Domain 5: Review Questions Flashcards

1
Q

Which of the following is not an example of a knowledge authentication factor?

A. Password
B. Mother’s maiden name
C. City of birth
D. Smart card

A

D.

Knowledge factors are something a person knows, including passwords, mother’s maiden name, city of birth, and date of birth. Ownership factors are something a person has, including a smart card.

2
Q

Which of the following statements about memory cards and smart cards is false?

A. A memory card can be a swipe card that contains user authentication information.
B. Memory cards are also known as integrated circuit cards (ICCs).
C. Smart cards contain memory and an embedded chip.
D. Smart card systems are more reliable than memory card systems.

A

B.

Memory cards are not also known as integrated circuit cards (ICCs). Smart cards are also known as ICCs.

A memory card is a swipe card that is issued to valid users and it contains user authentication information.

A smart card, like a memory card, accepts, stores, and sends data, but it can hold more data than a memory card. Smart cards, often known as integrated circuit cards (ICCs), contain memory like a memory card but also contain an embedded chip, like bank or credit cards.

3
Q

Which biometric method is the most accurate?

A. Iris scan
B. Retina scan
C. Fingerprint
D. Handprint

A

B.

Retina scans are considered more accurate than iris scans, fingerprints, and handprints. A retina scan examines the unique blood vessel patterns in the back of the eye.

4
Q

What is a Type I error in a biometric authentication system?

A. Crossover error rate (CER)
B. False rejection rate (FRR)
C. False acceptance rate (FAR)
D. Throughput rate

A

B.

A Type I error in a biometric system is the false rejection rate (FRR).

A Type II error in a biometric system is the false acceptance rate (FAR). The crossover error rate (CER) is the point at which FRR equals FAR. The throughput rate is the rate at which users are authenticated.

5
Q

Which access control model is a desirable model used by routers and firewalls to control access to secure networks?

A. Discretionary access control
B. Mandatory access control
C. Role-based access control
D. Rule-based access control

A

D.

Rule-based access control is a desirable model used by routers and firewalls to control access to networks.

The other three types of access control models are not usually implemented by routers and firewalls.

6
Q

Which threat is not considered a social engineering threat?

A. Phishing
B. Pharming
C. DoS attack
D. Dumpster diving

A

C.

A denial-of-service (DoS) attack is not considered a social engineering threat. The other three options are considered to be social engineering threats.

7
Q

Which of the following statements best describes an IDaaS implementation?

A. Ensures that any instance of identification and authentication to a resource is managed properly.
B. Collects and verifies information about an individual to prove that the person who has a valid account is who that person claims to be.
C. Provides a set of identity and access management functions to target systems on customers’ premises and/or in the cloud.
D. Exchanges authentication and authorization data between organizations or security domains.

A

C.

An Identity as a Service (IDaaS) implementation provides a set of identity and access management functions to target systems on customers’ premises and/or in the cloud. Session management ensures that any instance of identification and authentication to a resource is managed properly. A proof of identity process collects and verifies information about an individual to prove that the person who has a valid account is who that person claims to be.

8
Q

Which of the following is an example of multifactor authentication?

A. Username and password
B. Username, retina scan, and smart card
C. Retina scan and finger scan
D. Smart card and security token

A

B.

Using a username, retina scan, and smart card is an example of multifactor authentication. The username is something you know, the retina scan is something you are, and the smart card is something you have.

9
Q

You decide to implement an access control policy that requires that users only log on from certain workstations within your organization’s facility. Which type of authentication factor are you implementing?

A. Knowledge factor
B. Location factor
C. Ownership factor
D. Characteristic factor

A

B.

You are implementing a location factor, which is based on where a person is located when logging in.

10
Q

Which threat is considered a password threat?

A. Buffer overflow
B. Sniffing
C. Spoofing
D. Brute-force attack

A

D.

A brute-force attack is considered a password threat.

11
Q

Which session management mechanisms are often used to manage desktop sessions?

A. Screensavers and timeouts
B. FIPS 201.2 and NIST SP 800-79-2
C. Bollards and locks
D. KDC, TGT, and TGS

A

A.

Desktop sessions can be managed through screensavers, timeouts, logon, and schedule limitations. FIPS PUB 201.2 and NIST SP 800-79-2 are documents that provide guidance on proof of identity.

Physical access to facilities can be provided securely using locks, fencing, bollards, guards, and CCTV. In Kerberos, the Key Distribution Center (KDC) issues a ticket-granting ticket (TGT) to the principal. The principal sends the TGT to the ticket-granting service (TGS) when the principal needs to connect to another entity.

12
Q

Which of the following is a major disadvantage of implementing an SSO system?

A. Users are able to use stronger passwords.
B. Users need to remember the login credentials for a single system.
C. User and password administration is simplified.
D. If a user’s credentials are compromised, an attacker can access all resources.

A

D.

If a user’s credentials are compromised in a single sign-on (SSO) environment, attackers have access to all resources to which the user has access. All other choices are advantages to implementing an SSO system.

13
Q

Which type of attack is carried out from multiple locations using zombies and botnets?

A. TEMPEST
B. DDoS
C. Backdoor
D. Emanating

A

B.

A distributed DoS (DDoS) attack is a DoS attack that is carried out from multiple attack locations. Vulnerable devices are infected with software agents, called zombies, which turn the devices into a botnet that then carries out the attack.

Devices that meet TEMPEST standards implement an outer barrier or coating, called a Faraday cage or Faraday shield. A backdoor or trapdoor is a mechanism implemented in many devices or applications that gives the user who uses the backdoor unlimited access to the device or application. Emanations are electromagnetic signals that are emitted by an electronic device. Attackers can target certain devices or transmission mediums to eavesdrop on communication without having physical access to the device or medium.

14
Q

Which type of attack is one in which an unauthorized person gains access to a network and remains for a long period of time with the intention of stealing data?

A. APT
B. ABAC
C. Access aggregation
D. FIM

A

A.

An advanced persistent threat (APT) is an attack in which an unauthorized person gains access to a network and remains for a long period of time with the intention of stealing data. Attribute-based access control (ABAC) grants or denies user requests based on arbitrary attributes of the user and arbitrary attributes of the object, and environment conditions that may be globally recognized. Access aggregation is a term that is often used synonymously with privilege creep. Access aggregation occurs when users gain more access across more systems. In federated identity management (FIM), each organization that joins the federation agrees to enforce a common set of policies and standards. These policies and standards define how to provision and manage user identification, authentication, and authorization.

15
Q

Which of the following is a formal process for creating, changing, and removing users that includes user approval, user creation, user creation standards, and authorization?

A. NIST SP 800-63
B. Centralized access control
C. Decentralized access control
D. Provisioning life cycle

A

D.

The provisioning life cycle is a formal process for creating, changing, and removing users. This process includes user approval, user creation, user creation standards, and authorization. Users should sign a written statement that explains the access conditions, including user responsibilities. NIST SP 800-63 provides a suite of technical requirements for federal agencies implementing digital identity services, including an overview of identity frameworks; and using authenticators, credentials, and assertions in digital systems. In centralized access control, a central department or personnel oversee the access for all organizational resources. This administration method ensures that user access is controlled in a consistent manner across the entire enterprise. In decentralized access control, personnel closest to the resources, such as department managers and data owners, oversee the access control for individual resources.

16
Q

Henry uses his organizationally provided credentials to log into his workstation and is then able to use services across the organization and in the cloud. What identity solution has his organization implemented?

A. An access control list
B. Single sign-on
C. Multifactor authentication
D. Role-based access control

A

B.

Single sign-on provides a single authentication process to allow authorization to multiple services. An access control list, or ACL, is a ruleset used to determine if a subject can gain access to a service or system. Multifactor requires multiple factors, and the specifics of how Henry logged in were not discussed in the question. Finally, role-based access control uses a subject’s role(s) to determine if they can access a service or system, and no mention of roles was made.

17
Q

Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. Jim’s company does not have internal identity management staff and does not use centralized identity services. Instead, they rely upon Active Directory for AAA services. Which of the following options should Jim recommend to best handle the company’s on-site identity needs?

A. Integrate on-site systems using OAuth.
B. Use an on-premises third-party identity service.
C. Integrate on-site systems using SAML.
D. Design an internal solution to handle the organization’s unique needs.

A

B.

Since Jim’s organization is using a cloud-based identity as a service solution, a third-party, on-premises identity service can provide the ability to integrate with the IDaaS solution, and the company’s use of Active Directory is widely supported by third-party vendors. OAuth is used to log in to third-party websites using existing credentials and would not meet the needs described. SAML is a markup language and would not meet the full set of AAA needs. Since the organization is using Active Directory, a custom in-house solution is unlikely to be as effective as a preexisting third-party solution and may take far more time and expense to implement.

18
Q

What role does a policy enforcement point play in a zero trust environment?

A. It makes decisions for the policy engine.
B. It is the workstation or mobile device used by the end user.
C. It deploys role-based access controls based on local policy.
D. It receives authorization requests and sends them to the policy decision point.

A

D.

A policy enforcement point in a zero trust environment receives authorization requests and then sends them to the policy decision point. They are used anywhere that authorization controls are needed. They do not make decisions for the policy engine, can exist beyond workstations and mobile devices, and use policies set at the zero trust control layer rather than just at the endpoint device.

19
Q

Voice pattern recognition is what type of authentication factor?

A. Something you know
B. Something you have
C. Something you are
D. Somewhere you are

A

C.

Voice pattern recognition is “something you are,” a biometric authentication factor, because it measures a physical characteristic of the individual authenticating.

20
Q

If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct authentication factor types has she used?

A. One
B. Two
C. Three
D. Four

A

B.

Susan has used two distinct types of factors: the PIN and password are both Type 1 factors, and the retina scan is a Type 3 factor. Her username is not a factor.

21
Q

Charles wants to deploy a credential management system (CMS). He wants to keep the keys as secure as possible. Which of the following is the best design option for his CMS implementation?

A. Use AES-256 instead of 3DES.
B. Use long keys.
C. Use an HSM.
D. Change passphrases regularly.

A

C.

Hardware Security Modules, or HSMs, are the most secure way to store keys associated with a CMS. They provide enhanced key management capabilities and are often required to be FIPS certified. In addition to these advantages, an HSM can improve cryptographic performance for the organization due to dedicated hardware designed for just that purpose. Long keys and using AES-256 are good practices, but an HSM provides greater security and will require appropriate cryptographic controls already. Changing passphrases can be challenging across an organization; instead, securing the passphrases and keys is more important and reasonable for most organizations.

22
Q

Brian is a researcher at a major university. As part of his research, he logs into a computing cluster hosted at another institution using his own university’s credentials. Once logged in, he is able to access the cluster and use resources based on his role in a research project, as well as using resources and services in his home organization. What has Brian’s home university implemented to make this happen?

A. Domain stacking
B. Federated identity management
C. Domain nesting
D. Hybrid login

A

B.

Brian’s organization is using a federated identity management approach where multiple organizations allow identities to be used across the organizations. Each organization needs to conduct identity proofing of their own staff members’ identities and provide them with rights and role information that will allow them to use resources within the federated identity environment.

23
Q

When Sally attempts to authenticate to her organization’s services, she knows that the organization uses a mobile device management tool to check her location and whether she’s logging in from her company-issued mobile device. What type of authentication is this?

A. Context-aware
B. Knowledge-based
C. Identity factoring
D. Zero trust

A

A.

Authentication that takes attributes such as location, device, and time of day into account is context-aware authentication. This allows organizations to make choices about whether the authentication is appropriate and allowed in addition to the use of credentials. The decision is based on contextual information, not user knowledge or identity factors, which are used only to authenticate. Zero trust may leverage context information, but context-aware authentication alone does not indicate zero trust.

24
Q

What major issue often results from decentralized access control?

A. Access outages may occur.
B. Control is not consistent.
C. Control is too granular.
D. Training costs are high.

A

B.

Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.

25
Q

Callback to a landline phone number is an example of what type of factor?

A. Something you know
B. Somewhere you are
C. Something you have
D. Something you are

A

B.

A callback to a landline phone number is an example of a “somewhere you are” factor because of the fixed physical location of a wired phone. A callback to a mobile phone would be a “something you have” factor.

26
Q

What common behavior drives the NIST recommendation that passwords should not expire?

A. Attackers would not have enough time to compromise passwords if they expired.
B. Users often make minimal changes to passwords to handle change requirements.
C. Password expiration leads to too little support overhead.
D. Re-hashing passwords when changes are required is computationally intensive.

A

B.

The NIST recommendation to not expire passwords recognizes that users often make minimal changes to their passwords when they are required to change them. In addition, password changes drive significant support overhead as users forget their passwords or otherwise face challenges with them. Longer password lives do create the potential for attackers to have longer to compromise them, but modern password recommendations look for multifactor authentication, which means a compromised password is less of a threat. Hashing new passwords does require computation, but not a significant amount using modern hardware.

27
Q

What three functions make up the AAA model?

A. Access control, authentication, and authorization
B. Access, administration, and authorization
C. Authentication, authorization, and accounting
D. Accounting, auditing, and assessment

A

C.

AAA refers to a set of security protocols that are used to identify and authorize users and record their activities. The acronym stands for authentication, authorization, and accounting.

28
Q

What directory-based technology underlies Microsoft Active Directory single sign-on?

A. LDAP
B. Zero trust
C. Shibboleth
D. RADIUS

A

A.

Active Directory relies on the Lightweight Directory Access Protocol (LDAP) as part of its single sign-on (SSO) implementation. Zero trust is not a SSO implementation, and Shibboleth is an open-source identity management system. RADIUS is not a single sign-on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.

29
Q

Sameer’s organization needs to perform identity proofing for new customers. What type of authentication is best suited to identity proofing in this scenario?

A. Cognitive passwords
B. Knowledge-based authentication
C. Palm scans
D. USB tokens

A

B.

Knowledge-based authentication relies on information that only the individual who wants to prove their identity is likely to know. This might include a mortgage payment amount, vehicle information, or driver’s license number among many options. Cognitive passwords, or security questions, are created by users, which means they aren’t suited to this type of identity proofing. Palm scans and USB tokens both require prior engagement with the user as well and thus aren’t suited for identity proofing with users who are new customers.

30
Q

What type of access controls allow the owner of a file to grant other users access to it using an access control list?

A. Role-based
B. Nondiscretionary
C. Rule-based
D. Discretionary

A

D.

When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant access based on a subject’s role, while rule-based controls would base the decision on a set of rules or requirements. Nondiscretionary access controls apply a fixed set of rules to an environment to manage access. Nondiscretionary access controls include rule-, role-, and lattice-based access controls.

31
Q

Alex’s job requires him to see protected health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?

A. Separation of duties
B. Constrained interfaces
C. Context-dependent control
D. Need to know

A

D.

Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Separation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task. Constrained interfaces restrict what a user can see or do and would be a reasonable answer if need to know did not describe his access more completely in this scenario. Context-dependent control relies on the activity being performed to apply controls, and this question does not specify a workflow or process.

32
Q

Ifeoma wants to ensure that users in her organization cannot change their password to a previously used password. What setting should she configure?

A. Password length
B. Maximum password age
C. An MFA requirement
D. Password history

A

D.

Password history tracks what passwords have been set previously and will not allow reuse. A specific number of past passwords is typically set, and passwords themselves should not be retained. Instead, properly secured hashes are retained and compared to hashes of the new passwords. Length, maximum age, and MFA do not solve the issue of password reuse.

33
Q

With a password history set, Ifeoma wants to prevent users from resetting their password multiple times to allow them to return to their original password. What setting should she apply?

A. A password complexity requirement
B. A maximum password age
C. A minimum password age
D. A password length requirement

A

C.

Ifeoma knows that a minimum password age of one day will discourage users from resetting their passwords to attempt to return to their original password. Length and complexity do not prevent this if the original password met these requirements, and a maximum age is set in organizations that require password changes on a recurring basis.

34
Q

With her organization’s password behavior under control, Ifeoma wants to ensure that a lost password will not result in easy compromise of her company’s accounts. Which of the following controls provides the best protection against password loss or exposure-related compromise?

A. MFA
B. SSO
C. Federation
D. Password rotation

A

A.

Requiring multifactor authentication (MFA) is a common security measure used to prevent unauthorized access to an account in case of password loss or exposure. SSO allows the use of an account throughout systems or services. Federation connects different organizations together, allowing the use of credentials between trusted partners. Password rotation can help, but a lost password remains dangerous until the rotation happens, leaving days, weeks, or even months of potential vulnerability.

35
Q

Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?

A. Retina scans can reveal information about medical conditions.
B. Retina scans are painful because they require a puff of air in the user’s eye.
C. Retina scanners are the most expensive type of biometric device.
D. Retina scanners have a high false positive rate and will cause support issues.

A

A.

Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.

36
Q

Mandatory access control is based on what type of model?

A. Discretionary
B. Group-based
C. Lattice-based
D. Rule-based

A

C.

Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group-based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to.

37
Q

Greg wants to control access to iPads used throughout his organization as point-of-sale terminals. Which of the following methods should he use to allow logical access control for the devices in a shared environment?

A. Use a shared PIN for all point-of-sale terminals to make them easier to use.
B. Use OAuth to allow cloud logins for each user.
C. Issue a unique PIN to each user for the iPad they are issued.
D. Use Active Directory and user accounts for logins to the iPads using the AD user ID and password.

A

D.

Using an enterprise authentication system like Active Directory that requires individuals to log in with their credentials provides the ability to determine who was logged in if a problem occurs and also allows Greg to quickly and easily remove users who are terminated or switch roles. Using a shared PIN provides no accountability, while unique PINs per user on specifically issued iPads mean that others will not be able to log in. OAuth alone does not provide the services and features Greg needs—it is an authorization service, not an authentication service.

38
Q

What is the best way to provide accountability for the use of identities?

A. Logging
B. Authorization
C. Digital signatures
D. Type 1 authentication

A

A.

Logging systems can provide accountability for identity systems by tracking the actions, changes, and other activities a user or account performs. Authorization does not provide accountability because it validates that a person can perform an action, not who is using the identity. Digital signatures can be used to validate an identity, not to provide accountability by proving who is using it, and Type 1 authentication is something you know. Again, logging is the best way to provide accountability for the use of an identity.

39
Q

Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?

A. Re-provisioning
B. Account review
C. Privilege creep
D. Account revocation

A

B.

As an employee’s role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners’ role and job requirements. Account revocation removes accounts, while re-provisioning might occur if an employee was terminated and returned or took a leave of absence and returned.

40
Q

Biba is what type of access control model?

A. MAC
B. DAC
C. Role BAC
D. ABAC

A

A.

Biba uses a lattice to control access and is a form of the mandatory access control (MAC) model. It does not use rules, roles, or attributes, nor does it allow user discretion. Users can create content at their level or lower but cannot decide who gets access, levels are not roles, and attributes are not used to make decisions on access control.

41
Q

Which of the following is a client-server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?

A. Kerberos
B. EAP
C. RADIUS
D. OAuth

A

C.

RADIUS is an AAA protocol used to provide authentication and authorization; it’s often used for modems, wireless networks, and network devices. It uses network access servers to send access requests to central RADIUS servers. Kerberos is a ticket-based authentication protocol; OAuth is an open standard for authentication allowing the use of credentials from one site on third-party sites; and EAP is the Extensible Authentication Protocol, an authentication framework often used for wireless networks.

42
Q

Henry is working with a web application development team on their authentication and authorization process for his company’s new application. The team wants to make session IDs as secure as possible. Which of the following is not a best practice that Henry should recommend?

A. The session ID token should be predictable.
B. The session ID should have at least 64 bits of entropy.
C. The session length should be at least 128 bits.
D. The session ID should be meaningless.

A

A.

Session identifiers should not be predictable, to ensure that attackers can’t simply guess or easily brute-force session IDs. Web application development best practices currently recommend the use of long session IDs (128 bits or longer) that have sufficient entropy (randomness) to ensure that they will not be easily duplicated or brute-forced. It is also a best practice to make sure the session ID itself is meaningless, to prevent information disclosure attacks. Session IDs should expire, however, because a session that never expires could eventually be brute-forced even if all of these recommendations were met.

43
Q

Angela uses her smartphone’s built-in biometric authentication and an application provided by her employer to log into her account. What type of authentication has she used?

A. Extended
B. Passwordless
C. Alternative
D. SPOT

A

B.

Passwordless authentication leverages applications and capabilities such as built-in biometric authentication mechanisms. Extended and alternative authentication are not terms used on the exam. The Fast Identity Online Alliance (FIDO) is an open industry association that provides frameworks for passwordless authentication, but SPOT is not a type of passwordless authentication.

44
Q

What type of access control best describes NAC’s posture assessment capability?

A. A mandatory access control
B. A risk-based access control
C. A discretionary access control
D. A role-based access control

A

B.

The posturing capability of network access control (NAC) determines if a system is sufficiently secure and compliant enough to connect to a network. This is a form of risk-based access control, as systems that are not compliant are considered higher risk and either are placed in a quarantine and remediation network or zone or are prohibited from connecting to the network until they are compliant.

45
Q

When an application or system allows a logged-in user to perform specific actions, it is an example of what?

A. Roles
B. Group management
C. Logins
D. Authorization

A

D.

Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.

46
Q

Alex has been employed by his company for more than a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications because of his former roles. What issue has Alex’s company encountered?

A. Excessive provisioning
B. Unauthorized access
C. Privilege creep
D. Account review

A

C.

Privilege creep occurs when users retain rights they do not need to accomplish their current job from roles they held previously. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.

47
Q

Geoff wants to prevent privilege escalation attacks in his organization. Which of the following practices is most likely to prevent horizontal privilege escalation?

A. Multifactor authentication
B. Limiting permissions for groups and accounts
C. Disabling unused ports and services
D. Sanitizing user inputs to applications

A

A.

Multifactor authentication is most likely to limit horizontal privilege escalation by making it difficult to access user accounts and to authenticate to a compromised account. Limiting permissions for groups and accounts can also help, but disabling unused ports and services and sanitizing user inputs both address threats that are most frequently associated with vertical privilege escalation attacks.

48
Q

Jim’s Microsoft Exchange environment includes servers that are located in local data centers at multiple business offices around the world as well as an Office 365 deployment for employees who are not located at one of those offices. Identities are created and used in both environments and will work in both. What type of federated system is Jim running?

A. A primary cloud system
B. A primary on-premises system
C. A hybrid system
D. A multitenant system

A

C.

Hybrid systems use both on-premises and cloud identity and services to provide resources and tools in both environments. While they can be complex, hybrid systems also provide a migration path to a full cloud deployment or for a fault-tolerant design that can handle on-premises or cloud outages while remaining functional.

49
Q

What type of access control scheme is shown in the following table?

A. RBAC
B. DAC
C. MAC
D. TBAC

A

C.

Mandatory access controls (MAC) use a lattice or matrix to describe how classification labels relate to each other. In this image, classification levels are set for each of the labels shown. A discretionary access control (DAC) system would show how the owner of the objects allows access. RBAC could be either rule- or role-based access control and would use either system-wide rules or roles. Task-based access control (TBAC) would list tasks for users.

50
Q

Michelle’s company is creating a new division by splitting the marketing and communications departments into two separate groups. She wants to create roles that provide access to resources used by each group. What should she do to maintain the appropriate security and rights for each group?

A. Put both the marketing and communications teams into the existing group because they will have similar access requirements.
B. Keep the marketing team in the existing group and create a new communications group based on their specific needs.
C. Keep the communications team in the existing group and create a new marketing group based on their specific needs.
D. Create two new groups, assess which rights they need to perform their roles, and then add additional rights if required.

A

D.

Copying existing rights to new groups that have different needs will often result in overly broad privileges. Michelle should create new groups, move all staff into the appropriate groups, and then ensure that they have the access and permissions they need.

51
Q

When a subject claims an identity, what process is occurring?

A. Login
B. Identification
C. Authorization
D. Token presentation

A

B.

The process of a subject claiming or professing an identity is known as identification. Authorization verifies the identity of a subject by checking a factor like a password. Logins typically include both identification and authorization, and token presentation is a type of authentication.

52
Q

Which of the following is a common account setting for a service account?

A. Disable password expiration.
B. Set maximum password age to 90 days.
C. Set minimum password age to 1 day.
D. Disable complexity requirements.

A

A.

Service accounts are commonly set to not have expiring passwords to prevent service outages. Organizations may choose to rotate passwords on a regular basis using automation tools as part of their password management strategy to help avoid issues with exposed or compromised service passwords. Disabling complexity requirements and setting a minimum password age are not commonly done for service accounts.

53
Q

Susan’s organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute-force attacks?

A. Change the maximum age from 1 year to 180 days.
B. Increase the minimum password length from 8 characters to 16 characters.
C. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.
D. Retain a password history of at least four passwords to prevent reuse.

A

B.

Password complexity is driven by length, and a longer password will be more effective against brute-force attacks than a shorter password. Each character of additional length increases the difficulty by the size of the potential character set (for example, a single lowercase character makes the passwords 26 times more difficult to crack). While each of the other settings is useful for a strong password policy, they won’t have the same impact on brute-force attacks.

54
Q

Alaina is performing a regularly scheduled review for service accounts. Which of the following events should she be most concerned about?

A. An interactive login for the service account
B. A password change for the service account
C. Limitations placed on the service account’s rights
D. Local use of the service account

A

A.

Interactive login for a service account is a critical warning sign, either of compromise or bad administrative practices. In either case, Alaina should immediately work to determine why the account logged in, what occurred, and if the interactive login was done remotely or locally. A remote interactive login for a service account in any professionally maintained environment is an almost guaranteed sign of compromise. Password changes for service accounts may be done as part of ongoing password expiration processes, limitations should always be placed on service accounts’ rights to ensure that they are only those required, and local use of the service account as part of the service is a normal event.

55
Q

When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?

A. When security is more important than usability
B. When false rejection is not a concern due to data quality
C. When the CER of the system is not known
D. When the CER of the system is very high

A

A.

Organizations that have very strict security requirements that don’t have a tolerance for false acceptance want to lower the false acceptance rate, or FAR, to be as near to zero as possible. That often means that the false rejection rate, or FRR, increases. Different biometric technologies or a better registration method can help improve biometric performance, but false rejections due to data quality are not typically a concern with modern biometric systems. In this case, knowing the crossover error rate, or CER, or having a very high CER doesn’t help the decision.

56
Q

After recent reports of undesired access to workstations after hours, Derek has been asked to find a way to ensure that maintenance staff cannot log into workstations in business offices. The maintenance staff members do have systems in their break rooms and their offices for the organization, which they still need access to. What should Derek do to meet this need?

A. Require multifactor authentication and allow only office staff to have multifactor tokens.
B. Use rule-based access control to prevent logins after hours in the business area.
C. Use role-based access control by setting up a group that contains all maintenance staff and then give that group rights to log into only the designated workstations.
D. Use geofencing to only allow logins in maintenance areas.

A

C.

The most efficient use of Derek’s time would be to create a group that is populated with all maintenance staff and then to give that group login rights only to the designated PCs. While time-based constraints might help, in this case, it would continue to allow maintenance staff to log in to PCs that are not intended for use during business hours, leaving a gap in the control. Multifactor authentication, as described, does not meet the requirements of the scenario but may be a good idea overall for greater security for authentication across the organization. Geofencing is typically not accurate enough to rely on inside buildings for specific PCs.

57
Q

Nick wants to do session management for his web application. Which of the following are common web application session management techniques or methods? (Select all that apply.)

A. IP tracking
B. Cookies
C. URL rewriting
D. TLS tokens

A

B, C.

Common session management techniques include the use of cookies, hidden form fields, URL rewriting, and built-in frameworks like Java’s HTTPS session. IP tracking may be included in session information but is not itself a complete session identifier, and TLS token binding is used to make TLS sessions more secure, not to provide session identification.

58
Q

Use your knowledge of SAML integrations and security architecture design and refer to the following scenario and diagram:

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization.

Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks?

A. Use SAML’s secure mode to provide secure authentication.
B. Implement TLS using a strong cipher suite, which will protect against both types of attacks.
C. Implement TLS using a strong cipher suite and use digital signatures.
D. Implement TLS using a strong cipher suite and message hashing.

A

C.

TLS provides message confidentiality and integrity, which can prevent eavesdropping. When paired with digital signatures, which provide integrity and authentication, forged assertions can also be defeated. SAML does not have a security mode and relies on TLS and digital signatures to ensure security if needed. Message hashing without a signature would help prevent modification of the message but won’t necessarily provide authentication.

59
Q

Use your knowledge of SAML integrations and security architecture design and refer to the following scenario and diagram:

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization.

If Alex’s organization is one that is primarily made up of off-site, traveling users, what availability risk does integration of critical business applications to on-site authentication create, and how could he solve it?

A. Third-party integration may not be trustworthy; use SSL and digital signatures.
B. If the home organization is offline, traveling users won’t be able to access third-party applications; implement a hybrid cloud/local authentication system.
C. Local users may not be properly redirected to the third-party services; implement a local gateway.
D. Browsers may not properly redirect; use host files to ensure that issues with redirects are resolved.

A

B.

Integration with cloud-based third parties that rely on local authentication can fail if the local organization’s Internet connectivity or servers are offline. Adopting a hybrid cloud and local authentication system can ensure that Internet or server outages are handled, allowing authentication to work regardless of where the user is or if their home organization is online. Using encrypted and signed communication does not address availability, redirects are a configuration issue with the third party, and a local gateway won’t handle remote users. Also, host files don’t help with availability issues with services other than DNS.

60
Q

Use your knowledge of SAML integrations and security architecture design and refer to the following scenario and diagram:

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization.

What solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagram?

A. An awareness campaign about trusted third parties
B. TLS
C. Handling redirects at the local site
D. Implementing an IPS to capture SSO redirect attacks

A

A.

While many solutions are technical, if a trusted third party redirects to an unexpected authentication site, awareness is often the best defense. Using TLS would keep the transaction confidential but would not prevent the redirect. Handling redirects locally works only for locally hosted sites, and using a third-party service requires off-site redirects. An IPS might detect an attacker’s redirect, but tracking the multitude of load-balanced servers most large providers use can be challenging, if not impossible. In addition, an IPS relies on visibility into the traffic, and SAML integrations should be encrypted for security, which would require a man-in-the-middle type of IPS to be configured.

61
Q

Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?

A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority

A

B.

Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control system (MAC). MAC is more secure due to the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.

62
Q

Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed?

A. Log review
B. Manual review of permissions
C. Signature-based detection
D. Review the audit trail

A

C.

While signature-based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.

63
Q

Jessica wants to adopt an open standard to provide authentication, authorization, and attribute information as part of her cloud identity federation efforts. What standard should she adopt to leverage the flexibility of XML as part of her efforts?

A. SAML
B. SOAP
C. OAuth
D. OpenID Connect

A

A.

SAML is an open, XML-based standard used to provide authorization, attribute information, and authentication data. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging but is not a markup language itself. OAuth is an authorization framework that exchanges information using APIs, and OpenID Connect is an authentication layer using OAuth that provides both authentication and authorization, but not attribute information.

64
Q

During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?

A. A brute-force attack
B. A pass-the-hash attack
C. A rainbow table attack
D. A salt recovery attack

A

C.

Rainbow tables are databases of pre-hashed passwords paired with high-speed lookup functions. Since they can quickly compare known hashes against those in a file, using rainbow tables is the fastest way to quickly determine passwords from hashes. A brute-force attack may eventually succeed but will be very slow against most hashes. Pass-the-hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent to a system to avoid the need to know a user’s password. Salts are data added to a hash to avoid the use of tools like rainbow tables. A salt added to a password means the hash won’t match a rainbow table generated without the same salt.

65
Q

Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?

A. PKI
B. Federation
C. Single sign-on
D. Provisioning

A

B.

Google’s federation with other applications and organizations allows single sign-on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single sign-on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.

66
Q

Amanda starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?

A. Privilege creep
B. Rights collision
C. Least privilege
D. Excessive privileges

A

D.

When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike privilege creep, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collision is a made-up term and thus is not an issue here.

67
Q

When Chris verifies an individual’s identity and adds a unique identifier like a user ID to an identity system, what process has occurred?

A. Identity proofing
B. Registration
C. Directory management
D. Session management

A

B.

Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.

68
Q

Selah wants to provide accountability for actions performed via her organization’s main line-of-business application. What controls are most frequently used to provide accountability in a situation like this? (Select all that apply.)

A. Enable audit logging.
B. Provide every staff member with a unique account and enable multifactor authentication.
C. Enable time- and location-based login requirements.
D. Provide every staff member with a unique account and require a self-selected password.

A

A, B.

Audit logging when combined with user accounts that can reliably be expected to be accessible only to a specific user due to the use of multifactor authentication is frequently used to provide strong accountability for actions taken via systems and applications. A password can be shared, making it less reliable, and time and location requirements are useful security controls but do not impact accountability.

69
Q

Charles wants to provide authorization services as part of his web application. What standard should he use if he wants to integrate easily with other web identity providers?

A. OpenID
B. TACACS+
C. RADIUS
D. OAuth

A

D.

OAuth is the most widely used open standard for authorization and delegation of rights for cloud services. OpenID is used for authentication, and TACACS+ and RADIUS are primarily used on-site for authentication and authorization for network devices.

70
Q

The company that Cameron works for uses a system that allows users to request privileged access to systems when necessary. Cameron requests access, and the request is pre-approved due to his role. He is then able to access the system to perform the task. Once he is done, the rights are removed. What type of system is he using?

A. Zero trust
B. Federated identity management
C. Single sign-on
D. Just-in-time access

A

D.

Cameron is using a just-in-time (JIT) system that provides the access needed when it is needed. A zero trust system requires authentication and authorization when actions are performed but does not necessarily require privileges to be granted and removed when they are needed.

71
Q

Elle is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?

A. Require users to create unique questions that only they will know.
B. Require new users to bring their driver’s license or passport in person to the bank.
C. Use information that both the bank and the user have such as questions pulled from their credit report.
D. Call the user on their registered phone number to verify that they are who they claim to be.

A

C.

Identity proofing can be done by comparing user information that the organization already has, like account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.

72
Q

Susan’s organization is part of a federation that allows users from multiple organizations to access resources and services at other federated sites. When Susan wants to use a service at a partner site, which identity provider is used?

A. Susan’s home organization’s identity provider.
B. The service provider’s identity provider.
C. Both their identity provider and the service provider’s identity provider.
D. The service provider creates a new identity.

A

A.

In federated systems, a user’s access to services is authenticated through their own organization’s identity provider (IDP). Service providers query those IDPs when the user attempts to authenticate to the service and, if the request is validated, allow access based on the rules and policies set for the service, using any relevant attributes provided by the IDP.

73
Q

A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged into another customer’s account. What type of biometric factor error occurred?

A. A registration error
B. A Type 1 error
C. A Type 2 error
D. A time of use, method of use error

A

C.

Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 1 errors occur when a valid subject is not authenticated; if the existing customer is rejected, it is a Type 1 error. Registration is the process of adding users, but registration errors and time of use, method of use errors are not specific biometric authentication terms.

74
Q

What type of access control is typically used by firewalls?

A. Discretionary access controls
B. Rule-based access controls
C. Task-based access control
D. Mandatory access controls

A

B.

Firewalls use rule-based access control, or Rule-BAC, in their access control lists and apply rules created by administrators to all traffic that passes through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.

75
Q

When you input a user ID and password, you are performing what important identity and access management activity?

A. Authorization
B. Validation
C. Authentication
D. Login

A

C.

When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren’t the most important identity and access management activity.

76
Q

Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-stripe-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen’s best option to make sure that the users of the passcards are who they are supposed to be?

A. Add a reader that requires a PIN for passcard users.
B. Add a camera system to the facility to observe who is accessing servers.
C. Add a biometric factor.
D. Replace the magnetic stripe keycards with smartcards.

A

C.

Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or “something you have.” Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN would address the problem by adding a second authentication factor, but PINs may be written down and are prone to theft or even guessing for shorter PINs, so a biometric factor is preferable if it is available. Adding cameras doesn’t prevent access to the facility and thus doesn’t solve the immediate problem (but it is a good idea!).

77
Q

Theresa wants to allow her staff to securely store and manage passwords for systems including service accounts and other rarely used administrative credentials. What type of tool should she implement to enable this?

A. Single sign-on
B. A federated identity system
C. A password vault
D. A multifactor authentication system

A

C.

Enterprise credential management tools, often called password vaults, allow passwords to be securely generated, stored, and managed. They can provide logs of who uses passwords, when they were updated, and if they meet complexity and other requirements. Of course, this means the keys to your environment are all in one place, so securing and managing the enterprise password manager is very important!

78
Q

Olivia wants to limit the commands that a user can run via sudo to limit the potential for privilege escalation attacks. What Linux file should she modify to allow this?

A. The bash .bin configuration file
B. The sudoers file
C. The bash .allowed configuration file
D. The sudont file

A

B.

The sudoers file can list the specific users who can use sudo as well as the commands or directories that are allowed for them.

79
Q

Which objects and subjects have a label in a MAC model?

A. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label.
B. All objects have a label, and all subjects have a compartment.
C. All objects and subjects have a label.
D. All subjects have a label and all objects have a compartment.

A

C.

In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.

80
Q

Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google account using OAuth 2.0 or creating a new account on the platform using their own email address and a password of their choice.

1. When the e-commerce application creates an account for a Google user, where should that user’s password be stored?

A. The password is stored in the e-commerce application’s database.
B. The password is stored in memory on the e-commerce application’s server.
C. The password is stored in Google’s account management system.
D. The password is never stored; instead, a salted hash is stored in Google’s account management system.

2. Which of the following is responsible for user authentication for Google users?

A. The e-commerce application.
B. Both the e-commerce application and Google servers.
C. Google servers.
D. The diagram does not provide enough information to determine this.

3. What type of attack is the creation and exchange of state tokens intended to prevent?

A. XSS
B. CSRF
C. SQL injection
D. XACML

A
1. D.

Passwords are never stored for web applications in a well-designed environment. Instead, salted hashes are stored and compared to passwords after they are salted and hashed. If the hashes match, the user is authenticated.

2. C.

When a third-party site integrates via OAuth 2.0, authentication is handled by the service provider’s servers. In this case, Google is acting as the service provider for user authentication. Authentication for local users who create their own accounts would occur in the e-commerce application (or a related server), but that is not the question that is asked here.

3. B.

The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site request forgery (CSRF). This makes sure that the unique session token with the authentication response from Google’s OAuth service is available to verify that the user, not an attacker, is making a request. XSS attacks focus on scripting and would have script tags involved, SQL injection would have SQL code included, and XACML is the eXtensible Access Control Markup Language, not a type of attack.

81
Q

Questions like “What is your pet’s name?” are examples of what type of identity proofing?

A. Knowledge-based authentication
B. Dynamic knowledge-based authentication
C. Out-of-band identity proofing
D. A Type 3 authentication factor

A

A.

Knowledge-based authentication relies on preset questions such as “What is your pet’s name?” and the answers. It can be susceptible to attacks because of the availability of the answers on social media or other sites. Dynamic knowledge-based authentication relies on facts or data that the user already knows that can be used to create questions they can answer on an as-needed basis (for example, a previous address or a school they attended). Out-of-band identity proofing relies on an alternate channel like a phone call or text message. Finally, Type 3 authentication factors are biometric, or “something you are,” rather than knowledge-based.

82
Q

Madhuri creates a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the object. What type of access control system is Madhuri using?

A. A capability table
B. An access control list
C. An access control matrix
D. A subject/object rights management system

A

C.

An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.

83
Q

During a review of support tickets, Ben’s organization discovered that password changes accounted for more than a quarter of its help desk’s cases. Which of the following options would be most likely to decrease that number significantly?

A. Two-factor authentication
B. Biometric authentication
C. Self-service password reset
D. Passphrases

A

C.

Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has. Two-factor and biometric authentication both add complexity and may actually increase the number of contacts. Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don’t have the same impact that a self-service system does.

84
Q

Brian’s large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS?

A. Use the built-in encryption in RADIUS.
B. Implement RADIUS over its native UDP using TLS for protection.
C. Implement RADIUS over TCP using TLS for protection.
D. Use an AES256 pre-shared cipher between devices.

A

C.

RADIUS supports TLS over TCP. RADIUS does not have a supported TLS mode over UDP. AES pre-shared symmetric ciphers are not a supported solution and would be difficult to both implement and maintain in a large environment, and the built-in encryption in RADIUS only protects passwords.

85
Q

Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?

A. Kerberos
B. OAuth
C. OpenID
D. LDAP

A

B.

OAuth provides the ability to access resources from another service and would meet Jim’s needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.

86
Q

Ben’s organization has had an issue with unauthorized access to applications and workstations during the lunch hour when employees aren’t at their desks. What are the best types of session management solutions for Ben to recommend to help prevent this type of access?

A. Use session IDs for all access and verify system IP addresses of all workstations.
B. Set session timeouts for applications and use password-protected screensavers with inactivity timeouts on workstations.
C. Use session IDs for all applications, and use password-protected screensavers with inactivity timeouts on workstations.
D. Set session timeouts for applications and verify system IP addresses of all workstations.

A

B.

Since physical access to the workstations is part of the problem, setting application timeouts and password-protected screensavers with relatively short inactivity timeouts can help prevent unauthorized access. Using session IDs for all applications and verifying system IP addresses would be helpful for online attacks against applications.