CH.2 UNDERSTANDING IDENTITY AND ACCESS Flashcards
Your organization wants to identify biometric methods used for identification. The requirements are:
- Collect the data passively.
- Bypass a formal enrollment process.
- Avoid obvious methods that let the subject know data is being collected.
Which of the following biometric methods BEST meet these requirements? (Select TWO.)
A. Fingerprint
B. Retina
C. Iris
D. Facial
E. Palm vein
F. Gait analysis
D and F are correct. It’s possible to collect facial scan data and perform gait analysis without an enrollment process. You would use cameras to observe subjects from a distance and collect data passively. You need a formal enrollment process for fingerprints, retinas, irises, and palm vein methods. Retina and iris scans need to be very close to the eye and are very obvious. Palm vein methods require users to place their palm on a scanner. While it’s possible to collect fingerprints passively, you still need an enrollment process.
Your organization recently updated an online application employees use to log on when working from home. Employees enter their username and password into the application from their smartphone and the application logs their location using GPS. Which type of authentication is being used?
A. One-factor
B. Dual-factor
C. Something you are
D. Something you have
A is correct. This is using one-factor authentication: something you know. The application uses the username for identification and the password for authentication. Note that even though the application is logging the location using Global Positioning System (GPS), there isn’t any indication that it is using this information for authentication. Dual-factor authentication requires another factor of authentication such as something you are or something you have. The something you have factor refers to another source of information in your possession.
Management within your organization wants to add 2FA security for users working from home. Additionally, management wants to ensure that 2FA passwords expire after 30 seconds. Which of the following choices BEST meets this requirement?
A. HOTP
B. TOTP
C. SMS
D. Kerberos
B is correct. A Time-based One-Time Password (TOTP) meets the requirement of two-factor authentication (2FA). A user logs on with regular credentials (such as a username and password), and then must enter an additional one-time password. Some smartphone apps use TOTP and display a refreshed password at set intervals, commonly every 30-240 seconds. An HMAC-based One-Time Password (HOTP) creates passwords that do not expire until they are used. Short message service (SMS) is sometimes used to send users a one-time use password via email or a messaging app, but these passwords typically don’t expire until at least 15 minutes later. Kerberos uses tickets instead of passwords.
Management within your organization has decided to implement a biometric solution for authentication into the data center. They have stated that the biometric system needs to be highly accurate. Which of the following provides the BEST indication of accuracy with a biometric system?
A. The lowest possible FRR
B. The highest possible FAR
C. The lowest possible CER
D. The highest possible CER
C is correct. A lower crossover error rate (CER) indicates a more accurate biometric system. The false acceptance rate (FAR) and the false rejection rate (FRR) vary based on the sensitivity of the biometric system and don’t indicate accuracy by themselves. A higher CER indicates a less accurate biometric system.
The Marvin Monroe Memorial Hospital was recently sued after removing a kidney from the wrong patient. Hospital executives want to implement a method that will reduce medical errors related to misidentifying patients. They want to ensure medical personnel can identify a patient even if the patient is unconscious. Which of the following would be the BEST solution?
A. Gait analysis
B. Vein scans
C. Retina scan
D. Voice recognition
B is correct. A vein scan implemented with a palm scanner would be the best solution of the available choices. The patient would place their palm on the scanner for biometric identification, or if the patient is unconscious, medical personnel can place the patient’s palm on the scanner. None of the other biometric methods can be easily performed on an unconscious patient. Gait analysis attempts to identify someone based on the way they move. A retina scan scans the retina of an eye, but this will be difficult if someone is unconscious. Voice recognition identifies a person using speech recognition.
Users regularly log on with a username and password. However, management wants to add a second authentication factor for any users who launch the gcga application. The method needs to be user-friendly and non-disruptive. Which of the following will BEST meet these requirements?
A. An authentication application
B. TPM
C. HSM
D. Push notifications
D is correct. Push notifications are user-friendly and non-disruptive. Users receive a notification on a smartphone or tablet and can often acknowledge it by simply pressing a button. An authentication application isn’t as user-friendly as a push notification. It requires users to log on to the smartphone, find the app, and enter the code. A Trusted Platform Module (TPM) can provide for the implementation of full disk encryption, which would protect the data if someone accessed the laptop, but it doesn’t prevent access. A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers. Neither a TPM nor an HSM is relevant in this question.
Your organization hires students during the summer for temporary help. They need access to network resources, but only during working hours. Management has stressed that it is critically important to safeguard trade secrets and other confidential information. Which of the following account management concepts would be MOST important to meet these goals?
A. Account expiration
B. Account lockout
C. Time-of-day restrictions
D. Password recovery
E. Password history
C is correct. Time-of-day restrictions should be implemented to ensure that temporary workers can only access network resources during work hours. The other answers represent good practices, but don’t address the need stated in the question that “personnel need access to network resources, but only during working hours.” Account expiration should be implemented if the organization knows the last workday of these workers. Account lockout will lock out an account if the wrong password is entered too many times. Password recovery allows users to recover or reset a forgotten password. Password history remembers previously used passwords and helps prevent users from reusing the same password.
You need to provide a junior administrator with appropriate credentials to rebuild a domain controller after it suffers a catastrophic failure. Of the following choices, what type of account would BEST meet this need?
A. User account
B. Generic account
C. Guest account
D. Service account
A is correct. A user account is the best choice of the available answers. More specifically, it would be a user account with administrative privileges (also known as a privileged account) so that the administrator can add the domain controller. A generic account (also known as a shared account) is shared between two or more users and is not recommended. A guest account is disabled by default and it is not appropriate to grant the guest account administrative privileges. A service account is an account created to be used by a service or application, not a person.
Lisa is reviewing an organization’s account management processes. She wants to ensure that security log entries accurately report the identity of personnel taking specific actions. Which of the following steps would BEST meet this requirement?
A. Implement generic accounts.
B. Implement role-based privileges.
C. Use an SSO solution.
D. Remove all shared accounts.
D is correct. Removing all shared accounts is the best answer of the available choices. If two employees are using the same account, and one employee maliciously deletes data in a database, it isn’t possible to identify which employee deleted the data. Generic accounts are the same as shared accounts and shouldn’t be used. Role-based (or group-based) privileges assign the same permissions to all members of a group, which simplifies administration. A single sign-on (SSO) solution allows a user to log on once and access multiple resources.
A recent security audit discovered several apparently dormant user accounts. Although users could log on to the accounts, no one had logged on to them for more than 60 days. You later discovered that these accounts are for contractors who work approximately one week every quarter. Which of the following is the BEST response to this situation?
A. Remove the account expiration from the accounts.
B. Delete the accounts.
C. Reset the accounts.
D. Disable the accounts.
D is correct. The best response is to disable the accounts and then enable them when needed by the contractors. Ideally, the accounts would include an expiration date so that they would automatically expire when no longer needed, but the scenario doesn’t indicate the accounts have an expiration date. Because the contractors need to access the accounts periodically, it’s better to disable them rather than delete them. Resetting the accounts implies you are changing the password, but this isn’t needed.
A software developer is creating an application that must access files stored in the user’s Google Drive. What is the best way for the user to grant the application access to their Google account?
A. OpenID Connect
B. Provide their Google password each time they log into the application
C. OAuth
D. Store their Google password in the application
C is correct. The OAuth authorization protocol is explicitly designed for this type of situation. Users of the application can grant the application limited access to resources in their Google account without disclosing their credentials. This protects the security of their account and limits the access granted to the application. If the user discloses their password to the application, this allows the application full access to their account. OpenID Connect is used to log into one service with credentials from another service and does not provide the type of authorization required in this scenario.
Artie has been working at Ziffcorp as an accountant. However, after a disagreement with his boss, he decides to leave the company and gives a two-week notice. He has a user account allowing him to access network resources. Which of the following is the MOST appropriate step to take?
A. Ensure his account is disabled when he announces that he will be leaving the company.
B. Immediately terminate his employment.
C. Force him to take a mandatory vacation.
D. Ensure his account is disabled during his exit interview.
D is correct. His account should be disabled during the exit interview. It’s appropriate to conduct an exit interview immediately before an employee departs. Employees often give a two-week or longer notice. If their access is revoked immediately, they won’t be able to do any more work. While some companies do terminate employment when someone gives notice, from a security perspective, that doesn’t address the needed action related to the user account. The purpose of a mandatory vacation is to detect fraud, but if the employee is leaving, any potential fraud will be detected when that employee leaves.
Web developers in your organization are creating a web application that will interact with other applications running on the Internet. They want their application to receive user credentials from an app running on a trusted partner’s web domain. Which of the following is the BEST choice to meet this need?
A. SSO
B. SAML
C. Kerberos
D. RADIUS
B is correct. SAML (Security Assertion Markup Language) is specifically designed for exchanging authentication and authorization data between different domains, making it ideal for scenarios where a web application needs to interact with a trusted partner’s web domain and receive user credentials. It enables secure, web-based Single Sign-On (SSO) across different organizations or domains.
Not all SSO solutions are used on the Internet, so SSO isn’t the best answer. Kerberos is an SSO solution used on internal networks such as in Microsoft Active Directory domains and Unix realms. Remote Authentication Dial-In User Service (RADIUS) provides authentication, authorization, and accounting (AAA) services for some remote access, wired, and wireless network solutions.
You administer access control for users in your organization. Some departments have a high employee turnover, so you want to simplify account administration. Which of the following is the BEST choice?
A. User-assigned privileges
B. Group-based privileges
C. Domain-assigned privileges
D. Network-assigned privileges
B is correct. Group-based privileges are a form of role-based access control and they simplify administration. Instead of assigning permissions to new employees individually, you can just add new employee user accounts into the appropriate groups to grant them the rights and permissions they need for the job. User-assigned privileges require you to manage privileges for each user separately, and they increase the account administration burden. Domain-assigned and network-assigned privileges are not valid administration practices.
An administrator needs to grant users access to different shares on file servers based on their job functions. Which of the following access control schemes would BEST meet this need?
A. Discretionary access control
B. Mandatory access control
C. Role-based access control
D. Rule-based access control
C is correct. The role-based access control (role-BAC) scheme is the best choice for assigning access based on job functions. A discretionary access control (DAC) scheme specifies that every object has an owner and owners have full control over objects, but it isn’t related to job functions. A mandatory access control (MAC) scheme uses labels and a lattice to grant access rather than job functions. A rule-based access control (rule-BAC) scheme uses rules that trigger in response to events.
Your organization is implementing a new authentication system to enhance security. The system should use two-factor authentication, where users authenticate with a smart card and a PIN. However, management wants to ensure that the system can also detect unauthorized access attempts based on the user’s location.
Which of the following authentication methods should the organization use to meet these requirements? (Select TWO.)
A. Biometrics
B. Something you know
C. Geolocation
D. Smart card
E. Retina scan
B and C are correct. The organization requires two-factor authentication, where a smart card (something you have) is paired with a PIN (something you know). The additional requirement for detecting access based on location can be achieved through geolocation. Biometrics and retina scans are not relevant in this scenario because they don’t meet the stated requirement of location detection, and the smart card already satisfies the “something you have” factor.
Your organization is implementing multi-factor authentication (MFA) for all remote workers. The MFA must include something you know and something you have. In addition, the system should automatically invalidate any authentication tokens after 30 seconds.
Which of the following options BEST meets these requirements? (Select TWO.)
A. HOTP
B. TOTP
C. Smart card
D. SMS
E. Password
B and E are correct. TOTP generates time-based one-time passwords that expire after 30 seconds, meeting the requirement for automatic invalidation. A password (something you know) combined with TOTP (something you have) provides the necessary multi-factor authentication. HOTP tokens do not expire until used, and SMS does not meet the time-based expiration requirement.
An organization has implemented biometric authentication for entry into a data center. The chosen biometric method needs to minimize user frustration and provide a balance between security and user convenience. However, the system must also be able to adjust sensitivity to minimize false rejections.
Which of the following biometric methods BEST meets these requirements?
A. Fingerprint scan
B. Iris scan
C. Facial recognition
D. Gait analysis
A is correct. Fingerprint scanning provides a good balance of security and user convenience. It is relatively quick, easy to use, and less intrusive compared to other biometric methods like iris scans. Additionally, fingerprint systems can adjust sensitivity to reduce the false rejection rate (FRR), improving the user experience while maintaining security.
Other methods, like iris scans, tend to be more intrusive and inconvenient, and facial recognition can be affected by environmental factors, while gait analysis is less common and can be less reliable in terms of security.
Your company is setting up access controls for a new project management server. Project managers need full access to the server, while team members only need to update tasks. Executives should only have view access to the data.
Which access control model is BEST suited to meet these requirements?
A. Mandatory access control (MAC)
B. Role-based access control (RBAC)
C. Discretionary access control (DAC)
D. Attribute-based access control (ABAC)
B is correct. Role-based access control (RBAC) assigns permissions based on job roles, such as project manager, team member, or executive. This model best suits the scenario where permissions are aligned with specific job functions.
A. Mandatory Access Control (MAC):
MAC is a highly restrictive model where access is controlled by a central authority based on security classifications.
C. Discretionary Access Control (DAC):
This model isn’t well-suited for enforcing company-wide roles and permissions, as it gives individual users more control over access rights.
D. Attribute-Based Access Control (ABAC):
ABAC uses attributes (such as location, time, or other contextual factors) to determine access. While highly flexible, it is more complex than needed for this scenario, which only requires role-based access based on job functions.
A recent audit of your organization’s user accounts revealed that some employees retain access to resources from their previous job roles even after being transferred to new departments. This represents a violation of which security principle?
A. Least privilege
B. Role-based access control
C. Time-of-day restrictions
D. Authentication
A is correct. The principle of least privilege states that users should only have the permissions necessary to perform their current job functions. Retaining access to resources from previous roles violates this principle.
An organization uses an access control model where users are assigned security clearances. The clearance level is required to access sensitive data, and users cannot access data beyond their clearance level.
Which of the following BEST describes this access control model?
A. Discretionary access control (DAC)
B. Role-based access control (RBAC)
C. Mandatory access control (MAC)
D. Rule-based access control (Rule-BAC)
C is correct. Mandatory access control (MAC) assigns access based on security clearances and predefined security labels. Users can only access information for which they have the appropriate clearance and a need to know.
Your organization wants to implement a password policy that requires users to create strong passwords. The policy should enforce the use of at least one uppercase letter, one number, and one special character. Additionally, passwords must be at least 10 characters long.
Which of the following BEST meets this requirement?
A. Password complexity
B. Password history
C. Password expiration
D. Password age
A is correct. Password complexity enforces rules requiring specific character types such as uppercase letters, numbers, and special characters. The minimum length requirement is also part of password complexity settings.
Your organization is configuring a time-based login restriction policy. Regular employees can only log in between 8:00 a.m. and 6:00 p.m., Monday through Friday. However, IT staff need access at any time to perform maintenance tasks.
Which of the following is the BEST way to configure these access rules?
A. Use role-based access control (RBAC) for both IT staff and regular employees.
B. Apply time-of-day restrictions for regular employees but exempt IT staff from these restrictions.
C. Implement mandatory access control (MAC) to enforce different access levels based on department.
D. Set up password expiration policies to ensure IT staff change their passwords more frequently.
B is correct. Time-of-day restrictions should be applied to regular employees, but IT staff, who require 24/7 access, should be exempt. This provides necessary flexibility for IT maintenance work.