Prac 9 Flashcards
(20 cards)
- How is the Security Assertion Markup Language (SAML) used?
a. It serves as a backup to a RADIUS server.
b. It allows secure web domains to exchange user authentication and authorization data.
c. It is an authenticator in IEEE 802.1X.
d. It is no longer used because it has been replaced by LDAP.
Analysis:
a. Incorrect. SAML is not associated with a RADIUS server.
b. Correct. Security Assertion Markup Language (SAML) is an XML standard that allows secure web
domains to exchange user authentication and authorization data. This allows a user’s login
credentials to be stored with a single identity provider instead of being stored on each web service
provider’s server.
c. Incorrect. SAML is not associated with IEEE 802.1X.
d. Incorrect. SAML is still being used.
- Which of the following is the Microsoft version of EAP?
a. EAP-MS
b. AD-EAP
c. PAP-Microsoft
d. MS-CHAP
Analysis:
a. Incorrect. This is fictitious and does not exist.
b. Incorrect. This is fictitious and does not exist.
c. Incorrect. This is fictitious and does not exist.
d. Correct. EAP was created as a more secure alternative to the weak Challenge-Handshake
Authentication Protocol (CHAP), and the Microsoft version of CHAP is MS-CHAP.
- Which of the following is NOT used for authentication?
a. Somewhere you are
b. Something you exhibit
c. Something you can do
d. Something you can find
Analysis:
a. Incorrect. A restricted location can be used for authentication.
b. Incorrect. Genetically determined characteristics can be used for authentication.
c. Incorrect. Performing an activity that cannot be copied exactly can be used for authentication.
d. Correct. Something you can find is not used for authentication.
- Ilya has been asked to recommend a federation system technology that is an open source
federation framework that can support the development of authorization protocols. Which of these
technologies would he recommend?
a. OAuth
b. OpenID
c. Shibboleth
d. NTLM
Analysis:
a. Correct. OAuth is a federation system technology that is an open source federation framework
that can support the development of authorization protocols.
b. Incorrect. OpenID is the authentication protocol that can be used with OAuth.
c. Incorrect. Shibboleth is an open source software package for designing SSO.
d. Incorrect. This is fictitious for the context of this question.
- How is key stretching effective in resisting password attacks?
a. It takes more time to generate candidate password digests.
b. It requires the use of GPUs.
c. It does not require the use of salts.
d. The license fees are very expensive to purchase and use it.
Analysis:
a. Correct. Using general-purpose hash algorithms like MD5 and SHA is not considered secure for
creating digests because these hashing algorithms are designed to create a digest as quickly as
possible. The fast speed of general-purpose hash algorithms works in an attacker’s favor. When an
attacker is creating candidate digests, a general-purpose hashing algorithm can rapidly create a very
large number of passwords for matching purposes. A more secure approach for creating password
digests is to use a specialized password hash algorithm that is intentionally designed to be slower.
b. Incorrect. Key stretching does not require a GPU.
c. Incorrect. Key stretching does not require salts.
d. Incorrect. There are no license fees associated with key stretching.
- Which of these is NOT a reason that users create weak passwords?
a. A lengthy and complex password can be difficult to memorize.
b. A security policy requires a password to be changed regularly.
c. Having multiple passwords makes it hard to remember all of them.
d. The length and complexity required force users to circumvent creating strong passwords.
Analysis:
a. Incorrect. This statement accurately reflects why users create weak passwords.
b. Incorrect. This statement accurately reflects why users create weak passwords.
c. Incorrect. This statement accurately reflects why users create weak passwords.
d. Correct. Length and complexity do not force users to circumvent creating strong passwords.
- Fernando is explaining to a colleague how a password cracker works. Which of the following is a
valid statement about password crackers?
a. Most states prohibit password crackers unless they are used to retrieve a lost password.
b. Due to their advanced capabilities, they require only a small amount of computing power.
c. A password cracker attempts to uncover the type of hash algorithm that created the digest
because once it is known, the password is broken.
d. Password crackers differ as to how candidates are created.
Analysis:
a. Incorrect. States do not prohibit the use of password crackers.
b. Incorrect. Password crackers require a significant amount of computing power.
c. Incorrect. Password crackers cannot “break” a hash.
d. Correct. These programs create known digests (called candidates) and then compare them against
the stolen digests. When a match occurs, then the attacker knows the underlying password.
Password crackers differ as to how these candidates are created.
- Which attack uses one or a small number of commonly used passwords to attempt to log in to
several different user accounts?
a. Online brute force attack
b. Offline brute force attack
c. Password spraying attack
d. Role attack
Analysis:
a. Incorrect. Unlike a password spraying attack in which one password is used on multiple accounts,
in an online brute force attack, the same account is continuously attacked (called pounded) by
entering different passwords.
b. Incorrect. An offline brute force attack begins with a stolen digest file. Attackers load this onto
their computer and then use password cracking software to create candidate digests of every
possible combination of letters, numbers, and characters.
c. Correct. A password spraying attack uses one or a small number of commonly used passwords
(Password1 or 123456) and then uses this same password when trying to log in to several different
user accounts. Because this targeted guess is spread across many different accounts instead of
attempting multiple password variations on a single account, it is much less likely to raise any alarms
or lock out the user account from too many failed password attempts.
d. Incorrect. This is fictitious and does not exist.
- Why are dictionary attacks successful?
a. Password crackers using a dictionary attack require less RAM than other types of password
crackers.
b. They link known words together in a “string” for faster processing.
c. Users often create passwords from dictionary words.
d. They use pregenerated rules to speed up the processing.
Analysis:
a. Incorrect. Dictionary attacks do not require less RAM.
b. Incorrect. Dictionary attacks do not link together words.
c. Correct. Because users often create passwords from dictionary words, this makes the attack
successful.
d. Incorrect. Dictionary attacks do not use pregenerated rules.
- Which of these attacks is the last-resort effort in cracking a stolen password digest file?
a. Hybrid
b. Mask
c. Rule list
d. Brute force
Analysis:
a. Incorrect. Hybrid is not the last resort.
b. Incorrect. Mask is not the last resort.
c. Incorrect. A rule list is not the last resort.
d. Correct. As the slowest attack, a brute force attack is the last resort.
- Which of the following should NOT be stored in a secure password database?
a. Iterations
b. Password digest
c. Salt
d. Plaintext password
Analysis:
a. Incorrect. The number of iterations can be stored in a password database.
b. Incorrect. The digest of a password is stored in the database.
c. Incorrect. A salt is stored in the database.
d. Correct. Passwords should never be stored in plaintext.
- Which of the following is NOT an MFA using a smartphone?
a. Authentication app
b. Biometric gait analysis
c. SMS text message
d. Automated phone call
Analysis:
a. Incorrect. An authentication app can be used for multifactor authentication on a smartphone.
b. Correct. Gait analysis requires more technology than a smartphone to measure.
c. Incorrect. A text message can be used for multifactor authentication on a smartphone.
d. Incorrect. An automated phone call can be used for multifactor authentication on a smartphone.
- Timur was making a presentation regarding how attackers break passwords. His presentation
demonstrated the attack technique that is the slowest yet most thorough attack that is used against
passwords. Which of these password attacks did he demonstrate?
a. Dictionary attack
b. Hybrid attack
c. Custom attack
d. Brute force attack
Analysis:
a. Incorrect. This is not the slowest attack.
b. Incorrect. This is not the slowest attack.
c. Incorrect. This is not the slowest attack.
d. Correct. A brute force attack is the slowest yet most thorough type.
- Which human characteristic is NOT used for biometric identification?
a. Retina
b. Iris
c. Height
d. Fingerprint
Analysis:
a. Incorrect. Retina is used for biometric identification.
b. Incorrect. Iris is used for biometric identification.
c. Correct. Height cannot be used for biometric identification because many people share the same
height.
d. Incorrect. Fingerprints are the most common type of biometric identification.
- _____ biometrics is related to the perception, thought processes, and understanding of the user.
a. Cognitive
b. Standard
c. Intelligent
d. Behavioral
Analysis:
a. Correct. Cognitive biometrics is considered to be much easier for the user to remember because it
is based on the user’s life experiences. This also makes it more difficult for an attacker to imitate.
Cognitive biometrics is also called knowledge-based authentication.
b. Incorrect. This is fictitious and does not exist.
c. Incorrect. This is fictitious and does not exist.
d. Incorrect. One type of authentication is based on actions that the user is uniquely qualified to
perform, or something you do. This is called behavioral biometrics.
- Which of the following is an authentication credential used to access multiple accounts or
applications?
a. Single sign-on
b. Credentialization
c. Identification authentication
d. Federal login
Analysis:
a. Correct. One application of federation is single sign-on (SSO) or using one authentication
credential to access multiple accounts or applications. SSO holds the promise of reducing the
number of usernames and passwords that users must memorize.
b. Incorrect. This is fictitious and does not exist.
c. Incorrect. This is fictitious and does not exist.
d. Incorrect. This is fictitious and does not exist.
- What is a disadvantage of biometric readers?
a. Speed
b. Cost
c. Weight
d. Standards
Analysis:
a. Incorrect. Biometric readers are very fast, and speed is not a disadvantage.
b. Correct. Biometric readers can be very expensive.
c. Incorrect. The weight is not a drawback to these readers.
d. Incorrect. Standards do not exist for biometric readers.
- Which of these creates a format of the candidate password to significantly reduce the time
needed to crack a password?
a. Rainbow
b. Mask
c. Overlay
d. Pass the hash
Analysis:
a. Incorrect. A rainbow does not create a format.
b. Correct. A mask can reduce the time needed to crack a password by creating a format.
c. Incorrect. An overlay does not create a format.
d. Incorrect. This is fictitious for the context of this question.
- Pablo has been asked to look into security keys that have a feature of a key pair that is “burned”
into the security key during manufacturing time and is specific to a device model. What feature is
this?
a. Authorization
b. Authentication
c. Attestation
d. Accountability
Analysis:
a. Incorrect. This is fictitious for the context of this question.
b. Incorrect. This is fictitious for the context of this question.
c. Correct. Attestation is a key pair that is “burned” into the security key during manufacturing and is
specific to a device model. It can be used to cryptographically prove that a user has a specific model
of device when it is registered.
d. Incorrect. This is fictitious for the context of this question.
- Which one-time password is event driven?
a. HOTP
b. TOTP
c. ROTP
d. POTP
Analysis:
a. Correct. Instead of changing after a set number of seconds, an HMAC-based one-time password
(HOTP) is “event driven” and changes when a specific event occurs, such as when a user
enters a personal identification number (PIN) on the token’s keypad, which triggers the token to
create a random code.
b. Incorrect. A time-based one-time password (TOTP) changes after a set period of time.
c. Incorrect. This is fictitious for the context of this question.
d. Incorrect. This is fictitious for the context of this question.