Uploaded by vivian

Lesson 7: Implementing Authentication Controls

1. An Identity and Access Management (IAM) system has four main
processes. Which of the following is NOT one of the main processes?
A. Accounting
B. Identification
C. Integrity
D. Authentication
2. Analyze each scenario and determine which best describes the
authentication process in an Identity and Access Management (IAM)
system.
A. An account is created that identifies a user on the network.
B. A user logs into a system using a common access card (CAC) and PIN.
C. An Access Control List (ACL) is updated to allow a new user access to only
the databases that are required to perform their job.
D. A report is reviewed that shows every successful and unsuccessful login
attempt on a server.
3. Based on knowledge of the fundamentals of One-time Passwords (OTP),
which of the following choices represents the problem that exists with
HMAC-based One-time Password Algorithm (HOTP) and is addressed by
Time-based One-time Password Algorithm (TOTP)?
A. HOTP is not configured with a shared secret.
B. The server is not configured with a counter in HOTP.
C. Only the HOTP server computes the hash.
D. Tokens can be allowed to continue without expiring in HOTP.
4. Both Remote Authentication Dial-In User Service (RADIUS) and Terminal Access
Controller Access-Control System Plus (TACACS+) provide authentication,
authorization, and accounting using a separate server (the AAA server).
Based on the protocols' authentication processes, select the true
statements. (Select the best three choices.)
A. TACACS+ is open source and RADIUS is a proprietary protocol from Cisco.
B. RADIUS uses UDP by default and TACACS+ uses TCP.
C. TACACS+ encrypts the whole packet (except the header) and RADIUS only
encrypts the password.
D. RADIUS is primarily used for network access and TACACS+ is primarily
used for device administration.
5. A user presents a smart card to gain access to a building. Authentication is
handled through integration to a Windows server that's acting as a
certificate authority on the network. Review the security processes and
conclude which are valid when using Kerberos authentication. (Select all
that apply.)
A. Inputting a correct PIN authorizes the smart card's cryptoprocessor to use its
private key to create a Ticket Granting Ticket (TGT) request.
B. The smart card generates a one-time use Ticket Granting Service (TGS)
session key and certificate.
C. The Authentication Server (AS) trusts the user's certificate as it was issued by
a local certification authority.
D. The Authentication Server (AS) is able to decrypt the request because it has a
matching certificate.
6. A company receives a massive flood of requests which overloads the
company's intranet and services. What type of attack is the company
experiencing at this time?
A. The user is exposed to a replay attack.
B. The user is exposed to a brute force attack.
C. The user is exposed to a DoS attack.
D. The user is exposed to an offline attack.
7. Analyze the types of password cracker attacks to determine which
scenario best describes a brute force attack.
A. An attacker guesses the password using software that enumerates values in the
dictionary
B. An attacker uses a precomputed lookup table of all possible passwords and
their matching hashes
C. An attacker attempts every possible combination in the key space in order to
derive a plaintext password from a hash
D. An attacker tests dictionary words and names in combination with several
numeric prefixes
8. Evaluate how identification and authentication are distinct in their
functions. Which of the following scenarios best illustrates a user being
authenticated?
A. A user accesses a system by having their face scanned.
B. A system administrator sets up a user account for a new employee after HR
sends employment verification.
C. An administrator sends an initial password to a new telecommuting employee
through a VPN.
D. A user is assigned an SID.
9. Which of the following options represents Two-Factor Authentication
(2FA)?
A. A user logs in using a password and a PIN.
B. A user logs in using a password and a smart card.
C. A user logs in using a fingerprint and retina scanner.
D. A user logs in using a smart card and a key fob.
10. Which of the following password cracker attacks are combined to create a
typical hybrid password attack? (Select all that apply.)
A. Brute force
B. Dictionary
C. Salt
D. PTH
11. When a network uses Extensible Authentication Protocol (EAP) as the
authentication method, what access control standard restricts local traffic
to authentication data when a client connects over a Virtual Private
Network (VPN) gateway?
A. IEEE 802.1X
B. Kerberos
C. Terminal Access Controller Access-Control System Plus (TACACS+)
D. Remote Authentication Dial-in User Service (RADIUS)
12. Consider biometric methods that are used to authenticate a user. Knowing
that errors are possible, which of the following would most likely result in a
security breach?
A. False acceptance
B. False rejection
C. A low Crossover-Error-Rate (CER)
D. A low throughput
13. A security team has just added iris scanners to two access control points
in a secure facility. They are in the process of making adjustments to
ensure authorized users have access, while unauthorized users cannot
get through. Analyze the scenario and determine what metric the team is
in the process of fine-tuning.
A. Crossover error rate (CER)
B. False rejection rate (FRR)
C. False acceptance rate (FAR)
D. Type II error
14. Based on the known facts of password attacks, critique the susceptibility of
the password "DogHouse23" to an attack.
A. This is a sufficient password. It is ten characters and contains uppercase
characters, lowercase characters, and numbers.
B. This is an insufficient password. There are not enough uppercase characters
within the password.
C. This is a sufficient password. The password is easy for the user to remember
yet long enough to meet character requirements.
D. This is an insufficient password. The password contains words that are found
in the dictionary and does not contain special characters.
15. Regarding the various tools of biometric authentication and their
capabilities/limitations, which statement is accurate?
A. Retinal scanning is less intrusive than iris scanning.
B. Fingerprint scanners are the most widely used biometric authentication
method.
C. Fingerprint scanners are more expensive but use a straightforward process.
D. Sensor modules are the most preferred biometric authentication method.
16. Biometric authentication methods have different error rates, with some
methods being easier to fool than others. An unauthorized user is unlikely
to fool which of the following methods?
A. Fingerprint scan
B. Retinal scan
C. Facial recognition
D. Voice recognition
17. Evaluate the following controls that have been set by a system
administrator for an online retailer. Determine which statement
demonstrates the identification control within the Identity and Access
Management (IAM) system.
A. A control is set to cancel automatic shipments for any customer that has an
expired credit card on file.
B. A control is set to force a customer to log into their account prior to reviewing
and editing orders.
C. A control is set to force a customer to create an account prior to reviewing and
editing orders.
D. A control is set to record the date, time, IP address, customer account number,
and order details for each order.
18. Select the explanations that accurately describe the Ticket Granting Ticket
(TGT) role within the Authentication Service (AS). (Select all that apply.)
A. The AS responds with a TGT that contains information about the client,
including their name and IP address, along with a timestamp and validity
period. The TGT is encrypted with the secret key of the Authentication Server
(AS) to ensure its confidentiality and integrity during transmission and
storage.
B. The TGS is responsible for issuing service tickets to the client, which contain
a session key that is shared between the client and the requested service.
C. The client requesting the TGT must be time synchronized with the server
within 2 minutes, or the request will fail.
D. The TGT is a credential that the client issues to authenticate to the AS, and it
contains a session key that is shared only between the client and the TGS. This
session key is used to encrypt the client's credentials and authenticate the
client to the TGS when requesting a service ticket.
19. Analyze the features of behavioral technologies for authentication, and
choose the statements that accurately depict this type of biometric
authentication. (Select all that apply.)
A. Behavioral technologies are cheap to implement, but have a higher error rate
than other technologies.
B. Signature recognition is popular within this technology because everyone has
a unique signature that is difficult to replicate.
C. Obtaining a voice recognition template for behavioral technologies is rather
easy and can be obtained quickly.
D. Behavior technologies may use typing as a template, which matches the speed
and pattern of a user's input of a passphrase.

1.C

Integrity is the fundamental security goal of keeping organizational information
accurate, free of errors, and without unauthorized modifications. It is not one of
the IAM processes. IAM defines the attributes that comprise an entity's identity;
its four processes are Identification, Authentication, Authorization, and
Accounting.

Accounting is tracking authorized usage of a resource or use of rights by a
subject and alerting when unauthorized use is detected or attempted.

Identification is creating an account or ID that identifies the user, device, or
process on the network.

Authentication is proving that a subject is who or what it claims to be when
attempting to access the resource.

2.B

Authentication proves that a subject is who or what it claims to be when it
attempts to access the resource. Logging in with a CAC (something you have)
and a PIN (something you know) is an example of authentication.

Creating an account or ID that identifies the user, device, or process on the
network defines identification.

Authorization determines what rights subjects should have on each resource
and enforces those rights. A company employee may need network access
but will likely not need access to every resource, and limiting access limits a
company's risk.

Accounting tracks authorized usage of a resource or use of rights by a subject
and alerts when unauthorized use is detected or attempted. Reports and
audit logs account for who and what has been accessing network resources.

3.D

An HOTP value stays valid until its counter position has been consumed, so a
code that was generated (or intercepted) but never submitted can still be
accepted later, giving an attacker a window in which to replay it. TOTP
addresses this by replacing the event counter with a counter derived from the
current time (the Unix time divided by a time step, typically 30 seconds), so
each code expires automatically after a short window.

The authentication server and the client token are configured with the same
shared secret in both HOTP and TOTP.

The HOTP server is configured with a counter, which is combined with the shared
secret to create each one-time password. When an HOTP value is successfully
authenticated, the server's counter moves past that position.

The server and the device both compute the HMAC and derive a 6-8 digit
HOTP value from it.

4.BCD

RADIUS uses UDP by default over ports 1812 (authentication) and 1813
(accounting), and TACACS+ uses TCP on port 49.

TACACS+ encrypts the whole packet (except the header, which identifies the
packet as TACACS+ data), whereas RADIUS only obscures the User-Password
attribute, using an MD5-based keystream derived from the shared secret; the
rest of the packet, including the user name, is sent in cleartext.

RADIUS is primarily used for network access for a remote user and
TACACS+ is primarily used for device administration. TACACS+ provides
centralized control for administrators to manage routers, switches, and firewall
appliances, as well as user privileges.

RADIUS is an open standard (defined in IETF RFCs), not TACACS+. TACACS+
is a Cisco proprietary protocol.
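What "RADIUS only encrypts the password" means in practice, as an added example (not code from the original quiz or from any RADIUS implementation). `hide_user_password` and `reveal_user_password` implement the User-Password hiding procedure from RFC 2865 section 5.2; `guess_shared_secret` and the values in `demo` are constructed assumptions showing why a weak shared secret can be recovered offline from a single captured Access-Request.

```python
import hashlib
import os
from typing import Iterable, Optional


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s.5.2: pad the password with NULs to a multiple of 16 bytes, then XOR each
    16-byte block with MD5(shared_secret + previous block); the first block uses the 16-byte
    Request Authenticator. Only this attribute is protected; everything else is cleartext."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        hidden += block
        prev = block            # chaining: the next pad depends on the previous hidden block
    return hidden


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as performed by the RADIUS server."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strips the padding (a real password should not end in NUL)


def guess_shared_secret(hidden: bytes, request_authenticator: bytes,
                        known_password: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack on a captured Access-Request: an observer who knows (or can guess) one
    user's password can test shared-secret candidates without ever contacting the server."""
    for secret in candidates:
        if reveal_user_password(hidden, secret, request_authenticator) == known_password:
            return secret
    return None


def demo() -> dict:
    # Constructed values: a weak shared secret and the authenticator of one captured request.
    shared_secret = b"radius123"
    authenticator = os.urandom(16)          # random per Access-Request in real RADIUS
    password = b"Winter2024!"
    hidden = hide_user_password(password, shared_secret, authenticator)
    recovered = guess_shared_secret(hidden, authenticator, password,
                                    [b"secret", b"cisco", b"radius123", b"admin"])
    return {"hidden_len": len(hidden),
            "round_trip_ok": reveal_user_password(hidden, shared_secret, authenticator) == password,
            "guessed_secret": recovered}


if __name__ == "__main__":
    print(demo())
```

Because the keystream is MD5 of the shared secret and a value that is in the packet, the security of the password reduces entirely to the secrecy and strength of the shared secret; this is why deployments carry RADIUS over an encrypted transport (IPsec or RadSec) rather than relying on the attribute hiding alone.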

5.AC

Inputting the correct PIN authorizes the smart card's cryptoprocessor to use its
private key to sign a Ticket Granting Ticket (TGT) request to the
Authentication Server (AS).

The AS can trust the user's certificate when it was issued by a certification
authority the AS trusts, whether a local enterprise CA or a third-party root CA.

The AS, not the smart card, responds with the TGT and the Ticket Granting
Service (TGS) session key.

The AS does not need a matching certificate of its own. It validates the
request using the public key contained in the user's smart-card certificate
and its trust in the CA that issued that certificate.

6.C

Flooding the company's connection in and out of the network so that legitimate
requests cannot be served is a Denial of Service (DoS) attack. An attacker can do
this in various ways; one example is to open connections to an externally facing
device faster than it can handle them. A company can throttle or rate-limit
connections to mitigate DoS attacks.

In a replay attack, an intercepted key or password hash is reused to gain access to a
resource. This is prevented with once-only tokens or timestamping; it does not
overload services.

A brute force attack is where an attacker uses an application to exhaustively try every
possible combination to crack passwords. Restricting logon attempts is a way to
mitigate this threat.

In an offline attack, a password cracker works on a downloaded password database
without having to interact with the authentication system, so it generates no load
on the company's services.

7.C

A brute force attack attempts every possible combination in the key space in order to
derive a plaintext password from a hash. For a password, the key space is determined
by the size of the character set and the password length.

A hybrid password attack uses a combination of dictionary and brute force attacks. It
is principally targeted against naively strong passwords. The password cracking
algorithm tests dictionary words and names in combination with several numeric
prefixes or suffixes.

A rainbow table attack refines the dictionary approach. The attacker uses a
precomputed lookup table of possible passwords and their matching hashes.

A dictionary attack can be used where there is a good chance of guessing the likely
value of the plaintext, such as a non-complex password.

8.A

A face scan is a biometric, "something you are" authentication factor. This is
known as physiological biometric recognition.

Creating a user account based on an official company document is an identification
process called identity proofing, or verifying that subjects are who they say they are.

By creating and sending the initial password over a Virtual Private Network (VPN),
the administrator is securely transmitting credentials as part of the identification
(account provisioning) process, not authenticating the user.

Identification of a subject on a computer system is done through an account. An
account consists of an identifier, credentials, and a profile. Each identifier must be
unique, which is accomplished with a Security Identifier (SID) string.

9.B

In Two-Factor Authentication (2FA), a user must possess two of the three
authentication types of "something you know", "something you have", or
"something you are". Using a password and a smart card would be 2FA since
it combines "something you know" (password) with "something you have"
(smart card).

Using a password and a PIN is not 2FA since they both are "something you
know."

Using a fingerprint and a retinal scanner is not 2FA since they both are
"something you are."

Using a smart card and a key fob is not 2FA since they both are "something
you have."

10.AB

A typical hybrid password attack uses a combination of dictionary and brute force
attacks.

A dictionary attack is a type of password attack that compares hashed passwords
against a predetermined list of possible password values. A brute force attack attempts
every possible combination in the key space in order to derive a plaintext password
from a hash.

Salt is a random or pseudo-random number or string. The term salt is used specifically
in conjunction with hashing password values; it defeats precomputed tables but is not
itself an attack.

A pass the hash (PTH) attack occurs when an attacker obtains the hash of a user's
password and presents the hash (without cracking it) to authenticate to network
protocols.

11.A

The IEEE 802.1X Port-based Network Access Control (NAC) standard
provides the means of using an EAP method when a device connects to a
VPN gateway. With 802.1X, the network access server (NAS) device
accepting remote connections does not have to store any authentication
credentials. The network access server forwards only EAP authentication data
between the authentication server (implemented by TACACS+ or RADIUS)
and the supplicant requesting remote access. Full network access is only
granted once the supplicant has been authenticated.

Kerberos is designed to work over a trusted local network. Different
authentication protocols have been developed to work with remote access
protocols, where the connection is made over a serial link or virtual private
network (VPN).

TACACS+ can implement the authentication server role, but does not
provision the full set of supplicant, authenticator, and authentication server
roles required for a VPN topology. Also, TACACS+ is more commonly used to
authenticate administrative access to network appliances than to authenticate
remote access VPNs.

RADIUS can implement the authentication server role, but does not provision
the full set of supplicant, authenticator, and authentication server roles
required for a VPN topology.

12.A

Regarding biometric authentication, a false positive is where an unauthorized
person is accepted, leading to a possible security breach. The rate at which this
happens is the False Acceptance Rate (FAR).

A false negative is where a legitimate user is not recognized, denying the user
access and causing an inconvenience. This event does not result in a breach.
The rate at which this happens is the False Rejection Rate (FRR).

The Crossover Error Rate (CER) is the point at which FRR equals FAR. A
lower CER indicates a more accurate and reliable system.

Throughput refers to the time required to create a user template and to
authenticate. While this is a major consideration for high-traffic access points
(airports), low throughput would frustrate users but is not a breach risk.

13.A

Fine-tuning a biometric system means adjusting the matching threshold so that
the false rejection rate and the false acceptance rate are balanced; the point at
which the two rates meet is the crossover error rate (CER).

The false rejection rate (FRR) is also known as a type I error, which rejects
authorized users.

The false acceptance rate (FAR) is the rate at which the system lets in
unauthorized users, which constitutes a security breach.

A type II error is a false positive, measured by the false acceptance rate
(FAR). This is the rate at which unauthorized personnel gain access to the
secure facility.
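How FAR, FRR and CER relate to the matching threshold the team is tuning, as an added example serving questions 12 and 13 (not code from the original quiz or from any biometric product). The match scores in `GENUINE` and `IMPOSTOR` are constructed sample data; the threshold sweep and the `tune` helper are assumptions written to show that lowering one error rate raises the other.

```python
from typing import List, Tuple

# Constructed similarity scores (0 = no match, 1 = perfect match) from a test campaign:
# attempts by enrolled users and attempts by people who are not enrolled.
GENUINE = [0.62, 0.70, 0.74, 0.78, 0.81, 0.84, 0.86, 0.88,
           0.90, 0.92, 0.93, 0.95, 0.96, 0.97, 0.98, 0.99]
IMPOSTOR = [0.05, 0.12, 0.20, 0.28, 0.33, 0.40, 0.45, 0.52,
            0.58, 0.63, 0.68, 0.72, 0.75, 0.80, 0.85, 0.90]


def far(threshold: float, impostor: List[float]) -> float:
    """False acceptance rate: impostor attempts scoring at or above the threshold (type II)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: float, genuine: List[float]) -> float:
    """False rejection rate: genuine attempts scoring below the threshold (type I)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def sweep(genuine: List[float], impostor: List[float], steps: int = 100) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for every threshold from 0.00 to 1.00."""
    return [(t / steps, far(t / steps, impostor), frr(t / steps, genuine)) for t in range(steps + 1)]


def crossover(genuine: List[float], impostor: List[float], steps: int = 100) -> Tuple[float, float, float]:
    """The threshold at which FAR and FRR are closest: its error rate is the CER."""
    return min(sweep(genuine, impostor, steps), key=lambda row: abs(row[1] - row[2]))


def tune(genuine: List[float], impostor: List[float], max_far: float, steps: int = 100) -> Tuple[float, float, float]:
    """Security-first tuning: the lowest threshold whose FAR does not exceed max_far,
    together with the FRR (user inconvenience) that choice costs."""
    for row in sweep(genuine, impostor, steps):
        if row[1] <= max_far:
            return row
    return sweep(genuine, impostor, steps)[-1]


if __name__ == "__main__":
    t, f, r = crossover(GENUINE, IMPOSTOR)
    print(f"CER at threshold {t:.2f}: FAR={f:.4f} FRR={r:.4f}")
    t, f, r = tune(GENUINE, IMPOSTOR, max_far=0.0)
    print(f"Zero-FAR setting {t:.2f}: FRR={r:.4f} (that many legitimate users turned away)")
```

On the constructed data the crossover sits around a threshold of 0.76 with both rates at 3/16, while forcing FAR to zero pushes the threshold past every impostor score and rejects more than half of genuine attempts; a secure facility would accept a higher FRR than a consumer device, but the shape of the trade-off is the same.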

14.D

The password does not contain special characters, and also contains words that are
found in the dictionary. Both of these attributes make the password vulnerable.

The length of the password may be sufficient based on the rules set forth by the
system administrator and company policy. The company policy may or may not
require the use of special characters, and this is unknown from the scenario.

The password is insufficiently complex. The inclusion of uppercase letters alone does
not make a password complex.

While it is correct that the user may be able to remember this password easily, that
also makes it susceptible to attack. Dictionary words make it that much easier for an
attacker to crack the password.

15.B

Regarding biometric authentication, fingerprint scanning is the most widely
implemented biometric authentication method.

To the contrary, iris scanning is less intrusive than retinal scanning; it matches
patterns on the surface of the eye using near-infrared imaging.

Contrary to having higher costs, the technology required for scanning and recording
fingerprints is relatively inexpensive and the process quite straightforward.

A sensor module acquires the biometric sample from the target but is not a biometric
authentication method in itself.

16.B

Biometric authentication based on a retinal scan is the hardest method to fool. Retinal
scanning identifies the pattern of blood vessels within the eye, whereas an iris scan
only uses the surface of the eye.

It is possible to obtain a copy of a user's fingerprint and create a mold of it that will
fool a fingerprint scanner.

Facial recognition suffers from relatively high false acceptance and rejection rates,
and as a result is vulnerable to spoofing.

Voice recognition is subject to impersonation. It is also sensitive to background noise
and other environmental factors, which can interfere with authentication.

17.C

Identification controls ensure that each customer has a unique account, which is the
identity that later authentication and authorization decisions refer to. An example is
to require each customer to create an account prior to allowing them to review or edit
orders or to store billing and shipping information.

Authentication controls ensure that only the account's owner can use it. An example
is to require a customer to log into their account before reviewing and editing orders.

Cancelling automatic shipments when a credit card has expired is a business
validation rule rather than an IAM control.

Accounting controls include maintaining a record of each action taken by a customer
to ensure that they cannot deny placing an order. Records may include order details,
date, time, and IP address information.

18.AB

The AS issues a TGT to the client after successful authentication, and it contains
information about the client, including their name and IP address, along with a
timestamp and validity period. The TGT is encrypted with the secret key of the
Authentication Server (AS) to ensure its confidentiality and integrity during
transmission and storage.

The TGS issues service tickets to the client, and these tickets contain a session key
that is shared between the client and the requested service. The TGT does not contain
any service session key for use between the client and the application server.

The TGT is time-stamped. This means that workstations and servers on the network
must be synchronized (to within five minutes), or a TGT will be rejected. This helps
prevent replay attacks.

The TGT is not a credential that the client uses to authenticate to the AS. The TGT is
issued to the client by the AS after successful authentication, and it contains a session
key that is used to authenticate the client to the TGS when requesting a service ticket.
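The AS and TGS exchanges described in questions 5 and 18, simulated end to end as an added example (this is not Kerberos code from the original quiz, from MIT Kerberos or from Windows). `seal`/`unseal` are a toy encrypt-then-MAC that stands in for a real Kerberos encryption type, the `KDC` class plays both AS and TGS in one process, the principal names and keys are constructed, and the 5-minute `SKEW` tolerance is the one the answer quotes; in real PKINIT the client's pre-authentication would be a smart-card signature rather than a timestamp sealed under a password-derived key.

```python
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds: tolerance for clock difference between client and KDC (5 minutes)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, i = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC; assumption standing in for a Kerberos encryption type."""
    plaintext = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service (AS) and Ticket Granting Service (TGS) in one process."""

    def __init__(self, principals: dict, clock: int):
        self.principals = principals          # name -> long-term key
        self.clock = clock                    # the KDC's own clock
        self.krbtgt_key = os.urandom(32)      # shared by AS and TGS; the client never learns it

    def as_exchange(self, client: str, preauth: bytes):
        client_key = self.principals[client]
        ts = unseal(client_key, preauth)["timestamp"]   # proves knowledge of the client key
        if abs(self.clock - ts) > SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW: client clock outside tolerance")
        tgs_session = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"client": client, "session": tgs_session,
                                     "auth_time": self.clock, "end_time": self.clock + 10 * 3600})
        return tgt, seal(client_key, {"session": tgs_session})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        t = unseal(self.krbtgt_key, tgt)                  # only the KDC can open a TGT
        if self.clock > t["end_time"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["client"] != t["client"] or abs(self.clock - a["timestamp"]) > SKEW:
            raise PermissionError("authenticator rejected")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.principals[service], {"client": t["client"], "session": svc_session})
        return ticket, seal(bytes.fromhex(t["session"]), {"service": service, "session": svc_session})


def client_login(kdc: KDC, user: str, key: bytes, service: str, client_now: int) -> dict:
    tgt, enc = kdc.as_exchange(user, seal(key, {"timestamp": client_now}))
    tgs_session = bytes.fromhex(unseal(key, enc)["session"])   # AS-REP part the client can read
    try:
        unseal(key, tgt)
        tgt_readable = True
    except ValueError:
        tgt_readable = False                                   # TGT is opaque to the client
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(tgs_session, {"client": user, "timestamp": client_now}), service)
    return {"tgt_readable_by_client": tgt_readable, "ticket": ticket,
            "service_session": unseal(tgs_session, enc2)["session"]}


def run_demo() -> dict:
    now = 1_700_000_000
    alice_key, svc_key = os.urandom(32), os.urandom(32)
    kdc = KDC({"alice": alice_key, "http/web.example": svc_key}, clock=now)
    res = client_login(kdc, "alice", alice_key, "http/web.example", client_now=now)
    body = unseal(svc_key, res["ticket"])                      # the service opens its own ticket
    res["service_sees_same_key"] = body["session"] == res["service_session"]
    res["service_sees_client"] = body["client"]
    try:                                                        # client clock 10 minutes ahead
        client_login(kdc, "alice", alice_key, "http/web.example", client_now=now + 600)
        res["skew_rejected"] = False
    except PermissionError:
        res["skew_rejected"] = True
    return res
```

The run shows the three facts the answer key relies on: the client cannot read the TGT it carries (it is sealed under the krbtgt key), the service session key in the ticket is the same one the client received sealed under the TGS session key, and a client whose clock is more than five minutes out is refused before any ticket is issued.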

19.AD

Behavioral technologies are sometimes classified as "something you do."
These technologies often have a lower cost to implement than other types of
biometric systems, but they have a higher error rate.

Typing is used as a behavioral technology, and the template is based on the
speed and pattern of a user's input of a passphrase.

Signature recognition is not based on the actual signature, since that is easy
to replicate. Instead, it is based on the process of applying a signature, such
as the stroke, speed, and pressure of the stylus.

Obtaining a voice recognition template is not a fast process, and can be
difficult. Background noise and other environmental factors can also interfere
with authentication.
