Authorization and Access Control (2) Flashcards
Organizational security policies require that customers’ personal information be encrypted when stored. To which security control category does this apply?
Operational
Managerial
Technical
Technical
Technical security controls are processed by computing devices, such as encrypting sensitive data
You are configuring a hardware firewall to allow traffic only from a jump box in the DMZ to internal Linux hosts. Which type of security control is this?
Physical
Compensating
Preventative
Preventative
Preventative controls are configured to stop security incidents from occurring, such as a firewall rule that blocks unnecessary traffic destined for an internal network
To achieve regulatory compliance, your organization must encrypt all fixed disks to protect data at rest on each station. Your company plans on using the Microsoft Windows BitLocker drive encryption feature. None of your computers has a TPM chip, so you have configured Group Policy such that decryption keys can be stored on a removable USB thumb drive. Which type of security control is this?
Physical
Compensating
Detective
Compensating
Compensating controls are used when a preferred security control, such as TPM-enabled computers, cannot be implemented because it is impractical or prohibitively expensive; compensating controls, such as decryption keys on removable storage, must still satisfy the stated security requirement
You have configured a network-based intrusion prevention system (NIPS) hardware appliance to block traffic from IP addresses that send excessive traffic to your network. Which type of security control is this?
Compensating
Deterrent
Corrective
Corrective
Corrective controls take active steps to contain or block suspicious activity, such as a security appliance blocking the IP addresses from which excessive network traffic originates
You are a consultant helping a retail client with app geofencing. Which type of tracking mechanisms can you use to enable geofencing for customers with the retail app installed on their smartphones?
GPS, Wi-Fi
Wi-Fi, NFC
GPS, NAC
GPS, Wi-Fi
GPS uses a network of satellites orbiting the Earth to track device locations using longitude and latitude coordinates. Wi-Fi can also be used to track devices through either their IP address or their presence on a specific Wi-Fi network
Your identity federation configuration creates digitally signed tokens for authenticated users that contain the user date of birth and security clearance level. Which term is used to describe this extra data added to the token?
Cookie
SAML
Claim
Claim
Federated IdPs generate a security token that may contain assertions (claims) about the user such as date of birth, security clearance level, and so on
You are viewing the contents of the Linux authorized_keys file. Which type of key is stored here?
Public
Private
Secret
Public
SSH public keys are stored in the Linux authorized_keys file
You need to assess whether Linux servers in the screened subnet need to be hardened. The servers are currently configured with SSH public key authentication. What should you check is in place? (Choose two.)
Password protection for the public key
Private key password protection
Default SSH port number TCP 22 has been changed to an unreserved port number
Default SSH port number TCP 25 has been changed to an unreserved port number
Private key password protection
Default SSH port number TCP 22 has been changed to an unreserved port number
Because private keys uniquely identify a user, a private key file should be password protected. Changing default settings, such as port numbers, is a part of hardening. A port between 49,152 and 65,535 should be used, since ports 0–1,023 are reserved for well-known TCP/IP network services and ports 1,020–49,151 are reserved as registered ports
Which statements regarding SSH public key authentication are correct? (Choose two.)
A user password is not required.
A user password is required.
A public and private key pair is required.
A symmetric key is required.
A user password is not required.
A public and private key pair is required.
SSH public key authentication replaces standard username and password authentication. A username is required in addition to a private key (and possibly private key file passphrase). The private key must be part of the public/private key pair where the public key is stored on the server
You are an IT technician for FakeCorp1. You have configured your on-premises Microsoft Active Directory domain controller server, DC1, as a federated identity provider during the acquisition phase of a competitor, FakeCorp2. The IT team at FakeCorp2 must configure web app servers to trust tokens issued by FakeCorp1. What should you provide to the technicians?
The private key for DC1
The administrative username for DC1
The public key for DC1
The public key for DC1
With identity federation, one common requirement to allow resource providers (FakeCorp2 web app servers) to trust IdPs (DC1) is to install the public key certificate for the identity provider on the resource provider host. This enables the resource provider to validate security tokens that the identity provider digitally signed with its private key
What is normally required when using smartcard authentication? (Choose two.)
Smartcard reader
PIN
TPM
HSM
Smartcard reader
PIN
Smartcards require a reader for authentication, and the owner of the smartcard must enter a personal identification number (PIN) to use the card
Where are virtual smartcards stored?
RADIUS server
Identity provider
TPM
TPM
TPM is a firmware chip within a computing device that ensures device boot integrity and stores cryptographic keys used to encrypt storage devices. Virtual smartcards are a feature of TPM whereby, to the operating system on the TPM host, the smartcard always appears to be inserted
Your organization plans on issuing smartcards to users for the purposes of digitally signing and decrypting e-mail messages. What must be deployed to the smartcards?
User public key
Server private key
User private key
User private key
The user private key is used to create a digital signature. Decrypting messages requires the related private key from the key pair
What is one disadvantage of using a virtual smartcard in a Microsoft Windows environment?
It cannot be used for remote management.
It requires a virtual smartcard reader.
It is available only on a host with TPM.
It is available only on a host with TPM.
Using a physical smartcard is possible on a device with a smartcard reader. A virtual smartcard is tied to the TPM within a specific host
A user account lockout configuration helps mitigate which type of attack?
Denial of service
Ransomware
Brute-force password attacks
Brute-force password attacks
Configuring user account lockout to temporarily lock an account after consecutive login failures can help mitigate brute-force password attacks because after the account is locked, additional passwords cannot be tested against it