CHAPTER 5 - Identity and Access Management

Question 1

Which of the following statements correctly describes biometric methods?
A. They are the least expensive and provide the most protection.
B. They are the most expensive and provide the least protection.
C. They are the least expensive and provide the least protection.
D. They are the most expensive and provide the most protection.

Answer 1

D. Compared with the other available authentication mechanisms, biometric methods
provide the highest level of protection and are the most expensive.

Question 2

Which of the following statements correctly describes passwords?
A. They are the least expensive and most secure.
B. They are the most expensive and least secure.
C. They are the least expensive and least secure.
D. They are the most expensive and most secure.

Answer 2

C. Passwords provide the least amount of protection, but are the cheapest because they do
not require extra readers (as with smart cards and memory cards), do not require devices
(as do biometrics), and do not require a lot of overhead in processing (as in cryptography).
Passwords are the most common type of authentication method used today.

Question 3

How is a challenge/response protocol utilized with token device implementations?
A. This protocol is not used; cryptography is used.
B. An authentication service generates a challenge, and the smart token generates a
response based on the challenge.
C. The token challenges the user for a username and password.
D. The token challenges the user’s password against a database of stored credentials.

Answer 3

B. An asynchronous token device is based on challenge/response mechanisms. The
authentication service sends the user a challenge value, which the user enters into the
token. The token encrypts or hashes this value, and the user uses this as her one-time
password.

Question 4

Which access control method is considered user directed?
A. Nondiscretionary
B. Mandatory
C. Identity-based
D. Discretionary

Answer 4

D. The DAC model allows users, or data owners, the discretion of letting other users access
their resources. DAC is implemented by ACLs, which the data owner can configure.

Question 5

Which item is not part of a Kerberos authentication implementation?
A. Message authentication code
B. Ticket granting service
C. Authentication service

Answer 5

A. Message authentication code (MAC) is a cryptographic function and is not a key
component of Kerberos. Kerberos is made up of a KDC, a realm of principals (users,
services, applications, and devices), an authentication service, tickets, and a ticket granting
service.

Question 6

If a company has a high turnover rate, which access control structure is best?
A. Role-based
B. Decentralized
C. Rule-based
D. Discretionary

Answer 6

A. A role-based structure is easier on the administrator because she only has to create one
role, assign all of the necessary rights and permissions to that role, and plug a user into that
role when needed. Otherwise, she would need to assign and extract permissions and rights
on all systems as each individual came and left the company.A. A role-based structure is easier on the administrator because she only has to create one
role, assign all of the necessary rights and permissions to that role, and plug a user into that
role when needed. Otherwise, she would need to assign and extract permissions and rights
on all systems as each individual came and left the company.

Question 7

The process of mutual authentication involves _______________.
A. a user authenticating to a system and the system authenticating to the user
B. a user authenticating to two systems at the same time
C. a user authenticating to a server and then to a process
D. a user authenticating, receiving a ticket, and then authenticating to a service

Answer 7

A. Mutual authentication means it is happening in both directions. Instead of just the user
having to authenticate to the server, the server also must authenticate to the user.

Question 8

In discretionary access control security, who has delegation authority to grant access to
data?
A. User
B. Security officer
C. Security policy
D. Owner

Answer 8

D. This question may seem a little confusing if you were stuck between user and owner.
Only the data owner can decide who can access the resources she owns. She may or may
not be a user. A user is not necessarily the owner of the resource. Only the actual owner of
the resource can dictate what subjects can actually access the resource.

Question 9

Which could be considered a single point of failure within a single sign-on
implementation?
A. Authentication server
B. User’s workstation
C. Logon credentials
D. RADIUS

Answer 9

A. In a single sign-on technology, all users are authenticating to one source. If that source
goes down, authentication requests cannot be processed.

Question 10

What role does biometrics play in access control?
A. Authorization
B. Authenticity
C. Authentication
D. Accountability

Answer 10

C. Biometrics is a technology that validates an individual’s identity by reading a physical
attribute. In some cases, biometrics can be used for identification, but that was not listed as
an answer choice.

Question 11

Who or what determines if an organization is going to operate under a discretionary,
mandatory, or nondiscretionary access control model?
A. Administrator
B. Security policy
C. Culture
D. Security levels

Answer 11

B. The security policy sets the tone for the whole security program. It dictates the level of
risk that management and the company are willing to accept. This in turn dictates the type
of controls and mechanisms to put in place to ensure this level of risk is not exceeded.

Question 12

Which of the following best describes what role-based access control offers companies in
reducing administrative burdens?
A. It allows entities closer to the resources to make decisions about who can and cannot
access resources.
B. It provides a centralized approach for access control, which frees up department
managers.
C. User membership in roles can be easily revoked and new ones established as job
assignments dictate.
D. It enforces enterprise-wide security policies, standards, and guidelines.

Answer 12

C. An administrator does not need to revoke and reassign permissions to individual users
as they change jobs. Instead, the administrator assigns permissions and rights to a role, and
users are plugged into those roles.

Question 13

Which of the following is the best description of directories that are used in identity
management technology?
A. Most are hierarchical and follow the X.500 standard.
B. Most have a flat architecture and follow the X.400 standard.
C. Most have moved away from LDAP.
D. Many use LDAP.

Answer 13

A. Most enterprises have some type of directory that contains information pertaining to the
company’s network resources and users. Most directories follow a hierarchical database
format, based on the X.500 standard, and a type of protocol, as in Lightweight Directory
Access Protocol (LDAP), that allows subjects and applications to interact with the
directory. Applications can request information about a particular user by making an LDAP
request to the directory, and users can request information about a specific resource by
using a similar request.

Question 14

Which of the following is not part of user provisioning?
A. Creation and deactivation of user accounts
B. Business process implementation
C. Maintenance and deactivation of user objects and attributes
D. Delegating user administration

Answer 14

B. User provisioning refers to the creation, maintenance, and deactivation of user objects
and attributes as they exist in one or more systems, directories, or applications, in response
to business processes. User provisioning software may include one or more of the
following components: change propagation, self-service workflow, consolidated user
administration, delegated user administration, and federated change control. User objects
may represent employees, contractors, vendors, partners, customers, or other recipients of a
service. Services may include electronic mail, access to a database, access to a file server or
mainframe, and so on.

Question 15

What is the technology that allows a user to remember just one password?
A. Password generation
B. Password dictionaries
C. Password rainbow tables
D. Password synchronization

Answer 15

D. Password synchronization technologies can allow a user to maintain just one password
across multiple systems. The product will synchronize the password to other systems and
applications, which happens transparently to the user.

Question 16

Which of the following is not considered an anomaly-based intrusion protection system?
A. Statistical anomaly–based
B. Protocol anomaly–based
C. Temporal anomaly–based
D. Traffic anomaly–based

Answer 16

C. An anomaly-based IPS is a behavioral-based system that learns the “normal” activities
of an environment. The three types are listed next:
* Statistical anomaly–based Creates a profile of “normal” and compares activities to this
profile
* Protocol anomaly–based Identifies protocols used outside of their common bounds
* Traffic anomaly–based Identifies unusual activity in network traffic

Question 17

Which of the following has the correct term-to-definition mapping?
i. Brute-force attacks: Performed with tools that cycle through many possible character,
number, and symbol combinations to uncover a password.
ii. Dictionary attacks: Files of thousands of words are compared to the user’s password
until a match is found.
iii. Social engineering: An attacker falsely convinces an individual that she has the
necessary authorization to access specific resources.
iv. Rainbow table: An attacker uses a table that contains all possible passwords already in
a hash format.
A. i, ii
B. i, ii, iv
C. i, ii, iii, iv
D. i, ii, iii

Answer 17

C. The list has all the correct term-to-definition mappings.

Question 18

George is responsible for setting and tuning the thresholds for his company’s behaviorbased
IDS. Which of the following outlines the possibilities of not doing this activity
properly?
A. If the threshold is set too low, nonintrusive activities are considered attacks (false
positives). If the threshold is set too high, malicious activities are not identified (false
negatives).
B. If the threshold is set too low, nonintrusive activities are considered attacks (false
negatives). If the threshold is set too high, malicious activities are not identified (false
positives).
C. If the threshold is set too high, nonintrusive activities are considered attacks (false
positives). If the threshold is set too low, malicious activities are not identified (false
negatives).
D. If the threshold is set too high, nonintrusive activities are considered attacks (false
positives). If the threshold is set too high, malicious activities are not identified (false
negatives).

Answer 18

C. If the threshold is set too high, nonintrusive activities are considered attacks (false
positives). If the threshold is set too low, malicious activities are not identified (false
negatives).

Question 19

Which of the following is the best identity management technology that Lenny should
consider implementing to accomplish some of the company’s needs?
A. LDAP directories for authoritative sources
B. Digital identity provisioning
C. Active Directory
D. Federated identity

Answer 19

D. Federation identification allows for the company and its partners to share customer
authentication information. When a customer authenticates to a partner website, that
authentication information can be passed to the retail company, so when the customer visits
the retail company’s website, the user has to submit less user profile information and the
authentication steps the user has to go through during the purchase process could
potentially be reduced. If the companies have a set trust model and share the same or
similar federated identity management software and settings, this type of structure and
functionality is possible.

Question 20

Lenny has a meeting with the internal software developers who are responsible for
implementing the necessary functionality within the web-based system. Which of the
following best describes the two items that Lenny needs to be prepared to discuss with this
team?
A. Service Provisioning Markup Language and the Extensible Access Control Markup
Language
B. Standard Generalized Markup Language and the Generalized Markup Language
C. Extensible Markup Language and the Hypertext Markup Language
D. Service Provisioning Markup Language and the Generalized Markup Language

Answer 20

A. The Service Provisioning Markup Language (SPML) allows company interfaces to pass
service requests, and the receiving company provisions (allows) access to these services.
Both the sending and receiving companies need to be following the XML standard, which
will allow this type of interoperability to take place. When using the Extensible Access
Control Markup Language (XACML), application security policies can be shared with
other applications to ensure that both are following the same security rules. The developers
need to integrate both of these language types to allow for their partner employees to
interact with their inventory systems without having to conduct a second authentication
step. The use of the languages can reduce the complexity of inventory control between the
different companies.

Question 21

Pertaining to the CEO’s security concerns, what should Lenny suggest the company put
into place?
A. Security event management software, an intrusion prevention system, and behaviorbased
intrusion detection
B. Security information and event management software, an intrusion detection system,
and signature-based protection
C. An intrusion prevention system, security event management software, and malware
protection
D. An intrusion prevention system, security event management software, and war-dialing
protection

Answer 21

A. Security event management software allows for network traffic to be viewed holistically
by gathering log data centrally and analyzing it. The intrusion prevention system allows for
proactive measures to be put into place to help in stopping malicious traffic from entering
the network. Behavior-based intrusion detection can identify new types of attacks (zero
day) compared to signature-based intrusion detection.

Question 22

Which of the following is the best remote access technology for this situation?
A. RADIUS
B. TACACS+
C. Diameter
D. Kerberos

Answer 22

C. The Diameter protocol extends the RADIUS protocol to allow for various types of
authentication to take place with a variety of different technologies (PPP, VoIP, Ethernet,
etc.). It has extensive flexibility and allows for the centralized administration of access
control.

Question 23

What are the two main security concerns Robbie is most likely being asked to identify and
mitigate?
A. Social engineering and spear-phishing
B. War dialing and pharming
C. Spear-phishing and war dialing
D. Pharming and spear-phishing

Answer 23

C. Spear-phishing is a targeted social engineering attack, which is what the CIO’s secretary
is most likely experiencing. War dialing is a brute-force attack against devices that use
phone numbers, as in modems. If the modems can be removed, the risk of war-dialing
attacks decreases.

Question 24

Which of the following best describes the type of environment Harry’s team needs to set
up?
A. RADIUS
B. Service-oriented architecture
C. Public key infrastructure
D. Web services

Answer 24

B. A service-oriented architecture (SOA) will allow Harry’s team to create a centralized
web portal and offer the various services needed by internal and external entities.

Question 25

Which of the following best describes the types of languages and/or protocols that Harry
needs to ensure are implemented?
A. Security Assertion Markup Language, Extensible Access Control Markup Language,
Service Provisioning Markup Language
B. Service Provisioning Markup Language, Simple Object Access Protocol, Extensible
Access Control Markup Language
C. Extensible Access Control Markup Language, Security Assertion Markup Language,
Simple Object Access Protocol
D. Service Provisioning Markup Language, Security Association Markup Language

Answer 25

C. The most appropriate languages and protocols for the purpose laid out in the scenario
are Extensible Access Control Markup Language, Security Assertion Markup Language,
and Simple Object Access Protocol. Harry’s group is not necessarily overseeing account
provisioning, so the Service Provisioning Markup Language is not necessary, and there is
no language called “Security Association Markup Language.”

Question 26

The company’s partners need to integrate compatible authentication functionality into their
web portals to allow for interoperability across the different company boundaries. Which of
the following will deal with this issue?
A. Service Provisioning Markup Language
B. Simple Object Access Protocol
C. Extensible Access Control Markup Language
D. Security Assertion Markup Language

Answer 26

D. Security Assertion Markup Language allows the exchange of authentication and
authorization data to be shared between security domains. It is one of the most commonly
used approaches to allow for single sign-on capabilities within a web-based environment.