43. In electronic authentication, which of the following controls is effective against cross site scripting (XSS) vulnerabilities?
a. Sanitize inputs to make them nonexecutable.
b. Insert random data into any linked uniform resource locator.
c. Insert random data into a hidden field.
d. Use a per-session shared secret.
43. a. In a cross site scripting (XSS) vulnerability, an attacker may use an extensible markup language (XML) injection to perform the equivalent of an XSS, in which requesters of a valid Web service have their requests transparently rerouted to an attacker-controlled Web service that performs malicious operations. To prevent XSS vulnerabilities, the relying party should sanitize inputs from claimants or subscribers to ensure they are not executable, or at the very least not malicious, before displaying them as content to the subscriber’s browser. The other three choices are incorrect because they are not applicable to the situation here.
44. In electronic authentication, which of the following controls is not effective against a cross site request forgery (CSRF) attack?
a. Sanitize inputs to make them nonexecutable.
b. Insert random data into any linked uniform resource locator.
c. Insert random data into a hidden field.
d. Generate a per-session shared secret.
44. a. A cross site request forgery (CSRF) is a type of session hijacking attack where a malicious website contains a link to the URL of the legitimate relying party. Web applications, even those protected by secure sockets layer/transport layer security (SSL/TLS), can still be vulnerable to the CSRF attack. One control to protect the CSRF attack is by inserting random data, supplied by the relying party, into any linked uniform resource locator with side effects and into a hidden field within any form on the relying party’s website. Generating a per-session shared secret is effective against a session hijacking problem. Sanitizing inputs to make them nonexecutable is effective against cross site scripting (XSS) attacks, not CSRF attacks.
45. In electronic authentication, which of the following can mitigate the threat of assertion manufacture and/or modification?
a. Digital signature and TLS/SSL
b. Timestamp and short lifetime of validity
c. Digital signature with a key supporting nonrepudiation
d. HTTP and TLS
45. a. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion manufacture and/or modification, the assertion may be digitally signed by the verifier and the assertion sent over a protected channel such as TLS/SSL. The other three choices are incorrect because they are not applicable to the situation here.
46. In electronic authentication, which of the following can mitigate the threat of assertion reuse?
a. Digital signature and TLS/SSL
b. Timestamp and short lifetime of validity
c. Digital signature with a key supporting nonrepudiation
d. HTTP and TLS
46. b. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion reuse, the assertion should include a timestamp and a short lifetime of validity. The other three choices are incorrect because they are not applicable to the situation here.
47. In electronic authentication, which of the following can mitigate the threat of assertion repudiation?
a. Digital signature and TLS/SSL
b. Timestamp and short lifetime of validity
c. Digital signature with a key supporting nonrepudiation
d. HTTP and TLS
47. c. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion repudiation, the assertion may be digitally signed by the verifier using a key that supports nonrepudiation. The other three choices are incorrect because they are not applicable to the situation here.
48. In electronic authentication, which of the following can mitigate the threat of assertion substitution?
a. Digital signature and TLS/SSL
b. Timestamp and short lifetime of validity
c. Digital signature with a key supporting nonrepudiation
d. HTTP and TLS
48. d. An assertion is a statement from a verifier to a relying party that contains identity information about a subscriber. To mitigate the threat of assertion substitution, the assertion may include a combination of HTTP to handle message order and TLS to detect and disallow malicious reordering of packets. The other three choices are incorrect because they are not applicable to the situation here.
49. Serious vulnerabilities exist when:
a. An untrusted individual has been granted an unauthorized access.
b. A trusted individual has been granted an authorized access.
c. An untrusted individual has been granted an authorized access.
d. A trusted individual has been granted an unauthorized access.
49. a. Vulnerabilities typically result when an untrusted individual is granted unauthorized access to a system. Granting unauthorized access is riskier than granting authorized access to an untrusted individual, and trusted individuals are better than untrusted individuals. Both trust and authorization are important to minimize vulnerabilities. The other three choices are incorrect because serious vulnerabilities may not exist with them.
50. In mobile device authentication, password and personal identification number (PIN) authentication is an example of which of the following?
a. Proof-by-possession
b. Proof-by-knowledge
c. Proof-by-property
d. Proof-of-origin
50. b. Proof-by-knowledge is where a claimant authenticates his identity to a verifier by the use of a password or PIN (i.e., something you know) that he has knowledge of.
Proof-by-possession and proof-by-property, along with proof-by-knowledge, are used in mobile device authentication and robust authentication. Proof-of-origin is the basis to prove an assertion. For example, a private signature key is used to generate digital signatures as a proof-of-origin.
51. In mobile device authentication, fingerprint authentication is an example of which of the following?
a. Proof-by-possession
b. Proof-by-knowledge
c. Proof-by-property
d. Proof-of-origin
51. c. Proof-by-property is where a claimant authenticates his identity to a verifier by the use of a biometric sample such as fingerprints (i.e., something you are).
Proof-by-possession and proof-by-knowledge, along with proof-by-property, are used in mobile device authentication and robust authentication. Proof-of-origin is the basis to prove an assertion. For example, a private signature key is used to generate digital signatures as a proof-of-origin.
52. Which of the following actions is effective for reviewing guest/anonymous accounts, temporary accounts, inactive accounts, and emergency accounts?