Identity, Access, and Accounts Flashcards
Which of the following is an account you might use to run processes that do not require human intervention to start or stop?
Guest account
Process account
Service account
Service account
Service accounts are used to run processes that do not require human intervention to start, stop, or administer
A friend of yours who works in the IT department of a bank tells you that tellers are allowed to log in to their terminals only from 9 A.M. to 5 P.M., Monday through Saturday. What is this restriction an example of?
User auditing
Least privilege
Time-of-day restrictions
Time-of-day restrictions
Time-of-day restrictions are often used to limit the hours during which a user is allowed to log into or access a system. This helps prevent unauthorized access outside that user’s normal working hours
What is the process of ascribing a computer ID to a specific user known as?
Validation
Authorization
Identification
Identification
Identification is the process of ascribing a computer ID to a specific user, computer, network device, or computer process
You are working with a group to develop a new multifactor authentication system for your organization. Which of the following is not a valid category of authentication factors you might use?
Something you know
Something you see
Something you are
Something you see
Something you see is not one of the categories of authentication factors
Your organization is revamping its account management policies and you’ve been asked to clarify the difference between account disablement and account lockout. Which of the following statements best describes that difference?
Account disablement removes the user and all their data files; account lockout does not.
Account lockout typically only affects the ability to log in; account disablement removes all privileges.
Account lockout is permanent; account disablement is easily reversible.
Account lockout typically only affects the ability to log in; account disablement removes all privileges.
Account disablement is a step down from removing an account completely. While the account (and its associated data files) still exists on the system, the account itself is disabled and has no privileges to access the system. Account lockout typically affects only logon privileges. Performing a temporary account lockout is a common approach to thwarting brute-force password-guessing attacks
Which of the following would most likely be the hardest password to crack?
An eight-character password based on a common dictionary word
A six-character password using only uppercase letters
A seven-character password using a completely random mix of letters, symbols, and numbers
A seven-character password using a completely random mix of letters, symbols, and numbers
Of the examples, the seven-character random password would be the most difficult to crack because it is random and is composed of letters, symbols, and numbers, a much larger character set to brute force
What are accounts with greater than “normal” user access called?
Privileged accounts
System accounts
Superuser accounts
Privileged accounts
Privileged accounts are any accounts with greater than normal user access. Privileged accounts are typically root- or admin-level accounts and represent risk in that their powers are essentially unlimited
You’ve been tasked to make sure every account on your mail server belongs to a valid, active employee. What is this process often called?
Recertification
Privilege auditing
Password cracking
Recertification
Recertification is the process of ensuring users are still employed and still require accounts
In a meeting discussing account management, one of your colleagues suggests you manage access control using collections of users rather than on a user-by-user basis. Your colleague is suggesting you use which type of access control?
Least privilege access control
Location-based access control
Group-based access control
Group-based access control
Group-based access control manages access control using groups of users rather than user by user
When a user no longer needs or is no longer authorized to use a system, which of the following should occur?
Account recovery
Account deletion
Account reset
Account deletion
Account disablement should occur when a user no longer has authorized use privileges on the system. Deleting the account outright can disrupt permissions that reference it
Your organization trusts authentication of accounts from a partner organization and your partner organization trusts authentication from your organization. What is this relationship known as specifically?
Two-way trust relationship
Transition trust relationship
Authentication validation relationship
Two-way trust relationship
When two domains trust each other, this is known as a two-way trust relationship. In this case, your organization trusts the partner organization and they trust your organization in return. An extended trust is a nonsense distractor
Which of the following defines policies, protocols, and practices to manage identities across systems and organizations?
Transitive trust
Single sign-on
Identity federation
Identity federation
Federation, or identity federation, defines policies, protocols, and practices to manage identities across systems and organizations. Federation’s ultimate goal is to allow users to seamlessly access data or systems across domains
Which of the following would not be considered “something you are” when discussing authentication factors?
Fingerprints
Voice
PIN code
PIN code
The authentication factor category “something you are” specifically refers to biometrics. These are uniquely identifying characteristics associated with individuals that typically do not change
In which of the following scenarios might it be acceptable to use a shared account?
On a server maintained by different personnel
On a publicly accessible PC running in kiosk mode
If the account is used only to administer e-mail accounts
On a publicly accessible PC running in kiosk mode
In general, shared accounts should be avoided when possible, but in situations where creating individual accounts is neither practical nor feasible and tracking user activity is not critical, shared accounts can be the solution. A publicly accessible PC running in kiosk mode is a good use of a shared account, as you wouldn’t be able to issue individual accounts to each person who uses the kiosk and tracking specific user activity is not critical
The processes of adding a person to a project or team and removing a person from a project or team are known as:
Account creation and account disablement
Intake and outflow
Onboarding and offboarding
Onboarding and offboarding
Onboarding and offboarding refer to the processes of adding personnel to a project or team and removing them from a project or team