Identity and Access Management (3) Flashcards
Laura is a security admin for a mid-sized mortgage company. She wants to ensure that the network is using the most secure login and authentication scheme possible. Which of the following would be her best choice?
Iris scanning
Fingerprint scanning
Multifactor authentication
Multifactor authentication
Multi-factor authentication uses at least one authentication method from at least two of the three categories. For example, a password (Type I: something you know) and a swipe card (Type II: something you have). Multi-factor authentication is the strongest authentication
Charles is a CISO for an insurance company. He recently read about an attack wherein an attacker was able to enumerate all the network resources, and was able to make some resources unavailable. All this was done by exploiting a single protocol. Which protocol should Charles secure to mitigate this attack?
SNMP
LDAP
HTTP
LDAP
Lightweight Directory Access Protocol (LDAP) is often described as a phone book for your network. It lists all the network resources. Various attacks on LDAP can give the attacker a very thorough inventory of your network. Furthermore, an attacker can remove an item from LDAP and thus render it inaccessible. LDAP can be secured with TLS, and thus become LDAPS (LDAP Secure)
Robert is using PAP for authentication in his network. What is the most significant weakness in PAP?
Unsigned authentication
Single factor
Credentials sent in cleartext
Credentials sent in cleartext
Password Authentication Protocol (PAP) is a very old protocol that sends the username and password in cleartext. It should no longer be used
You are responsible for account access control and authorization at a large university. There are approximately 30,000 students and 1,200 faculty/staff for whom you must manage accounts. Which of the following would be the best access control/account management approach?
Group-based
Location-based
MAC
Group-based
With larger organizations, group-based is usually the most effective. Users are placed in groups (student, faculty, IT staff, support staff, administration, etc.), and permissions are managed for the group
Which of the following is most important in managing account permissions?
Account recertification
Usage auditing
Standard naming conventions
Account recertification
Periodic recertification of accounts is critical. The recertification process verifies that the account holder still requires the permissions they have been granted
Which of the following would be the best choice for naming the account of John Smith, who is a domain administrator?
dm_jsmith
jsmithAdmin
jsmith
jsmith
While you should use standard naming conventions, the names of accounts should not reflect the actual account role
Megan is very concerned about file system security on her network servers. Which of the following is the most basic form of file system security?
Encryption
Access control
Auditing
Access control
Access control to files and directories is the most fundamental aspect of file system security. This includes selecting the correct access control methodology (MAC, DAC, RBAC)
Karen is responsible for account security in her company. She has discovered a receptionist whose account has a six-character password that has not been changed in two years, and her password history is not being maintained. What is the most significant problem with this account?
Nothing, this is adequate for a low-security position.
The password length is the most significant problem.
The lack of password history is the most significant problem.
The password length is the most significant problem.
While there are multiple issues with this account, the password length is the most significant. Shorter passwords are inherently insecure
When you’re offboarding an employee, which of the following is the first thing you should do?
Audit their computer.
Disable accounts.
Delete accounts.
Disable accounts.
Disabling all accounts for the exiting user should happen immediately
Which of the following is a difference between TACACS and TACACS+?
TACACS uses UDP, TACACS+ uses TCP
TACACS uses TCP or UDP, TACACS+ uses UDP
TACACS uses UDP, TACACS+ uses UDP or TCP
TACACS uses UDP, TACACS+ uses UDP or TCP
TACACS+ can use TCP or UDP, though it is more common to use TCP. It should also be noted that TACACS+ is not backward compatible
Greg is considering using CHAP or MS-CHAPv2 for authenticating remote users. Which of the following is a major difference between the two protocols?
CHAP provides mutual authentication, MS-CHAPv2 does not.
CHAP uses AES for the challenge, MS-CHAPv2 uses a hash.
MS-CHAPv2 provides mutual authentication, CHAP does not.
MS-CHAPv2 provides mutual authentication, CHAP does not.
CHAP uses a hash, often MD5, for authentication, as does MS-CHAPv2. However, MS-CHAPv2 provides mutual authentication, whereas CHAP only authenticates the client to the server
Terrance is looking for a physical access solution that uses asymmetric cryptography (public key cryptography) to authorize the user. What type of solution is this?
Asynchronous password token
Challenge response token
TOTP token
Challenge response token
With a challenge response token, the system will encrypt some value (often a random number) with the user’s public key. If the user’s token has the correct private key, it can decrypt the value that the system sent, and confirm that
Which access control model is based on the Trusted Computer System Evaluation Criteria (TCSEC)?
MAC
RBAC
DAC
DAC
Discretionary Access Control (DAC) is based on the Trusted Computer System Evaluation Criteria (TCSEC). The data owner has control over the access control
Mary is responsible for the security of database servers at a mortgage company. The servers are Windows Server 2016. She is concerned about file system security. Which of the following Microsoft features would be most helpful to her in implementing file system security?
EFS
Account lockout
UAC
EFS
While all of these features are important to security, the Encrypting File System (EFS) allows a person to easily encrypt any file or folder. This is important to file system security
Santiago manages database security for a university. He is concerned about ensuring that appropriate security measures are implemented. Which of the following would be most important to database security?
Password policies
Antivirus
Access control policies
Access control policies
Access control is the most important issue for database security. It is critical that the principle of least privilege is adhered to and that each database user only has access to the data necessary to do his or her job
Ingrid is reviewing her company’s recertification policy. Which of the following is the best reason to recertify?
To audit usage
To enhance onboarding
To audit permissions
To audit permissions
Recertification is a means for checking permissions. It essentially involves conducting certification of accounts, as if they were new. This can be done to audit permissions
Emma is concerned about credential management. Users on her network often have over a half-dozen passwords to remember. She is looking for a solution to this problem. Which of the following would be the best way to address this issue?
Implement a manager.
Use shorter passwords.
Implement OAUTH.
Implement a manager.
While there are security concerns with password managers, they can provide a method for storing large numbers of passwords so that users don’t have to remember them all
Magnus is concerned about someone using a password cracker on computers in his company. He is concerned that crackers will attempt common passwords in order to log in to a system. Which of the following would be best for mitigating this threat?
Password age restrictions
Account lockout policies
Account usage auditing
Account lockout policies
Accounts should lock out after a small number of login attempts. Three is a common number of attempts before the account is locked out. This prevents someone from just attempting random guesses
Lucas is looking for an XML-based open standard for exchanging authentication information. Which of the following would best meet his needs?
SAML
OAUTH
RADIUS
SAML
Security Assertion Markup Language (SAML) is an XML-based, open-standard format for exchanging authentication and authorization data between parties
Which of the following processes transpires when a user provides a correct username and password?
Identification
Authentication
Authorization
Authentication
Authentication is the process that validates an identity. When a user provides their credentials (username and password), these are compared to those on file in a database on a local operating system or within an authentication server
Min-seo is looking for a type of access control that enforces authorization rules by the operating system. Users cannot override authentication or access control policies. Which of the following best fits this description?
DAC
MAC
RBAC
MAC
Mandatory Access Control (MAC) is a type of access control that enforces authorization rules by the operating system. Users cannot override authentication or access control policies
Hinata is considering biometric access control solutions for her company. She is concerned about the crossover error rate (CER). Which of the following most accurately describes the CER?
The rate of false acceptance
The point at which false rejections outpace false acceptances
The point at which false rejections and false acceptances are equal
The point at which false rejections and false acceptances are equal
The crossover error rate (CER) is also sometimes called the equal error rate (EER) and is the point at which the false acceptance and false rejection rates are the same
Joshua is looking for an authentication protocol that would be effective at stopping session hijacking. Which of the following would be his best choice?
CHAP
PAP
SPAP
CHAP
Challenge Handshake Authentication Protocol (CHAP) was designed specifically for this purpose. It periodically reauthenticates, thus preventing session hijacking
David is trying to select an authentication method for his company. He needs one that will support REST as well as multiple web-based and mobile clients. Which of the following would be his best choice?
Shibboleth
RADIUS
OpenID Connect
OpenID Connect
OpenID Connect works with the OAuth 2.0 protocol and supports multiple clients, including web-based and mobile clients. OpenID Connect also supports REST
Phillip is examining options for controlling physical access to the server room at his company. He wants a hands-free solution. Which of the following would be his best choice?
Smart cards
Proximity cards
Tokens
Proximity cards
Proximity cards only need to be very close to the card reader to work properly
Which of the following is the most significant disadvantage of federated identities?
They cannot be used with Kerberos.
Poor password management
Transitive trust
Transitive trust
Federated identities introduce transitive trust. A login account can be used across multiple business entities, thus creating an implied trust relationship between them. The security of any of the federated identities is impacted by the security of the others
Max is implementing type II authentication for his company. Which of the following would be an example of type II authentication?
Strong passwords
Retinal scan
Smart cards
Smart cards
Type II authentication is something you have. A smart card is an item that the person has
Nicole is implementing a server authentication method that depends on a TPM in the server. Which of the following best describes this approach?
Hardware-based access control
Software-based access control
Digital certificate–based access control
Hardware-based access control
A TPM (Trusted Platform Module) can be used in authentication. A TPM is a computer chip, so this is hardware-based access control