Module 13 - Access Control Flashcards

(126 cards)

1
Q: Which type of control prevents direct contact with systems by using physical barriers like doors, guards, and fences?
A: Physical access control

2
Q: Which type of access control includes policies, procedures, and personnel-based practices?
A: Administrative access control

3
Q: Which category of access control includes encryption, smart cards, and firewalls?
A: Logical access control

3
Q: Which type of control determines who can enter or exit a facility, when, and where?
A: Physical access control
4
Q: Which system uses a sequence of locked doors to trap and screen individuals entering a secure area?
A: A mantrap

5
Q: Which list defines allowed or denied traffic on a network based on rules?
A: ACLs (Access Control Lists)

5
Q: Which method converts readable data into unreadable form to protect confidentiality?
A: Encryption

6
Q: Which mechanism sets error thresholds, triggering a warning when exceeded?
A: A clipping level
6
Q: Which type of statement expresses the intent behind an organization's security decisions?
A: Policies

6
Q: Which practice involves organizing data based on levels of confidentiality or impact?
A: Data classification

6
Q: Which set of rules governs how data is exchanged between devices?
A: Protocols

6
Q: Which document provides detailed, step-by-step instructions to perform a specific task?
A: Procedures
7
Q: Which AAA function confirms a user's identity before access is granted?
A: Authentication

7
Q: Which AAA function determines what resources a verified user can access and what actions they can perform?
A: Authorization

7
Q: Which is the most common method used to identify a user in an access control system?
A: Username

8
Q: Which model allows users from different enterprises to use the same credentials to access multiple networks?
A: FIM (Federated Identity Management)
8
Q: Which AAA function logs and monitors user actions, access duration, and system changes?
A: Accounting

9
Q: Which security concept involves tracing an action back to a person or process and reporting the usage data?
A: Accountability

9
Q: Which process enforces the rules of the authorization policy by ensuring only recognized users can perform allowed actions?
A: Identification

10
Q: Which password characteristics are recommended for security? (4)
A: At least 8 characters, a mix of uppercase and lowercase letters, special characters, and numbers
10
Q: Which identity system links a user's electronic identity across different identity management domains?
A: FIM (Federated Identity Management)

11
Q: What do we call a cyberattack where the initial compromise of one system leads to the compromise of other interconnected systems, creating a chain reaction of failures?
A: A cascading attack

11
Q: What is the primary risk associated with federated identity management across multiple enterprises?
A: Increased vulnerability to cascading attacks

12
Q: Which small device typically used in 2FA displays a temporary number after inputting a PIN or card?
A: A security key fob
13
Q: Which type of biometric identifier includes voice patterns, gestures, or typing rhythm?
A: Behavioral biometrics

13
Q: Which type of biometric identifier includes fingerprints, DNA, retina, or facial features?
A: Physiological biometrics

14
Q: Which authentication approach combines at least two distinct verification methods?
A: MFA (Multi-factor authentication)

15
Q: Which files are used to record details like login times, failures, and accessed resources?
A: Log files

16
Q: Which security model assumes that no access request should be trusted until verified, regardless of origin?
A: Zero trust security

17
Q: What guiding principle defines Zero Trust Security's core philosophy?
A: "Never trust, always verify"

18
Q: Which pillar of Zero Trust covers employees, contractors, partners, and vendors accessing work apps on personal or managed devices?
A: Zero trust for the workforce

19
Q: Which Zero Trust pillar focuses on securing access between microservices, APIs, and containers in cloud or virtualized environments?
A: Zero trust for workloads

20
Q: Which pillar of Zero Trust deals with application-level security between interacting systems like APIs and databases?
A: Zero trust for workloads

21
Q: Which category of Zero Trust covers endpoints like printers, cameras, HVAC systems, infusion pumps, and kiosks?
A: Zero trust for the workplace

21
Q: Which Zero Trust pillar governs secure access for IoT and other devices connecting to enterprise networks?
A: Zero trust for the workplace

21
Q: Which access control model is considered the least restrictive and may use ACLs to assign access?
A: DAC (Discretionary access control)

22
Q: Which model requires users to have appropriate security clearances that match classified data levels?
A: MAC (Mandatory access control)

22
Q: Which access control model gives data owners full control over who can access their data?
A: DAC (Discretionary access control)

23
Q: Which access control model uses security level labels and is most common in military or mission-critical environments?
A: MAC (Mandatory access control)

24
Q: Which access model assigns permissions based on an individual's job function or organizational position?
A: RBAC (Role-based access control)

25
Q: Which model is also known as a type of non-discretionary access control?
A: RBAC (Role-based access control)

25
Q: Which access control method grants or denies access based on characteristics of the subject, object, and environment?
A: ABAC (Attribute-based access control)

25
Q: Which model enforces access rules defined by network security personnel rather than user roles or attributes?
A: RBAC (Rule-based access control)
26
Q: Which type of account is intended for interactions with the operating system, often for background tasks?
A: Service account

26
Q: Which model might use factors like user attributes, resource attributes, and time of day to make access decisions?
A: ABAC (Attribute-based access control)

27
Q: Which access control model uses sets of conditions, such as IP addresses or protocol types, to permit or deny access?
A: RBAC (Rule-based access control)

27
Q: Which model grants access to network resources only during specific times or days?
A: TAC (Time-based access control)

27
Q: Which common access control exploit allows attackers to gain unauthorized elevated access to systems or data?
A: Privilege escalation

27
Q: Which access control principle ensures users and processes are given only the permissions they need to complete their tasks?
A: Principle of least privilege

28
Q: Which account type is suitable for temporary users who may need to access installed applications?
A: Guest account

28
Q: Which type of account is used for day-to-day access to system resources in an organization?
A: User accounts

29
Q: Which term refers to adding a location-based tag, such as GPS coordinates, to a file or image?
A: Geotagging

30
Q: Which permission level allows users to read contents, change, delete, create new files, and run programs in a folder?
A: Full control

30
Q: What tool is used to configure security policies on standalone Windows systems not joined to a domain?
A: Windows Local Security Policy, configured via secpol.msc

31
Q: What is characterized by triggering an action when a user enters or exits a geographic boundary?
A: Geofencing

32
Q: Which permission level allows users to change and delete files but not create new ones?
A: Modify

33
Q: Which permission allows users to view file contents and execute programs but not change anything?
A: Read and execute

34
Q: Which permission allows users to create and modify files and folders but not run programs or view contents?
A: Write

35
Q: In which versions of Windows is the Local Security Policy tool (secpol.msc) not available?
A: Windows Home edition

36
Q: Which system allows users to authenticate to multiple apps using one set of login credentials?
A: SSO (Single Sign-On)

37
Q: What open standard lets third-party services like Facebook or Google use user credentials securely?
A: OAuth

38
Q: Which cryptographic method uses a hash function combined with a secret key to authenticate users and ensure data integrity?
A: HMAC (Hash-based message authentication code)

38
Q: Which authentication method relies on personal knowledge or questions to reset passwords?
A: KBA (Knowledge-based authentication)

39
Q: What does a user send when using HMAC to authenticate to a web service?
A: A private key identifier and an HMAC
40
Q: What is responsible for authenticating data between two entities to prevent unauthorized access, and outlines the type of information that needs to be shared in order to authenticate and connect?
A: An authentication protocol

40
Q: Which security protocol used in VPNs relies on HMAC to authenticate packet origins and ensure integrity?
A: IPsec

40
Q: How does a server verify the user's identity in HMAC authentication?
A: It calculates an HMAC using the user's private key and compares it with the received HMAC

41
Q: Which hashing algorithms are commonly used in IPsec with HMAC for integrity and authenticity?
A: MD5 and SHA-1

41
Q: What type of integrity verification does Cisco.com provide for its software images?
A: MD5-based checksum

42
Q: In authentication terminology, what does the term "entity" refer to?
A: Any device or system within an organisation

43
Q: Which authentication protocol allows a password to be sent using a hash, with only the server needing a certificate?
A: EAP (Extensible Authentication Protocol)

44
Q: Which protocol sends a username and password in plaintext to a remote access server?
A: PAP (Password Authentication Protocol)

45
Q: Which protocol uses a one-way hash and performs identity verification periodically during a session?
A: CHAP (Challenge Handshake Authentication Protocol)

46
Q: What transport protocol does TACACS+ use?
A: TCP

46
Q: Which authentication service encrypts only the user's password but not the username or other information?
A: RADIUS

46
Q: Which protocol sends a hashed password from the client to a server that possesses a certificate, without requiring a certificate on the client?
A: EAP (Extensible Authentication Protocol)

46
Q: Which outdated authentication protocol transmits both the username and password in plaintext, making it insecure?
A: PAP (Password Authentication Protocol)

46
Q: What key advantage does TACACS+ offer over RADIUS?
A: TACACS+ encrypts all data between a client and server

46
Q: What is the second type of ticket used in Kerberos to access specific services?
A: Service ticket

46
Q: What does Kerberos use as the foundation for its authentication mechanism?
A: Tickets

46
Q: Which authentication protocol periodically re-validates the identity of a remote client using a one-way hash?
A: CHAP (Challenge Handshake Authentication Protocol)

46
Q: What is the first type of ticket issued in the Kerberos authentication process?
A: Ticket granting ticket

46
Q: Which authentication method determines user identity based on credentials or certificates and communicates with a RADIUS server for verification?
A: 802.1X

47
Q: Which protocol is used when a simple username and password are needed, encrypting only the password between client and server?
A: RADIUS

47
Q: Which security protocol requires additional protections like replay-attack prevention when integrated into a product due to partial encryption?
A: RADIUS

47
Q: Which authentication protocol encrypts the entire communication (including username, password, and service data) between client and server?
A: TACACS+

47
Q: Which authentication protocol provides network administrators the ability to define ACLs, filters, and user privileges?
A: TACACS+

47
Q: Which transport layer protocol is used by TACACS+ to ensure reliable and encrypted communication?
A: TCP
47
Q: What is the term for a cryptographic technique where a single key is used for both encrypting and decrypting data?
A: Symmetric key encryption

47
Q: Which protocol relies on symmetric key encryption and timestamped tickets to securely prove identities in a two-step ticket process?
A: Kerberos

47
Q: Which ticket must a client present after the initial authentication to gain access to a specific server's service in Kerberos?
A: A service ticket, issued after the TGT (Ticket granting ticket)

47
Q: Which server stores user IDs, hashed passwords, and shared keys for issuing tickets in a Kerberos-secured network?
A: The Kerberos server

47
Q: What security benefit results from the timestamps and expiration attached to Kerberos tickets? (2)
A: They prevent ticket reuse and replay attacks

47
Q: Which type of attack occurs when a malicious actor captures and retransmits valid data to achieve fraudulent authentication or execute unauthorized actions in a network?
A: A replay attack

47
Q: What does SHA stand for in authentication?
A: Secure Hash Algorithm

47
Q: What generates one-time, one-way responses in challenge-based authentication protocols?
A: Cryptographic hash functions

47
Q: Which hashing algorithm should be prioritized when selecting secure cryptographic functions today?
A: SHA-256

48
Q: Which two hashing algorithms are no longer recommended due to known vulnerabilities?
A: SHA-1 and MD5

48
Q: Which access control strategy enforces access permissions based on object labels and user clearances?
A: MAC (Mandatory access control)

48
Q: Which type of access control system is ideal in environments with multiple levels of security classification?
A: MAC (Mandatory access control)

48
Q: Which access control model allows object owners to determine who may access their resources and with what permissions?
A: DAC (Discretionary access control)

48
Q: Which access model uses access control lists (ACLs) or permissions set by the resource owner?
A: DAC (Discretionary access control)

48
Q: Which access control system grants user permissions based on their job responsibilities or function in the organization?
A: RBAC (Role-based access control)

48
Q: Which access strategy is widely used in large organizations to manage thousands of permissions efficiently?
A: RBAC (Role-based access control)

48
Q: Which control strategy uses predefined rules in access control lists to determine access permissions?
A: Rule-based access control

48
Q: Which model might enforce a restriction like "No access to payroll files after business hours"?
A: Rule-based access control

48
Q: Which model allows permissions like "read," "write," and "execute" to be assigned directly by the file owner?
A: DAC (Discretionary access control)

48
Q: Which security framework provides scalable control over who can connect to a network and what they can do?
A: The AAA architectural framework

48
Q: Which network component enforces identity verification using usernames, passwords, tokens, or challenge-response methods?
A: Authentication
48
Q: Which AAA function determines what resources and operations a user is allowed to access after verifying identity?
A: Authorization

49
Q: Which AAA function logs actions such as access times, resource usage, and changes made by users?
A: Accounting

49
Q: Which AAA implementation stores usernames and passwords directly on the device, suitable for small networks? What is the alternative name?
A: Local AAA authentication, also called self-contained authentication

49
Q: Which AAA implementation uses a central server to authenticate all users, ideal for scalable environments? What is the alternative name?
A: Server-based AAA authentication, also called centralized AAA authentication

49
Q: Which AAA model offers better scalability and manageability for medium-to-large networks?
A: Server-based (centralized) AAA authentication

49
Q: Which two protocols are commonly used by devices to communicate with centralized AAA servers?
A: RADIUS and TACACS+

49
Q: Which centralized AAA protocol encrypts the full body of the packet, excluding only the header?
A: TACACS+

49
Q: Which centralized AAA protocol encrypts only the password in access-request packets, leaving other parts unencrypted?
A: RADIUS

50
Q: Which AAA protocol separates authentication, authorization, and accounting into modular components?
A: TACACS+

50
Q: Which AAA protocol combines authentication and authorization but keeps accounting separate?
A: RADIUS

50
Q: What is the name of the function that allows efficient management by granting or restricting commands to individual users or an entire group of users?
A: Per-user or per-group command authorization

50
Q: Which AAA protocol uses TCP and supports per-user or per-group command authorization? Which port does it use?
A: TACACS+ on TCP port 49

50
Q: Which AAA protocol operates over UDP and does not support command-level authorization?
A: RADIUS on UDP ports 1812/1813 or 1645/1646

51
Q: Which authentication method uses a bidirectional challenge-response mechanism like CHAP?
A: TACACS+

51
Q: What is the meaning of the acronyms RADIUS and TACACS+?
A: RADIUS (Remote Authentication Dial-In User Service) and TACACS+ (Terminal Access Controller Access-Control System Plus)

52
Q: Which centralized AAA setup may use Active Directory or LDAP for user authentication and group mapping?
A: Centralized (server-based) AAA authentication

53
Q: Which AAA protocol is generally supported by Cisco environments and offers more modular security?
A: TACACS+