Access Control & Identity Management Flashcards

0
Q

What is the main drawback of most intrusion detection systems?

A

A large number of false alarms can occur because of abnormal weather conditions, animals, or improper calibration.

1
Q

Name the five intrusion detection system technologies.

A
  1. Proximity detector – senses changes in the electromagnetic field that surrounds a small area or object.
  2. Motion detector – detects motion in a certain area.
  3. Photoelectric detector – senses changes in light patterns that indicate someone is in the area.
  4. Infrared detector – senses changes in the heat patterns of an area that indicate the presence of an intruder.
  5. Sound detector – senses sound and vibration and can detect changes in the noise level in an area.
2
Q

What is the read permission?

A

You can read the contents of a file or directory.

3
Q

What is the view permission?

A

View the contents of a directory; users can see that a file exists, but they won't necessarily have permission to read the contents of that file.

4
Q

Write permissions?

A

Create and save a new file or write to an existing file.

5
Q

Print permissions?

A

Print a file.

6
Q

Copy permissions?

A

Copy a file from one location to another. The write permission would also be required in the destination directory.

7
Q

Delete permissions?

A

Delete a file or directory.

8
Q

Execute permissions?

A

Execute a program file or script.

9
Q

Modify permissions?

A

Modify the attributes of a file or directory.

10
Q

Move permissions?

A

Move a file from one location to another. The write permission would be required in the destination directory. The delete permission would be required to remove the file after the move is completed.

11
Q

Name the three different security roles.

A
  1. Group
  2. User
  3. Role
12
Q

What is a man-trap?

A

A man-trap describes a two-tier physical access control method with two physical barriers, such as doors, between the person and the resource he is trying to access.

13
Q

What is the difference between a smart card and a proximity reader?

A

A smart card must be swiped or inserted into a card reader; a proximity card is simply passed in front of the reader.

14
Q

What type of smartcard does DoD use?

A

DoD uses a common access card [CAC].

15
Q

What is a mandatory access control model?

A

MAC is a model in which the network operating system controls access to data.

16
Q

What is a discretionary access control model?

A

DAC allows data owners to specify which users can access their data.

17
Q

What is role-based access control?

A

RBAC allows access to be based on the role the user holds within an organization.

18
Q

What is Rule-based access control based on?

A

Rule-based access control is based on ACLs (access control lists) and is not necessarily tied to the identity of a user; it provides access rules that are applied to all users in the organization.

19
Q

Your organization has implemented a self-service password reset system. What does this provide?
(A) Password policy
(B) Certificate reset
(C) Password recovery

A

C - A self-service password reset system allows users to recover passwords without administrative intervention.

20
Q
You are defining your overall access control model for the new network. To provide a strong default access policy, you want to make sure that users are given the absolute minimum access rights they need to perform their job function. Which access control principle does this follow? 
A. Implicit deny. 
B. Separation of duties
C. Least privilege
D. Role-based access control
A

The least privilege concept ensures that a user has only the access rights they need to perform their job functions.

21
Q
You are creating an access control model that will allow you to base specific access policies on which network a user is on, and not necessarily on the actual identity of the specific user. Which privilege management access control model would you use?
A. Rule-based access control
B. discretionary access control 
C. Role-based access control 
D. Mandatory access control
A

Rule-based access control is defined with an access control list (ACL), which specifies a set of rules that must be followed before access is granted.

22
Q
You must create an access control mechanism for your server and network room, which houses all your organization's servers and primary networking equipment. Which methods would be most secure?
A. access list 
B. smart card access 
C. ID badge 
D. video surveillance
A

Smart card access would provide the most security; the server room door will not unlock unless a user inserts her smart card and has the proper authorization to enter the room.

23
Q
You are designing file security for a new file server for your sales department. Each user will have his own private and secure directory, and a shared group directory. Which of the following should be the initial default access level? 
A. Full access 
B. Read and write access
C. No access 
D. Only read access
A

No access – you should use the principle of implicit deny.

24
Q

You have recently had several laptops stolen after hours when employees leave unattended laptops on their desks after work. Which of the following policies should you implement?
A. Enforce the use of cable locks
B. Make sure users are logged out of laptops before they leave
C. Set a hardware password
D. Lock all unattended laptops in a cabinet after hours

A

D - Lock all unattended laptops in a cabinet after hours if employees are not going to take them home.

25
Q
Which of the following best practices discourages corruption by ensuring that users do not have the same amount of access and privileges for too long a time?
A. least privilege 
B. separation of duties 
C. job rotation 
D. implicit deny
A

Job rotation ensures greater security as no single employee retains the same amount of access control for a particular area for an extended period of time.

26
Q

Your company has defined working hours for a call center department. There have been several instances of employees using company resources for downloading Internet content after hours. Which of the following can you implement to improve security?
A. Use MAC address filtering
B. set access time restrictions
C. shut down all computers after work hours
D. Implement job rotation

A

By setting access time restrictions, you prevent employees from logging in and accessing the network after working hours are complete.

27
Q

You have had a rash of hacking incidents where weak employee passwords are being hacked through brute-force methods and unauthorized users are gaining access to the network. Which security policy should be implemented?
A. password rotation
B. password length and complexity restrictions
C. password expiration
D. Limiting logon attempts

A

Brute-force attacks can most efficiently be stopped by limiting the number of attempted logons.

28
Q
You have already implemented a password expiration and rotation policy that forces your users to change their password every 60 days. However, you find many users are simply using their same password again. What security measure should you implement?
A. password history 
B. password complexity
C. limiting logon attempts 
D. password expiry
A

Password history - the system can remember a user's former passwords, and when the current password expires the system forces the user to choose a new password that is not the same as the previous passwords.

29
Q
A military building uses strict access control where a user must use a smart card to enter the main door of the facility. Then he must meet a security guard at the second door to present an ID badge and enter his PIN. What security feature is used in this access mechanism?
A. mandatory access control 
B. implicit deny 
C. three-tier access control 
D. man trap
A

D - Mantrap. A user must be authenticated to be able to enter the first door of a facility. When he has entered the first door, it is closed, and the user is physically trapped between the first and second doors. The user must pass an additional round of authentication to gain access through the second door.

30
Q

What protocol stores passwords less than 15 characters long as two strings of seven characters after converting all characters to upper case?

A

LANMAN

31
Q

What can an organization issue to employees that uses a rolling password for authentication?

A

RSA token

32
Q

United States federal agency employees use a specialized type of smart card that includes photo identification and provides confidentiality, integrity, and authentication. What is this?

A

A personal identity verification (PIV) card.

33
Q

What is a central authentication system that uses a federated user database?

A

Single sign-on (SSO)

34
Q

Where do you implement Group Policy for multiple users in a domain?

A

Domain controller

35
Q

What remote access protocol is used to authenticate Microsoft clients and includes mutual authentication?

A

MS-CHAPv2

36
Q

Compare TACACS+ and RADIUS. Which protocol encrypts the entire authentication process and uses multiple challenges and responses?

A

TACACS+

37
Q

Compare TACACS+ and RADIUS. Which protocol uses UDP?

A

RADIUS

38
Q

Which access control model uses group-based privileges?

A

Role-based access control (RBAC)

39
Q

Which access control model is used by Microsoft’s NTFS?

A

Discretionary access control (DAC)

40
Q

Which access control model is used by trusted operating systems (such as SELinux) to prevent malware from executing?

A

Mandatory access control (MAC)

41
Q

What should door access systems using cipher locks or proximity cards do in the case of fire?

A

Fail open so people can leave without identification

42
Q

A user creates a file and the operating system grants only the user full access to the file. What principle is the operating system enforcing?

A

Principle of least privilege

43
Q
Of the following protocols, which one does not encrypt the entire authentication process, but instead, only encrypts the password in traffic between the client and server?
(A) RADIUS
(B) TACACS+
(C) XTACACS
(D) Token
A

Remote Authentication Dial-In User Service (RADIUS) will encrypt the password packets between a client and a server, but it does not encrypt the entire authentication process.

44
Q

What is used for authentication in a Microsoft Active Directory domain?

(A) RADIUS
(B) TACACS+
(C) Kerberos
(D) NID

A

Kerberos is used as a network authentication protocol in Microsoft Active Directory domains and in UNIX realms. Kerberos uses tickets issued by a Key Distribution Center (KDC). It prevents man-in-the-middle attacks.

45
Q
Which one of the following AAA protocols uses multiple challenges and responses?
(A) CHAP
(B) RADIUS
(C) TACACS
(D) TACACS+
A

TACACS+ uses multiple challenges and responses and is an authentication, authorization, and accounting (AAA) protocol.

46
Q
What is completed when a user's password has been verified?
(A) Identification
(B) Authentication
(C) Authorization
(D) Access verification
A

Authentication

47
Q
An administrator is assigning access to users in different departments based on their job functions. What access control model is the administrator using?
(A) DAC
(B) MAC
(C) RBAC
(D) CAC
A

In a role-based access control (RBAC) model, roles are used to define rights and permissions for users.

48
Q
You manage user accounts for a sales department. You have created a sales user account template to comply with the principle of least privilege. What access control model are you following?
(A) DAC
(B) MAC
(C) RBAC
(D) DACL
A

The role-based access control (RBAC) model can use groups (as roles) with a user account template assigned to a group to ensure new users are granted access to only what they need and no more.

49
Q
Windows systems protect files and folders with New Technology File System (NTFS). What access control model does NTFS use?
(A) Mandatory Access Control (MAC)
(B) Discretionary Access Control (DAC)
(C) Rule-based Access Control (RBAC)
(D) Implicit allow
A

Discretionary Access Control (DAC)

50
Q
Which of the following formulas represent the complexity of a password policy that requires users to use only upper and lower case letters with a length of eight characters?
(A) 52^8
(B) 26^8
(C) 8^52
(D) 8^26
A

(A) 52^8

51
Q
Your password policy includes a password history. What else should be configured to ensure that users aren't able to easily reuse the same password?
(A) Maximum age
(B) Minimum age
(C) Password masking
(D) Password complexity
A

The minimum password age prevents users from changing the password again until some time has passed, such as one day.

52
Q
You want to ensure the data is only viewed by authorized users. What security principle are you trying to enforce?
A. confidentiality
B. integrity
C. availability
D. authentication
A

Confidentiality – ensures that data is only viewable by authorized users and can be ensured with access controls and encryption.

53
Q

How can integrity be enforced?

A

Integrity can be enforced with hashing.

54
Q

How can availability be ensured?

A

Power systems
Cooling systems
Various fault tolerance techniques
Redundancy techniques

55
Q

Does authentication provide confidentiality?

A

False - authentication proves a person's identity and is the first step in access control, but by itself it does not provide confidentiality.

56
Q
What is the best way to protect the confidentiality of data?
A. authentication
B. encryption
C. hashing
D. PaaS
A

Encryption protects the confidentiality of data. You can encrypt any type of data, including sensitive data stored on a server, a desktop, a mobile device, or within a database.

57
Q
You want to ensure that the data has not been changed between the time when it was sent and the time it arrived at its destination. What provides this assurance?
A. confidentiality
B. integrity
C. availability
D. authentication
A

Integrity provides assurance the data has not been modified and is enforced with hashing.

58
Q
A database administrator is tasked with increasing the retail prices of all products in a database by 10 percent. The administrator writes a script performing a bulk update on the database and executes it. However, all retail prices are doubled, increased by 100% instead of 10%. What has been lost?
A. confidentiality
B. integrity
C. hashing
D. authentication
A

The database lost integrity through an unintended change.

59
Q
Your organization is addressing single points of failure as a potential risk to security. What are they addressing?
A. confidentiality
B. integrity
C. availability
D. authentication
A

Availability

60
Q
An organization hosts several bays of servers used to support a large online e-commerce business. Which one of the following choices would increase the availability of the data center?
A. encryption
B. hashing
C. generators
D. integrity
A

Generators

61
Q

You are planning to host a free online forum for users to share IT security-related information with each other. Any user can anonymously view data. Users can post messages after logging in, but you do not want users to be able to modify other users' posts. What levels of confidentiality, integrity, and availability should you seek?
A. low confidentiality, low integrity, and low availability
B. medium confidentiality, low integrity, and high availability
C. high confidentiality, low integrity, and low availability
D. no confidentiality, medium integrity, and medium availability

A

D - Data can be viewed anonymously, so low confidentiality is acceptable. You do not want users to modify other users' posts, so integrity is medium. The site is free, but you do want users to be able to access it when needed, so availability is medium.

62
Q

What is the purpose of risk mitigation?
A. reduce the chances that a threat will exploit a vulnerability
B. reduce the chances that a vulnerability will exploit a threat
C. eliminate risk
D. eliminate threats

A

A - Risk mitigation reduces the chances that a threat will exploit a vulnerability. Risk is the likelihood that a threat, such as an attacker, will exploit a vulnerability.

63
Q

What security methods does confidentiality use?

A

It uses authentication combined with access controls and cryptography.

64
Q

What are the two key concepts related to confidentiality?

A

1. Confidentiality ensures the data is only viewed by authorized users. Unauthorized personnel are not able to access this information.
2. Encryption also enforces confidentiality. You can use various encryption algorithms to encrypt or cipher the data to make it unreadable.

65
Q

Name two key concepts relating to integrity.

A

1. Integrity provides assurance that the data has not been modified, tampered with, or corrupted. Loss of integrity indicates that the data is different. Unauthorized users can change data, or changes can occur through system or human errors.
2. Hashing verifies integrity. A hash is a simple numeric value created by executing a hashing algorithm against a message or a file.

66
Q
Which of the following options makes use of a token?
A. Smart card
B. Mantrap
C. DNA scanner
D. Retinal scanner
A

A. Smart card

67
Q
Which device is a smart card deployed by the DoD?
A. Mantrap
B. CCTV
C. CAC
D. Bollard
A

C. CAC (Common Access Card)

68
Q

Which examples implement the principles of the AIC triad?

A. Data classification to ensure information is available on a need-to-know basis
B. Unencrypted data that can be accessed by the general public
C. Secure update programs that limit access of information to specific authorized users
D. An active malicious code system that protects organizations from DoS attacks.
E. Data that is transferred by word of mouth to ensure integrity.

A

A, C, D

Stored and transferred information should be secured in relation to the three principles of the AIC triad.

69
Q

What do access control systems implement?

A

Identification, authentication, authorization and accounting processes

70
Q

What does AIC Triad stand for?

A

Availability
Integrity
Confidentiality

71
Q

Name the 4 main processes that make up an Access Control System

A

Identification - a unique identifier for a person
Authentication - proving you are who your identification says you are
Authorization - the permissions you have
Accounting - monitoring resources and who accesses them

72
Q

List the 4 types of authorization models

A
  1. Discretionary access control (DAC) - owners control access
  2. Role-based access control (RBAC) - the user has a role
  3. Mandatory access control (MAC) - clearance level based on rules
  4. Rule-based access control - e.g., RBAC and MAC
73
Q

Rule-based access control

A

Any sort of access control with rules that are governed by the system, e.g., RBAC and MAC.
Referred to as non-discretionary because no matter who the user may be, their access is restricted to help protect the system from configuration errors.

74
Q

List the principles that govern RBAC and MAC

A

Implicit deny - when a subject requests access to a resource, the request should always be denied unless a rule specifies otherwise.
Least privilege - give users access only to the resources they need to perform their job.

75
Q

What is Kerberos?

A

It is a network authentication protocol within MS Active Directory domain or UNIX realm. It uses a database of objects (ex AD) and a Key Distribution Center (KDC) to issue time-stamped tickets that expire after a certain period. It requires internal time synchronization and uses port 88.

76
Q

How does Kerberos help prevent replay attacks?

A

In a replay attack, a third party attempts to impersonate a client after intercepting a ticket; the time stamp limits the amount of time an attacker can use the ticket.

77
Q

Which type of cryptography does Kerberos use?
A. Asymmetric
B. Symmetric

A

B

78
Q

Explain mutual authentication.

A

When both parties in a session (client/server) authenticate with each other prior to exchanging data.
MS-CHAPv2 and MS-CHAP use mutual authentication.

79
Q

Which access control model uses security labels for each resource?

A

Mandatory Access Control (MAC)

80
Q

If the user is NOT prompted for credentials when connected to a Network Access Control (NAC) server, what is the user’s computer missing?

A

Authentication agent

81
Q

Which type of access control associates roles with each user?

A

Role-Based Access Control (RBAC)

82
Q

Which type of access control was originally developed for military use?

A

Mandatory Access Control (MAC)

83
Q

What is the purpose of Remote Authentication Dial-In User Service (RADIUS)?

A

It enables remote access users to log on to a network through a shared authentication database.

84
Q

Which access control model requires assigning security clearance levels to users, such as secret, top-secret, and confidential?

A

Mandatory Access Control (MAC)

85
Q

What is the purpose of technical controls?

A

Restrict access to objects and protect availability, confidentiality, and integrity

86
Q

What is the term for a device that acts as a concentrator for a wireless LAN?

A

Wireless Access Point (WAP)

87
Q

What is the purpose of Network Access Control (NAC)?

A

It ensures that the computer on the network meets an organization’s security policies.

88
Q

What is the purpose of a sandbox in a Java applet?

A

It prevents Java applets from accessing unauthorized areas on a user’s computer.

89
Q

Which Ethernet standard uses a wireless access point with a Remote Authentication Dial-In User Service (RADIUS) server to authenticate wireless users?

A

802.1x

90
Q

Which type of controls includes controlling access to different parts of a building, implementing locking systems, installing fencing, implementing environmental controls, and protecting the facility perimeter?

A

Physical Controls

91
Q

Who can change a resource’s category in a mandatory access control environment?

A

Administrators only

92
Q

Which function does a single sign-on (SSO) system provide?

A

It allows a user to present authentication credentials once and gain access to all computers within the SSO system.

93
Q

Which access control model has the lowest cost?

A

Role-Based Access Control (RBAC)

94
Q

Which audit category tracks access to all objects outside Active Directory?

A

Audit Object Access

95
Q

Define the acronym DAC?

A

Discretionary Access Control

96
Q

What is the purpose of physical controls?

A

Work with administrative and technical controls to enforce physical access control

97
Q

What is the purpose of MAC filtering?

A

Restrict the clients that can access a wireless network

98
Q

Is the Triple-DES algorithm symmetric or asymmetric?

A

Symmetric