Chapter 2

What are the three different meanings of MAC within the context of CompTIA Security+?

Media access control, Mandatory access control, Message authentication code

What does a high False Rejection Rate (FRR) in a biometric system indicate?

The system incorrectly rejects a registered user

Which of the following statements about embedded certificates in smart cards is true?

The embedded certificates support cryptography for increased security.

What does ‘Account lockout threshold’ refer to in the context of account lockout policies on Microsoft systems?

The maximum number of times a user can enter the wrong password before the account is locked

What is a DACL in the context of Microsoft Systems?

It is a list of Access Control Entries (ACEs) tied to a Security Identifier (SID).

What is the concept of just-in-time administration in the context of Privileged Access Management?

Administrators only receive administrative privileges when they send a request for them.

What does an iris scanner use for recognition and how does it capture this information?

Iris scanners use the patterns of the iris around the pupil, captured using camera technologies.

What does the ‘Subject’ typically refer to in an ABAC policy?

The human operator of the system

Which element is NOT typically included in an ABAC policy statement?

Device

What permissions does an administrator have in Microsoft Project Server?

Administrators have complete access and control over everything on the server

Why is it necessary to change default passwords on systems and devices before usage?

To prevent unauthorized individuals from gaining access

What is the benefit of requiring administrators to use two accounts?

It reduces the exposure of the administrative account to an attack

What capabilities does the ‘Full control’ NTFS permission provide to users?

Users can do anything with a file and its permissions

What does the ‘Read & execute’ permission allow a user to do in a Microsoft NTFS filesystem?

Provides a user permission to run executable files, including scripts.

What does ‘True rejection’ refer to in the context of biometric systems?

The system correctly rejects an unknown user.

Which is an example of a signal used in Microsoft’s Conditional Access policies within Active Directory environments?

IP location

Why should personnel not use shared or generic accounts according to account management policies?

It is impossible to determine the specific user who performed an action

Which group of technologies is most commonly used in the ‘Somewhere You Are’ authentication attribute?

Geolocation

What is the role of an owner in the discretionary access control (DAC) scheme?

The owner establishes access for objects such as files and folders.

In SAML, what is the function of the Principal?

It’s typically a user who logs on once and, if necessary, requests an identity from the IdP.

In the role-BAC scheme, how do administrators commonly grant access?

By assigning rights and permissions to groups and adding users to the appropriate group

What does NIST SP 800-63B state about two-step authentication via SMS?

It discourages its use due to several vulnerabilities.

What is a characteristic of gait analysis as a method of biometric authentication?

It can identify individuals based on the way they walk.

What are the four elements typically included in an Attribute-Based Access Control (ABAC) policy statement?

Subject, Object, Action, Environment

What are some of the requirements for Kerberos to work properly?

A system of dispensing tickets for authentication, time synchronization, a database of users or subjects.

What does ‘Account lockout duration’ refer to in the context of Microsoft system security policies?

The length of time an account remains locked after exceeding the account lockout threshold

What is a common signal used within Conditional Access policies in Microsoft’s Azure Active Directory environments?

Device type

What is the level of access typically granted to ’Team Members’ in a role-Based Access Control (BAC) scheme on a Microsoft Project Server?

Limited access to only report on assigned work

What does the ‘Modify’ permission enable users to do in NTFS?

It allows users to change files and view them, including deleting files or adding files to a folder

What is the principle called that suggests giving users only the account permissions they need to perform their job?

Principle of Least Privilege

What does the Mandatory Access Control (MAC) scheme use to determine access?

Sensitivity labels or security labels

Which of the following best describes a strong password according to the text?

A password that is at least 8 characters long, combining at least three of the four character types: uppercase, lowercase, numbers and special characters

What is the role of an Identity provider (IdP) in the context of Security Assertion Markup Language (SAML)?

It creates, maintains, and manages identity information for principals.

What does the term ‘someone you know’ imply in the context of cybersecurity and trust models?

The person, company or system for which someone else vouches or provides a level of trust.

What does the ‘Something You Have’ authentication factor refer to in CompTIA Security+ SY0-701?

Something you can physically hold

What is the primary purpose of SSO?

To identify and authenticate users

What does ‘False acceptance’ in a biometric system refer to?

When a biometric system incorrectly identifies an unknown user as a registered user

What does the ‘something you are’ authentication factor use for authentication?

Biometrics

What is the role of the Key Distribution Center (KDC) in the Kerberos network authentication mechanism?

The KDC issues ticket-granting tickets (TGTs) and packages user credentials within a ticket.

What is the recommended procedure for managing user accounts when an employee is on an extended leave of absence according to the material?

The account should be disabled.

What are the characteristics of a service account in the context of credential policies?

Service accounts require long, complex passwords that do not expire.

What is the role of a Service Provider in Security Assertion Markup Language (SAML)?

It provides services to the user after authenticating them.

What does the concept of ‘Roles Based on Jobs and Functions’ imply in the context of an organization with multiple departments?

Assigning roles to users based on their position in the company

In the context of an organization’s disablement policy, why is disabling preferred over deleting the account for a terminated employee?

Disabling the account retains any encryption and security keys associated with the account.

What are some of the security features provided by smart cards?

Confidentiality, integrity, authentication, and non-repudiation

Which of the following best describes the ’Object’ in an Attribute-Based Access Control (ABAC) scheme?

It’s the resource (such as a file, database, or application) that the user is trying to access.

What are some objections to using retina scanners for biometric authentication?

They can identify medical issues

What does ‘True acceptance’ mean in the context of a biometric system?

The biometric system correctly identifies a registered user

What is the primary function of a federated identity management system in single sign-on (SSO) systems?

It authenticates user credentials from different networks or operating systems as a single identity.

What is the primary purpose of authentication in an IT security context?

To prove a user’s identity with credentials

Why are shared accounts discouraged in account management policies?

They undermine the individual authorization controls

What is one of the common signals that Conditional Access policies use in a Microsoft Azure Active Directory environment?

User or group membership

What is a key difference between HMAC-based One-Time Password (HOTP) and Time-based One-Time Password (TOTP)?

HOTP remains valid indefinitely until used, while TOTP expires after a set amount of time.

What might be a possible reason for organizations to prefer disabling user accounts over deleting them?

Disabling keeps the encryption and security keys associated with the accounts

Which of the following is NOT one of the access control schemes mentioned in the text?

Identity-based access control (IBAC)

What is the term for when a biometric system incorrectly rejects a recognized user?

False rejection

Who is responsible for defining the access for subjects and objects in a system?

The higher authority entities

Why is it often detrimental to security if users constantly reuse the same password?

It increases the chance that the password will become predictable and therefore easier to guess or crack.

What are important aspects of password security that organizations should provide training on, according to the text?

Not reusing passwords and creating strong passwords

What does the ‘Something You Can Do’ authentication factor refer to in terms of Microsoft Windows 10?

Actions you can perform such as gestures on a picture

Which role in SAML is an entity providing services to principals?

Service provider

In an Attribute-Based Access Control (ABAC) system, what does the Action element represent?

What the user is attempting to do, such as reading or modifying a file, accessing specific websites, and accessing website applications

Which type of account is most often associated with regular users or the personnel working in organizations?

Personnel or end-user accounts

What is the primary benefit of Single sign-on (SSO) in a network?

It gives access to multiple systems with a single login

What is a primary function of a password vault?

To store most of your passwords in an encrypted format which requires one password to access them

What is typically considered as ‘Subjects’ in an access control scheme?

Users or groups that access objects

Which of the following is NOT a key characteristic of voice recognition as a method of biometric authentication?

It requires physical contact with the device for identification.

What does the ‘Write’ permission allow in NTFS?

Users can change the content of a file

What is an example of a dynamic rule in rule-based access control?

Intrusion prevention system detects an attack and modifies the rules to block traffic from attackers

What is the role of objects in an access control scheme?

They grant authorization to subjects

What is the difference between Static KBA and Dynamic KBA?

Static KBA verifies the identity of existing users, while Dynamic KBA identifies new users.

What is the first step in a biometric authentication system?

Users register with the authentication system

What is the role of ‘Executives’ in Microsoft Project Server?

They can access data from any project held on the server but do not have access to modify server settings.

Why does Kerberos version 5 require all systems to be synchronized and within five minutes of each other?

To timestamp tickets and prevent replay attacks

Within the context of authentication attributes, what is an example of ‘Something You Exhibit’?

A Common Access Card (CAC) or Personal Identity Verification (PIV) card

What is the purpose of labels in the MAC scheme?

To define the boundaries for the security levels
To create a need to know
To classify users and data
All of the above

What is the function of the VIP Access app created by Symantec, as utilized within authentication applications?

It creates a steady stream of one-time-use passwords

Why is it often required by account management policies for each user to have at least one account?

To support effective identification, authentication, authorization, and accounting

What does a password expiration setting identify?

The time period after which a user must change their password

What is the primary benefit of OpenID Connect (OIDC) for an application?

It eliminates the need to manage user’s credentials and minimizes the risk of exposing them.

Which of the following descriptions correctly defines the term ‘Accounting’ in the context of AAA?

Tracking user activity and recording the activity in logs

Why might an organization prefer to disable a user account rather than deleting it?

To retain any encryption and security keys associated with the account

What is the purpose of the constantly changing number displayed on a token key?

It is a rolling one-time use password synced with a server

What does the ‘Modify’ permission in NTFS allow a user to do?

View and change files, including deleting files or adding files to a folder

Which of the following statements about shared and generic account/credentials is true?

Access can be tailored for shared and generic accounts

What is commonly done with the Guest account in most organizations, according to the text?

It is generally disabled and only enabled in special situations.

Which of the following is NOT a characteristic used by facial recognition systems in biometrics?

The patterns on the person’s skin

In the role-BAC scheme in Microsoft Project Server, what level of access do Project Managers have?

They have full control over their own projects but do not control projects owned by other project managers.

Which authentication factor does the ’something you know’ category typically refer to?

Shared secret like password or pin

Which type of account pertains to external entities that have access to a network?

Third-party accounts

What is the function of a time-based login?

It restricts users from logging on to computers outside certain specified times

Which of the following best describes the ‘Read & execute’ NTFS permission in Linux?

It gives a user permission to run any executable files, including scripts

What information can be determined from authentication log entries?

Time and date stamp, successful or unsuccessful login, and the computer name or IP address

Why should administrators avoid using shared or generic accounts?

To prevent privilege escalation attacks
They cannot implement basic authorization controls with shared accounts
To avoid logging conflicts when multiple users use the same account
All of the above

What type of biometric authentication method is commonly used by laptop computers, smartphones and USB flash drives?

Fingerprint Scanners

What does the DAC scheme emphasize regarding object ownership within the Microsoft NTFS system?

Every object has an owner, and the owner has full, explicit control of the object

What type of account commonly requires long, complex passwords that should not expire?

Service accounts

What is a common goal of authentication services that prevents unencrypted credentials from being sent across a network?

To prevent credentials from being sent in cleartext

What is the main function of role-Based Access Control?

It uses roles to manage rights and permissions for users

How do vein matching systems in biometric authentication work?

They use near-infrared light to view the veins of an individual.

What is the primary purpose of Authentication attributes in system security?

To identify a user or device based on characteristics or traits.

What do credential policies require for administrator and root accounts?

Multifactor authentication

What is one of the requirements for Kerberos to work properly?

Time synchronization, with systems synchronized and within five minutes of each other

What are the main functions of the embedded certificates in a smart card?

It allows the use of a complex encryption key, supports digital signatures, data encryption, and provides secure authentication

What are the additional requirements for a service account set by credential policies?

They require long, complex passwords that do not expire

What is the role of the Key Distribution Center (KDC) in Kerberos authentication?

It issues ticket-granting tickets (TGTs) and other tickets

Why are shared or generic accounts often prohibited in account management policies?

It makes it difficult to implement basic authorization controls and track user actions.

What is the least secure form of authentication factor?

Something you know

What is the purpose of an account audit?

To identify and compare the privileges granted to users against what they need.

What is a fundamental feature of Microsoft’s Conditional Access within Azure Active Directory environments?

It is a policy with an if-then statement.

What are the uses of Password Keys?

To reset passwords on systems
