IT 366 Final Exam Questions with Correct Answers
The concept of identity (who a person is, or what a system component is) is critical:
- Should someone/something be allowed to use system resources?
- Did a message really come from the entity it appears to be from?
- Can a recipient convince a third-party a message could only have come from one entity?
Which service applies to each of the questions above?
Authentication of origin.

The IATF defined 4 steps for access control:
- Identification and authentication (I&A); authorization; decision; enforcement.
What is meant by each of these?
I&A is having someone identify themselves. Authorization is authorizing them into the system. Decision is the decision that was made to allow them into the system.

Role-based access control considers not only "who" someone is, but something else - what is it?
Based on what their role is, they are granted different access.

There are three fundamental ways to authenticate a person's identity. What are they? Can you give an example of each?
- Something you know: a password.
- Something you have: an access card.
- Something you are/do: biometrics.

Multi-factor authentication combines two or more methods, typically from different fundamental ways as described above. Can you give an example?
Having a password and a key card would be an example of multi-factor authentication.

Passwords (or similar) must never be stored in a database, file, or other permanent storage, even if encrypted. What is the acceptable technique?
Salted hash of a password.
- The least significant 7 bits are taken and the system generates a pseudorandom 12-bit value called the salt.
- Normally derived from a number generator which is seeded from a date-time value.

Passwords and similar authentication data must not be sent "in the clear" over an insecure channel. Why not?
It is thought that if the system can obtain your password then so can a hacker.
Written for
- Institution: IT 366 GMU
- Course: IT 366 GMU

Document information
- Uploaded on: June 24, 2024
- Number of pages: 12
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers