Joe notices there are several user accounts on the local network generating spam with embedded malicious code. Which of the following technical controls should Joe put in place to BEST reduce these incidents?
A. Account lockout B. Group Based Privileges C. Least privilege D. Password complexity
Joe, an employee, reports to the security manager that several files in a research and development folder that only Joe has access to have been improperly modified. The modification date on the files is recent and the modified-by account is Joe's. The permissions on the folder have not been changed, and there is no evidence of malware on the server hosting the folder or on Joe's workstation. Several failed login attempts to Joe's account were discovered in the security log of the LDAP server. Given this scenario, which of the following should the security manager implement to prevent this in the future?
A. Generic account prohibition B. Account lockout C. Password complexity D. User access reviews
An incident occurred in which an outside attacker was able to gain access to network resources. During the incident response investigation, security logs indicated multiple failed login attempts for a network administrator account. Which of the following controls, if in place, could have BEST prevented this successful attack?
A. Password history B. Password complexity C. Account lockout D. Account expiration
A hacker has discovered a simple way to disrupt business for the day at a small company which relies on staff working remotely. In a matter of minutes the hacker was able to deny remotely working staff access to company systems with a script. Which of the following security controls is the hacker exploiting?
A. DoS B. Account lockout C. Password recovery D. Password complexity
Correct Answer: B Section: Access Control and Identity Management
B: Account lockout automatically disables an account after repeated failed logon attempts. The hacker must have run a script that repeatedly tried to log on to the remote workers' accounts with wrong passwords, forcing the account lockout policy to activate and locking the legitimate users out of their own accounts.
A: Denial of service (DoS) is a form of attack whose principal objective is preventing the victimized system from performing valid actions or responding to valid traffic.
C: The users did not forget their passwords; they were locked out. Furthermore, most of the time users would be required to change their passwords instead of recovering them, as it is not a
D: Since the hacker did not gain access to the system, password complexity was not what was exploited; it simply forms part of the company's password policy.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 291-293
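The two faces of account lockout described in the answer above, as an added example that is not part of the original page: a small in-memory login service with a lockout policy, an online brute-force attempt that the policy cuts off, the question's lockout script turned against every known username (the denial of service), and the effect of a finite lockout duration. The threshold, window and duration values, the usernames and passwords, and the AuthService/LockoutPolicy names are all assumptions chosen for the illustration; no real directory or network is involved.

```python
"""Account lockout simulated in memory: it stops online guessing, and the
same mechanism lets anyone who knows usernames lock the real users out.
Constructed example; policy values and credentials are made up."""
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac
import os


@dataclass
class LockoutPolicy:
    threshold: int = 3          # failed attempts before the account locks (assumed)
    window_s: float = 900.0     # failures older than this no longer count (assumed)
    duration_s: float = 1800.0  # auto-unlock after this; 0 = locked until an admin unlocks


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: Optional[float] = None           # None = not locked, inf = indefinite


class AuthService:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict = {}

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        # Slow, salted hash so a stolen database is not trivially brute forced offline.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[name] = Account(salt, self._hash(salt, password))

    def is_locked(self, name: str, now: float) -> bool:
        acct = self.accounts[name]
        if acct.locked_until is None:
            return False
        if now >= acct.locked_until:          # finite lockout elapsed: auto-unlock
            acct.locked_until = None
            acct.failures.clear()
            return False
        return True

    def login(self, name: str, password: str, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        acct = self.accounts.get(name)
        if acct is None:
            return "bad_password"              # same answer as a wrong password: no enumeration
        if self.is_locked(name, now):
            return "locked"                    # refused even if the password is right
        if hmac.compare_digest(acct.pw_hash, self._hash(acct.salt, password)):
            acct.failures.clear()
            return "ok"
        # Count the failure inside the window and lock when the threshold is reached.
        acct.failures = [t for t in acct.failures if now - t <= self.policy.window_s]
        acct.failures.append(now)
        if len(acct.failures) >= self.policy.threshold:
            acct.locked_until = now + self.policy.duration_s if self.policy.duration_s else float("inf")
            return "locked"
        return "bad_password"


CREDS = {"alice": "correct horse battery staple", "bob": "hunter2-but-longer"}  # constructed


def make_service() -> AuthService:
    svc = AuthService(LockoutPolicy(threshold=3, window_s=900, duration_s=1800))
    for user, pw in CREDS.items():
        svc.add_user(user, pw)
    return svc


def brute_force_outcomes() -> list:
    """Online brute force against bob: the right password is the 4th guess,
    but the third failure locks the account, so even the right guess is refused."""
    svc = make_service()
    guesses = ["123456", "password", "letmein", CREDS["bob"]]
    return [svc.login("bob", g, now=float(i)) for i, g in enumerate(guesses)]


def lockout_dos_outcomes() -> dict:
    """The question's script: spray wrong passwords at every known username,
    then let the real users try their correct passwords."""
    svc = make_service()
    for user in CREDS:
        for i in range(svc.policy.threshold):
            svc.login(user, "wrong-guess", now=float(i))
    return {user: svc.login(user, pw, now=10.0) for user, pw in CREDS.items()}


def auto_unlock_outcome() -> str:
    """A finite lockout duration bounds the DoS: once it elapses the correct
    password works again (with duration 0 the account would stay locked)."""
    svc = make_service()
    for i in range(3):
        svc.login("alice", "wrong-guess", now=float(i))
    return svc.login("alice", CREDS["alice"], now=3.0 + svc.policy.duration_s)


if __name__ == "__main__":
    print("online brute force:    ", brute_force_outcomes())
    print("lockout as DoS:        ", lockout_dos_outcomes())
    print("after lockout duration:", auto_unlock_outcome())
```

The same three failures that stop the guessing in `brute_force_outcomes` are all the attacker needs in `lockout_dos_outcomes`, which is why lockout policies are normally given a finite duration and paired with per-source throttling rather than left at "locked until an administrator intervenes".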
A security administrator must implement all requirements in the following corporate policy: Passwords shall be protected against offline password brute force attacks. Passwords shall be protected against online password brute force attacks. Which of the following technical controls must be implemented to enforce the corporate policy? (Select THREE).
A. Account lockout B. Account expiration C. Screen locks D. Password complexity E. Minimum password lifetime F. Minimum password length
Correct Answer: A,D,F Section: Threats and Vulnerabilities
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security.
A brute force attack may also be referred to as brute force cracking.
For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers.
The policy has two parts that call for different controls. Against an offline brute force attack the attacker has a copy of the password hashes and can make guesses at hardware speed, so the only defense is the strength of the password itself; against an online brute force attack every guess has to go through the login service, so the account can be locked after a handful of failures. The following password policies ensure that users have strong (difficult to guess) passwords:
F: Minimum password length. This policy specifies the minimum number of characters a password should have. For example: a minimum password length of 8 characters is regarded as good security practice.
D: Password complexity determines what characters a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers.
This makes it far less likely that passwords are plain dictionary words, which a dictionary attack would find quickly, although it is not a guarantee: a password such as "P@ssw0rd1" satisfies a typical complexity rule and is still on every wordlist.
A: Account lockout policy: This policy ensures that a user account is locked after a number of incorrect password entries. For example, you could specify that if a wrong password is entered three times, the account will be locked for a period of time or indefinitely until the account is unlocked by an administrator.
B: Account expiration settings determine when an account will expire. This is usually a time or date. An account configured with an expiration date will not prevent an attacker trying to brute force a password as the attacker could make as many attempts as he wants until the time or date of the account expiration.
C: A screen lock will cause the screen of a computer or mobile device to lock after a period of inactivity. It is not used to prevent brute force attacks.
E: Minimum password lifetime (minimum password age) is best explained together with password history. Password history determines the number of previous passwords that cannot be reused when a user changes his password; for example, a password history value of 5 disallows the user from changing his password to any of his previous 5 passwords.
When a user is forced to change his password because the maximum password age has expired, he could otherwise change it straight back to a previously used one; even with a password history of 5, he could change his password six times in a row to cycle back round to the original. This is where the minimum password age (minimum password lifetime) comes in: it is the period a password must be used before it can be changed again. For example, a minimum password age of 30 days means that once a user changes his password, he must keep it for at least 30 days. A minimum password age does not protect against brute force attacks.
Which of the following would BEST deter an attacker trying to brute force 4-digit PINs to access an account at a bank teller machine?
A. Account expiration settings B. Complexity of PIN C. Account lockout settings D. PIN history requirements
Correct Answer: C Section: Threats and Vulnerabilities
Account lockout settings determine the number of failed login attempts before the account is locked and how long it stays locked. For example, an account can be configured to lock if three incorrect passwords (or, in this case, PINs) are entered. The account can then be configured to unlock automatically after a period of time or to stay locked until someone manually unlocks it.
A: Account expiration settings determine when an account will expire. This is usually a time or date. An account configured with an expiration date will not prevent an attacker trying to brute force a PIN as the attacker could make as many attempts as he wants until the time or date of the account expiration.
B: Complexity of PIN: Password complexity determines what characters a password must include. For example, you could require a password to contain uppercase and lowercase letters and numbers.
The question states that access is gained with a 4-digit PIN, so the only alphabet available is the ten digits and the keyspace is fixed at 10,000 values. There is little a complexity rule can do with that: the one common PIN rule, forbidding repeated digits, actually shrinks the keyspace (to 10 x 9 x 8 x 7 = 5,040 values). Only a longer PIN would make it harder to guess. PIN complexity will not prevent an attacker trying to brute force a PIN.
D: PIN history requirements are used when people change their PINs. PIN history requirements could state that you cannot use any of your five previously used PINs. PIN history will not prevent an attacker trying to brute force a PIN.
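The keyspace arithmetic behind the last two questions, as an added example that is not part of the original page: it shows why minimum length and complexity govern the cost of an offline brute force attack, why only lockout governs the cost of an online one, and why a 4-digit PIN cannot be made "complex" (the no-repeated-digits rule shrinks its keyspace from 10,000 to 5,040). The guess rates, the 33-symbol count, and the lockout threshold and duration are assumptions for the illustration, not figures from the page.

```python
"""Keyspace and time-to-exhaust arithmetic for password and PIN policies.
Rates and policy values are assumptions chosen for illustration."""
import math

# Sizes of the character classes a complexity rule can require (33 printable symbols assumed).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33


def keyspace(length: int, alphabet_size: int) -> int:
    """Candidates an exhaustive attacker must try in the worst case."""
    return alphabet_size ** length


def pin_keyspace(digits: int = 4, allow_repeats: bool = True) -> int:
    """The only complexity rule a numeric PIN admits ('no repeated digit')
    reduces the keyspace: 10**4 = 10,000 becomes 10*9*8*7 = 5,040."""
    return 10 ** digits if allow_repeats else math.perm(10, digits)


def offline_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace with the hash in hand (offline)."""
    return space / guesses_per_second


def online_attempts(seconds: float, threshold: int, lockout_s: float) -> int:
    """Guesses an online attacker gets in `seconds` under a lockout policy:
    `threshold` attempts, then `threshold` more each time the lockout expires."""
    return threshold * (1 + int(seconds // lockout_s))


def online_exhaust_seconds(space: int, threshold: int, lockout_s: float) -> float:
    """Time to try every candidate online when the account locks for
    `lockout_s` seconds after every `threshold` failures."""
    cycles = math.ceil(space / threshold)
    return (cycles - 1) * lockout_s


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def policy_table(guesses_per_second: float = 1e10) -> dict:
    """Offline worst-case crack time (seconds) for several policies.
    1e10 guesses/s is an assumed figure for a GPU rig against a fast unsalted
    hash; a slow salted KDF (PBKDF2, bcrypt, Argon2) lowers it by orders of magnitude."""
    policies = {
        "8 lowercase only": keyspace(8, LOWER),
        "8 upper+lower+digits": keyspace(8, LOWER + UPPER + DIGITS),
        "12 upper+lower+digits+symbols": keyspace(12, LOWER + UPPER + DIGITS + SYMBOLS),
        "4-digit PIN": pin_keyspace(4),
        "4-digit PIN, no repeats": pin_keyspace(4, allow_repeats=False),
    }
    return {name: offline_crack_seconds(space, guesses_per_second) for name, space in policies.items()}


if __name__ == "__main__":
    print("Offline, attacker holds the hashes:")
    for name, secs in policy_table().items():
        print(f"  {name:32s} {human(secs)}")
    # Online, every guess goes through the ATM: lock for 30 minutes after 3 failures (assumed).
    pin_space = pin_keyspace(4)
    print("Online 4-digit PIN, 3 failures then 30 min lockout:")
    print(f"  attempts per day: {online_attempts(86400, 3, 1800)}")
    print(f"  time to exhaust:  {human(online_exhaust_seconds(pin_space, 3, 1800))}")
```

Read offline and online rows together: the 8-character lowercase policy falls in seconds offline, which is why minimum length and complexity are the controls for that half of the policy, while the 10,000-value PIN is hopeless offline but takes the online attacker about 69 days to exhaust once lockout limits him to a few guesses per half hour. Lockout is the control that matters for the PIN question because the PIN's keyspace cannot be enlarged by a complexity rule.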