Quiz D : Identify and Access Management
A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure?
A. Accounting Explanation/Reference: Accounting measures the resources a user consumes during access. This can include the amount of system time or the amount of data a user has sent and/or received during a session. Accounting is carried out by logging of session statistics and usage information and is used for authorization control, billing, trend analysis, resource utilization, and capacity planning activities.
A security administrator is developing controls for creating audit trails and tracking if a PHI data breach is to occur. The administrator has been given the following requirements: *All access must be correlated to a user account. *All user accounts must be assigned to a single individual. *User access to the PHI data must be recorded. *Anomalies in PHI data access must be reported. *Logs and records cannot be deleted or modified. Which of the following should the administrator implement to meet the above requirements? (Select THREE).
A. Eliminate shared accounts. C. Implement usage auditing and review. E. Copy logs in real time to a secured WORM drive. Explanation/Reference: Shared accounts cannot be attributed to a single user, rendering auditing useless. auditing is necessary to record user access to PHI. WORM means "write once, read many", meaning that once written, it cannot be modified.
A business sector is highly competitive, and safeguarding trade secrets and critical information is paramount. On a seasonal basis, an organization employs temporary hires and contractor personnel to accomplish its mission objectives. The temporary and contract personnel require access to network resources only when on the clock. Which of the following account management practices are the BEST ways to manage these accounts?
A. Employ time-of-day restrictions. Explanation/Reference: The seasonal employees should have time of day restrictions. The account expiration should be handled with offboarding the employees.
A company has been experiencing many successful email phishing attacks, which have been resulting in compromise of multiple employees' accounts when employees reply with their credential. The security administrator has been notifying each user and resetting the account passwords when accounts become compromised. Regardless of the process, the same accounts continue to be compromised even when the user do not respond to the phishing attacks. Which of the following are MOST likely to prevent similar account compromises? (Select TWO).
A. Enforce password reuse limitations. D. Configure account lockout. Explanation/Reference: The same accounts being compromised points to users re-using their compromised passwords. Configuring lockout will disable the account once a failed attempt threshold has been met. One could argue that password complexity can also be used in place of account lockout.
Which of the following is the proper order for logging a user into a system from the first step to the last step?
A. Identification, authentication, authorization
A company offers SaaS, maintaining all customers' credentials and authenticating locally. Many large customers have requested the company offer some form of federation with their existing authentication infrastructures. Which of the following would allow customers to manage authentication and authorizations from within their existing organizations?
A. Implement SAML so the company's services may accept assertions from the customers' authentication servers. Explanation/Reference: SAML is an open XML-based standard that's used to exchange authentication and authorization information. It's commonly used by SSO environments, especially those using federated identity systems in enterprise environments. p.395
A company has found that people are browsing directories they should not be accessing. Which of the following techniques should the security administrator implement to prevent this from happening?
A. Least privilege Explanation/Reference: A user should only have access to the resources that allow them to do their job.
An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which of the following technologies is the provider referring?
A. OpenID Connect Explanation/Reference: OpenID Connect is an authentication layer on top of OAuth 2.0 that allows access to other applications. For example, when you are joining an online game and it asks to access your Facebook account to see if anyone else you know plays it already, or to post your achievements as status updates.
After a security assessment was performed on the enterprise network, it was discovered that: 1. Configuration changes have been made by users without the consent of IT. 2. Network congestion has increased due to the use of social media. 3. Users are accessing file folders and network shares that are beyond the scope of their need to know. Which of the following BEST describe the vulnerabilities that exist in this environment? (Select two).
A. Poorly trained users D. Improperly configured accounts
An organization plans to implement multifactor authentication techniques within the enterprise network architecture. Each authentication factor is expected to be a unique control. Which of the following BEST describes the proper employment of multifactor authentication?
A. Proximity card, fingerprint scanner, PIN Explanation/Reference: Multifactor authentication must use different categories of authentication. A is the correct answer
Which of the following is a compensating control that will BEST reduce the risk of weak passwords?
A. Requiring the use of one-time tokens Explanation/Reference: One-time password tokens are often used as a part of two-factor and multifactor authentication. The use of one-time password tokens hardens a traditional ID and password system by adding another, dynamic credential. The other three choices do not address the problem described in the question.
A web developer wants to improve client access to the company's REST API. Authentication needs to be tokenized but not expose the client's password. Which of the following methods would BEST meet the developer's requirements?
A. SAML Explanation/Reference: SAML is a token based authentication process. OAuth is an authentication framework that is tokenized, but requires a user's permission to use another application's resources. p.395-397
An organization is expanding its network team. Currently, it has local accounts on all network devices, but with growth, it wants to move to centrally managed authentication. Which of the following are the BEST solutions for the organization? (Sect TWO)
A. TACACS+ D. RADIUS
A security administrator needs to address the following audit recommendations for a public-facing SFTP server: ~Users should be restricted to upload and download files to their own home directories only. ~Users should not be allowed to use interactive shell login. Which of the following configuration parameters should be implemented? (Select TWO).
B. ChrootDirectory C. PermitTTY Explanation/Reference: A chroot on Unix operating systems is an operation that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term "chroot" may refer to the chroot(2) system call or the chroot(8) wrapper program. The modified environment is called a chroot jail.
Which of the following BEST implements control diversity to reduce the risks associated with the authentication of employees into the company resources?
B. Enforcing the use of something you know and something you have for authentication Explanation/Reference: Multifactor Authentication.
Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources?
B. Federation Explanation/Reference: Federation allows authentication systems to be shared across multiple systems or networks.
An organization requires users to provide their fingerprints to access an application. To improve security, the application developers intend to implement multifactor authentication. Which of the following should be implemented?
B. Have users sign their name naturally Explanation/Reference: A,C,and D are in the same category as a fingerprint. they all fall into the Something You Are category. B is Something You Do, and is correct.
A security administrator is configuring a RADIUS server for wireless authentication. The configuration must ensure client credentials are encrypted end-to-end between the client and the authenticator. Which of the following protocols should be configured on the RADIUS sever? (Select TWO).
B. MSCHAP C. PEAP Explanation/Reference: Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.] The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided. MS-CHAP is the Microsoft version of the Challenge-Handshake Authentication Protocol, CHAP. The protocol exists in two versions, MS-CHAPv1 (defined in RFC 2433) and MS-CHAPv2 (defined in RFC 2759). MSCHAPv2 was introduced with Windows NT 4.0 SP4 and was added to Windows 98 in the "Windows 98 Dial-Up Networking Security Upgrade Release"[1] and Windows 95 in the "Dial Up Networking 1.3 Performance & Security Update for MS Windows 95" upgrade. Windows Vista dropped support for MS-CHAPv1. MS-CHAP is used as one authentication option in Microsoft's implementation of the PPTP protocol for virtual private networks. It is also used as an authentication option with RADIUS[2] servers which are used with IEEE 802.1X (e.g., WiFi security using the WPA-Enterprise protocol). It is further used as the main authentication option of the Protected Extensible Authentication Protocol (PEAP). Compared with CHAP, MS-CHAP is enabled by negotiating CHAP Algorithm 0x80 (0x81 for MS-CHAPv2) in LCP option 3, Authentication Protocol provides an authenticator-controlled password change mechanism provides an authenticator-controlled authentication retry mechanism defines failure codes returned in the Failure packet message field MS-CHAPv2 provides mutual authentication between peers by piggybacking a peer challenge on the Response packet and an authenticator response on the Success packet.
A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control?
B. Mandatory access control Explanation/Reference: Instead of ACLs, MAC systems typically apply security labels to both users and resources, and the rules for access depend on how the labels match up. A good example of labels would be: Unclassified, Confidential, Secret, Top Secret, etc.
A security manager is creating an account management policy for a global organization with sales personnel who must access corporate network resources while traveling all over the world. Which of the following practices is the security manager MOST likely to enforce with the policy? (Select TWO)
B. Password complexity D. Group-based access control Explanation/Reference: The manager should be most concerned with unauthorized access, so password complexity and group based access control makes the most sense here. You need complex password requirements for authentication, and group-based access control to ensure the least privilege.
Despite having implemented password policies, users continue to set the same weak passwords and reuse old passwords. Which of the following technical controls would help prevent these policy violations? (Select TWO)
B. Password length D. Password history Explanation/Reference: Password history will eliminate the use of old passwords. Password length will lengthen the time for a brute force cracking of the password.
The Chief Executive Officer (CEO) has asked a junior technician to create a folder in which the CEO can place sensitive files. The technician later finds the information within these files is the topic of conversation around the company. When this information gets back to the CEO, the technician is called in to explain. Which of the following MOST likely occurred?
B. Permission issues Explanation/Reference: The junior technician did not set the folder permissions properly, allowing unauthorized access to the folder.
When attempting to secure a mobile workstation, which of the following authentication technologies rely on the user's physical characteristics? (Select TWO)
B. Retina scan C. Fingerprint scan Explanation/Reference: User's physical characteristics are referring to biometrics. therefore, a retina scan and fingerprint scan are correct.
A company wants to implement an access management solution that allows employees to use the same usernames and passwords for multiple applications without having to keep multiple credentials synchronized. Which of the following solutions would BEST meet these requirements?
B. SSO E. Federation Explanation/Reference: Single Sign On allows a user to use one set of credentials over multiple applications or networks, and Federation is a trust model for multiple networks or organizations.
An organization's employees currently use three different sets of credentials to access multiple internal resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal?
B. Single sign-on Explanation/Reference: SSO allows one set of credentials to access multiple services. Transitive trust and Federation are trust models between different networks; they allow SSO to be possible. Secure token is a method to use SSO.
After a recent security breach at a hospital, it was discovered that nursing staff members, who were working the overnight shift searched for and accessed private health information for local celebrities who were patients at the hospital. Which of the following would have enabled the hospital to discover the behavior BEFORE a breach occurred?
B. Usage reviews Explanation/Reference: Usage reviews would have alerted the hospital to the illegal accessing of PHI
An organization has an account management policy that defines parameters around each type of account. The policy specifies different security attributes, such as longevity, usage auditing, password complexity, and identity proofing. The goal of the account management policy is to ensure the highest level of security while providing the greatest availability without compromising data integrity for users. Which of the following account types should the policy specify for service technicians from corporate partners?
B. User account
A user is attempting to view an older sent email but is unable to open the email. Which of the following is the MOST likely cause?
D. The user has not authenticated to the email server
A member of the admins group reports being unable to modify the "changes" file on a server. The permissions on the file are as follows: Permissions User Group File -rwxrw-r--+ Admins Admins changes Based on the output above, which of the following BEST explains why the user is unable to modify the "changes" file?
C. An FACL has been added to the permissions for the file.
A department head at a university resigned on the first day of spring semester. It was subsequently determined that the department head deleted numerous files and directories from the server-based home directory while the campus was closed. Which of the following policies or procedures could have prevented this form occurring?
C. Offboarding Explanation/Reference: Offboarding would have disabled his credentials, making it impossible to delete files after he resigned. However, if he had deleted the files before he resigned, Time of day restrictions could have prevented this from occurring.
A security administrator wants to implement least privilege access for a network share that stores sensitive company data. The organization is particularly concerned with the integrity of the data and implementing discretionary access control. The following controls are available Read = A user can read the content of the existing file. Write = A user can modify the content of an existing file and delete an existing file Create = A user can create a new file and place data within the file. A missing control means the user does not have that access. Which of the following configurations provides the appropriate control to support the organization's requirements?
C. Owners: Read, Write Group Members: Read, Create Others: Read, Create Explanation/Reference: Using the concept of Least Privilege, C is the most restrictive. this answer only allows the Owners to modify files.
Users in a corporation currently authenticate with a username and password. A security administrator wishes to implement two-factor authentication to improve security. Which of the following authentication methods should be deployed to achieve this goal?
C. Smart card Explanation/Reference: When implementing two-factor authentication, you must use two different categories of authentication. A PIN, security question, passphrase, and captcha all fall into the category of Something You Know. Therefore, a smart card, being Something You Have, is the only possible answer. p.372
Which of the following authentication concepts is a gait analysis MOST closely associated?
C. Something you do
Which of the following would be considered multifactor authentication?
C. Strong password and fingerprint Explanation/Reference: Something You Know and Something You Are
The help desk received a call after hours from an employee who was attempting to log into the payroll server remotely. When the help desk returned the call the next morning, the employee was able to log into the server remotely without incident. However, the incident occurred again the next evening. Which of the following BEST describes the cause of the issue?
C. Time-of-day restrictions prevented the account from logging in Explanation/Reference: If a user can log in remotely at one time of day, and not a different time of day, time of day restrictions are the most likely cause.
An organization is providing employees on the shop floor with computers that will log their time based on when they sign on and off the network. Which of the following account types should the employees receive?
C. User account
A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the systems administrator using?
C. User account Explanation/Reference: Guest and service accounts are non-privileged accounts. A domain controller by definition must be part of a domain. Since it can't function in a local or non-domain mode, there's no need for local accounts. C. User account is the answer
A call center company wants to implement a domain policy primarily for its shift workers. The call center has large groups with different user roles. Management wants to monitor group performance. Which of the following is the BEST solution for the company to implement?
D. Time of day restrictions
A security administrator needs to configure remote access to a file share so only accountants and financial executives can establish a connection. The share must allow the owners of the data to determine which users can read and write to the data owner's files and folders. Which of the following access controls is most appropriate for this situation?
D. DAC Explanation/Reference: Discretionary Access Control. DAC is commonly used in contexts that assume that every object has an owner that controls the permissions to access the object
A group of developers is collaborating to write for a company. The developers need to work in subgroups and control who has access to their modules. Which of the following access control methods is considered usercentric?
D. Discretionary Explanation/Reference: Discretionary Access Control. DAC is commonly used in contexts that assume that every object has an owner that controls the permissions to access the object
An audit takes place after company-wide restructuring, in which several employees changed roles. The following deficiencies are found during the audit regarding access to confidential data. Employee Job Function Audit Finding Ann Sales Manager *Access to confidential payroll shares *Access to payroll processing program *Access to marketing shares Jeff Marketing Director *Access to human resources annual review folder *Access to shared human resources mailbox John Sales Manager *Active account *Access to human resources annual review folder *Access to confidential payroll shares Tim Business Development *Terminated Employee *Access to human resources annual review folder *Access to confidential payroll shares Which of the following would be the BEST method to prevent similar audit finding in the future?
D. Implement regular permission auditing and reviews Explanation/Reference: Tim, a terminated employee, still has access to company resources. a regular audit would catch this possible vulnerability, but proper offboarding procedures would have prevented this issue.
A security analyst is reviewing the password policy for a remotely accessed domain service within the organization. The active directory password policy is as follows: Enforce Password History: 3 Passwords Remembered Maximum Password Age: 60 days Minimum Password Age: 7 days Minimum Password Length: 8 Characters Complexity: Must contain 1 Uppercase r 1 Special char Lockout Threshold: 5 attempts in 1 hour Lockout Duration: 12 hour The service account has recently become the target of constant brute force attacks by a large botnet. The security analyst wishes to enhance this policy so security is improved while investigating logical controls to mitigate brute force and DoS attacks. Which of the following would be the BEST short-term mitigations to accomplish this goal? (Select TWO).
D. Increase the password length to 16. F. Change the lockout threshold to three tries in 30 minutes.
Which of the following would provide additional security by adding another factor to a smart card?
D. PIN Explanation/Reference: PIN is something you know added to something you have. the other three choices are something you have.
While trying to manage a firewall's ACL, a security administrator (User3) receives an "Access Denied" error. The manager reviews the following information: Security_admins: User1, User 2 Firewall access: ACL Read: Security_admins ACL Write: Security_admins Reboot: Managers Audit: User3 Which of the following is preventing the administrator from managing the firewall?
D. RBAC (Role-based)
To help prevent one job role from having sufficient access to create, modify,and approve payroll data, which of the following practices should be employed?
D. Separation of duties Explanation/Reference: Separation of duties takes control of a job from a single person, and helps mitigate the risk of one actor performing malicious activity.
A systems administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement?
D. Sponsored guest Explanation/Reference: Sponsored Guest is a wireless guest authentication feature that allows guests to nominate a sponsor domain to authorize guest wireless access. With Sponsored Guest login, users must submit their name and email to be authenticated via email link by a user on an approved domain.
A security administrator wants to install an AAA server to centralize the management of network devices, such as routers and switches. The server must reauthorize each individual command executed on a network device. Which of the following should be implemented?
D. TACACS+ Explanation/Reference: TACACS+ is a CISCO designed extension to TACACS that encrypts the full content of each packet. Moreover, it provides granular control (command by command authorization).
A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the system administrator using?
D. User account Explanation/Reference: Guest and service accounts are non-privileged accounts. You almost never want to use shared accounts. A user account can have admin privileges.