Complex passwords are incorrect because they may reduce the likelihood of a successful guessing attack. By requiring the use of long passwords that do not appear in common dictionaries, attackers may be forced to try every possible password.
System and network security controls are incorrect because they may be employed to prevent an attacker from gaining access to a system or installing malicious software (malware).
305. Which of the following is the correct description of roles between a registration authority (RA) and a credential service provider (CSP) involved in identity proofing?
a. The RA may be a part of the CSP.
b. The RA may be a separate entity.
c. The RA may be a trusted relationship.
d. The RA may be an independent entity.
305. c. The RA may be a part of the CSP, or it may be a separate and independent entity; however, a trusted relationship always exists between the RA and the CSP. Either the RA or the CSP must maintain records of the registration. The RA and CSP may provide services on behalf of an organization or may provide services to the public.
306. What is spoofing?
a. Active attack
b. Passive attack
c. Surveillance attack
d. Exhaustive attack
306. a. Spoofing is a tampering activity and is an active attack. Sniffing is a surveillance activity and is a passive attack. An exhaustive attack (i.e., a brute-force attack) consists of discovering secret data by trying all possibilities and checking each for correctness. For a four-digit password, you might start with 0000 and move to 0001 and 0002, continuing until 9999.
307. Which of the following is an example of infrastructure threats related to the registration process required in identity proofing?
a. Separation of duties
b. Record keeping
c. Impersonation
d. Independent audits
307. c. There are two general categories of threats to the registration process: impersonation and either compromise or malfeasance of the infrastructure (RAs and CSPs). Infrastructure threats are addressed by normal computer security controls such as separation of duties, record keeping, and independent audits.
308. In electronic authentication, which of the following is not trustworthy?
a. Claimants
b. Registration authorities
c. Credential service providers
d. Verifiers
308. a. Registration authorities (RAs), credential service providers (CSPs), verifiers, and relying parties are ordinarily trustworthy in the sense of being correctly implemented and not deliberately malicious. However, claimants or their systems may not be trustworthy, or else their identity claims could simply be trusted. Moreover, whereas RAs, CSPs, and verifiers are normally trustworthy, they are not invulnerable and could become corrupted. Therefore, protocols that expose long-term authentication secrets more than is absolutely required, even to trusted entities, should be avoided.
309. An organization is experiencing excessive turnover of employees. Which of the following is the best access control policy in this situation?
a. Rule-based access control (RuBAC)
b. Mandatory access control (MAC)
c. Role-based access control (RBAC)
d. Discretionary access control (DAC)
309. c. Employees can come and go, but their roles do not change, such as a doctor or nurse in a hospital. With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Employee names may change, but the roles do not. This access control model is the best for organizations experiencing excessive employee turnover.
Rule-based access control and mandatory access control are the same because they are based on specific rules relating to the nature of the subject and object. Discretionary access control is a means to restrict access to objects based on the identity of subjects and/or groups to which they belong.
310. The principle of least privilege supports which of the following?
a. All or nothing privileges
b. Super-user privileges
c. Appropriate privileges
d. Creeping privileges
310. c. The principle of least privilege refers to granting users only those accesses required to perform their duties. Only the concept of “appropriate privilege” is supported by the principle of least privilege.
311. What is password management an example of?
a. Directive control
b. Preventive control
c. Detective control