Info Sec Ch 2


Brad is teaching his employees about the company's new single sign-on log-in. However, many of them have doubts. Which of the following employee thoughts is a valid attribute of SSO? (2)

"This will enhance our security only if all of our users utilize strong authentication."

______ must exist in order for Kerberos to work properly. (Select all that apply) (2)

A method of issuing authentication tickets, Time synchronization across systems, A database of users

Den's organization is implementing an SDN. Management wants to use an access control model that controls access based on attributes. Which of the following is the BEST solution?

ABAC

William left the organization 3 months ago and his account has been inactive ever since. The company's administrator has to decide what to do with the account. What is the best option in this situation? (2)

Delete the account

At the power plant, Julie uses Shibboleth to connect to resources on a separate network at the local school. However, the networks are not joined into one. What is Shibboleth an example of? (2)

Federated Identity Solution

ABACs use attributes from policies to grant access to resources through matching. Caleb is researching ABACs and has noticed four elements typically included in policy statements. Which of the following is not one of these elements? (2)

Flexibility

Which method is used to create one-time passwords that do not expire? (2)

HOTP

Melissa has an important financial account to secure. She has to decide whether to use single-factor authentication, dual-factor authentication, or multifactor authentication. She decides that she will use only a PIN and a complex password to secure the account. What form of authentication did she decide to use? (2)

Single-factor authentication

The security company that conducted a threat assessment of your company infrastructure is suggesting you add a second layer of authentication to all accounts. If you wish to add something you have, what are the choices? (2)

Smart Card, Token/Key fob

There are many types of authentication factors. Management at the small firm you work for requests that the best form of authentication be used to access the computer system. What is the most secure form of authentication? (2)

Something you are

There are many types of authentication factors. Management at the small firm you work for requests that the best form of authentication be used to access the computer system. What is the least secure form of authentication? (2)

Something you know

Your company requires you to provide a password and a scan of your retina to log in to your computer. Which factors of authentication are being used? (2)

Something you know, something you are

Two organizations, Bullseye and Malwart, have decided to engage in a company-wide joint venture and need to have access to each other's website resources. Both companies play softball with each other on weekends, so they trust each other's authentication servers a lot. Which identity management system should they use? (2)

Security Assertion Markup Language

Mark is installing the MySQL application on a computer. The database application runs on a server and needs access to resources on the server and the network. Therefore, Mark creates a regular user account named mysqlapp that will only be used by the application and not by an end user. What account type is he using? (2)

Service account

What type of account in a network often poses the most challenge to manage? (2)

Service account

April is a training instructor and she maintains a training lab with 20 computers. She has enough rights and permissions on these machines so that she can configure them as needed for classes. However, she does not have the rights to add them to the organization's domain. Which of the following choices BEST describes this example?

least privilege

You may have heard that Buzzfeed and several other big media companies have recently laid off a large proportion of their journalistic staff, and now need to apply disablement policies to those employees' company accounts. Which of the following are disablement policies? (2)

leave of absence, delete account, terminated employee

In order to log in to your corporate laptop, you have to insert a smart card into the laptop and enter a password. What is this type of system called? (2)

Two-factor authentication

Which of the following is not a true statement regarding CER? (2)

A high CER indicates a very accurate biometric system.

Developers are planning to develop an application using RBAC. Which of the following would they MOST likely include in their planning?

A matrix of functions matched with their required privileges

Brenda and Mike are arguing over which authentication factor is the strongest individually. Brenda believes it is "something you are" while Mike thinks it is "something you do." Which of them is correct? (2)

Brenda, "something you are" is the most difficult to falsify due to biometric methods

FRR and FAR overlap to create what? (2)

CER

Alexa E. Cho has just started as the new Active Directory manager for Apple. She noticed that the previous manager did not have any good account management policies in place and instead did strange things like only removing accounts when the number of days they were inactive was divisible by 13. What are some good account management policies that Alexa could implement? (Select all that apply) (2)

Disabling an employee's account just because they are on a leave of absence, Deleting any accounts that have been inactive for more than 60 days, Restricting the times of the day that employees can log in

Which of the following is NOT part of a disablement policy? (2)

Enabling disabled accounts

In Group Policy, administrators can configure Password Policy settings. Which of the following are a part of these settings in a Windows system? (2)

Enforce password history, Minimum password age

Security Assertion Markup Language (SAML) is an _____-based data format used for SSO on web browsers. (2)

Extensible Markup Language (XML)

_____ is when a biometric system incorrectly identifies an unauthorized user as an authorized user. (2)

FAR

I got an email at 2am from Steam saying that they blocked an attempted login to my account because it came from Shenzhen, China, while I usually log in from Oklahoma. What technology protected me before I set up 2FA (which I did immediately afterward)? (2)

Geolocation technologies.

What does GPO stand for? (2)

Group Policy Object

At corporate, Jacob uses a network authentication mechanism that is used within Windows Active Directory domains and also some Unix environments. It has a Key Distribution Center (KDC) and uses time synchronization. Which of the following systems is Jacob using at corporate? (2)

Kerberos

A network includes a ticket-granting ticket server used for authentication. Which authentication services does this network use?

Kerberos

What is the network authentication mechanism primarily used within Windows Active Directory and some Unix environments? (2)

Kerberos

Which network authentication protocol utilizes symmetric-key cryptography to prevent unauthorized disclosure of information? (2)

Kerberos

Members of the project team chose to meet at a local library to complete some work on a key project. All of them are authorized to work from home using a VPN connection and have connected from home successfully. However, they found that they were unable to connect to the network using the VPN from the library and they could not access any of the project data. Which of the following choices is the MOST likely reason why they cannot access the data?

Location-based access control

Which access control model uses sensitivity or security labels to determine access? (2)

MAC

Which of the following uses security levels in their access control model?(2)

MAC

The _________ model uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don't match, the model blocks access. (2)

Mandatory Access Control

Which access control uses lattices to show the complex relationships between ordered sets of labels? (2)

Mandatory access control

Security Assertion Markup Language is an XML-based data format for SSO on browsers and is used by many web-based portals. Which of the following is not one of the roles defined by SAML? (2)

Message provider

If a user logs in to a Windows system and a hash message of various user info is created for authentication, what has the user employed? (2)

NTLM

Kerberos is used for mutual authentication to prevent man-in-the-middle attacks and provides tickets against replay attacks. In order for these tools to work properly, several requirements must be met. Which of the following is not one of these requirements? (2)

NTLM protocols

Ken's company has decided to utilize a Guest account for their visitors rather than make several temporary accounts. Which of the following key concepts are supported by having multiple users on the same Guest account? (2)

None of these

Which of the following is NOT one of the three roles Security Assertion Markup Language defines? (2)

Parent Domain

Mary has access to other parts of a website in comparison to a normal user. What is this an example of? (2)

Privileged accounts

Wyatt is reviewing an organization's management processes. He wants to ensure that security log entries accurately report the identity of personnel taking specific actions. Which of the following steps BEST meets this requirement?

Remove all shared accounts

You have been tasked with designing your company's new access control model. Your instructions are to use the type of model that will allow each department to have access depending on their position within each group. The instructions outlined that anyone who is an administrator or executive should have access to everything, the project managers in each department should have access to project-related folders but only for the projects they are individually assigned, and everyone else should just have limited permissions. Which of the following types of access control model should you use? (2)

Role-Based

The University of Tulsa recently implemented a new log-in process that gives you direct access to various online accounts, including Self-Service, The Portal, and Web-Advisor, instead of having to manually log in to each. What form of technology is this? (2)

SSO

ABAC evaluates attributes and grants access based on those attributes. ABAC is commonly used in what type of networks? (2)

Software defined networks
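The ABAC cards above list the four elements of a policy statement (subject, object, action, environment) and tie ABAC to software-defined networks. What follows is an added Python example, not part of the original card set: a minimal deny-by-default ABAC evaluator with hypothetical rules for an SDN controller API. The attribute names (role, site, org, change_window, network) and the rules themselves are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

Attrs = Dict[str, Any]
# A condition is evaluated against the four policy elements: subject, object, action, environment.
Condition = Callable[[Attrs, Attrs, str, Attrs], bool]


@dataclass(frozen=True)
class Rule:
    description: str
    condition: Condition


# Hypothetical policy for an SDN controller API (constructed for this example).
POLICY: List[Rule] = [
    Rule("netops may modify flows on devices at their own site, only inside a change window",
         lambda s, o, a, e: s.get("role") == "netops" and a == "modify_flow"
         and s.get("site") == o.get("site") and e.get("change_window", False)),
    Rule("anyone in the same org may read telemetry when connected to the corp network",
         lambda s, o, a, e: a == "read_telemetry" and s.get("org") == o.get("org")
         and e.get("network") == "corp"),
    Rule("auditors may read device configs regardless of site, time or network",
         lambda s, o, a, e: s.get("role") == "auditor" and a == "read_config"),
]


def is_permitted(subject: Attrs, obj: Attrs, action: str, env: Attrs,
                 policy: List[Rule] = POLICY) -> Tuple[bool, Optional[str]]:
    """Deny by default; permit on the first rule whose condition matches all four elements.

    Returns (decision, description of the matching rule) so a log entry can say why.
    """
    for rule in policy:
        if rule.condition(subject, obj, action, env):
            return True, rule.description
    return False, None
```

Note that the same subject asking for the same action on the same object gets a different answer when only the environment changes (change window closed, or connected from the guest network), which is the property that separates ABAC from a role list.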

Sandra is trying to create a complex password to make her Facebook account more secure. She comes up with the password: 7Y2KfAitPzN4 Sandra still feels this password isn't complex enough. What could she add to make it more complex? (2)

Special characters

Johnny's employer uses Discretionary Access Control (DAC) in which every object has an owner and that owner establishes access for the objects he or she owns. What is an inherent flaw particular to the DAC model? (2)

Susceptibility to Trojan Horses

Suzie's company uses one time passwords to log into their systems. Each user can access an application that generates a new password that is only valid for thirty seconds. Which of the following describes this type of authentication? (2)

TOTP

Vivi's organization is planning to implement remote access capabilities. Management wants strong authentication and wants to ensure that passwords expire after a predefined time interval. Which of the following choices BEST meets this requirement?

TOTP

Time is important to which of the following? Choose two (2)

TOTP, Kerberos
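The HOTP card (one-time passwords that do not expire) and the TOTP cards (a new password every thirty seconds, expiring after a set interval, time synchronization required) describe two variants of the same construction. The following is an added Python example, not part of the original card set, implementing both as specified in RFC 4226 and RFC 6238. The secret is the published RFC test-vector key rather than a real credential, and the verification window and look-ahead values are assumptions of this example.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test-vector key; a demo value only, never a fixed secret in production.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1, digits: int = 6) -> bool:
    """A TOTP code is valid only in its own time step, plus/minus `window` steps for clock drift.

    Server and token need synchronized clocks; after the window passes the code is useless.
    """
    current = unix_time // step
    return any(hmac.compare_digest(hotp(secret, current + k, digits), code)
               for k in range(-window, window + 1))


def verify_hotp(secret: bytes, code: str, stored_counter: int,
                look_ahead: int = 10, digits: int = 6):
    """An HOTP code never expires with time; it is consumed when used.

    Returns the new counter to store on success (so the same code cannot be replayed),
    or None if the code matches none of the next `look_ahead` counter values.
    """
    for c in range(stored_counter, stored_counter + look_ahead):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None
```

hotp(DEMO_SECRET, 0) gives 755224 and totp(DEMO_SECRET, 59) gives 287082, the values in the RFC test-vector tables. The contrast the cards draw is visible in the two verify functions: the TOTP code for time 59 is rejected once the clock moves a few steps on, while an HOTP code stays valid until it is used and is then rejected as a replay because the stored counter has moved past it.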

Michael just got fired from his IT job at AT&T for not following policies and is known to do things that don't benefit the company. AT&T should make sure that his accounts are disabled immediately so that he doesn't do anything to harm the company due to his anger at being fired. Which of the following disablement policies would Michael fall under? (2)

Terminated employee

Pierce has decided to implement a biometric solution for his company's authentication. One of the goals is to ensure that the biometric system is highly accurate. Which of the following provides the BEST indication of accuracy with the biometric system?

The lowest possible CER

Members of the production support team at BOK Financial decide they must meet outside of standard work hours to prepare for an upcoming deployment. They arrive at the office at 4 AM, but are denied access upon entering their network credentials. Which of the following is a plausible reason why the employees were unable to log in? (2)

Time-of-day restrictions

Account policies often require administrators to have how many accounts to prevent privilege escalation and other attacks? (2)

Two

In the DAC model, every object has an owner, and the owner establishes access for the objects. If Sam is using the DAC model, what type of operating system is he most likely using? (2)

Windows

Tim, from accounting, is upset that he cannot access the accounts payable Excel sheet after he logs in on the company system. What concept from the AAA trio is this issue related to? (2)

authorization

Which of the following does a smart card NOT provide? (2)

authorization

In order to stay secure, administrators at Company A have to change the administrator password for all the computers in their domain. What is the best way they could go about doing this? (2)

configure a GPO

Secret Agent Man wants to set up a new biometric scanner for his secret agent headquarters as a backup means of identification. Since it will not be a primary means of identification, SAM has decided that the scanner needs to be better at detecting intruders who are NOT fellow secret agents; secret agents who are denied access by the scanner will have other ways of getting into the headquarters. What error should SAM be most concerned about? (2)

false acceptance

Suzy Queue changed her password last year after learning one of her primary accounts got hacked. Now that it's 2019, Suzy has decided that she'd like to change her passwords once again for additional security. She opts to go back to her old password, as the hacker has probably forgotten it by now, and she still remembers it very well. What password policy has Suzy violated? (2)

history

Freddie wants to sign up for a LastPass account, but they require his email. This is an example of what? (2)

identification

Joey is a summer IT intern at Mustard Systems. As he receives project assignments, his manager grants him access to system resources on a need-to-know basis. Which of the following describes Mustard Systems' access control standard? (2)

mandatory access control

Ned is setting up a new security system for his company which uses labels to determine access. When labels for users match labels on files and folders, the users can access that file or folder. Which type of security is this? (2)

mandatory access control

Andrew is a trainer and is responsible for onboarding new analysts and ensuring they have the correct permissions and rights to perform their specific job function. Which type of access control model is his organization using? (2)

role-BAC

Seth's computer uses technology that allows him to make gestures on his computer's lock screen that allow him to log on to the system. Which of the following BEST describes this type of authentication? (2)

something you do

As part of an information security class you're taking, you've been given a new YubiKey to use to help you protect your accounts with two-factor authentication. What type of authentication does the YubiKey help provide? (2)

something you have

At Company B, Fernando, a training instructor, was unfortunately let go. He is angry, and he knows the company won't disable his account until after the end of the work day. Therefore, before he leaves, he tries to delete all the customer data for the company. However, he is not able to access any of the customer accounts. Which of the following is the best reason why? (2)

the company applied the least privilege principle

FBI documents created by agents can only be viewed by other agents of at least the same rank as the creator. This is an example of which of the following? (2)

tiered confidentiality

It's Saturday, and Gretchen has realized that she's left her important list of weekend to-dos on her computer at work. She can't sign in to her work account from outside the office, so she treks back and finds that she still can't sign in to her account for some reason. Which of the following security policies best describe the situation? (2)

time-of-day restriction, location-based restriction

Two employees at Company A try to log in to their employee accounts after 5pm, while at Starbucks. They, unfortunately, cannot log in, which confuses them because they definitely were able to while at lunch at the pizza place across the street during lunchtime. What's the most likely reason why? (2)

time-of-day restrictions

Adam has recently purchased a security policy for his house from ADT systems. To secure his home, ADT relies on technology from 3rd Party Inc. which helps detect intruders. Adam's relationship with 3rd Party is best described as an example of which of the following? (2)

transitive trust

John Smith got an email from Twitter this week letting him know that his password was kept in an unencrypted hash table and may have been compromised as a result. He would now like to change his password to try to keep his account secure. Which of the following options is the best password for John to use? (2)

young Pickle Violet Water9

In an effort to make the IT department's administrative work easier, your company decides to implement Group Policy on all computers. Which of these are benefits/features of using Group Policy? (Select all that apply) (2)

Administrators can change the settings of every user in a domain with one command, Administrators can use Organizational Units to make changes to subgroups of users

Which of the following allows security professionals to re-create the events that preceded a security incident? (2)

Audit Trail

After Freddie signs up for a LastPass account using his email, he then enters a password. This password provides what? (2)

Authentication

AAA works together with identification to provide a comprehensive access management system. Which of the following is not an aspect of AAA? Please select all correct answers. (2)

Availability

Kurt needs to create an account for a contractor who will be working at the company for 60 days. Which of the following is the BEST security step to take when creating this account?

Configure an expiration date on the account

A company recently hired Jessica as a security administrator. She notices that some former accounts used by temporary employees are currently enabled. Which of the following choices is the BEST response?

Craft a script to identify inactive accounts based upon the last time they logged in

Abraham is reviewing password security for employees of the Michaela Corp. The password policy has the following settings: the password maximum age is 30 days; the password minimum length is 14 characters; passwords cannot be reused until five other passwords have been used; passwords must include at least one of each of the following four character types: uppercase, lowercase, numbers, and special characters. Abraham discovers that despite having this password policy in place, users are still using the same password that they were using more than a month ago. Which of these actions will resolve this issue?

Create a rule in the password policy for the password minimum age to be 7 days
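The password cards above (history, minimum age, complexity, the passphrase answer, and the Michaela Corp. policy that users defeat by cycling through five passwords in a row) are easiest to see in code. The following is an added Python example, not part of the original card set: it enforces such a policy against salted PBKDF2 hashes and simulates the cycling trick with and without a minimum password age. The policy values, the PBKDF2 round count and the sample passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

PBKDF2_ROUNDS = 10_000  # kept low for demo speed; use a far higher cost in production


@dataclass
class PasswordPolicy:
    min_length: int = 14
    require_classes: int = 4     # uppercase, lowercase, digit, other
    history_size: int = 5        # "cannot be reused until five other passwords have been used"
    max_age_days: int = 30
    min_age_days: int = 0        # 0 = no minimum age: the gap in the card's policy


@dataclass
class Account:
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # (salt, hash), oldest first
    last_changed: Optional[datetime] = None


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def complexity_ok(password: str, policy: PasswordPolicy) -> bool:
    """Length plus the number of distinct character classes present (a space counts as 'other')."""
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return len(password) >= policy.min_length and sum(classes) >= policy.require_classes


def change_password(account: Account, new_password: str, policy: PasswordPolicy,
                    now: datetime) -> Tuple[bool, str]:
    """Apply the policy in order: complexity, minimum age, then history. Returns (ok, reason)."""
    if not complexity_ok(new_password, policy):
        return False, "complexity"
    if (account.last_changed is not None
            and now - account.last_changed < timedelta(days=policy.min_age_days)):
        return False, "minimum age"
    # Only the last history_size entries are compared, which is exactly what cycling exploits.
    for salt, digest in account.history[-policy.history_size:]:
        if hmac.compare_digest(_hash(new_password, salt), digest):
            return False, "history"
    salt = os.urandom(16)
    account.history.append((salt, _hash(new_password, salt)))
    account.last_changed = now
    return True, "changed"


# Constructed sample passwords for the simulation (all meet the 14-char / 4-class rule).
OLD_PASSWORD = "Correct-Horse9Battery"
FILLERS = [f"Filler-Pass{i}word!X" for i in range(5)]


def simulate_rotation_trick(policy: PasswordPolicy, old_password: str = OLD_PASSWORD,
                            fillers: List[str] = FILLERS,
                            start: datetime = datetime(2019, 1, 1)) -> Tuple[bool, str]:
    """Set old_password at `start`; when it reaches max age, burn through `fillers` one minute
    apart, then try to go back to old_password. Returns the result of that final change."""
    account = Account()
    change_password(account, old_password, policy, start)
    expiry = start + timedelta(days=policy.max_age_days)
    for i, filler in enumerate(fillers):
        ok, reason = change_password(account, filler, policy, expiry + timedelta(minutes=i))
        if not ok:
            return ok, reason
    return change_password(account, old_password, policy,
                           expiry + timedelta(minutes=len(fillers)))
```

With min_age_days left at 0 the simulation ends in "changed": five quick changes push the old password out of the history window and it is accepted again. With min_age_days set to 7 the second filler is rejected with "minimum age", so the old password can never come back inside one rotation period, which is the card's answer. complexity_ok also shows why 7Y2KfAitPzN4 from the Sandra card fails (12 characters, no special character) while the spaced passphrase from the John Smith card passes.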

Help Desk analysts have created a shared account to unlock user accounts in Active Directory. The security administrator performed a security compliance audit and determined this does not meet the organization's security policy. What should the security administrator implement? (2)

Create a second account for each Help Desk employee

Group-based access control is based on roles or groups and simplifies user administration. Megan is an administrator and wants to use group based access control. What is the first step she should take to simplify administration for an Accounting group? (2)

Create an Accounting group and add each of the necessary user accounts to the Accounting group.

Which model can you use to create a list that identifies who can access your files and folders in your system? (2)

DAC

Developers in your organization have created an application designed for the sales team. Salespeople can log on to the application using a simple password of 1234. However, this password does not meet the organization's password policy. Which of the following is the BEST response by the security administrator after learning about this?

Direct the application team manager to ensure the application adheres to the organization's password policy.

A recent security audit discovered several apparently dormant user accounts. Although users could log on to the accounts, no one had logged on to them for more than 60 days. You later discover that these accounts are for contractors who work approximately one week every quarter. Which of the following is the BEST response to this situation?

Disable the accounts

Most organizations have a ____ ___ that specifies how to manage accounts in different situations. (2)

Disablement Policy

Joe jokingly tried to unlock his friend's phone using the fingerprint scanner and, unexpectedly, it worked. This is an example of what? (2)

False Acceptance

Apple iPhone X "facial recognition" has a flaw that allowed a Chinese woman to access her coworker's iPhone. What scenario is happening here? (2)

False acceptance.

Rachael, a biometric manufacturer, took shortcuts while implementing her biometric technology. What type/types of false readings could this result in? (2)

False rejection, False acceptance
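The biometric cards above (FAR, FRR, their crossover CER, the lowest CER as the accuracy indicator, and tuning a backup scanner to catch intruders even at the cost of rejecting real agents) all come down to one threshold on a match score. This added Python example, not part of the original card set, sweeps that threshold over constructed genuine and impostor scores to show how FAR and FRR trade off and where the CER sits. The scores are made up for illustration, not real scanner data.

```python
from typing import Iterable, List, Optional, Tuple

# Constructed match scores (0-100) from a hypothetical scanner: higher means a closer match.
GENUINE_SCORES = [91, 88, 85, 83, 80, 78, 76, 74, 70, 65]    # enrolled users, own finger/face
IMPOSTOR_SCORES = [22, 30, 41, 50, 55, 60, 64, 68, 72, 79]   # other people, e.g. a coworker


def far(impostor: List[int], threshold: int) -> float:
    """False acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: List[int], threshold: int) -> float:
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine: List[int], impostor: List[int],
                thresholds: Iterable[int]) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for each candidate: raising the threshold lowers FAR and raises FRR."""
    return [(t, far(impostor, t), frr(genuine, t)) for t in thresholds]


def crossover_error_rate(genuine: List[int], impostor: List[int],
                         thresholds: Iterable[int]) -> Tuple[int, float]:
    """CER (also called EER): the threshold where FAR and FRR meet, and the error rate there.

    A lower CER means a more accurate system; a high CER indicates a poor one.
    """
    t, a, r = min(error_curve(genuine, impostor, thresholds),
                  key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def threshold_for_max_far(genuine: List[int], impostor: List[int], thresholds: Iterable[int],
                          max_far: float) -> Optional[Tuple[int, float, float]]:
    """Tune for intruder detection: the lowest threshold whose FAR is within max_far.

    Returns (threshold, FAR, FRR) so the price paid in false rejections is visible.
    """
    for t in thresholds:
        a = far(impostor, t)
        if a <= max_far:
            return t, a, frr(genuine, t)
    return None
```

On these scores the curves cross at a threshold of 71 with a CER of 0.2. Pushing the threshold to 80 drives false acceptance to zero, which is what the Secret Agent card wants from a backup scanner, but it rejects half of the genuine attempts; a primary scanner would instead be run near its crossover point, and a better scanner is one whose crossover point is lower.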

Which SAML role is defined as something that creates, maintains, and manages identity information for principals? (2)

Identity Provider

CIO Gil Bates wants to make his IT department more efficient and stop them from having to start every user off with all permissions and then blacklist unnecessary permissions. Instead, Dr. Bates wants the IT department to start a new user off with no permissions and assign permissions as needed. What policy does this reflect? (2)

Least Privilege

You want to buy something off this really cool website you found (reallycool.com). However, you need to create an account to do so. Conveniently, this website allows you to log in using your Amazon.com credentials. Which protocol is being used to make this possible? (2)

OAuth

Steve would like to use an open standard for authorization to provide secure access to protected resources. Which of the following would you recommend his company? (2)

OAuth

Max recently updated an online application his employees use to log on when working from home. Employees enter their username and password into the application from their smartphone and the application logs their location using GPS. Which type of authentication is being used?

One-factor

Which of the following is used with OAuth 2.0 as an extension to the authorization process? (2)

OpenID Connect

T'Nia and Tim are arguing over whether or not using Single Sign-On decreases security; both have two main points to their argument. Tim believes it does decrease security, as he believes having users needing multiple passwords is more secure realistically, plus SSO tokens require strong authentication to be effective. T'Nia believes that SSO is secure because people are more careless when they have a lot of credentials to remember, in addition to saying that SSO tokens are designed to be secure and do not even require strong authentication. Which of their points is correct? (2)

T'Nia and her point about people with multiple passwords being careless, Tim and his point about SSO tokens needing strong authentication

Security experts often mention that if you make a password too complex you make it less secure. Why is that? (2)

The more complex a password is the more likely users will forget it and will write it down on a sticky note.

Your company recently got hacked because an outsider gained access by using a dictionary attack. Your boss wants to implement iris scans as an authentication method to make sure someone can't compromise your systems with just the right password. They consider other options but feel that biometric authentication is the best type (when implemented correctly). Why would they believe this? (2)

The odds of an attacker stealing someone's eye are much lower than attackers stealing something like a token

