SSCP : System Security Certified Practitioner (SSCP) : Part 40

  1. What are called user interfaces that limit the functions that can be selected by a user?

    • Constrained user interfaces
    • Limited user interfaces
    • Mini user interfaces
    • Unlimited user interfaces

    Explanation:

    Constrained user interfaces limit the functions that can be selected by a user.

    Another method for controlling access is by restricting users to specific functions based on their role in the system. This is typically implemented by limiting available menus, data views, encryption, or by physically constraining the user interfaces.

    This is common on devices such as an automated teller machine (ATM). The advantage of a constrained user interface is that it limits potential avenues of attack and system failure by restricting the processing options that are available to the user.

    On an ATM machine, if a user does not have a checking account with the bank he or she will not be shown the “Withdraw money from checking” option. Likewise, an information system might have an “Add/Remove Users” menu option for administrators, but if a normal, non-administrative user logs in he or she will not even see that menu option. By not even identifying potential options for non-qualifying users, the system limits the potentially harmful execution of unauthorized system or application commands.

    Many database management systems have the concept of “views.” A database view is an extract of the data stored in the database that is filtered based on predefined user or system criteria. This permits multiple users to access the same database while only having the ability to access data they need (or are allowed to have) and not data for another user. The use of database views is another example of a constrained user interface.

    The following were incorrect answers:
    All of the other choices presented were bogus answers.

    The following reference(s) were used for this question:
    Hernandez CISSP, Steven (2012-12-21). Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 1989-2002). Auerbach Publications. Kindle Edition.

  2. What would be the name of a Logical or Virtual Table dynamically generated to restrict the information a user can access in a database?

    • Database Management system
    • Database views
    • Database security
    • Database shadowing
    Explanation:

    The Answer: Database views. Database views are mechanisms that restrict access to the information that a user can access in a database.

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.

    Wikipedia has a detailed explanation as well:
    In database theory, a view is a virtual or logical table composed of the result set of a query. Unlike ordinary tables (base tables) in a relational database, a view is not part of the physical schema: it is a dynamic, virtual table computed or collated from data in the database. Changing the data in a table alters the data shown in the view.

    Views can provide advantages over tables:

    They can subset the data contained in a table
    They can join and simplify multiple tables into a single virtual table
    Views can act as aggregated tables, where aggregated data (sum, average etc.) are calculated and presented as part of the data
    Views can hide the complexity of data, for example a view could appear as Sales2000 or Sales2001, transparently partitioning the actual underlying table
    Views do not incur any extra storage overhead
    Depending on the SQL engine used, views can provide extra security.
    They limit the extent to which a table or tables are exposed to the outside world

    Just like functions (in programming) provide abstraction, views can be used to create abstraction. Also, just like functions, views can be nested, thus one view can aggregate data from other views. Without the use of views it would be much harder to normalise databases above second normal form. Views can make it easier to create lossless join decomposition.
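A working illustration of both the ATM-style constrained menu from question 1 and the database views described here, added as an example and not taken from the sources the page cites. It uses Python's built-in sqlite3 with a constructed accounts table; the view, column and owner names are assumptions.

```python
import sqlite3

# Constructed sample data: a base table the application must never expose whole.
ACCOUNTS = [
    # (id, owner, branch, acct_type, balance, ssn)
    (1, "ann", "north", "checking", 1200.00, "000-00-0001"),
    (2, "ann", "north", "savings", 5000.00, "000-00-0001"),
    (3, "bob", "south", "savings", 300.00, "000-00-0002"),
    (4, "eve", "south", "checking", 75.50, "000-00-0003"),
]

def build_db():
    """Create the base table and three views that each constrain what a caller can see."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE accounts (
        id INTEGER PRIMARY KEY, owner TEXT, branch TEXT, acct_type TEXT,
        balance REAL, ssn TEXT)""")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?, ?, ?)", ACCOUNTS)
    # Column subset: tellers see who holds which account, but the SSN column does not exist for them.
    db.execute("""CREATE VIEW teller_accounts AS
        SELECT id, owner, branch, acct_type, balance FROM accounts""")
    # Aggregation: management sees totals per branch, never individual customers.
    db.execute("""CREATE VIEW branch_totals AS
        SELECT branch, COUNT(*) AS n_accounts, SUM(balance) AS total
        FROM accounts GROUP BY branch""")
    # Nested view: built on another view, as the text says views can be.
    db.execute("""CREATE VIEW large_branches AS
        SELECT branch FROM branch_totals WHERE total > 1000""")
    return db

def menu_for(db, owner):
    """Constrained user interface: the ATM menu lists only options the customer qualifies for."""
    types = {row[0] for row in db.execute(
        "SELECT acct_type FROM teller_accounts WHERE owner = ?", (owner,))}
    options = []
    if "checking" in types:
        options.append("Withdraw money from checking")
    if "savings" in types:
        options.append("Withdraw money from savings")
    return options

def view_columns(db, view):
    """Columns a view exposes (PRAGMA takes an identifier, so the name must come from code, not users)."""
    return [row[1] for row in db.execute(f"PRAGMA table_info({view})")]

def branch_totals(db):
    return {branch: (n, total) for branch, n, total in db.execute("SELECT * FROM branch_totals")}

def large_branches(db):
    return sorted(row[0] for row in db.execute("SELECT branch FROM large_branches"))

def deposit(db, account_id, amount):
    """Change the base table; every view reflects it immediately because views store nothing."""
    db.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (amount, account_id))
    db.commit()
```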

  3. Technical controls such as encryption and access control can be built into the operating system, be software applications, or can be supplemental hardware/software units. Such controls, also known as logical controls, represent which pairing?

    • Preventive/Administrative Pairing
    • Preventive/Technical Pairing
    • Preventive/Physical Pairing
    • Detective/Technical Pairing
    Explanation:
    Preventive/Technical controls are also known as logical controls and can be built into the operating system, be software applications, or can be supplemental hardware/software units.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 34.

  4. What is called the use of technologies such as fingerprint, retina, and iris scans to authenticate the individuals requesting access to resources?

    • Micrometrics
    • Macrometrics
    • Biometrics
    • MicroBiometrics
    Explanation:
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.

  5. Access control in which a central authority determines what subjects can have access to certain objects, based on the organizational security policy, is called:

    • Mandatory Access Control
    • Discretionary Access Control
    • Non-Discretionary Access Control
    • Rule-based Access control
    Explanation:

    A central authority determines what subjects can have access to certain objects based on the organizational security policy.

    The key focal point of this question is the ‘central authority’ that determines access rights.

    Cecilia, one of the quiz users, has sent me feedback informing me that NIST defines MAC as: “MAC Policy means that Access Control Policy Decisions are made by a CENTRAL AUTHORITY.” This seems to indicate there could be two good answers to this question.

    However, if you read the NISTIR document mentioned in the references below, it is also mentioned that MAC is the most mentioned NDAC policy. So MAC is a form of NDAC policy.

    Within the same document it is also mentioned: “In general, all access control policies other than DAC are grouped in the category of non- discretionary access control (NDAC). As the name implies, policies in this category have rules that are not established at the discretion of the user. Non-discretionary policies establish controls that cannot be changed by users, but only through administrative action.”

    Under NDAC you have two choices:
    Rule-Based Access Control and Role-Based Access Control

    MAC is implemented using RULES, which makes it fall under Rule-Based Access Control, which is itself a form of NDAC. It is a subset of NDAC.

    This question is representative of what you can expect on the real exam, where you have more than one choice that seems to be right. However, you have to look closely at whether one of the choices is higher level, or whether one of the choices falls under one of the others. In this case NDAC is the better choice because MAC falls under NDAC through the use of Rule-Based Access Control.

    The following are incorrect answers:

    MANDATORY ACCESS CONTROL
    In Mandatory Access Control the labels of the object and the clearance of the subject determine access rights, not a central authority. Although a central authority (better known as the Data Owner) assigns the label to the object, the system determines access rights automatically by comparing the object label with the subject clearance. The subject clearance MUST dominate (be equal to or higher than) the label of the object being accessed.

    The need for a MAC mechanism arises when the security policy of a system dictates that:
    1. Protection decisions must not be decided by the object owner.
    2. The system must enforce the protection decisions (i.e., the system enforces the security policy over the wishes or intentions of the object owner).

    Usually a labeling mechanism and a set of interfaces are used to determine access based on the MAC policy; for example, a user who is running a process at the Secret classification should not be allowed to read a file with a label of Top Secret. This is known as the “simple security rule,” or “no read up.”

    Conversely, a user who is running a process with a label of Secret should not be allowed to write to a file with a label of Confidential. This rule is called the “*-property” (pronounced “star property”) or “no write down.” The *-property is required to maintain system security in an automated environment.

    DISCRETIONARY ACCESS CONTROL
    In Discretionary Access Control the rights are determined by many different entities (each person who creates a file is the owner of that file), not by one central authority.

    DAC leaves a certain amount of access control to the discretion of the object’s owner or anyone else who is authorized to control the object’s access. For example, it is generally used to limit a user’s access to a file; it is the owner of the file who controls other users’ accesses to the file. Only those users specified by the owner may have some combination of read, write, execute, and other permissions to the file.

    DAC policy tends to be very flexible and is widely used in the commercial and government sectors. However, DAC is known to be inherently weak for two reasons:

    First, granting read access is transitive; for example, when Ann grants Bob read access to a file, nothing stops Bob from copying the contents of Ann’s file to an object that Bob controls. Bob may now grant any other user access to the copy of Ann’s file without Ann’s knowledge.

    Second, DAC policy is vulnerable to Trojan horse attacks. Because programs inherit the identity of the invoking user, Bob may, for example, write a program for Ann that, on the surface, performs some useful function, while at the same time destroys the contents of Ann’s files. When investigating the problem, the audit files would indicate that Ann destroyed her own files. Thus, formally, the drawbacks of DAC are as follows:

    1. Information can be copied from one object to another; therefore, there is no real assurance on the flow of information in a system.
    2. No restrictions apply to the usage of information when the user has received it.
    3. The privileges for accessing objects are decided by the owner of the object, rather than through a system-wide policy that reflects the organization’s security requirements.

    ACLs and owner/group/other access control mechanisms are by far the most common mechanism for implementing DAC policies. Other mechanisms, even though not designed with DAC in mind, may have the capabilities to implement a DAC policy.
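The two MAC rules above (no read up, no write down) and the DAC copy problem from the Ann/Bob example, as an added Python model that is not from the page's sources: labels with levels and compartments, a dominance check, and a small owner-controlled ACL system in which Bob's copy succeeds, while the equivalent write-down is refused under MAC. The level names, principals and file names are constructed.

```python
from dataclasses import dataclass, field

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    """A MAC security label: a classification level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        # equal-or-higher level AND at least the same compartments
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

def mac_can_read(subject, obj):
    """Simple security rule, "no read up": the subject's clearance must dominate the object."""
    return subject.dominates(obj)

def mac_can_write(subject, obj):
    """*-property, "no write down": the object's label must dominate the subject's clearance."""
    return obj.dominates(subject)

@dataclass
class DacObject:
    owner: str
    readers: set = field(default_factory=set)
    content: str = ""

class DacSystem:
    """Owner-controlled ACLs, the most common DAC mechanism according to the text."""
    def __init__(self):
        self.objects = {}

    def create(self, owner, name, content):
        self.objects[name] = DacObject(owner, {owner}, content)

    def grant_read(self, granter, name, grantee):
        if granter != self.objects[name].owner:
            raise PermissionError(f"{granter} does not own {name}")
        self.objects[name].readers.add(grantee)

    def read(self, subject, name):
        if subject not in self.objects[name].readers:
            raise PermissionError(f"{subject} may not read {name}")
        return self.objects[name].content

def dac_transitivity_demo():
    """Ann grants Bob read access; Bob copies the data into his own object and grants Carol."""
    dac = DacSystem()
    dac.create("ann", "ann_file", "payroll data")
    dac.grant_read("ann", "ann_file", "bob")
    dac.create("bob", "bob_copy", dac.read("bob", "ann_file"))  # nothing stops the copy
    dac.grant_read("bob", "bob_copy", "carol")                  # Ann is never consulted
    return dac.read("carol", "bob_copy")

def mac_blocks_leak_demo():
    """Under MAC the same flow fails: Bob, running at Secret, may read the Secret file
    but the *-property forbids writing its contents into a Confidential object."""
    bob = Label("Secret")
    return mac_can_read(bob, Label("Secret")) and not mac_can_write(bob, Label("Confidential"))
```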

    RULE BASED ACCESS CONTROL
    In Rule-based Access Control a central authority could in fact determine what subjects can have access when assigning the rules for access. However, the rules actually determine the access and so this is not the most correct answer.

    RuBAC (as opposed to RBAC, role-based access control) allows users to access systems and information based on predetermined and configured rules. It is important to note that there is no commonly understood definition or formally defined standard for rule-based access control as there is for DAC, MAC, and RBAC. “Rule-based access” is a generic term applied to systems that allow some form of organization-defined rules, and therefore rule-based access control encompasses a broad range of systems. RuBAC may in fact be combined with other models, particularly RBAC or DAC. A RuBAC system intercepts every access request and compares the rules with the rights of the user to make an access decision. Most rule-based access control relies on a security label system, which dynamically composes a set of rules defined by a security policy. Security labels are attached to all objects, including files, directories, and devices. Sometimes roles are assigned to subjects (based on their attributes) as well. RuBAC meets the business needs as well as the technical needs of controlling service access. It allows business rules to be applied to access control—for example, customers who have overdue balances may be denied service access. As a mechanism for MAC, the rules of RuBAC cannot be changed by users. The rules can be established by any attributes of a system related to the users, such as domain, host, protocol, network, or IP addresses. For example, suppose that a user wants to access an object in another network on the other side of a router. The router employs RuBAC with a rule composed from the network addresses, domain, and protocol to decide whether or not the user can be granted access. If employees change their roles within the organization, their existing authentication credentials remain in effect and do not need to be reconfigured. Using rules in conjunction with roles adds greater flexibility because rules can be applied to people as well as to devices.

    Rule-based access control can be combined with role-based access control, such that the role of a user is one of the attributes in rule setting. Some access control systems provide rule-based policy engines in addition to a role-based policy engine and certain implemented dynamic policies [Des03]. For example, suppose that two of the primary types of software users are product engineers and quality engineers. Both groups usually have access to the same data, but they have different roles to perform in relation to the data and the application’s function. In addition, individuals within each group have different job responsibilities that may be identified using several types of attributes such as developing programs and testing areas. Thus, the access decisions can be made in real time by a scripted policy that regulates the access between the groups of product engineers and quality engineers, and each individual within these groups. Rules can either replace or complement role-based access control. However, the creation of rules and security policies is also a complex process, so each organization will need to strike the appropriate balance.

    References used for this question:
    http://csrc.nist.gov/publications/nistir/7316/NISTIR-7316.pdf
    and
    AIO v3 p162-167 and OIG (2007) p.186-191
    also
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 33.

  6. What is called the act of a user professing an identity to a system, usually in the form of a log-on ID?

    • Authentication
    • Identification
    • Authorization
    • Confidentiality
    Explanation:

    Identification is the act of a user professing an identity to a system, usually in the form of a log-on ID to the system.

    Identification is nothing more than claiming you are somebody. You identify yourself when you speak to someone on the phone that you don’t know, and they ask you who they’re speaking to. When you say, “I’m Jason.”, you’ve just identified yourself.

    In the information security world, this is analogous to entering a username. It’s not analogous to entering a password. Entering a password is a method for verifying that you are who you identified yourself as.

    NOTE: The word “professing” used above means: “to say that you are, do, or feel something when other people doubt what you say”. This is exactly what happens when you provide your identifier (identification): you claim to be someone, but the system cannot take your word for it, so you must further authenticate to the system to prove who you claim to be.

    The following are incorrect answers:

    Authentication: is how one proves that they are who they say they are. When you claim to be Jane Smith by logging into a computer system as “jsmith”, it’s most likely going to ask you for a password. You’ve claimed to be that person by entering the name into the username field (that’s the identification part), but now you have to prove that you are really that person.

    Many systems use a password for this, which is based on “something you know”, i.e. a secret between you and the system.
    Another form of authentication is presenting something you have, such as a driver’s license, an RSA token, or a smart card.

    You can also authenticate via something you are. This is the foundation for biometrics. When you do this, you first identify yourself and then submit a thumb print, a retina scan, or another form of bio-based authentication.

    Once you’ve successfully authenticated, you have now done two things: you’ve claimed to be someone, and you’ve proven that you are that person. The only thing that’s left is for the system to determine what you’re allowed to do.

    Authorization: is what takes place after a person has been both identified and authenticated; it’s the step that determines what a person can then do on the system.

    An example in people terms would be someone knocking on your door at night. You say, “Who is it?”, and wait for a response. They say, “It’s John.” in order to identify themselves. You ask them to back up into the light so you can see them through the peephole. They do so, and you authenticate them based on what they look like (biometric). At that point you decide they can come inside the house.

    If they had said they were someone you didn’t want in your house (identification), and you then verified that it was that person (authentication), the authorization phase would not include access to the inside of the house.

    Confidentiality: Is one part of the CIA triad. It prevents sensitive information from reaching the wrong people, while making sure that the right people can in fact get it. A good example is a credit card number while shopping online: the merchant needs it to clear the transaction, but you do not want your information exposed over the network, so you would use a secure link such as SSL, TLS, or some tunneling tool to protect the information from prying eyes between point A and point B. Data encryption is a common method of ensuring confidentiality.

    The other parts of the CIA triad are listed below:
    Integrity involves maintaining the consistency, accuracy, and trustworthiness of data over its entire life cycle. Data must not be changed in transit, and steps must be taken to ensure that data cannot be altered by unauthorized people (for example, in a breach of confidentiality). In addition, some means must be in place to detect any changes in data that might occur as a result of non-human-caused events such as an electromagnetic pulse (EMP) or server crash. If an unexpected change occurs, a backup copy must be available to restore the affected data to its correct state.

    Availability is best ensured by rigorously maintaining all hardware, performing hardware repairs immediately when needed, providing a certain measure of redundancy and failover, providing adequate communications bandwidth and preventing the occurrence of bottlenecks, implementing emergency backup power systems, keeping current with all necessary system upgrades, and guarding against malicious actions such as denial-of-service (DoS) attacks.

    Reference used for this question:

    http://whatis.techtarget.com/definition/Confidentiality-integrity-and-availability-CIA
    http://www.danielmiessler.com/blog/security-identification-authentication-and-authorization
    http://www.merriam-webster.com/dictionary/profess

    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.

  7. The control measures that are intended to reveal the violations of security policy using software and hardware are associated with:

    • Preventive/physical
    • Detective/technical
    • Detective/physical
    • Detective/administrative
    Explanation:
    The detective/technical control measures are intended to reveal the violations of security policy using technical means.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 35.

  8. The controls that usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists are associated with:

    • Preventive/physical
    • Detective/technical
    • Detective/physical
    • Detective/administrative
    Explanation:
    Detective/physical controls usually require a human to evaluate the input from sensors or cameras to determine if a real threat exists.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 36.

  9. What is called an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics?

    • Biometrics
    • Micrometrics
    • Macrometrics
    • MicroBiometrics
    Explanation:
    The Answer: Biometrics; Biometrics are defined as an automated means of identifying or authenticating the identity of a living person based on physiological or behavioral characteristics.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 37,38.

  10. Which of the following is NOT true of the Kerberos protocol?

    • Only a single login is required per session.
    • The initial authentication steps are done using a public key algorithm.
    • The KDC is aware of all systems in the network and is trusted by all of them
    • It performs mutual authentication
    Explanation:

    Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. It has the following characteristics:

    It is secure: it never sends a password unless it is encrypted.
    Only a single login is required per session. Credentials defined at login are then passed between resources without the need for additional logins.
    The concept depends on a trusted third party – a Key Distribution Center (KDC). The KDC is aware of all systems in the network and is trusted by all of them.
    It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client.

    Kerberos introduces the concept of a Ticket-Granting Server/Service (TGS). A client that wishes to use a service has to receive a ticket from the TGS – a ticket is a time-limited cryptographic message – giving it access to the server. Kerberos also requires an Authentication Server (AS) to verify clients. The two servers combined make up a KDC.

    Within the Windows environment, Active Directory performs the functions of the KDC. The following figure shows the sequence of events required for a client to gain access to a service using Kerberos authentication. Each step is shown with the Kerberos message associated with it, as defined in RFC 4120 “The Kerberos Network Authentication Service (V5)”.

    [Figure: SSCP Part 40 Q10 041, the Kerberos authentication sequence with the RFC 4120 message for each step]

    Kerberos Authentication Step by Step
    Step 1: The user logs on to the workstation and requests service on the host. The workstation sends a message to the Authentication Server requesting a ticket granting ticket (TGT).

    Step 2: The Authentication Server verifies the user’s access rights in the user database and creates a TGT and session key. The Authentication Server encrypts the results using a key derived from the user’s password and sends a message back to the user workstation.

    The workstation prompts the user for a password and uses the password to decrypt the incoming message. When decryption succeeds, the user will be able to use the TGT to request a service ticket.

    Step 3: When the user wants access to a service, the workstation client application sends a request to the Ticket Granting Service containing the client name, realm name and a timestamp. The user proves his identity by sending an authenticator encrypted with the session key received in Step 2.

    Step 4: The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server. The ticket contains the client name and optionally the client IP address. It also contains the realm name and ticket lifespan. The TGS returns the ticket to the user workstation. The returned message contains two copies of a server session key – one encrypted with the client password, and one encrypted by the service password.

    Step 5: The client application now sends a service request to the server containing the ticket received in Step 4 and an authenticator. The service authenticates the request by decrypting the session key. The server verifies that the ticket and authenticator match, and then grants access to the service. This step as described does not include the authorization performed by the Intel AMT device, as described later.

    Step 6: If mutual authentication is required, then the server will reply with a server authentication message.

    The Kerberos server knows “secrets” (encrypted passwords) for all clients and servers under its control, or it is in contact with other secure servers that have this information. These “secrets” are used to encrypt all of the messages shown in the figure above.
    To prevent “replay attacks,” Kerberos uses timestamps as part of its protocol definition. For timestamps to work properly, the clocks of the client and the server need to be in synch as much as possible. In other words, both computers need to be set to the same time and date. Since the clocks of two computers are often out of synch, administrators can establish a policy to establish the maximum acceptable difference to Kerberos between a client’s clock and server’s clock. If the difference between a client’s clock and the server’s clock is less than the maximum time difference specified in this policy, any timestamp used in a session between the two computers will be considered authentic. The maximum difference is usually set to five minutes.

    Note that if a client application wishes to use a service that is “Kerberized” (the service is configured to perform Kerberos authentication), the client must also be Kerberized so that it can produce and handle the necessary Kerberos messages.
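The six steps above modelled end to end in Python, as an added example that is not from the Intel or MIT material the page cites. The sealing routine is a toy encrypt-then-MAC stand-in for Kerberos encryption (not real cryptography), and the principal names, ticket lifetimes and the five-minute MAX_SKEW are constructed assumptions; the model shows a fresh authenticator succeeding with mutual authentication, the same authenticator refused as a replay, a clock ten minutes off refused, and a wrong password failing to decrypt the AS reply.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds; the text says the maximum acceptable clock difference is usually five minutes

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object: a stand-in for Kerberos encryption, not real crypto."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def make_authenticator(session_key, cname, now, usec=0):
    return seal(session_key, {"cname": cname, "ctime": now, "cusec": usec})

def verify(ticket, authenticator, now):
    """Checks shared by TGS and service: ticket lifetime, matching names, timestamp freshness."""
    if now > ticket["endtime"]:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)  # session key travels inside the ticket
    if auth["cname"] != ticket["cname"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - auth["ctime"]) > MAX_SKEW:
        raise PermissionError("clock skew exceeds policy")
    return auth

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) sharing one key database."""
    def __init__(self, keys):
        self.keys = keys  # long-term keys of every principal; "krbtgt" is the TGS itself

    def as_exchange(self, cname, now):  # Steps 1-2: TGT sealed for the TGS, reply sealed with user key
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": cname, "key": sk, "endtime": now + 8 * 3600})
        return seal(self.keys[cname], {"key": sk, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob, authenticator, sname, now):  # Steps 3-4: service ticket
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        verify(tgt, authenticator, now)
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[sname], {"cname": tgt["cname"], "key": svc_key, "endtime": now + 3600})
        return seal(bytes.fromhex(tgt["key"]), {"key": svc_key, "ticket": ticket.hex()})

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, ticket_blob, authenticator, now):  # Steps 5-6: verify, then prove itself
        ticket = unseal(self.key, ticket_blob)
        auth = verify(ticket, authenticator, now)
        marker = (auth["cname"], auth["ctime"], auth["cusec"])
        if marker in self.replay_cache:  # the same authenticator presented twice inside the skew window
            raise PermissionError("replayed authenticator")
        self.replay_cache.add(marker)
        return seal(bytes.fromhex(ticket["key"]), {"ctime": auth["ctime"], "cusec": auth["cusec"]})

def client_login(kdc, service, cname, user_key, now):
    """Client side of steps 1-6; returns the ticket, authenticator and session key it used."""
    as_rep = unseal(user_key, kdc.as_exchange(cname, now))  # wrong password -> ValueError
    sk, tgt = bytes.fromhex(as_rep["key"]), bytes.fromhex(as_rep["tgt"])
    tgs_rep = unseal(sk, kdc.tgs_exchange(tgt, make_authenticator(sk, cname, now), service.name, now))
    svc_key, ticket = bytes.fromhex(tgs_rep["key"]), bytes.fromhex(tgs_rep["ticket"])
    auth = make_authenticator(svc_key, cname, now, usec=1)
    if unseal(svc_key, service.ap_exchange(ticket, auth, now))["ctime"] != now:
        raise PermissionError("server failed mutual authentication")
    return ticket, auth, svc_key

def _rejected(action):
    try:
        action()
        return False
    except (PermissionError, ValueError):
        return True

def demo():
    """Constructed realm with one user, one service and one KDC; reports what each check decided."""
    keys = {"alice": hashlib.sha256(b"alice-password").digest(),
            "krbtgt": os.urandom(32), "host/web": os.urandom(32)}
    kdc, web, now = KDC(keys), Service("host/web", keys["host/web"]), 1_700_000_000
    ticket, auth, svc_key = client_login(kdc, web, "alice", keys["alice"], now)
    return {
        "replay_rejected": _rejected(lambda: web.ap_exchange(ticket, auth, now + 1)),
        "skew_rejected": _rejected(lambda: web.ap_exchange(
            ticket, make_authenticator(svc_key, "alice", now + 600, 2), now)),
        "wrong_password_rejected": _rejected(
            lambda: unseal(hashlib.sha256(b"guess").digest(), kdc.as_exchange("alice", now))),
    }
```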
    For more information about Kerberos, see http://web.mit.edu/kerberos/www/.

    References:
    Introduction to Kerberos Authentication from Intel
    and
    http://www.zeroshell.net/eng/kerberos/Kerberos-definitions/#1.3.5.3
    and
    http://www.ietf.org/rfc/rfc4120.txt

  11. Which of the following is addressed by Kerberos?

    • Confidentiality and Integrity
    • Authentication and Availability
    • Validation and Integrity
    • Auditability and Integrity
    Explanation:

    Kerberos addresses the confidentiality and integrity of information.
    It also addresses primarily authentication but does not directly address availability.

    Reference(s) used for this question:

    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 42.
    and
    https://www.ietf.org/rfc/rfc4120.txt
    and
    http://learn-networking.com/network-security/how-kerberos-authentication-works

  12. Which of the following is implemented through scripts or smart agents that replay the user’s multiple log-ins against authentication servers to verify a user’s identity and permit access to system services?

    • Single Sign-On
    • Dynamic Sign-On
    • Smart cards
    • Kerberos
    Explanation:

    SSO can be implemented by using scripts that replay the user’s multiple log-ins against authentication servers to verify a user’s identity and to permit access to system services.

    Single Sign on was the best answer in this case because it would include Kerberos.

    When you have two good answers within the 4 choices presented you must select the BEST one. The high level choice is always the best. When one choice would include the other one that would be the best as well.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 40.

  13. Which of the following is a trusted, third party authentication protocol that was developed under Project Athena at MIT?

    • Kerberos
    • SESAME
    • KryptoKnight
    • NetSP
    Explanation:

    Kerberos is a trusted, third party authentication protocol that was developed under Project Athena at MIT.

    Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

    The Internet is an insecure place. Many of the protocols used in the Internet do not provide any security. Tools to “sniff” passwords off of the network are in common use by systems crackers. Thus, applications which send an unencrypted password over the network are extremely vulnerable. Worse yet, other client/server applications rely on the client program to be “honest” about the identity of the user who is using it. Other applications rely on the client to restrict its activities to those which it is allowed to do, with no other enforcement by the server.

    Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that “the bad guys” are on the outside, which is often a very bad assumption. Most of the really damaging incidents of computer crime are carried out by insiders. Firewalls also have a significant disadvantage in that they restrict how your users can use the Internet. (After all, firewalls are simply a less extreme example of the dictum that there is nothing more secure than a computer which is not connected to the network — and powered off!) In many places, these restrictions are simply unrealistic and unacceptable.

    Kerberos was created by MIT as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.

    Kerberos is freely available from MIT, under a copyright permission notice very similar to the one used for the BSD operating system and the X11 Window System. MIT provides Kerberos in source form, so that anyone who wishes to use it may look over the code for themselves and assure themselves that the code is trustworthy. In addition, for those who prefer to rely on a professionally supported product, Kerberos is available as a product from many different vendors.

    In summary, Kerberos is a solution to your network security problems. It provides the tools of authentication and strong cryptography over the network to help you secure your information systems across your entire enterprise. We hope you find Kerberos as useful as it has been to us. At MIT, Kerberos has been invaluable to our Information/Technology architecture.

    KryptoKnight is a Peer to Peer authentication protocol incorporated into the NetSP product from IBM.

    SESAME is an authentication and access control protocol that also supports communication confidentiality and integrity. It provides public key based authentication along with the Kerberos style authentication that uses symmetric key cryptography. Sesame supports the Kerberos protocol and adds some security extensions like public key based authentication and an ECMA-style Privilege Attribute Service. The complete Sesame protocol is a two step process. In the first step, the client successfully authenticates itself to the Authentication Server and obtains a ticket that can be presented to the Privilege Attribute Server. In the second step, the initiator obtains proof of his access rights in the form of a Privilege Attribute Certificate (PAC). The PAC is a specific form of Access Control Certificate as defined in the ECMA-219 document. This document describes the extensions to Kerberos for public key based authentication as adopted in Sesame.

    SESAME, KryptoKnight, and NetSP never took off and the protocols are no longer commonly used.

    References:
    http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#whatis
    and
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 40.

  14. RADIUS incorporates which of the following services?

    • Authentication server and PIN codes.
    • Authentication of clients and static passwords generation.
    • Authentication of clients and dynamic passwords generation.
    • Authentication server as well as support for Static and Dynamic passwords.
    Explanation:

    A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to
    designated RADIUS servers, and then acting on the response which is returned.

    RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all
    configuration information necessary for the client to deliver service to the user.

    RADIUS authentication is based on provision of simple username/password credentials. These credentials are encrypted
    by the client using a shared secret between the client and the RADIUS server. OIG 2007, Page 513

    A practitioner's caveat: that "encryption" covers only the User-Password attribute, which is XORed with an MD5 keystream derived from the shared secret and the 16-octet Request Authenticator (RFC 2865, section 5.2); the rest of the packet travels in cleartext. It is obfuscation keyed by the shared secret rather than authenticated encryption, so the strength of the shared secret and the protection of the path to the server (for example an IPsec tunnel) matter.

    RADIUS incorporates an authentication server and can make use of both dynamic and static passwords.

    Since it uses the PAP and CHAP protocols, it also supports static passwords.

    RADIUS is an Internet protocol. RADIUS carries authentication, authorization, and configuration information between a Network Access Server and a shared Authentication Server. RADIUS features and functions are described primarily in the IETF (Internet Engineering Task Force) document RFC 2138 (since obsoleted by RFC 2865).

    The term "RADIUS" is an acronym which stands for Remote Authentication Dial In User Service.

    The main advantage to using a RADIUS approach to authentication is that it can provide a stronger form of authentication. RADIUS is capable of using a strong, two-factor form of authentication, in which users need to possess both a user ID and a hardware or software token to gain access.

    Token-based schemes use dynamic passwords. Every minute or so, the token generates a unique 4-, 6- or 8-digit access number that is synchronized with the security server. To gain entry into the system, the user must both generate this one-time number and provide his or her user ID and password.

    Although protocols such as RADIUS cannot protect against theft of an authenticated session via some real-time attacks, such as wiretapping, using unique, unpredictable authentication requests can protect against a wide range of active attacks.
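    The following is an added example, not code from the page or from the RADIUS sources it cites, showing how the User-Password hiding described above actually works on the wire (RFC 2865, section 5.2) and how a Response Authenticator is computed. The shared secret and password values are constructed for the example.

```python
import hashlib
import os

# Constructed value for this example; not from the page or any real deployment.
SHARED_SECRET = b"example-shared-secret"


def _check_request_authenticator(request_authenticator: bytes) -> None:
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Hide a User-Password attribute value as RFC 2865 section 5.2 specifies.

    The password is NUL-padded to a multiple of 16 octets and each 16-octet
    chunk is XORed with an MD5 block chained from the previous hidden chunk:
        b1 = MD5(secret + RequestAuthenticator)   c1 = p1 XOR b1
        b2 = MD5(secret + c1)                     c2 = p2 XOR b2  ...
    Only this attribute is hidden; the rest of the packet is cleartext.
    """
    _check_request_authenticator(request_authenticator)
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += chunk
        prev = chunk
    return bytes(hidden)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: recover the cleartext password from the hidden attribute value.

    A wrong shared secret yields garbage rather than an error, which is why a
    RADIUS server can only detect a mismatched secret indirectly.
    Trailing NUL padding is stripped (passwords ending in NUL are not supported here).
    """
    _check_request_authenticator(request_authenticator)
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    clear = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        clear += bytes(c ^ b for c, b in zip(chunk, block))
        prev = chunk
    return bytes(clear).rstrip(b"\x00")


def response_authenticator(code: int, identifier: int, request_authenticator: bytes,
                           attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).

    This lets the NAS check that an Access-Accept/Reject came from a server
    holding the shared secret; the Access-Request itself carries no such
    integrity check unless a Message-Authenticator attribute is added.
    """
    length = 20 + len(attributes)  # 20-octet header plus attributes
    data = (bytes([code, identifier]) + length.to_bytes(2, "big")
            + request_authenticator + attributes + secret)
    return hashlib.md5(data).digest()


def demo() -> bool:
    """Round-trip a password through the hiding scheme with a random Request Authenticator."""
    ra = os.urandom(16)
    hidden = hide_user_password(b"correct horse battery", SHARED_SECRET, ra)
    return reveal_user_password(hidden, SHARED_SECRET, ra) == b"correct horse battery"


if __name__ == "__main__":
    print("round trip ok:", demo())
```

    Because the keystream depends only on the shared secret and the Request Authenticator, a captured Access-Request gives an attacker an offline guessing target for the shared secret, which is one reason RADIUS deployments pair it with a long random secret and a protected transport.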
    RADIUS: Key Features and Benefits

    Feature: RADIUS supports dynamic passwords and challenge/response passwords.
    Benefit: Improved system security, because passwords are not static. It is much more difficult for a bogus host to spoof users into giving up their passwords or password-generation algorithms.

    Feature: RADIUS allows the user to have a single user ID and password for all computers in a network.
    Benefit: Improved usability, because the user has to remember only one login combination.

    Feature: RADIUS is able to:
    • Prevent RADIUS users from logging in via login (or ftp);
    • Require them to log in via login (or ftp);
    • Require them to log in to a specific network access server (NAS);
    • Control access by time of day.
    Benefit: Provides very granular control over the types of logins allowed, on a per-user basis.

    Feature: The time-out interval for failing over from an unresponsive primary RADIUS server to a backup RADIUS server is site-configurable.
    Benefit: RADIUS gives the system administrator more flexibility in managing which users can log in from which hosts or devices.

    Stratus Technology Product Brief
    http://www.stratus.com/products/vos/openvos/radius.htm

    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Pages 43, 44.

    Also check: MILLER, Lawrence & GREGORY, Peter, CISSP for Dummies, 2002, Wiley Publishing, Inc., pages 45-46.

  15. Which of the following protects a password from eavesdroppers and supports the encryption of communication?

    • Challenge Handshake Authentication Protocol (CHAP)
    • Challenge Handshake Identification Protocol (CHIP)
    • Challenge Handshake Encryption Protocol (CHEP)
    • Challenge Handshake Substitution Protocol (CHSP)
    Explanation:

    CHAP: A protocol that uses a three-way handshake. The server sends the client a challenge that includes a random value (a nonce) to thwart replay attacks. The client responds with the MD5 hash computed over the challenge identifier, the shared secret (the password) and the nonce (RFC 1994).

    The authentication is successful if the client's response is the one that the server expected.

    Reference: Page 450, OIG 2007.

    CHAP protects the password from eavesdroppers and supports the encryption of communication.
    A practitioner's caveat: the password itself never crosses the link, but a captured challenge/response pair still allows offline guessing of a weak secret, and the authenticator must hold the secret in a recoverable form to compute the expected response (RFC 1994, section 2.3). CHAP authenticates the link; encryption of the traffic that follows is negotiated separately.
    Reference: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 44.
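    The following is an added example, not code from the page or from the referenced guides, implementing the CHAP exchange described above on both sides: the server issues a random challenge, the peer answers with MD5(Identifier || secret || Challenge) per RFC 1994, and the server accepts each challenge only once so a replayed response fails. The credential table and wordlist are constructed for the example; the offline_guess function shows the residual weakness noted in the caveat.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed example credentials; not from the page or any real system.
# CHAP forces the authenticator to hold the secret in a form it can feed
# into MD5, i.e. cleartext or reversibly encrypted.
USER_SECRETS: Dict[str, bytes] = {"alice": b"s3cret-pw"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.2: Response = MD5(Identifier || secret || Challenge Value)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side of the three-way handshake: Challenge -> Response -> Success/Failure."""

    def __init__(self, secrets: Dict[str, bytes]):
        self._secrets = secrets
        self._pending: Dict[int, bytes] = {}   # Identifier -> outstanding challenge value
        self._next_id = 0

    def challenge(self) -> Tuple[int, bytes]:
        """Step 1: issue a fresh, unpredictable challenge value (the nonce)."""
        identifier = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)
        self._pending[identifier] = value
        return identifier, value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: compare the peer's response with the locally computed one.

        The challenge is consumed on first use, so resending a captured
        response (a replay) fails even though it was valid a moment ago.
        """
        value = self._pending.pop(identifier, None)
        secret = self._secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


def offline_guess(identifier: int, challenge: bytes, response: bytes, wordlist) -> Optional[bytes]:
    """What an eavesdropper can still do: the secret never crossed the wire, but a
    captured (challenge, response) pair lets them test candidate passwords offline
    (RFC 1994 section 2.3). A strong secret defeats this; a weak one does not."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


def demo() -> Dict[str, object]:
    """Run the handshake, two replay attempts, and an offline guess against a weak secret."""
    server = ChapAuthenticator(USER_SECRETS)
    ident, nonce = server.challenge()                            # server -> peer (step 1)
    resp = chap_response(ident, USER_SECRETS["alice"], nonce)    # peer -> server (step 2)
    first = server.verify(ident, "alice", resp)                  # step 3
    replay = server.verify(ident, "alice", resp)                 # same packet sent again
    ident2, nonce2 = server.challenge()
    stale = server.verify(ident2, "alice", resp)                 # old response, new challenge
    guessed = offline_guess(ident, nonce, resp, [b"password", b"letmein", b"s3cret-pw"])
    return {"first": first, "replay": replay, "stale": stale, "guessed": guessed}


if __name__ == "__main__":
    print(demo())
```

    The one-shot challenge table is what makes the nonce effective against replay; a server that let a challenge be answered twice would defeat the purpose of the random value.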

  16. Kerberos is vulnerable to replay in which of the following circumstances?

    • When a private key is compromised within an allotted time window.
    • When a public key is compromised within an allotted time window.
    • When a ticket is compromised within an allotted time window.
    • When the KSD is compromised within an allotted time window.
    Explanation:

    Replay can be accomplished on Kerberos if the compromised tickets are used within an allotted time window.

    The security depends on careful implementation: enforcing limited lifetimes for authentication credentials minimizes the threat of replayed credentials, the KDC must be physically secured, and it should be hardened, not permitting any non-Kerberos activities.

    Reference:

    Official ISC2 Guide to the CISSP, 2007 Edition, page 184
    also see:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 42.
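    The following is an added example, not code from the page or from the referenced guides, showing the checks an application server applies to a Kerberos AP-REQ so that a compromised ticket is only useful inside the allotted window: the authenticator timestamp must be within the clock skew, the ticket must not have expired, and a replay cache refuses an authenticator it has already seen (RFC 4120, section 3.2.3). The principal names, times and 5-minute skew are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed example of the checks an application server performs on an AP-REQ
# (RFC 4120 section 3.2.3); the values below are assumptions, not from the page.
CLOCK_SKEW_SECONDS = 300   # the conventional 5-minute maximum acceptable skew


@dataclass(frozen=True)
class Authenticator:
    client: str   # cname in the authenticator (must match the ticket)
    ctime: int    # client's current time, seconds since the epoch
    cusec: int    # microsecond part of ctime


@dataclass(frozen=True)
class Ticket:
    client: str
    endtime: int  # ticket expiry, seconds since the epoch


class ReplayCache:
    """Accept each (client, ctime, cusec) at most once inside the skew window."""

    def __init__(self, skew: int = CLOCK_SKEW_SECONDS):
        self._skew = skew
        self._seen: Dict[Tuple[str, int, int], int] = {}

    def check(self, ticket: Ticket, auth: Authenticator, now: int) -> Tuple[bool, str]:
        if auth.client != ticket.client:
            return False, "authenticator/ticket client mismatch"
        if now > ticket.endtime:
            return False, "ticket expired"
        # A stolen ticket is only replayable while its authenticator timestamp is fresh.
        if abs(now - auth.ctime) > self._skew:
            return False, "clock skew exceeded"
        # Entries older than the window can no longer pass the skew check, so drop them.
        self._seen = {k: t for k, t in self._seen.items() if now - t <= self._skew}
        key = (auth.client, auth.ctime, auth.cusec)
        if key in self._seen:
            return False, "replay"
        self._seen[key] = auth.ctime
        return True, "ok"


def demo() -> Dict[str, str]:
    """Fresh use, replays inside and outside the window, a stale capture, an expired ticket."""
    now = 1_700_000_000
    cache = ReplayCache()
    ticket = Ticket(client="alice@EXAMPLE.COM", endtime=now + 8 * 3600)
    auth = Authenticator(client="alice@EXAMPLE.COM", ctime=now, cusec=123456)
    results = {}
    results["fresh"] = cache.check(ticket, auth, now)[1]
    results["replay_now"] = cache.check(ticket, auth, now + 1)[1]
    results["replay_in_window"] = cache.check(ticket, auth, now + 200)[1]
    results["replay_after_window"] = cache.check(ticket, auth, now + 600)[1]
    stale = Authenticator(client="alice@EXAMPLE.COM", ctime=now - 900, cusec=1)
    results["stale_capture"] = cache.check(ticket, stale, now)[1]
    results["expired_ticket"] = cache.check(ticket, auth, now + 9 * 3600)[1]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

    Note that the skew check and the replay cache work together: the cache only has to remember entries for as long as the skew window, and anything older is rejected by the timestamp check regardless, which is why the window, not the ticket lifetime, bounds how long a captured authenticator is dangerous.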

  17. Like the Kerberos protocol, SESAME is also subject to which of the following?

    • timeslot replay
    • password guessing
    • symmetric key guessing
    • asymmetric key guessing
    Explanation:

    Sesame is an authentication and access control protocol, that also supports communication confidentiality and integrity. It provides public key based authentication along with the Kerberos style authentication, that uses symmetric key cryptography. Sesame supports the Kerberos protocol and adds some security extensions like public key based authentication and an ECMA-style Privilege Attribute Service.

    Users under SESAME can authenticate using either symmetric encryption, as in Kerberos, or public key authentication. When using symmetric key authentication as in Kerberos, SESAME is also vulnerable to password guessing, just as Kerberos is. The symmetric key being used is derived from the password the user entered when logging on to the system. If the user has a simple password it could be guessed or compromised. Even though Kerberos or SESAME may be used, there is still a need for strong password discipline.

    The Basic Mechanism in Sesame for strong authentication is as follow:

    The user sends a request for authentication to the Authentication Server as in Kerberos, except that SESAME makes use of public key cryptography for authentication: the client presents his digital certificate and the request is signed with a digital signature. The signature is communicated to the authentication server through the preauthentication fields. Upon receipt of this request, the authentication server verifies the certificate, then validates the signature, and if all is fine the AS issues a ticket granting ticket (TGT) as in Kerberos. This TGT is used to communicate with the privilege attribute server (PAS) when access to a resource is needed.

    Users may authenticate using either a public key pair or a conventional (symmetric) key. If public key cryptography is used, public key data is transported in preauthentication data fields to help establish identity.
    Kerberos uses tickets for authenticating subjects to objects and SESAME uses Privilege Attribute Certificates (PACs), which contain the subject's identity, access capabilities for the object, access time period, and lifetime of the PAC. The PAC is digitally signed so that the object can validate that it came from the trusted privilege attribute server (PAS). The PAS holds a role similar to that of the KDC within Kerberos. After a user successfully authenticates to the authentication service (AS), he is presented with a token to give to the PAS. The PAS then creates a PAC for the user to present to the resource he is trying to access.

    Reference(s) used for this question:

    http://srg.cs.uiuc.edu/Security/nephilim/Internal/SESAME.txt
    and
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 43.

  18. What is called the percentage of valid subjects that are falsely rejected by a Biometric Authentication system?

    • False Rejection Rate (FRR) or Type I Error
    • False Acceptance Rate (FAR) or Type II Error
    • Crossover Error Rate (CER)
    • True Rejection Rate (TRR) or Type III Error
    Explanation:
    The percentage of valid subjects that are falsely rejected is called the False Rejection Rate (FRR) or Type I Error.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.
  19. What is called the percentage at which the False Rejection Rate equals the False Acceptance Rate?

    • False Rejection Rate (FRR) or Type I Error
    • False Acceptance Rate (FAR) or Type II Error
    • Crossover Error Rate (CER)
    • Failure to enroll rate (FTE or FER)
    Explanation:

    The percentage at which the False Rejection Rate equals the False Acceptance Rate is called the Crossover Error Rate (CER). Another name for the CER is the Equal Error Rate (EER); either term may be used.

    Equal error rate or crossover error rate (EER or CER)
    It is the rate at which both accept and reject errors are equal. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate.

    The other choices were all wrong answers:

    The following are used as performance metrics for biometric systems:

    False accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percentage of invalid inputs which are incorrectly accepted. This is when an impostor would be accepted by the system.

    False reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percentage of valid inputs which are incorrectly rejected. This is when a valid company employee would be rejected by the system.

    Failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input are unsuccessful. This is most commonly caused by low quality inputs.

    Reference(s) used for this question:
    KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.
    and
    https://en.wikipedia.org/wiki/Biometrics
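    The following is an added example, not code from the page or from the referenced sources, that computes the FRR (Type I error) and FAR (Type II error) of questions 18 and 19 at a given decision threshold and then sweeps thresholds to find the crossover (CER/EER), which is how two devices with different error curves are compared. The match scores for the two systems are constructed for the example, not measurements from any product.

```python
from typing import Dict, List, Tuple

# Constructed match scores (higher = more similar) for two hypothetical matchers.
# They are illustrative only, not measurements from the page or any product.
GENUINE_SCORES = [0.92, 0.88, 0.84, 0.80, 0.76, 0.72, 0.68, 0.64, 0.52, 0.48]
IMPOSTOR_SCORES = [0.64, 0.60, 0.56, 0.52, 0.48, 0.44, 0.40, 0.36, 0.32, 0.28]
GENUINE_SCORES_B = [0.90, 0.80, 0.70, 0.60, 0.50, 0.40, 0.30, 0.20, 0.10, 0.05]
IMPOSTOR_SCORES_B = [0.75, 0.65, 0.55, 0.45, 0.35, 0.25, 0.15, 0.10, 0.05, 0.02]


def far_frr(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Error rates at one decision threshold (a sample is accepted when score >= threshold).

    FAR (Type II error): fraction of impostor attempts that are accepted.
    FRR (Type I error):  fraction of genuine attempts that are rejected.
    Raising the threshold lowers FAR and raises FRR; lowering it does the reverse.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def equal_error_rate(genuine: List[float], impostor: List[float]) -> Tuple[float, float, float]:
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) where FAR and FRR are closest. Their common value is
    the CER/EER; the device with the lowest EER is generally the most accurate."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1], best[2], best[3]


def rank_by_eer(systems: Dict[str, Tuple[List[float], List[float]]]) -> List[Tuple[str, float]]:
    """Order candidate devices by EER, lowest (most accurate) first."""
    ranked = [(name, equal_error_rate(g, i)[1]) for name, (g, i) in systems.items()]
    return sorted(ranked, key=lambda item: item[1])


if __name__ == "__main__":
    for t in (0.40, 0.60, 0.70):
        far, frr = far_frr(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold {t:.2f}: FAR={far:.2f} FRR={frr:.2f}")
    print("system A crossover (threshold, FAR, FRR):", equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("ranking:", rank_by_eer({"A": (GENUINE_SCORES, IMPOSTOR_SCORES),
                                   "B": (GENUINE_SCORES_B, IMPOSTOR_SCORES_B)}))
```

    The sweep makes the trade-off in question 19 concrete: no single threshold minimizes both error types, so the EER is used as a one-number summary, while a deployment that cares more about keeping impostors out (a data centre door) would pick a threshold to the right of the crossover and accept the higher FRR.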

  20. In biometrics, a "one-to-many" search against a database of stored biometric images is done in:

    • Authentication
    • Identification
    • Identities
    • Identity-based access control
    Explanation:
    In biometrics, identification is a “one-to-many” search of an individual’s characteristics from a database of stored images.
    Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.