CompTIA Security Plus Practice Exam

With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

Most access control systems are rule-based -- that is, they use a preset list of rules when deciding whether or not a user should have access to a resource; this is not specific to access control systems based on user role. Most networks use server-based access control to control access to network resources, however, local resources are typically under the control of the local machine. Neither is particularly unique to role-based access control. Some networks may use token-based access control, but that is not a requirement for role-based access control, either.

There is no such thing as a SAC (Subjective Access Control) list.

Authentication is accomplished through something you know, something you have and/or something you are. One form of authentication requires possession of something ("something you have") such as a key, a smart card, a disk, or some other device. Whatever form it takes, the authenticating item should be difficult to duplicate and may require synchronization with systems other than the one to which you are requesting access. Highly secure environments may require you to satisfy multiple authentication criteria to guarantee authenticity.

Something you know, would be a piece of data known only to you, such as a password. Something you are, would be a physical characteristic of you, like your fingerprint.

Authentication is accomplished through something you know, something you have and/or something you are. The canonical example of something you know is a password or pass phrase. You might type or speak the value. A number of schemes are possible for obtaining what you know. It might be assigned to you, or you may have picked the value yourself. Constraints may exist regarding the form the value can take, or the alphabet from which you are allowed to construct the value might be limited to letters only. If you forget the value, you may not be able to authenticate yourself to the system.

Something you have, would be a physical item you possess, such as a smartcard. Something you are, would be a personal characteristic of you, not a piece of information you know.

A honeypot is the correct answer because it is a technology used to simulate a network of vulnerable devices. It is designed to attract attackers and gather information about their techniques and tactics. By setting up a honeypot, organizations can study and analyze the behavior of attackers, identify vulnerabilities in their systems, and develop appropriate countermeasures to enhance their overall security.

Biometrics devices use physical characteristics to identify the user.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 18

Single Sign-on (SSO) is an authentication system where a unique username and password are used to access multiple systems within a company. With SSO, users only need to enter their credentials once and they can then access various systems and applications without having to re-authenticate each time. This improves user convenience and productivity, as well as simplifying administration and security management for the company.

Single sign-on (SSO) is a process where users can access numerous resources without needing multiple credentials. With SSO, users only need to authenticate once, usually with a username and password, and then they can access multiple applications or systems without needing to provide their credentials again. This simplifies the authentication process for users and improves efficiency by reducing the need to remember and manage multiple sets of credentials.

All logs collected are used in the active and passive monitoring process. All logs are kept on archive for a period of time, called a retention period. This period of time will be determined by your company policies. This allows the use of logs for regular audits, and annual audits if retention is longer then a year. Logs must be secured to prevent modification, deletion, and destruction.

Administrator preference is often used to determine certain things like how long logs are retained ... but since these decisions can affect the ability of the company to go back and research potential security issues, it is a corporate issue that should be governed by a deliberate policy statement.

MTTF and MTTR are not relevant to setting the time for which logs will be retained. MTTF (Mean Time To Failure, sometimes called MTBF, Mean Time Before Failure) is related to the average amount of time a piece of equipment will be in service before it fails. MTTR (Mean Time To Repair) is a measure of how long it will take to repair the equipment when it fails.

The administrator should log both logon successes and logon failures in order to effectively monitor and track any unauthorized access attempts or suspicious activity on the network. By logging both types of events, the administrator can identify potential security breaches and take appropriate actions to mitigate them. Logging only logon failures for non-existent users or only logon successes or only logon failures may not provide a comprehensive view of the network's security posture and may result in missed or delayed detection of security incidents.

The RBAC model allows a user to act in a certain predetermined manner based on the role the user holds in the organization. Users can be assigned certain roles system wide.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12

Mandatory Access Control is a strict hierarchical model usually associated with governments. All objects are given security labels known as sensitivity labels and are classified accordingly. Then all users are given specific security clearances as to what they are allowed to access.

RADIUS (Remote Authentication Dial-In User Service) lowers administration costs and increases security by having a centralized database for authenticating remote users. PAP is the simplest of authentication protocols, which uses clear text.

The correct answer is the Multifactor authentication model. This model uses a combination of two or more authentication factors, such as a smart card and a User ID/Password, to verify the identity of a user before granting access to network resources. This adds an extra layer of security compared to using a single factor authentication method.

The concept of least privilege is about providing access to information that is necessary to complete a specific task. It is not based on the sense of urgency from management or the tenure at the company. Additionally, it does not involve giving access to information that may be revealed to the public. Therefore, the correct answer is that access should be given based on what is needed to complete the task.

Each distinct department (sales, marketing, management, and production) has their own role in the company, which probably includes using the: filer server, print server, and mail server. So it would be wise to create roles for each department.

The actual verification of a client's identity is done by validating an authenticator. The authenticator contains the client's identity and a timestamp. To insure that the authenticator is up-to-date and is not an old one that has been captured by an attacker, the timestamp in the authenticator is checked against the current time. If the timestamp is not close enough to the current time (typically within five minutes) then the authenticator is rejected as invalid. Thus, Kerberos requires your system clocks to be loosely synchronized (the default is 5 minutes, but it can be adjusted in Version 5 to be whatever you want).

Reference: http://www.faqs.org/faqs/kerberos-faq/general/section-22.html

Biometrics These technologies are becoming more reliable, and they will become widely used over the next few years. Many companies use smart cards as their primary method of access control. Implementations have been limited in many applications because of the high cost associated with these technologies. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 265

Passwords should be easy to memorize, because that minimizes the chance that users will write the password down somewhere that others could see it.

Passwords should not be the same as the user ID, because that is one of the common passwords that common "password cracker" programs try, when attempting to discover passwords for accounts. Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed then the account must be disable until reset by an administrator or the help desk. Password reuse is not allowed (rotating passwords).

The presence of an undocumented login that does not require authentication against the domain poses a security issue because it can be used as a backdoor into the company's databases. This means that unauthorized individuals could potentially gain access to sensitive information or manipulate the data without proper authentication or authorization.

The MAC model is a static model that uses a predefined set of access privileges to files on the system. The system administrator establishes these parameters and associates them with an account, files or resources. The MAC model can be very restrictive.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 11

In a Role Based Access Control (RBAC) model, users are assigned access rights based on their function within the organization. This means that users are granted permissions based on their specific roles or job functions, rather than individual identities. RBAC allows for more efficient and streamlined access management, as it simplifies the process of assigning and revoking permissions by linking them to predefined roles.

Mutual authentication is the method that should be used to ensure that both the user and the server can authenticate each other. This method requires both parties to present valid credentials to verify their identities. By using mutual authentication, the server can confirm that the user is who they claim to be, and the user can also verify the authenticity of the server. This helps to establish a secure and trusted connection between the user and the server.

Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects' rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended. Under this type of control, the owner determines who has access and what privilege they have.

If the end users of resources had control of who had access and what privileges they have, they would be able to access any resource, because they'd have the ability to change access controls at will. If only the administrators controlled access to resources, it would be a major job duty (as well as a bureaucratic bottleneck for users) that would take time away from other administrative activities.

The correct answer is to make use of the Kerberos authentication method. Kerberos is a network authentication protocol that relies on a trusted third-party authentication server. This server allocates tickets to users, which they can then use to access various services and resources on the network. The tickets are encrypted and provide a secure way to authenticate users without revealing their passwords to individual services. This method is widely used in enterprise environments to ensure secure authentication and authorization.

Explanation: Ensuring least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges couldn't be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC (role based access control), enforced minimum privileges for general system users can be easily achieved.

Netscape, Oracle, and Sun Microsystems have announced an alliance to ensure that their extranet products can work together by standardizing on JavaScript and the Common Object Request Broker Architecture (CORBA). Microsoft supports the Point-to-Point Tunneling Protocol (PPTP) and IPSec.

CORBA and DCOM are programming technologies.

The DAC model allows the owner of a resource to establish privileges to the information they own. The DAC model would allow a user to share a file or use a file that someone else has shared. The DAC model establishes an ACL that identifies the users who have authorization to that information. This allows the owner to grant or revoke access to individuals or groups of individuals based on the situation. This model is dynamic in nature and allows information to be shared easily between users.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12

Sensitivity labels are used in a Mandatory Access Control (MAC) environment to determine the level of sensitivity or classification of data. These labels are assigned to resources and users, and access decisions are made based on these labels. In a MAC environment, the access to resources is strictly controlled and determined by the sensitivity labels assigned to them. Access control lists, group membership, and ownership are not specific to MAC environments and can be used in other access control models as well.

The correct answer is the Mandatory Access Control (MAC) access control model. This model assigns sensitivity labels to users and their data, allowing access to be determined by the security levels assigned to both the user and the data. Unlike the Discretionary Access Control (DAC) model, where access is controlled by the owner of the resource, MAC enforces access based on predefined rules and policies set by the system administrator. Similarly, the Role Based Access Control (RBAC) and Rule Based Access Control (RBAC) models do not specifically assign sensitivity labels to users and their data.

The correct answer is 65,535. TCP/IP has 65,535 ports, and each port is associated with a specific service or application. Some of these ports are commonly used and well-known, while others are used for more specialized purposes. Attackers can scan, exploit, or attack these ports to gain unauthorized access or disrupt the functioning of a system or network. Therefore, all 65,535 ports in TCP/IP are potentially vulnerable to such activities.

Mandatory Access Control (MAC) is a type of access control that is based on security labels assigned to every data item and every user. This means that access to resources is determined by the security labels rather than the user's discretion or role. MAC ensures that access is granted or denied based on predefined rules and policies, which are typically set by system administrators or security officers. This helps to enforce strict control over the flow of information and prevents unauthorized access or data leakage.

Biometrics is the use of authenticating a user by scanning on of their unique physiological body parts. Just like in the movies, a user places their hand on a finger print scanner or they put their eyes against a retinal scanner. If the image matches what's on the database, it authenticates the user. Since a persons fingerprint, blood vessel print, or retinal image is unique the only way the system can authenticate is if the proper user is there. The only way an unauthorized user to get access is to physically kidnap the authorized user and force them through the system. For this reason, biometrics are the strongest (and the costliest) for of authentication.

Message authentication codes (MACs) are cryptographic algorithms that are used to provide integrity to messages. They ensure that the message has not been tampered with during transmission or storage. By generating a unique code or tag for each message, MACs allow the recipient to verify the integrity of the message by comparing the generated code with the received code. This helps to detect any unauthorized modifications or alterations to the message. Therefore, the correct answer is that message authentication codes are used to provide the Integrity service.

When an attacker captures part of a communication and later sends the communication segment to the server pretending to be the user, it is known as a replay attack. In a replay attack, the attacker intercepts and records a legitimate communication, and then replays it at a later time to deceive the server into thinking it is a genuine request from the user. This type of attack can be used to gain unauthorized access or perform malicious actions on the server.

Reusing a ticket as a replay attack in Kerberos would not be successful because the tickets are time stamped. This means that each ticket has a specific timestamp indicating when it was issued. When a ticket is presented, the Kerberos server checks the timestamp to ensure that it is within an acceptable time range. If the ticket is expired or outside the valid time range, it is considered invalid and the replay attack would fail.

A DNS (Domain Name Service) server requires port 53. The DNS server uses this port to receive and respond to DNS queries from clients. Port 53 is specifically assigned for DNS communication, allowing the server to listen for incoming requests and provide the corresponding IP addresses for domain names.

Mandatory Access Control is a strict hierarchical model, first developed by governments and it is based on classifying data on importance and categorizing data by department. Users receive specific security clearances to access this data. For instance, the most important piece of data would have the highest classification, where only the President would of that department would have access; while the least important resources would be classified at the bottom where everyone in the organization including the janitors could access it.

The correct answer is the Mandatory Access Control (MAC) model. This model uses security labels connected to the objects to determine access control. In MAC, access decisions are based on the sensitivity level of the object and the clearance level of the user. Users are only granted access to objects with matching or lower sensitivity levels. This model is commonly used in high-security environments where strict access control is necessary.

Multifactor authentication requires the user to provide multiple forms of identification, such as a username, password, and a thumbprint scan. This ensures a higher level of security for accessing a workstation as it combines different factors to verify the user's identity. Biometric authentication only includes the thumbprint scan and does not require a username and password. Kerberos authentication is a network authentication protocol and does not involve a thumbprint scan. Mutual authentication is a process where both the client and the server verify each other's identities and does not necessarily involve a thumbprint scan. Therefore, the Multifactor authentication is the most appropriate choice for this scenario.

A common authentication technique whereby an individual is prompted (the challenge) to provide some private information (the response). Most security systems that rely on smart cards are based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in. Reference: http://www.webopedia.com/TERM/C/challenge_response.html

Trojan Horse attacks - This attack involves a rogue, Trojan horse application that has been planted on an unsuspecting user's workstation. The Trojan horse waits until the user submits a valid PIN from a trusted application, thus enabling usage of the private key, and then asks the smartcard to digitally sign some rogue data. The operation completes but the user never knows that their private key was just used against their will.

Physical attacks involve physical access to hardware such as a network cable or keyboard. Social engineering attacks are based on taking advantage of human interaction rather than technology itself. (Frequently, social engineering attacks don't even require access to a computer.) There is no such thing as a "logical" attack, although many attacks do involve the use of logic to figure out how an application works and where its security vulnerabilities may be.

Social Engineering attacks: in computer security systems, this type of attack is usually the most successful, especially when the security technology is properly implemented and configured. Usually, these attacks rely on the faults in human beings. An example of a social engineering attack has a hacker impersonating a network service technician. The serviceman approaches a low-level employee and requests their password for network servicing purposes. When using smartcards instead of passwords, this type of attack is a bit more difficult. Most people would not trust an impersonator wishing to have their smartcard and PIN for service purposes.

Logical, physical and Trojan horse attacks are often much less successful when security is properly implemented on a network.

A performance baseline is a benchmark or standard that represents normal or optimal performance for a system. By establishing a baseline, any deviations from this normal performance can be identified and investigated. In the context of security, performance anomalies could indicate potential security breaches or attacks. Therefore, a performance baseline is most useful for detecting performance anomalies that may be due to security breaches. This allows organizations to identify and respond to potential security incidents in a timely manner.

Network-based IDSs cannot analyze encrypted information. This problem is increasing as more organizations (and attackers) use virtual private networks. Most network-based IDSs cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a network-based IDS detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.

Access control lists enable devices in your network to ignore requests from specified users or systems, or grant certain network capabilities to them. ACLs allow a stronger set of access controls to be established in your network. The basic process of ACL control allows the administrator to design and adapt the network to deal with specific security threats.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 235

The word lattice is used to describe the upper and lower level bounds of a user' access permission.

Mandatory Access Control (MAC) is an access control model that makes use of subject and object labels. It enforces access control based on predefined security policies and assigns labels to both subjects (users) and objects (resources). These labels determine the level of access that subjects have to objects. MAC ensures that access decisions are made based on the labels assigned to subjects and objects, rather than the discretion of individual users (as in Discretionary Access Control) or their roles (as in Role Based Access Control).

RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links and a shared Authentication Server. RADIUS uses a centralized database for simplified management. RADIUS is a standard published in RFC2138 as mentioned above.

The other protocols listed are network communication protocols, not authentication protocols responsible for carrying traffic between a NAS and an Authentication Server.

The DAC model allows the owner of a resource to establish privileges to the information they own. The DAC model would allow a user to share a file or use a file that someone else has shared. The DAC model establishes an ACL that identifies the users who have authorized to that information. This allows the owner to grant or revoke access to individuals or group of individuals based on the situation. This model is dynamic in nature and allows information to be shared easily between users.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12