Authorization and Access Control (1) Flashcards

1
Q

Which identity federation component authenticates users?

Identity provider

Resource provider

OAuth

A

Identity provider

Identity providers (IdPs) hold the user accounts and perform authentication. In a federated identity environment, once the IdP has authenticated a user it issues a security token that may contain assertions (claims) about the user, such as date of birth or department. The IdP digitally signs the token with its private key. Applications (resource providers) that trust the IdP verify the signature with the IdP's public key, accept the token, and grant access; the resource provider never sees the user's credentials, only the signed token

2
Q

After successful authentication, which SAML component contains claim information?

Security token service

PKI certificate

Token

A

Token

The SAML standard is used to exchange authentication and authorization messages between users, IdPs, and resource providers (service providers). The IdP digitally signs the security token (in SAML, the assertion), which can contain claims about a user or device, such as date of birth, cost center, or subnet address range. Claims are usually derived from attributes stored with the user or device account, so the resource provider can make access decisions from the token alone, provided the signature checks out
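The sign-then-verify flow described in the two cards above, as an added example that is not part of the original page and not a SAML implementation: the IdP signs a claim set with its private key, the resource provider checks it with the published public key, and a claim edited in transit fails verification because the attacker cannot re-sign. The claim names, the "claims.signature" token layout, and Ed25519 as the signature scheme are this example's own choices (SAML uses XML signatures over an XML assertion).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the assertion set the IdP places in the token. The field names
// are this example's own choice, not a SAML or JWT schema.
type Claims struct {
	Subject    string `json:"sub"`
	Department string `json:"department"`
	CostCenter string `json:"cost_center"`
	IssuedAt   int64  `json:"iat"`
	ExpiresAt  int64  `json:"exp"`
}

// IdentityProvider holds the signing key pair. Only the IdP ever sees the
// private key; the public key is published to every resource provider that
// chooses to trust this IdP.
type IdentityProvider struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
}

func NewIdentityProvider() (*IdentityProvider, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &IdentityProvider{priv: priv, Pub: pub}, nil
}

// Issue is called after the IdP has authenticated the user by whatever
// method it uses. It returns "<base64url claims>.<base64url signature>".
func (idp *IdentityProvider) Issue(c Claims) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(idp.priv, body)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(sig), nil
}

// Verify is what the resource provider runs on every presented token. It
// needs only the trusted IdP's public key, never the user's credentials.
func Verify(trustedIdP ed25519.PublicKey, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return c, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	if err != nil {
		return c, err
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return c, err
	}
	// Check the signature before believing anything in the body.
	if !ed25519.Verify(trustedIdP, body, sig) {
		return c, errors.New("signature invalid: not issued by the trusted IdP")
	}
	if err := json.Unmarshal(body, &c); err != nil {
		return c, err
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return c, errors.New("token expired")
	}
	return c, nil
}

// Tamper models an attacker who edits a claim in transit but cannot
// re-sign, because the IdP private key is not available to them.
func Tamper(token, newDepartment string) string {
	enc := base64.RawURLEncoding
	parts := strings.Split(token, ".")
	body, _ := enc.DecodeString(parts[0])
	var c Claims
	_ = json.Unmarshal(body, &c)
	c.Department = newDepartment
	body, _ = json.Marshal(c)
	return enc.EncodeToString(body) + "." + parts[1]
}

func main() {
	idp, err := NewIdentityProvider()
	if err != nil {
		panic(err)
	}
	now := time.Now()
	tok, _ := idp.Issue(Claims{Subject: "alice", Department: "finance",
		CostCenter: "CC-42", IssuedAt: now.Unix(), ExpiresAt: now.Add(5 * time.Minute).Unix()})
	_, err = Verify(idp.Pub, tok, now)
	fmt.Println("genuine token:", err)
	_, err = Verify(idp.Pub, Tamper(tok, "executive"), now)
	fmt.Println("tampered token:", err)
}
```

Note that Verify checks the signature before it decodes a single claim and rejects a token signed by any key other than the configured IdP's: trusting "a valid signature" rather than "a valid signature from this IdP" is the classic federation mistake.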

3
Q

You are configuring file system security such that Microsoft Active Directory user accounts with a specific manager configured in their user account properties are granted file system access. What type of access control configuration is this?

Role-based

Discretionary

Attribute-based

A

Attribute-based

User accounts carry many attributes (properties) such as manager name, group membership, last login time, and city. Attribute-based access control evaluates these attributes against conditional access policies to allow or block file system access, instead of granting access by role membership or by an owner's discretionary permission

4
Q

Which of the following constitutes multifactor authentication?

Username, password

Username, PIN

Smartcard, PIN

A

Smartcard, PIN

Multifactor authentication combines factors from at least two different categories. A username is an identifier, not a factor, and a password and a PIN are both something you know, so the first two options are single-factor. A smartcard (something you have) is the size of a credit card and is commonly used for authenticating to IT systems; smartcards are also used for building access or as payment cards, and modern credit cards contain an embedded microprocessor that can perform cryptographic operations. Using a smartcard normally requires entering a PIN (something you know), which is what makes the combination multifactor

5
Q

You are configuring SSH public key authentication for a Linux host. Which statements about this configuration are correct? (Choose two.)

The public key is stored with the user.

The private key is stored with the user.

The public key is stored with the Linux host.

The private key is stored with the Linux host.

A

The private key is stored with the user.

The public key is stored with the Linux host.

SSH public key authentication uses a public and private key pair for each user who will authenticate to the Linux host. The public key is stored on the Linux host, in the user's home directory in a hidden directory named .ssh (the leading dot in Linux hides the file or directory), in the file authorized_keys. The private key stays on the user's client device and should be protected with a passphrase. When users authenticate to the Linux host, they supply the username and the passphrase that unlocks the private key; the private key itself is never sent to the host, which only checks a signature against the stored public key
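A model of the key placement described above, as an added example that is not part of the original page and not OpenSSH code: it renders an Ed25519 public key in the exact line format that goes into the host's ~/.ssh/authorized_keys, parses that line back the way sshd has to, and shows the host accepting a login from nothing more than a signature over its challenge, so the private key never leaves the user's device. The bare challenge is a simplification (real SSH signs a structure that also binds the session ID and username); the key type is limited to ssh-ed25519 for brevity.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// sshString encodes a byte string in SSH wire format (RFC 4251):
// a big-endian uint32 length followed by the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// readSSHString pops one wire-format string off the front of buf.
func readSSHString(buf []byte) (s, rest []byte, err error) {
	if len(buf) < 4 {
		return nil, nil, errors.New("truncated length")
	}
	n := binary.BigEndian.Uint32(buf)
	if uint64(len(buf)-4) < uint64(n) {
		return nil, nil, errors.New("truncated string")
	}
	return buf[4 : 4+n], buf[4+n:], nil
}

// AuthorizedKeysLine renders a public key in the form that belongs in the
// user's ~/.ssh/authorized_keys on the HOST: "ssh-ed25519 <base64 blob> comment".
// The blob is string("ssh-ed25519") || string(pubkey) in wire format.
func AuthorizedKeysLine(pub ed25519.PublicKey, comment string) string {
	var blob bytes.Buffer
	blob.Write(sshString([]byte("ssh-ed25519")))
	blob.Write(sshString(pub))
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob.Bytes()) + " " + comment
}

// ParseAuthorizedKeysLine is the host side's inverse of AuthorizedKeysLine.
func ParseAuthorizedKeysLine(line string) (ed25519.PublicKey, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 || fields[0] != "ssh-ed25519" {
		return nil, errors.New("unsupported or malformed key line")
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return nil, err
	}
	keyType, rest, err := readSSHString(blob)
	if err != nil || string(keyType) != "ssh-ed25519" {
		return nil, errors.New("key type inside blob does not match")
	}
	key, rest, err := readSSHString(rest)
	if err != nil || len(rest) != 0 || len(key) != ed25519.PublicKeySize {
		return nil, errors.New("bad public key encoding")
	}
	return ed25519.PublicKey(key), nil
}

// ClientProve runs on the user's device. The private key never leaves it;
// only a signature over the host-supplied challenge goes on the wire.
func ClientProve(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// HostAuthenticate runs on the Linux host: accept the login if any key in
// the user's authorized_keys verifies the signature. Lines that do not
// parse (comments, other key types) are skipped, as sshd does.
func HostAuthenticate(authorizedKeys []string, challenge, sig []byte) bool {
	for _, line := range authorizedKeys {
		pub, err := ParseAuthorizedKeysLine(line)
		if err != nil {
			continue
		}
		if ed25519.Verify(pub, challenge, sig) {
			return true
		}
	}
	return false
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // priv stays on the client
	line := AuthorizedKeysLine(pub, "alice@laptop")
	fmt.Println("authorized_keys entry on the host:", line)
	challenge := make([]byte, 32)
	_, _ = rand.Read(challenge)
	sig := ClientProve(priv, challenge)
	fmt.Println("host accepts login:", HostAuthenticate([]string{line}, challenge, sig))
}
```

The asymmetry is the whole point: a compromised host leaks only public keys, which cannot be used to log in anywhere, whereas a compromised client leaks the private key, which is why the next card's passphrase matters.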

6
Q

After configuring SSH public key authentication for a Linux host, users complain that they are prompted for a passphrase when using SSH to connect to the host. Why is this happening?

SSH is configured incorrectly on the Linux host.

SSH is configured incorrectly on the client device.

A passphrase has been configured to protect the private key.

A

A passphrase has been configured to protect the private key.

With SSH public key authentication, the private key is stored on the user's client device. Security best practice is to protect private key files with a passphrase, so users are being prompted for the private key passphrase, not their user account password on the host. The prompt means the configuration is working as intended; an SSH agent can cache the unlocked key for the session so the passphrase is entered once rather than on every connection

7
Q

Which configuration limits the use of a mobile device to a specific area?

Geotagging

Geolocation

Geofencing

A

Geofencing

Geofencing defines a virtual boundary around a geographic area and uses device location tracking to trigger an action when a device enters or leaves that boundary, such as presenting a message to the user, restricting device features, or alerting an administrator. Applied through mobile device management, this is what limits use of a device to a specific area; geolocation only determines where the device is, and geotagging only records that location in files

8
Q

While scrolling through social media posts, you come across a friend’s post stating that he had recently boarded a flight from Las Vegas en route to Toronto. What is this an example of?

Geotagging

Geolocation

GPS

A

Geotagging

Geotagging attaches location metadata, typically GPS coordinates, to files such as photos or to social media posts. The post in the question discloses the friend's location and travel plans, which is exactly the kind of information geotagging exposes, often without the user noticing

9
Q

Which user password setting will prevent the reuse of old passwords?

Password complexity

Account lockout

Password history

A

Password history

Configuring password history for user accounts prevents users from reusing previous passwords; the setting specifies how many previous passwords are remembered, and a new password is rejected if it matches any of them. Password complexity governs what a new password must contain, and account lockout governs failed login attempts; neither stops reuse
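The remembered-password window described above, as an added example that is not part of the original page: a per-account history of the last N salted password hashes, a reuse check that compares in constant time, and the oldest entry ageing out once the window is full. The SHA-256 hashing and the Remember field are this example's own choices; a real directory stores the same slow hash it uses for login.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var ErrPasswordReused = errors.New("password matches one of the remembered previous passwords")

// PasswordHistory keeps salted hashes of an account's last Remember
// passwords (the current one included), oldest first. Plaintext is never
// stored. SHA-256 is used only to keep this example dependency-free; a real
// deployment stores the same slow hash it uses for login (bcrypt, scrypt,
// Argon2) so the history is no easier to crack than the live password.
type PasswordHistory struct {
	Remember int // 0 means no history is kept, so nothing is ever rejected
	entries  []historyEntry
}

type historyEntry struct {
	salt []byte
	hash []byte
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// Reused reports whether the candidate matches any remembered password.
// Every entry is checked, with no early exit, so timing does not reveal
// which entry matched.
func (ph *PasswordHistory) Reused(candidate string) bool {
	reused := false
	for _, e := range ph.entries {
		if subtle.ConstantTimeCompare(hashPassword(e.salt, candidate), e.hash) == 1 {
			reused = true
		}
	}
	return reused
}

// Set records a new password, rejecting it if it is in the history, and
// forgets the oldest entries once more than Remember are held.
func (ph *PasswordHistory) Set(password string) error {
	if ph.Reused(password) {
		return ErrPasswordReused
	}
	salt := make([]byte, 16) // fresh salt per entry so equal passwords hash differently
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	ph.entries = append(ph.entries, historyEntry{salt: salt, hash: hashPassword(salt, password)})
	if len(ph.entries) > ph.Remember {
		ph.entries = ph.entries[len(ph.entries)-ph.Remember:]
	}
	return nil
}

func main() {
	ph := &PasswordHistory{Remember: 3}
	for _, pw := range []string{"Winter2023!", "Spring2024!", "Summer2024!", "Winter2023!", "Autumn2024!", "Winter2023!"} {
		fmt.Printf("set %-12s -> %v\n", pw, ph.Set(pw))
	}
}
```

With Remember set to 3, the fourth call (a repeat of the first password) is rejected, but after one more distinct password the first one has aged out of the window and is accepted again; a minimum password age setting is what stops users from cycling through the window in one sitting.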

10
Q

You have configured user workstations so that upon a user’s login, a message states that the system may be used only to conduct business in accordance with organizational security policies, and that noncompliance could result in disciplinary action. Which type of security control is this?

Detective

Corrective

Deterrent

A

Deterrent

Deterrent controls such as login banners are designed to discourage illegal or malicious behavior by making the consequences known; they do not detect or correct a violation after the fact. A login banner also removes any claim that the user was unaware of the acceptable use policy, which matters if the organization later takes disciplinary or legal action

11
Q

Which type of access control model uses a hardened specialized operating system with resource labeling and security clearance levels to control resources access?

Discretionary access control

Role-based access control

Mandatory access control

A

Mandatory access control

Specialized security operating systems such as Security-Enhanced Linux (SELinux) use mandatory access control (MAC). With MAC, administrators label items such as files, network ports, and running processes and define security levels (clearances) that are assigned to users or remote network devices; access to a labeled item is allowed or blocked by comparing the subject's level with the item's label. The operating system kernel enforces MAC, and unlike discretionary access control, the owner of a resource cannot override it
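The label comparison behind that description, as an added example that is not part of the original page and not SELinux code: labels in the "s2:c0,c3" form SELinux uses for its MLS/MCS fields (a sensitivity level plus categories), the dominance test between two labels, and the Bell-LaPadula read and write rules applied to it. Only the MLS part of SELinux is modeled; its type enforcement is a separate mechanism, and the label strings are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Label is an MLS-style security label: a sensitivity level (s0..sN) and a
// set of categories (c0..cN). The same string form is used in SELinux
// contexts, e.g. the "s0:c0,c3" tail of a file's context.
type Label struct {
	Level      int
	Categories map[string]bool
}

// ParseLabel reads the "s2:c0,c3" form. The category part may be absent.
func ParseLabel(s string) (Label, error) {
	l := Label{Categories: map[string]bool{}}
	levelPart, catPart, _ := strings.Cut(s, ":")
	if !strings.HasPrefix(levelPart, "s") {
		return l, errors.New("level must look like s<n>")
	}
	n, err := strconv.Atoi(levelPart[1:])
	if err != nil || n < 0 {
		return l, errors.New("bad level " + levelPart)
	}
	l.Level = n
	if catPart != "" {
		for _, c := range strings.Split(catPart, ",") {
			if !strings.HasPrefix(c, "c") {
				return l, errors.New("bad category " + c)
			}
			l.Categories[c] = true
		}
	}
	return l, nil
}

// Dominates is the MLS ordering: a dominates b when a's level is at least
// b's and a's categories include every one of b's.
func (a Label) Dominates(b Label) bool {
	if a.Level < b.Level {
		return false
	}
	for c := range b.Categories {
		if !a.Categories[c] {
			return false
		}
	}
	return true
}

// Allowed applies the Bell-LaPadula rules: a subject may read an object its
// clearance dominates (no read up) and may write only to an object that
// dominates its clearance (no write down), so data cannot flow from a high
// label to a low one. The file owner has no say; only the policy decides.
func Allowed(subject, object Label, action string) bool {
	switch action {
	case "read":
		return subject.Dominates(object)
	case "write":
		return object.Dominates(subject)
	}
	return false // unknown actions are denied
}

func main() {
	analyst, _ := ParseLabel("s2:c0,c3") // user clearance
	hrFile, _ := ParseLabel("s1:c0")     // labeled file
	finFile, _ := ParseLabel("s2:c4")    // same level, different compartment
	fmt.Println("analyst reads hrFile: ", Allowed(analyst, hrFile, "read"))
	fmt.Println("analyst reads finFile:", Allowed(analyst, finFile, "read"))
	fmt.Println("analyst writes hrFile:", Allowed(analyst, hrFile, "write"))
}
```

The categories are what stop a sufficiently high level from being a master key: s2:c0,c3 cannot read s2:c4 even though the levels are equal, which is the "need to know" half of MAC.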

12
Q

Your cloud-based virtual machine runs a custom application workload that requires access to resources running within on-premises virtual machines. What should you do to enable secure connectivity between the virtual machines? (Choose two.)

Configure HTTP connectivity between the virtual machines.

Configure a guest account for the application.

Configure a service account for the application.

Configure a VPN tunnel between the virtual machines.

A

Configure a service account for the application.

Configure a VPN tunnel between the virtual machines.

Service accounts can be assigned only the permissions the software needs to function (least privilege), and the software is then configured to run under that account rather than a guest or personal account. Secure connectivity between virtual machines in the cloud and on premises is achieved with a site-to-site VPN between the on-premises network and the public cloud provider, so the application traffic is encrypted in transit; plain HTTP between the machines would expose it

13
Q

Which term is the most closely related to the “impossible travel time” security feature?

Chain of trust

Security token

Anomaly detection

A

Anomaly detection

The impossible travel time security feature compares consecutive sign-ins by the same user from different locations to identify anomalies or risky logins. For example, logging in from New York City at 10 a.m. EST and then from Paris at 11 a.m. EST would require traveling between those locations within one hour, which is not possible. If corporate proxy servers or personal VPN anonymizing software are in use, the source address may geolocate far from the user's real position and this type of login can be legitimate, so such egress addresses must be accounted for when configuring the feature
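The check described above, as an added example that is not part of the original page: a detector that keeps each user's last sign-in, computes the great-circle distance to the next one, derives the speed the user would have needed, and raises a finding above a configurable threshold. Known proxy or VPN egress addresses are still evaluated but marked for triage instead of silently suppressed. The login records, coordinates, IP addresses (from documentation ranges), and the 1000 km/h threshold are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Login is one successful sign-in, with the location its source IP
// geolocated to.
type Login struct {
	User  string
	At    time.Time
	Lat   float64
	Lon   float64
	SrcIP string
}

// Finding is raised when two consecutive logins by one user imply a travel
// speed no traveler could achieve.
type Finding struct {
	User       string
	DistanceKm float64
	Elapsed    time.Duration
	SpeedKmh   float64
	ViaProxy   bool // an endpoint is a known proxy/VPN egress: triage, do not auto-block
}

type Detector struct {
	MaxSpeedKmh      float64         // anything faster than an airliner is impossible
	KnownProxyEgress map[string]bool // anonymizer and corporate VPN egress addresses
	last             map[string]Login
}

func NewDetector(maxSpeedKmh float64, proxyEgress []string) *Detector {
	d := &Detector{MaxSpeedKmh: maxSpeedKmh, KnownProxyEgress: map[string]bool{}, last: map[string]Login{}}
	for _, ip := range proxyEgress {
		d.KnownProxyEgress[ip] = true
	}
	return d
}

const earthRadiusKm = 6371.0

// HaversineKm is the great-circle distance between two lat/lon points.
func HaversineKm(lat1, lon1, lat2, lon2 float64) float64 {
	toRad := func(deg float64) float64 { return deg * math.Pi / 180 }
	dLat := toRad(lat2 - lat1)
	dLon := toRad(lon2 - lon1)
	a := math.Sin(dLat/2)*math.Sin(dLat/2) +
		math.Cos(toRad(lat1))*math.Cos(toRad(lat2))*math.Sin(dLon/2)*math.Sin(dLon/2)
	return 2 * earthRadiusKm * math.Asin(math.Sqrt(a))
}

// Observe feeds one login to the detector and reports whether it, together
// with the same user's previous login, constitutes impossible travel.
func (d *Detector) Observe(l Login) (Finding, bool) {
	prev, seen := d.last[l.User]
	d.last[l.User] = l
	if !seen {
		return Finding{}, false
	}
	dist := HaversineKm(prev.Lat, prev.Lon, l.Lat, l.Lon)
	elapsed := l.At.Sub(prev.At)
	if elapsed < time.Minute {
		elapsed = time.Minute // clamp near-simultaneous or out-of-order events; avoids dividing by ~0
	}
	speed := dist / elapsed.Hours()
	if speed <= d.MaxSpeedKmh {
		return Finding{}, false
	}
	return Finding{
		User: l.User, DistanceKm: dist, Elapsed: elapsed, SpeedKmh: speed,
		ViaProxy: d.KnownProxyEgress[prev.SrcIP] || d.KnownProxyEgress[l.SrcIP],
	}, true
}

func main() {
	d := NewDetector(1000, []string{"203.0.113.9"})
	t0 := time.Date(2024, 3, 1, 15, 0, 0, 0, time.UTC) // 10 a.m. EST
	logins := []Login{                                     // constructed sample events
		{"alice", t0, 40.7128, -74.0060, "198.51.100.23"},                  // New York
		{"alice", t0.Add(time.Hour), 48.8566, 2.3522, "192.0.2.77"},        // Paris, one hour later
		{"bob", t0, 40.7128, -74.0060, "198.51.100.40"},                    // New York
		{"bob", t0.Add(4 * time.Hour), 42.3601, -71.0589, "198.51.100.41"}, // Boston, four hours later
	}
	for _, l := range logins {
		if f, ok := d.Observe(l); ok {
			fmt.Printf("ALERT %s: %.0f km in %s (%.0f km/h), via proxy: %v\n",
				f.User, f.DistanceKm, f.Elapsed, f.SpeedKmh, f.ViaProxy)
		}
	}
}
```

New York to Paris is roughly 5,800 km, so the one-hour gap implies several thousand km/h and is flagged, while New York to Boston in four hours is ordinary driving speed and passes. The ViaProxy flag is the practical caveat from the card: geolocation of a VPN egress says where the tunnel exits, not where the user is.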

14
Q

You are configuring file servers in the enterprise to allow read-only access to files labeled as “PII” for users accessing files from the corporate network if they have been assigned to a project named “ProjectA.” Which type of access control mechanism is being used?

Discretionary

Conditional

Mandatory

A

Conditional

Conditional access evaluates rules (rule-based access control) against attributes of the user, the resource, and the session to allow or deny access to labeled resources such as files. In this example the conditions are the PII file label, the corporate network location, and the ProjectA assignment; all three must hold for read-only access to be granted, and a request that satisfies only some of them is denied
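A small policy engine covering this card and the earlier attribute-based card (access granted to accounts whose manager property has a given value), as an added example that is not part of the original page and not any vendor's conditional access product: subject attributes as a directory would supply them, a resource label, a session attribute, rules that AND their conditions, and default deny when nothing matches. The attribute names, the manager value "jsmith", and the sample requests are constructed for the example.

```go
package main

import "fmt"

// Attributes come from three places: the subject (directory account
// properties), the resource (its label), and the environment (the session).
type Subject struct {
	User     string
	Manager  string   // the AD "manager" property
	Projects []string // project assignments
}

type Resource struct {
	Path   string
	Labels []string // classification labels such as "PII"
}

type Environment struct {
	Network string // "corporate" or "internet"
}

type Request struct {
	Subject  Subject
	Resource Resource
	Env      Environment
	Action   string // "read" or "write"
}

// Condition is one attribute test. A Rule matches only when all of its
// conditions hold (logical AND).
type Condition func(Request) bool

type Rule struct {
	Name       string
	Conditions []Condition
	Allow      []string // actions granted when the rule matches
}

type Policy []Rule

// Evaluate is default-deny: the action is permitted only if a matching rule
// lists it. Rules are checked in order and the first match decides.
func (p Policy) Evaluate(r Request) (allowed bool, reason string) {
	for _, rule := range p {
		if !rule.matches(r) {
			continue
		}
		for _, a := range rule.Allow {
			if a == r.Action {
				return true, rule.Name
			}
		}
		return false, rule.Name + " matched but does not grant " + r.Action
	}
	return false, "no matching rule (default deny)"
}

func (rule Rule) matches(r Request) bool {
	for _, c := range rule.Conditions {
		if !c(r) {
			return false
		}
	}
	return true
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Condition constructors, one per attribute the cards mention.
func HasLabel(l string) Condition   { return func(r Request) bool { return contains(r.Resource.Labels, l) } }
func LacksLabel(l string) Condition { return func(r Request) bool { return !contains(r.Resource.Labels, l) } }
func OnNetwork(n string) Condition  { return func(r Request) bool { return r.Env.Network == n } }
func OnProject(p string) Condition  { return func(r Request) bool { return contains(r.Subject.Projects, p) } }
func ManagerIs(m string) Condition  { return func(r Request) bool { return r.Subject.Manager == m } }

// ExamplePolicy encodes the two scenarios on this page. The PII rule is
// first and the manager rule is restricted to non-PII files, so the
// broader manager rule can never widen access to labeled data.
func ExamplePolicy() Policy {
	return Policy{
		{
			Name:       "PII read-only from the corporate network for ProjectA members",
			Conditions: []Condition{HasLabel("PII"), OnNetwork("corporate"), OnProject("ProjectA")},
			Allow:      []string{"read"},
		},
		{
			Name:       "reports of manager jsmith get non-PII file access",
			Conditions: []Condition{LacksLabel("PII"), ManagerIs("jsmith")},
			Allow:      []string{"read", "write"},
		},
	}
}

func main() {
	p := ExamplePolicy()
	alice := Subject{User: "alice", Manager: "jsmith", Projects: []string{"ProjectA"}}
	pii := Resource{Path: "/shares/hr/salaries.xlsx", Labels: []string{"PII"}}
	for _, req := range []Request{
		{alice, pii, Environment{"corporate"}, "read"},
		{alice, pii, Environment{"corporate"}, "write"},
		{alice, pii, Environment{"internet"}, "read"},
	} {
		ok, why := p.Evaluate(req)
		fmt.Printf("%s %s from %s: %v (%s)\n", req.Subject.User, req.Action, req.Env.Network, ok, why)
	}
}
```

The reason string returned with every decision is worth keeping in a real engine: conditional access denials are hard to troubleshoot unless the log says which rule matched, or that none did.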

15
Q

The IT department has been tasked with conducting a risk assessment related to the migration of a line-of-business app to the public cloud. To which security control category does this apply?

Operational

Managerial

Technical

A

Managerial

Managerial security controls are administrative in nature and are applied from a business perspective; they include activities such as risk assessments, security policy, and personnel management. A risk assessment of a migration is a managerial control even though its output may later drive operational and technical controls

16
Q

You have been tasked with the weekly tape backup rotation for backing up on-premises database servers. To which security control category does this apply?

Operational

Managerial

Technical

A

Operational

Operational security controls are the day-to-day activities, carried out by people, that implement security management, such as executing daily or weekly backups, rotating backup tapes, and reviewing logs. The backup software itself is a technical control; the weekly rotation routine that people perform with it is operational