6.1.8 Practice Questions, 6.5.15 Practice Questions, 6.2.8 Section Quiz, 6.3.5 Section Quiz, 6.4.9 Section Quiz, 6.6.13 Practice Questions, 7.5.11, 7.4.10, 7.3.6, 7.2.6, 7.1.14, 6.9.5, 6.8.6, 6.7.13, 6.10.9
You have downloaded a file from the internet. You generate a hash and check it against the original file's hash to ensure the file has not been changed. Which information security goal is this an example of?
Integrity
To obtain a digital certificate and participate in a public key infrastructure (PKI), what must be submitted and where?
Identifying data and a certification request to the registration authority (RA)
You want to protect data on hard drives for users with laptops. You want the drive to be encrypted, and you want to prevent the laptops from booting unless a special USB drive is inserted. In addition, the system should not boot if a change is detected in any of the boot files. What should you do?
Implement BitLocker without a TPM
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You need to make the change as easily as possible. Which of the following actions should you take?
Implement a granular password policy for the users in the Directors OU. Use granular password policies to force different password policy requirements for different users. Password and account lockout policies are enforced only in GPOs linked to the domain, not to individual OUs. Prior to Windows Server 2008, the only way to configure different password policies was to create a different domain.
What is the process of adding random characters at the beginning or end of a password to generate a completely different hash called?
Salting
Which type of group can be used for controlling access to objects?
Security. Only security groups can be used for controlling access to objects. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). Distribution groups cannot be used for controlling access to objects. Authorization is the process of controlling access to resources such as computers, files, or printers.
Lori Redford, who has been a member of the Project Management group, was recently promoted to manager of the team. She has been added as a member of the Managers group. Several days after being promoted, Lori needs to have performance reviews with the team she manages. However, she cannot access the performance management system. As a member of the Managers group, she should have the Allow permission to access this system. What is MOST likely preventing her from accessing this system?
She is still a member of the Project Management group, which has been denied permission to this system. Deny permissions always override Allow permissions. The most likely cause of this problem is that Lori is still a member of the Project Management group, which has been denied permission to this system. Deny permissions always override Allow permissions. Allow permissions do not override Deny permissions unless the Allow permission is explicitly assigned and the Deny permission is inherited. It is unlikely that her user object has been assigned an explicit Deny permission to the performance management system since best practice is to assign permissions to groups, not to users.
Which of the following are examples of Something You Have authentication controls? (Select two.)
Smart card, Photo ID. Something You Have authentication controls include physical items that you have in your possession, such as a smart card, photo ID, token device, or swipe card. Something You Know authentication requires you to provide a password, PIN, pass phrase, or the answer to a cognitive question (such as your mother's maiden name). Something You Are authentication uses a biometric system, such as a fingerprint, retina scan, voice recognition, keyboard, or writing recognition.
Match each smart card attack on the left with the appropriate description on the right.
Software attacks: Exploits vulnerabilities in a card's protocols or encryption methods. Eavesdropping: Captures transmission data produced by a card as it is used. Fault generation: Deliberately induces malfunctions in a card. Microprobing: Accesses the chip's surface directly to observe, manipulate, and interfere with a circuit. Smart cards are subject to the following weaknesses: > Microprobing is the process of accessing a chip's surface directly to observe, manipulate, and interfere with the circuit. > Software attacks exploit vulnerabilities in the card's protocols or encryption methods. > Eavesdropping captures transmission data produced by the card as it is used. > Fault generation deliberately induces malfunctions in a card.
Click on the object in the TESTOUTDEMO.com Active Directory domain that is used to manage individual desktop workstation access.
*Click "CORPWS7" Computer objects are used to manage access for individual computer systems in the domain, including servers, desktops, and notebooks. In this example, the desktop named CORPWS7 is represented by a corresponding computer object in the domain. A domain (in this case, TESTOUTDEMO.com) is an administratively defined collection of network resources that share a common directory database and security policies. An organizational unit (OU) subdivides and organizes network resources within a domain. Several OUs are displayed in this scenario, including MarketingManagers, PermMarketing, and TempMarketing. User objects are used to manage access for individual employees. In this scenario, the employee named Tom Plask is represented by a corresponding user object in the domain.
You are creating a new Active Directory domain user account for the Rachel McGaffey user account. During the account setup process, you assigned a password to the new account. However, you know that the system administrator should not know any user's password for security reasons. Only the user should know his or her own password. Click the option you would use in the New Object - User dialog to remedy this situation.
*Click "User must change password at next logon" When creating a new user account or resetting a forgotten password, a common practice is to reset the user account password and select User must change password at next logon. This forces the user to reset the password immediately following logon, ensuring the user is the only person who knows the password. Enable the User cannot change password option when you want to maintain control over a guest, service, or temporary account. For example, many applications use service accounts for performing system tasks. The application must be configured with the user account name and password. In this situation, you may also need to enable the Password never expires option. The Account is disabled option is used in situations where you want to create an account in the present, but the user will not actually need the account until a future date.
Which of the following terms describes the component that is generated following authentication and is used to gain access to resources following login?
Access token When a security principal logs on, an access token is generated. The access token is used to control access to resources and contains the following information: > The security identifier (SID) for the user or computer > The SID for all groups the user or computer is a member of > User rights granted to the security principal When the security principal tries to access a resource or take an action, information in the access token is checked. For example, when a user tries to access a file, the access token is checked for the SID of the user and all groups. The SIDs are then compared to the SIDs in the object's DACL to identify permissions that apply. Account policies in Group Policy control requirements for passwords, such as minimum length and expiration times. Cookies are text files that are stored on a computer to save information about your preferences, browser settings, and web page preferences. Cookies identify you (or your browser) to websites. A proxy is a server that stands between a client and destination servers.
What is the MOST important aspect of a biometric device?
Accuracy The most important aspect of a biometric device is accuracy. If an access control device is not accurate, it does not offer reliable security. Enrollment time is how long it takes for a new user to be defined in the biometric database. Typically, an enrollment time less than two minutes is preferred. The size of the reference profile is irrelevant in most situations. Throughput is how many users a biometric device can scan and verify within a given time period. Typically, a throughput of 10 users per minute is preferred.
What is the name of the service included with the Windows Server operating system that manages a centralized database containing user account and security information?
Active Directory Active Directory (AD) is a centralized database that is included with the Windows Server operating system. Active Directory is used to store information about a network. It stores such things as user accounts, computers, printers, and security policies.
A private key has been stolen. Which action should you take to deal with this crisis?
Add the digital certificate to the CRL
There are registry-based settings that can be configured within a GPO to control the computer and the overall user experience, such as: > Use Windows features such as BitLocker, Offline Files, and Parental Controls > Customize the Start menu, taskbar, or desktop environment > Control notifications > Restrict access to Control Panel features > Configure Internet Explorer features and options. What are these settings known as?
Administrative templates Administrative templates are registry-based settings that can be configured within a GPO to control the computer and the overall user experience. These include: > Use Windows features such as BitLocker, Offline Files, and Parental Controls > Customize the Start menu, taskbar, or desktop environment > Control notifications > Restrict access to Control Panel features > Configure Internet Explorer features and options Use software restriction policies to define the software permitted to run on any computer in the domain. These policies can be applied to specific users or all users. Security options allow you to apply or disable rights for all users the Group Policy applies to. Use account policies to control password settings, account lockout settings, and Kerberos settings.
A PKI is an implementation for managing which type of encryption?
Asymmetric
Which access control model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject?
Attribute-Based Access Control (ABAC) The ABAC model is based on assigning attributes to objects and using Boolean logic to grant access based on the attributes of the subject. The MAC model is based on classification labels being assigned to objects and clearance labels being assigned to subjects. When a subject's clearance lines up with an object's classification, the subject is granted access. The RBAC model grants access based on the subject's role in an organization. The Rule-Based Access Control model grants access based on a set of rules or policies.
A remote access user needs to gain access to resources on the server. Which of the following processes are performed by the remote access server to control access to resources?
Authentication and authorization A remote access server performs the following functions: > Authentication is the process of proving identity. After devices agree on the authentication protocol to use, the login credentials are exchanged and login is allowed or denied. > Authorization is the process of identifying the resources that a user can access over the remote access connection. Authorization is controlled through the use of network policies (remote access policies) as well as access control lists. Accounting is an activity that tracks or logs the use of the remote access connection. Accounting is used to keep track of resource use but is not typically used to control resource use. If access is allowed or denied based on time limits, information provided by accounting might be used by authorization rules to allow or deny access. Identification is the initial process of confirming the identity of a user requesting credentials and occurs when a user types in a user ID to log on. Identity proofing occurs during the identification phase as the user proves that they are who they say they are in order to obtain credentials.
What is the process of controlling access to resources such as computers, files, or printers called?
Authorization Authorization is the process of controlling access to resources such as computers, files, or printers. Mandatory access control (MAC) is an access control system based on classifications of subjects and objects to define and control access. Conditional access is a way to enforce access control while also encouraging users to be productive wherever they are. Authentication is the verification of the issued identification credentials.
Which of the following account types is a cloud-based identity and access management service that provides access to both internal and external resources?
Azure AD Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft. It is similar to on-premises Active Directory except that Azure AD runs in Microsoft's Azure cloud. Administrator is a local user account that has complete control of a system. Domain accounts are created and stored in Active Directory on a domain controller server. This provides central management of users and groups. Microsoft accounts use a single sign-on system. This means that you can sign into different systems while maintaining the same user settings and password. A Microsoft account is a cloud-based Active Directory account type.
A smart card can be used to store all but which of the following items?
Biometric template original A smart card cannot store biometric template originals, as those are physical components of the human body. A smart card can store digital signatures, cryptography keys, and identification codes.
You want a security solution that protects the entire hard drive and prevents access even if the drive is moved to another system. Which solution should you choose?
BitLocker
You've used BitLocker to implement full volume encryption on a notebook system. The notebook motherboard does not have a TPM chip, so you've used an external USB flash drive to store the BitLocker startup key. You use EFS to encrypt the C:\Secrets folder and its contents. Which of the following is true in this scenario? (Select two.)
By default, only the user who encrypted the C:\Secrets\confidential.docx file will be able to open it. If the C:\Secrets\confidential.docx file is copied to an external USB flash drive, the file will be saved in an unencrypted state.
You manage a group of 20 Windows workstations that are currently configured as a workgroup. You have been thinking about switching to an Active Directory configuration. Which advantages would there be to switching to Active Directory? (Select two.)
Centralized configuration control, Centralized authentication. Installing an Active Directory database provides several advantages, including: > Improved scalability > Centralized configuration control > Reduced data backup complexity > Centralized authentication > Centrally applied security settings Active Directory also includes some drawbacks, for example: > Increased cost > Specialized hardware and software needs > Increased planning time for implementation
You are configuring a small workgroup. You open System Properties on each computer that will be part of the workgroup. Click the System Properties options you can use to configure each computer's workgroup association. (Select two. Each option is part of a complete solution.)
Click Network ID, Click Change. In System Properties on each computer, you can click Change to manually configure the workgroup of each computer or Network ID to use a wizard to join the computers together.
You are consulting a small startup company that needs to know which kind of Windows computer network model they should implement. The company intends to start small with only 12 employees, but they plan to double or triple in size within 12 months. The company founders want to make sure they are prepared for growth. Which networking model should they implement?
Client-server This startup company should invest in a client-server network if they want to be prepared to double or triple in size within 12 months. A client-server network that uses Active Directory as a centralized database to manage network resources is the most scalable networking model. The workgroup (peer-to-peer) networking model would be less expensive and easier to set up for a dozen employees, but it would become too difficult to manage when the company increases in size. The standalone networking model would not connect the company's computers to each other. Employees would not be able to share any resources, such as printers or data storage. Wired and wireless networks are not networking models. These network configurations provide connectivity between computers and can be used for any of the networking models. A public network, such as the internet, would be the only way computers using the standalone networking model could communicate with each other.
Which of the following are networking models that can be used with the Windows operating system? (Select two.)
Client-server, Workgroup. The following networking models can be used with the Windows operating system: > Workgroup - computers that are physically connected to a wired or wireless network can be set up as a simple peer-to-peer network, which Microsoft refers to as a workgroup. Computers that are part of a workgroup are both workstations and servers. A workgroup is easy to set up, but it can become very difficult to manage if the number of computers exceeds 10 to 15. > Client-server - in a client-server network, which Microsoft refers to as a domain, computers are joined to a network domain that uses an Active Directory database to contain user accounts and network security policies. Organizational units are logical containers in Active Directory that are used to hold and organize network resources. A domain controller is a server that holds a copy of the Active Directory database. Active Directory is a centralized database that contains user account and security information.
Which of the following is a password that relates to things that people know, such as a mother's maiden name or a pet's name?
Cognitive Cognitive passwords relate to things that people know, such as a mother's maiden name or a pet's name. Dynamic passwords change upon each consecutive login. One-time passwords are only valid for a single use. A passphrase is a password long enough to be a phrase.
When two different messages produce the same hash value, what has occurred?
Collision
You create a new document and save it to a hard drive on a file server on your company's network. Then you employ an encryption tool to encrypt the file using AES. This activity is an example of accomplishing which security goal?
Confidentiality
Cryptographic systems provide which of the following security services? (Select two.)
Confidentiality, Non-repudiation
For users on your network, you want to automatically lock user accounts if four incorrect passwords are used within ten minutes. What should you do?
Configure account lockout policies in Group Policy Account lockout disables a user account after a specified number of incorrect login attempts. The account lockout threshold identifies the allowed number of incorrect login attempts. The account lockout counter identifies a time period for keeping track of incorrect attempts (such as 10 minutes). If account lockout locks a user account, use the unlock feature to allow login. Use the enable/disable feature to prevent or allow login using the user account. Configure account (password) policies in Group Policy to enforce rules about the composition of passwords, such as minimum length, complexity, and history requirements. Use account expiration in a user account to disable an account after a specific day. Use day/time restrictions to prevent login during certain days or hours.
You want to make sure that all users have passwords over eight characters in length and that passwords must be changed every 30 days. What should you do?
Configure account policies in Group Policy Configure account (password) policies in Group Policy to enforce rules about the composition of passwords, such as minimum length, complexity, and history requirements. Use account expiration in a user account to disable an account after a specific day. Use day/time restrictions to prevent login during certain days or hours. Account lockout disables a user account after a specified number of incorrect login attempts.
You have hired ten new temporary employees to be with the company for three months. How can you make sure that these users can only log on during regular business hours?
Configure day/time restrictions in user accounts Use day/time restrictions to limit the days and hours when users can log on. Configure account expiration to disable an account after a specific date. Use account policies in Group Policy to configure requirements for passwords. Use account lockout settings in Group Policy to automatically lock accounts when a specific number of incorrect passwords are entered.
You want to ensure that all users in the Development OU have a common set of network communication security settings applied. Which action should you take?
Create a GPO computer policy for the computers in the Development OU. Network communication security settings are configured in the Computer Policies section of a GPO. Built-in containers (such as the Computers container) and folders cannot be linked to a GPO.
You manage an Active Directory domain. All users in the domain have a standard set of internet options configured by a GPO linked to the domain, but you want users in the Administrators OU to have a different set of internet options. What should you do?
Create a GPO user policy for the Administrators OU. Internet options are configured in the User Policies section of a GPO. Linking this policy to the Administrators OU only applies it to users in that OU because GPOs linked to OUs are applied last. If Local Group Policies are created on the Administrator's computers, the policies are overwritten by the GPO that is linked to the domain, which applies a standard set of internet options to all users in the domain. There is already a GPO user policy linked to the domain.
You manage a single domain named widgets.com. Organizational units (OUs) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. Members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, which is a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer, and he would like his account to have even more strict password policies than are required for other members in the Directors OU. What should you do?
Create a granular password policy for Matt. Apply the new policy directly to Matt's user account. To use a different set of policies for a specific user, create a Password Settings Object (PSO) for the user and apply it directly to the user account. If a PSO has been applied directly to a user, that PSO is in effect regardless of the precedence value. You could create a second group only for Matt's account and password policy. However, this policy must have a lower precedence value than the value set for the policy applied to the DirectorsGG group. Removing Matt's account from the DirectorsGG group is unnecessary and would probably affect his permissions to network resources.
Which of the following functions are performed by a TPM?
Create a hash of system components
Hashing algorithms are used to perform which of the following activities?
Create a message digest.
What is the main function of a TPM hardware chip?
Generate and store cryptographic keys
Which of the following objects identifies a set of users with similar access needs?
Group A group is an object that identifies a set of users with similar access needs. Microsoft systems have two kinds of groups, distribution groups and security groups. Only security groups can be used for controlling access to objects. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). A system access control list (SACL) is used by Microsoft for auditing in order to identify past actions performed by users on an object. Permissions define the rights and access users and groups have with objects.
Which of the following is a message authentication code that allows a user to verify that a file or message is legitimate?
HMAC
Which of the following is used to verify that a downloaded file has not been altered?
Hash
Which of the following should you set up to ensure encrypted files can still be decrypted if the original user account becomes corrupted?
DRA
Audit trails produced by auditing activities are which type of security control?
Detective Audit trails produced by auditing activities are a detective security control. Audit trails are used to detect the occurrence of unwanted or illegal actions by users. Audit trails give administrators the ability to reconstruct historical events and locate aberrant activities. Once an issue is discovered in an audit trail, the collected information can be used to guide the corrective or recovery procedure to restore resources, prevent re-occurrence, and prosecute the perpetrator. The security function of auditing the activities of user accounts on a secured system is considered a preventative or deterrent security control.
Which of the following is a direct integrity protection?
Digital signature
What is the most obvious means of providing non-repudiation in a cryptography system?
Digital signatures
What should you do to a user account if the user goes on an extended vacation?
Disable the account Disabling the account is the best measure to protect an inactive account. This prevents the account from being used for login. If you delete the account or the rights assigned to the account, you have to re-create the account or the rights when the user returns. Leaving the account active might expose it to attack, even if you regularly monitor it.
Which of the following security solutions would prevent a user from reading a file that she did not create?
EFS
A birthday attack focuses on which of the following?
Hashing algorithms
Marcus White has just been promoted to a manager. To give him access to the files that he needs, you make his user account a member of the Managers group, which has access to a special shared folder. Later that afternoon, Marcus tells you that he is still unable to access the files reserved for the Managers group. What should you do?
Have Marcus log off and log back in. On a Microsoft system, an access token is only generated during authentication. Changes made to group memberships or user rights do not take effect until the user logs in again and a new access token is created. Use NTFS and share permissions, not Group Policy, to control access to files. In addition, Group Policy is periodically refreshed, and new settings are applied on a regular basis.
You would like to implement BitLocker to encrypt data on a hard disk, even if it is moved to another system. You want the system to boot automatically without providing a startup key on an external USB device. What should you do?
Enable the TPM in the BIOS.
You are configuring the Local Security Policy of a Windows system. You want to prevent users from reusing old passwords. You also want to force them to use a new password for at least five days before changing it again. Which policies should you configure? (Select two.)
Enforce password history, Minimum password age. Set the Enforce password history policy to prevent users from reusing old passwords. Set the Minimum password age policy to prevent users from changing passwords too soon. Passwords must remain the same for at least the time period specified. Use the Maximum password age policy to force periodic changes to the password. After the maximum password age has been reached, the user must change the password. Use the Password must meet complexity requirements policy to require that passwords include letters, numbers, and symbols. This makes it harder for hackers to guess or crack passwords.
Which of the following terms is used to describe an event in which a person who should be allowed access is denied access to a system?
False negative A false negative occurs when a person who should be allowed access is denied access. A false positive occurs when a person who should be denied access is allowed access. The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated. The crossover error rate, also called the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system.
Which utility would you MOST likely use on OS X to encrypt and decrypt data and messages?
GPG
John, a user, is attempting to install an application but receives an error that he has insufficient privileges. Which of the following is the MOST likely cause?
John has a local standard user account. If John is receiving an error that he has insufficient privileges to install an application, the most likely cause is that he has a local standard user account. Standard users have limited permissions. For example, standard users: > Can use applications (but they cannot install them) > Can change some settings that apply only to them > Cannot run applications in an elevated state John is not a local administrator, as he would not receive an error message in that case. The application is a valid Windows application; otherwise, the installation would not be able to start. Logging in with a Microsoft account would not give John the privileges to install an application.
You are concerned that if a private key is lost, all documents encrypted with your private key will be inaccessible. Which service should you use to solve this problem?
Key escrow
Which of the following are true of Triple DES (3DES)?
Key length is 168 bits
Group Policy Objects (GPOs) are applied in which of the following orders?
Local Group Policy, GPO linked to site, GPO linked to domain, GPO linked to organizational unit (highest to lowest). Group Policy Objects (GPOs) are applied in the following order: > The Local Group Policy on the computer. > GPOs linked to the site. > GPOs linked to the domain that contains the User or Computer object. > GPOs linked to the organizational unit (OU) that contains the User or Computer object (from the highest-level OU to the lowest-level OU).
Match each Active Directory term on the left with its corresponding definition on the right.
Logical organization of resources: Organizational unit. Collection of network resources: Domain. Collection of related domain trees: Forest. Network resource in the directory: Object. Group of related domains: Tree. The Active Directory structure includes the following components: > A tree is a group of related domains that share the same contiguous DNS namespace. > A forest is a collection of related domain trees. > A domain is an administratively defined collection of network resources that share security policies and a common directory database. > An organizational unit (OU) is like a folder. An OU subdivides and organizes network resources within a domain. > An object is a network resource as identified within Active Directory.
Which of the following is the weakest hashing algorithm?
MD5
Mary, a user, is attempting to access her OneDrive from within Windows and is unable to. Which of the following would be the MOST likely cause?
Mary needs to log in with a Microsoft account. Microsoft accounts use a single sign-on system. This means that you can sign into different systems while maintaining the same user settings and password. You can even access your favorite websites. Microsoft accounts also provide synchronized access to other Microsoft services, such as Office 365, Outlook, Skype, OneDrive, Xbox Live, Bing, and Microsoft Store. A local user account can be created and used to sign in and access a Windows 10 computer instead of using a Microsoft account. When a local account is used, some features offered to Microsoft accounts are not available. These include Microsoft's OneDrive and synced settings. Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft. It is similar to on-premises Active Directory except that Azure AD runs in Microsoft's Azure cloud.
Which of the following account types uses a single sign-on system that lets you access Windows, Office 365, Xbox Live, and more?
Microsoft Microsoft accounts use a single sign-on system. This means that you can sign into different systems while maintaining the same user settings and password. You can even access your favorite websites. Microsoft accounts also provide synchronized access to other Microsoft services, such as Office 365, Outlook, Skype, OneDrive, Xbox Live, Bing, and Microsoft Store. Administrator is a local user account that has complete control of a system. Domain accounts are created and stored in Active Directory on a domain controller server. This provides central management of users and groups. Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft. It is similar to on-premises Active Directory except that Azure AD runs in Microsoft's Azure cloud.
Which of the following principles is implemented in a mandatory access control model to determine object access by classification level?
Need to Know Need to Know is used with mandatory access control environments to implement granular control over access to segmented and classified data. Separation of duties is the security principle that states that no single user is granted sufficient privileges to compromise the security of an entire environment. Clearance is the subject classification label that grants a user access to a specific security domain in a mandatory access control environment. Ownership is the access right in a discretionary access control environment that gives a user complete control over an object. This is usually because he or she created the object.
When a sender encrypts a message using their own private key, which security service is being provided to the recipient?
Non-repudiation
Your computer system is a participant in an asymmetric cryptography system. You've crafted a message to be sent to another user. Before transmission, you hash the message and then encrypt the hash using your private key. You then attach this encrypted hash to your message as a digital signature before sending it to the other user. Which protection does the private key-signing activity of this process provide?
Non-repudiation
Which technology was developed to help improve the efficiency and reliability of checking the validity status of certificates in large, complex environments?
Online Certificate Status Protocol
Match the authentication factor types on the left with the appropriate authentication factor on the right. Each authentication factor type may be used more than once.
PIN - Something You Know
Smart Card - Something You Have
Password - Something You Know
Retina Scan - Something You Are
Fingerprint Scan - Something You Are
Hardware Token - Something You Have
Passphrase - Something You Know
Voice Recognition - Something You Are
Wi-Fi Triangulation - Somewhere You Are
Typing Behaviors - Something You Do
Something You Know authentication requires you to provide a password or some other data that you know. This is the weakest type of authentication. Examples of Something You Know authentication controls include:
> Passwords, codes, or IDs
> PINs
> Passphrases (long multi-word passwords)
Something You Have (also called token-based authentication) is authentication based on something users have in their possession. Examples of Something You Have controls include:
> Swipe cards
> Photo IDs
> Smart cards
> Hardware tokens
Something You Are authentication uses a biometric system. A biometric system attempts to identify a person based on metrics or a mathematical representation of the subject's biological attribute. Biometric systems are the most expensive and least accepted system type, but are generally considered the most secure form of authentication. Common attributes used for biometric systems include:
> Fingerprints
> Hand topology (side view) or geometry (top-down view)
> Palm scans
> Retina scans
> Iris scans
> Facial scans
> Voice recognition
Somewhere You Are authentication (also known as geolocation) is a supplementary authentication factor that uses physical location to verify a user's identity. Examples of implementations include:
> An account is locked unless the user has passed through the building's entrance using an ID card.
> If the user is within RFID range of the workstation, authentication requests are allowed.
> GPS or Wi-Fi triangulation location data is used to determine a device's location. If the user and the device are in a specified location, authentication requests are allowed. If not, the device is locked.
Something You Do is a supplementary authentication factor that requires an action to verify a user's identity. Example implementations include:
> Analyzing a user's handwriting sample against a baseline sample before allowing authentication.
> Analyzing a user's typing behaviors against a baseline sample before allowing authentication.
What type of password is maryhadalittlelamb?
Passphrase A passphrase is a password long enough to be a phrase, such as maryhadalittlelamb. Cognitive passwords relate to things that people know, such as a mother's maiden name or a pet's name. A static password is created by a user and overseen by an administrator. Composition passwords are created by the system and are usually two or more unrelated words divided by symbols on the keyboard.
Which of the following identifies the type of access that is allowed or denied for an object?
Permissions Permissions define the rights and access users and groups have with objects. Permissions are applied to objects such as files and folders. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). On a Microsoft system, a user right is a privilege or action that can be taken on a system, such as logging on, shutting down, backing up the system, or modifying the system date and time. A system access control list (SACL) is used by Microsoft for auditing in order to identify past actions performed by users on an object.
What is the primary purpose of separation of duties?
Prevent conflicts of interest The primary purpose of separation of duties is to prevent conflicts of interest by dividing administrative powers between several trusted administrators. This prevents a single person from having all of the privileges over an environment, which would create a primary target for attack and a single point of failure. Increasing administrative difficulty, informing managers that they are not trusted, or granting a greater range of control to senior management are not the primary purposes of separation of duties. Separation of duties might seem to increase administrative difficulty, but this separation provides significant security benefits. A manager is informed they are not trusted when they are not given any responsibility as opposed to a reasonable portion of responsibility. Senior management already has full control over their organization.
You assign access permissions so that users can only access the resources required to accomplish their specific work tasks. Which security principle are you complying with?
Principle of least privilege The principle of least privilege is the assignment of access permissions so that users can only access the resources required to accomplish their specific work tasks. Job rotation and cross-training involve training groups of employees how to perform multiple job roles and periodically rotating those roles. Need to know is a feature of MAC environments where data within your classification level is compartmentalized and requires specific work-task needs for privilege access.
Which of the following is an example of privilege escalation?
Privilege creep Privilege creep occurs when a user's job position changes and he or she is granted a new set of access privileges for their new work tasks, but their previous access privileges are not removed. As a result, the user accumulates privileges over time that are not necessary for their current work tasks. This is a form of privilege escalation. Principle of least privilege and separation of duties are countermeasures against privilege escalation. Mandatory vacations are used to perform peer reviews, which require cross-trained personnel and help detect mistakes and fraud.
You have implemented an access control method that only allows users who are managers to access specific data. Which type of access control model is being used?
RBAC Role-based access control (RBAC) allows access based on a role in an organization, not individual users. Roles are defined based on job description or a security-access level. Users are made members of a role and receive the permissions assigned to the role. Discretionary access control (DAC) assigns access directly to subjects based on the discretion of the owner. Objects have a discretionary access control list (DACL) with entries for each subject. Owners add subjects to the DACL and assign rights or permissions. The permissions identify the actions the subject can perform on the object. Mandatory access control (MAC) uses labels for both subjects (users who need access) and objects (resources with controlled access). When a subject's clearance lines up with an object's classification, and when the user has a need to know (referred to as a category), the user is granted access.
An attacker is attempting to crack a system's password by matching the password hash to a hash in a large table of hashes he or she has. Which type of attack is the attacker using?
Rainbow
In the certificate authority trust model known as a hierarchy, where does trust start?
Root CA
Which of the following is an example of rule-based access control?
Router access control lists that allow or deny traffic based on the characteristics of an IP packet. A router access control list that allows or denies traffic based on the characteristics of an IP packet is an example of rule-based access control. A subject with a government clearance that allows access to government classification labels of Confidential, Secret, and Top Secret is an example of mandatory access control. A member of the accounting team that is given access to the accounting department documents is an example of role-based access control. A computer file owner who grants access to the file by adding other users to an access control list is an example of discretionary access control.
Which of the following is used by Microsoft for auditing in order to identify past actions performed by users on an object?
SACL A system access control list (SACL) is used by Microsoft for auditing in order to identify past actions performed by users on an object. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). On a Microsoft system, a user right is a privilege or action that can be taken on a system, such as logging on, shutting down, backing up the system, or modifying the system date and time. Permissions define the rights and access users and groups have with objects. Permissions are applied to objects such as files and folders.
Which of the following does not or cannot produce a hash value of 128 bits?
SHA-1
Which form of cryptography is best suited for bulk encryption because it is so fast?
Symmetric key cryptography
You are teaching new users about security and passwords. Which of the following is the BEST example of a secure password?
T1a73gZ9! The most secure password is T1a73gZ9! because it is eight or more characters in length and combines uppercase and lowercase characters, special symbols, and numbers. The least secure password is 8181952 because it appears to be a birthday. JoHnSmITh is not secure because it is still a name. Stiles_2031 is more secure but not as secure as random numbers and letters.
An SSL client has determined that the certificate authority (CA) issuing a server's certificate is on its list of trusted CAs. What is the next step in verifying the server's identity?
The CA's public key must validate the CA's digital signature on the server certificate.
The Hide Programs and Features page setting is configured for a specific user as follows:
Policy - Setting
Local Group Policy - Enabled
Default Domain Policy GPO - Not Configured
GPO linked to the user's organizational unit - Disabled
After logging in, the user is able to see the Programs and Features page. Why does this happen?
The GPO linked to the user's organizational unit is applied last, so this setting takes precedence. The GPO linked to the user's organizational unit is applied last. With this in mind, the setting that disables the policy to hide the Programs and Features page takes precedence. In this question's scenario, Local Group Policy enables the policy to hide the Programs and Features page. When the Default Domain Policy GPO is applied, this policy is set to Not configured. It doesn't change anything. When the GPO linked to the user's organizational unit is applied, the setting for this policy is disabled. This reverses the setting in the Local Group Policy and makes the Programs and Features page visible to the user. The Local Group Policy is applied first. GPOs linked to the user's domain are applied second and take precedence over settings in the Local Group Policy. GPOs linked to the user's organizational unit are applied last and take precedence over any preceding policy settings.
You have transferred an encrypted file across a network using the Server Message Block (SMB) Protocol. What happens to the file's encryption?
The file is unencrypted when moved.
Which of the following defines the crossover error rate for evaluating biometric systems?
The point where the number of false positives matches the number of false negatives in a biometric system. The crossover error rate, or the equal error rate, is the point where the number of false positives matches the number of false negatives in a biometric system. A false negative (or Type I error) occurs when a person who should be allowed access is denied access. A false positive (or Type II error) occurs when a person who should be denied access is allowed access. The processing rate, or system throughput, identifies the number of subjects or authentication attempts that can be validated.
Which of the following would require that a certificate be placed on the CRL?
The private key is compromised.
Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database. Which action should you take? (Select two. Each response is part of a complete solution.)
Train sales employees to use their own user accounts to update the customer database. Delete the account that the sales employees are currently using. You should prohibit the use of shared user accounts. Allowing multiple users to share an account increases the likelihood of the account being compromised. Because the account is shared, users tend to take security for the account less seriously. In the scenario, the following tasks need to be completed:
> The existing shared user account needs to be deleted. Until you delete the account, users can continue to use it for authentication. You could just change the password on the account, but there is a high chance that the new password would be shared again.
> Train sales employees to use their own user accounts to update the customer database. Ensure that these accounts have the level of access required for users to access the database.
Applying time-of-day login restrictions in a Group Policy object does not address the issue in this scenario.
Which of the following database encryption methods encrypts the entire database and all backups?
Transparent Data Encryption (TDE)
Which security mechanism uses a unique list that meets the following specifications:
> The list is embedded directly in the object itself.
> The list defines which subjects have access to certain objects.
> The list specifies the level or type of access allowed to certain objects.
User ACL A user ACL (user access control list) is a security mechanism that defines which subjects have access to certain objects and the level or type of access allowed. This security mechanism is unique for each object and embedded directly in the object itself. Mandatory access control (MAC) is an access control system based on classifications of subjects and objects to define and control access. Conditional access is a way to enforce access control while also encouraging users to be productive wherever they are. Hashing is a cryptographic tool that creates an identification code that is employed to detect changes in data.
Which of the following is a privilege or action that can be taken on a system?
User rights On a Microsoft system, a user right is a privilege or action that can be taken on a system, such as logging on, shutting down, backing up the system, or modifying the system date and time. User rights apply to the entire system. A discretionary access control list (DACL) is an implementation of discretionary access control (DAC). Microsoft uses a system access control list (SACL) for auditing in order to identify past actions performed by users on an object. Permissions define the rights and access users and groups have with objects. Permissions are applied to objects such as files and folders.
Which of the following is used for identification?
Username Identification is the initial process of confirming the identity of a user requesting credentials and occurs when a user types in a user ID to log on. The username is used for identification, while a password, PIN, or some other cognitive information is used for authentication. Authentication is the verification of the issued identification credentials. It is usually the second step after identification and establishes the user's identity, ensuring that users are who they say they are.
Which of the following identification and authentication factors are often well known or easily discovered by others on the same network or system?
Username The username is typically the least protected identification and authentication factor. Therefore, usernames are often well known or easy to discover, especially by others on the same network or system. The key to maintaining a secure environment is to keep authentication factors secret. Often, usernames are constructed using a standard naming convention, such as first and middle initials plus the full last name, or the first name and last name separated by a period. If these simple construction conventions are known, building usernames from an employee list is very simple. Passwords, your PGP secret key, and your biometric reference profile are less likely to be well known or easy to discover.
You have just configured the password policy and set the minimum password age to 10. What is the effect of this configuration?
Users cannot change the password for 10 days. The minimum password age setting prevents users from changing the password too frequently. After the password is changed, it cannot be changed again for at least 10 days. The maximum password age setting determines how frequently a password must be changed. The minimum password length setting controls the minimum number of characters that must be in the password. Password history is used to prevent previous passwords from being reused.
Which of the following items are contained in a digital certificate? (Select two.)
Validity period, Public key
Which of the following are disadvantages of biometrics? (Select two.)
When used alone, they are no more secure than a strong password. They have the potential to produce numerous false negatives. When a biometric is used by itself, it is no more secure than a strong password. A single successful attack can subvert a biometric in much the same way that a single successful attack can subvert a password. Biometric attacks need not be based on physical harm (such as cutting off a finger), but can include a wide variety of realistic reproductions that fool the biometric reader device. When a biometric device's sensitivity is set too high, it results in numerous false rejections (when authorized users are not recognized and are therefore rejected). The advantage of biometrics is that no two people have the same biometric characteristics. Most characteristics, such as retinal patterns, are unique, even among identical twins. A password can be discovered using a brute force attack, but there is no such attack against biometrics.
Which networking model is based on peer-to-peer networking?
Workgroup A workgroup model is based on peer-to-peer networking. In the workgroup model:
> No hosts in a workgroup have a specific role.
  - All hosts can function as both workstations and servers.
  - All hosts in a workgroup can provide network services or consume network services.
> Hosts are linked together by some type of local network connection.
> Hosts in the same workgroup can access shared resources on other hosts.
> No specialized software is required.
In a standalone model, each Windows system functions independently of other systems. In the client-server model, each host has a specific role in the network. Servers provide services such as file storage, user management, security configuration, and printing. Clients request services from servers.
You are a contract support specialist managing the computers in a small office. You see that all the computers are only using local user accounts. Which of the following models could this office be using? (Select two.)
Workgroup Standalone The standalone and workgroup models can only use local user accounts for storing usernames and passwords. Active Directory is used to create client-server networks where domains are used to organize network resources. On these networks, user account information is stored in a centralized database on a network server. Azure AD is similar to Active Directory, but the domain is hosted on Microsoft servers in the cloud. This is where user account information would also be stored.
Which standard is most widely used for certificates?
X.509
You have just downloaded a file. You create a hash of the file and compare it to the hash posted on the website. The two hashes match. What do you know about the file?
Your copy is the same as the copy posted on the website.