Public credentials are shared widely, do not lead to an exposure of the token secret, and have little or no confidentiality requirements. Paper credentials are documents that attest to the identity of an individual (e.g., passports, birth certificates, and employee identity cards) and are based on written signatures, seals, special papers, and special inks. Electronic credentials bind an individual’s name to a token with the use of X.509 certificates and Kerberos tickets.
36. Authorization controls are a part of which of the following?
a. Directive controls
b. Preventive controls
c. Detective controls
d. Corrective controls
36. b. Authorization controls such as access control matrices and capability tests are a part of preventive controls because they block unauthorized access. Preventive controls deter security incidents from happening in the first place.
Directive controls are broad-based controls to handle security incidents, and they include management’s policies, procedures, and directives. Detective controls enhance security by monitoring the effectiveness of preventive controls and by detecting security incidents where preventive controls were circumvented. Corrective controls are procedures to react to security incidents and to take remedial actions on a timely basis. Corrective controls require proper planning and preparation as they rely more on human judgment.
37. In electronic authentication, after a credential has been created, which of the following is responsible for maintaining the credential in storage?
a. Verifier
b. Relying party
c. Credential service provider
d. Registration authority
37. c. The credential service provider (CSP) is the only one responsible for maintaining the credential in storage. The verifier and the CSP may or may not belong to the same entity. The other three choices are incorrect because they are not applicable to the situation here.
38. Which of the following is the correct definition of privilege management?
a. Privilege management = Entity attributes + Entity policies
b. Privilege management = Attribute management + Policy management
c. Privilege management = Resource attributes + Resource policies
d. Privilege management = Environment attributes + Environment policies
38. b Privilege management is defined as a process that creates, manages, and stores the attributes and policies needed to establish criteria that can be used to decide whether an authenticated entity’s request for access to some resource should be granted. Privilege management is conceptually split into two parts: attribute management and policy management. The attribute management is further defined in terms of entity attributes, resource attributes, and environment attributes. Similarly, the policy management is further defined in terms of entity policies, resource policies, and environment policies.
39. The extensible access control markup language (XACML) does not define or support which of the following?
a. Trust management
b. Privilege management
c. Policy language
d. Query language
39. a. The extensible access control markup language (XACML) is a standard for managing access control policy and supports the enterprise-level privilege management. It includes a policy language and a query language. However, XACML does not define authority delegation and trust management.
40. For intrusion detection and prevention system (IDPS) security capabilities, which of the following prevention actions should be performed first to reduce the risk of inadvertently blocking benign activity?
1. Alert enabling capability.
2. Alert disabling capability.
3. Sensor learning mode ability.
4. Sensor simulation mode ability.
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4
40. d. Some intrusion detection and prevention system (IDPS) sensors have a learning mode or simulation mode that suppresses all prevention actions and instead indicates when a prevention action should have been performed. This ability enables administrators to monitor and fine-tune the configuration of the prevention capabilities before enabling prevention actions, which reduces the risk of inadvertently blocking benign activity. Alerts can be enabled or disabled later.
41. In the electronic authentication process, which of the following is weakly resistant to man-in-the-middle (MitM) attacks?
a. Account lockout mechanism
b. Random data
c. Sending a password over server authenticated TLS
d. Nonce
41. c. A protocol is said to have weak resistance to MitM attacks if it provides a mechanism for the claimant to determine whether he is interacting with the real verifier, but still leaves the opportunity for the nonvigilant claimant to reveal a token authenticator to an unauthorized party that can be used to masquerade as the claimant to the real verifier. For example, sending a password over server authenticated transport layer security (TLS) is weakly resistant to MitM attacks. The browser enables the claimant to verify the identity of the verifier; however, if the claimant is not sufficiently vigilant, the password will be revealed to an unauthorized party who can abuse the information. The other three choices do not deal with MitM attacks, but they can enhance the overall electronic authentication process.
An account lockout mechanism is implemented on the verifier to prevent online guessing of passwords by an attacker who tries to authenticate as a legitimate claimant. Random data and nonce can be used to disguise the real data.
42. In the electronic authentication process, which of the following is strongly resistant to man-in-the-middle (MitM) attacks?
a. Encrypted key exchange (EKE)
b. Simple password exponential key exchange (SPEKE)
c. Secure remote password protocol (SRP)
d. Client authenticated transport layer security (TLS)
42. d. A protocol is said to be highly resistant to man-in-the-middle (MitM) attacks if it does not enable the claimant to reveal, to an attacker masquerading as the verifier, information (e.g., token secrets and authenticators) that can be used by the latter to masquerade as the true claimant to the real verifier. For example, in client authenticated transport layer security (TLS), the browser and the Web server authenticate one another using public key infrastructure (PKI) credentials, thus strongly resistant to MitM attacks. The other three choices are incorrect, because they are examples of being weakly resistant to MitM attacks and are examples of zero-knowledge password protocol where the claimant is authenticated to a verifier without disclosing the token secret.