Identity and Access Management (2) Flashcards
You are looking for an authentication method that has one-time passwords and works well with the Initiative for Open Authentication. However, the user should have unlimited time to use the password. Which of the following would be your best choice?
CHAP
TOTP
HOTP
HOTP
HMAC-based One-Time Password (HOTP) is a one-time password that is used by the Initiative for Open Authentication
Gerard is trying to find a flexible remote access protocol that can use either TCP or UDP. Which of the following should he select?
RADIUS
TACACS+
TACACS
TACACS
The original TACACS defined in RFC 1492 can use either UDP or TCP
Emiliano is considering voice recognition as part of his access control strategy. What is one weakness with voice recognition?
People’s voices change.
Systems require training.
High false negative rate
Systems require training.
Voice recognition systems have to be trained to recognize the voices of authorized users, and that training takes time
You are explaining facial recognition to a colleague. What is the most significant drawback to implementing facial recognition?
These systems can be expensive.
These systems can be fooled with facial hair, glasses, etc.
These systems have a high false positive rate.
These systems can be expensive.
The correct answer is that facial recognition is among the most expensive biometrics to implement
Mohanned is responsible for account management at his company. He is very concerned about hacking tools that rely on rainbow tables. Which of the following would be most effective in mitigating this threat?
Password age
Password expiration
Password length
Password length
Rainbow table attacks are best mitigated by longer passwords. Generating rainbow tables is computationally intensive, and longer passwords (over 14 characters) cannot be cracked by most rainbow tables
Mary is a security administrator for a mid-sized company. She is trying to securely off-board employees. What should she do with the network account for an employee who is being off-boarded?
Disable the account.
Delete the account.
Change the account password.
Disable the account.
Disabling the account will leave all resources intact, including history and logs, but will render the account unusable
Your supervisor tells you to implement security based on your users’ physical characteristics. Under which type of security would hand scanning and retina scanning fall?
CHAP
Multifactor
Biometrics
Biometrics
Biometric security is any security based on a user’s physical characteristics
What port does TACACS use?
TCP 143
TCP and UDP 49
TCP 443
TCP and UDP 49
TACACS uses TCP and UDP 49
A company-wide policy is being created to define various security levels. Which of the following systems of access control would use documented security levels like Confidential or Secret for information?
RBAC
MAC
DAC
MAC
Mandatory access control (MAC) is based on documented security levels associated with the information being accessed
There is a common security issue that is extremely hard to control in large environments. It occurs when a user has more computer rights, permissions, and privileges than what is required for the tasks the user needs to fulfill. This is the opposite of what principle?
Separation of duties
Least privileges
Transitive trust
Least privileges
All accounts should have just enough privileges to execute their job functions. This is referred to as least privileges
Users in your network are able to assign permissions to their own shared resources. Which of the following access control models is used in your network?
DAC
RBAC
MAC
DAC
Discretionary Access Control (DAC) allows data owners to assign permissions
John is performing a port scan of a network as part of a security audit. He notices that the domain controller is using secure LDAP. Which of the following ports would lead him to that conclusion?
389
443
636
636
Secure Lightweight Directory Access Protocol uses port 636 by default
Which of the following access control methods grants permissions based on the user’s position in the organization?
RBAC
DAC
ABAC
RBAC
Role-Based Access Control (RBAC) grants permissions based on the user’s position within the organization
Which of the following can be used as a means for dual-factor authentication?
Password and PIN number
RADIUS and L2TP
Iris scan and password
Iris scan and password
Dual-factor authentication requires at least one authentication method from at least two categories. The categories are: Type I, which is something you know; Type II, which is something you have; and Type III, which is something you are. The iris scan and password option is correct because it names authentication methods from two different categories: Type III (iris scan) and Type I (password)
Kerberos uses which of the following to issue tickets?
Certificate authority
Ticket-granting service
Key distribution center
Key distribution center
The Key Distribution Center (KDC) issues tickets. The tickets are generated by the ticket-granting service, which is usually part of the KDC
A company requires that a user’s credentials include providing something they know and something they are in order to gain access to the network. Which of the following types of authentication is being described?
Token
Two-factor
Kerberos
Two-factor
Two-factor authentication requires at least one authentication method from at least two categories. The categories are: Type I, which is something you know; Type II, which is something you have; and Type III, which is something you are. The question has two types: Type III (something you are) and Type I (something you know)
Samantha is looking for an authentication method that incorporates the X.509 standard and will allow authentication to be digitally signed. Which of the following authentication methods would best meet these requirements?
Certificate-based authentication
OAUTH
Kerberos
Certificate-based authentication
Digital certificates use the X.509 standard (or the PGP standard) and allow the user to digitally sign authentication requests
Your company relies heavily on cloud and SaaS service providers such as salesforce.com, Office365, and Google. Which of the following would you have security concerns about?
LDAP
TACACS+
SAML
SAML
SAML (Security Assertion Markup Language) is an Extensible Markup Language (XML) framework for creating and exchanging security information between partners online. The integrity of users is the weakness in the SAML identity chain. To mitigate this risk, SAML systems need to use timed sessions, HTTPS, and SSL/TLS
Greg is responsible for database security for his company. He is concerned about authentication and permissions. Which of the following should be his first step?
Implement password lockout.
Conduct a permissions audit.
Ensure least privileges.
Conduct a permissions audit.
A permissions audit will tell Greg exactly what the current situation is. He must know what is occurring now, in order to address any weaknesses
Which of the following is a step in account maintenance?
Check for time of day restrictions.
Review onboarding processes.
Check to see that all accounts are for active employees.
Check to see that all accounts are for active employees.
An essential part of account maintenance is checking all accounts to ensure there are no active accounts for employees who are no longer with the company
Tyrell works as a security officer for a mid-sized bank. All the employees only work in the office; there are no employees who work remotely or travel for company business. Tyrell is concerned about someone using an employee’s login credentials to access the bank’s network. Which of the following would be most effective in mitigating this threat?
Kerberos authentication
TOTP
Location-based policies
Location-based policies
Location-based policies can be used to prevent any login that is not from within the physical network. In this scenario, since no employees work remotely, such a policy would be practical, and it would prevent an attacker from using an employee’s login from outside the network
Henry is an employee at Acme Company. The company requires him to change his password every three months. He has trouble remembering new passwords, so he keeps switching between just two passwords. Which policy would be most effective in preventing this?
Password complexity
Password history
Password length
Password history
If the system maintains a password history, that would prevent any user from reusing an old password. Common password histories can be up to 24 passwords
Sheila is concerned that some users on her network may be accessing files that they should not—specifically, files that are not required for their job tasks. Which of the following would be most effective in determining if this is happening?
Usage auditing and review
Permissions auditing and review
Account maintenance
Usage auditing and review
Auditing and reviewing how users actually utilize their account permissions would be the best way to determine if there is any inappropriate use. A classic example would be a bank loan officer. By the nature of their job, they have access to loan documents. But they should not be accessing loan documents for loans they are not servicing
In which of the following scenarios would using a shared account pose the least security risk?
For a group of tech support personnel
For guest Wi-Fi access
For students logging in at a university
For guest Wi-Fi access
A scenario such as guest Wi-Fi access does not provide the logins with any access to corporate resources. The people logging in merely get to access the Internet. This poses very limited security risk to the corporate network, and thus is often done with a common or shared account
Which of the following is not a part of password complexity?
Using both uppercase and lowercase letters
Minimum password length
Using numbers
Minimum password length
While password length is important, it is not part of password complexity
Jane is setting up login accounts for federated identities. She wants to avoid requiring the users to remember login credentials and allow them to use their logins from the originating network. Which of the following technologies would be most suitable for implementing this?
Credential management
OAUTH
Kerberos
Credential management
Credential management is expressly designed for this, and it is explicitly for federated identities. In fact, Microsoft has a credential management API that programmers can use to implement this
Sam is responsible for password management at a large company. Sometimes users cannot recall their passwords. What would be the best solution for him to address this?
Changing password history length
Implementing password recovery
Eliminating password complexity
Implementing password recovery
A formal password recovery process is needed. This allows users the possibility of recovering forgotten passwords
You are a security administrator for an insurance company. You have discovered that there are a few active accounts for employees who left the company over a year ago. Which of the following would best address this issue?
Password complexity
Onboarding procedures
Password expiration
Password expiration
Password expiration would mean that even if the exiting employee’s login is not disabled, the password will simply expire without anyone having to take any action
Maria is responsible for security at a small company. She is concerned about unauthorized devices being connected to the network. She is looking for a device authentication process. Which of the following would be the best choice for her?
Kerberos
802.11i
802.1X
802.1X
802.1X is the IEEE standard for port-based Network Access Control. This protocol is frequently used to authenticate devices