Authentication

Question 1

Before accessing computer systems, a government agency requires users to swipe a card through a keyboard-embedded card reader and then provide a PIN. What is this an example of?

Bi-factor authentication

Location-based authentication

Multifactor authentication

Answer 1

Multifactor authentication

Multifactor authentication involves more than one item to authenticate to a system, such as something you have (a card), something you know (a PIN), something you are (a fingerprint), or something you do (handwriting)

Question 2

Your traveling users require secure remote access to corporate database servers. What should you configure for them?

Modem

WLAN

VPN

Answer 2

VPN

A virtual private network (VPN) creates an encrypted tunnel between a remote access client and a private network over the Internet. This would allow access to corporate database servers

Question 3

You are the network administrator for a national marketing firm. Employees have frequent lengthy telephone conference calls with colleagues from around the country. To reduce costs, you have been asked to recommend replacement telephony solutions. Which of the following might you suggest?

Modem

VoIP

Internet text chat

Answer 3

VoIP

Voice over Internet Protocol (VoIP) transmits digitized voice over a TCP/IP network such as the Internet. As such, the only cost to both parties is that of your Internet connection

Question 4

You are an IT security consultant auditing a network. During your presentation of audit findings, one of your clients asks what can be used to prevent unauthorized LAN access. How do you answer the question?

NAC

Packet-filtering firewall

PKI

Answer 4

NAC

Network access control (NAC) technology can be a hardware or software solution that requires user or device authentication prior to gaining network access

Question 5

What type of server authenticates users prior to allowing network access?

File server

Active Directory

RADIUS

Answer 5

RADIUS

Remote Authentication Dial-In User Service (RADIUS) servers are central user or device authentication points on the network. Authentication can occur in many ways, including Extensible Authentication Protocol (EAP) and Challenge Handshake Authentication Protocol (CHAP)

Question 6

Which of the following are examples of RADIUS clients? (Choose two.)

VPN client

802.1x-capable switch

Wireless router

Windows 7 OS

Linux OS

Answer 6

802.1x-capable switch

Wireless router

RADIUS clients are network devices such as switches, wireless routers, or VPN concentrators that authenticate connecting devices or users to a RADIUS authentication server to grant network access

Question 7

Which of the following are true regarding TACACS+? (Choose three.)

It is compatible with TACACS.

It is compatible with RADIUS.

It is a Cisco proprietary protocol.

It can be used as an alternative to RADIUS.

TACACS+ uses TCP.

Answer 7

It is a Cisco proprietary protocol.

It can be used as an alternative to RADIUS.

TACACS+ uses TCP.

Terminal Access Controller Access Control System (TACACS+) is a Cisco proprietary network access protocol that uses the reliable TCP transport mechanism. TACACS+ might be used instead of RADIUS because it encrypts the entire packet payload instead of only the password, as well as separates authentication, authorization, and accounting duties

Question 8

You are the network administrator for a UNIX network. You are planning your network security. A secure protocol must be chosen to authenticate all users logging in. Which is a valid authentication protocol choice?

TCP

Telnet

Kerberos

Answer 8

Kerberos

Kerberos is an authentication protocol used by many vendors, including Microsoft with Active Directory services. Clients and servers must securely prove their identity to each other by way of a central third party referred to as a key distribution center (KDC)

Question 9

A client asks you to evaluate the feasibility of a Linux client and server operating system environment. The primary concern is having a central database of user and computer accounts capable of secure authentication. What Linux options should you explore?

SSH

Samba

LDAP

Answer 9

LDAP

A central database that can securely authenticate users or computers sounds like a Lightweight Directory Access Protocol (LDAP)–compliant database. LDAP transmissions can be clear text (TCP port 389) or encrypted (TCP port 636), and the LDAP database can also be replicated among servers. Encrypted LDAP transmissions are referred to as Secured LDAP. Microsoft Active Directory Services and Novell eDirectory are LDAP compliant

Question 10

You are configuring a Cisco network authentication appliance. During configuration, you are given a list of authentication choices. Which choice provides the best security and reliability?

RADIUS

TACACS

TACACS+

Answer 10

TACACS+

TACACS+ is a Cisco proprietary protocol that authenticates connecting users over TCP to a remote authentication server

Question 11

A user enters her logon name to gain network access. To which of the following terms would this example apply?

Identification

Authorization

Auditing

Answer 11

Identification

Specifying a unique attribute of some kind (such as a logon name) is identification

Question 12

A user enters a logon name and password to gain network access. Choose the best description to which this applies.

Single-factor authentication

Dual-factor authentication

Multifactor authentication

Answer 12

Single-factor authentication

The logon name and password combination is known as single-factor authentication (something you know). Higher security environments will either require additional factors (such as a physical card) or limit access when single-factor authentication is used

Question 13

A corporation has invested heavily in the development of a much sought-after product. To protect its investment, the company would like to ensure that only specific personnel can enter a research facility. Which of the following is considered the most secure?

Voice scan

Fingerprint scanner

Retinal scanner

Answer 13

Retinal scanner

Retinal scanning is considered one of the most secure authentication methods. Retinal blood vessel patterns are unique to an individual and are extremely difficult to reproduce

Question 14

Which of the following is considered three-factor authentication?

Building access card/username/password

Username/password/smartcard

Username/password/smartcard/PIN

Answer 14

Username/password/smartcard/PIN

Using a username and password combination (single-factor authentication), along with possessing a smartcard and entering a PIN to use the smartcard, results in a username/password/smartcard/PIN scan (or multifactor) authentication. Smartcard PINs that use the card’s security certificate are said to comply with the Personal Identifiable Verification (PIV) standard

Question 15

To log on to a secured system, a user must enter a username, password, and passcode. The passcode is generated from a tiny handheld device and displayed on a tiny screen. What type of device is this?

Smartcard

PKI certificate

Key fob

Answer 15

Key fob

A key fob displays an authentication passcode that a user enters in addition to other data such as a username and password to gain access to a system or network resource

Question 16

Which of the following prevents users from having to specify logon credentials when accessing multiple applications?

Single sign-on

Remember my password

Biometric authentication

Answer 16

Single sign-on

Single sign-on (SSO) enables access to many applications while requiring user authentication only once. SSO is often used when users access data from disparate systems to prevent multiple logons

Question 17

Which authentication protocol replaces RADIUS?

TACACS

XTACACS

Diameter

Answer 17

Diameter

The Diameter protocol adds capabilities to the RADIUS protocol such as using TCP instead of UDP (more reliability) and being more scalable and flexible

Question 18

Which of the following best describes CHAP?

PKI certificates must be used on both ends of the connection.

802.1x equipment forwards authentication requests to a RADIUS server.

Passwords are never sent over the network.

Answer 18

Passwords are never sent over the network.

Challenge Handshake Authentication Protocol (CHAP) involves a three-way handshake to establish a session, after which peers must periodically prove their identity by way of a changing value based on a shared secret. A shared secret (for example, a password) is known by both parties but is never sent over the network

Question 19

You are configuring a WPA2 wireless network connection on a company laptop. The company has implemented a PKI. Which WPA2 network authentication method would be the best choice?

MS-CHAP

Local computer certificate

WPA2 PSK

Answer 19

Local computer certificate

A local computer certificate implies a PKI. A certificate is issued to users or computers and uniquely identifies those entities. It contains public and private key pairs used to secure network traffic and can be used with WPA2 wireless networks

Question 20

Which of the following examples best illustrates authentication?

A user accesses a shared folder to which he has been granted permission.

A computer successfully identifies itself to a server prior to user logon.

A network contains two network links to a remote office in case one fails.

Answer 20

A computer successfully identifies itself to a server prior to user logon.

Authentication means proving your identity (user or computer). This can be done via username/password, smartcard, and PIN, or in this case, the computer might have a PKI certificate installed that gets validated against a server with a related PKI certificate

Question 21

A technician is troubleshooting user access to an 802.1x wireless network called CORP. The same computer was previously given an IP address on the 10.17.7.0/24 network, but now for some reason it has an IP address on the 10.16.16.0/24 network. DHCP is functioning correctly on the network. The technician reports the machine was recently reimaged, and the image uses DHCP. What is the most likely cause of the problem?

The workstation has a static IP address on the 10.16.16.0/24 network.

The technician needs to issue the ipconfig /renew command.

The workstation needs to have its PKI certificate reinstalled.

Answer 21

The workstation needs to have its PKI certificate reinstalled.

A computer PKI certificate can grant access to an 802.1x-configured wireless network. Without the certificate, the machine is either denied network access or, in this case, placed on a guest VLAN

Question 22

What type of security problem would network access control (NAC) best address?

Dictionary attack

ARP cache poisoning

WEP

Answer 22

ARP cache poisoning

ARP cache poisoning involves an attacker modifying host ARP caches with the attacker’s MAC address associated with a valid host IP, thus forcing network traffic to the attacker station. This can be difficult to prevent, so the key lies in controlling access to the network in the first place

Question 23

A company intranet consists of various internal web servers each using different authentication stores. What would allow users to use the same username and password for all internal web sites?

NAC

SSO

VPN

Answer 23

SSO

SSO enables users to use only a single username and password to access multiple network resources even if those network resources use different authentication sources

Question 24

While capturing network traffic, you notice clear-text credentials being transmitted. After investigating the TCP headers, you notice the destination port is 389. What type of authentication traffic is this?

EAP

EAP-TLS

LDAP

Answer 24

LDAP

LDAP is a standard for accessing a network directory (database)—in this case, for authentication purposes. LDAP uses TCP port 389 for clear-text transmissions and TCP port 636 for encrypted transmissions

Question 25

You are evaluating public cloud storage solutions. Users will be authenticated to a local server on your network that will allow them access to cloud storage. Which identity federation standard could be configured to achieve this?

LDAP

PKI

SAML

Answer 25

SAML

Security Assertion Markup Language (SAML) is an XML standard that defines how authentication and authorization data can be transmitted in a federated identity environment

Question 26

As the network administrator, you are asked to configure a secure VPN solution that uses multifactor authentication. Which of the following solutions should you recommend? (Choose two.)

Key fob and password

Username and password

Fingerprint scanner

Smartcard and password

Answer 26

Key fob and password

Smartcard and password

Key fobs are physical devices with a small display showing a number that is synchronized with a server-side component. This number changes frequently and is used in conjunction with other authentication factors, such as a password, to ensure additional security. Smartcards contain circuitry used for the secure identification of a user in conjunction with a PIN. Both of these constitute multifactor authentication

Question 27

You have been hired by a university to recommend IT solutions. Currently, students and faculty use proximity cards to access buildings on campus after hours, and they have usernames and passwords to log on to lab computers. The university would like to use PKI information unique to each user to allow access to campus buildings and to log on to workstations in labs. What should you recommend?

Hardware token and password

Common access card

PKI private key

Answer 27

Common access card

A common access card is used to gain access to more than one type of secured resource

Question 28

Android-based smart phones have been distributed to traveling employees for use with Google online services. You deploy the Google Authenticator app to the smart phones to allow user authentication based on the time as well as a unique code generated by the server. What type of authentication would you choose?

Time-based one-time password

Network Time Protocol authentication

PAP

Answer 28

Time-based one-time password

Time-based one-time passwords (TOTP) use the current system time and a shared secret known by both the client and the server as input to a hashing algorithm. The shared secret could be a user password. The OTP is useful for only a short period of time and is recalculated often, unlike HMAC-based one-time passwords (HOTP), which are longer-lived authentication passwords

Question 29

Which of the following authentication methods is based on something you do?

Handwriting

Entering the PIN for a smartcard

Retinal scan

Answer 29

Handwriting

Handwriting is unique to the person doing it (something you do)

Question 30

You are the Microsoft Active Directory administrator for an American government agency. The Active Directory domain in Los Angeles is configured to trust the Active Directory domain in Chicago, which in turn trusts the Active Directory domain in Orlando. Which term correctly describes the trust relationship between Los Angeles and Orlando?

Transitive trust

Wide area network trust

NTLM

Answer 30

Transitive trust

Transitive trusts are created where one party trusts a remote party through a middle party

Question 31

Which of the following are authentication/authorization frameworks? (Choose all that apply.)

OpenID Connect

Federation

OAUTH

Shibboleth

Secure token

Answer 31

OpenID Connect

OAUTH

Shibboleth

OpenID Connect, OAUTH, and Shibboleth are all authentication/authorization frameworks. Shibboleth is popular in UNIX and Linux environments. Microsoft’s Active Directory Federation Services (AD FS) supports related protocols such as OAUTH. These frameworks are often used for identity federation so that a user signs on initially with a trusted identity store, which generates a unique security token for that session. The token is then used to authenticate users to other resources without prompting for credentials. These solutions are often used between organizations that need to share resources, including between cloud consumers and cloud providers

Question 32

Security approaches you at work about people sometimes being able to enter the office using the voice recognition system even though they are not employees. What is the problem?

False rejection

False acceptance

Crossover error

Answer 32

False acceptance

False acceptance occurs when a biometric authentication system authenticates users even if they do not match the proper credentials