Security + (SY0-501) 4.0
Having been asked to add two-factor authentication to each computer based on something the user has, what would you do?
"Something the user has" would be a physical device. The physical device could be a cell phone, a Personal Identity Verification (PIV) card, a Common Access Card (CAC), etc.
You have been asked to verify that the authentication system is running optimally. One way you might do that is by calculating which of the following?
Crossover Error Rate (CER). The CER is the point at which the False Acceptance Rate (FAR) and the False Rejection Rate (FRR) are equal; a low CER value indicates an accurate authentication system that is running optimally.
You have been asked to provide a relatively inexpensive biometric authentication system in a noisy office with bad lighting. Which option is best for this situation?
Fingerprint recognition will work in any environment, regardless of the noise level or quality of the lighting.
Although you are not a full administrator, you are asked to manage a protected document, allowing access to anyone who asks. The access control protocol you put on that file would use which of the following?
Discretionary Access Control (DAC). Under DAC, the owner of each object decides who may access it, so access is granted on a customized basis depending on the subject's identity.
You want to control access to folders based on Access Control Lists (ACLs). Which access control model do you implement?
Discretionary Access Control (DAC) is based on ACLs.
Which of the following is the most secure security measure for protecting credential managers?
Multi-factor authentication is a very strong measure for protecting credentials. Multi-factor authentication is any authentication scheme that requires validation of two or more different authentication factors, such as a combination of something you have and something you know (e.g. a physical ID card and a PIN code) or something you have and something you are (e.g. a smart card and a fingerprint).
Identity federation typically operates on which principle?
Transitive trust is the principle of implicit trust of a third entity based on mutual trust from other entities.
One way to spot privilege escalation attacks, or simply alert you to behavior that a particular account should not be engaging in, is through which of the following?
Usage auditing monitors how accounts are being used in the organization.
At a minimum, which components are essential for implementing Lightweight Directory Access Protocol (LDAP)?
LDAP server, LDAP client, and LDAP management tools. An LDAP server provides the LDAP services and directory, the LDAP client queries the directory, and the management tools allow administrators to work with LDAP objects.
As new employees enter the organization, you will need to create new accounts for them. Likewise, employees that leave the organization must have their accounts disabled and removed from your systems. Which of the following refers to the planning of these tasks?
Onboarding/offboarding is a structure for guiding an organization through the process of hiring and terminating employees smoothly. This includes managing accounts, training, and other activities.
Each user at Develetech is required to enter a password to gain access to network resources, such as printers and network shares. Which authentication factor do they use?
A password is "something you know" and usually select for yourself.
You have been asked to provide a supervisor with access to multiple systems at a high level. Which type of account will you create?
A privileged account has greater access rights to data and systems in an organization.
You have been asked to provide a biometric authentication system that is more accurate than a fingerprint scanner. Which method will you choose?
A retinal scanner. Retinal scanners are among the most accurate forms of biometric authentication.
You are required to assure the identity of each user every five minutes or so without disturbing the user's workflow. What solution will you decide on?
A security token (sometimes called an authentication token) is a small hardware device that the owner carries to authorize access to a network service.
What is the major advantage of using the OpenID system for user authentication?
A single user account exists for all participating sites.
You have been asked to provide a token-based authentication device that is easy to carry. Which of the following methods will you choose?
A smart card. It is a plastic card containing an embedded computer chip that can store, among other things, authentication tokens.
Which device provides an extra layer of security as "something you have" for entering secure areas of a building or facility?
A smart card is "something you have."
You have been asked to implement a token-based security system. If you decide to use a hardware-based token, which method will you choose?
A smart card is a plastic card containing an embedded computer chip that can store different types of electronic information. It is a common example of token-based authentication.
In a Microsoft Active Directory forest, what does "transitive trust" mean?
A two-way, transitive trust is automatically created between a parent domain and each child domain, so that if domain A trusts domain B and domain B trusts domain C, domain A also trusts domain C.
There are multiple account types in any organization. Which of the following accounts is defined as a standard account type with limited privileges that may be restricted from modifying certain things?
A user account is the standard account type for general users in your organization. These accounts are almost always limited in privileges, especially when it comes to privileges otherwise reserved for IT members.
A user suggested that the company use hardware tokens for multi-factor authentication. Which of the following is an example of a hardware token?
A wireless keycard is a hardware token: it is a physical object that the user must possess ("something you have") and present to unlock doors or to reach other secure resources.
You have been asked to implement file-level system security on your Microsoft-based network. Which method will you use to accomplish this?
Access Control Lists (ACLs) are lists of access control entries (ACEs). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee, to any directory or file.
You have been asked to institute a security control in which user access privileges are audited to ensure they are accurate and adhere to relevant standards and regulations. Which control will you use?
Access recertification involves permission auditing and review to determine if the accounts are still adhering to the principle of least privilege.
A system administrator periodically performs a permission audit and review to ensure that the principle of least privilege is being adhered to and that no user has gathered elevated permissions. What is this process of permission auditing better known as?
Access recertification is a regular process that administrators perform, using automated tools, to ensure that users have appropriate permissions and privileges.
The administrators at Develetech have set a policy that requires users to wait 15 minutes after typing their passwords incorrectly five times. What is this policy known as?
Account lockout. The policy denies access for a set period (here 15 minutes) after a set number of failed attempts (here five). This is the correct name of the policy.
A manager is going on extended leave. You are asked to ensure that no one can access the account during that time; however, all the contents should be available for the manager's return. Which of the following will you use in this case?
Account disablement. The account stays in the directory with all its data intact, but no one can log in to it until an administrator re-enables it. This is not to be confused with account lockout, which is triggered by too many incorrect authentication attempts.
Because of a merger, there have been a lot of people who have changed jobs, or are now using different accounts. To keep things in order, what should you plan?
Account maintenance is a process whereby you modify existing accounts based on organizational changes or remove accounts that are no longer in use.
A junior system administrator has been given the task of disabling and removing accounts that are no longer used or are suspected of no longer being used. What is this process called?
Account maintenance is a routine administrative duty that includes modifying, disabling, or removing unused accounts.
You are asked to set up access to a database based on specific criteria that each individual must meet before he or she is allowed access. What type of control would you use?
Attribute-based Access Control (ABAC). With ABAC, access is controlled based on a set of attributes that each subject possesses.
A system administrator implements an access control methodology that compares a user's characteristics with the list of required properties to access a resource. Which access control method is the administrator using?
Attribute-based Access Control (ABAC) evaluates each attribute to allow or deny access.
The acronym AAA stands for which of the following choices?
Authentication, Authorization, and Accounting. AAA is a security concept in which a centralized platform verifies the identity of a subject (a user or device), ensures the subject is assigned the relevant permissions, and then logs these actions to create an audit trail.
Why is Challenge Handshake Authentication Protocol (CHAP) considered to be legacy and no longer acceptable for general use?
Because it relies on the Message Digest 5 (MD5) hash, which is cryptographically broken and should not be used. A captured challenge/response pair can be brute-forced offline, and the authenticator must keep the shared secret in a recoverable form in order to verify responses.
The Chief Security Officer (CSO) at Develetech wants to ensure that only authorized Active Directory domain devices can authenticate to the Local Area Network (LAN). How do the system administrators comply with this new directive?
By implementing 802.1X with Remote Authentication Dial-In User Service (RADIUS). This port-based authentication method is used with Active Directory to ensure that only domain-joined systems may connect to the production LAN.
Which protocol would you use to periodically authenticate a user or network host to an authenticating entity?
CHAP authenticates a user or network host to an authenticating entity. CHAP protects against replay attacks through an incrementally changing identifier and a variable (random) challenge value; the secret itself is never sent over the link, only a hash of the identifier, secret, and challenge.
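The CHAP computation described above, as an added example that is not part of the original study material: it implements the RFC 1994 response (MD5 over the identifier, the shared secret and the challenge), verifies it as the authenticator would, shows that a response captured for one identifier is rejected for the next, and then runs the offline dictionary attack that makes the MD5-based scheme unacceptable once an attacker has sniffed one exchange. The secret, the identifier values and the wordlist are constructed samples.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP response: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the response from its own copy of the secret.

    CHAP therefore requires the authenticator to store the secret in a
    recoverable form, a second weakness besides the use of MD5 itself.
    """
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret: bytes, identifier: int, challenge: Optional[bytes] = None) -> dict:
    """One round of the exchange, returned as an eavesdropper on the link would see it."""
    challenge = challenge if challenge is not None else os.urandom(16)
    response = chap_response(identifier, secret, challenge)
    return {
        "id": identifier,
        "challenge": challenge,
        "response": response,
        "accepted": chap_verify(identifier, secret, challenge, response),
    }


def crack_chap(identifier: int, challenge: bytes, response: bytes,
               wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack: the captured id/challenge/response triple lets an attacker
    test candidate secrets at MD5 speed with no further contact with the server."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    SECRET = b"Winter2019!"                                          # constructed sample secret
    WORDLIST = [b"password", b"letmein", b"Winter2019!", b"qwerty"]  # constructed wordlist
    captured = chap_exchange(SECRET, identifier=7, challenge=bytes(range(16)))
    print("accepted by authenticator:", captured["accepted"])
    # The next round uses identifier 8 and a fresh challenge, so simply replaying
    # the captured response fails...
    print("replay under new id accepted:",
          chap_verify(8, SECRET, captured["challenge"], captured["response"]))
    # ...but the captured triple alone is enough to recover the secret offline.
    print("recovered secret:",
          crack_chap(captured["id"], captured["challenge"], captured["response"], WORDLIST))
```

The attack loop is the whole point: nothing rate-limits it, and every guess costs one MD5 call, which is why a sniffed CHAP exchange against a dictionary password is effectively a plaintext disclosure.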
You have been asked to identify weaknesses in the passwords used by the employees of your organization. Which software program can you use to check the password database?
Cain & Abel is a common password-cracking utility used to identify weaknesses in your employees' passwords.
You have been asked to implement a token-based security system. If you decide to use a software-based token, which method will you choose?
Certificate-based authentication. A digital certificate issued by a certificate server (CA), stored on the device or on a smart card, serves as the verifying software token.
New Technology LAN Manager (NTLM) is which type of authentication protocol?
Challenge-response, NTLM is a challenge-response authentication protocol created by Microsoft for use in its products and initially released in early versions of Windows NT.
Which type of access control device might be mandatory to use if a company is a federal contractor?
Common access card is a standard issue for federal government contractors and employees. It is a "something you have" access control factor.
To keep track of many different, lengthy passwords, you might use a product like LastPass or KeePass. What are these products examples of?
Credential managers help users and organizations more easily store and organize account user names and passwords. These applications typically store credentials in an encrypted database on the local machine.
Given a specific subfolder, only administrators should be able to access that folder. What would be the first step in setting that up?
Disable inheritance. Removing inheritance assures that there are no lingering, legacy permissions conferred from parent folders. This is the first step in setting up a clean set of permissions.
You have been asked to provide biometric authentication without spending a lot of additional money to get everyone's laptop secured. Which method will you use?
Facial recognition. Almost all laptops today come with a built-in user-facing camera that can be used (often with built-in software) to provide facial recognition biometric authentication.
You have been asked to estimate the number of users who have been incorrectly refused authorization by your current biometric system. What is this error rate called?
False Rejection Rate (FRR) The FRR is the percentage of authorized users who were incorrectly rejected by the biometric authentication system.
You have been asked to estimate the number of users who have been incorrectly authenticated by your current biometric system. What is this error rate called?
False Acceptance Rate (FAR). The FAR is the percentage of unauthorized users who have been incorrectly allowed into the system.
Which resource is protected through the use of permissions such as read, write, and execute?
File system-level security focuses on permissions such as read, write, and execute.
System administrators prefer to enforce security restrictions and certain business policies from Active Directory. Which of the following provides system administrators with the ability to enforce such policies that users cannot alter?
Group Policy. Group Policy Objects (GPOs) are defined in Active Directory and enforced on each user's workstation as they log on to the domain; users cannot alter the settings they impose.
You have been asked to make sure that all the employees in a particular department have the same set of network permissions and that they can all access the same set of files and printers. Which of the following is the fastest and simplest method of doing so?
Group-based access control. Put the department's users in a security group and grant that group the permissions on the shares and printers; a user added to the group inherits those permissions immediately. This also lets you add or revoke specific permissions for many users at once.
Your company has now grown large enough that you do not know everyone in the organization's multiple departments personally. To simplify account management, which of the following will you institute?
Group-based access control makes it easy to add or revoke permissions for multiple users by group rather than individually, saving you time and effort. It's also easier to understand the role that each user has in the organization if they are attached to a certain group.
For several years, system administrators at Develetech created individual user accounts and managed permission for each user separately. The company has grown to more than 100 employees and this is no longer a manageable solution. A system administrator from a larger company suggested that they should transition to separating users by job function. Which security control has the administrator suggested that they transition to?
Group-based access control. Managing group-based access rather than individual accounts makes user management easier and more scalable.
You have been asked to provide an account for an outside consultant, who needs limited access to the network. Which type of account will you give this person?
Guest accounts are provided to non-personnel who may need limited access to the network. People logging in as guests have almost no ability to create, modify, or delete files.
Develetech needs to implement a secure login solution for one of its government contract systems. One system administrator suggested using an encrypted code that is only good for a single user session. Which solution fulfills this suggestion for securing logins?
HMAC-based One-Time Password (HOTP) is an algorithm that generates one-time passwords from a keyed hash (HMAC) over a counter that advances with each use, so a captured code cannot be used again.
A system administrator found that several employees were using the company Virtual Private Network (VPN) for Internet access in the evenings, so the administrator decided to impose some extra security. Which security measure did the administrator use to eliminate the problem?
Imposed time-of-day restrictions. Time-of-day restrictions are the least intrusive remedy for those who connect to the network unnecessarily.
What would you do when asked to add two-factor authentication to each computer based on "something the users are?"
Install a fingerprint reader on each computer. "Something you are" includes fingerprints, retinal scans, voice prints, etc.
Which two biometric devices are the MOST similar to each other in terms of technique, accuracy, and the biometric factor measured?
Iris scanners and retina scanners scan the eye. They have a comparable level of accuracy and use a non-touch scanning technique.
Retinal scanners, while extremely accurate, bother some employees because the scanner must be so close to the eye. In addition, retinal patterns can change because of certain diseases. Which biometric alternative is equally accurate and much less susceptible to disease or damage?
Iris scanning happens farther from the eye, and the iris is much less likely to change because of disease.
What is the primary purpose for setting up Kerberos authentication?
It provides single sign-on (SSO): the user authenticates once and then obtains tickets for individual services without re-entering credentials. Kerberos was originally developed at MIT.
Which protocol would best serve to authorize users to access a network?
Kerberos is a network authentication protocol designed to provide strong authentication and confidentiality for client/server and multi-tier applications.
Which principle dictates that users and software should have the minimal level of access that is necessary for them to perform the duties required of them?
Least privilege. The principle of least privilege dictates that access should be granted only to the level required to perform the necessary task.
Which of the following principles do system administrators need to apply when determining what access and abilities accounts will receive?
Least privilege. Applying the principle of least privilege ensures that users will only have access to do what is required for their jobs.
Which protocol would best serve to authorize users to access directory services?
Lightweight Directory Access Protocol (LDAP) is a protocol for querying and modifying directory services, enabling clients to locate organizations, individuals, and other resources such as files and devices in a network.
Your company now has employees logging in from remote sites. To maintain security, what will you institute?
Location-based policies restrict both the physical and virtual locations from which users can gain access. Though this can be inconvenient for certain organizations with highly-mobile users, it can also increase security by ensuring that devices only within specific, approved locations can gain access to accounts.
Develetech has experienced many breach attempts that originate from foreign countries. The system administrator team has decided to set up some restrictive access rules to combat any possibilities of a breach. To reduce the possibility of breach attempts from foreign countries, what can the system administrators implement?
Location-based policies will limit the possibility that attackers from foreign Internet Protocol (IP) addresses can attempt to log in to the network.
Which measurement or biometric factor do security administrators look for MOST in their chosen access control methods?
A low Crossover Error Rate (CER). The CER is the point at which the FAR and FRR are equal; the lower that value, the more accurate the system, so a low CER indicates that the authentication system is running optimally.
Which of the following authentication protocols should NOT be used in a production environment?
MS-CHAP (including MS-CHAPv2) is vulnerable to brute force attacks against captured exchanges and should not be used.
Which access control model is based on a user's security clearance?
Mandatory Access Control (MAC) is based on a user's security clearance.
You are asked to protect a "Top Secret" file so that only specific individuals can access it. Which protection option will you use?
Mandatory Access Control (MAC) subjects are assigned a security level or clearance, and when they try to access an object, their clearance level must correspond to the object's security level.
You have been asked to provide a challenge-response protocol on your Active Directory network. What is MS-CHAP?
Microsoft's version of the Challenge Handshake Authentication Protocol
Which identity federation method is usually coupled with another to further strengthen security?
OAuth is an authorization framework and is usually coupled with another identity federation protocol, OpenID Connect (built on top of OAuth 2.0), to add a layer of authentication.
Which of the following is a challenge-response authentication protocol intended to provide security at every level (sign-in, access, etc.) of a Windows network, but has since been identified as vulnerable to brute force and pass the hash attacks?
NT LAN Manager (NTLM) is a challenge-response authentication protocol created by Microsoft for use in its products and initially released in early versions of Windows NT. Several weaknesses have been identified in NTLM, including its outdated hash algorithms (the NT hash is unsalted MD4), which are susceptible to brute force cracking attempts. NTLM is also vulnerable to pass the hash attacks, enabling attackers who steal the NTLM hashes to log in without actually knowing the passwords.
You need to be able to authenticate your users to a third-party service, but you need to keep your users' information (including their passwords) private. What solution would you implement?
Open Authorization (OAuth) is an open standard for token-based authentication and authorization on the Internet. OAuth allows an end user's account information to be used by third-party services without exposing the user's password.
You have been tasked with securing your company's internal, private web server, and authenticating users who access it using a secure, industry-standard method. What method will you use?
OpenID Connect (OIDC) OIDC is a protocol that allows web applications (also called relying parties, or RP) to authenticate users with an external server called the OpenID Connect Provider (OP).
If you only need to authenticate to a simple user name and password, what method can you use?
Password Authentication Protocol (PAP). PAP works like a standard login procedure; the remote system authenticates itself using a static user name and password combination.
Which of the following authentication protocols should one NEVER use due to it lacking encryption of any kind?
Password Authentication Protocol (PAP). PAP passes the user name and password in plaintext and is not secure.
Requiring users to create passwords that contain alphanumeric characters, punctuation or special characters, lowercase letters, and uppercase letters is known as what in Windows Local Security Policy?
Password complexity deals with many factors, such as types of characters required for a password. Complex passwords have many characters of many varieties.
Your organization forces you to reset your account password every so often. When resetting an account, your organization requires you to create a password that includes numbers, punctuation, uppercase letters, and lowercase letters. Having these requirements for password creation is known as what?
Password complexity requirements ensure a diversity of characters. Complex passwords are those that have a variety of character types, including numbers, punctuation, uppercase letters, and lowercase letters. Password length is also a feature of a complex password, with most logins requiring at least 8 characters.
Rather than ever removing a user account from Active Directory, some company administrators rely on which particular method to ensure that no one can log in to the account after it is no longer in use?
Account disablement (sometimes described as disabling the password). The account stays in the directory, but it cannot be used to log in, so even someone who knows the password cannot use it.
An employee is leaving the company. You have been asked to ensure that the employee will no longer be able to log in to their account. However, you need to keep the employee's files intact for a replacement hire. Which of the following will you use?
Account disablement (sometimes described as disabling the password). Disabling the account locks the user out, but leaves all the contents intact for the replacement hire.
You have been asked to ensure that users change their passwords every 180 days. To do that, which of the following will you set?
Password expiration sets the maximum password age: when the user's current password expires and how often a password will need to be changed again (here, every 180 days).
System administrators at Develetech decided to implement a new policy that requires users to change their passwords every 90 days. What is this policy known as?
Password expiration requires that the users change passwords on a timetable set by the system administrator. This helps increase security by ensuring the password does not remain the same for too long.
You have been asked to ensure that users cannot simply switch between a series of passwords instead of creating a truly unique one every time they're required to change their password. You might set a group policy concerning which of the following?
Password history dictates the number of old passwords the system remembers in order to ensure users aren't just reusing the same password or set of passwords every time they are forced to change it. Password history forces a user to utilize a password they haven't used before.
Some administrators configure their Active Directory policy so that a certain number of passwords are remembered to prevent their reuse. What is this policy known as in Active Directory?
Password history is a defined parameter in Active Directory and in most other user databases. It is the number of old passwords the system "remembers" so that they cannot be reused.
You have been asked to ensure that users do not reuse old passwords when changing them. Which of the following will you use?
Password history is the number of old passwords the system "remembers" so that they cannot be reused.
You have been asked to ensure that passwords will be hard to break, even via brute forcing character combinations. You've already added a policy for password complexity, requiring users to have passwords with uppercase letters, lowercase letters, numbers, and punctuation. What other policy should you set to make it difficult to effectively brute force users' passwords?
Password length. Setting a minimum password length ensures it is more difficult to crack through brute forcing. The longer and more complex a password, the longer it will take to break.
There are certain parameters that administrators set to assist users in creating sufficiently unguessable and uncrackable passwords. One such parameter is complexity. To enforce the use of a range of complexity, what else must an administrator enforce to ensure that complex passwords are used?
Password length. Complexity rules only govern the variety of characters; a separate minimum length (commonly at least eight characters) must be enforced, or users can satisfy the complexity rule with a very short password.
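The three password controls covered in the preceding cards (complexity, history and minimum length) combined into one checker, as an added example that is not part of the original study material. It reports every rule a candidate password breaks, keeps the history as salted PBKDF2 hashes rather than plaintext (a constructed storage scheme for this example; Active Directory keeps its own history format), and includes a keyspace estimate that shows why length does more for brute-force resistance than character variety. The thresholds, the guess rate and the sample passwords are assumptions.

```python
import hashlib
import hmac
import os
import string
from typing import List, Tuple

HistoryEntry = Tuple[bytes, bytes]      # (salt, derived key) for one previous password
PBKDF2_ROUNDS = 50_000                  # assumed work factor for the history store


class PasswordPolicy:
    """Minimum length, character-class complexity and password history, checked together."""

    CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)

    def __init__(self, min_length: int = 8, classes_required: int = 3, history_size: int = 24):
        self.min_length = min_length
        self.classes_required = classes_required
        self.history_size = history_size

    def remember(self, password: str) -> HistoryEntry:
        """Record a password the user has used, as a salted hash, never as plaintext."""
        salt = os.urandom(16)
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def in_history(self, password: str, history: List[HistoryEntry]) -> bool:
        """Compare against only the last `history_size` entries, as the policy remembers."""
        for salt, key in history[-self.history_size:]:
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
            if hmac.compare_digest(candidate, key):
                return True
        return False

    def violations(self, password: str, history: List[HistoryEntry]) -> List[str]:
        """Return the names of every rule the password breaks (empty list = acceptable)."""
        problems = []
        if len(password) < self.min_length:
            problems.append("length")
        classes = sum(any(ch in cls for ch in password) for cls in self.CLASSES)
        if classes < self.classes_required:
            problems.append("complexity")
        if self.in_history(password, history):
            problems.append("history")
        return problems


def brute_force_seconds(length: int, charset_size: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to exhaust the keyspace at an assumed cracking rate."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, classes_required=3, history_size=3)
    history = [policy.remember("OldPass1!"), policy.remember("OldPass2!")]   # constructed
    for pw in ("short1!", "alllowercase", "OldPass1!", "Fresh-Pass-2024"):
        print(f"{pw!r:20} -> {policy.violations(pw, history) or 'OK'}")
    print("8 chars / 94 symbols :", round(brute_force_seconds(8, 94) / 86400, 1), "days")
    print("12 chars / 94 symbols:", round(brute_force_seconds(12, 94) / 86400 / 365), "years")
```

Each added character multiplies the keyspace by the charset size, so going from 8 to 12 characters costs the attacker a factor of 94^4 at the same rate, which is far more than any complexity rule adds.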
What is the only non-invasive recourse for retrieving a lost administrator password?
Password recovery is the only method that can retrieve, or possibly retrieve, a lost password without invasively prying into a system or account to determine one. Recovery can often be done by the user themselves via a password reset or security question.
You have been asked to take over as the administrator for an online application used by your organization, but the current administrator cannot remember the administrator password. What will you need to use in this case?
Password recovery lets you retrieve a lost or forgotten password from a system or application. It often involves answering security questions or having the system email a temporary password to the email address attached to the account to reset the password.
Having been asked to add multi-factor authentication to each computer, you might start with something the user knows and set up what?
Password requirements for each user's login. "Something the user knows" is generally a password, or the answer to a secret question; the knowledge required is specific to the user.
Some users at Develetech were found to be breaking policy by changing their passwords to previously-used passwords that had expired. The administrators set a new policy to remedy this security violation. What is the new policy called?
Password reuse. The administrators place a password reuse restriction by having the system "remember" a certain number of passwords. This disallows individuals from reusing previous passwords.
Which of the following is a formal review of the access levels for an account?
Permission audit is a review of the permissions granted to a class or user to assure that those permissions are still relevant and reasonable to the job at hand.
Which task should be regularly performed by security personnel to ensure that the principle of least privilege is being adhered to and to check for unauthorized privileged escalation?
Permission auditing and review. Privilege management should include auditing and review components to track privilege use and privilege escalation.
A new system administrator has joined the Develetech IT department and needs to be onboarded. Which type of account does the new employee ultimately gain access to as part of the onboarding process?
Privileged account. System administrators require privileged accounts to be able to fix system problems. Typically, they all have standard user accounts and can then elevate their privileges through a privileged account.
You need to authenticate managers, but you have been asked to make it as simple for them as possible. One way is to set up authentication so that all a person has to do is approach the computer, and it will recognize them and log them in. Which of the following is a method to accomplish this?
Proximity cards simply require the card to be within a set physical distance from the computer. All the other methods require some sort of activation process on the part of the user.
A system administrator wants a more convenient method of moving between security zones at work. The administrator wants to move freely without having to authenticate via a retina scanner or other interactive means. Which solution will work?
Proximity cards use location to authenticate the bearer of a card.
Which of the following is NOT an example of a "something you are" access control mechanism?
Proximity cards use location to authenticate the bearer of a card. They are not something you are; they are something you have.
Which of the following is NOT a feature of Remote Authentication Dial-In User Service (RADIUS)?
RADIUS does allow an organization to maintain and manage user profiles within a central database.
You have been asked to provide authentication, authorization, and accounting for dial-up users. Which solution will you consider?
Remote Authentication Dial-In User Service (RADIUS) provides centralized authentication, authorization, and accounting (AAA) management for users who connect and use a network service. Although it was originally designed for dial-up services, it has been adapted for standard network access as well.
Develetech senior database administrators have decided to lock down access to proprietary databases. Which method did they select that allows for high security but also for ease of maintenance?
Role-based Access Control (RBAC) allows administrators to assign roles to users that grant permissions based on job function.
You are asked to set up access based on each person's position in the company. Which method will you use?
Role-based Access Control subjects are assigned to predefined roles, and network objects are configured to allow access only to specific roles. Access is controlled based on a subject's assigned role.
A new group of employees has started at Develetech and the system administrator assigns privileges based on each employee's job title or job function. Which access control model is the administrator using?
Role-based access control (RBAC) is based on a person's job or role.
A system administrator does not want any employee logging in to critical systems on weekends, so the administrator implements an access control to prevent it. Which access control did the administrator implement?
Rule-based Access Control. The administrator created a rule that denies access during the weekend.
You have to limit access to a database to certain hours of the day. Which method will you use?
Rule-based Access Control: access is controlled by a set of rules. Access to resource objects is allowed or denied based on a set of rules defined by a system administrator.
You need to provide Extensible Markup Language (XML)-based security between your network and your outsourced Virtual Private Network (VPN) service. Which product will you choose?
Security Assertion Markup Language (SAML) is an XML-based, open-standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.
How is Security Assertion Markup Language (SAML) information communicated?
Security Assertion Markup Language (SAML) uses assertions over a secure HTTP connection. These assertions convey the identity of subjects and authorization decisions about the access level of the subjects.
You have created a new database server. To allow automated systems to access and maintain the new database, which type of account will you create?
Service accounts are used for programs that need limited access to certain system assets.
A student was hired to create new user accounts at Develetech. This student needs to create multiple accounts on a *nix (Unix-like) system to supply a non-interactive shell to multiple applications. Which type of account does the student need to create?
Service accounts are used to grant a computer limited access to other systems and resources for the purpose of fulfilling that computer's specific duties. Service accounts help maintain security by ensuring a computer only has the permissions and access needed to do its job, instead of just granting full access to another system.
You have been asked to set up a system that allows people to log in based only on where they are. What would you do?
Set up a system that verifies the person's Internet Protocol (IP) address or Global Positioning System (GPS) coordinates.
Your company has purchased two other companies. You are tasked with consolidating software so that any user logged in to any of these three companies can run the software. What action should you take?
Set up federated identity management with all three companies (Federated identity management provides coordinated login information across disparate systems.)
What account type is typically associated with a specific role or purpose, but not with a specific user or computer?
Shared accounts are typically associated with a specific role or purpose that many users can share, as opposed to traditional unshared accounts that are accessed by a single user or resource.
On most production systems, which type of account does NOT exist?
Shared accounts are typically not allowed on production systems. These are accounts accessed by more than one user or resource and, likewise, not associated with any one individual. Shared accounts are an inherent security risk because many individuals use and manage a single account and its activities.
Which account type is accessed by more than one user or resource, and is not associated with any one individual?
Shared or generic accounts are accessed by more than one user or resource. Unlike traditional unshared accounts, they are not associated with any one individual. Shared accounts are typically associated with a specific role or purpose that many users can share for a variety of reasons.
In terms of a general description, what is Shibboleth?
Shibboleth provides standard web-based SSO services that adhere to standards and support services outside of a user's organization.
You have been asked to provide single sign-on (SSO) capabilities for all your systems. What does this mean?
Signing on to any system gives you access to everything you need.
Which of the following is a subset of identity federation that eliminates the need to sign in to federated systems more than once?
Single sign-on (SSO) eliminates the need for re-authentication.
You have been asked to implement a commonly available token-based authentication method. Which method will you choose?
Smart cards are a common example of token-based authentication. A smart card is a plastic card containing an embedded computer chip that can store different types of electronic information.
To secure the company website, the webmaster suggests that the company purchase a secure certificate to encrypt all communications to and from the site. A certificate is which type of secure token?
Software. A certificate is a software token.
Which authentication factor is a retina scan?
Something you are (Your retina never changes; it is something you are.)
To log in to Develetech's proprietary development system, the user must use a specific keystroke pattern that changes each week. Which authentication factor have they implemented?
Something you do (Entering this particular key sequence is the factor, and it is something you do.)
A security administrator wants company employees to carry a key fob that generates random numbers for a second factor when logging in to systems and for accessing external doors. What is this second factor known as?
Something you have (The key fob is something you have, a physical device that must be carried and used each time an authentication event is started.)
A security administrator has set up a wireless perimeter at Develetech to connect to employee badges so that their proximity to sensors will allow them into the building and into secure areas, if permitted. Which authentication factor is the administrator using?
Somewhere you are (The badge and sensors are proximity based; therefore, their location is important for authentication.)
A new system administrator created a batch of new user accounts using the first letter of the first name and the first seven letters of the last name. What is this pattern of consistency in account creation known as?
Standard naming convention. Having a consistent process for naming accounts helps future administrators maintain order in large user databases such as Active Directory.
Your company is merging with another, and there is no consistency in what accounts are called. Which of the following will you institute to fix this issue?
Standard naming conventions dictate a uniform method of nomenclature for accounts. For example, if your convention is to name users in your domain firstname.lastname, then Nora Lenderbee's account would be nora.lenderbee, not nlenderbee.
You have been asked to implement an 802.11-based security protocol. Which protocol will you choose?
Temporal Key Integrity Protocol (TKIP) is a security protocol created by the Institute of Electrical and Electronics Engineers (IEEE) 802.11i task group to replace Wired Equivalent Privacy (WEP).
If you want to encrypt all authorization information as it passes through your network, what could you use?
Terminal Access Controller Access Control System Plus (TACACS+) encrypts not only the user's password, but also the user name, authorization, and accounting information.
Which current authentication protocol works on multiple platforms and encrypts the entire authentication process?
Terminal Access Controller Access Control System Plus (TACACS+) is a currently used, multi-platform protocol (Windows, Linux, etc.) and encrypts the entire authentication process.
You need to establish federated identity-based authentication and authorization on your network. Which solution will you decide to implement?
The Shibboleth Internet2 middleware initiative created an architecture and open-source implementation for identity management and federated identity-based authentication and authorization (or access control) infrastructure based on Security Assertion Markup Language (SAML).
What is the advantage of using a secure token in authentication schemes?
They can only be used once for a short time period, which makes secure tokens very secure.
You have been asked to implement a messaging system that uses a time-sensitive authentication code. Which method will you choose?
Time-based One-time Password (TOTP) adds a time-based factor to one-time password authentication using a Hash-based Message Authentication Code (HMAC). If a one-time password is not used within the specified time (e.g., 60 seconds), it becomes invalid.
Which of the following will prevent a user from logging in when that user is not working?
Time-of-day restrictions restrict an account's access to only certain times of the day, when the employee is working.
During the offboarding process for an employee leaving an organization, which of the following is the most important reason to disable or remove a user's accounts?
To prevent that user's account from becoming an attack vector. Disabling and/or removing accounts ensures disgruntled employees, or even those with overlapping personal and business accounts, cannot negatively impact organization systems on purpose or accidentally.
You have been asked to verify the user's login by something they do. What would you ask the user to do?
Tracing a pattern on your screen (either with the mouse or your finger) is both easier to do and much harder to spoof than the other answers. Microsoft currently gives you the ability to use this technique to sign in to your computer.
A system administrator suspects that a developer may be exfiltrating data by logging in to the systems at odd hours during the night. Which practice can determine if the user is exfiltrating data or if there has been a compromise?
Usage auditing will tell the system administrator when the user logs in and what the user is doing while logged in.
Which account type is limited in privileges, especially when it comes to privileges reserved for IT members, and is provided to most general employees of an organization?
User accounts are the standard account type for general users in your organization. These accounts are almost always limited in privileges, especially when it comes to privileges reserved for IT members (e.g., full administrative access to servers). Most general, non-IT personnel in an organization will use this type of account.
You have been asked to provide a biometric security system for managers in their offices. Some of them object to having their fingerprints on file. Which alternative meets these requirements?
Voice recognition is a biometric authentication system that does not require recording the user's fingerprints.