Which authentication protocol supports retinal scans

Mandatory access control uses labels to determine who has access to data, and role-based access control is based on organizational roles. Second, the server performs the same process locally and compares the result to the saved value. Finally, if these values match, the user is granted access; otherwise, access is denied.

Answer A is a distracter. Answer B is an example of Kerberos. If a system has a high FRR, many valid users will be denied access.

Valid users who are denied access may attempt to bypass or subvert the authentication system because they believe it does not work correctly. The FAR is used to measure statistics of unauthorized users.

Answer D is incorrect because FRR has nothing to do with the rate of return. Password attacks are the easiest way to attempt to bypass access control systems. Password attacks can range from simple password guessing to more advanced automated methods in which software programs are used. Dictionary attacks may be the fastest, but brute-force attacks are considered the most time-intensive.

Brute-force uses a combination of all numbers and letters, making substitutions as it progresses. It continues until all possible combinations have been attempted. If the password is very long or complex, this may take a considerable amount of time. A plaintext password would require no cracking at all. CVE is a database developed to standardize the naming system of security vulnerabilities.

It also serves as a centralized depository of information on vendor software and discovered vulnerabilities. Telnet transmits username and password information in clear text and thus can be used by attackers to gain unauthorized access. Although some versions of SSH are more secure than others, it is always better to go with some form of encryption.

Fingerprints are most closely associated with law enforcement. Close behind this is facial recognition. Facial recognition technology has made great strides since the terrorist attacks of September. Common methods include the Markov model, eigenface, and fisherface.

Iris and retina recognition are not typically associated with law enforcement. Under the mandatory access control model, the system administrator establishes file, folder, and account rights. It is a very restrictive model in which users cannot share resources dynamically. Password-based authentication systems can be made more secure if complex passwords are used, account lockouts are put in place, and tools such as Passprop are implemented.

Passprop places remote lockout restrictions on the administrator account. Passprop is Microsoft-specific, and the test will not quiz you on that level of detail. Just understand that tools are available on both Windows and OS X platforms to accomplish this task. Disabling password-protected screensavers would decrease security, as would allowing users to reuse passwords. Signature-based intrusion detection systems (IDSs) can detect only attack signatures that have been previously stored in their databases.

These systems rely on the vendor for updates. Until then they are vulnerable to new zero-day or polymorphic attacks. Answer B is incorrect because it describes a statistical-based IDS.

Answer C is incorrect because signature-based IDSs are available as both host and network configurations. Policies provide a high-level overview of how security should be practiced throughout the organization. Answers A, C, and D all describe the details of how these policies are to be implemented.

What is most important about these particular concepts is that security policy must flow from the top of the organization. This malicious attack was submitted via port 80 (the HTTP service) and is identified by network monitoring. Sniffing is an example of a passive attack. Attackers performing the sniff simply wait and capture data when they find the information they are looking for.

This might be usernames, passwords, credit card numbers, or proprietary information. All other answers are incorrect because installing programs, dumpster diving, and social engineering (which uses the art of deception) are all active attacks. Forcing collusion is one of the primary reasons why separation of duties should be practiced. Simply stated, collusion requires two or more employees to work together to bypass security. This means that one person working alone cannot pull off an attack.

The practice of separation of duties vastly reduces this risk. Then, access and privilege are granted only as required by job needs. Honeypots, which also have been expanded into honeynets, are network decoys or entire networks that are closely monitored systems. These devices allow security personnel to monitor when the systems are being attacked or probed. They can also provide advance warning of a pending attack and act as a jail until you have decided how to respond to the intruder.

The three basic types are read, write, and execute. Although job rotation does provide backup for key personnel and may help in all the other ways listed, its primary purpose is to prevent fraud or financial deception. The primary legal issue surrounding honeypots is entrapment. Entrapment is illegal, as it might encourage a person to commit a crime that was not intended.

Enticement is legal and is used to lure someone into leaving evidence after committing a crime. Although liability could be an issue if the honeypot is compromised and then used to attack an outside organization, entrapment is illegal and unethical, and (ISC)²-certified professionals are bound by a code of ethics.

Statute is related to hacking and is not the primary concern of honeypots. Although liability is an issue, it is not the primary concern in the context of this question. The major disadvantages of ACLs are the lack of centralized control and the fact that many operating systems default to full access.

This method of access control is burdened by the difficulty of implementing a robust audit function. Therefore, answers A, B, and C are incorrect. A warning banner is an example of a technical deterrent. Answer A, an acceptable use policy (AUP), is an example of an administrative deterrent.

Answer C is a technical detective control. Answer D is a technical recovery control. Each is implemented as a separate function, which allows the organization to determine which services it wants to deploy.

CCTV, mantraps, biometrics, and badges are just some of the items that are part of physical access control. Data classification and labeling are preventive access control mechanisms. A lower CER means that the device is more accurate. The CER does not determine speed, customer acceptance, or cost per employee.

A ticket is a block of data that allows users to prove their identity to a service. The ticket is valid only for a limited amount of time. Allowing tickets to expire helps raise the barrier for possible attackers because the ticket becomes invalid after a fixed period.

An authentication server provides each client with a ticket-granting ticket. Clients use a ticket-granting server to grant session tickets and reduce the workload of the authentication server. The ticket is not used to prove identity to the Kerberos server; it is used to prove identity to a service or principal. Identification is defined as the act of claiming a specific identity.

Nonrepudiation is closely tied to accountability. It is defined as a means to ensure that users cannot deny their actions. Therefore, nonrepudiation is what makes users accountable. Digital signatures and timestamps are two popular methods used to prove nonrepudiation. Accountability is more closely related to activities, intrusions, events, and system conditions. Auditing is the act of review. Validation is more closely associated with certification and accreditation.

It also uses the MD5 algorithm to provide a one-way hashing function. It does not distribute keys in plaintext, use SHA, or use secret key encryption. There are six categories of security controls: preventive, detective, corrective, deterrent, recovery, and compensation.

Job rotation would help in the detective category because it could be used to uncover violations. It would not help in recovery, corrective, or compensation. SESAME is a single sign-on (SSO) technology that uses both symmetric and asymmetric cryptography, thereby allowing for the use of non-repudiation and authentication within the principals.

Kerberos does not support asymmetric cryptography. The CIO requires non-repudiation and authentication, a service that symmetric cryptography does not support. It is important that test takers are very familiar with the advantages and disadvantages of the SSO and centralized access control technologies that are referenced in the Common Body of Knowledge (CBK).

Each alternative is a potential solution based on the different environments of the customer. The principle of least privilege refers to a user having the minimum access to information systems needed to do their job. Separation of duties states that critical functions should be divided up among employees. Each answer is a good authentication method, but C is the best description of two-factor authentication. Answer A describes asymmetric encryption. Answer B does not specify what types or categories are being used.

Answer D could be the description of IPsec or another tunneling protocol. Single sign-on (SSO) can be difficult in a heterogeneous environment, where not all manufacturers may support the same authentication method.

But it is a great solution in a homogeneous environment, where all vendors support the same mechanism. Type 1 errors result from rejection of authenticated persons. You lower this count by relaxing the precision of the equipment (decreasing precision), which increases type 2 errors (accepting unauthenticated persons). You stop your tuning when type 1 errors equal type 2 errors: the crossover error rate (CER).
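The tuning described above, as an added example that is not part of the original page: a threshold sweep over constructed match scores that computes FRR (type 1) and FAR (type 2) at each setting and locates the CER where the two curves meet. The scores, the 0-100 scale and the "accept if score >= threshold" rule are assumptions for illustration.

```python
"""Sweep a biometric matcher's decision threshold and locate the crossover
error rate (CER): the threshold where FRR (type 1 errors) equals FAR
(type 2 errors). All scores below are constructed sample data."""

# Constructed match scores on an assumed 0-100 scale; higher = closer match
# to the enrolled template. A sample is accepted when score >= threshold.
GENUINE_SCORES = [95, 90, 88, 85, 82, 80, 78, 74, 70, 60]   # legitimate users
IMPOSTOR_SCORES = [10, 20, 30, 40, 55, 62, 68, 72, 77, 83]  # unauthorized users


def frr(genuine, threshold):
    """False rejection rate: share of valid users scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(impostor, threshold):
    """False acceptance rate: share of impostors scoring at or above it."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine, impostor):
    """(threshold, FRR, FAR) for every integer threshold from 0 to 100."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in range(0, 101)]


def crossover(genuine, impostor):
    """Return (threshold, CER). The CER is the error rate at the lowest
    threshold where |FRR - FAR| is smallest; with these samples it is 0."""
    t, r, a = min(error_curve(genuine, impostor),
                  key=lambda row: (abs(row[1] - row[2]), row[0]))
    return t, max(r, a)


if __name__ == "__main__":
    # Relaxing the threshold lowers FRR but raises FAR, as the text says.
    for t in (80, 73, 70):
        print(f"threshold {t}: FRR={frr(GENUINE_SCORES, t):.1f} "
              f"FAR={far(IMPOSTOR_SCORES, t):.1f}")
    print("CER reached at threshold %d with error rate %.1f"
          % crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
```

A real evaluation uses thousands of genuine and impostor attempts per device; a lower CER then directly compares accuracy across devices, as the text notes elsewhere.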

Under no circumstances do you want to let in more unauthenticated persons because then you risk rejecting authorized persons. Your token uses the nonce to create a one-time password. This is called asynchronous authentication. Answers A, B, and C are incorrect because synchronous token authentication takes place when the token has a timing device that is in sync with a timing mechanism on the server.

A mantrap is a preventive control because it prevents the entry of unauthorized individuals. Deterrent controls slow down unauthorized behavior, corrective controls remove inappropriate actions, and detective controls discover that unauthorized behavior occurred. A salted, one-way encrypted file is the best way to store passwords. Symmetric, asymmetric, and digital signatures are not the preferred way of storing passwords. The act of professing to be a specific user is identification.

It is not validation, authorization, or authentication. A Zephyr chart can be used to compare and measure different types of biometric systems. For example, consider a situation in which you are asked to compare a fingerprint scanner to a palm scanner.

Answer C also refers to the CER. A Zephyr chart is not used for intrusion detection. Authentication can best be described as the act of verifying identity. The best answer is a self-service password reset. Many websites allow users to reset their passwords by supplying some basic information. This is not an example of single sign-on, centralized authentication, or assisted passwords. A federated identity is portable and can be used across business boundaries. Federated identity is not SSO or one that is restricted for use within a single domain.

Federated identity also is not restricted to type I authentication. The lower the crossover error rate (CER), the more accurate the biometric system. Therefore, a system with a CER of 1 would be the most accurate.

The type of authentication required for authorization may vary; passwords may be required in some cases but not in others. In some cases, there is no authorization; any user may use a resource or access a file simply by asking for it. Most of the web pages on the Internet require no authentication or authorization.

Encryption: Encryption involves the process of transforming data so that it is unreadable by anyone who does not have a decryption key. All data in SSL transactions is encrypted between the client (browser) and the server (web server) before the data is transferred between the two. All data in SSH sessions is encrypted between the client and the server when communicating at the shell.

By encrypting the data exchanged between the client and server, information like social security numbers, credit card numbers, and home addresses can be sent over the Internet with less risk of being intercepted during transit.

Using authentication, authorization, and encryption: Authentication, authorization, and encryption are used in everyday life. Encryption is used when a person buys a ticket online at one of the many sites that advertise cheap tickets. Upon finding the perfect flight at an ideal price, a person goes to buy the ticket.

Airports need to authenticate that the person is who he or she says he or she is and has purchased a ticket, before giving him or her a boarding pass. Authorization is used when a person shows his or her boarding pass to the flight attendant so he or she can board the specific plane he or she is supposed to be flying on.

What is multi-factor authentication? What are the types of multi-factor authentication? There are generally three recognized types of authentication factors: Type 1 — Something You Know — includes passwords, PINs, combinations, code words, or secret handshakes.

Anything that you can remember and then type, say, do, perform, or otherwise recall when needed falls into this category. Type 2 — Something You Have — includes all items that are physical objects, such as keys, smart phones, smart cards, USB drives, and token devices.