After a merger between two companies a security analyst has been asked to ensure that the organization’s systems are secured against infiltration by any former employees that were terminated during the transition. Which of the following actions are MOST appropriate to harden applications against infiltration by former employees? (Select TWO)
A. Monitor VPN client access B. Reduce failed login lockout settings C. Develop and implement updated access control policies D. Review and address invalid login attempts E. Increase password complexity requirements F. Assess and eliminate inactive accounts
A password audit has revealed that a significant percentage of end users have passwords that are easily cracked. Which of the following is the BEST technical control that could be implemented to reduce the number of easily “crackable” passwords in use?
A. Credential management B. Password history C. Password complexity D. Security awareness training
Several employee accounts appear to have been cracked by an attacker. Which of the following should the security administrator implement to mitigate password cracking attacks? (Select TWO).
A. Increase password complexity B. Deploy an IDS to capture suspicious logins C. Implement password history D. Implement monitoring of logins E. Implement password expiration F. Increase password length
Correct Answer: A,F Section: Access Control and Identity Management
The more complex a password is, the harder it is for an attacker to crack. Increasing the password complexity requirements therefore makes cracking more difficult.
Passwords that are too short can easily be cracked. Requiring more characters in a password, combined with the increased complexity, mitigates password cracking attacks.
B: IDS (intrusion detection systems) can be implemented to capture suspicious logins, but that assumes that the passwords are already cracked.
C: Password history is implemented to prevent users from changing their password to the same value as the old one, or to one that they used the last time around. This might also be used by some crackers to hack passwords, and thus it does not mitigate password attacks.
D: Monitoring the logins is part of auditing and does not mitigate the password cracking attacks.
E: Password expiration refers to the period of validity of passwords. Some crackers will even make use of these expiry periods to crack passwords.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 139-140
A security administrator is concerned about the strength of users’ passwords. The company does not want to implement a password complexity policy. Which of the following can the security administrator implement to mitigate the risk of an online password attack against users with weak passwords?
A. Increase the password length requirements B. Increase the password history C. Shorten the password expiration period D. Decrease the account lockout time
Correct Answer: C Section: Access Control and Identity Management
Reducing the password expiration period will require passwords to be changed at the end of that period. A password needs to be changed if it doesn’t meet the compliance requirements of the company’s password policy, or is evidently insecure. It will also need to be changed if it has been reused, or due to possible compromise as a result of a system intrusion. This will give online password attackers less time to crack the weak passwords.
A: Increasing the password length will not make the new passwords less susceptible to online password attackers.
B: Password history tracks previous passwords to prevent password reuse. It will not make the new passwords less susceptible to online password attackers.
D: Account lockout automatically disables an account after repeated failed logon attempts. When the account is unlocked it will still have the same weak password, and will still be susceptible to online password attacks.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 292-294
An internal auditing team would like to strengthen the password policy to support special characters. Which of the following types of password controls would achieve this goal?
A. Add reverse encryption B. Password complexity C. Increase password length D. Allow single sign on
Correct Answer: B Section: Access Control and Identity Management
Generally, the minimum password length is considered to be 8 upper and lowercase characters. The use of at least one non-alpha character like punctuation, special characters, or numbers, combined with the password length, produces strong passwords. Strong passwords are produced by the combination of a password’s length and complexity.
A: Typical protocol components, like encryption and hash functions, can be reverse-engineered automatically by tracing the execution of protocol implementations and trying to identify buffers in memory holding unencrypted packets. It will not strengthen the password policy to support special characters.
C: Increasing the password length will not necessarily support special characters.
D: Single sign-on means that once a user (or other subject) is authenticated into a realm, they need not re-authenticate to access resources on any realm entity. It will not strengthen the password policy to support special characters.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 284, 292, 293
After a recent internal audit, the security administrator was tasked to ensure that all credentials must be changed within 90 days, cannot be repeated, and cannot contain any dictionary words or patterns. All credentials will remain enabled regardless of the number of attempts made. Which of the following types of user account options were enforced? (Select TWO).
A. Recovery B. User assigned privileges C. Lockout D. Disablement E. Group based privileges F. Password expiration G. Password complexity
Correct Answer: F,G Section: Access Control and Identity Management
Password complexity often requires the use of a minimum of three out of four standard character types for a password. The more characters in a password that includes some character type complexity, the more resistant it is to password-cracking techniques. In most cases, passwords are set to expire every 90 days.
A: Recovery of a password requires that the password storage mechanism be reversible or that passwords be stored in multiple ways. Requiring passwords to be changed is more secure than recovering them.
B: User-assigned privileges are privileges granted directly to an individual user account. They will not ensure that all credentials must be changed within 90 days.
C: Account lockout settings determine the number of failed login attempts before the account gets locked and how long the account will be locked out for. The question states: “All credentials will remain enabled regardless of the number of attempts made.”
D: Disablement automatically disables a user account or causes the account to expire at a specific time and on a specific day. It will not ensure that all credentials must be changed within 90 days.
E: Group-based privileges grant each group member the same level of access to a certain object. They will not ensure that all credentials must be changed within 90 days.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 292-294
An auditing team has found that passwords do not meet best business practices. Which of the following will MOST increase the security of the passwords? (Select TWO).
A. Password Complexity B. Password Expiration C. Password Age D. Password Length E. Password History
Correct Answer: A,D Section: Access Control and Identity Management
Passwords should have the strength to avoid discovery through attack, but they should also be easy enough for the user to remember. The length and complexity of a password combined are vital factors in defining a password’s strength.
B, C: It is common practice for passwords to automatically expire after a specified period so as to compel users to change passwords. However, if it is a strong password, it can remain
E: Password History tracks previous passwords so as to prevent password reuse.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 292, 293
A security administrator must implement all requirements in the following corporate policy: Passwords shall be protected against offline password brute force attacks. Passwords shall be protected against online password brute force attacks. Which of the following technical controls must be implemented to enforce the corporate policy? (Select THREE).
A. Account lockout B. Account expiration C. Screen locks D. Password complexity E. Minimum password lifetime F. Minimum password length
Correct Answer: A,D,F Section: Threats and Vulnerabilities
A brute force attack is a trial-and-error method used to obtain information such as a user password or personal identification number (PIN). In a brute force attack, automated software is used to generate a large number of consecutive guesses as to the value of the desired data. Brute force attacks may be used by criminals to crack encrypted data, or by security analysts to test an organization’s network security.
A brute force attack may also be referred to as brute force cracking.
For example, a form of brute force attack known as a dictionary attack might try all the words in a dictionary. Other forms of brute force attack might try commonly-used passwords or combinations of letters and numbers.
The best defense against brute force attacks is strong passwords. The following password policies will ensure that users have strong (difficult to guess) passwords:
F: Minimum password length. This policy specifies the minimum number of characters a password should have. For example: a minimum password length of 8 characters is regarded as good security practice.
D: Password complexity determines what characters a password should include. For example, you could require a password to contain uppercase and lowercase letters and numbers. This will ensure that passwords don’t consist of dictionary words, which are easy to crack using brute force techniques.
A: Account lockout policy: This policy ensures that a user account is locked after a number of incorrect password entries. For example, you could specify that if a wrong password is entered three times, the account will be locked for a period of time or indefinitely until the account is unlocked by an administrator.
B: Account expiration settings determine when an account will expire. This is usually a time or date. An account configured with an expiration date will not prevent an attacker trying to brute force a password as the attacker could make as many attempts as he wants until the time or date of the account expiration.
C: A screen lock will cause the screen of a computer or mobile device to lock after a period of inactivity. It is not used to prevent brute force attacks.
E: Minimum password lifetime (minimum password age) is best understood together with password history. Password history determines the number of previous passwords that cannot be used when a user changes their password. For example, a password history value of 5 would disallow a user from changing their password to any of their previous 5 passwords.
When a user is forced to change their password because the maximum password age has expired, they could change it back to a previously used password. Even with a password history value of 5 configured, the user could change the password six times in a row to cycle back round to the original password. This is where the minimum password age (minimum password lifetime) comes in: it is the period for which a password must be used before it can be changed again. For example, a minimum password age of 30 means that when a user changes their password, they must keep the new password for at least 30 days. A minimum password age does not protect against brute force attacks.
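The following is an added example, not taken from the study guides cited above, that puts the controls from the last two questions (expiry within 90 days, no reuse, no dictionary words or patterns, and the offline vs. online brute force distinction) into one small password-policy enforcer. The numeric values (8-character minimum, 3 of 4 character classes, 90-day maximum age, 30-day minimum age, history depth of 5, lockout after 3 failures) are the figures quoted in the explanations; the word list, the lockout duration, the account and the hashing parameters are constructed assumptions for illustration. Length, complexity and pattern rejection act against offline cracking of stolen hashes; lockout acts against online guessing; history plus minimum age together prevent cycling back to an old password.

```python
"""Added example: a minimal password-policy enforcer (assumed values, constructed data)."""
import hashlib
import hmac
import os
import re
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

MIN_LENGTH = 8                        # minimum password length (offline control)
MIN_CHAR_CLASSES = 3                  # "three of four" character types (offline control)
MAX_AGE = timedelta(days=90)          # maximum password age / expiration
MIN_AGE = timedelta(days=30)          # minimum password age (lifetime)
HISTORY_DEPTH = 5                     # previous passwords that may not be reused
LOCKOUT_THRESHOLD = 3                 # failed logins before lockout (online control)
LOCKOUT_DURATION = timedelta(minutes=30)  # assumed lockout period

# Constructed sample wordlist; a real deployment would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "company", "letmein"}


def char_classes(pw: str) -> int:
    """Count how many of the four standard character types the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def has_pattern(pw: str) -> bool:
    """Reject dictionary words, repeated characters (aaa) and sequential runs (abcd, 1234)."""
    lowered = pw.lower()
    if any(word in lowered for word in DICTIONARY):
        return True
    if re.search(r"(.)\1{2,}", pw):
        return True
    for i in range(len(pw) - 3):
        run = pw[i:i + 4]
        if all(ord(run[j + 1]) - ord(run[j]) == 1 for j in range(3)):
            return True
    return False


def check_complexity(pw: str) -> List[str]:
    """Offline-attack controls: return the list of violations (empty means acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if char_classes(pw) < MIN_CHAR_CLASSES:
        problems.append("insufficient character classes")
    if has_pattern(pw):
        problems.append("dictionary word or pattern")
    return problems


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: List[bytes] = field(default_factory=list)   # salted hashes, newest last
    last_changed: Optional[datetime] = None
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def _hash(self, pw: str) -> bytes:
        # PBKDF2 with a per-account salt; iteration count is an assumed value.
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, 100_000)

    def change_password(self, new_pw: str, now: datetime) -> List[str]:
        """Apply complexity, minimum age and history rules; store the hash only if all pass."""
        problems = check_complexity(new_pw)
        if self.last_changed is not None and now - self.last_changed < MIN_AGE:
            problems.append("minimum password age not reached")
        digest = self._hash(new_pw)
        if any(hmac.compare_digest(digest, old) for old in self.history[-HISTORY_DEPTH:]):
            problems.append("password reused")
        if not problems:
            self.history.append(digest)
            self.last_changed = now
        return problems

    def expired(self, now: datetime) -> bool:
        return self.last_changed is None or now - self.last_changed > MAX_AGE

    def login(self, pw: str, now: datetime) -> str:
        """Online-attack control: lock the account after repeated failures."""
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if self.history and hmac.compare_digest(self._hash(pw), self.history[-1]):
            self.failed_attempts = 0
            return "expired" if self.expired(now) else "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= LOCKOUT_THRESHOLD:
            self.failed_attempts = 0
            self.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "denied"


def demo() -> dict:
    """Walk one constructed account through the policy and return each outcome."""
    t0 = datetime(2024, 1, 1)
    acct = Account("alice")   # constructed sample account
    out = {}
    out["dictionary"] = acct.change_password("Summer2024", t0)
    out["initial"] = acct.change_password("Tr0ub4dor&3", t0)
    out["too_soon"] = acct.change_password("N3w!Passw0rd", t0 + timedelta(days=1))
    out["reuse"] = acct.change_password("Tr0ub4dor&3", t0 + timedelta(days=40))
    t1 = t0 + timedelta(days=50)
    out["guesses"] = [acct.login("guess%d" % i, t1) for i in range(3)]
    out["correct_while_locked"] = acct.login("Tr0ub4dor&3", t1 + timedelta(minutes=5))
    out["correct_after_lockout"] = acct.login("Tr0ub4dor&3", t1 + timedelta(minutes=31))
    out["correct_but_expired"] = acct.login("Tr0ub4dor&3", t0 + timedelta(days=100))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Note that `login` returns "expired" rather than "ok" once the 90-day maximum age has passed, so a caller would route the user to `change_password`, where history and minimum age then stop them from simply cycling back to the old value.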