D is correct. A system that requires users to have a smart card and a

personal identification number (PIN) uses multifactor authentication or

two-factor authentication. The card is in the something you have factor, and

the PIN is in the something you know factor. A username provides

identification, and a password is in the something you know factor,

providing single-factor authentication. Fingerprints and vein scans are both

in the something you are factor, providing single-factor authentication. A

code for a cipher door lock is in the something you know factor, providing

single-factor authentication. See Chapter 2.

C is correct. Time-based logins (sometimes called time-of-day

restrictions) would prevent this. They would prevent anyone from logging

in after normal working hours and accessing sensitive data. All of the other

answers can detect suspicious behavior, but they wouldn’t prevent the users

from logging in after normal working hours and stealing the data. See

Chapter 2.

A is correct. The default application password for the SQL server

should be changed. Some SQL Server software implementations can have a

default blank password for the SA account (the System Administrator

account), and these default credentials are well-known. While the scenario

describes a worm because it is self-propagating, the question is asking for

the best preventive action to take. Using two-factor authentication (2FA) is

a good practice for users, but it isn’t always feasible for application

passwords. A code review can detect flaws and vulnerabilities in internally

developed applications, but SQL Server is Microsoft software. See Chapter

2.

A and C are correct. Brute force and dictionary attacks attempt to guess

passwords, but an account lockout control locks an account after the wrong

password is guessed too many times. The other attacks are not password

attacks, so they aren’t mitigated using account lockout controls. Domain

Name System (DNS) poisoning attempts to redirect web browsers to

malicious URLs. Replay attacks attempt to capture packets to impersonate

one of the parties in an online session. Buffer overflow attacks attempt to

overwhelm online applications with unexpected code or data. See Chapters

2 and 10.

C is correct. Users would typically enter a username as identification

for an authentication, authorization, and accounting (AAA) system. Users

would provide a password as proof that the claimed identity (the username)

is theirs. The password provides authentication. Users are assigned

permissions based on their proven identity, but the permissions do not

provide authentication. The virtual private network (VPN) would encrypt

traffic sent via the VPN tunnel, and this traffic may be encrypted with the

use of a certificate. However, this is not called a tunneling certificate, and

the certificate used for encryption does not provide identification. A

hardware token is often used as an additional method of authentication, but

it does not provide identification. See Chapter 2.

A is correct. A privileged access management system protects and limits

access to privileged accounts such as administrator accounts. OpenID

Connect is used for authentication and authorization on the Internet, not

internal networks. A mandatory access control (MAC) scheme uses labels

to control access, but it isn’t used to control access to administrator

accounts. Multifactor authentication (MFA) uses more than one factor of

authentication, but it doesn’t meet any of the requirements of this scenario.

See Chapter 2.

A is correct. Security Assertion Markup Language (SAML) is a single

sign-on SSO solution that can use third-party websites, and it provides

authentication. Kerberos is an SSO solution used on internal networks such

as in Microsoft Active Directory domains. Secure Shell (SSH) is used for

remote administration. OAuth (think of this as Open Authorization) is used

for authorization, but the scenario wants a solution for authentication. See

Chapter 2.

D is correct. A software-defined network (SDN) typically uses an

attribute-based access control (ABAC) scheme. The ABAC scheme is

based on attributes that identify subjects and objects within a policy. A

discretionary access control (DAC) scheme has an owner, and the owner

establishes access for the objects. A mandatory access control (MAC)

scheme uses labels assigned to subjects and objects. A role-based access

control scheme uses roles or groups to assign rights and permissions. See

Chapter 2.