CISSP Q V1.4 DOMAIN 5 Identity and Access Management (IAM) Flashcards

1
Q

In order to give employees appropriate access rights, a company might choose to determine what tasks need to be accomplished, and then to define what access rights are necessary to accomplish said tasks. What type of access control system would most accurately fit this situation?

A. Rule-based access control and need-to-know.
B. Role-based access control.
C. Need-to-know and least privilege.
D. Non-discretionary access control.

A

B. Role-based access control.

Role-based access control means determining what people belong in what roles, and then defining what resources the people in these roles should be able to access. While (C) might be tempting, least privilege shouldn’t be considered an access control system.

2
Q

What answer lists 3 control categories?

A. Preventative, physical, detective
B. Physical, administrative, technical
C. Deterrent, preventative, compensating
D. Administrative, directive, deterrent

A

C. Deterrent, preventative, compensating

3
Q

What are the 7 control categories?

D
D
D
C
C
R
P

A

The 7 control categories (The 7 C’s) are directive, deterrent, detective, compensating, corrective, recovery, and preventative.

4
Q

What are the 3 control types?

A
T or L
P

A

The 3 Types (3 T’s) are Administrative, Technical or Logical, and Physical.

5
Q

Which of the following devices has an embedded microchip that can store enormous amounts of data, double as an access card for doors, and serve as an authenticator for a computer?

A. Smart Card.
B. Proximity card, or “prox card.”
C. PIN card.
D. Magnetic-stripe Card.

A

A. Smart Card.

The clue in the question is “store enormous amounts of data.” A proximity card and a magnetic-stripe card can be used as access cards for doors and even as an authentication mechanism for a computer, but neither can store enormous amounts of data. PIN cards can’t store enormous amounts of data, and also don’t typically open doors.

6
Q

Which statement BEST describes an access control?

A. A hidden device that permits identity spoofing.
B. A deployment of encryption to protect authorization systems.
C. A mechanism that helps protect systems by controlling unauthorized user activities.
D. A systems device that records all user login attempts.

A

C. A mechanism that helps protect systems by controlling unauthorized user activities.

7
Q

Which of the following operations security activities requires the least amount of training and experience?

A. Maintaining operational resilience.
B. Controlling user accounts.
C. Protecting valuable assets.
D. Managing security services effectively.

A

B. Controlling user accounts.

8
Q

To create an effective access control system for your organization’s desktops, what must be created?

A. The company’s computer organizational placement chart.
B. A list that shows which users have requested special permissions.
C. A set of firewall rules that either permit or deny different computer systems access to specific services.
D. A set of Kerberos rules that the Kerberos Ticket Granting Server (TGS) uses to allow users access to certain files.

A

C. A set of firewall rules that either permit or deny different computer systems access to specific services.

Allowing differing computers to have differing levels of access to systems is normally done with Rule-based access control. Rule-based control for desktops is usually best done with firewall rule sets.

9
Q

Which answer below contains two of the MOST accurate biometric systems?

A. Retinal scans and hand geometry.
B. Iris Scans and keystroke dynamics.
C. Fingerprint readers and facial recognition.
D. Iris scans and vascular pattern scans.

A

D. Iris scans and vascular pattern scans.

(D) is the correct answer. We are looking for the best combination. Retina and iris scans are commonly agreed to be among the best because of their high reliability and low risk of compromise. That allows us to eliminate (C). Focusing on the second half of the combination, keystroke dynamics isn’t in the same league as a hand scan, so eliminate (B). Between hand geometry and vascular pattern scans, vascular pattern scans are more reliable, so (D) is better than (A).

10
Q

In the context of the Confidentiality, Integrity and Availability (CIA) triad, “Perfect availability” of a resource means which of the following?

A. Availability 24 hours a day, 7 days a week (24/7).
B. Availability whenever authorized users require access to the resource in order to do their jobs.
C. Availability as appropriate to support the Business Continuity Plan / Disaster Recovery Plan (BCP/DR).
D. Full availability even to users in branch offices who have to remote in to access said resources.

A

B. Availability whenever authorized users require access to the resource in order to do their jobs.

In the student manual, availability is defined as “aim[ing] at ensuring that systems are up and running so that persons can use them when they are needed.” Leaving aside the issue that the need for availability extends beyond “systems,” note: “when they are needed.”

(A) would only be appropriate if the resource were needed 24/7. (C) does not extend far enough. (D) is a distractor: “users in branch offices” need the same kind of availability that other “users” do.

11
Q

If a system’s security goal is that no subject can gain access to any object without authorization, which of the following should be implemented?

A. The security kernel implementing the reference monitor concept.
B. The ring protection mechanism.
C. Virtual memory mapping and process isolation.
D. Correct management of memory and storage.

A

A. The security kernel implementing the reference monitor concept.

Answer (A) is correct. Answer (B) is too general, Answer (C) describes how applications work with the OS, and Answer (D) is a distractor.

12
Q

Which of the following is the best example of two-factor authentication?

A. Requiring a user to use both a digital fingerprint and an iris scan to get logged in.
B. Requiring a user to provide a 14-character password and also punch an 8-character access key into a cipher lock located at the entrance door.
C. Requiring a token device to be inserted in a special slot at the entrance door, as well as a keyless entry device.
D. Requiring a token device and a fingerprint.

A

D. Requiring a token device and a fingerprint.

Answer (D) is correct, as it combines “something you have,” a token, with “something you are,” a fingerprint. The rest are single-factor: Answer (A) uses two biometrics, Answer (B) uses two things you know, and Answer (C) uses two things you have. Dual-factor and multi-factor authentication require “proof” that you are using items from more than one category.

13
Q

Which of the following is NOT true of Rule-based access control?

  1. It is unique to mandatory access control systems.
  2. It is based on the user’s job function.
  3. It is often implemented by modern firewalls.
  4. It focuses on provisioning user credentials.

A. 2 and 3
B. 1 and 4
C. 2 and 4
D. 3 and 4

A

B. 1 and 4

Rule-based access control sets up rules used to determine user access. It is frequently configured based on job function, and is commonly implemented with firewalls. Meanwhile, it is not unique to MAC systems (can be used in DAC and NDAC as well) and has nothing to do with provisioning user credentials.

14
Q

What best describes role-based access control?

A. It is unique to mandatory access control systems.
B. It is often implemented by modern firewalls.
C. It is a set of technologies focusing on provisioning and decommissioning user credentials.
D. It is configured based on the user’s job function.

A

D. It is configured based on the user’s job function.

Role-based control is used in MAC, DAC and NDAC systems. The access required by user roles can be implemented in part by firewalls, but this does not make firewalls role-based rather than rule-based access control. Role-based access control is not itself a set of technologies, although it can be implemented via various technologies.

15
Q

Alice has just successfully logged into a system using Kerberos. She wants to edit a file located on server K, which is in the same domain that she is. Which action best describes how this will be done?

A. Alice can access the file without logging into Server K.
B. Alice logs into Server K and accesses the file.
C. Alice goes back to the Kerberos system, gets a special ticket for Server K, and uses it to log into Server K. Server K will then decide whether Alice can edit her requested file.
D. Alice goes back to the Kerberos system, gets a special ticket for Server K, and uses it to log into Server K. Since she is an authenticated user, she will be automatically allowed to edit the requested file.

A

C. Alice goes back to the Kerberos system, gets a special ticket for Server K, and uses it to log into Server K. Server K will then decide whether Alice can edit her requested file.

16
Q

When a company is considering adopting a biometric system, which is the LEAST important consideration?

A. Technology type.
B. Reliability and accuracy.
C. User acceptance.
D. Resistance to users counterfeiting their credentials.

A

A. Technology type.

17
Q

Which statement BEST describes how “Role-based access control” is typically used?

A. It only occurs in discretionary access control systems (DACs).
B. Since it is based on the user’s job function, it can be used in many situations.
C. It is always used in mandatory access control systems (MACs).
D. It is the accepted method for limiting users to certain tasks at certain times of the day.

A

B. Since it is based on the user’s job function, it can be used in many situations.

Role-based access control can work with both discretionary and mandatory access control systems, so Answer (A) is not correct. Answer (C) takes things a step too far when it says “always” used with MAC, as role-based control is typically optional in that environment. Furthermore, Answer (D) has too narrow a focus, and there are many other acceptable ways to apply time restrictions.

18
Q

In a SAML 2.0 system, when a user across the internet is attempting to access a web service, which of the following happens?

A. The web server uses a federated login system to authenticate the user.
B. The web service provides both authentication and authorization.
C. The web service uses a direct connection to an Active Directory (AD) server to provide authentication.
D. The web server connects back to the user’s home login system to determine whether the user should be allowed to access the desired service.

A

A. The web server uses a federated login system to authenticate the user.

Allowing for Federated Logins is a major attribute of SAML 2.0. SAML 2.0 was designed to prevent the web service from having to do authentication and authorization itself. Instead, it uses the Identity Provider (IdP) for this. Answers (B), (C), and (D) are therefore all incorrect.

19
Q

The correct ordering of steps with respect to user access to an object is:

A. Identification, authorization, auditing.
B. Identification, authentication, authorization.
C. Authorization, setup of auditing for the session, authentication.
D. Authentication, setup of auditing for the session, access.

A

B. Identification, authentication, authorization.

Remember the acronym, IAAA, which can remind you that you need to “present unique Identity first, then Authentication proves uniqueness, then Authorization provides Access to an Object, and then finally Auditing records the access to the object.”

20
Q

Which answer best describes the DISADVANTAGES of Single Sign-On (SSO) systems?

  1. Having to maintain system clocks.
  2. The fact that a single compromised password can expose all of the user’s resources.
  3. SSOs require users to remember many passwords for the many systems within the SSO environment.
  4. Changing passwords is much easier in SSO systems than in non-SSO systems.

A. 1 and 2
B. 2 and 3
C. 1 and 3
D. 2 and 4

A

A. 1 and 2

21
Q

The XML language is often used in modern networks for which of the following purposes?

  1. To provide link-encryption for copper based WAN links
  2. In VOIP systems to encode analog into digital signals
  3. To represent data in a neutral format that is independent of the underlying database or application
  4. In SAML to exchange authentication information for a web-based client

A. 1 and 3
B. 2 and 4
C. 3 and 4
D. 2 and 3

A

C. 3 and 4

XML helps different applications communicate with each other by including the formatting of the data (within the data itself) so that the receiver knows what data types are present in the received data. Answer (A) is a distractor. Answer (B) is incorrect – encoding analog into digital signals is done by a CODEC.

22
Q

A development firm was recently hired to develop a new application for your company. They will need the ability to restart virtual machines on your company’s cloud platform, but should only be able to do so when requested, and for a limited time. Without requiring the developers to submit a formal written request on each occasion, what access methodology would be best suited to this task while maintaining least privilege?

A. Time Based Access Control (TBAC)
B. Attribute Based Access Control (ABAC)
C. Request Formal Provisioning (RFP)
D. Just In Time access control (JIT)

A

D. Just In Time access control (JIT)

They are describing a perfect situation to deploy (D) Just In Time Access. Meanwhile, (C) RFP is a distractor (completely fictional).

JIT allows organizations to grant access to applications/systems for predetermined periods of time on an as-needed, per request, basis. Users can submit a request via a workflow process and automatically and instantly receive access without violating least privilege or having to wait through a long managerial process.

23
Q

HD cameras located throughout the airport are going to be used to track passengers without requiring them to enroll in a biometric system. Of the biometric options below, what would be suitable for this advanced security tracking system? (pick two)

A. Voice
B. Vein
C. Facial
D. Gait
E. Fingerprint
F. Retina

A

C. Facial
D. Gait

24
Q

What could be used to allow for secure authentication to several service providers without the need to send a password to each?

A. CHAP
B. PAP
C. OAuth
D. SAML

A

D. SAML

The question clearly describes SSO (single sign-on).
PAP and CHAP both involve sending a password, so those can be ruled out.
OAuth is used for sending authorizations from one web service or cloud server to another, but doesn’t handle authentication on its own. To give OAuth that functionality, we would need to also leverage OpenID Connect.
SAML is an XML-based format used to exchange authentication information and thereby achieve identity federation (SSO). It doesn’t actually send your password from one system to another in the process. Instead, it tokenizes credentials across multiple parties.