Pen used to do a practice exam.

Domain 4 Quiz

  1. Jenny can unlock her work mobile phone by drawing a pattern on the screen with her finger. This mode of authentication verifies:
    1. Something you know
    2. Something you have
    3. Something you are
    4. Something you do
    5. Somewhere you are
    Yes, she has to know what to draw, but let's say she knows she's to draw the digit 4. Each of us would have our own way of drawing that. The test is how she draws it. And she has to have the phone. Ultimate answer: This is what CompTIA wants you to say for drawing a pattern.
  2. To enter the server room Joe must pass through a mantrap, entering a PIN on a keypad at the outer door, entering the mantrap and closing the door behind him, swiping his badge on the reader, then typing a password into a keyboard by the inner door. How many factors is this?
    1. 1
    2. 2
    3. 3
    4. 4
    PIN = know, badge = have, password = know. The thing he knows is split into two parts, one called PIN and the other password.
  3. To enter the server room Joe must be recognized by the guard, enter a PIN on the keypad, and place his hand on a scanner. How many factors is this?
    1. 1
    2. 2
    3. 3
    4. 4
    Recognized = is (his face), PIN = know, hand scan = is. The thing he is has been considered in two parts, his face and his hand.
  4. To enter the server room Joe must be recognized by the guard, show the guard his badge, and enter a PIN on the keypad. How many factors is this?
    1. 1
    2. 2
    3. 3
    4. 4
    Recognized = is, badge = has, PIN = know. The question doesn't say anything about his picture being on the badge.
  5. Joe has been given a Post-It note with a PIN written on it. To enter the server room he must be recognized by the guard, tell the guard the passphrase of the day, and enter the PIN on the keypad. How many factors is this?
    1. 1
    2. 2
    3. 3
    4. 4
    Recognized = is, passphrase = know, PIN = know. Yes, the PIN is written on a Post-It note, but that doesn't make the note a thing he has to have. Obviously he's supposed to memorize the PIN.
  6. Yoyodyne Corporation plans to use Active Directory for single sign-on throughout the enterprise. Which network protocols must be added to the ALLOW list in all internal router ACLs? Select two.
    1. LDAP
    2. LDAPS
    3. Kerberos
    4. X.500
    Active Directory is the combination of DNS, LDAP, and Kerberos, plus a shared back-end database. But given the choice of an insecure and a secure version of the same protocol, always select the secure one. The LDAP interface allows clients to interact with an X.500 database, but X.500 itself isn't a protocol on the network.
  7. Dmitri's company wants to establish SSO. The initial analysis concluded that they need a system that handles both authentication and authorization with tokens. Dmitri has concluded that the protocol used by Facebook and LinkedIn is the most promising. He is favoring:
    1. SAML
    2. OAUTH
    3. OpenID
    4. WS-Federation
    5. Shibboleth
    OAUTH is the answer when social media is involved. OpenID has similar capability and operation, and would be used across the Internet, but the user gets an OpenID token from some place that isn't social media or intentionally working like social media. SAML and WS-Federation are much more business-like: A cloud-based identity provider like Okta, Oracle, or one of the "Big Three" of AWS, Google, and Microsoft, is paid by the corporation to provide identity services for personnel. Shibboleth works much like SAML but is found mostly in academic settings. Rather than pay big money to a cloud provider, someone involved says "We'll do this with a free software package and some effort by our skilled personnel."
  8. Kristina works at a financial services firm that suffered a major breach. They have implemented a centralized AAA system regulating access to the Intranet. After proving their identity with a smart card and a complex passphrase, users are connected to the appropriate VLAN. Internal services are only provided to user sessions holding valid service tickets. Intranet activity records are continuously analyzed to detect inappropriate or malicious activity. Identify this latter activity.
    1. Identification
    2. Authentication
    3. Authorization
    4. Auditing
    Many questions have a lot of distracting content. This question is really no more than "What is the name for monitoring activity?"
  9. Pedro's manager has been given a recommendation that they implement a single-sign on solution in which user sessions will have cryptographic software tokens providing their identity, their authorization to use services, and the cryptographic keys used to secure their communication. What should Pedro recommend?
    1. Kerberos
    2. RADIUS
    3. SAML
    4. VPN
    The Kerberos TGT proves their identity. A service ticket specifies the symmetric key for that user communicating with that service — it isn't exactly authorization as most people use Kerberos, but it's close enough. This certainly isn't RADIUS, SAML, or a VPN.
  10. Mikhail, a system administrator, has been asked by Kelli, a database administrator, to create an account for the new database project. The account should require authenticated access, have auditing enabled, be incapable of interaction, and have credentials that rarely if ever change. What type of account should Mikhail create?
    1. Ordinary user
    2. Privileged user
    3. Administrator
    4. Guest
    5. Service
    6. Management
    The list of four attributes must all be true. "Incapable of interaction" is unusual, and it eliminates the first four choices. This account will own database tables and processes, but will never be used interactively. It's similar to the user apache or nginx owning the web service configuration file, logs, and web service processes. The question is really: "What do we call these types of accounts, service or management?"
  11. Which password policy setting would require a user to include both digits and special characters in their password?
    1. Prohibiting dictionary words
    2. Length
    3. Complexity
    4. Maximum age
    5. Minimum age
    6. Expiration
    7. Length
    The usual concept is "character classes" — lower-case, upper-case, digits, and other or special. Requiring a mix of classes is complexity. Random numbers would not be in the dictionary, but they would be all-digit strings.
  12. Akira authenticates with a device that displays a different value every minute. What is this an example of?
    1. Multi-factor
    2. OTP
    3. HOTP
    4. TOTP
    Many people will say "multi-factor" because they're assuming that this is in addition to a password, but the question only mentions the token. TOTP is a time-based one-time password. Yes, it will actually involve hashing within the token, but HOTP, or hash-based one-time password, implies something like repeated hashing.
  13. Kerberos provides which three of the following? Select three.
    1. Network intrusion detection
    2. ESSO
    3. Cryptographic key control
    4. Log analysis and alerting
    5. An API supporting third-party applications
    6. A "single pane of glass" dashboard
    Applications written to use Kerberos capabilities are said to be "Kerberized".
  14. Functional SSO must incorporate which of the following?
    1. Active Directory
    2. RADIUS
    3. Federated identity management
    4. Kerberos
    Single sign-on requires federated identities. You could do that with Kerberos alone, or with AD which contains Kerberos.
  15. Which of these is an XML-based open-source standard that involves an IdP or Identity Provider, an SP or Service Provider, and a Principal, and is the basis for several other authentication systems?
    1. SAML
    2. OAUTH
    3. OpenID
    4. Shibboleth
    5. WS-Federation
  16. A military contractor is very worried about physical intrusion. They need to keep unauthorized individuals out of sensitive areas. Inappropriately allowing an unauthorized individual into an area is classified as which of the following:
    1. False Acceptance
    2. False Rejection
    3. False Positive
    4. False Negative
    5. Fail Open
    6. Fail Closed
    The first two are commonly considered with biometrics, where there is no precisely correct input and the system must decide "close enough". The middle two are associated with automated decision making like virus detection and vulnerability detection. The last two have to do with the behavior during failure or other unexpected situations; automatic locking doors should fail open when the fire alarm is sounding, to protect life and safety.
  17. Which of these is an open-source standards-based solution for single sign-on web authentication, based largely on SAML?
    1. OAUTH
    2. OpenID
    3. EAP-TLS
    4. Shibboleth
    5. WS-Federation
    SAML and WS-Federation are corporate solutions. Shibboleth is very similar to SAML, but is used largely in academic settings.
  18. Mutual authentication involves which two? Select two.
    1. Client authenticating the server
    2. Client authorizing the server
    3. Server authenticating the client
    4. Server authorizing the client
    For example, you can only connect in to work using your laptop that has a work certificate installed.

Passing = 82% of 18 = 14.8

Goal = 91% of 18 = 16.4