Week 6 - Cyber Security Answers and Explanations
Lauren is designing a multifactor authentication system for her company. She has decided to use a passphrase, a time-based code generator, and a PIN to provide additional security. How many distinct factors will she have implemented when she is done?
Two
While it may seem like Lauren has implemented three different factors, both a PIN and a passphrase are knowledge-based factors and cannot be considered distinct factors. She has implemented two distinct factors with her design. If she wanted to add a third factor, she could replace either the passphrase or the PIN with a fingerprint scan or other biometric factor.
Jim was originally hired into the helpdesk at his current employer but has since then moved into finance. During a rights audit, it is discovered that he still has the ability to change passwords for other staff members. What is this issue called?
A person who has access to a resource beyond what is needed for their role.
Privilege creep occurs as staff members change roles but their rights and permissions are not updated to match their new responsibilities. This violates the concept of least privilege. Rights mismanagement and permission misalignment are both terms made up for this question.
2013’s Yahoo breach resulted in almost 1 billion MD5 hashed passwords being exposed. What user behaviour creates the most danger when this type of breach occurs?
Password Breach
Breaches of passwords stored in easily recoverable or reversible formats, paired with user IDs or other identifying information, create significant threats if users reused passwords. Attackers can easily test the passwords they recover against other sites and services. Poor password reset questions are a threat even without a breach, and unencrypted password storage is an issue during breaches, but poor storage is what enables this type of breach rather than a consequence of it. Use of federated credentials is not a critical concern in cases like this.
Authentication that uses the IP address, geographic location, and time of day to help validate the user is known as what type of authentication?
Context based
Context-based authentication allows authentication decisions to be made based on information about the user, the system they are using, or other data like their geographic location, behavior, or even time of day. Token-based authentication uses a security token to generate a one-time password or value, and NAC is network access control, a means of validating systems and users that connect to a network. System-data contextual is a made-up answer for this question.
Which of the following technologies is not a shared authentication technology?
LDAP
LDAP is sometimes used for single sign-on but is not a shared authentication technology. OpenID Connect, OAuth, and Facebook Connect are all examples of shared authentication technologies.
Jason has user rights on his Linux workstation, but he wants to read his department’s financial reports, which he knows are stored in a directory that only administrators can access. He executes a local exploit, which gives him the ability to act as root. What type of attack is this?
Privilege Escalation
Jason’s exploit is a form of privilege escalation, which uses a flaw to gain elevated privileges. Local users have a far greater ability to attempt these attacks in most organizations, since flaws that are only exploitable locally often get less attention from administrators than those that can be exploited remotely. A zero-day attack would use previously unknown flaws to exploit a system, rootkits are aimed at acquiring and maintaining long-term access to systems, and session hijacking focuses on taking over existing sessions.
Which of the following methods is not an effective method for preventing brute-force password guessing attacks via login portals?
Returning an HTTP error
CAPTCHAs, login throttling, and locking out accounts after a set number of failed logins are all useful techniques to stop or delay brute-force password guessing attacks. Some sites also use unique URLs, or limit the IP ranges that systems can authenticate from. Returning an HTTP error actually works in the attacker’s favour, as they can key off of that error to try their next login attempt!
Ben’s successful attack on an authenticated user required him to duplicate the cookies that the web application put in place to identify the legitimate user. What type of attack did Ben conduct?
Session hijacking
Ben successfully conducted a session hijacking attack by copying session information and using the existing session. If he had impersonated a legitimate user, it would have been an impersonation attack, while a MitM attack would require being in the flow of traffic between two systems or services. Privilege escalation attacks focus on acquiring higher levels of privilege.
Michelle has a security token that her company issues to her. What type of authentication factor does she have?
Possession
Michelle’s security token is an example of a possession factor, or “something you have.” A password or PIN would be a knowledge factor or “something you know,” while a fingerprint or retina scan would be a biometric, or inherence factor.
What is the intent of least privilege?
Enforce the most restrictive rights required by users to complete assigned tasks.
The principle of least privilege ensures that users (subjects) are granted only the most restrictive rights they need to perform their work tasks and job functions. Users don’t execute system processes. The least privilege principle does not enforce the least restrictive rights but rather the most restrictive rights.
A table includes multiple objects and subjects and it identifies the specific access each subject has to different objects. What is this table?
Access control matrix
An access control matrix includes multiple objects, and it lists subjects’ access to each of the objects. A single list of subjects for any specific object within an access control matrix is an access control list. A federation refers to a group of companies that share a federated identity management system for single sign‐on. Creeping privileges refers to the excessive privileges a subject gathers over time.
Who, or what, grants permissions to users in a discretionary access control model?
The data custodian
The data custodian (or owner) grants permissions to users in a discretionary access control (DAC) model. Administrators grant permissions for resources they own, but not for all resources in a DAC model. A rule‐based access control model uses an access control list. The mandatory access control model uses labels.
Which of the following models is also known as an identity-based access control model?
Discretionary access control
A discretionary access control model is an identity‐based access control model. It allows the owner (or data custodian) of a resource to grant permissions at the discretion of the owner. The role‐based access control model is based on role or group membership. The rule‐based access control model is based on rules within an ACL. The mandatory access control model uses assigned labels to identify access.
Which of the following statements is true related to the role-based access control (role-BAC) model?
A role-BAC model allows users membership in multiple groups.
The role-BAC model is based on role or group membership, and users can be members of multiple groups. Users are not limited to only a single role. Role-BAC models are based on the hierarchy of an organization, so they are hierarchy based. The mandatory access control model uses assigned labels to identify access.
What type of access controls rely on the use of labels?
Mandatory
Mandatory access controls rely on the use of labels for subjects and objects. Discretionary access control systems allow an owner of an object to control access to the object. Nondiscretionary access controls have centralized management such as a rule‐based access control deployed on a firewall. Role‐based access controls define a subject’s access based on job‐related roles.
What type of access control model is used on a firewall?
Rule-based access control model
Which of the following best describes a characteristic of the mandatory access control model?
Prohibitive
The mandatory access control model is prohibitive and it uses an implicit‐deny philosophy (not an explicit‐deny philosophy). It is not permissive and it uses labels rather than rules.
What would an organization do to identify weaknesses?
Vulnerability Analysis
A vulnerability analysis identifies weaknesses and can include periodic vulnerability scans and penetration tests. Asset valuation determines the value of assets, not weaknesses. Threat modelling attempts to identify threats, but threat modelling doesn’t identify weaknesses. An access review audits account management and object access practices.
Which of the following can help mitigate the success of an online brute-force attack?
Account unlock
An account lockout policy will lock an account after a user has entered an incorrect password too many times, and this blocks an online brute-force attack. Attackers use rainbow tables in offline password attacks. Password salts reduce the effectiveness of rainbow tables. Encrypting the password protects the password, but not against a brute-force attack.