Chapter 2 Flashcards

1
Q

Authentication proves:

A

an identity with some type of credentials such as a username and password

2
Q

What works together with identification to provide a comprehensive access management system?

A

Authentication

Authorization

Accounting

(AAA)

3
Q

Define authorization:

A

access to resources based on their proven identity

4
Q

Accounting methods:

A

track user activity and record the activity in logs

5
Q

An audit trail allows:

A

security professionals to re-create the events that preceded a security incident

6
Q

Implement one factor of authentication for:

A

basic authentication

7
Q

Implement two factors of authentication for:

A

secure authentication

8
Q

Implement three factors of authentication for:

A

higher security

9
Q

Some factors of authentication are:

A

something you know

something you have

something you are

somewhere you are

something you do

10
Q

Something you know authentication factor refers to:

A

a shared secret, such as a password or even a PIN

11
Q

A strong password is:

A

of sufficient length, doesn’t include words found in a dictionary or any part of a user’s name, and combines at least three of the four following character types:

Uppercase characters (26 letters A-Z)

Lowercase characters (26 letters a-z)

Numbers (10 numbers 0-9)

Special characters (32 printable characters, such as !, $, and *)

12
Q

Microsoft began recommending a best practice of setting the minimum password length to at least:

A

14 characters

13
Q

You can calculate the key space with the following formula:

A

C^N, where C is the number of possible characters (the size of the character set) and N is the password length

14
Q

Security experts often mention that if you make a password too complex you make it:

A

less secure
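
Added example, not from the flashcards or the textbook they summarize: a Python check that applies the rules of cards 11 through 14 (length, three of four character types, no dictionary words, no part of the user's name) and computes the key space C^N. It also shows why length matters more than character mix: 14 lowercase letters give a larger key space than 8 characters drawn from all 94 symbols. The DICTIONARY word list, the 14-character minimum and the "name token of 3+ letters" interpretation are constructed assumptions.

```python
import string

# Character classes as the flashcards count them: 26 + 26 + 10 + 32 = 94 symbols.
UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
SPECIAL = string.punctuation  # the 32 printable ASCII special characters
CLASSES = [(UPPER, 26), (LOWER, 26), (DIGITS, 10), (SPECIAL, 32)]

# Constructed toy word list; a real check would load a full dictionary.
DICTIONARY = {"password", "summer", "welcome", "dragon"}


def character_classes(password: str) -> int:
    """How many of the four character types the password uses."""
    return sum(1 for cls, _ in CLASSES if any(ch in cls for ch in password))


def charset_size(password: str) -> int:
    """C: size of the smallest standard character set that covers every character used."""
    return sum(size for cls, size in CLASSES if any(ch in cls for ch in password))


def key_space(charset: int, length: int) -> int:
    """Key space C^N: the number of distinct passwords of length N over C characters."""
    return charset ** length


def is_strong(password: str, username: str, min_length: int = 14):
    """Apply the flashcards' rules. Returns (ok, list_of_reasons_it_failed)."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if character_classes(password) < 3:
        problems.append("uses fewer than three of the four character types")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    # "Any part of a user's name": assumed here to mean any name token of 3+ letters.
    for part in username.replace(".", " ").split():
        if len(part) >= 3 and part.lower() in lowered:
            problems.append(f"contains part of the username ({part})")
    return (not problems, problems)


if __name__ == "__main__":
    # Length beats complexity: 14 lowercase letters outnumber 8 characters from all 94 symbols.
    print(key_space(26, 14) > key_space(94, 8))
    print(is_strong("Summer2024!!!!", "jane.doe"))
```

The dictionary and name checks matter because the key space formula assumes every string is equally likely; a password built from a word plus a year occupies a tiny, well-known corner of that space, which is the "too complex becomes less secure" point of card 14 seen from the attacker's side.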

15
Q

Windows domains use Group Policy to:

A

manage multiple users and computers in a domain.

16
Q

Group Policy allows an administrator to configure a setting once in a:

A

Group Policy Object (GPO) and apply this setting to many users and computers within the domain

17
Q

Active Directory Domain Services (AD DS) is a:

A

directory service Microsoft developed for Windows domain networks

18
Q

The great strength of Group Policy comes when you implement it in a:

A

Microsoft domain

19
Q

Organizational units (OUs) are used when:

A

Administrators use Group Policy to target specific groups of users or computers

20
Q

Password policies typically start as:

A

a written document that identifies the organization’s security goals related to passwords

21
Q

Password policy definitions:

Enforce password history

A

remembers past passwords and prevents the user from reusing previously used passwords

22
Q

Password policy definitions:

Maximum password age

A

defines when users must change their password

23
Q

Password policy definitions:

Minimum password age

A

defines how long users must wait before changing their password again

24
Q

Password policy definitions:

Minimum password length

A

enforces the character length of the password

25
Q

Password policy definitions:

Password must meet complexity requirements

A

require users to have complex passwords that include at least three of the four character types (uppercase letters, lowercase letters, numbers, and special characters)

26
Q

Password policy definitions:

Store passwords using reversible encryption

A

stores the password in such a way that the original password can be discovered

27
Q

What is included in the Password Policy in Windows?

A

Enforce password history

Maximum password age

Minimum password age

Minimum password length

Password must meet complexity requirements

Store passwords using reversible encryption

28
Q

Accounts will typically have lockout policies to:

A

prevent users from guessing the password

29
Q

Two key phrases associated with account lockout policies are:

A

Account lockout threshold

Account lockout duration

30
Q

Account lockout threshold is:

A

the maximum number of times a user can enter the wrong password. When the user exceeds the threshold, the system locks the account

31
Q

Account lockout duration indicates:

A

how long an account remains locked. If the duration is set to 0, the account remains locked until an administrator unlocks it
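
Added example, not from the flashcards: a small Python authenticator that implements the lockout threshold and duration of cards 28 to 31, including the duration-0 case (locked until an administrator unlocks it). The policy values, accounts and passwords are constructed. One detail follows Windows behaviour rather than the card's wording: the account locks on the failure that reaches the threshold, and a locked account rejects even the correct password, which is what actually stops online guessing.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """The two settings named on the cards, plus the counter-reset window Windows pairs with them."""
    threshold: int = 5              # failed attempts that lock the account (locks on the Nth failure)
    duration_seconds: int = 900     # 0 = stay locked until an administrator unlocks
    reset_after_seconds: int = 900  # failures older than this no longer count toward the threshold


@dataclass
class AccountState:
    failures: int = 0
    first_failure_at: float = 0.0
    locked_at: Optional[float] = None


class Authenticator:
    """Constructed demo: a password table plus per-account lockout bookkeeping.
    A real system would compare password hashes, not plaintext."""

    def __init__(self, policy: LockoutPolicy, passwords: dict):
        self.policy = policy
        self.passwords = passwords
        self.state = {}

    def is_locked(self, user: str, now: float) -> bool:
        st = self.state.get(user)
        if st is None or st.locked_at is None:
            return False
        if self.policy.duration_seconds == 0:
            return True                        # only admin_unlock() clears this
        if now - st.locked_at >= self.policy.duration_seconds:
            self.state[user] = AccountState()  # lockout expired: counter starts fresh
            return False
        return True

    def login(self, user: str, password: str, now: Optional[float] = None) -> str:
        """Returns 'ok', 'bad_password' or 'locked'."""
        now = time.time() if now is None else now
        if self.is_locked(user, now):
            return "locked"                    # correct password is irrelevant while locked
        st = self.state.setdefault(user, AccountState())
        if self.passwords.get(user) == password:
            self.state[user] = AccountState()  # success resets the failure counter
            return "ok"
        if st.failures and now - st.first_failure_at > self.policy.reset_after_seconds:
            st.failures = 0                    # old failures fall out of the window
        if st.failures == 0:
            st.first_failure_at = now
        st.failures += 1
        if st.failures >= self.policy.threshold:
            st.locked_at = now
        return "bad_password"

    def admin_unlock(self, user: str) -> None:
        self.state.pop(user, None)
```

Note that unknown usernames are counted and locked out exactly like real ones, so an attacker cannot use the lockout behaviour to tell which accounts exist.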

32
Q

Something you have authentication factor refers to:

A

something you can physically hold

33
Q

Smart cards are:

A

credit card-sized cards that have an embedded microchip and a certificate.

34
Q

How do you use a smart card?

A

Users insert the smart card into a smart card reader, which reads the information on the card, including the details from the certificate, which provides certificate-based authentication.

35
Q

Smart card provides:

A

confidentiality, integrity, authentication, and non-repudiation

36
Q

Requirements for a smart card are:

A

Embedded certificate

Public Key Infrastructure (PKI)

37
Q

An Embedded certificate holds:

A

a user’s private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others).

38
Q

Public Key Infrastructure (PKI) supports:

A

issuing and managing certificates

39
Q

A Common Access Card (CAC) is:

A

a specialized type of smart card used by the U.S. Department of Defense.

40
Q

A Personal Identity Verification (PIV) card is:

A

a specialized type of smart card used by

41
Q

A token or key fob is:

A

an electronic device about the size of a remote key for a car. They include an LCD that displays a number, and this number changes periodically, such as every 60 seconds

42
Q

A Hash-based Message Authentication Code (HMAC) uses:

A

a hash function and cryptographic key for many different cryptographic functions

43
Q

A HMAC-based One-Time Password (HOTP) is:

A

an open standard used for creating one-time passwords, similar to those used in tokens or key fobs

44
Q

A Time-based One-Time Password (TOTP) is:

A

similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP typically expire after 30 seconds

45
Q

Something you are authentication factor uses:

A

biometrics for authentication

46
Q

Biometric methods are:

A

the strongest form of authentication because they are the most difficult for an attacker to falsify

47
Q

Some examples of biometrics are:

A

fingerprint scanners

retina scanners

iris scanners

voice recognition

facial recognition

48
Q

Retina scanners:

A

scan the retina of one or both eyes and use the pattern of blood vessels at the back of the eye for recognition

49
Q

Iris scanners:

A

use camera technologies to capture the patterns of the iris around the pupil for recognition

50
Q

Voice recognition methods:

A

identify who is speaking using speech recognition methods to identify different acoustic features

51
Q

Facial recognition systems:

A

identify people based on facial features

52
Q

Two biometric false readings are:

A

False acceptance

False rejection

53
Q

False acceptance happens when:

A

a biometric system incorrectly identifies an unauthorized user as an authorized user

54
Q

The false acceptance rate (FAR) identifies:

A

the percentage of times false acceptance occurs

55
Q

False rejection happens when:

A

a biometric system incorrectly rejects an authorized user

56
Q

The false rejection rate (FRR) identifies:

A

the percentage of times false rejections occur

57
Q

By increasing the sensitivity of biometric systems it:

A

decreases the number of false matches and increases the number of false rejections

58
Q

By decreasing the sensitivity of biometric systems it:

A

increases the false matches and decreases the false rejections

59
Q

The Crossover error rate (CER) of a biometric system is:

A

the point where the FAR crosses over the FRR. A lower CER indicates that the biometric system is more accurate
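
Added example, not from the page: the FAR, FRR and CER definitions of cards 52 to 59 turned into Python over constructed match scores from a hypothetical matcher (accept when the score is at or above a threshold). Sweeping the threshold shows the trade-off the cards describe: a higher, more sensitive threshold lowers FAR and raises FRR, and the crossover is the threshold where the two rates meet.

```python
# Constructed match scores (0-100) from a hypothetical fingerprint matcher.
GENUINE_SCORES = [60, 70, 75, 80, 85, 90, 95, 98]    # authorized users vs their own template
IMPOSTOR_SCORES = [10, 20, 30, 40, 50, 60, 65, 72]   # unauthorized users vs someone else's


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine, impostor):
    """(threshold, FAR, FRR) at every candidate threshold, i.e. the two curves of the trade-off."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover_error_rate(genuine, impostor):
    """Threshold where FAR and FRR are closest (the crossover) and the error rate there.
    Lower is better when comparing two systems on the same population."""
    best = min(error_curve(genuine, impostor), key=lambda row: (abs(row[1] - row[2]), row[0]))
    t, far_t, frr_t = best
    return t, (far_t + frr_t) / 2


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:3d}  FAR {a:.3f}  FRR {r:.3f}")
    print("CER:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
```

Which side of the crossover to operate on is a risk decision: a data-centre door would be tuned above it (fewer false acceptances, more annoyed employees), a consumer phone unlock below it.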

60
Q

Somewhere you are authentication factor identifies:

A

a user’s location

61
Q

Geolocation is:

A

a group of technologies used to identify a user’s location and is the most common method used for the somewhere you are authentication factor

62
Q

Many authentication systems use the:

A

Internet Protocol (IP) address for geolocation

63
Q

The something you do authentication factor refers:

A

to actions you can take such as gestures on a touch screen, how you write or type

64
Q

Dual-factor authentication uses:

A

two different factors of authentication

65
Q

Multifactor authentication uses:

A

two or more factors of authentication

66
Q

Kerberos is:

A

a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms

67
Q

Kerberos provides:

A

mutual authentication that can help prevent man-in-the-middle attacks and uses tickets to help prevent replay attacks

68
Q

Kerberos includes several requirements for it to work properly. They are:

A

A method of issuing tickets used for authentication

Time synchronization

A database of subjects or users

69
Q

The Key Distribution Center (KDC) uses:

A

a complex process of issuing ticket-granting tickets (TGTs) and other tickets. The KDC packages user credentials within a ticket. Tickets provide authentication for users when they access resources such as files on a file server.

70
Q

Kerberos version 5 requires:

A

all systems to be synchronized and within five minutes of each other

71
Q

When a user logs on with Kerberos, the KDC issues the user a:

A

ticket-granting ticket, which typically has a lifetime of 10 hours to be useful for a single workday.

72
Q

New Technology LAN Manager (NTLM) is:

A

a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems

73
Q

There are three versions of NTLM:

A

NTLM

NTLMv2

NTLM2 Session

74
Q

NTLM is:

A

a simple MD4 hash of a user’s password

75
Q

NTLMv2 is:

A

a challenge-response authentication protocol. When a user attempts to log on, NTLMv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain name, the user’s password, the current time, and more.

76
Q

NTLM2 Session:

A

improves NTLMv2 by adding in mutual authentication. In other words, the client authenticates with the server, and the server also authenticates with the client.

77
Q

Lightweight Directory Access Protocol (LDAP) specifies:

A

formats and methods to query directories

78
Q

LDAP Secure (LDAPS) uses:

A

encryption to protect LDAP transmissions. When a client connects with a server using LDAPS, the two systems establish a Transport Layer Security (TLS) session before transmitting any data

79
Q

Transport Layer Security (TLS):

A

encrypts the data before transmission

80
Q

Single sign-on (SSO) refers to:

A

the ability of a user to log on or access multiple systems by providing credentials only once

81
Q

A transitive trust creates:

A

an indirect trust relationship

82
Q

The Security Assertion Markup Language (SAML) is:

A

an Extensible Markup Language (XML)-based data format used for SSO on web browsers

83
Q

Two organizations that trust each other can use:

A

SAML as a federated identity management system. Users authenticate with one web site and are not required to authenticate again when accessing the second web site

84
Q

SAML defines three roles:

A

Principal

Identity provider

Service provider

85
Q

The SAML Principal role is:

A

typically a user that logs on once

86
Q

The SAML Identity provider:

A

creates, maintains, and manages identity information for principals

87
Q

The SAML Service provider is:

A

an entity that provides services to principals.

88
Q

A federation requires:

A

a federated identity management system that all members of the federation use.

89
Q

Shibboleth is:

A

a federated identity solution that is open source and freely available, making it a more affordable solution than some of the commercially available federated identity solutions

90
Q

OAuth is:

A

an open standard for authorization many companies use to provide secure access to protected resources.

91
Q

OpenID Connect works with:

A

OAuth 2.0 and it allows clients to verify the identity of end users without managing their credentials

92
Q

Account management is concerned with:

A

the creation, management, disablement, and termination of accounts.

93
Q

The principle of least privilege is:

A

an example of a technical control implemented with access controls

94
Q

Least privilege specifies:

A

that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more

95
Q

The common types of accounts used within a network are:

A

End user accounts

Privileged accounts

Guest accounts

Service accounts

96
Q

End user accounts are for:

A

regular users

97
Q

Privileged accounts have:

A

additional rights and privileges beyond what a regular user has

98
Q

Guest accounts are for:

A

someone who needs limited access to a computer or network, without having to create a new account

99
Q

Service accounts are for:

A

some applications and services that need to run under the context of an account

100
Q

One of the challenges with service accounts is that:

A

they often aren’t managed

101
Q

It’s common to require administrators to have how many accounts?

A

Two: one for regular day-to-day work and the other to perform administrative work

102
Q

What is the benefit of requiring administrators to have 2 accounts?

A

It reduces the exposure of the administrative account to an attack

103
Q

A Standard naming convention ensures:

A

user account names and email addresses are created similarly. For example first name, a dot, and the last name.

104
Q

Account management policies often dictate that:

A

personnel should not use shared or generic accounts.

105
Q

When can’t you implement basic authorization controls?

A

When multiple users share a single account

106
Q

Four key concepts of basic authorization controls are:

A

Identification

Authentication

Authorization

Accounting

107
Q

Define Identification:

A

users claim an identity with an identifier such as a username

108
Q

Define authentication:

A

users prove their identity using an authentication method such as a password

109
Q

Define authorization:

A

users are authorized access to resources based on their proven identity

110
Q

Define accounting:

A

Logs record activity using the users’ claimed identity

111
Q

A single, temporary user logging on with a Guest account does:

A

support identification, authentication, authorization, and accounting

112
Q

A disablement policy specifies:

A

how to manage accounts in different situations

113
Q

Disabling is preferred over:

A

deleting the account initially because it retains any encryption and security keys associated with the account

114
Q

Some contents of an account disablement policy include:

A

Terminated employee

Leave of absence

Delete account

115
Q

Terminated employee account disablement policy specifies:

A

that accounts for ex-employees are disabled as soon as possible

116
Q

Leave of absence account disablement policy specifies:

A

if an employee will be absent for an extended period, the account should be disabled while the employee is away.

117
Q

Delete account account disablement policy specifies:

A

when the organization determines the account is no longer needed, administrators delete it

118
Q

The two primary account recovery scenarios are:

A

Enable a disabled account

Recover a deleted account

119
Q

Enabling a disabled account requires administrators to:

A

reset the user’s password and take control of the account, then pass it to a supervisor or manager

120
Q

Recovering a deleted account is more complex than:

A

creating another account with the same name

121
Q

Time-of-day restrictions specify:

A

when users can log on to a computer

122
Q

Location-based policies restrict:

A

access based on the location of the user

123
Q

Within a network, it’s possible to restrict access based on:

A

computer names and MAC addresses

124
Q

It’s possible to set user accounts to expire automatically, When the account expires the:

A

system disables it, and the user is no longer able to log on using the account

125
Q

Account maintenance is often done with:

A

scripts to automate the process

126
Q

Account maintenance includes:

A

deleting accounts that are no longer needed

127
Q

A credential is:

A

a collection of information that provides an identity (such as a username) and proves that identity (such as a password)

128
Q

Credential management systems help:

A

users store these credentials securely

129
Q

Access control ensures that:

A

only authenticated and authorized entities can access resources

130
Q

Some examples of access control are:

A

Role-based access control (role-BAC)

Rule-based access control (rule-BAC)

Discretionary access control (DAC)

Mandatory access control (MAC)

Attribute-based access control (ABAC)

131
Q

Often when using any of the access control models, you’ll run across the following terms:

A

Subjects

Objects

132
Q

Subjects are:

A

typically users or groups that access an object

133
Q

Objects are:

A

items such as files, folders, shares, and printers that subjects access

134
Q

Role-based access control (role-BAC) uses:

A

roles to manage rights and permissions for users.

135
Q

When an administrator adds a user to a role in a role-BAC the user has:

A

all the rights and permissions of that role

136
Q

Microsoft Project Server can host:

A

multiple projects managed by different project managers.

137
Q

Microsoft Project Server includes the following roles:

A

Administrators

Executives

Project Managers

Team Members

and more

138
Q

Microsoft Project Server Administrators have:

A

complete access and control over everything on the server, including all of the projects managed on the server

139
Q

Microsoft Project Server Executives can:

A

access data from any project held on the server, but do not have access to modify system settings on the server

140
Q

Microsoft Project Server Project Managers have:

A

full control over their own projects, but do not have any control over projects owned by other project managers

141
Q

Microsoft Project Server Team Members can:

A

typically report on work that project managers assign to them, but they have little access outside the scope of their assignments

142
Q

A matrix is a:

A

planning document that matches the roles with required privileges

143
Q

In a Hierarchy-based Role-BAC:

A

top-level roles have significantly more permissions than lower-level roles.

Roles may mimic the hierarchy of an organization

144
Q

In a Job-,task-, or function-based Role-BAC:

A

roles are centered on jobs or functions that users need to perform

145
Q

Group-based access control (Windows systems refer to these as security groups):

A

simplifies user administration by allowing access based on roles or groups

146
Q

Rule-based access control (Rule-BAC) is based on:

A

a set of approved instructions, such as an access control list

147
Q

In the Discretionary access control (DAC) model,

A

every object (such as files and folders) has an owner, and the owner establishes access for the objects.

148
Q

A common example of the DAC model is the

A

New Technology File System (NTFS) used in Windows

149
Q

The NTFS used in Windows provides:

A

security by allowing users and administrators to restrict access to files and folders with permissions

150
Q

Microsoft systems identify users with:

A

security identifiers (SIDs)

151
Q

A security identifier (SID) is:

A

a long string of characters that is meaningless to most people, so the system looks up the name associated with the SID and displays the name instead

152
Q

Every object (such as a file or folder) includes a:

A

discretionary access control list (DACL) that identifies who can access it in a system using the DAC model

153
Q

The Discretionary access control list (DACL) is a:

A

list of Access Control Entries (ACEs)

154
Q

Each Access Control Entry (ACE) is:

A

composed of a SID and the permission(s) granted to the SID

155
Q

If users create a file, they are designated as:

A

the owner and have explicit control over the file. They can then modify the permissions on the object by adding user or group accounts to the DACL and assigning the desired permission
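
Added example, not the page's or Microsoft's code: a simplified Python model of the Windows access check over a DACL of ACEs, covering cards 150 to 155. The SIDs and permission bits are constructed. What it shows is the part the cards leave implicit: explicit deny ACEs are evaluated before allow ACEs (canonical order), allowed bits accumulate across the user's own SID and group SIDs until every requested bit is satisfied, and an empty DACL grants nothing.

```python
from dataclasses import dataclass

# Permission bits (constructed subset of the NTFS generic rights)
READ, WRITE, EXECUTE, DELETE = 0x1, 0x2, 0x4, 0x8
FULL = READ | WRITE | EXECUTE | DELETE


@dataclass(frozen=True)
class ACE:
    sid: str      # the subject this entry applies to (a user or group SID)
    allow: bool   # True = access-allowed ACE, False = access-denied ACE
    mask: int     # permission bits this entry grants or denies


def canonical(dacl):
    """Windows stores and evaluates explicit deny ACEs before allow ACEs."""
    return sorted(dacl, key=lambda ace: ace.allow)


def access_check(dacl, token_sids, requested: int) -> bool:
    """Walk the DACL the way the Windows access check does:
    - an ACE matters only if its SID is in the caller's token (user SID or a group SID)
    - a deny ACE covering any requested bit fails the check immediately
    - allow ACEs accumulate granted bits until every requested bit is covered
    - running off the end without full coverage is a denial (no implicit allow)"""
    if not requested:
        raise ValueError("request at least one permission bit")
    granted = 0
    for ace in canonical(dacl):
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.mask & requested:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


if __name__ == "__main__":
    # Constructed SIDs: a user, the Staff group, and a Contractors group
    SID_ALICE, SID_STAFF, SID_CONTRACTORS = "S-1-5-21-1000", "S-1-5-21-513", "S-1-5-21-600"
    dacl = [
        ACE(SID_STAFF, True, READ | WRITE),
        ACE(SID_CONTRACTORS, False, WRITE),   # explicit deny overrides the Staff allow
        ACE(SID_ALICE, True, DELETE),
    ]
    print(access_check(dacl, {"S-1-5-21-1001", SID_STAFF, SID_CONTRACTORS}, WRITE))  # False
```

This ordering is why a deny on one group wins over an allow on another for the same user, and why the lead-card's owner has to add an allow ACE before anyone else can read a freshly created file.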

156
Q

An inherent flaw associated with the DAC model is the:

A

susceptibility to Trojan horses

157
Q

Trojan horses are:

A

executable files that masquerade as something useful but include malware

158
Q

In the mandatory access control (MAC) model Security administrators assign:

A

labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access model blocks access

159
Q

Security-enhanced Linux (SELinux) is:

A

a set of security modules for the Linux kernel and one of the few widely used implementations of the mandatory access control model.

160
Q

The Mandatory Access Control (MAC) model uses:

A

different levels of security to classify both users and the data. These levels are defined in a lattice.

161
Q

The lattice can be:

A

a complex relationship between different ordered sets of labels. These labels define the boundaries for the security levels
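
Added example, not from the flashcards: a Python lattice of security labels for the MAC model of cards 158 to 161. The level ordering and the compartment names are constructed. One caveat to the wording of card 158: real MAC systems grant read access when the subject's label dominates the object's label in the lattice (same or higher level and a superset of compartments), not only when the two labels are identical. The no-write-down rule in can_write follows the Bell-LaPadula convention, which is an assumption beyond the card text.

```python
from dataclasses import dataclass

# Ordered classification levels: a higher index dominates a lower one (constructed example).
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset   # need-to-know categories, e.g. {"CRYPTO", "NUCLEAR"}

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least as high a level AND a superset of the compartments."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Read is allowed when the subject's clearance dominates the object's label (no read up)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Write is allowed only when the object's label dominates the subject's (no write down),
    so a Secret process cannot copy data into a Confidential file."""
    return obj.dominates(subject)


def least_upper_bound(a: Label, b: Label) -> Label:
    """Join of two labels: the lowest label that dominates both. This is the label a file
    must carry after data from both sources is combined into it."""
    level = LEVELS[max(LEVELS.index(a.level), LEVELS.index(b.level))]
    return Label(level, a.compartments | b.compartments)


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"CRYPTO"}))
    memo = Label("Confidential", frozenset())
    print(can_read(analyst, memo), can_write(analyst, memo))   # True False
```

The compartment check is what makes this a lattice rather than a simple ladder: Top Secret without the CRYPTO compartment does not dominate Secret/CRYPTO, so neither label is "higher" than the other and the join is needed to combine them.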

162
Q

An administrator is responsible for:

A

establishing access, but only someone at a higher authority can define the access for subjects and objects

163
Q

Establishing Access steps:

A

1. A security professional identifies, on paper, the specific access individuals are authorized to have
2. The administrator assigns rights based on the direction of the security professional
3. Multiple approval levels are usually involved in the decision-making process
4. Once an individual is formally granted access, a network administrator establishes that access based on the clearances identified by the security professional

164
Q

An attribute-based access control (ABAC) evaluates:

A

attributes and grants access when the values of those attributes match a policy

165
Q

Attributes can be:

A

almost any characteristic of a user, the environment, or the resource.

166
Q

Many software-defined networks (SDNs) use:

A

attribute-based access control (ABAC) models

167
Q

Policy statements typically include four elements:

A

Subject

Object

Action

Environment

168
Q

Action is:

A

what the user is attempting to do, such as reading or modifying a file, accessing specific web sites, and accessing web site applications

169
Q

Environment includes:

A

everything outside of the subject and object attributes

170
Q

An ABAC system has:

A

a lot of flexibility and can enforce both a DAC and a MAC model
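
Added example, not from the page: a small ABAC policy engine in Python that evaluates rules over the four policy elements of cards 167 to 169 (subject, object, action, environment) with deny-overrides combining and a default of deny. The attributes, rules and requests are constructed. The second rule compares a subject clearance to an object sensitivity, and the first keys on the object's owning department, which is the sense in which card 170 says an ABAC system can express both MAC-style and DAC-style constraints.

```python
from dataclasses import dataclass
from typing import Callable


@dataclass
class Request:
    subject: dict       # e.g. {"department": "finance", "clearance": 2}
    object: dict        # e.g. {"type": "report", "owner_dept": "finance", "sensitivity": 1}
    action: str         # e.g. "read"
    environment: dict   # e.g. {"hour": 10, "network": "corporate"}


Condition = Callable[[Request], bool]


@dataclass
class Rule:
    effect: str          # "permit" or "deny"
    condition: Condition
    description: str = ""


def evaluate(policy, req: Request) -> str:
    """Deny-overrides: any matching deny rule wins; otherwise permit if any permit rule
    matches; otherwise deny, because a request no rule speaks to gets no access."""
    effects = {rule.effect for rule in policy if rule.condition(req)}
    if "deny" in effects:
        return "deny"
    return "permit" if "permit" in effects else "deny"


# Constructed policy exercising all four elements.
POLICY = [
    Rule("permit",
         lambda r: r.action == "read"
         and r.subject.get("department") == r.object.get("owner_dept"),
         "staff may read their own department's documents"),
    Rule("permit",
         lambda r: r.action in ("read", "write")
         and r.subject.get("clearance", 0) >= r.object.get("sensitivity", 0)
         and r.environment.get("network") == "corporate"
         and 8 <= r.environment.get("hour", -1) < 18,
         "cleared staff may read or write on-site during business hours"),
    Rule("deny",
         lambda r: r.object.get("sensitivity", 0) >= 3
         and r.environment.get("network") != "corporate",
         "highly sensitive objects are never reachable off-network"),
]


if __name__ == "__main__":
    finance = {"department": "finance", "clearance": 2}
    report = {"type": "report", "owner_dept": "finance", "sensitivity": 1}
    print(evaluate(POLICY, Request(finance, report, "write", {"hour": 23, "network": "home"})))
```

Because conditions are plain functions over the request, adding a time-of-day or location restriction (cards 121 and 122) is one more environment clause rather than a new access control model.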