Identity and Access Management (2) Flashcards

1
Q

You are looking for an authentication method that has one-time passwords and works well with the Initiative for Open Authentication. However, the user should have unlimited time to use the password. Which of the following would be your best choice?

CHAP

TOTP

HOTP

A

HOTP

HMAC-based One-Time Password (HOTP) is a one-time password that is used by the Initiative for Open Authentication

2
Q

Gerard is trying to find a flexible remote access protocol that can use either TCP or UDP. Which of the following should he select?

RADIUS

TACACS+

TACACS

A

TACACS

The original TACACS defined in RFC 1492 can use either UDP or TCP

3
Q

Emiliano is considering voice recognition as part of his access control strategy. What is one weakness with voice recognition?

People’s voices change.

Systems require training.

High false negative rate

A

Systems require training.

Voice recognition systems have to be trained to recognize the voices of authorized users, and that training takes time

4
Q

You are explaining facial recognition to a colleague. What is the most significant drawback to implementing facial recognition?

These systems can be expensive.

These systems can be fooled with facial hair, glasses, etc.

These systems have a high false positive rate.

A

These systems can be expensive.

The correct answer is that facial recognition is among the most expensive biometrics to implement

5
Q

Mohanned is responsible for account management at his company. He is very concerned about hacking tools that rely on rainbow tables. Which of the following would be most effective in mitigating this threat?

Password age

Password expiration

Password length

A

Password length

Rainbow table attacks are best mitigated by longer passwords. Generating rainbow tables is computationally intensive, and longer passwords (over 14 characters) cannot be cracked by most rainbow tables

6
Q

Mary is a security administrator for a mid-sized company. She is trying to securely off-board employees. What should she do with the network account for an employee who is being off-boarded?

Disable the account.

Delete the account.

Change the account password.

A

Disable the account.

Disabling the account will leave all resources intact, including history and logs, but will render the account unusable

7
Q

Your supervisor tells you to implement security based on your users’ physical characteristics. Under which type of security would hand scanning and retina scanning fall?

CHAP

Multifactor

Biometrics

A

Biometrics

Biometric security is any security based on a user’s physical characteristics

8
Q

What port does TACACS use?

TCP 143

TCP and UDP 49

TCP 443

A

TCP and UDP 49

TACACS uses TCP and UDP 49

9
Q

A company-wide policy is being created to define various security levels. Which of the following systems of access control would use documented security levels like Confidential or Secret for information?

RBAC

MAC

DAC

A

MAC

Mandatory access control (MAC) is based on documented security levels associated with the information being accessed

10
Q

There is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to fulfill. This is the opposite of what principle?

Separation of duties

Least privileges

Transitive trust

A

Least privileges

All accounts should have just enough privileges to execute their job functions. This is referred to as least privileges

11
Q

Users in your network are able to assign permissions to their own shared resources. Which of the following access control models is used in your network?

DAC

RBAC

MAC

A

DAC

Discretionary Access Control (DAC) allows data owners to assign permissions

12
Q

John is performing a port scan of a network as part of a security audit. He notices that the domain controller is using secure LDAP. Which of the following ports would lead him to that conclusion?

389

443

636

A

636

Secure Lightweight Directory Access Protocol (LDAPS) uses port 636 by default

13
Q

Which of the following access control methods grants permissions based on the user’s position in the organization?

RBAC

DAC

ABAC

A

RBAC

Role-Based Access Control (RBAC) grants permissions based on the user’s position within the organization

14
Q

Which of the following can be used as a means for dual-factor authentication?

Password and PIN number

RADIUS and L2TP

Iris scan and password

A

Iris scan and password

Dual-factor authentication requires at least one authentication method from at least two categories. The categories are: Type I, which is something you know; Type II, which is something you have; and Type III, which is something you are. This option is correct because it names authentication methods from two different categories: Type III (iris scan) and Type I (password)

15
Q

Kerberos uses which of the following to issue tickets?

Certificate authority

Ticket-granting service

Key distribution center

A

Key distribution center

The Key Distribution Center (KDC) issues tickets. The tickets are generated by the ticket-granting service, which is usually part of the KDC

16
Q

A company requires that a user’s credentials include providing something they know and something they are in order to gain access to the network. Which of the following types of authentication is being described?

Token

Two-factor

Kerberos

A

Two-factor

Two-factor authentication requires at least one authentication method from at least two categories. The categories are: Type I, which is something you know; Type II, which is something you have; and Type III, which is something you are. The question has two types: Type III (something you are) and Type I (something you know)

17
Q

Samantha is looking for an authentication method that incorporates the X.509 standard and will allow authentication to be digitally signed. Which of the following authentication methods would best meet these requirements?

Certificate-based authentication

OAUTH

Kerberos

A

Certificate-based authentication

Digital certificates use the X.509 standard (or the PGP standard) and allow the user to digitally sign authentication requests

18
Q

Your company relies heavily on cloud and SaaS service providers such as salesforce.com, Office365, and Google. Which of the following would you have security concerns about?

LDAP

TACACS+

SAML

A

SAML

SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between partners online. The integrity of users is the weakness in the SAML identity chain. To mitigate this risk, SAML systems need to use timed sessions, HTTPS, and SSL/TLS

19
Q

Greg is responsible for database security for his company. He is concerned about authentication and permissions. Which of the following should be his first step?

Implement password lockout.

Conduct a permissions audit.

Ensure least privileges.

A

Conduct a permissions audit.

A permissions audit will tell Greg exactly what the current situation is. He must know what is occurring now, in order to address any weaknesses

20
Q

Which of the following is a step in account maintenance?

Check for time of day restrictions.

Review onboarding processes.

Check to see that all accounts are for active employees.

A

Check to see that all accounts are for active employees.

An essential part of account maintenance is checking all accounts to ensure there are no active accounts for employees who are no longer with the company

21
Q

Tyrell works as a security officer for a mid-sized bank. All the employees only work in the office; there are no employees who work remotely or travel for company business. Tyrell is concerned about someone using an employee’s login credentials to access the bank’s network. Which of the following would be most effective in mitigating this threat?

Kerberos authentication

TOTP

Location-based policies

A

Location-based policies

Location-based policies can be used to prevent any login that is not from within the physical network. In this scenario, since no employees work remotely, such a policy would be practical. And it would prevent an attacker from using an employee’s login from outside the network

22
Q

Henry is an employee at Acme Company. The company requires him to change his password every three months. He has trouble remembering new passwords, so he keeps switching between just two passwords. Which policy would be most effective in preventing this?

Password complexity

Password history

Password length

A

Password history

If the system maintains a password history, that would prevent any user from reusing an old password. Common password histories can be up to 24 passwords

23
Q

Sheila is concerned that some users on her network may be accessing files that they should not—specifically, files that are not required for their job tasks. Which of the following would be most effective in determining if this is happening?

Usage auditing and review

Permissions auditing and review

Account maintenance

A

Usage auditing and review

Auditing and reviewing how users actually utilize their account permissions would be the best way to determine if there is any inappropriate use. A classic example would be a bank loan officer. By the nature of their job, they have access to loan documents. But they should not be accessing loan documents for loans they are not servicing

24
Q

In which of the following scenarios would using a shared account pose the least security risk?

For a group of tech support personnel

For guest Wi-Fi access

For students logging in at a university

A

For guest Wi-Fi access

A scenario such as guest Wi-Fi access does not give the logins any access to corporate resources. The people logging in merely get to access the Internet. This poses very limited security risk to the corporate network, and thus is often done with a common or shared account

25
Q

Which of the following is not a part of password complexity?

Using both uppercase and lowercase letters

Minimum password length

Using numbers

A

Minimum password length

While password length is important, it is not part of password complexity

26
Q

Jane is setting up login accounts for federated identities. She wants to avoid requiring the users to remember login credentials and allow them to use their logins from the originating network. Which of the following technologies would be most suitable for implementing this?

Credential management

OAUTH

Kerberos

A

Credential management

Credential management is expressly designed for this, and it is explicitly for federated identities. In fact, Microsoft has a credential management API that programmers can use to implement this

27
Q

Sam is responsible for password management at a large company. Sometimes users cannot recall their passwords. What would be the best solution for him to address this?

Changing password history length

Implementing password recovery

Eliminating password complexity

A

Implementing password recovery

A formal password recovery process is needed. This allows users the possibility of recovering forgotten passwords

28
Q

You are a security administrator for an insurance company. You have discovered that there are a few active accounts for employees who left the company over a year ago. Which of the following would best address this issue?

Password complexity

Onboarding procedures

Password expiration

A

Password expiration

Password expiration would mean that even if the exiting employee’s login is not disabled, the password will simply expire without anyone having to take any action

29
Q

Maria is responsible for security at a small company. She is concerned about unauthorized devices being connected to the network. She is looking for a device authentication process. Which of the following would be the best choice for her?

Kerberos

802.11i

802.1x

A

802.1x

802.1x is the IEEE standard for port-based Network Access Control. This protocol is frequently used to authenticate devices