Domain 5 Flashcards

Question 1

Q

Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
a. An access control list
b. An implicit denial list
c. A capability table
d. A rights management matrix

Answer

A

C. Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.

Question 2

Q

Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim’s company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company’s onsite identity needs?
a. Integrate onsite systems using OAuth.
b. Use an on-premise third-party identity service.
c. Integrate onsite systems using SAML.
d. Design an in-house solution to handle the organization’s unique needs.

Answer

A

B. Since Jim’s organization is using a cloud-based Identity as a Service solution, a third party, on-premise identity service can provide the ability to integrate with the IDaaS solution, and the company’s use of Active Directory is widely supported by third-party vendors. OAuth is used to log into third-party websites using existing credentials and would not meet the needs described. SAML is a markup language and would not meet the full set of AAA needs. Since the organization is using Active Directory, a custom in-house solution is unlikely to be as effective as a preexisting third-party solution and may take far more time and expense to implement.

Question 3

Q

Which of the following is not a weakness in Kerberos?
a. The KDC is a single point of failure.
b. Compromise of the KDC would allow attackers to impersonate any user.
c. Authentication information is not encrypted.
d. It is susceptible to password guessing.

Answer

A

C. Kerberos encrypts messages using secret keys, providing protection for authentication traffic. The KDC is both a single point of failure and can cause problems if compromised because keys are stored on the KDC that would allow attackers to impersonate any user. Like many authentication methods, Kerberos can be susceptible to password guessing.

Question 4

Q

Voice pattern recognition is what type of authentication factor?
a. Type 1
b. Type 2
c. Type 3
d. Type 4

Answer

A

C. Voice pattern recognition is “something you are,” a Type 3 authentication factor. Type 1 factors are “something you know,” and Type 2 factors are “something you have.” Type 4 is made up and is not a valid type of authentication factor.

Question 5

Q

If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct types of factor has she used?
a. One
b. Two
c. Three
d. Four

Answer

A

B. Susan has used two distinct types of factors: the PIN and password are both Type 1 factors, and the retina scan is a Type 3 factor. Her username is not a factor.

Question 6

Q

Which of the following items are not commonly associated with restricted interfaces?
a. Shells
b. Keyboards
c. Menus
d. Database views

Answer

A

B. Menus, shells, and database views are all commonly used for constrained interfaces. A keyboard is not typically a constrained interface, although physically constrained interfaces like those found on ATMs, card readers, and other devices are common.

Question 7

Q

During a log review, Saria discovers a series of logs that show login failures as shown here:

Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from remotehost passwd=orange

Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=Orang3

Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=Orange93

Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=Orangutan1

Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=Orangemonkey

What type of attack has Saria discovered?

a. A brute force attack
b. A man-in-the-middle attack
c. A dictionary attack
d. A rainbow table attack

Answer

A

C. Dictionary attacks use a dictionary or list of common passwords as well as variations of those words to attempt to log in as an authorized user. This attack shows a variety of passwords based on a similar base word, which is often a good indicator of a dictionary attack. A brute force attack will typically show simple iteration of passwords, while a man-in-the-middle attack would not be visible in the authentication log. A rainbow table attack is used when attackers already have password hashes in their possession and would also not show up in logs.

Question 8

Q

What type of attack can be prevented by using a trusted path?
a. Dictionary attacks
b. Brute force attacks
c. Man-in-the-middle attacks
d. Login spoofing

Answer

A

D. The Common Criteria defines trusted paths as a way to protect data between users and a security component. This includes attacks like replacing login windows for systems and is the reason Windows uses Ctrl+Alt_Del as a login sequence. Man-in-the-middle attacks can be prevented by using a trusted channel, which is often implemented with encryption and certificates. Brute force and dictionary attacks are often discouraged by using a back-off algorithm to slow down or prevent attacks.

Question 9

Q

What major issue often results from decentralized access control?
a. Access outages may occur.
b. Control is not consistent.
c. Control is too granular.
d. Training costs are high.

Answer

A

B. Decentralized access control can result in less consistency because the individuals tasked with control may interpret policies and requirements differently and may perform their roles in different ways. Access outages, overly granular control, and training costs may occur, depending on specific implementations, but they are not commonly identified issues with decentralized access control.

Question 10

Q

Callback to a home phone number is an example of what type of factor?
a. Type 1
b. Somewhere you are
c. Type 3
d. Geographic

Answer

A

B. A callback to a home phone number is an example of a “somewhere you are” factor. This could potentially be spoofed by call forwarding or using a VoIP system. Type 1 factors are “something you know,” Type 3 factors are biometric, and geographic factors are typically based on IP addresses or access to a GPS.

Question 11

Q

a. Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?
a. . A shortcut trust
b. A forest trust
c. An external trust
d. A realm trust

Answer

A

D. Kerberos uses realms, and the proper type of trust to set up for an Active Directory environment that needs to connect to a K5 domain is a realm trust. A shortcut trust is a transitive trust between parts of a domain tree or forest that shortens the trust path, a forest trust is a transitive trust between two forest root domains, and an external trust is a non-transitive trust between AD domains in separate forests.

Question 12

Q

Which of the following AAA protocols is the most commonly used?
a. TACACS
b. TACACS+
c. XTACACS
d. Super TACACS

Answer

A

B. TACACS+ is the only modern protocol on the list. It provides advantages of both TACACS and XTACACS as well as some benefits over RADIUS, including encryption of all authentication information. Super TACACS is not an actual protocol.

Question 13

Q

Which of the following is not a single sign-on implementation?
a. Kerberos
b. ADFS
c. CAS
d. RADIUS

Answer

A

D. Kerberos, Active Directory Federation Services (ADFS), and Central Authentication Services (CAS) are all SSO implementations. RADIUS is not a single-sign on implementation, although some vendors use it behind the scenes to provide authentication for proprietary SSO.

Question 14

Q

As seen in the following image, a user on a Windows system is not able to use the “Send Message” functionality. What access control model best describes this type of limitation?
a. Least privilege
b. Need to know
c. Constrained interface
d. Separation of duties

Answer

A

C. Interface restrictions based on user privileges is an example of a constrained interface. Least privilege describes the idea of providing users with only the rights they need to accomplish their job, while need to know limits access based on whether a subject needs to know the information to accomplish an assigned task. Separation of duties focuses on preventing fraud or mistakes by splitting tasks between multiple subjects.

Question 15

Q

What type of access controls allow the owner of a file to grant other users access to it using an access control list?
a. Role based
b. Non-discretionary
c. Rule based
d. Discretionary

Answer

A

D. When the owner of a file makes the decisions about who has rights or access privileges to it, they are using discretionary access control. Role-based access controls would grant accessed based on a subject’s role, while rule-based controls would base the decision on a set of rules or requirements. Non-discretionary access controls apply a fixed set of rules to an environment to manage access. Non-discretionary access controls include rule-, role-, and lattice-based access controls.

Question 16

Q

Alex’s job requires him to see personal health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?
a. Separation of duties
b. Constrained interfaces
c. Context-dependent control
d. Need to know

Answer

A

D. Need to know is applied when subjects like Alex have access to only the data they need to accomplish their job. Separation of duties is used to limit fraud and abuse by having multiple employees perform parts of a task. Constrained interfaces restrict what a user can see or do and would be a reasonable answer if need to know did not describe his access more completely in this scenario. Context-dependent control relies on the activity being performed to apply controls, and this question does not specify a workflow or process.

Question 17

Q

Using your knowledge of the Kerberos logon process and the following diagram, answer questions 17, 18, and 19.

At point A in the diagram, the client sends the username and password to the KDC. How is the username and password protected?
a. 3DES encryption
b. TLS encryption
c. SSL encryption
d. AES encryption

Answer

A

D. The client in Kerberos logins uses AES to encrypt the username and password prior to sending it to the KDC.

Question 18

Q

Using your knowledge of the Kerberos logon process and the following diagram, answer questions 17, 18, and 19.

At point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid?
a. An encrypted TGT and a public key
b. An access ticket and a public key
c. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user’s password
d. An encrypted, time-stamped TGT and an access token

Answer

A

C. The KDC uses the user’s password to generate a hash and then uses that hash to encrypt a symmetric key. It transmits both the encrypted symmetric key and an encrypted time-stamped TGT to the client.

Question 19

Q

At point A in the diagram, the client sends the username and password to the KDC. How is the username and password protected?

What tasks must the client perform before it can use the TGT?
a. It must generate a hash of the TGT and decrypt the symmetric key.
b. It must install the TGT and decrypt the symmetric key.
c. It must decrypt the TGT and the symmetric key.
d. It must send a valid response using the symmetric key to the KDC and must install the TGT.

Answer

A

B. The client needs to install the TGT for use until it expires, and must also decrypt the symmetric key using a hash of the user’s password.

Question 20

Q

Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
a. Retina scans can reveal information about medical conditions.
b. Retina scans are painful because they require a puff of air in the user’s eye.
c. Retina scanners are the most expensive type of biometric device.
d. Retina scanners have a high false positive rate and will cause support issues.

Answer

A

A. Retina scans can reveal additional information, including high blood pressure and pregnancy, causing privacy concerns. Newer retina scans don’t require a puff of air, and retina scanners are not the most expensive biometric factor. Their false positive rate can typically be adjusted in software, allowing administrators to adjust their acceptance rate as needed to balance usability and security.

Question 21

Q

Mandatory access control is based on what type of model?
a. Discretionary
b. Group based
c. Lattice based
d. Rule based

Answer

A

C. Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to.

Question 22

Q

Which of the following is not a type of attack used against access controls?
a. Dictionary attack
b. Brute force attack
c. Teardrop
d. Man-in-the-middle attack

Answer

A

C. Dictionary, brute force, and man-in-the-middle attacks are all types of attacks that are frequently aimed at access controls. Teardrop attacks are a type of denial of service attack.

Question 23

Q

What is the best way to provide accountability for the use of identities?
a. Logging
b. Authorization
c. Digital signatures
d. Type 1 authentication23

Answer

A

A. Logging systems can provide accountability for identity systems by tracking the actions, changes, and other activities a user or account performs.

Question 24

Q

Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?
a. Re-provisioning
b. Account review
c. Privilege creep
d. Account revocation

Answer

A

B. As an employee’s role changes, they often experience privilege creep, which is the accumulation of old rights and roles. Account review is the process of reviewing accounts and ensuring that their rights match their owners’ role and job requirements. Account revocation removes accounts, while re-provisioning might occur if an employee was terminated and returned or took a leave of absence and returned.

Question 25

Q

Biba is what type of access control model?
a. MAC
b. DAC
c. Role BAC
d. ABAC

Answer

A

A. Biba uses a lattice to control access and is a form of the mandatory access control (MAC) model. It does not use rules, roles, or attributes, nor does it allow user discretion. Users can create content at their level or lower but cannot decide who gets access, levels are not roles, and attributes are not used to make decisions on access control.

Question 26

Q

Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
a. Kerberos
b. EAP
c. RADIUS
d. OAuth

Answer

A

C. RADIUS is an AAA protocol used to provide authentication and authorization; it’s often used for modems, wireless networks, and network devices. It uses network access servers to send access requests to central RADIUS servers. Kerberos is a ticket-based authentication protocol; OAuth is an open standard for authentication allowing the use of credentials from one site on third-party sites; and EAP is the Extensible Authentication Protocol, an authentication framework often used for wireless networks.

Question 27

Q

What type of access control is being used in the following permission listing:

Storage Device X

User1: Can read, write, list

User2: Can read, list

User3: Can read, write, list, delete

User4: Can list

a. Resource-based access controls
b. Role-based access controls
c. Mandatory access controls
d. Rule-based access controls

Answer

A

A. Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based Infrastructure as a Service environments. The lack of roles, rules, or a classification system indicate that role-based, rule-based, and mandatory access controls are not in use here.

Question 28

Q

Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor and what traffic will she be able to read?
a. UDP, none. All RADIUS traffic is encrypted.
b. TCP, all traffic but the passwords, which are encrypted
c. UDP, all traffic but the passwords, which are encrypted
d. TCP, none. All RADIUS traffic is encrypted.

Answer

A

C. By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.

Question 29

Q

Which of the following is not part of a Kerberos authentication system?
a. KDC
b. TGT
c. AS
d. TS

Answer

A

D. A key distribution center (KDC) provides authentication services, and ticket-granting tickets (TGTs) provide proof that a subject has authenticated and can request tickets to access objects. Authentication services (ASs) are part of the KDC. There is no TS in a Kerberos infrastructure.

Question 30

Q

When an application or system allows a logged-in user to perform specific actions, it is an example of what?
a. Roles
b. Group management
c. Logins
d. Authorization

Answer

A

D. Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.

Question 31

Q

Alex has been employed by his company for over a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications due to his former roles. What issue has Alex’s company encountered?
a. Excessive provisioning
b. Unauthorized access
c. Privilege creep
d. Account review

Answer

A

C. Privilege creep occurs when users retain from roles they held previously rights they do not need to accomplish their current job. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.

Question 32

Q

Which of the following is not a common threat to access control mechanisms?
a. Fake login pages
b. Phishing
c. Dictionary attacks
d. Man-in-the-middle attacks

Answer

A

B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.

Question 33

Q

What term properly describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order for normal function?
a. Collisions
b. Race conditions
c. Determinism
d. Out-of-order execution

Answer

A

B. Race conditions occur when two or more processes need to access the same resource in the right order. If an attacker can disrupt this order, they may be able to affect the normal operations of the system and gain unauthorized access or improper rights. Collisions occur when two different files produce the same result from a hashing operation, out-of-order execution is a CPU architecture feature that allows the use of otherwise unused cycles, and determinism is a philosophical term rather than something you should see on the CISSP exam!

Question 34

Q

What type of access control scheme is shown in the following table?

a, RBAC

b. DAC
c. MAC
d. TBAC

Answer

A

C. Mandatory access controls use a lattice to describe how classification labels relate to each other. In this image, classification levels are set for each of the labels shown. A discretionary access control (DAC) system would show how the owner of the objects allows access. RBAC could be either rule- or role-based access control and would either use system-wide rules or roles. Task-based access control (TBAC) would list tasks for users.

Question 35

Q

Which of the following is not a valid LDAP DN (distinguished name)?
a. cn=ben+ou=sales
b. ou=example
c. cn=ben,ou=example;
d. ou=example,dc=example,dc=com+dc=org

Answer

A

C. LDAP distinguished names are made up of zero or more comma-separate components known as relative distinguished names. cn=ben,ou=example; ends with a semicolon and is not a valid DN. It is possible to have additional values in the same RDN by using a plus sign between then.

Question 36

Q

When a subject claims an identity, what process is occurring?
a. Login
b. Identification
c. Authorization
d. Token presentation

Answer

A

B. The process of a subject claiming or professing an identity is known as identification. Authorization verifies the identity of a subject by checking a factor like a password. Logins typically include both identification and authorization, and token presentation is a type of authentication.

Question 37

Q

Dogs, guards, and fences are all common examples of what type of control?
a. Detective
b. Recovery
c. Administrative
d. Physical

Answer

A

D. Dogs, guards, and fences are all examples of physical controls. While dogs and guards might detect a problem, fences cannot, so they are not all examples of detective controls. None of these controls would help repair or restore functionality after an issue, and thus none are recovery controls, nor are they administrative controls that involve policy or procedures, although the guards might refer to them when performing their duties.

Question 38

Q

Susan’s organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute force attacks?
a. Change maximum age from 1 year to 180 days.
b. Increase the minimum password length from 8 characters to 16 characters.
c. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.
d. Retain a password history of at least four passwords to prevent reuse.

Answer

A

B. Password complexity is driven by length, and a longer password will be more effective against brute force attacks than a shorter password. Each character of additional length increases the difficulty by the size of the potential character set (for example, a single lowercase character makes the passwords 26 times more difficult to crack). While each of the other settings is useful for a strong password policy, they won’t have the same impact on brute force attacks.

Question 39

Q

What is the stored sample of a biometric factor called?
a. A reference template
b. A token store
c. A biometric password
d. An enrollment artifact

Answer

A

A. The stored sample of a biometric factor is called a reference profile or a reference template. None of the other answers are common terms used for biometric systems.

Question 40

Q

When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?
a. When security is more important than usability
b. When false rejection is not a concern due to data quality
c. When the CER of the system is not known
d. When the CER of the system is very high

Answer

A

A. Organizations that have very strict security requirements that don’t have a tolerance for false acceptance want to lower the false acceptance rate, or FAR, to be as near to zero as possible. That often means that the false rejection rate, or FRR, increases. Different biometric technologies or a better registration method can help improve biometric performance, but false rejections due to data quality are not typically a concern with modern biometric systems. In this case, knowing the crossover error rate, or CER, or having a very high CER doesn’t help the decision.

Question 41

Q

Susan is working to improve the strength of her organization’s passwords by changing the password policy. The password system that she is using allows upper- and lower-case letters as well as numbers but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create?
a. 26 times more complex
b. 62 times more complex
c. 36 times more complex
d. 2^62 times more complex

Answer

A

B. The complexity of brute forcing a password increases based on both the number of potential characters and the number of letters added. In this case, there are 26 lowercase letters, 26 uppercase letters, and 10 possible digits. That creates 62 possibilities. Since we added only a single letter of length, we get 62^1, or 62 possibilities, and thus, the new passwords would be 62 times harder to brute force on average.

Question 42

Q

Which pair of the following factors are key for user acceptance of biometric identification systems?
a. The FAR
b. The throughput rate and the time required to enroll
c. The CER and the ERR
d. How often users must reenroll and the reference profile requirements

Answer

A

B. Biometric systems can face major usability challenges if the time to enroll is long (over a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow. FAR and FRR may be important in the design decisions made by administrators or designers, but they aren’t typically visible to users. CER and ERR are the same and are the point where FAR and FRR meet. Reference profile requirements are a system requirement, not a user requirement.

Question 43

Q

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integrations and security architecture design, answer questions 43, 44, and 45.

Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks?
a. Use SAML’s secure mode to provide secure authentication.
b. Implement TLS using a strong cipher suite, which will protect against both types of attacks.
c. Implement TLS using a strong cipher suite and use digital signatures.
d. Implement TLS using a strong cipher suite and message hashing.

Answer

A

C. TLS provides message confidentiality and integrity, which can prevent eavesdropping. When paired with digital signatures, which provide integrity and authentication, forged assertions can also be defeated. SAML does not have a security mode and relies on TLS and digital signatures to ensure security if needed. Message hashing without a signature would help prevent modification of the message but won’t necessarily provide authentication.

Question 44

Q

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integrations and security architecture design, answer questions 43, 44, and 45.

If Alex’s organization is one that is primarily made up of offsite, traveling users, what availability risk does integration of critical business applications to onsite authentication create and how could he solve it?
a. Third-party integration may not be trustworthy; use SSL and digital signatures.
b. If the home organization is offline, traveling users won’t be able to access third-party applications; implement a hybrid cloud/local authentication system.
c. Local users may not be properly redirected to the third-party services; implement a local gateway.
d. Browsers may not properly redirect; use host files to ensure that issues with redirects are resolved.

Answer

A

B. Integration with cloud-based third parties that rely on local authentication can fail if the local organization’s Internet connectivity or servers are offline. Adopting a hybrid cloud and local authentication system can ensure that Internet or server outages are handled, allowing authentication to work regardless of where the user is or if their home organization is online. Using encrypted and signed communication does not address availability, redirects are a configuration issue with the third party, and a local gateway won’t handle remote users. Also, host files don’t help with availability issues with services other than DNS.

Question 45

Q

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integrations and security architecture design, answer questions 43, 44, and 45.

What solution can best help address concerns about third parties that control SSO directs as shown in step 2 in the diagram?
a. An awareness campaign about trusted third parties
b. TLS
c. Handling redirects at the local site
d. Implementing an IPS to capture SSO redirect attacks

Answer

A

A. While many solutions are technical, if a trusted third party redirects to an unexpected authentication site, awareness is often the best defense. Using TLS would keep the transaction confidential but would not prevent the redirect. Handling redirects locally only works for locally hosted sites, and using a third-party service requires offsite redirects. An IPS might detect an attacker’s redirect, but tracking the multitude of load-balanced servers most large providers use can be challenging, if not impossible. In addition, an IPS relies on visibility into the traffic, and SAML integrations should be encrypted for security, which would require a man-in-the-middle type of IPS to be configured.

Question 46

Q

Susan has been asked to recommend whether her organization should use a mandatory access control scheme or a discretionary access control scheme. If flexibility and scalability is an important requirement for implementing access controls, which scheme should she recommend and why?
a. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
b. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
c. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
d. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority

Answer

A

B. Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control system (MAC). MAC is more secure due to the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.

Question 47

Q

Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed?
a. Log review
b. Manual review of permissions
c. Signature-based detection
d. Review the audit trail

Answer

A

C. While signature-based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.

Question 48

Q

Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?
a. SAML
b. SOAP
c. SPML
d. XACML

Answer

A

C. Service Provisioning Markup Language, or SPML is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to make authorization and authentication data, while XACML is used to describe access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.

Question 49

Q

During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?
a. A brute force attack
b. A pass-the-hash attack
c. A rainbow table attack
d. A salt recovery attack

Answer

A

C. Rainbow tables are databases of prehashed passwords paired with high-speed lookup functions. Since they can quickly compare known hashes against those in a file, using rainbow tables is the fastest way to quickly determine passwords from hashes. A brute force attack may eventually succeed but will be very slow against most hashes. Pass-the-hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent to a system to avoid the need to know a user’s password. Salts are data added to a hash to avoid the use of tools like rainbow tables. A salt added to a password means the hash won’t match a rainbow table generated without the same salt.

Question 50

Q

Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?
a. PKI
b. Federation
c. Single sign-on
d. Provisioning

Answer

A

B. Google’s federation with other applications and organizations allows single-sign on as well as management of their electronic identity and its related attributes. While this is an example of SSO, it goes beyond simple single-sign on. Provisioning provides accounts and rights, and a public key infrastructure is used for certificate management.

Question 51

Q

Lauren starts at her new job and finds that she has access to a variety of systems that she does not need access to to accomplish her job. What problem has she encountered?
a. Privilege creep
b. Rights collision
c. Least privilege
d. Excessive privileges

Answer

A

D. When users have more rights than they need to accomplish their job, they have excessive privileges. This is a violation of the concept of least privilege. Unlike creeping privileges, this is a provisioning or rights management issue rather than a problem of retention of rights the user needed but no longer requires. Rights collision is a made-up term, and thus is not an issue here.

Question 52

Q

When Chris verifies an individual’s identity and adds a unique identifier like a user ID to an identity system, what process has occurred?
a. Identity proofing
b. Registration
c. Directory management
d. Session management

Answer

A

B. Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.

Question 53

Q

Jim configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636.What does this indicate to Jim about the configuration of the LDAP server?
a. It requires connections over SSL/TLS.
b. It supports only unencrypted connections.
c. It provides global catalog services.
d. It does not provide global catalog services.

Answer

A

A. Port 636 is the default port for LDAP-S, which provides LDAP over SSL or TLS, thus indicating that the server supports encrypted connections. Since neither port 3268 nor 3269 is mentioned, we do not know if the server provides support for a global catalog.

Question 54

Q

The X.500 standards cover what type of important identity systems?
a. Kerberos
b. Provisioning services
c. Biometric authentication systems
d. Directory services

Answer

A

D. The X.500 series of standards covers directory services. Kerberos is described in RFCs; biometric systems are covered by a variety of standards, including ISO standards; and provisioning standards include SCIM, SPML, and others.

Question 55

Q

Microsoft’s Active Directory Domain Services is based on which of the following technologies?
a. RADIUS
b. LDAP
c. SSO
d. PKI

Answer

A

B. Active Directory Domain Services is based on LDAP, the Lightweight Directory Access Protocol. Active Directory also uses Kerberos for authentication.

Question 56

Q

Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
a. Require users to create unique questions that only they will know.
b. Require new users to bring their driver’s license or passport in person to the bank.
c. Use information that both the bank and the user have such as questions pulled from their credit report.
d. Call the user on their registered phone number to verify that they are who they claim to be.

Answer

A

C. Identity proofing can be done by comparing user information that the organization already has, like account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.

Question 57

Q

By default, in what format does OpenLDAP store the value of the userPassword attribute?
a. In the clear
b. Salted and hashed
c. MD5 hashed
d. Encrypted using AES256 encryption

Answer

A

A. By default, OpenLDAP stored the userPassword attribute in the clear. This means that ensuring that the password is provided to OpenLDAP in a secure format is the responsibility of the administrator or programmer who builds its provisioning system.

Question 58

Q

A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer’s account. What type of biometric factor error occurred?
a. A registration error
b. A Type 1 error
c. A Type 2 error
d. A time of use, method of use error

Answer

A

C. Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 1 errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error. Registration is the process of adding users, but registration errors and time of use, method of use errors are not specific biometric authentication terms.

Question 59

Q

What type of access control is typically used by firewalls?
a. Discretionary access controls
b. Rule-based access controls
c. Task-based access control
d. Mandatory access controls

Answer

A

B. Firewalls use rule-based access control, or Rule-BAC, in their access control lists and apply rules created by administrators to all traffic that pass through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.

Question 60

Q

When you input a user ID and password, you are performing what important identity and access management activity?
a. Authorization
b. Validation
c. Authentication
d. Login

Answer

A

C. When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren’t the most important identity and access management activity.

Question 61

Q

Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen’s best option to make sure that the users of the passcards are who they are supposed to be?
a. Add a reader that requires a PIN for passcard users.
b. Add a camera system to the facility to observe who is accessing servers.
c. Add a biometric factor.
d. Replace the magnetic stripe keycards with smart cards.

Answer

A

C. Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or “something you have.” Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: A PIN can be stolen. Adding cameras doesn’t prevent access to the facility and thus doesn’t solve the immediate problem (but it is a good idea!).

Question 62

Q

Which of the following is a ticket-based authentication protocol designed to provide secure communication?
a. RADIUS
b. OAuth
c. SAML
d. Kerberos

Answer

A

D. Kerberos is an authentication protocol that uses tickets, and provides secure communications between the client, key distribution center (KDC), ticket-granting service (TGS), authentication server (AS), and endpoint services. RADIUS does not provide the same level of security by default, SAML is a markup language, and OAuth is designed to allow third-party websites to rely on credentials from other sites like Google or Microsoft.

Question 63

Q

What type of access control is composed of policies and procedures that support regulations, requirements, and the organization’s own policies?
a. Corrective
b. Logical
c. Compensating
d. Administrative

Answer

A

D. Administrative access controls are procedures and the policies from which they derive. They are based on regulations, requirements, and the organization’s own policies. Corrective access controls return an environment to its original status after an issue, while logical controls are technical access controls that rely on hardware or software to protect systems and data. Compensating controls are used in addition to or as an alternative to other controls.

Question 64

Q

In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS?
a. A TGT
b. An AS
c. The SS
d. A session key

Answer

A

A. When clients perform a client service authorization, they send a TGT and the ID of the requested service to the TGS, and the TGS responds with a client-to-server ticket and session key back to the client if the request is validated. An AS is an authentication server and the SS is a service server, neither of which can be sent.

Answer 65

A

C. In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.

Answer 66

A

D. Passwords are never stored for web applications in a well-designed environment. Instead, salted hashes are stored and compared to passwords after they are salted and hashed. If the hashes match, the user is authenticated.

Answer 67

A

C. When a third-party site integrates via OAuth 2.0, authentication is handled by the service provider’s servers. In this case, Google is acting as the service provider for user authentication. Authentication for local users who create their own accounts would occur in the e-commerce application (or a related server), but that is not the question that is asked here.

Answer 68

A

B. The anti-forgery state token exchanged during OAuth sessions is intended to prevent cross-site request forgery. This makes sure that the unique session token with the authentication response from Google’s OAuth service is available to verify that the user, not an attacker, is making a request. XSS attacks focus on scripting and would have script tags involved, SQL injection would have SQL code included, and XACML is the eXtensible Access Control Markup Language, not a type of attack.

Answer 69

A

A. Knowledge-based authentication relies on preset questions “What is your pet’s name?” and the answers. It can be susceptible to attacks due to the availability of the answers on social media or other sites. Dynamic knowledge based authentication relies on facts or data that the user already knows which can be used to create questions they can answer on an as needed basis (for example, a previous address, or a school they attended).
Out-of-band identity proofing relies on an alternate channel like a phone call or text message. Finally, Type 3 authentication factors are biometric, or “something you are,” rather than knowledge based.

Answer 70

A

C. An access control matrix is a table that lists objects, subjects, and their privileges. Access control lists focus on objects and which subjects can access them. Capability tables list subjects and what objects they can access. Subject/object rights management systems are not based on an access control model.

Answer 71

A

C. Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has. Two-factor and biometric authentication both add additional complexity and may actually increase the number of contacts. Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don’t have the same impact that a self-service system does.

Answer 72

A

C. RADIUS supports TLS over TCP. RADIUS does not have a supported TLS mode over UDP. AES pre-shared symmetric ciphers are not a supported solution and would be very difficult to both implement and maintain in a large environment, and the built-in encryption in RADIUS only protects passwords.

Answer 73

A

B. OAuth provides the ability to access resources from another service and would meet Jim’s needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.

Answer 74

A

B. Since physical access to the workstations is part of the problem, setting application time-outs and password-protected screensavers with relatively short inactivity time-outs can help prevent unauthorized access. Using session IDs for all applications and verifying system IP addresses would be helpful for online attacks against applications.

Answer 75

A

C. Firewalls, routers, and passwords are all examples of technical access controls and are software or hardware systems used to manage and protect access. RAID-5 is an example of a recovery control. If you’re questioning why routers are a technical access control, remember that router access control lists (ACLs) are quite often used to control network access or traffic flows.

Answer 76

A

A. Verifying information that an individual should know about themselves using third-party factual information (a Type 1 authentication factor) is sometimes known as dynamic knowledge-based authentication and is a type of identity proofing. Out-of-band identity proofing would use another means of contacting the user, like a text message or phone call, and password verification requires a password.

Answer 77

A

C. The US government’s Common Access Card is a smart card. The US government also issues PIV cards, or personal identity verification cards.

Answer 78

A

C. OpenID Connect is a RESTful, JSON-based authentication protocol that, when paired with OAuth, can provide identity verification and basic profile information. SAML is the Security Assertion Markup Language, Shibboleth is a federated identity solution designed to allow web-based SSO, and Higgins is an open-source project designed to provide users with control over the release of their identity information.

Answer 79

A

C. In a mandatory access control system, classifications do not have to include rights to lower levels. This means that the only label we can be sure Jim has rights to is Secret. Despite the fact that it is unclassified, Unclassified data remains a different label, and Jim may not be authorized to access it.

Answer 80

A

B. Time-based controls are an example of context-dependent controls. A constrained interface would limit what Susan was able to do in an application or system interface, while content-dependent control would limit her access to content based on her role or rights. Least privilege is used to ensure that subjects only receive the rights they need to perform their role.

Answer 81

A

C. A Type 3 authentication factor is: something you are: like a biometric identifier. A Type 1 authentication factor is “something you know.” A Type 2 factor is “something you have,” like a smart card or hardware token. There is not a Type 4 authentication factor.

Answer 82

A

B. Policy is a subset of the administrative layer of access controls. Administrative, technical, and physical access controls all play an important role in security.

Answer 83

A

C. Google Authenticator’s constantly changing codes are part of a synchronous token that uses a time-based algorithm to generate codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smart cards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.

Answer 84

A

A. Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired with readers and don’t need to have challenges entered, and RFID devices are not used for challenge/response tokens.

Answer 85

A

C. The crossover error rate is the point where false acceptance rate and false rejection rate cross over and is a standard assessment used to compare the accuracy of biometric devices.

Answer 86

A

A. At point B, the false acceptance rate, or FAR, is quite high, while the false rejection rate, or FRR, is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of pointA.

Answer 87

A

B. CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn’t something Ben can do. FRR is not a setting in software, so Ben can’t use that as an option either.

Answer 88

A

B. The Simple Authentication and Security Layer (SASL) for LDAP provides support for a range of authentication types, including secure methods. Anonymous authentication does not require or provide security, and simple authentication can be tunneled over SSL or TLS but does not provide security by itself. S-LDAP is not an LDAP protocol.

Answer 89

A

C. Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to uniquely identify between individuals or can be fooled more easily.

Answer 90

A

B. Allowing the relying party to provide the redirect to the OpenID provider could allow a phishing attack by directing clients to a fake OpenID provider that can capture valid credentials. Since the OpenID provider URL is provided by the client, the relying party cannot select the wrong provider. The relying party never receives the user’s password, which means that they can’t steal it. Finally, the relying party receives the signed assertion but does not send one.

Answer 91

A

A. IDaaS, or Identity as a Service, provides an identity platform as a third-party service. This can provide benefits including integration with cloud services and removing overhead for maintenance of traditional on-premise identity systems, but it can also create risk due to third-party control of identity services and reliance on an offsite identity infrastructure.

Answer 92

A

B. Drives in a RAID-5 array are intended to handle failure of a drive. This is an example of a recovery control, which is used to return operations to normal function after a failure. Administrative controls are policies and procedures. Compensation controls help cover for issues with primary controls or improve them. Logical controls are software and hardware mechanisms used to protect resources and systems.

Answer 93

A

D. The Linux filesystem allows the owners of objects to determine the access rights that subjects have to them. This means that it is a discretionary access control. If the system enforced a role-based access control, Alex wouldn’t set the controls; they would be set based on the roles assigned to each subject. A rule-based access control system would apply rules throughout the system, and a mandatory access control system uses classification labels.

Answer 94

A

D. Diameter was designed to provide enhanced, modern features to replace RADIUS. Diameter provides better reliability and a broad range of improved functionality. RADIUS-NG does not exist, Kerberos is not a direct competitor for RADIUS, and TACACS is not an open protocol.

Answer 95

A

A. In this example, uid=ben,ou=sales,dc=example,dc=com, the items proceed from most specific to least specific (broadest) from left to right, as required by a DN.

Answer 96

A

D. Kerberos relies on properly synchronized time on each end of a connection to function. If the local system time is more than 5 minutes out of sync, otherwise valid TGTs will be invalid and the system won’t receive any new tickets.

Answer 97

A

A. Kerberos, KryptoKnight, and SESAME are all single sign-on, or SSO, systems. PKI systems are public key infrastructure systems, CMS systems are content management systems, and LDAP and other directory servers provide information about services, resources, and individuals.

Answer 98

A

B. Locks can be preventative access controls by stopping unwanted access, can deter potential intruders by making access difficult, and are physical access controls. They are not directive controls because they don’t control the actions of subjects.

Answer 99

A

B. Windows uses Kerberos for authentication. RADIUS is typically used for wireless networks, modems, and network devices, while OAuth is primarily used for web applications. TACACS+ is used for network devices.

Answer 100

A

C. The default ports for SSL/TLS LDAP directory information and global catalog services are 636 and 3269, respectively. Unsecure LDAP uses 389, and unsecure global directory services use 3268.

Brainscape's Knowledge GenomeTM

Domain 5 Flashcards

Brainscape's Knowledge Genome^TM