Chapter 8 - Physical Security and Authentication Models Flashcards

1
Q
Which of the following is the verification of a person’s identity?
A. Authorization
B. Accountability
C. Authentication
D. Password
A

C. Authentication is the verification of a person’s identity. Authorization to specific resources cannot be accomplished without previous authentication of the user.

2
Q
Which of the following would fall into the category of “something a person is”?
A. Passwords
B. Passphrases
C. Fingerprints
D. Smart cards
A

C. Fingerprints are an example of something a person is. The process of measuring that characteristic is known as biometrics.

3
Q
Which of the following are good practices for tracking user identities? (Select the two best answers.)
A. Video cameras
B. Key card door access systems
C. Sign-in sheets
D. Security guards
A

A and B. Video cameras enable a person to view and visually identify users as they enter and move through a building. Key card access systems can be configured to identify a person as well, as long as the right person is carrying the key card!

4
Q
What are two examples of common single sign-on authentication configurations? (Select the two best answers.)
A. Biometrics-based
B. Multifactor authentication
C. Kerberos-based
D. Smart card-based
A

C and D. Kerberos and smart card setups are common single sign-on configurations.

5
Q
Which of the following is an example of two-factor authentication?
A. L2TP and IPSec
B. Username and password
C. Thumb print and key card
D. Client and server
A

C. Two-factor authentication (or dual-factor authentication) means that two different pieces of identification are needed before the user is authenticated. A thumbprint and a key card fall into this category. L2TP and IPSec are protocols used to connect through a VPN, which by default requires only a username and password. A username and password together are considered one-factor authentication. There is no "client and server" authentication model.

6
Q
What is the main purpose of a physical access log?
A. To enable authorized employee access
B. To show who exited the facility
C. To show who entered the facility
D. To prevent unauthorized employee access
A

C. A physical access log’s main purpose is to show who entered the facility and when. Different access control and authentication models will be used to permit or prevent employee access.

7
Q
Which of the following is not a common criterion when authenticating users?
A. Something you do
B. Something you are
C. Something you know
D. Something you like
A

D. Common criteria when authenticating users include something you do, something you are, something you know, and something you have. A person's likes and dislikes are not common criteria, although they may be asked as secondary questions when logging in to a system.

8
Q
Of the following, what two authentication mechanisms require something you physically possess? (Select the two best answers.)
A. Smart card
B. Certificate
C. USB flash drive
D. Username and password
A

A and C. Two authentication mechanisms that require something you physically possess are smart cards and USB flash drives. Key fobs and cardkeys would also be part of this category. Certificates are granted by a server and are stored on a computer as software. The username/password mechanism is a common authentication scheme, but it is something that you type, not something that you physically possess.

9
Q
Which of the following is the final step a user needs to take before that user can access domain resources?
A. Verification
B. Validation
C. Authorization
D. Authentication
A

C. Before a user can gain access to domain resources, the final step is to be authorized to those resources. Before that, the user must have provided identification and been authenticated.

10
Q
To gain access to your network, users must provide a thumbprint and a username and password. What type of authentication model is this?
A. Biometrics
B. Domain logon
C. Multifactor
D. Single sign-on
A

C. Multifactor authentication means that the user must provide two different types of identification. The thumbprint is an example of biometrics. Username and password are examples of a domain logon. Single sign-on would only be one type of authentication that enables the user access to multiple resources.

11
Q
The IT director has asked you to set up an authentication model in which users can enter their credentials one time, yet still access multiple server resources. What type of authentication model should you implement?
A. Smart card and biometrics
B. Three factor authentication
C. SSO
D. VPN
A

C. Single sign-on, or SSO, enables users to access multiple servers and multiple resources while entering their credentials only once. The type of authentication can vary but will generally be a username and password. Smart cards and biometrics together are an example of two-factor authentication. VPN is short for virtual private network.

12
Q
Which of the following about authentication is false?
A. RADIUS is a client/server system that provides authentication, authorization, and accounting services.
B. PAP is insecure because usernames and passwords are sent as clear text.
C. MS-CHAPv1 is capable of mutual authentication of the client and server.
D. CHAP is more secure than PAP because it encrypts usernames and passwords.
A

C. MS-CHAPv1 is not capable of mutual authentication of the client and server. Mutual authentication is accomplished with Kerberos. All the other statements are true.

13
Q
What types of technologies are used by external motion detectors? (Select the two best answers.)
A. Infrared
B. RFID
C. Gamma rays
D. Ultrasonic
A

A and D. Motion detectors often use infrared technology; body heat would set them off. They also use ultrasonic technology; sound at frequencies above the range of human hearing would set these detectors off.

14
Q
In a secure environment, which authentication mechanism performs better?
A. RADIUS because it is a remote access authentication service.
B. RADIUS because it encrypts client/server passwords.
C. TACACS because it is a remote access authentication service.
D. TACACS because it encrypts client/server negotiation dialogues.
A

D. Unlike RADIUS, TACACS (Terminal Access Controller Access-Control System) encrypts client/server negotiation dialogues. Both protocols are remote authentication protocols.

15
Q
Which port number does the protocol LDAP use when it is secured?
A. 389
B. 443
C. 636
D. 3389
A

C. Port 636 is the port used by secured LDAP (LDAPS). Port 389 is the standard LDAP port number. Port 443 is used by HTTPS (SSL/TLS), and port 3389 is used by RDP.

16
Q
Which of the following results occurs when a biometric system identifies a legitimate user as unauthorized?
A. False rejection
B. False positive
C. False acceptance
D. False exception
A

A. If a biometric system identifies a legitimate user as unauthorized, it is known as a false rejection or a false negative. A false positive is when a system authenticates a user who should not be allowed access. False acceptance is similar to a false positive in biometric systems. False exceptions have to do with software that has failed and needs to be debugged.

17
Q
Of the following, which is not a logical method of access control?
A. Username/password
B. Access control lists
C. Biometrics
D. Software-based policy
A

C. The only answer that is not a logical method of access control is biometrics. Biometrics deals with the physical attributes of a person and is the most tangible of the answers. All the rest deal with software, so they are logical methods.

18
Q
Which of the following permits or denies access to resources through the use of ports?
A. Hub
B. 802.11n
C. 802.11x
D. 802.1X
A

D. 802.1X permits or denies access to resources through the use of ports. It implements port-based Network Access Control, or PNAC. This is part of the 802.1 group of IEEE protocols. 802.1X should not be confused with 802.11x, which is an informal term used to denote any of the 802.11 standards, including 802.11b, 802.11g, and 802.11n. A hub connects computers by way of physical ports but does not permit or deny access to any particular resources; it is a simple physical connector of computers.

19
Q
Your data center holds highly critical information. Because of this, you want to improve its physical security. The data center already has a video surveillance system. What else can you add to increase physical security? (Select the two best answers.)
A. A software-based token system
B. Access control lists
C. A mantrap
D. Biometrics
A

C and D. A mantrap is a device made to hold a person. It is usually an area with two doorways: the first leads to the outside and locks when the person enters, and the second leads to the secure area and stays locked until the person is granted access. Biometrics can help in granting this access by authenticating the user in a secure way, such as with a thumbprint, a retina scan, and so on. Software-based token systems and access control lists are both logical controls and do not play into physical security.

20
Q
Which authentication method is being referred to by the following sequence of steps: logon request, challenge, encrypted value response, server compares the encrypted results, and authorize or fail?
A. Security tokens
B. Certificates
C. Kerberos
D. CHAP
A

D. CHAP, the Challenge Handshake Authentication Protocol, authenticates a user or a network host to entities like Internet access providers. CHAP periodically verifies the identity of the client by using a three-way handshake; the verification is based on a shared secret. After a link has been established, the authenticator sends a challenge message to the peer; this does not happen in the other three authentication methods listed.

21
Q
What does a virtual private network use to connect one remote host to another? (Select the best answer.)
A. Modem
B. Network adapter
C. Internet
D. Cell phone
A

C. The Internet is used to connect hosts to each other in virtual private networks. A particular computer will probably also use a VPN adapter and/or a network adapter. Modems are generally used in dial-up connections and not used in VPNs.

22
Q
Two items are needed before a user can be given access to the network. What are these two items? (Select the two best answers.)
A. Authentication and authorization
B. Authorization and identification
C. Identification and authentication
D. Password and authentication
A

C. Before users can be given access to the network, the network needs to identify them and authenticate them. Later users may be authorized to use particular resources on the network. Part of the authentication scheme may include a username and password. This would be known as an access control method.

23
Q
Kerberos uses which of the following? (Select the two best answers.)
A. Ticket distribution service
B. The Faraday cage
C. Port 389
D. Authentication service
A

A and D. Kerberos uses a ticket distribution service and an authentication service. This is provided by the Key Distribution Center. A Faraday cage is used to block data emanations. Port 389 is used by LDAP. One of the more common ports that Kerberos uses is port 88.

24
Q
Which of the following authentication systems make use of a Key Distribution Center?
A. Security tokens
B. CHAP
C. Kerberos
D. Certificates
A

C. Kerberos uses a KDC or Key Distribution Center to centralize the distribution of certificate keys and keep a list of revoked keys.

25
Q
Of the following, which best describes the difference between RADIUS and TACACS?
A. RADIUS is a remote access authentication service.
B. RADIUS separates authentication, authorization, and auditing capabilities.
C. TACACS is a remote access authentication service.
D. TACACS separates authentication, authorization, and auditing capabilities.
A

D. Unlike RADIUS, TACACS separates authentication, authorization, and auditing capabilities. The other three answers are incorrect and are not differences between RADIUS and TACACS.

26
Q
Which of the following best describes the proper method and reason to implement port security?
A. Apply a security control that ties specific ports to end-device MAC addresses, and prevents additional devices from being connected to the network.
B. Apply a security control that ties specific ports to end-device IP addresses, and prevents additional devices from being connected to the network.
C. Apply a security control that ties specific ports to end-device MAC addresses, and prevents all devices from being connected to the network.
D. Apply a security control that ties specific ports to end-device IP addresses, and prevents all devices from being connected to the network.
A

A. You can achieve port security by applying a security control (such as 802.1X) that ties specific physical ports to end-device MAC addresses and prevents additional devices from being connected to the network. Note that port security solutions such as 802.1X are Data Link Layer (layer 2) technologies, so they deal with MAC addresses, not IP addresses. You wouldn't want to exclude all devices from connecting to the network, as this would cause a severe connectivity problem.

27
Q
You are tasked with setting up a wireless network that uses 802.1X for authentication. You set up the wireless network using WPA2 and CCMP; however, you don't want to use a PSK for authentication. Which of the following options would support 802.1X authentication?
A. Kerberos
B. CAC card
C. Preshared key
D. RADIUS
A

D. RADIUS is a common back-end authenticator for 802.1X. When setting up a wireless access point, the two security mode options are usually PSK (preshared key), which is stored on the WAP, and Enterprise, which usually refers authentication to an external RADIUS server. Kerberos deals with authentication to Microsoft domains. CAC cards are smart cards that are used for ID and authentication to systems.

28
Q
Which two options can prevent unauthorized employees from entering a server room? (Select the two best answers.)
A. Bollards
B. CCTV
C. Security guard
D. 802.1X
E. Proximity reader
A

C and E. If a person doesn't have the proper proximity card, that person will be prevented from entering a server room or other protected room. Security guards can also prevent people from accessing unauthorized areas. However, bollards (short vertical posts) probably wouldn't stop a person, and besides, they aren't normally installed in front of a server room entrance. CCTV video surveillance is a detective control, not a preventive control. 802.1X deals with authentication, not with physical security.

29
Q
What is the most secure method of authentication and authorization in its default form?
A. TACACS
B. Kerberos
C. RADIUS
D. LDAP
A

B. Kerberos is the most secure method of authentication listed. It has a more complex system of authentication than TACACS (which is outdated) and RADIUS (which is used in different scenarios than Kerberos). LDAP deals with directories, for example the ones on a Microsoft domain controller, to which Kerberos must first grant access.

30
Q
When attempting to grant access to remote users, which protocol uses separate, multiple-challenge responses for each of the authentication, authorization, and audit processes?
A. RADIUS
B. TACACS
C. TACACS+
D. LDAP
A

C. TACACS+ is the only answer listed that uses separate processes for authentication, authorization, and auditing. That is one of the main differences between it and RADIUS. TACACS is deprecated and is not often seen in the field. LDAP deals with managing directories of information.

31
Q
Before gaining access to the datacenter, you must swipe your finger on a device. What type of authentication is this?
A. Biometrics
B. Single sign-on
C. Multifactor
D. Tokens
A

A. Fingerprint technology is part of the realm of biometrics. Single sign-on means that you can use one type of authentication to get access to more than one system. While that could be going on in this scenario, it is not explicit, so biometrics is the more accurate answer. Multifactor means that more than one type of authentication is needed, for example a fingerprint and a PIN. Say that users were expected to type a PIN into a keypad to gain access to the datacenter. You might find over time that some people who enter are not the owners of the PINs they typed. That uncertainty can be avoided by incorporating biometrics. Tokens are used to gain access to systems and networks, and might include rolling one-time passwords, but they do not incorporate a person's physical characteristics such as a fingerprint.