Chapter 3 Identity and Access Management

Question 1

What is the most common form of authentication that is most likely to be entered incorrectly?

Answer 1

A password is most likely to be entered incorrectly; the user may forget the password or may have the Caps Lock key on by accident.

Question 2

When you purchase a new wireless access point, what should you do first?

Answer 2

When purchasing any device, you should change the default username and password as many of these are available on the internet and could be used to access your device

Question 3

What is password history?

Answer 3

Password history determines the number of passwords you can use before you can reuse your current password. Some third-party applications or systems may call this a password reuse list

Question 4

How can you prevent someone from reusing the same password?

Answer 4

Password history could be set up and combined with a minimum password age to prevent password reuse. If you set the minimum password age to 1 day, a user could only change their password a maximum of once per day. This would prevent them from rotating their passwords to come back to the old password.

Question 5

Explain what a complex password requires.

Answer 5

A complex password uses three of the following: uppercase and lowercase letters, numbers, and special characters not used in programming.

Question 6

How can you prevent a hacker from inserting a different password many times?

Answer 6

If you set up an account lockout with a low value, such as 3, the hacker needs to guess your password within three attempts, or the password is locked out and the user account is disabled

Question 7

What type of factor authentication is a smart card?

Answer 7

A smart card is a multi-factor authentication; the card is something you have, inserting it into a card reader is something you do, and the PIN is something you know

Question 8

How many factors is it if you have a password, PIN, and date of birth?

Answer 8

A password, PIN, and date of birth are all factors that you know; therefore, it is single-factor.

Question 9

What is biometric authentication?

Answer 9

Biometric authentication refers to the use of a part of your body or voice for authentication-for example, your iris, retina, palm, or fingerprint

Question 10

What authentication method can be used by two third parties that participate in a joint venture?

Answer 10

Federated services are an authentication method that can be used by two third parties; this uses SAML and extended attributes, such as an employee’s ID or email address

Question 11

Name an XML-based authentication protocol

Answer 11

Security Assertion Mark-up Language (SAML) is an XML-based authentication protocol used with federated services.

Question 12

What is Shibboleth?

Answer 12

Shibboleth is an open-source Federation Services protocol.

Question 13

What protocol is used to store and search for Active Directory objects?

Answer 13

Lightweight Directory Authentication Protocol (LDAP) is used to store objects in X500 format and search Active Directory objects such as users, printers, groups, or computers.

Question 14

What is the format of a distinguished name for a user called Fred who works in the IT department for a company with a domain called Company A that is a dotcom?

Answer 14

A distinguished name in the ITU X500 object format is cn=Fred, ou=IT, dc=Company, dc-Com.

Question 15

What authentication factor uses tickets, timestamps, and updated sequence numbers and is used to prevent replay attacks?

Answer 15

Kerberos authentication protocol is the only one that uses tickets as well as timestamps and updated sequence numbers to prevent replay attacks. It also prevents pass-the-hash attacks as it does not use NTLM but stores the account details in an encrypted database.

Question 16

What is a Ticket Granting Ticket (TGT) session?

Answer 16

A Ticket-Granting Ticket (TGT) session is a process by which a user logs in to an Active Directory domain using Kerberos authentication and receives a service ticket REL.

Question 17

What is single sign-on? Give two examples.

Answer 17

Single sign-on is an authentication scheme wherein a user inserts their credentials only once and accesses different resources, such as email and files, without needing to re-enter their credentials. Examples of this are Kerberos and Federation Services.

Question 18

How can you prevent a pass-the-hash attack?

Answer 18

Pass-the-hash attacks exploit older systems such as Microsoft NT4.0, which uses NT LAN Manager. You can prevent this by enabling Kerberos or disabling NTLM

Question 19

Give an example of when you would use Open ID Connect.

Answer 19

You would use OpenID Connect to access a device or portal using your Facebook, Twitter, Google, or Hotmail credentials. The portal itself does not manage the account.

Question 20

Name two AAA servers and the ports associated with them.

Answer 20

The first AAA server is RADIUS, using UDP port 1812. It is seen as non-proprietary. The second is TACACS+ and uses TCP port 49. Diameter is a more modern secure form of RADIUS that is TCP-based and uses EAP.

Question 21

What is used for accounting in an AAA server?

Answer 21

Accounting for an AAA server pertains to documenting when someone logs in and out. This can be used for billing purposes. Accounting information is normally logged into a database such as SQL. RADIUS Accounting uses UDP port 1813.

Question 22

What is the purpose of a VPN solution?

Answer 22

A VPN solution creates a secure connection from a remote location to your corporate network or vice versa. The most secure tunneling protocol is L2TP/IPSec.

Question 23

Why should you never use PAP authentication?

Answer 23

PAP authentication uses a password in clear text which could be captured easily by a packet sniffer

Question 24

What type of device is an iris scanner?

Answer 24

An iris scanner is a physical device used for biometric authentication.

Question 25

Name two possible weaknesses of facial recognition software?

Answer 25

Facial recognition could be affected by light or turning your head slightly to one side, and some older facial recognition systems erroneously accept photographs. Microsoft Windows Hello is much more secure as it uses infrared and is not fooled by a photograph or affected by light.

Question 26

What is Type II in biometric authentication and why is it a security risk?

Answer 26

Type II in biometric authentication is False Acceptance Rate, where people that are not permitted to access your network are given access.

Question 27

Name a time-limited password type.

Answer 27

Time-Based One-Time Password (TOTP) has a short time limit of 30-60 seconds.

Question 28

How many times can you use an HOTP password? Is there a time restriction associated with it?

Answer 28

HOTP is a one-time password that does not expire until it is used.

Question 29

How does a CAC differ from a smart card and who uses CAC?

Answer 29

A CAC is similar to a smart card as it uses certificates, but the CAC is used by the military and has a picture and the details of the user on the front, as well as their blood group and Geneva convention category on the reverse side.

Question 30

What is a port-based authentication that authenticates both users and devices?

Answer 30

IEE802.1x is port-based authentication that authenticates both users and devices.

Question 31

What type of account is a service account?

Answer 31

A service account is a type of administrative account that allows an application to have a higher level of privileges to run on a desktop or server. An example of this is using a service account to run an antivirus application.

Question 32

How many accounts should a system administrator for a multinational corporation have and why?

Answer 32

A system administrator should have two accounts: a user account for day-to-day tasks, and an administrative account for administrative tasks.

Question 33

What do you need to do when you purchase a baby monitor and why?

Answer 33

When you purchase a baby monitor, you should rename the default administrative account and change the default password to prevent someone from using it to hack into your home. This is known as an Internet of Things (IoT) item.

Question 34

What is a privileged account?

Answer 34

A privileged account is an account with administrative rights.

Question 35

What is the drawback for security if the company uses shared accounts?

Answer 35

When monitoring and auditing are carried out, the employees responsible cannot be traced when using shared accounts. Shared accounts should be eliminated for monitoring and auditing purposes.

Question 36

What is a default account? Is it a security risk?

Answer 36

Default accounts and passwords for devices and software can be found on the internet and used to hack your network or home devices. Ovens, TVs, baby monitors, and refrigerators are examples, and therefore pose a security risk.

Question 37

The system administrator in a multinational corporation creates a user account using an employee’s first name and last name. Why are they using the same details from each person?

Answer 37

The system administrator is using a standard naming convention.

Question 38

What two actions do you need to complete when John Smith leaves the company?

Answer 38

When John Smith leaves the company, you need to disable his account and reset the password. Deleting the account will prevent access to the data he used.

Question 39

What is account recertification?

Answer 39

Account recertification is an audit of user accounts and permissions that are usually carried out by an auditor. This is also referred to as a user account review.

Question 40

What is the purpose of a user account review?

Answer 40

A user account review ensures that old accounts have been deleted and that all current users have the appropriate access to resources and not a higher level of privilege.

Question 41

What can you implement to find out immediately when a user is placed in a group that may give them a higher level of privileges?

Answer 41

A SIEM system can carry out active monitoring and notify the administrators of any changes to user accounts or logs.

Question 42

What will be the two possible outcomes if an auditor finds any working practices that do not conform to the company policy?

Answer 42

Following an audit, either change management or a new policy will be put in place to rectify any area not conforming to company policy.

Question 43

If a contractor brings in five consultants for two months of mail server migration, how should you set up their accounts?

Answer 43

The contractor’s account should have an expiry date equal to the last day of the contract

Question 44

How can you ensure that the contractors in Question 43 can only access the company network from 9 a.m. - 5 p.m. daily?

Answer 44

Rule-based access should be adopted so that the contractors can access the company network between 9 a.m. and 5 p.m. daily

Question 45

If you have a company that has five consultants who work in different shift patterns, how can you set up their accounts so that each of them can only access the network during their individual shifts?

Answer 45

Time and day restrictions should be set up against each individual’s user account matching their shift pattern.

Question 46

A brute-force attack cracks a password using all combinations of characters and will eventually crack a password. What can you do to prevent a brute-force attack?

Answer 46

Account Lockout with a low value will prevent brute-force attacks.

Question 47

The IT team has a global group called IT Admin; each member of the IT team is a member of this group and therefore has full control access to the departmental data. Two new apprentices are joining the company and they need to have read access to the IT data. How can you achieve this with the minimum amount of administrative effort?

Answer 47

Create a group called IT apprentices, and then add the apprentices’ accounts to the group. Give the group read access to the IT data.

Question 48

You have different login details and passwords to access Airbnb, Twitter, and Facebook, but you keep getting them mixed up and have locked yourself out of these accounts from time to time. What can you implement on your Windows 10 laptop to help you?

Answer 48

The credential manager can be used to store generic and Windows 10 accounts. The user, therefore, does not have to remember the account details.

Question 49

You have moved departments, but the employees in your old department still use your old account for access; what should the company have done to prevent this from happening? What should their next action be?

Answer 49

The company should have disabled the account and reset the password. A user account review needs to be carried out to find accounts in a similar situation.

Question 50

What is the purpose of the ssh-copy-id command?

Answer 50

To copy and install the public key on the SSH server and add it to the list of authorized keys

Question 51

Describe the process of impossible time travel.

Answer 51

This is where a user logs in to a device from one location, and then they log in from another location shortly afterward, where it would be impossible to travel that distance in the time between logins

Question 52

When you log in to your Dropbox account from my phone, you get an email asking you to confirm that this was a legal login. What have you been subjected to?

Answer 52

This is known as a risky login as you have used a secondary device to log in to Dropbox.

Question 53

What is the purpose of a password vault and how secure is it?

Answer 53

A password vault is an application that stores passwords using AES-256 encryption and it is only as secure as the master key.

Question 54

What type of knowledge-based authentication would a bank normally use?

Answer 54

They would use a dynamic KBA that would ask you details about your account that are not previously stored questions.

Question 55

What is the difference between FAR and FRR?

Answer 55

FAR allows unauthorized user access, and FRR rejects authorized user access.

Question 56

What is a solution that helps protect privileged accounts?

Answer 56

Privileged Access Management is a solution the stores the privileged account in a bastion domain to help protect them from attack.

Question 57

What is the danger to households with IoT devices?

Answer 57

Some people don’t realize that there are generic accounts controlling the devices that make them vulnerable to attack.

Question 58

Why do cloud providers adopt a zero-trust model?

Answer 58

Some devices (for example, an iPad) do not belong to a domain , so every connection should be considered unsafe.

Question 59

Which authentication model gives access to a computer system even though the wrong credentials are being used?

Answer 59

Biometric authentication allows unauthorized users access to the system.