Authorization and Access Control (1) Flashcards
Which identity federation component authenticates users?
Identity provider
Resource provider
OAuth
Identity provider
Identity providers (IdPs) contain user accounts and perform authentication, and in federated identity environments they generate a security token that may contain assertions (claims) about the user such as date of birth, department, and so on. The security token is then digitally signed by the IdP with its private key. Applications that trust the IdP signature (verified using the IdP public key) accept tokens and allow user access
After successful authentication, which SAML component contains claim information?
Security token service
PKI certificate
Token
Token
The SAML standard is used to transmit authentication and authorization messages between users, IdPs, and resource providers. IdPs digitally sign security tokens, which can contain claims, or assertions, about a user or device, such as a date of birth, cost center, subnet address range, and so on. Claims are often derived from user or device attributes stored with the user or device account
You are configuring file system security such that Microsoft Active Directory user accounts with a specific manager configured in their user account properties are granted file system access. What type of access control configuration is this?
Role-based
Discretionary
Attribute-based
Attribute-based
User accounts contain many attributes (properties) such as manager name, group membership, last login time, city, and so on. These attributes can be compared to conditional access policies to allow or block file system access
Which of the following constitutes multifactor authentication?
Username, password
Username, PIN
Smartcard, PIN
Smartcard, PIN
A smartcard (something you have) is the size of a credit card and is commonly used for authenticating to IT systems. Smartcards can be used for other applications such as building access or as a credit card. Modern credit cards contain an embedded microprocessor that can perform cryptographic operations. Using a smartcard normally requires entering a PIN (something you know)
You are configuring SSH public key authentication for a Linux host. Which statements about this configuration are correct? (Choose two.)
The public key is stored with the user.
The private key is stored with the user.
The public key is stored with the Linux host.
The private key is stored with the Linux host.
The private key is stored with the user.
The public key is stored with the Linux host.
SSH public key authentication uses a public and private key pair for each user that will authenticate to the Linux host. The public key is stored on the Linux host in the user’s home directory, in a hidden directory named .ssh (the leading dot in Linux means the file or directory is hidden). The private key is stored on the user’s device and should be protected with a passphrase. When users authenticate to the Linux host, they must know the username and the passphrase for the private key
After configuring SSH public key authentication for a Linux host, users complain that they are prompted for a passphrase when using SSH to connect to the host. Why is this happening?
SSH is configured incorrectly on the Linux host.
SSH is configured incorrectly on the client device.
A passphrase has been configured to protect the private key.
A passphrase has been configured to protect the private key.
With SSH public key authentication, the private key is stored on the user’s device. Standard security best practices dictate that private key files must be protected with a passphrase. Users are being prompted for the private key passphrase, not their user account password
Which configuration limits the use of a mobile device to a specific area?
Geotagging
Geolocation
Geofencing
Geofencing
Geofencing uses device location tracking to present mobile device users with a message when they are within a specific geographic boundary
While scrolling through social media posts, you come across a friend’s post stating that he had recently boarded a flight from Las Vegas en route to Toronto. What is this an example of?
Geotagging
Geolocation
GPS
Geotagging
Geotagging is used to provide detailed location information metadata to files such as photos or social media posts
Which user password setting will prevent the reuse of old passwords?
Password complexity
Account lockout
Password history
Password history
Configuring password history for user accounts prevents users from reusing passwords; this option can be configured according to how many passwords should be remembered
You have configured user workstations so that upon a user’s login, a message states that the system may be used only to conduct business in accordance with organizational security policies, and that noncompliance could result in disciplinary action. Which type of security control is this?
Detective
Corrective
Deterrent
Deterrent
Deterrent controls such as device login messages are designed to deter or discourage illegal or malicious behaviors
Which type of access control model uses a hardened specialized operating system with resource labeling and security clearance levels to control resource access?
Discretionary access control
Role-based access control
Mandatory access control
Mandatory access control
Specialized security operating systems such as Security-Enhanced Linux (SELinux) use mandatory access control (MAC) to control resource access. With MAC, administrators label items such as files, network ports, or running processes and create security levels that are assigned to users or remote network devices to allow or block access to labeled items. The operating system enforces MAC
Your cloud-based virtual machine runs a custom application workload that requires access to resources running within on-premises virtual machines. What should you do to enable secure connectivity between the virtual machines? (Choose two.)
Configure HTTP connectivity between the virtual machines.
Configure a guest account for the application.
Configure a service account for the application.
Configure a VPN tunnel between the virtual machines.
Configure a service account for the application.
Configure a VPN tunnel between the virtual machines.
Service accounts can be assigned only the permissions required for software to function correctly, and the software is then configured to use the service account. Secure connectivity between virtual machines in the cloud and on-premises can be achieved with a site-to-site VPN between the on-premises network and the public cloud provider
Which term is the most closely related to the “impossible travel time” security feature?
Chain of trust
Security token
Anomaly detection
Anomaly detection
The impossible travel time security feature monitors user activity from different locations to identify anomalies or risky logins. As an example, logging in from New York City at 10 a.m. EST and then from Paris at 11 a.m. EST would mean traveling between those locations within one hour, which is not possible. If network proxy servers or personal VPN anonymizing software are used, this type of situation might be legitimate and must be considered when configuring this type of feature
You are configuring file servers in the enterprise to allow read-only access to files labeled as “PII” for users accessing files from the corporate network if they have been assigned to a project named “ProjectA.” Which type of access control mechanism is being used?
Discretionary
Conditional
Mandatory
Conditional
Conditional access control uses rules (rule-based access control) in conditional access policies to allow or deny access to labeled resources such as files. In this example, files labeled as PII, the corporate network location, and project assignment attributes are the conditions
The IT department has been tasked with conducting a risk assessment related to the migration of a line-of-business app to the public cloud. To which security control category does this apply?
Operational
Managerial
Technical
Managerial
Managerial security controls are administrative in nature, from a business perspective, and include activities such as risk assessments and personnel management