Identity and Access Management (3) Flashcards

1
Q

Laura is a security admin for a mid-sized mortgage company. She wants to ensure that the network is using the most secure login and authentication scheme possible. Which of the following would be her best choice?

Iris scanning

Fingerprint scanning

Multifactor authentication

A

Multifactor authentication

Multi-factor authentication uses at least one authentication method from at least two of the three categories. For example, a password (Type I: something you know) and a swipe card (Type II: something you have). Multi-factor authentication is the strongest form of authentication among the options listed.

2
Q

Charles is a CISO for an insurance company. He recently read about an attack wherein an attacker was able to enumerate all the network resources, and was able to make some resources unavailable. All this was done by exploiting a single protocol. Which protocol should Charles secure to mitigate this attack?

SNMP

LDAP

HTTP

A

LDAP

Lightweight Directory Access Protocol (LDAP) is often described as a phone book for your network: it lists all the network resources. Various attacks on LDAP can give the attacker a very thorough inventory of your network. Furthermore, an attacker can remove an item from LDAP and thus render it inaccessible. LDAP can be secured with TLS, and thus become LDAPS (LDAP Secure).

3
Q

Robert is using PAP for authentication in his network. What is the most significant weakness in PAP?

Unsigned authentication

Single factor

Credentials sent in cleartext

A

Credentials sent in cleartext

Password Authentication Protocol (PAP) is a very old protocol that sends the username and password in cleartext. It should no longer be used.

4
Q

You are responsible for account access control and authorization at a large university. There are approximately 30,000 students and 1,200 faculty/staff for whom you must manage accounts. Which of the following would be the best access control/account management approach?

Group-based

Location-based

MAC

A

Group-based

With larger organizations, group-based access control is usually the most effective. Users are placed in groups (student, faculty, IT staff, support staff, administration, etc.), and permissions are managed for the group.

5
Q

Which of the following is most important in managing account permissions?

Account recertification

Usage auditing

Standard naming conventions

A

Account recertification

Periodic recertification of accounts is critical. The recertification process verifies that the account holder still requires the permissions they have been granted.

6
Q

Which of the following would be the best choice for naming the account of John Smith, who is a domain administrator?

dm_jsmith

jsmithAdmin

jsmith

A

jsmith

While you should use standard naming conventions, the names of accounts should not reveal the actual account role.

7
Q

Megan is very concerned about file system security on her network servers. Which of the following is the most basic form of file system security?

Encryption

Access control

Auditing

A

Access control

Access control to files and directories is the most fundamental aspect of file system security. This includes selecting the correct access control methodology (MAC, DAC, RBAC).

8
Q

Karen is responsible for account security in her company. She has discovered a receptionist whose account has a six-character password that has not been changed in two years, and her password history is not being maintained. What is the most significant problem with this account?

Nothing, this is adequate for a low-security position.

The password length is the most significant problem.

The lack of password history is the most significant problem.

A

The password length is the most significant problem.

While there are multiple issues with this account, the password length is the most significant. Shorter passwords are inherently insecure.

9
Q

When you’re offboarding an employee, which of the following is the first thing you should do?

Audit their computer.

Disable accounts.

Delete accounts.

A

Disable accounts.

Disabling all accounts for the exiting user should happen immediately.

10
Q

Which of the following is a difference between TACACS and TACACS+?

TACACS uses UDP, TACACS+ uses TCP

TACACS uses TCP or UDP, TACACS+ uses UDP

TACACS uses UDP, TACACS+ uses UDP or TCP

A

TACACS uses UDP, TACACS+ uses UDP or TCP

TACACS+ can use TCP or UDP, though it is more common to use TCP. It should also be noted that TACACS+ is not backward compatible with TACACS.

11
Q

Greg is considering using CHAP or MS-CHAPv2 for authenticating remote users. Which of the following is a major difference between the two protocols?

CHAP provides mutual authentication, MS-CHAPv2 does not.

CHAP uses AES for the challenge, MS-CHAPv2 uses a hash.

MS-CHAPv2 provides mutual authentication, CHAP does not.

A

MS-CHAPv2 provides mutual authentication, CHAP does not.

CHAP uses a hash (often MD5) for authentication, as does MS-CHAPv2. However, MS-CHAPv2 provides mutual authentication, whereas CHAP only authenticates the client to the server.

12
Q

Terrance is looking for a physical access solution that uses asymmetric cryptography (public key cryptography) to authorize the user. What type of solution is this?

Asynchronous password token

Challenge response token

TOTP token

A

Challenge response token

With a challenge response token, the system will encrypt some value (often a random number) with the user’s public key. If the user’s token has the correct private key, it can decrypt the value that the system sent, and confirm that

13
Q

Which access control model is based on the Trusted Computer System Evaluation Criteria (TCSEC)?

MAC

RBAC

DAC

A

DAC

Discretionary Access Control (DAC) is based on the Trusted Computer System Evaluation Criteria (TCSEC). The data owner has control over access to the data.

14
Q

Mary is responsible for the security of database servers at a mortgage company. The servers are Windows Server 2016. She is concerned about file system security. Which of the following Microsoft features would be most helpful to her in implementing file system security?

EFS

Account lockout

UAC

A

EFS

While all of these features are important to security, the Encrypted File System (EFS) allows a person to easily encrypt any file or folder. This is important to file system security.

15
Q

Santiago manages database security for a university. He is concerned about ensuring that appropriate security measures are implemented. Which of the following would be most important to database security?

Password policies

Antivirus

Access control policies

A

Access control policies

Access control is the most important issue for database security. It is critical that the principle of least privilege is adhered to and that each database user only has access to the data necessary to do his or her job.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

Ingrid is reviewing her company’s recertification policy. Which of the following is the best reason to recertify?

To audit usage

To enhance onboarding

To audit permissions

A

To audit permissions

Recertification is a means of checking permissions. It essentially involves certifying accounts again, as if they were new, which audits the permissions they hold.

17
Q

Emma is concerned about credential management. Users on her network often have over a half-dozen passwords to remember. She is looking for a solution to this problem. Which of the following would be the best way to address this issue?

Implement a manager.

Use shorter passwords.

Implement OAUTH.

A

Implement a manager.

While there are security concerns with password managers, they provide a method for storing large numbers of passwords so that users don’t have to remember them all.

18
Q

Magnus is concerned about someone using a password cracker on computers in his company. He is concerned that crackers will attempt common passwords in order to log in to a system. Which of the following would be best for mitigating this threat?

Password age restrictions

Account lockout policies

Account usage auditing

A

Account lockout policies

Accounts should lock out after a small number of failed login attempts. Three is a common number of attempts before the account is locked out. This prevents someone from simply making repeated guesses.

19
Q

Lucas is looking for an XML-based open standard for exchanging authentication information. Which of the following would best meet his needs?

SAML

OAUTH

RADIUS

A

SAML

Security Assertion Markup Language (SAML) is an XML-based, open-standard format for exchanging authentication and authorization data between parties.

20
Q

Which of the following processes transpires when a user provides a correct username and password?

Identification

Authentication

Authorization

A

Authentication

Authentication is the process that validates an identity. When a user provides their credentials (username and password), they are compared to those on file in a database on the local operating system or within an authentication server.

21
Q

Min-seo is looking for a type of access control that enforces authorization rules by the operating system. Users cannot override authentication or access control policies. Which of the following best fits this description?

DAC

MAC

RBAC

A

MAC

Mandatory Access Control (MAC) is a type of access control in which the operating system enforces the authorization rules. Users cannot override authentication or access control policies.

22
Q

Hinata is considering biometric access control solutions for her company. She is concerned about the crossover error rate (CER). Which of the following most accurately describes the CER?

The rate of false acceptance

The point at which false rejections outpace false acceptances

The point at which false rejections and false acceptances are equal

A

The point at which false rejections and false acceptances are equal

The crossover error rate (CER), also sometimes called the equal error rate (EER), is the point at which the false acceptance and false rejection rates are the same.

23
Q

Joshua is looking for an authentication protocol that would be effective at stopping session hijacking. Which of the following would be his best choice?

CHAP

PAP

SPAP

A

CHAP

Challenge Handshake Authentication Protocol (CHAP) was designed specifically for this purpose. It periodically reauthenticates the client, thus preventing session hijacking.

24
Q

David is trying to select an authentication method for his company. He needs one that will support REST as well as multiple web-based and mobile clients. Which of the following would be his best choice?

Shibboleth

RADIUS

OpenID Connect

A

OpenID Connect

OpenID Connect is built on the OAuth 2.0 protocol and supports multiple client types, including web-based and mobile clients. OpenID Connect also supports REST.

25
Q

Phillip is examining options for controlling physical access to the server room at his company. He wants a hands-free solution. Which of the following would be his best choice?

Smart cards

Proximity cards

Tokens

A

Proximity cards

Proximity cards only need to be very close to the card reader to work properly, so the user does not have to handle them.

26
Q

Which of the following is the most significant disadvantage of federated identities?

They cannot be used with Kerberos.

Poor password management

Transitive trust

A

Transitive trust

Federated identities introduce transitive trust. A login account can be used across multiple business entities, thus creating an implied trust relationship between them. The security of any of the federated identities is affected by the security of the others.

27
Q

Max is implementing type II authentication for his company. Which of the following would be an example of type II authentication?

Strong passwords

Retinal scan

Smart cards

A

Smart cards

Type II authentication is something you have. A smart card is an item that the person has.

28
Q

Nicole is implementing a server authentication method that depends on a TPM in the server. Which of the following best describes this approach?

Hardware-based access control

Software-based access control

Digital certificate–based access control

A

Hardware-based access control

A TPM (Trusted Platform Module) can be used in authentication. A TPM is a hardware chip, so this is hardware-based access control.