5_3_4 – Organizational Security Policies.Credential Policies

Questions and Answers

What is a critical part of a data security strategy?

Sharing credentials with others

Proper credential management (correct)

Keeping passwords on the client side

Storing passwords in the application

Where should passwords ideally reside?

As part of the operating system

On the client side

On the server side (correct)

Within the application itself

What should be done to ensure secure communication during login?

Sharing login credentials with others

Encrypting credentials during communication (correct)

Sending passwords over the network in plain text

Storing passwords in the application itself

Why is storing passwords as part of the application not secure?

It exposes passwords to unauthorized access

What type of account should be used for logging in?

Personal account not shared with others

Why is encrypting communication important during login?

To prevent credentials from being intercepted

What type of credentials are used by background processes on a device?

Non-interactive credentials

Why is it common to use different credentials for different services on an operating system?

To enhance security

What is the purpose of running with a user account normally and only using elevated accounts when required?

To prevent accidental damage to the system

What can happen if mistakes are made while using administrator or route access?

Significant damage to the operating system

Why is it advised to occasionally change the password for administrator or root accounts?

To ensure only authorized users have access

What additional security measure should be used when logging in with administrator or root access?

Biometric authentication

What is the purpose of having separate personal accounts in an operating system?

To limit access to personal files for individual users

Why is it important for users on the network to have unique accounts?

To ensure accountability and prevent unauthorized access

What is the role of two-factor authentication in user account security?

It provides an additional layer of security beyond passwords

Why should third party accounts be unique and tied to individuals?

To prevent unauthorized access and ensure accountability

What is the purpose of defining additional credential policies for mobile devices?

To ensure that only trusted devices can access sensitive data

Why is it necessary to perform occasional audits on third party accounts?

To ensure that those accounts are secure and safe

How does device certificates contribute to mobile device security?

They identify devices as trusted hardware validated by security teams

'Screen locks' on mobile devices are primarily used for?

Adding an extra layer of protection to the device

'Two-factor authentication' is valuable because it:

Adds a second layer of security beyond passwords

What role does 'elevated account' play in an organization's network security?

Allows temporary additional access to the operating system.

Where should passwords ideally be stored for secure credential management?

Encrypted on the server-side

Why is storing passwords as part of an application considered insecure?

It exposes passwords to potential unauthorized access

What is the importance of encrypting communication during the login process?

To prevent transmission of login credentials in plain text

Why should personal accounts not be shared according to the text?

To ensure that only one person can log in with the account

Which type of communication process helps ensure encryption of credentials during login to a web server?

TLS communication process

What is a critical aspect of data security strategy related to credential management?

Encrypting communication during login processes

What is the main reason for using different credentials for different services on an operating system?

To ensure that each service has the correct access rights

Why is it challenging to manage non-interactive services' credentials?

They have no prompt for password changes

What is the primary benefit of running with a user account normally and only using elevated accounts when required?

Prevents malware from gaining enhanced access

Why is it essential to change the password occasionally for administrator or root accounts?

To limit access to enhanced credentials

What is the purpose of multifactor authentication when logging in with administrator or root access?

To restrict access to authorized individuals

How does having elevated accounts like administrator or root impact network security?

Increases vulnerability to malware attacks

What is the main reason for having separate personal accounts in an operating system?

To limit individual users' actions and restrict malware access

Why is two-factor authentication recommended for accounts used to access cloud-based services?

To protect against unauthorized access and enhance security

What is the purpose of device certificates used on mobile devices?

To identify the device as trusted and validated by the security team

Why should third party accounts used by business partners or vendors be unique and tied to individuals?

To ensure accountability and security for external connections

What additional form of authentication could be beneficial when using third party accounts on an operating system?

Adding two-factor or multifactor authentication

Why do users on a network need to have unique accounts, even if they are within the same organization?

To enhance accountability and security measures

What role does an elevated account play within an organization's network security?

To temporarily grant additional access when required

Why are third party accounts connecting to a network from external sources a potential security risk?

They may not be subject to the same authentication standards as internal accounts

Why is it important to define additional credential policies for mobile devices like smartphones and tablets?

To enhance data security and prevent unauthorized access

What is the role of screen locks on mobile devices in maintaining security?

To restrict user access and enhance data security