701 - Chapter 2

Question 1

Within the access control process, what is the process of tracking user activity and recording the activity in the logs? This activity along with related others creates what?

Answer 1

Accounting, audit Trail

Question 2

What are the three main authentication factors, and what is the fourth?

Answer 2

Something you know, something you have, something you are… Somewhere you are

Question 3

Something you know typically refers to what?

Answer 3

A shared secret… Such as a password or a PIN

Question 4

What are the current password recommendations per Microsoft, NIST, and the US DHS?

Answer 4

Hash all passwords, require MTA, don’t require mandatory password resets, require passwords to be at least eight characters, check for common passwords and prevent their use, tell users not to use the same password on more than one site, allow all special characters, including spaces but don’t require them

Question 5

What are the four common character types included in passwords?

Answer 5

Uppercase, lowercase, numbers, special characters

Question 6

True or false the best practice for password security is to have password expiration policies

Answer 6

False… Allowing users to keep their passwords for as long as they like is considered best practice because the thinking is they will use very strong password when only having to do it one time

Question 7

True or false A password is considered complex if it uses at least three of the four character types

Answer 7

False, complex passwords will use a mix of all four character types

Question 8

What is the minimum number in days before a password can be changed called?

Answer 8

Password age

Question 9

What remembers past passwords for users and prevents them from reusing them?

Answer 9

A password history system

Question 10

What is a single source designed to keep most of your passwords?

Answer 10

Password manager or password vault

Question 11

What is KBA and what are the two types?

Answer 11

Knowledge based authentication…static and dynamic

Question 12

How is static KBA used?

Answer 12

For users with an account, it’s the security questions and answers

Question 13

How is dynamic KBA mostly used?

Answer 13

For users without an account, the site will query public and private data sources like credit reports, vehicle registrations, taxes to craft multiple-choice questions that only the user would know. In addition, there is a limited amount of time in order to answer these questions.

Question 14

What is the use of dynamic KBA to verify a new users identity when they are creating an account for the first time? And what is this an important step for?

Answer 14

Identity proofing…the provisioning process

Question 15

What is the maximum number of times a user can enter the wrong password? and how long an account remains locked is called what?

Answer 15

Account lockout threshold and account lockout duration

Question 16

Account lockout policies are meant to thwart what type of attacks?

Answer 16

Brute force, and dictionary attacks

Question 17

What are the four things that a smart card provides?

Answer 17

Confidentiality, integrity, authentication, non-repudiation

Question 18

True or false smart cards provide two factor authentication?

Answer 18

True… Something you have and something you know

Question 19

A random number that is provided to you and that you use to provide to an authentication server is called what?

Answer 19

One time password 0TP

Question 20

Hard tokens and soft tokens, both use what?

Answer 20

One time passwords, OTP

Question 21

What are the two different ways that tokens remain in sync with authentication servers regarding generating OTPs?

Answer 21

HMAC based one time password, HOTP and time based one time password TOTP

Question 22

When does a HOTP password expire? And when does a TOTP expire?

Answer 22

Does not expire until it is used, expires after 30 to 60 seconds

Question 23

True or false SMS for two step authentication is very secure

Answer 23

False it’s use is discouraged.

Question 24

What is the notification called that instead of using a code, it asks the user to acknowledge the request on their phone?

Answer 24

Push notification

Question 25

Smart cards, security keys, hard tokens, soft tokens, SMS and push notifications are all examples of what with regards to two factor authentication?

Answer 25

Something you have

Question 26

What measures some physical characteristic of the user to confirm their identity?

Answer 26

Biometrics

Question 27

True or false biometrics are the strongest form of authentication because they are the most difficult for an attack or to falsify?

Answer 27

True

Question 28

Name the seven biometric methods…

Answer 28

Fingerprints, vein matching, retina imaging, iris scanners, facial recognition, voice recognition, gait analysis

Question 29

Which of the biometric methods is used at many passport free border crossings around the world?

Answer 29

Iris scanners

Question 30

What uses the facial recognition system?

Answer 30

iPhones

Question 31

What two methods of bio metrics are the strongest

Answer 31

Iris and retina scans

Question 32

What two biometric methods are passive and can even bypass the enrollment process when used for identification instead of authorization?

Answer 32

Facial recognition and gait analysis

Question 33

What are the four possible results for a biometric system when attempting to authenticate the user?

Answer 33

False acceptance FAR, false rejection FRR, true acceptance, true rejection

Question 34

What is the metrics that refers to the performance of the biometric system under ideal conditions called?

Answer 34

Efficacy rate

Question 35

Increasing the sensitivity of a biometric system does what to the FAR and what to the FRR?

Answer 35

Decreases and increases

Question 36

What is the point where the FAR and the FRR cross?

Answer 36

The crossover error rate CER

Question 37

What do many authentication systems use for Geo location with somewhere you are?

Answer 37

The IP address

Question 38

True or false, using two methods in the same factor of authentication for example, something you know, is still two factor authentication

Answer 38

False… Two factor authentication uses two different authentication factors for example, something you have and something you know

Question 39

True or false password less authentication is not necessarily multifactor authentication?

Answer 39

True, it can still be a single something you have or something you are factor

Question 40

What is usually logged in the authentication log for a user login attempt?

Answer 40

What happened success or failure, when it happened, where it happened, typically an IP address or computer name and who which refers to the user account

Question 41

This type of account is for regular users or for the personnel working in that organization?

Answer 41

Personnel or end user accounts

Question 42

This account type is a privileged account that has additional rights and privileges beyond what a regular user has? For Linux Systems what is this account called?

Answer 42

Administrator and root accounts

Question 43

This account type allows an application to run under its context?

Answer 43

Service account

Question 44

This account type is for computers and other devices?

Answer 44

Device account

Question 45

This account type is for external entities that have access to your network?

Answer 45

Third-party accounts

Question 46

This account type is included with windows by default and allow limited access to a computer or network?

Answer 46

Guest account

Question 47

This account type can be used by temporary workers and will be shared, these accounts are also discouraged for normal work?

Answer 47

Shared and generic account/credentials

Question 48

This type of system implements stringent security controls over accounts with elevated privileges, such as administrator or root level accounts?

Answer 48

Privileged access management PAM Systems

Question 49

What is the concept of granting permissions at time of need? And what systems tend to use this concept?

Answer 49

Just in time permissions… PAM Systems

Question 50

What is a temporary account that are issued for a limited period of time and then are destroyed when the user is finished with their work?

Answer 50

Temporal accounts

Question 51

What are the five capabilities of a PAM system?

Answer 51

Allow users to access the privileged account without knowing the password, automatically change privileged account passwords, limit the time users can use the privilege account, allow users to check out credentials, log all access of credentials

Question 52

PAM Systems are the protection against what types of attacks?

Answer 52

Where an attacker gets access to administrative account and password

Question 53

What is common for administrators to have with regards to accounts?

Answer 53

To have two accounts, one as a regular day-to-day user and the other is the administrator account

Question 54

An administrator having two accounts minimizes what risk by using their normal day-to-day account?

Answer 54

Privilege escalation where malware can assume the privileges of the logged in account

Question 55

What is the process used to disable a users account when they leave the organization?

Answer 55

Deprovisioning

Question 56

Why is an account initially disabled rather than deleted?

Answer 56

Disabling the account ensures that the data associated with it remains available. One example is the security keys associated with that account that are used for encryption.

Question 57

What is it called when a user can only log onto computers during specific times?

Answer 57

Time based logins or time of day restrictions

Question 58

What is the process an Organization will perform that looks at the rights and permissions assigned to users, and helps enforce the least privilege principle?

Answer 58

An account audit or Permission auditing reviews

Question 59

What is a common problem that violates the principle of least privilege and occurs when a users granted more and more privileges due to changing job requirements but the unneeded privileges are never removed?

Answer 59

Privilege creep

Question 60

What is the formal process for reviewing user permissions called?

Answer 60

Attestation

Question 61

This review looks at the logs to see what users are doing, and it can be used to re-create an audit trail?

Answer 61

A usage audit review

Question 62

What refers to a user ability to log on once and access multiple systems without logging on again?

Answer 62

Single sign on

Question 63

What does SSO use for additional logins after the first sign on?

Answer 63

A secure token for authentication

Question 64

What is the power behind SSO Systems?

Answer 64

Their interoperability with the many operating systems, devices, applications, and services used in an organization

Question 65

What is a core component of many single sign-on systems?

Answer 65

LDAP or lightweight directory access protocol

Question 66

What is it called when two or more separate organizations want to utilize SSO? And what do they need for it to work?

Answer 66

Federation… a federated identity management system

Question 67

What can be used for SSO on web browsers and can act as a federated identity management system for them?

Answer 67

security assertion markup language, SAML

Question 68

What standard is SAML based on?

Answer 68

XML

Question 69

What are the three objects defined by SAML?

Answer 69

The principal which is typically a user, an identity provider, a service provider

Question 70

In SAML, this role creates, maintains and manages identity, information authentication, and authorization for principals?

Answer 70

Identity provider

Question 71

In SAML, this is the entity that provides services to the principles?

Answer 71

Service provider

Question 72

This is an open standard for authorization that many companies used to provide secure access to protected resources?

Answer 72

OAuth

Question 73

This authorization model uses roles based on jobs and functions?

Answer 73

Role based access control (role-BAC)

Question 74

What are two other names used for role-BAC?

Answer 74

Hierarchy based and job/task/function based

Question 75

What is a planning document at matches rules with the required privileges in role-BAC?

Answer 75

A roles and permissions matrix

Question 76

An implementation of role-BAC based on organizational groups is called what

Answer 76

Group based privileges

Question 77

What is a benefit of group based privileges?

Answer 77

They reduce the administrative workload of access management as users assigned to a group automatically inherit the privileges assigned to that group

Question 78

This authorization model uses a set of approved instructions such as an ACL?

Answer 78

Rule-based access control or rule-BAC

Question 79

What is a common example where rule – BAC is used?

Answer 79

Routers and firewalls

Question 80

How can an IPS extend rule – BAC?

Answer 80

By using rules that can trigger a response to an event such as modifying an ACL after detecting an attack or granting additional permissions to a user in certain situations

Question 81

What is the access control where objects have an owner and the owner establishes access to those objects? What is a common example?

Answer 81

Discretionary access control DAC…windows NTFS

Question 82

What is a deny by default policy? And what is another name for that?

Answer 82

If allow access is not granted the system denies access by default… An implicit deny

Question 83

This form of access control uses labels that are assigned to both subject and objects that require a match for both for access to be granted?

Answer 83

Mandatory access control MAC

Question 84

This version of Linux uses MAC?

Answer 84

Security enhanced Linux SELinux

Question 85

What does a MAC scheme use to define and illustrate different levels and labels of security to classify both users and data?

Answer 85

A lattice

Question 86

One other restriction that a MAC scheme provides is what?

Answer 86

A restriction based on a need to know

Question 87

This form of access access control, evaluates attributes, and grants access based on the value of these attributes?

Answer 87

Attribute based access control ABAC

Question 88

What commonly uses ABAC access control?

Answer 88

Software defined networks SDN

Question 89

With ABAC, what are the rules called?

Answer 89

Policy statements

Question 90

What are the four elements in an ABAC policy statement?

Answer 90

Subject, object, action, environment

Question 91

When reviewing authentication logs, what are some of the key things that you should be looking out for?

Answer 91

Account lockouts, concurrent session usage, impossible travel time, blocked content, resource consumption, resource, inaccessibility, log anomalies