a. Static authentication

b. Robust authentication

c. Intermittent authentication

d. Continuous authentication

5. d. Continuous authentication protects against impostors (active attacks) by applying a digital signature algorithm to every bit of data sent from the claimant to the verifier. Also, continuous authentication prevents session hijacking. Static authentication uses reusable passwords, which can be compromised by replay attacks. Robust authentication includes one-time passwords and digital signatures, which can be compromised by session hijacking. Intermittent authentication is not useful because of gaps in user verification.

6. What is the basis for a two-factor authentication mechanism?

a. Something you know and a password

b. Something you are and a fingerprint

c. Something you have and a key

d. Something you have and something you know

6. d. A two-factor authentication uses two different kinds of evidence. For example, a challenge-response token card typically requires both physical possession of the card (something you have, one factor) and a PIN (something you know, another factor). The other three choices have only one factor to authenticate.

7. Individual accountability does not include which of the following?

a. Unique identifiers

b. Access rules

c. Audit trails

d. Policies and procedures

7. d. A basic tenet of IT security is that individuals must be accountable for their actions. If this is not followed and enforced, it is not possible to successfully prosecute those who intentionally damage or disrupt systems or to train those whose actions have unintended adverse effects. The concept of individual accountability drives the need for many security safeguards, such as unique (user) identifiers, audit trails, and access authorization rules. Policies and procedures indicate what to accomplish and how to accomplish objectives. By themselves, they do not exact individual accountability.

8. Which of the following user identification and authentication techniques depend on reference profiles or templates?

a. Memory tokens

b. Smart tokens

c. Cryptography

d. Biometric systems

8. d. Biometric systems require the creation and storage of profiles or templates of individuals wanting system access. This includes physiological attributes such as fingerprints, hand geometry, or retina patterns, or behavioral attributes such as voice patterns and hand-written signatures. Memory tokens and smart tokens involve the creation and distribution of token/PINs and data that tell the computer how to recognize valid tokens or PINs. Cryptography requires the generation, distribution, storage, entry, use, distribution, and archiving of cryptographic keys.

9. Some security authorities believe that re-authentication of every transaction provides stronger security procedures. Which of the following security mechanisms is least efficient and least effective for re-authentication?

a. Recurring passwords

b. Nonrecurring passwords

c. Memory tokens

d. Smart tokens

9. a. Recurring passwords are static passwords with reuse and are considered to be a relatively weak security mechanism. Users tend to use easily guessed passwords. Other weaknesses include spoofing users, users stealing passwords through observing keystrokes, and users sharing passwords. The unauthorized use of passwords by outsiders (hackers) or insiders is a primary concern and is considered the least efficient and least effective security mechanism for re-authentication.

Nonrecurring passwords is incorrect because they provide a strong form of re-authentication. Examples include a challenge-response protocol or a dynamic password generator where a unique value is generated for each session. These values are not repeated and are good for that session only. Tokens can help in re-authenticating a user or transaction. Memory tokens store but do not process information. Smart tokens expand the functionality of a memory token by incorporating one or more integrated circuits into the token itself. In other words, smart tokens store and process information. Except for passwords, all the other methods listed in the question are examples of advanced authentication methods that can be applied to re-authentication.

Sources and References

“Access Control in Support of Information Systems, Security Technical Implementation Guide (DISA-STIG, Version 2 and Release 2),” Defense Information Systems Agency (DISA), U.S. Department of Defense (DOD), December 2008.

“Assessment of Access Control Systems (NISTIR 7316),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, September 2006.

“Electronic Authentication Guideline (NIST SP800-63R1),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, December 2008.

“Guide to Enterprise Password Management (NIST SP800-118 Draft),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, April 2009.

“Guide to Intrusion Detection and Prevention Systems (NIST SP800-94),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, February 2007.

“Guide to Storage Encryption Technologies (NIST SP 800-111),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, November 2007.

“Interfaces for Personal Identity Verification (NIST SP 800-73R1),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, March 2006.

“Privilege Management (NISTIR 7657 V0.4 Draft),” National Institute of Standards and Technology (NIST), U.S. Department of Commerce, Gaithersburg, Maryland, November 2009.

Domain 2

Telecommunications and Network Security

Traditional Questions, Answers, and Explanations

1. If QoS is quality of service, QoP is quality of protection, QA is quality assurance, QC is quality control, DoQ is denial of quality, and DoS is denial of service, which of the following affects a network system’s performance?

1. QoS and QoP

2. QA and QC

3. DoQ

4. DoS

a. 1 only

b. 1 and 4

c. 2 and 3

d. 1, 2, 3, and 4

1. d. All four items affect a network system performance. QoS parameters include reliability, delay, jitter, and bandwidth, where applications such as e-mail, file transfer, Web access, remote login, and audio/video require different levels of the parameters to operate at different quality levels (i.e., high, medium, or low levels).

QoP requires that overall performance of a system should be improved by prioritizing traffic and considering the rate of failure or average latency at the lower layer protocols.

QA is the planned systematic activities necessary to ensure that a component, module, or system conforms to established technical requirements. QC is the prevention of defective components, modules, and systems. DoQ results from not implementing the required QA methods and QC techniques for delivering messages, packets, and services.