
1. Network access to privileged accounts

2. Local access to privileged accounts

3. Network access to non-privileged accounts

4. Local access to non-privileged accounts

a. 1 and 2

b. 1 and 3

c. 3 and 4

d. 1, 2, 3, and 4

98. d. An information system must use multifactor authentication mechanisms for both network access (privileged and non-privileged) and local access (privileged and non-privileged) because both situations are risky. System/network administrators have administrative (privileged) accounts, and these individuals have access to a set of “access rights” on a given system. Malicious non-privileged account users are as risky as privileged account users because they can cause damage to data and program files.

99. Which of the following statements is not true about identification and authentication requirements?

a. Group authenticators should be used with an individual authenticator

b. Group authenticators should be used with a unique authenticator

c. Unique authenticators in group accounts need greater accountability

d. Individual authenticators should be used at the same time as the group authenticators

99. d. You need to require that individuals are authenticated with an individual authenticator prior to using a group authenticator. The other three choices are true statements.

100. Which of the following can prevent replay attacks in an authentication process for network access to privileged and non-privileged accounts?

1. Nonces

2. Challenges

3. Time synchronous authenticators

4. Challenge-response one-time authenticators

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

100. d. An authentication process resists replay attacks if it is impractical to achieve a successful authentication by recording and replaying a previous authentication message. Techniques used to address the replay attacks include protocols that use nonces or challenges (e.g., TLS) and time synchronous or challenge-response one-time authenticators.
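As an added illustration (not part of the original question bank), the following Python model shows two of the techniques the answer lists: a nonce challenge-response exchange in which each nonce is consumed exactly once, and a time-synchronous one-time token whose window cannot be accepted twice. The client name, shared secret and 30-second window are constructed for the demo.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

STEP_SECONDS = 30  # width of one time-synchronous window (assumed value)


def _mac(secret: bytes, message: str) -> str:
    """HMAC-SHA256 over the nonce or window; both sides compute the same value."""
    return hmac.new(secret, message.encode(), hashlib.sha256).hexdigest()


class ReplayResistantVerifier:
    """Toy verifier sharing a per-client secret (constructed for this example)."""

    def __init__(self, client_secrets: dict[str, bytes]):
        self.client_secrets = client_secrets
        self.outstanding: dict[str, str] = {}   # nonce -> client it was issued to
        self.last_window: dict[str, int] = {}   # client -> newest window accepted

    def challenge(self, client_id: str) -> str:
        """Issue a fresh, unpredictable nonce; it is valid for exactly one answer."""
        nonce = secrets.token_hex(16)
        self.outstanding[nonce] = client_id
        return nonce

    def verify_response(self, client_id: str, nonce: str, response: str) -> bool:
        """A recorded (nonce, response) pair fails here: the nonce was already consumed."""
        if self.outstanding.pop(nonce, None) != client_id:
            return False
        return hmac.compare_digest(_mac(self.client_secrets[client_id], nonce), response)

    def verify_timed(self, client_id: str, token: str, now: float | None = None) -> bool:
        """Time-synchronous one-time token: valid only for the current window,
        and each window is accepted at most once per client."""
        window = int((time.time() if now is None else now) // STEP_SECONDS)
        if not hmac.compare_digest(_mac(self.client_secrets[client_id], str(window)), token):
            return False
        if window <= self.last_window.get(client_id, -1):
            return False  # same or older window: a replayed token
        self.last_window[client_id] = window
        return True


def answer_challenge(secret: bytes, nonce: str) -> str:
    """Client side of the challenge-response exchange."""
    return _mac(secret, nonce)


def timed_token(secret: bytes, now: float) -> str:
    """Client side of the time-synchronous authenticator."""
    return _mac(secret, str(int(now // STEP_SECONDS)))
```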

101. For device identification and authentication, the authentication between devices and connections to networks is an example of a(n):

a. Bidirectional authentication

b. Group authentication

c. Device-unique authentication

d. Individual authentication

101. a. An information system authenticates devices before establishing remote and wireless network connections using bidirectional authentication between devices that are cryptographically-based. Examples of device identifiers include media access control (MAC) addresses, IP addresses, e-mail IDs, and device-unique token identifiers. Examples of device authenticators include digital/PKI certificates and passwords. The other three choices are not correct because they lack two-way authentication.

102. For device identification and authentication, dynamic address allocation process for devices is standardized with which of the following?

a. Dynamic host configuration protocol

b. Dynamic authentication

c. Dynamic hypertext markup language

d. Dynamic binding

102. a. For dynamic address allocation for devices, dynamic host configuration protocol (DHCP)-enabled clients obtain leases for Internet Protocol (IP) addresses from DHCP servers. Therefore, the dynamic address allocation process for devices is standardized with DHCP. The other three choices do not have the capability to obtain leases for IP addresses.

103. For identifier management, service-oriented architecture implementations do not rely on which of the following?

a. Dynamic identities

b. Dynamic attributes and privileges

c. Preregistered users

d. Pre-established trust relationships

103. c. Conventional approaches to identification and authentication employ static information system accounts for known preregistered users. Service-oriented architecture (SOA) implementations do not rely on static identities but do rely on establishing identities at run-time for entities (i.e., dynamic identities) that were previously unknown. Dynamic identities are associated with dynamic attributes and privileges, and they rely on pre-established trust relationships.

104. For authenticator management, which of the following presents a significant security risk?

a. Stored authenticators

b. Default authenticators

c. Reused authenticators

d. Refreshed authenticators

104. b. Organizations should change the default authenticators upon information system installation or require vendors and/or manufacturers to provide unique authenticators prior to delivery. This is because default authenticator credentials are often well known, easily discoverable, and present a significant security risk, and therefore, should be changed upon installation. A stored or embedded authenticator can be risky depending on whether it is encrypted or unencrypted. Both reused and refreshed authenticators are less risky compared to default and stored authenticators because they are under the control of the user organization.

105. For authenticator management, use of which of the following is risky and leads to possible alternatives?

a. A single sign-on mechanism

b. Same user identifier and different user authenticators on all systems

c. Same user identifier and same user authenticator on all systems

d. Different user identifiers and different user authenticators on each system

105. c. Examples of user identifiers include internal users, contractors, external users, guests, passwords, tokens, and biometrics. Examples of user authenticators include passwords, PINs, tokens, biometrics, PKI/digital certificates, and key cards. When an individual has accounts on multiple information systems, there is the risk that if one account is compromised and the individual uses the same user identifier and authenticator, other accounts will be compromised as well. Possible alternatives include (i) having the same user identifier but different authenticators on all systems, (ii) having different user identifiers and different user authenticators on each system, (iii) employing a single sign-on mechanism, or (iv) having one-time passwords on all systems.

106. For authenticator management, which of the following is the least risky situation when compared to the others?

a. Authenticators embedded in an application system

b. Authenticators embedded in access scripts

c. Authenticators stored on function keys

d. Identifiers created at run-time

106. d. It is less risky to dynamically manage identifiers, attributes, and access authorizations. Run-time identifiers are created on-the-fly for previously unknown entities. Information security management should ensure that unencrypted, static authenticators are not embedded in application systems or access scripts, and not stored on function keys, because these approaches are risky. Here, the concern is to determine whether an embedded or stored authenticator is in encrypted or unencrypted form.