Network Info. Security Ch.2 – Flashcards

question
Which form of access control enforces security based on user identities and allows individual users to define access controls over owned resources?
answer
DAC (Discretionary Access Control)
question
Which type of access control focuses on assigning privileges based on security clearance and data sensitivity?
answer
MAC (Mandatory Access Control)
question
You have implemented an access control method that allows only users who are managers to access specific data. Which type of access control model is used?
answer
RBAC (Role-Based Access Control)
question
The term for the process of validating a subject's identity?
answer
Authentication
question
A remote access user needs to gain access to resources on the server. Which of the processes are performed by the remote access server to control access to resources?
answer
Authentication and authorization
question
What defines an object, as used in access control?
answer
Data, applications, systems, networks, and physical space
question
Which access control model manages rights and permissions based on job descriptions and responsibilities?
answer
RBAC (Role-Based Access Control)
question
Which is the star property of Bell-LaPadula?
answer
No write down
question
The Clark-Wilson model is primarily based on?
answer
Controlled intermediary access applications
question
The Brewer-Nash model is designed primarily to prevent?
answer
Conflicts of interest
question
Discretionary Access Control (DAC) manages access to resources using what primary element or aspect?
answer
Identity
question
What form of access control is based on job descriptions?
answer
Role-Based Access Control (RBAC)
question
Authentication method that uses tickets to provide single sign-on?
answer
Kerberos
question
The strongest form of multi-factor authentication?
answer
A password, a biometric scan, and a token device
question
What advantages can Single Sign-On (SSO) provide?
answer
Access to all authorized resources with a single instance of authentication AND the elimination of multiple user accounts and passwords for an individual
question
An example of two-factor authentication?
answer
A token device and a PIN
question
An example of three-factor authentication?
answer
Token device, keystroke analysis, and cognitive question
question
Examples of Type II authentication credentials?
answer
Smart card AND Photo ID
question
What term is used to describe an event in which a person is denied access to a system when they should be allowed to enter?
answer
False negative
question
A hardware device that contains identification information and can be used to control building access or computer logon?
answer
Smart card
question
Something you know
answer
PIN, Password, and Username
question
Something you have
answer
Smart card and Hardware token
question
Something you are
answer
Retina scan, Fingerprint scan, and Voice recognition
question
Something you do
answer
Typing behaviors
question
Somewhere you are
answer
Wi-Fi triangulation
question
Define the crossover rate for evaluating biometric systems?
answer
The point where the number of false positives matches the number of false negatives in a biometric system
question
Examples of single sign-on authentication solutions?
answer
Kerberos and SESAME
question
What is stronger than any biometric authentication factor?
answer
A two-factor authentication
question
A device which is synchronized to an authentication server uses which type of authentication?
answer
Synchronous token
question
The mathematical algorithm used by HMAC-based One-Time Passwords (HOTP) relies on two types of information to generate a new password based on the previously generated password. Which information is used to generate the new password?
answer
Shared secret and Counter
question
The mathematical algorithm used to generate Time-based One-Time Passwords (TOTP) uses a shared secret and a counter to generate unique, one-time passwords. Which event causes the counter to increment when creating TOTP passwords?
answer
The passage of time
question
What information is typically NOT included in an access token?
answer
User account password
question
Marcus White has just been promoted to a manager. To give him access to the files that he needs, you make his user account a member of the Managers group which has access to a special shared folder. Later that afternoon, Marcus tells you that he is still unable to access the files reserved for the Managers group. What should you do?
answer
Have Marcus log off and log back on
question
What term describes the component that is generated following authentication and which is used to gain access to resources following logon?
answer
Access token
question
Which security mechanism uses a unique list for each object embedded directly in the object itself that defines which subjects have access to certain objects and the level or type of access allowed?
answer
User ACL (Access Control List)
question
Which type of media preparation is sufficient for media that will be reused in a different security context within your organization?
answer
Sanitization
question
An example of privilege escalation?
answer
Creeping privileges
question
What security principle prevents any one administrator from having sufficient access to compromise the security of the overall IT solution?
answer
Separation of duties
question
By assigning access permissions so that users can only access those resources which are required to accomplish their specific work tasks, you would be in compliance with?
answer
Principle of least privilege
question
An access control list (ACL) contains a list of users and allowed permissions. What is it called if the ACL automatically prevents access to anyone NOT on the list?
answer
Implicit deny
question
You want to make sure that any reimbursement checks issued by your company cannot be issued by a single person. Which principle should you implement to accomplish this goal?
answer
Separation of duties
question
You are concerned that the accountant in your organization might have the chance to modify the books and steal from the company. You want to periodically have another person take over all accounting responsibilities to catch any irregularities. What solution should you implement?
answer
Job rotation
question
You want to implement an access control list where only the users you specifically authorize have access to the resource. Anyone not on the list should be prevented from having access. Which of the following will the access list use?
answer
Explicit allow, Implicit deny
question
What principle is implemented in a mandatory access control model to determine access to an object using classification levels?
answer
Need to know
question
What is the primary purpose of separation of duties?
answer
Prevent conflicts of interest
question
Separation of duties is an example of which type of access control?
answer
Preventive
question
Need to know is required to access which types of resources?
answer
Compartmentalized resources
question
An example of a decentralized privilege management solution?
answer
Workgroup
question
What holds a copy of the Active Directory database?
answer
Domain Controller
question
What manages access for a workstation?
answer
Computer object
question
What manages access for an employee?
answer
User Object
question
What can be created to logically organize network resources?
answer
Organizational Unit
question
What cannot be moved, renamed, or deleted?
answer
Generic Container
question
Defines a collection of network resources that share a common directory database?
answer
Domain
question
What should be done to a user account if the user goes on an extended vacation?
answer
Disable the account
question
You are the network administrator in a small nonprofit organization. Currently, an employee named Craig Jenkins handles all help desk calls for the organization. In recent months, the volume of help desk calls has exceeded what Craig can manage alone, so an additional help desk employee has been hired to carry some of the load. Currently, permissions to network resources are assigned directly to Craig's user object. Because the new employee needs exactly the same level of access, you decide to simply copy Craig's Active Directory domain user object and rename it with the new employee's name. Will this strategy work?
answer
No, permissions are not copied when a user account is copied
question
One of your users, Karen Scott, has recently married and is now Karen Jones. She has requested that her username be changed from kscott to kjones, but no other values change. Which of the following commands will accomplish this?
answer
usermod -l kjones kscott
question
You have performed an audit and have found active accounts for employees who no longer work for the company. You want to disable those accounts. What command example will disable a user account?
answer
usermod -L joer
question
A user with an account name of larry has just been terminated from the company. There is good reason to believe that the user will attempt to access and damage the files in the system in the very near future. Which command below will disable or remove the user account from the system and remove his home directory?
answer
userdel -r larry
question
In the /etc/shadow file, which character in the password field indicates that a standard user account is locked?
answer
! OR !!
question
Which utilities would you typically use to lock a user account?
answer
passwd AND usermod
question
You suspect that the gshant user account is locked. Which command will show the status of the user account?
answer
passwd -S gshant
question
An employee named Bob Smith, with a user name of bsmith, has left the company. You have been instructed by your supervisor to delete his user account along with his home directory. Which commands would produce the required outcome?
answer
userdel -r bsmith OR userdel bsmith;rm -rf /home/bsmith
question
You are the administrator for a small company. You need to add a new group of users, named sales, to the system. Which command will accomplish this?
answer
groupadd sales
question
Due to merger with another company, standardization is now being imposed throughout the company. As a result of this, the sales group must be renamed marketing. Which of the following commands will accomplish this?
answer
groupmod -n marketing sales
question
You have a group named temp_sales on your system. The group is no longer needed, and you should remove the group. Which of the following commands should you use?
answer
groupdel temp_sales
question
What is the effect of the following command? chage -M 60 -W 10 jsmith
answer
Sets the password for jsmith to expire after 60 days and gives a warning 10 days before it expires
question
What chage command should you use to set the password for jsmith to expire after 60 days and give a warning 10 days before it expires?
answer
chage -M 60 -W 10 jsmith
question
Which chage option keeps a user from changing password every two weeks?
answer
-m 33
question
Which file should you edit to limit the amount of concurrent logins for a specific user?
answer
/etc/security/limits.conf
question
Within the /etc/security/limits.conf file, you notice the following entry: @guests hard maxlogins 3 What effect does the line have on the Linux system?
answer
Limits the number of max logins from the guest group to three
question
You want to ensure that all users in the Development OU have a common set of network communication security settings applied. What should you do?
answer
Create a GPO computer policy for the computers in the Development OU
question
Computer policies include a special category called user rights. Which action do they allow an administrator to perform?
answer
Identify users who can perform maintenance tasks on computers in an OU
question
Regarding application of GPO settings?
answer
If a setting is defined in the Local Group Policy on the computer and not defined in the GPO linked to the OU, the setting will be applied
question
What is the single best rule to enforce when designing complex passwords?
answer
Longer passwords
question
For users on your network, you want to automatically lock their user accounts if four incorrect passwords are used within 10 minutes. What should you do?
answer
Configure account lockout policies in Group Policy
question
You want to make sure that all users have passwords over 8 characters and that passwords must be changed every 30 days. What should you do?
answer
Configure account policies in Group Policy
question
You have hired 10 new temporary workers who will be with the company for 3 months. You want to make sure that these users can only log on during regular business hours. What should you do?
answer
Configure day/time restrictions in the user accounts
question
You are configuring the local security policy of a Windows 7 system. You want to prevent users from reusing old passwords. You also want to force them to use a new password for at least 5 days before changing it again. Which policies should you configure?
answer
Enforce password history AND Minimum password age
question
You are configuring the local security policy of a Windows 7 system. You want to require users to create passwords that are at least 10 characters long. You also want to prevent logon after three unsuccessful logon attempts. Which policies should you configure?
answer
Minimum password length AND Account lockout threshold
question
You have just configured the password policy and set the minimum password age to 10. What will be the effect of this configuration?
answer
Users cannot change the password for 10 days
question
You have implemented account lockout with a clipping level of 4. What will be the effect of this setting?
answer
The account will be locked after 4 incorrect attempts
question
You are teaching new users about security and passwords. Which example would be the most secure password?
answer
The one with a variety of uppercase and lowercase letters, numbers, and other symbols
question
Upon running a security audit in your organization, you discover that several sales employees are using the same domain user account to log in and update the company's customer database. Which action should you take?
answer
Delete the account that the sales employees are currently using AND Train sales employees to use their own user account to update the customer database
question
You define a password and account lockout policy for a domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. What should you do?
answer
Implement a granular password policy for the users in the Directors OU
question
Organizational Units (OU's) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You would like to define a granular password policy for these users. Which tool should you use?
answer
ADSI Edit
question
Organizational Units (OU's) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You need to make the change as easily as possible. What should you do?
answer
Create a granular password policy. Apply the policy to all users in the Directors OU
question
Organizational Units (OU's) have been created for each company department. User and computer accounts have been moved into their corresponding OUs. You define a password and account lockout policy for the domain. However, members of the Directors OU want to enforce longer passwords than are required for the rest of the users. You define a new granular password policy with the required settings. All users in the Directors OU are currently members of the DirectorsGG group, a global security group in that OU. You apply the new password policy to that group. Matt Barnes is the chief financial officer. He would like his account to have even more strict password policies than is required for other members in the Directors OU. What should you do?
answer
Create a granular password policy for Matt. Apply the new policy directly to Matt's user account
question
An example of a Software Attack on a smart card?
answer
Exploiting vulnerabilities in the card's protocols or encryption methods
question
An example of an Eavesdropping smart card attack?
answer
Capturing transmission data produced by the card as it is used
question
An example of a Fault Generation smart card attack?
answer
Deliberately inducing malfunctions in the card
question
An example of Microprobing smart card attack?
answer
Accessing the chip surfaces directly to observe, manipulate, and interfere with the circuit
question
What are the methods for providing centralized authentication, authorization, and accounting for remote access?
answer
TACACS+ and RADIUS
question
You have decided to implement a remote access solution that uses multiple remote access servers. You want to implement RADIUS to centralize remote access authentication and authorization. What would be a required part of your configuration?
answer
Configure the remote access servers as RADIUS clients
question
What are some characteristics of TACACS+?
answer
Uses TCP and Allows for a possibility of three different servers, one each for authentication, authorization, and accounting
question
What are the differences between RADIUS and TACACS+?
answer
RADIUS combines authentication and authorization into a single function; TACACS+ allows these services to be split between different servers
question
Which protocols can be used to centralize remote access authentication?
answer
TACACS
question
RADIUS is primarily used for what purpose?
answer
Authenticating remote clients before access to the network is granted
question
What is a characteristic of TACACS+?
answer
Encrypts the entire packet, not just authentication packets
question
What port is used with TACACS?
answer
49
question
What does a remote access server use for authorization?
answer
Remote access policies
question
What is a good example of remote access authentication?
answer
A user establishes a dialup connection to a server to gain access to shared resources
question
What is a feature of MS-CHAP v2 that is not included in CHAP?
answer
Mutual authentication
question
CHAP performs which security functions?
answer
Periodically verifies the identity of a peer using a three-way handshake
question
What authentication protocol transmits passwords in clear text, and is therefore considered too insecure for modern networks?
answer
PAP (Password Authentication Protocol)
question
Which remote access authentication protocol periodically and transparently re-authenticates during a logon session by default?
answer
CHAP
question
Which authentication protocols use a three-way handshake to authenticate users to the network?
answer
MS-CHAP and CHAP
question
When using Kerberos authentication, which term is used to describe the token that verifies the identity of the user to the target system?
answer
Ticket
question
What are some requirements to deploy Kerberos on a network?
answer
A centralized database of users and passwords AND Time synchronization between devices
question
Which ports does LDAP use by default?
answer
636 and 389
question
You want to deploy SSL to protect authentication traffic with your LDAP-based directory service. Which port would this use?
answer
636
question
Your LDAP directory services solution uses simple authentication. What should you always do when using simple authentication?
answer
Use SSL
question
You want to use Kerberos to protect LDAP authentication. Which authentication mode should you choose?
answer
SASL (Simple Authentication and Security Layer)
question
A user has just authenticated using Kerberos. What object is issued to the user immediately following logon?
answer
Ticket granting ticket
question
What protocol uses port 88?
answer
Kerberos
question
Which authentication mechanism is designed to protect a 9-character password from attacks by hashing the first seven characters into a single hash and then hashing the remaining two characters into another, separate hash?
answer
LANMAN
question
What is mutual authentication?
answer
A process by which each party in an online communication verifies the identity of the other party
question
A manager has told you she is concerned about her employees writing their passwords for Web sites, network files, and database resources on sticky notes. Your office runs exclusively in a Windows environment. Which tool could be used to prevent this?
answer
Credential Manager
question
In an Identity Management System, what is the function of the Authoritative Source?
answer
Specify the owner of a data item
question
In an Identity Management System, what is the function of the Identity Vault?
answer
Ensure that each employee has the appropriate level of access in each system
question
Automated Provisioning
answer
Synchronizes user creation across all systems
question
Password Synchronization
answer
Allows users to manage their passwords throughout all systems
question
Identity Vault
answer
Acts as the authoritative source for user credentials for each connected system AND Serves as repository for the identity of each user
question
Entitlement
answer
Defines a permission a user has to access resources in connected systems
question
Automated De-provisioning
answer
Removes a user from all systems and revokes all rights