Lesson 8: Implementing Identity and Account Management Controls

1. Which statement best describes the purpose of an acceptable use policy (AUP)?
A. An AUP governs how employees may use company equipment and internet
services.
B. An AUP establishes ethical standards for employee behavior.
C. An AUP communicates a company’s values and expectations to its employees
and customers.
D. An AUP defines security roles and training requirements for different types of
employees.
2. A member of the IT team at a company launches a simulated phishing
attack email to users across the organization. Which of these statements
most accurately describes the purpose of such an attack?
A. The attack simulated an insider attack and alerted other members of the IT
team to the presence of an attack.
B. The attack is a bug bounty, which identifies individuals in the organization
who recognize the attack, who then make attempts to enhance security.
C. The attack identifies those users who respond to the phishing attempt as
individuals who may require more training.
D. The attack prepares users for upcoming training, with users who respond
appropriately, designated as teachers.
3. Which of the following methods allows subjects to determine who has
access to their objects?
A. RBAC
B. DAC
C. MAC
D. ABAC
4. Consider the role trust plays in federated identity management and
determine which models rely on networks to establish trust
relationships. (Select all that apply.)
A. SAML
B. OAuth
C. OpenID
D. LDAP
5. Many Internet companies, such as Google and Facebook, allow users to
share a single set of credentials between multiple service providers. For
example, a user could log in to Amazon using their Facebook credentials.
Which term correctly defines this example?
A. Federation
B. Single sign-on
C. Permission
D. Access control
6. A network administrator regularly reviews group membership and access
control lists for each resource. The administrator also looks for
unnecessary accounts to disable. What is the administrator executing in
this situation?
A. Recertification
B. Logging
C. Permission auditing
D. Usage auditing
7. A Windows systems administrator needs to grant the users in the finance
department read-only access to a folder named 'Invoices.' What
would be the proper and most manageable way to go about granting this
access?
A. Add the security group 'Finance' to the NTFS permissions with 'Read' rights.
B. Add each user account in the finance department to the NTFS permissions
with 'Read' rights.
C. Add the security group 'Finance' to the NTFS permissions with 'Modify' rights.
D. Add each user account in the finance department to the NTFS permissions
with 'Modify' rights.
8. Examine the tradeoff between traditional password policy complexity
requirements and updated practical suggestions from the National Institute
of Standards and Technology (NIST) and select the statement that fits both
practical password management and traditional complexity requirements.
A. Passwords should be easy to remember and can include spaces and repetitive
strings of numbers (like 987654).
B. Passwords should be easy to remember, but should never use spaces.
C. Passwords should be written in plain text in a common password repository
held secure by an IT staff member.
D. Passwords should not contain dictionary words or contextual information,
such as a username or the company name.
9. Which type of employee training utilizes gamification and/or
scenario-based techniques to emphasize training objectives? (Select all that
apply.)
A. Capture the flag (CTF)
B. Computer-based training (CBT)
C. User-based Testing
D. Role-based training
10. A system administrator has configured a security log to record unexpected
behavior and review the logs for suspicious activity. Consider various
types of audits to determine which type aligns with this activity.
A. Permission auditing
B. Usage auditing
C. Information security audit
D. Compliance audit
11. An employee arrives at the office, logs in to the company network, and
uses a YubiKey to authenticate. Upon authenticating, the employee can
move within approved applications throughout the day without requiring
additional authentication. What policy is best illustrated by this scenario?
A. Least privilege
B. Implicit deny
C. Single Sign-On (SSO)
D. Access key
12. A company's clean desk policy will most likely feature which of the
following clauses?
A. Employees must not use multiple tabs in a browser window.
B. Employees must keep their workplace tidy and professional in appearance.
C. Employees may not use personally-owned electronic devices in the office.
D. Employees must not leave documents unattended in their workspace.
13. An employee is working on a team to build a directory of systems they are
installing in a classroom. The team is using the Lightweight Directory
Access Protocol (LDAP) to update the X.500 directory. Utilizing the
standards of an X.500 directory, which of the following distinguished
names is the employee most likely to recommend?
A. OU=Univ,DC=local,CN=user,CN=system1
B. CN=system1,CN=user,OU=Univ,DC=local
C. CN=user,DC=local,OU=Univ,CN=system1
D. DC=system1,OU=Univ,CN=user,DC=local
14. A cyber team is tasked with reviewing the organization’s end-user policies
for employees after critical information was found on a public GitHub
repository. What conduct policy protects the organization from the security
and legal implications of employees misusing company assets?
A. Code of Conduct
B. Clean Desk
C. Capture the Flag
D. Acceptable Use Policy
15. A senior administrator is teaching a new technician how to properly
develop a standard naming convention in Active Directory (AD). Examine
the following responses and determine which statements are sound advice
for completing this task. (Select all that apply.)
A. Create as many root-level containers and nest containers as deeply as needed
B. Consider grouping Organizational Units (OU) by location or department
C. Build groups based on department, and keep all accounts, both standard and
administrative, in the same group
D. Within each root-level Organizational Unit (OU), use separate child OUs for
different types of objects
16. Analyze the following scenarios and determine which cases call for
account disablement over account lockout. (Select all that apply.)
A. Audit logs reveal suspicious activity on a privileged user’s account.
B. A user’s company laptop and key fob are stolen at an airport.
C. A user enters an incorrect password multiple times.
D. A privileged user attempts to log onto a company server outside of authorized
hours.
17. Analyze and compare the access control models in terms of how Access
Control Lists (ACL) are written and determine which statement accurately
explains the Discretionary Access Control (DAC) model.
A. A DAC model is the most flexible and weakest access control model.
Administrative accounts have control of the resource and grants rights to
others.
B. A DAC model is the least flexible and strongest access control model. The
owner has full control over the resource and grants rights to others.
C. A DAC model is the least flexible and strongest access control model.
Administrative accounts have control of the resource and grant rights to
others.
D. A DAC model is the most flexible and weakest access control model. The
owner has full control over the resource and grants rights to others.
18. An employee recently retired, and the employee received an exit interview,
returned a company-issued laptop, and had company-specific programs
and applications removed from a personal PC. Evaluate this employee’s
offboarding process and determine what, if anything, remains to be done.
A. The offboarding process is complete; no further action is necessary.
B. IT needs to disable the employee’s user account and privileges.
C. IT needs to delete any company data encrypted with the employee’s key.
D. The employee must sign a nondisclosure agreement (NDA).
19. What are the most common baseline account and password policies that
system administrators implement? (Select all that apply.)
A. Use upper- and lower-case letters, numbers, and special characters for
passwords.
B. Set an account lockout policy.
C. Disable enforcement of a password history policy for unique passwords.
D. Use a shared account for administrative work on the network.
20. Consider the challenges with providing privileged management and
authorization on an enterprise network. Which of the following would the
network system administrator NOT be concerned with when configuring
directory services?
A. Confidentiality
B. Integrity
C. Non-repudiation
D. DoS
21. Windows has several service account types, typically used to run
processes and background services. Which of the following statements
about service accounts is FALSE?
A. The Network service account and the Local service account have the same
privileges as the standard user account.
B. Any process created using the system account will have full privileges over
the local computer.
C. The Local service account creates the host processes and starts Windows
before the user logs on.
D. The Local service account can only access network resources as an
anonymous user.

1. A

An AUP governs employees' use of company equipment and Internet
services. AUPs protect an organization from the security and legal
implications of employees misusing its equipment.

A code of conduct outlines professional behavior based on ethical standards,
such as honesty and fairness.

Some professions may have developed codes of ethics to cover difficult
situations; some businesses may also have a code of ethics to communicate
the values they expect their employees to practice.

2. C

Unless the phishing email is part of a penetration test, other members of the
IT team likely know a member of their team is sending a simulated phishing
email.

A bug bounty is a program operated by a software vendor or website operator
where individuals receive rewards for reporting vulnerabilities. While
contractors may perform pen tests on a contractual basis, a bug bounty
program is a way of crowdsourcing vulnerability detection.

A phishing campaign training event means sending simulated phishing
messages to users. This allows IT to target those users who respond to the
messages for follow-up training.

Untrained users represent a serious vulnerability because they are
susceptible to social engineering and malware attacks, such as phishing
attempts.

3. B

Discretionary Access Control (DAC) is not rule-based. DAC stresses the
importance of the owner, who has full control over resources and can modify
the Access Control List to grant rights to others.

Role-Based Access Control (RBAC) uses a user’s organizational role as the
rule by which the system assigns rights, rather than assigning rights to the
user directly.

Mandatory Access Control (MAC) uses a security clearance level as the rule
to determine a user’s rights.

Attribute-Based Access Control (ABAC) uses a combination of subject and
object attributes, along with any context-sensitive or system-wide attributes,
as the rule administrators apply when assigning rights. These could include
group/role memberships, information about the current OS, the IP address, or
the presence of up-to-date patches and anti-malware.

4. ABC

Security Assertion Markup Language (SAML) is an identity federation format used to
exchange authentication information between the principal, the service provider, and
the identity provider.

Authentication and authorization for a RESTful API is often implemented using the
Open Authorization (OAuth) protocol.

OpenID is an identity federation method that lets users authenticate to cooperating
websites through a third-party authentication service.

Lightweight Directory Access Protocol (LDAP) is not an identity federation method. It is a
network protocol used to access network directory databases storing information
about authorized users and their privileges, as well as other organizational
information.

5. A

Federation means the company trusts the accounts created and managed by a different
network. The networks establish trust relationships, so the identity of a user
(principal) from network A (the identity provider) can be trusted as authentic by network
B (the service provider).

Single sign-on (SSO) means a user authenticates to a system once to access all the
resources to which the system has granted rights. This is not an example of a trust
relationship.

Permission is a security setting, not a trust relationship. It controls access to objects,
including file system items and network resources.

Access control is the process of determining and assigning privileges to resources,
objects, and data. It does not involve a trust relationship.

6. C

The administrator is performing permission auditing, which involves the regular review
of privileges such as group membership and the access control lists for each resource,
plus identifying and disabling unnecessary accounts.

Recertification is a security control where an administrator audits user access privileges
to ensure they are accurate and adhere to relevant standards and regulations. A resource
or user change triggers recertification.

Logging is an automated process of capturing data to provide information on the use
of a system or website, alert on any unusual or suspicious behavior, and audit changes
made to pages and settings.

Usage auditing means configuring the security log to record key indicators, then
reviewing the logs for suspicious activity. This process does not involve reviewing
user privileges.

7. A

Adding the security group 'Finance' with 'Read' permissions to the Invoices folder will
allow any user that is added to the Finance group to access the folder with the proper
read-only permissions.

Adding individual user accounts with 'Read' permissions to the Invoices folder will
grant the proper permissions, but this is not as manageable. Adding and removing
individual user accounts will prove a tedious administrative task in the long run.

Adding the security group 'Finance' with 'Modify' permissions to the Invoices folder
will allow any user that is added to the Finance group to access the folder, but will
also allow the users to modify any files, which does not meet the requirements.

Adding individual user accounts with 'Modify' permissions to the Invoices folder will
grant users more access than is required. Adding and removing individual user
accounts will also prove a tedious administrative task in the long run.

8. D

Traditional password complexity rules (that is, no use of the username within
the password, and a combination of at least eight characters mixing upper- and
lower-case letters, numbers, and non-alphanumeric characters) often result in
users writing down passwords. NIST recommends only blocking common passwords,
such as dictionary words, repetitive strings (like 12345678), and contextual
information.

NIST recommends allowing users to choose a password (or other memorized
secret) of between 8 and 64 ASCII or Unicode characters, including spaces.

IT should not centrally store plaintext passwords. IT administrators do not
need to know users’ plaintext passwords.

Users should avoid using dictionary words, strings found in breach databases,
and strings that repeat contextual information, such as the username or company
name.
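The checks this explanation describes (8 to 64 characters, spaces and Unicode allowed, no required character classes, but common or repetitive strings and contextual information blocked), as an added Python example that is not part of the original answer key. The blocklist, the username and the organization name are constructed sample values.

```python
import unicodedata

# Constructed sample blocklist standing in for the "common passwords / breach
# corpus" list that NIST wants checked. It is not a real corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}
MIN_LEN, MAX_LEN = 8, 64           # the 8-to-64 character range from the page


def _is_repetitive_or_sequential(s: str) -> bool:
    """Catch runs such as 'aaaaaaaa', '12345678' or '987654'."""
    if len(s) > 1 and len(set(s)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    # One constant step of +1 or -1 across the whole string is a straight run.
    return len(steps) == 1 and steps.pop() in (1, -1)


def check_memorized_secret(secret: str, username: str, org_names):
    """Return a list of policy violations; an empty list means accepted.

    Spaces and non-ASCII characters are allowed and no complexity classes are
    required, matching the practical NIST guidance described above.
    """
    # Normalize first so length is counted in the characters the user typed.
    normalized = unicodedata.normalize("NFKC", secret)
    reasons = []

    if len(normalized) < MIN_LEN:
        reasons.append("too_short")
    if len(normalized) > MAX_LEN:
        reasons.append("too_long")

    folded = normalized.casefold()
    if folded in COMMON_PASSWORDS:
        reasons.append("common_password")
    if _is_repetitive_or_sequential(normalized):
        reasons.append("repetitive_or_sequential")

    # Contextual information: the username or any organization name embedded
    # in the secret, compared case-insensitively (very short tokens skipped).
    context = [username, *org_names]
    if any(len(t) >= 3 and t.casefold() in folded for t in context):
        reasons.append("contextual_information")

    return reasons


if __name__ == "__main__":
    # Constructed candidates; 'vivian' and 'Contoso' are sample context values.
    for candidate in ["987654", "Welcome1", "Vivian-rules-2024",
                      "correct horse battery staple"]:
        result = check_memorized_secret(candidate, "vivian", ["Contoso"])
        print(f"{candidate!r}: {result or 'accepted'}")
```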

9. AB

Capture the Flag (CTF) is usually used in ethical hacker training programs and
gamified competitions. Participants complete a series of challenges within a
virtualized computing environment to discover a flag that represents a vulnerability or
attack to overcome.

Computer-based training (CBT) allows a student to acquire skills and experience by
completing practical simulations or branching choice scenarios. CBT might use video
game elements to improve engagement.

User-based training consists of training in which all users of certain systems and
accesses are trained equally on holistic concepts.

Staff training should focus on user roles, which require different levels of security
training, education, or awareness.

10. B

Usage auditing refers to configuring the security log to record key indicators and then
reviewing the logs for suspicious activity. Behavior recorded by event logs that differs
from expected behavior may indicate everything from a minor security infraction to a
major incident.

The systems administrator puts in place permission auditing to review privileges
regularly. This includes monitoring group membership and access control lists for
each resource plus identifying and disabling unnecessary accounts.

An information security audit measures how the organization's security policy is
applied and determines how secure the audited network or site is.

A compliance audit reviews a company's policies and procedures and determines if it
is in compliance with regulatory guidelines.

11. C

This company is using a Single Sign-On (SSO) policy. This means that a user only
has to authenticate to a system once to gain access to all the resources to which the
system has granted the user rights. An example is a user who authenticates to
Windows and is thereby also authenticated to the Windows domain's SQL Server and
Exchange Server services.

Least privilege means that the system grants rights necessary for users to perform
their job and no more.

Implicit deny is the foundation of a system's access control. This means that unless
there is a rule specifying that a system grants access to a user, the system will deny
any access request.

The system generates an access key for a user when the user supplies authentication
data. The system compares it with the server's security database, and both must match.
The server security service generates the access key.

12. D

A clean desk policy means that each employee's work area should be free
from any documents left there. The policy aims to prevent sensitive
information from being obtained by unauthorized staff or guests at the
workplace.

A clean desk policy pertains to a user’s physical workspace, rather than a
virtual workspace, such as a web browser.

The purpose of a clean desk policy is to reduce the chances of compromising
sensitive information.

Some companies may try to prevent staff from bringing personal devices on
site, because such devices represent a data exfiltration risk. When connected
to an enterprise system, personal electronic devices pose security
complications.

13. B

A distinguished name is a unique identifier for any given resource within an
X.500-like directory and is made up of attribute=value pairs, separated by commas. The
most specific attribute is listed first, and successive attributes become progressively
broader.

Also referred to as the relative distinguished name, the most specific attribute (in this
case, system1) uniquely identifies the object within the context of the successive
attribute values.

The directory schema describes the types of attributes, what information they contain,
and the way attributes define object types. Some of the attributes commonly used
include Common Name (CN), Organizational Unit (OU), Organization (O), Country
(C), and Domain Component (DC).

In this scenario, CN=system1 is the Common Name, CN=user is the broader
common name, OU=Univ is the Organizational Unit, and DC=local is the Domain
Component. This goes in order from the specific system to the broadest Domain
Component.
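The ordering rule described above (most specific attribute first, broadening toward the domain component), as an added Python example that is not part of the original answer key: it parses a DN into its attribute=value pairs, splits off the relative distinguished name, and applies the rule to the four options from question 13. The attribute ranks and the handling of escaped commas are assumptions of this example, not something the lesson states.

```python
import re

# How "broad" each attribute type is; lower = more specific. CN names one
# object, OU groups objects, O is the organization, and DC (domain component)
# or C (country) is the broadest part of the name. Assumed ranking.
ATTRIBUTE_RANK = {"CN": 0, "OU": 1, "O": 2, "DC": 3, "C": 3}


def parse_dn(dn: str):
    """Split a DN into (attribute, value) pairs, most specific first.

    Only the backslash-escaped comma (RFC 4514 style, e.g. 'Smith\\, John')
    is handled as an escape; other escape forms are out of scope here.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):      # split on unescaped commas
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        attr = attr.strip().upper()
        if attr not in ATTRIBUTE_RANK:
            raise ValueError(f"unknown attribute type: {attr!r}")
        rdns.append((attr, value.strip().replace("\\,", ",")))
    return rdns


def _format_rdn(attr: str, value: str) -> str:
    return attr + "=" + value.replace(",", "\\,")


def relative_dn(dn: str):
    """Return the RDN (leftmost pair) and the parent DN as a string."""
    rdns = parse_dn(dn)
    return rdns[0], ",".join(_format_rdn(a, v) for a, v in rdns[1:])


def is_well_ordered(dn: str) -> bool:
    """True when attribute types get broader (never narrower) left to right."""
    try:
        ranks = [ATTRIBUTE_RANK[a] for a, _ in parse_dn(dn)]
    except ValueError:
        return False
    return all(a <= b for a, b in zip(ranks, ranks[1:]))


# The four answer options from question 13, keyed by letter.
OPTIONS = {
    "A": "OU=Univ,DC=local,CN=user,CN=system1",
    "B": "CN=system1,CN=user,OU=Univ,DC=local",
    "C": "CN=user,DC=local,OU=Univ,CN=system1",
    "D": "DC=system1,OU=Univ,CN=user,DC=local",
}


def well_ordered_options(options=OPTIONS):
    """Letters of the options whose attributes broaden left to right."""
    return sorted(k for k, dn in options.items() if is_well_ordered(dn))


if __name__ == "__main__":
    for letter, dn in OPTIONS.items():
        print(f"{letter}: {dn} -> {'ok' if is_well_ordered(dn) else 'misordered'}")
    print("RDN and parent:", relative_dn(OPTIONS["B"]))
```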

14. D

Enforcing an acceptable use policy (AUP) is important to protect the
organization from the security and legal implications of employees misusing
its equipment.

A code of conduct, or rules of behavior, sets out expected professional
standards, such as rules for employees' use of social media and file sharing,
which pose substantial risks to the organization, including the threat of virus
infection or systems intrusion.

A clean desk policy means that each employee's work area should be free
from any documents left there.

Capture the Flag (CTF) is a training technique typically used in ethical hacker
training programs and gamified competitions, not a personnel policy.

15. BD

Organizational Units (OUs) represent administrative boundaries. They allow the
enterprise administrator to delegate administrative responsibility for users and
resources in different locations or departments. Grouping OUs by location will be
sufficient if different IT departments are responsible for services in different
geographic locations. Grouping OUs by department is more applicable if different IT
departments are responsible for supporting different business functions.

Within each root-level parent OU, use separate child OUs for different types of
objects, such as servers, client systems, users, and groups. Be consistent.

Do not create too many root-level containers or nest containers too deeply. Nesting
should not go more than five levels deep.

Separate administrative user and group accounts from standard ones.

16. AB

If an administrator detects or suspects account misuse, they can manually disable
the account, preventing it from being used for login. A remote logoff
command can end a session in progress.

Smart cards or USB keys can store a user's certificate and private key, which
can authenticate to different PCs and mobile devices. A stolen laptop and key
together represent a vulnerability.

An account enters a locked state because of a policy violation, such as
entering an incorrect password. Lockouts usually occur for a limited duration.

A time-of-day policy establishes authorized logon hours for an account.
Time- and location-based policies prevent users from logging in outside of
authorized hours and locales.

17. D

In DAC, the owner has full control over the resource, meaning that he or she
can modify its ACL to grant rights to others. DAC is the most flexible and
weakest access control model.

With DAC, decision-making lies with the resource owner. In rule-based
access control and mandatory access control (MAC), it lies with the system
owner (that is, the controls are enforced system-wide and cannot be
countermanded or accepted by users "within" the system).

DAC is the easiest model to compromise, as it is vulnerable to insider threats
and abuse of compromised accounts.

Attribute-based access control (ABAC) is a fine-grained, strong access control
mechanism, making access decisions based on a combination of subject,
object, and context-sensitive or system-wide attributes.

18. B

An exit interview (or offboarding) is the process of ensuring that an employee leaves
a company gracefully and that company assets remain secure.

When an employee leaves, proper account management involves disabling the user’s
account and privileges.

When IT disables an employee’s account, any information assets created or managed
by the employee, but owned by the company, must still be accessible in terms of
encryption keys or password-protected files.

Employee contracts might incorporate the terms of a nondisclosure agreement (NDA),
or the NDA could be a separate document. This is generally part of the onboarding
process.

19. AB

A password complexity requirement is a baseline account policy commonly
enforced in a domain network. It requires the use of upper- and lower-case
letters, numbers, and special characters for passwords to make password
guessing difficult.

An account lockout policy is a common account policy enforced to prevent
further attempts to use an account after repeated password failures, for
example. An administrator can set a specific threshold of failed login attempts
that will lock the account for a specified length of time once the failed attempt
threshold is reached.

A password history policy is commonly enforced in a domain network. It
prevents a user from reusing a recent password; a Windows domain can remember
up to 24 previously used passwords.

Using a shared account, especially for administrative work, goes against
security best practices. Use individual accounts for accountability.

20. D

Denial of Service (DoS) is a network-based attack that consumes the
network's bandwidth. It could impact a directory service, but it is more of a
network concern than a concern when configuring a directory service.

Confidentiality of the information on the network (read access) is a concern. A
user may be able to see a file but not read it.

The integrity of the information on the network (write access) is also a
concern. Only users who have write access are able to modify a file.

Non-repudiation means a subject cannot deny doing something, such as
creating, modifying, or sending a resource. It is a consideration for managing
privileges and authorization.

21. C

The System account, not the Local Service account, creates the host
processes that start Windows before the user logs on.

The Network Service account and the Local Service account have the same
privileges as the standard user account. Standard users have limited
privileges, typically able to run programs and to create and modify only files
belonging to their own profile.

Any process created using the System account will have full privileges over
the local computer. The System account has the most privileges of any
Windows account.

The Local Service account can only access network resources as an
anonymous user, unlike a Network Service account. Network Service
accounts can present the computer's account credentials when accessing
network resources.
