14.4.11 Practice Questions
Which of the following authentication combinations is an example of multi-factor authentication?
> PIN and authentication app Explanation: Multi-factor authentication means that at least two different categories of authentication are used. Of these options, having the user enter a PIN (something you know) and a code from an authentication app on their enrolled phone (something you have) is the only example of multi-factor authentication. Fingerprints and retinal scans both fall under something you are. Usernames and passwords both fall under something you know. Smart cards and one-time codes both fall under something you have. Two methods from the same category, such as a password plus a PIN, add a second step but not a second factor.
You are working as a junior network technician at the local hospital. The security administrator has just finished rolling out a new security policy that requires users to log in to workstations using a fingerprint scanner. Which authentication category does this fall under?
> Something you are Explanation: Biometrics (fingerprint scanner) fall under the something you are authentication category. Something you have requires a user to have a physical device to authenticate. Something you know requires a user to demonstrate something that only they should know (username and password) to authenticate. A soft token is not an authentication category. A soft token is any digital key that is used to authenticate a user.
Which of the following is an example of a soft token?
> Authentication app Explanation: A soft token is any digital authentication key that is used to authenticate a user. Of these options, only the authentication app is a soft token, since an authentication app is a digital app on a phone or tablet. All the other options are examples of hard tokens, which are hardware devices that authenticate users.
Which of the following does Windows use to manage and enforce what a user is authorized to access?
> Access control list Explanation: Access control lists (ACLs) are used to manage and enforce what a user is authorized to access. In Windows, every securable object (file, folder, registry key, share, and so on) carries a discretionary ACL made up of access control entries that allow or deny specific rights to a user or group. A soft token is any digital authentication key used to authenticate a user. A soft token is not used to manage and enforce what a user is authorized to access. Certificate Manager is a Windows application for managing digital certificates. It is not used to manage and enforce what a user is authorized to access. Multi-factor authentication means that at least two authentication categories are used to authenticate a user. Multi-factor authentication is not used to manage and enforce what a user is authorized to access.
Which of the following processes is used to prove a user's identity?
> Authentication Explanation: Authentication is the process by which users provide credentials to prove their identity. Authorization defines what a user is able to access once he or she is authenticated. Certificate Manager is a Windows application for managing digital certificates. It is not used to prove a user's identity. Logical security refers to the security measures that are implemented through the operating system and software. Logical security is not used to prove a user's identity.
Which of the following statements is true regarding hard tokens?
> Hard tokens provide a higher level of security. Explanation: Hard tokens provide a higher level of security than soft tokens because the secret is held in a dedicated physical device rather than in software on a phone or computer that could be copied or compromised. However, if the token is lost or stolen, the security breach can be quite severe, so a lost token must be revoked promptly. Implementing hard tokens is also expensive and time-consuming, so they are generally reserved for highly sensitive data.
Your company has recently implemented a BYOD policy. To protect the network, users must install an app on their devices that allows the security administrator to enforce the security policies. Which of the following is this an example of?
> Mobile device management Explanation: This is an example of mobile device management (MDM). MDM software is used by administrators to secure mobile devices and to enforce enterprise policies on the devices. MDM software is often used alongside a bring your own device (BYOD) policy and is typically deployed as an on-device application or agent that communicates with a backend server. The agent receives policies and settings from the server to configure and control the mobile device. A soft token is any digital authentication key that is used to authenticate a user. A soft token is not used to enforce security policies. Certificate Manager is a Windows application for managing digital certificates. It is not used to enforce security policies. Access control lists (ACLs) are used to manage and enforce what a user is authorized to access. An ACL does not require an app to be installed on devices.
You have been hired to assess a client's security. During your testing, you discover that users have access to other departments' files. Which of the following should you recommend that the company implement?
> Principle of least privilege Explanation: The principle of least privilege states that a user should be given access to only the resources needed to perform their job. In this scenario, users have access to more than what they need. The company should apply the principle of least privilege so that each user can reach only their own department's files. Certificate Manager is a Windows application for managing digital certificates. This would not affect the resources that users have access to. Bring Your Own Device is a policy that allows employees to use their own computers and mobile devices for work purposes. This would not affect the resources that users have access to. Mobile device management (MDM) generally describes the policies and procedures used by an organization to maintain security and permissions on mobile devices. This would not affect the resources that users have access to.
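The ACL question and the least-privilege question above are two sides of the same mechanism: the ACL is where authorization is recorded, and least privilege is the policy for what it should contain. The example below is added here and is not part of the original course material. It is a simplified model, not the Windows API, of how a discretionary ACL is evaluated (entries are walked in order, a matching deny entry refuses access before any later allow can grant it, allow entries accumulate until every requested right is covered), followed by an audit that finds the "users can read another department's share" finding from the scenario and a remediation that removes the broad allow entries. The share names, group names, users and rights bitmask are constructed for illustration.

```python
# Added example (not from the original course page): a simplified model of
# Windows DACL evaluation plus a least-privilege audit and fix. Share paths,
# groups, users and the rights bitmask are constructed for illustration.
from dataclasses import dataclass

READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL = READ | WRITE | DELETE


@dataclass(frozen=True)
class ACE:
    trustee: str        # user or group name, standing in for a SID
    rights: int         # bitmask of the rights above
    deny: bool = False  # True = access-denied entry


@dataclass(frozen=True)
class Token:
    """Result of authentication: who the caller is and which groups they hold."""
    user: str
    groups: frozenset

    def sids(self) -> set:
        return {self.user, "Everyone", *self.groups}


def access_check(dacl, token, requested):
    """Authorization decision. Walk ACEs in order; a deny ACE that covers any
    right not yet granted refuses access; allow ACEs accumulate rights until
    everything requested is granted. An empty DACL grants nothing."""
    remaining = requested
    sids = token.sids()
    for ace in dacl:
        if ace.trustee not in sids:
            continue
        if ace.deny:
            if ace.rights & remaining:
                return False
        else:
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return remaining == 0


# Constructed state found during the assessment: HR's share is readable by
# every domain user, which is the over-exposure the scenario describes.
SHARES = {
    r"\\FS01\HR": ("HR", [ACE("Contractors", FULL, deny=True),
                          ACE("Domain Users", READ),
                          ACE("HR", FULL)]),
    r"\\FS01\Finance": ("Finance", [ACE("Finance", FULL)]),
}
USERS = [
    Token("alice", frozenset({"Domain Users", "Finance"})),
    Token("bob", frozenset({"Domain Users", "HR"})),
    Token("carol", frozenset({"Domain Users", "HR", "Contractors"})),
]


def overexposed(shares, users, right=READ):
    """(user, share) pairs where a user outside the owning department has `right`."""
    findings = []
    for share, (dept, dacl) in shares.items():
        for token in users:
            if dept not in token.groups and access_check(dacl, token, right):
                findings.append((token.user, share))
    return sorted(findings)


BROAD_GROUPS = {"Everyone", "Domain Users", "Authenticated Users"}


def least_privilege(dacl):
    """Drop allow ACEs granted to broad groups; keep denies and department allows."""
    return [ace for ace in dacl if ace.deny or ace.trustee not in BROAD_GROUPS]


def remediated(shares):
    return {s: (dept, least_privilege(dacl)) for s, (dept, dacl) in shares.items()}
```

Note the ordering rule: carol is in HR, which has full control, but she is also a contractor and the deny entry comes first, so she is refused even after remediation. On a real system the fix is the same shape: remove the allow entries for the broad groups from the share's DACL and leave the department group as the only grant, then re-run the audit rather than assuming the change took effect.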
Which authentication category does a username and password fall under?
> Something you know Explanation: A username and password falls under the something you know authentication category. A soft token is not an authentication category. A soft token is any digital key that is used to authenticate a user.
Which of the following BEST describes authorization?
> The resources that a user can access. Explanation: Authorization defines which resources a user is able to access once he or she is authenticated. Authentication is the process of verifying a user's identity. The principle of least privilege is the process of giving users access to only the resources they need. A Bring Your Own Device (BYOD) policy allows employees to use their own devices for work purposes.