
SY0-401:5 TS Quiz Access Control and Identity Management

Which statement is true of the Key Distribution Center (KDC) when the Kerberos protocol is being used?
The KDC is only used to store secret keys.
The KDC is used to capture secret keys over the network.
The KDC is used to maintain and distribute public keys for each session.
The KDC is used to store, distribute, and maintain cryptographic session keys.

Answer:
The KDC is used to store, distribute, and maintain cryptographic session keys.

Explanation:
During the use of the Kerberos protocol, the Key Distribution Center (KDC) stores, distributes, and maintains both cryptographic session keys and secret keys. The master key is used to exchange the session keys. The keys are automatically distributed to the communicating client and the server. The KDC also provides the authentication services for the users.

The client requests resource access through the KDC. As a response to the request, the KDC generates a session key that is a combination of the secret keys of the client and the server. The session key is decrypted by both the client and the server to successfully authenticate to each other and to initiate communication.

The KDC cannot be used to capture secret keys over the network. Data capturing is performed by packet sniffer software.

The KDC is responsible for storing secret keys of the users and for generating session keys. Therefore, KDC does not deal with public keys for a user session.

You have recently been hired as the security administrator for a company that recently won a government contract. As part of this contract, the company must implement mandatory access control (MAC) for all governmental data. Under this access control type, which entities would exist as an object? (Choose all that apply.)
a file
a user
a group
a printer
a computer

Answer:
a file
a printer
a computer

Explanation:
Under mandatory access control (MAC), a file, printer, or computer would exist as an object. These are resources that are accessed by groups, users, or processes.

A user or group would exist as a subject. These are entities that access objects.

In a MAC environment, a privilege that is not expressly permitted is forbidden. A clearance is a privilege. If a subject needs access to an object, the administrator is the only person who can determine if access is allowed based on the security policy.

Which password setting is most important to ensure password strength?
password age
password history
password lockout
password complexity

Answer:
password complexity

Explanation:
Password complexity is the most important setting to ensure password strength. Password complexity allows you to configure which characters should be required in a password to reduce the possibility of dictionary or brute force attacks. A typical password complexity policy would force the user to incorporate numbers, letters, and special characters. Both uppercase and lowercase letters can be required. A password that uses a good mix, such as Ba1e$23q, is more secure than a password that only implements parts of these requirements, such as My32birthday, NewYears06, and John$59.

Password age, sometimes referred to as password expiration, allows you to configure the minimum or maximum number of days before a user is required to change the user’s password. It is a good security practice to enforce a password age of 30 to 60 days. Some companies force users to change their passwords monthly or quarterly. This interval should be determined based on how critical the information is and on how frequently passwords are used.

Password history allows you to configure how many new passwords must be created before an old one can be reused. This setting enhances security by allowing the administrators to ensure that old passwords are not being reused continually. Passwords that are used repeatedly are sometimes referred to as rotating passwords.

Password lockout allows you to configure the number of invalid logon attempts that can occur before an account is locked. Usually this password lockout policy also allows you to configure the number of days that the account remains in this state. In some cases, you may want to configure the account lockout policy so that an administrator must be contacted to re-enable the account.

Other password factors that you should consider include:
Password reuse – specifies whether users can reuse old passwords. In most cases, this setting allows you to configure the number of previous passwords that will be retained. In this case, an old password can be reused if it is old enough to no longer be retained. For example, if you must change your password every 30 days and your system is configured to remember the last 6 passwords, then you will be able to reuse a password 6 months after it is no longer used.
Password length – specifies the minimum number of characters that must be included in the user’s password.
The use of strong passwords will help to prevent password cracking, which is the process of cracking the password using a dictionary or brute force attack. A security administrator should periodically test the strength of user passwords. The best method for testing is to copy the user password database to a stand-alone server, and use a password-cracking program against the database.

Which security policy will likely strengthen password security?
requiring users to decrease the length of their passwords from eight characters to six characters
requiring users to omit symbols, such as the $ character and the % character, from their passwords
requiring users to use dictionary words as passwords
requiring users to periodically change their passwords

Answer:
requiring users to periodically change their passwords

Explanation:
Requiring users to periodically change their passwords will likely strengthen password security and limit hackers’ abilities to gain access to a network by guessing user passwords. Password recovery is the feature that allows users to perform a self-service password reset. Shorter passwords are weaker than longer passwords; eight characters is the recommended minimum number of characters in a password.

Dictionary word passwords are the weakest passwords because they are the easiest for hackers to guess. By the same token, passwords that include symbols and numbers are more difficult to guess than passwords that contain only alphabetic characters.

What is the primary objective of privilege management?
to evaluate group memberships
to ensure password management
to ensure proper reporting structure
to ensure control over user permissions and access rights

Answer:
to ensure control over user permissions and access rights

Explanation:
Privilege management is the process of determining the security requirements of users, providing access authorization, monitoring the resources accessed by users, and ensuring that the privileges assigned to users, in the form of permissions and access rights to information resources, correspond to their job requirements.

The primary objective of privilege management is to define the entitlement rights of users to access the organization’s information. The standard practices for effective privilege management are the use of the “need to know” and “least privilege” principles. The need to know principle is based on the premise that users should be provided access to information that they absolutely require to fulfill their job responsibilities. Access to any additional information is denied to users who work under the least privilege principle.

Need to know policies dictate that information should be limited to only those individuals who require it, to minimize unauthorized access to information.

A group membership refers to a set of users sharing common access rights and permissions to accomplish a given task. For example, users performing accounting activities can be grouped into an accounting group.

Password management refers to the standard security practices of generating and maintaining resource passwords. It includes aspects such as complex passwords, non-sharing of passwords, passwords changes at regular intervals, and password transfers in a secure manner.

A clear reporting structure establishes the process of authorization and accountability because each employee needs to get approvals from the concerned supervisor and is accountable to the supervisor for meeting the security objectives of the organization.

Group-based privileges are always easier to manage than user-based privileges. If your organization uses groups, you should add users to the group accounts and assign permissions to the groups. Otherwise you will need to assign permissions to individual users. As the number of users grows, so does the administrative effort needed to manage privileges.

Your company’s network consists of multiple sub-networks, each of which implements its own authentication system. Often users must log in separately to each sub-network to which they want access. You have been asked to implement technology that allows users to freely access all systems to which their account has been granted access after the initial authentication. Which of the following should you implement?
DAC
MAC
smart cards
single sign-on
biometric device

Answer:
single sign-on

Explanation:
Single sign-on allows users to freely access all systems to which their account has been granted access after the initial authentication. The single sign-on process addresses the issue of multiple user names and passwords. It is based on granting users access to all the systems, applications, and resources they need when they start a computer session. This is considered both an advantage and a disadvantage. It is an advantage because the user only has to log in once and does not have to constantly re-authenticate when accessing other systems. Multiple directories can be browsed using single sign-on. It is a disadvantage because the maximum authorized access is possible if a user account and its password are compromised. All the systems that are enrolled in the single sign-on (SSO) system are referred to as a federation. In most cases, transitive trusts are configured between the systems for authentication. Systems that can be integrated into an SSO solution include Kerberos, LDAP, smart cards, Active Directory, and SAML.

Discretionary access control (DAC) and mandatory access control (MAC) are access control models that help companies design their access control structure. They provide no authentication mechanism by themselves.

Smart cards are authentication devices that can provide increased security by requiring insertion of a valid smart card to log on to the system. They do not determine the level of access allowed to a system. Most smart cards have expiration dates. If a user was reissued a smart card after the previous smart card had expired and the user is able to log into the domain but is now unable to send digitally signed or encrypted email, you should publish the new certificates to the global address list.

A biometric device can provide increased security by requiring verification of a personal asset, such as a fingerprint, for authentication. They do not determine the level of access allowed to a system.

Single sign-on was created to dispose of the need to maintain multiple user accounts and passwords to access multiple systems. With single sign-on, a user is given an account and password that logs on to the system and grants the user access to all systems to which the user’s account has been granted. User accounts and passwords are stored on each individual server in a decentralized privilege management environment.

You are investigating the authentication protocols used on your network. You discover that several authentication protocols are being used on your network.

Which authentication protocol is the oldest?
Kerberos
NTLMv1
NTLMv2
LANMan


Answer:
LANMan

Explanation:
LAN Manager (LANMan) is the oldest authentication protocol listed. LANMan uses a hash and two Digital Encryption Standard (DES) keys. LANMan is seen as non-secure based on its ability to only store seven uppercase characters of data, making it susceptible to brute force attacks.

Kerberos is the preferred authentication protocol for Windows 2000 Server, Windows Server 2003, and Windows Server 2008. It uses DES for encryption.

NT LAN Manager version 1 (NTLMv1) and NTLMv2 replaced LANMan and use the MD4/MD5 hashing algorithm. NTLM is backwards compatible with LANMan.

Your organization has recently implemented a new security policy that includes the implementation of the principle of least privilege. You need to ensure that users understand this principle and implement the appropriate procedures to adhere to this principle. What is the best implementation of this principle?
Completing administrative tasks at a computer that functions only as a server
Issuing the Run as command to execute administrative tasks during a regular user session
Ensuring that all services use the main administrative account to execute their processes
Issuing a single account to each user, regardless of his job function

Answer:
Issuing the Run as command to execute administrative tasks during a regular user session

Explanation:
The best implementation of the principle of least privilege is to issue the Run as command to execute administrative tasks during a regular user session. You should never use an administrative account to perform routine operations such as creating a document or checking your e-mail. Administrative accounts should only be used to perform an administrative task, such as configuring services or backing up the computer. By issuing the Run as command to execute administrative tasks during a regular user session, you execute the task as needed, but limit the administrative account to only running the particular task. If you logged off and back on using the administrative account, there is a possibility that you would forget to return to using your regular user account when performing routine tasks.

Completing administrative tasks at a computer that functions only as a server is not an implementation of the principle of least privilege. Users should be able to perform administrative tasks at servers and workstations.

Ensuring that all services use the main administrative account to execute their processes is an example of NOT ensuring the principle of least privilege. Services should use a service account specifically created for the service that is only configured with those rights, permissions, and privileges for the service to carry out its functions.

Issuing a single account to each user, regardless of his job functions, is an example of NOT ensuring the principle of least privilege. Those users charged with administrative duties should be issued a minimum of two accounts: one regular user account for performing normal user tasks and one administrative user account configured with those rights, permissions, and privileges for the user to carry out the administrative duties.

A proper implementation of the principle of least privilege ensures users are given only the user rights they need to execute their authorized tasks. The concept of least privilege exists within the Trusted Computer System Evaluation Criteria (TCSEC), which is used to categorize and evaluate security in all computer software.

The principle of least privilege is usually implemented by limiting the number of administrative accounts. Tools that are likely to be used by hackers should have permissions that are as restrictive as possible.

Employees must use a combination of photo identification and a security key card to enter a company office building. You need to implement a secure method of determining whether an employee who lost a key card should be allowed to enter the office building.

Which method should you implement?
Place digitized photographs of the employees in employee records.
Require employees to sign a log book.
Allow employees to enter the building without a key card.
Require a second key card to gain access to the company data center.


Answer:
Place digitized photographs of the employees in employee records.

Explanation:
Without a secure method of authenticating employees who do not have security key cards, the loss of a key card becomes a potential security risk. Placing photographs in employee records is a secure method of determining whether an employee who lost their key card should be allowed to enter the company office building. A security guard can access a digitized photograph and determine whether to allow an employee to enter the office building. A security guard is a physical security measure. Another option would be to issue employee personal identification verification cards at the time of employment. Often these cards can serve as identification cards as well as smart cards or proximity cards to grant physical access to a facility.

Requiring employees who do not have key cards to sign a log book does not match an employee with known information about who should be allowed to enter an office building. Allowing employees who have lost their key cards to enter a building where key cards are required for entry defeats the purpose of using key cards. Requiring a second key card to gain access to the data center offers additional limitations on access to company information stores, but does not address the immediate concern of authenticating the employee for entry into the office building.

You have been asked to configure a new file server. Management has stipulated that you need to implement an authentication method that checks the identity of both ends of the connection. Which authentication method should you use?
biometric authentication
mutual authentication
Kerberos authentication
RADIUS authentication

Answer:
mutual authentication

Explanation:
Mutual authentication checks the identity of both ends of the connection. It is often referred to as two-way authentication.

Biometric authentication authenticates a user based on some physical quality, such as a fingerprint, iris scan, retina scan, and so on.

Kerberos authentication requires a centralized management database of all user accounts and resource passwords. It does not authenticate both ends of the connection.

RADIUS provides centralized remote user authentication, authorization, and accounting. It does not authenticate both ends of the connection.

Match the authentication mechanisms on the left with the authentication types given on the right.

Explanation:
The authentication mechanisms and their authentication types should be matched in the following manner:
Smart card – certificate authentication
Retina scan – biometric authentication
Token – one-time password authentication
Password – PAP authentication

Which RADIUS implementation was created to deal with Voice over IP (VoIP) and wireless services?
TACACS
XTACACS
TACACS+
Diameter

Answer:
Diameter

Explanation:
Diameter was created to deal with Voice over IP (VoIP) and wireless services. It was created to address new technologies that RADIUS was not designed to handle. Although Diameter was designed to be backwards compatible with RADIUS, some RADIUS servers have trouble working with Diameter servers. Diameter can utilize EAP, thereby providing better security than RADIUS.

Terminal Access Controller Access Control System (TACACS) is the Cisco implementation of RADIUS. TACACS is the first generation and combines the authentication and auditing processes. XTACACS is the second generation and separates the authentication, authorization, and auditing processes. TACACS+ is the third generation, and provides all of the features of XTACACS along with extended two-factor user authentication. TACACS+ uses multiple challenge responses for authentication, authorization, and auditing.

Kerberos is a method of access, authentication, and authorization that is more secure than RADIUS, TACACS, or LDAP.

Another authentication service that you need to be familiar with is Security Assertion Markup Language (SAML), which is an XML-based data format for exchanging authentication and authorization data between an identity provider and a service provider.

Which password policy setting allows you to configure how many new passwords must be created before an old one can be reused?
password age
password length
password history
password lockout
password complexity

Answer:
password history

Explanation:
Password history allows you to configure how many new passwords must be created before an old one can be reused. This setting enhances security by allowing the administrators to ensure that old passwords are not being reused continually. Reused passwords are sometimes referred to as rotating passwords.

Password age allows you to configure the minimum or maximum number of days that must pass before a user is required to change the password. It is a good security practice to enforce a password age of 30 to 60 days. Some companies force users to change their passwords monthly or quarterly. This interval should be determined based on how critical the information is and on how frequently passwords are used.

Password length allows you to configure the minimum number of characters that must be used in a password. At minimum, this policy should be configured to 7 or 8 characters. Be careful not to configure this value too high, as it can make the password very hard to remember.

Password lockout allows you to configure the number of invalid logon attempts that can occur before an account is locked. Usually this password lockout policy also allows you to configure the number of days that the account remains in this state. In some cases, you may want to configure the account lockout policy so that an administrator must be contacted to enable the account again.

Password complexity allows you to configure which characters should make up a password to reduce the possibility of dictionary or brute force attacks. A typical password complexity policy would force the user to incorporate numbers, letters, and special characters. In addition, both uppercase and lowercase letters can be required. A password that uses a good mix, such as Ba1e$23q, is more secure than a password that only implements parts of these requirements, such as My32birthday, NewYears06, and John$59. The keyspace of a password policy that allows only the lowercase letters a to z, where n is the password length, is 26^n.

Account policies should be enforced on all systems in the company. It is also a good practice to make sure that passwords are masked or encrypted. This encryption should occur on the storage device on which they are located. Also, encryption should be used when they are transmitted across the network.

As a good practice, a user’s password should never be the same as the login account name.

As a security professional, you have been asked to advise an organization on which access control model to use. You decide that role-based access control (RBAC) is the best option for the organization. What are two advantages of implementing this access control model? (Choose two.)
user friendly
low security cost
easier to implement
discretionary in nature
highly secure environment

Answer:
low security cost
easier to implement

Explanation:
Role-based access control (RBAC) has a low security cost because security is configured based on roles. For this reason, it is also easier to implement than the other access control models. During the information gathering stage of deploying an RBAC model, you will most likely need a matrix of job titles with their required access privileges.

RBAC is NOT the most user friendly option. Discretionary access control (DAC) is more user friendly than RBAC because it allows the data owner to determine user access rights. If a user needs access to a file, he only needs to contact the file owner.

RBAC is NOT discretionary in nature. DAC is discretionary, meaning access to objects is determined at the discretion of the owner.

RBAC is NOT a highly secure environment. Mandatory access control (MAC) is considered a highly secure environment because every subject and object is assigned a security label.

With RBAC, it is easy to enforce minimum privilege for general users. You would create the appropriate role, configure its permissions, and then add the users to the role. A role is defined based on the operations and tasks that the role should be granted. Roles are based on the structure of the organization and are usually hierarchical.

RBAC is a popular access control model used in commercial applications, especially large networked applications.

Rule-based access control is often confused with RBAC because their names are similar. With rule-based access control, access to resources is based on a set of rules. The user is given the permissions of the first rule that he matches.

Which technology provides centralized remote user authentication, authorization, and accounting?
VPN
DMZ
RADIUS
Single sign-on

Answer:
RADIUS

Explanation:
Remote Authentication Dial-In User Service (RADIUS) provides centralized remote user authentication, authorization, and accounting.

A virtual private network (VPN) is a technology that allows users to access private network resources over a public network, such as the Internet. Tunneling techniques are used to protect the internal resources. A VPN by itself does not provide centralized authentication, authorization, and accounting.

A demilitarized zone (DMZ) is an isolated subnet on a corporate network that contains resources that are commonly accessed by public users, such as Internet users. The DMZ is created to isolate those resources to ensure that other resources that should remain private are not compromised. A DMZ is usually implemented with the use of firewalls.

Single sign-on is a feature whereby a user logs in once to access all network resources.

RADIUS is defined by RFC 2138 and 2139. A RADIUS server acts as either the authentication server or a proxy client that forwards client requests to other authentication servers. The initial network access server, which is usually a VPN server or dial-up server, acts as a RADIUS client by forwarding the VPN or dial-up client’s request to the RADIUS server. RADIUS is the protocol that carries the information between the VPN or dial-up client, the RADIUS client, and the RADIUS server. RADIUS supports 802.1X authentication.

The centralized authentication, authorization, and accounting features of RADIUS allow central administration of all aspects of remote login. The accounting features allow administrators to track usage and network statistics by maintaining a central database.

What replaced NTLM for network user authentication on Windows 2000 Server or later networks?
IETF
Kerberos
KMS
PKI

Answer:
Kerberos

Explanation:
Kerberos replaced NT LAN Manager (NTLM) for network user authentication on Windows 2000 Server or later networks.

The Internet Engineering Task Force (IETF) specifies standards for Kerberos, and Microsoft Kerberos generally follows these IETF standards. Public Key Infrastructure (PKI) contains encryption and digital signature services, which provide non-repudiation, authentication, and privacy for files. Exchange Key Management Service (KMS) is a component of Microsoft Exchange Server that stores and retrieves keys that can be used to digitally sign and encrypt e-mail messages.

A company implements an application that accesses confidential information from a database. You need to allow guest access that uses time-sensitive passwords. Which device will generate these passwords?
digital certificate
EAP
Kerberos
security token

Answer:
security token

Explanation:
A security token is a small device that generates time-sensitive passwords. A security token generates a new password when the old password has expired and helps to secure remote authentication attempts to a network.

Token-based authentication is not as easy to attack as other forms of authentication because tokens are devices that are physically owned.

A digital certificate is a document that contains a user’s public key pair and owner information. Extensible Authentication Protocol (EAP) extends Point-to-Point Protocol (PPP) to enable PPP to use multiple types of authentication. Kerberos is a network authentication protocol.

Recently, several desktop computers were stolen from your company’s offices. It was discovered that the thieves gained access through a delivery entrance. Management decides that it wants to implement a transponder system-sensing card mechanism at all building entrances. What is NOT a component of this system?
battery
receiver
transmitter
spread spectrum

Answer:
spread spectrum

Explanation:
Spread spectrum is not a component of a transponder system-sensing card. Spread spectrum is a part of wireless technology.

Proximity readers can be either user-activated or system-sensing readers. If the proximity reader is user activated, the user swipes the card and provides a valid sequence number as access credentials to the reader. This grants the user authorized access to the facility. In a system-sensing proximity reader, the user need not perform any action or provide credentials. The access control system automatically detects the user’s presence in a specified area and authenticates the user based on the credentials transmitted to the reader. The reader sends the user credentials to an authentication server for processing. A proximity reader is used to prevent unauthorized employees from entering the data center. If a proximity reader is not used, another alternative is to use a guard. Some companies implement security cameras instead of multiple security guards. The security cameras allow a single security guard to actively monitor more than one entrance.

System-sensing cards are classified into the following categories:
Transponders have a receiver, a transmitter, a place to store the access code, and a battery. Following an authentication request from the reader, the card sends an access code to the reader and is granted authorized access to the facility area.
Passive devices use the power from the reader. The reader transmits an electromagnetic field that is sensed by the passive device to ensure user credential authentication.
Field-powered devices have their own power supply, and the card does not depend on the reader for power.

You are a security consultant. An organization hires you to implement a biometric system. This system should work in conjunction with a password to provide increased security. Which method should you implement?
password aging
keystroke dynamics
password checkers
password encryption

Answer:
keystroke dynamics

Explanation:
Keystroke or keyboard dynamics can work in conjunction with a password to provide increased security. Keystroke dynamics records a user’s speed and motion when entering a phrase and compares it to stored data. This type of authentication, when used with a password or passphrase, increases security because it is harder to duplicate a person’s typing style than just a password or passphrase.

None of the other options is a biometric method. Password aging is a security method in which a password policy is created to force a user to change his or her password after a certain amount of time. A password checker is a tool that detects a weak password. Its primary benefit is that it can protect your network against dictionary or brute force attacks. Password encryption is a password protection mechanism whereby the password is encrypted before it is transported across the network.

Keystroke dynamics is considered a low cost, non-intrusive biometric device that is transparent to users. One important keystroke dynamics term is dwell time, which refers to the amount of time a user holds down a key. Another is flight time, or the time it takes to switch between keys.

If the security administrator discovers that an employee who entered the data center does not match the owner of the PIN that was entered, the security administrator should implement some sort of biometric authentication. Biometrics would validate that the correct user was being authenticated.

Biometric authentication requires the use of a biometric reader. Biometric readers can authenticate users before they are granted access to a building, a section of a building, or even to a single device. In most cases, biometrics are used to authenticate users entering a highly secure data center. Implementing biometric authentication is often expensive because of the equipment and configuration costs. Biometric readers can be implemented at the device level if the device contains highly sensitive and confidential information and if the device can be easily stolen. It would not be cost-effective to implement biometrics on a mainframe system, no matter how sensitive the data is, because the device would be hard to steal. However, implementing biometrics on a laptop that contains confidential data might be a good idea if you can justify the cost.

Your CIO has decided that the organization needs to implement password policies for better security. Which password policy will NOT strengthen password security?
requiring users to use a minimum of eight characters in a password
requiring users to use symbols and numbers in their passwords
requiring users to use only alphabetic words as passwords
requiring users to periodically change their passwords

Answer:
requiring users to use only alphabetic words as passwords

Explanation:
Requiring users to use only alphabetic words as passwords will likely weaken password security because dictionary words are typically the easiest passwords for a hacker to crack.

Strong passwords should typically be at least eight characters in length and contain a mixture of alphabetic, numeric, and symbolic characters. Requiring users to use a minimum of eight characters, including symbols, numbers, and letters, in their passwords and requiring that users periodically change their passwords will likely strengthen password security.

In addition, as part of your organization’s password policy, you should configure an account lockout to occur after a certain number of invalid logins. You should configure a password expiration policy. You should also configure a password reuse policy that ensures that passwords cannot be reused until a certain number of password changes have occurred. For example, if you configure a policy such that a password expires in 90 days and that you cannot reuse the last 6 passwords, a user could simply reset the password 7 times to be able to reuse the original password when it comes time for the password to be reset. To prevent users from resetting the password in this manner to bypass your organization’s password policy, you should configure a password policy that ensures that passwords cannot be changed more than once a day.

Any generic accounts that are included with any software or device, such as the default administrative or guest accounts, should be removed or disabled. If you do not want to remove or disable these accounts, you should at minimum assign the accounts a complex password. The generic accounts are commonly known, and that is why generic account prohibition or account disablement is encouraged.

If a user forgets his password, your organization should have a password recovery policy in place. If you have to reset the password, you should reset it with something generic and configure the user account so that the user must change the password at the next login.

You have been hired as a security administrator by your company. You have recommended that the organization implement a biometric system to control access to the server room. You recommend implementing a system that identifies an employee by the pattern of blood vessels at the back of the employee’s eyes. Which biometric system are you recommending?
iris scan
facial scan
retina scan
eye recognition

Answer:
retina scan

Explanation:
A retina scan is a biometric system that examines the unique pattern of the blood vessels at the back of an individual’s eye. In a retina scan, a beam is projected inside the eye to capture the pattern and compare it with the reference records of the individual. The employee is authenticated only if a match is found. Retina scans provide better accuracy than iris scans.

There are some disadvantages of using a retina scan. Employees are sometimes reluctant to pass through a retina scan because the test is considered too intrusive. Also, retina scan results can change over time. Other disadvantages are the expense, the enrollment time, and the complexity involved in its implementation.

An iris scan is based on the examination of unique patterns, colors, rings, and coronas of an individual’s eye. Each characteristic is captured by a camera and compared with the reference records of an employee gathered during the enrollment process. Iris scanning provides better accuracy than fingerprinting, voice recognition, or facial recognition.

A facial scan is based on an individual’s bone structure, nose ridge, eye width, forehead structure, and chin shape. Such characteristics are captured by a camera and compared with the reference records of an employee gathered during the enrollment process.

Eye recognition is not a biometric scan technology used for the authentication of an individual.

When users log in to the network locally, they must provide their username and password. When users log in to the network remotely, they must provide their username, password, and smart card.

Which two statements are true regarding your organization’s security? (Choose two.)
The local network login uses one-factor authentication.
The local network login uses two-factor authentication.
The remote network login uses three-factor authentication.
The remote network login uses two-factor authentication.


Answer:
The local network login uses one-factor authentication.
The remote network login uses two-factor authentication.

Explanation:
The local network login uses one-factor authentication. Although two items are being presented, both items are considered to be something you know.

An example of a two-factor authentication system is an ATM card and personal identification number (PIN).

The remote network login uses two-factor authentication. Although three items are being presented, two items are something you know and one is something you have.

Three-factor authentication uses something you know (i.e., username or password), something you have (i.e., smart card), and something you are (i.e., biometric authentication). Any form of authentication that uses more than one factor is considered multifactor authentication.


You are responsible for designing your company’s identification, authentication, and authorization system to ensure that the company’s network is protected from unauthorized access. What is the purpose of authentication on this network?
encrypting files
verifying the identity of users
allowing users to access resources
backing up data stored on hard disks

Answer:
verifying the identity of users

Explanation:
Authentication refers to the process of verifying the identity of users. Authentication technologies that you need to understand include the following:
Tokens – a small device that generates time-sensitive passwords
Common access cards – similar to smart cards and are used by the U.S. federal government for active-duty military personnel
Smart cards – small plastic cards that contain authentication information
Multifactor authentication – when multiple authentication factors are used to authenticate a user. Authentication factors include something you are, something you have, something you know, somewhere you are, and something you do.
TOTP – A time-based one-time password is an extension of the HOTP that is modified to support a time-based moving factor. If an organization introduces token-based authentication to system administrators due to risk of password compromise, and the tokens have a set of numbers that automatically change every 30 seconds, TOTP is being used.
HOTP – An HMAC one-time password is an algorithm that is used to generate a password that is used once.
CHAP – Challenge Handshake Authentication Protocol is an authentication protocol that validates the identity of the remote user.
PAP – Password Authentication Protocol is an authentication protocol that uses a password.
Single sign-on – an authentication technology that allows a user to log in once and be granted access to different systems configured as part of the network
Implicit deny – when a user inherits a deny permission based on his membership in a group or role
Trusted OS – an operating system that provides support for multilevel security
Authorization allows users to access resources. Authorization is typically applied to a user account after a user is authenticated on a network. You need to understand the following authorization technologies:
Least privilege – This principle ensures that users are granted only those permissions they need to do their work
Separation of duties – This principle ensures that tasks are divided between users to ensure that one user cannot commit fraud.
ACLs – Access control lists are configured to control permissions to resources.
Time of day restrictions – This method configures the time(s) and day(s) that users are allowed to access resources. In some cases, this policy also allows administrators to configure the location from which the user can log in.
Encrypting files is an example of protecting the confidentiality of the contents of a file. Backing up the data stored on a hard disk is an example of protecting the availability of network resources.

Which option is a protocol that enables LDAP servers to share directory entries?
L2TP
LDIF
PPTP
TLS

Answer:
LDIF

Explanation:
Lightweight Directory Access Protocol (LDAP) is a directory service that enables users to find resources on a network. LDAP operates on the well-known port 389. LDAP Data Interchange Format (LDIF) is a protocol that is designed to enable LDAP servers to exchange directory information. To work with an LDAP server, servers must be able to authenticate to the server using the correct format. For example, DC=ServerName and DC=COM.

LDAP can use Transport Layer Security (TLS) to secure directory entry transmissions. LDAP over TLS operates on the well-known port 636. Layer 2 Tunneling Protocol (L2TP) and Point-to-Point Tunneling Protocol (PPTP) encapsulate data packets to create a communications tunnel through the public Internet.

You have been asked to implement a biometric method that analyzes both the physical motions that are performed when a signature is signed and the specific features of a person’s signature. Which biometric system should you implement?
hand geometry
digital signature
signature dynamics
keystroke dynamics

Answer:
signature dynamics

Explanation:
Signature dynamics is the biometric method that analyzes both the physical motions performed when a signature is signed and the specific features of a person’s signature. It usually captures the speed of the signing, the pressure of the pen when signing, and the way the pen is held.

Hand geometry is a biometric method that analyzes the length and width of the hand. A digital signature is a method whereby the identity of the person sending the data is verified. It ensures that the original data has not been modified. Keystroke dynamics records a user’s speed and motion when entering a phrase and compares it to stored data.

Dynamic signature verification (DSV) is another term for signature dynamics.

What is the most important component in a Kerberos environment?
principals
session keys
ticket granting ticket (TGT)
authentication service (AS)
Key Distribution Center (KDC)

Answer:
Key Distribution Center (KDC)

Explanation:
The Key Distribution Center (KDC) is the most important component in a Kerberos environment. It is responsible for managing all of the secret keys, authenticating all users, and issuing tickets to valid users.

Kerberos authentication requires a centralized management database of all user accounts and resource passwords.

None of the other components listed is as important as the KDC.

Principals are the entities to which the KDC provides services. They may be users, applications, or services.

Session keys are symmetric keys used to encrypt and decrypt information that is passed between the principals and the KDC.

A ticket-granting ticket (TGT) is the entity issued by the authentication service (AS) on the KDC to a principal. The TGT proves principal identity throughout the communication process.

You are performing user account reviews. You need to determine whether user accounts are active. Which property should you verify?
when the password was last configured
whether a password is required
whether user accounts are disabled
when the last login occurred

Answer:
when the last login occurred

Explanation:
To determine whether user accounts are being actively used, you should verify when the last login occurred for every user account. If a user account has not been logged in recently, either the user is not logging out properly or the user account is no longer being used. It is a good policy to periodically perform user account reviews such as this to ensure that all accounts are valid. Continuous monitoring is essential to any organization.

You should not check when the password was last configured. Doing so will ensure that users are changing their passwords as stipulated in the password expiration policy. Passwords may not be changed if the user is not properly logging out each day. A password expiration policy is vital for security. Users should be required to change their passwords monthly or quarterly, based on the organization’s needs. In addition, if a user forgets his password and asks an administrator to recover it, the user should be required to immediately change the password once again when logging in.

You should not check whether a password is required. Doing so will ensure that user accounts are required to have a password.

You should not check whether user accounts are disabled. Disabled user accounts are not used. User accounts are often retained in a disabled state for a period of time. Restoring a user account once it is deleted is difficult.

It may also be necessary to check on when users are using administrative-level or normal user accounts. Administrative-level accounts should only be used while performing administrative duties. The rest of the time, users should use their regular user account. Your organization should ensure that users understand this principle of least privilege so that issues associated with users who have multiple accounts are minimized. Credential management is one of the most important considerations for any organization.

Any organization should mitigate issues associated with users with multiple accounts or shared accounts. Any training for users who have multiple accounts should include instructions on when to use each account type. Remember that administrative-level accounts should only be used when performing duties that require those accounts.


You have been hired as a security consultant by a real estate agency. The company currently implements discretionary access control (DAC) on its network. Who is primarily responsible for determining access control using this access control model?
manager
data user
data owner
security administrator

Answer:
data owner

Explanation:
The data owner is primarily responsible for determining access control using discretionary access control (DAC).

None of the other options is correct. None of the other persons named has any primary responsibilities when using DAC.

Using mandatory access control (MAC), the security label assigned to subjects and objects is primarily responsible for determining access control. This security label is defined for each subject and object based on strict rules. Using role-based access control (RBAC), the security administrator is primarily responsible for determining access control based on the roles defined and the written security policy.


Which entities can group policies be used to manage? (Choose all that apply.)
users
client computers
server computers
domain controllers

Answer:
users
client computers
server computers
domain controllers

Explanation:
Group policies can be used to manage users, client computers, server computers, and domain controllers. Group policies are the most efficient way to manage a large number of users or computers. For example, you can configure a group policy that forces users to change their password at the next login.

Match the password control on the left with the descriptions given on the right.

Explanation:
The password controls and their descriptions should be matched in the following manner:
Salting – adds text to each password before the password is hashed to prevent stored passwords from being decrypted
Lockout – allows you to configure the number of invalid logon attempts that can occur before an account is inaccessible for a pre-determined amount of time
History – allows you to configure how many new passwords must be created before an old one can be reused
Age – allows you to configure the minimum or maximum number of days that must pass before a user is required to change the password
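
The expiry, history and minimum-age reasoning from the earlier password policy explanation (90-day expiry, six remembered passwords, seven resets to get the original back) and the four controls matched above (salting, lockout, history, age), worked as an added Python example that is not part of the original quiz. The policy values, sample passwords and day-granular clock are constructed for the demo, and the PBKDF2 iteration count is lowered so it runs quickly.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

DAY = 86_400          # seconds; ages in the policy are counted in whole days
ITERATIONS = 10_000   # PBKDF2 rounds, lowered for the demo (production uses far more)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash: the per-account salt is mixed in before hashing, so two
    accounts with the same password store different digests and a stolen
    table cannot be attacked with one precomputed dictionary."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    remembered: list            # (salt, digest) pairs, newest first; [0] is current
    last_set: int               # when the current password was set (seconds)
    failed_attempts: int = 0
    locked_until: int = 0


@dataclass
class PasswordPolicy:
    history_size: int = 6       # "cannot reuse the last 6 passwords" (current counts)
    max_age_days: int = 90      # "a password expires in 90 days"
    min_age_days: int = 0       # 0 reproduces the bypass; 1 = "not more than once a day"
    lockout_threshold: int = 5  # failed logons before lockout (constructed value)
    lockout_minutes: int = 30   # how long the account stays inaccessible (constructed)

    def create(self, password: str, now: int) -> Account:
        salt = os.urandom(16)
        return Account([(salt, hash_password(password, salt))], now)

    def change_password(self, acct: Account, new_password: str, now: int) -> str:
        """Returns 'ok' or the name of the control that rejected the change."""
        # Age control: reject a change before the minimum age has elapsed.
        if now - acct.last_set < self.min_age_days * DAY:
            return "min-age"
        # History control: compare against every remembered digest with its own salt.
        for salt, digest in acct.remembered:
            if hmac.compare_digest(hash_password(new_password, salt), digest):
                return "history"
        salt = os.urandom(16)
        acct.remembered.insert(0, (salt, hash_password(new_password, salt)))
        del acct.remembered[self.history_size:]   # oldest entry falls out of history
        acct.last_set = now
        return "ok"

    def authenticate(self, acct: Account, password: str, now: int) -> str:
        """Returns 'ok', 'expired', 'bad-password' or 'locked'."""
        if now < acct.locked_until:
            return "locked"
        salt, digest = acct.remembered[0]
        if not hmac.compare_digest(hash_password(password, salt), digest):
            acct.failed_attempts += 1
            # Lockout control: after N failures the account is inaccessible for a while.
            if acct.failed_attempts >= self.lockout_threshold:
                acct.locked_until = now + self.lockout_minutes * 60
                acct.failed_attempts = 0
            return "bad-password"
        acct.failed_attempts = 0
        # Maximum age: a correct but expired password must be changed.
        if now - acct.last_set > self.max_age_days * DAY:
            return "expired"
        return "ok"


def reuse_cycle(policy: PasswordPolicy, one_change_per_day: bool = False) -> list:
    """The scenario from the text: a user makes six throwaway changes and then
    tries to set the original password again (seven changes in total).
    Returns the outcome of each change; all passwords are constructed samples."""
    acct = policy.create("Original!1", 0)
    results = []
    for i in range(1, 7):
        now = i * DAY if one_change_per_day else 0
        results.append(policy.change_password(acct, f"Throwaway{i}!", now))
    now = 7 * DAY if one_change_per_day else 0
    results.append(policy.change_password(acct, "Original!1", now))
    return results


if __name__ == "__main__":
    print("no minimum age, same day:", reuse_cycle(PasswordPolicy()))
    print("one change per day max:  ", reuse_cycle(PasswordPolicy(min_age_days=1)))
```

With no minimum age all seven changes succeed on the same day and the original password is back; with a one-day minimum age the same-day changes are refused, although a patient user can still cycle back over seven days, so history depth and minimum age have to be chosen together.
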

You need to enforce several security settings for all of the computers on your Windows network in as efficient a manner as possible. What should you do?
Use a distribution group.
Use a security group.
Use remote access.
Use group policies.

Answer:
Use group policies.

Explanation:
You should use group policies. This is the most efficient way to enforce multiple security settings for all computers on your Windows network. The group policies would be applied to the computers on your network from the domain controllers. This method allows for centralized deployment and management. For example, you could use group policies to ensure that users must change their password at the next logon and must follow certain password guidelines.

Distribution groups are used to create a set of e-mail recipients. For example, you could create a distribution group for each department so that e-mail messages can be sent to just departmental users.

Security groups are used to create a set of users to assign resource permissions. For example, you could create a security group for each department so that certain folders could only be accessed by a single department.

Remote access allows you to log in to remote computers. While you could configure the security policies in this manner, it would require that you remotely access each computer individually to configure the settings, which is a less efficient method.

You are explaining access control permissions to another administrator. The administrator must ensure that certain users do not have access to a particular file. All other users should be able to access the file based on their group permissions. What should you use to provide this functionality?
least privilege
job rotation
explicit deny
explicit allow
implicit deny

Answer:
explicit deny

Explanation:
An explicit deny can ensure that certain users do not have access to a particular file. Users that do NOT have an explicit deny can be allowed to access the file based on their user or group permissions. An implicit deny occurs when a user is denied permission based on his membership in a group or role, where the user inherits the permission.

The principle of least privilege grants users only those permissions they need to do their work. An example of using the principle of least privilege is when a security administrator is given rights only to review logs and update security-related network devices.

Job rotation protects your data by providing redundancy. By implementing job rotation, you ensure that more than one administrator knows how to do every job.

An explicit allow permits the specifically named users to have access to a particular file. This permission does not prevent users from accessing a certain file.

Which Kerberos 5 entity authenticates users?
AS
CS
TGS
TGT

Answer:
AS

Explanation:
In Kerberos 5, Authentication Service (AS) Exchange authenticates users and provides users with a ticket-granting ticket (TGT). When a user wants to gain access to a network resource, that user’s TGT is sent to a computer that provides Kerberos Ticket Granting Service (TGS) Exchange. A TGS server uses a TGT to create a session key for the client requesting service and the server providing service. A client requesting service sends a session key to a server, and Client-Server (CS) exchange is used to enable a client and a server to authenticate one another. After these processes are completed, a client can gain access to services on a server.

AS, CS, and TGS are the three main protocols used on a Kerberos network to provide authentication and authorization for use of resources.


You need to ensure that the identity of the remote host is verified and that the data received is authentic. Which OSI function should you implement?
routing
encryption
segmentation
authentication

Answer:
authentication

Explanation:
Authentication is the OSI function that ensures that the identity of the remote host is verified and that the data received is authentic. This process takes place at the Session layer of the OSI model.

Routing is the OSI function that ensures that a packet can reach its destination. This process takes place at the Network layer.

Encryption is the OSI function that ensures data confidentiality by encrypting the data. This process takes place at the Presentation layer.

Segmentation is the OSI function that divides data into easily transmitted packets. This process takes place at the Transport layer.

Security professionals should understand the OSI and its relevance to security. Different mechanisms can be implemented to provide security at different layers of the OSI model.

Your company’s electronic access control (EAC) security system is not working. You need to check the components of the system to determine where the failure has occurred. Which option is NOT a component of this system?
proximity reader
biometric systems
programmable locks
door motion detector

Answer:
door motion detector

Explanation:
Door motion detectors are not used with basic electronic access control (EAC) security. Door motion detectors detect movements in the door to guard against unauthorized access and thus prevent a security breach in the facility.

The EAC security system uses electronic equipment to identify an authorized individual and provides the individual with access into a restricted area. EAC also allows an owner to increase employee productivity by preventing unrestricted traffic from flowing to different areas of the building. EAC can include proximity readers, biometric systems, and programmable locks. EAC can also integrate with CCTV and alarms for monitoring the facility premises.

You need to discover if users are using Terminal Services to log in to your Windows Server 2008 network. Which user right should you audit?
Logon as a service
Access this computer from the network
Log on locally
Allow logon through Terminal Services

Answer:
Allow logon through Terminal Services

Explanation:
To discover if users are using Terminal Services to log in to your Windows Server 2008 network, you should audit the Allow logon through Terminal Services user right.

You should not audit the Logon as a service user right. This right allows an account to log on as a service.

You should not audit the Access this computer from the network right. It determines which users are allowed to connect to the computer over the network.

You should not audit the Log on locally right. You would need to audit this right if your network ran Windows 2000 Server.

You are designing an access control system for a new company. The company has asked that you ensure that users are authenticated with a central server. In addition, users should only have access to the files they need to perform their jobs. When implementing access control, what is the appropriate order?
identification, authentication, authorization
authentication, identification, authorization
identification, authorization, authentication
authentication, authorization, identification

Answer:
identification, authentication, authorization

Explanation:
The appropriate order for access control is identification, authentication, and authorization.

Identification is the process of identifying a user based on a user name, user identification (ID), or account number. Authentication is the process of validating the user with a second piece of information, usually a password, passphrase, or personal identification number (PIN). Authorization is the process of granting the user access to data based on the user identity and permissions.

Which type of right occurs when a user inherits a permission based on group membership?
capability
implicit right
explicit right
access right

Answer:
implicit right

Explanation:
An implicit right occurs when a user inherits a permission based on group membership. It can also occur due to role assignment.

A capability is an access right that is assigned directly to a subject.

An explicit right occurs when a user is given a permission directly.

An access right is a generic term referring to any permission granted to a user, whether implicitly or explicitly.

Your company has decided to implement a biometric system to ensure that only authorized personnel are able to access several secure areas at the facility. However, management is concerned that users will have privacy concerns when the biometric system is implemented. You have been asked to recommend the least intrusive biometric system of the listed options. Which option is considered the least intrusive?
iris scan
voice print
fingerprint
retinal scan

Answer:
voice print

Explanation:
A voice print is considered less intrusive than the other options given.

Both an iris scan and a retinal scan are considered more intrusive because of the nature in which the scan is completed. Most people are reluctant to have a scanner read any eye geometrics. A fingerprint is more intrusive than a voice print. Most people are reluctant to give their fingerprint because fingerprints can be used for law enforcement.

A voice print is very easy to obtain. Its primary purpose is to distinguish a person’s manner of speaking and voice patterns. Voice print systems are easy to implement as compared to some other biometric methods. Voice prints are usually reliable and flexible.


You need to determine which users are accessing a Windows Server 2003 computer from the network. Which audit category should you enable?
Audit Account Logon Events
Audit Account Management
Audit Privilege Use
Audit Object Access

Answer:
Audit Privilege Use

Explanation:
The Audit Privilege Use audit category will audit all instances of users exercising their rights. This category audits all rights found in the Local Security Policy under Security Settings\Local Policies\User Rights Assignment. The Access this computer from the network policy allows users to access a computer from the network.

The Audit Account Logon Events audit category tracks all attempts to log on with a domain user account when enabled on domain controllers. If you enable this policy on a workstation or member server, it will record any attempts to log on by using a local account stored in that computer’s user accounts database.

The Audit Account Management audit category monitors changes to user accounts and groups.

The Audit Object Access audit category tracks access to all objects outside Active Directory.

Your company has decided to deploy security templates to ensure that all computers on your network are secure. Which areas should be covered by the security templates? (Choose all that apply.)
account policies
user rights and permissions
registry permissions
system services

Answer:
account policies
user rights and permissions
registry permissions
system services

Explanation:
A security template should cover all of the options listed: account policies, user rights and permissions, registry permissions, and system services. Other areas that should be covered include event log settings, restricted groups, file permissions, and auditing settings.

A standardized security template, including server images and client images, will ensure that the mandated security configurations have been made to the operating system.

You should design the security controls that you implement in a security template based on the risk assessment you have performed.


Which protocol grants TGTs?
ARP
Kerberos
L2TP
Telnet

Answer:
Kerberos

Explanation:
Kerberos is a protocol that issues ticket-granting tickets (TGTs), which clients can then use to request session keys. A Kerberos client can use a session key to gain access to resources.

Address Resolution Protocol (ARP) is used on TCP/IP networks to resolve Internet Protocol (IP) addresses to Media Access Control (MAC) addresses. MAC addresses are assigned to network interface cards (NICs) and are used to identify physical resources on a network. IP is used on TCP/IP networks to locate hosts. ARP enables Ethernet and TCP/IP to interoperate. Layer 2 Tunneling Protocol (L2TP) can be used to create secure virtual private network (VPN) connections. Telnet is a TCP/IP protocol that enables a user to remotely connect to a server through a text-based interface. The user can then use Telnet to remotely issue commands on the server as if it were the local computer.

Your organization has several applications and servers that implement different password types. You need to document the different password types that are used because your company wants to later implement a single sign-on system. Which password types are usually the hardest to remember? (Choose all that apply.)
static password
dynamic password
cognitive password
user-generated password
software-generated password

Answer:
dynamic password
software-generated password

Explanation:
Dynamic passwords and software-generated passwords are the same thing. They are also called one-time passwords because they are only used during one login session. At the next login session, a new password is generated. They are usually the hardest passwords to remember because they are so complex. Because of their complexity, they are also harder to guess.

A static password, also called a user-generated password, is one created by the user. It is usually very easy for the user to remember. In most companies, the password policy ensures that the static passwords expire after a certain amount of time.

A cognitive password is a password that is based on some personal fact or opinion. One of the most popular uses of a cognitive password is for security purposes to obtain confidential information. Cognitive passwords are things like your mother’s maiden name, your favorite color, or the school where you graduated.

One-time, or dynamic, passwords are considered to be more secure than static passwords and passphrases. They are usually generated by a piece of software. If the password generator is compromised, the entire system is in jeopardy. There are different types of password generators.

A token device, sometimes called a transaction device, is usually a handheld device that presents a user with a list of characters to be entered as a password for the computer. Only the device and the authentication server know the password.

A synchronous token device synchronizes with the authentication server based on time or a counter. A time-based device must keep the same time as the authentication server. The time value and a secret key are used to create the one-time password, which is displayed for the user. A counter-based device uses a counter value. The counter value and a secret are hashed, and the one-time password is displayed for the user.

An asynchronous token device authenticates the user using a challenge/response mechanism. The authentication server generates a random value. The user enters this value, which is encrypted and transmitted, and a one-time password is then generated.

” You are setting up the network for a small business. The small business is concerned with security of their data. You need to configure the network so that users log in with a user name and password. You investigate the types of passwords that the company can use.

Which password type is usually easiest to remember?
passphrase
static password
dynamic password
software-generated password
Answer:
passphrase

Explanation:
A passphrase is usually the easiest to remember. Even though it is longer than a static password, it is considered easier to remember because you can make it a sentence, such as “IAmSoGladThatChristmasOnlyComesOnceAYear.”

A static password is one that is generated by the user. Password changes to static passwords happen at administrator-defined intervals. A static password is considered harder to remember than a passphrase because it is a single word or small phrase and is usually changed more often than a passphrase.

A dynamic password and a software-generated password are the same thing. They are difficult to remember because of their length and complexity.

Passphrases are not susceptible to brute force or dictionary attacks because they are more complex than regular passwords.

” Which Windows account policy prevents a user from reusing a certain number of expired passwords?
Account Lockout
Maximum Password Age
Minimum Password Length
Enforce Password History

Answer:
Enforce Password History

Explanation:
In Microsoft Windows, the Enforce Password History account policy can be configured to prevent a user from reusing a specified number of expired passwords.

The Account Lockout policy can be used to configure an account to become locked after a specified number of failed logon attempts. The Maximum Password Age policy can be configured to specify the maximum length of time that a Windows password will remain valid. The Minimum Password Length policy can be configured to specify the minimum number of characters that can be used as a password for a Windows user account.
What contains LDAP entries?
DIT
LDIF
TLS
X.500

Answer:
DIT

Explanation:
Lightweight Directory Access Protocol (LDAP) entries are contained in a directory information tree (DIT), which is a hierarchical structure that can be searched for directory information. The start of the LDAP tree is called the root. LDAP is a directory service that enables users to find resources on a network, and it operates on well-known port 389. LDAP with SSL uses port 636. The purpose of LDAP authentication services is to provide a single point of user management.

LDAP Data Interchange Format (LDIF) enables LDAP servers to exchange directory information. LDAP can use Transport Layer Security (TLS) to secure LDAP transmissions. LDAP over TLS operates on well-known port 636. X.500 is a directory service specification on which LDAP is based.

By default, LDAP communications between client and server applications are not encrypted, meaning that it would be possible to use a network monitoring device to view the communications traveling between LDAP computers. LDAP over Secure Sockets Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS or Secure LDAP, will encrypt communications.

” Which technologies provide single sign-on authentication? (Choose all that apply.)
DAC
MAC
RBAC
RADIUS
Kerberos
SESAME
Active Directory

Answer:
Kerberos
SESAME
Active Directory

Explanation:
Kerberos, SESAME, and Active Directory are three technologies that provide single sign-on authentication. Novell eDirectory is another example. Single sign-on addresses the problem of users having to remember multiple usernames and passwords to access different systems. It involves centrally authenticating multiple systems against a federated user database.

Discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC) are three access control models that help companies design their access control structure. While they work with authentication technologies, they do not provide single sign-on authentication by themselves.

Remote Authentication Dial-In User Service (RADIUS) is a dial-up and virtual private network (VPN) user authentication protocol used to authenticate remote users. It provides centralized authentication and accounting features. Alone, it does not provide single sign-on authentication. RADIUS only encrypts password packets from the client to the server.

Single sign-on provides many advantages. It is an efficient logon method because users only have to remember one password and only need to log on once. Resources are accessed faster because users do not need to log in for each resource access. It lowers security administration costs because only one account exists for each user. It lowers setup costs because only one account needs to be created for each user. Single sign-on allows the use of stronger passwords.

Other technologies that provide single sign-on authentication are security domains, directory services, and thin clients.

” Users access your network using smart cards. Recently, hackers have uncovered the encryption key of a smart card using reverse engineering. Which smart card attack was used?
microprobing
software attack
fault generation
side-channel attack

Answer:
fault generation

Explanation:
Fault generation was used in this attack. Fault generation is a smart card attack that allows a hacker to uncover the encryption key using reverse engineering. This is accomplished by introducing an input voltage, clock rate, or temperature fluctuation error into the card. Comparison between the encryption functions that are produced when the error occurs versus when no error occurs helps with the reverse engineering process.

Microprobing is an intrusive smart card attack in which the card is physically manipulated until the ROM chip can be accessed.

A software attack uses an application to edit the card to allow a hacker to extract account information from the smart card. The hardware used in these attacks usually resembles legitimate smart card readers.

A side-channel attack examines the smart card communication process to discover confidential information. Some common side-channel attacks are differential power analysis, electromagnetic analysis, and timing attacks.

” You are training several IT professionals on security and access control. You need to explain to the professionals the most common form of identification and authentication. What identification and authentication mechanism should you explain?
biometrics
smart cards
two-factor authentication
user identification with reusable password

Answer:
user identification with reusable password

Explanation:
The most common form of identification and authentication is user identification with a reusable password. User identifications (IDs) and passwords are something a user knows.

Biometrics, while not the most common form of identification and authentication, is more secure than using user identification and passwords. Biometrics is something you are. A fingerprint, for instance, would be more secure than a password, because your fingerprint will never change.

Smart cards, which are something you have, are not commonly implemented because of the expense. However, they are more secure than using user identification and passwords. Smart cards are a Type II authentication factor. Common access cards are similar to smart cards and are used by the U.S. federal government for active-duty military personnel.

Two-factor authentication must include two of the following three categories: something you know (Type I), something you have (Type II), or something you are (Type III). Two-factor authentication is not as common as using user identification and passwords. Two-factor authentication is sometimes referred to as multi-factor authentication. Multi-factor authentication provides an additional layer of security when stored keys and passwords are not strong enough. Recently, some security professionals have started using two other authentication factors: somewhere you are and something you do. Somewhere you are is based on location, and something you do is based on your actions, such as how you strike the keys or sign a phrase.

Passwords are considered the weakest authentication mechanism. Passphrases are somewhat stronger because of their complexity.

When assessing identification and authentication controls, it is good practice to maintain a list of authorized users and their approved access levels. A password policy should be implemented that forces users to change their passwords at predefined intervals. User accounts should be terminated when employment is terminated or suspended while on vacation or leave. Account lockout policies can ensure that unsuccessful login attempts will eventually result in an account being locked out.

” What enables remote access users to log on to a network through a shared authentication database?
DES
IPSec
RADIUS
SSH

Answer:
RADIUS

Explanation:
Remote Authentication Dial-In User Service (RADIUS) enables remote access users to log on to a network through a shared authentication database. When a remote user logs on to a network that uses RADIUS, a RADIUS client sends the remote user’s credentials to a RADIUS server. The RADIUS server checks the credentials and sends a reply back to the RADIUS client. If the credentials are valid, the RADIUS client allows the remote user to log on to the network; if they are invalid, the RADIUS client denies the logon.

A war dialer program is typically used by attackers to access a company’s internal network through its remote access system.

Data Encryption Standard (DES) is a private key encryption standard that can be used to encrypt files. Internet Protocol Security (IPSec) can be used to digitally sign and encrypt Internet Protocol (IP) packets. Secure Shell (SSH) is a method for securing sessions between network computers. SSH is most often used in UNIX environments, but is also available for Windows and OS/2 computers.

” Which criteria can be used to restrict access to resources?
roles
groups
location
time of day
transaction type
all of the above choices
none of the choices

Answer:
all of the above choices

Explanation:
Roles, groups, location, time of day, and transaction type can all be used to restrict access to resources. Regardless of the criteria used, access administration can be simplified by grouping objects and subjects. Access control lists (ACLs) can be used to assign users, groups, or roles access to a particular resource. If you implement time of day restrictions with ACLs, security is improved.

Roles are based upon a subject’s job within the company. The roles are only granted those rights and privileges needed to complete job assignments.

Groups are created to incorporate users that need the same access permissions into one common entity. When these users need access to a resource, the permission is granted to the entire group. Using groups simplifies access control administration. Group-based privileges are best suited when assigning user rights to individuals in a sales department where there is a high turnover rate.

Locations can be used to restrict user access to resources by limiting the location from which a subject can log on. A Microsoft Windows domain can restrict user access to the domain by limiting the computers from which a user can log on to the domain. This is done by entering the names of the computers from which the user may access the domain in the user’s account properties.

Time of day can be used to restrict user access to resources by limiting the days and times during which a user is authorized to work. A Microsoft Windows user account can be edited to allow only certain login times.

Transaction type is a commonly used access restriction method in databases. Subjects are given access permissions based on transaction types. For example, a user may be allowed to view employee compensation, but not allowed to edit it.

” You need to implement an authentication system that verifies the identity of the users. Which type of authentication should you implement?
a retinal scan
a smart card
a password
a security token

Answer:
a retinal scan

Explanation:
You should implement a retinal scan. A retinal scan views the pattern of the blood vessels in a user’s retina to authenticate the user on a network. A retinal scan is a biometric authentication that can determine the identity of a user. Biometric authentication methods scan unique physical attributes to identify the user. All biometric methods, including retinal scans and fingerprint scans, are something that a user is.

A security token, a smart card, or a password cannot be used to guarantee the identity of the user who is using the authentication method.

A security token is a small device that generates single-use, time-sensitive passwords.

A smart card is a small plastic card that contains authentication information. A smart card or proximity card is something that a user has. A Common Access Card (CAC) is a Department of Defense smart card used by active-duty military personnel.

Passwords are another method for authenticating users. Passwords allow access to resources. A password or security token is something that a user knows.

An authentication system that uses physical security methods, biometric security methods, and knowledge-based security methods is known as a multi-factor authentication system.

” Your organization has been awarded a federal government contract. You have been instructed to set up a server with an operating system that will enforce the access control rules required by the federal government. Which access control method will be implemented?
role-based access control
mandatory access control
discretionary access control
identity-based access control

Answer:
mandatory access control

Explanation:
Mandatory access control (MAC) will be implemented. Security labels, such as secret, top secret, and so on, are used. This model requires that an operating system specifically designed for it be used to enforce its rules. These types of OSs are often referred to as trusted OSs. SELinux and Trusted Solaris are two examples of operating systems specifically designed for MAC environments.

Most standard operating systems can be used to enforce the other access control methods given. They can be implemented using user accounts, group accounts, and permissions.

Under MAC, only an administrator can change the category or classification of a subject or object. An access right that is expressly forbidden in the access control policy can never be granted in a MAC environment.

In role-based access control, access is based on the roles to which a user belongs. Discretionary access control is used when the data owner configures the appropriate permission for each user. Identity-based access control is not an access control type.

” Your organization has recently adopted a new organizational security policy. As part of this new policy, management has decided to implement an iris scanner for users wanting access to the secure data center. Which procedure does this scanner use to authenticate users?
It takes a picture of the user’s eye and compares the picture with pictures on file.
It scans the blood vessels in the user’s eye and compares the pattern with patterns on file.
It scans the shape of the user’s face and compares the face scan with faces on file.
It scans the user’s handwriting and compares the handwriting with a sample on file.

Answer:
It takes a picture of the user’s eye and compares the picture with pictures on file.

Explanation:
An iris scanner determines whether to authenticate a user by taking a picture of the iris of the user’s eye and comparing the picture with iris pictures on file.

A retinal scanner determines whether to authenticate a user by scanning the pattern of blood vessels in the user’s eye and comparing that pattern with patterns already on file. A retinal scanner has the lowest crossover error rate and is the most reliable biometric system.

A face recognition scanner determines whether to authenticate a user by scanning the user’s face and comparing that scan to face scans already on file.

A signature scanner determines whether to authenticate a user by comparing the shapes and stroke-timing of a person writing their signature with a signature pattern already on file.

Biometric access control is a security mechanism that makes use of hand scanners, fingerprints, retinal scanners, or DNA structure to identify the user.
