Identity and Access Management (1) Flashcards
Jack is using smart cards for authentication. He is trying to classify the type of authentication for a report to his CIO. What type of authentication is Jack using?
Type I
Type II
Type III
Type II
Type II authentication is something you have. A smart card is a physical item in the user's possession; though far more sophisticated than a key, it is ultimately still something you have
Carole is responsible for various network protocols at her company. The network time protocol has been intermittently failing. Which of the following would be most affected?
Kerberos
RADIUS
CHAP
Kerberos
The correct answer is Kerberos, because it depends on synchronized clocks. Every ticket carries a validity window, and every authenticator carries a timestamp that the KDC and the service accept only within the configured clock-skew tolerance (five minutes by default). If NTP fails and clocks drift past that tolerance, authentication fails with a skew error even though the password and the tickets themselves are valid
You are selecting an authentication method for your company’s servers. You are looking for a method that periodically reauthenticates clients to prevent session hijacking. Which of the following would be your best choice?
PAP
SPAP
CHAP
CHAP
The correct answer is that Challenge Handshake Authentication Protocol (CHAP) periodically has the client reauthenticate. This is transparent to the user, but specifically is done to prevent session hijacking
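The CHAP exchange described above, as an added example that is not part of the original flashcard set. It implements the RFC 1994 response (MD5 over the Identifier, the shared secret and the challenge), a server that re-challenges the peer every few data packets, and a simulated session in which an attacker who has hijacked the link cannot answer the next challenge. The secret, the re-challenge interval and the packet counts are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed shared secret; both peers hold it and it never crosses the link.
SHARED_SECRET = b"constructed-chap-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5 over the one-octet Identifier, the secret and the challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Server side: issues fresh random challenges and verifies responses.

    Re-challenging every `rechallenge_every` data packets models the periodic
    re-authentication that makes a hijacked link fail at the next challenge."""

    def __init__(self, secret: bytes, rechallenge_every: int = 3) -> None:
        self.secret = secret
        self.rechallenge_every = rechallenge_every
        self.identifier = 0
        self.pending = {}            # Identifier -> challenge awaiting a response
        self.packets_seen = 0

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        chal = os.urandom(16)
        self.pending[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # each challenge is answered exactly once
        if chal is None:
            return False                            # unknown Identifier or replayed response
        return hmac.compare_digest(chap_response(identifier, self.secret, chal), response)

    def on_data_packet(self) -> bool:
        """Return True when it is time to re-challenge the peer."""
        self.packets_seen += 1
        return self.packets_seen % self.rechallenge_every == 0


def run_session(hijack_after: Optional[int] = None, packets: int = 7):
    """Simulate a link: initial CHAP, then data packets with periodic re-challenges.

    From packet `hijack_after` onwards an attacker who does not know the secret
    answers the challenges. Returns the outcome of every challenge in order."""
    auth = ChapAuthenticator(SHARED_SECRET)
    outcomes = []

    def answer(n: int, identifier: int, chal: bytes) -> bytes:
        hijacked = hijack_after is not None and n >= hijack_after
        return chap_response(identifier, b"attacker-guess" if hijacked else SHARED_SECRET, chal)

    ident, chal = auth.challenge()
    outcomes.append(auth.verify(ident, answer(0, ident, chal)))
    for n in range(1, packets + 1):
        if auth.on_data_packet():
            ident, chal = auth.challenge()
            outcomes.append(auth.verify(ident, answer(n, ident, chal)))
    return outcomes


def replay_is_rejected() -> bool:
    """A captured valid response cannot be reused: the challenge is consumed on first use."""
    auth = ChapAuthenticator(SHARED_SECRET)
    ident, chal = auth.challenge()
    resp = chap_response(ident, SHARED_SECRET, chal)
    return auth.verify(ident, resp) and not auth.verify(ident, resp)


if __name__ == "__main__":
    print("legitimate peer:", run_session())              # every challenge passes
    print("link hijacked after packet 4:", run_session(hijack_after=4))
    print("replay rejected:", replay_is_rejected())
```

Two caveats a practitioner should keep in mind: the authenticator must hold the secret in a form it can feed into MD5, so it is stored reversibly on the server, and MD5 itself is long obsolete; on modern networks the same periodic re-authentication is obtained with EAP methods such as EAP-TLS rather than plain CHAP.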
Emiliano is working for a small company. His company is concerned about authentication and wants to implement biometrics using facial recognition and fingerprint scanning. How would this authentication be classified?
Type I
Type II
Type III
Type III
Type III authentication is biometrics. Anything based on biology, or “something you are,” is type III
Lisa is setting up accounts for her company. She wants to set up accounts for the Oracle database server. Which of the following would be the best type of account to assign to the database service?
User
Admin
Service
Service
A service account is the most appropriate in this scenario. Service accounts are given the least privileges the service needs and are used by the service, without the need for a human user
You have been asked to select an authentication method that will support single sign-on, integrate with SAML, and work well over the Internet. Which of the following would be your best choice?
Shibboleth
OAUTH
SPAP
Shibboleth
Shibboleth is an open-source middleware solution for federated authentication and single sign-on. It exchanges SAML (Security Assertion Markup Language) assertions between an identity provider and service providers and is designed to work across organizations over the Internet
Which authentication method was used as a native default for older versions of Microsoft Windows?
CHAP
OAUTH
NTLM
NTLM
NTLM (NT LAN Manager) was the native Windows authentication method for many years. It was superseded by NTLMv2, and Active Directory domains now use Kerberos by default, falling back to NTLM only where Kerberos cannot be used
Carl has been asked to set up access control for a server. The requirements state that users at a lower privilege level should not be able to see or access files or data at a higher privilege level. What access control model would best fit these requirements?
MAC
DAC
RBAC
MAC
Mandatory Access Control (MAC) is the correct solution. It will not allow lower privilege users to even see the data at a higher privilege level
Clarice is concerned about an attacker getting information regarding network resources in her company. Which protocol should she implement that would be most helpful in mitigating this risk?
LDAP
SNMP
LDAPS
LDAPS
Lightweight Directory Access Protocol Secure (LDAPS) will use TLS to protect the LDAP information, thus mitigating the risk of an attacker gathering information about network resources
Ahmed is looking for an authentication protocol for his network. He is very concerned about highly skilled attackers. As part of mitigating that concern, he wants an authentication protocol that never actually transmits a user’s password, in any form. Which authentication protocol would be a good fit for Ahmed’s needs?
CHAP
Kerberos
RBAC
Kerberos
Kerberos never sends the user's password across the network. The client derives a long-term key from the password locally and uses it to encrypt a timestamp as pre-authentication. The authentication service holds only that same key, derived from the stored password (for example the NT hash for RC4-HMAC, or a PBKDF2-derived key for the AES encryption types), and uses it to verify the timestamp and to encrypt the session key and ticket it sends back. Only a client that derived the correct key from the password the user typed can decrypt that reply
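The AS exchange described in the two Kerberos cards above (clock-skew failure and the password never leaving the client), as an added example that is not part of the original flashcard set. The KDC stores only keys derived from passwords, the client derives the same key locally, a timestamp encrypted under that key serves as pre-authentication, and the KDC rejects both a wrong key and a timestamp outside the five-minute skew tolerance. The realm name, the principal, the PBKDF2 string-to-key function and the HMAC-based toy cipher are assumptions standing in for the real Kerberos encryption types.

```python
import hashlib
import hmac
import os
import struct

SKEW_TOLERANCE = 300   # seconds; the Kerberos default clock-skew allowance
REALM = "EXAMPLE.COM"  # constructed realm name


def derive_key(password: str, principal: str) -> bytes:
    """Toy string-to-key; a real KDC uses the enctype's string2key (PBKDF2 for the AES types)."""
    salt = (REALM + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for a Kerberos enctype: HMAC keystream XOR plus an HMAC integrity tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication Service: holds long-term keys only, never passwords."""

    def __init__(self) -> None:
        self.keys = {}
        self.tgs_key = os.urandom(32)   # krbtgt key, used to seal TGTs

    def enroll(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(password, principal)

    def as_exchange(self, principal: str, pa_enc_timestamp: bytes, kdc_clock: int):
        """AS-REQ with PA-ENC-TIMESTAMP pre-authentication -> AS-REP, or an error code."""
        key = self.keys[principal]
        try:
            (client_time,) = struct.unpack(">q", decrypt(key, pa_enc_timestamp))
        except ValueError:
            return "KDC_ERR_PREAUTH_FAILED"      # wrong password: the timestamp does not decrypt
        if abs(kdc_clock - client_time) > SKEW_TOLERANCE:
            return "KRB_AP_ERR_SKEW"             # clocks drifted: right password still fails
        session_key = os.urandom(32)
        tgt = encrypt(self.tgs_key, principal.encode() + session_key)
        return encrypt(key, session_key), tgt    # enc-part for the client, sealed TGT


def client_login(kdc: KDC, principal: str, password: str, client_clock: int, kdc_clock: int):
    """Workstation side: the typed password becomes a key locally and is never transmitted."""
    key = derive_key(password, principal)
    pa_data = encrypt(key, struct.pack(">q", client_clock))
    rep = kdc.as_exchange(principal, pa_data, kdc_clock)
    if isinstance(rep, str):
        return rep
    enc_part, tgt = rep
    return decrypt(key, enc_part), tgt           # only the right password recovers the session key


if __name__ == "__main__":
    kdc = KDC()
    kdc.enroll("alice", "constructed-password")
    print(client_login(kdc, "alice", "constructed-password", 1_700_000_000, 1_700_000_010))
    print(client_login(kdc, "alice", "wrong-password", 1_700_000_000, 1_700_000_000))
    print(client_login(kdc, "alice", "constructed-password", 1_700_000_000, 1_700_000_600))
```

The third call is the NTP scenario: the password is right and the account is valid, but a ten-minute clock difference exceeds the tolerance and the KDC answers with a skew error before it ever issues a ticket.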
You work for a social media website. You wish to integrate your users’ accounts with other web resources. To do so, you need to allow authentication to be used across different domains, without exposing your users’ passwords to these other services. Which of the following would be most helpful in accomplishing this goal?
Kerberos
SAML
OAUTH
OAUTH
OAuth (Open Authorization) is an open standard for token-based delegated authorization on the Internet. It lets a third-party service act on a user's account, within a scope the user approved, using an access token instead of the user's password; when it is used for login, authentication is layered on top of it by OpenID Connect
Mary is trying to set up remote access to her network for salespeople in her company. Which protocol would be most helpful in accomplishing this goal?
RADIUS
Kerberos
CHAP
RADIUS
Remote Authentication Dial-In User Service (RADIUS) is an AAA (authentication, authorization and accounting) protocol specifically designed for controlling remote access to a network
Victor is trying to identify the protocol used by Windows for authentication to a server that is not part of the network domain. Which of the following would be most useful for Victor?
Kerberos
NTLM
CHAP
NTLM
NTLM is an older Windows authentication protocol. Microsoft no longer recommends it except for certain specific situations. One of those is attempting to authenticate to a server that is not part of the domain
You have been asked to find an authentication service that is handled by a third party. The service should allow users to access multiple websites, as long as they support the third-party authentication service. What would be your best choice?
OpenID
Kerberos
NTLM
OpenID
The correct answer is that OpenID is an authentication service often done by a third party, and it can be used to sign into any website that accepts OpenID
Abigail is implementing biometrics for her company. She is trying to get the false rejection rate and false acceptance rate to the same level. What is the term used for this?
Crossover error rate
Leveling
Balanced error rate
Crossover error rate
Crossover Error Rate (CER), also called Equal Error Rate (EER), is the point at which the false rejection rate and the false acceptance rate are equal; it is the usual single-number comparison between biometric systems
Mia is responsible for website security for a bank. When a user forgets their password, she wants a method to give them a temporary password. Which of the following would be the best solution for this situation?
Facial recognition
RBAC
TOTP
TOTP
A Time-based One-Time Password (TOTP) is valid only for a brief window after it is issued (typically 30 seconds), and the server refuses to accept the same code twice. Users can request a password reset and have a TOTP delivered over an alternate channel, such as a text message to their phone
George wants a secure authentication protocol that can integrate with RADIUS and can use digital certificates. Which of the following would be his best choice?
CHAP
802.11i
802.1X
802.1X
IEEE 802.1X port-based network access control (PNAC) is a network authentication standard. The authenticator (a switch or access point) relays EAP exchanges between the client and a RADIUS server, and EAP methods such as EAP-TLS authenticate clients with digital certificates
Jacob is responsible for database server security in his company. He is very concerned about preventing unauthorized access to the databases. Which of the following would be the most appropriate for him to implement?
ABAC
TOTP
DAMP
DAMP
A Database Activity Monitoring and Prevention (DAMP) system would be the most effective of the choices given. These systems work like an IPS, but specifically for databases
Mason is responsible for security at a company that has traveling salespeople. The company has been using ABAC for access control to the network. Which of the following is an issue that is specific to ABAC and might cause it to incorrectly reject logins?
Geographic location
Wrong password
Remote access is not allowed by ABAC.
Geographic location
Attribute-Based Access Control (ABAC) looks at a group of attributes, in addition to the login username and password, to make decisions about whether or not to grant access. One of the attributes examined is the location of the person. Since the users in this company travel frequently, they will often be at new locations, and that might cause ABAC to reject their logins
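The ABAC decision described above, as an added example that is not part of the original flashcard set. A small policy evaluator checks the role/resource attribute pair and then a set of location rules; with only the default "home country" rule a travelling salesperson is rejected on location alone, and a compensating rule that accepts sales staff from anywhere when they present MFA from a managed device resolves the scenario without opening the policy to everyone. The country codes, roles, resources and rule names are constructed for the demonstration.

```python
from dataclasses import dataclass

# Constructed policy data for the scenario: a sales force that travels.
HOME_COUNTRIES = {"US"}
ROLE_RESOURCES = {"sales": {"crm", "quotes"}, "finance": {"ledger"}}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    location: str          # country code geolocated from the source IP
    mfa: bool
    managed_device: bool
    resource: str


def rule_onsite(req: Request) -> bool:
    """Default location rule: only requests from a home country pass."""
    return req.location in HOME_COUNTRIES


def rule_travelling_sales(req: Request) -> bool:
    """Compensating rule: sales staff may connect from anywhere, but only with MFA on a managed device."""
    return req.role == "sales" and req.mfa and req.managed_device


def decide(req: Request, location_rules=(rule_onsite,)):
    """Grant only if the role may use the resource AND at least one location rule accepts.

    Returns (decision, reason) so that a denial can be explained in the access log."""
    if req.resource not in ROLE_RESOURCES.get(req.role, set()):
        return "deny", "resource not permitted for role"
    if not any(rule(req) for rule in location_rules):
        return "deny", f"location {req.location} not accepted by any location rule"
    return "allow", ""


if __name__ == "__main__":
    traveller = Request("mason", "sales", "DE", mfa=True, managed_device=True, resource="crm")
    print("default policy:", decide(traveller))
    print("with travelling-sales rule:", decide(traveller, (rule_onsite, rule_travelling_sales)))
```

The design point is that every rule reads request attributes only: adding the travelling-sales rule changes no user account and no role, which is why ABAC is chosen for populations whose context (location, device, time) varies more than their job does.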
You work for a U.S. defense contractor. You are setting up access cards that have chips embedded in them to provide access control for users in your company. Which of the following types of cards would be best for you to use?
CAC
PIV
NFC
PIV
Personal Identity Verification (PIV) cards are smart cards issued under FIPS 201 (Federal Information Processing Standard Publication 201) to federal employees and contractors
Darrell is concerned that users on his network have too many passwords to remember and might write down their passwords, thus creating a significant security risk. Which of the following would be most helpful in mitigating this issue?
OAUTH
SSO
OpenID
SSO
Single Sign-On (SSO) is designed specifically to address this risk. Users have only a single logon to remember; thus, they have no need to write down the password
Fares is a security administrator for a large company. Occasionally, a user needs to access a specific resource that they don’t have permission to access. Which access control methodology would be most helpful in this situation?
Discretionary Access Control
Role-based Access Control
Rule-based Access Control
Rule-based Access Control
Rule-Based Access Control applies a set of rules to an access request. Based on the application of the rules, the user may be given access to a specific resource that they were not explicitly granted permission to
You are comparing biometric solutions for your company, and the product you pick must have an appropriate False Acceptance Rate (FAR). Which of the following best describes FAR?
How often an unauthorized user is granted access by mistake
How readily users accept the new technology, based on ease of use
How often an authorized user is not granted access
How often an unauthorized user is granted access by mistake
The False Acceptance Rate (FAR) indicates how often the system will accept an invalid login. This is a measure of the mistakes a biometric system makes, and the lower the rate, the better
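The FAR, FRR and crossover error rate from the two biometric cards above (Abigail's CER question and this FAR question), as an added example that is not part of the original flashcard set. It computes both rates from a set of match scores at every candidate threshold and finds the threshold where they are closest, which is the CER. The score scale and the genuine and impostor score lists are constructed for the demonstration; a real evaluation would use scores from the vendor's matcher on a test population.

```python
# Constructed match scores on a 0..100 scale: higher means the live sample looks
# more like the enrolled template. GENUINE are legitimate users, IMPOSTOR are not.
GENUINE = [66, 70, 74, 78, 80, 82, 84, 86, 88, 90, 92, 94, 96, 97, 98, 99]
IMPOSTOR = [10, 15, 20, 25, 30, 35, 40, 45, 50, 55, 60, 65, 70, 72, 75, 79]


def accept(score: int, threshold: int) -> bool:
    """Decision rule: a sample is accepted when its match score reaches the threshold."""
    return score >= threshold


def far(threshold: int, impostor=IMPOSTOR) -> float:
    """False Acceptance Rate: fraction of impostor samples the system lets in."""
    return sum(accept(s, threshold) for s in impostor) / len(impostor)


def frr(threshold: int, genuine=GENUINE) -> float:
    """False Rejection Rate: fraction of legitimate samples the system turns away."""
    return sum(not accept(s, threshold) for s in genuine) / len(genuine)


def rates(threshold: int):
    """(FAR, FRR) at one threshold."""
    return far(threshold), frr(threshold)


def crossover(thresholds=range(0, 101)):
    """Crossover (equal) error rate: the first threshold where FAR and FRR are closest."""
    t = min(thresholds, key=lambda th: abs(far(th) - frr(th)))
    return t, far(t), frr(t)


def tradeoff_table(step: int = 10):
    """FAR/FRR at coarse thresholds, showing that pushing one rate down pushes the other up."""
    return [(th, far(th), frr(th)) for th in range(0, 101, step)]


if __name__ == "__main__":
    for th, fa, fr in tradeoff_table():
        print(f"threshold {th:3d}: FAR {fa:.3f}  FRR {fr:.3f}")
    print("crossover (threshold, FAR, FRR):", crossover())
```

Reading the table is the practical lesson behind the FAR question: a bank login would run the threshold above the crossover point (lower FAR, more legitimate users re-prompted), while a convenience feature such as unlocking a break-room door might run it below.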
Amelia is looking for a network authentication method that can use digital certificates and does not require end users to remember passwords. Which of the following would best fit her requirements?
OAUTH
Tokens
OpenID
Tokens
Tokens are physical devices that often contain cryptographic data for authentication. They can store digital certificates for use with authentication
You are responsible for setting up new accounts for your company network. What is the most important thing to keep in mind when setting up new accounts?
Password length
Account age
Least privileges
Least privileges
Least privileges is the most fundamental concept in establishing accounts. Each user should only have just enough privileges to do his or her job. This also applies to service accounts
Stefan just became the new security officer for a university. He is concerned that student workers who work late on campus could try and log in with faculty credentials. Which of the following would be most effective in preventing this?
Time of day restrictions
Usage auditing
Password length
Time of day restrictions
Restricting each faculty account so that it is only usable when that particular faculty member is typically on campus will prevent someone from logging in with that account after hours, even if he or she has the password
Jennifer is concerned that some people in her company have more privileges than they should. This has occurred due to people moving from one position to another, and having cumulative rights that exceed the requirements of their current jobs. Which of the following would be most effective in mitigating this issue?
Permission auditing
Job rotation
Preventing job rotation
Permission auditing
A permissions audit will find what permissions each user has and compare that to his or her job requirements. Permission audits should be conducted periodically
Chloe has noticed that users on her company’s network frequently have simple passwords made up of common words. Thus, they have weak passwords. How could Chloe best mitigate this issue?
Increase minimum password length.
Have users change passwords more frequently.
Require password complexity.
Require password complexity.
Password complexity requires that passwords have a mixture of uppercase letters, lowercase letters, numbers, and special characters. This would be the best approach to correct the problem described in the question
Bart is looking for a remote access protocol for his company. It is important that the solution he selects support multiple protocols and use a reliable network communication protocol. Which of the following would be his best choice?
RADIUS
TACACS+
NTLM
TACACS+
TACACS+ (Terminal Access Controller Access Control System Plus) uses TCP rather than the UDP transport RADIUS uses, and is therefore more reliable. It also encrypts the entire packet body rather than just the password, and supports a wide range of protocols