Domain 5 Flashcards

1
Q
  1. Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
    a. An access control list
    b. An implicit denial list
    c. A capability table
    d. A rights management matrix
A

C. Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.

2
Q
  1. Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim’s company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company’s onsite identity needs?
    a. Integrate onsite systems using OAuth.
    b. Use an on-premise third-party identity service.
    c. Integrate onsite systems using SAML.
    d. Design an in-house solution to handle the organization’s unique needs.
A

B. Since Jim’s organization is using a cloud-based Identity as a Service solution, a third-party, on-premise identity service can provide the ability to integrate with the IDaaS solution, and the company’s use of Active Directory is widely supported by third-party vendors. OAuth is an authorization framework for granting third-party applications delegated access to resources, not a replacement for on-site AAA, and would not meet the needs described. SAML is a markup language for exchanging authentication and authorization assertions and would not by itself meet the full set of AAA needs. Since the organization is using Active Directory, a custom in-house solution is unlikely to be as effective as a preexisting third-party solution and may take far more time and expense to implement.

3
Q
  1. Which of the following is not a weakness in Kerberos?
    a. The KDC is a single point of failure.
    b. Compromise of the KDC would allow attackers to impersonate any user.
    c. Authentication information is not encrypted.
    d. It is susceptible to password guessing.
A

C. Kerberos encrypts messages using secret keys, providing protection for authentication traffic. The KDC is both a single point of failure and can cause problems if compromised because keys are stored on the KDC that would allow attackers to impersonate any user. Like many authentication methods, Kerberos can be susceptible to password guessing.

4
Q
  1. Voice pattern recognition is what type of authentication factor?
    a. Type 1
    b. Type 2
    c. Type 3
    d. Type 4
A

C. Voice pattern recognition is “something you are,” a Type 3 authentication factor. Type 1 factors are “something you know,” and Type 2 factors are “something you have.” Type 4 is made up and is not a valid type of authentication factor.

5
Q
  1. If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct types of factor has she used?
    a. One
    b. Two
    c. Three
    d. Four
A

B. Susan has used two distinct types of factors: the PIN and password are both Type 1 factors, and the retina scan is a Type 3 factor. Her username is not a factor.

6
Q
  1. Which of the following items are not commonly associated with restricted interfaces?
    a. Shells
    b. Keyboards
    c. Menus
    d. Database views
A

B. Menus, shells, and database views are all commonly used for constrained interfaces. A keyboard is not typically a constrained interface, although physically constrained interfaces like those found on ATMs, card readers, and other devices are common.

7
Q
  1. During a log review, Saria discovers a series of logs that show login failures as shown here:

Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=orange

Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=Orang3

Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=Orange93

Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=Orangutan1

Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=Orangemonkey

What type of attack has Saria discovered?

a. A brute force attack
b. A man-in-the-middle attack
c. A dictionary attack
d. A rainbow table attack

A

C. Dictionary attacks use a dictionary or list of common passwords as well as variations of those words to attempt to log in as an authorized user. This attack shows a variety of passwords based on a similar base word, which is often a good indicator of a dictionary attack. A brute force attack will typically show simple iteration of passwords, while a man-in-the-middle attack would not be visible in the authentication log. A rainbow table attack is used when attackers already have password hashes in their possession and would also not show up in logs.
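As an added illustration (not part of the original question set), the following Python script parses the failed-login lines above, groups the guesses by account and source, and applies a simple heuristic: a run of passwords sharing a long common stem is labelled dictionary-style, while a run in which each guess is the previous one with its last character incremented is labelled brute force. The sample input is the constructed log from the question plus a constructed brute force series for contrast. Real OpenSSH never logs the attempted password; the passwd= field exists only in this exercise, so the regular expression is tailored to the exercise format, not to production sshd output.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the flashcard above.
SAMPLE_LOG = """\
Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=orange
Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=Orang3
Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=Orange93
Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=Orangutan1
Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=Orangemonkey
"""

# Constructed contrast case: plain iteration, the signature of a brute force attempt.
BRUTE_LOG = """\
Feb 01 02:00:01 ip-10-0-0-2 sshd[31000]: Invalid user root from remotehost passwd=aaaa
Feb 01 02:00:01 ip-10-0-0-2 sshd[31001]: Invalid user root from remotehost passwd=aaab
Feb 01 02:00:02 ip-10-0-0-2 sshd[31002]: Invalid user root from remotehost passwd=aaac
Feb 01 02:00:02 ip-10-0-0-2 sshd[31003]: Invalid user root from remotehost passwd=aaad
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+) passwd=(?P<pw>\S+)"
)


def parse_failures(text):
    """Return {(user, source): [password, ...]} for every failed-login line in text."""
    attempts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts[(m["user"], m["src"])].append(m["pw"])
    return attempts


def common_stem(words, min_len=4):
    """Longest case-insensitive prefix shared by every word, or '' if shorter than min_len."""
    lowered = [w.lower() for w in words]
    stem = lowered[0]
    for w in lowered[1:]:
        while not w.startswith(stem):
            stem = stem[:-1]
    return stem if len(stem) >= min_len else ""


def is_sequential(words):
    """True when every guess is the previous guess with its last character incremented by one."""
    return len(words) > 1 and all(
        len(a) == len(b) and a[:-1] == b[:-1] and ord(b[-1]) - ord(a[-1]) == 1
        for a, b in zip(words, words[1:])
    )


def classify(passwords):
    """Heuristic label for a series of guesses against one account from one source."""
    if len(passwords) < 3:
        return "insufficient data"
    if is_sequential(passwords):
        return "brute force (simple iteration)"
    stem = common_stem(passwords)
    if stem:
        return f"dictionary (variations on '{stem}')"
    return "unclassified"


def analyze(text):
    """Map each (user, source) pair seen in the log to its classification."""
    return {key: classify(pws) for key, pws in parse_failures(text).items()}


if __name__ == "__main__":
    for log in (SAMPLE_LOG, BRUTE_LOG):
        for (user, src), verdict in analyze(log).items():
            print(f"{user}@{src}: {verdict}")
```

The stem heuristic is deliberately loose (four shared characters) so that case and suffix variations such as orange, Orang3 and Orangutan1 still group together; tighten min_len if a real log produces too many false groupings.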

8
Q
  1. What type of attack can be prevented by using a trusted path?
    a. Dictionary attacks
    b. Brute force attacks
    c. Man-in-the-middle attacks
    d. Login spoofing
A

D. The Common Criteria defines a trusted path as a way to protect data exchanged between users and a security component. This defends against attacks such as replacing a system’s login window, and is the reason Windows uses Ctrl+Alt+Del as a secure attention sequence before login. Man-in-the-middle attacks can be prevented by using a trusted channel, which is often implemented with encryption and certificates. Brute force and dictionary attacks are often discouraged by using a back-off algorithm to slow down or prevent attacks.

9
Q
  1. What major issue often results from decentralized access control?
    a. Access outages may occur.
    b. Control is not consistent.
    c. Control is too granular.
    d. Training costs are high.
A

B. Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.

10
Q
  1. Callback to a home phone number is an example of what type of factor?
    a. Type 1
    b. Somewhere you are
    c. Type 3
    d. Geographic
A

B. A callback to a home phone number is an example of a “somewhere you are” factor. This could potentially be spoofed by call forwarding or using a VoIP system. Type 1 factors are “something you know,” Type 3 factors are biometric, and geographic factors are typically based on IP addresses or access to a GPS.

11
Q

  1. Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?
    a. A shortcut trust
    b. A forest trust
    c. An external trust
    d. A realm trust

A

D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a non-transitive trust between AD domains in separate forests.

12
Q
  1. Which of the following AAA protocols is the most commonly used?
    a. TACACS
    b. TACACS+
    c. XTACACS
    d. Super TACACS
A

B. TACACS+ is the only modern protocol on the list. It provides advantages of both TACACS and XTACACS as well as some benefits over RADIUS, including encryption of all authentication information. Super TACACS is not an actual protocol.

13
Q
  1. Which of the following is not a single sign-on implementation?
    a. Kerberos
    b. ADFS
    c. CAS
    d. RADIUS
A

D. Kerberos, Active Directory Federation Services (ADFS), and the Central Authentication Service (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.

14
Q
  1. As seen in the following image, a user on a Windows system is not able to use the “Send Message” functionality. What access control model best describes this type of limitation?
    a. Least privilege
    b. Need to know
    c. Constrained interface
    d. Separation of duties
A

C. Restricting an interface based on the user’s privileges is an example of a constrained interface. Least privilege describes the idea of providing users with only the rights they need to accomplish their job, while need to know limits access based on whether a subject needs to know the information to accomplish an assigned task. Separation of duties focuses on preventing fraud or mistakes by splitting tasks between multiple subjects.

15
Q
  1. What type of access controls allow the owner of a file to grant other users access to it using an access control list?
    a. Role based
    b. Non-discretionary
    c. Rule based
    d. Discretionary
A

D. When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant access based on a subject’s role, while rule-based controls would base the decision on a set of rules or requirements. Non-discretionary access controls apply a fixed set of rules to an environment to manage access. Non-discretionary access controls include rule-, role-, and lattice-based access controls.

16
Q
  1. Alex’s job requires him to see personal health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?
    a. Separation of duties
    b. Constrained interfaces
    c. Context-dependent control
    d. Need to know
A

D. Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Separation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task. Constrained interfaces restrict what a user can see or do and would be a reasonable answer if need to know did not describe his access more completely in this scenario. Context-dependent control relies on the activity being performed to apply controls, and this question does not specify a workflow or process.

17
Q

Using your knowledge of the Kerberos logon process and the following diagram, answer questions 17, 18, and 19.

  1. At point A in the diagram, the client sends the username and password to the KDC. How is the username and password protected?
    a. 3DES encryption
    b. TLS encryption
    c. SSL encryption
    d. AES encryption
A

D. In the simplified model this question set uses, the client encrypts the username and password with AES before sending them to the KDC. In Kerberos as specified in RFC 4120 the password itself never leaves the client: the client derives its long-term key from the password and proves possession of it by encrypting a timestamp in the pre-authentication data of the AS-REQ. AES is the encryption type used in current deployments; RFC 6649 and RFC 8429 deprecate the older DES, 3DES and RC4 types.

18
Q

Using your knowledge of the Kerberos logon process and the following diagram, answer questions 17, 18, and 19.

  1. At point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid?
    a. An encrypted TGT and a public key
    b. An access ticket and a public key
    c. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user’s password
    d. An encrypted, time-stamped TGT and an access token
A

C. In the simplified model, the KDC hashes the user’s password and uses that hash to encrypt a symmetric session key; it sends the client both the encrypted session key and an encrypted, time-stamped TGT. In RFC 4120 terms this is the AS-REP: the client/TGS session key is encrypted under the client’s long-term key (derived from the password), while the TGT itself is encrypted under the ticket-granting service’s own key, so the client can present the ticket but never read it.

19
Q

Using your knowledge of the Kerberos logon process and the following diagram, answer questions 17, 18, and 19.

  1. What tasks must the client perform before it can use the TGT?
    a. It must generate a hash of the TGT and decrypt the symmetric key.
    b. It must install the TGT and decrypt the symmetric key.
    c. It must decrypt the TGT and the symmetric key.
    d. It must send a valid response using the symmetric key to the KDC and must install the TGT.
A

B. The client installs (caches) the TGT for use until it expires, and must also decrypt the symmetric session key using the key derived from a hash of the user’s password. It does not and cannot decrypt the TGT itself, which is readable only by the KDC.

20
Q
  1. Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
    a. Retina scans can reveal information about medical conditions.
    b. Retina scans are painful because they require a puff of air in the user’s eye.
    c. Retina scanners are the most expensive type of biometric device.
    d. Retina scanners have a high false positive rate and will cause support issues.
A

A. Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.

21
Q
  1. Mandatory access control is based on what type of model?
    a. Discretionary
    b. Group based
    c. Lattice based
    d. Rule based
A

C. Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group based, and rule-based access controls such as firewall ACLs apply the same rules to every subject they cover.

22
Q
  1. Which of the following is not a type of attack used against access controls?
    a. Dictionary attack
    b. Brute force attack
    c. Teardrop
    d. Man-in-the-middle attack
A

C. Dictionary, brute force, and man-in-the-middle attacks are all types of attacks that are frequently aimed at access controls. Teardrop attacks are a type of denial of service attack.

23
Q
  1. What is the best way to provide accountability for the use of identities?
    a. Logging
    b. Authorization
    c. Digital signatures
    d. Type 1 authentication
A

A. Logging systems can provide accountability for identity systems by tracking the actions, changes, and other activities a user or account performs.

24
Q
  1. Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?
    a. Re-provisioning
    b. Account review
    c. Privilege creep
    d. Account revocation
A

B. As an employee’s role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners’ role and job requirements. Account revocation removes accounts, while re-provisioning might occur if an employee was terminated and returned or took a leave of absence and returned.

25
Q
  1. Biba is what type of access control model?
    a. MAC
    b. DAC
    c. Role BAC
    d. ABAC
A

A. Biba uses a lattice to control access and is a form of the mandatory access control (MAC) model. It does not use rules, roles, or attributes, nor does it allow user discretion. Users can create content at their level or lower but cannot decide who gets access, levels are not roles, and attributes are not used to make decisions on access control.
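The lattice idea behind questions 21 and 25 (and the label table in question 34) is easier to see in code. The following Python is an added example, not part of the original question set: it builds a lattice label from an ordered integrity level plus a set of categories, defines the dominance relation that orders the lattice, and enforces Biba’s two rules on top of it. The level names and categories are assumptions chosen for illustration; the page names none.

```python
from dataclasses import dataclass

# Assumed integrity levels, lowest to highest (illustrative; the page names no levels).
LEVELS = ("untrusted", "user", "system")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """A lattice label: an ordered integrity level plus a set of categories (compartments).

    Labels are assigned by policy and are immutable here; under MAC the subject
    cannot change its own label or decide who else may access an object.
    """
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """Partial order of the lattice: higher-or-equal level AND a superset of categories."""
        return RANK[self.level] >= RANK[other.level] and self.categories >= other.categories


def biba_read_allowed(subject, obj):
    """Simple integrity property ('no read down'): the object's label must dominate the subject's."""
    return obj.dominates(subject)


def biba_write_allowed(subject, obj):
    """Star (*) integrity property ('no write up'): the subject's label must dominate the object's."""
    return subject.dominates(obj)


def join(a, b):
    """Least upper bound of two labels. Every pair having one is what makes this a lattice."""
    return Label(LEVELS[max(RANK[a.level], RANK[b.level])], a.categories | b.categories)


def check_access(subject, obj, mode):
    """Return (allowed, reason) for a read or write request."""
    if mode == "read":
        ok = biba_read_allowed(subject, obj)
        return ok, ("object integrity dominates subject" if ok else "no read down")
    if mode == "write":
        ok = biba_write_allowed(subject, obj)
        return ok, ("subject integrity dominates object" if ok else "no write up")
    raise ValueError(f"unknown access mode {mode!r}")


if __name__ == "__main__":
    ops = Label("system", frozenset({"payroll"}))       # a high-integrity subject
    config = Label("system", frozenset({"payroll"}))    # same label: read and write both allowed
    web_form = Label("untrusted")                       # low integrity: writable, not readable
    hr_doc = Label("system", frozenset({"hr"}))         # incomparable: neither read nor write
    for name, obj in (("config", config), ("web_form", web_form), ("hr_doc", hr_doc)):
        for mode in ("read", "write"):
            print(f"ops {mode:5} {name:8} -> {check_access(ops, obj, mode)}")
```

The incomparable case (same level, disjoint categories) is the one worth remembering: a lattice is a partial order, so two labels can exist where neither dominates the other, and Biba then denies both directions.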

26
Q
  1. Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
    a. Kerberos
    b. EAP
    c. RADIUS
    d. OAuth
A

C. RADIUS is an AAA protocol used to provide authentication, authorization, and accounting; it’s often used for modems, wireless networks, VPN concentrators, and network devices. Network access servers (NASs) send Access-Request messages to central RADIUS servers, which answer with Access-Accept, Access-Reject, or Access-Challenge. Kerberos is a ticket-based authentication protocol; OAuth is an open standard for delegated authorization that lets a user grant a third-party application limited access to resources without sharing credentials (OpenID Connect layers authentication on top of it); and EAP is the Extensible Authentication Protocol, an authentication framework often used for wireless networks and commonly carried inside RADIUS.

27
Q
  1. What type of access control is being used in the following permission listing:

Storage Device X

User1: Can read, write, list

User2: Can read, list

User3: Can read, write, list, delete

User4: Can list

a. Resource-based access controls
b. Role-based access controls
c. Mandatory access controls
d. Rule-based access controls

A

A. Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based Infrastructure as a Service environments. The lack of roles, rules, or a classification system indicate that role-based, rule-based, and mandatory access controls are not in use here.

28
Q
  1. Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor and what traffic will she be able to read?
    a. UDP, none. All RADIUS traffic is encrypted.
    b. TCP, all traffic but the passwords, which are encrypted
    c. UDP, all traffic but the passwords, which are encrypted
    d. TCP, none. All RADIUS traffic is encrypted.
A

C. By default, RADIUS uses UDP (ports 1812 for authentication and 1813 for accounting) and hides only the User-Password attribute; usernames, NAS identifiers, and the other attributes travel in cleartext. The password is not strongly encrypted either: RFC 2865 obscures it by XORing it with an MD5 keystream derived from the shared secret and the packet’s Request Authenticator, so anyone who captures the traffic and knows or guesses the shared secret can recover it. RADIUS over TCP (RFC 6613) and RADIUS over TLS (RFC 6614, RadSec) exist, but neither is a default setting.
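To make the "only the password is hidden" point concrete, here is an added example (not from the original question set) implementing the RFC 2865 section 5.2 User-Password hiding in plain Python, the reverse operation, and an offline guess of the shared secret from a single captured request. The shared secret, Request Authenticator and password values are constructed for the demonstration.

```python
import hashlib
import os


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding.

    The password is NUL-padded to a multiple of 16 bytes; each block is XORed with
    MD5(secret || previous ciphertext block). The first "previous block" is the
    16-byte Request Authenticator, which the NAS sends in the clear in the same packet.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for off in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor(padded[off:off + 16], keystream)
        hidden += block
        prev = block
    return hidden


def reveal_password(secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: anyone holding (or guessing) the shared secret can run this."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", request_authenticator
    for off in range(0, len(hidden), 16):
        block = hidden[off:off + 16]
        plain += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return plain.rstrip(b"\x00")


def guess_shared_secret(candidates, request_authenticator, hidden, known_password):
    """Offline dictionary attack on the shared secret using one captured Access-Request
    whose plaintext password is known (for example a test account the attacker controls).
    Returns the matching secret or None."""
    for secret in candidates:
        if reveal_password(secret, request_authenticator, hidden) == known_password:
            return secret
    return None


if __name__ == "__main__":
    secret = b"testing123"           # constructed; weak secrets like this are still common
    authenticator = os.urandom(16)   # chosen per request by the NAS, sent in the clear
    hidden = hide_password(secret, authenticator, b"hunter2")
    print("User-Password on the wire:", hidden.hex())
    print("recovered with the secret:", reveal_password(secret, authenticator, hidden))
    print("secret guessed offline   :",
          guess_shared_secret([b"radius", b"testing123"], authenticator, hidden, b"hunter2"))
```

Two consequences follow directly from the construction: the keystream depends only on the shared secret and a value visible in the packet, so the secret is the entire protection; and because MD5 is fast, a captured request with a known password lets an attacker test candidate secrets at hash speed. That is why RADIUS/TLS or an IPsec tunnel between NAS and server is the practical fix rather than a longer shared secret alone.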

29
Q
  1. Which of the following is not part of a Kerberos authentication system?
    a. KDC
    b. TGT
    c. AS
    d. TS
A

D. A key distribution center (KDC) provides authentication services, and ticket-granting tickets (TGTs) provide proof that a subject has authenticated and can request tickets to access objects. The authentication service (AS) is a component of the KDC, alongside the ticket-granting service (TGS). There is no TS in a Kerberos infrastructure.

30
Q
  1. When an application or system allows a logged-in user to perform specific actions, it is an example of what?
    a. Roles
    b. Group management
    c. Logins
    d. Authorization
A

D. Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.

31
Q
  1. Alex has been employed by his company for over a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications due to his former roles. What issue has Alex’s company encountered?
    a. Excessive provisioning
    b. Unauthorized access
    c. Privilege creep
    d. Account review
A

C. Privilege creep occurs when users retain rights from roles they previously held that they do not need to accomplish their current job. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.

32
Q
  1. Which of the following is not a common threat to access control mechanisms?
    a. Fake login pages
    b. Phishing
    c. Dictionary attacks
    d. Man-in-the-middle attacks
A

B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.

33
Q
  1. What term properly describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order for normal function?
    a. Collisions
    b. Race conditions
    c. Determinism
    d. Out-of-order execution
A

B. Race conditions occur when two or more processes need to access the same resource in the right order. If an attacker can disrupt this order, they may be able to affect the normal operations of the system and gain unauthorized access or improper rights. Collisions occur when two different files produce the same result from a hashing operation, out-of-order execution is a CPU architecture feature that allows the use of otherwise unused cycles, and determinism is a philosophical term rather than something you should see on the CISSP exam!

34
Q
  1. What type of access control scheme is shown in the following table?

    a. RBAC
    b. DAC
    c. MAC
    d. TBAC

A

C. Mandatory access controls use a lattice to describe how classification labels relate to each other. In this image, classification levels are set for each of the labels shown. A discretionary access control (DAC) system would show how the owner of the objects allows access. RBAC could be either rule- or role-based access control and would either use system-wide rules or roles. Task-based access control (TBAC) would list tasks for users.

35
Q
  1. Which of the following is not a valid LDAP DN (distinguished name)?
    a. cn=ben+ou=sales
    b. ou=example
    c. cn=ben,ou=example;
    d. ou=example,dc=example,dc=com+dc=org
A

C. LDAP distinguished names are made up of zero or more comma-separated components known as relative distinguished names (RDNs). cn=ben,ou=example; ends with an unescaped semicolon, which RFC 4514 requires to be escaped inside a value, so it is not a valid DN. It is possible to have additional attribute values in the same RDN by using a plus sign between them.
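An added example (not part of the original question set): a small parser for the RFC 4514 string form of a DN that splits unescaped commas into RDNs, unescaped plus signs into the attribute value pairs of a multi-valued RDN, honours backslash escapes (single characters and hex pairs), and rejects the characters the RFC says must be escaped inside a value. It checks syntax only: it does not decode '#'-prefixed hexstring values, treats each hex escape as one character rather than a UTF-8 byte, and does not enforce that the attribute types within one RDN are distinct. Run against the four options in the question, it accepts a, b and d and rejects c.

```python
import re

# Characters RFC 4514 section 2.4 requires to be escaped when they appear inside a value.
_VALUE_SPECIALS = set('",;<>+\\')
# Attribute type: a descriptor (cn, dc, ou ...) or a dotted numeric OID.
_TYPE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
_HEX = set("0123456789abcdefABCDEF")


def parse_dn(dn):
    """Return a list of RDNs, each a list of (type, value) pairs; raise ValueError if malformed."""
    if dn == "":
        return []  # zero RDNs: the empty DN (the root) is valid
    rdns = [[]]
    buf_type, buf_value, in_value = [], [], False
    i = 0

    def finish_ava():
        t = "".join(buf_type)
        if not in_value or not _TYPE_RE.match(t):
            raise ValueError(f"malformed attributeTypeAndValue before offset {i}")
        rdns[-1].append((t, "".join(buf_value)))
        buf_type.clear()
        buf_value.clear()

    while i < len(dn):
        ch = dn[i]
        target = buf_value if in_value else buf_type
        if ch == "\\":
            # Escape: either one of the special characters taken literally, or a hex pair.
            if i + 1 < len(dn) and dn[i + 1] in _VALUE_SPECIALS | {" ", "#", "="}:
                target.append(dn[i + 1])
                i += 2
                continue
            if i + 2 < len(dn) and set(dn[i + 1:i + 3]) <= _HEX:
                target.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
                continue
            raise ValueError(f"bad escape at offset {i}")
        if not in_value:
            if ch == "=":
                in_value = True
            else:
                buf_type.append(ch)  # validated against _TYPE_RE when the AVA closes
        elif ch in (",", "+"):
            finish_ava()
            in_value = False
            if ch == ",":
                rdns.append([])  # comma ends the RDN; plus continues a multi-valued RDN
        elif ch in _VALUE_SPECIALS:
            raise ValueError(f"unescaped {ch!r} at offset {i}")
        else:
            buf_value.append(ch)
        i += 1
    finish_ava()
    return rdns


def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ("cn=ben+ou=sales", "ou=example", "cn=ben,ou=example;",
                      "ou=example,dc=example,dc=com+dc=org", r"cn=Smith\, John,o=Example"):
        try:
            print(f"{candidate!r:45} -> {parse_dn(candidate)}")
        except ValueError as exc:
            print(f"{candidate!r:45} -> INVALID ({exc})")
```

The escaped comma case (Smith\, John) is the one that matters in practice: a naive split on commas would produce a bogus RDN, and the same mistake in an application that builds DNs from user input is how LDAP injection starts.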

36
Q
  1. When a subject claims an identity, what process is occurring?
    a. Login
    b. Identification
    c. Authorization
    d. Token presentation
A

B. The process of a subject claiming or professing an identity is known as identification. Authentication, not authorization, then verifies that claim by checking a factor such as a password; authorization decides what the authenticated subject may do. Logins typically include both identification and authentication, and token presentation is a type of authentication.

37
Q
  1. Dogs, guards, and fences are all common examples of what type of control?
    a. Detective
    b. Recovery
    c. Administrative
    d. Physical
A

D. Dogs, guards, and fences are all examples of physical controls. While dogs and guards might detect a problem, fences cannot, so they are not all examples of detective controls. None of these controls would help repair or restore functionality after an issue, and thus none are recovery controls, nor are they administrative controls that involve policy or procedures, although the guards might refer to them when performing their duties.

38
Q
  1. Susan’s organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute force attacks?
    a. Change maximum age from 1 year to 180 days.
    b. Increase the minimum password length from 8 characters to 16 characters.
    c. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.
    d. Retain a password history of at least four passwords to prevent reuse.
A

B. Resistance to brute force is driven primarily by length, so a longer password will be more effective against brute force attacks than a shorter one. Each character of additional length multiplies the number of possible passwords by the size of the character set (for example, one additional lowercase letter makes the keyspace 26 times larger). While each of the other settings is useful for a strong password policy, they won’t have the same impact on brute force attacks.

39
Q
  1. What is the stored sample of a biometric factor called?
    a. A reference template
    b. A token store
    c. A biometric password
    d. An enrollment artifact
A

A. The stored sample of a biometric factor is called a reference profile or a reference template. None of the other answers are common terms used for biometric systems.

40
Q
  1. When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?
    a. When security is more important than usability
    b. When false rejection is not a concern due to data quality
    c. When the CER of the system is not known
    d. When the CER of the system is very high
A

A. Organizations that have very strict security requirements that don’t have a tolerance for false acceptance want to lower the false acceptance rate, or FAR, to be as near to zero as possible. That often means that the false rejection rate, or FRR, increases. Different biometric technologies or a better registration method can help improve biometric performance, but false rejections due to data quality are not typically a concern with modern biometric systems. In this case, knowing the crossover error rate, or CER, or having a very high CER doesn’t help the decision.

41
Q
  1. Susan is working to improve the strength of her organization’s passwords by changing the password policy. The password system that she is using allows upper- and lower-case letters as well as numbers but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create?
    a. 26 times more complex
    b. 62 times more complex
    c. 36 times more complex
    d. 2^62 times more complex
A

B. The complexity of brute forcing a password increases based on both the number of potential characters and the number of letters added. In this case, there are 26 lowercase letters, 26 uppercase letters, and 10 possible digits. That creates 62 possibilities. Since we added only a single letter of length, we get 62^1, or 62 possibilities, and thus, the new passwords would be 62 times harder to brute force on average.

42
Q
  1. Which pair of the following factors are key for user acceptance of biometric identification systems?
    a. The FAR
    b. The throughput rate and the time required to enroll
    c. The CER and the EER
    d. How often users must reenroll and the reference profile requirements
A

B. Biometric systems can face major usability challenges if the time to enroll is long (over a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow. FAR and FRR may be important in the design decisions made by administrators or designers, but they aren’t typically visible to users. CER and EER (equal error rate) are the same thing: the point where FAR and FRR meet. Reference profile requirements are a system requirement, not a user requirement.

43
Q

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integrations and security architecture design, answer questions 43, 44, and 45.

  1. Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks?
    a. Use SAML’s secure mode to provide secure authentication.
    b. Implement TLS using a strong cipher suite, which will protect against both types of attacks.
    c. Implement TLS using a strong cipher suite and use digital signatures.
    d. Implement TLS using a strong cipher suite and message hashing.
A

C. TLS provides message confidentiality and integrity, which can prevent eavesdropping. When paired with digital signatures, which provide integrity and authentication, forged assertions can also be defeated. SAML does not have a security mode and relies on TLS and digital signatures to ensure security if needed. Message hashing without a signature would help prevent modification of the message but won’t necessarily provide authentication.

44
Q

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integrations and security architecture design, answer questions 43, 44, and 45.

  1. If Alex’s organization is one that is primarily made up of offsite, traveling users, what availability risk does integration of critical business applications to onsite authentication create and how could he solve it?
    a. Third-party integration may not be trustworthy; use SSL and digital signatures.
    b. If the home organization is offline, traveling users won’t be able to access third-party applications; implement a hybrid cloud/local authentication system.
    c. Local users may not be properly redirected to the third-party services; implement a local gateway.
    d. Browsers may not properly redirect; use hosts files to ensure that issues with redirects are resolved.
A

B. Integration with cloud-based third parties that rely on local authentication can fail if the local organization’s Internet connectivity or servers are offline. Adopting a hybrid cloud and local authentication system can ensure that Internet or server outages are handled, allowing authentication to work regardless of where the user is or whether their home organization is online. Using encrypted and signed communication does not address availability, redirects are a configuration issue with the third party, and a local gateway won’t handle remote users. Also, hosts files don’t help with availability issues with services other than DNS.

45
Q

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integrations and security architecture design, answer questions 43, 44, and 45.

  1. What solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagram?
    a. An awareness campaign about trusted third parties
    b. TLS
    c. Handling redirects at the local site
    d. Implementing an IPS to capture SSO redirect attacks
A

A. While many solutions are technical, if a trusted third party redirects to an unexpected authentication site, awareness is often the best defense. Using TLS would keep the transaction confidential but would not prevent the redirect. Handling redirects locally only works for locally hosted sites, and using a third-party service requires offsite redirects. An IPS might detect an attacker’s redirect, but tracking the multitude of load-balanced servers most large providers use can be challenging, if not impossible. In addition, an IPS relies on visibility into the traffic, and SAML integrations should be encrypted for security, which would require a man-in-the-middle type of IPS to be configured.

46
Q
  1. Susan has been asked to recommend whether her organization should use a mandatory access control scheme or a discretionary access control scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
    a. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
    b. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
    c. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
    d. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority
A

B. Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control system (MAC). MAC is more secure due to the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.

47
Q
  1. Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed?
    a. Log review
    b. Manual review of permissions
    c. Signature-based detection
    d. Review the audit trail
A

C. While signature-based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.

48
Q
  1. Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?
    a. SAML
    b. SOAP
    c. SPML
    d. XACML
A

C. Service Provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to exchange authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging, but it is not a markup language itself.

49
Q
  1. During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?
    a. A brute force attack
    b. A pass-the-hash attack
    c. A rainbow table attack
    d. A salt recovery attack
A

C. Rainbow tables are databases of prehashed passwords paired with high-speed lookup functions. Since they can quickly compare known hashes against those in a file, using rainbow tables is the fastest way to quickly determine passwords from hashes. A brute force attack may eventually succeed but will be very slow against most hashes. Pass-the-hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent to a system to avoid the need to know a user’s password. Salts are data added to a hash to avoid the use of tools like rainbow tables. A salt added to a password means the hash won’t match a rainbow table generated without the same salt.

50
Q
  1. Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?
    a. PKI
    b. Federation
    c. Single sign-on
    d. Provisioning
A

B. Google’s federation with other applications and organizations allows single-sign on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single-sign on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.

51
Q
  1. Lauren starts at her new job and finds that she has access to a variety of systems that she does not need in order to accomplish her job. What problem has she encountered?
    a. Privilege creep
    b. Rights collision
    c. Least privilege
    d. Excessive privileges
A

D. When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike creeping privileges, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collision is a made-up term, and thus is not an issue here.

52
Q
  1. When Chris verifies an individual’s identity and adds a unique identifier like a user ID to an identity system, what process has occurred?
    a. Identity proofing
    b. Registration
    c. Directory management
    d. Session management
A

B. Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.

53
Q
  1. Jim configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636. What does this indicate to Jim about the configuration of the LDAP server?
    a. It requires connections over SSL/TLS.
    b. It supports only unencrypted connections.
    c. It provides global catalog services.
    d. It does not provide global catalog services.
A

A. Port 636 is the default port for LDAP-S, which provides LDAP over SSL or TLS, thus indicating that the server supports encrypted connections. Since neither port 3268 nor 3269 is mentioned, we do not know if the server provides support for a global catalog.

54
Q
  1. The X.500 standards cover what type of important identity systems?
    a. Kerberos
    b. Provisioning services
    c. Biometric authentication systems
    d. Directory services
A

D. The X.500 series of standards covers directory services. Kerberos is described in RFCs; biometric systems are covered by a variety of standards, including ISO standards; and provisioning standards include SCIM, SPML, and others.

55
Q
  1. Microsoft’s Active Directory Domain Services is based on which of the following technologies?
    a. RADIUS
    b. LDAP
    c. SSO
    d. PKI
A

B. Active Directory Domain Services is based on LDAP, the Lightweight Directory Access Protocol. Active Directory also uses Kerberos for authentication.

56
Q
  1. Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
    a. Require users to create unique questions that only they will know.
    b. Require new users to bring their driver’s license or passport in person to the bank.
    c. Use information that both the bank and the user have such as questions pulled from their credit report.
    d. Call the user on their registered phone number to verify that they are who they claim to be.
A

C. Identity proofing can be done by comparing user information that the organization already has, like account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.

57
Q
  1. By default, in what format does OpenLDAP store the value of the userPassword attribute?
    a. In the clear
    b. Salted and hashed
    c. MD5 hashed
    d. Encrypted using AES256 encryption
A

A. By default, OpenLDAP stores the userPassword attribute in the clear. This means that ensuring that the password is provided to OpenLDAP in a secure format is the responsibility of the administrator or programmer who builds its provisioning system.

58
Q
  1. A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer’s account. What type of biometric factor error occurred?
    a. A registration error
    b. A Type 1 error
    c. A Type 2 error
    d. A time of use, method of use error
A

C. Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 1 errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error. Registration is the process of adding users, but registration errors and time of use, method of use errors are not specific biometric authentication terms.

59
Q
  1. What type of access control is typically used by firewalls?
    a. Discretionary access controls
    b. Rule-based access controls
    c. Task-based access control
    d. Mandatory access controls
A

B. Firewalls use rule-based access control, or Rule-BAC, in their access control lists and apply rules created by administrators to all traffic that passes through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.

60
Q
  1. When you input a user ID and password, you are performing what important identity and access management activity?
    a. Authorization
    b. Validation
    c. Authentication
    d. Login
A

C. When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren’t the most important identity and access management activity.

61
Q
  1. Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen’s best option to make sure that the users of the passcards are who they are supposed to be?
    a. Add a reader that requires a PIN for passcard users.
    b. Add a camera system to the facility to observe who is accessing servers.
    c. Add a biometric factor.
    d. Replace the magnetic stripe keycards with smart cards.
A

C. Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or “something you have.” Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: A PIN can be stolen. Adding cameras doesn’t prevent access to the facility and thus doesn’t solve the immediate problem (but it is a good idea!).

62
Q
  1. Which of the following is a ticket-based authentication protocol designed to provide secure communication?
    a. RADIUS
    b. OAuth
    c. SAML
    d. Kerberos
A

D. Kerberos is an authentication protocol that uses tickets and provides secure communications between the client, key distribution center (KDC), ticket-granting service (TGS), authentication server (AS), and endpoint services. RADIUS does not provide the same level of security by default, SAML is a markup language, and OAuth is designed to allow third-party websites to rely on credentials from other sites like Google or Microsoft.

63
Q
  1. What type of access control is composed of policies and procedures that support regulations, requirements, and the organization’s own policies?
    a. Corrective
    b. Logical
    c. Compensating
    d. Administrative
A

D. Administrative access controls are procedures and the policies from which they derive. They are based on regulations, requirements, and the organization’s own policies. Corrective access controls return an environment to its original status after an issue, while logical controls are technical access controls that rely on hardware or software to protect systems and data. Compensating controls are used in addition to or as an alternative to other controls.

64
Q
  1. In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS?
    a. A TGT
    b. An AS
    c. The SS
    d. A session key
A

A. When clients perform a client service authorization, they send a TGT and the ID of the requested service to the TGS, and the TGS responds with a client-to-server ticket and session key back to the client if the request is validated. An AS is an authentication server and the SS is a service server, neither of which can be sent.

65
Q
  1. Which objects and subjects have a label in a MAC model?
    a. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label.
    b. All objects have a label, and all subjects have a compartment.
    c. All objects and subjects have a label.
    d. All subjects have a label and all objects have a compartment.
A

C. In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.

66
Q

Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice.

Using this information and the following diagram of an example authentication flow, answer questions 66, 67, and 68.

  1. When the e-commerce application creates an account for a Google+ user, where should that user’s password be stored?
    a. The password is stored in the e-commerce application’s database.
    b. The password is stored in memory on the e-commerce application’s server.
    c. The password is stored in Google’s account management system.
    d. The password is never stored; instead, a salted hash is stored in Google’s account management system.
A

D. Passwords are never stored for web applications in a well-designed environment. Instead, salted hashes are stored and compared to passwords after they are salted and hashed. If the hashes match, the user is authenticated.

67
Q

Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice.

Using this information and the following diagram of an example authentication flow, answer questions 66, 67, and 68.

  1. Which system or systems is/are responsible for user authentication for Google+ users?
    a. The e-commerce application
    b. Both the e-commerce application and Google servers
    c. Google servers
    d. The diagram does not provide enough information to determine this.
A

C. When a third-party site integrates via OAuth 2.0, authentication is handled by the service provider’s servers. In this case, Google is acting as the service provider for user authentication. Authentication for local users who create their own accounts would occur in the e-commerce application (or a related server), but that is not the question that is asked here.

68
Q

Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice.

Using this information and the following diagram of an example authentication flow, answer questions 66, 67, and 68.

  1. What type of attack is the creation and exchange of state tokens intended to prevent?
    a. XSS
    b. CSRF
    c. SQL injection
    d. XACML
A

B. The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site request forgery. This makes sure that the unique session token with the authentication response from Google’s OAuth service is available to verify that the user, not an attacker, is making a request. XSS attacks focus on scripting and would have script tags involved, SQL injection would have SQL code included, and XACML is the eXtensible Access Control Markup Language, not a type of attack.

69
Q
  1. Questions like “What is your pet’s name?” are examples of what type of identity proofing?
    a. Knowledge-based authentication
    b. Dynamic knowledge-based authentication
    c. Out-of-band identity proofing
    d. A Type 3 authentication factor
A

A. Knowledge-based authentication relies on preset questions such as “What is your pet’s name?” and their answers. It can be susceptible to attacks due to the availability of the answers on social media or other sites. Dynamic knowledge-based authentication relies on facts or data that the user already knows, which can be used to create questions they can answer on an as-needed basis (for example, a previous address or a school they attended). Out-of-band identity proofing relies on an alternate channel like a phone call or text message. Finally, Type 3 authentication factors are biometric, or “something you are,” rather than knowledge based.

70
Q
  1. Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using?
    a. A capability table
    b. An access control list
    c. An access control matrix
    d. A subject/object rights management system
A

C. An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.

71
Q
  1. During a review of support incidents, Ben’s organization discovered that password changes accounted for more than a quarter of its help desk’s cases. Which of the following options would be most likely to decrease that number significantly?
    a. Two-factor authentication
    b. Biometric authentication
    c. Self-service password reset
    d. Passphrases
A

C. Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has. Two-factor and biometric authentication both add additional complexity and may actually increase the number of contacts. Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don’t have the same impact that a self-service system does.

72
Q
  1. Brian’s large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS?
    a. Use the built-in encryption in RADIUS.
    b. Implement RADIUS over its native UDP using TLS for protection.
    c. Implement RADIUS over TCP using TLS for protection.
    d. Use an AES256 pre-shared cipher between devices.
A

C. RADIUS supports TLS over TCP. RADIUS does not have a supported TLS mode over UDP. AES pre-shared symmetric ciphers are not a supported solution and would be very difficult to both implement and maintain in a large environment, and the built-in encryption in RADIUS only protects passwords.

73
Q
  1. Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?
    a. Kerberos
    b. OAuth
    c. OpenID
    d. LDAP
A

B. OAuth provides the ability to access resources from another service and would meet Jim’s needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.

74
Q
  1. Ben’s organization has had an issue with unauthorized access to applications and workstations during the lunch hour when employees aren’t at their desk. What are the best type of session management solutions for Ben to recommend to help prevent this type of access?
    a. Use session IDs for all access and verify system IP addresses of all workstations.
    b. Set session time-outs for applications and use password-protected screensavers with inactivity time-outs on workstations.
    c. Use session IDs for all applications, and use password-protected screensavers with inactivity time-outs on workstations.
    d. Set session time-outs for applications and verify system IP addresses of all workstations.
A

B. Since physical access to the workstations is part of the problem, setting application time-outs and password-protected screensavers with relatively short inactivity time-outs can help prevent unauthorized access. Using session IDs for all applications and verifying system IP addresses would be helpful for online attacks against applications.

75
Q
  1. Lauren is an information security analyst tasked with deploying technical access controls for her organization. Which of the following is not a logical or technical access control?
    a. Passwords
    b. Firewalls
    c. RAID arrays
    d. Routers
A

C. Firewalls, routers, and passwords are all examples of technical access controls and are software or hardware systems used to manage and protect access. RAID-5 is an example of a recovery control. If you’re questioning why routers are a technical access control, remember that router access control lists (ACLs) are quite often used to control network access or traffic flows.

76
Q
  1. The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as, “Which of the following streets did you live on in 2007?” What process is Susan’s organization using?
    a. Identity proofing
    b. Password verification
    c. Authenticating with Type 2 authentication factor
    d. Out-of-band identity proofing
A

A. Verifying information that an individual should know about themselves using third-party factual information (a Type 1 authentication factor) is sometimes known as dynamic knowledge-based authentication and is a type of identity proofing. Out-of-band identity proofing would use another means of contacting the user, like a text message or phone call, and password verification requires a password.

77
Q
  1. The US government CAC is an example of what form of Type 2 authentication factor?
    a. A token
    b. A biometric identifier
    c. A smart card
    d. A PIV
A

C. The US government’s Common Access Card is a smart card. The US government also issues PIV cards, or personal identity verification cards.

78
Q
  1. What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API?
    a. SAML
    b. Shibboleth
    c. OpenID Connect
    d. Higgins
A

C. OpenID Connect is a RESTful, JSON-based authentication protocol that, when paired with OAuth, can provide identity verification and basic profile information. SAML is the Security Assertion Markup Language, Shibboleth is a federated identity solution designed to allow web-based SSO, and Higgins is an open-source project designed to provide users with control over the release of their identity information.

79
Q
  1. Jim has Secret clearance and is accessing files that use a mandatory access control scheme to apply the Top Secret, Secret, Confidential, and Unclassified label scheme. If his rights include the ability to access all data of his clearance level or lower, what classification levels of data can he access?
    a. Top Secret and Secret
    b. Secret, Confidential, and Unclassified
    c. Secret data only
    d. Secret and Unclassified
A

C. In a mandatory access control system, classifications do not have to include rights to lower levels. This means that the only label we can be sure Jim has rights to is Secret. Despite the fact that it is unclassified, Unclassified data remains a different label, and Jim may not be authorized to access it.

80
Q
  1. The security administrators at the company that Susan works for have configured the workstation she uses to allow her to log in only during her work hours. What type of access control best describes this limitation?
    a. Constrained interface
    b. Context-dependent control
    c. Content-dependent control
    d. Least privilege
A

B. Time-based controls are an example of context-dependent controls. A constrained interface would limit what Susan was able to do in an application or system interface, while content-dependent control would limit her access to content based on her role or rights. Least privilege is used to ensure that subjects only receive the rights they need to perform their role.

81
Q
  1. When Lauren uses a fingerprint scanner to access her bank account, what type of authentication factor is she using?
    a. Type 1
    b. Type 2
    c. Type 3
    d. Type 4
A

C. A Type 3 authentication factor is “something you are,” like a biometric identifier. A Type 1 authentication factor is “something you know.” A Type 2 factor is “something you have,” like a smart card or hardware token. There is not a Type 4 authentication factor.

82
Q
  1. Which of the following is not an access control layer?
    a. Physical
    b. Policy
    c. Administrative
    d. Technical
A

B. Policy is a subset of the administrative layer of access controls. Administrative, technical, and physical access controls all play an important role in security.

83
Q
  1. Ben uses a software-based token which changes its code every minute. What type of token is he using?
    a. Asynchronous
    b. Smart card
    c. Synchronous
    d. Static
A

C. Google Authenticator’s constantly changing codes are part of a synchronous token that uses a time-based algorithm to generate codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smart cards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.

84
Q
  1. What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token?
    a. Asynchronous
    b. Smart card
    c. Synchronous
    d. RFID
A

A. Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired with readers and don’t need to have challenges entered, and RFID devices are not used for challenge/response tokens.

85
Q

Ben’s organization is adopting biometric authentication for its high-security building’s access control system. Using the following chart, answer questions 85, 86, and 87 about the organization’s adoption of the technology.

  1. Ben’s company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity?
    a. The FRR crossover
    b. The FAR point
    c. The CER
    d. The CFR
A

C. The crossover error rate is the point where false acceptance rate and false rejection rate cross over and is a standard assessment used to compare the accuracy of biometric devices.

86
Q

Ben’s organization is adopting biometric authentication for its high-security building’s access control system. Using the following chart, answer questions 85, 86, and 87 about the organization’s adoption of the technology.

  1. At point B, what problem is likely to occur?
    a. False acceptance will be very high.
    b. False rejection will be very high.
    c. False rejection will be very low.
    d. False acceptance will be very low.
A

A. At point B, the false acceptance rate, or FAR, is quite high, while the false rejection rate, or FRR, is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of point A.

87
Q

Ben’s organization is adopting biometric authentication for its high-security building’s access control system. Using the following chart, answer questions 85, 86, and 87 about the organization’s adoption of the technology.

  1. What should Ben do if the FAR and FRR shown in this diagram do not provide an acceptable performance level for his organization’s needs?
    a. Adjust the sensitivity of the biometric devices.
    b. Assess other biometric systems to compare them.
    c. Move the CER.
    d. Adjust the FRR settings in software.
A

B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn’t something Ben can do. FRR is not a setting in software, so Ben can’t use that as an option either.

88
Q
  1. What LDAP authentication mode can provide secure authentication?
    a. Anonymous
    b. SASL
    c. Simple
    d. S-LDAP
A

B. The Simple Authentication and Security Layer (SASL) for LDAP provides support for a range of authentication types, including secure methods. Anonymous authentication does not require or provide security, and simple authentication can be tunneled over SSL or TLS but does not provide security by itself. S-LDAP is not an LDAP protocol.

89
Q
  1. Which of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors?
    a. Voice pattern recognition
    b. Hand geometry
    c. Palm scans
    d. Heart/pulse patterns
A

C. Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which is harder to distinguish reliably between individuals or can be fooled more easily.

90
Q
  1. What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider?
    a. It may cause incorrect selection of the proper OpenID provider.
    b. It creates the possibility of a phishing attack by sending data to a fake OpenID provider.
    c. The relying party may be able to steal the client’s username and password.
    d. The relying party may not send a signed assertion.
A

B. Allowing the relying party to provide the redirect to the OpenID provider could allow a phishing attack by directing clients to a fake OpenID provider that can capture valid credentials. Since the OpenID provider URL is provided by the client, the relying party cannot select the wrong provider. The relying party never receives the user’s password, which means that they can’t steal it. Finally, the relying party receives the signed assertion but does not send one.

91
Q
  1. Jim is implementing a cloud identity solution for his organization. What type of technology is he putting in place?
    a. Identity as a Service
    b. Employee ID as a Service
    c. Cloud-based RADIUS
    d. OAuth
A

A. IDaaS, or Identity as a Service, provides an identity platform as a third-party service. This can provide benefits including integration with cloud services and removing overhead for maintenance of traditional on-premise identity systems, but it can also create risk due to third-party control of identity services and reliance on an offsite identity infrastructure.

92
Q
  1. RAID-5 is an example of what type of control?
    a. Administrative
    b. Recovery
    c. Compensation
    d. Logical
A

B. Drives in a RAID-5 array are intended to handle failure of a drive. This is an example of a recovery control, which is used to return operations to normal function after a failure. Administrative controls are policies and procedures. Compensation controls help cover for issues with primary controls or improve them. Logical controls are software and hardware mechanisms used to protect resources and systems.

93
Q
  1. When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?
    a. Role-based access control
    b. Rule-based access control
    c. Mandatory access control
    d. Discretionary access control
A

D. The Linux filesystem allows the owners of objects to determine the access rights that subjects have to them. This means that it is a discretionary access control. If the system enforced a role-based access control, Alex wouldn’t set the controls; they would be set based on the roles assigned to each subject. A rule-based access control system would apply rules throughout the system, and a mandatory access control system uses classification labels.

94
Q
  1. What open protocol was designed to replace RADIUS—including support for additional commands and protocols, replacing UDP traffic with TCP, and providing for extensible commands—but does not preserve backward compatibility with RADIUS?
    a. TACACS
    b. RADIUS-NG
    c. Kerberos
    d. Diameter
A

D. Diameter was designed to provide enhanced, modern features to replace RADIUS. Diameter provides better reliability and a broad range of improved functionality. RADIUS-NG does not exist, Kerberos is not a direct competitor for RADIUS, and TACACS is not an open protocol.

95
Q
  1. LDAP distinguished names (DNs) are made up of comma-separated components called relative distinguished names (RDNs) that have an attribute name and a value. DNs become less specific as they progress from left to right. Which of the following LDAP DNs best fits this rule?
    a. uid=ben,ou=sales,dc=example,dc=com
    b. uid=ben,dc=com,dc=example
    c. dc=com,dc=example,ou=sales,uid=ben
    d. ou=sales,dc=com,dc=example
A

A. In this example, uid=ben,ou=sales,dc=example,dc=com, the items proceed from most specific to least specific (broadest) from left to right, as required by a DN.

96
Q
  1. Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue?
    a. The Kerberos server is offline.
    b. There is a protocol mismatch.
    c. The client’s TGTs have been marked as compromised and de-authorized.
    d. The Kerberos server and the local client’s time clocks are not synchronized.
A

D. Kerberos relies on properly synchronized time on each end of a connection to function. If the local system time is more than 5 minutes out of sync, otherwise valid TGTs will be invalid and the system won’t receive any new tickets.

97
Q
  1. Kerberos, KryptoKnight, and SESAME are all examples of what type of system?
    a. SSO
    b. PKI
    c. CMS
    d. Directory
A

A. Kerberos, KryptoKnight, and SESAME are all single sign-on, or SSO, systems. PKI systems are public key infrastructure systems, CMS systems are content management systems, and LDAP and other directory servers provide information about services, resources, and individuals.

98
Q
  1. Which of the following types of access controls does not describe a lock?
    a. Physical
    b. Directive
    c. Preventative
    d. Deterrent
A

B. Locks can be preventative access controls by stopping unwanted access, can deter potential intruders by making access difficult, and are physical access controls. They are not directive controls because they don’t control the actions of subjects.

99
Q
  1. What authentication protocol does Windows use by default for Active Directory systems?
    a. RADIUS
    b. Kerberos
    c. OAuth
    d. TACACS+
A

B. Windows uses Kerberos for authentication. RADIUS is typically used for wireless networks, modems, and network devices, while OAuth is primarily used for web applications. TACACS+ is used for network devices.

100
Q
  1. Alex configures his LDAP server to provide services on 636 and 3269. What type of LDAP services has he configured based on LDAP’s default ports?
    a. Unsecure LDAP and unsecure global directory
    b. Unsecure LDAP and secure global directory
    c. Secure LDAP and secure global directory
    d. Secure LDAP and unsecure global directory
A

C. The default ports for SSL/TLS LDAP directory information and global catalog services are 636 and 3269, respectively. Unsecure LDAP uses 389, and unsecure global directory services use 3268.