Identity and Access Management (1) Flashcards

1
Q

Jack is using smart cards for authentication. He is trying to classify the type of authentication for a report to his CIO. What type of authentication is Jack using?

Type I

Type II

Type III

A

Type II

Type II authentication is something you have. A smart card is a physical item in your possession; though more sophisticated than a key, it is still just something you have. The PIN normally required to unlock the card is Type I (something you know), so card plus PIN together make two-factor authentication.

2
Q

Carole is responsible for various network protocols at her company. The network time protocol has been intermittently failing. Which of the following would be most affected?

Kerberos

RADIUS

CHAP

A

Kerberos

Kerberos tickets and authenticators carry timestamps, and a KDC rejects any request whose timestamp differs from its own clock by more than the allowed skew (5 minutes by default, error KRB_AP_ERR_SKEW). If NTP fails and clocks drift past that tolerance, valid tickets appear not yet valid or expired and authentication fails, even though ticket lifetimes themselves are measured in hours (a TGT is typically good for 10 hours).

3
Q

You are selecting an authentication method for your company’s servers. You are looking for a method that periodically reauthenticates clients to prevent session hijacking. Which of the following would be your best choice?

PAP

SPAP

CHAP

A

CHAP

Challenge Handshake Authentication Protocol (CHAP) periodically re-challenges the client, which must answer each new random challenge with a hash computed from the shared secret. This is transparent to the user and is done specifically to prevent session hijacking; the secret itself never crosses the wire.

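Added example, not part of the original flashcard set: a stdlib Python model of the CHAP exchange described in RFC 1994, with a constructed shared secret. It shows the periodic re-challenge and why a response captured from the wire is useless to a session hijacker once the authenticator challenges again.

```python
"""CHAP challenge/response with periodic re-authentication (added example)."""
import hashlib
import hmac
import os

# Constructed shared secret; in PPP it is provisioned on both ends out of band
# and is never transmitted.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 Response value: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues random challenges and checks the responses."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._identifier = 0
        self._outstanding = {}  # identifier -> challenge awaiting a response

    def challenge(self):
        """Issue a fresh 16-byte random challenge under a new identifier."""
        self._identifier = (self._identifier + 1) % 256
        chal = os.urandom(16)
        self._outstanding[self._identifier] = chal
        return self._identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        """Accept only a response to a challenge that is still outstanding."""
        chal = self._outstanding.pop(identifier, None)
        if chal is None:
            return False  # unknown or already-answered challenge (replay)
        expected = chap_response(identifier, self._secret, chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """Client side: answers challenges with its own copy of the secret."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self._secret, challenge)


def run_session(rounds: int, peer_secret: bytes = SHARED_SECRET):
    """Initial authentication followed by rounds-1 periodic re-challenges.
    Returns the authenticator's verdict for each round."""
    auth, peer = Authenticator(SHARED_SECRET), Peer(peer_secret)
    verdicts = []
    for _ in range(rounds):
        ident, chal = auth.challenge()
        verdicts.append(auth.verify(ident, peer.respond(ident, chal)))
    return verdicts


def replay_after_hijack() -> bool:
    """An attacker who captured one challenge/response pair replays it when
    the authenticator re-challenges. Returns whether the replay was accepted."""
    auth, peer = Authenticator(SHARED_SECRET), Peer(SHARED_SECRET)
    ident, chal = auth.challenge()
    captured = peer.respond(ident, chal)
    assert auth.verify(ident, captured)      # the legitimate login succeeds
    new_ident, _ = auth.challenge()          # periodic re-authentication
    return auth.verify(new_ident, captured)  # the stale response fails


if __name__ == "__main__":
    print("legitimate peer, 3 rounds:", run_session(3))
    print("peer with wrong secret:   ", run_session(1, b"guess"))
    print("replayed response accepted:", replay_after_hijack())
```

MD5 is what RFC 1994 specifies; the protection here comes from the fresh random challenge and the fact that only the hash, never the secret, is sent. Note that the authenticator must still hold the secret in a recoverable form, which is why MS-CHAPv2 and EAP methods replaced plain CHAP in most deployments.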
4
Q

Emiliano is working for a small company. His company is concerned about authentication and wants to implement biometrics using facial recognition and fingerprint scanning. How would this authentication be classified?

Type I

Type II

Type III

A

Type III

Type III authentication is biometrics. Anything based on biology, or “something you are,” is type III

5
Q

Lisa is setting up accounts for her company. She wants to set up accounts for the Oracle database server. Which of the following would be the best type of account to assign to the database service?

User

Admin

Service

A

Service

A service account is the most appropriate in this scenario. Service accounts are given the least privileges the service needs and are used by the service, without the need for a human user

6
Q

You have been asked to select an authentication method that will support single sign-on, integrate with SAML, and work well over the Internet. Which of the following would be your best choice?

Shibboleth

OAUTH

SPAP

A

Shibboleth

Shibboleth is an open-source middleware solution for federated authentication and identity management that uses SAML (Security Assertion Markup Language) and is designed to provide single sign-on across organizations over the Internet.

7
Q

Which authentication method was used as a native default for older versions of Microsoft Windows?

CHAP

OAUTH

NTLM

A

NTLM

NTLM (NT LAN Manager) was the default Windows authentication method for many years. It was superseded by NTLMv2, and Windows domains have used Kerberos as the default since Windows 2000; NTLM remains only as a fallback.

8
Q

Carl has been asked to set up access control for a server. The requirements state that users at a lower privilege level should not be able to see or access files or data at a higher privilege level. What access control model would best fit these requirements?

MAC

DAC

RBAC

A

MAC

Mandatory Access Control (MAC) is the correct solution. It will not allow lower privilege users to even see the data at a higher privilege level

9
Q

Clarice is concerned about an attacker getting information regarding network resources in her company. Which protocol should she implement that would be most helpful in mitigating this risk?

LDAP

SNMP

LDAPS

A

LDAPS

Lightweight Directory Access Protocol Secure (LDAPS) wraps LDAP in TLS (typically on TCP port 636), so bind credentials, queries, and the responses that describe users, groups, and network resources are encrypted in transit rather than sent in cleartext as with plain LDAP on port 389. That mitigates the risk of an attacker sniffing directory information.

10
Q

Ahmed is looking for an authentication protocol for his network. He is very concerned about highly skilled attackers. As part of mitigating that concern, he wants an authentication protocol that never actually transmits a user’s password, in any form. Which authentication protocol would be a good fit for Ahmed’s needs?

CHAP

Kerberos

RBAC

A

Kerberos

Kerberos never sends the user's password across the network. The KDC stores a long-term key derived from the user's password; when the user's name arrives at the Authentication Service, the KDC uses that key to encrypt its reply (the session key returned alongside the TGT). The user's machine derives the same key locally from the password the user typed and uses it to decrypt the reply; a wrong password simply yields garbage. With pre-authentication enabled, the client also proves knowledge of the key up front by sending a current timestamp encrypted under it.

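Added example, not from the original flashcards, covering this card and card 2: a stdlib Python model of the Kerberos AS exchange with encrypted-timestamp pre-authentication. The cipher is a toy stand-in for a real Kerberos encryption type, and the realm, principal, password and clock values are constructed. It shows that only a key derived from the password is ever used, that a wrong password fails before anything useful is returned, and that a client clock more than 5 minutes off from the KDC is rejected with KRB_AP_ERR_SKEW, which is exactly what an NTP failure produces.

```python
"""Simplified Kerberos AS exchange: password never leaves the client, and a
clock skew above the tolerance is fatal (added example, stdlib only).

The cipher is a toy stand-in (SHA-256 keystream + HMAC-SHA256 tag) for a real
Kerberos enctype such as aes256-cts-hmac-sha1-96; the message flow is the point.
"""
import hashlib
import hmac
import os
import struct

MAX_CLOCK_SKEW = 300  # seconds; the usual KDC default is 5 minutes


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key derived from the password (AES enctypes use PBKDF2 with
    realm+principal as the salt; the iteration count is reduced here)."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + struct.pack(">I", counter)).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or altered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication Service: stores derived keys, never passwords."""

    def __init__(self, realm: str, clock):
        self.realm, self.clock, self._keys = realm, clock, {}

    def enroll(self, principal: str, password: str) -> None:
        self._keys[principal] = string_to_key(password, self.realm, principal)

    def as_exchange(self, principal: str, padata: bytes) -> bytes:
        """AS-REQ with encrypted-timestamp pre-authentication -> AS-REP enc-part.

        The client proves it knows the key by encrypting the current time; the
        KDC proves it knows the same key by returning a session key under it.
        """
        key = self._keys[principal]
        try:
            (timestamp,) = struct.unpack(">Q", decrypt(key, padata))
        except ValueError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED") from None
        if abs(self.clock() - timestamp) > MAX_CLOCK_SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        session_key = os.urandom(32)  # a real AS-REP also carries the TGT
        return encrypt(key, session_key)


def client_login(kdc: KDC, principal: str, password: str, clock) -> bytes:
    """Client side: derive the key locally, send only name + encrypted timestamp,
    decrypt the returned session key. The password itself is never on the wire."""
    key = string_to_key(password, kdc.realm, principal)
    padata = encrypt(key, struct.pack(">Q", clock()))
    return decrypt(key, kdc.as_exchange(principal, padata))


def scenario(client_password: str, client_skew: int) -> str:
    """One login against a KDC whose clock is fixed (constructed) at T0.
    Returns 'ok', 'preauth_failed' or 'skew'."""
    t0 = 1_700_000_000
    kdc = KDC("EXAMPLE.COM", clock=lambda: t0)
    kdc.enroll("alice", "correct-password-for-alice")  # constructed credential
    try:
        session_key = client_login(kdc, "alice", client_password, lambda: t0 + client_skew)
    except PermissionError as err:
        return {"KDC_ERR_PREAUTH_FAILED": "preauth_failed", "KRB_AP_ERR_SKEW": "skew"}[str(err)]
    return "ok" if len(session_key) == 32 else "bad_reply"


if __name__ == "__main__":
    for pw, skew in [("correct-password-for-alice", 0),
                     ("correct-password-for-alice", 900), ("wrong", 0)]:
        print(f"password={pw!r:30} skew={skew:4}s -> {scenario(pw, skew)}")
```

The skew check is the practical link to card 2: a client 15 minutes off from the KDC gets KRB_AP_ERR_SKEW before any ticket is examined, which is why unreliable NTP shows up as Kerberos logon failures rather than as expired tickets.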
11
Q

You work for a social media website. You wish to integrate your users’ accounts with other web resources. To do so, you need to allow authentication to be used across different domains, without exposing your users’ passwords to these other services. Which of the following would be most helpful in accomplishing this goal?

Kerberos

SAML

OAUTH

A

OAUTH

OAuth (Open Authorization) is an open standard for token-based delegated authorization on the Internet. A third-party service receives an access token scoped to what the user consented to and never sees the user's password. Strictly, OAuth authorizes access to resources; authentication layered on top of it is OpenID Connect, though exam material often describes OAuth as doing both.

12
Q

Mary is trying to set up remote access to her network for salespeople in her company. Which protocol would be most helpful in accomplishing this goal?

RADIUS

Kerberos

CHAP

A

RADIUS

Remote Authentication Dial-In User Service (RADIUS) is an AAA (authentication, authorization, accounting) protocol designed specifically for remote network access: VPN concentrators, dial-in servers, and wireless access points hand user credentials to a central RADIUS server for a decision.

13
Q

Victor is trying to identify the protocol used by Windows for authentication to a server that is not part of the network domain. Which of the following would be most useful for Victor?

Kerberos

NTLM

CHAP

A

NTLM

NTLM is an older Windows authentication protocol. Microsoft no longer recommends it except for specific situations; one of these is authenticating to a stand-alone server that is not a member of the domain, where no KDC is available to issue Kerberos tickets.

14
Q

You have been asked to find an authentication service that is handled by a third party. The service should allow users to access multiple websites, as long as they support the third-party authentication service. What would be your best choice?

OpenID

Kerberos

NTLM

A

OpenID

The correct answer is that OpenID is an authentication service often done by a third party, and it can be used to sign into any website that accepts OpenID

15
Q

Abigail is implementing biometrics for her company. She is trying to get the false rejection rate and false acceptance rate to the same level. What is the term used for this?

Crossover error rate

Leveling

Balanced error rate

A

Crossover error rate

Crossover Error Rate (CER), also called Equal Error Rate (EER), is the point at which the false rejection rate and the false acceptance rate are equal; it is the usual single-number comparison between biometric systems.

16
Q

Mia is responsible for website security for a bank. When a user forgets their password, she wants a method to give them a temporary password. Which of the following would be the best solution for this situation?

Facial recognition

RBAC

TOTP

A

TOTP

A Time-based One-Time Password (TOTP) can only be used once and is only valid for a brief period after it is issued. Users can request a password reset and the TOTP is sent over an alternate channel, such as a text message to their phone, after which they set a new permanent password.
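Added example, not part of the original flashcards: a stdlib Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238), plus a verifier that enforces both properties the card relies on, a short validity window and single use. The secret shown is the RFC 6238 reference test secret, used here only so the output can be checked against the published vectors.

```python
"""TOTP (RFC 6238) generation and replay-safe verification (added example)."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


class ResetCodeVerifier:
    """Server-side check for a reset code delivered out of band.

    A code is accepted only within +/- `window` steps of the server's clock
    and only once: the counter it matched is recorded so the same code cannot
    be replayed inside the window (plain TOTP alone is not one-time).
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._used_counters = set()

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter in self._used_counters:
                continue
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self._used_counters.add(counter)
                return True
        return False


if __name__ == "__main__":
    # Constructed per-user secret; in practice generate it with os.urandom and
    # keep it server-side. This value is the RFC 6238 reference test secret.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    verifier = ResetCodeVerifier(secret)
    print("code:", code)
    print("first use accepted:", verifier.verify(code, now))
    print("second use accepted:", verifier.verify(code, now))
    print("use 20 minutes later accepted:", verifier.verify(code, now + 1200))
```

For a reset flow the server would typically use a larger step (several minutes) so the SMS has time to arrive, and should rate-limit attempts, since a 6-digit code gives an attacker a 1-in-a-million guess per try.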

17
Q

George wants a secure authentication protocol that can integrate with RADIUS and can use digital certificates. Which of the following would be his best choice?

CHAP

802.11i

802.1x

A

802.1x

IEEE 802.1X port-based network access control (PNAC) authenticates a device before its switch port or wireless association is allowed onto the network. It carries EAP between the supplicant and the authenticator, which relays the exchange to a RADIUS server; with EAP-TLS the client authenticates using a digital certificate.

18
Q

Jacob is responsible for database server security in his company. He is very concerned about preventing unauthorized access to the databases. Which of the following would be the most appropriate for him to implement?

ABAC

TOTP

DAMP

A

DAMP

A Database Activity Monitoring and Prevention (DAMP) system would be the most effective of the choices given. These systems work like an IPS, but specifically for databases

19
Q

Mason is responsible for security at a company that has traveling salespeople. The company has been using ABAC for access control to the network. Which of the following is an issue that is specific to ABAC and might cause it to incorrectly reject logins?

Geographic location

Wrong password

Remote access is not allowed by ABAC.

A

Geographic location

Attribute Based Access Control (ABAC) looks at a group of attributes, in addition to the login username and password, to make decisions about whether or not to grant access. One of the attributes examined is the location of the person. Since the users in this company travel frequently, they will often be at new locations, and that might cause ABAC to reject their logins

20
Q

You work for a U.S. defense contractor. You are setting up access cards that have chips embedded in them to provide access control for users in your company. Which of the following types of cards would be best for you to use?

CAC

PIV

NFC

A

PIV

Personal Identity Verification (PIV) cards are standardized by FIPS 201 (Federal Information Processing Standard Publication 201) for federal employees and contractors. The DoD's Common Access Card (CAC) is one PIV-compliant implementation; PIV is the broader standard a contractor's chip-based access card should follow.

21
Q

Darrell is concerned that users on his network have too many passwords to remember and might write down their passwords, thus creating a significant security risk. Which of the following would be most helpful in mitigating this issue?

OAUTH

SSO

OpenID

A

SSO

Single Sign-On (SSO) is designed specifically to address this risk. Users have only a single logon to remember; thus, they have no need to write down the password

22
Q

Fares is a security administrator for a large company. Occasionally, a user needs to access a specific resource that they don’t have permission to access. Which access control methodology would be most helpful in this situation?

Discretionary Access Control

Role-based Access Control

Rule-based Access Control

A

Rule-based Access Control

Rule-Based Access Control applies a set of rules to an access request. Based on the application of the rules, the user may be given access to a specific resource that they were not explicitly granted permission to

23
Q

You are comparing biometric solutions for your company, and the product you pick must have an appropriate False Acceptance Rate (FAR). Which of the following best describes FAR?

How often an unauthorized user is granted access by mistake

How readily users accept the new technology, based on ease of use

How often an authorized user is not granted access

A

How often an unauthorized user is granted access by mistake

The False Acceptance Rate (FAR) indicates how often the system will accept an invalid login. This is a measure of the mistakes a biometric system makes, and the lower the rate, the better
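Added example, not part of the original flashcards, serving this card and card 15: given constructed similarity scores from a hypothetical fingerprint matcher, it computes FAR and FRR at every threshold, locates the crossover (CER/EER), and shows what a stricter FAR target costs in false rejections.

```python
"""FAR, FRR and crossover error rate from matcher scores (added example)."""

# Constructed similarity scores (0-100) from a hypothetical fingerprint matcher:
# GENUINE = an enrolled user against their own template, IMPOSTOR = against
# someone else's template. Real evaluations use thousands of each.
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]
IMPOSTOR = [72, 63, 58, 55, 52, 49, 47, 45, 42, 40, 35, 30]


def error_rates(genuine, impostor, threshold):
    """Accept when score >= threshold. Returns (FAR, FRR) as fractions."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # real users locked out
    return far, frr


def candidate_thresholds(genuine, impostor):
    return sorted(set(genuine) | set(impostor))


def crossover(genuine, impostor):
    """Sweep thresholds; return (threshold, FAR, FRR) where FAR and FRR are
    closest to each other, i.e. the crossover / equal error rate."""
    best = None
    for t in candidate_thresholds(genuine, impostor):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far (high-security tuning);
    the returned FRR is the usability price of that choice."""
    for t in candidate_thresholds(genuine, impostor):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    print("threshold  FAR    FRR")
    for t in candidate_thresholds(GENUINE, IMPOSTOR):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print(f"{t:>9}  {far:.3f}  {frr:.3f}")
    print("crossover (CER):", crossover(GENUINE, IMPOSTOR))
    print("strictest FAR=0:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))
```

Raising the threshold always trades FAR for FRR; a bank picks a threshold to the right of the crossover (lower FAR, higher FRR), while a convenience application picks one to the left.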

24
Q

Amelia is looking for a network authentication method that can use digital certificates and does not require end users to remember passwords. Which of the following would best fit her requirements?

OAUTH

Tokens

OpenID

A

Tokens

Tokens are physical devices that often contain cryptographic data for authentication. They can store digital certificates for use with authentication

25
Q

You are responsible for setting up new accounts for your company network. What is the most important thing to keep in mind when setting up new accounts?

Password length

Account age

Least privileges

A

Least privileges

Least privileges is the most fundamental concept in establishing accounts. Each user should only have just enough privileges to do his or her job. This also applies to service accounts

26
Q

Stefan just became the new security officer for a university. He is concerned that student workers who work late on campus could try and log in with faculty credentials. Which of the following would be most effective in preventing this?

Time of day restrictions

Usage auditing

Password length

A

Time of day restrictions

Restricting each faculty account so that it is only usable when that particular faculty member is typically on campus will prevent someone from logging in with that account after hours, even if he or she has the password

27
Q

Jennifer is concerned that some people in her company have more privileges than they should. This has occurred due to people moving from one position to another, and having cumulative rights that exceed the requirements of their current jobs. Which of the following would be most effective in mitigating this issue?

Permission auditing

Job rotation

Preventing job rotation

A

Permission auditing

A permissions audit will find what permissions each user has and compare that to his or her job requirements. Permission audits should be conducted periodically
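Added example, not part of the original flashcards: a small Python permission audit over a constructed role catalogue and directory export. It lists each user's rights that are not required by their current role and names the roles that do grant them, which is usually the job the right was carried over from.

```python
"""Permission audit: flag rights that exceed a user's current role (added example)."""

# Constructed role catalogue: the permissions each job actually requires.
ROLE_PERMISSIONS = {
    "helpdesk": {"reset_password", "read_tickets"},
    "sysadmin": {"reset_password", "read_tickets", "manage_servers", "read_logs"},
    "finance": {"approve_invoices", "read_ledger"},
}

# Constructed directory export: current role and current effective permissions.
USERS = {
    "jlee": {"role": "finance",
             "permissions": {"approve_invoices", "read_ledger", "manage_servers"}},
    "mkhan": {"role": "helpdesk",
              "permissions": {"reset_password", "read_tickets"}},
    "rdiaz": {"role": "helpdesk",
              "permissions": {"reset_password", "read_tickets", "read_ledger", "read_logs"}},
}


def audit(users=USERS, role_permissions=ROLE_PERMISSIONS):
    """Return {user: {excess_permission: roles that legitimately grant it}}.

    Only users holding rights outside their current role appear; the granting
    roles hint at the previous position the right was carried over from.
    """
    findings = {}
    for name, info in users.items():
        allowed = role_permissions[info["role"]]
        excess = info["permissions"] - allowed
        if excess:
            findings[name] = {
                perm: sorted(r for r, perms in role_permissions.items() if perm in perms)
                for perm in sorted(excess)
            }
    return findings


if __name__ == "__main__":
    for user, excess in audit().items():
        for perm, roles in excess.items():
            print(f"{user}: holds {perm!r}, not required by their role (granted by {roles})")
```

Run periodically against a fresh export and treat every finding as a removal ticket; the same comparison at the moment of a role change is what prevents the creep in the first place.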

28
Q

Chloe has noticed that users on her company’s network frequently have simple passwords made up of common words. Thus, they have weak passwords. How could Chloe best mitigate this issue?

Increase minimum password length.

Have users change passwords more frequently.

Require password complexity.

A

Require password complexity.

Password complexity requires a mixture of uppercase letters, lowercase letters, numbers, and special characters, which rules out a bare dictionary word and is the best of the options given. Current NIST SP 800-63B guidance prefers length and screening new passwords against lists of common and breached passwords over composition rules alone.

29
Q

Bart is looking for a remote access protocol for his company. It is important that the solution he selects support multiple protocols and use a reliable network communication protocol. Which of the following would be his best choice?

RADIUS

TACACS+

NTLM

A

TACACS+

TACACS+ (Terminal Access Controller Access Control System Plus) uses TCP (port 49) rather than UDP, so delivery is reliable, and it supports a wide range of protocols. It also encrypts the entire packet body, whereas RADIUS encrypts only the password field.