CH4

Question 1

The security features that govern how users and processes communicate and interact with systems and resources. The primary function is to protect information from unauthorized access (confidentiality), modification (integrity), or disruption (availability).

Answer 1

Access Controls

Question 2

Used to identify unique records in a set, such as a username. This is the process of the subject supplying an identifier to the object.

Answer 2

Identification

Question 3

This is how identification is proven to be genuine. The process of the subject supplying verifiable credentials to the object.

Answer 3

Authentication

Question 4

Defines how access rights and permissions are granted. The process of assigning authenticated subjects the permission to carry out a specific operation.

Answer 4

Authorization.

Question 5

States that all users - whether they are individual contributors, managers, directors, or executives - should be granted only the level of privilege they need to do their jobs, and no more.

Answer 5

Principle of least privilege

Question 6

An administrative control that dictates that a single individual should not perform all critical - or privileged-level duties. Important duties must be separated or divided among several individuals within the organization.

Answer 6

Separation of duties

Question 7

List 4 key concepts of identification.

Answer 7

Identities should be unique, nondescriptive, securely issued AND Identities can be location based.

Question 8

What are the 3 categories of factors

Answer 8

knowledge (something the user knows), possession (something the user has), inherence (something the user is).

Question 9

A knowledge-based authentication that requires a user to answer a question based on something familiar to them.

Answer 9

cognitive password

Question 10

With this type of authentication, a user is asked to provide proof that he owns something specific (security badge, token, smart card, etc.).

Answer 10

Authentication by ownership or possession.

Question 11

An authentication method that holds user info within a magnetic strip and relies on a reader to process the info. The user inserts the card into the reader and supplies their PIN.

Answer 11

Memory Card

Question 12

Similar to memory card, this has a microprocessor and integrated circuits. The user inserts the card into a reader, enters pin.

Answer 12

Smartcard

Question 13

This type of authentication requires communication over a channel that is distinct from the first factor.

Answer 13

Out-of-band authentication

Question 14

Authenticates a user based on some physical or behavioral characteristic, sometimes referred to as a biometric attribute.

Answer 14

Authentication by Characteristic

Question 15

Authentication in which 2 or more factors must be presented.

Answer 15

Multi-factor Authentication

Question 16

Company acquired by Cisco that has a very popular multifactor authentication solution.

Answer 16

Duo Security

Question 17

With this Duo product, you can configure Trusted Endpoints policies to check the posture of the device that is trying to connect to the network, application, or cloud resources.

Answer 17

Duo Beyond

Question 18

This Duo product provides multifactor authentication access to cloud applications using SAML.

Answer 18

Duo Access Gateway

Question 19

This concept assumes that no system or user will be “trusted” when requesting access to the corporate netowrk, systems, and applicatinos hosted on-prem or in the cloud. You must first verify their trustworthiness before granting access.

Answer 19

Zero Trust

Question 20

What are the 3 primary authorization models

Answer 20

object capability, security labels, and ACLs

Question 21

Used programmatically and is based on a combination of an unforgeable reference and an operational message.

Answer 21

Object Capability

Question 22

Mandatory access controls embedded in object and subject properties. Examples are “confidential, secret, top secret”.

Answer 22

Security Labels

Question 23

Used to determine access based on some combination of specific criteria, such as a user ID, group membership, classification, location, address, and date.

Answer 23

Access Control List

Question 24

An authorization policy should implement what 2 concepts.

Answer 24

Implicit Deny, Need to know

Question 25

Access controls defined by policy that cannot be modified by the information owner. Primarily used in military and government systems.

Answer 25

Mandatory Access Control

Question 26

Access controls used in commercial operating systems that are defined by the owner of the object. The object owner builds an ACL that allows or denies access to the object based on the user’s unique identity.

Answer 26

Discretionary Access Controls

Question 27

Access controls based on a specific role or function. Administrators grant access rights and permissions to roles. Users are then associated with a single role.

Answer 27

RBAC (Role-based Access Control)

Question 28

Access controls based on criteria independent of the user or group account. Commonly used criteria are source/dest address, geo location, time of day.

Answer 28

Rule-Based Access Control

Question 29

Logical access control model that controls access to objects by evaluating rules against the attributes of entities (both subject and object), operations, and the environment relevant to a request.

Answer 29

Attribute-based Access control

Question 30

A method for implementing various access control models.

Answer 30

Access Control Mechanisms

Question 31

List 5 access control mechanisms

Answer 31

ACLs, Capability Tables, ACMs (access control matrix), Content-dependent access control, Context-dependent access control.

Question 32

What are the 3 most well-known AAA protocols.

Answer 32

Radius, TACACS+, Diameter

Question 33

List some of the advantages of TACACS+ over RADIUS

Answer 33

Full payload encrypted with TACACS, granular command authorization with TACACS, Authentication Authorization and accounting performed with separate exchanges, TACACS uses TCP protocol (reliability)

Question 34

IEEE standard that is used to implement port-based access control.

Answer 34

802.1x

Question 35

3 main roles of an 802.1x enabled network

Answer 35

authentication server, supplicant, authenticator

Question 36

An encapsulation defined in 802.1X that’s used to encapsulate EAP packets to be transmitted from the supplicant to the authenticator.

Answer 36

EAPoL

Question 37

An authentication protocol used
between the supplicant and the authentication server to transmit authentication
information.

Answer 37

EAP

Question 38

The AAA protocol used for communication between the
authenticator and authentication server.

Answer 38

RADIUS or Diameter

Question 39

ACL that implements access control based on
the security group assigned to a user (for example, based on his role within the organization)
and the destination resources.

Answer 39

SGACL - security group ACL

Question 40

also called a per-user ACL, is an ACL that can be applied
dynamically to a port.

Answer 40

downloadable ACL ( dACL)

Question 41

provides a cross-platform integration capability among security monitoring
applications, threat detection systems, asset management platforms, network policy systems,
and practically any other IT operations platform.

Answer 41

pxGrid

Question 42

this functionality allows you to dynamically detect and classify endpoints connected to the network

Answer 42

ISE Profiling Services

Question 43

ISE rules that enforce policy after authentication is performed

Answer 43

Authorization rules

Question 44

a solution and architecture that provides the ability to perform network
segmentation and enables access controls primarily based on the role of the user (and other
attributes) requesting access to the network.

Answer 44

Cisco TrustSec

Question 45

The protocol that allows software-enabled devices to participate in the TrustSec architecture

Answer 45

SGT Exchange Protocol (SXP)

Question 46

a set of rules in a security policy that define a series of checks
before an endpoint is granted access to the network

Answer 46

posture assessment

Question 47

3 types of agents that can be deployed for posture assessment

Answer 47

Temporal Agent, Stealth AnyConnect, AnyConnect

Question 48

a feature that allows a RADIUS server to adjust
an active client session. For instance, ISE can issue the (***) RADIUS attribute to an access
device to force the session to be reauthenticated.

Answer 48

Change of Authorization (CoA)

Question 49

a feature that enables ISE to collect threat and vulnerability data from many third-party threat and vulnerability scanners and software. The
purpose of this feature is to allow ISE to have a threat and risk view into the hosts it is
controlling access rights for

Answer 49

TC-NAC (Threat-Centric Network Access Control)

Question 50

3 methods of authentication on a switch port

Answer 50

802.1X, MAB, WebAuth