Identity and Access Management (IAM) Flashcards

This domain represents 13 percent of the exam. Identity and access management (IAM) is often the first — and sometimes the only — line of defense between adversaries and sensitive information. With ubiquitous mobile computing and anywhere, anytime access to applications and data, many security practitioners now refer to identity as “the new perimeter.”

1
Q

Q. 1 An access control system that grants access to information based on the identity of the user is known as what? Drag and drop the correct answer(s) from top to bottom.

Role-based access control
Mandatory access control
Clearance-based access control
Identity-based access control

A

Identity-based access control

[Identity and Access Management] Identity-based access control is used to grant access to information based on the identity of the person requesting access.

2
Q

Q. 2 An access control model in which the system determines the access policy is known as what? Drag and drop the correct answer(s) from top to bottom.

Discretionary access control
Mandatory access control
Administrative access control
Role-based access control

A

Mandatory access control
Role-based access control

[Identity and Access Management] Mandatory access controls are determined by the system, based on the user’s clearance level and the classification of the information.

3
Q

Q. 3 In Kerberos, a dynamic key that is generated when needed, shared between two principals, then destroyed when it is no longer needed, is known as a

Public key
Shared key
Secret key
Session key
A

Session key

[Security Engineering] Public, shared, and secret keys are general terms used to describe symmetric and asymmetric cryptosystems. A session key is a specific type of dynamic key that is generated in Kerberos, shared between systems participating in a Kerberos session, then destroyed when the session ends or the key expires.

4
Q

Q. 4 Which of the following are examples of physical access controls? Drag and drop the correct answer(s) from top to bottom.

Locked doors
Security guards
Audits
Firewalls
Surveillance cameras
A

Locked doors
Security guards
Surveillance cameras

[Identity and Access Management] Security guards, locked doors, and surveillance cameras are physical access controls. Firewalls are technical controls. Audits are administrative controls.

5
Q

Q. 5 An access control system that gives the user some control over who has access to information is known as

Identity-based access control
Discretionary access control
Role-based access control
Mandatory access control
A

Discretionary access control

[Identity and Access Management] Discretionary access controls permit access to information based on certain user-defined criteria.

6
Q

Q. 6 Which of the following are examples of administrative controls? Drag and drop the correct answer(s) from top to bottom.

Mantraps
Assessments
Security guards
Audits
Procedures
Supervision
A

Assessments
Audits
Procedures
Supervision

[Identity and Access Management] Supervision, audits, procedures, and assessments are administrative controls. Security guards and mantraps are physical controls.

7
Q

Q. 7 Fingerprint, retinal scan, and palm scans are examples of

Biometric authentication
Physical controls
Type 2 authentication
Multi-factor authentication
A

Biometric authentication

[Identity and Access Management] Fingerprints, retina patterns, and palm prints are physical characteristics that can be used for biometric authentication.

8
Q

Q. 8 In an access management life cycle, all of the following activities are considered detective controls for subject access EXCEPT:

Password configuration review
Access activity review
Entitlement review
Access request review
A

Password configuration review

[Identity and Access Management] Reviewing password configuration is a detective control, but it is not part of the access management lifecycle.

9
Q

Q. 9 Tokens, smart cards, and ATM cards used in authentication are examples of

Logical controls
Identifiers
Something you have
Type 3 authentication
A

Something you have

[Identity and Access Management] Tokens, smart cards, and ATM cards are examples of “something you have” for authentication.

10
Q

Q. 10 Which of the following diagrams correctly depicts the Crossover Error Rate?

  1. CER shaded in middle
  2. CER with down arrow no shade
  3. CER to the far right shaded
  4. CER to far left shaded
A
  1. CER with down arrow no shade

[Identity and Access Management] The CER is the point at which the sensitivity (False Reject Rate, or FRR) and errors (False Accept Rate, or FAR) in a biometric authentication system intersect (are equal).

11
Q

Q. 11 Which of the following are preventive controls? Drag and drop the correct answer(s) from top to bottom.

Listening devices
Audits
Fences
Smart cards

A

Fences
Smart cards

[Identity and Access Management] Smart cards, fences, and guard dogs are preventive controls. Audits and listening devices are detective controls.

12
Q

Q. 12 Which of the following are detective controls? Drag and drop the correct answer(s) from top to bottom.

Audits
Background checks
Listening devices
Fences
Video surveillance
A

Audits
Background checks
Listening devices
Video surveillance

[Identity and Access Management] Video surveillance, listening devices, audits, and background checks are detective controls. Fences are preventive or physical controls.

13
Q

Q. 13 What does TACACS stand for?

Technical Authentication Center Access Control Service
Terminal Access Controller Authentication Control Service
Technical Assistance Center Access Control System
Terminal Access Controller Access Control System
A

Terminal Access Controller Access Control System

[Communication and Network Security] TACACS is an authentication protocol. It stands for Terminal Access Controller Access Control System.

14
Q

Q. 14 Which of the following is NOT a weakness in Kerberos?

The user’s secret key is transmitted over the network
Kerberos is vulnerable to replay attacks
The TGS and AS servers are vulnerable to attack
The user’s secret key is temporarily stored on the client system
A

The user’s secret key is transmitted over the network

[Identity and Access Management] The user’s secret key is never transmitted over the network in Kerberos.

15
Q

Q. 15 CHAP is used for

Centralized access control
Encrypting RADIUS authentication
Ciphering RADIUS authentication
Creating one-time passwords
A

Centralized access control

[Communication and Network Security] CHAP is a protocol used for centralized access control.

16
Q

Q. 16 Two-factor authentication is stronger than single-factor authentication because

It uses a factor of two prime numbers for added strength
It requires two factors, such as a password and a smart card
Authentication difficulty is increased by a factor of two
The user must be physically present to authenticate
A

It requires two factors, such as a password and a smart card

[Identity and Access Management] Two-factor authentication requires a combination of two factors, such as something you know, something you have, or something you are.

17
Q

Q. 17 Which of the following is NOT part of a Kerberos implementation:

Client/TGS Session Key
Client Secret Key
PGP Secret Key
Client/Server Session Key
A

PGP Secret Key

[Security Engineering] Pretty Good Privacy (PGP) is encryption software used for authentication and privacy in data communications.

18
Q

Q. 18 Single sign-on (SSO) performs which of the following?

Stores a password locally by using a Save My Password feature
Permits authentication to multiple applications without having to log in to each one individually
Stores a password and uses a cookie for subsequent authentication
Is an example of single-factor authentication
A

Permits authentication to multiple applications without having to log in to each one individually

[Identity and Access Management] SSO permits a user’s authentication to be used for all participating applications. SSO alleviates the problem of having to remember different user IDs and passwords for different applications or systems.

19
Q

Q. 19 Rule-based access control and lattice-based access control are examples of

Mandatory access controls
Administrative controls
Discretionary access controls
Non-discretionary access controls
A

Non-discretionary access controls

[Identity and Access Management] Rule-based access control and lattice-based access control are non-discretionary access controls because access rights are determined by defined rules or attribute pairs.

20
Q

Q. 20 RADIUS is an example of

Corrective control
Centralized access control
Distributed access control
Detective control
A

Centralized access control

[Communication and Network Security] RADIUS is a protocol used for centralized access control.

21
Q

Q. 21 Which of the following are examples of technical controls? Drag and drop the correct answer(s) from top to bottom.

Background checks
Job rotation
Guard dogs
Access control lists
Encryption
Smart cards
Tokens
A

Access control lists
Encryption
Smart cards
Tokens

[Identity and Access Management] Tokens, encryption, smart cards, and access control lists are technical controls. Job rotation and background checks are administrative controls. Guard dogs are physical controls.

22
Q

Q. 22 The term “something you are” refers to

A user’s security clearance
A user’s role
Two-factor authentication
Biometric authentication
A

Biometric authentication

[Identity and Access Management] “Something you are” refers to something used for biometric authentication, such as a fingerprint, retina or iris pattern, handwriting, or voice.