Access Control

Question 1

A network administrator must grant the appropriate network permissions to a new employee. Which of the following is the best strategy?

Give the new employee user account the necessary rights and permissions.

Add the new employee user account to a group. Ensure that the group has the necessary rights and permissions.

Ask the new employee what network rights she would like.

Answer 1

Add the new employee user account to a group. Ensure that the group has the necessary rights and permissions.

The best strategy for assigning rights and permissions is to add users to groups. Working with rights and permissions for individual users becomes unmanageable beyond a small number of users. New employees can then simply be added to the appropriate group to acquire the needed access to network resources

Question 2

In securing your network, you enforce complex user passwords. Users express concern about forgetting their passwords. What should you configure to allay those concerns?

Password expiration

Periodic password change

Password hints

Answer 2

Password hints

Password hints can help a user remember a password, without revealing the actual password

Question 3

To give a contractor network access, a network administrator adds the contractor account to the Windows Administrators group. Which security principle does this violate?

Separation of duties

Least privilege

Job rotation

Answer 3

Least privilege

The least privilege principle states users should be given only the rights needed to perform their duties and nothing more. Adding a contractor to the Administrators group grants too much privilege to the contractor

Question 4

James is the branch network administrator for ABC, Inc. Recently the company headquarters requested a network security audit, so James performed an audit himself using freely available Linux tools. What is the problem with James’s actions?

The chief security officer should have conducted the audit.

Freely available tools are not reliable and should not have been used.

A third party should have been hired to conduct the audit.

Answer 4

A third party should have been hired to conduct the audit.

No one person should have control of implementing, maintaining, and auditing an IT infrastructure—this violates the separation of duties principle and presents a conflict of interest

Question 5

A secure computing environment labels data with various security classifications. Authenticated users must have clearance to read this classified data. What type of access control model is this?

Mandatory access control

Discretionary access control

Role-based access control

Answer 5

Mandatory access control

Mandatory access control (MAC) models can use security labels to classify data. These labels are then compared to a user’s sensitivity level to determine whether access is allowed

Question 6

To ease giving access to network resources for employees, you decide there must be an easier way than granting users individual access to files, printers, computers, and applications. What security model should you consider using?

Mandatory access control

Discretionary access control

Role-based access control

Answer 6

Role-based access control

Role-based access control (RBAC) would enable you to group access privileges for files, printers, computers, and applications into a single entity (a role). Users needing these rights are then simply added as occupants of the appropriate role

Question 7

Linda creates a folder called Budget Projections in her home account and shares it with colleagues in her department. Which of the following best describes this type of access control system?

Mandatory access control

Discretionary access control

Role-based access control

Answer 7

Discretionary access control

Discretionary access control enables the data owner—in this case, Linda—to grant other people access to the data

Question 8

You require that users not be logged on to the network after 6 p.m. while you analyze network traffic during nonbusiness hours. What should you do?

Unplug their stations from the network.

Tell users to press ctrl-alt-del to lock their stations.

Configure time-of-day restrictions to ensure nobody can be logged in after 6 p.m.

Answer 8

Configure time-of-day restrictions to ensure nobody can be logged in after 6 p.m.

Network operating systems (NOSs) can control when users can and cannot log on, as well as end existing logon sessions based on time of day

Question 9

One of your users, Matthias, is taking a three-month sabbatical because of a medical condition, after which he will return to work. What should you do with Matthias’s user account?

Delete the account and re-create it when he returns.

Disable the account and enable it when he returns.

Export his account properties to a text file for later import and then delete it.

Answer 9

Disable the account and enable it when he returns.

Disabling his account will prevent anyone from logging on with the account but will preserve all of the account settings. When he returns, you can simply enable the account

Question 10

During an IT security meeting, the topic of account lockout surfaces. When you suggest all user accounts be locked for 30 minutes after three incorrect logon attempts, your colleague Phil states that this is a serious problem when applied to administrative accounts. What types of issues might Phil be referring to?

Dictionary attacks could break into administrative accounts.

Administrative accounts are placed into administrative groups.

DoS attacks could render administrative accounts unusable.

Answer 10

DoS attacks could render administrative accounts unusable.

Denial-of-service (DoS) attacks render a legitimate network service unusable. Attempting three incorrect logon attempts every half hour to privileged administrative accounts would effectively keep those accounts locked, thus preventing legitimate use of those accounts

Question 11

Your VPN appliance is configured to disallow user authentication unless the user or group is listed as allowed. Regarding blocked users, what best describes this configuration?

Implicit allow

Implicit deny

Explicit allow

Answer 11

Implicit deny

Implicit denial means all are denied unless specifically allowed; there are no specific listings of users or computers that are denied

Question 12

Margaret is the head of Human Resources for Emrom, Inc. An employee does not want to use his annual vacation allotment, but Margaret insists it is mandatory. What IT benefit is derived from mandatory vacations?

Irregularities in job duties can be noticed when another employee fills that role.

Users feel recharged after time off.

Emrom, Inc., will not be guilty of labor violations.

Answer 12

Irregularities in job duties can be noticed when another employee fills that role.

It is easy for another employee to spot inconsistencies or irregularities when someone is on vacation

Question 13

What type of attack is mitigated by strong, complex passwords?

DoS

Dictionary

Brute force

Answer 13

Dictionary

Stronger passwords make it more difficult for dictionary password attacks to succeed. A stronger password is a minimum of eight characters, where those characters might be a combination of uppercase letters, lowercase letters, symbols, and numerals

Question 14

A government contract requires your computers to adhere to mandatory access control methods and multilevel security. What should you do to remain compliant with this contract?

Patch your current operating system.

Purchase new network hardware.

Use a trusted OS.

Answer 14

Use a trusted OS.

A trusted OS uses a secured OS kernel that supports mandatory access control (MAC), which applies security centrally to adhere with security policies. This type of OS is considered too strict for general use and is typically applicable only in high-security environments

Question 15

Which term is best defined as an object’s list of users, groups, processes, and their permissions?

ACE

ACL

Active Directory

Answer 15

ACL

Access control lists (ACLs) detail which users, groups, or processes have permissions to an object, such as a file or folder

Question 16

Users complain that they must remember passwords for a multitude of user accounts to access software required for their jobs. How can this be solved?

SSO

ACL

PKI

Answer 16

SSO

Single sign-on (SSO) enables a user to authenticate once to multiple resources that would otherwise require separate logins

Question 17

What security model uses data classifications and security clearances?

DAC

PKI

MAC

Answer 17

MAC

MAC is a security model that classifies data according to sensitivity that enables access only to those with proper clearance

Question 18

Which of the following is an example of physical access control?

Encrypting the USB flash drive

Disabling USB ports on a computer

Using cable locks to secure laptops

Answer 18

Using cable locks to secure laptops

Locking laptops down with a cable lock physically prevents the theft of laptops

Question 19

A technician notices unauthorized computers accessing a sensitive protected network. What solution should the technician consider?

Network encryption

VPN

NAC

Answer 19

NAC

Network Access Control (NAC) is software or a network appliance that can verify that connecting computers are allowed to access the network. This can be done by checking PKI certificates, checking that antivirus software is installed and updated, and so on

Question 20

A network administrator, Justin, must grant various departments read access to the Corp_Policies folder and grant other departments read and write access to the Current_Projects folder. What strategy should Justin employ?

Add all departmental users to the shared folder ACLs with the appropriate permissions.

Create one group, add members, and add the group to the folder ACLs with the appropriate permissions.

Create a group for each department and add members to the groups. Add the groups to the folder ACLs with the appropriate permissions.

Answer 20

Create a group for each department and add members to the groups. Add the groups to the folder ACLs with the appropriate permissions.

Each department should have its own group with department employees as members. This facilitates granting group members access to the appropriate resources

Question 21

What provides secure access to corporate data in accordance with management policies?

SSL

Technical controls

Integrity

Answer 21

Technical controls

Technical controls include any hardware or software solution using access control in adherence with established security policies

Question 22

Which of the following are considered administrative controls? (Choose two.)

Personnel hiring policy

VPN policy

Disk encryption policy

Separation of duties

Answer 22

Personnel hiring policy

Separation of duties

Hiring correct personnel and ensuring no single employee has control of a business transaction (separation of duties) are part of creating a business management foundation; these are examples of administrative controls

Question 23

What is the difference between security clearances and classification labels? (Choose two.)

There is no difference.

Classification labels identify data sensitivity.

Security clearances identify data sensitivity.

Security clearances are compared with classification labels.

Answer 23

Classification labels identify data sensitivity.

Security clearances are compared with classification labels.

Data sensitivity is referred to with classification labels. Security clearances are compared against these labels to determine whether access is granted

Question 24

Complex passwords are considered which type of security control?

Management

Technical

Physical

Answer 24

Technical

Technical security controls are put in place to protect computing resources such as files, web sites, databases, and so on. Passwords prevent everybody from accessing network resources

Question 25

A legitimate e-mail message ends up being flagged as spam. Which term best describes this situation?

False positive

True negative

False negative

Answer 25

False positive

A false positive is triggered when an occurrence is incorrectly determined to be malicious

Question 26

Traveling employees are given a cable lock and told to lock down their laptops when stepping away from the device. To which class of security control does this apply?

Deterrent

Preventative

Detective

Answer 26

Preventative

Preventative security controls prevent security breaches, such as the theft as a laptop

Question 27

Which type of access control type does a router use to allow or deny network traffic?

Role-based access control

Mandatory access control

Rule-based access control

Answer 27

Rule-based access control

Routers use rules to determine whether to allow or deny network traffic

Question 28

As a server administrator, you configure security settings such that complex passwords at least eight characters long must be used by all user accounts. What type of management practice is this?

Expiration

Recovery

Credential

Answer 28

Credential

The management of usernames, passwords, security certificates, and so on, is considered credential management

Question 29

You are a security auditing professional. After evaluating Linux server and file usage, you determine that members of the IT administrative team regularly log in to Linux servers using the root account while performing regular computer tasks. Which recommendations should you make based on your findings? (Choose three.)

Do not allow multiple users to use generic credentials.

Conduct periodical user access reviews.

Monitor Linux server use continuously.

Encrypt all files on Linux servers.

Answer 29

Do not allow multiple users to use generic credentials.

Conduct periodical user access reviews.

Monitor Linux server use continuously.

Each member of the IT team should use his or her own user account when performing regular computer tasks. Periodically reviewing user access and server usage will ensure that security controls are effective for the Linux servers

Question 30

At which point should an employee sign a nondisclosure agreement (NDA)?

When the user is promoted

When the user is moved to a lower security clearance level

During the user onboarding process

Answer 30

During the user onboarding process

User onboarding involves user training, orientation, and, if required, the signing of a nondisclosure agreement (NDA). The NDA is necessary if the user will be working with private or secret information

Question 31

You are responsible for configuring the use of tablets in a medical clinic. Doctors would like patient charts to be available only from within the facility. What should you configure?

Encryption policy

Location-based policy

VPN policy

Answer 31

Location-based policy

Location-based policies can use GPS and/or beacons to determine the location of a mobile device such as a tablet; this allows access to IT systems and data only from within a specific physical area

Question 32

Ana is the Windows Server administrator for a federal government department. All departmental Windows servers are joined to a single Active Directory domain. New regulations require user password history to be retained to prevent password reuse. Using the least amount of administrative effort, how can Ana enforce the new settings to all departmental users?

PowerShell

Group Policy

Local Group Policy

Answer 32

Group Policy

In an Active Directory environment, Group Policy allows the central configuration of settings (including password settings) that can apply to many users and computers

Question 33

Your IT team has documented a disaster recovery plan in the event of a web application failure. What type of control is this?

Preventative

Deterrent

Corrective

Answer 33

Corrective

Corrective actions mitigate damage once it has occurred, such as a disaster recovery plan