MIS 170 CH. 9
Which of the following best describes the proper method and reason to implement port security? A. Apply a security control that ties specific ports to end-device MAC addresses, and prevents additional devices from being connected to the network. B. Apply a security control that ties specific ports to end-device IP addresses, and prevents additional devices from being connected to the network. C. Apply a security control that ties specific ports to end-device MAC addresses, and prevents all devices from being connected to the network. D. Apply a security control that ties specific ports to end-device IP addresses, and prevents all devices from being connected to the network.
A. You can achieve port security by applying a security control (such as 802.1X), which ties specific physical ports to end-device MAC addresses and prevents additional devices from being connected to the network. Note that port security solutions such as 802.1X are data link layer technologies (layer 2) so they deal with MAC addresses, not IP addresses. You wouldn't want to exclude all devices from being connected to the network as this would cause a severe problem with connectivity.
Which of the following are good practices for tracking user identities? (Select the two best answers.) A. Video cameras B. Key card door access systems C. Sign-in sheets D. Security guards
A. and B. Video cameras enable a person to view and visually identify users as they enter and traverse a building. Key card access systems can be configured to identify a person as well, as long as the right person is carrying the key card!
Kerberos uses which of the following? (Select the two best answers.) A. Ticket distribution service B. The Faraday cage C. Port 389 D. Authentication service
A. and D. Kerberos uses a ticket distribution service and an authentication service. This is provided by the Key Distribution Center. A Faraday cage is used to block data emanations. Port 389 is used by LDAP. One of the more common ports that Kerberos uses is port 88.
Which of the following authentication systems makes use of a Key Distribution Center? A. Security tokens B. CHAP C. Kerberos D. Certificates
C. Kerberos uses a KDC (Key Distribution Center) to centralize the distribution of certificate keys and keep a list of revoked keys.
What is the most secure method of authentication and authorization in its default form? A. TACACS B. Kerberos C. RADIUS D. LDAP
B. Kerberos is the most secure method of authentication listed. It has a more complicated system of authentication than TACACS (which is outdated) and RADIUS (which is used in different scenarios than Kerberos). LDAP deals with directories (for example, the ones on a Microsoft domain controller), which Kerberos first needs to give access to.
Which of the following would fall into the category of "something a person is"? A. Passwords B. Passphrases C. Fingerprints D. Smart cards
C. Fingerprints are an example of something a person is. The process of measuring that characteristic is known as biometrics.
Before gaining access to the data center, you must swipe your finger on a device. What type of authentication is this? A. Biometrics B. Single sign-on C. Multifactor D. Tokens
A. Fingerprint technology is part of the realm of biometrics.
Which of the following is an authentication system that uses UDP as the transport mechanism? A. LDAP B. Kerberos C. RADIUS D. TACACS+
C. RADIUS is the authentication system that uses UDP as the transport mechanism.
Which of the following is not a common criteria when authenticating users? A. Something you do B. Something you are C. Something you know D. Something you like
D. Common criteria when authenticating users includes something you do, something you are, something you know, something you have, and somewhere you are. A person's likes and dislikes are not common criteria; although, they may be asked as secondary questions when logging in to a system.
Which of the following results occurs when a biometric system identifies a legitimate user as unauthorized? A. False rejection B. False positive C. False acceptance D. False exception
A. If a biometric system identifies a legitimate user as unauthorized, it is known as a false rejection or a false negative. A false positive is when a system authenticates a user who should not be allowed access. False acceptance is similar to a false positive in biometric systems. False exceptions have to do with software that has failed and needs to be debugged.
Of the following, what two authentication mechanisms require something you physically possess? (Select the two best answers.) A. Smart card B. Certificate C. USB flash drive D. Username and password
A. and C. Two of the authentication mechanisms that require something you physically possess include smart cards and USB flash drives. Key fobs and cardkeys would also be part of this category. Certificates are granted from a server and are stored on a computer as software. The username/password mechanism is a common authentication scheme, but it is something that you type and not something that you physically possess.
What types of technologies are used by external motion detectors? (Select the two best answers.) A. Infrared B. RFID C. Gamma rays D. Ultrasonic
A. and D. Motion detectors often use infrared technology; heat would set them off. They also use ultrasonic technology; sounds in higher spectrums that humans cannot hear would set these detectors off.
You are in charge of training a group of technicians on the authentication method their organization uses. The organization currently runs an Active Directory infrastructure. Which of the following best correlates to the host authentication protocol used within that organization's IT environment? A. TACACS+ B. Kerberos C. LDAP D. 802.1X
B. If the organization runs Active Directory, that means they have a Windows Server that is acting as a domain controller.
What is the main purpose of a physical access log? A. To enable authorized employee access B. To show who exited the facility C. To show who entered the facility D. To prevent unauthorized employee access
C. A physical access log's main purpose is to show who entered the facility and when. Different access control and authentication models will be used to permit or prevent employee access.
1. Which of the following is the verification of a person's identity? A. Authorization B. Accountability C. Authentication D. Password
C. Authentication is the verification of a person's identity. Authorization to specific resources cannot be accomplished without previous authentication of the user.
Which of the following is the final step a user needs to take before that user can access domain resources? A. Verification B. Validation C. Authorization D. Authentication
C. Before a user can gain access to domain resources, the final step is to be authorized to those resources. Previously the user should have provided identification to be authenticated.
Two items are needed before a user can be given access to the network. What are these two items? A. Authentication and authorization B. Authorization and identification C. Identification and authentication D. Password and authentication
C. Before users can be given access to the network, the network needs to identify them and authenticate them. Later, users may be authorized to use particular resources on the network. Part of the authentication scheme may include a username and password. This would be known as an access control method.
Which of the following about authentication is false? A. RADIUS is a client-server system that provides authentication, authorization, and accounting services. B. PAP is insecure because usernames and passwords are sent as clear text. C. MS-CHAPv1 is capable of mutual authentication of the client and server. D. CHAP is more secure than PAP because it encrypts usernames and passwords.
C. MS-CHAPv1 is not capable of mutual authentication of the client and server. Mutual authentication is accomplished with Kerberos. All the other statements are true.
To gain access to your network, users must provide a thumbprint and a username and password. What type of authentication model is this? A. Biometrics B. Domain logon C. Multifactor D. Single sign-on
C. Multifactor authentication means that the user must provide two different types of identification. The thumbprint is an example of biometrics. Username and password are examples of a domain logon. Single sign-on would only be one type of authentication that enables the user access to multiple resources.
The IT director has asked you to set up an authentication model in which users can enter their credentials one time, yet still access multiple server resources. What type of authentication model should you implement? A. Smart card and biometrics B. Three-factor authentication C. SSO D. VPN
C. SSO (single sign-on) enables users to access multiple servers and multiple resources while entering their credentials only once. The type of authentication can vary but will generally be a username and password. Smart cards and biometrics is an example of two-factor authentication. VPN is short for virtual private network.
When attempting to grant access to remote users, which protocol uses separate, multiple-challenge responses for each of the authentication, authorization, and audit processes? A. RADIUS B. TACACS C. TACACS+ D. LDAP
C. TACACS+ is the only answer listed that uses separate processes for authentication, authorization, and auditing. That is one of the main differences between it and RADIUS. TACACS is deprecated and is not often seen in the field. LDAP deals with managing directories of information.
What does a virtual private network use to connect one remote host to another? (Select the best answer.) A. Modem B. Network adapter C. Internet D. Cell phone
C. The Internet is used to connect hosts to each other in virtual private networks. A particular computer will probably also use a VPN adapter and/or a network adapter. Modems generally are used in dial-up connections and are not used in VPNs.
Of the following, which is not a logical method of access control? A. Username/password B. Access control lists C. Biometrics D. Software-based policy
C. The only answer that is not a logical method of access control is biometrics. Biometrics deals with the physical attributes of a person and is the most tangible of the answers. All the rest deal with software, so they are logical methods.
Which of the following is an example of two-factor authentication? A. L2TP and IPsec B. Username and password C. Thumbprint and key card D. Client and server
C. Two-factor authentication (or dual-factor) means that two pieces of identity are needed prior to authentication. A thumbprint and key card would fall into this category. L2TP and IPsec are protocols used to connect through a VPN, which by default require only a username and password. Username and password is considered one-factor authentication. There is no client and server authentication model.
Your data center has highly critical information. Because of this you want to improve upon physical security. The data center already has a video surveillance system. What else can you add to increase physical security? (Select the two best answers.) A. A software-based token system B. Access control lists C. A mantrap D. Biometrics
C. and D. A mantrap is a device made to capture a person. It is usually an area with two doorways, the first of which leads to the outside and locks when the person enters, the second of which leads to the secure area and is locked until the person is granted access. Biometrics can help in the granting of this access by authenticating the user in a secure way, such as thumbprint, retina scan, and so on. Software-based token systems and access control lists are both logical and do not play into physical security.
What are two examples of common single sign-on authentication configurations? (Select the two best answers.) A. Biometrics-based B. Multifactor authentication C. Kerberos-based D. Smart card-based
C. and D. Kerberos and smart card setups are common single sign-on configurations.
Which two options can prevent unauthorized employees from entering a server room? (Select the two best answers.) A. Bollards B. CCTV C. Security guard D. 802.1X E. Proximity reader
C. and E. If a person doesn't have the proper proximity card, that person will be prevented from entering a server room or other protected room. Security guards can also prevent people from accessing unauthorized areas. However, bollards (short vertical posts) probably wouldn't stop a person, besides they aren't normally installed in front of a server room entrance. CCTV video surveillance is a detective control, but not a preventive control. 802.1X deals with authentication, not with physical security.
Your organization provides to its employees badges that are encoded with a private encryption key and specific personal information. The encoding is used to provide access to the organization's network. What type of authentication method is being used? A. Token B. Biometrics C. Kerberos D. Smart card
D. A badge encoded with a private encryption key would be an example of a smart card.
Which authentication method completes the following in order: logon request, encrypts value response, server, challenge, compare encrypts results, and authorize or fail referred to? A. Security tokens B. Certificates C. Kerberos D. CHAP
D. CHAP, the Challenge Handshake Authentication Protocol, authenticates a user or a network host to entities like Internet access providers. CHAP periodically verifies the identity of the client by using a three-way handshake; the verification is based on a shared secret. After a link has been established, the authenticator sends a challenge message to the peer; this does not happen in the other three authentication methods listed.
You are tasked with setting up a wireless network that uses 802.1X for authentication. You set up the wireless network using WPA2 and CCMP; however, you don't want to use a PSK for authentication. Which of the following options would support 802.1X authentication? A. Kerberos B. CAC card C. Preshared key D. RADIUS
D. RADIUS is a common back-end authenticator for 802.1X. When setting up a wireless access point, the two security mode options are usually PSK (preshared key), which is stored on the WAP, and Enterprise, which usually refers authentication to an external RADIUS server. Kerberos deals with authentication to Microsoft domains. CAC cards are smart cards that are used for ID and authentication to systems.
Which of the following is an authentication and accounting service that uses TCP as its transport mechanism when connecting to routers and switches? A. Kerberos B. RADIUS C. Captive portal D. TACACS+
D. TACACS+ is an authentication, accounting, and authorization service.
In a secure environment, which authentication mechanism performs better? A. RADIUS because it is a remote access authentication service. B. RADIUS because it encrypts client-server passwords. C. TACACS+ because it is a remote access authentication service. D. TACACS+ because it encrypts client-server negotiation dialogues.
D. Unlike RADIUS, TACACS+ (Terminal Access Controller Access-Control System Plus) encrypts client-server negotiation dialogues. Both protocols are remote authentication protocols.
Of the following, which best describes the difference between RADIUS and TACACS+? A. RADIUS is a remote access authentication service. B. RADIUS separates authentication, authorization, and auditing capabilities. C. TACACS+ is a remote access authentication service. D. TACACS+ separates authentication, authorization, and auditing capabilities.
D. Unlike RADIUS, TACACS+ separates authentication, authorization, and auditing capabilities. The other three answers are incorrect and are not differences between RADIUS and TACACS+.