Domain 5 Flashcards
- Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
a. An access control list
b. An implicit denial list
c. A capability table
d. A rights management matrix
C. Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.
- Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim’s company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company’s onsite identity needs?
a. Integrate onsite systems using OAuth.
b. Use an on-premise third-party identity service.
c. Integrate onsite systems using SAML.
d. Design an in-house solution to handle the organization’s unique needs.
B. Since Jim’s organization is using a cloud-based Identity as a Service solution, a third-party, on-premise identity service can provide the ability to integrate with the IDaaS solution, and the company’s use of Active Directory is widely supported by third-party vendors. OAuth is used to log into third-party websites using existing credentials and would not meet the needs described. SAML is a markup language and would not meet the full set of AAA needs. Since the organization is using Active Directory, a custom in-house solution is unlikely to be as effective as a preexisting third-party solution and may take far more time and expense to implement.
- Which of the following is not a weakness in Kerberos?
a. The KDC is a single point of failure.
b. Compromise of the KDC would allow attackers to impersonate any user.
c. Authentication information is not encrypted.
d. It is susceptible to password guessing.
C. Kerberos encrypts messages using secret keys, providing protection for authentication traffic. The KDC is both a single point of failure and can cause problems if compromised because keys are stored on the KDC that would allow attackers to impersonate any user. Like many authentication methods, Kerberos can be susceptible to password guessing.
- Voice pattern recognition is what type of authentication factor?
a. Type 1
b. Type 2
c. Type 3
d. Type 4
C. Voice pattern recognition is “something you are,” a Type 3 authentication factor. Type 1 factors are “something you know,” and Type 2 factors are “something you have.” Type 4 is made up and is not a valid type of authentication factor.
- If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct types of factor has she used?
a. One
b. Two
c. Three
d. Four
B. Susan has used two distinct types of factors: the PIN and password are both Type 1 factors, and the retina scan is a Type 3 factor. Her username is not a factor.
- Which of the following items is not commonly associated with restricted interfaces?
a. Shells
b. Keyboards
c. Menus
d. Database views
B. Menus, shells, and database views are all commonly used for constrained interfaces. A keyboard is not typically a constrained interface, although physically constrained interfaces like those found on ATMs, card readers, and other devices are common.
- During a log review, Saria discovers a series of logs that show login failures as shown here:
Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=orange
Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=Orang3
Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=Orange93
Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=Orangutan1
Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=Orangemonkey
What type of attack has Saria discovered?
a. A brute force attack
b. A man-in-the-middle attack
c. A dictionary attack
d. A rainbow table attack
C. Dictionary attacks use a dictionary or list of common passwords as well as variations of those words to attempt to log in as an authorized user. This attack shows a variety of passwords based on a similar base word, which is often a good indicator of a dictionary attack. A brute force attack will typically show simple iteration of passwords, while a man-in-the-middle attack would not be visible in the authentication log. A rainbow table attack is used when attackers already have password hashes in their possession and would also not show up in logs.
- What type of attack can be prevented by using a trusted path?
a. Dictionary attacks
b. Brute force attacks
c. Man-in-the-middle attacks
d. Login spoofing
D. The Common Criteria defines trusted paths as a way to protect data between users and a security component. This includes attacks like replacing login windows for systems and is the reason Windows uses Ctrl+Alt+Del as a login sequence. Man-in-the-middle attacks can be prevented by using a trusted channel, which is often implemented with encryption and certificates. Brute force and dictionary attacks are often discouraged by using a back-off algorithm to slow down or prevent attacks.
- What major issue often results from decentralized access control?
a. Access outages may occur.
b. Control is not consistent.
c. Control is too granular.
d. Training costs are high.
B. Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.
- Callback to a home phone number is an example of what type of factor?
a. Type 1
b. Somewhere you are
c. Type 3
d. Geographic
B. A callback to a home phone number is an example of a “somewhere you are” factor. This could potentially be spoofed by call forwarding or using a VoIP system. Type 1 factors are “something you know,” Type 3 factors are biometric, and geographic factors are typically based on IP addresses or access to a GPS.
- Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?
a. A shortcut trust
b. A forest trust
c. An external trust
d. A realm trust
D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a non-transitive trust between AD domains in separate forests.
- Which of the following AAA protocols is the most commonly used?
a. TACACS
b. TACACS+
c. XTACACS
d. Super TACACS
B. TACACS+ is the only modern protocol on the list. It provides advantages of both TACACS and XTACACS as well as some benefits over RADIUS, including encryption of all authentication information. Super TACACS is not an actual protocol.
- Which of the following is not a single sign-on implementation?
a. Kerberos
b. ADFS
c. CAS
d. RADIUS
D. Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.
- As seen in the following image, a user on a Windows system is not able to use the “Send Message” functionality. What access control model best describes this type of limitation?
a. Least privilege
b. Need to know
c. Constrained interface
d. Separation of duties
C. Interface restrictions based on user privileges are an example of a constrained interface. Least privilege describes the idea of providing users with only the rights they need to accomplish their job, while need to know limits access based on whether a subject needs to know the information to accomplish an assigned task. Separation of duties focuses on preventing fraud or mistakes by splitting tasks between multiple subjects.
- What type of access controls allow the owner of a file to grant other users access to it using an access control list?
a. Role based
b. Non-discretionary
c. Rule based
d. Discretionary
D. When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant access based on a subject’s role, while rule-based controls would base the decision on a set of rules or requirements. Non-discretionary access controls apply a fixed set of rules to an environment to manage access. Non-discretionary access controls include rule-, role-, and lattice-based access controls.
- Alex’s job requires him to see personal health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?
a. Separation of duties
b. Constrained interfaces
c. Context-dependent control
d. Need to know
D. Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Separation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task. Constrained interfaces restrict what a user can see or do and would be a reasonable answer if need to know did not describe his access more completely in this scenario. Context-dependent control relies on the activity being performed to apply controls, and this question does not specify a workflow or process.
Using your knowledge of the Kerberos logon process and the following diagram, answer questions 17, 18, and 19.
- At point A in the diagram, the client sends the username and password to the KDC. How are the username and password protected?
a. 3DES encryption
b. TLS encryption
c. SSL encryption
d. AES encryption
D. The client in Kerberos logins uses AES to encrypt the username and password prior to sending it to the KDC.
- At point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid?
a. An encrypted TGT and a public key
b. An access ticket and a public key
c. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user’s password
d. An encrypted, time-stamped TGT and an access token
C. The KDC uses the user’s password to generate a hash and then uses that hash to encrypt a symmetric key. It transmits both the encrypted symmetric key and an encrypted time-stamped TGT to the client.
- What tasks must the client perform before it can use the TGT?
a. It must generate a hash of the TGT and decrypt the symmetric key.
b. It must install the TGT and decrypt the symmetric key.
c. It must decrypt the TGT and the symmetric key.
d. It must send a valid response using the symmetric key to the KDC and must install the TGT.
B. The client needs to install the TGT for use until it expires, and must also decrypt the symmetric key using a hash of the user’s password.
- Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
a. Retina scans can reveal information about medical conditions.
b. Retina scans are painful because they require a puff of air in the user’s eye.
c. Retina scanners are the most expensive type of biometric device.
d. Retina scanners have a high false positive rate and will cause support issues.
A. Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.
- Mandatory access control is based on what type of model?
a. Discretionary
b. Group based
c. Lattice based
d. Rule based
C. Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to.
- Which of the following is not a type of attack used against access controls?
a. Dictionary attack
b. Brute force attack
c. Teardrop
d. Man-in-the-middle attack
C. Dictionary, brute force, and man-in-the-middle attacks are all types of attacks that are frequently aimed at access controls. Teardrop attacks are a type of denial of service attack.
- What is the best way to provide accountability for the use of identities?
a. Logging
b. Authorization
c. Digital signatures
d. Type 1 authentication
A. Logging systems can provide accountability for identity systems by tracking the actions, changes, and other activities a user or account performs.
- Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?
a. Re-provisioning
b. Account review
c. Privilege creep
d. Account revocation
B. As an employee’s role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners’ role and job requirements. Account revocation removes accounts, while re-provisioning might occur if an employee was terminated and returned or took a leave of absence and returned.
- Biba is what type of access control model?
a. MAC
b. DAC
c. Role BAC
d. ABAC
A. Biba uses a lattice to control access and is a form of the mandatory access control (MAC) model. It does not use rules, roles, or attributes, nor does it allow user discretion. Users can create content at their level or lower but cannot decide who gets access, levels are not roles, and attributes are not used to make decisions on access control.
- Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
a. Kerberos
b. EAP
c. RADIUS
d. OAuth
C. RADIUS is an AAA protocol used to provide authentication and authorization; it’s often used for modems, wireless networks, and network devices. It uses network access servers to send access requests to central RADIUS servers. Kerberos is a ticket-based authentication protocol; OAuth is an open standard for authentication allowing the use of credentials from one site on third-party sites; and EAP is the Extensible Authentication Protocol, an authentication framework often used for wireless networks.
- What type of access control is being used in the following permission listing:
Storage Device X
User1: Can read, write, list
User2: Can read, list
User3: Can read, write, list, delete
User4: Can list
a. Resource-based access controls
b. Role-based access controls
c. Mandatory access controls
d. Rule-based access controls
A. Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based Infrastructure as a Service environments. The lack of roles, rules, or a classification system indicates that role-based, rule-based, and mandatory access controls are not in use here.
- Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor and what traffic will she be able to read?
a. UDP, none. All RADIUS traffic is encrypted.
b. TCP, all traffic but the passwords, which are encrypted
c. UDP, all traffic but the passwords, which are encrypted
d. TCP, none. All RADIUS traffic is encrypted.
C. By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.
- Which of the following is not part of a Kerberos authentication system?
a. KDC
b. TGT
c. AS
d. TS
D. A key distribution center (KDC) provides authentication services, and ticket-granting tickets (TGTs) provide proof that a subject has authenticated and can request tickets to access objects. Authentication services (ASs) are part of the KDC. There is no TS in a Kerberos infrastructure.
- When an application or system allows a logged-in user to perform specific actions, it is an example of what?
a. Roles
b. Group management
c. Logins
d. Authorization
D. Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.
- Alex has been employed by his company for over a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications due to his former roles. What issue has Alex’s company encountered?
a. Excessive provisioning
b. Unauthorized access
c. Privilege creep
d. Account review
C. Privilege creep occurs when users retain, from roles they held previously, rights they do not need to accomplish their current job. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.
- Which of the following is not a common threat to access control mechanisms?
a. Fake login pages
b. Phishing
c. Dictionary attacks
d. Man-in-the-middle attacks
B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.
- What term properly describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order for normal function?
a. Collisions
b. Race conditions
c. Determinism
d. Out-of-order execution
B. Race conditions occur when two or more processes need to access the same resource in the right order. If an attacker can disrupt this order, they may be able to affect the normal operations of the system and gain unauthorized access or improper rights. Collisions occur when two different files produce the same result from a hashing operation, out-of-order execution is a CPU architecture feature that allows the use of otherwise unused cycles, and determinism is a philosophical term rather than something you should see on the CISSP exam!
- What type of access control scheme is shown in the following table?
a. RBAC
b. DAC
c. MAC
d. TBAC
C. Mandatory access controls use a lattice to describe how classification labels relate to each other. In this image, classification levels are set for each of the labels shown. A discretionary access control (DAC) system would show how the owner of the objects allows access. RBAC could be either rule- or role-based access control and would either use system-wide rules or roles. Task-based access control (TBAC) would list tasks for users.
- Which of the following is not a valid LDAP DN (distinguished name)?
a. cn=ben+ou=sales
b. ou=example
c. cn=ben,ou=example;
d. ou=example,dc=example,dc=com+dc=org
C. LDAP distinguished names are made up of zero or more comma-separated components known as relative distinguished names. cn=ben,ou=example; ends with a semicolon and is not a valid DN. It is possible to have additional values in the same RDN by using a plus sign between them.
- When a subject claims an identity, what process is occurring?
a. Login
b. Identification
c. Authorization
d. Token presentation
B. The process of a subject claiming or professing an identity is known as identification. Authorization verifies the identity of a subject by checking a factor like a password. Logins typically include both identification and authorization, and token presentation is a type of authentication.
- Dogs, guards, and fences are all common examples of what type of control?
a. Detective
b. Recovery
c. Administrative
d. Physical
D. Dogs, guards, and fences are all examples of physical controls. While dogs and guards might detect a problem, fences cannot, so they are not all examples of detective controls. None of these controls would help repair or restore functionality after an issue, and thus none are recovery controls, nor are they administrative controls that involve policy or procedures, although the guards might refer to them when performing their duties.
- Susan’s organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute force attacks?
a. Change maximum age from 1 year to 180 days.
b. Increase the minimum password length from 8 characters to 16 characters.
c. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.
d. Retain a password history of at least four passwords to prevent reuse.
B. Password complexity is driven by length, and a longer password will be more effective against brute force attacks than a shorter password. Each character of additional length increases the difficulty by the size of the potential character set (for example, a single lowercase character makes the passwords 26 times more difficult to crack). While each of the other settings is useful for a strong password policy, they won’t have the same impact on brute force attacks.
- What is the stored sample of a biometric factor called?
a. A reference template
b. A token store
c. A biometric password
d. An enrollment artifact
A. The stored sample of a biometric factor is called a reference profile or a reference template. None of the other answers are common terms used for biometric systems.
- When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?
a. When security is more important than usability
b. When false rejection is not a concern due to data quality
c. When the CER of the system is not known
d. When the CER of the system is very high
A. Organizations that have very strict security requirements that don’t have a tolerance for false acceptance want to lower the false acceptance rate, or FAR, to be as near to zero as possible. That often means that the false rejection rate, or FRR, increases. Different biometric technologies or a better registration method can help improve biometric performance, but false rejections due to data quality are not typically a concern with modern biometric systems. In this case, knowing the crossover error rate, or CER, or having a very high CER doesn’t help the decision.