If the correct value is provided, the log-in is permitted, and the user is granted access to the computer system. Electronic monitoring is not a problem with one-time passwords because each time the user is authenticated to the computer, a different “password” is used. A hacker could learn the one-time password through electronic monitoring, but it would be of no value.
Passwords and personal identification numbers (PINs) have weaknesses such as disclosing and guessing. Passwords combined with PINs are better than passwords only. Both passwords and PINs are subject to electronic monitoring. Simple encryption of a password that will be used again does not solve the monitoring problem because encrypting the same password creates the same cipher-text; the cipher-text becomes the password.
211. Some security authorities believe that re-authentication of every transaction provides stronger security procedures. Which of the following security mechanisms is
a. Recurring passwords
b. Nonrecurring passwords
c. Memory tokens
d. Smart tokens
Nonrecurring passwords are incorrect because they provide a strong form of re-authentication. Examples include a challenge-response protocol or a dynamic password generator where a unique value is generated for each session. These values are not repeated and are good for that session only.
Tokens can help in re-authenticating a user or transaction. Memory tokens store but do not process information. Smart tokens expand the functionality of a memory token by incorporating one or more integrated circuits into the token itself. In other words, smart tokens store and process information. Except for passwords, all the other methods listed in the question are examples of advanced authentication methods that can be applied to re-authentication.
212. Which of the following lists a pair of compatible functions within the IT organization?
a. Computer operations and applications programming
b. Systems programming and data security administration
c. Quality assurance and data security administration
d. Production job scheduling and computer operations
The other three choices are incorrect because they are examples of incompatible functions. The rationale is to minimize such functions that are not conducive to good internal control structure. For example, if a computer operator is also responsible for production job scheduling, he could submit unauthorized production jobs.
213. A security label, or access control mechanism, is supported by which of the following access control policies?
a. Role-based policy
b. Identity-based policy
c. User-directed policy
d. Mandatory access control policy