Domain 4.0 Identity and Access Management


You have been requested to modify the Accounting Group policy to permit secure file transfers. You have made the changes and now want to be sure the policy gets updated. At the Command Prompt, what command would you type to execute this? ________________________________________.

"gpupdate". (pic-in-phone) Gpupdate refreshes the local and Active Directory-based Group Policy settings, including security settings.

What protocol does LDAPS encrypt data with? What TCP port does it use?

TLS; TCP port 636 (eb p245/text p145)

What are 2 benefits of TACACS+ ?

1 - Encrypts the entire authentication process, whereas RADIUS doesn't. 2 - Uses multiple challenges and responses between the client and the server. (eb p350/p215)

What are 3 requirements for Kerberos to properly work?

1 - KDC: provides authentication for users who access resources such as files on a file server. 2 - Time synchronization. 3 - Database of users/subjects. 4 - Symmetric-key cryptography to prevent unauthorized disclosure and to ensure confidentiality.

Because Kerberos provides network authentication what 2 things can it prevent?

1 - MITM 2 - Replay Attacks

Kerberos

A network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms.

TACACS+ separates authentication, authorization, and accounting functions. Which of these functions are combined using RADIUS? (Choose two.) A. Authorization B. Accounting C. Authentication D. Passwords

A. Authorization C. Authentication p215 RADIUS combines the authentication and authorization packets; these functions are not separate in RADIUS.

The assurance that data is not altered or destroyed in an unauthorized manner is referred to as _____________. A. Data integrity B. Data confidentiality C. Data privacy D. Data access

A. Data integrity Integrity refers to the assurance that data is not altered or destroyed in an unauthorized way.

In addition to utilizing multifactor authentication for computer access, you are going to configure a secure VPN solution that will use multifactor authentication. From the following options, select the TWO solutions that best fit your application. A. Key fob and password B. User name and password C. Fingerprint scan D. Smartcard and password

A. Key fob and password D. Smartcard and password Key fobs are physical devices with a small display showing a number that is synchronized with a server-side component. This number changes frequently and is used in conjunction with a PIN. Both of these constitute multifactor authentication.

Which of the following behavioral biometrics authenticates by the normal actions that users perform? (Choose two.) A. Keystroke dynamics B. Fingerprints C. Geolocation D. Tokens

A. Keystroke dynamics. C. Geolocation. ref: www.gemalto.com. Behavioral biometrics, or what you do, authenticates by normal actions that the user performs. Behavioral biometric technologies include keystroke dynamics and geolocation, which is the identification of location.

When access to services or resources are organized by using rules, which access control model is being used? A. MAC B. RBAC C. DSS D. None of these

A. MAC. MAC (Mandatory Access Control) is the best choice of those provided because it is the only choice that strictly manages rule-based access control. When considering these distractors it is easy to pick RBAC incorrectly based on its acronym, but RBAC applies ONLY to Role-Based Access Control, not rule-based access control. MAC is usually used by small organizations to provide granular per-employee control, as opposed to the role-based approach, which applies to larger companies, typically 500 or more employees. DSS has several expansions of its acronym, such as Digital Spread Spectrum, and is used here as the nonsense distractor.

Which of the following protocols does not send credentials over the network and requires that both parties have a shared secret to compute the hash? A. MS-CHAP v2 B. NTLM C. EAP-TLS D. PAP

A. MS-CHAP v2 Microsoft Challenge Handshake Authentication Protocol (MS-CHAP v2) does not send credentials, even in encrypted form, over the network at all, because it hashes credentials on both sides of a connection.

Which 2 older security protocols used to authenticate Microsoft clients are susceptible to PASS THE HASH attacks? A. Microsoft LM, NTLM B. LDAP, PAP C. CHAP, MS-CHAP D. TACACS+, RADIUS, Diameter

A. Microsoft LM, NTLM (eb p501/p311)

Your computer users currently log into the system with two-factor authentication, using a card with a magnetic strip and a user name and password. Management would like to see this upgraded to allow the use of a card that does not require the user to swipe every time they need computer access, but simply to have a card in their possession. Which of the following solutions would meet the new requirement? (Select all that apply.) A. Passive proximity cards B. Smart credit cards C. Active proximity cards D. Hardware token

A. Passive proximity cards C. Active proximity cards Proximity cards, both active and passive, are contactless card technologies. Held near an electronic reader for a moment, they enable the identification of an encoded number. Passive cards are powered by the reader, and active proximity cards are powered by an internal battery.

In a Microsoft Active Directory environment, credential management is enforced in two ways: group policy Password Policy Settings and Account Lockout Policy. Which of these two domain level policy sets is responsible for the encryption of passwords? A. Password Policy Settings B. Account Lockout Policy C. Both of these D. Neither of these

A. Password Policy Settings. p102 Password Policy Settings control the password length, age, reusability, complexity, and encryption. The Account Lockout Policy controls the duration of the password lockout, the lockout threshold (unsuccessful attempts), and the length of time a lockout persists.

Which type of authentication protocol below is used with 'Password Authentication Protocol' (PAP)? A. Point-to-Point Protocol (PPP) B. Point-to-Point Protocol over Ethernet (PPPoE) C. Point-to-Point Tunneling Protocol (PPTP) D. VPN Split Tunnel

A. Point-to-Point Protocol (PPP) (eb p347)

Which of the following services are you MOST likely configuring? (Select TWO.) A. RADIUS B. Kerberos C. LDAP D. EAP-TLS

A. RADIUS C. LDAP (eb p360)

RADIUS provides a system of distributed security for networks and network services. The primary use is to facilitate which type of connection shown below? A. Remote B. Terminal C. Local D. None of these

A. Remote. Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect remotely. It provides central authentication for remote access clients. RADIUS encrypts the password packets and uses UDP. In contrast, TACACS+ encrypts the entire authentication process and uses TCP.

Which messaging protocol specification is used to allow programs that run on disparate operating systems - such as Windows and Linux - to communicate using HTTP and its Extensible Markup Language (XML)? It is typically limited to polling, as opposed to event notification. A. SOAP B. CORBA C. HOTP D. CHAP

A. SOAP SOAP (Simple Object Access Protocol) is used to provide multifactor authentication in a disparate OS environment, for example HTTPS with XML.

When you log on to your online bank account, you are also able to access a partner's credit card site, check-ordering services, and a mortgage site without entering your credentials again. Which of the following does this describe? A. SSO B. Same sign-on C. SAML D. Kerberos

A. SSO

Your workplace is rolling out a new security system. In preparation you have been asked to sit for some tests. They fingerprinted you, took a picture of your eye and asked you to say your login name five times while typing it. Whichever type of security system is eventually deployed, which area will it NOT address? A. Something you have B. Something you know C. Something you are D. Something you do E. Where you are F. All of these are correct.

A. Something you have Even though the list of requirements appears to be comprehensive it is missing "Something you have". This could be remedied by issuing something as simple as a badge, providing a token that performs random changes or even loading a program on the user's cell phone which they would have to have handy on-site.

In a TACACS+ session which choices below best describe what gets encrypted? (Choose two.) A. The entire body of the packet B. Only data sent by the host C. Only data sent by the server D. Username, password and random packets for security. E. The information concerning username, authorized services, and other information.

A. The entire body of the packet. E. The information concerning username, authorized services, and other information. TACACS+ encrypts the entire body of the packet, including the username and authorized services information. p215-216

You are the network admin for a financial accounting firm. During an audit of user accounts, you find the example in (picture-in-phone). What security problem can you see with this user account configuration created by his supervisor? A. The username does not follow a naming convention. B. The password is not long enough. C. The "Password never expires" option is enabled. D. The "Account is disabled" option is not enabled.

A. The username does not follow a naming convention. Even without knowing the specific naming convention for the financial institution, the use of a nickname is not appropriate, and the other possible answers are all incorrect.

In a complex network environment, users would often be required to repeatedly authenticate themselves for different services. Kerberos solves this problem by allowing users to authenticate themselves once and then be issued a special "pass" to access services. Which of the choices below best describes this "pass"? A. Ticket-granting ticket. B. Authentication service. C. Checksum identifier D. Ticket-granting server

A. Ticket-granting ticket. Kerberos provides an authentication service to users and services by granting tickets (TGTs) to authenticate users and services on a network.

CHAP (Challenge Handshake Authentication Protocol)

An authentication mechanism where a server challenges a client, compares the client's hash with the stored hash, and responds with the appropriate authentication information. (eb p837)

*EAP-Tunneled TLS (EAP-TTLS)* is an extension of PEAP, allowing systems to use older authentication methods such as ___________ ____________ ____________ within a TLS tunnel.

Answer: Password Authentication Protocol (PAP) (eb p329)

Which IEEE standard provides the highest degree of port security by using switch/port authentication, disabling the port completely if a device does not authenticate? A. 802.11e B. 802.1x C. 802.11n D. 802.11X

B. 802.1x. The 802.1X standard operates on wired and wireless networks. It encapsulates the EAP protocol. On a wired network, hosts are connected to switches, and each switch port is independent and dedicated to the host attached to it. In this scenario, if the host fails to authenticate within the default 30-second time frame, the port is turned off and no network access is possible. In a wireless network, multiple hosts could be affected. The 802.11x standard is a work in progress involving many existing standards, for example 802.11e, which addresses QoS, and 802.11n, which is responsible for connections reaching speeds in excess of 100 Mbps. The 802.11x working group addresses wireless LAN security and class of service; the next generation of wireless communications will come from the 802.11x group.

When tuning a biometric authentication system, the goal is to have the lowest number of accepted imposters and rejected legitimate users. What should the crossover error rate (CER) be? A. As high as possible B. As low as possible C. More rejected legitimate users than accepted imposters. D. More accepted imposters than rejected legitimate users.

B. As low as possible

Which of the following is NOT true about CHAP? A. CHAP uses Point-to-Point Protocol. B. CHAP sends passwords in cleartext. C. CHAP authenticates remote users. D. CHAP is more secure than PAP.

B. CHAP sends passwords in cleartext. (eb p347)

The RPC service allows one computer to execute programming on another computer. How should this service be treated in order to secure your network? A. Disable service completely B. Enable it only for use through secure access methods such as a VPN. C. Run it only in the DMZ. D. Use RPC Portmapper Service.

B. Enable it only for use through secure access methods such as a VPN.

Security approaches you at work about people sometimes being able to enter the office using the voice recognition system even though they are not employees. What is the problem? A. False rejection B. False acceptance C. Crossover error D. Crossover acceptance

B. False acceptance False acceptance occurs when a biometric authentication system authenticates users without a proper match.

When attempting to connect to a RADIUS server, the user will be prompted for a user name and password by which of the devices shown below? A. VPN B. NAS C. SLIP D. EAP

B. NAS. The network access server (NAS) is a single point of access to a remote resource. It is what prompts for the username and password when attempting to connect to a RADIUS server.

Indicate the most secure strong passwords among the alternatives provided. (Choose two.) A. password1 B. P@55w0rD C. paSsword D. p@ssword E. p@Sswo4d F. pAs5Word

B. P@55w0rD E. p@Sswo4d As it is the least secure one here, it may be hard to believe that *password1* is always in the list of the most used passwords. This has been consistent year after year. Companies have taken the precaution of requiring alternate keyboard characters, numbers, and a mix of capitalized and non-capitalized letters. Of the offered alternatives, *P@55w0rD* and *p@Sswo4d* are the most secure because they include all the required characters (capital and lowercase letters, numbers, and special characters) and they satisfy the minimum number of characters for a strong password, which is eight (maximum is 15). When security is your concern, never use the word *password* (with a number attached or not) nor any other word available in the dictionary. Did you know that at 28% the password breach is the largest single security concern in IT?

Of the choices provided, which authentication method provides access based on transferring the username and password, which are then compared against an encrypted password file on the access server? If the password sent across the network matches the one associated with the UserID, the connection is established. Since the password exchange can be intercepted, the method is not considered to be secure. A. CHAP B. PAP C. OTP D. SPAP

B. PAP Because the user/password transfer can be intercepted by an attacker, the PAP password exchange method is considered insecure. p214

A nonexistent disaster recovery plan would be considered what type of weakness? A. Configuration weakness B. Policy weakness C. Technology weakness D. Physical weakness

B. Policy weakness Failure to make plans for recovery from a system crash or failure would constitute a Policy weakness.

Lack of a written security policy would be considered what type of weakness? A. Configuration weakness. B. Policy weakness. C. Technology weakness. D. Physical weakness.

B. Policy weakness.

The topmost level in the LDAP hierarchy is referred to as which choice below? A. Home B. Root C. OU D. SSO

B. Root. The topmost level in the DIT is the root and this is usually the domain name component or DC.

LDAP communication is secured through a standards-based interface. This interface is referred to by which acronym listed below? A. ACL B. SASL C. SSL D. PKI

B. SASL. There are a number of additional security layers that you can have within LDAP. One is called the *Simple Authentication and Security Layer*, or SASL, and it is part of LDAP version 3.

In addition to passwords, which of the following choices can be used to authenticate the user? (Choose 2) A. Firewalls B. Smart cards C. PINs D. All of the above.

B. Smart cards C. PINs. Smart cards have embedded chips with code used to identify users. PINs, or personal identification numbers, are usually numeric and are used as additional authentication, commonly at banks.

A user has the password of password1. You have sent him an email giving him 24 hours to change it or get locked out. Which authentication credential area have you addressed? A. Something you have B. Something you know C. Something you are D. Something you do E. Where you are F. All of these are correct

B. Something you know Passwords fall under the category of "Something you know". Administratively, this user could be blocked from using their next logical choice, "Password1", by assigning them a password and making it unchangeable. A firm, friendly phone call might be a better substitute. Did you know that weak passwords lead to 28 percent of all cyber breaches, and "password1" is the most common password?

Your tablet locks when not in use. To unlock the device, a screen is displayed with four number blocks each containing a different number between 0 and 9. To unlock the device the numbers must be pressed in the correct numeric sequence. Which Authentication credential does this address? A. Something you have B. Something you know C. Something you are D. Something you do E. Where you are F. All of these are correct.

B. Something you know. The solving of the numeric arrangement is accomplished using cognitive functions and is classified as something you know. The passphrase in question is hardly secure or unbreakable and is referenced only as a demonstration of the process.

False positives can be reduced over time by using which of the choices listed below? A. Turning B. Tuning C. Pruning D. None of these.

B. Tuning

Of the choices provided, which are the two main standards for generating OTPs? Both are governed by the Initiative for Open Standards. (Choose two) A. ATHO B. TOTP C. SOPT D. HOTP E. OTOP

B. TOTP D. HOTP The Open Standards Initiative requires that: The Open Standard contains no intentional secrets. It must be freely and publicly available. The patents must be freely and publicly available under royalty-free terms for unrestricted use, or be covered by a promise of non-assertion when practiced by open source software. There MUST NOT be any requirement for the execution of a license agreement, NDA, or other form of paperwork to deploy a conforming implementation of the standard. There are no OSR-incompatible dependencies: the standard MUST NOT require any other technology that does not meet the criteria of the requirement. HOTP requires that the HMAC-Based One-Time Password Algorithm (HOTP) be freely available, and the Time-Based One-Time Password Algorithm (TOTP) also requires this availability.

Which port number does LDAP use as a standard SSL socket number for TCP and UDP? A. 23 B. 8080 C. 636 D. Any of these

C. 636

Improper offboarding of an employee can cause which effect? A. Provisioning B. Recertification C. Account orphaned D. Home folder delete

C. Account orphaned. Once an employee goes through the offboarding process, it is important that the user's account is deleted and not left orphaned. Remember, onboarding covers all aspects of adding a new user while offboarding covers all aspects of removing a current user. Recertification monitors the validity of account permissions.

The Terminal Access Controller Access Control System was developed by which company listed below? A. Microsoft B. Novell C. Cisco D. Red Hat

C. Cisco. Cisco Secure Access Control System (ACS) is a centralized identity and access policy solution that ties together an enterprise's network access policy and identity strategy. Cisco Secure ACS operates as a RADIUS and Terminal Access Controller Access Control System Plus (TACACS+) server, combining user authentication, user and administrator device access control, and policy control into a centralized identity networking solution.

Multifactor authentication uses at least two of three possible authentication methods to identify a user. Which of the following is not one of the generally accepted methods? A. Passwords B. Biometrics C. Digital Signatures D. Tokens

C. Digital Signatures - used to ensure integrity, i.e. that it is actually you sending the data. Multifactor authentication requires identification from at least one means of authentication from at least two of three factors. Common factors are something you know, something you have, and something about you. (Tokens are included next to Key Fobs, p104)

The LDAP directory is organized as a tree-like hierarchical structure. Which of the choices below represents the name of the structures? A. Directory Individual Tree. B. Distinguished Information Tree. C. Directory Information Tree. D. None of these.

C. Directory Information Tree. An LDAP directory is organized in a structure called the Directory Information Tree (DIT).

Choose the biometric authentication method that uses nodal points to identify the user. A. Iris scanner B. Retinal scanner C. Facial recognition D. All of these

C. Facial recognition. Facial recognition software creates a map of data points from an image of the user's face, such as the size of the eyes, width of the nose, and shape of the jawline. These data points are referred to as nodal points.

The ability to manage access control lists (ACL) in large operations is handled best by _________________________. A. File system security B. Location-based policies C. Group-based access control D. All of these

C. Group-based access control. Group-based access control allows for the configuration of hundreds of computers using a single group. For example, Microsoft Group Policy is particularly effective in AD environments.

You have recently been hired as the network administrator for a UNIX network. You are planning some upgrades to your network's security. A secure protocol must be utilized to authenticate all users logging in. Which of the following authentication protocols will meet your requirements? A. TCP B. Telnet C. Kerberos D. AES

C. Kerberos. p110 Kerberos is an authentication protocol used by many vendors, including Microsoft with Active Directory services. Clients and servers must securely prove their identity to each other by way of a central third party referred to as a key distribution center (KDC).

While capturing network traffic, you notice clear-text credentials being transmitted. After investigating the TCP headers, you notice that the destination port is 389. What type of authentication traffic are you seeing? A. PAP B. EAP-TLS C. LDAP D. CHAP

C. LDAP p111 LDAP is the standard for access to a network directory for authentication purposes. LDAP uses TCP port 389 with clear text and TCP port 636 for encrypted transmissions.

The financial institution you work for is experiencing small continued losses that were identified by the auditors as internal. Which countermeasure would you first take to stop the loss without arousing suspicion? A. Separation of duties B. Job rotation C. Least privilege D. Afternoon off scheduled to ensure no impact on Company performance

C. Least privilege. Least privilege gives users only the access they need. It could stop there. If the losses continue you would move to job rotation and separation of duties. The latter two would identify the threat as they move in and out of sensitive assignments. Giving employees time off will help you narrow down the threats as they would be unable to misappropriate anything when they are not there.

Because TACACS+ interacts with Kerberos, TACACS+ can work with a broader range of environments such as _______________. A. Sandboxing B. NTLM C. Microsoft Windows Active Directory. D. Microsoft SQL Server 2016

C. Microsoft Windows Active Directory.

When working with user accounts and password policy, you will often face the question of how to enforce password history settings so that users cannot quickly reset their passwords the required number of times and then change it back to their old password. Which Microsoft Group Policy setting is designed to prevent this potential problem? A. Password reuse B. Enforce password history C. Minimum password age D. Password expiration

C. Minimum password age. Minimum password age or password history determines how many days a new password must be kept before the user can change it.

The LDAP protocol provides authentication on three levels. Which of the choices below does NOT represent an LDAP authentication level? A. No authentication B. SASL C. PKI D. Simple authentication

C. PKI - Public Key Infrastructure, used for managing digital certificates.

Your department has been issued new laptops equipped with fingerprint readers. Which authentication credential does this address? A. Something you have B. Something you know C. Something you are D. Something you do E. Where you are F. All of these are correct.

C. Something you are

The three step process of authentication, authorization, and accounting, is usually referred to as which of the following choices below? A. Multifactor authentication B. Ticket-granting C. The AAA model D. Non repudiation

C. The AAA model AAA stands for authentication, authorization and accounting. It refers to the security architecture for distributed systems for controlling which users are allowed access to which services, and tracking which resources they have used.

You are working at the customer service desk today, and a client calls to inquire about her inability to access her account over the Internet from her laptop. She states that she normally uses the laptop from home and it works fine, but today she is at a friend's home across town and is not able to access the account. You verify that the user name and password she is using are correct. Which of the following is the most likely reason for her difficulty? A. The system has detected a new MAC address. B. The system has detected malware on her system. C. The geolocation authentication has recognized she is not at her typical location. D. Both A and C.

C. The geolocation authentication has recognized she is not at her typical location. Using information from previous login times, IP address, and days of the week, a geolocation pattern can be established and would turn down a request for access as this may be an indication that an attacker is attempting to access the account.

Which of the choices listed accurately complete this sentence: "The more complex your password is, ________________."(Choose two) A. The easier it is to hack. B. The longer it takes to get your work done. C. The harder it is to remember. D. The more secure it is.

C. The harder it is to remember. D. The more secure it is.

Which term describes the automatic creation of a two-way relationship between child and parent domains in a Microsoft AD forest? A. OAuth B. Open ID Connect C. Transitive trust D. Shibboleth

C. Transitive trust Transitive trusts are created automatically in the Microsoft Active Directory (AD) forest. The other choices describe federated SSO systems.

Which term does NOT describe open source federated identity management for SSO? A. OAuth B. Open ID Connect C. Transitive trust D. Shibboleth

C. Transitive trust. Transitive trusts are created automatically in the Microsoft Active Directory forest. These trusts are proprietary and non-federated. The other choices describe federated SSO systems. p113-115

Displayed is the output of a hacker's screen. Determine the server being attacked and the attack method. Then identify the best defense against that attack. First, choose the machine that is under attack. Then, choose the attack type and the appropriate defense from the drop down menus. (*Pic in phone*)

Correct answer: Proxy server being attacked. If a hacker is able to penetrate the proxy server, they will have access to virtually all of the Internet addressing information, since the proxy server is situated between the browser and the web server. As you can see, the admin username is a bad idea, and the password is short and

The specification for the behavior of ports providing remote access using SNMP is controlled by which IEEE specification? A. 802.5X B. 802.31X C. 802.2X D. 802.1X

D. 802.1X IEEE 802.1X is an IEEE Standard for Port-based Network Access Control and is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.

Many Trojan horse viruses use the tactics of social engineering to induce the victims into opening and executing the payload. Which method listed below would reduce the threat of Trojan horse propagation while still allowing users to perform the functions of the job? A. Prohibiting all email attachments. B. Blocking email attachments from outside the company. C. Monitoring all corporate email. D. A clear organizational policy regarding email attachments.

D. A clear organizational policy regarding email attachments. To prevent successful social engineering attacks security policies must be implemented and enforced. All employees must be informed and trained to recognize and appropriately respond to a potential social engineering attack.

Which LDAP operation will discontinue an operation that is in progress? A. Delete B. Unbind C. Bind D. Abandon E. Close

D. Abandon. Abandon is an LDAP operation that discontinues an operation that is in progress.

Where does this RADIUS client/server architecture store its security information? A. On each client. B. On specific predetermined devices. C. On the RAS. D. In a single, central database

D. In a single, central database. The RADIUS server is usually a background process running on a UNIX or Microsoft Windows server which is responsible for storing remote connection information.

A network includes a ticket-granting server used for authentication. Which authentication service does this network use? A. Shibboleth B. SAML C. LDAP D. Kerberos

D. Kerberos

Your network uses an authentication service based on the X.500 specification. When encrypted, it uses TLS. Which authentication service is your network using? A. SAML B. Diameter C. Kerberos D. LDAP

D. LDAP. LDAP uses X.500-based phrases to identify components, and Secure LDAP can be encrypted with TLS. Security Assertion Markup Language (SAML) is an Extensible Markup Language standard for SSO and is not based on X.500. Diameter is an alternative to RADIUS and is used in some remote access solutions. Kerberos is not X.500 based. (ch2)

Also known as LDAPS, which protocol-enabled connection allows authentication to the Microsoft DC and provides additional services? A. LDAP+ B. XTACACS C. Secure LDAP D. LDAP

D. LDAP. Secure LDAP is essential to maintaining a secure connection with the Microsoft DC. The protocol provides transport of services and applications while allowing secure authentication.

Your written password list should always be kept in which location? A. In an envelope under your keyboard. B. Taped to the bottom of your keyboard. C. On the side of your monitor. D. Locked in a drawer.

D. Locked in a drawer. If a password must be written down it should be kept in a locked drawer or storage locker.

You are the network admin for a business that values employee security. Recently, you have had access control systems installed to secure entry doors to different areas of the facility. First, you would like to integrate those access cards into computer authentication. Before accessing any computer systems, you are going to require users to swipe a card through a keyboard-embedded card reader and then provide a PIN. What is this an example of? A. Bi-factor authentication B. Biometric authentication C. Location-based authentication D. Multifactor authentication

D. Multifactor authentication Multifactor authentication uses more than one item to authenticate a user to a system.

The AAA model is an acronym for which of the choices below? A. The rules for recovering substance abusers. B. An organization that aids travelers. C. The model for a scripted internet attack. D. None of these.

D. None of these. AAA stands for authentication, authorization and accounting. It refers to the security architecture for distributed systems for controlling which users are allowed access to which services, and tracking which resources they have used.

Which of the choices listed would be considered the strongest password? A. PaSsWORd B. Pa5Sw0rd C. Pa$$word D. P^55w#r>

D. P^55w#r> Strong passwords contain a mix of upper and lower case letters, numbers, and symbols.

In a very large network environment Kerberos uses multiple authentication servers. Each of these authentication servers is responsible for a subset of servers and workstations. Which of the following choices best describes these subsets? A. Scopes B. Hierarchy C. Divisions D. Realms

D. Realms. In large organizations Kerberos employs multiple authentication services, each responsible for a subset of users in the network. Each subset of AS and TGS is referred to as a realm.

The LDAP protocol provides the ability to authenticate users once and enable them to access mixed operating systems, different software packages, and other resources that normally would have required multiple authentications. Which acronym below represents that capability? A. X.500 B. ISO C. SAP D. SSO

D. SSO (Google, Facebook, Yahoo). Single sign-on, or SSO, is the ability to authenticate users against a single directory to access a mix of applications and operating systems.

What is the goal of CHAP? A. To send passwords in cleartext. B. To interact with Kerberos. C. To inspect clients for health. D. To allow clients to pass credentials over a public network without attackers intercepting data.

D. To allow clients to pass credentials over a public network without attackers intercepting data. (eb p348)

Which of these listed account types can create a compromise if misconfigured? A. Service account B. Guest account C. Privileged account D. Shared account E. All of these

E. All of these. It should already be obvious that the misconfiguration of ANY account can cause serious security concerns. All of the listed accounts should be monitored closely.

Donna is an executive at her bank and is often called upon at off hours to manage information from home. The company has provided her with a customized laptop to handle this work. She took it with her on vacation to visit relatives out of state. In response to a call from one of the bank branches she finds herself unable to log in. Access denied. Which security factor would you consider the primary reason for the failure? A. Something you have B. Something you know C. Something you are D. Something you do E. Where you are F. All of these are correct

E. Where you are. Most financial institutions employ some form of geolocation on all externally generated transactions. In this case Donna's custom laptop was configured to allow access only from her home or work. The relative's home fell outside those parameters and the connection was subsequently refused.

A newly created account must then be maintained. Which tasks are involved in auditing and maintaining user accounts? A. Recertification B. Permission auditing C. Permission review D. Usage auditing E. Usage review F. All of these

F. All of these. All of the listed tasks are used to audit and maintain accounts.

T/F. TACACS+ is NOT an alternative to RADIUS and is NOT a Cisco proprietary system.

False - It IS an alternative to RADIUS and IS proprietary to Cisco systems.

You and your team are discussing the merits and disadvantages of biometric authentication. When speaking about a disadvantage of biometric systems, you should understand the terms "false positive" and "false negative", and how systems are tuned to account for these errors. Match the terms used to describe these: Crossover error rate (CER), False acceptance rate (FAR), False reject rate (FRR) / False positive, False negative, Equal balance of positive and negative.

False acceptance rate (FAR) - False positive. False reject rate (FRR) - False negative. Crossover error rate (CER) - Equal balance of positive and negative.

Fill in the blanks for the provided LDAP string: LDAP://____=Homer,____=Users,____=GetCertifiedGetAhead,____=com

In order: CN, CN, DC, DC ebook p193/book p112

LDAP

Lightweight Directory Access Protocol - used to communicate with directories such as Microsoft Active Directory or Unix. It identifies objects with query strings using codes such as CN=Users and DC=GetCertifiedGetAhead

LDAPS

Lightweight Directory Access Protocol Secure. Encrypts LDAP traffic with TLS.

When considering the access control features of different access control models, choose which of the listed models is the most flexible and which is the least restrictive. Models: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Attribute-Based Access Control (ABAC). Ranks: Most restrictive model, Most flexible model, Least restrictive model.

Mandatory Access Control (MAC) = Most restrictive model. Attribute-Based Access Control (ABAC) = Most flexible model. Discretionary Access Control (DAC) = Least restrictive model.

What is NTLM (New Technology LAN Manager), and what does it use to challenge users and check their credentials?

NTLM (New Technology LAN Manager) - a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems. They use a Message Digest hashing algorithm to challenge users. (eb p192/p111)

What are the 3 versions of NTLM?

NTLM - a simple MD4 hash of the user's password. NTLMv2 - a challenge-response authentication protocol that creates an HMAC-MD5 hash. NTLM2 Session - adds mutual authentication.

Which NTLM protocol should you use?

None (eb p192/p111)

Select the most secure strong password of the alternatives provided. (Choose 1 pic-in-phone)

P@55w0rD&

PAP (Password Authentication Protocol)

Password Authentication Protocol - an older authentication protocol where passwords or PINs are sent across the network in cleartext. Compare with CHAP and MS-CHAPv2 (eb p857)

What do Kerberos and LDAP both include?

SSO

What is SSO?

Single Sign On. Login once to access multiple systems.

Describe the authentication method for each authentication factor listed below. Something you know Something you are Something you do Multifactor authentication Something you have Something you are

Something you are - Login from home Something you do - Tap screen twice the nonce Something you are - Voice recognition Something you have - Security badge

What authentication factor would the authentication method: RETINAL SCAN be under?

Something you are.

What authentication factor would the authentication method: 'USERNAME and PASSWORD' be under?

Something you know

Match appropriate authentication factor for the authentication methods listed below. -Username and password. -Tap screen in predetermined pattern. -Smart card and facial recognition and PIN. -Access network with tablet in cafeteria.

Something you know - Username and password. Something you do-Tap screen in predetermined pattern. Multifactor authentication-Smart card and facial recognition and PIN. Somewhere you are-Access network with tablet in cafeteria

T/F - MD4 has been cracked and neither NTLM nor MD4 are recommended.

T - (eb p192/p111)

What does Kerberos interact with in order for this proprietary Cisco system to work with a broad range of systems?

TACACS+

What is TACACS+ ?

TACACS+ (Terminal Access Controller Access-Control System Plus) - an authentication service that provides central authentication for remote access clients. It can be used as an alternative to RADIUS.

LDAP TCP port?

TCP Port 389

The Microsoft Group Policy setting for password complexity is "Password must meet complexity requirements". The policy states that when the setting is enabled, the user password must contain: English uppercase characters (A through Z), English lowercase characters (a through z), digits (0 through 9), and non-alphabetic characters (!, $, #, %). According to the policy, passwords must contain characters from how many of these different groups? A. Four B. Three C. Two D. One

B. Three. The password complexity policy requires characters from three of the following four categories: English uppercase characters (A through Z), English lowercase characters (a through z), digits (0 through 9), and non-alphabetic characters (!, $, #, %).

T/F - While a RADIUS server has a database of users and passwords, it is common for it to pass the credentials on to another server to validate them such as LDAP.

True (eb p340/text p208) - an example is how a VPN server works with RADIUS, which in turn uses LDAP to authenticate user credentials.

T/F - Kerberos is sometimes referred to as an AAA protocol.

True (eb p351)

What UDP port does Kerberos use?

UDP port 88

What solution helps mitigate PASS THE HASH attacks, given that Microsoft LM and NTLM are not recommended?

Use NTLMv2 or Kerberos (eb p501/p311)

Indicate the most secure strong passwords among the alternatives provided. (Choose two. pic-in-phone)

1@2B3c4D and !A2b3Cd4. Number sequences such as 123456 are among the most used passwords. To fix that, companies have taken the precaution of requiring alternate keyboard characters, numbers, and a mix of capitalized and non-capitalized letters. 1@2B3c4D and !A2b3Cd4 are the most secure of the options provided because they include all the character types required of a strong password (capital and lowercase letters, numbers, and special characters) and they satisfy the minimum length, which is eight characters. It is not recommended that any number sequence or birthdate be used in practice, nor any word straight out of the dictionary.

How many minutes does Kerberos require for all systems to be synchronized?

5 minutes

What is Kerberos?

A network authentication protocol within a Microsoft Windows Active Directory domain or a Unix realm.

Which network authentication protocol performs authentication of a user to a network entity? A. PAP B. CHAP C. HOTP D. SSO

B. CHAP (Challenge Handshake Authentication Protocol). CHAP is an authentication mechanism in which the server sends a challenge to the client that requires a response based on the password. MS-CHAPv2 is an improvement over CHAP and uses mutual authentication. (p214)

In terms of security access control, which provides the stronger security level? A. Implicit deny B. Explicit deny C. Deny-all clause D. Time-of-day restriction

B. Explicit deny. Discretionary Access Control (DAC) models that use *explicit deny* have stronger security because access is denied to all users by default and permissions must be explicitly granted to approved users. *Implicit deny* in access control means that if a condition is not explicitly met, the request for access is rejected. For example, a network router may have a rule-based access control restriction; if no conditions match the rules, the router rejects access because of an implicit deny-all clause: any action that is not explicitly permitted is denied. When creating access control restrictions, it is *recommended that unless the condition is specifically met, access should be denied.* *Time-of-day restrictions* can be used to limit when a user can log in to a system or access resources. Although this provides very high security during the excluded times, the question says nothing about what type of access control is applied *when* the user does have access, and therefore time-of-day restrictions have to be discarded as a viable answer.

Which of the following are considered AAA protocols because they provide all three services? A. NTLM, Kerberos, LDAP B. X.500, Transitive Trust, Biometrics, SSO C. CHAP, MS-CHAP, Server-based Authentication D. RADIUS, TACACS+, and Diameter

D. RADIUS, TACACS+, and Diameter (eb p351/p216)
