CISSP Practice Test Chapter 5 Identity and Access Management (Sybex) Flashcards

1
Q

Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?

A. An access control list
B. An implicit denial list
C. A capability table
D. A rights management matrix

A

C. A capability table

Explanation:
C. Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.

2
Q

Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. Jim’s company does not have internal identity management staff and does not use centralized identity services. Instead, they rely upon Active Directory for AAA services. Which of the following options should Jim recommend to best handle the company’s on-site identity needs?

A. Integrate on-site systems using OAuth.
B. Use an on-premises third-party identity service.
C. Integrate on-site systems using SAML.
D. Design an internal solution to handle the organization’s unique needs.

A

B. Use an on-premises third-party identity service.

Explanation:
Since Jim’s organization is using a cloud-based identity as a service solution, a third-party, on-premises identity service can provide the ability to integrate with the IDaaS solution, and the company’s use of Active Directory is widely supported by third-party vendors. OAuth is used to log in to third-party websites using existing credentials and would not meet the needs described. SAML is a markup language and would not meet the full set of AAA needs. Since the organization is using Active Directory, a custom in-house solution is unlikely to be as effective as a preexisting third-party solution and may take far more time and expense to implement.

3
Q

Which of the following is not a weakness in Kerberos?

A. The KDC is a single point of failure.
B. Compromise of the KDC would allow attackers to impersonate any user.
C. Authentication information is not encrypted.
D. It is susceptible to password guessing.

A

C. Authentication information is not encrypted.

Explanation:
Kerberos encrypts messages using secret keys, providing protection for authentication traffic. The KDC is both a single point of failure and a source of serious problems if compromised, because the keys stored on the KDC would allow attackers to impersonate any user. Like many authentication methods, Kerberos can be susceptible to password guessing.

4
Q

Voice pattern recognition is what type of authentication factor?

A. Something you know
B. Something you have
C. Something you are
D. Somewhere you are

A

C. Something you are

Explanation:
Voice pattern recognition is “something you are,” a biometric authentication factor, because it measures a physical characteristic of the individual authenticating.

5
Q

If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct authentication factor types has she used?

A. One
B. Two
C. Three
D. Four

A

B. Two

Explanation:
Susan has used two distinct types of factors: the PIN and password are both Type 1 factors, and the retina scan is a Type 3 factor. Her username is not a factor.

6
Q

Charles wants to deploy a credential management system (CMS). He wants to keep the keys as secure as possible. Which of the following is the best design option for his CMS implementation?

A. Use AES-256 instead of 3DES.
B. Use long keys.
C. Use an HSM.
D. Change passphrases regularly.

A

C. Use an HSM.

Explanation:
C. Hardware Security Modules, or HSMs, are the most secure way to store keys associated with a CMS. They provide enhanced key management capabilities and are often required to be FIPS certified. In addition to these advantages, an HSM can improve cryptographic performance for the organization because its dedicated hardware is designed for just that purpose. Long keys and AES-256 are good practices, but an HSM provides greater security and will already enforce appropriate cryptographic controls. Changing passphrases can be challenging across an organization; instead, securing the passphrases and keys is more important and more practical for most organizations.

7
Q

Brian is a researcher at a major university. As part of his research, he logs into a computing cluster hosted at another institution using his own university’s credentials. Once logged in, he is able to access the cluster and use resources based on his role in a research project, as well as using resources and services in his home organization. What has Brian’s home university implemented to make this happen?

A. Domain stacking
B. Federated identity management
C. Domain nesting
D. Hybrid login

A

B. Federated identity management

Explanation:
B. Brian’s organization is using a federated identity management approach where multiple organizations allow identities to be used across the organizations. Each organization needs to proof their own staff members’ identities and provide them with rights and role information that will allow them to use resources within the federated identity environment.

8
Q

Place the following steps in the order in which they occur during the Kerberos authentication process.

  1. Client/server ticket generated
  2. TGT generated
  3. Client/TGS key generated
  4. User accesses service
  5. User provides authentication credentials

A. 5, 3, 2, 1, 4
B. 5, 4, 2, 1, 3
C. 3, 5, 2, 1, 4
D. 5, 3, 1, 2, 4

A

A. 5, 3, 2, 1, 4

Explanation:
During the Kerberos authentication process, the steps take place in the following order: user provides authentication credentials; client/TGS key generated; TGT generated; client/server ticket generated; and user accesses service.

9
Q

What major issue often results from decentralized access control?

A. Access outages may occur.
B. Control is not consistent.
C. Control is too granular.
D. Training costs are high.

A

B. Control is not consistent.

Explanation:
Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.

10
Q

Callback to a landline phone number is an example of what type of factor?

A. Something you know
B. Somewhere you are
C. Something you have
D. Something you are

A

B. Somewhere you are

Explanation:
B. A callback to a landline phone number is an example of a “somewhere you are” factor because of the fixed physical location of a wired phone. A callback to a mobile phone would be a “something you have” factor.

11
Q

Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?

A. A shortcut trust
B. A forest trust
C. An external trust
D. A realm trust

A

D. A realm trust

Explanation:
D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a nontransitive trust between AD domains in separate forests.

12
Q

Which of the following AAA protocols is the most commonly used?

A. TACACS
B. TACACS+
C. XTACACS
D. Super TACACS

A

B. TACACS+

Explanation:
TACACS+ is the only modern protocol on the list. It provides advantages of both TACACS and XTACACS as well as some benefits over RADIUS, including encryption of all authentication information. Super TACACS is not an actual protocol.

13
Q

Which of the following is not a single sign-on implementation?

A. Kerberos
B. ADFS
C. CAS
D. RADIUS

A

D. RADIUS

Explanation:
Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.

14
Q

As shown in the following image, a user on a Windows system is not able to use the Send Message functionality. What access control model best describes this type of limitation?

A. Least privilege
B. Need to know
C. Constrained interface
D. Separation of duties

A

C. Constrained interface

Explanation:
C. Interface restrictions based on user privileges is an example of a constrained interface. Least privilege describes the idea of providing users with only the rights they need to accomplish their job, while need to know limits access based on whether a subject needs to know the information to accomplish an assigned task. Separation of duties focuses on preventing fraud or mistakes by splitting tasks between multiple subjects.

15
Q

What type of access controls allow the owner of a file to grant other users access to it using an access control list?

A. Role-based
B. Nondiscretionary
C. Rule-based
D. Discretionary

A

D. Discretionary

Explanation:
D. When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant access based on a subject’s role, while rule-based controls would base the decision on a set of rules or requirements. Nondiscretionary access controls apply a fixed set of rules to an environment to manage access. Nondiscretionary access controls include rule-, role-, and lattice-based access controls.

16
Q

What type of access controls allow the owner of a file to grant other users access to it using an access control list?

A. Role-based
B. Nondiscretionary
C. Rule-based
D. Discretionary

A

D. Discretionary

Explanation:
Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Separation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task. Constrained interfaces restrict what a user can see or do and would be a reasonable answer if need to know did not describe his access more completely in this scenario. Context-dependent control relies on the activity being performed to apply controls, and this question does not specify a workflow or process.

17
Q

For questions 17–19, please use your knowledge of the Kerberos logon process and refer to the following diagram: At point A in the diagram, the client sends the username and password to the KDC. How are the username and password protected?

A. 3DES encryption
B. TLS encryption
C. SSL encryption
D. AES encryption

A

D. AES encryption

Explanation:
The client in Kerberos logins uses AES to encrypt the username and password prior to sending it to the KDC.

18
Q

At point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid?

A. An encrypted TGT and a public key
B. An access ticket and a public key
C. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user’s password
D. An encrypted, time-stamped TGT and an access token

A

C. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user’s password

Explanation:
The KDC uses the user’s password to generate a hash and then uses that hash to encrypt a symmetric key. It transmits both the encrypted symmetric key and an encrypted time-stamped TGT to the client.

19
Q

What tasks must the client perform before it can use the TGT?

A. It must generate a hash of the TGT and decrypt the symmetric key.
B. It must accept the TGT and decrypt the symmetric key.
C. It must decrypt the TGT and the symmetric key.
D. It must send a valid response using the symmetric key to the KDC and must install the TGT.

A

B. It must accept the TGT and decrypt the symmetric key.

Explanation:
The client needs to accept the TGT for use until it expires and must also decrypt the symmetric key using a hash of the user’s password.

20
Q

Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?

A. Retina scans can reveal information about medical conditions.
B. Retina scans are painful because they require a puff of air in the user’s eye.
C. Retina scanners are the most expensive type of biometric device.
D. Retina scanners have a high false positive rate and will cause support issues.

A

A. Retina scans can reveal information about medical conditions.

Explanation:
Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.

21
Q

Mandatory access control is based on what type of model?

A. Discretionary
B. Group-based
C. Lattice-based
D. Rule-based

A

C. Lattice-based

Explanation:
C. Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group-based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to.

22
Q

Greg wants to control access to iPads used throughout his organization as point-of-sale terminals. Which of the following methods should he use to allow logical access control for the devices in a shared environment?

A. Use a shared PIN for all point-of-sale terminals to make them easier to use.
B. Use OAuth to allow cloud logins for each user.
C. Issue a unique PIN to each user for the iPad they are issued.
D. Use Active Directory and user accounts for logins to the iPads using the AD userID and password.

A

D. Use Active Directory and user accounts for logins to the iPads using the AD userID and password.

Explanation:
Using an enterprise authentication system like Active Directory that requires individuals to log in with their credentials provides the ability to determine who was logged in if a problem occurs and also allows Greg to quickly and easily remove users who are terminated or switch roles. Using a shared PIN provides no accountability, while unique PINs per user on specifically issued iPads mean that others will not be able to log in. OAuth alone does not provide the services and features Greg needs—it is an authorization service, not an authentication service.

23
Q

What is the best way to provide accountability for the use of identities?

A. Logging
B. Authorization
C. Digital signatures
D. Type 1 authentication

A

A. Logging

Explanation:
Logging systems can provide accountability for identity systems by tracking the actions, changes, and other activities a user or account performs.

24
Q

Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?

A. Re-provisioning
B. Account review
C. Privilege creep
D. Account revocation

A

B. Account review

Explanation:
As an employee’s role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners’ role and job requirements. Account revocation removes accounts, while re-provisioning might occur if an employee was terminated and returned or took a leave of absence and returned.

25
Q

Biba is what type of access control model?

A. MAC
B. DAC
C. Role BAC
D. ABAC

A

A. MAC

Explanation:
Biba uses a lattice to control access and is a form of the mandatory access control (MAC) model. It does not use rules, roles, or attributes, nor does it allow user discretion. Users can create content at their level or lower but cannot decide who gets access, levels are not roles, and attributes are not used to make decisions on access control.

26
Q

Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?

A. Kerberos
B. EAP
C. RADIUS
D. OAuth

A

C. RADIUS

Explanation:
C. RADIUS is an AAA protocol used to provide authentication and authorization; it’s often used for modems, wireless networks, and network devices. It uses network access servers to send access requests to central RADIUS servers. Kerberos is a ticket-based authentication protocol; OAuth is an open standard for authentication allowing the use of credentials from one site on third-party sites; and EAP is the Extensible Authentication Protocol, an authentication framework often used for wireless networks.

27
Q

Henry is working with a web application development team on their authentication and authorization process for his company’s new application. The team wants to make session IDs as secure as possible. Which of the following is not a best practice that Henry should recommend?

A. The session ID token should be predictable.
B. The session ID should have at least 64 bits of entropy.
C. The session length should be at least 128 bits.
D. The session ID should be meaningless.

A

A. The session ID token should be predictable.

Explanation:
Web application development best practices currently recommend the use of long session IDs (128 bits or longer) that have sufficient entropy (randomness) to ensure that they will not be easily duplicated or brute forced. It is also a best practice to make sure the session ID itself is meaningless to prevent information disclosure attacks. Session IDs should expire, however, because a session that never expires could eventually be brute forced even if all of these recommendations were met.

28
Q

Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor, and what traffic will she be able to read?

A. UDP, none. All RADIUS traffic is encrypted.
B. TCP, all traffic but the passwords, which are encrypted.
C. UDP, all traffic but the passwords, which are encrypted.
D. TCP, none. All RADIUS traffic is encrypted.

A

C. UDP, all traffic but the passwords, which are encrypted.

Explanation:
By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.

29
Q

What type of access control best describes NAC’s posture assessment capability?

A. A mandatory access control
B. A risk-based access control
C. A discretionary access control
D. A role-based access control

A

B. A risk-based access control

Explanation:
NAC’s posture assessment capability determines whether a system is sufficiently secure and compliant to connect to a network. This is a form of risk-based access control: systems that are not compliant are considered higher risk and are either placed in a quarantine and remediation network or zone or prohibited from connecting to the network until they are compliant.

30
Q

When an application or system allows a logged-in user to perform specific actions, it is an example of what?

A. Roles
B. Group management
C. Logins
D. Authorization

A

D. Authorization

Explanation:
Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.

31
Q

Alex has been employed by his company for more than a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications because of his former roles. What issue has Alex’s company encountered?

A. Excessive provisioning
B. Unauthorized access
C. Privilege creep
D. Account review

A

C. Privilege creep

Explanation:
C. Privilege creep occurs when users retain rights from roles they held previously that they do not need to accomplish their current job. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.

32
Q

Geoff wants to prevent privilege escalation attacks in his organization. Which of the following practices is most likely to prevent horizontal privilege escalation?

A. Multifactor authentication
B. Limiting permissions for groups and accounts
C. Disabling unused ports and services
D. Sanitizing user inputs to applications

A

A. Multifactor authentication

Explanation:
A. Multifactor authentication is most likely to limit horizontal privilege escalation by making it difficult to access user accounts and to authenticate to a compromised account. Limiting permissions for groups and accounts can also help, but disabling unused ports and services and sanitizing user inputs both address threats that are most frequently associated with vertical privilege escalation attacks.

33
Q

Jim’s Microsoft Exchange environment includes servers that are located in local data centers at multiple business offices around the world as well as an Office 365 deployment for employees who are not located at one of those offices. Identities are created and used in both environments and will work in both. What type of federated system is Jim running?

A. A primary cloud system
B. A primary on-premise system
C. A hybrid system
D. A multitenant system

A

C. A hybrid system

Explanation:
Hybrid systems use both on-premises and cloud identity and services to provide resources and tools in both environments. While they can be complex, hybrid systems also provide a migration path to a fully cloud deployment or for a fault tolerant design that can handle on-premises or cloud outages while remaining functional.

34
Q

What type of access control scheme is shown in the following table?

Highly Sensitive   Red      Blue     Green
Confidential       Purple   Orange   Yellow
Internal Use       Black    Gray     White
Public             Clear    Clear    Clear

A. RBAC
B. DAC
C. MAC
D. TBAC

A

C. MAC

Explanation:
Mandatory access controls use a lattice or matrix to describe how classification labels relate to each other. In this image, classification levels are set for each of the labels shown. A discretionary access control (DAC) system would show how the owner of the objects allows access.
RBAC could be either rule- or role-based access control and would use either system-wide rules or roles. Task-based access control (TBAC) would list tasks for users.

35
Q

Michelle’s company is creating a new division by splitting the marketing and communications departments into two separate groups. She wants to create roles that provide access to resources used by each group. What should she do to maintain the appropriate security and rights for each group?

A. Put both the marketing and communications teams into the existing group because they will have similar access requirements.
B. Keep the marketing team in the existing group and create a new communications group based on their specific needs.
C. Keep the communications team in the existing group and create a new marketing group based on their specific needs.
D. Create two new groups, assess which rights they need to perform their roles, and then add additional rights if required.

A

D. Create two new groups, assess which rights they need to perform their roles, and then add additional rights if required.

Explanation:
D. Copying existing rights to new groups that have different needs will often result in overly broad privileges. Michelle should create new groups, move all staff into the appropriate groups, and then ensure that they have the access and permissions they need.

36
Q

When a subject claims an identity, what process is occurring?

A. Login
B. Identification
C. Authorization
D. Token presentation

A

B. Identification

Explanation:
The process of a subject claiming or professing an identity is known as identification. Authorization verifies the identity of a subject by checking a factor like a password. Logins typically include both identification and authorization, and token presentation is a type of authentication.

37
Q

Dogs, guards, and fences are all common examples of what type of control?

A. Detective
B. Recovery
C. Administrative
D. Physical

A

D. Physical

Explanation:
Dogs, guards, and fences are all examples of physical controls. While dogs and guards might detect a problem, fences cannot, so they are not all examples of detective controls. None of these controls would help repair or restore functionality after an issue, and thus they are not recovery controls, nor are they administrative controls that involve policy or procedures, although the guards might refer to them when performing their duties.

38
Q

Susan’s organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute-force attacks?

A. Change maximum age from 1 year to 180 days.
B. Increase the minimum password length from 8 characters to 16 characters.
C. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.
D. Retain a password history of at least four passwords to prevent reuse.

A

B. Increase the minimum password length from 8 characters to 16 characters.

Explanation:
Password complexity is driven by length, and a longer password will be more effective against brute-force attacks than a shorter password. Each character of additional length increases the difficulty by the size of the potential character set (for example, a single lowercase character makes the passwords 26 times more difficult to crack). While each of the other settings is useful for a strong password policy, they won’t have the same impact on brute-force attacks.

39
Q

Alaina is performing a regularly scheduled review for service accounts. Which of the following events should she be most concerned about?

A. An interactive login for the service account
B. A password change for the service account
C. Limitations placed on the service account’s rights
D. Local use of the service account

A

A. An interactive login for the service account

Explanation:
A. Interactive login for a service account is a critical warning sign, either of compromise or of bad administrative practices. In either case, Alaina should immediately work to determine why the account logged in, what occurred, and whether the interactive login was done remotely or locally. A remote interactive login for a service account in any professionally maintained environment is an almost guaranteed sign of compromise. Password changes for service accounts may be done as part of ongoing password expiration processes, limitations should always be placed on service accounts’ rights to ensure that they are only those required, and local use of the service account as part of the service is a normal event.

40
Q

When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?

A. When security is more important than usability
B. When false rejection is not a concern due to data quality
C. When the CER of the system is not known
D. When the CER of the system is very high

A

A. When security is more important than usability

Explanation:
Organizations that have very strict security requirements that don’t have a tolerance for false acceptance want to lower the false acceptance rate, or FAR, to be as near to zero as possible. That often means that the false rejection rate, or FRR, increases. Different biometric technologies or a better registration method can help improve biometric performance, but false rejections due to data quality are not typically a concern with modern biometric systems. In this case, knowing the crossover error rate, or CER, or having a very high CER doesn’t help the decision.

41
Q

After recent reports of undesired access to workstations after hours, Derek has been asked to find a way to ensure that maintenance staff cannot log in to workstations in business offices. The maintenance staff members do have systems in their break rooms and their offices for the organization, which they still need access to. What should Derek do to meet this need?

A. Require multifactor authentication and only allow office staff to have multifactor tokens.
B. Use rule-based access control to prevent logins after hours in the business area.
C. Use role-based access control by setting up a group that contains all maintenance staff and then give that group rights to log into only the designated workstations.
D. Use geofencing to only allow logins in maintenance areas.

A

C. Use role-based access control by setting up a group that contains all maintenance staff and then give that group rights to log into only the designated workstations.

Explanation:
The most efficient use of Derek’s time would be to create a group that is populated with all maintenance staff and then to give that group login rights only to the designated PCs. While time-based constraints might help, in this case they would still allow maintenance staff to log in during business hours to PCs they are not intended to use, leaving a gap in the control. Multifactor authentication as described does not meet the requirements of the scenario but may be a good idea overall for stronger authentication across the organization. Geofencing is typically not accurate enough to rely on inside buildings for specific PCs.

42
Q

Nick wants to do session management for his web application. Which of the following are common web application session management techniques or methods? (Select all that apply.)

A. IP tracking
B. Cookies
C. URL rewriting
D. TLS tokens

A

B. Cookies
C. URL rewriting

Explanation:
Common session management techniques include the use of cookies, hidden form fields, URL rewriting, and built-in frameworks like Java’s HTTPSession. IP tracking may be included in session information but is not itself a complete session identifier, and TLS token binding is used to make TLS sessions more secure, not to provide session identification.

43
Q

For questions 43–45, please use your knowledge of SAML integrations and security architecture design and refer to the following scenario and diagram: Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks?

A. Use SAML’s secure mode to provide secure authentication.
B. Implement TLS using a strong cipher suite, which will protect against both types of attacks.
C. Implement TLS using a strong cipher suite and use digital signatures.
D. Implement TLS using a strong cipher suite and message hashing.

A

C. Implement TLS using a strong cipher suite and use digital signatures.

Explanation:
TLS provides message confidentiality and integrity, which can prevent eavesdropping. When paired with digital signatures, which provide integrity and authentication, forged assertions can also be defeated. SAML does not have a security mode and relies on TLS and digital signatures to ensure security if needed. Message hashing without a signature would help prevent modification of the message but won’t necessarily provide authentication.

44
Q

If Alex’s organization is one that is primarily made up of off-site, traveling users, what availability risk does integration of critical business applications to on-site authentication create, and how could he solve it?

A. Third-party integration may not be trustworthy; use SSL and digital signatures.
B. If the home organization is offline, traveling users won’t be able to access third-party applications; implement a hybrid cloud/local authentication system.
C. Local users may not be properly redirected to the third-party services; implement a local gateway.
D. Browsers may not properly redirect; use host files to ensure that issues with redirects are resolved.

A

B. If the home organization is offline, traveling users won’t be able to access third-party applications; implement a hybrid cloud/local authentication system.

Explanation:
Integration with cloud-based third parties that rely on local authentication can fail if the local organization’s internet connectivity or servers are offline. Adopting a hybrid cloud and local authentication system can ensure that internet or server outages are handled, allowing authentication to work regardless of where the user is or if their home organization is online. Using encrypted and signed communication does not address availability, redirects are a configuration issue with the third party, and a local gateway won’t handle remote users. Also, host files don’t help with availability issues with services other than DNS.

45
Q

What solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagram?

A. An awareness campaign about trusted third parties
B. TLS
C. Handling redirects at the local site
D. Implementing an IPS to capture SSO redirect attacks

A

A. An awareness campaign about trusted third parties

Explanation:
While many solutions are technical, if a trusted third party redirects to an unexpected authentication site, awareness is often the best defense. Using TLS would keep the transaction confidential but would not prevent the redirect. Handling redirects locally works only for locally hosted sites, and using a third-party service requires off-site redirects. An IPS might detect an attacker’s redirect, but tracking the multitude of load-balanced servers most large providers use can be challenging, if not impossible. In addition, an IPS relies on visibility into the traffic, and SAML integrations should be encrypted for security, which would require a man-in-the-middle type of IPS to be configured.

46
Q

Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?

A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority

A

B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility

Explanation:
Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control system (MAC). MAC is more secure due to the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.

47
Q

Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed?

A. Log review
B. Manual review of permissions
C. Signature-based detection
D. Review the audit trail

A

C. Signature-based detection

Explanation:
While signature-based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.

48
Q

Jessica needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?

A. SAML
B. SOAP
C. SPML
D. XACML

A

C. SPML

Explanation:
Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to exchange authentication and authorization data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging but is not a markup language itself.

49
Q

During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?

A. A brute-force attack
B. A pass-the-hash attack
C. A rainbow table attack
D. A salt recovery attack

A

C. A rainbow table attack

Explanation:
C. Rainbow tables are databases of pre-hashed passwords paired with high-speed lookup functions. Since they can quickly compare known hashes against those in a file, using rainbow tables is the fastest way to determine passwords from hashes. A brute-force attack may eventually succeed but will be very slow against most hashes. Pass-the-hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent to a system to avoid the need to know a user’s password. Salts are data added to a hash to defeat tools like rainbow tables: a salt added to a password means the hash won’t match a rainbow table generated without the same salt.

50
Q

Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?

A. PKI
B. Federation
C. Single sign-on
D. Provisioning

A

B. Federation

Explanation:
Google’s federation with other applications and organizations allows single sign-on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single sign-on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.

51
Q

Amanda starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?

A. Privilege creep
B. Rights collision
C. Least privilege
D. Excessive privileges

A

D. Excessive privileges

Explanation:
When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike creeping privileges, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collision is a made-up term and thus is not an issue here.

52
Q

When Chris verifies an individual’s identity and adds a unique identifier like a user ID to an identity system, what process has occurred?

A. Identity proofing
B. Registration
C. Directory management
D. Session management

A

B. Registration

Explanation:
Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.

53
Q

Selah wants to provide accountability for actions performed via her organization’s main line of business application. What controls are most frequently used to provide accountability in a situation like this? (Select all that apply.)

A. Enable audit logging.
B. Provide every staff member with a unique account and enable multifactor authentication.
C. Enable time- and location-based login requirements.
D. Provide every staff member with a unique account and require a self-selected password.

A

A. Enable audit logging.
B. Provide every staff member with a unique account and enable multifactor authentication.

Explanation:
Audit logging when combined with user accounts that can reliably be expected to only be accessible to a specific user due to the use of multifactor authentication is frequently used to provide strong accountability for actions taken via systems and applications. A password can be shared, making it less reliable, and time and location requirements are useful security controls but do not impact accountability.

54
Q

Charles wants to provide authorization services as part of his web application. What standard should he use if he wants to integrate easily with other web identity providers?

A. OpenID
B. TACACS+
C. RADIUS
D. OAuth

A

D. OAuth

Explanation:
OAuth is the most widely used open standard for authorization and delegation of rights for cloud services. OpenID is used for authentication, and TACACS+ and RADIUS are primarily used on-site for authentication and authorization for network devices.

55
Q

The company that Cameron works for uses a system that allows users to request privileged access to systems when necessary. Cameron requests access, and the request is pre-approved due to his role. He is then able to access the system to perform the task. Once he is done, the rights are removed. What type of system is he using?

A. Zero trust
B. Federated identity management
C. Single sign-on
D. Just-in-time access

A

D. Just-in-time access

Explanation:
Cameron is using a just-in-time (JIT) system that provides the access needed when it is needed. A zero trust system requires authentication and authorization when actions are performed but does not necessarily require privileges to be granted and removed when they are needed.

56
Q

Elle is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?

A. Require users to create unique questions that only they will know.
B. Require new users to bring their driver’s license or passport in person to the bank.
C. Use information that both the bank and the user have such as questions pulled from their credit report.
D. Call the user on their registered phone number to verify that they are who they claim to be.

A

C. Use information that both the bank and the user have such as questions pulled from their credit report.

Explanation:
Identity proofing can be done by comparing user information that the organization already has, like account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.

57
Q

Susan’s organization is part of a federation that allows users from multiple organizations to access resources and services at other federated sites. When Susan wants to use a service at a partner site, which identity provider is used?

A. Susan’s home organization’s identity provider
B. The service provider’s identity provider
C. Both their identity provider and the service provider’s identity provider
D. The service provider creates a new identity

A

A. Susan’s home organization’s identity provider

Explanation:
A. Federations use a user’s home organization’s identity provider (IDP). Service providers query those identity providers when the user attempts to authenticate to the service and, if the request is validated, allow access based on the rules and policies set for the service, using any relevant attributes provided by the IDP.

58
Q

A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer’s account. What type of biometric factor error occurred?

A. A registration error
B. A Type 1 error
C. A Type 2 error
D. A time of use, method of use error

A

C. A Type 2 error

Explanation:
C. Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 1 errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error. Registration is the process of adding users, but registration errors and time of use, method of use errors are not specific biometric authentication terms.

59
Q

What type of access control is typically used by firewalls?

A. Discretionary access controls
B. Rule-based access controls
C. Task-based access control
D. Mandatory access controls

A

B. Rule-based access controls

Explanation:
Firewalls use rule-based access control, or Rule-BAC, in their access control lists and apply rules created by administrators to all traffic that passes through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.

60
Q

When you input a user ID and password, you are performing what important identity and access management activity?

A. Authorization
B. Validation
C. Authentication
D. Login

A

C. Authentication

Explanation:
When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren’t the most important identity and access management activity.

61
Q

Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-stripe-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen’s best option to make sure that the users of the passcards are who they are supposed to be?

A. Add a reader that requires a PIN for passcard users.
B. Add a camera system to the facility to observe who is accessing servers.
C. Add a biometric factor.
D. Replace the magnetic stripe keycards with smartcards.

A

C. Add a biometric factor.

Explanation:
Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or “something you have.” Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: a PIN can be stolen. Adding cameras doesn’t prevent access to the facility and thus doesn’t solve the immediate problem (but it is a good idea!).

62
Q

Theresa wants to allow her staff to securely store and manage passwords for systems including service accounts and other rarely used administrative credentials. What type of tool should she implement to enable this?

A. Single sign-on
B. A federated identity system
C. A password manager
D. A multifactor authentication system

A

C. A password manager

Explanation:
Enterprise password management tools allow passwords to be securely generated, stored, and managed. They can provide logs of who uses passwords, when they were updated, and if they meet complexity and other requirements. Of course, this means that the keys to your environment are all in one place, so securing and managing the enterprise password manager is very important!

63
Q

Olivia wants to limit the commands that a user can run via sudo to limit the potential for privilege escalation attacks. What Linux file should she modify to allow this?

A. The bash .bin configuration file
B. The sudoers file
C. The bash .allowed configuration file
D. The sudont file

A

B. The sudoers file

Explanation:
The sudoers file can list the specific users who can use sudo as well as the commands or directories that are allowed for them.

64
Q

Which objects and subjects have a label in a MAC model?

A. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label.
B. All objects have a label, and all subjects have a compartment.
C. All objects and subjects have a label.
D. All subjects have a label and all objects have a compartment.

A

C. All objects and subjects have a label.

Explanation:
C. In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.

65
Q

For questions 65–67, please refer to the following scenario and diagram: Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google account using OAuth 2.0 or creating a new account on the platform using their own email address and a password of their choice. When the e-commerce application creates an account for a Google user, where should that user’s password be stored?

A. The password is stored in the e-commerce application’s database.
B. The password is stored in memory on the e-commerce application’s server.
C. The password is stored in Google’s account management system.
D. The password is never stored; instead, a salted hash is stored in Google’s account management system.

A

D. The password is never stored; instead, a salted hash is stored in Google’s account management system.

Explanation:
Passwords are never stored for web applications in a well-designed environment. Instead, salted hashes are stored and compared to passwords after they are salted and hashed. If the hashes match, the user is authenticated.

66
Q

Which of the following is responsible for user authentication for Google users?

A. The e-commerce application.
B. Both the e-commerce application and Google servers.
C. Google servers.
D. The diagram does not provide enough information to determine this.

A

C. Google servers.

Explanation:
When a third-party site integrates via OAuth 2.0, authentication is handled by the service provider’s servers. In this case, Google is acting as the service provider for user authentication. Authentication for local users who create their own accounts would occur in the e-commerce application (or a related server), but that is not the question that is asked here.

67
Q

What type of attack is the creation and exchange of state tokens intended to prevent?

A. XSS
B. CSRF
C. SQL injection
D. XACML

A

B. CSRF

Explanation:
The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site request forgery. This makes sure that the unique session token with the authentication response from Google’s OAuth service is available to verify that the user, not an attacker, is making a request. XSS attacks focus on scripting and would have script tags involved, SQL injection would have SQL code included, and XACML is the eXtensible Access Control Markup Language, not a type of attack.

68
Q

Questions like “What is your pet’s name?” are examples of what type of identity proofing?

A. Knowledge-based authentication
B. Dynamic knowledge-based authentication
C. Out-of-band identity proofing
D. A Type 3 authentication factor

A

A. Knowledge-based authentication

Explanation:
A. Knowledge-based authentication relies on preset questions such as “What is your pet’s name?” and the answers. It can be susceptible to attacks because of the availability of the answers on social media or other sites. Dynamic knowledge-based authentication relies on facts or data that the user already knows that can be used to create questions they can answer on an as-needed basis (for example, a previous address or a school they attended). Out-of-band identity proofing relies on an alternate channel like a phone call or text message. Finally, Type 3 authentication factors are biometric, or “something you are,” rather than knowledge-based.

69
Q

Madhuri creates a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Madhuri using?

A. A capability table
B. An access control list
C. An access control matrix
D. A subject/object rights management system

A

C. An access control matrix

Explanation:
An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.

70
Q

During a review of support tickets, Ben’s organization discovered that password changes accounted for more than a quarter of its help desk’s cases. Which of the following options would be most likely to decrease that number significantly?

A. Two-factor authentication
B. Biometric authentication
C. Self-service password reset
D. Passphrases

A

C. Self-service password reset

Explanation:
Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has. Two-factor and biometric authentication both add complexity and may actually increase the number of contacts. Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don’t have the same impact that a self-service system does.

71
Q

Brian’s large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS?

A. Use the built-in encryption in RADIUS.
B. Implement RADIUS over its native UDP using TLS for protection.
C. Implement RADIUS over TCP using TLS for protection.
D. Use an AES256 pre-shared cipher between devices.

A

C. Implement RADIUS over TCP using TLS for protection.

Explanation:
C. RADIUS supports TLS over TCP. RADIUS does not have a supported TLS mode over UDP. AES pre-shared symmetric ciphers are not a supported solution and would be difficult to both implement and maintain in a large environment, and the built-in encryption in RADIUS only protects passwords.

72
Q

Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?

A. Kerberos
B. OAuth
C. OpenID
D. LDAP

A

B. OAuth

Explanation:
OAuth provides the ability to access resources from another service and would meet Jim’s needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.

73
Q

Ben’s organization has had an issue with unauthorized access to applications and workstations during the lunch hour when employees aren’t at their desk. What are the best types of session management solutions for Ben to recommend to help prevent this type of access?

A. Use session IDs for all access and verify system IP addresses of all workstations.
B. Set session timeouts for applications and use password-protected screensavers with inactivity timeouts on workstations.
C. Use session IDs for all applications, and use password-protected screensavers with inactivity timeouts on workstations.
D. Set session timeouts for applications and verify system IP addresses of all workstations.

A

B. Set session timeouts for applications and use password-protected screensavers with inactivity timeouts on workstations.

Explanation:
Since physical access to the workstations is part of the problem, setting application timeouts and password-protected screensavers with relatively short inactivity timeouts can help prevent unauthorized access. Using session IDs for all applications and verifying system IP addresses would be helpful for online attacks against applications.

74
Q

What type of authentication scenario is shown in the following diagram?

A. Hybrid federation
B. On-premise federation
C. Cloud federation
D. Kerberos federation

A

A. Hybrid federation

Explanation:
This diagram shows an example of hybrid federation where authentication occurs on-premises and services are provided through a federated identity service in the cloud.

75
Q

Chris wants to control access to his facility while still identifying individuals. He also wants to ensure that the individuals are the people who are being admitted without significant ongoing costs. Which solutions from the following options would meet all of these requirements? (Select all that apply.)

A. Security guards and photo identification badges
B. RFID badges and readers with PIN pads
C. Magstripe badges and readers with PIN pads
D. Security guards and magstripe readers

A

B. RFID badges and readers with PIN pads
C. Magstripe badges and readers with PIN pads

Explanation:
The best answers in the scenario that Chris faces are either RFID or magstripe readers and PIN pads. Guards create ongoing expenses, and any solution without a PIN will allow a stolen or cloned badge to be used without validating that the person accessing the building is a legitimate user. While a guard can prevent a stolen badge and PIN combination, this is only used in environments where the cost is justifiable.

76
Q

A device like Yubikey or Titan Security Key is what type of Type 2 authentication factor?

A. A token
B. A biometric identifier
C. A smart card
D. A PIV

A

A. A token

Explanation:
A. Yubikeys, Titan Security Keys, and similar devices are examples of tokens. PIV stands for personal identity verification and is a full multifactor authentication solution, not a device. Biometric identifiers are something you are, and a smart card is a card with an embedded chip.

77
Q

What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API?

A. SAML
B. Shibboleth
C. OpenID
D. Connect Higgins

A

C. OpenID

Explanation:
OpenID Connect is a RESTful, JSON-based authentication protocol that, when paired with OAuth, can provide identity verification and basic profile information. SAML is the Security Assertion Markup Language, Shibboleth is a federated identity solution designed to allow web-based SSO, and Higgins is an open source project designed to provide users with control over the release of their identity information.

78
Q

Jim wants to implement an access control scheme that will ensure that users cannot delegate access. He also wants to enforce access control at the operating system level. What access control mechanism best fits these requirements?

A. Role-based access control
B. Discretionary access control
C. Mandatory access control
D. Attribute-based access control

A

C. Mandatory access control

Explanation:
In a mandatory access control system, the operating system enforces access control, and users cannot delegate rights. Discretionary access control allows users to delegate rights, and neither attribute nor role-based access control specifically meets these requirements.

79
Q

The security administrators at the company that Susan works for have configured the workstation she uses to allow her to log in only during her work hours. What type of access control best describes this limitation?

A. Constrained interface
B. Context-dependent control
C. Content-dependent control
D. Least privilege

A

B. Context-dependent control

Explanation:
B. Time-based controls are an example of context-dependent controls. A constrained interface would limit what Susan was able to do in an application or system interface, while content-dependent control would limit her access to content based on her role or rights. Least privilege is used to ensure that subjects only receive the rights they need to perform their role.

80
Q

Ben uses a software-based token that changes its code every minute. What type of token is he using?

A. Asynchronous
B. Smart card
C. Synchronous
D. Static

A

C. Synchronous

Explanation:
C. Synchronous soft tokens, such as Google Authenticator, use a time-based algorithm that generates a constantly changing series of codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smartcards typically present a certificate but may have other token capabilities built-in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.

81
Q

Firewalls are an example of what type of access control mechanism?

A. Mandatory access control
B. Attribute-based access control
C. Discretionary access control
D. Rule-based access control

A

D. Rule-based access control

Explanation:
Firewalls operate based on a ruleset and are an example of a rule-based access control scheme.

82
Q

Michelle works for a financial services company and wants to register customers for her web application. What type of authentication mechanism could she use for the initial login if she wants to quickly and automatically verify that the person is who they claim to be without having a previous relationship with them?

A. Request their Social Security number.
B. Use knowledge-based authentication.
C. Perform manual identity verification.
D. Use a biometric factor.

A

B. Use knowledge-based authentication.

Explanation:
Knowledge-based authentication is used by some financial institutions to validate the identity of new users. It uses information from tax and financial records that is unlikely to be available to others, allowing new users to provide details like their last credit card payment, mortgage payment, or other information to validate their identity. A Social Security number is somewhat trivial to acquire via paid services or other means, and manually validating identities is neither quick nor automatic. A biometric factor would require a previous enrollment, making this unsuitable for new customers.

83
Q

Megan’s company wants to use Google accounts to allow users to quickly adopt their web application. What common cloud federation technologies will Megan need to implement? (Select all that apply.)

A. Kerberos
B. OpenID
C. OAuth
D. RADIUS

A

B. OpenID
C. OAuth

Explanation:
C. Google accounts, like many cloud identity providers, rely on OpenID and OAuth. Kerberos is used for on-premises environments, and RADIUS is frequently used for authentication and authorization for network devices and services like VPN.

84
Q

Session ID length and session ID entropy are both important to prevent what type of attack?

A. Denial of service
B. Cookie theft
C. Session guessing
D. Man-in-the-middle attacks

A

C. Session guessing

Explanation:
Best practices for session management involve a long session ID (often 128 bits or longer) and enough randomness or entropy to make it hard to guess session IDs. This makes brute-force or algorithmic guessing attacks unlikely unless there is a flaw in the implementation. These do not prevent denial-of-service or man-in-the-middle attacks, and cookie attacks are focused on acquiring and reading or reusing cookies in most scenarios.

85
Q

The access control system for Naomi’s organization checks whether her computer is fully patched, whether it has a successful clean anti-malware scan, and whether the firewall is turned on, among other security validations, before it allows her to connect to the network. If there are potential issues, she is not permitted to connect and must contact support. What type of access control scheme best describes this type of process?

A. MAC
B. Rule-based access control
C. Role-based access control
D. Risk-based access control

A

D. Risk-based access control

Explanation:
Risk-based access control models risk using information that is available when the access request is created. Information about the request and the risk it may create is calculated based on risk values and compared to access policies. If the risk value is acceptable, access is granted. One of the most common examples of this in organizations is NAC, or network access control, where a system is profiled to determine security risk and compliance before admission to a network. This can be seen as a more specific example of rule-based access control. Role-based access control bases its decisions on the roles of the individuals, whereas mandatory access control is enforced by the operating system.

86
Q

Isabelle wants to prevent privilege escalation attacks via her organization’s service accounts. Which of the following security practices is best suited to this?

A. Remove unnecessary rights.
B. Disable interactive login for service accounts.
C. Limit when accounts can log in.
D. Use meaningless or randomized names for service accounts.

A

A. Remove unnecessary rights.

Explanation:
The most important step in securing service accounts is to ensure that they have only the rights that are absolutely needed to accomplish the task they are designed for. Disabling interactive logins is important as well and would be the next best answer. Limiting when accounts can log in and using randomized or meaningless account names can both be helpful in some circumstances but are far less important.

87
Q

What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider?

A. It may cause incorrect selection of the proper OpenID provider.
B. It creates the possibility of a phishing attack by sending data to a fake OpenID provider.
C. The relying party may be able to steal the client’s username and password.
D. The relying party may not send a signed assertion.

A

B. It creates the possibility of a phishing attack by sending data to a fake OpenID provider.

Explanation:
Allowing the relying party to provide the redirect to the OpenID provider could allow a phishing attack by directing clients to a fake OpenID provider that can capture valid credentials. Since the OpenID provider URL is provided by the client, the relying party cannot select the wrong provider. The relying party never receives the user’s password, which means that they can’t steal it. Finally, the relying party receives the signed assertion but does not send one.

88
Q

Jim is implementing a cloud identity solution for his organization. What type of technology is he putting in place?

A. Identity as a service
B. Employee ID as a service
C. Cloud-based RADIUS
D. OAuth

A

A. Identity as a service

Explanation:
A. IDaaS, or identity as a service, provides an identity platform as a third-party service. This can provide benefits including integration with cloud services and removing overhead for maintenance of traditional on-premises identity systems, but it can also create risk due to third-party control of identity services and reliance on an off-site identity infrastructure.

89
Q

Kristen wants to control access to an application in her organization based on a combination of staff members’ job titles, the permissions each group of titles needs for the application, and the time of day and location. What type of control scheme should she select?

A. ABAC
B. DAC
C. MAC
D. Role BAC

A

A. ABAC

Explanation:
Attributes used for ABAC often fall into one of four categories: subject attributes like department or title; action attributes like the ability to view, edit, or delete; object attributes that describe the object that can be impacted; and contextual attributes like location, time, or elements. Discretionary access control would place these decisions in the hands of trusted subjects, MAC would enforce it at the operating system level, and role BAC would use only roles instead of the full set of criteria Kristen wants to apply.

90
Q

When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?

A. Role-based access control
B. Rule-based access control
C. Mandatory access control (MAC)
D. Discretionary access control (DAC)

A

D. Discretionary access control (DAC)

Explanation:
The Linux filesystem allows the owners of objects to determine the access rights that subjects have to them. This means that it is a discretionary access control. If the system enforced a role-based access control, Alex wouldn’t set the controls; they would be set based on the roles assigned to each subject. A rule-based access control system would apply rules throughout the system, and a mandatory access control system uses classification labels.

91
Q

Joanna leads her organization’s identity management team and wants to ensure that roles are properly updated when staff members change to new positions. What issue should she focus on for those staff members to avoid future issues with role definition?

A. Registration
B. Privilege creep
C. Deprovisioning
D. Accountability

A

B. Privilege creep

Explanation:
Privilege creep is a constant concern when staff change roles over time. Privileges from previous roles may be easy to forget or to retain during transition because staff may continue to help cover the tasks or processes the individual previously performed. Over time, these forgotten rights and privileges can stack, leaving the staff member with rights that their current role should not have. Registration is a concern for new staff, while deprovisioning is a concern for departing staff. Accountability is typically provided by IAM systems by authenticating and logging access and privilege usage.

92
Q

What type of authorization mechanism is shown in the following chart?

A. RBAC
B. ABAC
C. MAC
D. DAC

A

A. RBAC

Explanation:
This is a role-based access control (RBAC) chart noting that each group has specific rights by roles. Attribute-based access control (ABAC) would use other attributes including things like location, mandatory access control (MAC) would be enforced by the operating system, and discretionary access control (DAC) allows subjects like users to set rights on objects they control.

93
Q

Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue?

A. The Kerberos server is offline.
B. There is a protocol mismatch.
C. The client’s TGTs have been marked as compromised and de-authorized.
D. The Kerberos server and the local client’s time clocks are not synchronized.

A

C. The client’s TGTs have been marked as compromised and de-authorized.

Explanation:
Kerberos relies on properly synchronized time on each end of a connection to function. If the local system time is more than five minutes out of sync, valid TGTs will be invalid, and the system won’t receive any new tickets.

94
Q

Brian wants to explain the benefits of an on-premises federation approach for identity to his organization’s leadership. Which of the following is not a common benefit of a federated identity system?

A. Ease of account management
B. Single sign-on
C. Prevention of brute-force attacks
D. Increased productivity

A

C. Prevention of brute-force attacks

Explanation:
Single sign-on (SSO) is part of identity federation. It also means that account management is simpler since multiple accounts don’t have to be maintained for users who need to access systems and resources across the federation. Productivity can increase because staff don’t have to remember multiple logins and can use SSO to log in once instead of multiple times. It does not, however, do anything to prevent brute-force attacks, and in fact, a single account with broad access can make it easier for an attacker to gain that broader access unless solutions like multifactor authentication are put in place.

95
Q

The bank that Aaron works for wants to allow customers to use a new add-on application from a third-party partner they are working with. Since not every customer will want or need an account, Aaron has suggested that the bank use a SAML-based workflow that creates an account when a user downloads the app and tries to log in. What type of provisioning system has he suggested?

A. JIT
B. OpenID
C. OAuth
D. Kerberos

A

A. JIT

Explanation:
A JIT, or just-in-time, provisioning mechanism creates accounts when they are needed rather than creating them in advance. This is an effective method to limit the number of accounts being maintained and can be useful if user account numbers are part of a licensing agreement. OAuth, OpenID, and Kerberos are not mentioned in the question.

96
Q

What authentication protocol does Windows use by default for Active Directory systems?

A. RADIUS
B. Kerberos
C. OAuth
D. TACACS+

A

B. Kerberos

Explanation:
Windows uses Kerberos for authentication. RADIUS is typically used for wireless networks, modems, and network devices, while OAuth is primarily used for web applications. TACACS+ is used for network devices.

97
Q

Valerie needs to control access to applications that are deployed to mobile devices in a BYOD environment. What type of solution will best allow her to exercise control over the applications while ensuring that they do not leave remnant data on the devices used by her end users?

A. Deploy the applications to the BYOD devices and require unique PINs on every device.
B. Deploy the application to desktop systems and require users to use remote desktop to access them using enterprise authentication.
C. Deploy the applications to the BYOD devices using application containers and require unique PINs on every device.
D. Use a virtual hosted application environment that requires authentication using enterprise credentials.

A

D. Use a virtual hosted application environment that requires authentication using enterprise credentials.

Explanation:
When very high levels of control are needed or when endpoint devices cannot be trusted, using a centralized environment with remote connectivity and enterprise authentication can provide appropriate security.

98
Q

Match the following authorization mechanisms with their descriptions:

  1. Role-BAC
  2. Rule BAC
  3. DAC
  4. ABAC
  5. MAC

A. An access control model enforced by the operating system.
B. Permissions or rights are granted based on parameters like an IP address, time, or other specific details that match requirements.
C. Sometimes called policy-based access control, this model uses information about the subject to assign permissions.
D. A model where subjects with the proper rights can assign or pass those rights to other subjects.
E. Used to assign permissions based on job or function.

A

  1. E
  2. B
  3. D
  4. C
  5. A

99
Q

Match each of the numbered authentication techniques with the appropriate lettered category. Each technique should be matched with exactly one category. Each category may be used once, more than once, or not at all.

Authentication technique

  1. Password
  2. ID card
  3. Retinal scan
  4. Smartphone token
  5. Fingerprint analysis

Category

A. Something you have
B. Something you know
C. Something you are

A

The security controls match with the categories as follows:

  1. Password: B. Something you know
  2. ID card: A. Something you have
  3. Retinal scan: C. Something you are
  4. Smartphone token: A. Something you have
  5. Fingerprint analysis: C. Something you are

100
Q

Match the following identity and access controls with the asset type they are best suited to protect. Each only has one option.

  1. Information assets
  2. Systems
  3. Mobile devices
  4. Facilities
  5. Partner applications

A. Discretionary access controls
B. Badge readers
C. Federated identity management
D. Biometric authentication
E. User accounts with multifactor authentication

A

  1. A
  2. E
  3. D
  4. B
  5. C