CH19 Authentication Flashcards
David noticed that port 3389 was open on one of the POS terminals in a store during a scheduled PCI compliance scan. Based on the scan results, what service should he expect to find enabled on this terminal?
a. MySQL
b. RDP
c. LDAP
d. IMAP
b. RDP
Port 3389 is the port used by the Remote Desktop Protocol (RDP). If this port isn’t supposed to be open, the incident response plan should be the next step, since RDP can be used for remote access by an attacker.
MySQL runs on port 3306.
LDAP runs on port 389.
IMAP over SSL runs on port 993.
Which of the following authentication protocols was developed by Cisco to provide authentication, authorization, and accounting services?
a. RADIUS
b. CHAP
c. TACACS+
d. Kerberos
c. TACACS+
TACACS+ is an extension to TACACS (Terminal Access Controller Access Control System) and was developed as a proprietary protocol by Cisco.
The Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that operates on port 1812 and provides centralized Authentication, Authorization, and Accounting management for users who connect and use a network service, but it was not developed by Cisco.
What access control model will a network switch use if it requires multilayer switches to authenticate via RADIUS/TACACS+?
a. 802.1q
b. 802.3af
c. 802.11ac
d. 802.1x
d. 802.1x
If the switch authenticates users via RADIUS/TACACS+, it must use 802.1x as the port-based network access control protocol.
Which role validates the user’s identity when using SAML for authentication?
a. User agent
b. SP
c. RP
d. IdP
d. IdP
OBJ-3.8: The IdP provides the validation of the user’s identity. Security Assertion Markup Language (SAML) is an XML-based framework for exchanging security-related information such as user authentication, entitlement, and attributes. SAML is often used in conjunction with SOAP. SAML is a solution for providing single sign-on (SSO) and federated identity management. It allows a service provider (SP) to establish a trust relationship with an identity provider (IdP) so that the SP can trust the identity of a user (the principal) without the user having to authenticate directly with the SP. The principal’s User Agent (typically a browser) requests a resource from the service provider (SP). The resource host can also be referred to as the relying party (RP). If the user agent does not already have a valid session, the SP redirects the user agent to the identity provider (IdP). The IdP requests the principal’s credentials if not already signed in and, if correct, provides a SAML response containing one or more assertions. The SP verifies the signature(s) and (if accepted) establishes a session and provides access to the resource.
A cybersecurity analyst is reviewing the logs of an authentication server and sees the following output:
login: json password: password
login: json password: CompTIACySA+
login: json password: 1234
login: json password: qwerty
login: json password: abc123
————————
END LOG
What type of attack was most likely being attempted by the attacker?
a. Password spraying
b. Impersonation
c. Brute force
d. Credential stuffing
c. Brute force
OBJ-1.2: This is an example of a brute force attack. Unlike password spraying, which attempts only one or two passwords per user, a brute force attack tries many passwords against a single user. The goal of this attack is to crack the user’s password and gain access to their account. Password spraying, instead, refers to the attack method that takes a large number of usernames and loops through them with a single password. Multiple iterations with several different passwords may be used, but the number of passwords attempted is usually low compared to the number of users attempted. This method avoids account lockouts and is often more effective at uncovering weak passwords than targeting specific users. In the scenario provided, five different passwords are attempted against the single username json, which is indicative of a brute force attempt against one user rather than password spraying. Impersonation is the act of pretending to be another person for fraudulent purposes. Credential stuffing is the automated injection of breached username/password pairs to gain access to user accounts fraudulently. It is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account. The attacker can then hijack the account for their purposes.
Sample Simulation (On the real exam for this type of question, you would receive 3-5 pictures and be asked to drag and drop them into place next to the correct term.)
Picture of a computer screen showing a lock and a prompt to enter a code; in front of it is a mobile phone displaying the access code.
How would you appropriately categorize the authentication method being displayed here?
a. One-time password authentication
b. PAP authentication
c. Biometric authentication
d. Multifactor authentication
d. Multifactor authentication
OBJ-2.4: For the exam, you need to know the different authentication categories and what type of authentication methods belong to each category. This is an example of multifactor authentication because a username/password combination is used together with an SMS code. This provides a knowledge factor (username/password) and a possession factor (your smartphone), giving two factors of authentication and making this the best option.
Which of the following describes the security method used when users enter their username and password only once and can access multiple applications?
a. Permission propagation
b. Multifactor authentication
c. SSO
d. Inheritance
c. SSO
OBJ-3.8: Single sign-on (SSO) is an authentication process that allows users to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN). Permission propagation occurs when a technician sets permissions on a folder or a drive, and the folder properties apply those permissions to all of the folders under that folder in the tree. Permission propagation secures your data by limiting access to the users specified in the top folder. Multifactor authentication is an authentication scheme that works based on something you know, something you have, something you are, something you do, or somewhere you are. These schemes can be made stronger by combining them (for example, protecting the use of a smart card certificate [something you have] with a PIN [something you know]). Inheritance or inherited permissions are permissions that are given to an object because it is a child of a parent object. Inheritance occurs due to permission propagation.
Which of the following techniques would be the most appropriate solution to implementing a multi-factor authentication system?
a. Smartcard and PIN
b. Password and security questions
c. Fingerprint and retinal scan
d. Username and password
a. Smartcard and PIN
OBJ-2.4: Multi-factor authentication (MFA) creates multiple security layers to help increase the confidence that the user requesting access is who they claim to be by requiring two distinct factors for authentication. These factors can be something you know (knowledge factor), something you have (possession factor), something you are (inherence factor), something you do (action factor), or somewhere you are (location factor). By selecting a smartcard (something you have) and a PIN (something you know), you have implemented multi-factor authentication. Choosing a fingerprint and retinal scan would instead use only one factor (inherence). Choosing a username, password, and security question would also use only one factor (knowledge). For something to be considered multi-factor, you need items from at least two different authentication factor categories: knowledge, possession, inherence, location, or action.