Unit 2 - Practice Quiz

Authentication is the process of confirming that a user, device, or entity is who or what it claims to be. It answers the question, "Who are you?"

Authorization follows authentication. It is the process of giving an authenticated user permission to do something. It answers the question, "What are you allowed to do?"

A firewall acts as a barrier between a trusted internal network and an untrusted external network (like the internet), controlling the flow of traffic.

HTTPS stands for Hypertext Transfer Protocol Secure. The 'Secure' part indicates that the communication between your browser and the website is encrypted using SSL/TLS.

Provisioning is a key part of the identity lifecycle management process that involves setting up accounts and access rights for new users.

Authentication factors are categorized into what you know (e.g., password, PIN), what you have (e.g., smart card, token), and what you are (e.g., fingerprint, retina scan).

The Principle of Least Privilege (PoLP) is a fundamental concept in information security that limits user access rights to the bare minimum they need to do their work.

A DMZ is a buffer zone between the public internet and the private internal network. It hosts external-facing services like web and email servers, adding a layer of security.

A VPN establishes a secure tunnel for your data, encrypting it to protect your privacy and security when using public networks.

IAM systems provide a framework to ensure that the right people have the right access to the right resources, at the right times, and for the right reasons.

A LAN is a network that connects computers and devices within a limited geographical area, such as a home, school, or office building.

Encryption is a fundamental technique for secure communication. It scrambles data so that only authorized parties can understand the information.

MFA enhances security by requiring two or more different authentication factors. In this case, it's 'something you know' (password) and 'something you have' (the mobile app).

De-provisioning is the critical security process of revoking a user's credentials and access to systems, data, and facilities in a timely manner.

An IDS is a passive monitoring tool. It observes network traffic and logs or alerts on suspicious activity, whereas an Intrusion Prevention System (IPS) would actively block it.

By dividing a network into smaller, isolated segments, an organization can prevent an intruder who compromises one segment from easily moving to others, thus limiting the damage.

RBAC simplifies administration by managing permissions for roles (like 'Accountant' or 'Sales Rep') rather than for every single user individually.

In a modern star topology LAN, a central switch (or hub) connects all computers and network devices, allowing them to communicate with each other.

Single Sign-On is an authentication scheme that allows a user to log in with a single ID and password to gain access to multiple, independent software systems.

A digital identity is composed of various pieces of data, called attributes, that describe and uniquely identify an entity within a system.

This combination uses two distinct and strong factor types: inherence ('something you are') and knowledge ('something you know'). Biometric factors like fingerprints are generally considered stronger and harder to compromise than possession factors like tokens or SMS messages, which can be stolen or intercepted. Combining it with a complex password provides a very high level of security.

Creating a new, specific role for the temporary task is the best practice. It adheres to the principle of least privilege by granting only the exact permissions needed. It is easily revocable without affecting their permanent 'Accountant' role, and it avoids modifying a standard role (which would grant unnecessary access to all other accountants) or a high-privilege role.

This is a classic three-tier architecture design. The web server, being publicly accessible, is placed in the semi-trusted DMZ. The database, containing sensitive data, remains in the highly trusted internal network. A firewall is configured to strictly control communication, only allowing the web server to query the database, thus protecting the database from direct external attacks.

SAML is an open standard specifically designed for exchanging authentication and authorization data between an Identity Provider (like Active Directory) and a Service Provider (like Salesforce). It allows for secure web-based SSO across different security domains, which is the exact scenario described.

A WAF is purpose-built to protect web applications by filtering and monitoring HTTP/HTTPS traffic between the internet and the application. It understands web protocols deeply and can identify and block specific attack patterns like SQLi and XSS, which a traditional firewall operating at lower layers cannot.

TLS operates above the Transport Layer (Layer 4) and encrypts the application payload (e.g., HTTP data). IPsec, in Tunnel Mode, operates at the Network Layer (Layer 3). It takes the entire original IP packet (header and payload), encrypts it, and encapsulates it within a new IP packet. This hides the original source and destination IP addresses from anyone snooping on the intermediate network.

Access certification is the process of periodically reviewing and validating user access rights. Managers or data owners are required to formally attest that their subordinates' or users' permissions are still necessary and appropriate for their job roles. This systematic review helps identify and remove excessive privileges, directly countering privilege creep.

Replay attacks work by re-using a valid, captured transmission. A nonce (number used once) or a timestamp with a short validity window ensures that each authentication request is unique. The server can then reject any request with a nonce it has already seen or a timestamp that is too old, effectively preventing the captured token from being replayed successfully.

ABAC makes authorization decisions by evaluating rules against the attributes of the user, the resource, and the environment. This is far more flexible and granular than RBAC, which is based on static roles. ABAC is ideal for complex, dynamic environments where context (like location, time, or device type) is crucial for making access decisions.

The Distribution Layer serves as the crucial link between the Access Layer (where users connect) and the Core Layer (the high-speed backbone). Its main responsibilities include aggregating wiring closets, defining broadcast domains, providing routing between Virtual LANs (VLANs), and applying security policies with Access Control Lists (ACLs).

De-provisioning is the process of revoking a user's access to systems, applications, and data when their employment is terminated or their role changes. The presence of these 'orphan accounts' clearly indicates a failure in the de-provisioning workflow, as the accounts were not disabled or deleted in a timely manner.

Network segmentation divides a larger network into smaller, isolated sub-networks (segments). If an attacker compromises a host in one segment (e.g., Guest Wi-Fi), segmentation rules enforced by firewalls or ACLs will prevent them from easily moving 'laterally' to access critical resources in another segment (e.g., the Finance department servers). This containment is a core principle of defense-in-depth.

The core feature of Kerberos is its use of tickets. After a user authenticates once to the Key Distribution Center (KDC), they receive a Ticket-Granting Ticket (TGT). This TGT can then be used to request service tickets for various network resources without re-entering a password. RADIUS, a client-server protocol, typically requires the client to interact with the server for each authentication and authorization decision.

While traditional stateful firewalls operate primarily at Layers 3 and 4 (IP addresses and ports), NGFWs add Layer 7 (Application Layer) awareness. Through Deep Packet Inspection (DPI), an NGFW can identify the specific application generating the traffic, allowing administrators to create policies like "Allow general web traffic but block BitTorrent," even if BitTorrent attempts to run over port 80 (HTTP).

A VPN is specifically designed to create a secure, encrypted tunnel over an untrusted network. It captures all network traffic from the client device and sends it through this tunnel to the corporate network, effectively making the remote device a secure part of the internal network. Options like HTTPS or SFTP only secure specific application traffic, not all traffic.

The defining characteristic of DAC is that the owner of an object (the user who created it) has the discretion to grant access to others. While this is flexible, it's also a weakness in a corporate setting because an individual's decision might conflict with the organization's broader data handling and security policies. Models like MAC or RBAC enforce centrally managed policies, preventing such violations.

Provisioning is the identity management process of creating, updating, and maintaining user accounts and their access privileges across various systems. The scenario describes the automated creation and setup of a new digital identity and its necessary resources, which is the core function of user provisioning.

The core tenet of a Zero Trust model is to eliminate the outdated concept of a trusted internal network and an untrusted external network. The principle 'Never trust, always verify' means that every access request must be authenticated, authorized, and encrypted, regardless of where it originates. The existing configuration violates this by implicitly trusting any device on the internal network.

MPLS is a provider-managed technology that creates private, virtual circuits across its backbone. It is known for its ability to provide strong Service Level Agreements (SLAs) and Quality of Service (QoS) by prioritizing traffic types (like voice over data). It inherently separates customer traffic, making it a superior choice for enterprise WANs that need performance guarantees, compared to the variable nature of the public internet.

A centralized IAM system acts as the single source of truth for user identities and access rights. This allows administrators to define a security policy once and have it apply everywhere. Most importantly, when an employee leaves, their access can be revoked globally from one console, drastically reducing the risk of orphan accounts and unauthorized access compared to the error-prone process of logging into dozens of individual systems to disable separate accounts.

The KRBTGT account is used by the Key Distribution Center (KDC) to encrypt and sign all TGTs in a domain. Possessing its NTLM hash allows an attacker to create their own valid TGTs for any user, with any group memberships, and for any duration. This is known as a Golden Ticket attack. A Silver Ticket requires the hash of a service account, not KRBTGT. Pass-the-Hash is a different technique, and Kerberoasting targets service accounts, not the KRBTGT account which has a complex, machine-generated password making it impractical to crack.

The Authorization Code Grant with PKCE (RFC 7636) is specifically designed to prevent authorization code interception attacks. The client generates a code_verifier and a code_challenge. The challenge is sent in the initial request, and the verifier is sent in the token exchange request. The server validates that they match. This ensures that even if an attacker intercepts the authorization code, they cannot exchange it for a token without the code_verifier. The Implicit Grant is deprecated due to security risks like token leakage. Client Credentials and Resource Owner Password grants are unsuitable for this public client (SPA) scenario.

A service mesh operates at Layer 7 and can enforce identity-based security policies using strong cryptographic identities provided by mTLS. This is more granular than IP-based controls like Kubernetes NetworkPolicies or NACLs. It can inspect and control traffic based on application-level attributes (e.g., HTTP methods, gRPC calls) for individual pods, which aligns perfectly with Zero Trust principles for east-west traffic. A traditional NGFW would struggle with the ephemeral nature of pod IPs and would lack the application-context that a service mesh provides natively within the cluster.

While both appliances can perform TLS inspection, the key differentiator is the depth of application awareness. A WAF is purpose-built to understand web application protocols and logic. It can terminate TLS, parse HTTP requests, decode parameter encodings (like Base64, URL encoding), and then apply sophisticated rules that understand SQL, XSS, and other web attack patterns. An NGFW's DPI is typically more focused on identifying malware, protocol anomalies, and known exploit signatures at the network and transport layers, and is less specialized in decoding complex, nested application-layer data formats.

This approach correctly establishes a chain of trust. ADFS (the IdP for the legacy apps) is configured to trust Azure AD as an external IdP. When a user from Org B tries to access an app, ADFS redirects them to Azure AD for authentication. Azure AD authenticates the user and sends a SAML token back to ADFS. ADFS validates this token and then issues its own SAML token, which the legacy application trusts. This avoids complex identity synchronization, forest trusts (which aren't directly applicable to Azure AD), and reconfiguring dozens of individual applications.

IPsec has two modes: Transport and Tunnel. Transport Mode encrypts/authenticates only the IP payload (e.g., the TCP segment). The original IP header remains intact. This is efficient for host-to-host communication on the same network but is a security risk for a site-to-site VPN because it exposes the internal IP addresses of the communicating hosts to anyone monitoring traffic between the gateways. Tunnel Mode, the standard for site-to-site VPNs, encapsulates the entire original IP packet within a new IP packet, protecting the original headers and hiding the internal network topology.

The policy logic uses a series of AND conditions. For the policy to trigger, all conditions must be met: the user must be an admin, the location must be outside HQ, and the device must be compliant. The scenario described (Admin, inside HQ, non-compliant device) fails the location.ip != 'Trusted_HQ_IP' condition. Therefore, this policy rule does not apply, and access would be determined by the default or next policy. If the default is to allow access, this creates a significant security gap where an admin can use a potentially compromised, non-compliant device to access resources without MFA, simply because they are physically on the corporate network.

While the other options are true aspects of FIDO2, they don't fully explain its anti-phishing strength. The critical element is origin binding. During registration, the authenticator associates the generated key pair with the specific website's domain (the origin). During authentication, the website (relying party) sends a challenge that includes its origin. The authenticator will only sign this challenge with the correct private key if the origin matches the one stored during registration. A phishing site (evil-corp.com) cannot get a valid signature for a credential registered for good-corp.com. Even if a user is tricked into interacting with the phishing site, the cryptographic challenge-response will fail, preventing the attack. A user can be tricked into entering a valid TOTP code on a phishing site, which the attacker can then immediately relay to the real site.

The aud (Audience) claim is a critical security control that specifies the intended recipient(s) of the token. In this case, the token was explicitly issued for api.service-A.com. If service-B accepts this token without verifying that it is in the audience, it creates a confused deputy vulnerability. An attacker could use a token obtained for a less sensitive service (A) to access a more sensitive service (B). Verifying issuer, signature, and expiration are necessary, but ignoring the audience is a common and severe implementation flaw.

The core function of a switch is to forward production traffic. The process of copying packets to a SPAN port is a secondary, lower-priority task. Under heavy load, such as a DDoS attack, the switch will prioritize its primary forwarding function and may drop SPAN packets to conserve resources. This results in an incomplete and unreliable data stream for the IDS. A network TAP is a fail-safe hardware device that sits in-line and creates a perfect, bit-for-bit copy of all traffic without being affected by network load. It ensures the security appliance sees every single packet, which is critical for accurate detection and forensic analysis.

In a three-tier architecture, traffic between different access layer switches (east-west) often has to travel 'up' to the distribution or core layer to be routed. This creates natural choke points to place firewalls for inspection. In a spine-leaf fabric, any leaf switch is only one hop away from any other leaf switch via a spine. This is excellent for performance and low latency but means that a significant amount of east-west traffic can flow between racks without ever passing through a centralized firewall. This necessitates a shift towards a distributed security model, such as micro-segmentation with host-based firewalls or fabric-integrated security services, which can be more complex to manage.

BEAST is a client-side attack against TLS 1.0 and earlier that exploits a weakness in the Cipher Block Chaining (CBC) mode of operation. Specifically, it leverages the fact that the IV for each record was predictable (it was the last ciphertext block of the previous record). While modern browsers have client-side mitigations, and TLS 1.1/1.2 introduced server-side mitigations, the fundamental cryptographic weakness lies with CBC in these older protocols. The most robust solution is to prioritize Authenticated Encryption with Associated Data (AEAD) ciphers like AES_GCM. Heartbleed, Logjam, and CRIME are different types of TLS vulnerabilities not directly related to the CBC implementation itself.

JIT provisioning typically creates a user account in a service provider (SP) the first time a user tries to log in via SSO. Its primary function is user creation. However, it does not have a standard mechanism for handling de-provisioning (when a user leaves the company) or updating user attributes (like name or department changes). SCIM is a purpose-built REST/JSON-based protocol designed to manage the full identity lifecycle, including create, read, update, and delete (CRUD) operations. This makes SCIM far more robust for maintaining an accurate and secure user base in SaaS applications, especially for timely de-provisioning, which is a critical security control.

The placement of deception technology is strategic. A low-interaction honeypot in the DMZ is exposed to the internet and will attract a high volume of automated, low-sophistication attacks. Its value is in early warning and identifying external threat actors. Conversely, any traffic hitting the internal honeypot is highly suspicious, as legitimate users should have no reason to access it. This makes it an extremely high-fidelity sensor for detecting lateral movement by an attacker who has already bypassed perimeter defenses. The high-interaction nature allows the security team to observe the attacker's tools, techniques, and procedures (TTPs) in a safe environment.

Unconstrained Delegation is an extremely dangerous permission. When a user authenticates to a service with this enabled, their Ticket-Granting Ticket (TGT) is forwarded to the service's host and cached in memory. If an attacker compromises that host (e.g., the web server), they can extract the user's TGT from memory. With the TGT, the attacker can then request service tickets for any other service in the domain as that user. If a domain administrator authenticates to this service, the attacker can effectively become a domain admin. This is why Unconstrained Delegation is strongly discouraged in favor of Constrained Delegation or Resource-Based Constrained Delegation.

ABAC policies are evaluated based on the precise logic defined. The user is a 'researcher', so the second part of the OR condition is evaluated. This part requires three AND conditions to be true: user.role == 'researcher' (true), resource.sensitivity == 'anonymized' (true), and time.hour > 9 AND time.hour < 17 (false, because 20 is not less than 17). Since one of the AND conditions is false, the entire second part of the policy evaluates to false. The first part of the OR is also false because the user is not a 'doctor'. Therefore, the overall policy evaluates to 'Deny'.

SSL/TLS inspection is fundamentally a man-in-the-middle (MitM) process. The client establishes a TLS session with the proxy, and the proxy establishes a separate TLS session with the destination server. Certificate Pinning (e.g., HPKP, though now deprecated in browsers, is still used in mobile/custom apps) is a mechanism where a client is configured to only trust a specific public key or certificate for a given domain. The proxy's on-the-fly certificate will not match the pinned key, causing the client connection to fail. More critically, if the proxy's logic for validating the real upstream certificate is flawed (e.g., it accepts a weak signature), it might still present a valid-looking certificate to the client (signed by the trusted corporate CA), effectively masking the upstream security issue and exposing the client to a MitM attack that would have otherwise been caught.

The primary advantage of OIDC in modern application contexts is its simplicity and alignment with developer-friendly standards. OIDC uses JWTs (JSON Web Tokens) for its ID Token, which is lightweight and easily consumable by JavaScript and mobile clients. In contrast, SAML uses verbose XML documents (SAML Assertions) that require more complex parsing libraries and are generally less friendly to browser-based and mobile applications. OIDC's flows are also designed to be more RESTful and API-friendly, directly leveraging the OAuth 2.0 framework it is built upon.

This scenario describes a behavioral problem (rubber-stamping) that undermines the entire access certification process. Outlier detection is an advanced IGA feature that uses analytics to identify abnormal behavior, such as unusually high or fast approval rates. By flagging this manager's activity and escalating it for a secondary, more rigorous review, the IGA system can provide a compensating control against managerial negligence. While SoD and RBAC are important IAM principles, they don't directly solve the problem of a manager failing to perform their review duties properly. Increasing frequency might just lead to faster rubber-stamping.

One of the major improvements in TLS 1.3 is increased privacy and a faster handshake. After the client and server exchange hellos and agree on a key (using the key shares sent in the initial messages), the rest of the handshake is encrypted. This includes the EncryptedExtensions, Certificate, CertificateVerify, and Finished messages. By encrypting the certificate, TLS 1.3 prevents passive network observers from easily determining which website the user is connecting to (assuming SNI is also encrypted, which is now possible with ESNI/ECH), thereby significantly improving user privacy.