Chapter 3 Review Questions

superfluitysmackoverSecurity

Feb 23, 2014

Security+ Guide to Network Security Fundamentals, 2e
Solutions 3-1

Chapter 3 Review Questions

1. A security plan that is initiated by a(n) _____ would be defined as a bottom-up approach.

   a. Chief information officer (CIO)
   b. Help desk technician
   c. Chief security officer
   d. Financial counselor

2. The advantage of layering is _________.

   a. there is no single point of failure
   b. it is less expensive
   c. it provides redundant services such as dual firewalls
   d. it does not require security personnel to implement

3. Restricting users to the lowest level of permissions they need to do their job is called ____________.

   a. restrictive access listing (RAL)
   b. limiting
   c. constraint leveling
   d. concise security administration (CSA)

4. Each of the following is an example of how diversity can be achieved except ________.

   a. one firewall filters one type of traffic while a second firewall filters other traffic
   b. devices purchased from a variety of vendors
   c. servers running different operating systems
   d. requiring one type of hard disk drive

5. Which of the following is an example of security by obscurity?

   a. Posting the company’s security plan on the Web site
   b. Advertising for bids for a specific brand of firewall in the local newspaper
   c. Removing a logon window message that indicates the name of the operating system
   d. Requiring vendors to ship equipment that does not have a serial number

6. Layering is no longer considered a proper means of creating a security environment. True or false?

7. A disadvantage of layering is that uncoordinated layers can create security holes in the defense. True or false?

8. Complex security systems are preferred over simple systems. True or false?

9. Authentication verifies that a trusted person who has been preapproved for access is actually the one who now demands that access. True or false?

10. The only time you are asked to authenticate yourself is when using a computer. True or false?

11. Authentication based on a secret code you have memorized is an example of authentication by _____.
    what you know

12. The term used to describe an employee who actively tries to prevent security attacks from passing through them is a(n) _____.
    human firewall

13. A subject, such as a person or a computer program, interacts with a(n) _____.
    object

14. Using your fingerprint to access a system is an example of authentication by _____.
    what you are

15. A(n) _____ is a security device that is used to authenticate the user by having the appropriate permission (such as a password) embedded into it.
    token

16. What are some of the weaknesses of biometrics and how can they be overcome?

Biometrics has its weaknesses. Many high-end scanners are relatively expensive and can be difficult to use, and every scanner makes two kinds of error: it can reject an authorized user (a false rejection) and it can accept an unauthorized one (a false acceptance). These errors arise because a face or hand presents a large number of characteristics that must be scanned and then compared, and the comparison is never exact: a match threshold has to be chosen, and lowering it to stop rejecting legitimate users also lets more impostors through. It is also possible to "steal" someone's characteristics by lifting a fingerprint from a glass, photographing an iris, or recording a voice, and then using the copy to trick the scanner; unlike a password, a compromised fingerprint cannot be changed. Biometric security is still in its early developmental stages. Many industry experts recommend that at the present time it should be used along with passwords and other forms of authentication rather than on its own.
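
The two error types in this answer trade off against each other through the scanner's match threshold. The following is an added example, not part of the textbook's solution: it sweeps a threshold over constructed similarity scores from a hypothetical matcher and reports the false-accept and false-reject rates at each setting. The GENUINE_SCORES and IMPOSTOR_SCORES values are made up for the illustration, not measured data.

```python
"""Added example (not from the textbook): false-accept / false-reject trade-off
behind 'scanners reject authorized users while accepting unauthorized users'."""

# Constructed similarity scores (0-100) from a hypothetical matcher; not real measurements.
GENUINE_SCORES = [62, 71, 78, 80, 83, 85, 88, 90, 92, 95]   # enrolled user vs. own live sample
IMPOSTOR_SCORES = [20, 31, 40, 45, 50, 58, 63, 66, 70, 74]  # other people vs. that template


def decide(score, threshold):
    """Accept when the matcher's similarity score reaches the threshold."""
    return score >= threshold


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR) for one threshold.
    FAR: fraction of impostor attempts accepted (unauthorized user let in).
    FRR: fraction of genuine attempts rejected (authorized user locked out)."""
    far = sum(decide(s, threshold) for s in impostor) / len(impostor)
    frr = sum(not decide(s, threshold) for s in genuine) / len(genuine)
    return far, frr


def sweep(thresholds=range(0, 101), **kw):
    """(threshold, FAR, FRR) per threshold: as one rate falls the other rises."""
    return [(t, *error_rates(t, **kw)) for t in thresholds]


def equal_error_point(**kw):
    """Threshold where FAR and FRR are closest (lowest threshold wins ties);
    the usual single-number summary of a matcher's accuracy."""
    return min(sweep(**kw), key=lambda row: (abs(row[1] - row[2]), row[0]))


if __name__ == "__main__":
    for t, far, frr in sweep(range(55, 81, 5)):
        print(f"threshold {t:3d}: FAR {far:.1f}  FRR {frr:.1f}")
    print("equal-error point (threshold, FAR, FRR):", equal_error_point())
```

Moving the threshold only shifts errors from one column to the other; it cannot remove them, which is why the answer's advice to pair the biometric with a password or token is the practical mitigation.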

17. Explain how a digital certificate works.

Although encrypting messages with keys is an excellent means of sending messages so that unauthorized users cannot see them, one weakness of the key system is that a key by itself does not prove that the sender is actually who he claims to be: anyone can generate a key pair and attach someone else's name to it. How does the receiver know who actually sent the message? The answer is a certificate (sometimes called a digital certificate). A certificate links, or binds, a specific person to a public key. It is issued by a certification authority (CA), an independent third-party organization, which signs the certificate with its own private key; a receiver who trusts the CA can verify that signature and thereby the binding between the name and the key. A user requesting a certificate from a CA must provide personal information, such as name, former last name (if changed in the last twelve months), home address, social security number, date of birth, driver's license number, e-mail address, and work and home phone numbers. In some instances the CA may require that the person make a personal visit to the CA office in order to prove his existence and identity. Once the person's identity is established, the CA issues the certificate.
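
As an added illustration, not part of the textbook's answer: a standard-library-only Python sketch of what the CA's binding of a person to a key looks like and how a receiver checks it. The RSA key generation, the "Example CA" issuer name, the subject names and the 512-bit key size are assumptions of the example; the signature is textbook RSA over SHA-256 with no padding, so the certificate structure and checks are realistic but the cryptography itself is not production-grade.

```python
"""Added example (not from the textbook): a CA signs (subject, public key, validity,
issuer); anyone holding the CA's public key can verify that binding offline.
Textbook RSA without padding and 512-bit keys: fine for the structure, not for real use."""
import hashlib
import json
import secrets
import time

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def rsa_keypair(bits=512):
    """Return (public, private) dicts. 512 bits keeps the demo fast; real keys are 2048+."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this is gcd(e, phi) == 1
            n = p * q
            return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def rsa_sign(priv, data):
    return pow(_digest(data), priv["d"], priv["n"])


def rsa_verify(pub, data, signature):
    return pow(signature, pub["e"], pub["n"]) == _digest(data)


def _to_be_signed(cert):
    # Canonical encoding of the fields the CA vouches for (X.509 calls this tbsCertificate).
    return json.dumps(cert["tbs"], sort_keys=True).encode()


def issue_certificate(ca_name, ca_priv, subject, subject_pub, days=365, now=None):
    """The CA, having checked the applicant's identity out of band, signs the binding."""
    now = int(time.time() if now is None else now)
    cert = {"tbs": {"subject": subject, "public_key": subject_pub, "issuer": ca_name,
                    "not_before": now, "not_after": now + days * 86400}}
    cert["signature"] = rsa_sign(ca_priv, _to_be_signed(cert))
    return cert


def verify_certificate(cert, trusted_cas, now=None):
    """Relying-party check. trusted_cas maps CA name -> CA public key. Returns (ok, reason)."""
    now = time.time() if now is None else now
    tbs = cert["tbs"]
    ca_pub = trusted_cas.get(tbs["issuer"])
    if ca_pub is None:
        return False, "issuer not trusted"
    if not rsa_verify(ca_pub, _to_be_signed(cert), cert["signature"]):
        return False, "bad signature"          # any field altered after issuance lands here
    if not tbs["not_before"] <= now <= tbs["not_after"]:
        return False, "outside validity period"
    return True, "ok"
```

The receiver never contacts the CA: it only needs the CA's public key, which is why the CA's out-of-band identity checks described above matter, since the signature proves the CA vouched for the binding, not that the binding is true.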

18. Where is Kerberos used and how does it work?

Kerberos is typically used when a user on a network is attempting to make use of a network service, and the service wants assurance that the user is who he says he is. The user is provided a ticket that is issued by the Kerberos authentication server (AS). This ticket contains information linking it to the user, and it is encrypted under a key that only the service (and the AS) knows, so the user who carries it can neither read nor alter it. The user presents this ticket to the network service. The service decrypts the ticket, verifies the identity of the user, and, if all checks out, accepts the user. Kerberos tickets cannot be forged or altered (because they are encrypted), they contain specific user information, they restrict what a user can do, and they expire after a few hours or a day. A ticket can still be copied off the wire, which is why it is presented together with a freshly generated, time-stamped authenticator that only a holder of the ticket's session key can produce.
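
An added simulation, not from the textbook, of the exchange just described: the AS issues a ticket sealed under the service's key plus the session key sealed under the user's key; the user presents the ticket with an authenticator; the service checks the ticket, its expiry and the authenticator's freshness. Real Kerberos adds a ticket-granting server, pre-authentication and standardised encryption types; here a single AS issues the service ticket directly, the seal/unseal cipher is an HMAC-SHA256 stand-in built from the standard library, and the realm, principal names and passwords are invented.

```python
"""Added example (not from the textbook): simplified Kerberos ticket flow.
seal/unseal is a toy encrypt-then-MAC built on HMAC-SHA256, standing in for
the real Kerberos encryption types."""
import hashlib
import hmac
import json
import os
import time

REALM = b"EXAMPLE.COM"   # assumed realm name


def string_to_key(password, principal):
    """Long-term key derived from a password, salted with realm and principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM + principal.encode(), 10_000)


def _subkeys(key):
    """Separate encryption and MAC keys from one long-term or session key."""
    return hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest()


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Toy authenticated encryption of a JSON-able object (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    plaintext = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Inverse of seal; raises ValueError on a wrong key or a modified blob."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class AuthenticationServer:
    """Holds every principal's long-term key and issues tickets; keys never travel in the clear."""

    def __init__(self, keys):
        self.keys = keys    # principal name -> long-term key (bytes)

    def issue_ticket(self, client, service, lifetime=8 * 3600, now=None):
        now = time.time() if now is None else now
        session_key = os.urandom(32).hex()
        # Sealed under the SERVICE's key: the client carries the ticket but cannot read or alter it.
        ticket = seal(self.keys[service], {"client": client, "service": service,
                                           "session_key": session_key, "expires": now + lifetime})
        # Sealed under the CLIENT's key: only someone who knows the password recovers the session key.
        reply = seal(self.keys[client], {"service": service, "session_key": session_key})
        return ticket, reply


def client_request(client, client_key, ticket, reply, now=None):
    """Open the AS reply with the client's key, then prove possession of the session key by
    sealing a fresh, time-stamped authenticator. Returns None if the reply cannot be opened,
    which is what a wrong password looks like."""
    now = time.time() if now is None else now
    try:
        session_key = bytes.fromhex(unseal(client_key, reply)["session_key"])
    except ValueError:
        return None
    return ticket, seal(session_key, {"client": client, "timestamp": now})


def service_accept(service, service_key, ticket, authenticator, now=None, max_skew=300):
    """Service-side checks. Returns (accepted, client name or rejection reason)."""
    now = time.time() if now is None else now
    try:
        t = unseal(service_key, ticket)
    except ValueError:
        return False, "ticket was not issued under this service's key"
    if t["service"] != service:
        return False, "ticket issued for a different service"
    if now > t["expires"]:
        return False, "ticket expired"
    try:
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    except ValueError:
        return False, "authenticator not sealed with the ticket's session key"
    if a["client"] != t["client"]:
        return False, "authenticator does not match ticket"
    if abs(now - a["timestamp"]) > max_skew:
        return False, "authenticator too old (replay?)"
    return True, t["client"]
```

The service never sees the user's password and never talks to the AS during the request: the ticket it can decrypt, and the authenticator under the session key, are its entire evidence, which is exactly the property the answer attributes to Kerberos.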

19. What is the difference between one-way authentication and mutual authentication? What attacks does mutual authentication combat?

In one-way authentication only one party proves its identity: the server authenticates the user, but the user has no proof of which server it is talking to. Two-way authentication, known as mutual authentication, can be used to combat identity attacks such as man-in-the-middle and replay attacks. With mutual authentication the user is authenticated by the server through a password, a token, or other means, and the server is likewise authenticated: the user verifies that he is actually connected to the "real" server and not an impostor. Mutual authentication thus provides a means for both sides of a connection to verify the authenticity of each other.
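
The difference can be made concrete in a few lines. The following is an added example, not part of the textbook's answer: a challenge-response protocol over a shared secret (HMAC-SHA256 from the standard library), run once one-way and once mutually, with a replay attempt and a reflection attempt against it. The shared key, the role labels and the 16-byte challenge size are assumptions of the example.

```python
"""Added example (not from the textbook): one-way vs. mutual challenge-response
over a shared secret, plus the replay and reflection attempts it defeats."""
import hashlib
import hmac
import os


def respond(key, role, challenge):
    """Prove possession of key by MACing the peer's challenge. The role label keeps a
    response from being reflected back at the party that produced the challenge."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


def check(key, role, challenge, response):
    return hmac.compare_digest(respond(key, role, challenge), response)


def one_way_auth(client_key, server_key):
    """Server challenges client. Returns (server_accepts_client, client_has_proof_of_server).
    The second value is always False: nothing in this exchange tells the client who it spoke to,
    so an impostor server that simply relays traffic goes unnoticed."""
    server_challenge = os.urandom(16)
    response = respond(client_key, b"client", server_challenge)
    return check(server_key, b"client", server_challenge, response), False


def mutual_auth(client_key, server_key):
    """Both sides challenge each other. Returns (server_accepts_client, client_accepts_server)."""
    client_challenge, server_challenge = os.urandom(16), os.urandom(16)
    # client -> server: answer to the server's challenge
    server_accepts = check(server_key, b"client", server_challenge,
                           respond(client_key, b"client", server_challenge))
    # server -> client: answer to the client's challenge; an impostor without the key fails here
    client_accepts = check(client_key, b"server", client_challenge,
                           respond(server_key, b"server", client_challenge))
    return server_accepts, client_accepts


def replay_attempt(key):
    """Attacker records a valid response and replays it in a later session.
    The server picks a fresh challenge every time, so the recorded answer is useless."""
    recorded_challenge = os.urandom(16)
    recorded_response = respond(key, b"client", recorded_challenge)
    new_challenge = os.urandom(16)
    return check(key, b"client", new_challenge, recorded_response)


def reflection_attempt(key):
    """Attacker with no key opens a second session, feeds the server's own challenge back to it,
    and tries to reuse the server's answer as the client's answer in the first session."""
    challenge = os.urandom(16)
    servers_own_answer = respond(key, b"server", challenge)     # what the server would reply
    return check(key, b"client", challenge, servers_own_answer)  # role label makes this fail
```

Replay is defeated by the fresh challenge, reflection by tagging each direction with its role, and the impostor server is caught only in the mutual version, where the client gets to issue a challenge of its own.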

20. How does Role Based Access Control function? What are its advantages?

Handling the permissions for individual users can be a time-consuming task. Not only must they be initially set up, but there may be constant "tweaking" necessary as users take on new responsibilities or assume new job titles. A model that avoids this assigns permissions to a position or "role"; users (and other subjects) are then assigned to that role and inherit all of its permissions. This is known as Role Based Access Control (RBAC). RBAC reduces the amount of "adjusting" that must be done on individual accounts as an employee adds responsibilities to his or her title: the administrator changes the role, or moves the user between roles, rather than editing each user's permissions one by one.
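
An added example, not from the textbook: a minimal RBAC model in Python in which permissions belong to roles, roles may inherit from other roles, and users are assigned roles, so that one change to a role reaches every user holding it. The department, role names and permission strings in build_demo are invented for the illustration.

```python
"""Added example (not from the textbook): a small role-based access control model
with role inheritance. Roles, permissions and users below are made up."""


class RBAC:
    def __init__(self):
        self.role_perms = {}     # role -> set of permissions granted directly
        self.role_parents = {}   # role -> set of roles whose permissions it inherits
        self.user_roles = {}     # user -> set of roles

    def add_role(self, role, perms=(), inherits=()):
        for parent in inherits:
            if parent not in self.role_perms:
                raise KeyError(f"unknown parent role {parent!r}")
        self.role_perms[role] = set(perms)
        self.role_parents[role] = set(inherits)

    def grant(self, role, perm):
        """Change the role once; every user holding it, directly or by inheritance, gains perm."""
        self.role_perms[role].add(perm)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        """Moving a user out of a role removes every permission that came with it in one step."""
        self.user_roles.get(user, set()).discard(role)

    def role_permissions(self, role):
        """All permissions of a role, walking the inheritance graph (visited set guards cycles)."""
        perms, stack, seen = set(), [role], set()
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self.role_perms[r]
            stack.extend(self.role_parents[r])
        return perms

    def permissions(self, user):
        return set().union(*(self.role_permissions(r) for r in self.user_roles.get(user, ())))

    def check(self, user, perm):
        return perm in self.permissions(user)


def build_demo():
    """Constructed example: a finance department with an inheriting role hierarchy."""
    rbac = RBAC()
    rbac.add_role("employee", {"intranet:read"})
    rbac.add_role("auditor", {"ledger:read"}, inherits=["employee"])
    rbac.add_role("accountant", {"ledger:read", "ledger:write"}, inherits=["employee"])
    rbac.assign("alice", "accountant")
    rbac.assign("bob", "auditor")
    return rbac
```

With the hierarchy in place, giving every employee a new permission is one grant on the "employee" role, and an employee's promotion or departure is a single assign or revoke, which is the reduction in per-account adjusting the answer describes.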