MIS379 Exam Two


Terminal Access Controller Access Control System (TACACS)

Used mostly for device administration. All data packets encrypted, flexible, reliable.

NTLM

Revised LM, uses unicode for better complexity

domain validation (DV), extended validation, subject alternative name, wildcard

SSL Web Server Certificates

Mandatory Access Control (MAC)

Admin sets security controls. End user can't change (implement, modify, or transfer) controls

Explain public key infrastructure (PKI)

3rd party (registration authority) verifies identity of a person and instructs the certificate authority to issue a digital certificate which also contains that person's public key. Certificate can then be used to prove identity and enable secure transactions

Privilege Bracketing

A company tells the IT department user access needs to be changed so privileges are only granted when needed, then revoked as soon as the task is finished or the need has passed. Based on Account Management practices, what is the company asking the IT department to implement? A. Onboarding B. Identity and Access Management (IAM) C. Offboarding D. Privilege bracketing

Permission Auditing

A network administrator regularly reviews group membership and access control lists for each resource. They also look for unnecessary accounts to disable. What is the administrator executing in this situation? A. Recertification B. Logging C. Permission auditing D. Usage auditing

%SystemRoot%\System32\Drivers\etc\hosts

A primary target for a hacker gaining access to a network is user passwords. Consider the file locations where Windows and Linux each store passwords and determine which of the following is NOT used for password storage. A. %SystemRoot%\System32\config\SAM B. /etc/passwd C. %SystemRoot%\System32\Drivers\etc\hosts D. /etc/shadow

Lightweight Directory Access Protocol (LDAP)

A protocol for a client application to access an X.500 directory.

The system's time setting is incorrect or the certificate has expired

A user enters the web address of a favorite site and the browser returns: "There is a problem with this website's security certificate." The user visits this website frequently and has never had a problem before. What could be the reasoning for this?

Password Recovery

Admin pass reset, pass recovery disks, active directory restore mode password, password recovery via web

Role-Based Access Control (RBAC)

Access decisions are based on the roles of individual users as part of an organization

Guest Zone

Allows untrusted or semi-trusted hosts on local network

Kerberos Authentication

An authentication protocol used in a Windows domain environment or on a Linux system; uses OS-generated keys, which makes this protocol more secure than having an administrator enter keys.

Honeynet

An entire dummy network used to lure attackers.

Pass the Hash Attack

An exploit in which an attacker steals a hashed user credential and, without cracking it, reuses it to trick an authentication system into creating a new authenticated session on the same network.

- Intrusion detection are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network.
- Wireless monitoring can reveal whether there are unauthorized access points.

Analyze the techniques that are available to perform rogue machine detection and select the accurate statements. (Select two) A. Visual inspection of ports and switches will prevent rogue devices from accessing the network. B. Network mapping is an easy way to reveal the use of unauthorized protocols on the network or unusual traffic volume. C. Intrusion detection are security suites and appliances that combine automated network scanning with defense and remediation suites to prevent rogue devices from accessing the network. D. Wireless monitoring can reveal whether there are unauthorized access points.

An account consists of an identifier, credentials, and a profile.

Apply knowledge of identity and authentication concepts to select the true statement. A. A user profile must be unique. B. Credentials could include name, contact details, and group memberships. C. An identifier could be a username and password, or smart card and PIN code. D. An account consists of an identifier, credentials, and a profile.

The user is exposed to a DoS attack

Applying an understanding of how to mitigate password cracking attacks, how would restricting the number of failed logon attempts be categorized as a vulnerability? A. The user is exposed to a replay attack. B. The user is exposed to a brute force attack. C. The user is exposed to a DoS attack. D. The user is exposed to an offline attack.

Problems from weaknesses in network design

Single points of failure, complex overdependencies, availability over confidentiality or integrity, lack of documentation / change control, overdependence on perimeter security

Tokens can be allowed to continue without expiring in HOTP.

Based on knowledge of the fundamentals of One-time Passwords (OTP), which of the following choices represents the problem that exists with HMAC-based One-time Password Algorithm (HOTP) and is addressed by Time-based One-time Password Algorithm (TOTP)? A. HOTP isn't configured with a shared secret. B. The server isn't configured with a counter in HOTP. C. Only the HOTP server computes the hash. D. Tokens can be allowed to continue without expiring in HOTP.

Iris Scan

Biometric authentication methods have different error rates, with some methods being easier to fool than others. Which of the following methods is least likely to be tricked by an unauthorized user? A. Fingerprint scan B. Iris scan C. Facial recognition D. Voice recognition

TACACS+ is open source and RADIUS is a proprietary protocol from Cisco.

Both RADIUS (Remote Access Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System) provide authentication, authorization, and accounting using a separate server (the AAA server). Apply an understanding of the protocols' authentication processes and select the FALSE statement. A. TACACS+ is open source and RADIUS is a proprietary protocol from Cisco. B. RADIUS uses UDP and TACACS+ uses TCP. C. TACACS+ encrypts the whole packet (except the header) and RADIUS only encrypts the password. D. RADIUS is primarily used for network access and TACACS+ is primarily used for device administration.

Password Cracker Attack Types

Brute force, dictionary attack / rainbow tables, hybrid attack

Password Crackers

Cain and Abel, John the Ripper, THC Hydra, Aircrack, l0phtcrack

Pretty Good Privacy (PGP)

Commercial encryption product owned by Symantec

All of the above

Compare X.509 certificates with Pretty Good Privacy (PGP) certificates and identify which of the following are true. A. X.509 certificates are signed by a single Certificate Authority, where PGPs are signed by multiple users. B. X.509 operates under a hierarchical trust model, where PGP uses a web of trust. C. X.509 and PGP are both implementations of the PKI Trust Model. D. All of the above

Kerberos uses timestamps and PKI does not.

Compare and contrast methods used by Kerberos and Private Key Infrastructure (PKI) to authenticate users and identify the true statement. A. Kerberos uses asymmetric cryptography while PKI uses symmetric cryptography. B. Kerberos and PKI both use passwords to authenticate users. C. Kerberos uses timestamps and PKI does not. D. Kerberos and PKI both provide Single Sign-On (SSO).

Password Authentication Protocol (PAP)

Completely insecure

Credential Management Policies

Complexity rules, user (bad) practice, history and aging

Offline CA

Consider the Public Key Infrastructure (PKI) Trust Model. Are the following roots the single point of failure? A. Single CA B. Intermediate CA C. Self-signed CA D. Offline CA

Non-repudiation

Consider the challenges with providing privilege management and authorization on an enterprise network. Which of the following would the network system administrator NOT be concerned with when configuring directory services? A. Confidentiality B. Integrity C. Non-repudiation D. DoS

Verification

Consider the lifecycle of an encryption key. Which of the following is NOT a stage in a key's lifecycle? A. Storage B. Verification C. Expiration and renewal D. Revocation

Yes

Consider the process of obtaining a digital certificate. Are the following true? A. CAs ensure the validity of certificates and the identity of those applying for them. B. The registration function may be delegated by the CA to one or more RAs. C. When a subject wants to obtain a certificate, it completes a CSR.

SAML, Shibboleth, OpenID

Consider the role trust plays in federated identity management and determine which models rely on networks to establish trust relationships. (Choose three) A. SAML B. Shibboleth C. OpenID D. LDAP

802.1X provides PNAC, The authentication server is typically a RADIUS server

Determine which of the following statements about 802.1X are true. (Select two) A. The device requesting access is the authenticator under 802.1X. B. 802.1X provides PNAC. C. The authentication server is typically a RADIUS server. D. In port-based authentication, the port acts as a firewall.

Rule-Based Access Control

Determines what accesses should be granted based on a list of predefined rules

The purpose for which a certificate was issued.

Define key usage with regard to standard extensions.

True

Digital Certificates contain subject's public key and information identifying subject and validity (T/F)

Not all hosts on the network can talk to one another.

Evaluate the following choices based on their potential to lead to a network breach. Select the choice that is NOT a network architecture weakness. A. The network architecture is flat. B. Services rely on the availability of several different systems. C. The network relies on a single hardware server. D. Not all hosts on the network can talk to one another.

ARP operates at layer 2, Mutual authentication is not prevalent at layer 2

Evaluate the following statements and determine which explains why layer 2 is vulnerable to Man-in-the-Middle (MitM) attacks. (Select two) A. ARP operates at layer 2 B. DNS operates at layer 2 C. Mutual authentication is not prevalent at layer 2 D. Firewalls are not secure at layer 2

Digital Certificates

Establish association with subject identity and public key, once identity is verified and certificate is created, the CA digitally signs it with the private key

A user logs in using a password and a smart card

Give an example of Two-Factor Authentication (2FA).

STP

Given layer 2 does not recognize Time to Live, evaluate the potential possible problems to determine which of the following options prevents this issue. A. ICMP B. L2TP C. NTP D. STP

Purpose of a server certificate

Guarantee the identity of e-commerce sites and other websites that gather and store confidential information.

One-Time Password Tokens

Hardware token: code generated on fob, not transmitted. Software token: 2-step verification, sent to trusted resource.

Authentication, Authorization, and Accounting (AAA) Architecture

Host credentials of access devices (network access devices bad place to store credentials)

172.20.26.1

If a company's IP address is in the Class B private range, which of the following IP addresses can be utilized? A. 172.20.26.1 B. 192.168.0.1 C. 10.10.1.0 D. 172.16.256.1

- It is exponentially more difficult to ensure the key is not compromised with multiple backups of a private key.
- If a private key or secret key is not backed up, the storage system represents a single point of failure.

If not managed properly, are the following true of how certificate and key management represent critical vulnerabilities?

Pros of Encryption

Keeps data safe / prevents data breaches; assists in confidentiality, availability, and integrity; secures personal data across many devices (and through transfer)

Key Generation, certificate generation, storage, revocation, expiration / renewal

Key life-cycle

Cons of Encryption

Lose keys, lose data associated with that key; expensive to maintain and upkeep systems; performance penalties for retrieving data

Network zone

Manage / filter traffic between zones, containers for hosts with the same security requirements

Federation

Many Internet companies, such as Google and Facebook, allow users to share a single set of credentials between multiple service providers. For example, a user could log on to Amazon using their Facebook credentials. Which term correctly defines this example? A. Federation B. Single sign-on C. Permission D. Access control

DAC

Many access control models are rule-based. Consider how each of the following models determines how users receive rights and determine which model is NOT rule-based. A. RBAC B. DAC C. MAC D. ABAC

Asymmetric encryption

More complex, newer, uses public and private keys

Core, Permission, Access

Network topology design has a hierarchy. Reflect on Physical and Data layers of the OSI model implementation and select the layers Cisco recommends for campus design. (Choose three) A. Core B. Permission C. Access D. Distribution

Federation

Networks under separate administrative control share users (Facebook/Google Sign-In)

Outline and explain requirements of good password policy

No personally identifying information, no shorter than 16 characters MINIMUM, complexity in passwords (numbers, letters, upper/lower, special chars), unique passwords across accounts, do not share or write them down, change frequently, use password manager

Challenge Handshake Authentication Protocol (CHAP)

One-way authentication. However, performed through a 3-way, local handshake (challenge, response, and acceptance messages) between a server and a client.

OpenPGP

Open source version of PGP (GNU Privacy Guard (GPG))

Key Recovery

Process allows for lost keys to be recovered

Key stretching

Protects against brute force, uses additional rounds to strengthen keys

Escrow

Placing archived keys with a trusted third party

Certificate life-cycle

Registration and generation, certificate signing request, renewal, revocation, suspension, key destruction

Explain certificate life-cycle

- Registration/generation - creation of public/private keys
- Certificate signing request
- Renewal - owner can request renewal, then granted with new public/private keys
- Revocation - cert can be revoked at any time
- Suspension - temporary suspension of certificate
- Key destruction - once lifetime of cert is up, all copies of cert must be destroyed from all locations

Mutual authentication

Server authenticates to client before client authenticates to server

Key uses

Server authentication, client authentication, code signing, email protection

Symmetric Encryption

Simplest, older, uses one key to encrypt and decrypt; both parties need to know the key

List five different factors that can be used to establish identity and give an example of each

Something you are, something you have, something you do, something you know, somewhere you are

Authentication

Something you know (password), something you have (smart card - NFC), something you are (fingerprint), something you do (signature), somewhere you are (mobile device w/ gps)

Multi-factor authentication

Strong authentication requires two or three types (not two of the same kind)

Public Key Infrastructure (PKI)

System for creating public and private keys using a certificate authority (CA) and digital certificates for authentication.

True

T/F: Hardware security modules (HSM) may be less susceptible to tampering and insider threats than software-based storage.

Biometric Technologies

Terrible. Fingerprint, retinal/iris, facial recognition, behavioral technologies.

Extensions, public key, version

The X.509 standard defines the fields (information) that must be present in a digital certificate. What are the required fields?

Attribute-Based Access Control (ABAC)

The organization specifies the use of objects based on some attribute of the user or system.

Discretionary Access Control (DAC)

The subject has total control over any object that the subject owns along with the programs that are associated with those objects

Screened Host

There are several types of security zones on a network. Analyze network activities to determine which of the following does NOT represent a security zone. A. Honeypot B. Screened host C. Wireless D. Guest

Hierarchal, peer-to-peer, hybrid

Trust models

Private, extranet, internet/guest

Types of network zones

Lan Manager (LM) authentication

Uses password as key rather than sending it over network

Authorization, accounting, identification, authentication

What are some of the main processes for an identity and account management (IAM) system?

A user's keyboard typing behavior is analyzed

What illustrates a user being authenticated, based on how identification and authentication are distinct in their functions?

DMZ

Where should an administrator place an internet-facing host on the network? A. DMZ B. Bastion host C. Extranet D. Private network

- Implement the principle of least privilege when assigning user and group account access.
- Draft a password policy and include requirements to ensure passwords are resistant to cracking attempts.

Which of the following are considered best practices for Account Management? (Choose two) A. Implement the principle of least privilege when assigning user and group account access. B. Draft a password policy and include requirements to ensure passwords are resistant to cracking attempts. C. Identify group or role account types and how they will be allocated to users. D. Identify user account types to implement within the model, such as standard users and types of privileged users.

Hub

Which of the following devices contain all of the ports in the same collision domain? A. Switch B. Bridge C. Hub D. Ad hoc network

Manually configured routers use routing protocols.

Which of the following is NOT the function of a router? A. Routers can serve as a firewall. B. Routers can join networks together. C. Routers can subdivide networks. D. Manually configured routers use routing protocols.

Brute Force, Dictionary

Which of the following password cracker attacks are combined to create a hybrid attack? (Select two) A. Brute force B. Dictionary C. Rainbow table D. PTH

The local service account creates the host processes and starts Windows before the user logs on.

Windows has several service account types, typically used to run processes and background services. Which of the following statements about service accounts is FALSE? A. The Network service account and the Local service account have the same privileges as the standard user account. B. Any process created using the system account will have full privileges over the local computer. C. The local service account creates the host processes and starts Windows before the user logs on. D. The Local Service account can only access network resources as an anonymous user.

Digital Certificate Standards

X.509 and PKCS are standards for what?

ARP poisoning

An attack that convinces the network that the attacker's MAC address is the one associated with an allowed address so that traffic is wrongly sent to the attacker's machine
