Security+ Mod 6 Review Questions
Which of the following are good practices for tracking user identities? (Select the two best answers.) a)Video cameras b)Key card door access systems c)Sign-in sheets d)Security guards
Answer: A and B. Explanation: Video cameras enable a person to view and visually identify users as they enter and traverse a building. Key card access systems can be configured to identify a person as well, as long as the right person is carrying the key card!
Of the following, what two authentication mechanisms require something you physically possess? (Select the two best answers.) a)Smart card b)Certificate c)USB flash drive d)Username and password
Answer: A and C. Explanation: Two of the authentication mechanisms that require something you physically possess include smart cards and USB flash drives. Key fobs and cardkeys would also be part of this category. Certificates are granted from a server and are stored on a computer as software. The username/password mechanism is a common authentication scheme, but it is something that you type and not something that you physically possess.
Kerberos uses which of the following? (Select the two best answers.) a)Ticket distribution service b)The Faraday cage c)Port 389 d)Authentication service
Answer: A and D. Explanation: Kerberos uses a ticket distribution service and an authentication service. This is provided by the Key Distribution Center. A Faraday cage is used to block data emanations. Port 389 is used by LDAP. One of the more common ports that Kerberos uses is port 88.
What types of technologies are used by external motion detectors? (Select the two best answers.) a)Infrared b)RFID c)Gamma rays d)Ultrasonic
Answer: A and D. Explanation: Motion detectors often use infrared technology; heat would set them off. They also use ultrasonic technology; sounds in higher spectrums that humans cannot hear would set these detectors off.
What would you use to control the traffic that is allowed in or out of a network? (Select the best answer.) a)Access control lists b)Firewall c)Address Resolution Protocol d)Discretionary access control
Answer: A. Explanation: Access control lists can be used to control the traffic that is allowed in or out of a network. They are usually included as part of a firewall, and they are the better answer because they specifically will control the traffic. Address Resolution Protocol (ARP) resolves IP addresses to MAC addresses. In the discretionary access control model, the owner controls permissions of resources.
Which of the following is the most common authentication model? a)Username and password b)Biometrics c)Key cards d)Tokens
Answer: A. Explanation: By far the username and password combination is the most common authentication model. Although biometrics, key cards, and tokens are also used, the username/password is still the most common.
Before gaining access to the data center, you must swipe your finger on a device. What type of authentication is this? a)Biometrics b)Single sign-on c)Multifactor d)Tokens
Answer: A. Explanation: Fingerprint technology is part of the realm of biometrics. Single sign-on means that you can use one type of authentication to get access to more than one system. While that could be going on in this scenario, it is not explicit, so biometrics is the more accurate answer. Multifactor means that more than one type of authentication is needed; for example, a fingerprint and a PIN. Let's say that users were expected to type a PIN into a keypad to gain access to the data center. You might find over time that some persons who enter don't match the owner of the PIN. That uncertainty can be avoided by incorporating biometrics. Tokens are used to gain access to systems and networks, and might include rolling one-time passwords, but do not incorporate a person's physical characteristics such as a fingerprint.
Which of the following results occurs when a biometric system identifies a legitimate user as unauthorized? a)False rejection b)FAR c)False acceptance d)CER d)False exception
Answer: A. Explanation: If a biometric system identifies a legitimate user as unauthorized, and denies that user access, it is known as a false rejection. False acceptance on the other hand is when a biometric system authorizes an illegitimate user. FAR is the false acceptance rate—the lower the better. CER stands for crossover error rate, which is the comparison of the FAR and the FRR. False exceptions have to do with software that has failed and needs to be debugged.
In a discretionary access control model, who is in charge of setting permissions to a resource? a)The owner of the resource b)The administrator c)Any user of the computer d)The administrator and the owner
Answer: A. Explanation: In the discretionary access control (DAC) model, the owner of the resource is in charge of setting permissions. In a mandatory access control model, the administrator is in charge.
When using the mandatory access control model, what component is needed? a)Labels b)Certificates c)Tokens d)RBAC
Answer: A. Explanation: Labels are required in the mandatory access control (MAC) model.
Your organization has enacted a policy where employees are required to create passwords with at least 15 characters. What type of policy does this define? a)Password length b)Password expiration c)Minimum password age d)Password complexity
Answer: A. Explanation: Password length is the policy that deals with how many characters are in a password. Password expiration and minimum (and maximum) password age define how long a password will be valid. Password complexity defines whether the password should have uppercase letters, numbers, and special characters.
In an environment where administrators, the accounting department, and the marketing department all have different levels of access, which of the following access control models is being used? a)Role-based access control (RBAC) b)Mandatory access control (MAC) c)Discretionary access control (DAC) d)Rule-based access control (RBAC)
Answer: A. Explanation: Role-based access control is when different groups or roles are assigned different levels of permissions; rights and permissions are based on job function. (Note: Attribute-based access control [ABAC] is similar to RBAC, but uses Boolean logic such as IF-THEN statements.) In the mandatory access control model, an administrator centrally controls permissions. In the discretionary access control model, the owner of the user sets permissions. In the rule-based access control model, rules are defined by the administrator and are stored in an ACL.
Which of the following access control methods uses rules to govern whether object access will be allowed? (Select the best answer.) a)Rule-based access control b)Role-based access control c)Discretionary access control d)Mandatory access control e)Attribute-based access control
Answer: A. Explanation: Rule-based access control uses rules to govern whether an object can be accessed. It is a type of mandatory access control (MAC).
A company has a high attrition rate. What should you ask the network administrator to do first? (Select the best answer.) a)Review user permissions and access control lists. b)Review group policies. c)Review Performance logs. d)Review the Application log.
Answer: A. Explanation: The first thing administrators should do when they notice that the company has a high attrition rate (high turnover of employees) is to conduct a thorough review of user permissions, rights, and access control lists. A review of group policies might also be necessary but is not as imperative. Performance logs and the Application log will probably not pertain to the fact that the company has a lot of employees being hired and leaving the company.
Which of these is a security component of Windows? a)UAC b)UPS c)Gadgets d)Control Panel
Answer: A. Explanation: User Account Control (UAC) adds a layer of security to Windows that protects against malware and user error and conserves resources. It enforces a type of separation of duties.
Which of the following best describes the proper method and reason to implement port security? a)Apply a security control that ties specific ports to end-device MAC addresses, and prevents additional devices from being connected to the network. b)Apply a security control that ties specific ports to end-device IP addresses, and prevents additional devices from being connected to the network. c)Apply a security control that ties specific ports to end-device MAC addresses, and prevents all devices from being connected to the network. d)Apply a security control that ties specific ports to end-device IP addresses, and prevents all devices from being connected to the network.
Answer: A. Explanation: You can achieve port security by applying a security control (such as 802.1X), which ties specific physical ports to end-device MAC addresses and prevents additional devices from being connected to the network. Note that port security solutions such as 802.1X are data link layer technologies (layer 2) so they deal with MAC addresses, not IP addresses. You wouldn't want to exclude all devices from being connected to the network as this would cause a severe problem with connectivity.
Robert needs to access a resource. In the DAC model, what is used to identify him or other users? a)Roles b)ACLs c)MAC d)Rules
Answer: B. Explanation: Access control lists (ACLs) are used in the discretionary access control model. This is different from role-based, rule-based, and MAC (mandatory access control) models.
You are in charge of training a group of technicians on the authentication method their organization uses. The organization currently runs an Active Directory infrastructure. Which of the following best correlates to the host authentication protocol used within that organization's IT environment? a)TACACS+ b)Kerberos c)LDAP d)802.1x
Answer: B. Explanation: If the organization runs Active Directory, that means it has a Windows Server that is acting as a domain controller. These use the Kerberos authentication system by default. TACACS+ is an example of a remote authentication system, but is owned by Cisco, and is not a part of Active Directory. LDAP is the protocol in Windows that controls Active Directory objects, and works in conjunction with Kerberos, but is not the actual authentication method used. 802.1X is an authentication method used by network adapters on the data link layer.
In the DAC model, how are permissions identified? a)Role membership. b)Access control lists. c)They are predefined. d)It is automatic.
Answer: B. Explanation: In the discretionary access control (DAC) model, permissions to files are identified by access control lists (ACLs). Role membership is used in RBAC. The mandatory access control model predefines permissions. Either way, it is not identified automatically.
What is the most secure method of authentication and authorization in its default form? a)TACACS b)Kerberos c)RADIUS d)LDAP
Answer: B. Explanation: Kerberos is the most secure method of authentication listed. It has a more complicated system of authentication than TACACS (which is outdated) and RADIUS (which is used in different scenarios than Kerberos). LDAP deals with directories (for example, the ones on a Microsoft domain controller), which Kerberos first needs to give access to.
A security administrator implements access controls based on the security classification of the data and need-to-know information. Which of the following would best describe this level of access control? a)Least privilege b)Mandatory access control c)Role-based access control d)Implicit deny
Answer: B. Explanation: When you are dealing with access controls based on the classification of data and need-to-know information, you are most likely working with a mandatory access control (MAC) system. Least privilege means the lowest amount of permissions possible. This differs from need-to-know in that a user configured as need-to-know might need to have access to a lot of data, and actually require a good deal of permissions. Role-based access control (RBAC), like MAC, is controlled by the system, but it works with sets of permissions based on user roles. Implicit deny means that unless otherwise configured, all access to data is denied.
Your data center has highly critical information. Because of this you want to improve upon physical security. The data center already has a video surveillance system. What else can you add to increase physical security? (Select the two best answers.) a)A software-based token system b)Access control lists c)A mantrap d)Biometrics
Answer: C and D. Explanation: A mantrap is a device made to capture a person. It is usually an area with two doorways, the first of which leads to the outside and locks when the person enters, the second of which leads to the secure area and is locked until the person is granted access. Biometrics can help in the granting of this access by authenticating the user in a secure way, such as thumbprint, retina scan, and so on. Software-based token systems and access control lists are both logical and do not play into physical security.
What are two examples of common single sign-on authentication configurations? (Select the two best answers.) a)Biometrics-based b)Multifactor authentication c)Kerberos-based d)Smart card-based
Answer: C and D. Explanation: Kerberos and smart card setups are common single sign-on configurations.
Which two options can prevent unauthorized employees from entering a server room? (Select the two best answers.) a)Bollards b)CCTV c)Security guard d)802.1x e)Proximity reader
Answer: C and E. Explanation: If a person doesn't have the proper proximity card, that person will be prevented from entering a server room or other protected room. Security guards can also prevent people from accessing unauthorized areas. However, bollards (short vertical posts) probably wouldn't stop a person, besides they aren't normally installed in front of a server room entrance. A barricade might stop a person, but again, would be out of place! CCTV video surveillance is a detective control, but not a preventive control. 802.1X deals with authentication, not with physical security.
What is the main purpose of a physical access log? a)To enable authorized employee access b)To show who exited the facility c)To prevent unauthorized employee access
Answer: C. Explanation: A physical access log's main purpose is to show who entered the facility and when. Different access control and authentication models will be used to permit or prevent employee access.
Which of the following is the verification of a person's identity? a)Authorization b)Accountability c)Authentication d)Password
Answer: C. Explanation: Authentication is the verification of a person's identity. Authorization to specific resources cannot be accomplished without previous authentication of the user.
Which of the following is the final step a user needs to take before that user can access domain resources? a)Verification b)Validation c)Authorization d)Authentication
Answer: C. Explanation: Before a user can gain access to domain resources, the final step is to be authorized to those resources. Previously the user should have provided identification to be authenticated.
Two items are needed before a user can be given access to the network. What are these two items? a)Authentication and authorization b)Authorization and identification c)Identification and authentication d)Password and authentication
Answer: C. Explanation: Before users can be given access to the network, the network needs to identify them and authenticate them. Later, users may be authorized to use particular resources on the network. Part of the authentication scheme may include a username and password. This would be known as an access control method.
Jason needs to add several users to a group. Which of the following will help him to get the job done faster? a)Propagation b)Inheritance c)Template d)Access control lists
Answer: C. Explanation: By using a template, you can add many users to a group at once simply by applying the template to the users. Propagation and inheritance deal with how permissions are exchanged between parent folders and subfolders. Access control lists show who was allowed access to a particular resource.
You want to mitigate the possibility of privilege creep among your long-term users. What procedure should you employ? a)Mandatory vacations b)Job rotation c)User permission reviews d)Separation of duties
Answer: C. Explanation: Conduct user permission reviews to ensure that long-term users are getting the proper permissions to data. Privilege creep is when, over time, additional permissions are given to a particular user because that user needs to access certain files on a temporary basis. Mandatory vacations are enforced on many personnel to ensure that there is no kind of fraud or other illegitimate activity going on. Job rotation is implemented so that multiple people can perform the same job, in the case that one person is not available. Separation of duties is when a group of users will each perform an individual task, which collectively forms the entire job.
What key combination helps to secure the logon process? a)Windows+R b)Ctrl+Shift+Esc c)Ctrl+Alt+Del d)Alt+F4
Answer: C. Explanation: Ctrl+Alt+Del is the key combination used to help secure the logon process. It can be added by configuring the Local Security policy.
Which of the following would fall into the category of "something a person is"? a)Passwords b)Passphrases c)Fingerprints d)Smart cards
Answer: C. Explanation: Fingerprints are an example of something a person is. The process of measuring that characteristic is known as biometrics.
Which of the following authentication systems makes use of a Key Distribution Center? a)Security tokens b)CHAP c)Kerberos d)Certificates
Answer: C. Explanation: Kerberos uses a KDC (key distribution center) to centralize the distribution of certificate keys and keep a list of revoked keys.
Which of the following about authentication is false? a)RADIUS is a client-server system that provides authentication, authorization, and accounting services. b)PAP is insecure because usernames and passwords are sent as clear text. c)MS-CHAPv2 is not capable of mutual authentication of the client and server. d)CHAP is more secure than PAP because it encrypts usernames and passwords.
Answer: C. Explanation: MS-CHAPv2 is capable of mutual authentication of the client and server. However, MS-CHAPv1 is not. That's why it is important to use MS-CHAPv2. Mutual authentication is accomplished with Kerberos. All the other statements are true.
To gain access to your network, users must provide a thumbprint and a username and password. What type of authentication model is this? a)Biometrics b)Domain logon c)Multifactor d)Single sign-on
Answer: C. Explanation: Multifactor authentication means that the user must provide two different types of identification. The thumbprint is an example of biometrics. Username and password are examples of a domain logon. Single sign-on would only be one type of authentication that enables the user access to multiple resources.
Which port number does the protocol LDAP use when it is secured? a)389 b)443 c)636 d)3389
Answer: C. Explanation: Port 636 is the port used to secure LDAP (called LDAPS). Port 389 is the standard LDAP port number. Port 443 is used by HTTPS (SSL/TLS), and port 3389 is used by RDP.
Which of the following methods could identify when an unauthorized access has occurred? a)Two-factor authentication b)Session termination c)Previous logon notification d)Session lock
Answer: C. Explanation: Previous logon notification can identify whether unauthorized access has occurred. Two-factor authentication means that person will supply two forms of identification before being authenticated to a network or system. Session termination is a mechanism that can be implemented to end an unauthorized access. Session lock mechanisms can be employed to lock a particular user or IP address out of the system.
Which of the following is an authentication system that uses UDP as the transport mechanism? a)LDAP b)Kerberos c)RADIUS d)TACACS+
Answer: C. Explanation: RADIUS is the authentication system that uses UDP as the transport mechanism. The others all use TCP. Remember, RADIUS uses ports 1812 and 1813 (or 1645 and 1646), LDAP uses 389 (or 636 for secure LDAP), Kerberos uses port 88, and TACACS+ uses port 49.
The IT director has asked you to set up an authentication model in which users can enter their credentials one time, yet still access multiple server resources. What type of authentication model should you implement? a)Smart card and biometrics b)Three-factor authentication c)SSO d)VPN
Answer: C. Explanation: SSO (single sign-on) enables users to access multiple servers and multiple resources while entering their credentials only once. The type of authentication can vary but will generally be a username and password. Smart cards and biometrics is an example of two-factor authentication. VPN is short for virtual private network.
When attempting to grant access to remote users, which protocol uses separate, multiple-challenge responses for each of the authentication, authorization, and audit processes? a)RADIUS b)TACACS c)TACACS+ d)LDAP
Answer: C. Explanation: TACACS+ is the only answer listed that uses separate processes for authentication, authorization, and auditing. That is one of the main differences between it and RADIUS. TACACS is deprecated and is not often seen in the field. LDAP deals with managing directories of information.
What does a virtual private network use to connect one remote host to another? (Select the best answer.) a)Modem b)Network adapter c)Internet d)Cell phone
Answer: C. Explanation: The Internet is used to connect hosts to each other in virtual private networks. A particular computer will probably also use a VPN adapter and/or a network adapter. Modems generally are used in dial-up connections and are not used in VPNs.
Which of the following is the strongest password? a)|ocrian# b)Marqu1sD3S0d c)This1sV#ryS3cure d)Thisisverysecure
Answer: C. Explanation: The answer This1sV#ryS3cure incorporates case-sensitive letters, numbers, and special characters and is 16 characters long. The other answers do not have the complexity of This1sV#ryS3cure.
You are consulting for a small organization that relies on employees who work from home and on the road. An attacker has compromised the network by denying remote access to the company using a script. Which of the following security controls did the attacker exploit? a)Password complexity b)DoS c)Account lockout d)Password length
Answer: C. Explanation: The attacker most likely exploited the account lockout policy, a security control originally implemented by the organization. The script modified the policy and caused all of the users to be locked out when they attempted to log in. Password complexity is the level of intricacy of a password; it usually entails using uppercase letters, numerals, and special characters, and is defined by a policy, just as the account lockout threshold is. DoS stands for denial-of-service, an attack that floods a network device (or server) with so much data that the device cannot perform its duties. Password length is the number of characters in a password, also definable by policy.
Of the following, which is not a logical method of access control? a)Username/password b)Access control lists c)Biometrics d)Software-based policy
Answer: C. Explanation: The only answer that is not a logical method of access control is biometrics. Biometrics deals with the physical attributes of a person and is the most tangible of the answers. All the rest deal with software, so they are logical methods.
Users are required to change their passwords every 30 days. Which policy should be configured? a)Password length b)Password recovery c)Password expiration d)Account lockout
Answer: C. Explanation: The password expiration policy should be configured. For example, in Windows, the maximum password age policy should be set to 30 days. Password length deals with how many characters are in the password. Password recovery defines how (and if) a user can get back his password or create a new one. Account lockout policies dictate how many times the user has to type a password incorrectly to be locked out of the system, and for how long the user will remain locked out.
Which of the following is an example of two-factor authentication? a)L2TP and IPsec b)Username and password c)Thumbprint and key card d)Client and server
Answer: C. Explanation: Two-factor authentication (or dual-factor) means that two pieces of identity are needed prior to authentication. A thumbprint and key card would fall into this category. L2TP and IPsec are protocols used to connect through a VPN, which by default require only a username and password. Username and password is considered one-factor authentication. There is no client and server authentication model.
In an attempt to detect fraud and defend against it, your company cross-trains people in each department. What is this an example of? a)Separation of duties b)Chain of custody c)Job rotation d)Least privilege
Answer: C. Explanation: When a company cross-trains people, it is known as job rotation. Separation of duties is in a way the opposite; this is when multiple people are needed to complete a single task. Chain of custody has to do with the legal paper trail of a particular occurrence. Least privilege is a mitigation technique to defend against privilege escalation attacks.
Which of the following permits or denies access to resources through the use of ports? a)Hub b)802.11n c)802.11x d)802.1x
Answer: D. Explanation: 802.1X permits or denies access to resources through the use of ports. It implements Port-based Network Access Control (PNAC). This is part of the 802.1 group of IEEE protocols. 802.1X should not be confused with 802.11x, which is an informal term used to denote any of the 802.11 standards including 802.11b, 802.11g, 802.11n, and 802.11ac. A hub connects computers by way of physical ports but does not permit or deny access to any particular resources; it is a simple physical connector of computers.
Your organization provides employee badges that are encoded with a private encryption key and specific personal information. The encoding is used to provide access to the organization's network. What type of authentication method is being used? a)Token b)Biometrics c)Kerberos d)Smart card
Answer: D. Explanation: A badge encoded with a private encryption key would be an example of a smart card. Tokens are software-based and could be used with a USB flash drive or could be stored on a mobile device. An example of biometrics is a thumbprint scan or retina scan. Kerberos is an authentication technology used by operating systems such as Windows (often in domain scenarios).
You administer a bulletin board system for a rock and roll band. While reviewing logs for the board, you see one particular IP address posting spam multiple times per day. What is the best way to prevent this type of problem? a)Block the IP address of the user. b)Ban the user. c)Disable ActiveX. d)Implement CAPTCHA
Answer: D. Explanation: By implementing CAPTCHA, another level of security is added that users have to complete before they can register to and/or post to a bulletin board. Although banning a user or the user's IP address can help to eliminate that particular person from spamming the site, the best way is to add another level of security, such as CAPTCHA. This applies to all persons who attempt to attack the bulletin board.
Which security measure should be included when implementing access control? a)Disabling SSID broadcast b)Time-of-day restrictions c)Changing default passwords d)Password complexity requirements
Answer: D. Explanation: By implementing password complexity requirements, users will be forced to select and enter complex passwords—for example, eight characters or more, uppercase characters, special characters, and more. Disabling the SSID deals with wireless networks, time-of-day restrictions are applied only after persons log in with their username and password, and changing default passwords should be part of a password policy.
Which authentication method completes the following in order: logon request, encrypts value response, server, challenge, compare encrypted results, and authorize or fail referred to? a)Security tokens b)Certificates c)Kerberos d)CHAP
Answer: D. Explanation: CHAP, the Challenge Handshake Authentication Protocol, authenticates a user or a network host to entities like Internet access providers. CHAP periodically verifies the identity of the client by using a three-way handshake; the verification is based on a shared secret. After a link has been established, the authenticator sends a challenge message to the peer; this does not happen in the other three authentication methods listed.
Which of the following is not a common criteria when authenticating users? a)Something you do b)Something you are c)Something you know d)Something you like
Answer: D. Explanation: Common criteria when authenticating users include something you do, something you are, something you know, something you have, and somewhere you are. A person's likes and dislikes are not common criteria; although, they may be asked as secondary questions when logging in to a system.
Which of the following access control models would be found in a firewall? a)Mandatory access control b)Discretionary access control c)Role-based access control d)Rule-based access control
Answer: D. Explanation: Firewalls are most often considered to be based off of the rule-based access control model. This is because you indeed create rules (ACLs) that govern how data is transmitted through the firewall.
Which password management system best provides for a system with a large number of users? a)Locally saved passwords management system b)Synchronized passwords management system c)Multiple access methods management system d)Self-service password reset management system
Answer: D. Explanation: If a network has a large number of users, the administrator should set up a system, and policies to enforce the system, that will allow for users to reset their own passwords. The passwords should be stored centrally, not locally. Also, it would be best if single sign-on were implemented and not a multiple access method.
What is a definition of implicit deny? a)Everything is denied by default. b)All traffic from one network to another is denied. c)ACLs are used to secure the firewall. d)Resources that are not given access are denied by default.
Answer: D. Explanation: If a resource is not given specific access, it will be implicitly denied by default. Access control lists are used to permit or deny access from one network to another and are often implemented on a firewall.
Which of the following statements regarding the MAC model is true? a)Mandatory access control is a dynamic model. b)Mandatory access control enables an owner to establish access privileges to a resource. c)Mandatory access control is not restrictive. d)Mandatory access control users cannot share resources dynamically.
Answer: D. Explanation: In the MAC (mandatory access control) model, users cannot share resources dynamically. MAC is not a dynamic model; it is a static model. Owners cannot establish access privileges to a resource; this would be done by the administrator. MAC is indeed very restrictive, as restrictive as the administrator wants it to be.
Your company has 1000 users. Which of the following password management systems will work best for your company? a)Multiple access methods b)Synchronize passwords c)Historical passwords d)Self-service password resetting
Answer: D. Explanation: It would be difficult for administrators to deal with thousands of users' passwords; therefore, the best management system for a company with 1000 users would be self-service password resetting.
You are tasked with setting up a wireless network that uses 802.1X for authentication. You set up the wireless network using WPA2 and CCMP; however, you don't want to use a PSK for authentication. Which of the following options would support 802.1X authentication? a)Kerberos b)CAC card c)Pre-shared key d)RADIUS
Answer: D. Explanation: RADIUS is a common back-end authenticator for 802.1X. When setting up a wireless access point, the two security mode options are usually PSK (pre-shared key), which is stored on the WAP, and Enterprise, which usually refers authentication to an external RADIUS server. Kerberos deals with authentication to Microsoft domains. CAC cards are smart cards that are used for ID and authentication to systems.
Which of the following is an authentication and accounting service that uses TCP as its transport mechanism when connecting to routers and switches? a)Kerberos b)RADIUS c)Captive portal d)TACACS+
Answer: D. Explanation: TACACS+ is an authentication, accounting, and authorization service. It uses TCP as its transport mechanism. Kerberos authenticates only, and can use TCP and UDP. RADIUS performs authentication and accounting but uses UDP as the transport mechanism. A captive portal redirects people in an effort to authenticate them. It will often do this within a web browser, and might use TCP (HTTPS), but does not perform accounting services.
Of the following access control models, which uses object labels? (Select the best answer.) a)Discretionary access control b)Role-based access control c)Rule-based access control d)Mandatory access control e)Attribute-based access control
Answer: D. Explanation: The mandatory access control (MAC) model uses object and subject labels. DAC (discretionary access control), RBAC (role-based access control), and ABAC (attribute-based access control) do not. Rule-based access control is a portion of MAC, and although it might use labels, MAC is the best answer.
How are permissions defined in the mandatory access control model? a)Access control lists b)User roles c)Defined by the user d)Predefined access privileges
Answer: D. Explanation: The mandatory access control model uses predefined access privileges to define which users have permission to resources.
Which of the following would lower the level of password security? a)After a set number of failed attempts, the server will lock the user out, forcing her to call the administrator to re-enable her account. b)Passwords must be greater than eight characters and contain at least one special character. c)All passwords are set to expire after 30 days. d)Complex passwords that users cannot change are randomly generated by the administrator.
Answer: D. Explanation: To have a secure password scheme, passwords should be changed by the user. They should not be generated by the administrator. If an administrator were to generate the password for the user, it would have to be submitted in written (and unencrypted) form in some way to the user. This creates a security issue, especially if the user does not memorize the password and instead leaves a written version of it lying around. All the other answers would increase the level of password security.
In a secure environment, which authentication mechanism performs better? a)RADIUS because it is a remote access authentication service. b)RADIUS because it encrypts client-server passwords. c)TACACS+ because it is a remote access authentication service. d)TACACS+ because it encrypts client-server negotiation dialogues.
Answer: D. Explanation: Unlike RADIUS, TACACS+ (Terminal Access Controller Access-Control System Plus) encrypts client-server negotiation dialogues. Both protocols are remote authentication protocols.
Of the following, which best describes the difference between RADIUS and TACACS+? a)RADIUS is a remote access authentication service. b)RADIUS separates authentication, authorization, and auditing capabilities. c)TACACS+ is a remote access authentication service. d)TACACS+ separates authentication, authorization, and auditing capabilities.
Answer: D. Explanation: Unlike RADIUS, TACACS+ separates authentication, authorization, and auditing capabilities. The other three answers are incorrect and are not differences between RADIUS and TACACS+.