CertiGuide to Security+  9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)

Getting Ready for Chapter 1 - Questions 1 1.0  General Security Concepts

1. Bell La-Padula features:

A. DAC

B. Quack

C. MAC

D. All choices are correct

Explanation: MAC (Mandatory Access Control)

“Division (B): Mandatory Protection The notion of a TCB that preserves the integrity of sensitivity labels and uses them to enforce a set of mandatory access control rules is a major requirement in this division. Systems in this division must carry the sensitivity labels with major data structures in the system.”³⁵

DAC or Discretionary Access Control is, by definition, optional. The reference to Bell La-Padula is derived from a white paper published in November 1973 by David Ellott Bell and L. J. LaPadula titled Secure Computer Systems: A mathematical Model. This mathematical discourse is the basis for DoD Class B Trusted Computer systems.

2. Kerberos features

A. Scalability for large environments

B. Authentication over untrustworthy networks

C. Asymmetric encryption

D. Creates three session keys

Explanation: Kerberos is an authentication system created by MIT to allow for the exchange of private information on an untrusted network.³⁶ Kerberos uses symmetric encryption and the Authentication Server (AS) creates two temporary session keys³⁷.

3. CHAP:

A. Uses a three-way handshake

B. Encrypts the process using RC4

C. Repeats the challenge at random intervals

D. Is stronger than Kerberos

Explanation: The Challenge-Handshake Authentication Protocol uses a three way handshake that is repeated on a random basis³⁸.Generally speaking³⁹, Kerberos is more secure than CHAP. Note that both Kerberos⁴⁰ and CHAP⁴¹ have issues.

4. All SmartCards utilize:

A. Biometrics

B. SecureID Tokens

C. Certificates

D. All choices are correct

Explanation: Basic smart cards have a limited storage capacity (around 16k). A Certificate Authority issues a certificate to the owner of the smart card, which is stored on the card itself. When authentication is required, the user presents the physical smart card (by placing it in a card reader), and supplies a PIN number. The PIN “unlocks” the card, and allows the certificates stored on it to be retrieved and checked for authenticity. A biometric option for reading the fingerprint of the owner is an option not a requirement⁴². Similarly, some SmartCards involve the use of SecureID tokens, but this is also optional.

5. A SYN DoS attack operates by:

A. Sending repeated TCP SYNACK packets

B. Sending repeated UDP SYNACK packets

C. Sending repeated TCP SYN packets

D. Sending repeated UDP SYN packets

Explanation: Since TCP uses a 'virtual circuit', the circuit must be set up at the beginning of the conversation. UDP does not require a conversation setup, so no UDP choice is correct. The SYN attack occurs by sending SYN requests, rather than by responding to them⁴³. This is a function of the design of the protocol. The normal TCP circuit request involves a three-way handshake: the source system sending the initial SYN request, the target system replying to that SYN with a SYNACK, and then the source system replying to the target with another ACK. When the target system receives a SYN, it sends its SYNACK and keeps the request open for X time, waiting for the final ACK. If the ACK is not received, the request stays open, consuming resources on the target system. If repeated SYN’s are sent, and not completed with ACK’s, this could exhaust the target system’s resources and cause it to be unable to accept additional network connections.

Getting Ready for Chapter 1 - Questions 1 1.0  General Security Concepts