Test Quiz

Start Quiz

Question 1 / 38

Which of the following best describes TACACS+?

A symmetric-key authentication protocol used to protect the sending of logon information

"A remote-access control system providing authentication, authorization, and accounting"

A centralized authentication and access control for credentials to resources within an enterprise

An on-demand authentication used at random intervals within an ongoing data transmission

Which of the following best describes RADIUS?

A symmetric-key authentication protocol used to protect the sending of logon information

"A remote-access control system providing authentication, authorization, and accounting"

"A centralized authentication and access control for credentials to resources within an enterprise"

An on-demand authentication used at random intervals within an ongoing data transmission

Which of the following best describes Kerberos?

A symmetric-key authentication protocol used to protect the sending of logon information

"A remote-access control system providing authentication, authorization, and accounting"

"A centralized authentication and access control for credentials to resources within an enterprise"

An on-demand authentication used at random intervals within an ongoing data transmission

Which of the following security access control methods is best equated to the phrase “less is more”?

Implicit deny

Least privilege

Job rotation

Account expiration

Which of the following security access control methods is best described as resource availability restricted to only those logons explicitly granted access?

Implicit deny

Least privilege

Job rotation

Account expiration

Which of the following is not one of the three types of access controls?

Administrative

Personnel

Technical

Physical

Your company has just opened a call center in India to handle nighttime operations, and you are asked to review the site’s security controls. Specifically, you are asked which of the following is the strongest form of authentication. What will your answer be?

Something you know

Something you are

Passwords

Tokens

Your organization has become worried about recent attempts to gain unauthorized access to the R&D facility. Therefore, you are asked to implement a system that will require individuals to present a password and enter a PIN at the security gate before gaining access. What is this type of system called?

Authorization

Two-factor authentication

Authentication

Three-factor authentication

Which of the following is not one of the three primary types of authentication?

Something you remember

Something you know

Something you are

Something you have

While working as a contractor for Widget, Inc., you are asked what the weakest form of authentication is. What will you say?

Passwords

Retina scans

Facial recognition

Tokens

You’re preparing a presentation for the senior management of your company. They have asked you to rank the general order of accuracy of the most popular biometric systems, with 1 being the lowest and 5 being the highest. What will you tell them?

(1) fingerprint, (2) palm scan, (3) hand geometry, (4) retina scan, (5) iris scan

1) fingerprint, (2) palm scan, (3) iris scan, (4) retina scan, (5) hand geometry

(1) palm scan, (2) hand geometry, (3) iris scan, (4) retina scan, (5) fingerprint

(1) hand geometry, (2) palm scan, (3) fingerprint, (4) retina scan, (5) iris scan

Which of the following items is the least important to consider when designing an access control system?

Risk

Threat

Vulnerability

Annual loss expectancy

Today, you are meeting with a coworker who is proposing that the number of logins and passwords be reduced. Another coworker has suggested that you investigate single sign-on technologies and make a recommendation at the next scheduled meeting. Which of the following is a type of single sign-on system?

Kerberos

RBAC

 DAC

 SAML

Which style of authentication is not susceptible to a dictionary attack?

CHAP

LEAP

WPA-PSK

PAP

Which of the following is not one of the four access control models?

Discretionary

 Mandatory

Role-based

Delegated

Auditing is considered what method of access control?

Preventive

Technical

Administrative

Physical

What method of access control system would a bank teller most likely fall under?

Discretionary

Mandatory

Role-based

Rule-based

Which of the following is the easiest and most common form of offline password hash attack used to pick off insecure passwords?

Hybrid

Dictionary

Brute-force

Man-in-the-middle

Which of the following is an XML-based, open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider?

SAML

LDAP

 OAuth

KryptoKnight

Christine, a newly certified CISSP, has offered to help her brother-in-law, Gary, at his small construction business. The business currently has 18 computers configured as a peer-to-peer network. All users are responsible for their own security and can set file and folder privileges as they see fit. Which access control model best describes the configuration at this organization?

Discretionary

Mandatory

 Role-based

Nondiscretionary

Which of the following best describes challenge/response authentication?

It is an authentication protocol in which a salt value is presented to the user, who then returns an MD5 hash based on this salt value.

It is an authentication protocol in which a system of tickets is used to validate the user’s rights to access resources and services.

It is an authentication protocol in which the username and password are passed to the server using CHAP.

It is an authentication protocol in which a randomly generated string of values is presented to the user, who then returns a calculated number based on those random values.

What type of access control system doesn’t give users much freedom to determine who can access their files and is known for its structure and use of security labels?

Discretionary

Mandatory

Role-based

Nondiscretionary

As the newly appointed security officer for your corporation, you suggest replacing the password-based authentication system with RSA tokens. Elsa, your chief technology officer, denies your request, citing budgetary constraints. As a temporary solution, Elsa asks that you find ways to increase password security. Which of the following will accomplish this goal?

Disabling password-protected screensavers

Enabling account lockout controls

Enforcing a password policy that requires noncomplex passwords

Enabling users to use the same password on more than one system

Various operating systems such as Windows use what to control access rights and permissions to resources and objects?

RBAC

MITM

ABS

ACL

Kerberos has some features that make it a good choice for access control and authentication. One of these items is a ticket. What is a ticket used for?

A ticket is a block of data that allows users to prove their identity to an authentication server.

A ticket is a block of data that allows users to prove their identity to a service.

A ticket is a block of data that allows users to prove their identity to a ticket-granting server.

A ticket is a block of data that allows users to prove their identity to the Kerberos server.

What is the best definition of identification?

The act of verifying your identity

The act of claiming a specific identity

The act of finding or testing the truth

The act of inspecting or reviewing a user’s actions

Your chief information officer (CIO) needs your recommendation for a centralized access control system to maintain all the users and associated permissions. He also wants to be able to use this system for a wireless local area network (LAN). In addition to the wireless LAN requirement, the network administrator has stated that it is not important to the CIO to have a system that will split the authentication, authorization, and accounting processes up; however, having the option to use UDP, SCTP, or TCP is a must. The CIO also requires a SSO technology that can support non-repudiation and authenticity. The CIO has stated he is willing to purchase more than one system to meet the specified requirements. Which of the following is the best recommendation you would give?

Purchase a Diameter for centralized access control and SESAME for SSO.

Purchases a RADIUS for centralized access control and Kerberos because it is most commonly used and, most importantly, has been around a long time and many organizations trust it.

Purchase a Diameter for centralized access control and Kerberos for SSO.

Purchase Extended Terminal Access Controller System for centralized access control and use SESAME for SSO.

You have been promoted to security officer for a Fortune 500 company and are performing an audit of elevated privileges for the network. You observe that there are many members from the help desk that have privileges to various systems that they do not require to do their job on a daily basis. What best business practice does your company lack?

Separation of duties

Principle of least privilege

Need to know

Privilege creep

What does strong authentication require?

Public/private keys

Using two different methods of identification

Using a method of identification from at least two of type I, II, or III

 Authenticating inside an encrypted tunnel

You have a homogeneous environment with multiple application servers. Your users are having difficulty remembering all their passwords as they complete their daily activities. What would be the best solution?

Lower the passwords’ complexity requirements

Implement harsher penalties

Add assisted user reset capabilities

Use single sign-on

A security analyst has been asked to review permissions on accounts within Active Directory to determine if they are appropriate to the user’s role. During this process, the analyst notices that a user from building maintenance is part of the Domain Admin group. Which of the following does this indicate?

Cross-site scripting

Session hijack

Privilege escalation

Rootkit

In the last six months, a company is seeing an increase in credential-harvesting attacks. The latest victim was the chief executive officer (CEO). Which of the following countermeasures will render the attack ineffective?

Use a complex password according to the company policy.

Implement an intrusion-prevention system.

Isolate the CEO's computer in a higher security zone.

Implement multifactor authentication.

A system administrator is configuring accounts on a newly established server. Which of the following characteristics BEST differentiates service accounts from other types of accounts?

They can often be restricted in privilege.

They are meant for non-person entities.

They require special permissions to OS files and folders.

They remain disabled in operations.

The process of presenting a user ID to a validating system is known as:

authorization.

authentication.

identification.

single sign-on.

Which of the following is MOST relevant to include in a cost-benefit analysis of a two-factor authentication system?

The approved budget of the project

The approve budget of the project

The annual loss expectancy of incidents

The total cost of ownership

What is the purpose of polyinstantiation?

To restrict lower-level subjects from accessing low-level information

To make a copy of an object and modify the attributes of the second copy

To create different objects that will react in different ways to the same input

To create different objects that will take on inheritable attributes from their class

Which of the following terms uses user account management, access control, credential management, single sign-on (SSO) functionality, rights and permissions management for user accounts, and the auditing and monitoring of all these items?

Multifactor authentication

Single-factor authentication

Identity federation

Identity and access management (IAM)

Which of the following best describes the function of the Security Assertion Markup Language (SAML)?

SAML is a Security Content Automation Protocol (SCAP) language that is used to express security vulnerabilities in a standardized format.

SAML provides access and authorization decisions using a system to exchange information between a user, the identity provider (IDP), and the service provider (SP).

SAML is used to communicate threat information in a standardized format.

SAML is used to assist in exchanging public keys between entities for authentication purposes.

Submit Quiz