5_3_4 – Organizational Security Policies.Credential Policies

Questions and Answers

What is a critical part of a data security strategy?

• Sharing credentials with others
• Proper credential management (correct)
• Keeping passwords on the client side
• Storing passwords in the application

Where should passwords ideally reside?

• As part of the operating system
• On the client side
• On the server side (correct)
• Within the application itself

What should be done to ensure secure communication during login?

• Sharing login credentials with others
• Encrypting credentials during communication (correct)
• Sending passwords over the network in plain text
• Storing passwords in the application itself

Why is storing passwords as part of the application not secure?

It exposes passwords to unauthorized access (D)

What type of account should be used for logging in?

Personal account not shared with others (D)

Why is encrypting communication important during login?

To prevent credentials from being intercepted (A)

What type of credentials are used by background processes on a device?

Non-interactive credentials (D)

Why is it common to use different credentials for different services on an operating system?

To enhance security (A)

What is the purpose of running with a user account normally and only using elevated accounts when required?

To prevent accidental damage to the system (B)

What can happen if mistakes are made while using administrator or route access?

Significant damage to the operating system (A)

Why is it advised to occasionally change the password for administrator or root accounts?

To ensure only authorized users have access (C)

What additional security measure should be used when logging in with administrator or root access?

Biometric authentication (B)

What is the purpose of having separate personal accounts in an operating system?

To limit access to personal files for individual users (C)

Why is it important for users on the network to have unique accounts?

To ensure accountability and prevent unauthorized access (C)

What is the role of two-factor authentication in user account security?

It provides an additional layer of security beyond passwords (B)

Why should third party accounts be unique and tied to individuals?

To prevent unauthorized access and ensure accountability (C)

What is the purpose of defining additional credential policies for mobile devices?

To ensure that only trusted devices can access sensitive data (D)

Why is it necessary to perform occasional audits on third party accounts?

To ensure that those accounts are secure and safe (D)

How does device certificates contribute to mobile device security?

They identify devices as trusted hardware validated by security teams (B)

'Screen locks' on mobile devices are primarily used for?

Adding an extra layer of protection to the device (D)

'Two-factor authentication' is valuable because it:

Adds a second layer of security beyond passwords (D)

What role does 'elevated account' play in an organization's network security?

Allows temporary additional access to the operating system. (A)

Where should passwords ideally be stored for secure credential management?

Encrypted on the server-side (D)

Why is storing passwords as part of an application considered insecure?

It exposes passwords to potential unauthorized access (A)

What is the importance of encrypting communication during the login process?

To prevent transmission of login credentials in plain text (B)

Why should personal accounts not be shared according to the text?

To ensure that only one person can log in with the account (A)

Which type of communication process helps ensure encryption of credentials during login to a web server?

TLS communication process (B)

What is a critical aspect of data security strategy related to credential management?

Encrypting communication during login processes (B)

What is the main reason for using different credentials for different services on an operating system?

To ensure that each service has the correct access rights (D)

Why is it challenging to manage non-interactive services' credentials?

They have no prompt for password changes (A)

What is the primary benefit of running with a user account normally and only using elevated accounts when required?

Prevents malware from gaining enhanced access (A)

Why is it essential to change the password occasionally for administrator or root accounts?

To limit access to enhanced credentials (B)

What is the purpose of multifactor authentication when logging in with administrator or root access?

To restrict access to authorized individuals (B)

How does having elevated accounts like administrator or root impact network security?

Increases vulnerability to malware attacks (B)

What is the main reason for having separate personal accounts in an operating system?

To limit individual users' actions and restrict malware access (B)

Why is two-factor authentication recommended for accounts used to access cloud-based services?

To protect against unauthorized access and enhance security (D)

What is the purpose of device certificates used on mobile devices?

To identify the device as trusted and validated by the security team (B)

Why should third party accounts used by business partners or vendors be unique and tied to individuals?

To ensure accountability and security for external connections (A)

What additional form of authentication could be beneficial when using third party accounts on an operating system?

Adding two-factor or multifactor authentication (A)

Why do users on a network need to have unique accounts, even if they are within the same organization?

To enhance accountability and security measures (A)

What role does an elevated account play within an organization's network security?

To temporarily grant additional access when required (A)

Why are third party accounts connecting to a network from external sources a potential security risk?

They may not be subject to the same authentication standards as internal accounts (B)

Why is it important to define additional credential policies for mobile devices like smartphones and tablets?

To enhance data security and prevent unauthorized access (A)

What is the role of screen locks on mobile devices in maintaining security?

To restrict user access and enhance data security (C)