Topic 1: Access Control
Which of the following is NOT a technique used to perform a penetration test?
A. traffic padding
B. scanning and probing
C. war dialing
D. sniffing
traffic padding
Traffic padding is a countermeasure to traffic analysis.
Even if perfect cryptographic routines are used, the attacker can still learn the
amount of traffic that was generated. The attacker might not know what Alice and Bob were
talking about, but can know that they were talking and how much they talked. In certain
circumstances this can be very bad. Consider for example a military organising a
secret attack against another nation: merely knowing that there is a lot of secret activity going on may suffice to alert the other nation.
As another example, when encrypting Voice Over IP streams that use variable bit rate
encoding, the number of bits per unit of time is not obscured, and this can be exploited to
guess spoken phrases.
Padding messages is a way to make traffic analysis harder. Normally, a number of
random bits are appended to the end of the message, with an indication at the end of how
much random data was added. The padding length should have a minimum value of 0, a maximum
value of N and a uniform distribution between the two extremes. Note that raising the minimum above 0 does not help; only increasing N helps, though that also means that a lower percentage of
the channel will be used to transmit real data. Also note that, since the cryptographic
routine is assumed to be uncrackable (otherwise the padding length itself is crackable), it
does not help to put the padding anywhere else, e.g. at the beginning, in the middle, or in a
sporadic manner.
The other answers are all techniques used to do Penetration Testing.
References: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the Ten
Domains of Computer Security, pages 233, 238.
and
https://secure.wikimedia.org/wikipedia/en/wiki/Padding_%28cryptography%29#Traffic_analysis
Which type of password token involves time synchronization?
A. Static password tokens
B. Synchronous dynamic password tokens
C. Asynchronous dynamic password tokens
D. Challenge-response tokens
Synchronous dynamic password tokens
Synchronous dynamic password tokens generate a new unique password
value at fixed time intervals, so the server and token need to be synchronized for the
password to be accepted.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, John Wiley & Sons, 2001, Chapter 2: Access control
systems (page 37).
Also check out: HARRIS, Shon, All-In-One CISSP Certification Exam Guide, McGraw-
Hill/Osborne, 2002, chapter 4: Access Control (page 136).
What is Kerberos?
A. A three-headed dog from Egyptian mythology.
B. A trusted third-party authentication protocol.
C. A security model.
D. A remote authentication dial in user server.
A trusted third-party authentication protocol.
This is correct because that is exactly what Kerberos is.
The following answers are incorrect:
A three-headed dog from Egyptian mythology. This is incorrect because we are dealing with
information security, and in any case the three-headed dog comes from Greek mythology, not Egyptian mythology.
A security model. This is incorrect because Kerberos is an authentication protocol, not merely a
security model.
A remote authentication dial in user server. This is incorrect because Kerberos is not a remote
authentication dial in user server; that would be RADIUS.
How can an individual/person best be identified or authenticated to prevent local
masquerading attacks?
A. UserId and password
B. Smart card and PIN code
C. Two-factor authentication
D. Biometrics
Biometrics
The only way to be truly positive in authenticating identity for access is to
base the authentication on the physical attributes of the persons themselves (i.e., biometric
identification). Physical attributes cannot be shared, borrowed, or duplicated. They ensure
that you do identify the person, however they are not perfect and they would have to be
supplemented by another factor.
Some people are getting thrown off by the term Masquerade. In general, a masquerade is
a disguise. In terms of communications security issues, a masquerade is a type of attack
where the attacker pretends to be an authorized user of a system in order to gain access to
it or to gain greater privileges than they are authorized for. A masquerade may be attempted through the use of stolen logon IDs and passwords, through finding security
gaps in programs, or through bypassing the authentication mechanism. Spoofing is another term used to describe this type of attack as well.
A UserId only provides for identification.
A password is a weak authentication mechanism since passwords can be disclosed,
shared, written down, and more.
A smart card can be stolen and its corresponding PIN code can be guessed by an intruder.
A smartcard can be borrowed by a friend of yours and you would have no clue as to who is
really logging in using that smart card.
Any form of two-factor authentication not involving biometrics cannot be as reliable as a
biometric system to identify the person.
Biometric identifying verification systems control people. If the person with the correct
hand, eye, face, signature, or voice is not present, the identification and verification cannot take place and the desired action (i.e., portal passage, data, or resource access) does not
occur.
As has been demonstrated many times, adversaries and criminals obtain and successfully
use access cards, even those that require the addition of a PIN. This is because these
systems control only pieces of plastic (and sometimes information), rather than people.
Real asset and resource protection can only be accomplished by people, not cards and
information, because unauthorized persons can (and do) obtain the cards and information.
Further, life-cycle costs are significantly reduced because no card or PIN administration
system or personnel are required. The authorized person does not lose physical
characteristics (i.e., hands, face, eyes, signature, or voice), but cards and PINs are
continuously lost, stolen, or forgotten. This is why card access systems require systems
and people to administer, control, record, and issue (new) cards and PINs. Moreover, the cards are an expensive and recurring cost.
NOTE FROM CLEMENT:
This question has been generating lots of interest. The keyword in the question is:
Individual (the person) and also the authenticated portion as well.
I totally agree with you that Two Factors or Strong Authentication would be the strongest
means of authentication. However, the question is not asking what is the strongest means of
authentication; it is asking what is the best way to identify the user (individual) behind the
technology. When answering questions, do not make assumptions about facts not presented in the question or answers.
Nothing can beat Biometrics in such a case. You cannot lend your fingerprint and PIN to
someone else; you cannot borrow one of my eyeballs to defeat the Iris or Retina scan.
This is why it is the best method to authenticate the user.
I think the reference is playing with semantics and that makes it a bit confusing. I have
improved the question to make it a lot clearer and I have also improved the explanations
attached to the question.
The reference mentioned above refers to authenticating the identity for access. So the
distinction is being made that there is identity and there is authentication. In the case of
physical security the enrollment process is where the identity of the user would be validated
and then the biometrics features provided by the user would authenticate the user on a one
to one matching basis (for authentication) with the reference contained in the database of
biometrics templates. In the case of system access, the user might have to provide a
username, a PIN, a passphrase, a smart card, and then provide his biometric attributes.
Biometrics can also be used for Identification purposes, where you do a one to many match.
You take a facial scan of someone within an airport and you attempt to match it with a large
database of known criminals and terrorists. This is how you could use biometrics for
Identification.
There are always THREE means of authentication; they are:
Something you know (Type 1)
Something you have (Type 2)
Something you are (Type 3)
Reference(s) used for this question:
TIPTON, Harold F. & KRAUSE, Micki, Information Security Management Handbook, 4th
edition (volume 1), 2000, CRC Press, Chapter 1, Biometric Identification (page 7).
and
Search Security at http://searchsecurity.techtarget.com/definition/masquerade
In biometrics, the "one-to-one" search used to verify a claim to an identity made by a person
is considered:
A. Authentication
B. Identification
C. Auditing
D. Authorization
Authentication
Biometric devices can be used for either IDENTIFICATION or
AUTHENTICATION.
ONE TO ONE is for AUTHENTICATION.
This means that you as a user would provide some biometric credential such as your
fingerprint. Then they will compare the template that you have provided with the one stored
in the Database. If the two are the same, that proves that you are who you claim to
be.
ONE TO MANY is for IDENTIFICATION.
A good example of this would be within an airport. Many airports today have facial recognition
cameras; as you walk through the airport it will take a picture of your face and then
compare the template (your face) with a database full of templates and see if there is a
match between your template and the ones stored in the Database. This is for IDENTIFICATION of a person.
Some additional clarification or comments that might be helpful are: Biometrics establish
authentication using specific information and comparing results to expected data. It does
not perform well for identification purposes such as scanning for a person's face in a
moving crowd for example.
Identification methods could include: username, user ID, account number, PIN, certificate,
token, smart card, biometric device or badge.
Auditing is a process of logging or tracking what was done after the identity and
authentication process is completed.
Authorization is the rights the subject is given and is performed after the identity is
established.
Reference: OIG (2007) p148, 167.
Authentication in biometrics is a "one-to-one" search to verify a claim to an identity made by
a person.
Source: KRUTZ, Ronald L. & VINES, Russel D., The CISSP Prep Guide: Mastering the
Ten Domains of Computer Security, 2001, John Wiley & Sons, Page 38.