1. What are the three major categories used to provide authentication of an individual? a) something you know (e.g., a password) b) something you have (e.g., a certificate with associated private key or smart card) c) something you are (a biometric)
2. What is Authorization and how is this concept aligned with Identification and Authentication? a) Authorization is the process of determining whether an entity, once authenticated, is permitted to access a specific asset. b) Authorization is what takes place after a person has been both identified and authenticated; it’s the step that determines what a person can then do on the system.
3. Provide at least 3 examples of Network Architecture Controls that help enforce data access policies at the LAN-to-WAN Domain level. a) Firewalls: Control the traffic flow between a trusted network and an untrusted network. Firewalls are usually used to protect the boundaries of a network. b) Access control lists (ACL): Include restrictions on inbound and outbound connections, as well as connections between LAN segments internal to the site/enclave. c) Logical IDS: Network and workstation mechanisms that monitor network traffic and provide real-time alarms for network-based attacks. Service Network.
4. When a computer is physically connected to a network port, manual procedures and/or an automated method must exist to perform what type of security functions at the Network Port and Data Switch level for access control? Name and define at least three. a) Physical Security – Is intended to detect and deter unauthorized personnel from gaining access. b) Logical Network Port Security – Implemented by configuring the network switch such that specific ports accept connections only from one or more specific MAC address(es). Only a device configured with the authorized MAC address is allowed to access that network port. c) Port Authentication Using 802.1X – Is an authentication standard that can be used for wired or wireless networks. This standard provides for user/device authentication as well as distribution and management of encryption keys.
5. What is a Network Access Control (NAC) System? Explain its benefits in securing access control to a network. a) NAC is a networking solution for wired and Wi-Fi connections that identifies potential problems on a computer before it accesses the network. NAC uses a set of protocols to define and implement a policy that describes how to secure access to network nodes by devices when they initially attempt to access the network. b) A benefit of NAC is the ability to control access to the LAN without putting the network in danger. Based on a computer’s credentials and the software installed on it, a NAC system may give it full access to the LAN, deny it any access, or give it partial access.
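The full / partial / deny outcome described in 5 b), as an added example that is not part of the original answer key. The posture fields, the thresholds and the three outcomes are a constructed policy rather than any NAC product's API:

```python
"""Added example (not from the original answer key): a minimal NAC admission
decision. The posture fields, thresholds and outcomes are a constructed policy
that mirrors the full / partial / deny outcomes described in the answer."""
from dataclasses import dataclass, field

FULL, PARTIAL, DENY = "full", "partial", "deny"
REQUIRED_AGENTS = {"av", "host-firewall"}   # agents the policy expects on every endpoint
MAX_SIGNATURE_AGE_DAYS = 7


@dataclass
class Posture:
    """What the NAC agent or the 802.1X exchange reports about a connecting device."""
    device_id: str
    authenticated: bool            # credentials / 802.1X accepted
    av_signature_age_days: int     # age of the endpoint's AV signatures
    missing_critical_patches: int
    agents_present: set = field(default_factory=set)


def admit(p: Posture) -> tuple:
    """Decide LAN access for one device and return (decision, reasons).

    Unauthenticated devices are denied outright; a device with no endpoint
    protection at all is denied rather than quarantined; any remaining posture
    gap sends the device to a remediation (partial-access) VLAN where it can
    update without exposing the rest of the LAN."""
    if not p.authenticated:
        return DENY, ["credentials not accepted"]
    reasons = []
    if p.av_signature_age_days > MAX_SIGNATURE_AGE_DAYS:
        reasons.append(f"AV signatures older than {MAX_SIGNATURE_AGE_DAYS} days")
    if p.missing_critical_patches > 0:
        reasons.append(f"{p.missing_critical_patches} critical patch(es) missing")
    missing = REQUIRED_AGENTS - p.agents_present
    if missing:
        reasons.append("required agents missing: " + ", ".join(sorted(missing)))
    if not reasons:
        return FULL, ["posture healthy"]
    if "av" in missing:
        return DENY, reasons
    return PARTIAL, reasons


if __name__ == "__main__":
    # constructed posture reports for four devices
    for dev in (
        Posture("laptop-01", True, 1, 0, {"av", "host-firewall"}),
        Posture("laptop-02", True, 30, 2, {"av", "host-firewall"}),
        Posture("byod-tablet", True, 0, 0, set()),
        Posture("unknown", False, 0, 0, set()),
    ):
        decision, why = admit(dev)
        print(f"{dev.device_id:12} -> {decision:7} ({'; '.join(why)})")
```

The partial outcome is the one that makes NAC useful in practice: a device that merely lags on signatures or patches is not turned away, it is placed where it can only reach remediation services until it re-checks clean.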
6. Explain the purpose of a Public Key Infrastructure (PKI) and give an example of how you would implement it in a large organization whose major concern is the proper distribution of certificates across many sites. a) A PKI (public key infrastructure) enables users of an inherently insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. b) Work with one of the globally trusted roots, Cybertrust, to deploy a CA on your premises that is subordinate to a Cybertrust root CA. You can build and operate a CA that runs locally on your own equipment.
7. PKI provides the capabilities of digital signatures and encryption to implement what security services? Name at least three. a) Identification and authentication through digital signature of a challenge b) Data integrity through digital signature of the information c) Confidentiality through encryption
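The three services in 7, shown in working code as an added example that is not part of the original answer key. It uses textbook RSA with constructed small primes (1000003 and 999983), no padding, and one RSA block per plaintext byte, so the mechanism of each service is visible in a few lines; the key sizes and the absence of padding are deliberate simplifications for illustration.

```python
"""Added example (not from the original answer key): the three PKI services
(authentication by signing a challenge, integrity by signing data,
confidentiality by encryption) demonstrated with textbook RSA on constructed
small primes. No padding, tiny keys: mechanism only."""
import hashlib
import secrets

P, Q, E = 1000003, 999983, 65537      # constructed small primes, common public exponent


def make_keypair(p=P, q=Q, e=E):
    """Textbook RSA: n = p*q, d = e^-1 mod phi(n). Returns (public, private)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)               # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def _digest(data: bytes, n: int) -> int:
    """Hash the data and reduce the digest into the modulus range before signing."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def encrypt(pub, plaintext: bytes) -> list:
    """c) confidentiality: anyone with the public key can encrypt, only the
    private-key holder can read the result."""
    n, e = pub
    return [pow(b, e, n) for b in plaintext]        # one RSA block per byte (toy)


def decrypt(priv, blocks: list) -> bytes:
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)


def challenge_response(pub, claimant_sign) -> bool:
    """a) identification/authentication, verifier side: issue a fresh random
    challenge and accept only a valid signature over that exact challenge.
    `claimant_sign` is the claimant's signing function; the key never leaves it."""
    challenge = secrets.token_bytes(16)
    return verify(pub, challenge, claimant_sign(challenge))


def integrity_ok(pub, received: bytes, sig: int) -> bool:
    """b) data integrity: a signature made over the original data verifies only
    if the received copy is bit-for-bit identical."""
    return verify(pub, received, sig)


if __name__ == "__main__":
    pub, priv = make_keypair()
    print("authenticated:", challenge_response(pub, lambda c: sign(priv, c)))
    sig = sign(priv, b"transfer 100 to account 42")
    print("intact:  ", integrity_ok(pub, b"transfer 100 to account 42", sig))
    print("tampered:", integrity_ok(pub, b"transfer 900 to account 42", sig))
    print("decrypted:", decrypt(priv, encrypt(pub, b"confidential")))
```

The challenge is random and fresh each time, which is what turns a signature into an authentication: a recorded signature over an old challenge does not verify against a new one.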
8. What is the X.509 standard and how does it relate to PKI? a) The X.509 standard defines a standard for managing public keys through a Public Key Infrastructure (PKI). b) It specifies standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
9. What is the difference between Identification and Verification in regard to Biometric Access Controls? a) When biometrics is used in the identification process, users do not state who they are. In identification, the process is one-to-many. When biometrics is used in the verification process, users first declare who they are by entering their logon name or presenting an identification card. Then biometric technology is used to verify that identity. This process is considered to be one-to-one.
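The one-to-many versus one-to-one distinction from 9, as an added example that is not part of the original answer key. Templates are constructed 256-bit codes compared by normalized Hamming distance; the match threshold and the noise model for a live capture are assumptions made for the illustration:

```python
"""Added example (not from the original answer key): biometric identification
(1:N, no claimed identity) versus verification (1:1, claimed identity first)
over constructed 256-bit templates. Threshold and noise model are assumptions."""
import random

TEMPLATE_BITS = 256
MATCH_THRESHOLD = 0.30   # normalized Hamming distance below this counts as a match


def distance(a: int, b: int) -> float:
    """Fraction of template bits that differ between two codes."""
    return bin(a ^ b).count("1") / TEMPLATE_BITS


def enroll(rng: random.Random, users) -> dict:
    """Constructed enrollment: one random template per user."""
    return {u: rng.getrandbits(TEMPLATE_BITS) for u in users}


def capture(rng: random.Random, template: int, noise_bits: int = 20) -> int:
    """Simulate a fresh live sample: the enrolled template with noise_bits flipped."""
    for pos in rng.sample(range(TEMPLATE_BITS), noise_bits):
        template ^= 1 << pos
    return template


def identify(db: dict, sample: int):
    """1:N. The user states nothing; every template is searched and the closest
    one is returned if it lies inside the threshold. Returns (user_or_None, comparisons)."""
    best_user, best_dist = None, 1.0
    for user, tmpl in db.items():
        d = distance(tmpl, sample)
        if d < best_dist:
            best_user, best_dist = user, d
    return (best_user if best_dist < MATCH_THRESHOLD else None), len(db)


def verify(db: dict, claimed_user: str, sample: int):
    """1:1. The user first claims an identity (logon name, ID card); only that
    template is compared. Returns (accepted, comparisons)."""
    tmpl = db.get(claimed_user)
    if tmpl is None:
        return False, 0
    return distance(tmpl, sample) < MATCH_THRESHOLD, 1


def build_demo(seed: int = 7):
    """Constructed dataset: enrolled users, a genuine live sample of alice,
    and an unrelated impostor sample."""
    rng = random.Random(seed)
    db = enroll(rng, ["alice", "bob", "carol", "dave"])
    return db, capture(rng, db["alice"]), rng.getrandbits(TEMPLATE_BITS)


if __name__ == "__main__":
    db, live, impostor = build_demo()
    print("identify genuine:", identify(db, live))
    print("verify as alice: ", verify(db, "alice", live))
    print("verify as bob:   ", verify(db, "bob", live))
    print("identify impostor:", identify(db, impostor))
```

The comparison count is the practical difference: verification does one comparison against the claimed template, while identification compares against the whole database, so its false-match exposure grows with the number of enrolled users.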
10. Provide a written explanation of what implementing Separation of Duties would look like in regard to managing a PKI Infrastructure for a large organization. a) Managing a PKI Infrastructure for a large organization would require controls on the levels of administrative access to a CA. There would be different roles for the different processes. The separation of duties would look something like this: a CA or PKI Administrator, whose role is to manage the CA itself; a Certificate Manager, who issues and revokes certificates; an Enrollment Agent, a role typically used in conjunction with smart cards, who enrolls for a certificate on behalf of another user; a Key Recovery Manager, if key archival is used, who is responsible for recovering private keys; an EFS Recovery Agent, a role that may be created to recover data encrypted using EFS; a Backup Operator, who is responsible for backing up the CA and restoring data in case of failure; and an Auditor, who is responsible for reviewing audit logs and ensuring policy is not being violated.
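The roles from 10, as an added example that is not part of the original answer key: a role-to-permission matrix plus a check that no single account holds two roles that the policy treats as conflicting. The permission names and the conflict pairs are a constructed policy for illustration, not any CA product's built-in rules:

```python
"""Added example (not from the original answer key): the PKI roles above as a
role-permission matrix with a separation-of-duties check. Permission names and
conflict pairs are a constructed policy."""

ROLES = {
    "ca_admin":             {"configure_ca", "assign_roles"},
    "certificate_manager":  {"issue_certificate", "revoke_certificate"},
    "enrollment_agent":     {"enroll_on_behalf_of_user"},
    "key_recovery_manager": {"recover_private_key"},
    "efs_recovery_agent":   {"recover_efs_data"},
    "backup_operator":      {"backup_ca", "restore_ca"},
    "auditor":              {"read_audit_log", "manage_audit_settings"},
}

# role pairs that must never sit on one account: the holder could act and
# then approve, hide or undo their own action
CONFLICTS = {frozenset(pair) for pair in [
    ("ca_admin", "certificate_manager"),               # configure the CA and issue from it
    ("ca_admin", "auditor"),                           # change settings and audit themselves
    ("certificate_manager", "auditor"),                # issue certificates and review the log
    ("backup_operator", "auditor"),                    # restore (rewrite) state and audit it
    ("key_recovery_manager", "certificate_manager"),   # issue certificates and recover their keys
]}


def permissions(roles) -> set:
    """Union of the permissions granted by a set of roles."""
    perms = set()
    for r in roles:
        perms |= ROLES[r]
    return perms


def can(assignments: dict, user: str, permission: str) -> bool:
    """True if any role assigned to the user grants the permission."""
    return permission in permissions(assignments.get(user, set()))


def sod_violations(assignments: dict) -> dict:
    """Map each offending user to the sorted list of conflicting role pairs they hold."""
    found = {}
    for user, roles in assignments.items():
        held = set(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= held)
        if hits:
            found[user] = hits
    return found


if __name__ == "__main__":
    # constructed role assignments
    assignments = {
        "ann": {"ca_admin"},
        "bo":  {"certificate_manager", "enrollment_agent"},
        "cy":  {"auditor"},
        "dee": {"certificate_manager", "auditor"},    # violates separation of duties
    }
    for user, pairs in sod_violations(assignments).items():
        print(f"{user}: holds conflicting roles {pairs}")
    print("ann may issue certificates:", can(assignments, "ann", "issue_certificate"))
```

Running the check whenever roles are assigned, and again periodically against the live CA configuration, is what keeps the separation real rather than a diagram.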
11. What are the 3 categories of vulnerability severity codes? a) CAT I – Any vulnerability, the exploitation of which will directly and immediately result in loss of Confidentiality, Availability, or Integrity. b) CAT II – Any vulnerability, the exploitation of which has a potential to result in loss of Confidentiality, Availability, or Integrity. c) CAT III – Any vulnerability, the existence of which degrades measures to protect against loss of Confidentiality, Availability, or Integrity.
12. True or False. The use of 802.11i configured to use AES encryption, 802.1X authentication services along with the Extensible Authentication Protocol (EAP) provides the best solution for the enterprise-level WLAN, particularly a high-security environment. a) True
13. True or False. It is a best practice to write a password down and store it in the vicinity of the computer for easy access. a) False
14. True or False. From a security perspective, biometric verification is best deployed as a component of two-factor or three-factor authentication.
15. From an access control security perspective, why is performing an asset valuation or alignment to a data classification standard the first step in designing proper security controls? a) You need to know the level of sensitivity, value and criticality of the data in order to properly determine who or what should have access to it. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data.