Access Control Flashcards
A network administrator must grant the appropriate network permissions to a new employee. Which of the following is the best strategy?
Give the new employee user account the necessary rights and permissions.
Add the new employee user account to a group. Ensure that the group has the necessary rights and permissions.
Ask the new employee what network rights she would like.
Add the new employee user account to a group. Ensure that the group has the necessary rights and permissions.
The best strategy for assigning rights and permissions is to add users to groups. Working with rights and permissions for individual users becomes unmanageable beyond a small number of users. New employees can then simply be added to the appropriate group to acquire the needed access to network resources
In securing your network, you enforce complex user passwords. Users express concern about forgetting their passwords. What should you configure to allay those concerns?
Password expiration
Periodic password change
Password hints
Password hints
Password hints can help a user remember a password, without revealing the actual password
To give a contractor network access, a network administrator adds the contractor account to the Windows Administrators group. Which security principle does this violate?
Separation of duties
Least privilege
Job rotation
Least privilege
The least privilege principle states that users should be given only the rights needed to perform their duties and nothing more. Adding a contractor to the Administrators group grants far more privilege than the contractor needs
James is the branch network administrator for ABC, Inc. Recently the company headquarters requested a network security audit, so James performed an audit himself using freely available Linux tools. What is the problem with James’s actions?
The chief security officer should have conducted the audit.
Freely available tools are not reliable and should not have been used.
A third party should have been hired to conduct the audit.
A third party should have been hired to conduct the audit.
No one person should have control of implementing, maintaining, and auditing an IT infrastructure—this violates the separation of duties principle and presents a conflict of interest
A secure computing environment labels data with various security classifications. Authenticated users must have clearance to read this classified data. What type of access control model is this?
Mandatory access control
Discretionary access control
Role-based access control
Mandatory access control
Mandatory access control (MAC) models can use security labels to classify data. These labels are then compared to a user’s sensitivity level to determine whether access is allowed
To ease giving access to network resources for employees, you decide there must be an easier way than granting users individual access to files, printers, computers, and applications. What security model should you consider using?
Mandatory access control
Discretionary access control
Role-based access control
Role-based access control
Role-based access control (RBAC) would enable you to group access privileges for files, printers, computers, and applications into a single entity (a role). Users needing these rights are then simply added as occupants of the appropriate role
Linda creates a folder called Budget Projections in her home account and shares it with colleagues in her department. Which of the following best describes this type of access control system?
Mandatory access control
Discretionary access control
Role-based access control
Discretionary access control
Discretionary access control enables the data owner—in this case, Linda—to grant other people access to the data
You require that users not be logged on to the network after 6 p.m. while you analyze network traffic during nonbusiness hours. What should you do?
Unplug their stations from the network.
Tell users to press ctrl-alt-del to lock their stations.
Configure time-of-day restrictions to ensure nobody can be logged in after 6 p.m.
Configure time-of-day restrictions to ensure nobody can be logged in after 6 p.m.
Network operating systems (NOSs) can control when users can and cannot log on, as well as end existing logon sessions based on time of day
One of your users, Matthias, is taking a three-month sabbatical because of a medical condition, after which he will return to work. What should you do with Matthias’s user account?
Delete the account and re-create it when he returns.
Disable the account and enable it when he returns.
Export his account properties to a text file for later import and then delete it.
Disable the account and enable it when he returns.
Disabling his account will prevent anyone from logging on with the account but will preserve all of the account settings. When he returns, you can simply enable the account
During an IT security meeting, the topic of account lockout surfaces. When you suggest all user accounts be locked for 30 minutes after three incorrect logon attempts, your colleague Phil states that this is a serious problem when applied to administrative accounts. What types of issues might Phil be referring to?
Dictionary attacks could break into administrative accounts.
Administrative accounts are placed into administrative groups.
DoS attacks could render administrative accounts unusable.
DoS attacks could render administrative accounts unusable.
Denial-of-service (DoS) attacks render a legitimate network service unusable. Attempting three incorrect logon attempts every half hour to privileged administrative accounts would effectively keep those accounts locked, thus preventing legitimate use of those accounts
Your VPN appliance is configured to disallow user authentication unless the user or group is listed as allowed. Regarding blocked users, what best describes this configuration?
Implicit allow
Implicit deny
Explicit allow
Implicit deny
Implicit denial means all are denied unless specifically allowed; there are no specific listings of users or computers that are denied
Margaret is the head of Human Resources for Emrom, Inc. An employee does not want to use his annual vacation allotment, but Margaret insists it is mandatory. What IT benefit is derived from mandatory vacations?
Irregularities in job duties can be noticed when another employee fills that role.
Users feel recharged after time off.
Emrom, Inc., will not be guilty of labor violations.
Irregularities in job duties can be noticed when another employee fills that role.
It is easy for another employee to spot inconsistencies or irregularities when someone is on vacation
What type of attack is mitigated by strong, complex passwords?
DoS
Dictionary
Brute force
Dictionary
Stronger passwords make it more difficult for dictionary password attacks to succeed. A stronger password is a minimum of eight characters, where those characters might be a combination of uppercase letters, lowercase letters, symbols, and numerals
A government contract requires your computers to adhere to mandatory access control methods and multilevel security. What should you do to remain compliant with this contract?
Patch your current operating system.
Purchase new network hardware.
Use a trusted OS.
Use a trusted OS.
A trusted OS uses a secured OS kernel that supports mandatory access control (MAC), which applies security centrally in adherence to security policies. This type of OS is considered too strict for general use and is typically applicable only in high-security environments
Which term is best defined as an object’s list of users, groups, processes, and their permissions?
ACE
ACL
Active Directory
ACL
Access control lists (ACLs) detail which users, groups, or processes have permissions to an object, such as a file or folder
Users complain that they must remember passwords for a multitude of user accounts to access software required for their jobs. How can this be solved?
SSO
ACL
PKI
SSO
Single sign-on (SSO) enables a user to authenticate once to multiple resources that would otherwise require separate logins
What security model uses data classifications and security clearances?
DAC
PKI
MAC
MAC
MAC is a security model that classifies data according to sensitivity and enables access only to those with the proper clearance
Which of the following is an example of physical access control?
Encrypting the USB flash drive
Disabling USB ports on a computer
Using cable locks to secure laptops
Using cable locks to secure laptops
Locking laptops down with a cable lock physically prevents the theft of laptops
A technician notices unauthorized computers accessing a sensitive protected network. What solution should the technician consider?
Network encryption
VPN
NAC
NAC
Network Access Control (NAC) is software or a network appliance that can verify that connecting computers are allowed to access the network. This can be done by checking PKI certificates, checking that antivirus software is installed and updated, and so on
A network administrator, Justin, must grant various departments read access to the Corp_Policies folder and grant other departments read and write access to the Current_Projects folder. What strategy should Justin employ?
Add all departmental users to the shared folder ACLs with the appropriate permissions.
Create one group, add members, and add the group to the folder ACLs with the appropriate permissions.
Create a group for each department and add members to the groups. Add the groups to the folder ACLs with the appropriate permissions.
Create a group for each department and add members to the groups. Add the groups to the folder ACLs with the appropriate permissions.
Each department should have its own group with department employees as members. This facilitates granting group members access to the appropriate resources
What provides secure access to corporate data in accordance with management policies?
SSL
Technical controls
Integrity
Technical controls
Technical controls include any hardware or software solution using access control in adherence with established security policies
Which of the following are considered administrative controls? (Choose two.)
Personnel hiring policy
VPN policy
Disk encryption policy
Separation of duties
Personnel hiring policy
Separation of duties
Hiring correct personnel and ensuring no single employee has control of a business transaction (separation of duties) are part of creating a business management foundation; these are examples of administrative controls
What is the difference between security clearances and classification labels? (Choose two.)
There is no difference.
Classification labels identify data sensitivity.
Security clearances identify data sensitivity.
Security clearances are compared with classification labels.
Classification labels identify data sensitivity.
Security clearances are compared with classification labels.
Data sensitivity is referred to with classification labels. Security clearances are compared against these labels to determine whether access is granted
Complex passwords are considered which type of security control?
Management
Technical
Physical
Technical
Technical security controls are put in place to protect computing resources such as files, web sites, databases, and so on. Passwords prevent unauthorized users from accessing network resources
A legitimate e-mail message ends up being flagged as spam. Which term best describes this situation?
False positive
True negative
False negative
False positive
A false positive is triggered when an occurrence is incorrectly determined to be malicious
Traveling employees are given a cable lock and told to lock down their laptops when stepping away from the device. To which class of security control does this apply?
Deterrent
Preventative
Detective
Preventative
Preventative security controls prevent security breaches, such as the theft of a laptop
Which type of access control does a router use to allow or deny network traffic?
Role-based access control
Mandatory access control
Rule-based access control
Rule-based access control
Routers use rules to determine whether to allow or deny network traffic
As a server administrator, you configure security settings such that complex passwords at least eight characters long must be used by all user accounts. What type of management practice is this?
Expiration
Recovery
Credential
Credential
The management of usernames, passwords, security certificates, and so on, is considered credential management
You are a security auditing professional. After evaluating Linux server and file usage, you determine that members of the IT administrative team regularly log in to Linux servers using the root account while performing regular computer tasks. Which recommendations should you make based on your findings? (Choose three.)
Do not allow multiple users to use generic credentials.
Conduct periodical user access reviews.
Monitor Linux server use continuously.
Encrypt all files on Linux servers.
Do not allow multiple users to use generic credentials.
Conduct periodical user access reviews.
Monitor Linux server use continuously.
Each member of the IT team should use his or her own user account when performing regular computer tasks. Periodically reviewing user access and server usage will ensure that security controls are effective for the Linux servers
At which point should an employee sign a nondisclosure agreement (NDA)?
When the user is promoted
When the user is moved to a lower security clearance level
During the user onboarding process
During the user onboarding process
User onboarding involves user training, orientation, and, if required, the signing of a nondisclosure agreement (NDA). The NDA is necessary if the user will be working with private or secret information
You are responsible for configuring the use of tablets in a medical clinic. Doctors would like patient charts to be available only from within the facility. What should you configure?
Encryption policy
Location-based policy
VPN policy
Location-based policy
Location-based policies can use GPS and/or beacons to determine the location of a mobile device such as a tablet; this allows access to IT systems and data only from within a specific physical area
Ana is the Windows Server administrator for a federal government department. All departmental Windows servers are joined to a single Active Directory domain. New regulations require user password history to be retained to prevent password reuse. Using the least amount of administrative effort, how can Ana enforce the new settings to all departmental users?
PowerShell
Group Policy
Local Group Policy
Group Policy
In an Active Directory environment, Group Policy allows the central configuration of settings (including password settings) that can apply to many users and computers
Your IT team has documented a disaster recovery plan in the event of a web application failure. What type of control is this?
Preventative
Deterrent
Corrective
Corrective
Corrective actions mitigate damage once it has occurred, such as a disaster recovery plan