Chapter 5 Identity and Access Management Flashcards

1
Q

What is a capabilities table?

A

Capabilities tables list the privileges assigned to subjects and identify the objects that subjects can access.

2
Q

Which of the following is NOT a weakness in Kerberos?

a) The KDC is a single Point of failure
b) Compromise of the KDC would allow attackers to impersonate any user
c) Authentication information is not encrypted
d) Susceptible to password guessing

A

C) Kerberos encrypts messages using secret keys, providing protection for authentication traffic.

3
Q

Place the following in order for the Kerberos authentication process.

a) Client/server ticket generated
b) TGT generated
c) Client/TGS key generated
d) User accesses service
e) User provides authentication credentials

A

1) User provides authentication credentials
2) Client/TGS key is generated
3) TGT generated
4) Client/server ticket generated
5) User accesses service

4
Q

A callback to a landline phone number is an example of what type of factor?

a) Something you know
b) Somewhere you are
c) Something you have
d) Something you are

A

b) A callback to a landline phone number is an example of a “somewhere you are” factor because of the fixed physical location of a wired phone. A callback to a mobile phone would be “something you have”.

5
Q

Scott needs to set up an AD trust to allow authentication with an existing Kerberos K5 domain. What type of trust does he need to create?

a) Shortcut trust
b) Forest trust
c) External trust
d) Realm trust

A

D) Kerberos uses realms, and the proper type of trust to set up for an AD environment that needs to connect to a K5 domain is a realm trust.

6
Q

When a client sends a username and password to the KDC, how are the username and password protected?

a) 3DES encryption
b) TLS encryption
c) SSL encryption
d) AES encryption

A

D) The client in Kerberos uses AES to encrypt the username and password prior to sending them to the KDC.

7
Q

What two important elements does the KDC send to the client after verifying that the username is valid?

a) An encrypted TGT and a public key
b) An access ticket and a public key
c) An encrypted, time stamped TGT and a symmetric key encrypted with a hash of the user’s password
d) An encrypted, time stamped TGT and an access token

A

C) The KDC uses the user’s password to generate a hash, uses that hash to encrypt a symmetric key, and then sends the encrypted symmetric key together with an encrypted, time-stamped TGT to the client.

8
Q

What tasks must the client perform before it can use the TGT?

A

It must accept the TGT and decrypt the symmetric key.

9
Q

Biba is what type of access control model?

a) MAC
b) DAC
c) Role BAC
d) ABAC

A

A) Biba uses a lattice to control access and is a form of the MAC model. It does not use rules, roles, or attributes, nor does it allow user discretion.

10
Q

Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?

a) Kerberos
b) EAP
c) RADIUS
d) OAuth

A

c) RADIUS is an AAA protocol used to provide authentication and authorization; it is often used for modems, wireless networks, and network devices. It uses network access servers to send access requests to central RADIUS servers.

11
Q

What is resource-based access control?

A

Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based infrastructure as a service environments.

12
Q

Scott uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should he monitor and what traffic will he be able to read?

a) UDP, none. All RADIUS traffic is encrypted
b) TCP, all traffic but the passwords, which are encrypted
c) UDP, all traffic but the passwords, which are encrypted
d) TCP, none. All RADIUS traffic is encrypted

A

C) By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.

13
Q

Which of the following is not part of the Kerberos authentication system?

a) KDC
b) TGT
c) AS
d) TS

A

D) A Key Distribution Center (KDC) provides authentication services, and ticket-granting tickets (TGTs) provide proof that a subject has authenticated and can request tickets to access objects. Authentication services (ASs) are part of the KDC. There is no TS in a Kerberos infrastructure.

14
Q

What are race conditions?

A

Race conditions occur when two or more processes need to access the same resource in the right order.

15
Q

Which of the following is not a valid LDAP DN (distinguished name)?

a) cn=ben+ou=sales
b) ou=example
c) cn=ben,ou=example;
d) ou=example, dc=example, dc=com+dc=org

A

C) LDAP distinguished names are made up of zero or more comma-separated components known as relative distinguished names. cn=ben,ou=example; ends with a semicolon and is not a valid DN.

16
Q
What is the stored sample of a biometric factor called?
a) Reference template
b) Token store
c) Biometric password
d) Enrollment artifact
A

A) The stored sample of a biometric factor is called a reference profile or a reference template.

17
Q

Scott is working to improve the strength of his organization’s passwords by changing the password policy. The password system that he is using allows for uppercase and lowercase letters as well as numbers, but no special characters. How much additional complexity does adding a single character to the minimum length of passwords for his organization create?

a) 26 times more complex
b) 62 times more complex
c) 36 times more complex
d) 2 to the 62 power more complex

A

b) The complexity of brute-forcing a password increases based on both the number of potential characters and the number of characters added. In this case, there are 26 lowercase letters, 26 uppercase letters, and 10 possible digits. That creates 62 possibilities. Since we added only a single character of length, we get 62 to the power of 1, or 62 possibilities, and thus the new passwords would be 62 times harder to brute-force on average.

18
Q

Which pair of the following factors is key for user acceptance of biometric identification systems?

a) The FAR
b) The throughput rate and the time required to enroll
c) The CER and the EER
d) How often users must re-enroll and the reference profile requirements

A

B) Biometric systems can face major usability challenges if the time to enroll is long (over a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow.

19
Q

What solution can best help address concerns about third parties that control SSO redirects?

a) An awareness campaign about trusted third parties
b) Handling redirects at the local site
d) Implementing an IPS to capture SSO redirect attacks

A

a) While many solutions are technical, if a trusted third party redirects to an unexpected authentication site, awareness is often the best defense.

20
Q

Scott needs to send information about services he is providing to a third-party organization. What standards-based markup language should he choose to build the interface?

a) SAML
b) SOAP
c) SPML
d) XACML

A

c) Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to exchange authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging but is not a markup language itself.

21
Q

Scott configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636. What does this indicate to Scott about the configuration of the LDAP server?
A) It requires connections over SSL/TLS
B) It supports only unencrypted connections
C) It provides global catalog services
D) It does not provide global catalog services

A

A) Port 636 is the default port for LDAPS, which provides LDAP over SSL or TLS, thus indicating that the server supports encrypted connections. Since neither port 3268 nor 3269 is mentioned, we do not know if the server provides support for a global catalog.

22
Q

By default, in what format does OpenLDAP store the value of the userPassword attribute?

a) In the clear
b) Salted and hashed
c) MD5 hashed
d) Encrypted using AES-256 encryption

A

a) By default, OpenLDAP stores the userPassword attribute in the clear. This means that ensuring that the password is provided to OpenLDAP in a secure format is the responsibility of the administrator or programmer who builds its provisioning system.

23
Q
Which of the following is a ticket-based authentication protocol designed to provide secure communications? 
A) RADIUS
B) OAuth 
C) SAML 
D) Kerberos
A

D) Kerberos is an authentication protocol that uses tickets and provides secure communications between the client, key distribution center (KDC), ticket-granting service (TGS), authentication server (AS), and endpoint services.

24
Q
In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS? 
A) A TGT
B) An AS
C) The SS
D) A session key
A

A) When clients perform a client service authorization, they send a TGT and the ID of the requested service to the TGS, and the TGS responds with a client-to-server ticket and session key back to the client if the request is validated. An AS is an authentication server, and the SS is a service server, neither of which can be sent.

25
Q
What type of attack is the creation and exchange of state tokens intended to prevent? 
A) XSS
B) CSRF
C) SQL injection 
D) XACML
A

B) The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site request forgery. This makes sure that the unique session token returned with the authentication response from Google’s OAuth service is available to verify that the user, not an attacker, is making a request.

26
Q
During a review of support incidents, Scott's organization discovered that password changes accounted for more than a quarter of its help desk's cases. Which of the following options would most likely decrease that number significantly?
A) MFA
B) Biometric authentication 
C) Self-service password reset 
D) Passphrases
A

C) Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has.

27
Q
Scott wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that? 
A) Kerberos
B) OAuth 
C) OpenID
D) LDAP
A

B) OAuth provides the ability to access resources from another service and would meet Scott's needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.

28
Q
What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API?
A) SAML 
B) Shibboleth 
C) OpenID Connect
D) Higgins
A

C) OpenID Connect is a RESTful, JSON-based authentication protocol that, when paired with OAuth, can provide identity verification and basic profile information.

29
Q

Scott has a secret clearance and is accessing files that use a MAC scheme to apply the top secret, secret, confidential, and unclassified scheme. What classification levels of data can he access provided that he has a valid need to know?
A) Top secret and secret
B) Secret, confidential, and unclassified
C) Secret data only
D) Secret and unclassified

A

C) In a MAC system, classifications do not have to include rights to lower levels. This means that the only label we can be sure Scott has rights to is secret.

30
Q
Scott uses a software-based token that changes its code every minute. What type of token is he using? 
A) Asynchronous
B) Smart Card
C) Synchronous 
D) Static
A

C) Synchronous soft tokens, such as Google Authenticator, use a time-based algorithm that generates a constantly changing series of codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the expected response.

31
Q
What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token?
A) Asynchronous 
B) Smart Card
C) Synchronous 
D) RFID
A

A) Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user.

32
Q
What LDAP authentication mode can provide secure authentication? 
A) Anonymous 
B) SASL
C) Simple
D) S-LDAP
A

B) The Simple Authentication and Security Layer (SASL) for LDAP provides support for a range of authentication types, including secure methods.

33
Q
Which of the following type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors?
A) Voice pattern recognition 
B) Hand Geometry 
C) Palm Scans
D) Heart/Pulse patterns
A

C) Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than the others listed.

34
Q

What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider?

A) It may cause incorrect selection of the proper OpenID provider
B) Creates the possibility of a phishing attack by sending data to a fake OpenID provider
C) The relying party may be able to steal the client’s username and password
D) The relying party may not send a signed assertion

A

B) Allowing the relying party to provide the redirect to the OpenID provider could allow a phishing attack by directing clients to a fake OpenID provider that can capture valid credentials.

35
Q
RAID-5 is an example of what type of control?
A) Administrative
B) Recovery 
C) Compensation 
D) Logical
A

B) Drives in a RAID-5 array are intended to handle the failure of a drive. This is an example of a recovery control, which is used to return operations to normal after a failure.

36
Q
What open protocol was designed to replace RADIUS, including support for additional commands and protocols, replacing UDP traffic with TCP, and providing for extensible commands, but does not preserve backward compatibility with RADIUS?
A) TACACS
B) RADIUS-NG
C) Kerberos 
D) Diameter
A

D) Diameter was designed to provide enhanced modern features to replace RADIUS. Diameter provides better reliability and a broad range of improved functionality.

37
Q

Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue?

A) The Kerberos server is offline
B) There is a protocol mismatch
C) The client’s TGTs have been marked as compromised and de-authorized
D) The Kerberos Server and the local client’s time clocks are not synchronized

A

D) Kerberos relies on properly synchronized time on each end of a connection to function. If the local time is more than 5 minutes out of sync, valid TGTs will be treated as invalid and the system won’t receive any new tickets.

38
Q
What authentication protocol does Windows use by default for Active Directory systems? 
A) RADIUS
B) Kerberos 
C) OAuth 
D) TACACS+
A

B) Windows uses Kerberos for authentication. RADIUS is typically used for wireless networks, modems, and network devices, while OAuth is primarily used for web applications. TACACS+ is used for network devices.

39
Q

Scott configures an LDAP server to provide services on ports 636 and 3269. What type of LDAP services has he configured, based on LDAP’s default ports?
A) Unsecure LDAP and unsecure global directory
B) Unsecure LDAP and secure global directory
C) Secure LDAP and secure global directory
D) Secure LDAP and unsecure global directory

A

C) Default ports for SSL/TLS LDAP directory information and global catalog services are 636 and 3269, respectively. Unsecure LDAP uses 389 and unsecure global directory services use 3268.

40
Q

What is a dictionary attack?

A

An attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords.

41
Q

What is a birthday attack?

A

A birthday attack is an attack that focuses on finding collisions for passwords that have the same hash.

42
Q

What is a rainbow table attack?

A

An attack that uses a large database of precomputed hashes to crack the hash value of a stored password.

43
Q

What is a side-channel attack on smartcards?

A

A passive, noninvasive attack intended to observe the operation of a device. When the attack is successful, the attacker can learn valuable information contained within the card, such as an encryption key. Side-channel attacks analyze the information sent to the reader.

44
Q
Who or what grants permissions to users in a DAC model? 
A) Admins
B) Access Control Lists
C) Assigned labels 
D) Data Custodian
A

D) The data custodian (or owner) grants permissions to users in a discretionary access control model.

45
Q
Which of the following best describes a characteristic of the MAC model?
A) Employs explicit-deny philosophy 
B) Permissive 
C) Rule-based
D) Prohibitive
A

D) MAC is prohibitive, and it uses implicit deny (not explicit deny).