Answers to Questions 16-20

16. A smartcard represents:
A. Something you know
B. Something you have
C. Something you are
D. No Answer is Correct

Answer: B

Explanation: Authentication is accomplished through something you know, something you have and/or something you are. One form of authentication requires possession of something ("something you have") such as a key, a smart card, a disk, or some other device. Whatever form it takes, the authenticating item should be difficult to duplicate and may require synchronization with systems other than the one to which you are requesting access. Highly secure environments may require you to satisfy multiple authentication criteria (multi-factor authentication) to guarantee authenticity. Something you know is a piece of data known only to you, such as a password. Something you are is a physical characteristic of you, like your fingerprint.
Section 1.2: Authentication & Section 1.2.5: Tokens
17. Which of the following is NOT a good password deployment guideline?
A. Passwords must not be the same as the user id or login id.
B. Passwords must be changed at least once every 60 days, depending on your environment.
C. Password aging must be enforced on all systems.
D. Passwords must be easy to memorize.

Explanation: Passwords should be easy to memorize, because that minimizes the chance that users will write the password down somewhere others could see it. Passwords should not be the same as the user ID, because that is one of the first values common "password cracker" programs try when attempting to discover passwords for accounts. Passwords must be changed at least once every 60 days (depending on your environment). Password aging (expiration) must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins should be allowed; the account must then be disabled until reset by an administrator or the help desk. Password reuse (rotating between old passwords) is not allowed. Note that the mandatory aging in B and C reflects exam-era practice; later guidance (NIST SP 800-63B, 2017) recommends against forcing periodic changes unless there is evidence of compromise, and instead screens new passwords against dictionary and known-breached values.
Section 1.2.4: Username/Password
18. Which of the following is an effective measure against a certain type of brute force password attack?
A. Password reuse is not allowed.
B. Password history is used.
C. Any password used must not be a word found in a dictionary.
D. No Answer is Correct

Answer: C

Explanation: A brute force password attack involves trying many possible password values to see if any of them grants access to an account. A dictionary attack is the variant in which the list of values to try comes from a dictionary or wordlist, so a policy that any password used must not be a word found in a dictionary directly defeats it (it does nothing against an exhaustive search over short passwords, where only length and character set help). "Password reuse is not allowed" (i.e., rotating passwords) is a good policy, but not the one most closely related to preventing brute force password attacks. Password history must be used to prevent users from reusing passwords; for example, many systems with such a facility keep the last 12 passwords in the history. But as with the policy against password reuse, password history is not as relevant to preventing brute force password attacks as the policy against dictionary words.
Section 1.4.11.1: Brute Force & Section 1.4.11.2: Dictionary
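The distinction drawn in questions 17 and 18 is easier to see in code. The following is an added example, not part of the CertiGuide text: it runs a dictionary attack and an exhaustive brute-force attack against a salted PBKDF2 hash, and applies the deployment rules (not equal to the user id, not a dictionary word, not in the last 12 passwords of the history). The wordlist, the iteration count and the sample passwords are all constructed for the demo and are assumptions, not values from the page.

```python
"""Added example: dictionary vs. exhaustive brute force against a stored hash,
plus the password-policy checks from questions 17 and 18."""
import hashlib
import hmac
import itertools
import os

# Assumption: a tiny constructed wordlist stands in for a real dictionary file
# (for example /usr/share/dict/words); the attack only improves as the list grows.
DICTIONARY = ["password", "welcome", "dragon", "letmein", "monkey", "sunshine"]

# Deliberately low so the brute-force demo finishes in well under a second.
# A real deployment uses a far higher count (OWASP currently suggests 600,000
# for PBKDF2-HMAC-SHA256) or a memory-hard function such as Argon2id.
ITERATIONS = 1_000


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256: the kind of verifier an attacker holds after a database leak."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def dictionary_attack(stored_hash, salt, wordlist):
    """Offline dictionary attack: hash each word with the victim's salt and compare.
    The candidates come from a wordlist, so any password that is a plain
    dictionary word falls no matter how slow the hash function is."""
    for candidate in wordlist:
        if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
            return candidate
    return None


def brute_force_attack(stored_hash, salt, alphabet, max_len):
    """Exhaustive brute force: every string over `alphabet` up to `max_len`.
    No wordlist is involved, so a 'no dictionary words' rule does nothing here;
    only password length and alphabet size raise the cost."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if hmac.compare_digest(hash_password(candidate, salt), stored_hash):
                return candidate
    return None


def check_password_policy(password, user_id, history, wordlist=DICTIONARY, history_depth=12):
    """Apply the deployment rules from questions 17 and 18 and return the violations.
    `history` is a list of (salt, hash) pairs for previous passwords, oldest first;
    only the last `history_depth` entries are consulted (the '12 passwords' example)."""
    violations = []
    if password.lower() == user_id.lower():
        violations.append("same as user id")
    if password.lower() in {w.lower() for w in wordlist}:
        violations.append("dictionary word")
    for old_salt, old_hash in history[-history_depth:]:
        if hmac.compare_digest(hash_password(password, old_salt), old_hash):
            violations.append("reused within password history")
            break
    return violations


if __name__ == "__main__":
    salt = os.urandom(16)
    leaked = hash_password("dragon", salt)                 # constructed victim password
    print("dictionary attack recovered:", dictionary_attack(leaked, salt, DICTIONARY))
    short = hash_password("427", salt)                     # constructed 3-digit password
    print("brute force recovered:", brute_force_attack(short, salt, "0123456789", 3))
    print("policy violations for 'dragon':", check_password_policy("dragon", "jsmith", []))
```

The dictionary attack needs six hash computations to recover "dragon"; the brute force needs a few hundred to recover "427" and would need none of the wordlist. That is why the dictionary-word rule answers question 18 but is no substitute for length and a large character set.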
19. What type of attack occurs when a rogue application has been planted on an unsuspecting user's workstation?
A. Logical attacks
B. Physical attacks
C. Trojan Horse attacks
D. Social Engineering attacks

Answer: C

Explanation: Trojan Horse attacks: this attack involves a rogue, Trojan horse application that has been planted on an unsuspecting user's workstation. The Trojan horse waits until the user submits a valid PIN from a trusted application, which unlocks use of the smartcard's private key, and then asks the smartcard to digitally sign some rogue data. The operation completes, but the user never knows that their private key was just used against their will. The card cannot tell which host application is asking, so the defense is to require the PIN for every signing operation (ideally entered on a reader with its own PIN pad) rather than once per session. Physical attacks involve physical access to hardware such as a network cable or keyboard. Social engineering attacks are based on taking advantage of human interaction rather than technology itself (frequently, they don't even require access to a computer). "Logical attack" is not a standard name for this scenario, although many attacks do involve the use of logic to figure out how an application works and where its security vulnerabilities may be.
Section 1.5.2: Trojan Horses
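The attack described in question 19 works because the card treats a PIN as valid for a whole session, and the mitigation is to make it valid for one operation. The simulation below is an added example, not CertiGuide code: the card, the PIN, the trusted application and the Trojan horse are all constructed here, and the on-card "private key" is an HMAC secret standing in for a real RSA/ECDSA key so that the example runs with the standard library only. The `always_authenticate` flag is modelled on the PKCS#11 attribute CKA_ALWAYS_AUTHENTICATE, which requires a fresh PIN before each use of a key.

```python
"""Added example: a Trojan horse on the workstation piggybacks on a verified
PIN (question 19), and a per-operation PIN requirement stops it."""
import hashlib
import hmac
import os
from typing import Optional


class SimulatedSmartcard:
    """Minimal card model: PIN verification gates use of an on-card key that is
    never exported. With always_authenticate=True the verification is consumed
    by exactly one signing operation (cf. PKCS#11 CKA_ALWAYS_AUTHENTICATE)."""

    def __init__(self, pin: str, always_authenticate: bool = False):
        self._pin = pin.encode("utf-8")
        self._key = os.urandom(32)            # stays on the "card"; HMAC stand-in for a private key
        self._pin_verified = False
        self._always_authenticate = always_authenticate
        self.signed_data = []                 # audit trail of everything the key signed

    def verify_pin(self, pin: str) -> bool:
        self._pin_verified = hmac.compare_digest(pin.encode("utf-8"), self._pin)
        return self._pin_verified

    def sign(self, data: bytes) -> bytes:
        """Sign with the on-card key. The card has no idea which host process is asking."""
        if not self._pin_verified:
            raise PermissionError("PIN not verified")
        signature = hmac.new(self._key, data, hashlib.sha256).digest()
        self.signed_data.append(data)
        if self._always_authenticate:
            self._pin_verified = False        # the PIN was good for this one operation only
        return signature

    def verify(self, data: bytes, signature: bytes) -> bool:
        """Stand-in for public-key verification (an HMAC needs the secret; a real signature would not)."""
        expected = hmac.new(self._key, data, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def trusted_app(card: SimulatedSmartcard, pin: str, document: bytes) -> bytes:
    """The legitimate application: prompts the user for the PIN, then signs the document."""
    if not card.verify_pin(pin):
        raise PermissionError("wrong PIN")
    return card.sign(document)


def trojan_horse(card: SimulatedSmartcard, rogue_data: bytes) -> Optional[bytes]:
    """The planted application: never learns the PIN, it just waits for the
    verified state the trusted application leaves behind and signs its own data."""
    try:
        return card.sign(rogue_data)
    except PermissionError:
        return None


def run_scenario(always_authenticate: bool) -> bool:
    """True if the Trojan horse obtained a valid signature over its rogue data."""
    card = SimulatedSmartcard(pin="1234", always_authenticate=always_authenticate)
    trusted_app(card, "1234", b"purchase order 42: approved")      # constructed document
    rogue = b"transfer all funds to account 99"                     # constructed rogue data
    rogue_sig = trojan_horse(card, rogue)
    return rogue_sig is not None and card.verify(rogue, rogue_sig)


if __name__ == "__main__":
    print("session PIN, Trojan signs rogue data:", run_scenario(always_authenticate=False))
    print("PIN per operation, Trojan signs rogue data:", run_scenario(always_authenticate=True))
```

Requiring the PIN per operation shrinks the window from "the whole session" to "exactly the operations the user approved", but a Trojan on the same host can still capture the PIN keystrokes or swap the data the trusted application sends for signing. Closing those gaps needs hardware the malware cannot reach: a reader with its own PIN pad, and a display that shows what is about to be signed.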
20. Which of the following attacks could be the most successful when the security technology is properly implemented and configured?
A. Logical attacks
B. Physical attacks
C. Trojan Horse attacks
D. Social Engineering attacks

Answer: D

Explanation: Social Engineering attacks: in computer security systems this type of attack is usually the most successful, especially when the security technology is properly implemented and configured, because it relies on human weaknesses rather than technical flaws. An example of a social engineering attack has an attacker impersonating a network service technician: the "technician" approaches a low-level employee and requests their password for network servicing purposes. When smartcards are used instead of passwords, this type of attack is a bit more difficult, since most people would not hand an impersonator both their smartcard and its PIN for service purposes. Logical, physical and Trojan horse attacks are often much less successful when security is properly implemented on a network.
Section 1.4.9: Social Engineering & Section 1.6: Social Engineering & Section 5.1.2: Social Engineering
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved. Not responsible for any loss resulting from the use of this site.