Chapter 2 SP
When configuring settings in a mandatory access control environment, which of the following specifies the subjects that can access specific data objects?
Administrator
A security analyst is mitigating a pass-the-hash vulnerability on a Windows infrastructure. Given the requirement, which of the following should the security analyst do to MINIMIZE the risk?
Disable NTLM
Which of the following is the MAIN disadvantage of using SSO?
The architecture can introduce a single point of failure
A call center company wants to implement a domain policy primarily for its shift workers. The call center has large groups with different user roles. Management wants to monitor group performance. Which of the following is the BEST solution for the company to implement?
Time-of-day restrictions
Which of the following BEST describes the purpose of authorization?
Authorization provides permissions to a resource and comes after authentication.
Which of the following are considered to be "something you do"? (Choose two.)
-Handwriting -Gait
Which of the following would enhance the security of accessing data stored in the cloud? (Select TWO)
-SAML authentication -Multifactor authentication
A company has three divisions, each with its own networks and services. The company decides to make its secure web portal accessible to all employees utilizing their existing usernames and passwords. The security administrator has elected to use SAML to support authentication. In this scenario, which of the following will occur when users try to authenticate to the portal? (Select two.)
-The portal will function as a service provider and request an authentication assertion. -The back-end networks will function as an identity provider and issue an authentication assertion.
Developers are planning to develop an application using role-based access control. Which of the following would they MOST likely include in their planning?
A matrix of functions matched with their required privileges
Which of the following represents a multifactor authentication system?
A one-time password token combined with a proximity badge.
Which of the following would meet the requirements for multifactor authentication?
Fingerprint and password
The IT department needs to prevent users from installing untested applications. Which of the following would provide the BEST solution?
Least privilege
Which of the following would be considered multifactor authentication?
Strong password and fingerprint
A systems developer needs to provide machine-to-machine interface between an application and a database server in the production environment. This interface will exchange data once per day. Which of the following access control account practices would BEST be used in this situation?
Use a service account and prohibit users from accessing this account for development work.
Multiple organizations operating in the same vertical want to provide seamless wireless access for their employees as they visit the other organizations. Which of the following should be implemented if all the organizations use the native 802.1x client on their mobile devices?
RADIUS federation
A system administrator wants to provide for and enforce wireless access accountability during events where external speakers are invited to make presentations to a mixed audience of employees and non-employees. Which of the following should the administrator implement?
Sponsored guest
You are the security administrator for your company, and the IT manager has asked you to brief him on XML authentication methods. Which of the following should you tell him uses XML-based authentication? Select all that apply:
-TOTP -Federation services -SAML
Which of the following is an example of federated access management?
Using a popular website login to provide access to another website
Which of the following technologies employ the use of SAML? (Select two.)
-Single sign-on -Federation
An organization has hired a new remote workforce. Many new employees are reporting that they are unable to access the shared network resources while traveling. They need to be able to travel to and from different locations on a weekly basis. Shared offices are retained at the headquarters location. The remote workforce will have identical file and system access requirements, and must also be able to log in to the headquarters location remotely. Which of the following BEST represent how the remote employees should have been set up initially? (Choose two.)
-Group-based access control -Individual accounts
A systems administrator has been assigned to create accounts for summer interns. The interns are only authorized to be in the facility and operate computers under close supervision. They must also leave the facility at designated times each day. However, the interns can access intern file folders without supervision. Which of the following represents the BEST way to configure the accounts? (Select TWO.)
-Implement time-of-day restrictions. -Enforce least privilege.
An administrator is implementing a secure web server and wants to ensure that if the web server application is compromised, the application does not have access to other parts of the server or network. Which of the following should the administrator implement? (Choose two.)
-Mandatory access control -Rule-based access control
While reviewing the security controls in place for a web-based application, a security controls assessor notices that there are no password strength requirements in place. Because of this vulnerability, passwords might be easily discovered using a brute force attack. Which of the following password requirements will MOST effectively improve the security posture of the application against these attacks? (Select two)
-Minimum complexity -Minimum length
A security manager is creating an account management policy for a global organization with sales personnel who must access corporate network resources while traveling all over the world. Which of the following practices is the security manager MOST likely to enforce with the policy? (Select TWO)
-Password complexity -Group-based access control
Despite having implemented password policies, users continue to set the same weak passwords and reuse old passwords. Which of the following technical controls would help prevent these policy violations? (Select two.)
-Password complexity -Password history
A company has migrated to two-factor authentication for accessing the corporate network, VPN, and SSO. Several legacy applications cannot support multifactor authentication and must continue to use usernames and passwords. Which of the following should be implemented to ensure the legacy applications are as secure as possible while ensuring functionality? (Choose two.)
-Password complexity requirements -Account disablement
When attempting to secure a mobile workstation, which of the following authentication technologies rely on the user's physical characteristics? (Select TWO)
-Retina scan -Fingerprint scan
A chief Financial Officer (CFO) has asked the Chief Information Officer (CISO) to provide responses to a recent audit report detailing deficiencies in the organization security controls. The CFO would like to know ways in which the organization can improve its authorization controls. Given the request by the CFO, which of the following controls should the CISO focus on in the report? (Select Three)
-Role-based permissions -Separation of duties -Lease privilege
An organization would like to allow employees to use their network username and password to access a third-party service. The company is using Active Directory Federated Services for their directory service. Which of the following should the company ensure is supported by the thirdparty? (Select TWO.)
-SAML -Kerberos
Which of the following are the characteristics of a third-party to third-party authentication protocol that uses XML based authentication? Select the best three answers:
-Single sign on (SSO) -SAML -Federation services
A security administrator needs to configure remote access to a file share so it can only be accessed between the hours of 9:00 a.m. and 5:00 p.m. Files in the share can only be accessed by members of the same department as the data owner. Users should only be able to create files with approved extensions, which may differ by department. Which of the following access controls would be the MOST appropriate for this situation?
ABAC
During a routine audit, it is discovered that someone has been using a stale administrator account to log into a seldom used server. The person has been using the server to view inappropriate websites that are prohibited to end users. Which of the following could best prevent this from occurring again?
Account expiration policy
A network administrator is brute forcing accounts through a web interface. Which of the following would provide the BEST defense from an account password being discovered?
Account lockout
Stan notices there are several user accounts on the local network generating spam with embedded malicious code. Which of the following technical control should Stan put in place to BEST reduce these incidents?
Account lockout
A security technician is configuring an access management system to track and record user actions. Which of the following functions should the technician configure?
Accounting
A small- to medium-sized company wants to block the use of USB devices on its network. Which of the following is the MOST cost-effective way for the security analyst to prevent this?
Apply a GPO
Which of the following implements two-factor authentication?
At ATM requiring a credit card and PIN
During an application design, the development team specifics a LDAP module for single sign-on communication with the company's access control database. This is an example of which of the following?
Authentication
Which of the following access management concepts is MOST closely associated with the use of a password or PIN??
Authentication
An auditor has identified an access control system that can incorrectly accept an access attempt from an unauthorized user. Which of the following authentication systems has the auditor reviewed?
Biometric-based
A security administrator is tasked with implementing centralized management of all network devices. Network administrators will be required to logon to network devices using their LDAP credentials. All command executed by network administrators on network devices must fall within a preset list of authorized commands and must be logged to a central facility. Which of the following configuration commands should be implemented to enforce this requirement?
CN=company, CN=com, OU=netadmin, DC=192.32.10.233
An organization needs to integrate with a third-party cloud application. The organization has 15000 users and does not want to allow the cloud provider to query its LDAP authentication server directly. Which of the following is the BEST way for the organization to integrate with the cloud application?
Configure a RADIUS federation between the organization and the cloud provider.
A security administrator returning from a short vacation receives an account lock-out message when attempting to log into the computer. After getting the account unlocked the security administrator immediately notices a large amount of emails alerts pertaining to several different user accounts being locked out during the past three days. The security administrator uses system logs to determine that the lock-outs were due to a brute force attack on all accounts that has been previously logged into that machine. Which of the following can be implemented to reduce the likelihood of this attack going undetected?
Continuous monitoring
A new intern in the purchasing department requires read access to shared documents. Permissions are normally controlled through a group called "Purchasing", however, the purchasing group permissions allow write access. Which of the following would be the BEST course of action?
Create a new group that has only read permissions for the files.
An organization uses SSO authentication for employee access to network resources. When an employee resigns, as per the organization's security policy, the employee's access to all network resources is terminated immediately. Two weeks later, the former employee sends an email to the help desk for a password reset to access payroll information from the human resources server. Which of the following represents the BEST course of action?
Deny the former employee's request, as a password reset would give the employee access to all network resources.
A group of developers is collaborating to write software for a company. The developers need to work in subgroups and control who has access to their modules. Which of the following access control methods is considered usercentric?
Discretionary
A security administrator wants to implement a company-wide policy to empower data owners to manage and enforce access control rules on various resources. Which of the following should be implemented?
Discretionary access control
An organization is trying to decide which type of access control is most appropriate for the network. The current access control approach is too complex and requires significant overhead. Management would like to simplify the access control and provide user with the ability to determine what permissions should be applied to files, document, and directories. The access control method that BEST satisfies these objectives is:
Discretionary access control
A security administrator is evaluating three different services: radius, diameter, and Kerberos. Which of the following is a feature that is UNIQUE to Kerberos?
It uses tickets to identify authenticated users
A business sector is highly competitive, and safeguarding trade secrets and critical information is paramount. On a seasonal basis, an organization employs temporary hires and contractor personnel to accomplish its mission objectives. The temporary and contract personnel require access to network resources only when on the clock. Which of the following account management practices are the BEST ways to manage these accounts?
Employ time-of-day restrictions.
A company recently installed fingerprint scanners at all entrances to increase the facility's security. The scanners were installed on Monday morning, and by the end of the week it was determined that 1.5% of valid users were denied entry. Which of the following measurements do these users fall under?
FRR
A company is developing a new system that will unlock a computer automatically when an authorized user sits in front of it, and then lock the computer when the user leaves. The user does not have to perform any action for this process to occur. Which of the following technologies provides this capability?
Facial recognition
Company A has acquired Company B. Company A has different domains spread globally, and typically migrates its acquisitions infrastructure under its own domain infrastructure. Company B, however, cannot be merged into Company A's domain infrastructure. Which of the following methods would allow the two companies to access one another's resources?
Federation
An application team is performing a load-balancing test for a critical application during off-hours and has requested access to the load balancer to review which servers are up without having the administrator on call. The security analyst is hesitant to give the application team full access due to other critical applications running on the load balancer. Which of the following is the BEST solution for security analyst to process the request?
Give the application team read-only access.
A user is presented with the following items during the new-hire onboarding process: ̶ Laptop ̶ Secure USB drive ̶ Hardware OTP token ̶ External high-capacity HDD ̶ Password complexity policy ̶ Acceptable use policy ̶ HASP key ̶ Cable lock Which of the following is one component of multifactor authentication?
Hardware OTP token
An organization requires users to provide their fingerprints to access an application. To improve security, the application developers intend to implement multifactor authentication. Which of the following should be implemented?
Have users sign their name naturally
Which of the following is the proper order for logging a user into a system from the first step to the last step?
Identification, authentication, authorization
A company is deploying a file-sharing protocol access a network and needs to select a protocol for authenticating clients. Management requests that the service be configured in the most secure way possible. The protocol must also be capable of mutual authentication, and support SSO and smart card logons. Which of the following would BEST accomplish this task?
Implement Kerberos
A company offers SaaS, maintaining all customers' credentials and authenticating locally. Many large customers have requested the company offer some form of federation with their existing authentication infrastructures. Which of the following would allow customers to manage authentication and authorizations from within their existing organizations?
Implement SAML so the company's services may accept assertions from the customers' authentication servers.
An organization finds that most help desk calls are regarding account lockout due to a variety of applications running on different systems. Management is looking for a solution to reduce the number of account lockouts while improving security. Which of the following is the BEST solution for this organization?
Implement SSO (Same Sign-On)
You are the security administrator for a multinational corporation based in Miami, and your company has recently suffered a replay attack. After learning the lessons following the attack learned, you have decided to use a protocol that uses time stamps and USN to prevent replay attacks. Which of the following protocols is being implemented here? Select the best answer:
Kerberos
A security analyst is hardening an authentication server. One of the primary requirements is to ensure there is mutual authentication and delegation. Given these requirements, which of the following technologies should the analyst recommend and configure?
Kerberos services
A systems administrator has created network file shares for each department with associated security groups for each role within the organization. Which of the following security concepts is the systems administrator implementing?
Least privilege
Company policy requires the use if passphrases instead if passwords. Which of the following technical controls MUST be in place in order to promote the use of passphrases?
Length
A user has attempted to access data at a higher classification level than the user's account is currently authorized to access. Which of the following access control models has been applied to this user's account?
MAC
A systems administrator is configuring a system that uses data classification labels. Which of the following will the administrator need to implement to enforce access control?
Mandatory access control
A network administrator was concerned during an audit that users were able to use the same passwords the day after a password change policy took effect. The following settings are in place: ― Users must change their passwords every 30 days ― Users cannot reuse the last 10 passwords Which of the following settings would prevent users from being able to immediately reuse the same passwords?
Minimum password age of five days
A web developer improves client access to the company's REST API. Authentication needs to be tokenized but not expose the client's password. Which of the following methods would BEST meet the developer's requirements?
OAuth
Which of the following uses tokens between the identity provider and the service provider to authenticate and authorize users to resources?
OAuth
A company that is allowing people to access their internet application wants the people who log into the application to use an account managed by someone else. An example of such an arrangement is using their Facebook account with a technology called Open ID Connect. Which of the following protocols is this based on? Select the best choice:
OAuth 2.0
An organization wants to utilize a common, Internet-based third-party provider for authorization and authentication. The provider uses a technology based on OAuth 2.0 to provide required services. To which of the following technologies is the provider referring?
Open ID Connect
The help desk is receiving numerous password change alerts from users in the accounting department. These alerts occur multiple times on the same day for each of the affected users' accounts. Which of the following controls should be implemented to curtail this activity?
Password Minimum age
A security team has downloaded a public database of the largest collection of password dumps on the Internet. This collection contains the cleartext credentials of every major breach for the last four years. The security team pulls and compares users' credentials to the database and discovers that more than 30% of the users were still using passwords discovered in this list. Which of the following would be the BEST combination to reduce the risks discovered?
Password reuse, password complexity, password expiration
An organization has an account management policy that defines parameters around each type of account. The policy specifies different security attributes, such as longevity, usage auditing, password complexity, and identity proofing. The goal of the account management policy is to ensure the highest level of security while providing the greatest availability without compromising data integrity for users. Which of the following account types should the policy specify for service technicians from corporate partners?
Privileged user account
An organization plans to implement multifactor authentication techniques within the enterprise network architecture. Each authentication factor is expected to be a unique control. Which of the following BEST describes the proper employment of multifactor authentication?
Proximity card, fingerprint scanner, PIN
A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA?
Push notifications
A systems administrator wants to implement a wireless protocol that will allow the organization to authenticate mobile devices prior to providing the user with a captive portal login. Which of the following should the systems administrator configure?
RADIUS federation
A Chief Executive Officer (CEO) suspects someone in the lab testing environment is stealing confidential information after working hours when no one else is around. Which of the following actions can help to prevent this specific threat?
Require swipe-card access to enter the lab.
Which of the following is a compensating control that will BEST reduce the risk of weak passwords?
Requiring the use of one-time tokens
A system uses an application server and database server. Employing the principle of least privilege, only database administrators are given administrative privileges on the database server, and only application team members are given administrative privileges on the application server. Audit and log file reviews are performed by the business unit (a separate group from the database and application teams). The organization wants to optimize operational efficiency when application or database changes are needed, but it also wants to enforce least privilege, prevent modification of log files, and facilitate the audit and log review performed by the business unit. Which of the following approaches would BEST meet the organization's goals?
Restrict privileges on the log file directory to "read only" and use a service account to send a copy of these files to the business unit.
Which of the following allows an application to securely authenticate a user by receiving credentials from a web domain?
SAML
Which of the following is commonly used for federated identity management across multiple organizations?
SAML
A company wants to implement an access management solution that allows employees to use the same usernames and passwords for multiple applications without having to keep multiple credentials synchronized. Which of the following solutions would BEST meet these requirements?
SSO
A security administrator is developing training for corporate users on basic security principles for personal email accounts. Which of the following should be mentioned as the MOST secure way for password recovery?
Sending a PIN to a smartphone through text message
A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the systems administrator using?
Service account
While reviewing system logs, a security analyst notices that a large number of end users are changing their passwords four times on the day the passwords are set to expire. The analyst suspects they are cycling their passwords to circumvent current password controls. Which of the following would provide a technical control to prevent this activity from occurring?
Set password aging requirements.
A systems administrator is auditing the company's Active Directory environment. It is quickly noted that the username "company\bsmith" is interactively logged into several desktops across the organization. Which of the following has the systems administrator MOST likely come across?
Shared credentials
An organization's employees currently use three different sets of credentials to access multiple internal resources. Management wants to make this process less complex. Which of the following would be the BEST option to meet this goal?
Single sign-on
Which of the following identity access methods creates a cookie on the first login to a central authority to allow logins to subsequent applications without re-entering credentials?
Single sign-on
Users in a corporation currently authenticate with a username and password. A security administrator wishes to implement two factor authentication to improve security. Which of the following authentication methods should be deployed to achieve this goal?
Smart card
When used together, which of the following qualify as two-factor authentication?
Smart card and PIN
Which of the following authentication concepts is a gait analysis MOST closely associated?
Something you do
An employer requires that employees use a key-generating app on their smartphones to log into corporate applications. In terms of authentication of an individual, this type of access policy is BEST defined as:
Something you have.
Management wishes to add another authentication factor in addition to fingerprints and passwords in order to have three-factor authentication. Which of the following would BEST satisfy this request?
Token fob
A technician needs to implement a system which will properly authenticate users by their username and password only when the users are logging in from a computer in the office building. Any attempt to authenticate from a location other than the office building should be rejected. Which of the following MUST the technician implement?
Transitive authentication
Company XYZ has decided to make use of a cloud-based service that requires mutual, certificate- based authentication with its users. The company uses SSLinspecting IDS at its network boundary and is concerned about the confidentiality of the mutual authentication. Which of the following model prevents the IDS from capturing credentials used to authenticate users to the new service or keys to decrypt that communication?
Use of active directory federation between the company and the cloudbased service
An organization is providing employees on the shop floor with computers that will log their time based on when they sign on and off the network. Which of the following account types should the employees receive?
User account
Which of the following can be provided to an AAA system for the identification phase?
Username
An organization hosts a public-facing website that contains a login page for users who are registered and authorized to access a secure, non-public section of the site. That non-public site hosts information that requires multifactor authentication for access. Which of the following access management approaches would be the BEST practice for the organization?
Username/password with a CAPTCHA
Which of the following would provide additional security by adding another factor to a smart card?
Which of the following would provide additional security by adding another factor to a smart card?
Using a one-time code that has been texted to a smartphone is an example of:
something you have.