D430 Fundamentals of Information Security
Free D430 Fundamentals of Information Security Questions
Which of the following would satisfy three-factor authentication requirements?
A. Password, PIN, and physical token
B. PIN, fingerprint scan, and ID scan
C. Password, fingerprint scan, and physical token
D. PIN, physical token, and ID card
Correct Answer: C. Password, fingerprint scan, and physical token
Explanation
Three-factor authentication (3FA) requires three different types of factors: something you know (e.g., password or PIN), something you have (e.g., a physical token), and something you are (e.g., a fingerprint scan). Option C satisfies these three factors: a password (knowledge), a fingerprint scan (biometric), and a physical token (possession).
Why other options are wrong
A. Password, PIN, and physical token
This is only two factors (something you know and something you have). A third factor is needed, such as a biometric factor like a fingerprint or retina scan.
B. PIN, fingerprint scan, and ID scan
This includes a PIN (something you know), a fingerprint scan (something you are), and an ID scan (something you have). However, the ID scan is not typically considered a valid factor for 3FA, as it’s not as secure or dynamic as a physical token.
D. PIN, physical token, and ID card
This includes a PIN (something you know), a physical token (something you have), and an ID card (which is also something you have). While ID cards are important for identification, they don’t meet the full 3FA criteria since they don’t fall under the “something you are” category, and an additional biometric factor is required.
What is the difference between authentication and authorization?
A. There is no difference between the two
B. Authentication determines access rights; authorization verifies identity
C. Authentication verifies identity; authorization determines access rights
D. None of the above
Correct Answer: C. Authentication verifies identity; authorization determines access rights
Explanation
Authentication and authorization are two distinct processes in security systems. Authentication is the process of verifying a user's identity, typically through methods like passwords, biometrics, or tokens. Authorization, on the other hand, determines the access rights or permissions a user has after their identity has been authenticated. These processes work together to ensure that users are who they claim to be and that they are only able to access resources they are permitted to use.
Why other options are wrong
A. There is no difference between the two
This is incorrect because authentication and authorization serve different purposes. Authentication verifies identity, while authorization determines access levels. They are not the same and have distinct roles in securing systems.
B. Authentication determines access rights; authorization verifies identity
This is incorrect because the definitions are reversed. Authentication verifies identity, not access rights. Authorization is responsible for determining the access rights after identity verification.
D. None of the above
This option is incorrect because option C provides the correct distinction between authentication and authorization. The statement "None of the above" does not apply in this case.
Which specialized unit is typically established within a multinational corporation to oversee and ensure compliance with intricate security protocols for safeguarding sensitive intellectual property and personal data?
A. Risk Management Department
B. Information Security Office
C. Compliance and Ethics Division
D. Corporate Governance Board
Correct Answer: B. Information Security Office
Explanation
The Information Security Office is typically responsible for ensuring that an organization's security protocols are robust enough to safeguard sensitive intellectual property, personal data, and other confidential information. This department develops, implements, and enforces security policies and practices to protect the organization from cyber threats and ensure compliance with data protection regulations.
Why other options are wrong
A. Risk Management Department
The Risk Management Department focuses on identifying, assessing, and mitigating risks across various aspects of the business. While it may involve data security to some degree, its primary role is broader, dealing with all types of organizational risks, including financial, operational, and reputational risks. It is not specifically focused on information security or compliance with security protocols.
C. Compliance and Ethics Division
The Compliance and Ethics Division ensures that the organization complies with laws, regulations, and internal policies, particularly those related to ethical conduct and legal compliance. While this division may be involved in data privacy regulations, its role is not as specialized in information security as the Information Security Office.
D. Corporate Governance Board
The Corporate Governance Board is primarily concerned with overseeing the overall governance of the corporation, including strategic decisions and the alignment of the company’s policies with corporate standards and regulations. It is not typically involved in the day-to-day enforcement of security protocols or compliance with security-specific regulations.
Which of the following scenarios BEST describes an implementation of non-repudiation?
A. A user logs into a domain workstation and accesses network file shares for another department.
B. A user remotely logs into the mail server with another user's credentials.
C. A user sends a digitally signed email to the entire finance department about an upcoming meeting.
D. A user accesses the workstation registry to make unauthorized changes to enable functionality within an application.
Correct Answer: C. A user sends a digitally signed email to the entire finance department about an upcoming meeting.
Explanation
Non-repudiation ensures that the sender of a message cannot deny having sent it. In this case, the user sending a digitally signed email provides proof of the origin of the message, as digital signatures can be traced back to the sender’s private key. This prevents the sender from later denying they were the author of the email, as the digital signature serves as irrefutable evidence of their involvement in sending the message.
Why other options are wrong
A. A user logs into a domain workstation and accesses network file shares for another department.
This scenario does not demonstrate non-repudiation because simply logging into a workstation and accessing files does not ensure proof of action or prevent the user from later denying their access. Non-repudiation requires a form of verification, such as digital signatures or logs that conclusively link the user to specific actions, which is not provided in this case.
B. A user remotely logs into the mail server with another user's credentials.
While this scenario is a violation of security protocols, it does not involve non-repudiation. The act of using someone else’s credentials can be traced, but it doesn’t prove non-repudiation since the real user could later deny their involvement, and the unauthorized user could escape identification without proper logging or auditing mechanisms.
D. A user accesses the workstation registry to make unauthorized changes to enable functionality within an application.
This action demonstrates unauthorized activity but does not provide any form of non-repudiation. Non-repudiation requires clear proof that the user performed a specific action, such as digital signatures or logging mechanisms that can’t be easily denied by the user, which is not implied in this scenario.
What type of threat vector is exploited when an employee inadvertently installs ransomware after clicking on a link in an unsolicited email that appears to be from a trusted vendor?
A. Malware from phishing attempts
B. Malware from untrusted sources
C. Malware from legitimate software
D. Malware from social engineering tactics
Correct Answer: A. Malware from phishing attempts
Explanation
Phishing is a type of social engineering attack where malicious emails are crafted to appear as if they are from trusted sources. In this scenario, the employee clicked on a link in an unsolicited email, which is a classic example of a phishing attempt that leads to malware installation, such as ransomware.
Why other options are wrong
B. Malware from untrusted sources
This option is incorrect because the attack in question uses a trusted vendor's name to deceive the employee. While the source might appear trusted, the actual vector is phishing, not from a completely untrusted source.
C. Malware from legitimate software
This option is incorrect. In this case, the ransomware was installed via phishing, not from legitimate software. Malware from legitimate software typically refers to malicious code that hides within trusted software applications, which is not the scenario described here.
D. Malware from social engineering tactics
This option is partially correct but not as precise as option A. Social engineering tactics are involved in phishing, but the specific threat vector being exploited is phishing, which is more precise and directly related to the method of attack.
When crafting a digital signature, what are the initial steps in the process performed by the sender?
A. Encrypt the message with a symmetric key.
B. Sign the message with the recipient's public key.
C. Hash the message, and then encrypt the message with the private key.
D. Hash the message, and then encrypt the digest with the private key.
Correct Answer: D. Hash the message, and then encrypt the digest with the private key.
Explanation
The process of creating a digital signature involves hashing the message to create a fixed-size digest, which is then encrypted using the sender's private key. This ensures that the signature is unique to the message and can be verified by others using the sender's public key.
Why other options are wrong
A. Encrypt the message with a symmetric key.
This option describes symmetric encryption, not digital signatures. In symmetric encryption, both the sender and recipient use the same key for encryption and decryption, but digital signatures use asymmetric encryption, with the sender using a private key and the recipient using the corresponding public key for verification.
B. Sign the message with the recipient's public key.
This is incorrect because digital signatures are created using the sender's private key, not the recipient's public key. The recipient's public key is used later for verifying the signature, not for creating it.
C. Hash the message, and then encrypt the message with the private key.
This is incorrect because encrypting the entire message with the private key would not be a digital signature. Instead, the hash of the message is encrypted with the private key to create the signature, not the entire message itself.
Elizabeth wants to implement a cloud-based authorization system. Which of the following protocols is she most likely to use for that purpose?
A. OpenID
B. Kerberos
C. SAML
D. OAuth
Correct Answer: D. OAuth
Explanation
OAuth is a protocol commonly used in cloud-based authorization systems. It is an open standard for token-based authentication and authorization that allows third-party services to exchange access rights without sharing passwords. OAuth is widely used for granting access to cloud-based resources by enabling authorization without sharing the user’s credentials directly.
Why other options are wrong
A. OpenID
OpenID is a decentralized authentication protocol, but OAuth is typically used in conjunction with OpenID for authorization purposes. While OpenID allows users to authenticate, OAuth is specifically designed to handle authorization (granting access to resources).
B. Kerberos
Kerberos is a network authentication protocol designed for secure authentication within a single domain. It is not typically used for cloud-based systems, as it is more suitable for enterprise environments requiring ticket-based authentication in a trusted network.
C. SAML
SAML (Security Assertion Markup Language) is also an authentication and authorization protocol used in enterprise Single Sign-On (SSO) systems. While it can be used in cloud environments, OAuth is more commonly employed in cloud-based applications for its flexibility and support for modern web services.
When assessing biometric recognition systems, which of the following factors is crucial for ensuring user satisfaction and system effectiveness beyond financial implications?
A. Integration with existing systems
B. Cost of implementation
C. Aesthetic design of the hardware
D. Brand reputation of the vendor
Correct Answer: A. Integration with existing systems
Explanation
Integration with existing systems is critical for ensuring the effectiveness of biometric recognition systems because it ensures smooth interoperability with current infrastructure. A system that can seamlessly integrate with other organizational tools and security systems will be more efficient, reliable, and user-friendly. This also improves the user experience by reducing disruptions and making the system more accessible and functional for daily operations.
Why other options are wrong
B. Cost of implementation
While the cost is an important factor, it is not directly related to user satisfaction or system effectiveness. Focusing too heavily on the cost could result in choosing a solution that is not well-suited to the organization's needs or does not integrate effectively with existing systems.
C. Aesthetic design of the hardware
Aesthetic design, while important for user comfort, is not a crucial factor in the system’s overall effectiveness. Functionality, security, and integration are far more important for ensuring that the biometric system performs well and serves its intended purpose.
D. Brand reputation of the vendor
Although vendor reputation can offer some assurances about product quality and support, it is not as directly related to the user experience or the system's effectiveness as integration with existing systems. A well-integrated system can be more important than the vendor's reputation when considering long-term functionality.
Which of the following implementations best employs the advantages of location-based authentication, while minimizing its disadvantages?
A. Pinpointing an individual user's terminal by tracing their IP address back to their physical location
B. Employing user's phone geolocation data to verify their credentials to access a secure website
C. Enforcing a mandatory "check in" policy on social media for users on remote access calls
D. Activating location-based technology to operate a Virtual Private Network (VPN) gateway to restrict access to users from foreign countries
Correct Answer: B. Employing user's phone geolocation data to verify their credentials to access a secure website
Explanation
Using geolocation data from a user's phone to verify their credentials provides a more precise and practical method for location-based authentication. This technique is effective in confirming that the user is physically located in a trusted location, such as their home or workplace, before granting access to sensitive systems. It leverages a readily available technology that is secure and has minimal disadvantages compared to other methods.
Why other options are wrong
A. Pinpointing an individual user's terminal by tracing their IP address back to their physical location
This method has several disadvantages, including inaccuracies in pinpointing a user's physical location due to the use of VPNs or proxy servers. It also doesn't consider situations where the user may be traveling or using a different device, making it less reliable for authentication purposes.
C. Enforcing a mandatory "check in" policy on social media for users on remote access calls
This approach is not secure because it relies on social media platforms, which could be compromised or exploited. It also places a significant burden on users and opens up potential privacy issues, making it less practical for authentication purposes.
D. Activating location-based technology to operate a Virtual Private Network (VPN) gateway to restrict access to users from foreign countries
While this could prevent access from unauthorized locations, it is a restrictive and blunt approach. It limits access for legitimate users who may be traveling internationally or using mobile devices, and it could cause legitimate users to be blocked, making it a less efficient solution compared to using phone geolocation data.
To defeat brute-force attacks, what must a password be?
A. Long
B. Complex
C. Both A and B
D. Neither A nor B
Correct Answer: C. Both A and B
Explanation
To effectively defeat brute-force attacks, a password must be both long and complex. A long password increases the number of possible combinations an attacker must guess, while complexity (using a mix of uppercase, lowercase, numbers, and special characters) makes it harder for attackers to guess or crack the password. Combining both length and complexity makes it significantly more difficult for an attacker to break the password via brute force.
Why other options are wrong
A. Long
While a long password can help improve security, it needs to be paired with complexity to be truly effective against brute-force attacks. A very long but simple password (e.g., "aaaaaaaaaaaa") can still be cracked relatively quickly.
B. Complex
A complex password is important, but without sufficient length, it may not provide enough protection against brute-force attacks. For instance, a complex but short password (e.g., "x7#eF!") can still be vulnerable.
D. Neither A nor B
This is incorrect because both long and complex passwords are necessary to effectively defend against brute-force attacks. Simply relying on one without the other is not sufficient.