Chapter 2

Question 1

Authentication proves:

Answer 1

an identity with some type of credentials such as a username and password

Question 2

What works together with identification to provide a comprehensive access management system?

Answer 2

Authentication

Authorization

Accounting

(AAA)

Question 3

Define authorization:

Answer 3

access to resources based on their proven identity

Question 4

Accounting methods:

Answer 4

track user activity and record the activity in logs

Question 5

An audit trail allows:

Answer 5

security professionals to re-create the events that preceded a security incident

Question 6

Implement one factor of authentication for:

Answer 6

basic authentication

Question 7

Implement two factors of authentication for:

Answer 7

secure authentication

Question 8

Implement three factors of authentication for:

Answer 8

higher security

Question 9

Some factors of authentication are:

Answer 9

something you know

something you have

something you are

somewhere you are

something you do

Question 10

Something you know authentication factor refers to:

Answer 10

a shared secret, such as a password or even a PIN

Question 11

A strong password is:

Answer 11

of sufficient length, doesn’t include words found in a dictionary or any part of a user’s name, and combines at least three of the four following character types:

Uppercase characters (26 letters A-Z)

Lowercase characters (26 letters a-z)

Numbers (10 numbers 0-9)

Special characters (32 printable characters, such as !, $, and *)

Question 12

Microsoft began recommending a best practice of setting the minimum password length to at least:

Answer 12

14 characters

Question 13

You can calculate the key space with the following formula:

Answer 13

n

C^N(C )

Question 14

Security experts often mention that if you make a password too complex you make it:

Answer 14

less secure

Question 15

Windows domains use Group Policy to:

Answer 15

manage multiple users and computers in a domain.

Question 16

Group Policy allows an administrator to configure a setting once in a:

Answer 16

Group Policy Object (GPO) and apply this setting to many users and computers within the domain

Question 17

Active Directory Domain Services (AD DS) is a:

Answer 17

directory service Microsoft developed for Windows domain networks

Question 18

The great strength of Group Policy comes when you implement it in a:

Answer 18

Microsoft domain

Question 19

Organizational units (OUs) are used when:

Answer 19

Administrators use Group Policy to target specific groups of users or computers

Question 20

Password policies typically start as:

Answer 20

a written document that identifies the organization’s security goals related to passwords

Question 21

Password policy definitions:

Enforce password history

Answer 21

remembers past passwords and prevents the user from reusing previously used passwords

Question 22

Password policy definitions:

Maximum password age

Answer 22

defines when users must change their password

Question 23

Password policy definitions:

Minimum password age

Answer 23

defines how long users must wait before changing their password again

Question 24

Password policy definitions:

Minimum password length

Answer 24

enforces the character length of the password

Question 25

Password policy definitions:

Password must meet complexity requirements

Answer 25

require users to have complex passwords that include at least three of the four character types (uppercase letters, lowercase letters, numbers, and special characters)

Question 26

Password policy definitions:

Store passwords using reversible encryption

Answer 26

stores the password in such a way that the original password can be discovered

Question 27

What is included in the Password Policy in Windows?

Answer 27

Enforce password history

Maximum password age

Minimum password age

Minimum password length

Password must meet complexity requirements

Store passwords using reversible encryption

Question 28

Accounts will typically have lockout policies to:

Answer 28

prevent users from guessing the password

Question 29

Two key phrases associated with account lockout policies are:

Answer 29

Account lockout threshold

Account lockout duration

Question 30

Account lockout threshold is:

Answer 30

the maximum number of times a user can enter the wrong password. When the user exceeds the threshold, the system locks the account

Question 31

Account lockout duration indicates:

Answer 31

how long an account remains locked. If the duration is set to 0, the account remains locked until an administrator unlocks it

Question 32

Something you have authentication factor refers to:

Answer 32

something you can physically hold

Question 33

Smart cards are:

Answer 33

credit card-sized cards that have an embedded microchip and a certificate.

Question 34

How do you use a smart card?

Answer 34

Users insert the smart card into a smart card reader, which reads the information on the card, including the details from the certificate, which provides certificate-based authentication.

Question 35

Smart card provides:

Answer 35

confidentiality, integrity, authentication, and non-repudiation

Question 36

Requirements for a smart card are:

Answer 36

Embedded certificate

Public Key Infrastructure (PKI)

Question 37

An Embedded certificate holds:

Answer 37

a user’s private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others).

Question 38

Public Key Infrastructure (PKI) supports:

Answer 38

issuing and managing certificates

Question 39

A Common Access Card (CAC) is:

Answer 39

a specialized type of smart card used by the U.S. Department of Defense.

Question 40

A Personal Identity Verification (PIV) card is:

Answer 40

a specialized type of smart card used by

Question 41

A token or key fob is:

Answer 41

an electronic device about the size of a remote key for a car. They include an LCD that displays a number, and this number changes periodically, such as every 60 seconds

Question 42

A Hash-based Message Authentication Code (HMAC) uses:

Answer 42

a hash function and cryptographic key for many different cryptographic functions

Question 43

A HMAC-based One-Time Password (HOTP) is:

Answer 43

an open standard used for creating one-time passwords, similar to those used in tokens or key fobs

Question 44

A Time-based One-Time Password (TOTP) is:

Answer 44

similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP typically expire after 30 seconds

Question 45

Something you are authentication factor uses:

Answer 45

biometrics for authentication

Question 46

Biometric methods are:

Answer 46

the strongest form of authentication because they are the most difficult for an attacker to falsify

Question 47

Some examples of biometrics are:

Answer 47

fingerprint scanners

retina scanners

iris scanners

voice recognition

facial recognition

Question 48

Retina scanners:

Answer 48

scan the retina of one or both eyes and use the pattern of blood vessels at the back of the eye for recognition

Question 49

Iris scanners:

Answer 49

use camera technologies to capture the patterns of the iris around the pupil for recognition

Question 50

Voice recognition methods:

Answer 50

identify who is speaking using speech recognition methods to identify different acoustic features

Question 51

Facial recognition systems:

Answer 51

identify people based on facial features

Question 52

Two biometric false readings are:

Answer 52

False acceptance

False rejection

Question 53

False acceptance happens when:

Answer 53

a biometric system incorrectly identifies an unauthorized user as an authorized user

Question 54

The false acceptance rate (FAR) identifies:

Answer 54

the percentage of times false acceptance occurs

Question 55

False rejection happens when:

Answer 55

a biometric system incorrectly rejects an authorized user

Question 56

The false rejection rate (FRR) identifies:

Answer 56

the percentage of times false rejections occur

Question 57

By increasing the sensitivity of biometric systems it:

Answer 57

decreases the number of false matches and increases the number of false rejections

Question 58

By decreasing the sensitivity of biometric systems it:

Answer 58

increases the false matches and decreases the false rejections

Question 59

The Crossover error rate (CER) for two biometric systems is:

Answer 59

the point where the FAR crosses over the FRR. A lower CER indicates that the biometric system is more accurate

Question 60

Somewhere you are authentication factor identifies:

Answer 60

a user’s location

Question 61

Geolocation is:

Answer 61

a group of technologies used to identify a user’s location and is the most common method used for the somewhere you are authentication factor

Question 62

Many authentication systems user the:

Answer 62

Internet Protocol (IP) address for geolocation

Question 63

The something you do authentication factor refers:

Answer 63

to actions you can take such as gestures on a touch screen, how you write or type

Question 64

Dual-factor authentication uses:

Answer 64

two different factors of authentication

Question 65

Multifactor authentication uses:

Answer 65

two or more factors of authentication

Question 66

Kerberos is:

Answer 66

a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms

Question 67

Kerberos provides:

Answer 67

mutual authentication that can help prevent man-in-the-middle attacks and uses tickets to help prevent replay attacks

Question 68

Kerberos includes several requirements for it to work properly. They are:

Answer 68

A method of issuing tickets used for authentication

Time synchronization

A database of subjects or users

Question 69

The Key Distribution Center (KDC) uses:

Answer 69

a complex process of issuing ticket-granting tickets (TGTs) and other tickets. The KDC packages user credentials within a ticket. Tickets provide authentication for users when they access resources such as files on a file server.

Question 70

Kerberos version 5 requires:

Answer 70

all systems to be synchronized and within five minutes of each other

Question 71

When a user logs on with Kerberos, the KDC issues the user a:

Answer 71

ticket-granting ticket, which typically has a lifetime of 10 hours to be useful for a single workday.

Question 72

New Technology LAN Manager (NTLM) is:

Answer 72

a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems

Question 73

There are three versions of NTLM:

Answer 73

NTLM

NTLMv2

NTLM2 Session

Question 74

NTLM is:

Answer 74

a simple MD4 hash of a user’s password

Question 75

NTLMv2 is:

Answer 75

a challenge-response authentication protocol. When a user attempts to log on, NTMLv2 creates an HMAC-MD5 has composed of a combination of the username, the logon domain name, the user’s password, the current time, and more.

Question 76

NTLM2 Session:

Answer 76

improves NTLMv2 b adding in mutual authentication. In other words, the client authenticates with the server, and the server also authenticates with the client.

Question 77

Lightweight Directory Access Protocol (LDAP) specifies:

Answer 77

formats and methods to query directories

Question 78

LDAP Secure (LDAPS) uses:

Answer 78

encryption to protect LDAP transmissions. When a client connects with a server using LDAPS, the two systems establish a Transport Layer Security (TLS) session before transmitting any data

Question 79

A Transport Layer Security (TLS):

Answer 79

encrypts the data before transmission

Question 80

Single sign-on (SSO) refers to:

Answer 80

the ability of a user to log on or access multiple systems by providing credentials only once

Question 81

A transitive trust creates:

Answer 81

an indirect trust relationship

Question 82

The Security Assertion Markup Language (SAML) is:

Answer 82

an Extensible Markup Language (XML)- based data format used for SSO on web browsers

Question 83

Two organizations that trust each other can use:

Answer 83

SAML as a federated identity management system. Users authenticate with one web site and are not required to authenticate again when accessing the second web site

Question 84

SAML defines three roles:

Answer 84

Principal

Identity provider

Service provider

Question 85

The SAML Principal role is:

Answer 85

typically a user that logs on once

Question 86

The SAML Identity provider:

Answer 86

creates, maintains, and manages identity information for principals

Question 87

The SAML Service provider is:

Answer 87

an entity that provides services to principals.

Question 88

A federation requires:

Answer 88

a federated identity management system that all members of the federation use.

Question 89

Shibboleth is:

Answer 89

a federated identity solution that is open source and freely available, making it affordable solution that some of the commercially available federated identity solutions

Question 90

OAuth is:

Answer 90

an open standard for authorization many companies use to provide secure access to protected resources.

Question 91

OpenID Connect works with:

Answer 91

OAuth 2.0 and it allows clients to verify the identity of end users without managing their credentials

Question 92

Account managememtn is concerned with:

Answer 92

the creation, management, disablement, and termination of accounts.

Question 93

The principle of least privilege is:

Answer 93

an example of a technical control implemented with access controls

Question 94

Least privilege specifies:

Answer 94

that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more

Question 95

The common types of accounts used within a network are:

Answer 95

End user accounts

Privileged accounts

Guest accounts

Service accounts

Question 96

End user accounts are for:

Answer 96

regular users

Question 97

Privileged accounts has:

Answer 97

additional rights and privileges beyond what a regular user has

Question 98

Guest accounts are for:

Answer 98

someone with limited access to a computer or network without having to create a new account

Question 99

Service accounts is for:

Answer 99

some applications and services that need to run under the context of an account

Question 100

One of the challenges with service accounts is that:

Answer 100

they often aren’t managed

Question 101

It’s common to require administrators to have how many accounts?

Answer 101

2. One for regular day-to-day work and the other to perform administrative work

Question 102

What is the benefit of requiring administrators to have 2 accounts?

Answer 102

It reduces the exposure of the administrative account to an attack

Question 103

A Standard naming convention ensures:

Answer 103

user account names and email addresses are created similarly. For example first name, a dot, and the last name.

Question 104

Account management policies often dictate that:

Answer 104

personnel should not use shared or generic accounts.

Question 105

When can’t you implement basic authorization controls?

Answer 105

When multiple users share a single account

Question 106

Four key concepts of basic authorization controls are:

Answer 106

Identification

Authentication

Authorization

Accounting

Question 107

Define Identification:

Answer 107

users claim an identity with an identifier such as a username

Question 108

Define authentication:

Answer 108

users prove their identity using an authentication method such as a password

Question 109

Define authorization:

Answer 109

users are authorized access to resources based on their proven identity

Question 110

Define accounting:

Answer 110

Logs record activity using the users’ claimed identity

Question 111

A single, temporary user log on with a Guest account does:

Answer 111

support identification, authentication, authorization, and accounting

Question 112

A disablement policy specifies:

Answer 112

how to manage accounts in different situations

Question 113

Disabling is preferred over:

Answer 113

deleting the account initially because it retains any encryption and security keys associated with the account

Question 114

Some contents of an account disablement policy include:

Answer 114

Terminated employee

Leave of absence

Delete account

Question 115

Terminated employee account disablement policy specifies:

Answer 115

that accounts for ex-employees are disabled as soon as possible

Question 116

Leave of absence account disablement policy specifies:

Answer 116

if an employee will be absent for an extended period, the account should be disabled while the employee is away.

Question 117

Delete account account disablement policy specifies:

Answer 117

when the organization determines the account is no longer needed, administrators delete it

Question 118

The two primary account recovery scenarios are:

Answer 118

Enable a disabled account

Recover a deleted account

Question 119

Enabling a disabled accounts requires administrators to:

Answer 119

reset the user’s password and take control of the account, pass it to a supervisor/manager,

Question 120

Recovering a delete account is more complex than:

Answer 120

creating another account with the same name

Question 121

Time-of-day restrictions specify:

Answer 121

when users can log on to a computer

Question 122

Location-based policies restrict:

Answer 122

access based on the location of the user

Question 123

Within a network, it’s possible to restrict access based on:

Answer 123

computer names and MAC addresses

Question 124

It’s possible to set user accounts to expire automatically, When the account expires the:

Answer 124

system disables it, and the user is no longer able to log on using the account

Question 125

Account maintenance is often done with:

Answer 125

scripts to automate the process

Question 126

Account maintenance includes:

Answer 126

deleting accounts that are no longer needed

Question 127

A credential is:

Answer 127

a collection of information that provides an identity (such as a username) and proves that identity (such as a password)

Question 128

Credential management systems help:

Answer 128

users store these credentials securely

Question 129

Access control ensures that:

Answer 129

only authenticated and authorized entities can access resources

Question 130

Some examples of access control are:

Answer 130

Role-based access control (role-BAC)

Rule-based access control (rule-BAC)

Discretionary access control (DAC)

Mandatory access control (MAC)

Attribute-based access control (ABAC)

Question 131

Often when using any of the access control models, you’ll run across the following terms:

Answer 131

Subjects

Objects

Question 132

Subjects are:

Answer 132

typically users or groups that access and object

Question 133

Objects are:

Answer 133

items such as files, folders, shares, and printers that subjects access

Question 134

Role-based access control (role-BAC) uses:

Answer 134

roles to manage rights and permissions for users.

Question 135

When an administrator adds a user to a role in a role-BAC the user has:

Answer 135

all the rights and permissions of that role

Question 136

Microsoft Project Server can host:

Answer 136

multiple projects managed by different project managers.

Question 137

Microsoft Project Server includes the following roles:

Answer 137

Administrators

Executives

Project Managers

Team Members

and more

Question 138

Microsoft Project Server Administrators have:

Answer 138

complete access and control over everything on the server, including all of the projects managed on the server

Question 139

Microsoft Project Server Executives can:

Answer 139

access data from any project held on the server, but do not have access to modify system settings on the server

Question 140

Microsoft Project Server Project Managers have:

Answer 140

full control over their own projects, but do not have any control over projects owned by other project managers

Question 141

Microsoft Project Server Team Members can:

Answer 141

typically report on work that project managers assign to them, but they have little access outside the score of their assignments

Question 142

A matrix is a:

Answer 142

planning document that matches the roles with required privileges

Question 143

In a Hierarchy-based Role-BAC:

Answer 143

top-level roles have significantly more permissions than lower-level roles.

Roles may mimic the hierarchy of an organization

Question 144

In a Job-,task-, or function-based Role-BAC:

Answer 144

roles are centered on jobs or functions that users need to perform

Question 145

Group-based access control (Windows systems refer to these as security groups):

Answer 145

simplifies user administration by allowing access based on roles or groups

Question 146

Rule-based access control (Rule-BAC) is based on:

Answer 146

a set of approved instructions, such as an access control list

Question 147

In the Discretionary access control (DAC) model,

Answer 147

every object (such as files and folders) has an owner, and the owner establishes access for the objects.

Question 148

A common example of the DAC model is the

Answer 148

New Technology File System (NTFS) used in Windows

Question 149

The NTFS used in Windows provides:

Answer 149

security by allowing users and administrators to restrict access to files and folders with permissions

Question 150

Microsoft systems identify users with:

Answer 150

security identifiers (SIDs)

Question 151

A security identifier (SID) is:

Answer 151

a long string of characters that is meaningless to most, therefore the system looks up the name associated with the SID and displays the name

Question 152

Every object (such as a file or folder) includes a:

Answer 152

discretionary access control list (DACL) that identifies who can access it in a system using the DAC model

Question 153

The Discretionary access control list (DACL) is a:

Answer 153

list of Access Control Entries (ACEs)

Question 154

Each Access Control Entries (ACE) is:

Answer 154

composed of a SID and the permission(s) granted to the SID

Question 155

If users create a file, they are designated as:

Answer 155

the owner and have explicit control over the file. They can then modify the permissions on the object by adding user or group accounts to the DACL and assigning the desired permission

Question 156

An inherent flaw associated with the DAC model is the:

Answer 156

susceptibility to Trojan horses

Question 157

Trojan horses are:

Answer 157

executable files that masquerade as something useful but include malware

Question 158

In the mandatory access control (MAC) model Security administrators assign:

Answer 158

labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access model blocks access

Question 159

Security-enhanced Linux (SELinux) is:

Answer 159

one of the few operating systems using the mandatory access control model.

Question 160

The Mandatory Access Control (MAC) model uses:

Answer 160

different levels of security to classify both users and the data. These levels are defined in a lattice.

Question 161

The lattice can be:

Answer 161

a complex relationship between different ordered sets of labels. These labels define the boundaries for the security levels

Question 162

An administrator is responsible for:

Answer 162

establishing access, but only someone at a higher authority can define the access for subjects and objects

Question 163

Establishing Access steps:

Answer 163

1. a security professional identifies the specific access individuals are authorized to access via paperwork
2. the administrator assigns rights based on the direction of the security professional
3. Multiple approval levels are usually involved in the decision-making process
4. Once an individual is formally granted access, a network administrator would be responsible for establishing access based on the clearances identified by the security professional

Question 164

An attribute-based access control (ABAC) evaluates:

Answer 164

attributes and grants access based on the value of these attributes and grants access when the system detects a match in the policy

Question 165

Attributes can be:

Answer 165

almost any characteristic of a user, the environment, or the resource.

Question 166

Many software defined networks (SDNs) use:

Answer 166

attribute-based access control (ABAC) models

Question 167

Policy statements typically include four elements:

Answer 167

Subject

Object

Action

Environment

Question 168

Action is:

Answer 168

what the user is attempting to do, such as reading or modifying a file, accessing specific web sites, and accessing web site applications

Question 169

Environment includes:

Answer 169

everything outside of the subject and object attributes

Question 170

An ABAC system has:

Answer 170

a lot of flexibility and can enforce both a DAC and a MAC model