Chap 8 Q/A
11. Charles has implemented LDAP for his organization. What type of service has he enabled? A. A federation B. A directory service C. An attestation service D. A biometric identity provider
B. A directory service LDAP, the Lightweight Directory Access Protocol, is an open industry standard for directory services. LDAP is not itself a federation or an attestation service, nor does it provide biometric authentication services.
15. Password complexity, password history, and password reuse are all examples of what? A. Account audits B. Account policies C. Access policies D. Credential attributes
B. Account policies Account policies include password complexity requirements; password history to prevent password reuse; and the time of day, geolocation, and similar settings that control elements of an account. Account audits check settings and account status. Access policies determine who can use systems or devices and other related items. Credential attributes is a made-up phrase for this question and the phrase does not appear in the Security+ exam outline.
16. Scott wants to allow users to bring their own credentials to his website so that they can log in using a Google or Microsoft account without giving him their passwords. What protocol can he use that will allow those users to grant the website access to their information? A. Kerberos B. OAuth C. RADIUS D. OpenID
D. OpenID OAuth is a protocol designed to allow users to grant thirdparty sites access to their information without providing that site with their password. It is typically used by OpenID identity providers to provide both authentication and authorization. Neither Kerberos nor RADIUS fits these requirements.
18. Nina's organization uses SSH keys to provide secure access between systems. Which of the following is not a common security concern when using SSH keys? A. Inadvertent exposure of the private key B. Weak passwords/passphrases C. SSH key sprawl D. Weak encryption
D. Weak encryption Inadvertent exposure of private keys via upload to a service like GitHub; poor handling of the private key in user directories; use of weak or reused passwords and passphrases; and key sprawl, in which keys are used broadly across an organization, are all common concerns. Weak encryption is not a typical concern with the use of SSH, since it implements modern strong encryption.
12. A PIN is an example of what type of factor? A. Something you know B. Something you are C. Something you have D. Something you set
A. Something you know PINs and passwords are both examples of something you know. Something you set is not a type of factor. Biometric factors are an example of something you are, and a physical USB token would be a common example of something you have.
6. Samantha wants to set an account policy that ensures that devices can be used only while the user is in the organization's main facility. What type of account policy should she set? A. Time of day B. Geofencing C. Time-based logins D. Impossible travel time
B. Geofencing Geofencing sets a geographic boundary that can be used as part of a ruleset. In this case, Samantha should set the ruleset to prevent devices from allowing users to use them when they are outside of the geofenced area. Time-of-day limitations and timebased logins are both related account policies that are used to ensure that users cannot log in when they shouldn't be at work. This can prevent compromised credential reuse and insider threat abuses during off-hours. Finally, impossible travel time is a type of geographic login data usage that maps when logins occur and compares them to the distance between them. If the time is impossible, with a login in China 5 minutes after one in the United States, for example, the login may be reported and stopped.
7. Michelle enables the Windows 10 picture password feature to control logins for her laptop. Which type of attribute will it provide? A. Somewhere you are B. Something you can do C. Something you exhibit D. Someone you know
B. Something you can do Picture password asks users to click on specific, self-defined parts of a picture. This means that clicking on those points is something you can do. Somewhere you are involves a location, something you exhibit is typical of personality traits, and someone you know would involve a third party, which can be useful for verification when someone can't otherwise prove their identity!
8. What is a HSM used for? A. To capture biometric enrollment data B. To generate, manage, and securely store cryptographic keys C. To generate one-time passwords via a time-based code algorithm D. To enable federation between organizations
B. To generate, manage, and securely store cryptographic keys Hardware security modules (HSMs) are used to create, securely store, and manage digital signatures, cryptographic key pairs, and other cryptographic functions. They are not used for biometric enrollment data, to enable federation, or to generate one-time passwords.
19. A person's name, age, location, or job title are all examples of what? A. Biometric factors B. Identity factors C. Attributes D. Account permissions
C. Attributes A person's name, age, location, job title, and even things like their height or hair color are all attributes that may be associated with a person's identity. None of these describe biometric factors used for authentication, and identity factors are something you know, something you are, or something you have. Account permissions determine what you can do, not attributes like these.
20. What type of access control scheme best describes the Linux filesystem? A. MAC B. RBAC C. DAC D. ABAC
C. DAC Linux users can change who can read, write, or execute files and directories they own, which is discretionary access control (DAC). Mandatory access control (MAC) would enforce settings set by the systems administrator without users having the rights to make their own decisions. Rule-based access control (RBAC) and attribute-based access control (ABAC) are not a default method for setting rights for the Linux filesystem.
13. Melissa is planning on implementing biometric authentication on her network. Which of the following should be a goal for any biometric solution she selects? A. High FRR, low FAR B. High FAR, low FRR C. Low CER D. High CER
C. Low CER A low crossover error rate will ensure that there's a low false rejection rate and a low false acceptance rate. The other options each have a high element, which isn't desirable.
9. Theresa wants to implement an access control scheme that sets permissions based on what the individual's job requires. Which of the following schemes is most suited to this type of implementation? A. ABAC B. DAC C. RBAC D. MAC
C. RBAC Role-based access control (RBAC) sets permissions based on an individual's role, which is typically associated with their job. Attribute-based access control (ABAC) is typically matched to attributes other than the job role. Discretionary access control (DAC) and mandatory access control (MAC) are commonly implemented at the operating system level.
17. Trevor is deploying the Google Authenticator mobile application for use in his organization. What type of one-time password system does Google Authenticator use in its default mode? A. HMAC-based one-time passwords B. SMS-based one-time passwords C. Time-based one-time passwords D. Static codes
C. Time-based one-time passwords Google Authenticator implements time-based one-time passwords, with continuously generated codes provided to the user that expire and are refreshed on an ongoing basis.
14. What type of attack does an account lockout policy help to prevent? A. Stolen password B. Race conditions C. Buffer overflows D. Brute force
D. Brute force Account lockout policies lock out an account after a specific number of failed login attempts. This type of response helps to prevent brute-force attacks by stopping them from using repeated attempts until they can successfully log in.
10. Which of the following biometric technologies is most broadly deployed due to its ease of use and acceptance from end users? A. Voice print recognition B. Gait recognition C. Retina scanners D. Fingerprint scanner
D. Fingerprint scanner Fingerprint scanners are found on many mobile devices and laptops, making it one of the most broadly deployed biometric technologies. Facial recognition is also broadly deployed, but it is not offered as an option.
