CHAPTER 13 Questions Flashcards

1
Q

An organization is considering creating a cloud-based federation using a third-party service to share federated identities. After it’s completed, what will people use as their login ID?

A. Their normal account
B. An account given to them from the cloud-based federation
C. Hybrid identity management
D. Single-sign on

A

A. Their normal account

In a federation, each participating organization keeps its own identity store and the federation service brokers trust between them, so users keep logging in with the account they already have in their home organization. The third-party service does not issue anyone a new account. Hybrid identity management describes combining on-premises and cloud identity services; it is not a login ID. Single sign-on (SSO) is a benefit that federation delivers, not something a user logs in with.

2
Q

Which of the following best expresses the primary goal when controlling access to assets?

A. Preserve confidentiality, integrity, and availability of systems and data.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.

A

A. Preserve confidentiality, integrity, and availability of systems and data.

A primary goal when controlling access to assets is to protect against losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system, but objects do not authenticate. Subjects access objects, but objects do not access subjects. Identification and authentication are important as the first step in access control, but much more is needed to protect assets.

3
Q

Which of the following is true related to a subject?

A. A subject is always a user account.
B. The subject is always the entity that provides or hosts information or data.
C. The subject is always the entity that receives information about or data from an object.
D. A single entity can never change roles between subject and object.

A

C. The subject is always the entity that receives information about or data from an object.

The subject is the active entity and is always the one that receives information about, or data from, the object. A subject can be a user, a program, a process, a computer, a database, and so on. The object is the passive entity that provides or hosts information or data. The roles of subject and object can switch while two entities communicate to accomplish a task: a process reading a file is the subject, and that same process becomes an object when a monitoring tool queries its state.

4
Q

Based on advice from the National Institute of Standards and Technology (NIST), when should regular users be required to change their passwords?

A. Every 30 days
B. Every 60 days
C. Every 90 days
D. Only if the current password is compromised

A

D. Only if the current password is compromised

NIST SP 800-63B recommends users only be required to change their password if their current password is compromised. They do not recommend that users be required to change their password regularly at any interval.

5
Q

Security administrators have learned that users are switching between two passwords. When the system prompts them to change their password, they use the second password. When the system prompts them to change their password again, they use the first password. What can prevent users from rotating between two passwords?

A. Password complexity
B. Password history
C. Password length
D. Password age

A

B. Password history

Password history can prevent users from rotating between two passwords: the system keeps hashes of the last N passwords and rejects a new password that matches any of them. Password complexity and password length help ensure that users create strong passwords. Password age ensures that users change their password regularly; a minimum password age is the usual companion to history, because without it a user can make N+1 changes in one sitting to cycle back to a favorite password.
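The following is an added example, not part of the original flashcards, showing how password history and minimum age work together, and how a forced change after compromise (the NIST SP 800-63B rule from question 4) bypasses the age check but never the history check. The history size, minimum age, PBKDF2 iteration count and the sample passwords are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Policy values assumed for the example; real values come from the
# organization's password policy.
HISTORY_SIZE = 5               # remember the last five passwords
MIN_AGE_SECONDS = 24 * 3600    # minimum time between voluntary changes
PBKDF2_ITERATIONS = 100_000    # illustrative; tune to your hardware


class PasswordPolicyError(Exception):
    pass


class Account:
    """Keeps only salted PBKDF2 hashes of current and previous passwords."""

    def __init__(self, password: str, now: float):
        self.history: list[tuple[bytes, bytes]] = []   # (salt, hash), oldest first
        self.changed_at = now
        self._store(password)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, self._hash(password, salt)))
        del self.history[:-HISTORY_SIZE]      # drop entries beyond the window

    def _seen_before(self, password: str) -> bool:
        # Every entry has its own salt, so the candidate is rehashed per entry
        # and compared in constant time.
        return any(hmac.compare_digest(self._hash(password, salt), digest)
                   for salt, digest in self.history)

    def change_password(self, new_password: str, now: float, forced: bool = False) -> None:
        # forced=True models a change required because of evidence of
        # compromise: the minimum age is waived, history is still enforced.
        if not forced and now - self.changed_at < MIN_AGE_SECONDS:
            raise PasswordPolicyError("password changed too recently")
        if self._seen_before(new_password):
            raise PasswordPolicyError("password reused from history")
        self._store(new_password)
        self.changed_at = now


def rotation_attempt_rejected() -> bool:
    """The scenario from the question: a user alternating between two passwords."""
    t = 1_700_000_000.0
    acct = Account("Winter2024!", now=t)
    acct.change_password("Summer2024!", now=t + 40 * 86400)
    try:
        acct.change_password("Winter2024!", now=t + 80 * 86400)
    except PasswordPolicyError:
        return True
    return False


def quick_cycle_rejected() -> bool:
    """Without a minimum age, HISTORY_SIZE + 1 rapid changes would flush the history."""
    t = 1_700_000_000.0
    acct = Account("Winter2024!", now=t)
    try:
        acct.change_password("tmp-1", now=t + 60)
    except PasswordPolicyError:
        return True
    return False


def forced_change_after_compromise() -> int:
    """A forced change ignores minimum age; returns the resulting history length."""
    t = 1_700_000_000.0
    acct = Account("Winter2024!", now=t)
    acct.change_password("Autumn2024!", now=t + 60, forced=True)
    return len(acct.history)
```

Storing the history as independently salted hashes means the check costs one hash per remembered password, which is why the window is kept small rather than unbounded.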

6
Q

Which of the following best identifies the benefit of a passphrase?

A. It is short.
B. It is easy to remember.
C. It includes a single set of characters.
D. It is easy to crack.

A

B. It is easy to remember.

A passphrase is a long string of characters that is easy to remember, such as IP@$$edTheCISSPEx@m. It is not short and typically includes at least three sets of character types. It is strong and complex, making it difficult to crack.

7
Q

Your organization issues devices to employees. These devices generate onetime passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?

A. Synchronous token
B. Asynchronous token
C. Smartcard
D. Common access card

A

A. Synchronous token

A synchronous token generates and displays onetime passwords that are synchronized with an authentication server. An asynchronous token uses a challenge-response process to generate the onetime password. Smartcards do not generate onetime passwords, and common access cards are a version of a smartcard that includes a picture of the user.

8
Q

What does the CER for a biometric device indicate?

A. It indicates that the sensitivity is too high.
B. It indicates that the sensitivity is too low.
C. It indicates the point where the false rejection rate equals the false acceptance rate.
D. When high enough, it indicates the biometric device is highly accurate.

A

C. It indicates the point where the false rejection rate equals the false acceptance rate.

The point at which the biometric false rejection rate and the false acceptance rate are equal is the crossover error rate (CER). It does not indicate that sensitivity is too high or too low. A lower CER indicates a higher-quality biometric device, and a higher CER indicates a less accurate device.

9
Q

Sally has a user account and has previously logged on using a biometric system. Today, the biometric system didn’t recognize her, so she wasn’t able to log on. What does this describe?

A. False rejection
B. False acceptance
C. Crossover error
D. Equal error

A

A. False rejection

A false rejection, sometimes called a false negative authentication or a Type I error, occurs when an authentication system doesn't recognize a valid subject (Sally in this example). A false acceptance, sometimes called a false positive authentication or a Type II error, occurs when an authentication system incorrectly accepts an invalid subject. Crossover error and equal error aren't valid terms on their own. However, the crossover error rate (also called the equal error rate) is the point where the false rejection rate equals the false acceptance rate and provides an accuracy measurement for a biometric system.
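The following is an added example, not part of the original flashcards, that makes the relationship between questions 8 and 9 concrete: it computes the false rejection rate (Type I) and false acceptance rate (Type II) from matcher scores, sweeps the decision threshold to find the crossover error rate, and then picks a threshold for a system that cares more about keeping impostors out than about CER. The score samples are constructed for illustration and do not come from any real biometric device.

```python
# Constructed matcher scores in [0, 1]: genuine attempts score high, impostor
# attempts score low, with deliberate overlap so neither error rate can be
# zero at the same time.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.79, 0.83, 0.97, 0.72, 0.86, 0.90, 0.68]
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.22, 0.58, 0.30, 0.47, 0.75, 0.19, 0.66]


def error_rates(genuine, impostor, threshold):
    """Accept when score >= threshold.

    FRR (Type I): fraction of genuine users rejected, like Sally's failed logon.
    FAR (Type II): fraction of impostors accepted.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor, steps=1000):
    """Sweep the threshold and return (threshold, rate) where FRR and FAR meet.

    Raising the threshold (more sensitive) lowers FAR and raises FRR; lowering
    it does the opposite. The CER is the rate where the two curves cross.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, rate = best
    return threshold, rate


def threshold_for_max_far(genuine, impostor, max_far, steps=1000):
    """Lowest-FRR threshold whose FAR does not exceed max_far.

    Operating at the CER is not mandatory: a high-security deployment
    constrains FAR and accepts the resulting FRR.
    """
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(genuine, impostor, t)
        if far <= max_far and (best is None or frr < best[1]):
            best = (t, frr, far)
    return best


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.2f} at threshold {t:.3f}")
    print("FAR <= 0.05:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.05))
```

A lower CER means a better device; with a fixed device, moving the threshold only trades one error type for the other, which is what the "sensitivity too high or too low" distractors in question 8 describe.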

10
Q

Users log on with a username when accessing the company network from home. Management wants to implement a second factor of authentication for these users. They want a secure solution, but they also want to limit costs. Which of the following best meets these requirements?

A. Short Message Service (SMS)
B. Fingerprint scans
C. Authenticator app
D. Personal identification number (PIN)

A

C. Authenticator app

An authenticator app on a smartphone or tablet is the best solution: it generates time-based one-time passwords on a device employees already own. SMS has known weaknesses (SIM swapping, interception, and phishing of the delivered code), and NIST SP 800-63B classifies out-of-band authentication over the public switched telephone network, which includes SMS, as a restricted authenticator. Biometric authentication methods, such as fingerprint scans, provide strong authentication, but purchasing biometric readers for each employee's home would be expensive. A PIN is in the something-you-know factor of authentication, so it doesn't provide two-factor authentication when used with a password.

11
Q

Which of the following provides authentication based on a physical characteristic of a subject?

A. Account ID
B. Biometrics
C. Token
D. PIN

A

B. Biometrics

Physical biometric methods such as fingerprints and iris scans provide authentication for subjects. An account ID provides identification. A token is something you have, and it creates onetime passwords, but it is not related to physical characteristics. A personal identification number (PIN) is something you know.

12
Q

Fingerprint readers match minutiae from a fingerprint with data in a database. Which of the following accurately identify fingerprint minutiae? (Choose three.)

A. Vein pattern
B. Ridges
C. Bifurcations
D. Whorls

A

B. Ridges
C. Bifurcations
D. Whorls

Ridges, bifurcations, and whorls are fingerprint minutiae. Ridges are the lines in a fingerprint. Some ridges abruptly end, and some ridges bifurcate or fork into branch ridges. Whorls are a series of circles. Palm scans measure vein patterns in a palm.

13
Q

An organization wants to implement biometrics for authentication, but management doesn’t want to use fingerprints. Which of the following is the most likely reason why management doesn’t want to use fingerprints?

A. Fingerprints can be counterfeited.
B. Fingerprints can be changed.
C. Fingerprints aren’t always available.
D. Registration takes too long.

A

A. Fingerprints can be counterfeited.

Fingerprints can be counterfeited or duplicated. It is not possible to change fingerprints. Users will almost always have a finger available (barring a major medical event), so a fingerprint will be available. Registration of a fingerprint usually takes less than a minute.

14
Q

Which of the following items are required to ensure logs accurately support accountability? (Choose two.)

A. Identification
B. Authorization
C. Auditing
D. Authentication

A

A. Identification
D. Authentication

Accurate identification and authentication are required to support accountability. Logs record events, including who took an action, but without accurate identification and authentication, the logs can’t be relied on. Authorization grants access to resources after proper authentication. Auditing occurs after logs are created, but identification and authentication must occur first.

15
Q

Management wants to ensure that an IT network supports accountability. Which of the following is necessary to meet this requirement?

A. Identification
B. Integrity
C. Authentication
D. Confidentiality

A

C. Authentication

Authentication is necessary to ensure a network supports accountability. Note that authentication indicates that a user claimed an identity such as with a username and proved the identity such as with a password. In other words, valid authentication includes identification. However, identification doesn’t include authentication. If users could just claim an identity without proving it’s their identity, the system doesn’t support accountability. Audit trails (not available as a possible answer) help provide accountability as long as users have authenticated. Integrity provides assurances that unauthorized entities have not modified data or system settings. Confidentiality ensures that unauthorized entities can’t access sensitive data and is unrelated to this question.

16
Q

A company’s security policy states that user accounts should be disabled during the exit interview for any employee leaving the company. Which of the following is the most likely reason for this policy?

A. To remove the account
B. To remove privileges assigned to the account
C. To prevent sabotage
D. To encrypt user data

A

C. To prevent sabotage

The most likely reason (of the provided options) is to prevent sabotage. If the user's account remains enabled, the user may log on later and cause damage. Disabling the account doesn't remove the account or remove assigned privileges. Disabling an account doesn't encrypt any data, but it does preserve the account and any encryption keys tied to it, so data the user encrypted can still be recovered by authorized personnel.

17
Q

When employees leave an organization, personnel either delete or disable accounts. In which of the following situations would they most likely delete an account?

A. An administrator who has used their account to run services left the organization.
B. A disgruntled employee who encrypted files with their account left the organization.
C. An employee has left the organization and will start a new job tomorrow.
D. A temporary employee using a shared account will not return to the organization.

A

C. An employee has left the organization and will start a new job tomorrow.

The most likely reason to delete the account (of the provided options) is if an employee left the organization and will start a new job tomorrow. It would not be appropriate to delete the account for any other answer options. If an administrator used their account to run services, deleting their account would prevent the services from running. It would be appropriate to disable the account of a disgruntled employee. If this employee encrypted data with their account, deleting the account would prevent access to the encrypted data. It would be appropriate to change the password of a shared account used by temporary employees.

18
Q

Karen is taking maternity leave and will be away from the job for at least 12 weeks. Which of the following actions should be taken while she is taking this leave of absence?

A. Delete the account.
B. Reset the account’s password.
C. Do nothing.
D. Disable the account.

A

D. Disable the account.

It’s appropriate to disable an account when an employee takes a leave of absence of 30 days or more. The account should not be deleted because the employee will return after the leave of absence. If the password is reset, someone could still log on. If nothing is done to the account, someone else may access it and impersonate the employee.

19
Q

Security investigators discovered that after attackers exploited a database server, they identified the password for the sa account. They then used this to access other servers in the network. What can be implemented to prevent this from happening in the future?

A. Account deprovisioning
B. Disabling an account
C. Account access review
D. Account revocation

A

C. Account access review

Account access reviews can detect security issues for service accounts such as the sa account (the built-in system administrator login) in Microsoft SQL Server. Reviews can ensure that service account passwords are strong, unique to each server, and changed regularly, so that a password recovered from one compromised server does not open the others. The other options suggest removing, disabling, or deleting the sa account, but doing so is likely to break anything on the database server that depends on it. Account deprovisioning ensures accounts are removed when they are no longer needed. Disabling an account ensures it isn't used, and account revocation deletes the account.

20
Q

Fred, an administrator, has been working within an organization for over 10 years. He previously maintained database servers while working in a different division. He now works in the programming department but still retains privileges on the database servers. He recently modified a setting on a database server so that a script he wrote will run. Unfortunately, his change disabled the server for several hours before database administrators discovered the change and reversed it. Which of the following could have prevented this outage?

A. A policy requiring strong authentication
B. Multifactor authentication
C. Logging
D. Account access review

A

D. Account access review

A periodic account access review can discover when users have more privileges than they need and could have been used to discover that this employee had permissions from several positions. Strong authentication methods (including multifactor authentication methods) would not have prevented the problems in this scenario. Logging records what happened, but it doesn’t prevent events.
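The following is an added example, not part of the original flashcards, of the periodic account access review that questions 19 and 20 point to. It checks a constructed account inventory against a role-to-entitlement baseline (Fred's leftover database privileges), flags enabled accounts that have gone dormant (the leave-of-absence case), and reviews service accounts for stale passwords, interactive use, and the same password reused across servers (the sa scenario). All names, groups, dates and the password fingerprints are hypothetical; a real review would pull them from the directory, the HR system and the database servers.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Entitlement baseline: the groups each job role legitimately needs.
# Constructed for the example.
ROLE_ENTITLEMENTS = {
    "database-admin": {"db-admins", "db-servers-rdp"},
    "programmer": {"developers", "source-control"},
}

NOW = datetime(2024, 6, 1)   # review date assumed for the example


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed inventory. "pwd_fingerprint" stands in for a hash of the stored
# credential; equal values mean the same password is set on several servers.
ACCOUNTS = [
    {"name": "fred", "type": "user", "role": "programmer", "enabled": True,
     "groups": {"developers", "source-control", "db-admins", "db-servers-rdp"},
     "last_logon": days_ago(1)},
    {"name": "karen", "type": "user", "role": "programmer", "enabled": True,
     "groups": {"developers"}, "last_logon": days_ago(45)},
    {"name": "sa@sql01", "type": "service", "enabled": True,
     "pwd_changed": days_ago(400), "pwd_fingerprint": "h1", "interactive_logons": 3},
    {"name": "sa@sql02", "type": "service", "enabled": True,
     "pwd_changed": days_ago(20), "pwd_fingerprint": "h1", "interactive_logons": 0},
    {"name": "svc-backup", "type": "service", "enabled": True,
     "pwd_changed": days_ago(10), "pwd_fingerprint": "h2", "interactive_logons": 0},
]


def review_accounts(accounts, now=NOW, dormant_days=30, service_pwd_max_days=90):
    """Return (account, finding, detail) tuples for a periodic access review."""
    findings = []
    by_fingerprint = defaultdict(list)
    for a in accounts:
        if a["type"] == "user":
            # Privilege creep: groups beyond what the current role needs.
            excess = a["groups"] - ROLE_ENTITLEMENTS.get(a["role"], set())
            if excess:
                findings.append((a["name"], "excess-privilege", sorted(excess)))
            # Enabled but unused: candidate for disabling during the absence.
            idle = (now - a["last_logon"]).days
            if a["enabled"] and idle >= dormant_days:
                findings.append((a["name"], "dormant-enabled", idle))
        else:
            age = (now - a["pwd_changed"]).days
            if age > service_pwd_max_days:
                findings.append((a["name"], "stale-service-password", age))
            # Service credentials used interactively suggest a human (or an
            # attacker) is logging on with them.
            if a["interactive_logons"]:
                findings.append((a["name"], "service-account-interactive-logon",
                                 a["interactive_logons"]))
            by_fingerprint[a["pwd_fingerprint"]].append(a["name"])
    # One recovered password should never open a second server.
    for names in by_fingerprint.values():
        if len(names) > 1:
            for n in names:
                findings.append((n, "shared-service-password", sorted(names)))
    return sorted(findings, key=lambda f: (f[0], f[1]))


def findings_for(name, findings):
    """Set of finding kinds raised for one account."""
    return {kind for acct, kind, _ in findings if acct == name}


if __name__ == "__main__":
    for acct, kind, detail in review_accounts(ACCOUNTS):
        print(f"{acct:12} {kind:36} {detail}")
```

The review produces findings, not actions: the excess-privilege entry is what a database administrator would have acted on before Fred's script reached a production server, and the shared-password entry is what would have stopped a recovered sa password from working elsewhere.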