
155. Smart card authentication is an example of which of the following?

a. Proof-by-knowledge

b. Proof-by-property

c. Proof-by-possession

d. Proof-of-concept

155. c. Smart cards are credit card-size plastic cards that host an embedded computer chip containing an operating system, programs, and data. Smart card authentication is perhaps the best-known example of proof-by-possession (something you have, e.g., a key, card, or token). Passwords are an example of proof-by-knowledge (something you know). Fingerprints are an example of proof-by-property (something you are). Proof-of-concept is not an authentication factor at all; it is a prototype built to test an idea before the actual product is developed.

156. For token threats in electronic authentication, countermeasures used for which one of the following threats are different from the other three threats?

a. Online guessing

b. Eavesdropping

c. Phishing and pharming

d. Social engineering

156. a. In electronic authentication, the countermeasure against the token threat of online guessing is a token that generates high-entropy authenticators, so that an attacker cannot hit a valid value in a feasible number of attempts. The other three threats (eavesdropping, phishing and pharming, and social engineering) all aim at capturing an authenticator from the user or the channel, so they share the same countermeasures, and those countermeasures do not rely on high entropy: (i) tokens with dynamic authenticators, where knowledge of one authenticator does not assist in deriving a subsequent authenticator, and (ii) tokens that generate authenticators from a token input value (such as a challenge supplied by the verifier), so that a captured authenticator cannot simply be replayed.

157. Which of the following is a component that provides a security service for a smart card application used in a mobile device authentication?

a. Challenge-response protocol

b. Service provider

c. Resource manager

d. Driver for the smart card reader

157. a. The underlying mechanism used to authenticate users via smart cards relies on a challenge-response protocol between the device and the smart card. For example, a personal digital assistant (PDA) challenges the smart card for the correct response, which the PDA uses to verify that the card is the one originally enrolled by the device owner. The challenge-response protocol is what provides the security service. The other three choices are the main software components that support a smart card application, namely the service provider, the resource manager, and the driver for the smart card reader; they supply the plumbing between application and card, not the security service itself.
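The challenge-response exchange described in question 157, and the two countermeasures listed in question 156 (dynamic authenticators that depend on a verifier-supplied input value, and high-entropy values against online guessing), as an added example that is not part of the original page. Both sides are simulated in Python; the enrolment key, the use of HMAC-SHA256 as the response function, and the lockout threshold are assumptions made for the example, and a real card would compute the response on-chip without ever exposing its key.

```python
import hashlib
import hmac
import os

# Constructed enrolment data for the example: the key the device and the
# card agreed on when the card was enrolled. Not a real key.
ENROLLED_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


class SmartCard:
    """Simulated card: answers each challenge with HMAC-SHA256(key, challenge).

    Because the response is keyed on the challenge, one captured response
    says nothing about the response to the next challenge (a dynamic
    authenticator derived from a token input value).
    """

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class Device:
    """Simulated PDA/host: issues fresh random challenges and verifies responses."""

    def __init__(self, enrolled_key: bytes, max_failures: int = 5):
        self._key = enrolled_key
        self._outstanding = set()      # challenges issued but not yet answered
        self._failures = 0
        self._max_failures = max_failures   # assumed lockout threshold

    def challenge(self) -> bytes:
        # 128 random bits: high entropy, so a guessed response has a negligible
        # chance of being right, and never reused, so a replayed transcript fails.
        c = os.urandom(16)
        self._outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if self._failures >= self._max_failures:
            return False                    # locked out after repeated guessing
        if challenge not in self._outstanding:
            return False                    # we never issued it, or it was already used
        self._outstanding.discard(challenge)   # each challenge is answered once
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)   # constant-time comparison
        if not ok:
            self._failures += 1
        return ok


def authenticate(device: Device, card: SmartCard) -> bool:
    """One full round: device challenges, card responds, device verifies."""
    c = device.challenge()
    return device.verify(c, card.respond(c))


def replay_attempt(device: Device, card: SmartCard) -> tuple:
    """Sniff one valid (challenge, response) pair and present it twice."""
    c = device.challenge()
    r = card.respond(c)
    return device.verify(c, r), device.verify(c, r)


def wrong_card_attempt(device: Device) -> bool:
    """A card that was never enrolled (different key) tries to authenticate."""
    imposter = SmartCard(bytes(16))
    c = device.challenge()
    return device.verify(c, imposter.respond(c))


def online_guessing(device: Device, attempts: int) -> bool:
    """Attacker without the key submits random responses; True if any is accepted."""
    for _ in range(attempts):
        c = device.challenge()
        if device.verify(c, os.urandom(32)):
            return True
    return False
```

The replay and imposter cases fail for different reasons: the replayed transcript is rejected because the challenge was already consumed, while the imposter fails the HMAC check and counts toward the lockout. The lockout is a coarse defence against online guessing; it trades availability for resistance, since an attacker can deliberately lock out the legitimate card, which is why the high-entropy challenge rather than the lockout is the primary countermeasure.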

158. Which of the following is not a sophisticated technical attack against smart cards?

a. Reverse engineering

b. Fault injection

c. Signal leakage

d. Impersonating

158. d. For user authentication, the fundamental threat is an attacker impersonating a user and gaining control of the device and its contents. Of the four choices, impersonation is the only one that is not a sophisticated technical attack on the card itself. Smart cards are designed to resist tampering and monitoring, including sophisticated technical attacks that involve reverse engineering, fault injection, and signal leakage.

159. Which of the following is an example of nonpolled authentication?

a. Smart card

b. Password

c. Memory token

d. Communications signal

159. b. Nonpolled authentication is discrete; after the verdict is determined, it is inviolate until the next authentication attempt. Examples of nonpolled authentication include password, fingerprint, and voice verification. Polled authentication is continuous; the presence or absence of some token or signal determines the authentication status. Examples of polled authentication include smart card, memory token, and communications signal, whereby the absence of the device or signal triggers a nonauthenticated condition.

160. Which of the following does not complement intrusion detection systems (IDS)?

a. Honeypots

b. Inference cells

c. Padded cells

d. Vulnerability assessment tools

160. b. Honeypot systems, padded cell systems, and vulnerability assessment tools complement IDS to enhance an organization’s ability to detect intrusion. Inference cells do not complement IDS. A honeypot system is a host computer that is designed to collect data on suspicious activity and has no authorized users other than security administrators and attackers. Inference cells lead to an inference attack when a user or intruder is able to deduce privileged information from known information. In padded cell systems, an attacker is seamlessly transferred to a special padded cell host. Vulnerability assessment tools determine when a network or host is vulnerable to known attacks.

161. Sniffing precedes which of the following?

a. Phishing and pharming

b. Spoofing and hijacking

c. Snooping and scanning

d. Cracking and scamming

161. b. Sniffing is observing and monitoring packets passing by on the network using packet sniffers. Sniffing precedes either spoofing or hijacking, because both need information (addresses, session identifiers, credentials) that the attacker first captures from the traffic. Spoofing includes subverting IP-based access control by masquerading as another system using its IP address; more generally, it is an attempt to gain access to a system by posing as an authorized user or host. Other examples of spoofing include spoofing packets to hide the origin of a DoS attack, spoofing e-mail headers to hide spam, and spoofing phone numbers to fool caller-ID. Spoofing is synonymous with impersonating, masquerading, or mimicking, and is not synonymous with sniffing. Hijacking is taking over an already authenticated session with a database or system.

Snooping, scanning, and sniffing are all actions searching for required and valuable information. They involve looking around for vulnerabilities and planning to attack. These are preparatory actions prior to launching serious penetration attacks.

Phishing is tricking individuals into disclosing sensitive personal information through deceptive computer-based means. Phishing attacks use social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. It involves Internet fraudsters who send spam or pop-up messages to lure personal information (e.g., credit card numbers, bank account information, social security number, passwords, or other sensitive information) from unsuspecting victims. Pharming is misdirecting users to fraudulent websites or proxy servers, typically through DNS hijacking or poisoning.

Cracking is breaking passwords or bypassing software controls in an electronic authentication system, such as user registration. Scamming is impersonating a legitimate business using the Internet. The buyer should check out the seller before buying goods or services, and a legitimate seller should give out a physical address with a working telephone number.

162. Passwords and personal identification numbers (PINs) are examples of which of the following?

a. Procedural access controls

b. Physical access controls

c. Logical access controls

d. Administrative access controls

162. c. Logical, physical, and administrative controls are examples of access control mechanisms. Passwords, PINs, and encryption are examples of logical access controls.