4.0 Identity and Access Management

Federating networks means sharing resources among multiple independent networks in order to optimise the use of those resources, improve the quality of network-based services, and/or reduce cost.

Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP). What that jargon means is that you can use one set of credentials to log into many different websites. It's much simpler to manage one login per user than it is to manage separate logins to email, customer relationship management (CRM) software, Active Directory, etc.

SAML transactions use Extensible Markup Language (XML) for standardized communications between the identity provider and service providers.

SAML is the link between the authentication of a user’s identity and the
authorization to use a service.

The Security Assertion Markup Language (SAML) is an open standard for sharing security information about identity, authentication and authorization across different systems.

SAML is implemented with the Extensible Markup Language (XML) standard for sharing data, and SAML provides a framework for implementing single sign-on (SSO) and other federated identity systems.

CHAP is an authentication scheme used by Point-to-Point Protocol (PPP) servers to validate the identity of remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake. This happens at the time of establishing the initial link (LCP), and may happen again at any time afterwards. CHAP does not encrypt the link; it only authenticates.

The main differentiator between these three players is that OAuth 2.0 is a framework that controls authorization to a protected resource, such as an application or a set of files, whereas OpenID Connect and SAML are both industry standards for federated authentication.

OAuth provides authorization services only; OpenID Connect (OIDC) provides federated authentication.

Basic threats to an LDAP directory service include:

(1) Unauthorized access to directory data via data-retrieval operations.

(2) Unauthorized access to directory data by monitoring access of others. (Passive attack)

(3) Unauthorized access to reusable client authentication information by monitoring access of others. (Passive attack)

(4) Unauthorized modification of directory data.

(5) Unauthorized modification of configuration information.

(6) Denial of Service: use of resources (commonly in excess) in a manner intended to deny service to others.

(7) Spoofing: tricking a user or client into believing that information came from the directory when in fact it did not, either by modifying data in transit or misdirecting the client's transport connection; tricking a user or client into sending privileged information to a hostile entity that appears to be the directory server but is not; tricking a directory server into believing that information came from a particular client when in fact it came from a hostile entity.

(8) Hijacking: an attacker seizes control of an established protocol session.

Threats (1), (4), (5), (6), (7), and (8) are active attacks. Threats (2) and (3) are passive attacks.

A Ticket Granting Ticket, or Ticket to Get Tickets (TGT), is a small, encrypted identification file with a limited validity period. After authentication, this file is granted to a user for data traffic protection by the key distribution center (KDC) subsystem of authentication services such as Kerberos.

The TGT file contains the
- session key,
- expiration date, and the
- user's IP address,

which protects the user from man-in-the-middle attacks. The TGT is used to obtain a service ticket from the Ticket Granting Service (TGS). The user is granted access to network services only after this service ticket is provided.

Kerberos provides mutual authentication for domain networks.
- Kerberos uses the concept of single sign-on to aid accessibility to domain resources once a user is authenticated.
- The server and client authenticate to each other with Kerberos through shared knowledge of a secret key.

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) supports mutual authentication, whereas CHAP, the unenhanced version, does not support mutual authentication unless between two Cisco routers.

Unless specified, Challenge Handshake Authentication Protocol (CHAP) typically only provides one-way authentication. CHAP can provide two-way authentication when two Cisco routers are used to authenticate to one another.

NT LAN Manager (NTLM) is currently the only choice for non-domain networks (workgroups), and NTLMv2 should be used exclusively, disabling backward compatibility with LM due to LM's vulnerability to password cracking attacks, which NTLMv2 compensates for. NTLM only provides for client authentication, not mutual authentication.

Local Area Network Manager (LM) is more vulnerable to password cracking attempts. If the compatibility feature is not disabled, the client sends both LM and New Technology LAN Manager (NTLM) responses that can be captured by a network sniffer.

Local Area Network Manager (LM) compatibility would not make New Technology LAN Manager version 2 (NTLMv2) inoperable. However, it would reduce effectiveness in providing secure authentication, as compatibility could store and send the LM version of the password hash.

Currently, New Technology Local Area Network Manager (NTLM) is the only choice for workgroups, which are non-domain networks. LAN Manager version 2 (NTLMv2) is preferable and should be used over NTLM.

Both New Technology Local Area Network Manager (NTLM) and LAN Manager (LM) are vulnerable to pass-the-hash attacks. A more robust authentication protocol, such as Kerberos, can help defend against such an attack.

In the Server Manager tool menu, the person installing the RADIUS client chooses and confirms the shared secret for the RADIUS client.

The RADIUS client does not generate its own randomly-assigned passwords. Passwords are designated by the individual installing the RADIUS client.

The authentication server does not derive the RADIUS password from a network domain administrative password. This would constitute a security risk, as the compromise of one password could potentially reveal information about the other.

The RADIUS client password can be set up and reset any time an administrator accesses the Network Policy Server manager tool. It is typically established when the RADIUS client is configured.

TACACS+ uses TCP communications for reliable, connection-oriented delivery, making it easier to detect when a server is down.

TACACS+ is similar to RADIUS, but Cisco designed it with flexibility in mind. Its connection-oriented delivery method increases reliability and flexibility. It is supported by third parties and open-source RADIUS implementations.

All data in TACACS+ packets is encrypted (not just authentication data).

TACACS+ is more often used for device management than for authenticating end user devices. It allows centralized control of accounts set up to manage routers, switches, and firewall appliances, and detailed management of privileges assigned to those accounts.

This order is correct: Common Name, Organizational Unit, Organization, Country, Domain
Component. In X.500 naming convention, the most specific attribute goes first, and
definitions become broader further down the list.

In the X.500 naming convention, the most specific attribute goes first, and definitions
become broader further down the list. This option begins with the broadest definition.

In X.500 naming convention, the most specific attribute goes first, and definitions become
broader further down the list. This option does not follow a logical order, jumping from a
narrow definition to a broad definition, and then following the narrow to broad rule.

In X.500 naming convention, the most specific attribute goes first, and definitions become
broader further down the list. This definition begins with broader definitions and does not
follow a logical order to the narrowest definition.

A distinguished name in an X.500 directory, or similar directory, identifies a resource by
attribute=value pairs, separated by commas. The attributes are listed in order from most
specific to broadest term.

A schema is the organizational plan the directory follows. Attributes within the directory are
defined by the overall schema. For example, an X.500 directory may contain attribute=value
pairs such as Common Name (CN)=Samuel, and Organizational Unit (OU)= Sales.

Distinguished name, not directory name, is the term for the attribute=value pairs that define a resource in an X.500 directory. These answers appear similar.

Unique name is not a term used in an X.500 directory. Instead, the term distinguished name identifies a resource by attribute=value pairs, separated by commas. The attributes are listed in order from most specific to broadest term.

Compare features of Shibboleth and Security Assertion Markup Language (SAML) and determine what Shibboleth provides that SAML does not. (Select two)

- Shibboleth allows the user to choose a preferred identity provider
- Shibboleth is an identity provider and supports the authentication of users
- SAML is an identity provider, while Shibboleth is both an identity provider and service provider

One of Shibboleth's main components, the Embedded Discovery Service, allows the user to choose a preferred identity provider. The user does not choose the identity provider in Security Assertion Markup Language (SAML).

Shibboleth is an identity provider, and it supports authentication from several different directory and authentication systems.

Security Assertion Markup Language (SAML) is not an identity provider; it is an open standard that allows identity providers (IdP) to pass authorization to service providers (SP). Shibboleth is both an IdP and an SP.

Security Assertion Markup Language (SAML) can be implemented on mobile devices. Shibboleth is open source. The OAuth protocol (in this context, Auth- stands for authorization, not authentication) is generally preferred over SAML for mobile apps.

Password Authentication Protocol (PAP) is a weak, obsolete protocol. It is designed for use with dial-up connections and transfers password information in cleartext rather than over a secure connection.

Challenge Handshake Authentication Protocol (CHAP) is stronger than Password Authentication Protocol (PAP), as CHAP was designed for authenticating remotely linked users. CHAP relies on a three-way handshake method of challenge, response, and verification to authenticate users.

Kerberos is a strong authentication protocol, which utilizes service tickets, symmetric encryption, and mutual authentication. It is much stronger than Password Authentication Protocol (PAP).

NT LAN Manager (NTLM) authentication is not the strongest protocol available, but it is a challenge/response protocol, which requires the password to be encrypted, rather than sent via plaintext, so it is stronger than Password Authentication Protocol (PAP).

Mutual authentication assures that the client and the server are authenticated to one another, and an attacker cannot intercept the communications exchanged between the two.

Credential dumping makes Kerberos more susceptible to a pass-the-hash or ticket forging attack, known as a "golden ticket", if an attacker is able to gain access this way.

A service request is just the first part of the Kerberos authentication process; this alone is insufficient to protect against such an attack until the principal and application server are authenticated to one another.

Timestamping prevents tickets from being used again, thus preventing a replay attack.

1. Common Name (CN)
2. Organizational Unit (OU)
3. Organization (O)
4. Country (C)
5. Domain Component (DC)

The security and storage of biometric templates is a current issue. It should not be possible to reconstruct the samples from the templates, the templates should be tamper-proof, and unauthorized templates should not be able to gain system access.

Pattern matching from templates is an issue with current biometric technologies. Standard
encryption technologies cannot be used to store biometric data, and a biometric scan must be
able to produce the same key each time it is scanned, presenting challenges concerning
credential access and data recovery.

Biometric extraction techniques may improve in the future, but feature extraction models are not
a main point of concern for contemporary biometric technology security.

Reader deployment depends on the type of biometric authentication used; this is not a major
issue, though some methods are easier to deploy than others.

A large, metropolitan airport employs hundreds of workers daily. The facility managers have
been tasked with increasing security checks for employees entering airport terminals, while
maintaining a quick processing time of employee credentials. Analyze the scenario and
determine which biometric scanning procedure best meets the airport’s needs.
Iris scanners

Iris scanners best meet the airport's needs. Iris scanning can be implemented in higher-traffic
areas, where throughput is a concern. At the same time, accuracy is high, while ease of
spoofing is fairly low. The enrollment process for employees is less intrusive than retinal scans.

Retinal scanners are intrusive, complex and expensive. They are not the best option for high-
traffic areas, such as airports.

Voice recognition would be too difficult to implement in this situation, given high levels of
ambient noise in a busy place like an airport.

Fingerprint scanners offer ease of enrollment, but in this high traffic area, it would be difficult to
ensure the scanner remains clean and dry for hundreds of employees.

A new sign-on system for employees requires a token for credential storage. Which sign-on system does NOT satisfy this requirement?
A Quick Response (QR) code

A Quick Response (QR) code is not a token and does not store credentials. A QR code can
act as a shared secret for authentication, but it is not the token itself.

A USB device can act as a token for credential storage. USB devices typically come in the form
of peripherals, such as smart card readers.

Key fob devices can store credentials and act as a portable token. This type of device usually
produces tokens that expire to protect against the threat of physical interception.

Mobile device applications can store credentials, and these applications often serve as tokens.

An executive user is supposed to have permissions to a given resource; however, when the user tries to access the resource, access is denied and the user receives an error message. Analyze the situation to troubleshoot the problem and select which of the following scenarios provide a plausible explanation for the user's thwarted access. (Select two)

- Access Control Entries (ACEs) are out of order in the Access Control List (ACL)
- The system is using Mandatory Access Control (MAC), and the user does not occupy the correct role
- The user has not been granted permissions to the resource they are trying to access

If a user is supposed to have access and permissions were delegated appropriately, troubleshoot the order of the Access Control List (ACL) to see whether the Access Control Entries (ACEs) are in order. ACEs must be in a certain order to enforce the ACL properly.

The user may not have been granted access to the resource they are trying to access. If they are supposed to have access, adding them to the Access Control List (ACL) can remedy this problem.

Mandatory access control (MAC) bases access on security clearance and need to know, not strictly on a user's role.

Attribute-Based Access Control (ABAC) is a fine-grained method of assigning permissions that can be based on many different user and system attributes, not just on security clearance.
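An added illustration (written for these notes, not taken from the quiz material) of why ACE order matters: a small model of ordered ACL evaluation with the canonical ordering Windows expects, explicit deny before explicit allow and explicit ACEs before inherited ones. The user, group and ACL contents are constructed, and plain names stand in for SIDs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One Access Control Entry: allow or deny a set of rights to a trustee."""
    kind: str                 # "allow" or "deny"
    trustee: str              # user or group name (constructed, not a real SID)
    rights: frozenset         # e.g. {"read", "write"}
    inherited: bool = False   # True when inherited from a parent object


def canonical_order(acl):
    """Sort ACEs the way a well-formed ACL is expected to be ordered:
    explicit deny, explicit allow, inherited deny, inherited allow."""
    rank = {(False, "deny"): 0, (False, "allow"): 1,
            (True, "deny"): 2, (True, "allow"): 3}
    return sorted(acl, key=lambda ace: rank[(ace.inherited, ace.kind)])


def access_check(acl, principals, requested):
    """Walk the ACL in stored order. Stop with a denial as soon as a deny ACE
    for one of the caller's principals covers a still-ungranted right; stop
    with success once allow ACEs have granted every requested right."""
    remaining = set(requested)
    for ace in acl:
        if ace.trustee not in principals:
            continue
        if ace.kind == "deny" and remaining & ace.rights:
            source = "inherited" if ace.inherited else "explicit"
            return False, f"denied by {source} deny for {ace.trustee}"
        if ace.kind == "allow":
            remaining -= ace.rights
            if not remaining:
                return True, "all requested rights granted"
    return False, f"rights never granted: {sorted(remaining)}"


# Constructed scenario: the executive holds an explicit allow for read+write,
# but an inherited deny-write for Everyone was stored ahead of it.
EXEC_PRINCIPALS = {"exec.user", "Executives", "Everyone"}
MISORDERED_ACL = [
    Ace("deny", "Everyone", frozenset({"write"}), inherited=True),
    Ace("allow", "exec.user", frozenset({"read", "write"})),
    Ace("allow", "Executives", frozenset({"read"}), inherited=True),
]


def troubleshoot(acl, principals, requested):
    """Evaluate the ACL as stored and again in canonical order, for comparison."""
    stored = access_check(acl, principals, requested)
    canonical = access_check(canonical_order(acl), principals, requested)
    return stored, canonical


if __name__ == "__main__":
    stored, canonical = troubleshoot(MISORDERED_ACL, EXEC_PRINCIPALS, {"read", "write"})
    print("stored order   :", stored)     # denied: the inherited deny is hit first
    print("canonical order:", canonical)  # allowed: explicit allow is evaluated first
```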

Attribute-Based Access Control (ABAC) is the ideal choice for assigning complex rule-based privileges. It makes decisions based on subject and object attributes, context-dependent and system-wide attributes, making it the most fine-tuned control.

Role-Based Access Control (RBAC) vs. Attribute-Based Access Control (ABAC)

Role-based access control (RBAC) and attribute-based access control (ABAC) are
two ways of controlling the authentication process and authorizing users.
The primary difference between RBAC and ABAC is RBAC provides access to
resources or information based on user roles, while ABAC provides access rights
based on user, environment, or resource attributes. Essentially, when considering
RBAC vs. ABAC, RBAC controls broad access across an organization, while ABAC
takes a fine-grain approach.
What Is RBAC?

RBAC is role-based, so depending on your role in the organization, you will have different access permissions. This is determined by an administrator, who sets the parameters of what access a role should have, along with which users are assigned which roles. For instance, some users may be assigned to a role where they can write and edit particular files, whereas other users may be in a role restricted to reading files but not editing them.
It’s possible for one user to be assigned multiple roles, giving them access to
numerous different files or abilities. Say there’s a team of people working on a
large project. The project manager will have access to all the files and can edit
and change things within the project. However, the development team might
only be allowed access to the programming files and won’t be able to see or edit
the financial information or employee details for the project. On the flip side, the
human resources or management team might have access to all the employee
and financial information but has no use for the programming files.

An organization might use RBAC for projects like this because with RBAC, the
policies don’t need to be changed every time a person leaves the organization or
changes jobs: they can simply be removed from the role group or allocated to a
new role. This also means new employees can be granted access relatively
quickly, depending on the organizational role they fulfill.

What Is ABAC?
Attribute-based access control draws on a set of characteristics called
“attributes.” This includes user attributes, environmental attributes, and resource
attributes.

 User attributes include things like the user’s name, role, organization, ID,
and security clearance.
 Environmental attributes include the time of access, location of the data,
and current organizational threat levels.
 Resource attributes include things like creation date, resource owner, file
name, and data sensitivity.
Essentially, ABAC has a much greater number of possible control variables
than RBAC. ABAC is implemented to reduce risks due to unauthorized access, as
it can control security and access on a more fine-grained basis. For example,
instead of people in the HR role always being able to access employee and
payroll information, ABAC can place further limits on their access, such as only
allowing it during certain times or for certain branch offices relevant to the
employee in question. This can reduce security issues and can also help with
auditing processes later.
RBAC vs. ABAC

Generally, if RBAC will suffice, you should use it before setting up ABAC access
control. Both these access control processes are filters with ABAC being the
more complex of the two, requiring more processing power and time.
There’s no point in using this more powerful filter—and incurring the
accompanying resource cost—if you don’t need it.
Either way, it’s important to use the minimum number of RBAC and ABAC filters
to structure your access and security landscape. It can help to carefully plan out
your directory data and access approaches to make sure you aren’t using
unnecessary filters or making things overly complex. In many cases, RBAC and
ABAC can be used together hierarchically, with broad access enforced by
RBAC protocols and more complex access managed by ABAC. This means the
system would first use RBAC to determine who has access to a resource, followed
by ABAC to determine what they can do with the resource and when they can
access it.
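An added example (written for these notes, not from the article above) of the layered approach just described: RBAC first decides whether any of the subject's roles may perform the action at all, then ABAC rules over subject, resource and environment attributes decide whether this particular access is allowed right now. The role names, branch offices, clearance levels and time window are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed role-to-permission map: the coarse RBAC layer.
ROLE_PERMISSIONS = {
    "hr": {"payroll:read", "employee_record:read"},
    "developer": {"source:read", "source:write"},
    "project_manager": {"source:read", "payroll:read", "employee_record:read"},
}


@dataclass
class Subject:
    name: str
    roles: set
    branch: str          # user attribute
    clearance: int       # user attribute


@dataclass
class Resource:
    name: str
    kind: str            # "payroll", "source", ...
    branch: str          # resource attribute
    sensitivity: int     # resource attribute


@dataclass
class Environment:
    now: datetime        # environmental attribute
    threat_level: str    # "normal" or "high"


def rbac_permits(subject, action, resource):
    """Coarse check: does any of the subject's roles carry this permission?"""
    needed = f"{resource.kind}:{action}"
    return any(needed in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


# Fine-grained ABAC rules: each returns None when satisfied, else a reason.
def rule_same_branch(s, r, e):
    return None if s.branch == r.branch else f"resource belongs to {r.branch}, subject is in {s.branch}"


def rule_business_hours(s, r, e):
    ok = e.now.weekday() < 5 and 8 <= e.now.hour < 18   # Mon-Fri, 08:00-17:59
    return None if ok else "outside business hours"


def rule_clearance(s, r, e):
    return None if s.clearance >= r.sensitivity else "clearance below resource sensitivity"


def rule_threat_lockdown(s, r, e):
    # While the threat level is high, only low-sensitivity resources stay reachable.
    return None if e.threat_level != "high" or r.sensitivity <= 1 else "lockdown: threat level high"


ABAC_RULES = [rule_same_branch, rule_business_hours, rule_clearance, rule_threat_lockdown]


def decide(subject, action, resource, env):
    """Layered decision: the RBAC gate first, then every ABAC rule must pass."""
    if not rbac_permits(subject, action, resource):
        return False, "rbac: role lacks permission"
    for rule in ABAC_RULES:
        reason = rule(subject, resource, env)
        if reason:
            return False, f"abac: {reason}"
    return True, "allowed"


# Constructed sample subjects and resources.
HR_LONDON = Subject("alice", {"hr"}, branch="london", clearance=2)
DEV = Subject("bob", {"developer"}, branch="london", clearance=1)
PAYROLL_LONDON = Resource("payroll-2024", "payroll", branch="london", sensitivity=2)
PAYROLL_PARIS = Resource("payroll-paris", "payroll", branch="paris", sensitivity=2)

if __name__ == "__main__":
    office_hours = Environment(datetime(2024, 3, 5, 10, 0), "normal")   # a Tuesday, 10:00
    late_night = Environment(datetime(2024, 3, 5, 23, 0), "normal")
    print(decide(HR_LONDON, "read", PAYROLL_LONDON, office_hours))   # allowed
    print(decide(HR_LONDON, "read", PAYROLL_LONDON, late_night))     # abac: outside business hours
    print(decide(HR_LONDON, "read", PAYROLL_PARIS, office_hours))    # abac: wrong branch
    print(decide(DEV, "read", PAYROLL_LONDON, office_hours))         # rbac: role lacks permission
```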

Role-Based Access Control (RBAC) allocates user permissions based on roles, or group memberships. This company requires more fine-grained access controls that also take other factors into account.

Discretionary Access Control (DAC) gives access based on a content’s creator or owner, who
grants permissions. This type of control is flexible, yet vulnerable to insider attack, and is task-
heavy for the content creator.

Mandatory Access Control (MAC) enforces rules based on security clearances and labels of
resources, to which a user is granted “need to know” or not. This form is ideal for military units
and highly secure information, but is cumbersome for normal use.

The process of fine-tuning a biometric system involves adjusting the Crossover Error Rate
(CER), the point at which the false rejection rate and false acceptance rate meet.

The False Rejection Rate (FRR) is also known as a type I error, which rejects authorized
templates. FRR most commonly produces frustration, and can impede traffic flow if not properly
tuned.

The False Acceptance Rate (FAR) is the rate at which the system lets in unauthorized users,
which constitutes a security breach. Fine-tuning a system to minimize the FAR is imperative.

A type II error is also known as a false positive, measured by the False Acceptance Rate (FAR).
This is the rate at which unauthorized personnel gain access to the secure facility. This number
must be minimized.
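An added worked example (not from these notes) of how the FAR and FRR move with the decision threshold and where the crossover sits. The match scores are constructed, with higher scores meaning a closer match to the enrolled template; rates are kept as exact fractions so the crossover is unambiguous.

```python
from fractions import Fraction

# Constructed match scores (0 = no match, 1 = perfect match).
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.80, 0.78, 0.74, 0.70, 0.66, 0.60, 0.52]
IMPOSTOR_SCORES = [0.12, 0.20, 0.28, 0.33, 0.40, 0.44, 0.50, 0.56, 0.62, 0.70]


def far(impostor_scores, threshold):
    """False Acceptance Rate (type II error): impostors scoring at or above the threshold."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return Fraction(accepted, len(impostor_scores))


def frr(genuine_scores, threshold):
    """False Rejection Rate (type I error): authorized users scoring below the threshold."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return Fraction(rejected, len(genuine_scores))


def error_curve(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) at every threshold where either rate can change."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def crossover(genuine_scores, impostor_scores):
    """Threshold where FAR and FRR are closest (lowest threshold on a tie), with both rates."""
    return min(error_curve(genuine_scores, impostor_scores),
               key=lambda row: (abs(row[1] - row[2]), row[0]))


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold {t:.2f}: FAR={float(a):.2f} FRR={float(r):.2f}")
    t, a, r = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER at threshold {t:.2f}: FAR={float(a):.2f} FRR={float(r):.2f}")
    # Raising the threshold buys a lower FAR at the price of a higher FRR.
    print("threshold 0.72: FAR", far(IMPOSTOR_SCORES, 0.72), "FRR", frr(GENUINE_SCORES, 0.72))
    print("threshold 0.50: FAR", far(IMPOSTOR_SCORES, 0.50), "FRR", frr(GENUINE_SCORES, 0.50))
```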

HMAC-Based One-time Password Algorithm (HOTP) and Time-Based One-time Password Algorithm (TOTP) allow users to authenticate using a logical token. Although both are considered secure, what vulnerabilities do these algorithms still possess? (Select two)

- User-generated passwords
- Susceptibility to interception
- Device synchronization errors
- Weak password encryption

WHAT YOU NEED TO KNOW

Susceptibility to interception is a risk associated with one-time passwords, since the token is delivered to a physical space. Both HMAC-Based One-time Password Algorithm (HOTP) and Time-Based One-time Password Algorithm (TOTP) generate these tokens.

The password encryption method used by both one-time password algorithms is secure, using a random number generator to produce the 8-byte key value.

HMAC-Based One-time Password Algorithm (HOTP) and Time-Based One-time Password Algorithm (TOTP) use randomly generated numbers, not user-generated passwords.

Device synchronization errors can result in key expiration or key error. Although HMAC-Based One-time Password Algorithm (HOTP) does not use a timestamp, the device and server may still be synchronized with a counter to invalidate the key should they go out of sync.

The CEO of a large company calls the help desk and reports issues with access to an important folder. The CEO is supposed to have access to this folder based on his role. What can the helpdesk technician identify as possible causes of the problem? (Select two)

- The system is using Attribute-Based Access Control (ABAC), and the user does not have the proper clearance
- Access Control Entries (ACEs) are out of order in the Access Control List (ACL)
- The system is using Mandatory Access Control (MAC), and the user does not occupy the correct role
- The user has not been granted permissions to the resource they are trying to access


What major advantage does Time-Based One-Time Password Algorithm (TOTP) have over HMAC-Based One-Time Password Algorithm (HOTP)?

Correct answer: TOTP adds an expiration time to the token

An organization's security policy requires employees to authenticate to the network using two-factor authentication and behavioral recognition. Evaluate which of the following methods utilizes both behavioral recognition and two-factor authentication.

Correct answer: Saying a passphrase and entering a passcode at a user terminal

HMAC-Based One-time Password Algorithm (HOTP) and Time-Based One-time Password Algorithm (TOTP) both provide the user with a logical token for authentication. TOTP addresses one of the primary vulnerabilities of HOTP with timestamping; what other vulnerabilities do both methods still share? (Select two)

- Device synchronization errors
- User-generated passwords
- Susceptibility to interception
- Weak password encryption

Behavioral technology (something you are and can do):
1. Voice recognition
2. Signing a form
3. Uttering a passphrase
4. Voice and signature recognition

Something you are:
1. Handprint
2. Retinal scan

Something you know:
1. PIN
2. Entering a passcode

Something you have:
1. Smart card
2. Physical token

Something you know: this is the most common kind of authentication used for humans. We use passwords every day to access our systems. Unfortunately, something that you know can become something you just forgot. And if you write it

1. Password
2. PIN

Something you have (e.g. a smart card): this form of human authentication removes the problem of forgetting something you know, but some object now must be with you any time you want to be authenticated. And such an object might be stolen and then becomes something the attacker has.

Something you are (e.g. a fingerprint): base authentication on something intrinsic to the principal being authenticated. It's much harder to lose a fingerprint than a wallet. Unfortunately, biometric sensors are fairly expensive and (at present) not very accurate.

Hash-based message authentication codes (HMAC)

HOTP and TOTP are the two main standards for One-Time Password, but what do they mean from a security perspective, and why would you choose one over the other?

In both HOTP and TOTP the token (i.e., the OTP generator) generates a numeric code, usually 6 or 8 digits. The security of OTP is based on the fact that the codes are constantly changing and that they are single-use, hence the name.

HOTP: Event-based One-Time Password

Event-based OTP (also called HOTP, meaning HMAC-based One-Time Password) is the original One-Time Password algorithm and relies on two pieces of information. The first is the secret key, called the "seed", which is known only by the token and the server that validates submitted OTP codes. The second piece of information is the moving factor which, in event-based OTP, is a counter. The counter is stored in the token and on the server. The counter in the token increments when the button on the token is pressed, while the counter on the server is incremented only when an OTP is successfully validated.

To calculate an OTP the token feeds the counter into the HMAC algorithm using the token seed as the key. HOTP uses the SHA-1 hash function in the HMAC. This produces a 160-bit value which is then reduced down to the 6 (or 8) decimal digits displayed by the token.

TOTP: Time-based One-Time Password

Time-based OTP (TOTP for short) is based on HOTP, but the moving factor is time instead of the counter. TOTP uses time in increments called the timestep, which is usually 30 or 60 seconds. This means that each OTP is valid for the duration of the timestep.

Comparison

Both OTP schemes offer single-use codes, but the key difference is that in HOTP a given OTP is valid until it is used, or until a subsequent OTP is used. In HOTP there are a number of valid "next OTP" codes. This is because the button on the token can be pressed, thus incrementing the counter on the token, without the resulting OTP being submitted to the validating server. For this reason, HOTP validating servers accept a range of OTPs. Specifically, they will accept an OTP that is generated by a counter that is within a set number of increments from the previous counter value stored on the server. This range is referred to as the validation window. If the token counter is outside of the range allowed by the server, the validation fails and the token must be re-synchronized.

So clearly in HOTP there is a trade-off to make. The larger the validation window, the less likely the chance of needing to re-sync the token with the server, which is inconvenient for the user. Importantly though, the larger the window, the greater the chance of an adversary guessing one of the accepted OTPs through a brute-force attack.

In contrast, in TOTP there is only one valid OTP at any given time: the one generated from the current UNIX time.

Choice

Choosing between HOTP and TOTP purely from a security perspective clearly favours TOTP. Importantly, the validating server must be able to cope with the potential for time-drift with TOTP tokens in order to minimize any impact on users.

There is also more choice of form-factor with TOTP tokens. Traditional key fob OTP tokens are getting smaller and Microcosm has now introduced the OTP Card, a credit card sized OTP token with an EPD display. Cards can be a more convenient option as they can be stored with other cards in a wallet or purse, or in the back of a mobile phone case.

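An added implementation (written for these notes, not Microcosm's code) of the two schemes described above, including the HOTP validation window and the TOTP time-drift tolerance from the comparison: HMAC-SHA1 over the moving factor, dynamic truncation to 6 or 8 digits, a token model whose counter advances on every press, and a validator that only advances on success. The seed is the published RFC 4226 / RFC 6238 test-vector seed; the window size and the press sequence are constructed.

```python
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to a 31-bit value and reduced modulo 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, timestep: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose moving factor is the current timestep number."""
    return hotp(seed, int(unix_time // timestep), digits)


class HotpToken:
    """Stand-in for a hardware event-based token: the counter advances on every press."""
    def __init__(self, seed: bytes, digits: int = 6):
        self.seed, self.digits, self.counter = seed, digits, 0

    def press(self) -> str:
        code = hotp(self.seed, self.counter, self.digits)
        self.counter += 1
        return code


class HotpValidator:
    """Server side: accepts a code whose counter lies within `window` increments of
    the next expected value, and moves the counter forward only on success."""
    def __init__(self, seed: bytes, window: int = 10, digits: int = 6):
        self.seed, self.window, self.digits = seed, window, digits
        self.counter = 0   # next counter value the server expects

    def validate(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.seed, c, self.digits), code):
                self.counter = c + 1   # codes at or below c can never be replayed
                return True
        return False                   # outside the window: the token needs re-sync


def totp_verify(seed: bytes, code: str, unix_time: int, timestep: int = 30,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Accept the code for the current timestep plus or minus skew_steps, to tolerate clock drift."""
    step = int(unix_time // timestep)
    return any(hmac.compare_digest(hotp(seed, step + d, digits), code)
               for d in range(-skew_steps, skew_steps + 1))


def guess_probability(window: int, digits: int = 6) -> float:
    """Chance that a single random guess hits one of the window+1 currently valid HOTP codes."""
    return (window + 1) / 10 ** digits


SEED = b"12345678901234567890"   # RFC 4226 / RFC 6238 test-vector seed

if __name__ == "__main__":
    token, server = HotpToken(SEED), HotpValidator(SEED, window=10)
    print("first press accepted:", server.validate(token.press()))
    for _ in range(3):
        token.press()                # pressed but never submitted: still inside the window
    print("press after 3 skipped accepted:", server.validate(token.press()))
    for _ in range(15):
        token.press()                # far beyond the window: validation fails, re-sync needed
    print("press after 15 skipped accepted:", server.validate(token.press()))
    print("TOTP at t=59:", totp(SEED, 59), "/ 8 digits:", totp(SEED, 59, digits=8))
    print("single-guess success probability, window 10:", guess_probability(10))
```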

A workflow is an onboarding process that involves identifying the roles and


permissions users need. A workflow is often a visual representation of an
organization, oraganized by permissions and account types.

Offboarding is the process by which accounts are deleted or disabled. When


personnel no longer need access to specific resources, permissions are
withdrawn.
User Account Control (UAC) is a Windows-specific function that prevents
users from invoking administrative privileges without specific authorization.

Privilege bracketing is an account management practice that involves giving
users permissions to a resource for the duration of a specific project or need-to-
know situation.

Local groups are not an Active Directory scope. Domain local is an Active
Directory scope, but local groups, when configured on a workstation, apply only
to that particular workstation. Domain local groups assign rights to
resources in their own domain.

Domain local groups in an Active Directory can assign rights to resources
within that same domain. Accounts from any trusted domain can be a member
of a domain local group.

Global groups are essentially the opposite in scope from domain local groups.
Global groups can contain only accounts from the same domain, but can
access resources and assign rights within any trusted domain.

Universal groups can contain accounts from any trusted domain and access
resources and grant permissions to any object in any trusted domain.

Domain local groups can assign rights to resources within the same domain
only, but accounts from any trusted domain can be a member of domain local
groups. Global groups can only contain accounts from the same domain, but
can assign rights to resources in any domain. These two groups have
essentially opposite scopes.

Organization size does not define the scope of domain local or global groups.
Smaller organizations may only need to employ global groups because they
operate on only one domain, but this decision is up to the organization.

Domain local and global groups assign rights in different domains. Domain
local groups can assign rights within the same domain only, while global
groups can assign rights in any trusted domain.

Domain local and global groups are different both in the accounts they contain
and in the permissions they grant. They serve essentially opposite functions.
Domain local groups assign rights in the same domain and trust accounts
from any domain. Global groups contain accounts from only one domain but
assign rights to resources in any trusted domain.

Excessive bandwidth usage is indicative of the spread of malware throughout
the system, or of a possible attempt to exfiltrate data by a malicious actor.

Indications of a backdoor installation will likely appear in an audit log as
unscheduled changes or attempted changes to a system’s configuration.
Bandwidth consumption usually indicates malware or data exfiltration.

An attempt to cover one’s tracks may appear as gaps or alterations in an event
log, or as sequencing errors in an audit, rather than as bandwidth consumption.
Unusual bandwidth usage could indicate that an unauthorized program is running.

A password cracking attempt will appear in an audit log as multiple
authentication failures. Password policies that offer unrestricted login
attempts are particularly vulnerable to this type of attack, but it will not
consume massive amounts of bandwidth.

Microsoft’s rule, “Accounts go into Global groups, which go into Domain Local
groups, which get Permissions” (AGDLP) applies. This system provides a
framework for placing users into Global groups based on their roles, then
those groups are assigned to domain local groups (which have local resource
permissions). This model is scalable and secure.

Only assigning domain local groups is not a very specific method of grouping
individual users, and in a large organization, finer-tuning is required.

Universal groups can be comprised of accounts from multiple trusted
domains, and used to grant permissions to any object within any trusted
domain. Global groups can only contain accounts from the same domain, but
can be used to assign rights to any trusted domain’s resources. Universal
groups are more, not less, permissive.
This sequence does not place groups in a logical hierarchy for permissions
granting. Permissions should narrow from more to less permissive in scope.

Question: A system administrator conducts an audit and notices several anomalous log entries.
The audit seems to indicate an anonymous user making changes to host processes.
Analyze the audit findings and determine the probable cause of these anomalous
entries.

Options:
A local service account has gained escalated privileges
A local service account has accessed network resources
A system account made unscheduled changes to the operating system
A system account has gained escalated privileges

Correct answer: A local service account has gained escalated privileges

What you need to know:
A local service account presents itself to the network as an anonymous user, so an
anonymous user making changes to host processes may indicate that a local service
account has gained escalated privileges.

A system account has the most privileges; it creates the host processes the computer
runs and is authorized to make changes to the operating system. This is not likely the
cause of the log anomaly.

Local system accounts can access the network as anonymous users. In isolation, the fact
that these accounts have such access is not reason for concern.

System accounts possess the highest existing privileges of any account, and therefore
cannot gain escalated privileges.

Question: The following troubleshooting tasks are relevant for authentication issues,
EXCEPT:

Options:
Verify authentication servers are connected to and communicating with the
network
Verifying date/time settings are synchronized between servers and clients
Verify the user’s credentials are valid and readable by the authentication
mechanism
Verifying a user is who they say they are and have authorization to
use the resource

Correct answer: Verifying a user is who they say they are and have authorization to
use the resource

What you need to know:
Verifying a user’s identity and authorizations should take place before
authentication is an issue. Authentication troubleshooting should entail those
issues directly related to authentication, such as authentication server
communication, date/time setting synchronization, and credential
compatibility.

Verifying the date and time setting is a valid troubleshooting task for an
authentication issue. If servers and clients are too far out of sync, credentials
offered will not be considered valid.

User credentials and the credential reading mechanism should be compatible.


If a user tries to present a Public Key Infrastructure (PKI) key to a Kerberos
authentication system, the two systems do not communicate properly, as they
do not speak the same language.

To ensure all systems are online and able to communicate, verifying the
authentication server’s connection and communication with the network is a
pertinent troubleshooting task.

Question: A large company recently reviewed their password management policy and
published several updated policies. Upon review, all of these policies are
problematic EXCEPT?

Options:
Users will be locked out after two incorrect password entries
A password cannot match any of the past 100 passwords used
Passwords must be changed every 30 days
Passwords cannot contain the username in any configuration

Correct answer: Passwords cannot contain the username in any configuration

What you need to know:
The recommendation for a password not containing the username in any
configuration is sound. A username should not be used as a password.

100 passwords would cover a significant amount of time, so this policy is
overly cautious and restrictive for a standard user. Microsoft systems only
store the last 24 passwords, so the policy is only enforceable within the
system’s limitations.

Requiring users to change their passwords every 30 days is part of many
standard password policies, but changing passwords with such frequency may
lead to problems with users writing down passwords or storing them in
unsecure spreadsheets to remember them, opening them to social engineering
attacks.

Password lockout requires balancing the need for security and the need for
access. A standard lockout number is three attempts. Any fewer than three
may lead to an increased workload of unlocking accounts.
UAC helps prevent mundane use of administrative accounts by requiring
specific authorization. It does not necessarily prevent escalation of privileges.

Question: Why is it recommended not to use the default administrator account for
routine administration, even after it has been renamed?

Correct answer: The principle of least privilege suggests it may have inappropriate
privileges for the task at hand

Least privilege applies to all users, including administrators. Likely, this
default account has permissions the users do not need for their routine tasks,
so these permissions are more secure if held in disabled admin accounts.

This is not a true statement; it is wise to change the name of a default account
and create misleading “dummy accounts” to make it more difficult to find the
true admin account.

Ordinary users do not have access to this account.

It is best practice to use the default administrator accounts only to install the
operating system (OS). Then they should be disabled. This makes it harder for
attackers to find and compromise an admin account. This is called generic
account prohibition.

Question: How does general account prohibition add a layer of safety to an Operating
System (OS)?

Correct answer: General account prohibition makes it harder to identify and
compromise an administrative account

Default administrator accounts should be disabled after being used to install
the Operating System (OS). Systems administrators should have separate
accounts for conducting administrative actions. This system helps protect
against compromise of administrative accounts.

General account prohibition does not specifically address backdoor attacks.

General account prohibition makes admin accounts harder to find and attack.
Administrative accounts may be disguised under an ordinary user account
name, but this does not protect against privilege escalation.

Assigning users to different account groups is part of the general account
maintenance and creation process. Administrative groups prohibit
unauthorized user access.

Question: Which of the following is NOT a common troubleshooting task performed for
a user having authentication issues?

Options:
Verifying a user is who they say they are and have authorization to
use the resource
Verifying date/time settings are synchronized between servers and clients
Verify the user’s credentials are valid and readable by the authentication
mechanism
Verify authentication servers are connected to and communicating with the
network

Correct answer: Verifying a user is who they say they are and have authorization to
use the resource

WHAT YOU NEED TO KNOW


Verifying a user’s identity and authorizations should take place before
authentication is an issue. Authentication troubleshooting should entail those
issues directly related to authentication, such as authentication server
communication, date/time setting synchronization, and credential
compatibility.

Verifying the date and time setting is a valid troubleshooting task for an
authentication issue. If servers and clients are too far out of synch, credentials
offered will not be considered valid.

User credentials and the credential reading mechanism should be compatible.


If a user tries to present a Public Key Infrastructure (PKI) key to a Kerberos
authentication system, the two systems do not communicate properly, as they
do not speak the same language.

To ensure all systems are online and able to communicate, verifying the
authentication server’s connection and communication with the network is a
pertinent troubleshooting task.
review correct answerskeep going

You might also like