b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.
26. b. In token duplication, the subscriber’s token has been copied with or without the subscriber’s knowledge. A countermeasure is to use hardware cryptographic tokens that are difficult to duplicate. Physical security mechanisms can also be used to protect a stolen token from duplication because they provide tamper evidence, detection, and response capabilities. The other three choices cannot handle a duplicate tokens problem.
27. Eavesdropping is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the eavesdropping threat?
a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.
27. c. A countermeasure to mitigate the eavesdropping threat is to use tokens with dynamic authenticators where knowledge of one authenticator does not assist in deriving a subsequent authenticator. The other choices are incorrect because they cannot provide dynamic authentication.
28. Identifier management is applicable to which of the following accounts?
a. Group accounts
b. Local user accounts
c. Guest accounts
d. Anonymous accounts
28. b. All users accessing an organization’s information systems must be uniquely identified and authenticated. Identifier management is applicable to local user accounts where the account is valid only on a local computer, and its identity can be traced to an individual. Identifier management is not applicable to shared information system accounts, such as group, guest, default, blank, anonymous, and nonspecific user accounts.
29. Phishing or pharming is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the phishing or pharming threat?
a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.
29. c. A countermeasure to mitigate the phishing or pharming threat is to use tokens with dynamic authenticators where knowledge of one authenticator does not assist in deriving a subsequent authenticator. The other choices are incorrect because they cannot provide dynamic authentication.
Phishing is tricking individuals into disclosing sensitive personal information through deceptive computer-based means. Phishing attacks use social engineering and technical subterfuge to steal consumers’ personal identity data and financial account credentials. It involves Internet fraudsters who send spam or pop-up messages to lure personal information (e.g., credit card numbers, bank account information, social security numbers, passwords, or other sensitive information) from unsuspecting victims. Pharming is misdirecting users to fraudulent websites or proxy servers, typically through DNS hijacking or poisoning.
30. Theft is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the theft threat?
a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.
30. d. A countermeasure to mitigate the threat of token theft is to use multifactor tokens that need to be activated through a PIN or biometric. The other choices are incorrect because they cannot provide multifactor tokens.
31. Social engineering is a threat to the tokens used for electronic authentication. Which of the following is a countermeasure to mitigate the social engineering threat?
a. Use tokens that generate high entropy authenticators.
b. Use hardware cryptographic tokens.
c. Use tokens with dynamic authenticators.
d. Use multifactor tokens.
31. c. A countermeasure to mitigate the social engineering threat is to use tokens with dynamic authenticators where knowledge of one authenticator does not assist in deriving a subsequent authenticator. The other choices are incorrect because they cannot provide dynamic authentication.
32. In electronic authentication, which of the following is used to verify proof-of-possession of registered devices or identifiers?
a. Lookup secret token
b. Out-of-band token
c. Token lock-up feature
d. Physical security mechanism
32. b. Out-of-band tokens can be used to verify proof-of-possession of registered devices (e.g., cell phones) or identifiers (e.g., e-mail IDs). The other three choices cannot verify proof-of-possession. Lookup secret tokens can be copied. Some tokens can lock up after a number of repeated failed activation attempts. Physical security mechanisms can be used to protect a stolen token from duplication because they provide tamper evidence, detection, and response capabilities.
33. In electronic authentication, which of the following are examples of weakly bound credentials?
1. Unencrypted password files
2. Signed password files
3. Unsigned public key certificates
4. Signed public key certificates
a. 1 only
b. 1 and 3
c. 1 and 4
d. 2 and 4
33. b. Unencrypted password files and unsigned public key certificates are examples of weakly bound credentials. The association between the identity and the token within a weakly bound credential can be readily undone, and a new association can be readily created. For example, a password file is a weakly-bound credential because anyone who has “write” access to the password file can potentially update the association contained within the file.
34. In electronic authentication, which of the following are examples of strongly bound credentials?
1. Unencrypted password files
2. Signed password files
3. Unsigned public key certificates
4. Signed public key certificates
a. 1 only
b. 1 and 3
c. 1 and 4
d. 2 and 4
34. d. Signed password files and signed public key certificates are examples of strongly bound credentials. The association between the identity and the token within a strongly bound credential cannot be easily undone. For example a digital signature binds the identity to the public key in a public key certificate; tampering of this signature can be easily detected through signature verification.
35. In electronic authentication, which of the following can be used to derive, guess, or crack the value of the token secret or spoof the possession of the token?
a. Private credentials
b. Public credentials
c. Paper credentials
d. Electronic credentials
35. a. A private credential object links a user’s identity to a representation of the token in a way that the exposure of the credential to unauthorized parties can lead to any exposure of the token secret. A private credential can be used to derive, guess, or crack the value of the token secret or spoof the possession of the token. Therefore, it is important that the contents of the private credential be kept confidential (e.g., a hashed password values).