Authentication Flashcards
Before accessing computer systems, a government agency requires users to swipe a card through a keyboard-embedded card reader and then provide a PIN. What is this an example of?
Bi-factor authentication
Location-based authentication
Multifactor authentication
Multifactor authentication
Multifactor authentication requires items from more than one category of factor: something you have (a card), something you know (a PIN or password), something you are (a fingerprint), or something you do (handwriting). Here the card is a possession factor and the PIN a knowledge factor, so this is two-factor, and therefore multifactor, authentication. Two items from the same category (a password plus a PIN, for instance) do not add a second factor
Your traveling users require secure remote access to corporate database servers. What should you configure for them?
Modem
WLAN
VPN
VPN
A virtual private network (VPN) creates an encrypted tunnel between a remote access client and a private network over the Internet. This would allow access to corporate database servers
You are the network administrator for a national marketing firm. Employees have frequent lengthy telephone conference calls with colleagues from around the country. To reduce costs, you have been asked to recommend replacement telephony solutions. Which of the following might you suggest?
Modem
VoIP
Internet text chat
VoIP
Voice over Internet Protocol (VoIP) transmits digitized voice over a TCP/IP network such as the Internet, so the per-call cost of a long-distance conference call is essentially that of the Internet connection each party already pays for
You are an IT security consultant auditing a network. During your presentation of audit findings, one of your clients asks what can be used to prevent unauthorized LAN access. How do you answer the question?
NAC
Packet-filtering firewall
PKI
NAC
Network access control (NAC) technology can be a hardware or software solution that requires user or device authentication prior to gaining network access
What type of server authenticates users prior to allowing network access?
File server
Active Directory
RADIUS
RADIUS
Remote Authentication Dial-In User Service (RADIUS) servers are central user or device authentication points on the network (UDP port 1812 for authentication and 1813 for accounting). Authentication can occur in many ways, including Extensible Authentication Protocol (EAP) and Challenge Handshake Authentication Protocol (CHAP)
Which of the following are examples of RADIUS clients? (Choose two.)
VPN client
802.1x-capable switch
Wireless router
Windows 7 OS
Linux OS
802.1x-capable switch
Wireless router
RADIUS clients are network devices such as switches, wireless routers or access points, and VPN concentrators that forward the credentials of connecting devices or users to a RADIUS server, which decides whether network access is granted. The Windows or Linux machine requesting access is the supplicant, not a RADIUS client, and a VPN client talks to the VPN concentrator, never to the RADIUS server directly
Which of the following are true regarding TACACS+? (Choose three.)
It is compatible with TACACS.
It is compatible with RADIUS.
It is a Cisco proprietary protocol.
It can be used as an alternative to RADIUS.
TACACS+ uses TCP.
It is a Cisco proprietary protocol.
It can be used as an alternative to RADIUS.
TACACS+ uses TCP.
Terminal Access Controller Access Control System Plus (TACACS+) is a Cisco-developed network access protocol (now documented in RFC 8907) that uses the reliable TCP transport, port 49. It is a distinct protocol and is not backward compatible with the original TACACS or XTACACS. TACACS+ might be used instead of RADIUS because it obfuscates the entire packet body rather than only the password, and because it separates authentication, authorization, and accounting, which allows per-command authorization on network devices. Note that the body protection is an MD5-derived keystream keyed by the shared secret, not modern encryption; RFC 8907 itself cautions that it is no substitute for a secure transport, so TACACS+ traffic should be confined to a management network or carried over IPsec or TLS
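As an added illustration of the difference the last sentence draws (editor-supplied example code in Python, not material from the flashcard set or from Cisco): the RADIUS User-Password hiding of RFC 2865 and the TACACS+ body obfuscation of RFC 8907 side by side. The shared secret, usernames, session id, packet body and Request Authenticator are constructed values. The same block also covers the later card asking which of RADIUS, TACACS, and TACACS+ is the most secure choice.

```python
# Added example, not from the flashcard set: RADIUS hides only the User-Password
# attribute (RFC 2865 section 5.2) while TACACS+ obfuscates the whole packet body
# (RFC 8907 section 4.5). Both are MD5 keystreams keyed by the shared secret, XORed
# with the data; neither is authenticated encryption. Secrets, usernames, session
# ids and the Request Authenticator below are constructed values.
import hashlib
import struct


def radius_hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Pad to 16-octet blocks; block i is XORed with MD5(secret || previous ciphertext
    block), the first block with MD5(secret || Request Authenticator)."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def radius_unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side inverse. Trailing NULs are padding (RADIUS cannot distinguish
    them from NULs that are part of the password itself)."""
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def radius_attrs(username: bytes, password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Minimal Access-Request attribute list: User-Name (type 1) travels in the clear,
    only User-Password (type 2) is hidden. Type/length/value; length counts the header."""
    hidden = radius_hide_password(password, secret, request_auth)
    return (bytes([1, 2 + len(username)]) + username
            + bytes([2, 2 + len(hidden)]) + hidden)


def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: int, version: int, seq_no: int) -> bytes:
    """Body XOR pseudo_pad, where MD5_1 = MD5(session_id || key || version || seq_no)
    and MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1}). session_id is a
    4-octet big-endian field, version and seq_no one octet each. The function is its own
    inverse, so the same call also decrypts."""
    header = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(header + prev).digest()
        pad += prev
    return bytes(b ^ k for b, k in zip(body, pad))


def demo() -> dict:
    """Run both constructions on constructed inputs and report what an on-path
    observer sees in the clear."""
    secret = b"constructed-shared-secret"
    request_auth = bytes(range(16))  # a real client sends 16 random octets here
    attrs = radius_attrs(b"alice", b"CorrectHorse", secret, request_auth)
    # Constructed body shaped like a TACACS+ authentication START packet:
    # action, priv_lvl, authen_type, authen_service, user_len, port_len, rem_addr_len, data_len
    body = (b"\x01\x01\x01\x01\x05\x07\x00\x0c" + b"alice" + b"router1" + b"CorrectHorse")
    wire = tacacs_plus_obfuscate(body, secret, session_id=0x1234ABCD, version=0xC0, seq_no=1)
    return {
        "radius_username_in_clear": b"alice" in attrs,
        "radius_password_in_clear": b"CorrectHorse" in attrs,
        "tacacs_username_in_clear": b"alice" in wire,
        "tacacs_roundtrip": tacacs_plus_obfuscate(wire, secret, 0x1234ABCD, 0xC0, 1) == body,
    }
```

Calling demo() shows the practical difference: the RADIUS username is readable on the wire while the password is not, and nothing in the TACACS+ body is readable. In both cases an attacker who learns the shared secret (or can guess it offline from captured packets) recovers everything, which is why neither protocol should cross an untrusted network unprotected.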
You are the network administrator for a UNIX network. You are planning your network security. A secure protocol must be chosen to authenticate all users logging in. Which is a valid authentication protocol choice?
TCP
Telnet
Kerberos
Kerberos
Kerberos is an authentication protocol used by many vendors, including Microsoft with Active Directory services. Clients and servers prove their identity to each other with tickets issued by a trusted central third party, the key distribution center (KDC), so the user's password never crosses the network. TCP is a transport protocol and Telnet a clear-text terminal protocol; neither authenticates anyone
A client asks you to evaluate the feasibility of a Linux client and server operating system environment. The primary concern is having a central database of user and computer accounts capable of secure authentication. What Linux options should you explore?
SSH
Samba
LDAP
LDAP
A central database that can securely authenticate users or computers sounds like a Lightweight Directory Access Protocol (LDAP)–compliant directory; on Linux that means options such as OpenLDAP or 389 Directory Server, or FreeIPA, which combines an LDAP directory with Kerberos. LDAP transmissions can be clear text (TCP port 389), upgraded to TLS on port 389 with StartTLS, or wrapped in TLS from the start on TCP port 636 (LDAPS). The directory can also be replicated among servers. Microsoft Active Directory Domain Services and Novell eDirectory are LDAP compliant
You are configuring a Cisco network authentication appliance. During configuration, you are given a list of authentication choices. Which choice provides the best security and reliability?
RADIUS
TACACS
TACACS+
TACACS+
TACACS+ is a Cisco-developed protocol that authenticates connecting users to a remote authentication server over TCP (port 49) and obfuscates the whole packet body rather than only the password as RADIUS does. Of the three choices it is therefore both the more secure (RADIUS leaves everything but the password in the clear) and the more reliable (TCP rather than UDP); the original TACACS is obsolete
A user enters her logon name to gain network access. To which of the following terms would this example apply?
Identification
Authorization
Auditing
Identification
Specifying a unique attribute of some kind (such as a logon name) is identification
A user enters a logon name and password to gain network access. Choose the best description to which this applies.
Single-factor authentication
Dual-factor authentication
Multifactor authentication
Single-factor authentication
The logon name and password combination is known as single-factor authentication (something you know). Higher security environments will either require additional factors (such as a physical card) or limit access when single-factor authentication is used
A corporation has invested heavily in the development of a much sought-after product. To protect its investment, the company would like to ensure that only specific personnel can enter a research facility. Which of the following is considered the most secure?
Voice scan
Fingerprint scanner
Retinal scanner
Retinal scanner
Retinal scanning is considered one of the most secure authentication methods. Retinal blood vessel patterns are unique to an individual and are extremely difficult to reproduce
Which of the following is considered three-factor authentication?
Building access card/username/password
Username/password/smartcard
Username/password/smartcard/PIN
Username/password/smartcard/PIN
Using a username and password (something you know) along with a smartcard (something you have) and the PIN that unlocks it is the closest of the three options to three-factor authentication, and is the answer the question expects. Strictly counted, though, the password and the PIN are both knowledge factors, so this combination spans only two factor categories; the other two options are weaker still (an access card, username and password is the same two categories, and username/password/smartcard without the PIN leaves the card usable by whoever holds it). Smartcards carrying PKI certificates for U.S. federal employees follow the Personal Identity Verification (PIV) standard, FIPS 201
To log on to a secured system, a user must enter a username, password, and passcode. The passcode is generated from a tiny handheld device and displayed on a tiny screen. What type of device is this?
Smartcard
PKI certificate
Key fob
Key fob
A key fob displays an authentication passcode that a user enters in addition to other data such as a username and password to gain access to a system or network resource
Which of the following prevents users from having to specify logon credentials when accessing multiple applications?
Single sign-on
Remember my password
Biometric authentication
Single sign-on
Single sign-on (SSO) enables access to many applications while requiring user authentication only once. SSO is often used when users access data from disparate systems to prevent multiple logons
Which authentication protocol replaces RADIUS?
TACACS
XTACACS
Diameter
Diameter
Diameter was designed as the successor to RADIUS: it runs over TCP or SCTP instead of UDP (reliable delivery), supports larger attributes, failover, and server-initiated messages, and is more extensible. In practice it is found mainly in telecom and mobile core networks, while RADIUS remains widely deployed for enterprise network access. TACACS and XTACACS are Cisco's obsolete predecessors of TACACS+, not RADIUS replacements
Which of the following best describes CHAP?
PKI certificates must be used on both ends of the connection.
802.1x equipment forwards authentication requests to a RADIUS server.
Passwords are never sent over the network.
Passwords are never sent over the network.
Challenge Handshake Authentication Protocol (CHAP) uses a three-way exchange: the authenticator sends a random challenge, the peer returns an MD5 hash of the packet identifier, the shared secret, and the challenge, and the authenticator replies with success or failure. The authenticator may repeat the challenge at any time during the session. The shared secret (for example, a password) is known by both parties but is never sent over the network. Two caveats: the authenticator must hold the secret in reversible form to recompute the same hash, and anyone who captures a challenge and its response can guess the secret offline, which is why CHAP and MS-CHAPv2 are normally tunnelled inside TLS (PEAP, EAP-TTLS) today
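The exchange described above, written out with both sides in one process, as an added example that is not part of the original flashcard set. The peer name, the secret hunter2 and the candidate wordlist are constructed; the hash construction is the one RFC 1994 specifies.

```python
# Added example, not from the flashcard set: an RFC 1994 MD5-CHAP exchange with both
# sides in one process, plus the offline-guessing weakness a captured exchange exposes.
# Peer names, secrets and the candidate wordlist are constructed.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: Response Value = MD5(Identifier || secret || Challenge Value).
    The secret itself never goes on the wire."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side. It must keep each peer's secret in reversible form
    (here plaintext) to recompute the hash; that is CHAP's main operational weakness."""

    def __init__(self, secrets: dict):
        self._secrets = dict(secrets)      # peer name -> shared secret
        self._outstanding = {}             # identifier -> challenge awaiting a response
        self._next_id = 0

    def challenge(self) -> tuple:
        """Issue a fresh random challenge under a new one-octet identifier."""
        ident = self._next_id
        self._next_id = (ident + 1) % 256
        chal = os.urandom(16)
        self._outstanding[ident] = chal
        return ident, chal

    def verify(self, ident: int, name: bytes, response: bytes) -> bool:
        """Success only if the response matches the hash over an outstanding challenge.
        The challenge is consumed, so a replayed response fails."""
        chal = self._outstanding.pop(ident, None)
        secret = self._secrets.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(ident, secret, chal), response)


def run_exchange(auth: ChapAuthenticator, name: bytes, peer_secret: bytes) -> tuple:
    """Drive one challenge / response / success-or-failure exchange. Returns the result
    and the (identifier, challenge, response) triple an on-path sniffer would capture."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, peer_secret, chal)   # computed on the peer, secret stays local
    return auth.verify(ident, name, resp), (ident, chal, resp)


def offline_guess(captured: tuple, candidates: list):
    """Attacker with a captured exchange tries a wordlist; no further network
    interaction is needed, which is why plain CHAP is tunnelled in TLS today."""
    ident, chal, resp = captured
    for cand in candidates:
        if chap_response(ident, cand, chal) == resp:
            return cand
    return None
```

A correct peer succeeds once, the same captured response fails when replayed because the challenge has been consumed, and offline_guess recovers a weak secret from nothing more than the captured triple.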
You are configuring a WPA2 wireless network connection on a company laptop. The company has implemented a PKI. Which WPA2 network authentication method would be the best choice?
MS-CHAP
Local computer certificate
WPA2 PSK
Local computer certificate
A local computer certificate implies a PKI. A certificate is issued to a user or computer, binds that entity's identity to its public key, and is signed by a certification authority; the matching private key is stored separately on the device (ideally in a TPM) and is what the device uses to prove it owns the certificate. With WPA2-Enterprise this means 802.1X with EAP-TLS: the supplicant authenticates with its certificate and the RADIUS server presents its own, so each side verifies the other. MS-CHAP relies on a password, and WPA2 PSK is one shared passphrase with no per-device identity
Which of the following examples best illustrates authentication?
A user accesses a shared folder to which he has been granted permission.
A computer successfully identifies itself to a server prior to user logon.
A network contains two network links to a remote office in case one fails.
A computer successfully identifies itself to a server prior to user logon.
Authentication means proving a claimed identity (user or computer). This can be done via username/password, via smartcard and PIN, or, in this case, with a PKI certificate installed on the computer that the server validates against the issuing certification authority. Accessing a shared folder one has permission to is authorization, and redundant links are availability
A technician is troubleshooting user access to an 802.1x wireless network called CORP. The same computer was previously given an IP address on the 10.17.7.0/24 network, but now for some reason it has an IP address on the 10.16.16.0/24 network. DHCP is functioning correctly on the network. The technician reports the machine was recently reimaged, and the image uses DHCP. What is the most likely cause of the problem?
The workstation has a static IP address on the 10.16.16.0/24 network.
The technician needs to issue the ipconfig /renew command.
The workstation needs to have its PKI certificate reinstalled.
The workstation needs to have its PKI certificate reinstalled.
A computer PKI certificate can grant access to an 802.1x-configured wireless network. Reimaging wiped the certificate, so without it the machine is either denied network access or, as here, placed on a guest or remediation VLAN, which is why DHCP now hands it an address from a different subnet. A static address would not come from DHCP at all, and renewing the lease would simply return another guest-VLAN address
What type of security problem would network access control (NAC) best address?
Dictionary attack
ARP cache poisoning
WEP
ARP cache poisoning
ARP cache poisoning involves an attacker modifying host ARP caches with the attacker’s MAC address associated with a valid host IP, thus forcing network traffic to the attacker station. This can be difficult to prevent, so the key lies in controlling access to the network in the first place
A company intranet consists of various internal web servers each using different authentication stores. What would allow users to use the same username and password for all internal web sites?
NAC
SSO
VPN
SSO
SSO enables users to use only a single username and password to access multiple network resources even if those network resources use different authentication sources
While capturing network traffic, you notice clear-text credentials being transmitted. After investigating the TCP headers, you notice the destination port is 389. What type of authentication traffic is this?
EAP
EAP-TLS
LDAP
LDAP
LDAP is a standard for accessing a network directory (database), in this case for authentication purposes. LDAP uses TCP port 389 for clear-text transmissions (which can be upgraded to TLS with StartTLS) and TCP port 636 for LDAPS, which is TLS from the start. A simple bind seen in the clear on port 389 exposes the account's distinguished name and password to anyone on the path and should be moved to LDAPS or StartTLS with certificate validation. EAP and EAP-TLS are carried inside 802.1X or RADIUS, not over port 389
You are evaluating public cloud storage solutions. Users will be authenticated to a local server on your network that will allow them access to cloud storage. Which identity federation standard could be configured to achieve this?
LDAP
PKI
SAML
SAML
Security Assertion Markup Language (SAML) is an XML standard that defines how authentication and authorization data are transmitted in a federated identity environment. Here the local server acts as the identity provider (IdP): it authenticates the user and issues a signed assertion that the cloud storage service (the service provider, SP) accepts in place of its own login. LDAP and PKI are building blocks an IdP may use, not federation standards
As the network administrator, you are asked to configure a secure VPN solution that uses multifactor authentication. Which of the following solutions should you recommend? (Choose two.)
Key fob and password
Username and password
Fingerprint scanner
Smartcard and password
Key fob and password
Smartcard and password
Key fobs are physical devices with a small display showing a number that is synchronized with a server-side component. This number changes frequently and is used in conjunction with another authentication factor, such as a password, to provide additional security. Smartcards contain circuitry used for the secure identification of a user in conjunction with a PIN. Both of these pair something you have with something you know and so constitute multifactor authentication; a username and password, or a fingerprint scan on its own, is a single factor
You have been hired by a university to recommend IT solutions. Currently, students and faculty use proximity cards to access buildings on campus after hours, and they have usernames and passwords to log on to lab computers. The university would like to use PKI information unique to each user to allow access to campus buildings and to log on to workstations in labs. What should you recommend?
Hardware token and password
Common access card
PKI private key
Common access card
A common access card (CAC), the smartcard issued by the U.S. Department of Defense, carries PKI certificates and the matching private keys and is used to gain access to more than one type of secured resource: the same card opens building doors and, with its PIN, logs the user on to a workstation using certificate-based authentication. A hardware token and password would not reuse the PKI identity for doors, and a bare private key is not something a user can carry and present
Android-based smart phones have been distributed to traveling employees for use with Google online services. You deploy the Google Authenticator app to the smart phones to allow user authentication based on the time as well as a unique code generated by the server. What type of authentication would you choose?
Time-based one-time password
Network Time Protocol authentication
PAP
Time-based one-time password
Time-based one-time passwords (TOTP, RFC 6238) feed the current time, divided into 30-second steps, together with a shared secret key into an HMAC, and truncate the result to a short numeric code. The shared secret is a random key provisioned to the app when the account is enrolled (the QR code), not the user's password. Each code is valid only for its time step, plus whatever small clock-skew window the server allows, unlike HMAC-based one-time passwords (HOTP, RFC 4226), which use an incrementing counter instead of the time and remain valid until used or the counter is advanced
Which of the following authentication methods is based on something you do?
Handwriting
Entering the PIN for a smartcard
Retinal scan
Handwriting
Handwriting is unique to the person doing it (something you do)
You are the Microsoft Active Directory administrator for an American government agency. The Active Directory domain in Los Angeles is configured to trust the Active Directory domain in Chicago, which in turn trusts the Active Directory domain in Orlando. Which term correctly describes the trust relationship between Los Angeles and Orlando?
Transitive trust
Wide area network trust
NTLM
Transitive trust
A transitive trust lets one party trust a third party by way of a middle party: because Los Angeles trusts Chicago and Chicago trusts Orlando, Los Angeles trusts Orlando. Within an Active Directory forest, parent-child and tree-root trusts are transitive by default; external trusts to another forest are not unless they are created as forest trusts. NTLM is an authentication protocol, not a trust type
Which of the following are authentication/authorization frameworks? (Choose all that apply.)
OpenID Connect
Federation
OAUTH
Shibboleth
Secure token
OpenID Connect
OAUTH
Shibboleth
OpenID Connect, OAuth, and Shibboleth are all authentication/authorization frameworks. OAuth 2.0 is an authorization framework for delegating access to an API; OpenID Connect adds an authentication layer on top of it (the ID token). Shibboleth is a SAML-based single sign-on implementation widely used in higher-education and research federations. Microsoft's Active Directory Federation Services (AD FS) supports SAML, OAuth 2.0, and OpenID Connect. These frameworks are used for identity federation: a user signs on once with a trusted identity provider, which issues a signed token for that session, and the token is then presented to other resources without prompting for credentials again. Federation is the general concept rather than a framework, and a secure token is the artifact these frameworks issue. These solutions are often used between organizations that need to share resources, including between cloud consumers and cloud providers
Security approaches you at work about people sometimes being able to enter the office using the voice recognition system even though they are not employees. What is the problem?
False rejection
False acceptance
Crossover error
False acceptance
False acceptance occurs when a biometric system matches a person who is not the enrolled user; the rate at which this happens is the false acceptance rate (FAR). Its counterpart, false rejection (FRR), turns away legitimate users. Raising the match threshold lowers the FAR at the cost of a higher FRR, and the threshold at which the two rates are equal is the crossover error rate (CER), the usual figure for comparing biometric systems. Strangers being let in means this system's threshold is set too loosely for the building's security requirement
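How FAR, FRR and the crossover point are actually computed from a system's match scores, as an added example that is not part of the flashcard set. The genuine and impostor score lists are constructed; a real evaluation would use thousands of trials per population.

```python
# Added example, not from the flashcard set: computing false acceptance and false
# rejection rates from match scores and finding the crossover threshold. The genuine
# and impostor score lists are constructed; a real system would use thousands of trials.
GENUINE = [0.9, 0.85, 0.8, 0.75, 0.7, 0.6, 0.55, 0.4]    # enrolled users vs. their own template
IMPOSTOR = [0.1, 0.2, 0.3, 0.35, 0.45, 0.5, 0.65, 0.7]   # other people vs. that template


def error_rates(genuine, impostor, threshold):
    """A score >= threshold is accepted. FAR: impostors accepted; FRR: genuine users rejected."""
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return the one where
    FAR and FRR are closest, with the two rates at that point (the crossover error rate)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < best[0]:
            best = (abs(far - frr), t, far, frr)
    return best[1], best[2], best[3]


def diagnose(genuine, impostor, deployed_threshold):
    """Compare the deployed threshold with the crossover: a FAR above the CER means the
    system is tuned for convenience and will let strangers in, as in the voice-scan case."""
    far, frr = error_rates(genuine, impostor, deployed_threshold)
    cer_threshold, cer, _ = crossover(genuine, impostor)
    return {"far": far, "frr": frr, "cer_threshold": cer_threshold, "cer": cer,
            "too_loose": far > cer}


if __name__ == "__main__":
    print("crossover:", crossover(GENUINE, IMPOSTOR))
    print("deployed at 0.4:", diagnose(GENUINE, IMPOSTOR, 0.4))
```

On the constructed scores the crossover sits at a threshold of 0.6 with both rates at 0.25; a system deployed at 0.4 rejects nobody but admits half the impostors, which is the complaint in the card. For a research facility the threshold would be set above the crossover and the higher FRR accepted.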