CompTIA Security+ Practice Exam: Quiz!

Authentication is accomplished through something you know, something you have and/or something you are. One form of authentication requires possession of something ("something you have") such as a key, a smart card, a disk, or some other device. Whatever form it takes, the authenticating item should be difficult to duplicate and may require synchronization with systems other than the one to which you are requesting access. Highly secure environments may require you to satisfy multiple authentication criteria to guarantee authenticity.

Something you know, would be a piece of data known only to you, such as a password. Something you are, would be a physical characteristic of you, like your fingerprint.

There is no such thing as a SAC (Subjective Access Control) list.

The administrator should log both logon successes and logon failures in order to enable network auditing policies. This will provide a comprehensive record of all logon activities, allowing the administrator to monitor and investigate any unauthorized access attempts or suspicious activities. By logging both successes and failures, the administrator can identify potential security breaches and take appropriate actions to mitigate them.

With role-based access control, access decisions are based on the roles that individual users have as part of an organization. Users take on assigned roles (such as doctor, nurse, teller, manager). The process of defining roles should be based on a thorough analysis of how an organization operates and should include input from a wide spectrum of users in an organization.

Most access control systems are rule-based -- that is, they use a preset list of rules when deciding whether or not a user should have access to a resource; this is not specific to access control systems based on user role. Most networks use server-based access control to control access to network resources, however, local resources are typically under the control of the local machine. Neither is particularly unique to role-based access control. Some networks may use token-based access control, but that is not a requirement for role-based access control, either.

A honeypot is the correct answer because it is a technology used to simulate a network of vulnerable devices in order to attract and deceive attackers. It is designed to lure attackers into interacting with the system, allowing security professionals to monitor their activities and gather information about their tactics and techniques. By studying the attackers' behavior, organizations can better understand their vulnerabilities and develop strategies to protect against them.

Each distinct department (sales, marketing, management, and production) has their own role in the company, which probably includes using the: filer server, print server, and mail server. So it would be wise to create roles for each department.

The correct answer is "You should make use of the Mandatory Access Control (MAC) model." In the MAC model, security labels are assigned to objects and subjects. These labels determine the access rights and permissions for each subject based on the classification and security level of the object. This model ensures that access control decisions are made by a central authority rather than the discretion of individual users or roles.

Authentication is accomplished through something you know, something you have and/or something you are. The canonical example of something you know is a password or pass phrase. You might type or speak the value. A number of schemes are possible for obtaining what you know. It might be assigned to you, or you may have picked the value yourself. Constraints may exist regarding the form the value can take, or the alphabet from which you are allowed to construct the value might be limited to letters only. If you forget the value, you may not be able to authenticate yourself to the system.

Something you have, would be a physical item you possess, such as a smartcard. Something you are, would be a personal characteristic of you, not a piece of information you know.

Biometrics devices use physical characteristics to identify the user.
Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 18

The RBAC model allows a user to act in a certain predetermined manner based on the role the user holds in the organization. Users can be assigned certain roles system wide.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12

A common authentication technique whereby an individual is prompted (the challenge) to provide some private information (the response). Most security systems that rely on smart cards are based on challenge-response. A user is given a code (the challenge) which he or she enters into the smart card. The smart card then displays a new code (the response) that the user can present to log in. Reference: http://www.webopedia.com/TERM/C/challenge_response.html

This question is asking about the access control model where users are assigned access rights based on their function within the organization. This is a feature of Role Based Access Control (RBAC). In RBAC, access rights are assigned to users based on their roles or job functions. This allows for a more organized and efficient way of managing access privileges within an organization, as users with similar roles will have similar access rights.

The given correct answer is the Multifactor authentication model. This model uses multiple factors for authentication, such as a smart card and a User ID/Password, to provide an additional layer of security when accessing network resources. By requiring multiple forms of authentication, it reduces the risk of unauthorized access and enhances the overall security of the network.

Single sign-on is a process where users can access numerous resources without needing multiple credentials. With single sign-on, users only need to authenticate once, typically using a username and password, and then they can access multiple resources or applications without having to enter their credentials again. This simplifies the authentication process for users and improves efficiency by reducing the need for multiple logins.

The correct answer is "needed to complete the task." Least privilege refers to the principle of providing users with the minimum level of access necessary to perform their job functions effectively. This approach ensures that individuals only have access to the information and resources required to complete their specific tasks, reducing the risk of unauthorized access or accidental misuse of sensitive data. By granting access based on the needs of the task, organizations can enhance security and minimize potential vulnerabilities.

Kerberos is based upon an authentication server that allocates tickets to users. This authentication method uses a trusted third-party server to authenticate users and provide them with tickets, which they can use to access various resources on a network. The tickets are encrypted and can only be decrypted by the authentication server, ensuring secure authentication.

The MAC model is a static model that uses a predefined set of access privileges to files on the system. The system administrator establishes these parameters and associates them with an account, files or resources. The MAC model can be very restrictive.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 11

Sensitivity labels are used in a Mandatory Access Control (MAC) environment to classify and control access to resources based on their sensitivity levels. These labels determine the level of access that users or processes have to certain information or objects. They are typically assigned to data or resources and are used to enforce access control policies. In a MAC environment, access decisions are based on these sensitivity labels, ensuring that only authorized users or processes with the appropriate clearance level can access certain resources.

The correct answer is the Mandatory Access Control (MAC) access control model. This model assigns sensitivity labels to users and their data, ensuring that access to resources is based on predefined security policies and rules. In MAC, access decisions are made by the system based on the labels and clearances of users and objects, rather than by the discretion of individual users or administrators (as in DAC or RBAC models).

The actual verification of a client's identity is done by validating an authenticator. The authenticator contains the client's identity and a timestamp. To insure that the authenticator is up-to-date and is not an old one that has been captured by an attacker, the timestamp in the authenticator is checked against the current time. If the timestamp is not close enough to the current time (typically within five minutes) then the authenticator is rejected as invalid. Thus, Kerberos requires your system clocks to be loosely synchronized (the default is 5 minutes, but it can be adjusted in Version 5 to be whatever you want).

Reference: http://www.faqs.org/faqs/kerberos-faq/general/section-22.html

Biometrics These technologies are becoming more reliable, and they will become widely used over the next few years. Many companies use smart cards as their primary method of access control. Implementations have been limited in many applications because of the high cost associated with these technologies. Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 265

Trojan Horse attacks - This attack involves a rogue, Trojan horse application that has been planted on an unsuspecting user's workstation. The Trojan horse waits until the user submits a valid PIN from a trusted application, thus enabling usage of the private key, and then asks the smartcard to digitally sign some rogue data. The operation completes but the user never knows that their private key was just used against their will.

Physical attacks involve physical access to hardware such as a network cable or keyboard. Social engineering attacks are based on taking advantage of human interaction rather than technology itself. (Frequently, social engineering attacks don't even require access to a computer.) There is no such thing as a "logical" attack, although many attacks do involve the use of logic to figure out how an application works and where its security vulnerabilities may be.

The DAC model allows the owner of a resource to establish privileges to the information they own. The DAC model would allow a user to share a file or use a file that someone else has shared. The DAC model establishes an ACL that identifies the users who have authorized to that information. This allows the owner to grant or revoke access to individuals or group of individuals based on the situation. This model is dynamic in nature and allows information to be shared easily between users.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12

RADIUS is a protocol for carrying authentication, authorization, and configuration information between a Network Access Server, which desires to authenticate its links and a shared Authentication Server. RADIUS uses a centralized database for simplified management. RADIUS is a standard published in RFC2138 as mentioned above.

The other protocols listed are network communication protocols, not authentication protocols responsible for carrying traffic between a NAS and an Authentication Server.

The Role Based Access Control (RBAC) access control model would be most suitable in this scenario because it allows access to be based on the roles and responsibilities of users within the organization. This means that the finance department would only have access to the personal data of staff, while the marketing department would only have access to the production data. RBAC provides a more granular and efficient way of managing access permissions based on job functions, which aligns with the specific needs of the different departments in the organization.

Reusing a ticket as a replay attack in Kerberos would not be successful because the tickets are time stamped. This means that each ticket has a specific validity period, and once that period expires, the ticket becomes invalid. Therefore, even if an attacker manages to intercept and reuse a ticket, it will be rejected by the Kerberos server due to the expired timestamp.

The DAC model allows the owner of a resource to establish privileges to the information they own. The DAC model would allow a user to share a file or use a file that someone else has shared. The DAC model establishes an ACL that identifies the users who have authorization to that information. This allows the owner to grant or revoke access to individuals or groups of individuals based on the situation. This model is dynamic in nature and allows information to be shared easily between users.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 12

Biometrics is the use of authenticating a user by scanning on of their unique physiological body parts. Just like in the movies, a user places their hand on a finger print scanner or they put their eyes against a retinal scanner. If the image matches what's on the database, it authenticates the user. Since a persons fingerprint, blood vessel print, or retinal image is unique the only way the system can authenticate is if the proper user is there. The only way an unauthorized user to get access is to physically kidnap the authorized user and force them through the system. For this reason, biometrics are the strongest (and the costliest) for of authentication.

RADIUS (Remote Authentication Dial-In User Service) lowers administration costs and increases security by having a centralized database for authenticating remote users. PAP is the simplest of authentication protocols, which uses clear text.

Access control lists enable devices in your network to ignore requests from specified users or systems, or grant certain network capabilities to them. ACLs allow a stronger set of access controls to be established in your network. The basic process of ACL control allows the administrator to design and adapt the network to deal with specific security threats.

Reference: Mike Pastore and Emmett Dulaney, Security+ Study Guide, 2nd Edition, Alameda, Sybex, 2004, p 235

Mandatory Access Control is a strict hierarchical model, first developed by governments and it is based on classifying data on importance and categorizing data by department. Users receive specific security clearances to access this data. For instance, the most important piece of data would have the highest classification, where only the President would of that department would have access; while the least important resources would be classified at the bottom where everyone in the organization including the janitors could access it.

Explanation: Ensuring the least privilege requires identifying what the user's job is, determining the minimum set of privileges required to perform that job, and restricting the user to a domain with those privileges and nothing more. By denying to subjects transactions that are not necessary for the performance of their duties, those denied privileges couldn't be used to circumvent the organizational security policy. Although the concept of least privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system administrator. Through the use of RBAC (role based access control), enforced minimum privileges for general system users can be easily achieved.

All logs collected are used in the active and passive monitoring process. All logs are kept on archive for a period of time, called a retention period. This period of time will be determined by your company policies. This allows the use of logs for regular audits, and annual audits if retention is longer then a year. Logs must be secured to prevent modification, deletion, and destruction.

Administrator preference is often used to determine certain things like how long logs are retained ... but since these decisions can affect the ability of the company to go back and research potential security issues, it is a corporate issue that should be governed by a deliberate policy statement.

MTTF and MTTR are not relevant to setting the time for which logs will be retained. MTTF (Mean Time To Failure, sometimes called MTBF, Mean Time Before Failure) is related to the average amount of time a piece of equipment will be in service before it fails. MTTR (Mean Time To Repair) is a measure of how long it will take to repair the equipment when it fails.

A performance baseline is a reference point that represents the normal behavior and performance of a system. By establishing a baseline, any deviations from the normal performance can be easily identified. In the context of security, detecting performance anomalies can be a strong indicator of a security breach. Unusual spikes or drops in performance could be a result of malicious activities or unauthorized access. Therefore, a performance baseline is most useful for detecting such anomalies and identifying potential security breaches.

not-available-via-ai

Mutual authentication is the method that should be used to ensure that both the user and the server authenticate each other. In mutual authentication, the user presents their credentials to the server, and the server also presents its credentials to the user. This ensures that both parties can verify the identity of each other, preventing unauthorized access and ensuring a secure connection.

MAC is the acronym for Mandatory Access Control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

In MAC, subjects (such as users) are each assigned a clearance (such as "secret" or "top secret"). Objects (containers for information, such as files) are assigned a sensitivity (classification, similar to clearance). When determining whether or not to grant a subject access to an object, the requesting subject's clearance is compared with the sensitivity of the object, and if the clearance is at or higher than the object's sensitivity level, access is granted. Therefore, a clearance functions as a privilege.

Passwords should be easy to memorize, because that minimizes the chance that users will write the password down somewhere that others could see it.

Passwords should not be the same as the user ID, because that is one of the common passwords that common "password cracker" programs try, when attempting to discover passwords for accounts. Passwords must be changed at least once every 60 days (depending on your environment). Password aging or expiration must be enforced on all systems. Upon password expiration, if the password is not changed, only three grace logins must be allowed then the account must be disable until reset by an administrator or the help desk. Password reuse is not allowed (rotating passwords).

The presence of an undocumented login that does not require authentication against the domain poses a security issue as it can be exploited as a backdoor into the company's databases. This means that unauthorized individuals could potentially gain access to sensitive company information without going through the proper authentication process. This undermines the security measures put in place and increases the risk of data breaches or unauthorized access to confidential information.

Mandatory Access Control (MAC) is an access control mechanism that uses security labels assigned to data items and users to enforce access restrictions. It ensures that access to resources is granted or denied based on predefined security policies and rules. MAC is different from other access control models like Role Based Access Control (RBAC), Discretionary Access Control (DAC), and List Based Access Control (LBAC) as it relies on labels rather than roles, user discretion, or lists to determine access privileges.

Single Sign-on (SSO) is an authentication system where a unique username and password are used to access multiple systems within a company. With SSO, users only need to log in once and they are granted access to all authorized systems and applications without the need to re-enter their credentials. This improves user experience and productivity by eliminating the need to remember and manage multiple usernames and passwords for different systems. SSO also enhances security by centralizing authentication and allowing for better control and monitoring of user access across the company's systems.

The word lattice is used to describe the upper and lower level bounds of a user' access permission.

The correct answer is 65,535. TCP/IP has a 16-bit field for port numbers, allowing for a maximum of 65,535 ports. These ports are used for various network services and applications. Scanning, exploiting, or attacking these ports can potentially compromise the security of a system or network. Therefore, all 65,535 ports are vulnerable to being scanned, exploited, or attacked.

Network-based IDSs cannot analyze encrypted information. This problem is increasing as more organizations (and attackers) use virtual private networks. Most network-based IDSs cannot tell whether or not an attack was successful; they can only discern that an attack was initiated. This means that after a network-based IDS detects an attack, administrators must manually investigate each attacked host to determine whether it was indeed penetrated.

not-available-via-ai

A self service password reset is a system where if an individual user forgets their password, they can reset it on their own (usually by answering a secret question on a web prompt, then receiving a new temporary password on a pre-specified email address) without having to call the help desk. For a system with many users, this will significantly reduce the help desk call volume.

CHAP performs the handshake process when first establishing a connection; and then at random intervals during the transaction session.

Discretionary access controls can extend beyond limiting which subjects can gain what type of access to which objects. Administrators can limit access to certain times of day or days of the week. Typically, the period during which access would be permitted is 9 a.m. to 5 p.m. Monday through Friday. Such a limitation is designed to ensure that access takes place only when supervisory personnel are present, to discourage unauthorized use of data. Further, subjects' rights to access might be suspended when they are on vacation or leave of absence. When subjects leave an organization altogether, their rights must be terminated rather than merely suspended. Under this type of control, the owner determines who has access and what privilege they have.

If the end users of resources had control of who had access and what privileges they have, they would be able to access any resource, because they'd have the ability to change access controls at will. If only the administrators controlled access to resources, it would be a major job duty (as well as a bureaucratic bottleneck for users) that would take time away from other administrative activities.

Access controls that are not based on the policy are characterized as discretionary controls by the U.S. government and as need-to-know controls by other organizations. The latter term connotes least privilege - those who may read an item of data are precisely those whose tasks entail the need.

Mandatory controls are based on policy. Secret controls and corrective controls are not related to access control.

MAC is the acronym for Mandatory Access Control. It is important to note that mandatory controls are prohibitive (i.e., all that is not expressly permitted is forbidden), not permissive. Only within that context do discretionary controls operate, prohibiting still more access with the same exclusionary principle. In this type of control system decisions are based on privilege (clearance) of subject (user) and sensitivity (classification) of object (file). It requires labeling.

Under MAC, you define who is allowed to access objects, and if you haven't defined an access right, access is not permitted. So, it is not the case that All that is expressly permitted is forbidden, or that All that is not expressly permitted is not forbidden