
Identity-based and user-directed policies are incorrect because they are examples of discretionary access control. Identity-based access control is based only on the identity of the subject and object. In user-directed access controls, a subject can alter the access rights with certain restrictions. Rule-based policy is incorrect because it is an example of a mandatory type of access control and is based on specific rules relating to the nature of the subject and object.

209. Which of the following access mechanisms creates a potential security problem?

a. Location-based access mechanism

b. IP address-based access mechanism

c. Token-based access mechanism

d. Web-based access mechanism

209. b. IP address-based access mechanisms use Internet Protocol (IP) source addresses, which are not secure and are subject to IP address spoofing attacks. An IP address provides identification only, not authentication.

Location-based access mechanism is incorrect because it deals with a physical address, not an IP address. Token-based access mechanism is incorrect because it uses tokens as a means of identification and authentication. Web-based access mechanism is incorrect because it uses secure protocols to accomplish authentication. The other three choices accomplish both identification and authentication and do not create a security problem, as the IP address-based access mechanism does.

210. Rank the following authentication mechanisms from most to least protection against replay attacks.

a. Password only, password and PIN, challenge-response, and one-time password

b. Password and PIN, challenge response, one-time password, and password only

c. Challenge-response, one-time password, password and PIN, and password only

d. Challenge-response, password and PIN, one-time password, and password only

210. c. A challenge-response protocol is based on cryptography and works by having the computer generate a challenge, such as a random string of numbers. The smart token then generates a response based on the challenge. This is sent back to the computer, which authenticates the user based on the response. Smart tokens that use either challenge-response protocols or dynamic password generation can create one-time passwords that change periodically (e.g., every minute).

If the correct value is provided, the log-in is permitted, and the user is granted access to the computer system. Electronic monitoring is not a problem with one-time passwords because each time the user is authenticated to the computer, a different “password” is used. A hacker could learn the one-time password through electronic monitoring, but it would be of no value.

Passwords and personal identification numbers (PINs) have weaknesses such as disclosure and guessing. Passwords combined with PINs are better than passwords only. Both passwords and PINs are subject to electronic monitoring. Simple encryption of a password that will be used again does not solve the monitoring problem because encrypting the same password creates the same cipher-text; the cipher-text becomes the password.
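The two behaviours described above (a challenge-response token producing a value that is worthless once captured, versus a reused password whose fixed cipher-text becomes the password) as an added example, not code from the original text; the HMAC-based response function, the secret and the password values are constructed placeholders:

```python
import hashlib
import hmac
import secrets

# Constructed shared secret provisioned into the smart token and known to the
# authenticating computer (a placeholder, not a real key).
TOKEN_SECRET = b"constructed-token-secret-0001"


def server_issue_challenge() -> bytes:
    """Computer side: generate a fresh, unpredictable challenge."""
    return secrets.token_bytes(16)


def token_respond(secret: bytes, challenge: bytes) -> bytes:
    """Smart-token side: derive the response from the challenge and the secret."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def server_verify(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Computer side: recompute the expected response and compare in constant time."""
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def static_login(stored: bytes, presented: bytes) -> bool:
    """Recurring password: the same transformed value is sent every session."""
    return hmac.compare_digest(stored, presented)


def replay_outcomes() -> dict:
    """Simulate an eavesdropper who records one session and presents what was
    captured in a later session. Returns which replays the computer accepts."""
    # Recurring password: a fixed transform (hash here) of a reused password
    # yields the same bytes every time, so the captured bytes ARE the password.
    password = b"constructed-password"
    stored = hashlib.sha256(password).digest()
    captured_static = hashlib.sha256(password).digest()

    # Challenge-response: session 1 is observed; session 2 issues a new challenge,
    # so the captured response no longer matches what the computer expects.
    chal1 = server_issue_challenge()
    captured_resp = token_respond(TOKEN_SECRET, chal1)
    chal2 = server_issue_challenge()
    return {
        "genuine_response_accepted": server_verify(TOKEN_SECRET, chal1, captured_resp),
        "replayed_response_accepted": server_verify(TOKEN_SECRET, chal2, captured_resp),
        "static_replay_accepted": static_login(stored, captured_static),
    }
```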

211. Some security authorities believe that re-authentication of every transaction provides stronger security procedures. Which of the following security mechanisms is least efficient and least effective for re-authentication?

a. Recurring passwords

b. Nonrecurring passwords

c. Memory tokens

d. Smart tokens

211. a. Recurring passwords are static passwords that are reused and are considered a relatively weak security mechanism. Users tend to choose easily guessed passwords. Other weaknesses include spoofing of users, theft of passwords by observing keystrokes, and users sharing passwords. The unauthorized use of passwords by outsiders (hackers) or insiders is a primary concern, which is why recurring passwords are considered the least efficient and least effective security mechanism for re-authentication.

Nonrecurring passwords are incorrect because they provide a strong form of re-authentication. Examples include a challenge-response protocol or a dynamic password generator where a unique value is generated for each session. These values are not repeated and are good for that session only.

Tokens can help in re-authenticating a user or transaction. Memory tokens store but do not process information. Smart tokens expand the functionality of a memory token by incorporating one or more integrated circuits into the token itself. In other words, smart tokens store and process information. Except for passwords, all the other methods listed in the question are examples of advanced authentication methods that can be applied to re-authentication.

212. Which of the following lists a pair of compatible functions within the IT organization?

a. Computer operations and applications programming

b. Systems programming and data security administration

c. Quality assurance and data security administration

d. Production job scheduling and computer operations

212. c. Separation of duties is the first line of defense in the prevention, detection, and correction of errors, omissions, and irregularities. The objective is to ensure that no one person has complete control over a transaction throughout its initiation, authorization, recording, processing, and reporting. If the total risk is acceptable, then two different jobs can be combined. If the risk is unacceptable, the two jobs should not be combined. Both quality assurance and data security are staff functions and would not handle day-to-day operations tasks.

The other three choices are incorrect because they are examples of incompatible functions. The rationale is to minimize combinations of functions that are not conducive to a good internal control structure. For example, if a computer operator is also responsible for production job scheduling, he could submit unauthorized production jobs.

213. A security label, or access control mechanism, is supported by which of the following access control policies?

a. Role-based policy

b. Identity-based policy

c. User-directed policy

d. Mandatory access control policy

213. d. Mandatory access control is a type of access control that cannot be made more permissive by subjects. It is based on information sensitivity, expressed through security labels for clearance and data classification. Rule-based and administratively directed policies are examples of mandatory access control policy.

Role-based policy is an example of nondiscretionary access control. Access control decisions are based on the roles that individual users hold in an organization. This includes the specification of duties, responsibilities, obligations, and qualifications (e.g., a teller or loan officer associated with a banking system).

Both identity-based and user-directed policies are examples of discretionary access control. It is a type of access control that permits subjects to specify the access controls with certain limitations. Identity-based access control is based only on the identity of the subject and object. User-directed control is a type of access control in which subjects can alter the access rights with certain restrictions.
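A security-label check of the kind the mandatory access control answer describes, as an added example rather than code from the original text: it assumes the standard rule that a subject's clearance must dominate an object's classification (level and need-to-know categories) and that only an administrator, not an ordinary subject, may make a label more permissive. The level names are constructed.

```python
from dataclasses import dataclass, field

# Constructed hierarchical sensitivity levels; the numbers only fix the ordering.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """Security label: a hierarchical level plus need-to-know categories."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        """True when this label is at least as sensitive as `other` on both axes."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.categories <= self.categories)


def mac_read_allowed(clearance: Label, classification: Label) -> bool:
    """Read is permitted only if the subject's clearance dominates the object's label."""
    return clearance.dominates(classification)


def mac_write_allowed(clearance: Label, classification: Label) -> bool:
    """Write is permitted only if the object's label dominates the clearance,
    so data cannot flow into a less sensitive object."""
    return classification.dominates(clearance)


def relabel(is_administrator: bool, current: Label, proposed: Label) -> Label:
    """Subjects may not make a label more permissive; only the administratively
    directed policy (an administrator) may lower a classification."""
    if proposed.dominates(current) or is_administrator:
        return proposed
    raise PermissionError("subjects cannot make an object's label more permissive")
```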