CompTIA Security+ Get Certified Get Ahead - CH2 Review Flashcards
Your organization wants to identify Biometric methods used for identification. The requirements are:
- Collect the data passively.
- Bypass a formal enrollment process.
- Avoid obvious methods that let the subject know data is being collected.
Which of the following Biometric methods BEST meets these requirements? (Choose TWO)
Fingerprint
Retina
Iris
Facial
Palm Vein
Gait Analysis
Facial
Gait Analysis
Explanation:
It’s possible to collect facial scan data and perform gait analysis without an enrollment process. You would use cameras to observe subjects from a distance and collect data passively.
You need a formal enrollment process for fingerprints, retinas, irises, and palm vein methods.
Retina and iris scans need to be very close to the eye and are very obvious.
Palm vein methods require users to place their palm on a scanner. While it’s possible to collect fingerprints passively, you still need an enrollment process.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 294). YCDA, LLC. Kindle Edition.
Your organization recently updated an online application that employees use to log on when working from home. Employees enter their Username and Password into the application from their smartphone and the application logs their location using GPS. Which type of Authentication is being used?
One-Factor
Dual-Factor
Something you are.
Something you have.
One-Factor
Explanation:
This is using one-factor authentication—something you know. The application uses the username for identification and the password for authentication. Note that even though the application is logging the location using Global Positioning System (GPS), there isn’t any indication that it is using this information for authentication.
Dual-factor authentication requires another factor of authentication such as something you are or something you have.
Something you are authentication factor refers to biometric authentication methods.
The something you have authentication factor refers to something you can hold, such as a smart card.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 295). YCDA, LLC. Kindle Edition.
Management within your organization wants to add 2FA Security for users working from home. Additionally, management wants to ensure that 2FA Passwords expire after 30 seconds. Which of the following choices BEST meets this requirement?
HOTP
TOTP
SMS
Kerberos
TOTP (Time-based One-Time Password)
Explanation:
A Time-based One-Time Password (TOTP) meets the requirement of two-factor authentication (2FA). A user logs on with regular credentials (such as a username and password), and then must enter an additional one-time password.
Some smartphone apps use HOTP and display a new password every 30 seconds. An HMAC-based One-Time Password (HOTP) creates passwords that do not expire until they are used.
Short message service (SMS) is sometimes used to send users a one-time use password via email or a messaging app, but these passwords typically don’t expire until at least 15 minutes later.
Kerberos uses tickets instead of passwords.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 295). YCDA, LLC. Kindle Edition.
Management within your organization has decided to implement a Biometric solution for Authentication into the data center. They have stated that the Biometric system needs to be highly accurate. Which of the following provides the BEST indication of accuracy with a Biometric system?
The lowest possible FRR
The highest possible FAR
The lowest possible CER
The highest possible CER
The lowest possible CER. (Crossover Error Rate)
Explanation:
A lower crossover error rate (CER) indicates a more accurate biometric system.
The false acceptance rate (FAR) and the false rejection rate (FRR) vary based on the sensitivity of the biometric system and don’t indicate accuracy by themselves.
A higher CER indicates a less accurate biometric system.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 295). YCDA, LLC. Kindle Edition.
The Marvin Monroe Memorial Hospital was recently sued after removing a kidney from the wrong patient. Hospital executives want to implement a method that will reduce medical errors related to misidentifying patients. They want to ensure medical personnel can identify a patient even if the patient is unconscious. Which of the following would be the BEST solution?
Gait Analysis
Vein Scans
Retina Scan
Voice Recognition
Vein Scans
Explanation:
A vein scan implemented with a palm scanner would be the best solution of the available choices. The patient would place their palm on the scanner for biometric identification, or if the patient is unconscious, medical personnel can place the patient’s palm on the scanner. None of the other biometric methods can be easily performed on an unconscious patient.
Gait analysis attempts to identify someone based on the way they walk.
A retina scan scans the retina of an eye, but this will be difficult if someone is unconscious.
Voice recognition identifies a person using speech recognition.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 295-296). YCDA, LLC. Kindle Edition.
Users regularly log on with a Username and Password. However, management wants to add a second Authentication factor for any users who launch the gcga application. The method needs to be user-friendly and non-disruptive. Which of the following will BEST meet these requirements?
An Authentication Application
TPM
HSM
Push Notifications
Push Notifications
Explanation:
Push notifications are user-friendly and non-disruptive. Users receive a notification on a smartphone and can often acknowledge it by simply pressing a button.
An authentication application isn’t as user-friendly as a push notification. It requires users to log on to the smartphone, find the app, and enter the code.
A Trusted Platform Module (TPM) provides full drive encryption and would protect the data if someone accessed the laptop, but it doesn’t prevent access.
A hardware security module (HSM) is a removable device that can generate and store RSA keys used with servers. Neither a TPM nor an HSM is relevant in this question.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 296). YCDA, LLC. Kindle Edition.
Your organization hires students during the summer for temporary help. They need access to Network resources, but only during working hours. Management has stressed that it is critically important to safeguard trade secrets and other confidential information. Which of the following account management concepts would be MOST important to meet these goals?
Account Expiration
Account Lockout
Time-of-day Restrictions
Password Recovery
Password History
Time-of-day Restrictions
Explanation:
Time-of-day restrictions should be implemented to ensure that temporary workers can only access network resources during work hours.
The other answers represent good practices, but don’t address the need stated in the question that “personnel need access to network resources, but only during working hours.”
Account expiration should be implemented if the organization knows the last workday of these workers.
Account lockout will lock out an account if the wrong password is entered too many times.
Password recovery allows users to recover a forgotten password or change their password if they forgot their password.
Password history remembers previously used passwords and helps prevent users from using the same password.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 296). YCDA, LLC. Kindle Edition.
A lower CER indicates that the Biometric system is what?
FRR
FAR
Less accurate
More accurate
More accurate
You need to provide a junior administrator with appropriate credentials to rebuild a domain controller after it suffers a catastrophic failure. Of the following choices, what type of account would BEST meet this need?
User Account
Generic Account
Guest Account
Service Account
User Account
Explanation:
A user account is the best choice of the available answers. More specifically, it would be a user account with administrative privileges (also known as a privileged account) so that the administrator can add the domain controller.
A generic account (also known as a shared account) is shared between two or more users and is not recommended.
A guest account is disabled by default and it is not appropriate to grant the guest account administrative privileges.
A service account is an account created to be used by a service or application, not a person.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 297). YCDA, LLC. Kindle Edition.
Lisa is reviewing an organization’s account management process. She wants to ensure that Security log entries accurately report the identity of personnel taking specific actions. Which of the following steps would BEST meet this requirement?
Implement generic accounts.
Implement Role-based Privileges
Use an SSO solution.
Remove all shared accounts.
Remove all shared accounts.
Explanation:
Removing all shared accounts is the best answer of the available choices. If two employees are using the same account, and one employee maliciously deletes data in a database, it isn’t possible to identify which employee deleted the data.
Generic accounts are the same as shared accounts and shouldn’t be used.
Role-based (or group-based) privileges assign the same permissions to all members of a group, which simplifies administration.
A single sign-on (SSO) solution allows a user to log on once and access multiple resources.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 297). YCDA, LLC. Kindle Edition.
A recent Security audit discovered serveral apparently dormant user accounts. Although users could log on to the accounts, no one held logged on to them for more than 60 days. You later discovered that these accounts are for contractors who work approximately one week every quarter. Which of the following is the BEST response to this situation?
Remove the account expiration from the accounts.
Delete the accounts.
Reset the accounts.
Disable the accounts.
Disable the accounts.
Explanation:
The best response is to disable the accounts and then enable them when needed by the contractors. Ideally, the accounts would include an expiration date so that they would automatically expire when no longer needed, but the scenario doesn’t indicate the accounts have an expiration date.
Because the contractors need to access the accounts periodically, it’s better to disable them rather than delete them.
Reset the accounts implies you are changing the password, but this isn’t needed.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (p. 297). YCDA, LLC. Kindle Edition.
Developers are planning to develop an application using Role-based Access Control. Which of the following would they MOST likely include in their planning?
A listing of labels reflecting classified levels.
A requirements list identifying Need to Know.
A listing of Owners.
A matrix of functions matched with their required privileges.
A matrix of functions matched with their required privileges.
A Network includes a Ticket-Granting Ticket Server used for Authentication. Which Authentication service does this Network use?
Shibboleth
SAML
LDAP
Kerberos
Kerberos
An Administrator is implementing a Network from scratch for a medical office. The owners want to have strong Authentication and Authorization to protect the privacy of data on all internal systems. They also want regular employees to use only a single Username and Password for all Network access. Which of the following is the BEST choice to meet these needs?
OpenID
SAML
Kerberos
RADIUS
Kerberos
Explanation:
Kerberos is the best choice of the available answers. Users claim an identity with a username for identification and prove their identity with a password for authentication. Kerberos uses a ticket-granting ticket (TGT) server for authentication and incorporates the user credentials in tickets. Users only have to sign in once with Kerberos, providing single sign-on (SSO).
OpenID is an open source standard used for authentication on the Internet, not internal networks.
Security Assertion Markup Language (SAML) is an XML-based standard that provides SSO for web-based applications.
Remote Authentication Dial-In User Service (RADIUS) is an authentication service that provides central authentication for remote access clients.
Gibson, Darril. CompTIA Security+ Get Certified Get Ahead: SY0-601 Study Guide (pp. 297-298). YCDA, LLC. Kindle Edition.
You need to create an account for a contractor who will be working at your company for only 60 days. Which of the following is the BEST security step to take when creating this account?
Configure History on the Account
Configure Password Expiration on the Account
Configure an Expiration Date on the Account
Configure Password Complexity
Configure an Expiration Date on the Account.