In this Chapter, you have seen the importance of physical security. Logical controls are of little good if someone can just walk in, sit down, and start accessing computer networks and data.
In this exercise, you will look at how biometrics can be used for an access control mechanism.
13.1. Biometrics and Fingerprint Recognition
You have consulted for a company that is thinking about implementing a biometric access control system. They have asked you to provide them more information about fingerprint scanners. Therefore, in this exercise, you will examine how these devices work and enable identification based on finger ridge patterns.
Estimated Time: 30 minutes.
You're consulting for an organization that would like to know which of the following ways are the best ways to prevent hackers from uncovering sensitive information from dumpster diving. (Choose all that are correct.)
Which of the following describes a programmable lock that uses a keypad for entering a pin number or password?
How can you prevent piggybacking?
You watch over Bernie's shoulder while he types the password to log on to hushmail.com. What is this type of attack called?
A retinal scan is a scan of which of the following?
Which of the following represents the second to the lowest level of data classification in the commercial system?
Which of the following types of locks is considered more secure as it has movable metal parts that prevent the wrong key from opening the lock parts?
Discernment is an advantage of which of the following physical security controls?
You are looking at several types of biometric systems. Which of the following measurements detail the percentage of legitimate users who might be denied access because of system errors or inaccuracy?
Someone claiming to be a new vendor has shown up at your office and has presented you with several small gifts. He is now asking you set up and configuration information about the company's PBX system. You believe that you might have been targeted for social engineering. Which category of attack would this possibly qualify as?
Management has become concerned that too many people can access the building and would like you to come up with a solution that only allows one person at a time entry and can hold them there if they fail authentication. Which of the following best describes what they are asking for?
Electrical fires are classified as which of the following?
Your company has become serious about security and has changed the rules. They will no longer let you control access to company information and resources. Now, your level of access is based on your clearance level and need to know. Which of the following systems have been implemented?
Frequent password changes have made it hard for you to remember your current password. New help desk policies require them to ask you several questions for proper identification. They would like to know your mother's maiden name and your first pet's name. What is this type of authentication called?
Pedro has heard about a biometric in which he can use a gummy bear to trick a fingerprint scanner into providing him access even though he is not a legitimate user. Which of the following terms is most closely associated?
Answers to Exam Questions
1. A. and B Paper shredders are the number one defense that can be used to prevent dumpster divers from being successful. By keeping the trash in a secured location, you make it much harder for individuals to obtain information from the trash. Answer C is incorrect, as strong passwords will not prevent dumpster diving. Answer D is incorrect, as dumpster divers might not have even seen the CCTV camera and as CCTV is primarily a detective control. Replaying a tape later to find that someone has gone through the trash will not have prevented the attack.
2. A. A cipher lock is one in which a keypad is used for entering a pin number or password. These are commonly used on secured doors to control access. Answer B is incorrect, as a device lock is used to secure a piece of equipment such as a laptop. Answer C is incorrect, as a ward lock is a basic low-end padlock that is easily picked. Answer D is incorrect, as a tumbler lock is an improved version of a warded lock. Instead of wards, they use tumblers that make it harder for the wrong key to open the wrong lock.
3. B. By stationing a guard by the door, you could monitor and make sure that piggybacking is not occurring. Answer A is incorrect because although installing a CCTV camera would allow you to see who piggybacked, it might not prevent it. Answer C is incorrect, as a fingerprint reader would not prevent more than one person entering at a time. Answer D is incorrect, as installing a cipher lock would be no different from the fingerprint reader and would not prevent piggybacking.
4. B. Shoulder surfing is to look over someone's shoulder to get information. Shoulder surfing is an effective way to get information in crowded places because it's relatively easy to stand next to someone and watch as they enter a password or pin number. Answer A is incorrect, as dumpster diving is performed by digging through the trash. Answer C is incorrect, as tailgating is similar to piggybacking; it's done at a parking facility or where there is a gate that controls the access of vehicles. Answer D is incorrect, as social engineering is the art of manipulating people to gain insider information.
5. D. A retinal scan examines the blood vessel patterns of the retina; it offers a unique method of identification. It's a form of biometric authentication used for high security areas, such as military and bank facilities. Answer A is incorrect, as a pupil scan does not specifically define how a retinal scan works. Answer B is incorrect, as blood vessels are not specific to the type of scan. Answer C is incorrect, as a facial shape scan does not look specifically at the eye. Facial scans are routinely done in places such as casinos.
6. D. Sensitive is the second to the lowest level of security in the commercial data classification system. The commercial system is categorized from lowest to highest level as public, sensitive, private, and confidential. Answers A, B, and C are incorrect, as secret and top secret are both from the governmental classification system, and confidential is the highest rating in the commercial system.
7. D. Tumbler locks are more complex than a basic ward lock. Instead of wards, they use tumblers that make it harder for the wrong key to open the wrong lock. Answer A is incorrect, as a cipher lock does not use a key. It requires that you input a pin or code. Answer B is incorrect, as a combination lock is also like a cipher lock and does not require a key. Answer C is incorrect, as a warded lock is considered the cheapest and easiest lock to pick.
8. C. Guards have the ability to make a decision and judgment call in situations that require discernment. Answer A is incorrect, as CCTV can only record events for later analysis. Answer B is incorrect, as dogs are not capable of making a judgment call and might bite or injure the wrong person. Answer D is incorrect, as a biometric system cannot make a judgment call; it will either allow or block access on the results of analysis of the individual's biometric attribute.
9. C. The false rejection rate measures how many legitimate users who should have gotten in, but didn't. Answer A is incorrect, as the false acceptance rate is the measurement of unauthorized individuals who are allowed access. Answer B is incorrect, as a false positive measures the number of alarms issued by and IDS, indicating an attack that is not occurring. Answer D is incorrect, as the crossover error rate indicates the overall effectiveness of a biometric device. The lower this number, the more accurate the device.
10. B. Reciprocation is the technique of giving someone a token or small gift to make them more willing to give something in return. Answers A, C, and D are incorrect, as scarcity works by attempting to make someone believe something is in short supply so immediate action is required; social validation works on the angle of a need to do something to fit in with your peers. Authority is the act of acting as someone's boss or superior and demanding action.
11. B. A mantrap is a set of two doors. The idea behind a mantrap is that one or more people must enter the mantrap and shut the outer door before the inner door will open. Some mantraps lock both the inner and outer door if authentication fails so that the individual cannot leave until a guard arrives to verify the person's identity. Answer A is incorrect, as a turnstile controls the flow of human traffic and is similar to a one-way gate. Answer C is incorrect, as piggybacking is the act of riding in on someone's coat tails. Answer D is incorrect, as biometric authentication would not prevent more than on person at a time from entering.
12. C. Electrical fires are classified as class C fires. Answers A, B, and D are incorrect, as class A fires have elements of common combustibles such as wood and paper. class B fires are composed of flammable liquids, and class D fires are caused by flammable metals.
13. B. Your company has implemented mandatory access control. Mandatory access control features a static model and is based on a predetermined list of access privileges. This means that with a MAC model, access is determined by the system rather than the user. Answer A is incorrect, as discretionary access control places control with the end user or resource owner. Answer C is incorrect, as role-based access control is considered a nondiscretionary access control, as such a system allows users to access systems based on the role they play in an organization. Answer D is incorrect, as rule-based access control is based on a predetermined set of rules.
14. C. Cognitive passwords function by asking a series of questions about facts or predefined responses that only the user should know. Answer A is incorrect, as biometric authentication uses a physical attribute. Answer B is incorrect, as a complex password uses uppercase or lowercase letters, numbers, and special characters. Answer D is incorrect, as a security token would be something you have: as an example, a SecurID.
15. A. A false acceptance rate measures the percentage of individuals gaining entry who should not be authorized. Answer B is incorrect, as false positive is a term associated with intrusion detection to indicate something that triggered the system, yet was not an attack. Answer C is incorrect, as the false rejection rate, also known as the insult rate, is the number of legitimate users denied access. Answer D is incorrect, as the crossover error rate is used to measure the accuracy of the biometric system.
Suggested Reading and Resources
www.schneier.com/crypto-gram-0205.htmlFun with fingerprint readers
www.citer.wvu.edu/members/publications/files/15-SSchuckers-Elsevior02.pdfSpoofing and antispoofing techniques
www.securityfocus.com/infocus/1527Social engineering basics
www.faqs.org/rfcs/rfc2196.htmlRFC 2196The site security handbook
http://netsecurity.rutgers.edu/everyone/basics.phpBasic physical security techniques
http://hissa.ncsl.nist.gov/rbac/proj/paper/node3.htmlRole-based access control
http://nsa2.www.conxion.com/support/guides/sd-1.pdfDefense in depth
http://codewriters.com/asites/page.cfm?usr=clfma&pageid=887Security fence height and construction
II Final Review