Week 3 – AAA Security (Not Roadside Assistance)

1. How is authentication different from authorization?

Answers

·        Authentication is verifying access to a resource; authorization is verifying an identity.

·        Authentication is identifying a resource; authorization is verifying access to an identity.

·        They’re the same thing.

·        Authentication is verifying an identity; authorization is verifying access to a resource.

2. What are some characteristics of a strong password? Check all that apply.

Answers

·        Includes numbers and special characters

·        Is used across accounts and systems

·        Contains dictionary words

·        Is at least eight characters long

3. In a multi-factor authentication scheme, a password can be thought of as:

Answers

·        something you have.

·        something you use.

·        something you know.

·        something you are.

Explanation: A password is commonly one of the components of an authentication method known as multi-factor authentication (MFA). When verifying a user's identity, multi-factor authentication uses two or more different authentication techniques, known as factors.

A password serves as the "something you know" factor in multi-factor authentication. To raise the level of security, this knowledge-based factor is combined with at least one additional factor drawn from one of the other categories. This strategy reduces some of the risks of authenticating users on the basis of passwords alone.

4. What are some drawbacks to using biometrics for authentication? Check all that apply.

Answers

·        Biometric authentication is difficult or impossible to change if compromised.

·        Biometrics are easy to share.

·        There are potential privacy concerns.

·        Biometric authentication is much slower than alternatives.

5. In what way are U2F tokens more secure than OTP generators?

Answers

·        They can’t be cloned.

·        They’re password-protected.

·        They’re cheaper.

·        They’re resistant to phishing attacks.

Explanation: One-time password (OTP) generators and Universal 2nd Factor (U2F) tokens are both ways of giving extra authentication factors; however, U2F tokens provide some security benefits over standard OTP generators.

Even though U2F tokens have these benefits when it comes to security, it is important to keep in mind that both U2F and OTPs provide an extra layer of protection in addition to passwords. It is possible that selecting one over the other will rely on the particular use case, personal preferences of the user, and the overall security needs of the system.

6. What elements of a certificate are inspected when a certificate is verified? Check all that apply.

Answers

·        Trust of the signatory CA

·        “Not valid before” date

·        Certificate key size

·        “Not valid after” date

7. What is a CRL?

Answers

·        Certificate Revocation List

·        Certificate Recording Language

·        Caramel Raspberry Lemon

·        Certified Recursive Listener

Explanation: The acronym "CRL" stands for "certificate revocation list," and it refers to a list of digital certificates that have had their validity revoked by the issuing Certificate Authority (CA) before the date that was originally set for their expiry. The Certificate Revocation List (CRL) makes it possible for organizations, such as web browsers and other relying parties, to determine whether or not a particular certificate is still valid.

CRLs are a commonly used technique for tracking the revocation status of certificates; an alternative, the Online Certificate Status Protocol (OCSP), enables real-time status checking without depending on the periodic download of CRLs. This protocol was developed by Microsoft. The choice between CRL and OCSP is usually driven by the particular needs of the system and by the trade-off between offline checking and real-time responsiveness.
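As an added example that is not part of the original quiz page, the checks from questions 6 and 7 written as a small Python verifier: trust in the signing CA, the "not valid before" and "not valid after" dates, and a lookup in the issuing CA's CRL, including the case where the CRL itself is past its next-update time and so cannot answer. The Certificate and CRL classes, the CA name, the serial numbers and the dates are all constructed for this example; verifying the CA's signature over the certificate with the CA's public key is assumed to happen alongside the issuer lookup and is not modelled.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Certificate:
    subject: str
    issuer: str           # name of the CA that signed this certificate
    serial: int
    not_before: datetime  # "not valid before"
    not_after: datetime   # "not valid after"


@dataclass(frozen=True)
class CRL:
    issuer: str
    revoked_serials: frozenset
    next_update: datetime  # after this time the list is stale and must not be trusted


def at(year, month, day):
    """Helper: a timezone-aware UTC date for constructing sample data."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def check_certificate(cert, trusted_cas, crls, now):
    """Return the reasons the certificate must be rejected; an empty list means accept.

    Policy chosen for this example: a missing or stale CRL fails closed, because a
    verifier that cannot learn the revocation status should not assume "not revoked".
    """
    problems = []
    if cert.issuer not in trusted_cas:
        problems.append("issuer CA is not trusted")
    if now < cert.not_before:
        problems.append("certificate not yet valid")
    if now > cert.not_after:
        problems.append("certificate expired")
    crl = crls.get(cert.issuer)
    if crl is None:
        problems.append("no CRL for issuer; revocation status unknown")
    elif now > crl.next_update:
        problems.append("CRL is stale; revocation status unknown")
    elif cert.serial in crl.revoked_serials:
        problems.append("certificate revoked by issuing CA")
    return problems


# Constructed sample data (not from the page): one trusted CA, a good client
# certificate, a revoked one, and a CRL that is current until the end of 2024.
EXAMPLE_CA = "Example Root CA"
EXAMPLE_CERT = Certificate("alice@example.com", EXAMPLE_CA, 1001, at(2024, 1, 1), at(2025, 1, 1))
REVOKED_CERT = Certificate("mallory@example.com", EXAMPLE_CA, 2002, at(2024, 1, 1), at(2025, 1, 1))
EXAMPLE_CRLS = {EXAMPLE_CA: CRL(EXAMPLE_CA, frozenset({2002}), at(2024, 12, 31))}

if __name__ == "__main__":
    for c in (EXAMPLE_CERT, REVOKED_CERT):
        print(c.subject, check_certificate(c, {EXAMPLE_CA}, EXAMPLE_CRLS, at(2024, 6, 1)) or "accepted")
```

The stale-CRL branch is the practical point behind the paragraph above: a CRL only answers for as long as it is current, so a verifier that cannot fetch a fresh copy has to decide between failing closed (as here) and failing open.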

8. What are the names of similar entities that a Directory server organizes entities into?

Answers

·        Clusters

·        Groups

·        Trees

·        Organizational Units

Explanation: A directory server usually arranges entities in a hierarchical structure called a Directory Information Tree (DIT). Within the DIT, similar items are gathered into containers or nodes referred to as directory entries or directory objects. Each entry in the DIT represents an entity (such as a person, device, or resource) and carries a set of attributes that describe that object's properties.

A DIT has a structure that is similar to that of a tree, with each node representing an entry and the characteristics that are associated with it. A naming standard such as the Distinguished Name (DN), which is used in the organization of the DIT, is used to provide a one-of-a-kind identifier for each directory item.

9. True or false: The Network Access Server handles the actual authentication in a RADIUS scheme.

Answers

·        True

·        False

Explanation: False. In a Remote Authentication Dial-In User Service (RADIUS) system, the Network Access Server (NAS) is the component that forwards authentication requests to the RADIUS server; the RADIUS server, not the NAS, performs the actual authentication.

10. True or false: Clients authenticate directly against the RADIUS server.

Answers

·        True

·        False

Explanation: RADIUS stands for Remote Authentication Dial-In User Service, and its name refers to the authentication process in which clients (such as users or devices requesting network access) identify themselves directly against a RADIUS server. This design supports centralized authentication and authorization, which makes it a useful tool for the effective management of access control in big networks. Although the NAS is responsible for facilitating communication between the client and the RADIUS server, the RADIUS server is the one responsible for actually making authentication choices.

11. What does a Kerberos authentication server issue to a client that successfully authenticates?

Answers

·        An encryption key

·        A ticket-granting ticket

·        A master password

·        A digital certificate

Explanation: A ticket-granting ticket, also known as a TGT, is given to a client by a Kerberos authentication server once the client has successfully authenticated themselves with the server. The Ticket Granting Ticket (TGT) is an essential part of the Kerberos authentication procedure and is used by the client in order to request service tickets in order to get access to certain services available throughout the network.

12. What advantages does single sign-on offer? Check all that apply.

Answers

·        It reduces the total number of credentials.

·        It enforces multifactor authentication.

·        It reduces time spent authenticating.

·        It provides encrypted authentication.

13. What does OpenID provide?

Answers

·        Certificate signing

·        Digital signatures

·        Authentication delegation

·        Cryptographic hashing

Explanation: Users are able to sign in to a variety of websites or services with just one set of credentials thanks to OpenID, which is a decentralized authentication mechanism. OpenID was created with the main intention of streamlining the authentication procedure and doing away with the need placed on users to generate and remember numerous usernames and passwords for the many online services they use.

14. What role does authorization play?

Answers

·        It determines whether or not an entity has access to a resource.

·        It verifies passwords.

·        It verifies an entity’s identity.

·        It provides strong encryption.

Explanation: Authorization is central to a system's overall access control and security strategy. It is the process of determining whether a user, system, or entity has the appropriate permissions to perform a certain action, access a particular resource, or carry out a given operation within a system or application. Thanks to authorization, users can only reach the resources and capabilities they have been expressly granted permission to use.

15. What does OAuth provide?

Answers

·        Confidentiality

·        Secure communications

·        Access delegation

·        Integrity

Explanation: OAuth, which stands for "Open Authorization," is both a standard and a protocol that is freely available to everyone. It serves as a framework for granting safe and delegated access to various resources. It is usual practice to make use of OAuth in order to provide access to a user's resources to third-party apps without disclosing the credentials of the user. It is used extensively in situations in which users desire to allow restricted access to their resources on one site (referred to as the "resource server") to another site or application (referred to as the "client") without explicitly providing their credentials with the latter.

16. How is auditing related to accounting?

Answers

·        Accounting is reviewing records, while auditing is recording access and usage.

·        Accounting is recording access and usage, while auditing is reviewing these records.

·        They’re not related.

·        They’re the same thing.

17. What is an example of a screen lock method?

Answers

·        OS updates

·        Facial recognition

·        Device encryption

·        Firewalls

Explanation: Using a PIN (Personal Identification Number) to protect a device is one example of a screen lock approach. With this approach, users must enter a numeric PIN to unlock the device and access the information stored on it. The PIN is normally a string of digits, and its primary function is to act as a form of authentication that prevents unwanted access.

18. What is a common mobile device security threat?

Answers

·        SQL Injection

·        DDoS

·        Insecure Wi-Fi and “meddler-in-the-middle” attacks

·        Zero-day attacks

Explanation: The existence of harmful software, more frequently referred to as "malware," is one of the most prevalent threats to the security of mobile devices. Malware is any program that has been developed with the explicit intent to damage, exploit, or otherwise compromise the operation of a mobile device. This malware may come in a variety of forms.


19. Fill in the blank: In the world of AAA security, “authz” is short for _____.

Answers

·        authoritarian

·        authorization

·        authored

·        authentication

Explanation: Within the realm of AAA security, the term "authz" is an abbreviation for the word "Authorization."

20. In the three A’s of security (AAA), what is the process of proving who you claim to be?

Answers

·        Authentication

·        Authored

·        Authorization

·        Accounting

Explanation: Authentication is the step in the three-part "AAA" security model that involves demonstrating that you are who you say you are. A person or organization must first prove their identity through the authentication process before being granted access to a computer system, a network, or a resource; this is the first step in the security process. Authentication techniques range from passwords and biometrics to smart cards and tokens, all of which are used to determine whether a user's claimed identity is legitimate.

21. Which of the following are valid multi-factor authentication factors? Select all that apply.

Answers

·        Something you have

·        Something you know

·        Something you did

·        Something you are

22. Which of the following might serve as a multifactor authentication mechanism when used along with a password? Select all that apply.

Answers

·        PIN

·        Passphrase

·        Bank card

·        Fingerprint

Explanation: A multifactor authentication (MFA) solution may be created by combining a password with one or more of these other factors. This technique increases the level of security provided by the authentication process: users must present several pieces of evidence to verify their identities, which makes it far more difficult for unauthorized users to gain access.

23. If an organization wants to issue and sign client certificates, what will it need to set up?

Answers

·        A CA infrastructure

·        An LDAP infrastructure

·        An ID infrastructure

·        A CRL infrastructure

Explanation: In order for a company to be able to issue and sign client certificates, the company will normally need to set up what is known as a Public Key Infrastructure (PKI). A public key infrastructure (PKI) is a framework that comprises the rules, procedures, roles, and technology required for the safe administration of digital keys and certificates.

An organization may issue and sign client certificates after setting up a PKI using these components, which enables safe authentication and communication between clients and servers. Additionally, an organization can issue and sign its own certificates. The public key infrastructure (PKI) guarantees the validity, integrity, and secrecy of the digital certificates that are used in the authentication process.

24. In LDAP language, what do we call the folder an object belongs to?

Answers

·        A distinguished name (DN)

·        An organizational unit (OU)

·        TLS

·        A data information tree

Explanation: In LDAP (Lightweight Directory Access Protocol) terminology, the container or folder to which an entry belongs is identified by a "Distinguished Name" (DN). The Distinguished Name of an entry within the LDAP directory both gives the hierarchical path to that entry and identifies it uniquely.

The distinguished name (DN) is made up of a sequence of relative distinguished names (RDNs), each of which represents a container or organizational unit (OU) in the hierarchy leading up to the entry. Each RDN is composed of an attribute and the value that corresponds to that attribute. The full DN of an LDAP entry is obtained by concatenating all of the RDNs along the path through the hierarchy.
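As an added example that is not from the original page, a small Python parser for the DN structure just described: it splits a DN into its RDNs on unescaped commas (honouring RFC 4514 backslash escapes), returns the DN of the parent container, and finds the nearest organizational unit above the entry. The sample DNs, including the one with an escaped comma in a value, are constructed for this example.

```python
def split_dn(dn: str) -> list:
    """Split an LDAP DN into its RDN strings.

    Commas separate RDNs, but a comma preceded by a backslash is part of the
    value (RFC 4514 escaping), so the split must track the escape state.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns


def parse_rdn(rdn: str):
    """Return (attribute type, value); attribute types are case-insensitive."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError("malformed RDN: %r" % rdn)
    return attr.strip().lower(), value


def parent_dn(dn: str) -> str:
    """DN of the container holding the entry: every RDN after the first one."""
    return ",".join(split_dn(dn)[1:])


def containing_ou(dn: str):
    """Value of the nearest OU above the entry, or None if there is no OU."""
    for rdn in split_dn(dn)[1:]:
        attr, value = parse_rdn(rdn)
        if attr == "ou":
            return value
    return None


# Constructed sample DNs (not from the page).
SAMPLE_DN = "cn=Alice Smith,ou=Engineering,ou=Staff,dc=example,dc=com"
ESCAPED_DN = "cn=Smith\\, Alice,ou=Sales,dc=example,dc=com"   # value contains an escaped comma

if __name__ == "__main__":
    for dn in (SAMPLE_DN, ESCAPED_DN):
        print(dn, "->", parent_dn(dn), "| OU:", containing_ou(dn))
```

The escaped-comma case is the one to watch: a naive `dn.split(",")` would treat ` Alice` as an RDN and report the wrong container, which matters whenever an authorization decision is keyed on the OU an entry sits in.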

25. Fill in the blank: The authentication server is to authentication as the ticket granting service is to _____.

Answers

·        integrity

·        identification

·        authorization

·        verification

Explanation: The authentication server handles authentication, just as the ticket granting service handles authorization.

26. Consider the following scenario: Multiple client switches and routers have been set up at a small military base. The network team decided to implement Terminal Access Controller Access-Control System Plus (TACACS+), along with Kerberos, and an external Lightweight Directory Access Protocol (LDAP) service. What is the primary reason TACACS+ was chosen for this?

Answers

·        NIPRNet

·        Network access

·        *A: Device administration

·        Single Sign-On

27. Consider the following scenario: A network admin deployed a Terminal Access Controller Access Control System Plus (TACACS+) system so other admins can properly manage multiple switches and routers on the Local Area Network (LAN). The system will keep track and log admin access to each device and the changes made. This “logging” satisfies which part of the three A’s of security?

Answers

·        Accounting

·        Authorization

·        Administration

·        Authentication

28. Which of the following is a way to define permissions or authorizations for objects?

Answers

·        Network access servers (NAS)

·        Extensible authentication protocols

·        Access control lists (ACL)

·        Access control entries

 

Explanation: An Access Control List (ACL) is one method of specifying rights or authorizations for objects. An ACL is a collection of rules or entries that specify which users or system processes are granted access to a resource (such as a file, directory, or network device) and which activities are allowed or forbidden. The ACL is attached to the resource it protects.

Shuffle Q/A 1

29. Fill in the blank: _____ is the idea of describing an entity uniquely.

Answers

·        Eligibility

·        Validity

·        Authorization

·        Identification

Explanation: The process of distinguishing one thing from all other like things is known as identification.

30. Which of the following passwords is the strongest for authenticating to a system?

Answers

·        P@55w0rd!

·        P@ssword!

·        P@w04d!$$L0N6

·        Password!

31. Which of the following are examples of "something you have" for multifactor authentication? Select all that apply.

Answers

·        RSA SecureID token

·        One-Time-Password (OTP)

·        Password

·        PING

 

32. Fill in the blank: In addition to the client being authenticated by the server, certificate authentication also provides _____.

Answers

·        server authentication

·        malware protection

·        authorization

·        integrity

Explanation: Certificate authentication offers mutual authentication, also known as two-way authentication, in addition to the server verifying the client's identity before proceeding with the authentication process. With mutual authentication, not only does the server authenticate the identity of the client by using the client's certificate, but the client also checks the identity of the server by checking the server's certificate. This is done to guarantee that both parties are honest with one another. This kind of authentication works in both directions, providing a safe and reliable communication route between the two parties involved in a transaction.

33. Which of these are examples of an access control system? Select all that apply.

Answers

·        OpenID

·        RADIUS

·        TACACS+

·        OAuth

34. Which of the following are types of one-time-password tokens? Select all that apply.

Answers

·        Password-based

·        Counter-based

·        Identity-based

·        Time-based

35. Fill in the blank: Security Keys are more ideal than OTP generators because they are resistant to _____ attacks.

Answers

·        password

·        DDoS

·        brute force

·        phishing

Explanation: Security Keys are preferable to OTP generators because of their resistance to phishing attacks.

In a phishing attack, the target is typically tricked into divulging sensitive information, such as their login and password, which compromises their security. Security Keys thwart phishing because they are a physical device that requires the user's presence and active participation in the authentication process. In contrast, one-time-password (OTP) generators, particularly those that rely on codes delivered via SMS or email, may be vulnerable to phishing if users are deceived into entering the codes on fraudulent websites. Security Keys, which are often based on the FIDO (Fast Identity Online) standard, increase security by requiring the user to verify their identity in addition to physically possessing the key. This makes security keys more resistant to a variety of online attacks, including phishing.

36. How might a user protect the data on their mobile device if it is lost or stolen?

Answers

·        Refrain from updating apps

·        Remote wipes

·        Reporting the loss to an IT support specialist

·        Keep a spare device with all your data

 

37. Access control entries can be created for what types of file system objects? Select all that apply.

Answers

·        Files

·        APIs

·        Programs

·        Folders

Explanation: Access control entries (ACEs) can be created for a wide variety of file system objects. The particular kinds of objects supported vary by operating system and file system.
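An added example, not from the page, covering the ACL of question 28 and the ACEs of question 37 together: a Python evaluation of an object's access control list for a given user and their group memberships, where each entry names a principal, says whether it allows or denies, and lists the permissions it covers. The policy that an explicit deny overrides any allow regardless of order is the choice made for this example; the payroll-file ACL, user names and group names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ACE:
    """One access control entry on an object."""
    principal: str        # a user name or a group name
    allow: bool           # True = allow entry, False = deny entry
    permissions: frozenset


def effective_permissions(acl, user, groups):
    """Permissions `user` ends up with on the object protected by `acl`.

    An entry applies if it names the user or one of the user's groups.
    Policy for this example: any explicit deny overrides any allow, whatever
    the order of the entries, so the result is (all allowed) minus (all denied).
    """
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal == user or ace.principal in groups:
            (allowed if ace.allow else denied).update(ace.permissions)
    return frozenset(allowed - denied)


def is_permitted(acl, user, groups, permission):
    """Single yes/no authorization decision for one requested permission."""
    return permission in effective_permissions(acl, user, groups)


# Constructed sample ACL for a payroll spreadsheet (not from the page):
# finance staff may read and write, everyone may read, contractors are
# explicitly denied both even if they are also members of "everyone".
PAYROLL_ACL = (
    ACE("finance", True, frozenset({"read", "write"})),
    ACE("everyone", True, frozenset({"read"})),
    ACE("contractors", False, frozenset({"read", "write"})),
)

if __name__ == "__main__":
    for user, groups in (("alice", {"finance", "everyone"}),
                         ("bob", {"contractors", "everyone"}),
                         ("carol", {"everyone"})):
        print(user, sorted(effective_permissions(PAYROLL_ACL, user, groups)))
```

The contractor case shows why the deny entry exists: group membership in "everyone" would otherwise grant read access, and a defender reviewing an ACL should look for such overlapping grants before trusting the result.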

38. Fill in the blank: Authorization is concerned with determining _____ to resources.

Answers

·        eligibility

·        access

·        identity

·        validity

Explanation: The authorization process involves figuring out who is allowed to access certain resources.

39. Fill in the blank: Security Keys utilize a secure challenge-and-response authentication system, which is based on _____.

Answers

·        symmetric encryption

·        steganography

·        public key cryptography

·        shared secrets

Explanation: For authentication purposes, Security Keys make use of a tried-and-true method known as challenge-and-response, which is based on public-key cryptography.

40. What is used to request access to services in the Kerberos process?

Answers

·        Client-to-Server ticket

·        Ticket Granting Ticket

·        TGS session key

·        Client ID

 

Explanation: To request access to services using the Kerberos protocol, a Ticket-Granting Ticket, abbreviated as TGT, is required. During the first step of the authentication procedure, which takes place with the Key Distribution Center (KDC), the TGT is received. When a user has been authenticated and has obtained a TGT, they are able to request service tickets for certain services by presenting the TGT to the Ticket Granting Service (TGS). Users are able to get service tickets without having to re-enter their credentials if they have a TGT, which acts as confirmation of the user's identification.

Shuffle Q/A 2

41. What are the benefits of using a Single Sign-On (SSO) authentication service? Select all that apply.

Answers

·        One set of credentials for the user

·        Reduce time spent on re-authenticating to services

·        The need for multiple passwords

·        Reduce overhead of password assistance

42. Fill in the blank: In the world of AAA security, “authn” is short for _____.

Answers

·        authentication

·        authorization

·        authored

·        authoritarian

Explanation: The term "authentication" is shortened to "authn" inside the AAA security community.

43. Fill in the blank: Kerberos enforces strict _____ requirements. Otherwise, authentication will fail.

Answers

·        AES

·        strong password

·        LDAP

·        Time

Explanation: Kerberos has stringent requirements for accurate time synchronization. Otherwise, authentication will fail.

44. Consider the following scenario: A company is utilizing Google Business applications for their marketing department. These applications should be able to temporarily access a user's email account to send links for review. Why should the company use Open Authorization (OAuth) in this situation?

Answers

·        Gain access through a wireless access point

·        Compatibility with third party apps

·        Administer multiple network devices

·        Utilize a Key Distribution Center server

Explanation: Kerberos requires that the Key Distribution Center (KDC) and the clients have their clocks synchronized with one another. Authentication may fail if there is a considerable time gap between the two. This requirement helps prevent replay attacks and ensures that the authentication procedure is carried out with integrity. Clock synchronization is therefore an essential component of the Kerberos authentication protocol.
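As an added example that is not part of the page, the two server-side checks behind the time requirement from question 43 and the replay point in the paragraph above, in Python: a Kerberos-style authenticator carries the client's timestamp, the server rejects it if that timestamp is too far from its own clock, and a replay cache rejects a second presentation of the same (client, timestamp) pair. The five-minute skew limit is an assumption made for the example, not a value from the page, and the timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption for this example (not from the page): a five-minute maximum
# clock skew, a common default in Kerberos deployments.
MAX_CLOCK_SKEW = timedelta(minutes=5)


def utc(year, month, day, hour=0, minute=0, second=0):
    """Helper for building timezone-aware UTC timestamps in the example."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


class ReplayCache:
    """Remembers (client, authenticator timestamp) pairs seen inside the skew
    window. Older pairs can be forgotten because the skew check already rejects
    them; a bounded skew is what keeps the cache bounded."""

    def __init__(self, max_skew=MAX_CLOCK_SKEW):
        self.max_skew = max_skew
        self._seen = set()

    def _purge(self, now):
        cutoff = now - self.max_skew
        self._seen = {entry for entry in self._seen if entry[1] >= cutoff}

    def seen_before(self, client, ctime, now):
        """Record the pair and report whether it had already been presented."""
        self._purge(now)
        if (client, ctime) in self._seen:
            return True
        self._seen.add((client, ctime))
        return False


def accept_authenticator(client, ctime, now, cache, max_skew=MAX_CLOCK_SKEW):
    """Server-side decision for one authenticator.

    `ctime` is the client's timestamp from the authenticator and `now` is the
    server clock. Returns (accepted, reason).
    """
    if abs(now - ctime) > max_skew:
        return False, "clock skew too great"
    if cache.seen_before(client, ctime, now):
        return False, "replay: authenticator already used"
    return True, "ok"


if __name__ == "__main__":
    cache = ReplayCache()
    server_now = utc(2024, 6, 1, 12, 0, 0)
    stamp = utc(2024, 6, 1, 11, 59, 0)
    print(accept_authenticator("alice", stamp, server_now, cache))   # first use
    print(accept_authenticator("alice", stamp, server_now, cache))   # replayed
    print(accept_authenticator("alice", utc(2024, 6, 1, 11, 50, 0), server_now, cache))
```

The two checks depend on each other: without a skew limit the replay cache would have to remember every authenticator forever, and without the replay cache a captured authenticator would remain usable for the whole skew window. That is also why a client whose clock has drifted past the limit is refused rather than quietly accepted.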

45. What does a Terminal Access Controller Access Control System Plus (TACACS+) keep track of? Select all that apply.

Answers

·        Commands that were run

·        Bandwidth and resource usage

·        Systems users authenticated to

·        Track user authentication

46. What is a client certificate used for?

Answers

·        To authenticate the CA

·        To authenticate the client

·        To authenticate the subordinate CA

·        To authenticate the server

Explanation: Authentication may be accomplished via the use of a client certificate in a variety of contexts, including online transactions, encrypted conversations, and numerous network services. To be more specific, a client certificate is a digital certificate that validates the identity of a client (person, device, or program) to a server. This validation might take place via an encrypted connection.

47. Consider the following scenario: A network admin wants to use a Remote Authentication Dial-In User Service (RADIUS) protocol to allow 5 user accounts to connect company laptops to an access point in the office. These are generic users and will not be updated often. Which of these internal sources would be appropriate to store these accounts in?

Answers

·        Active Directory

·        LDAP

·        Flat file

·        SQL database
