Chapter 2 Flashcards

(170 cards)

1
Q

Authentication proves:

A

an identity with some type of credentials such as a username and password

2
Q

What works together with identification to provide a comprehensive access management system?

A

Authentication

Authorization

Accounting

(AAA)

3
Q

Define authorization:

A

users are granted access to resources based on their proven identity

4
Q

Accounting methods:

A

track user activity and record the activity in logs

5
Q

An audit trail allows:

A

security professionals to re-create the events that preceded a security incident

6
Q

Implement one factor of authentication for:

A

basic authentication

7
Q

Implement two factors of authentication for:

A

secure authentication

8
Q

Implement three factors of authentication for:

A

higher security

9
Q

Some factors of authentication are:

A

something you know

something you have

something you are

somewhere you are

something you do

10
Q

Something you know authentication factor refers to:

A

a shared secret, such as a password or even a PIN

11
Q

A strong password is:

A

of sufficient length, doesn’t include words found in a dictionary or any part of a user’s name, and combines at least three of the four following character types:

Uppercase characters (26 letters A-Z)

Lowercase characters (26 letters a-z)

Numbers (10 numbers 0-9)

Special characters (32 printable characters, such as !, $, and *)

12
Q

Microsoft began recommending a best practice of setting the minimum password length to at least:

A

14 characters

13
Q

You can calculate the key space with the following formula:

A

C^n

14
Q

Security experts often mention that if you make a password too complex you make it:

A

less secure

15
Q

Windows domains use Group Policy to:

A

manage multiple users and computers in a domain.

16
Q

Group Policy allows an administrator to configure a setting once in a:

A

Group Policy Object (GPO) and apply this setting to many users and computers within the domain

17
Q

Active Directory Domain Services (AD DS) is a:

A

directory service Microsoft developed for Windows domain networks

18
Q

The great strength of Group Policy comes when you implement it in a:

A

Microsoft domain

19
Q

Organizational units (OUs) are used when:

A

Administrators use Group Policy to target specific groups of users or computers

20
Q

Password policies typically start as:

A

a written document that identifies the organization’s security goals related to passwords

21
Q

Password policy definitions:

Enforce password history

A

remembers past passwords and prevents the user from reusing previously used passwords

22
Q

Password policy definitions:

Maximum password age

A

defines when users must change their password

23
Q

Password policy definitions:

Minimum password age

A

defines how long users must wait before changing their password again

24
Q

Password policy definitions:

Minimum password length

A

enforces the character length of the password

25
Password policy definitions: Password must meet complexity requirements
require users to have complex passwords that include at least three of the four character types (uppercase letters, lowercase letters, numbers, and special characters)
26
Password policy definitions: Store passwords using reversible encryption
stores the password in such a way that the original password can be discovered
27
What is included in the Password Policy in Windows?
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
28
Accounts will typically have lockout policies to:
prevent users from guessing the password
29
Two key phrases associated with account lockout policies are:
Account lockout threshold
Account lockout duration
30
Account lockout threshold is:
the maximum number of times a user can enter the wrong password. When the user exceeds the threshold, the system locks the account
31
Account lockout duration indicates:
how long an account remains locked. If the duration is set to 0, the account remains locked until an administrator unlocks it
32
Something you have authentication factor refers to:
something you can physically hold
33
Smart cards are:
credit card-sized cards that have an embedded microchip and a certificate.
34
How do you use a smart card?
Users insert the smart card into a smart card reader, which reads the information on the card, including the details from the certificate, which provides certificate-based authentication.
35
Smart card provides:
confidentiality, integrity, authentication, and non-repudiation
36
Requirements for a smart card are:
Embedded certificate
Public Key Infrastructure (PKI)
37
An Embedded certificate holds:
a user's private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others).
38
Public Key Infrastructure (PKI) supports:
issuing and managing certificates
39
A Common Access Card (CAC) is:
a specialized type of smart card used by the U.S. Department of Defense.
40
A Personal Identity Verification (PIV) card is:
a specialized type of smart card used by
41
A token or key fob is:
an electronic device about the size of a remote key for a car. They include an LCD that displays a number, and this number changes periodically, such as every 60 seconds
42
A Hash-based Message Authentication Code (HMAC) uses:
a hash function and cryptographic key for many different cryptographic functions
43
A HMAC-based One-Time Password (HOTP) is:
an open standard used for creating one-time passwords, similar to those used in tokens or key fobs
44
A Time-based One-Time Password (TOTP) is:
similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP typically expire after 30 seconds
45
Something you are authentication factor uses:
biometrics for authentication
46
Biometric methods are:
the strongest form of authentication because they are the most difficult for an attacker to falsify
47
Some examples of biometrics are:
fingerprint scanners
retina scanners
iris scanners
voice recognition
facial recognition
48
Retina scanners:
scan the retina of one or both eyes and use the pattern of blood vessels at the back of the eye for recognition
49
Iris scanners:
use camera technologies to capture the patterns of the iris around the pupil for recognition
50
Voice recognition methods:
identify who is speaking using speech recognition methods to identify different acoustic features
51
Facial recognition systems:
identify people based on facial features
52
Two biometric false readings are:
False acceptance
False rejection
53
False acceptance happens when:
a biometric system incorrectly identifies an unauthorized user as an authorized user
54
The false acceptance rate (FAR) identifies:
the percentage of times false acceptance occurs
55
False rejection happens when:
a biometric system incorrectly rejects an authorized user
56
The false rejection rate (FRR) identifies:
the percentage of times false rejections occur
57
Increasing the sensitivity of a biometric system:
decreases the number of false matches and increases the number of false rejections
58
Decreasing the sensitivity of a biometric system:
increases the false matches and decreases the false rejections
59
The Crossover error rate (CER) for two biometric systems is:
the point where the FAR crosses over the FRR. A lower CER indicates that the biometric system is more accurate
60
Somewhere you are authentication factor identifies:
a user's location
61
Geolocation is:
a group of technologies used to identify a user's location and is the most common method used for the somewhere you are authentication factor
62
Many authentication systems use the:
Internet Protocol (IP) address for geolocation
63
The something you do authentication factor refers:
to actions you can take such as gestures on a touch screen, how you write or type
64
Dual-factor authentication uses:
two different factors of authentication
65
Multifactor authentication uses:
two or more factors of authentication
66
Kerberos is:
a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms
67
Kerberos provides:
mutual authentication that can help prevent man-in-the-middle attacks and uses tickets to help prevent replay attacks
68
Kerberos includes several requirements for it to work properly. They are:
A method of issuing tickets used for authentication
Time synchronization
A database of subjects or users
69
The Key Distribution Center (KDC) uses:
a complex process of issuing ticket-granting tickets (TGTs) and other tickets. The KDC packages user credentials within a ticket. Tickets provide authentication for users when they access resources such as files on a file server.
70
Kerberos version 5 requires:
all systems to be synchronized and within five minutes of each other
71
When a user logs on with Kerberos, the KDC issues the user a:
ticket-granting ticket, which typically has a lifetime of 10 hours to be useful for a single workday.
72
New Technology LAN Manager (NTLM) is:
a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems
73
There are three versions of NTLM:
NTLM
NTLMv2
NTLM2 Session
74
NTLM is:
a simple MD4 hash of a user's password
75
NTLMv2 is:
a challenge-response authentication protocol. When a user attempts to log on, NTLMv2 creates an HMAC-MD5 hash composed of a combination of the username, the logon domain name, the user's password, the current time, and more.
76
NTLM2 Session:
improves NTLMv2 by adding in mutual authentication. In other words, the client authenticates with the server, and the server also authenticates with the client.
77
Lightweight Directory Access Protocol (LDAP) specifies:
formats and methods to query directories
78
LDAP Secure (LDAPS) uses:
encryption to protect LDAP transmissions. When a client connects with a server using LDAPS, the two systems establish a Transport Layer Security (TLS) session before transmitting any data
79
Transport Layer Security (TLS):
encrypts the data before transmission
80
Single sign-on (SSO) refers to:
the ability of a user to log on or access multiple systems by providing credentials only once
81
A transitive trust creates:
an indirect trust relationship
82
The Security Assertion Markup Language (SAML) is:
an Extensible Markup Language (XML)- based data format used for SSO on web browsers
83
Two organizations that trust each other can use:
SAML as a federated identity management system. Users authenticate with one web site and are not required to authenticate again when accessing the second web site
84
SAML defines three roles:
Principal
Identity provider
Service provider
85
The SAML Principal role is:
typically a user that logs on once
86
The SAML Identity provider:
creates, maintains, and manages identity information for principals
87
The SAML Service provider is:
an entity that provides services to principals.
88
A federation requires:
a federated identity management system that all members of the federation use.
89
Shibboleth is:
a federated identity solution that is open source and freely available, making it a more affordable solution than some of the commercially available federated identity solutions
90
OAuth is:
an open standard for authorization many companies use to provide secure access to protected resources.
91
OpenID Connect works with:
OAuth 2.0 and it allows clients to verify the identity of end users without managing their credentials
92
Account management is concerned with:
the creation, management, disablement, and termination of accounts.
93
The principle of least privilege is:
an example of a technical control implemented with access controls
94
Least privilege specifies:
that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more
95
The common types of accounts used within a network are:
End user accounts
Privileged accounts
Guest accounts
Service accounts
96
End user accounts are for:
regular users
97
Privileged accounts have:
additional rights and privileges beyond what a regular user has
98
Guest accounts are for:
someone with limited access to a computer or network without having to create a new account
99
Service accounts are for:
some applications and services that need to run under the context of an account
100
One of the challenges with service accounts is that:
they often aren't managed
101
It's common to require administrators to have how many accounts?
2. One for regular day-to-day work and the other to perform administrative work
102
What is the benefit of requiring administrators to have 2 accounts?
It reduces the exposure of the administrative account to an attack
103
A Standard naming convention ensures:
user account names and email addresses are created similarly. For example, first name, a dot, and the last name.
104
Account management policies often dictate that:
personnel should not use shared or generic accounts.
105
When can't you implement basic authorization controls?
When multiple users share a single account
106
Four key concepts of basic authorization controls are:
Identification
Authentication
Authorization
Accounting
107
Define Identification:
users claim an identity with an identifier such as a username
108
Define authentication:
users prove their identity using an authentication method such as a password
109
Define authorization:
users are authorized access to resources based on their proven identity
110
Define accounting:
Logs record activity using the users' claimed identity
111
A single, temporary user logging on with a Guest account does:
support identification, authentication, authorization, and accounting
112
A disablement policy specifies:
how to manage accounts in different situations
113
Disabling is preferred over:
deleting the account initially because it retains any encryption and security keys associated with the account
114
Some contents of an account disablement policy include:
Terminated employee
Leave of absence
Delete account
115
Terminated employee account disablement policy specifies:
that accounts for ex-employees are disabled as soon as possible
116
Leave of absence account disablement policy specifies:
if an employee will be absent for an extended period, the account should be disabled while the employee is away.
117
Delete account account disablement policy specifies:
when the organization determines the account is no longer needed, administrators delete it
118
The two primary account recovery scenarios are:
Enable a disabled account
Recover a deleted account
119
Enabling a disabled account requires administrators to:
reset the user's password and take control of the account, pass it to a supervisor/manager,
120
Recovering a deleted account is more complex than:
creating another account with the same name
121
Time-of-day restrictions specify:
when users can log on to a computer
122
Location-based policies restrict:
access based on the location of the user
123
Within a network, it's possible to restrict access based on:
computer names and MAC addresses
124
It's possible to set user accounts to expire automatically. When the account expires, the:
system disables it, and the user is no longer able to log on using the account
125
Account maintenance is often done with:
scripts to automate the process
126
Account maintenance includes:
deleting accounts that are no longer needed
127
A credential is:
a collection of information that provides an identity (such as a username) and proves that identity (such as a password)
128
Credential management systems help:
users store these credentials securely
129
Access control ensures that:
only authenticated and authorized entities can access resources
130
Some examples of access control are:
Role-based access control (role-BAC)
Rule-based access control (rule-BAC)
Discretionary access control (DAC)
Mandatory access control (MAC)
Attribute-based access control (ABAC)
131
Often when using any of the access control models, you'll run across the following terms:
Subjects
Objects
132
Subjects are:
typically users or groups that access an object
133
Objects are:
items such as files, folders, shares, and printers that subjects access
134
Role-based access control (role-BAC) uses:
roles to manage rights and permissions for users.
135
When an administrator adds a user to a role in a role-BAC the user has:
all the rights and permissions of that role
136
Microsoft Project Server can host:
multiple projects managed by different project managers.
137
Microsoft Project Server includes the following roles:
Administrators
Executives
Project Managers
Team Members
and more
138
Microsoft Project Server Administrators have:
complete access and control over everything on the server, including all of the projects managed on the server
139
Microsoft Project Server Executives can:
access data from any project held on the server, but do not have access to modify system settings on the server
140
Microsoft Project Server Project Managers have:
full control over their own projects, but do not have any control over projects owned by other project managers
141
Microsoft Project Server Team Members can:
typically report on work that project managers assign to them, but they have little access outside the scope of their assignments
142
A matrix is a:
planning document that matches the roles with required privileges
143
In a Hierarchy-based Role-BAC:
top-level roles have significantly more permissions than lower-level roles. Roles may mimic the hierarchy of an organization
144
In a Job-, task-, or function-based Role-BAC:
roles are centered on jobs or functions that users need to perform
145
Group-based access control (Windows systems refer to these as security groups):
simplifies user administration by allowing access based on roles or groups
146
Rule-based access control (Rule-BAC) is based on:
a set of approved instructions, such as an access control list
147
In the Discretionary access control (DAC) model,
every object (such as files and folders) has an owner, and the owner establishes access for the objects.
148
A common example of the DAC model is the
New Technology File System (NTFS) used in Windows
149
The NTFS used in Windows provides:
security by allowing users and administrators to restrict access to files and folders with permissions
150
Microsoft systems identify users with:
security identifiers (SIDs)
151
A security identifier (SID) is:
a long string of characters that is meaningless to most, therefore the system looks up the name associated with the SID and displays the name
152
Every object (such as a file or folder) includes a:
discretionary access control list (DACL) that identifies who can access it in a system using the DAC model
153
The Discretionary access control list (DACL) is a:
list of Access Control Entries (ACEs)
154
Each Access Control Entry (ACE) is:
composed of a SID and the permission(s) granted to the SID
155
If users create a file, they are designated as:
the owner and have explicit control over the file. They can then modify the permissions on the object by adding user or group accounts to the DACL and assigning the desired permission
156
An inherent flaw associated with the DAC model is the:
susceptibility to Trojan horses
157
Trojan horses are:
executable files that masquerade as something useful but include malware
158
In the mandatory access control (MAC) model, security administrators assign:
labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don't match, the access model blocks access
159
Security-enhanced Linux (SELinux) is:
one of the few operating systems using the mandatory access control model.
160
The Mandatory Access Control (MAC) model uses:
different levels of security to classify both users and the data. These levels are defined in a lattice.
161
The lattice can be:
a complex relationship between different ordered sets of labels. These labels define the boundaries for the security levels
162
An administrator is responsible for:
establishing access, but only someone at a higher authority can define the access for subjects and objects
163
Establishing Access steps:
1. A security professional identifies the specific access individuals are authorized to access via paperwork
2. The administrator assigns rights based on the direction of the security professional
3. Multiple approval levels are usually involved in the decision-making process
4. Once an individual is formally granted access, a network administrator would be responsible for establishing access based on the clearances identified by the security professional
164
An attribute-based access control (ABAC) evaluates:
attributes and grants access based on the value of these attributes, when the system detects a match in the policy
165
Attributes can be:
almost any characteristic of a user, the environment, or the resource.
166
Many software defined networks (SDNs) use:
attribute-based access control (ABAC) models
167
Policy statements typically include four elements:
Subject
Object
Action
Environment
168
Action is:
what the user is attempting to do, such as reading or modifying a file, accessing specific web sites, and accessing web site applications
169
Environment includes:
everything outside of the subject and object attributes
170
An ABAC system has:
a lot of flexibility and can enforce both a DAC and a MAC model