Domain 5 - Identity & Access Management Flashcards

1
Q

Which of the following is best described as an access control
model that focuses on subjects and identifies the objects that
each subject can access?
A. An access control list
B. An implicit denial list
C. A capability table
D. A rights management matrix

A

C. A capability table

C. Capability tables list the privileges assigned to subjects and
identify the objects that subjects can access. Access control lists
are object-focused rather than subject-focused. Implicit deny is
a principle that states that anything that is not explicitly allowed
is denied, and a rights management matrix is not an access
control model.

2
Q

Jim’s organization-wide implementation of IDaaS offers broad
support for cloud-based applications. Jim’s company does not
have internal identity management staff and does not use
centralized identity services. Instead, they rely upon Active
Directory for AAA services. Which of the following options
should Jim recommend to best handle the company’s on-site
identity needs?
A. Integrate on-site systems using OAuth.
B. Use an on-premises third-party identity service.
C. Integrate on-site systems using SAML.
D. Design an internal solution to handle the organization’s
unique needs.

A

B. Use an on-premises third-party identity service.

B. Since Jim’s organization is using a cloud-based identity as a
service solution, a third-party, on-premises identity service can
provide the ability to integrate with the IDaaS solution, and the
company’s use of Active Directory is widely supported by third-party vendors. OAuth is used to log in to third-party websites
using existing credentials and would not meet the needs
described. SAML is a markup language and would not meet the
full set of AAA needs. Since the organization is using Active
Directory, a custom in-house solution is unlikely to be as
effective as a preexisting third-party solution and may take far
more time and expense to implement.

3
Q

Which of the following is not a weakness in Kerberos?
A. The KDC is a single point of failure.
B. Compromise of the KDC would allow attackers to
impersonate any user.
C. Authentication information is not encrypted.
D. It is susceptible to password guessing.

A

C. Authentication information is not encrypted.

C. Kerberos encrypts messages using secret keys, providing
protection for authentication traffic. The KDC both is a single
point of failure and can cause problems if compromised because
keys are stored on the KDC that would allow attackers to
impersonate any user. Like many authentication methods,
Kerberos can be susceptible to password guessing.

4
Q

Voice pattern recognition is what type of authentication factor?
A. Something you know
B. Something you have
C. Something you are
D. Somewhere you are

A

C. Something you are

C. Voice pattern recognition is “something you are,” a biometric
authentication factor, because it measures a physical
characteristic of the individual authenticating.

5
Q

If Susan’s organization requires her to log in with her username,
a PIN, a password, and a retina scan, how many distinct
authentication factor types has she used?
A. One
B. Two
C. Three
D. Four

A

B. Two

B. Susan has used two distinct types of factors: the PIN and
password are both Type 1 factors, and the retina scan is a Type 3
factor. Her username is not a factor.

6
Q

Charles wants to deploy a credential management system
(CMS). He wants to keep the keys as secure as possible. Which
of the following is the best design option for his CMS
implementation?
A. Use AES-256 instead of 3DES.
B. Use long keys.
C. Use an HSM.
D. Change passphrases regularly.

A

C. Use an HSM.

C. Hardware Security Modules, or HSMs, are the most secure
way to store keys associated with a CMS. They provide enhanced
key management capabilities and are often required to be FIPS
certified. In addition to these advantages, an HSM can improve
cryptographic performance for the organization due to dedicated
hardware designed for just that purpose. Long keys and using
AES-256 are good practices, but an HSM provides greater
security and will require appropriate cryptographic controls
already. Changing passphrases can be challenging across an
organization; instead, securing the passphrases and keys is more
important and reasonable for most organizations.

7
Q

Brian is a researcher at a major university. As part of his
research, he logs into a computing cluster hosted at another
institution using his own university’s credentials. Once logged
in, he is able to access the cluster and use resources based on his
role in a research project, as well as using resources and services
in his home organization. What has Brian’s home university
implemented to make this happen?
A. Domain stacking
B. Federated identity management
C. Domain nesting
D. Hybrid login

A

B. Federated identity management

B. Brian’s organization is using a federated identity
management approach where multiple organizations allow
identities to be used across the organizations. Each organization
needs to proof their own staff members’ identities and provide
them with rights and role information that will allow them to
use resources within the federated identity environment.

8
Q

Place the following steps in the order in which they occur during
the Kerberos authentication process.
1. Client/server ticket generated
2. TGT generated
3. Client/TGS key generated
4. User accesses service
5. User provides authentication credentials
A. 5, 3, 2, 1, 4
B. 5, 4, 2, 1, 3
C. 3, 5, 2, 1, 4
D. 5, 3, 1, 2, 4

A

A. 5, 3, 2, 1, 4

A. During the Kerberos authentication process, the steps take
place in the following order: user provides authentication
credentials; client/TGS key generated; TGT generated;
client/server ticket generated; and user accesses service.

9
Q

What major issue often results from decentralized access
control?
A. Access outages may occur.
B. Control is not consistent.
C. Control is too granular.
D. Training costs are high.

A

B. Control is not consistent.

B. Decentralized access control can result in less consistency
because the individuals tasked with control may interpret
policies and requirements differently and may perform their
roles in different ways. Access outages, overly granular control,
and training costs may occur, depending on specific
implementations, but they are not commonly identified issues
with decentralized access control.

10
Q

Callback to a landline phone number is an example of what type
of factor?
A. Something you know
B. Somewhere you are
C. Something you have
D. Something you are

A

B. Somewhere you are

B. A callback to a landline phone number is an example of a
“somewhere you are” factor because of the fixed physical
location of a wired phone. A callback to a mobile phone would
be a “something you have” factor.

11
Q

Kathleen needs to set up an Active Directory trust to allow
authentication with an existing Kerberos K5 domain. What type
of trust does she need to create?
A. A shortcut trust
B. A forest trust
C. An external trust
D. A realm trust

A

D. A realm trust

D. Kerberos uses realms, and the proper type of trust to set up
for an Active Directory environment that needs to connect to a
K5 domain is a realm trust. A shortcut trust is a transitive trust
between parts of a domain tree or forest that shortens the trust
path, a forest trust is a transitive trust between two forest root
domains, and an external trust is a nontransitive trust between
AD domains in separate forests.

12
Q

Which of the following AAA protocols is the most commonly
used?
A. TACACS
B. TACACS+
C. XTACACS
D. Super TACACS

A

B. TACACS+

B. TACACS+ is the only modern protocol on the list. It provides
advantages of both TACACS and XTACACS as well as some
benefits over RADIUS, including encryption of all
authentication information. Super TACACS is not an actual
protocol.

13
Q

Which of the following is not a single sign-on implementation?
A. Kerberos
B. ADFS
C. CAS
D. RADIUS

A

D. RADIUS

D. Kerberos, Active Directory Federation Services (ADFS), and
Central Authentication Services (CAS) are all SSO
implementations. RADIUS is not a single sign-on
implementation, although some vendors use it behind the
scenes to provide authentication for proprietary SSO

14
Q

A user on a Windows system is
not able to use the Send Message functionality. What access
control model best describes this type of limitation?
A. Least privilege
B. Need to know
C. Constrained interface
D. Separation of duties

A

C. Constrained interface

C. Interface restrictions based on user privileges is an example
of a constrained interface. Least privilege describes the idea of
providing users with only the rights they need to accomplish
their job, while need to know limits access based on whether a
subject needs to know the information to accomplish an
assigned task. Separation of duties focuses on preventing fraud
or mistakes by splitting tasks between multiple subjects.

15
Q

What type of access controls allow the owner of a file to grant
other users access to it using an access control list?
A. Role-based
B. Nondiscretionary
C. Rule-based
D. Discretionary

A

D. Discretionary

D. When the owner of a file makes the decisions about who has
rights or access privileges to it, they are using discretionary
access control. Role-based access controls would grant access
based on a subject’s role, while rule-based controls would base
the decision on a set of rules or requirements. Nondiscretionary
access controls apply a fixed set of rules to an environment to
manage access. Nondiscretionary access controls include rule-,
role-, and lattice-based access controls.

16
Q

Alex’s job requires him to see protected health information
(PHI) to ensure proper treatment of patients. His access to their
medical records does not provide access to patient addresses or
billing information. What access control concept best describes
this control?
A. Separation of duties
B. Constrained interfaces
C. Context-dependent control
D. Need to know

A

D. Need to know

D. Need to know is applied when subjects like Alex have access
to only the data they need to accomplish their job. Separation of
duties is used to limit fraud and abuse by having multiple
employees perform parts of a task. Constrained interfaces
restrict what a user can see or do and would be a reasonable
answer if need to know did not describe his access more
completely in this scenario. Context-dependent control relies on
the activity being performed to apply controls, and this question
does not specify a workflow or process.

17
Q

Credentials —> Workstation —A—> KDC

At point A in the diagram, the client sends the username and
password to the KDC. How is the username and password
protected?
A. 3DES encryption
B. TLS encryption
C. SSL encryption
D. AES encryption

A

D. AES encryption

D. The client in Kerberos logins uses AES to encrypt the
username and password prior to sending it to the KDC.

18
Q

Workstation <—B—- KDC

At point B in the diagram, what two important elements does
the KDC send to the client after verifying that the username is
valid?
A. An encrypted TGT and a public key
B. An access ticket and a public key
C. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user’s password
D. An encrypted, time-stamped TGT and an access token

A

C. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user’s password

C. The KDC uses the user’s password to generate a hash and
then uses that hash to encrypt a symmetric key. It transmits
both the encrypted symmetric key and an encrypted time-stamped TGT to the client.

19
Q

What tasks must the client perform before it can use the TGT?
A. It must generate a hash of the TGT and decrypt the
symmetric key.
B. It must accept the TGT and decrypt the symmetric key.
C. It must decrypt the TGT and the symmetric key.
D. It must send a valid response using the symmetric key to
the KDC and must install the TGT.

A

B. It must accept the TGT and decrypt the symmetric key.

B. The client needs to accept the TGT for use until it expires and
must also decrypt the symmetric key using a hash of the user’s
password.

20
Q

Jacob is planning his organization’s biometric authentication
system and is considering retina scans. What concern may be
raised about retina scans by others in his organization?
A. Retina scans can reveal information about medical conditions.
B. Retina scans are painful because they require a puff of air in the user’s eye.
C. Retina scanners are the most expensive type of biometric device.
D. Retina scanners have a high false positive rate and will cause support issues.

A

A. Retina scans can reveal information about medical conditions.

A. Retina scans can reveal additional information, including
high blood pressure and pregnancy, causing privacy concerns.
Newer retina scans don’t require a puff of air, and retina
scanners are not the most expensive biometric factor. Their false
positive rate can typically be adjusted in software, allowing
administrators to adjust their acceptance rate as needed to
balance usability and security.

21
Q

Mandatory access control is based on what type of model?
A. Discretionary
B. Group-based
C. Lattice-based
D. Rule-based

A

C. Lattice-based

C. Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification
labels to compartmentalize data. Discretionary access models
allow object owners to determine access to the objects they
control, role-based access controls are often group-based, and
rule-based access controls like firewall ACLs apply rules to all
subjects they apply to.

22
Q

Greg wants to control access to iPads used throughout his
organization as point-of-sale terminals. Which of the following
methods should he use to allow logical access control for the
devices in a shared environment?
A. Use a shared PIN for all point-of-sale terminals to make
them easier to use.
B. Use OAuth to allow cloud logins for each user.
C. Issue a unique PIN to each user for the iPad they are issued.
D. Use Active Directory and user accounts for logins to the iPads using the AD userID and password.

A

D. Use Active Directory and user accounts for logins to the iPads using the AD userID and password.

D. Using an enterprise authentication system like Active
Directory that requires individuals to log in with their
credentials provides the ability to determine who was logged in
if a problem occurs and also allows Greg to quickly and easily
remove users who are terminated or switch roles. Using a shared
PIN provides no accountability, while unique PINs per user on
specifically issued iPads mean that others will not be able to log
in. OAuth alone does not provide the services and features Greg
needs—it is an authorization service, not an authentication
service.

23
Q

What is the best way to provide accountability for the use of
identities?
A. Logging
B. Authorization
C. Digital signatures
D. Type 1 authentication

A

A. Logging

A. Logging systems can provide accountability for identity
systems by tracking the actions, changes, and other activities a
user or account performs.

24
Q

Jim has worked in human relations, payroll, and customer
service roles in his company over the past few years. What type
of process should his company perform to ensure that he has
appropriate rights?
A. Re-provisioning
B. Account review
C. Privilege creep
D. Account revocation

A

B. Account review

B. As an employee’s role changes, they often experience
privilege creep, which is the accumulation of old rights and
roles. Account review is the process of reviewing accounts and
ensuring that their rights match their owners’ role and job
requirements. Account revocation removes accounts, while re-provisioning might occur if an employee was terminated and
returned or took a leave of absence and returned.

25
Q

Biba is what type of access control model?
A. MAC
B. DAC
C. Role BAC
D. ABAC

A

A. MAC

A. Biba uses a lattice to control access and is a form of the
mandatory access control (MAC) model. It does not use rules,
roles, or attributes, nor does it allow user discretion. Users can
create content at their level or lower but cannot decide who gets
access, levels are not roles, and attributes are not used to make
decisions on access control.

26
Q

Which of the following is a client/server protocol designed to
allow network access servers to authenticate remote users by
sending access request messages to a central server?
A. Kerberos
B. EAP
C. RADIUS
D. OAuth

A

C. RADIUS

C. RADIUS is an AAA protocol used to provide authentication
and authorization; it’s often used for modems, wireless
networks, and network devices. It uses network access servers to
send access requests to central RADIUS servers. Kerberos is a
ticket-based authentication protocol; OAuth is an open standard
for authentication allowing the use of credentials from one site
on third-party sites; and EAP is the Extensible Authentication
Protocol, an authentication framework often used for wireless
networks.

27
Q

Henry is working with a web application development team on
their authentication and authorization process for his company’s
new application. The team wants to make session IDs as secure
as possible. Which of the following is not a best practice that
Henry should recommend?
A. The session ID token should be predictable.
B. The session ID should have at least 64 bits of entropy.
C. The session length should be at least 128 bits.
D. The session ID should be meaningless.

A

A. The session ID token should be predictable.

A. Web application development best practices currently
recommend the use of long session IDs (128 bits or longer) that
have sufficient entropy (randomness) to ensure that they will
not be easily duplicated or brute forced. It is also a best practice
to make sure the session ID itself is meaningless to prevent
information disclosure attacks. Session IDs should expire,
however, because a session that never expires could eventually
be brute forced even if all of these recommendations were met.

27
Q

What type of access control best describes NAC’s posture
assessment capability?
A. A mandatory access control
B. A risk-based access control
C. A discretionary access control
D. A role-based access control

A

B. A risk-based access control

B. NAC’s posturing capability determines if a system is
sufficiently secure and compliant enough to connect to a
network. This is a form of risk-based access control, as systems
that are not compliant are considered higher risk and either are
placed in a quarantine and remediation network or zone or are
prohibited from connecting to the network until they are
compliant.

28
Q

Angela uses a sniffer to monitor traffic from a RADIUS server
configured with default settings. What protocol should she
monitor, and what traffic will she be able to read?
A. UDP, none. All RADIUS traffic is encrypted.
B. TCP, all traffic but the passwords, which are encrypted.
C. UDP, all traffic but the passwords, which are encrypted.
D. TCP, none. All RADIUS traffic is encrypted.

A

C. UDP, all traffic but the passwords, which are encrypted.

C. By default, RADIUS uses UDP and only encrypts passwords.
RADIUS supports TCP and TLS, but this is not a default setting.

29
Q

Alex has been employed by his company for more than a decade
and has held a number of positions in the company. During an
audit, it is discovered that he has access to shared folders and
applications because of his former roles. What issue has Alex’s
company encountered?
A. Excessive provisioning
B. Unauthorized access
C. Privilege creep
D. Account review

A

C. Privilege creep

C. Privilege creep occurs when users retain rights from roles they
held previously that they do not need to accomplish their current
job. Unauthorized access occurs when an unauthorized user
accesses files. Excessive provisioning is not a term used to
describe permissions issues, and account review would help find
issues like this.

29
Q

When an application or system allows a logged-in user to
perform specific actions, it is an example of what?
A. Roles
B. Group management
C. Logins
D. Authorization

A

D. Authorization

D. Authorization provides a user with capabilities or rights.
Roles and group management are both methods that could be
used to match users with rights. Logins are used to validate a
user.

30
Q

Jim’s Microsoft Exchange environment includes servers that are
located in local data centers at multiple business offices around
the world as well as an Office 365 deployment for employees
who are not located at one of those offices. Identities are created
and used in both environments and will work in both. What type
of federated system is Jim running?
A. A primary cloud system
B. A primary on-premise system
C. A hybrid system
D. A multitenant system

A

C. A hybrid system

C. Hybrid systems use both on-premises and cloud identity and
services to provide resources and tools in both environments.
While they can be complex, hybrid systems also provide a
migration path to a fully cloud deployment or for a fault tolerant
design that can handle on-premises or cloud outages while
remaining functional.

31
Q

Geoff wants to prevent privilege escalation attacks in his
organization. Which of the following practices is most likely to
prevent horizontal privilege escalation?
A. Multifactor authentication
B. Limiting permissions for groups and accounts
C. Disabling unused ports and services
D. Sanitizing user inputs to applications

A

A. Multifactor authentication

A. Multifactor authentication is most likely to limit horizontal
privilege escalation by making it difficult to access user accounts
and to authenticate to a compromised account. Limiting
permissions for groups and accounts can also help, but disabling
unused ports and services and sanitizing user inputs both
address threats that are most frequently associated with vertical
privilege escalation attacks.

32
Q

What type of access control scheme is shown in the following table?
Highly Sensitive | Red | Blue | Green
Confidential | Purple | Orange | Yellow
Internal Use | Black | Gray | White
Public | Clear | Clear | Clear

A. RBAC
B. DAC
C. MAC
D. TBAC

A

C. MAC

C. Mandatory access controls use a lattice or matrix to describe
how classification labels relate to each other. In this image,
classification levels are set for each of the labels shown. A
discretionary access control (DAC) system would show how the
owner of the objects allows access. RBAC could be either rule- or
role-based access control and would use either system-wide
rules or roles. Task-based access control (TBAC) would list tasks
for users.

33
Q

Michelle’s company is creating a new division by splitting the marketing and communications departments into two separate groups. She wants to create roles that provide access to resources used by each group. What should she do to maintain the appropriate security and rights for each group?
A. Put both the marketing and communications teams into the existing group because they will have similar access requirements.
B. Keep the marketing team in the existing group and create a new communications group based on their specific needs.
C. Keep the communications team in the existing group and create a new marketing group based on their specific needs.
D. Create two new groups, assess which rights they need to perform their roles, and then add additional rights if required.

A

D. Create two new groups, assess which rights they need to perform their roles, and then add additional rights if required.

D. Copying existing rights to new groups that have different
needs will often result in overly broad privileges. Michelle
should create new groups, move all staff into the appropriate
groups, and then ensure that they have the access and
permissions they need.

34
Q

When a subject claims an identity, what process is occurring?
A. Login
B. Identification
C. Authorization
D. Token presentation

A

B. Identification

B. The process of a subject claiming or professing an identity is
known as identification. Authorization verifies the identity of a
subject by checking a factor like a password. Logins typically
include both identification and authorization, and token
presentation is a type of authentication.

35
Q

Dogs, guards, and fences are all common examples of what type
of control?
A. Detective
B. Recovery
C. Administrative
D. Physical

A

D. Physical

D. Dogs, guards, and fences are all examples of physical
controls. While dogs and guards might detect a problem, fences
cannot, so they are not all examples of detective controls. None
of these controls would help repair or restore functionality after
an issue, and thus they are not recovery controls, nor are they
administrative controls that involve policy or procedures,
although the guards might refer to them when performing their
duties.

36
Q

Susan’s organization is updating its password policy and wants
to use the strongest possible passwords. What password
requirement will have the highest impact in preventing brute-force attacks?
A. Change maximum age from 1 year to 180 days.
B. Increase the minimum password length from 8 characters to 16 characters.
C. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.
D. Retain a password history of at least four passwords to prevent reuse.

A

B. Increase the minimum password length from 8 characters to 16 characters.

B. Password complexity is driven by length, and a longer
password will be more effective against brute-force attacks than
a shorter password. Each character of additional length
increases the difficulty by the size of the potential character set
(for example, a single lowercase character makes the passwords
26 times more difficult to crack). While each of the other
settings is useful for a strong password policy, they won’t have
the same impact on brute-force attacks.

37
Q

Alaina is performing a regularly scheduled review for service
accounts. Which of the following events should she be most
concerned about?
A. An interactive login for the service account
B. A password change for the service account
C. Limitations placed on the service account’s rights
D. Local use of the service account

A

A. An interactive login for the service account

A. Interactive login for a service account is a critical warning
sign, either of compromise or bad administrative practices. In
either case, Alaina should immediately work to determine why
the account logged in, what occurred, and if the interactive login
was done remotely or locally. A remote interactive login for a
service account in any professionally maintained environment is
an almost guaranteed sign of compromise. Password changes for
service accounts may be done as part of ongoing password
expiration processes, limitations should always be placed on
service accounts rights to ensure that they are only those
required, and a local use of the service account as part of the
service is a normal event.

38
Q

When might an organization using biometrics choose to allow a
higher FRR instead of a higher FAR?
A. When security is more important than usability
B. When false rejection is not a concern due to data quality
C. When the CER of the system is not known
D. When the CER of the system is very high

A

A. When security is more important than usability

A. Organizations that have very strict security requirements
that don’t have a tolerance for false acceptance want to lower the
false acceptance rate, or FAR, to be as near to zero as possible.
That often means that the false rejection rate, or FRR, increases.
Different biometric technologies or a better registration method
can help improve biometric performance, but false rejections
due to data quality are not typically a concern with modern
biometric systems. In this case, knowing the crossover error
rate, or CER, or having a very high CER doesn’t help the
decision.

39
Q

After recent reports of undesired access to workstations after
hours, Derek has been asked to find a way to ensure that
maintenance staff cannot log in to workstations in business
offices. The maintenance staff members do have systems in their
break rooms and their offices for the organization, which they
still need access to. What should Derek do to meet this need?
A. Require multifactor authentication and only allow office staff to have multifactor tokens.
B. Use rule-based access control to prevent logins after hours in the business area.
C. Use role-based access control by setting up a group that contains all maintenance staff and then give that group rights to log into only the designated workstations.
D. Use geofencing to only allow logins in maintenance areas.

A

C. Use role-based access control by setting up a group that contains all maintenance staff and then give that group rights to log into only the designated workstations.

C. The most efficient use of Derek’s time would be to create a
group that is populated with all maintenance staff and then to
give that group login rights only to the designated PCs. While
time-based constraints might help, in this case they would
continue to allow maintenance staff to log in during business
hours to PCs they are not intended to use, leaving a gap in the
control. Multifactor authentication as described does not meet
the requirements of the scenario but may be a good idea overall
for greater security for authentication across the organization.
Geofencing is typically not accurate enough to rely on inside of
buildings for specific PCs.

40
Q

Alex is concerned about eavesdropping on the SAML traffic and
also wants to ensure that forged assertions will not be
successful. What should he do to prevent these potential
attacks?
A. Use SAML’s secure mode to provide secure authentication.
B. Implement TLS using a strong cipher suite, which will protect against both types of attacks.
C. Implement TLS using a strong cipher suite and use digital signatures.
D. Implement TLS using a strong cipher suite and message hashing.

A

C. Implement TLS using a strong cipher suite and use digital signatures.

C. TLS provides message confidentiality and integrity, which
can prevent eavesdropping. When paired with digital signatures,
which provide integrity and authentication, forged assertions
can also be defeated. SAML does not have a security mode and
relies on TLS and digital signatures to ensure security if needed.
Message hashing without a signature would help prevent
modification of the message but won’t necessarily provide
authentication.

41
Q

Nick wants to do session management for his web application.
Which of the following are common web application session
management techniques or methods? (Select all that apply.)
A. IP tracking
B. Cookies
C. URL rewriting
D. TLS tokens

A

B. Cookies
C. URL rewriting

B, C. Common session management techniques include the use
of cookies, hidden form fields, URL rewriting, and built-in
frameworks like Java’s HTTPSession. IP tracking may be
included in session information but is not itself a complete
session identifier, and TLS token binding is used to make TLS
sessions more secure, not to provide session identification.

42
Q

If Alex’s organization is one that is primarily made up of off-site,
traveling users, what availability risk does integration of critical
business applications to on-site authentication create, and how
could he solve it?
A. Third-party integration may not be trustworthy; use SSL and digital signatures.
B. If the home organization is offline, traveling users won’t be able to access third-party applications; implement a hybrid cloud/local authentication system.
C. Local users may not be properly redirected to the third-party services; implement a local gateway.
D. Browsers may not properly redirect; use host files to ensure that issues with redirects are resolved.

A

B. If the home organization is offline, traveling users won’t be able to access third-party applications; implement a hybrid cloud/local authentication system.

B. Integration with cloud-based third parties that rely on local
authentication can fail if the local organization’s internet
connectivity or servers are offline. Adopting a hybrid cloud and
local authentication system can ensure that internet or server
outages are handled, allowing authentication to work regardless
of where the user is or if their home organization is online.
Using encrypted and signed communication does not address
availability, redirects are a configuration issue with the third
party, and a local gateway won’t handle remote users. Also, host
files don’t help with availability issues with services other than
DNS.

43
Q

What solution can best help address concerns about third
parties that control SSO redirects as shown in step 2 in the
diagram?
A. An awareness campaign about trusted third parties
B. TLS
C. Handling redirects at the local site
D. Implementing an IPS to capture SSO redirect attacks

A

A. An awareness campaign about trusted third parties

A. While many solutions are technical, if a trusted third party
redirects to an unexpected authentication site, awareness is
often the best defense. Using TLS would keep the transaction
confidential but would not prevent the redirect. Handling
redirects locally works only for locally hosted sites, and using a
third-party service requires off-site redirects. An IPS might
detect an attacker’s redirect, but tracking the multitude of load-balanced servers most large providers use can be challenging, if
not impossible. In addition, an IPS relies on visibility into the
traffic, and SAML integrations should be encrypted for security,
which would require a man-in-the-middle type of IPS to be
configured.

44
Q

Which of the following tools is not typically used to verify that a
provisioning process was followed in a way that ensures that the
organization’s security policy is being followed?
A. Log review
B. Manual review of permissions
C. Signature-based detection
D. Review the audit trail

A

C. Signature-based detection

C. While signature-based detection is used to detect attacks,
review of provisioning processes typically involves checking logs,
reviewing the audit trail, or performing a manual review of
permissions granted during the provisioning process.

44
Q

Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority

A

B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility

B. Discretionary access control (DAC) can provide greater
scalability by leveraging many administrators, and those
administrators can add flexibility by making decisions about
access to their objects without fitting into an inflexible
mandatory access control system (MAC). MAC is more secure
due to the strong set of controls it provides, but it does not scale
as well as DAC and is relatively inflexible in comparison.

45
Q

Jessica needs to send information about services she is
provisioning to a third-party organization. What standards-based markup language should she choose to build the
interface?
A. SAML
B. SOAP
C. SPML
D. XACML

A

C. SPML

C. Service Provisioning Markup Language, or SPML, is an
XML-based language designed to allow platforms to generate
and respond to provisioning requests. SAML is used to exchange
authorization and authentication data, while XACML is used to
describe access controls. SOAP, or Simple Object Access
Protocol, is a messaging protocol and could be used for any XML
messaging but is not a markup language itself.

46
Q

During a penetration test, Chris recovers a file containing
hashed passwords for the system he is attempting to access.
What type of attack is most likely to succeed against the hashed
passwords?
A. A brute-force attack
B. A pass-the-hash attack
C. A rainbow table attack
D. A salt recovery attack

A

C. A rainbow table attack

C. Rainbow tables are databases of pre-hashed passwords
paired with high-speed lookup functions. Since they can quickly
compare known hashes against those in a file, using rainbow
tables is the fastest way to quickly determine passwords from
hashes. A brute-force attack may eventually succeed but will be
very slow against most hashes. Pass-the-hash attacks rely on
sniffed or otherwise acquired NTLM or LanMan hashes being
sent to a system to avoid the need to know a user’s password.
Salts are data added to a hash to avoid the use of tools like
rainbow tables. A salt added to a password means the hash won’t
match a rainbow table generated without the same salt.

47
Q

Google’s identity integration with a variety of organizations and
applications across domains is an example of which of the
following?
A. PKI
B. Federation
C. Single sign-on
D. Provisioning

A

B. Federation

B. Google’s federation with other applications and organizations
allows single sign-on as well as management of their electronic
identity and its related attributes. While this is an example of
SSO, it goes beyond simple single sign-on. Provisioning provides
accounts and rights, and a public key infrastructure is used for
certificate management.

48
Q

Amanda starts at her new job and finds that she has access to a
variety of systems that she does not need to accomplish her job.
What problem has she encountered?
A. Privilege creep
B. Rights collision
C. Least privilege
D. Excessive privileges

A

D. Excessive privileges

D. When users have more rights than they need to accomplish
their job, they have excessive privileges. This is a violation of the
concept of least privilege. Unlike creeping privileges, this is a
provisioning or rights management issue rather than a problem
of retention of rights the user needed but no longer requires.
Rights collision is a made-up term and thus is not an issue here.

49
Q

When Chris verifies an individual’s identity and adds a unique
identifier like a user ID to an identity system, what process has
occurred?
A. Identity proofing
B. Registration
C. Directory management
D. Session management

A

B. Registration

B. Registration is the process of adding a user to an identity
management system. This includes creating their unique
identifier and adding any attribute information that is
associated with their identity. Proofing occurs when the user
provides information to prove who they are. Directories are
managed to maintain lists of users, services, and other items.
Session management tracks application and user sessions.

50
Q

Selah wants to provide accountability for actions performed via
her organization’s main line of business application. What
controls are most frequently used to provide accountability in a
situation like this? (Select all that apply.)
A. Enable audit logging.
B. Provide every staff member with a unique account and enable multifactor authentication.
C. Enable time- and location-based login requirements.
D. Provide every staff member with a unique account and require a self-selected password.

A

A. Enable audit logging.
B. Provide every staff member with a unique account and enable multifactor authentication.

A, B. Audit logging when combined with user accounts that can
reliably be expected to only be accessible to a specific user due to
the use of multifactor authentication is frequently used to
provide strong accountability for actions taken via systems and
applications. A password can be shared, making it less reliable,
and time and location requirements are useful security controls
but do not impact accountability.

51
Q

Charles wants to provide authorization services as part of his
web application. What standard should he use if he wants to
integrate easily with other web identity providers?
A. OpenID
B. TACACS+
C. RADIUS
D. OAuth

A

D. OAuth

D. OAuth is the most widely used open standard for
authorization and delegation of rights for cloud services.
OpenID is used for authentication, and TACACS+ and RADIUS
are primarily used on-site for authentication and authorization
for network devices.

52
Q

The company that Cameron works for uses a system that allows
users to request privileged access to systems when necessary.
Cameron requests access, and the request is pre-approved due
to his role. He is then able to access the system to perform the
task. Once he is done, the rights are removed. What type of
system is he using?
A. Zero trust
B. Federated identity management
C. Single sign-on
D. Just-in-time access

A

D. Just-in-time access

D. Cameron is using a just-in-time (JIT) system that provides
the access needed when it is needed. A zero trust system
requires authentication and authorization when actions are
performed but does not necessarily require privileges to be
granted and removed when they are needed.

53
Q

Elle is responsible for building a banking website. She needs
proof of the identity of the users who register for the site. How
should she validate user identities?
A. Require users to create unique questions that only they will know.
B. Require new users to bring their driver’s license or passport in person to the bank.
C. Use information that both the bank and the user have such as questions pulled from their credit report.
D. Call the user on their registered phone number to verify that they are who they claim to be.

A

C. Use information that both the bank and the user have such as questions pulled from their credit report.

C. Identity proofing can be done by comparing user information
that the organization already has, like account numbers or
personal information. Requiring users to create unique
questions can help with future support by providing a way for
them to do password resets. Using a phone call only verifies that
the individual who created the account has the phone that they
registered and won’t prove their identity. In-person verification
would not fit the business needs of most websites.

54
Q

Susan’s organization is part of a federation that allows users
from multiple organizations to access resources and services at
other federated sites. When Susan wants to use a service at a
partner site, which identity provider is used?
A. Susan’s home organization’s identity provider
B. The service provider’s identity provider
C. Both their identity provider and the service provider’s
identity provider
D. The service provider creates a new identity

A

A. Susan’s home organization’s identity provider

A. Federations use a user’s home organization’s identity
provider (IDP). Service providers query those identity providers
when the user attempts to authenticate to the service and, if the
request is validated, allow access based on the rules and policies
set for the service based on attributes that may be relevant that
are provided by the IDP.

55
Q

A new customer at a bank that uses fingerprint scanners to
authenticate its users is surprised when he scans his fingerprint
and is logged in to another customer’s account. What type of
biometric factor error occurred?
A. A registration error
B. A Type 1 error
C. A Type 2 error
D. A time of use, method of use error

A

C. A Type 2 error

C. Type 2 errors occur in biometric systems when an invalid
subject is incorrectly authenticated as a valid user. In this case,
nobody except the actual customer should be validated when
fingerprints are scanned. Type 1 errors occur when a valid
subject is not authenticated; if the existing customer was
rejected, it would be a Type 1 error. Registration is the process of
adding users, but registration errors and time of use, method of
use errors are not specific biometric authentication terms.

56
Q

What type of access control is typically used by firewalls?
A. Discretionary access controls
B. Rule-based access controls
C. Task-based access control
D. Mandatory access controls

A

B. Rule-based access controls

B. Firewalls use rule-based access control, or Rule-BAC, in their
access control lists and apply rules created by administrators to
all traffic that passes through them. DAC, or discretionary access
control, allows owners to determine who can access objects they
control, while task-based access control lists tasks for users.
MAC, or mandatory access control, uses classifications to
determine access.

57
Q

When you input a user ID and password, you are performing
what important identity and access management activity?
A. Authorization
B. Validation
C. Authentication
D. Login

A

C. Authentication

C. When you input a username and password, you are
authenticating yourself by providing a unique identifier and a
verification that you are the person who should have that
identifier (the password). Authorization is the process of
determining what a user is allowed to do. Validation and login
both describe elements of what is happening in the process;
however, they aren’t the most important identity and access
management activity.

58
Q

Kathleen works for a data center hosting facility that provides
physical data center space for individuals and organizations.
Until recently, each client was given a magnetic-strip-based
keycard to access the section of the facility where their servers
are located, and they were also given a key to access the cage or
rack where their servers reside. In the past month, a number of
servers have been stolen, but the logs for the passcards show
only valid IDs. What is Kathleen’s best option to make sure that
the users of the passcards are who they are supposed to be?
A. Add a reader that requires a PIN for passcard users.
B. Add a camera system to the facility to observe who is
accessing servers.
C. Add a biometric factor.
D. Replace the magnetic stripe keycards with smartcards.

A

C. Add a biometric factor.

C. Kathleen should implement a biometric factor. The cards and
keys are an example of a Type 2 factor, or “something you have.”
Using a smart card replaces this with another Type 2 factor, but
the cards could still be loaned out or stolen. Adding a PIN
suffers from the same problem: a PIN can be stolen. Adding
cameras doesn’t prevent access to the facility and thus doesn’t
solve the immediate problem (but it is a good idea!).

59
Q

Theresa wants to allow her staff to securely store and manage
passwords for systems including service accounts and other
rarely used administrative credentials. What type of tool should
she implement to enable this?
A. Single sign-on
B. A federated identity system
C. A password manager
D. A multifactor authentication system

A

C. A password manager

C. Enterprise password management tools allow passwords to
be securely generated, stored, and managed. They can provide
logs of who uses passwords, when they were updated, and if they
meet complexity and other requirements. Of course, this means
that the keys to your environment are all in one place, so
securing and managing the enterprise password manager is very
important!

60
Q

Olivia wants to limit the commands that a user can run via sudo
to limit the potential for privilege escalation attacks. What Linux
file should she modify to allow this?
A. The bash .bin configuration file
B. The sudoers file
C. The bash .allowed configuration file
D. The sudont file

A

B. The sudoers file

B. The sudoers file can list the specific users who can use sudo as
well as the commands or directories that are allowed for them.

61
Q

Which objects and subjects have a label in a MAC model?
A. Objects and subjects that are classified as Confidential,
Secret, or Top Secret have a label.
B. All objects have a label, and all subjects have a
compartment.
C. All objects and subjects have a label.
D. All subjects have a label and all objects have a
compartment.

A

C. All objects and subjects have a label.

C. In a mandatory access control system, all subjects and
objects have a label. Compartments may or may not be used, but
there is not a specific requirement for either subjects or objects
to be compartmentalized. The specific labels of Confidential,
Secret, and Top Secret are not required by MAC.

62
Q

What type of attack is the creation and exchange of state tokens
intended to prevent?
A. XSS
B. CSRF
C. SQL injection
D. XACML

A

B. CSRF

B. The anti-forgery state token exchanged during OAuth
sessions is intended to prevent cross-site request forgery. This
makes sure that the unique session token with the
authentication response from Google’s OAuth service is
available to verify that the user, not an attacker, is making a
request. XSS attacks focus on scripting and would have script
tags involved, SQL injection would have SQL code included, and
XACML is the eXtensible Access Control Markup Language, not
a type of attack.

63
Q

When the e-commerce application creates an account for a
Google user, where should that user’s password be stored?
A. The password is stored in the e-commerce application’s database.
B. The password is stored in memory on the e-commerce application’s server.
C. The password is stored in Google’s account management system.
D. The password is never stored; instead, a salted hash is stored in Google’s account management system.

A

D. The password is never stored; instead, a salted hash is stored in Google’s account management system.

D. Passwords are never stored for web applications in a well-designed environment. Instead, salted hashes are stored and
compared to passwords after they are salted and hashed. If the
hashes match, the user is authenticated.

64
Q

Which of the following is responsible for user authentication for
Google users?
A. The e-commerce application.
B. Both the e-commerce application and Google servers.
C. Google servers.
D. The diagram does not provide enough information to
determine this.

A

C. Google servers.

C. When a third-party site integrates via OAuth 2.0,
authentication is handled by the service provider’s servers. In
this case, Google is acting as the service provider for user
authentication. Authentication for local users who create their
own accounts would occur in the e-commerce application (or a
related server), but that is not the question that is asked here.

65
Q

Questions like “What is your pet’s name?” are examples of what
type of identity proofing?
A. Knowledge-based authentication
B. Dynamic knowledge-based authentication
C. Out-of-band identity proofing
D. A Type 3 authentication factor

A

A. Knowledge-based authentication

A. Knowledge-based authentication relies on preset questions
such as “What is your pet’s name?” and the answers. It can be
susceptible to attacks because of the availability of the answers
on social media or other sites. Dynamic knowledge-based
authentication relies on facts or data that the user already knows
that can be used to create questions they can answer on an as-needed basis (for example, a previous address or a school they
attended). Out-of-band identity proofing relies on an alternate
channel like a phone call or text message. Finally, Type 3
authentication factors are biometric, or “something you are,”
rather than knowledge-based.

66
Q

Madhuri creates a table that includes assigned privileges,
objects, and subjects to manage access control for the systems
she is responsible for. Each time a subject attempts to access an
object, the systems check the table to ensure that the subject has
the appropriate rights to the objects. What type of access control
system is Madhuri using?
A. A capability table
B. An access control list
C. An access control matrix
D. A subject/object rights management system

A

C. An access control matrix

C. An access control matrix is a table that lists objects, subjects,
and their privileges. Access control lists focus on objects and
which subjects can access them. Capability tables list subjects
and what objects they can access. Subject/object rights
management systems are not based on an access control model.

67
Q

During a review of support tickets, Ben’s organization
discovered that password changes accounted for more than a
quarter of its help desk’s cases. Which of the following options
would be most likely to decrease that number significantly?
A. Two-factor authentication
B. Biometric authentication
C. Self-service password reset
D. Passphrases

A

C. Self-service password reset

C. Self-service password reset tools typically have a significant
impact on the number of password reset contacts that a help
desk has. Two-factor and biometric authentication both add
complexity and may actually increase the number of contacts.
Passphrases can be easier to remember than traditional complex
passwords and may decrease calls, but they don’t have the same
impact that a self-service system does.

68
Q

Brian’s large organization has used RADIUS for AAA services for
its network devices for years and has recently become aware of
security issues with the unencrypted information transferred
during authentication. How should Brian implement encryption
for RADIUS?
A. Use the built-in encryption in RADIUS.
B. Implement RADIUS over its native UDP using TLS for protection.
C. Implement RADIUS over TCP using TLS for protection.
D. Use an AES256 pre-shared cipher between devices.

A

C. Implement RADIUS over TCP using TLS for protection.

C. RADIUS supports TLS over TCP. RADIUS does not have a
supported TLS mode over UDP. AES pre-shared symmetric
ciphers are not a supported solution and would be difficult to
both implement and maintain in a large environment, and the
built-in encryption in RADIUS only protects passwords.

69
Q

Jim wants to allow cloud-based applications to act on his behalf
to access information from other sites. Which of the following
tools can allow that?
A. Kerberos
B. OAuth
C. OpenID
D. LDAP

A

B. OAuth

B. OAuth provides the ability to access resources from another
service and would meet Jim’s needs. OpenID would allow him to
use an account from another service with his application, and
Kerberos and LDAP are used more frequently for in-house
services.

70
Q

Ben’s organization has had an issue with unauthorized access to
applications and workstations during the lunch hour when
employees aren’t at their desk. What are the best types of
session management solutions for Ben to recommend to help
prevent this type of access?
A. Use session IDs for all access and verify system IP addresses of all workstations.
B. Set session timeouts for applications and use password-protected screensavers with inactivity timeouts on workstations.
C. Use session IDs for all applications, and use password-protected screensavers with inactivity timeouts on workstations.
D. Set session timeouts for applications and verify system IP addresses of all workstations.

A

B. Set session timeouts for applications and use password-protected screensavers with inactivity timeouts on workstations.

B. Since physical access to the workstations is part of the
problem, setting application timeouts and password-protected
screensavers with relatively short inactivity timeouts can help
prevent unauthorized access. Using session IDs for all
applications and verifying system IP addresses would be helpful
for online attacks against applications.

71
Q

What type of authentication scenario is shown in the following
diagram?
A. Hybrid federation
B. On-premise federation
C. Cloud federation
D. Kerberos federation

A

A. Hybrid federation

A. This diagram shows an example of hybrid federation where
authentication occurs on-premises and services are provided
through a federated identity service in the cloud.

71
Q

Chris wants to control access to his facility while still identifying
individuals. He also wants to ensure that the individuals are the
people who are being admitted without significant ongoing
costs. Which solutions from the following options would meet all
of these requirements? (Select all that apply.)
A. Security guards and photo identification badges
B. RFID badges and readers with PIN pads
C. Magstripe badges and readers with PIN pads
D. Security guards and magstripe readers

A

B. RFID badges and readers with PIN pads
C. Magstripe badges and readers with PIN pads

B, C. The best answers in the scenario that Chris faces are either
RFID or magstripe readers and PIN pads. Guards create
ongoing expenses, and any solution without a PIN will allow a
stolen or cloned badge to be used without validating that the
person accessing the building is a legitimate user. While a guard
can prevent a stolen badge and PIN combination, this is only
used in environments where the cost is justifiable.

72
Q

A device like Yubikey or Titan Security Key is what type of Type
2 authentication factor?
A. A token
B. A biometric identifier
C. A smart card
D. A PIV

A

A. A token

A. Yubikeys, Titan Security Keys, and similar devices are
examples of tokens. PIV stands for personal identity verification
and is a full multifactor authentication solution, not a device.
Biometric identifiers are something you are, and a smart card is
a card with an embedded chip.

73
Q

Jim wants to implement an access control scheme that will
ensure that users cannot delegate access. He also wants to
enforce access control at the operating system level. What access
control mechanism best fits these requirements?
A. Role-based access control
B. Discretionary access control
C. Mandatory access control
D. Attribute-based access control

A

C. Mandatory access control

C. In a mandatory access control system, the operating system
enforces access control, and users cannot delegate rights.
Discretionary access control allows users to delegate rights, and
neither attribute nor role-based access control specifically meets
these requirements.

73
Q

What authentication technology can be paired with OAuth to
perform identity verification and obtain user profile information
using a RESTful API?
A. SAML
B. Shibboleth
C. OpenID Connect
D. Higgins

A

C. OpenID Connect

C. OpenID Connect is a RESTful, JSON-based authentication
protocol that, when paired with OAuth, can provide identity
verification and basic profile information. SAML is the Security
Assertion Markup Language, Shibboleth is a federated identity
solution designed to allow web-based SSO, and Higgins is an
open source project designed to provide users with control over
the release of their identity information.

74
Q

The security administrators at the company that Susan works
for have configured the workstation she uses to allow her to log
in only during her work hours. What type of access control best
describes this limitation?
A. Constrained interface
B. Context-dependent control
C. Content-dependent control
D. Least privilege

A

B. Context-dependent control

B. Time-based controls are an example of context-dependent
controls. A constrained interface would limit what Susan was
able to do in an application or system interface, while content-dependent control would limit her access to content based on
her role or rights. Least privilege is used to ensure that subjects
only receive the rights they need to perform their role.

75
Q

Ben uses a software-based token that changes its code every
minute. What type of token is he using?
A. Asynchronous
B. Smart card
C. Synchronous
D. Static

A

C. Synchronous

C. Synchronous soft tokens, such as Google Authenticator, use a
time-based algorithm that generates a constantly changing
series of codes. Asynchronous tokens typically require a
challenge to be entered on the token to allow it to calculate a
response, which the server compares to the response it expects.
Smartcards typically present a certificate but may have other
token capabilities built-in. Static tokens are physical devices that
can contain credentials and include smart cards and memory
cards.

76
Q

Firewalls are an example of what type of access control
mechanism?
A. Mandatory access control
B. Attribute-based access control
C. Discretionary access control
D. Rule-based access control

A

D. Rule-based access control

D. Firewalls operate based on a ruleset and are an example of a
rule-based access control scheme.

77
Q

Michelle works for a financial services company and wants to
register customers for her web application. What type of
authentication mechanism could she use for the initial login if
she wants to quickly and automatically verify that the person is
who they claim to be without having a previous relationship with
them?
A. Request their Social Security number.
B. Use knowledge-based authentication.
C. Perform manual identity verification.
D. Use a biometric factor.

A

B. Use knowledge-based authentication.

B. Knowledge-based authentication is used by some financial
institutions to validate the identity of new users. It uses
information from tax and financial records that is unlikely to be
available to others, allowing new users to provide details like
their last credit card payment, mortgage payment, or other
information to validate their identity. A Social Security number
is somewhat trivial to acquire via paid services or other means,
and manually validating identities is neither quick nor
automatic. A biometric factor would require a previous
enrollment, making this unsuitable for new customers.

78
Q

Megan’s company wants to use Google accounts to allow users to
quickly adopt their web application. What common cloud
federation technologies will Megan need to implement? (Select
all that apply.)
A. Kerberos
B. OpenID
C. OAuth
D. RADIUS

A

B. OpenID
C. OAuth

B, C. Google accounts, like many cloud identity providers, rely on
OpenID and OAuth. Kerberos is used for on-premises
environments, and RADIUS is frequently used for
authentication and authorization for network devices and
services like VPN.

79
Q

Session ID length and session ID entropy are both important to
prevent what type of attack?
A. Denial of service
B. Cookie theft
C. Session guessing
D. Man-in-the-middle attacks

A

C. Session guessing

C. Best practices for session management involve a long session
ID (often 128 bits or longer) and enough randomness or entropy
to make it hard to guess session IDs. This makes brute-force or
algorithmic guessing attacks unlikely unless there is a flaw in the
implementation. These do not prevent denial-of-service or man-in-the-middle attacks, and cookie attacks are focused on
acquiring and reading or reusing cookies in most scenarios.

80
Q

The access control system for Naomi’s organization checks if her
computer is fully patched, if it has a successful clean antimalware scan, and if the firewall is turned on among other
security validations before it allows her to connect to the
network. If there are potential issues, she is not permitted to
connect and must contact support. What type of access control
scheme best describes this type of process?
A. MAC
B. Rule-based access control
C. Role-based access control
D. Risk-based access control

A

D. Risk-based access control

D. Risk-based access control models risk using information that
is available when the access request is created. Information
about the request and the risk it may create is calculated based
on risk values and compared to access policies. If the risk value
is acceptable, access is granted. One of the most common
examples of this in organizations is NAC, or network access
control, where a system is profiled to determine security risk
and compliance before admission to a network. This can be seen
as a more specific example of rule-based access control. Role-based access control bases its decisions on the roles of the
individuals, whereas mandatory access control is enforced by
the operating system.

81
Q

Isabelle wants to prevent privilege escalation attacks via her
organization’s service accounts. Which of the following security
practices is best suited to this?
A. Remove unnecessary rights.
B. Disable interactive login for service accounts.
C. Limit when accounts can log in.
D. Use meaningless or randomized names for service accounts.

A

A. Remove unnecessary rights.

A. The most important step in securing service accounts is to
ensure that they have only the rights that are absolutely needed
to accomplish the task they are designed for. Disabling
interactive logins is important as well and would be the next best
answer. Limiting when accounts can log in and using
randomized or meaningless account names can both be helpful
in some circumstances but are far less important.

82
Q

What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider?
A. It may cause incorrect selection of the proper OpenID provider.
B. It creates the possibility of a phishing attack by sending data to a fake OpenID provider.
C. The relying party may be able to steal the client’s username and password.
D. The relying party may not send a signed assertion.

A

B. It creates the possibility of a phishing attack by sending data to a fake OpenID provider.

B. Allowing the relying party to provide the redirect to the
OpenID provider could allow a phishing attack by directing
clients to a fake OpenID provider that can capture valid
credentials. Since the OpenID provider URL is provided by the
client, the relying party cannot select the wrong provider. The
relying party never receives the user’s password, which means
that they can’t steal it. Finally, the relying party receives the
signed assertion but does not send one.

83
Q

Jim is implementing a cloud identity solution for his
organization. What type of technology is he putting in place?
A. Identity as a service
B. Employee ID as a service
C. Cloud-based RADIUS
D. OAuth

A

A. Identity as a service

A. IDaaS, or identity as a service, provides an identity platform
as a third-party service. This can provide benefits including
integration with cloud services and removing overhead for
maintenance of traditional on-premises identity systems, but it
can also create risk due to third-party control of identity services
and reliance on an off-site identity infrastructure.

84
Q

Kristen wants to control access to an application in her
organization based on a combination of staff members' job titles,
the permissions each group of titles needs for the application,
and the time of day and location. What type of control scheme
should she select?
A. ABAC
B. DAC
C. MAC
D. Role BAC

A

A. ABAC

A. Attributes used for ABAC often fall into one of four
categories: subject attributes like department or title; action
attributes like the ability to view, edit, or delete; object attributes
that describe the object that can be impacted; and contextual
attributes like location, time, or elements. Discretionary access
control would place these decisions in the hands of trusted
subjects, MAC would enforce it at the operating system level,
and role BAC would use only roles instead of the full set of
criteria Kristen wants to apply.

85
Q

Joanna leads her organization’s identity management team and
wants to ensure that roles are properly updated when staff
members change to new positions. What issue should she focus
on for those staff members to avoid future issues with role
definition?
A. Registration
B. Privilege creep
C. Deprovisioning
D. Accountability

A

B. Privilege creep

B. Privilege creep is a constant concern when staff change roles
over time. Privileges from previous roles may be easy to forget or
to retain during transition because staff may continue to help
cover the tasks or processes the individual previously
performed. Over time, these forgotten rights and privileges can
stack, leaving the staff member with rights that their current
role should not have. Registration is a concern for new staff,
while de-provisioning is a concern for departing staff.
Accountability is typically provided by IAM systems by
authenticating and logging access and privilege usage.

86
Q

When Alex sets the permissions as shown below as one of many users on a Linux server, what type of access control model is he leveraging?
drwxr-xr-x 2 alex root 4096
drwxr-xr-x 3 root root 4096
-rwx-wx--x 1 alex alex

A. Role-based access control
B. Rule-based access control
C. Mandatory access control (MAC)
D. Discretionary access control (DAC)

A

D. Discretionary access control (DAC)

D. The Linux filesystem allows the owners of objects to
determine the access rights that subjects have to them. This
means that it is a discretionary access control. If the system
enforced a role-based access control, Alex wouldn’t set the
controls; they would be set based on the roles assigned to each
subject. A rule-based access control system would apply rules
throughout the system, and a mandatory access control system
uses classification labels.

87
Q

What type of authorization mechanism is shown in the following chart?
Group | Privileges
Sys Admins | Super User on desktop, domain admin
App Admins | Sudo privs on app servers
DB Admins | User rights on workstations

A. RBAC
B. ABAC
C. MAC
D. DAC

A

A. RBAC

A. This is a role-based access control (RBAC) chart noting that
each group has specific rights by roles. Attribute-based access
control (ABAC) would use other attributes including things like
location, mandatory access control (MAC) would be enforced by
the operating system, and discretionary access control (DAC)
allows subjects like users to set rights on objects they control.

88
Q

Brian wants to explain the benefits of an on-premises federation
approach for identity to his organization’s leadership. Which of
the following is not a common benefit of a federated identity
system?
A. Ease of account management
B. Single sign-on
C. Prevention of brute-force attacks
D. Increased productivity

A

C. Prevention of brute-force attacks

C. Single sign-on (SSO) is part of identity federation. It also
means that account management is simpler since multiple
accounts don’t have to be maintained for users who need to
access systems and resources across the federation. Productivity
can increase because staff don’t have to remember multiple
logins and can use SSO to log in once instead of multiple times.
It does not, however, do anything to prevent brute-force attacks,
and in fact, a single account with broad access can make it easier
for an attacker to gain that broader access unless solutions like
multifactor authentication are put in place.

88
Q

Susan is troubleshooting Kerberos authentication problems with
symptoms including TGTs that are not accepted as valid and an
inability to receive new tickets. If the system she is
troubleshooting is properly configured for Kerberos
authentication, her username and password are correct, and her
network connection is functioning, what is the most likely issue?
A. The Kerberos server is offline.
B. There is a protocol mismatch.
C. The client’s TGTs have been marked as compromised and
de-authorized.
D. The Kerberos server and the local client’s time clocks are
not synchronized.

A

D. The Kerberos server and the local client’s time clocks are
not synchronized.

D. Kerberos relies on properly synchronized time on each end of
a connection to function. If the local system time is more than
five minutes out of sync, valid TGTs will be invalid, and the
system won’t receive any new tickets.

89
Q

The bank that Aaron works for wants to allow customers to use a
new add-on application from a third-party partner they are
working with. Since not every customer will want or need an
account, Aaron has suggested that the bank use a SAML-based
workflow that creates an account when a user downloads the
app and tries to log in. What type of provisioning system has he
suggested?
A. JIT
B. OpenID
C. OAuth
D. Kerberos

A

A. JIT

A. A JIT, or just-in-time, provisioning mechanism creates
accounts when they are needed rather than creating them in
advance. This is an effective method to limit the number of
accounts being maintained and can be useful if user account
numbers are part of a licensing agreement. OAuth, OpenID, and
Kerberos are not mentioned in the question.

90
Q

What authentication protocol does Windows use by default for
Active Directory systems?
A. RADIUS
B. Kerberos
C. OAuth
D. TACACS+

A

B. Kerberos

B. Windows uses Kerberos for authentication. RADIUS is
typically used for wireless networks, modems, and network
devices, while OAuth is primarily used for web applications.
TACACS+ is used for network devices.

91
Q

Valerie needs to control access to applications that are deployed
to mobile devices in a BYOD environment. What type of solution
will best allow her to exercise control over the applications while
ensuring that they do not leave remnant data on the devices
used by her end users?
A. Deploy the applications to the BYOD devices and require unique PINs on every device.
B. Deploy the application to desktop systems and require users to use remote desktop to access them using enterprise authentication.
C. Deploy the applications to the BYOD devices using application containers and require unique PINs on every device.
D. Use a virtual hosted application environment that requires authentication using enterprise credentials.

A

D. Use a virtual hosted application environment that requires authentication using enterprise credentials.

D. When very high levels of control are needed or when
endpoint devices cannot be trusted, using a centralized
environment with remote connectivity and enterprise
authentication can provide appropriate security.

92
Q

Match the following authorization mechanisms with their
descriptions:
1. Role-BAC
2. Rule BAC
3. DAC
4. ABAC
5. MAC
A. An access control model enforced by the operating system.
B. Permissions or rights are granted based on parameters like
an IP address, time, or other specific details that match
requirements.
C. Sometimes called policy-based access control, this model
uses information about the subject to assign permissions.
D. A model where subjects with the proper rights can assign or
pass those rights to other subjects.
E. Used to assign permissions based on job or function.

A

1. E
2. B
3. D
4. C
5. A

93
Q

Match each of the numbered authentication techniques with the
appropriate lettered category. Each technique should be
matched with exactly one category. Each category may be used
once, more than once, or not at all.
Authentication technique
1. Password
2. ID card
3. Retinal scan
4. Smartphone token
5. Fingerprint analysis
Category
A. Something you have
B. Something you know
C. Something you are

A

The security controls match with the categories as follows:
1. Password: B. Something you know
2. ID card: A. Something you have
3. Retinal scan: C. Something you are
4. Smartphone token: A. Something you have
5. Fingerprint analysis: C. Something you are

94
Q

Match the following identity and access controls with the asset
type they are best suited to protect. Each only has one option.
1. Information assets
2. Systems
3. Mobile devices
4. Facilities
5. Partner applications
A. Discretionary access controls
B. Badge readers
C. Federated identity management
D. Biometric authentication
E. User accounts with multifactor authentication

A

1. A
2. E
3. D
4. B
5. C