Answer Description

Port Security also known as MAC Filtering is used to restrict which devices can physically connect to the network. This is done by whitelisting which MAC addresses (the physical address of a Networking Interface Card (NIC) are permitted on the network. It is most commonly done where a network port like an RJ-45 is publicly accessible like in an office waiting area.

Wikipedia

In computer networking, MAC address filtering is a security access control method whereby the MAC address assigned to each network interface controller is used to determine access to the network. MAC addresses are uniquely assigned to each card, so using MAC filtering on a network permits and denies network access to specific devices through the use of blacklists and whitelists. While the restriction of network access through the use of lists is straightforward, an individual person is not identified by a MAC address, rather a device only, so an authorized person will need to have a whitelist entry for each device that they would like to access the network. While giving a network some additional protection, MAC filtering can be circumvented by using a packet analyzer to find a valid MAC and then using MAC spoofing to access the network using that address. MAC address filtering can be considered as security through obscurity because the effectiveness is based on "the secrecy of the implementation or its components".

Answer Description

Wireless Protected Access 2 (WPA2) is used to protect wireless networks. When available,WPA2-AES should be used as Advanced Encryption Standard AES provides a much stronger and more secure encryption than the older Temporal Key Integrity Protocol (TKIP).

Wikipedia

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer network. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).WPA (sometimes referred to as the TKIP standard) became available in 2003. The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2, which became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard. In January 2018, Wi-Fi Alliance announced the release of WPA3 with several security improvements over WPA2.

Answer Description

A Firewall is used to restrict network access. In it's simplest form it will block TCP and UDP ports based on number or protocol, but many modern firewalls include complex algorithms to block unusual traffic, detect possible network attacks and monitor or block traffic based on many other factors.

Wikipedia

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

Answer Description

A smart card is a small plastic card much like a credit card with an integrated circuit that can be used to authenticate a user.

Wikipedia

A smart card, chip card, or integrated circuit card (ICC or IC card) is a physical electronic authentication device, used to control access to a resource. It is typically a plastic credit card-sized card with an embedded integrated circuit (IC) chip. Many smart cards include a pattern of metal contacts to electrically connect to the internal chip. Others are contactless, and some are both. Smart cards can provide personal identification, authentication, data storage, and application processing. Applications include identification, financial, public transit, computer security, schools, and healthcare. Smart cards may provide strong security authentication for single sign-on (SSO) within organizations. Numerous nations have deployed smart cards throughout their populations. The universal integrated circuit card (UICC) for mobile phones, installed as pluggable SIM card or embedded eSIM, is also a type of smart card. As of 2015, 10.5 billion smart card IC chips are manufactured annually, including 5.44 billion SIM card IC chips.

Answer Description

A username and password are both examples of "things you know" which is only one factor. The factors are:

• Knowledge (something the user knows)
• Possession (something the user has; like a credit card or cell phone)
• Inherence (something the user is, that is unique to the user; like a fingerprint)

Wikipedia

Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password. A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly generated and frequently changing code to use for authentication.

Answer Description

In Microsoft Active Directory a Group Policy is a policy applied to many AD objects. Objects can be user accounts, servers, desktop devices, etc. Group Policies are used to manage things like user account permissions. For example, a policy may be created for each team with default account permissions needed for those users.

Wikipedia

Group Policy is a feature of the Microsoft Windows NT family of operating systems (including Windows 7, Windows 8.1, Windows 10, Windows 11, and Windows Server 2003+) that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO). A version of Group Policy called Local Group Policy (LGPO or LocalGPO) allows Group Policy Object management without Active Directory on standalone computers.Active Directory servers disseminate group policies by listing them in their LDAP directory under objects of class groupPolicyContainer. These refer to fileserver paths (attribute gPCFileSysPath) that store the actual group policy objects, typically in an SMB share \\domain.com\SYSVOL shared by the Active Directory server. If a group policy has registry settings, the associated file share will have a file registry.pol with the registry settings that the client needs to apply.The Policy Editor (gpedit.msc) is not provided on Home versions of Windows XP/Vista/7/8/8.1/10/11.

Answer Description

Mobile Device Management (MDM) software is used to manage groups of mobile devices like smartphones and tablets. Because these devices run different operating systems than their PC counterparts, are often used by employees at home or on public wireless networks and can download applications from app stores, special management software is needed to ensure their security.

Wikipedia

Mobile device management (MDM) is the administration of mobile devices, such as smartphones, tablet computers, and laptops. MDM is usually implemented with the use of a third-party product that has management features for particular vendors of mobile devices. Though closely related to Enterprise Mobility Management and Unified Endpoint Management, MDM differs slightly from both: unlike MDM, EMM includes mobile information management, BYOD, mobile application management and mobile content management, whereas UEM provides device management for endpoints like desktops, printers, IoT devices, and wearables as well.

Answer Description

Certificates are used in HTTPS and many other protocols to certify the authenticity of a server (or both the server and client in some cases) and when encrypting data.

Wikipedia

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer). If the signature is valid, and the software examining the certificate trusts the issuer, then it can use that key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web. In a typical public-key infrastructure (PKI) scheme, the certificate issuer is a certificate authority (CA), usually a company that charges customers to issue certificates for them. By contrast, in a web of trust scheme, individuals sign each other's keys directly, in a format that performs a similar function to a public key certificate. In case of key compromise, a certificate may need to be revoked. The most common format for public key certificates is defined by X.509. Because X.509 is very general, the format is further constrained by

Answer Description

A password is an example of "something a user knows" and is not something in a user's possession.

Wikipedia

Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password. A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly generated and frequently changing code to use for authentication.

Answer Description

A mantrap is a buffer area between an unsecured and secured area. Most commonly it is a small room with two doors, each door can only open when the other is shut. Mantraps provide an additional layer of security by reducing tailgating, piggybacking, providing privacy for access measures like a pin number, and in extreme cases trapping potential intruders.

Wikipedia

A mantrap, security mantrap portal, airlock, sally port or access control vestibule is a physical security access control system comprising a small space with two sets of interlocking doors, such that the first set of doors must close before the second set opens. Airlocks have a very similar design, allowing free ingress and egress while also restricting airflow. In a manual mantrap, a guard locks and unlocks each door in sequence. An intercom and/or video camera are often used to allow the guard to control the trap from a remote location. In an automatic mantrap, identification may be required for each door, sometimes even different measures for each door. For example, a key may open the first door, but a personal identification number entered on a number pad opens the second. Other methods of opening doors include proximity cards or biometric devices such as fingerprint readers or iris recognition scans. Time of Flight sensors are used in high security environments. Metal detectors are often built in to prevent the entrance of people carrying weapons. This use is particularly frequent in banks and jewelry shops. Turnkey, installed systems are provided by some suppliers due to need for technically trained installers. Fire codes require that automatic mantraps allow exit from the intermediate space while denying access to a secure space such as a data center or research lab. A manually-operated mantrap may allow a guard to lock both doors, trapping a suspect between the doors for questioning or detainment.

Answer Description

Wired Equivalent Privacy (WEP) is a deprecated wireless security standard. It has been superseded by WPA and WPA2 which are stronger more secure options (WPA2 should be used when possible). A number of successful attacks exist to gain access to WEP based wireless networks.

Wikipedia

Wired Equivalent Privacy (WEP) was a security algorithm for 802.11 wireless networks. Introduced as part of the original IEEE 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network. WEP, recognizable by its key of 10 or 26 hexadecimal digits (40 or 104 bits), was at one time widely used, and was often the first security choice presented to users by router configuration tools.In 2003, the Wi-Fi Alliance announced that WEP had been superseded by Wi-Fi Protected Access (WPA). In 2004, with the ratification of the full 802.11i standard (i.e. WPA2), the IEEE declared that both WEP-40 and WEP-104 have been deprecated.WEP was the only encryption protocol available to 802.11a and 802.11b devices built before the WPA standard, which was available for 802.11g devices. However, some 802.11b devices were later provided with firmware or software updates to enable WPA, and newer devices had it built in.

Answer Description

WiFi Protected Access 2 is the best option in the list. MAC3 and SHA256 are not wireless security protocols. WEP is a wireless security protocol but can easily be broken using modern attacks and should not be used.

Wikipedia

Wi-Fi Protected Access (WPA), Wi-Fi Protected Access 2 (WPA2), and Wi-Fi Protected Access 3 (WPA3) are the three security certification programs developed after 2000 by the Wi-Fi Alliance to secure wireless computer network. The Alliance defined these in response to serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).WPA (sometimes referred to as the TKIP standard) became available in 2003. The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2, which became available in 2004 and is a common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard. In January 2018, Wi-Fi Alliance announced the release of WPA3 with several security improvements over WPA2.

Answer Description

Microsoft Active Directory is a directory service for organizing user accounts, servers and client operating systems. Additionally it provides helpful features like enforcing password policies, running login scripts, applying user account restrictions and much more.

Wikipedia

Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. Windows Server operating systems include it as a set of processes and services. Originally, only centralized domain management used Active Directory. However, it ultimately became an umbrella title for various directory-based identity-related services.A domain controller is a server running the Active Directory Domain Service (AD DS) role. It authenticates and authorizes all users and computers in a Windows domain-type network, assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer part of a Windows domain, Active Directory checks the submitted username and password and determines whether the user is a system administrator or a non-admin user. Furthermore, it allows the management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, Active Directory Federation Services, Lightweight Directory Services, and Rights Management Services.Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.Robert R. King defined it in the following way:"A domain represents a database. That database holds records about network services-things like computers, users, groups and other things that use, support, or exist on a network. The domain database is, in effect, Active Directory."

Answer Description

Virtual Private Network (VPN) is a tool that provides an encrypted secure tunnel between two networks or between a client device and a network. Enterprises use VPNs to allow secure connection of mobile devices like laptops and smart devices to the internal company network. Typically when you are in a company office a VPN will not be needed, but when you are working from a coffee shop or from home then a VPN can give you secure access to company servers and systems.

Wikipedia

A virtual private network (VPN) is a mechanism for creating a secure connection between a computing device and a computer network, or between two networks, using an insecure communication medium such as the public Internet.A VPN can extend a private network (one that disallows or restricts public access), in such a way that it enables users of that network to send and receive data across public networks as if the public networks' devices were directly connected to the private network. The benefits of a VPN include security, reduced costs for dedicated communication lines, and greater flexibility for remote workers. VPNs are also used to bypass internet censorship. Encryption is common, although not an inherent part of a VPN connection.A VPN is created by establishing a virtual point-to-point connection through the use of tunneling protocols over existing networks. A VPN available from the public Internet can provide some of the benefits of a wide area network (WAN). From a user perspective, the resources available within the private network can be accessed remotely.

Answer Description

A privacy screen is a thin piece of plastic that goes over a device's screen. The privacy screen is transparent for users sitting directly in front of the devices screen, but for anyone looking at the screen from an angle the screen is blocked, blurred or heavily darkened. This protects against confidential data on a screen from being easily visible to others in the area.

Answer Description

A Biometric lock is a lock that uses a person's physical attributes to authenticate them. It may also use non-physical attributes like voice recognition, however options like fingerprints, iris scans and facial recognition are more common in a security scenario.

Wikipedia

A biometric device is a security identification and authentication device. Such devices use automated methods of verifying or recognising the identity of a living person based on a physiological or behavioral characteristic. These characteristics include fingerprints, facial images, iris and voice recognition.

Answer Description

The Principal of Least Privilege means users and user accounts should be given the most restrictive permissions possible to complete the tasks necessary. For example, if a file is used by a Finance team to track company revenue a user in the marketing department should not have access to the file. SAPM is not a real acronym, an Entry Control Roster refers to a list of authorized people for a physical area.

Wikipedia

In information security, computer science, and other fields, the principle of least privilege (PoLP), also known as the principle of minimal privilege (PoMP) or the principle of least authority (PoLA), requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.

Answer Description

In Microsoft Active Directory a Group Policy is a policy applied to many AD objects. Objects can be user accounts, servers, desktop devices, etc. Group Policies can be used to enforce updates and restrict workstations that are too out of date from accessing the domain until updates are applied.

Wikipedia

Group Policy is a feature of the Microsoft Windows NT family of operating systems (including Windows 7, Windows 8.1, Windows 10, Windows 11, and Windows Server 2003+) that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A set of Group Policy configurations is called a Group Policy Object (GPO). A version of Group Policy called Local Group Policy (LGPO or LocalGPO) allows Group Policy Object management without Active Directory on standalone computers.Active Directory servers disseminate group policies by listing them in their LDAP directory under objects of class groupPolicyContainer. These refer to fileserver paths (attribute gPCFileSysPath) that store the actual group policy objects, typically in an SMB share \\domain.com\SYSVOL shared by the Active Directory server. If a group policy has registry settings, the associated file share will have a file registry.pol with the registry settings that the client needs to apply.The Policy Editor (gpedit.msc) is not provided on Home versions of Windows XP/Vista/7/8/8.1/10/11.

Answer Description

Inherence, also known as "something a user is" or "something you are" refers to some sort of unique trait about a user. Examples are facial recognition, fingerprints, retina scans, etc.

Wikipedia

Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence (or factors) to an authentication mechanism: knowledge (something only the user knows), possession (something only the user has), and inherence (something only the user is). MFA protects user data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password. A third-party authenticator (TPA) app enables two-factor authentication, usually by showing a randomly generated and frequently changing code to use for authentication.

Answer Description

Both Hardware Tokens and Software Tokens provide "something you have" factor authentication. Common hardware tokens are smartcards, USB sticks or one-time-use password generators. Software tokens are generally apps that generate a temporary password. Software tokens are considered a cheaper alternative to hardware tokens, as issuing a hardware token to a large number of users has a high cost. Arguably hardware tokens are more secure, but are less practical and more costly.

Wikipedia

A software token (a.k.a. soft token) is a piece of a two-factor authentication security device that may be used to authorize the use of computer services. Software tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, PDA, or mobile phone and can be duplicated. (Contrast hardware tokens, where the credentials are stored on a dedicated hardware device and therefore cannot be duplicated — absent physical invasion of the device) Because software tokens are something one does not physically possess, they are exposed to unique threats based on duplication of the underlying cryptographic material - for example, computer viruses and software attacks. Both hardware and software tokens are vulnerable to bot-based man-in-the-middle attacks, or to simple phishing attacks in which the one-time password provided by the token is solicited, and then supplied to the genuine website in a timely manner. Software tokens do have benefits: there is no physical token to carry, they do not contain batteries that will run out, and they are cheaper than hardware tokens.