Chapter 2

Question 1

Authentication, authorization, and accounting (AAA)

Answer 1

If you understand identification (claiming an identity, such as with a username) and authentication (proving the identity, such as with a password),

Question 2

Accounting

Answer 2

track user activity and record the activity in logs.

Question 3

audit trail

Answer 3

re-create the events that preceded a security incident.

Question 4

Authentication Factors

Answer 4

Something you know, such as a password or (PIN)

Something you have, such as a smart card or USB token •

Something you are, such as a fingerprint or other biometric identification •

Somewhere you are, such as your location using geolocation technologies •

Something you do, such as gestures on a key pad

Question 5

something you know authentication

Answer 5

shared secret, such as a password or even a PIN.

the least secure form of authentication

Question 6

Group Policy

Answer 6

manage multiple users and computers in a domain.

Administrators use it to create password policies, implement security settings, configure host-based firewalls, and much more.

Administrators also use Group Policy to target specific groups of users or computers.

Question 7

Group Policy Object (GPO)

Answer 7

allows an administrator to configure a setting once in a GPO and apply this setting to many users and computers

Question 8

Active Directory Domain Services

AD DS)

Answer 8

directory service Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Administrators implement domain Group Policy on domain controllers.

Question 9

Something You Have authentication

Answer 9

refers to something you can physically hold. This section covers many of the common items in this factor, including smart cards, Common Access Cards, and hardware tokens. It also covers two open source protocols used with both hardware and software tokens.

Question 10

Embedded certificate.

Answer 10

The embedded certificate holds a user’s private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others). The private key is used each time the user logs on to a network.

Question 11

Public Key Infrastructure (PKI).

Answer 11

supports issuing and managing certificates.

Question 12

dual-factor authentication

Answer 12

users have something (the smart card) and know something (such as a password or PIN).

Question 13

(CAC)

Answer 13

Common Access Card

Question 14

(PIV)

Answer 14

Personal Identity Verification

Question 15

token or key fob

Answer 15

token is synced with a server that knows what the number is at any moment.

Question 16

Hash-based Message Authentication Code (HMAC)

Answer 16

uses a hash function and cryptographic key for many different cryptographic functions.

Question 17

One-Time Password (HOTP)

Answer 17

open standard used for creating one-time passwords, similar to those used in tokens or key fobs.

Does not expire until used

Question 18

Time-based One-Time Password

Answer 18

(TOTP) is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP typically expire after 30 seconds.

Question 19

something you are authentication

Answer 19

uses biometrics (physical characteristic) for authentication. Biometric methods are the strongest form of authentication

Question 20

Biometric Errors

Answer 20

False acceptance. This is when a biometric system incorrectly identifies an unauthorized user as an authorized user. (FAR false acceptance rate)

False rejection. This is when a biometric system incorrectly rejects an authorized user. The false rejection rate (FRR, also known as a false nonmatch rate)

Question 21

somewhere you are authentication

Answer 21

identifies a user’s location. Geolocation is a group of technologies used to identify a user’s location and is the most common method used

Many authentication systems use the Internet Protocol (IP) address for geolocation.

Question 22

something you do authentication

Answer 22

refers to actions you can take such as gestures on a touch screen.

Question 23

Multifactor authentication

Answer 23

uses two or more factors of authentication.

Question 24

Kerberos

Answer 24

network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms.

provides mutual authentication that can help prevent man-in-the- middle attacks and uses tickets to help prevent replay attacks.

uses a database of objects such as Active Directory and a KDC (or TGT server) to issue timestamped tickets that expire after a certain time period.

uses a ticket-granting ticket (TGT) server, which creates tickets for authentication.

Question 25

New Technology LAN Manager (NTLM)

Answer 25

protocols that provide authentication, integrity, and confidentiality within Windows systems. At their most basic, they use a Message Digest hashing algorithm to challenge users and check their credentials. There are three versions of NTLM: NTLM, NTLMv2, NTLM2

Question 26

NTLM

Answer 26

simple MD4 hash of a user’s password. MD4 has been cracked and neither NTLM nor MD4 are recommended for use today.

Question 27

NTLMv2

Answer 27

NTLMv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain name (or computer name), the user’s password, the current time, and more.

Question 28

NTLM2

Answer 28

mutual authentication. In other words, the client authenticates with the server, and the server also authenticates with the client.

Question 29

Lightweight Directory Access Protocol (LDAP)

Answer 29

specifies formats and methods to query directories. LDAP string: LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com • CN=Homer. CN is short for common name. •     CN=Users. CN is sometimes referred to as container DC=GetCertifiedGetAhead. DC is short for domain component. DC=com. This is the second domain

Question 30

(LDAPS)

Answer 30

uses encryption to protect LDAP transmissions. When a client connects with a server using LDAPS, the two systems establish a Transport Layer Security (TLS) session before transmitting any data. TLS encrypts the data before transmission.

Question 31

Single sign-on (SSO)

Answer 31

refers to the ability of a user to log on or access multiple systems by providing credentials only once.

Question 32

transitive trust

Answer 32

creates an indirect trust relationship.

Question 33

Security Assertion Markup Language (SAML)

Answer 33

if the organizations trust each other, they can use SAML as a federated identity management system. Users authenticate with one web site and are not required to authenticate again when accessing the second web site. SAML provides SSO for web-based applications.

Question 34

Principal.(SAML)

Answer 34

This is typically a user. The user logs on once. If necessary, the principal requests an identity from the identity provider.

Question 35

An identity provider SAML

Answer 35

An identity provider creates, maintains, and manages identity information for principals.

Question 36

Service provider.

Answer 36

A service provider is an entity that provides services to principals.

Question 37

A federation

Answer 37

federated identity links a user’s credentials from different networks or operating systems, but the federation treats it as one identity.

Question 38

OAuth

Answer 38

open standard for authorization many companies use to provide secure access to protected resources. Instead of creating a different account for each web site you access, you can often use the same account that you’ve created with Google, Facebook, PayPal, Microsoft, or Twitter.

Question 39

OpenID Connect

Answer 39

works with OAuth 2.0 and it allows clients to verify the identity of end users without managing their credentials.

Question 40

Need to Know

Answer 40

users are granted access only to the data and information that they need to know for their job. focused on data and information,

Question 41

End user accounts.

Answer 41

Most accounts are for regular users. Administrators create these accounts and then assign appropriate privileges based on the user’s job responsibilities. Microsoft refers to this as a Standard user account.

Question 42

Privileged accounts.

Answer 42

has additional rights and privileges beyond what a regular user has.

Question 43

Guest accounts.

Answer 43

Windows operating systems include a Guest account. These are useful if you want to grant someone limited access to a computer or network without creating a new account.

Question 44

Service accounts.

Answer 44

Some applications and services need to run under the context of an account One of the challenges with service accounts is that they often aren’t managed.

Question 45

naming convention

Answer 45

homer.simpson and bart.simpson.

Question 46

administrators to use two accounts,

Answer 46

helps prevent privilege escalation attacks. Users should not use shared accounts.

Question 47

credential

Answer 47

is a collection of information that provides an identity (such as a username) and proves that identity (such as with a password).

Question 48

Access control

Answer 48

ensures that only authenticated and authorized entities can access resources. For example, it ensures that only authenticated users who have been granted appropriate permissions can access files on a server.

Question 49

Subjects.

Answer 49

Subjects are typically users or groups that access an object. Occasionally, the subject may be a service that is using a service account to access an object.

Question 50

Objects.

Answer 50

Objects are items such as files, folders, shares, and printers that subjects access.

Question 51

Role-based access control (role-BAC)

Answer 51

uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions.

Question 52

Administrators.

Answer 52

have complete access and control over everything on the server, including all of the projects managed on the server.

Question 53

Executives.

Answer 53

Executives can access data from any project held on the server, but do not have access to modify system settings on the server.

Question 54

Project Managers.

Answer 54

Project managers have full control over their own projects, but do not have any control over projects owned by other project managers.

Question 55

Team Members.

Answer 55

Team members can typically report on work that project managers assign to them, but they have little access outside the scope of their assignments.

Question 56

Group-based privileges

Answer 56

reduce the administrative workload of access management.

Question 57

Rule-based access control (rule-BAC)

Answer 57

Routers and firewalls use rules within access control lists (ACLs). These rules define the traffic that the devices allow into the network, such as allowing Hypertext Transfer Protocol (HTTP) traffic for web browsers. These rules are typically static. based on a set of approved instructions, such as an access control list.

Question 58

discretionary access control (DAC)

Answer 58

New Technology File System (NTFS) used in Windows. NTFS provides security by allowing users and administrators to restrict access to files and folders with permissions.

Question 59

Trojan horses

Answer 59

are executable files. They masquerade as something useful, but they include malware.

Question 60

mandatory access control (MAC)

Answer 60

uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access model blocks access. uses sensitivity labels for users and data. It is commonly used when access needs to be restricted based on a need to know.

Question 61

attribute-based access control (ABAC)

Answer 61

evaluates attributes and grants access based on the value of these attributes. commonly used in software defined networks (SDNs).