  • To authenticate users

    What is a recovery system used for in authentication?

    To reset passwords when forgotten

    What is the main concern in Non-User Authentication?

    Authenticating physical objects and information

    What is the purpose of NCSC guidance?

    To reinforce password policies

    What is the primary focus of user authentication?

    Confirming the claim of a human user

    What type of authentication factor is based on 'what you possess'?

    Possession-based

    What is the primary difference between authentication and identification?

    Authentication is about verifying a claim, while identification is about uncovering an identity

    Which type of access control considers the attribute of an entity as the basis for access decisions?

    Attribute-Based Access Control (ABAC)

    What is a common disadvantage of possession-based authentication factors?

    They are prone to loss and theft

    What is the primary goal of authentication in the context of identity management?

    To confirm the truth of an attribute of a single piece of data

    What is the primary goal of the Bell-LaPadula model?

    Data confidentiality

    Which access control model is designed to prevent a user from writing to objects at a higher level than their own?

    Biba model

    What is the primary advantage of knowledge-based authentication factors?

    They are easy to use for non-expert users

    What is the purpose of an Identity Management (IdM) system?

    To manage identities, including mappings to entities

    What is the difference between an identity and an identifier?

    An identity is normally identified via a unique identifier to avoid ambiguity

    Which of the following is an example of a real-world application of Risk-Based Access Control (RAC)?

    Online shops selling alcohol

    Match the following password managers with their characteristics:

    • Local password managers = Run from a local computer and store the data locally
    • Web-based password managers = Run from the Web or the cloud and store the data remotely
    • Cloud-based password managers = Run from local computer or the Web and store the data remotely in a cloud
    • All of the above = Types of password managers

    Match the following authentication factors with their descriptions:

    • What you know = Password, PIN, or secret questions and answers
    • What you have = Something you possess, such as a smart card or token
    • What you are = Biometric characteristics, such as fingerprints or face recognition
    • Where you are = Location-based authentication

    Match the following access control models with their characteristics:

    • DAC (Discretionary Access Control) = The owner of an object defines the access control rules
    • MAC (Mandatory Access Control) = Based on a set of rules that are defined by the operating system
    • RBAC (Role-Based Access Control) = Access control based on a user's role within an organization
    • ABAC (Attribute-Based Access Control) = Based on attributes associated with the user, object, or environment

    Match the following password meters with their purposes:

    • Proactive password checker = Estimate the security strength of a given password
    • Reactive password checker = Verify the strength of a password after it has been entered
    • Password manager = Manage credentials of multiple accounts of the user
    • Password reset system = Recover a forgotten password

    Match the following authentication methods with their characteristics:

    • Multi-factor authentication = Requires two or more factors to authenticate
    • Single-factor authentication = Requires only one factor to authenticate
    • Context-based authentication = Takes into account the context of the user's request
    • Biometric authentication = Uses unique biological characteristics to authenticate

    Match the following password guidance with their purposes:

    • NCSC guidance = Reinforced as policies for password management
    • Password policy = Defines the rules for creating and managing passwords
    • Password reset policy = Defines the process for recovering a forgotten password
    • Password strength policy = Defines the minimum requirements for password strength

    Match the following authentication factors with their descriptions:

    • Knowledge-based = What you know (e.g., passwords)
    • Possession-based = What you possess / have (e.g., hardware security tokens and smart cards)
    • Inherence-based = What you are (e.g., biometric authentication)
    • Location-based = Where you are (e.g., geographic location)

    Match the following authentication types with their characteristics:

    • User Authentication = About the claimant, usually a human user, and the verifier is usually a computer.
    • Device Authentication = About the device, usually a computer or a server.
    • Message Authentication = About the message, ensuring its integrity and authenticity.
    • Humanness Authentication = About verifying the humanness of the entity.

    Match the following authentication methods with their advantages:

    • Knowledge-based = Cheap and simple to deploy, widely used and well tested, easy to use for non-expert users.
    • Possession-based = High security, difficult to replicate or clone.
    • Inherence-based = Unique and difficult to replicate or steal.
    • Location-based = Context-aware and convenient.

    Match the following biometric authentication elements with their descriptions:

    • Fingerprint = Capturing biometric features and adding them into the database as a template
    • Enrolment = Checking if a live template matches the enrolled template corresponding to a given ID
    • Verification = Matching an input live template against one or all enrolled templates
    • Biometrics spoofing = A type of attack where fake biometric data is used to gain unauthorized access

    Match the following authentication processes with their descriptions:

    • Authentication = An entity makes an explicit claim, and a verifier checks if the claim is legitimate.
    • Identification = An entity presents with an unknown identity, and an identifier tries to uncover the present entity's identity.
    • Authorization = The process of granting access to a resource based on an entity's identity.
    • Accountability = The process of tracking and monitoring an entity's actions.

    Match the following authentication factors with their examples:

    • Biometric = Fingerprint scanning, facial recognition, voice recognition
    • Token-based = Hardware security tokens, smart cards
    • Password-based = Login credentials, passwords
    • Context-based = Location, time, behavior

    Match the following context-based authentication elements with their descriptions:

    • Location = A type of authentication that uses a single factor to verify a user's identity
    • Context-based = A type of authentication that uses a user's location to verify their identity
    • Password-based = A type of authentication that uses a secret textual string to verify a user's identity
    • Multi-factor = A type of authentication that uses a combination of factors to verify a user's identity

    Match the following authentication factors with their vulnerabilities:

    • Possession-based = Loss and theft, clone attacks, side channel attacks.
    • Knowledge-based = Weak passwords, phishing, social engineering.
    • Inherence-based = Spoofing, biometric theft, identity theft.
    • Location-based = GPS spoofing, location tracking, context manipulation.

    Match the following multi-factor authentication elements with their descriptions:

    • SMS = A type of authentication factor that uses a physical token to verify a user's identity
    • Authenticator mobile application = A type of authentication factor that uses a one-time password sent to a user's mobile device
    • PIN = A type of authentication factor that uses a secret numerical string to verify a user's identity
    • Graphical password = A type of authentication factor that uses a sequence of images to verify a user's identity

    Match the following password-based authentication elements with their descriptions:

    • Hashed password = A type of password storage that stores passwords in plaintext
    • Salt = A random value added to a password to make it more secure
    • Key stretching = A method of storing passwords that uses a hash function to slow down the verification process
    • Password manager = A type of software that stores and generates strong passwords for a user

    Match the following authentication modes with their descriptions:

    • Verification = 1:N matching, checking if a live template matches all enrolled templates in the database
    • Identification = 1:1 matching, checking if a live template matches the enrolled template corresponding to a given ID
    • Authentication = The process of verifying a user's identity using one or more authentication factors
    • Enrolment = The process of capturing biometric features and adding them into the database as a template

    Match the following biometric authentication disadvantages with their descriptions:

    • Privacy = The risk of an attacker using a fake biometric to gain unauthorized access
    • Safety = The risk of a biometric system being compromised due to a user's sensitive information
    • Limited security = The risk of a biometric system being vulnerable to certain types of attacks
    • Cannot be easily damaged or replaced = The risk of a user's biometric data being lost or compromised
