Lesson 8: Implementing Identity and Account Management Controls Flashcards
Consider the challenges with providing privileged management and authorization on an enterprise network. Which of the following would the network system administrator NOT be concerned with when configuring directory services?
A. Confidentiality
B. Integrity
C. Non-repudiation
D. DoS
D
Examine the tradeoff between traditional password policy complexity requirements and updated practical suggestions from the National Institute of Standards and Technology (NIST) and select the statement that fits both practical password management and traditional complexity requirements.
A. Passwords should be easy to remember and can include spaces and repetitive strings of numbers (like 987654).
B. Passwords should be easy to remember, but should never use spaces.
C. Passwords should be written in a common password repository held secure by a member of the IT staff.
D. Passwords should not contain dictionary words or contextual information, such as a username or the company name.
D
A member of the IT team at a company launches a simulated phishing attack email to users across the organization. Which of these statements most accurately describes the purpose of such an attack?
A. The attack simulated an insider attack and alerted other members of the IT team to the presence of an attack.
B. The attack is a bug bounty, which identifies individuals in the organization who recognize the attack, who then make attempts to enhance security.
C. The attack identifies those users who respond to the phishing attempt as individuals who may require more training.
D. The attack prepares users for upcoming training, with users who respond appropriately designated as teachers.
C
An employee has arrived to work and logged into the network with their smart card. This employee now has access to the company databases, email, and shared network resources. Evaluate all of the basic authorization policies and determine the policy best illustrated in this scenario.
A. Least privilege
B. Implicit deny
C. Single Sign-On (SSO)
D. Access key
C
Many Internet companies, such as Google and Facebook, allow users to share a single set of credentials between multiple service providers. For example, a user could log in to Amazon using their Facebook credentials. Which term correctly defines this example?
A. Federation
B. Single sign-on
C. Permission
D. Access control
A
Federation means the company trusts the accounts created and managed by a different network. The networks establish trust relationships, so the identity of a user (principal) from network A (identity provider) can be trusted as authentic by network B (service provider).
A company is instituting role-based training. Which type of training will the company require the data owner to most likely complete?
A. Expert knowledge of IT security and network design
B. Training to ensure technical understanding of access controls
C. Training on data management and PII plus regulatory and compliance frameworks
D. Training on compliance issues and data classification systems
D
The data owner is responsible for data guardianship, and training for this role will focus on compliance issues and data classification systems.
Many access control models are rule-based. Consider how each of the following models determines how users receive rights and determine which model is NOT rule-based.
A. RBAC
B. DAC
C. MAC
D. ABAC
B
Discretionary Access Control (DAC) is not rule-based. DAC stresses the importance of the owner, who has full control over resources and can modify the Access Control List to grant rights to others.
An employee is working on a team to build a directory of systems they are installing in a classroom. The team is using the Lightweight Directory Access Protocol (LDAP) to update the X.500 directory. Utilizing the standards of an X.500 directory, which of the following distinguished names is the employee most likely to recommend?
A. OU=Univ,DC=local,CN=user,CN=system1
B. CN=system1,CN=user,OU=Univ,DC=local
C. CN=user,DC=local,OU=Univ,CN=system1
D. DC=system1,OU=Univ,CN=user,DC=local
B
A distinguished name is a unique identifier for any given resource within an X.500-like directory and is made up of attribute=value pairs, separated by commas. The most specific attribute is listed first, and successive attributes become progressively broader.
What are the most common, baseline account policies system administrators implement on a secure domain network? (Select all that apply.)
A. Use upper- and lower-case letters, numbers, and special characters for passwords.
B. Set a lockout duration period of 15 minutes.
C. Disable enforcement of a password history policy for unique passwords.
D. Use a shared account for administrative work on the network.
A,B
A company’s clean desk policy will most likely feature which of the following clauses?
A. Employees must not use multiple tabs in a browser window.
B. Employees must keep their workplace tidy and professional in appearance.
C. Employees may not use personally-owned electronic devices in the office.
D. Employees must not leave documents unattended in their workspace.
D
Which statement best describes the purpose of an acceptable use policy (AUP)?
A. An AUP governs how employees may use company equipment and internet services.
B. An AUP establishes ethical standards for employee behavior.
C. An AUP communicates a company’s values and expectations to its employees and customers.
D. An AUP defines security roles and training requirements for different types of employees.
A
Compare all of the functions within directory services and determine which statement accurately reflects the function of group memberships.
A. The key provided at authentication lists a user’s group memberships, which in turn allows certain access to resources on the network.
B. The system compares group memberships with the user’s logon credentials to determine if the user has access to the network resources.
C. Group memberships contain entries for all usernames and groups that have permission to use the resource.
D. Group memberships are like a database, where an object is similar to a record, and the attributes known about the object are similar to the fields.
A
Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE?
A. The Network service account and the Local service account have the same privileges as the standard user account.
B. Any process created using the system account will have full privileges over the local computer.
C. The local service account creates the host processes and starts Windows before the user logs on.
D. The Local Service account can only access network resources as an anonymous user.
C
An employee recently retired, and the employee received an exit interview, returned a company-issued laptop, and had company-specific programs and applications removed from a personal PC. Evaluate this employee’s offboarding process and determine what, if anything, remains to be done.
A. The offboarding process is complete; no further action is necessary.
B. IT needs to disable the employee’s user account and privileges.
C. IT needs to delete any company data encrypted with the employee’s key.
D. The employee must sign a nondisclosure agreement (NDA).
B
Analyze and compare the access control models in terms of how Access Control Lists (ACL) are written and determine which statement accurately explains the Discretionary Access Control (DAC) model.
A. A DAC model is the most flexible and weakest access control model. Administrative accounts have control of the resource and grant rights to others.
B. A DAC model is the least flexible and strongest access control model. The owner has full control over the resource and grants rights to others.
C. A DAC model is the least flexible and strongest access control model. Administrative accounts have control of the resource and grant rights to others.
D. A DAC model is the most flexible and weakest access control model. The owner has full control over the resource and grants rights to others.
D