Domain 5: Identity and Access Management (IAM) Flashcards

Master IAM-related terminology including authentication, authorization, and identity lifecycle.

1
Q

Define:

AAA Server

A

A network server that manages user access through authentication, determines user permissions via authorization, and logs user activity for accounting purposes.

A server that provides authentication, authorization, and accounting services for network devices and users. It verifies the identity of a user or device, grants or denies access based on predefined policies, and records session details (who logged in, from where, for how long) for auditing and billing. Network access devices such as VPN concentrators, switches, and wireless controllers act as clients of a central AAA server, typically over RADIUS, TACACS+, or Diameter, so that access policy is enforced and user activity tracked in one place rather than separately on every device.

Or visit this Wikipedia page.

2
Q

Define:

Access

A

The permission to enter or use a system, network, resource, or data, managed through authentication and authorization to protect against unauthorized use.

In the context of IT and cybersecurity, access refers to the permission or ability to enter or use a system, network, resource, or data. Managing access involves authenticating users to confirm their identity and authorizing them to interact with certain information or functionalities based on their roles, responsibilities, and established security policies. Access controls are put in place to prevent unauthorized individuals from gaining entry to sensitive systems or information, thereby protecting the confidentiality, integrity, and availability of data. Access can be categorized into physical access, which pertains to entering facilities, and logical access, related to using computer networks, systems, and data.

For more information, view this lecture on Introduction to Access Control. Or visit this Wikipedia page.

3
Q

Define:

Access Control

A

The selective restriction of access to a system or network, where users must be authorized and authenticated to access specific resources, thereby protecting sensitive data.

Refers to the systematic regulation of the ability of authenticated users to view, use, or alter resources. This procedure safeguards sensitive data from unauthorized access, protects system integrity, and prevents potential disruptions. It includes techniques such as role-based access control (RBAC), discretionary access control (DAC), and mandatory access control (MAC), which decide the level of user access based on assigned roles, user discretion, and adherence to policies, respectively.

For more information, view this lecture on Introduction to Access Control. Or visit this Wikipedia page.

4
Q

Define:

Access Control List

(ACL)

A

A list attached to an object (such as a file, directory, or network interface) that names the subjects permitted to access it and the operations each may perform.

An ACL is one column of the access control matrix, stored with the object it protects: it enumerates which users, groups, or system processes may access the object and what operations (read, write, execute, delete, and so on) each is allowed. Because the list lives with the object, answering "who can access this file?" is cheap, while answering "what can this user access?" requires scanning every ACL. ACLs are a key concept in file permissions, network security (router and firewall ACLs filter traffic by address and port), and database management, where the right balance between security and usability must be maintained.

For more information, view this lecture on Security models and concepts- Part 2. Or visit this Wikipedia page.

5
Q

Define:

Access Control Matrix

A

A tabular representation of access permissions where rows are subjects (like users) and columns are objects (like files), showing who has what type of access.

A two-dimensional table used to describe an access control policy within a system. The rows represent subjects (users or processes), the columns represent objects (files, directories, devices), and each cell holds the access rights the subject has over the object. The matrix offers a comprehensive view of the access rights in a system and assists in designing, implementing, and auditing policy, but it is usually sparse and rarely stored whole: implementations decompose it into ACLs (one column each, kept with the object) or capability lists (one row each, held by the subject).

For more information, view this lecture on Security models and concepts- Part 2. Or visit this Wikipedia page.

6
Q

Define:

Access Control Mechanism

A

A security framework or system that ensures only authenticated and authorized users can access certain resources, enforcing the overall security policy.

A process or system that manages access to resources within a system by enforcing policies and rules. These mechanisms often involve elements of identification, authentication, authorization, and accountability. They are integral to maintaining the security of a system by ensuring that only properly authenticated and authorized users gain access to the resources they require and no more.

For more information, view this lecture on Access control systems. Or visit this Wikipedia page.

7
Q

Define:

Access Control Model

A

A theoretical model defining the conditions under which users (subjects) can access various system resources (objects), examples include DAC, MAC, and RBAC.

A framework that dictates how subjects (users or processes) access objects (resources) within a system. Common models include Discretionary Access Control (DAC), where the owner of an object decides who may access it and can pass that permission on at their own discretion; Mandatory Access Control (MAC), where the system enforces access by comparing security labels (a subject's clearance against an object's classification) and users cannot override the policy; and Role-Based Access Control (RBAC), where permissions are attached to roles and users acquire them by being assigned to roles rather than through their individual identities.

For more information, view this lecture on Security models and concepts - Introduction. Or visit this Wikipedia page.

8
Q

Define:

Access Level

A

Categorization of the degree of authorization a user has when accessing a network or system, often tied to user roles, with administrative levels granting more permissions than standard levels.

A categorization of the degree of authorization that a user has when accessing a network or system. These levels often correspond to the roles of users and determine what kind of operations they can perform on the system. For instance, a user with an administrative access level has more permissions compared to a user with a standard access level. Defining access levels is a key part of access control and is crucial for maintaining system security and data integrity.

For more information, view this lecture on Introduction to Access Control. Or visit this Wikipedia page.

9
Q

Define:

Access Management Lifecycle

A

The end-to-end set of processes for managing access to a system or network: provisioning accounts and entitlements when a user joins, adjusting and reviewing them as roles change, monitoring their use, and revoking them when the user leaves.

The set of processes and procedures for managing access to a system or network over its whole life, from initial provisioning and authentication, through ongoing monitoring and periodic review, to the revoking of access at offboarding. It is used by organizations to ensure the security of their networks and data and to prevent unauthorized access. Examples include enforcing password and multi-factor policies, conducting regular audits of user access, removing dormant and orphaned accounts, and training users on secure access practices.

For more information, view this lecture on Identity and access provisioning.

10
Q

Define:

Access Method

A

The technique or protocol used to retrieve data from storage or transmit data over a network, which varies depending on the type of data, storage medium, or network architecture.

The technique or protocol that a system uses to locate and retrieve data from storage or transmit data over a network. Different access methods might be used depending on the type of data, the storage medium, or the network architecture. By defining standard access methods, systems can ensure data interoperability, optimize performance, and maintain data integrity and security.

Or visit this Wikipedia page.

11
Q

Define:

Access Path

A

The route or sequence of operations used by a database management system to retrieve data based on a query, which impacts query performance and data security.

The route or means through which data is retrieved from a database. This typically involves a series of steps or operations that the database management system executes based on a given query, such as scanning an index or traversing a table. Efficient access paths can significantly improve query performance and system responsiveness while also ensuring that data access adheres to security and integrity constraints.

12
Q

Define:

Access Profile

A

A predefined set of permissions and settings that outline what a user or role can do within a system, including data access rights and interface customization.

A predefined set of permissions and settings that determines what a user or role can do within a system. It can include parameters such as data access rights, available functionalities, and interface customization. By assigning users to appropriate access profiles, a system can effectively control access, streamline user management, and ensure that users have the necessary capabilities to perform their tasks without compromising security.

For more information, view this lecture on Identity and access provisioning.

13
Q

Define:

Access Rights

A

Privileges or permissions granted to a user or group to perform operations such as reading, writing, or deleting data, or accessing specific resources within a system.

The privileges or permissions that are granted to a user or group of users within a system or network. These rights can include the ability to read, write, modify, or delete data, as well as access specific resources or functions within the system. For example, a user may have read-only access to a company’s financial reports, while another user may have full access to the company’s customer database.

Or visit this Wikipedia page.

14
Q

Define:

Access Server

A

A server that controls access to a network by providing authentication, authorization, and accounting services, and decides whether to grant or deny access based on policies.

A server that controls access to a network and its resources, often by providing authentication, authorization, and accounting services. It can serve as a point of entry into a network, handling connection requests from users and deciding whether to grant or deny access based on predefined policies. By centralizing access control, an access server enhances security, simplifies management, and provides a foundation for auditing and monitoring user activities.

Or visit this Wikipedia page.

15
Q

Define:

Access Type

A

The nature of operations a user can perform on a resource, including actions like reading, writing, executing, or deleting data, critical for setting access controls.

The kind of operations that a user or role can perform on a resource within a system. Common access types include read (viewing data), write (modifying data), execute (running a program or script), and delete (removing data). Defining access types is a critical part of access control, as it helps maintain data integrity, prevent unauthorized actions, and ensure that users have the necessary permissions to perform their tasks.

16
Q

Define:

Account Access Review

A

The regular assessment of user account permissions to ensure they align with current roles, responsibilities, and to remove any unnecessary access.

The process of regularly reviewing and assessing the access granted to user accounts on a system or network. It is used to ensure that access is appropriate and in line with the user’s current roles and responsibilities and to identify and remove any unnecessary or unused access. Examples of account access reviews include reviewing access to shared resources, such as files and databases, and assessing the need for access to specific applications or systems.

For more information, view this lecture on Identity and access provisioning.

17
Q

Define:

Account Lockout

A

A security feature that locks an account after several failed login attempts to prevent unauthorized access, part of a comprehensive password policy.

A security measure that automatically locks an account after a certain number of failed login attempts within a given period. It is used to slow online password guessing and is commonly found in password policies. Examples - A user tries to log in to their email account and enters the wrong password 5 times, causing the account to be locked. An employee attempts to access a secure database but forgets their password, resulting in their account being locked after 3 failed attempts. Thresholds and durations are a trade-off: a low threshold with an indefinite lockout lets an attacker deliberately lock legitimate users out (a denial of service), so lockouts are usually temporary or escalating and are combined with rate limiting and alerting.
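As an added example (not from the flashcards), the following Python sketch implements a lockout policy with a sliding window and an automatic unlock, and shows the denial-of-service side effect: while the account is locked, even the correct password is refused. The threshold, window and lockout values, and the credential store, are assumptions constructed for the example.

```python
import hmac
from collections import deque


class LockoutPolicy:
    """Locks an account after `threshold` failed attempts inside a sliding window
    of `window_seconds`, for `lockout_seconds`. Values are assumptions for this example."""

    def __init__(self, threshold=5, window_seconds=900, lockout_seconds=900):
        self.threshold = threshold
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = {}      # account -> deque of failure timestamps
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:
            # lock expired: clear the state so the user gets a fresh window
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account, now):
        """Register a failed attempt; returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        q = self._failures.setdefault(account, deque())
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.threshold:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)


# Constructed credential store; real systems compare against a salted password hash.
PASSWORDS = {"alice": "s3cret!", "bob": "hunter2"}


def attempt_login(policy, account, password, now):
    """Returns LOCKED, OK or BAD_PASSWORD. A locked account is refused even when the
    password is right, which is what makes lockout usable as a denial of service."""
    if policy.is_locked(account, now):
        return "LOCKED"
    expected = PASSWORDS.get(account, "")
    if hmac.compare_digest(password.encode(), expected.encode()):
        policy.record_success(account)
        return "OK"
    return "LOCKED" if policy.record_failure(account, now) else "BAD_PASSWORD"
```

Note that unknown accounts are tracked like real ones, so an attacker cannot tell from the lockout behaviour whether an account exists; and because the window slides, failures spaced further apart than the window never accumulate to the threshold.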

For more information, view this lecture on Identity and access provisioning.

18
Q

Define:

Account Management

A

The process of creating and handling user accounts, including setting up, modifying, and disabling accounts, to secure access to systems and networks.

The process of creating, maintaining, and managing user accounts on a system or network. It is used to ensure that only authorized users have access to the system and that access is granted and revoked in a controlled and secure manner. Examples of account management include setting up new user accounts, modifying existing accounts, and disabling accounts when necessary.

19
Q

Define:

Adaptive Authentication

A

Adaptive Authentication dynamically adjusts verification processes based on user behavior, context, or risk factors, strengthening security by applying more rigorous checks when anomalies or threats are detected.

Adaptive Authentication is a flexible, context-aware security method that evaluates multiple factors, including login location, time of access, device profiles, and user behaviors. By assigning risk scores at each step, it enables organizations to decide whether to demand additional authentication measures, such as multi-factor prompts. This approach not only improves user experience by minimizing friction but also enhances protection against compromised credentials, session hijacking, and sophisticated attack vectors. Its dynamic nature helps maintain a balanced security posture while preserving usability.
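The following Python example is added here, not from the original flashcards, to show how a risk-based decision can be built from login context: each signal carries a weight, the weights are summed, and the total is mapped to allow, step-up (require an additional factor), or deny. The signals, weights, thresholds and the sample user profile are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    hour_utc: int            # hour of day of the attempt, 0-23
    ip_on_threat_feed: bool  # e.g. source IP listed by a reputation feed


@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)   # typical working hours (UTC) for this user


# Signal weights and decision thresholds are assumptions chosen for this example.
WEIGHTS = {"new_device": 30, "unusual_country": 40, "off_hours": 15, "bad_ip": 50}
STEP_UP_AT = 30   # at or above: require an additional factor
DENY_AT = 80      # at or above: refuse outright


def risk_signals(ctx, profile):
    """List the risk signals present in this login attempt."""
    signals = []
    if ctx.device_id not in profile.known_devices:
        signals.append("new_device")
    if ctx.country not in profile.usual_countries:
        signals.append("unusual_country")
    if ctx.hour_utc not in profile.usual_hours:
        signals.append("off_hours")
    if ctx.ip_on_threat_feed:
        signals.append("bad_ip")
    return signals


def decide(score):
    if score >= DENY_AT:
        return "DENY"
    if score >= STEP_UP_AT:
        return "STEP_UP"
    return "ALLOW"


def evaluate(ctx, profile):
    """Returns (decision, score, signals) for the attempt."""
    signals = risk_signals(ctx, profile)
    score = sum(WEIGHTS[s] for s in signals)
    return decide(score), score, signals


def on_step_up_passed(ctx, profile):
    """After a successful MFA prompt, remember the device so the next login has less friction."""
    profile.known_devices.add(ctx.device_id)
```

The last function is where the usability gain comes from: a device that has passed step-up once stops contributing to the score, so the extra prompt is only seen when something about the context actually changes.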

Or visit this Wikipedia page.

20
Q

Define:

Administrative Controls

A

Policies and procedures established by an organization to regulate user behavior and system operations, guiding the use and management of IT resources.

Policies and procedures implemented by an organization to manage and regulate user behavior and system operation. These include security policies, operating procedures, rules of behavior, and personnel controls, among others. Administrative controls are a vital part of an organization’s overall security strategy, serving to guide the appropriate use and handling of resources, define roles and responsibilities, and establish processes for monitoring, incident response, and recovery. They complement technical and physical controls to create a multi-layered defense against security threats.

For more information, view this lecture on Access Control Categories and Types. Or visit this Wikipedia page.

21
Q

Define:

Anonymous Authentication

A

An access method allowing system interaction without user identification, used to protect privacy in public services like Wi-Fi hotspots.

A method of access where a system allows users to interact without providing any identifying information. This is often used to protect user privacy and is typical in services where user identification is unnecessary, like public Wi-Fi access points or certain online forums and services.

22
Q

Define:

Attribute

A

A characteristic or quality of an object or entity, used in data modeling to describe properties of data elements, like a customer’s name or product details.

A characteristic or quality of an object or entity. It is used in data modeling to describe the properties or characteristics of a data element. Examples include the name, address, and phone number of a customer or the product name, price, and quantity of an order.

For more information, view this lecture on Identity and access provisioning.

23
Q

Define:

Attribute-Based Access Control

(ABAC)

A

A resource access model evaluating user, resource, and environmental attributes to provide granular and flexible authorization.

A model that controls access to resources based on the evaluation of attributes associated with the user, the resource to be accessed, and current environmental conditions. This sophisticated method allows for flexible, fine-grained access control, catering to a wide range of potential scenarios. ABAC is particularly useful in complex environments where role-based access control (RBAC) may be too rigid or insufficient.
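An added Python illustration (not from the flashcards) of ABAC evaluation: the policy is a set of rules over subject, action, resource and environment attributes, and access is permitted only if every rule passes. The attribute names, classification levels and rules are assumptions made up for the example.

```python
# Attribute-based policy. Attribute names, levels and rules are assumptions for this example.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def rule_same_department(subject, action, resource, env):
    return subject["department"] == resource["owner_department"]


def rule_clearance_sufficient(subject, action, resource, env):
    return LEVELS[subject["clearance"]] >= LEVELS[resource["classification"]]


def rule_sensitive_only_in_office_hours(subject, action, resource, env):
    # Environmental attributes: confidential material only from the corporate network, 08:00-18:00
    if LEVELS[resource["classification"]] >= LEVELS["confidential"]:
        return env["network"] == "corporate" and 8 <= env["hour"] < 18
    return True


def rule_contractors_read_only(subject, action, resource, env):
    return action == "read" if subject["employment_type"] == "contractor" else True


POLICY = [rule_same_department, rule_clearance_sufficient,
          rule_sensitive_only_in_office_hours, rule_contractors_read_only]


def authorize(subject, action, resource, env, policy=POLICY):
    """Deny by default: PERMIT only if every rule passes. Returns (decision, failed_rule_names)."""
    failed = [r.__name__ for r in policy if not r(subject, action, resource, env)]
    return ("PERMIT" if not failed else "DENY"), failed
```

Returning the names of the failed rules alongside the decision is what makes such a policy auditable: a denial can be explained to the user and logged with its cause, and a new rule can be added without touching any role definitions.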

For more information, view this lecture on Authorization. Or visit this Wikipedia page.

24
Q

Define:

Authenticate

A

The process of verifying an identity, such as confirming a user or device’s right to access information before granting system or network access.

This refers to the process of verifying the identity of a user, device, or transaction. It is used to confirm that the user or device has the right to access the information or perform the action being requested. For example, a user may be asked to enter a password or provide a biometric identifier to authenticate their identity before accessing a secure website or system.

For more information, view this lecture on Introduction to Access Control. Or visit this Wikipedia page.

25
# Define: Authentication System
A methodology to verify the legitimacy of users or devices accessing a secure environment, utilizing credentials, biometrics, or digital certificates. ## Footnote A process or methodology implemented to verify the legitimacy of a user, system, or device seeking access to a secured environment. Such systems commonly involve credentials like usernames and passwords but can also use more advanced methods, such as biometric identification, smart cards, or digital certificates, in order to uphold the integrity of the secured area or data. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Authentication).*
26
# Define: Authenticator
Data or an element used to confirm claimed identity, such as passwords or biometric features, or a device managing such authentication data. ## Footnote A piece of data used to verify the claim of an identity. This could be a password, token, biometric feature, or other element associated with a specific user. In a broader sense, an authenticator can also refer to a device or software that generates or manages such authentication data, for instance, a hardware token that generates one-time passwords. *For more information, view this lecture on [Network Authentication Protocols](https://courses.thorteaches.com/courses/take/cissp/lessons/19178311-network-authentication-protocols). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Authenticator).*
27
# Define: Authenticity - Parkerian Hexad
Represents the verified trustworthiness and origin of data. ## Footnote Authenticity in the Parkerian Hexad ensures that information is genuine and comes from a trusted source. It involves verifying the data's origin and integrity to prevent tampering, manipulation, or forgery. This property is essential for maintaining trust in data exchanges and securing communication channels, as unverified data can lead to significant security breaches and erroneous decision-making. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Parkerian_Hexad#Authenticity).*
28
# Define: Authorization
Determining the permissions of an authenticated user, such as which resources or data they can access, based on predefined rules or policies. ## Footnote The process of determining what permissions an authenticated user has access to. It's the step that follows authentication - once the system confirms the user's identity, it then determines what resources, data, or areas the user can access or manipulate based on predefined policies or rules. *For more information, view this lecture on [IAAA- Part 1- Identification, Authentication, Authorization, and Accountability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551727-iaaa-part-1-identification-authentication-authorization-and-accountability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Authorization).*
29
# Define: Bar Code
Parallel lines or bars representing machine-readable data, used to track products or objects in industries such as retail, healthcare, and logistics. ## Footnote A series of parallel lines or bars of varying widths that represent data in a machine-readable format. It is commonly used to identify and track products, documents, or other objects in a variety of industries, including retail, healthcare, and logistics. Examples include the barcodes found on retail products, patient identification wristbands in hospitals, and shipping labels for packages. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Barcode).*
30
# Define: Basic Authentication
An authentication scheme that transmits the username and password Base64-encoded but not encrypted, so it is insecure over untrusted networks unless carried inside a secure transport layer like HTTPS. ## Footnote An HTTP authentication scheme in which the client sends the username and password in the Authorization header as a Base64-encoded "username:password" string. Base64 is an encoding, not encryption, so anyone who can observe the traffic can recover the credentials; the scheme is only acceptable when the connection itself is protected by a secure transport layer such as HTTPS, and even then the credentials are retransmitted with every request. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Basic_access_authentication).*
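The following Python example is added here (not part of the flashcards) to make the point concrete: the Authorization header is built and then decoded exactly as an on-path observer would decode it, and the server-side check refuses Basic credentials that did not arrive over TLS. The user store is constructed sample data.

```python
import base64
import binascii
import hmac


def build_basic_header(username, password):
    """Client side (RFC 7617): Base64 of "username:password" in the Authorization header."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_credentials(header):
    """What any on-path observer can do with a captured header: reverse the encoding."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic header")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, pwd = decoded.partition(":")   # username may not contain ':'; the password may
    if not sep:
        raise ValueError("malformed credentials")
    return user, pwd


# Constructed user store for the example; real systems store salted password hashes.
USERS = {"alice": "correct horse battery staple"}


def check_request(header, is_tls):
    """Server side: refuse Basic over plaintext, then verify with a constant-time compare."""
    if not is_tls:
        return 403, "Basic authentication is only accepted over HTTPS"
    try:
        user, pwd = recover_credentials(header)
    except (ValueError, UnicodeDecodeError, binascii.Error):
        return 401, "Unauthorized"
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(pwd.encode("utf-8"), expected.encode("utf-8")):
        return 401, "Unauthorized"
    return 200, f"Hello {user}"
```

`recover_credentials` is deliberately the same function the server uses: there is no secret in the transformation, which is the whole objection to Basic on an unprotected channel.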
31
# Define: Binding
The linkage creation between software objects and data elements, variables, or user actions, with cybersecurity applications ensuring the secure association of credentials. ## Footnote In computing, this refers to the creation of a linkage between a software object and a data element, a variable and its value, or a user action and a program response. In the realm of cybersecurity, binding often relates to the secure association of credentials with users or devices to ensure secure authentication processes.
32
# Define: Biometric Locks
An advanced security device using unique biological traits for authentication, providing secure access through non-transferable and hard-to-replicate verification methods. ## Footnote Advanced security devices that use unique biological traits, such as fingerprints, eye patterns, or facial recognition, to authenticate and grant access to individuals. Biometric locks enhance security by providing a non-transferable and difficult-to-replicate method for verifying identity. *For more information, view this lecture on [Type 3 Authentication - "Something you are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Smart_lock).*
33
# Define: Biometrics
The use of biological characteristics, such as fingerprints or facial features, for identity verification, applied across security, healthcare, and finance to increase accuracy and prevent fraud. ## Footnote The science and technology of using biological characteristics, such as fingerprints or facial features, to identify individuals and verify their identity. This concept is used in various fields, including security, healthcare, and finance, to improve accuracy and reduce the risk of identity fraud. *For more information, view this lecture on [Type 3 Authentication - "Something you are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Biometrics).*
34
# Define: Broken Authentication
Security flaws in the authentication process that allow unauthorized users to impersonate legitimate ones, due to weak policies or mishandling of identifiers, leading to potential data breaches. ## Footnote This refers to flaws or vulnerabilities in a system's authentication processes that could allow an unauthorized individual to assume the identity of a legitimate user. This could occur due to issues such as weak password policies, insecure account recovery methods, or improperly managed session identifiers. Once an attacker exploits these flaws, they can perform actions with the same privileges as the compromised user, potentially leading to unauthorized data access, data manipulation, or other damaging actions.
35
# Define: Capability Table
A security structure, bound to a subject, that lists the objects a user or process may access and the actions permitted on each. ## Footnote A capability table (or capability list) is one row of the access control matrix: it is kept with the subject (a user, process, or piece of software) and lists each object that subject may act on together with the operations allowed on it. It is the mirror image of an ACL, which is kept with the object and lists subjects. Capabilities make it cheap to answer "what can this user do?" and to remove all of a departing user's access, whereas finding everyone who can reach a given object requires scanning every subject's table. In either form the table gives a comprehensive view of what is and is not permitted and assists in enforcing a secure environment.
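The following Python example, added here and not part of the original flashcards, makes the relationship between the access control matrix (card 5), ACLs (card 4), capability tables (this card) and an account access review (card 16) concrete: both views are derived from the same matrix, each kind of revocation is cheap in one view, and the review is a diff of the matrix against an approved set. The subjects, objects and rights are constructed sample data.

```python
# Access control matrix: rows are subjects, columns are objects, cells are sets of rights.
# The subjects, objects and rights here are constructed sample data for the example.
MATRIX = {
    "alice":      {"payroll.xlsx": {"read", "write"}, "/var/log/auth.log": {"read"}},
    "bob":        {"payroll.xlsx": {"read"}},
    "backup-svc": {"payroll.xlsx": {"read"}, "/var/log/auth.log": {"read"}},
}


def sample_matrix():
    """Fresh, mutable copy of the sample matrix."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in MATRIX.items()}


def acl(matrix, obj):
    """Column view: the ACL stored with an object, mapping subject -> rights."""
    return {subj: set(objs[obj]) for subj, objs in matrix.items() if obj in objs}


def capability_list(matrix, subject):
    """Row view: the capability table held by a subject, mapping object -> rights."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items()}


def is_permitted(matrix, subject, obj, right):
    """Reference-monitor check, deny by default: the right must be in the cell."""
    return right in matrix.get(subject, {}).get(obj, set())


def revoke_object(matrix, obj):
    """Cheap with ACLs: clear one column, i.e. remove the object from every row."""
    for objs in matrix.values():
        objs.pop(obj, None)


def revoke_subject(matrix, subject):
    """Cheap with capabilities: clear one row, i.e. drop everything the subject holds."""
    matrix.pop(subject, None)


def audit(matrix):
    """Flatten the matrix into sorted (subject, object, right) triples for an access review."""
    return sorted((s, o, r) for s, objs in matrix.items()
                  for o, rights in objs.items() for r in rights)


def excess_rights(matrix, approved):
    """Account access review: rights present in the matrix that are not in the approved set.
    `approved` is a set of (subject, object, right) triples the resource owners signed off on."""
    return [t for t in audit(matrix) if t not in approved]
```

In the sample data the review flags the backup service account's read access to the payroll file and both readers of the auth log, which is exactly the kind of accumulated, never-approved access a periodic review exists to find.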
36
# Define: Card Swipe
The action of reading a card's magnetic stripe through a reader device to facilitate electronic transactions, with security measures to protect against unauthorized breaches. ## Footnote The action of reading the magnetic stripe of a card, such as a credit or debit card, through a card reader device. Card swipe technology is utilized to facilitate electronic transactions by securely transferring cardholder information to a point-of-sale (POS) system. Security measures are integral to card swipe systems to protect against fraud and unauthorized data breaches. *For more information, view this lecture on [Physical Security- Part 4](https://courses.thorteaches.com/courses/take/cissp/lessons/19632100-physical-security-part-4). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Magnetic_stripe_card).*
37
# Define: Certificate
A digital document binding a public key to an identity, verifying entities in online transactions, and part of a public key infrastructure. ## Footnote Often referred to as a digital certificate or a public key certificate, a certificate is a digital document that binds a public key to an identity. This document is used in various forms of online transactions and communications to prove the identity of an entity, like a person, company, or server. Certificates play a key role in public key infrastructure (PKI) systems, helping to prevent impersonation and interception by confirming that an entity is who it claims to be and thus promoting trust and security in digital communications. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Public_key_certificate).*
38
# Define: Certificate Authority | (CA)
An entity issuing digital certificates to verify identities in digital communications, ensuring secure online transactions and data transfer. ## Footnote An entity that issues digital certificates, which are used to verify the identity of organizations and individuals in digital communications, ensuring secure transactions and data transfer over the Internet. The CA validates entities and binds a public key with an identity, producing a certificate that can be used for secure communication. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Certificate_authority).*
39
# Define: Certificate Management
The process overseeing digital certificates' lifecycle, ensuring they remain effective and correctly used to prevent security lapses. ## Footnote The process of creating, storing, distributing, revoking, and managing digital certificates. It involves oversight of the lifecycle of certificates to ensure they are up to date and being used correctly, preventing security lapses due to expired or compromised certificates. Good certificate management practices are essential for maintaining the security of encrypted communications and transactions. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Certificate_Management_Protocol).*
40
# Define: Certificate Policies
Rules defining the applicability of certificates to a community or class of application with common security requirements, outlining actions under various circumstances. ## Footnote A set of rules that outline the applicability of a specific certificate to a particular community and/or class of application with common security requirements. These rules define what actions should be taken under different circumstances, such as the process of issuing, renewing, or revoking a certificate. By providing a framework for the application and use of digital certificates, Certificate Policies ensure that all entities involved follow consistent practices, which is crucial for maintaining trust and security in digital transactions and communications. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Certificate_policy).*
41
# Define: Certificate Practice Statement | (CPS)
A document by a Certificate Authority outlining practices and procedures for managing the lifecycle of certificates, from issuance to revocation. ## Footnote A detailed document published by a Certificate Authority that outlines the practices and procedures used to manage the lifecycle of a certificate, from its issuance to its expiration or revocation. The CPS provides a comprehensive view of the CA's operations, including validation procedures, security measures, and liabilities. By adhering to the guidelines outlined in the CPS, the CA ensures the integrity, authenticity, and reliability of the certificates it issues, which, in turn, fosters trust and security in digital environments. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Certificate_policy).*
42
# Define: Certificate Revocation
Declaring a digital certificate invalid before its expiration due to issues like compromised keys, performed by the issuing authority and published through CRLs or OCSP. ## Footnote The process of declaring a digital certificate as no longer valid before its scheduled expiration date. This can occur for a number of reasons, such as the certificate's private key being compromised, the certificate being issued in error, or the certificate holder no longer requiring it. Revocation is performed by the issuing Certificate Authority, which then publishes the revoked status on a Certificate Revocation List (CRL), reissued on a schedule, and/or through an Online Certificate Status Protocol (OCSP) responder that answers status queries on demand. Relying parties only learn of the revocation when they fetch a fresh CRL or query OCSP, so a revoked certificate may continue to be accepted until that happens; timely revocation combined with fresh status checks is therefore critical to preventing the use of invalid certificates and the unauthorized access or data breaches that would follow. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Certificate_revocation_list).*
43
# Define: Certificate Revocation List | (CRL)
A document by a Certificate Authority listing digital certificates that have been revoked before expiration, ensuring they are not trusted. ## Footnote A specific type of document maintained and published by a Certificate Authority that contains a list of digital certificates that have been revoked before their scheduled expiration date. The CRL is regularly updated and checked by services using the certificates, ensuring that any certificate that has been revoked is not trusted. By providing real-time information about the validity of certificates, CRLs play a vital role in maintaining the trust and security inherent in digital transactions and communications. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Certificate_revocation_list).*
44
# Define: Certificate-Based Authentication
A process using a digital certificate to prove identity, commonly issued by a trusted authority, preventing spoofing and man-in-the-middle attacks. ## Footnote A digital identification process where a client or server proves their identity to another by showing a digital certificate. It's a way to ensure that an individual, device, or website is exactly who or what it purports to be to avoid spoofing or man-in-the-middle attacks. The certificates are issued by a trusted Certificate Authority, which verifies the identity of the entity before issuing the certificate. Certificate-based authentication is widely used in secure environments due to its robustness and ability to provide two-factor and mutual authentication. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Public_key_infrastructure).*
45
# Define: Challenge Handshake Authentication Protocol | (CHAP)
A network authentication protocol where the server sends a challenge to the client, who must return a hashed value for successful authentication. ## Footnote A network authentication protocol where the server challenges a client to prove its identity. The server sends a unique challenge string, and the client responds with a value obtained by hashing the challenge with its password. If the values match, authentication is successful. CHAP provides more security than password-based authentication because the password is not sent over the network. It also periodically re-authenticates to protect against session hijacking. *For more information, view this lecture on [Network authentication protocols](https://courses.thorteaches.com/courses/take/cissp/lessons/19178311-network-authentication-protocols). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Challenge-Handshake_Authentication_Protocol).*
46
# Define: Challenge/Response Token
A security token generating a response to a challenge from an authentication system, confirming user identity using a secret key or algorithm. ## Footnote A security token or device that produces a response code used in authentication processes. When presented with a challenge, such as a numeric code or a nonce provided by the authentication system, the token generates a corresponding response based on a secret key or algorithm. This response is then used to verify the user's identity. These tokens enhance security by requiring something the user has (the token) in addition to something the user knows (a PIN or password). *For more information, view this lecture on [Type 2 authentication - "Something you have" or "Possession factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178858-type-2-authentication-something-you-have-or-possession-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_token#Password_types).*
47
# Define: Challenge-Response Authentication
An authentication method where a server presents a challenge and the user or system must provide a valid encrypted response to access. ## Footnote A method of authentication in which a server presents a question or challenge to a user or system seeking access, who must then provide a valid answer or response. This type of authentication is often used in scenarios where passwords alone are deemed insufficiently secure. The challenge is typically a random number, and the response is the correct encryption of this number using a shared key. By ensuring that the response is correct, the system verifies the identity of the user or system, thereby enhancing the security of the access process. *For more information, view this lecture on [Type 2 authentication - "Something you have" or "Possession factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178858-type-2-authentication-something-you-have-or-possession-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Challenge%E2%80%93response_authentication).*
48
# Define: Cleartext
Unencrypted data that is easily readable and understandable, posing security risks if intercepted without proper protections. ## Footnote Data that is transmitted or stored unencrypted and thus can be easily read and understood without any need for decryption. While it facilitates ease of use and interoperability, it poses significant security risks as it can be easily intercepted and read by unauthorized individuals, potentially leading to data leakage, privacy violations, or other security incidents. *For more information, view this lecture on [Introduction to Cryptography - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19121869-introduction-to-cryptography-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Plaintext).*
49
# Define: Clipping Level
A threshold in a security system at which certain user activities are logged or noticed, such as multiple failed login attempts. ## Footnote In the context of security, a threshold at which a system begins to take notice of or log certain user activities, typically to detect potential unauthorized actions or policy violations. For example, setting a clipping level for incorrect password attempts might involve the system recording or alerting administrators after a certain number of failed logins to prevent brute-force attacks. *For more information, view this lecture on [Type 1 authentication - "Something you know" or "Knowledge factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178829-type-1-authentication-something-you-know-or-knowledge-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_access_control#Accountability).*
50
# Define: Cognitive Passwords
Security questions that authenticate a user based on personal knowledge, with the potential drawback of being easier to guess or research. ## Footnote These are security questions used to authenticate a user's identity based on personal knowledge. They can be less secure than other forms of authentication due to the possibility of answers being easily guessed or researched. It's important to select questions with answers that are not publicly available to increase security. *For more information, view this lecture on [Type 1 authentication - "Something you know" or "Knowledge factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178829-type-1-authentication-something-you-know-or-knowledge-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Cognitive_password).*
51
# Define: Common Access Card | (CAC)
A US government identification card with an embedded chip, granting access to secure facilities and computer networks. ## Footnote A type of identification card used by the US government and military to grant access to secure facilities and networks. The card contains a microprocessor chip that can store and transmit digital information, such as biometric data and security credentials. For example, military personnel may use their CAC to enter a secure base or to log in to a classified network. *For more information, view this lecture on [Type 2 authentication - "Something you have" or "Possession factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178858-type-2-authentication-something-you-have-or-possession-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Common_Access_Card).*
52
# Define: Completeness Check
A process to ensure all necessary data entries or transaction steps are completed before processing, vital for data integrity and accuracy. ## Footnote A validation process that ensures all necessary data entries or transaction steps are completed before processing. Completeness checks are vital for maintaining data integrity and the accuracy of operations in various systems. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Data_validation).*
53
# Define: Computer Sequence Checking
Methods for verifying the sequence and integrity of transmitted or stored data, employing checksums, sequence numbers, or cyclic redundancy checks. ## Footnote This refers to methods used in computing to verify the sequence and integrity of data transmitted or stored. Techniques such as checksums, sequence numbers, and cyclic redundancy checks (CRC) can detect and correct errors to ensure the data received is in the correct order and unaltered.
54
# Define: Constrained Data Item | (CDI)
Data within a secure environment with restrictions on access or handling according to security policies or regulatory requirements. ## Footnote A Constrained Data Item (CDI) refers to any data within a secure environment that is subject to access or handling restrictions based on security policies or regulatory requirements. Proper control and oversight are necessary to ensure that CDIs are not improperly altered, disclosed, or destroyed, thereby mitigating potential risks associated with sensitive or classified information.
55
# Define: Content-Based Access Control | (CBAC)
An approach that grants or denies data access based on content, managing sensitive information access. ## Footnote A security approach where access to information is granted or denied based on the content within the data objects rather than solely based on user credentials or roles. This method is useful for managing access to classified or sensitive information, ensuring that only content that a user is authorized to view can be accessed. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization).*
56
# Define: Context
An understanding of relevant factors and circumstances that impact a security-related decision, action, or event. ## Footnote In terms of security, context refers to the understanding of the surrounding factors, environment, and circumstances that are relevant to a decision, action, or event. Context can involve various data points such as user behavior, network activity, or system configurations, which, when analyzed collectively, can provide more accurate insights or trigger alerts if anomalies are detected. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Context-based_access_control).*
57
# Define: Context-Aware Access Control
A security approach evaluating a user's access request based on context, such as location or device state, before granting permission. ## Footnote A security approach that evaluates the context of a user's access request — such as location, time, and device security state — before granting or denying permission. This dynamic form of access control can adjust the level of access based on situational factors, enhancing security by adapting to potential risk changes. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Context-based_access_control).*
58
# Define: Context-Based Access Control | (CBAC)
CBAC dynamically grants or restricts resource access by evaluating situational factors such as user role, device context, location, and time of request. ## Footnote Unlike static role-based models, CBAC analyzes real-time context to assess access requests, potentially tightening permissions if risk factors increase (e.g., unfamiliar device). This adaptive approach enforces the principle of least privilege while minimizing friction for legitimate users. By incorporating telemetry like IP reputation and user behavior, CBAC helps detect anomalies early, enhancing security across diverse applications and cloud environments. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Context-based_access_control).*
59
# Define: Controlled Access Protection
A system or policy that restricts resource access, using a combination of controls and permissions to protect against unauthorized use. ## Footnote A policy or a system that provides a method of restricting access to resources based on the identification and authentication of users or systems. It uses a combination of access controls, user rights, and permissions to protect resources against unauthorized use and to prevent users from performing actions outside their permitted scope. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Access_control#Access_control_system_components).*
60
# Define: Credential Management
The process of handling user credentials, from creation to updating, crucial for system access control. ## Footnote The process of creating, storing, managing, and updating user credentials such as usernames, passwords, and personal identification numbers (PINs), as well as digital certificates and keys. Effective credential management is crucial in maintaining security and controlling access to sensitive systems and data. It encompasses practices such as enforcing password complexity requirements, implementing regular password rotations, and using multi-factor authentication to enhance security. Good credential management also involves monitoring for compromised credentials and ensuring that access rights are revoked when no longer required, such as when an employee leaves an organization. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Credential_Management).*
61
# Define: Credential Service Provider | (CSP)
An entity issuing digital credentials to authenticate users and ensure electronic identity verification. ## Footnote An entity that issues digital credentials for the purpose of authenticating users to a network or service. A CSP validates the identity of individuals or entities and then issues credentials such as usernames, passwords, tokens, certificates, or biometric data, enabling them to prove their identity electronically. CSPs play a key role in establishing trust within digital environments by ensuring that the parties in a transaction are who they claim to be. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Credential_service_provider).*
62
# Define: Credential Stuffing
Credential Stuffing is an attack method where attackers test stolen username-password pairs across multiple platforms, exploiting reused or weak credentials to gain unauthorized access. ## Footnote During credential stuffing, cybercriminals often use automated tools to attempt login on numerous websites. This practice targets the fact that individuals frequently reuse passwords, making successful breaches more likely. Organizations defend against it by implementing multi-factor authentication, rate limiting, IP blacklisting, and password hygiene education. By monitoring user login patterns for anomalies, security teams can detect and mitigate these attempts. Effective prevention reduces account takeovers and data leakage incidents. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Credential_stuffing).*
63
# Define: Credentials
Information verifying user identity, crucial for authentication processes to secure systems and networks. ## Footnote Information used to verify the identity of a user or system within a digital environment. Credentials, such as usernames and passwords or digital certificates, are essential for authentication processes to access computer systems or networks. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Credential).*
64
# Define: Cross-Certification
The mutual recognition and exchange of certificates between certification authorities. ## Footnote A process where two or more certification authorities (CAs) mutually exchange and recognize their certificates. This is used to establish trust between different certification authorities and to allow them to exchange encrypted information securely. Examples of this include a CA in the US recognizing a CA in Europe or a government CA recognizing a private CA.
65
# Define: Crossover Error Rate | (CER)
The metric where False Acceptance Rate equals False Rejection Rate, indicating biometric system accuracy. ## Footnote In biometrics, the Crossover Error Rate (CER) is a critical performance metric that represents the point at which the False Acceptance Rate (FAR), the measure of the likelihood that the system incorrectly grants access to an unauthorized user, equals the False Rejection Rate (FRR), the measure of the likelihood of the system incorrectly denying access to an authorized user. The CER is used to compare the accuracy of biometric systems; the lower the CER, the higher the system's accuracy. It provides a balanced benchmark by showing how the tradeoff between security and convenience is managed by the system. A system with a high CER might be more user-friendly but less secure, and vice versa. *For more information, view this lecture on [Type 3 authentication - "Something you are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Biometrics#Performance).*
66
# Define: Data Origin Authentication
Verifying that electronic content is provided by the claimed sender and has not been altered, key for secure communications. ## Footnote A process or protocol ensuring that the content of an electronic message or document is provided by the claimed sender (the origin) and has not been altered in transit. It's crucial for secure communications in networks, verifying that the data received has not been tampered with and actually comes from the purported source. This is typically achieved through cryptographic methods, such as digital signatures or message authentication codes (MACs). *For more information, view this lecture on [Digital signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures).*
67
# Define: Decentralized Identity | (DID)
Decentralized Identity eliminates reliance on centralized authorities by storing identity data in distributed ledgers or using blockchain-based systems, giving users control over their personal information. ## Footnote Typically, identity management resides with a third party, raising concerns about data breaches and surveillance. DID shifts this control to the individual, employing cryptographic proofs and verifiable credentials that users can share selectively. Organizations verify credentials without storing raw personal data, reducing privacy risks and compliance burdens. Although emerging technologies power DID, practical deployments still face challenges like interoperability, governance models, and user adoption. Nevertheless, it promises greater security, autonomy, and privacy for identity management. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Decentralized_identifier).*
68
# Define: Default Password
A pre-set password for devices or applications that should be changed after the initial setup to prevent unauthorized access. ## Footnote A pre-set password provided by the manufacturer of a hardware device or software application that is intended to be used during the initial setup process. Default passwords are often common and well-known, which can pose a significant security risk if not changed after installation or setup. It is considered a critical security practice to change all default passwords to strong, unique passwords to prevent unauthorized access that can result from default password exploitation. Cybersecurity best practices mandate the updating of default passwords as part of the initial configuration of any new system or device. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Default_password).*
69
# Define: Deny List
A list of entities barred from accessing a system, used to enhance security by preventing threats. ## Footnote A security measure that specifies certain entities — such as software applications, email addresses, users, or IP addresses — that are blocked or denied access to a system. It's a form of access control used to improve system security by explicitly refusing entry to potential threats and is the opposite of an allow list, which permits access only to entities that have been deemed safe. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Blacklist_(computing)).*
70
# Define: Digital Signature
A cryptographic tool confirming message authenticity and data integrity, akin to an electronic signature. ## Footnote A cryptographic tool used to confirm the authenticity and integrity of a message, software, or digital document. It works by associating a signature with a document using a unique private key, and anyone can verify the signature with the corresponding public key. Digital signatures are commonly used to implement electronic signatures, which can have legal significance. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Digital_signature).*
71
# Define: Directory
A structure in computing organizing files into a hierarchical system, facilitating access and management. ## Footnote In the context of computing, a directory is a file system cataloging structure that contains references to other computer files and possibly other directories. On many computers, directories are known as folders. In operating systems, directories are used to organize files in a hierarchical structure, providing a convenient means to access data stored within the system. Additionally, in networking, a directory refers to a service that stores, organizes, and provides access to information about network resources and users, such as a Lightweight Directory Access Protocol (LDAP) directory. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Directory_(computing)).*
72
# Define: Directory Service
A system managing directory information, like user accounts or network resources, and providing centralized access to it. ## Footnote A system or software that stores and manages directories of information, such as user accounts or network resources. It is often used in the context of computer networks to provide centralized access and management of directory information. For example, a directory service may be used to manage user accounts in an Active Directory environment or to provide access to shared resources in a network. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Directory_service).*
73
# Define: Discretionary Access Control | (DAC)
An access control model where the owner or administrator sets policies for who can access a resource, known for its flexibility. ## Footnote A type of access control where the owner or administrator of the protected system, data, or resource sets the policies defining who or what is authorized to access the resource. In DAC models, access is based on the discretion of the owner. Users can be granted permission by an owner to read, write, or execute a file or program. This model is contrasted with mandatory access control (MAC), where access rights are regulated by a central authority based on multiple levels of security. DAC is known for its flexibility but can be less secure than MAC, as it allows users to control access to their own data, which they may not always do securely. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Discretionary_access_control).*
74
# Define: Domain
A sphere of knowledge identified by a name, often in networking, defining control over internet addresses under the DNS system. ## Footnote In the context of networking and the Internet, a domain refers to a sphere of knowledge identified by a name. Specifically, in terms of domain names, it's part of a network address that identifies it as belonging to a particular domain. This is used to control internet addresses under the DNS (Domain Name System), which translates domain names to IP addresses. Domains also refer to specific areas of control or influence, such as a security domain in information security or a collision domain in networking. *For more information, view this lecture on [Authentication Protocols - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33652414-authentication-protocols-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Domain).*
75
# Define: Domain Controllers
Servers that manage authentication, security, and resource access in a network domain. ## Footnote Domain Controllers are central servers responsible for authenticating users, managing security policies, and controlling access to resources within a network domain. They maintain directory services, enforce group policies, and ensure that proper credentials are in place for network operations. Effective domain controller management is critical for maintaining an organized, secure, and efficient IT infrastructure. *For more information, view this lecture on [Authentication Protocols - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33652414-authentication-protocols-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Domain_controller).*
76
# Define: Dual Control
A principle requiring two or more authorized personnel to complete a task, reducing the risk of fraud and unauthorized activities. ## Footnote A security principle that requires two or more authorized individuals to perform a specific task. It reduces the risk of fraudulent or unauthorized activity as it necessitates the collaboration of two separate entities to execute the action. It is commonly used in high-risk operations or when handling sensitive information. *For more information, view this lecture on [Physical Security- Part 3](https://courses.thorteaches.com/courses/take/cissp/lessons/19632079-physical-security-part-3).*
77
# Define: Dual Custody
A security measure that needs multiple individuals to access sensitive resources, enhancing protection against unauthorized actions. ## Footnote Dual custody requires two or more individuals to access sensitive resources. This practice enhances security by ensuring that no single individual can access, manipulate, or transport sensitive data or assets. It's often applied to financial transactions, system administrative tasks, or secure facilities access. *For more information, view this lecture on [Physical Security- Part 3](https://courses.thorteaches.com/courses/take/cissp/lessons/19632079-physical-security-part-3).*
78
# Define: Elevation of Privilege
A condition in which a user or process gains higher access than intended, leading to control over system resources and potential misuse. ## Footnote A scenario where a user or process gains higher access rights or permissions than they're intended to have, typically resulting in unauthorized control over system resources. It often constitutes a serious security flaw, as it allows the individual or process to bypass restrictions, potentially leading to information theft, data corruption, or additional harmful activities. *For more information, view this lecture on [Secure Design Principles](https://courses.thorteaches.com/courses/take/cissp/lessons/25340659-secure-design-principles). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privilege_escalation).*
79
# Define: End User
A person who uses a product or system as intended, often protected by security protocols to minimize risks. ## Footnote The individual who directly interacts with a product, application, or system. This person does not participate in the development of the system but uses it for its intended purpose. In the data protection context, the end user is often the target of security protocols and training to minimize risks, such as phishing attacks or malware intrusion, which arise from human error or negligence. *For more information, view this lecture on [Identity and Access Provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/End_user).*
80
# Define: Ephemeral Credentials
Temporary authentication tokens with short validity periods. ## Footnote Ephemeral credentials refer to transient access tokens or passwords generated for limited durations. They enhance security by minimizing the exposure window, so even if compromised, the credentials quickly become invalid. Often used in dynamic environments and one-time access scenarios, ephemeral credentials balance convenience and security by reducing persistent risk and supporting automated credential management in modern applications.
81
# Define: eXtensible Access Control Markup Language | (XACML)
A policy language and model for fine-grained access control decisions in XML format. ## Footnote A declarative access control policy language implemented in XML and a processing model that defines how access control decisions are evaluated from the policy. It enables fine-grained control of authorized activities, providing the ability to manage more detailed restrictions than traditional access control lists (ACLs). *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/XACML).*
82
# Define: Extensible Authentication Protocol | (EAP)
A framework supporting multiple authentication methods, used in wireless networks and PPP connections. ## Footnote A framework widely used in wireless networks and point-to-point connections that provides multiple authentication methods, such as smart cards, token cards, certificates, public key encryption, and one-time passwords (OTP). EAP is designed to support various authentication mechanisms without requiring the use of a specific one, allowing both the client and server to negotiate the desired method of authentication. It is often used in conjunction with other protocols, such as RADIUS and Diameter, and is an essential component of network access control in both wired and wireless networks. *For more information, view this lecture on [Network Authentication Protocols](https://courses.thorteaches.com/courses/take/cissp/lessons/19178311-network-authentication-protocols). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Extensible_Authentication_Protocol).*
83
# Define: False Acceptance Rate | (FAR)
A biometric system metric for the likelihood of falsely accepting unauthorized users, indicating security level. ## Footnote A measure used in biometric security systems to indicate the probability that the system will incorrectly accept an unauthorized user; it is also called the Type II error rate. It is one of the key metrics, along with the False Rejection Rate (FRR), used to assess the performance of a biometric system. A low FAR is desired as it reflects a higher level of security, indicating that the system is less likely to permit access to an unauthorized individual. However, FAR and FRR move in opposite directions as the match threshold changes, so system designers must balance the two to ensure the system is both secure and user-friendly; the threshold at which they are equal, the crossover error rate (CER), is the usual single figure for comparing systems. *For more information, view this lecture on [Type 3 Authentication - "Something You Are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Biometrics#Performance).*
84
# Define: False Negative
A system monitoring failure to detect a real problem, leading to potential unnoticed issues or breaches. ## Footnote An instance in system monitoring or threat detection where a genuine problem, such as a security breach, system failure, or malicious activity, goes unnoticed. A false negative essentially means the system failed to recognize and alert a real issue, which is highly concerning as it can lead to significant damage or security compromises without immediate detection or resolution. *For more information, view this lecture on [Type 3 Authentication - "Something You Are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Type_I_and_type_II_errors).*
85
# Define: False Positive
An error where benign activity is incorrectly flagged as malicious, which can lead to alert fatigue and missed real threats. ## Footnote A system mistakenly flags benign or normal activity as suspicious or malicious. While this doesn't pose a direct threat, a high number of false positives can lead to alert fatigue, which is when genuine alerts are ignored due to a large number of false alarms, potentially leading to overlooked real threats. *For more information, view this lecture on [Type 3 Authentication - "Something You Are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Type_I_and_type_II_errors).*
86
# Define: False Rejection Rate | (FRR)
A metric indicating the likelihood that a biometric system will wrongly deny access to an authorized user, impacting system usability. ## Footnote Also known as Type I error rate, FRR measures the likelihood that a biometric security system will incorrectly reject an access attempt by an authorized user. It's one of the two primary metrics used to evaluate the accuracy of biometric systems, the other being the False Acceptance Rate (FAR). A lower FRR means that legitimate users are less likely to be inconvenienced by being denied access. However, reducing FRR typically increases FAR, so system designers must balance security with usability. *For more information, view this lecture on [Type 3 Authentication - "Something You Are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Biometrics#Performance).*
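Added example for the FAR and FRR cards (not from the flashcard deck or the linked course): both rates computed from a set of match scores and swept across the decision threshold, so the trade-off and the crossover point can be seen in numbers. The genuine and impostor scores are constructed sample data, not output of a real sensor.

```python
"""FAR and FRR for a threshold-based biometric matcher (added example).

All scores are constructed sample data on a 0..100 similarity scale.
"""

# Genuine attempts: an enrolled user matched against their own template.
GENUINE_SCORES = [92, 88, 95, 79, 84, 90, 68, 86, 97, 81]
# Impostor attempts: other people matched against that same template.
IMPOSTOR_SCORES = [41, 55, 62, 38, 70, 49, 58, 33, 66, 74]


def far(impostor_scores, threshold):
    """False Acceptance Rate: share of impostor attempts scoring at or above
    the threshold (a Type II error: the system accepts someone it should reject)."""
    accepted = sum(1 for s in impostor_scores if s >= threshold)
    return accepted / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False Rejection Rate: share of genuine attempts scoring below the
    threshold (a Type I error: the system rejects someone it should accept)."""
    rejected = sum(1 for s in genuine_scores if s < threshold)
    return rejected / len(genuine_scores)


def sweep(genuine_scores, impostor_scores, thresholds):
    """Return (threshold, FAR, FRR) for each candidate threshold."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def crossover(genuine_scores, impostor_scores, thresholds):
    """The threshold where FAR and FRR are closest: the crossover / equal
    error rate (CER, EER) quoted as a single accuracy figure. Ties resolve
    to the lowest threshold."""
    return min(sweep(genuine_scores, impostor_scores, thresholds),
               key=lambda row: abs(row[1] - row[2]))


if __name__ == "__main__":
    for t, a, r in sweep(GENUINE_SCORES, IMPOSTOR_SCORES, range(60, 96, 5)):
        print(f"threshold={t:2d}  FAR={a:.2f}  FRR={r:.2f}")
    print("crossover:", crossover(GENUINE_SCORES, IMPOSTOR_SCORES, range(0, 101)))
```

Raising the threshold from 70 to 75 drives FAR to zero in this sample but starts rejecting a legitimate user; a deployment picks the threshold from its own FAR/FRR curves according to which error is more costly.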
87
# Define: Federated Identity
The linking of a user's identity across multiple separate identity management systems, simplifying access across systems and organizations. ## Footnote The means of linking a person's electronic identity and attributes stored across multiple distinct identity management systems. This method allows for users to use the same credentials across various systems and enterprises, improving the user experience, reducing administrative costs, and maintaining a high level of security for confidential information. *For more information, view this lecture on [Identity and Access Provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Federated_identity).*
88
# Define: FICAM | (Federal Identity, Credential, and Access Management)
A U.S. initiative for secure digital interactions and identity management in government services. ## Footnote A US federal government initiative aimed at reducing cybersecurity risks and improving identity management. FICAM provides a comprehensive identity management framework to enable trusted digital interactions between individuals, devices, and government entities. It outlines best practices for issuing secure credentials and managing access to federal IT systems and resources aligned with federal regulations and standards. FICAM's goal is to enhance security, increase efficiency, and promote better privacy protections in the digital government landscape. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/National_Strategy_for_Trusted_Identities_in_Cyberspace#Federal_Cloud_Credential_Exchange).*
89
# Define: FIDM | (Federated Identity Management)
A system that allows multiple organizations to share identity and authentication processes. ## Footnote FIDM enables different organizations or systems to collaborate by sharing a centralized authentication process. Users can access multiple services or systems with a single set of credentials, reducing administrative overhead and improving user convenience. This approach enhances security through standardized identity management, streamlines access control across disparate environments, and supports cross-domain trust relationships. *For more information, view this lecture on [Identity and Access Provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Federated_identity).*
90
# Define: FIDO | (Fast Identity Online)
FIDO (Fast Identity Online) is a set of open standards for passwordless, phishing-resistant authentication, published by the FIDO Alliance, that replaces shared secrets with per-site cryptographic key pairs and optional biometric or PIN user verification. ## Footnote FIDO protocols (U2F, and FIDO2 with WebAuthn and CTAP) rely on public-key cryptography: a distinct private key is generated for each relying party and never leaves the authenticator, and authentication is a signature over a server-supplied challenge that includes the origin. Because the key is bound to the origin registered with it, a look-alike phishing site receives a signature it cannot reuse, and because the server holds only public keys, a server database breach exposes nothing an attacker can log in with. Major browser and platform vendors support FIDO, unifying strong authentication across websites, services, and platforms and reducing credential theft industry-wide. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/FIDO_Alliance).*
91
# Define: Formal Access Approval
The official permission granting process for individuals to access organizational data, part of access control. ## Footnote The process by which an individual is granted official permission to access specific data or areas within an organization, typically after meeting predetermined security requirements. This formal approval is often documented and is necessary for maintaining security protocols and ensuring that sensitive information is only accessible to authorized personnel. This process is part of access control and is crucial for compliance, privacy, and data protection. *For more information, view this lecture on [Data Classification and Clearance](https://courses.thorteaches.com/courses/take/cissp/lessons/18588247-data-classification-and-clearance). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_modes).*
92
# Define: Group-Based Privileges
Permissions and access rights based on group memberships, controlling resource access in network security. ## Footnote A system of assigning permissions and access rights to users based on their membership in specific groups. This is commonly used in network security to control access to resources and ensure that only authorized users can access certain systems or data. Examples include assigning different levels of access to different departments within a company or allowing members of a specific group to access certain files or applications.
93
# Define: Guest Accounts
Guest accounts are temporary or limited-access user profiles, allowing visitors to use a system without full administrative privileges or permanent data storage. ## Footnote Often found on shared computers or Wi-Fi networks, these accounts isolate guest actions, preventing them from installing software or accessing sensitive information. While convenient for short-term use, poorly configured guest accounts can pose security risks, opening avenues for malicious activities. Properly restricting permissions and monitoring usage ensures that these accounts remain a safe method for offering basic services to external users. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/User_profile#Guest).*
94
# Define: Handprint Scanner
A biometric device capturing unique hand characteristics for authentication, distinct from fingerprint or palm scanners. ## Footnote A handprint scanner is a type of biometric device that captures the unique patterns and characteristics of an individual's hand, such as the shape, size, and vein patterns, to authenticate identity. Handprint scanners are distinct from fingerprint or palm scanners, as they typically scan the entire hand and not just individual features. *For more information, view this lecture on [Type 3 authentication - "Something you are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Hand_geometry).*
95
# Define: Help Desk
A service assisting users with technical problems, essential for maintaining system usability and security. ## Footnote A service provided by an organization to assist users with technical or other issues. It is used to provide support to users who are experiencing problems with their computer systems or software. Examples include providing assistance with password resets, troubleshooting network connectivity issues, and providing guidance on how to use specific software applications. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Help_desk).*
96
# Define: HOTP | (HMAC-Based One-Time Password)
An algorithm for one-time passwords based on a counter and a shared secret key. ## Footnote An algorithm (RFC 4226) that computes a one-time password by taking an HMAC-SHA-1 of an incrementing 8-byte counter under a shared secret key, truncating the result, and reducing it to a short decimal code, typically six digits. Its moving factor is an event counter, not the clock: HOTP is the basis of the time-based TOTP variant but is not itself time-based. Client and server each keep a counter, and the server usually accepts a small look-ahead window so a token that was triggered without a login can resynchronize. Used as a possession factor in multi-factor authentication, it yields codes that are valid once and cannot be predicted without the secret. *For more information, view this lecture on [Type 2 authentication - "Something you have" or "Possession factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178858-type-2-authentication-something-you-have-or-possession-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/HOTP).*
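Added example for the HOTP card (not from the flashcard deck or the linked course): RFC 4226 HOTP computed from a shared secret and a counter, plus the server-side look-ahead check that handles a token whose counter has drifted ahead and refuses replay of an already-consumed code. The secret is the RFC 4226 Appendix D test key, not a production secret.

```python
"""RFC 4226 HOTP generation and server-side verification (added example)."""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test secret


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, candidate: str, server_counter: int, window: int = 5):
    """Accept a code only if it matches one of the next `window` counters.

    Returns the new server counter (one past the matched value) on success,
    or None on failure. The caller must persist the returned counter: a code
    at or below the stored counter is never accepted again, which is what
    stops replay of a captured code.
    """
    for c in range(server_counter, server_counter + window):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(SECRET, c))      # 755224, 287082, 359152 per RFC 4226
    print("resync:", verify(SECRET, hotp(SECRET, 2), 0))   # token two presses ahead
    print("replay:", verify(SECRET, hotp(SECRET, 0), 1))   # already consumed
```

The look-ahead window is the resynchronization parameter the card alludes to: too small and users get locked out after a few stray button presses, too large and an attacker gets more guesses per attempt, so it is normally paired with a failed-attempt throttle.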
97
# Define: Hybrid Identity as a Service
Combines on-premises and cloud identity solutions, providing users with a single set of credentials for secure access to resources anywhere. ## Footnote Hybrid Identity as a Service (IDaaS) refers to cloud-based solutions that manage user identities and access across both on-premises and cloud applications. It combines the advantages of on-premises identity solutions with the flexibility of the cloud, allowing users to employ a single identity or set of credentials to securely access resources regardless of location.
98
# Define: Identification
The process of asserting a unique identifier, the first step in access control that precedes authentication and authorization. ## Footnote The process of claiming or asserting a unique identifier, such as a username, to represent an individual, system, or process within a system. It is the first step in the access control process, leading to authentication, which confirms that the claimed identity is valid. Ensuring accurate identification is key in protecting resources from unauthorized access. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Identification).*
99
# Define: Identity Access Management | (IAM)
Policies and technologies ensuring that individuals access organizational resources appropriately and securely. ## Footnote A framework of policies and technologies that ensure the right individuals access the right resources at the right times for the right reasons. It involves tools for controlling user access to critical information within an organization, including systems for user identity verification, access rights and levels, and tracking and reporting on user activities. This aids in minimizing risk and helping organizations meet compliance regulations. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Identity_and_access_management).*
100
# Define: Identity as a Service | (IDaaS)
Cloud-based services managing identity and access, streamlining authentication and authorization. ## Footnote A cloud-based service that provides identity and access management capabilities, such as authentication and authorization, to organizations. This concept is used by organizations to outsource their identity and access management needs and to benefit from the scalability and flexibility of the cloud. Examples of IDaaS providers include Microsoft Entra ID (formerly Azure Active Directory) and Okta. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning).*
101
# Define: Identity Assertion
A signed statement from an identity provider that a user has been authenticated, with attributes about that user, which a relying application accepts instead of checking credentials itself. ## Footnote An identity assertion is the artifact an identity provider (IdP) issues after it authenticates a user, for example a SAML assertion or an OpenID Connect ID token. It carries claims such as the subject identifier, the authentication time and method, and group or role attributes, and it is digitally signed so the relying party can verify its origin and integrity. The relying party must also check the assertion's validity period and intended audience, since an assertion issued for one application must not be accepted by another. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning).*
102
# Define: Identity Assurance Levels | (IALs)
Levels, defined in NIST SP 800-63, that express how rigorously an individual's claimed identity was proofed before a digital identity was issued. ## Footnote Levels of assurance used to evaluate the strength of identity proofing, that is, how confident a system can be that a digital identity belongs to the real person who claims it. NIST SP 800-63-3 defines three: IAL1 requires no proofing and accepts self-asserted attributes, IAL2 requires evidence-based proofing that can be done remotely or in person, and IAL3 requires in-person (or supervised remote) proofing with physical evidence. IALs describe identity verification only; authentication strength is measured separately by Authenticator Assurance Levels (AALs), and what an identity may access is still decided by authorization policy.
103
# Define: Identity Deprovisioning
Revoking a former user's access rights and permissions from organizational systems, a part of identity and access management. ## Footnote The process of revoking access to an individual's identity and associated resources. It is commonly used in IAM systems to ensure that individuals who are no longer authorized to access certain resources are unable to do so. Examples of identity deprovisioning include disabling a user's account or deleting a user's access permissions. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Identity_management).*
104
# Define: Identity Lifecycle - Job or Duties Review
Regularly reviewing and updating user roles and responsibilities to ensure appropriate access in an organization. ## Footnote As part of the identity lifecycle, job or duties review involves regularly reviewing and updating the roles and responsibilities of users within an organization. This is typically done to ensure that users have the appropriate access and permissions for their job duties and to reduce the risk of unauthorized access to sensitive information. An example of a job or duties review as part of the identity lifecycle is conducting an annual review of user roles and permissions to ensure that they are in line with current job responsibilities. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning).*
105
# Define: Identity Lifecycle - User Behavior Review
Monitoring user actions to identify suspicious or unusual behavior, part of identity lifecycle management. ## Footnote As part of the identity lifecycle, user behavior review involves regularly reviewing and monitoring the actions and activities of users to identify any suspicious or unusual behavior. This is typically done to identify potential security threats or breaches within an organization. An example of user behavior review as part of the identity lifecycle is using security analytics software to monitor user activity on a network and alert security personnel of any suspicious activity. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning).*
106
# Define: Identity Proofing
Verifying an individual's identity using multiple pieces of evidence, often in identity and access management systems. ## Footnote The process of verifying the identity of an individual through the use of multiple pieces of evidence before an account or credential is issued. It is commonly used in IAM systems to ensure that credentials are enrolled only to the real people they claim to represent. Examples of identity proofing include checking a government-issued photo ID against the applicant, confirming a document with its issuing authority, and sending a confirmation code to an address already on record. Presenting a password or security token is not proofing but authentication, which happens after the proofed identity has been enrolled. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Identity_verification_service).*
107
# Define: Identity Provider | (IdP)
An entity that offers authentication services, verifying user identities for secure access to multiple applications. ## Footnote An entity that provides authentication services to verify the identity of an individual or system. IdPs are commonly used in single sign-on systems to securely verify the identity of users accessing multiple applications, issuing signed assertions or tokens that the relying applications trust. Examples include Google and Microsoft as IdPs for their respective services. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Identity_provider).*
108
# Define: Identity Provisioning
Setting up and managing user accounts and access rights across IT systems and services as part of identity lifecycle management. ## Footnote Identity provisioning involves setting up and managing individual user accounts and access permissions across various IT systems and services. This process incorporates establishing roles, granting appropriate access based on those roles, and regularly updating or revoking access as needed, especially as users join, move within, or leave the organization. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/User_provisioning).*
109
# Define: Identity Store
A repository for user profile data that supports authentication and authorization processes, essential for managing and validating user identities. ## Footnote A database or directory, such as an LDAP directory or Active Directory, where user profile data is securely stored. An identity store might contain information such as usernames, password hashes, roles, group memberships, and other user attributes necessary for authentication and authorization processes. By keeping these data in one place, an identity store aids in managing and validating user identities efficiently; it is also a high-value target, so passwords should be held only as salted hashes and access to the store itself tightly controlled and audited.
110
# Define: Identity Token
A digital token containing verified user identity claims, used in authentication and access management systems. ## Footnote An identity token is a security token that is digitally signed and contains claims about the identity of a user, which can be verified by a system or application. Identity tokens simplify access management by substituting for traditional credentials and are often used in federated identity and single sign-on (SSO) systems. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_token).*
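Added example for the Identity Token card (not from the flashcard deck or the linked course): an HMAC-signed identity token in the compact JWT shape (base64url header, payload and signature) together with the checks a relying party must run before trusting its claims: algorithm, signature, audience and expiry. The signing key, issuer and audience values are placeholders chosen for the example.

```python
"""Issue and verify an HS256 identity token (added example)."""
import base64
import hashlib
import hmac
import json
import time

KEY = b"example-signing-key-do-not-use"   # assumed shared secret between IdP and app


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue(subject, audience, issuer="https://idp.example", ttl=300, now=None, key=KEY):
    """Mint a signed token whose claims name the subject, the audience it is
    for, and a short validity window."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": issuer, "sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token, expected_aud, now=None, key=KEY):
    """Return the claims if the token is authentic and valid for this
    audience at `now`; otherwise None. Every check is mandatory."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h))
    # Pin the algorithm: never let the token choose it ("alg": "none" attacks).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None                       # tampered payload or wrong key
    claims = json.loads(b64url_decode(p))
    if claims.get("aud") != expected_aud:
        return None                       # token meant for another application
    if now >= claims.get("exp", 0):
        return None                       # expired
    return claims


if __name__ == "__main__":
    tok = issue("alice", "app1", now=1000)
    print(tok)
    print(verify(tok, "app1", now=1100))  # claims
    print(verify(tok, "app2", now=1100))  # None: wrong audience
    print(verify(tok, "app1", now=1300))  # None: expired
```

The audience check is the one most often skipped in practice: a token that is valid for one application is not evidence of anything to another, which is the same point the Identity Assertion card makes about SAML assertions.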
111
# Define: Identity Validation
The process of ensuring that a claimed identity is legitimate and accurate, typically in identity and access management systems. ## Footnote The process of verifying that an individual's identity is valid and accurate. It is commonly used in IAM systems to ensure that only authorized individuals are able to access certain resources. Examples of identity validation include checking a user's credentials against a database of authorized users. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Identity_verification_service).*
112
# Define: Implicit Deny
A security policy that denies access unless explicitly granted, minimizing potential exposure to sensitive data and resources. ## Footnote The default security policy that denies all access attempts not explicitly granted. It's a preventative measure to ensure that unless specific permissions are given, access is restricted. This principle minimizes potential exposure of sensitive data and resources by default and is a fundamental part of many access control models. *For more information, view this lecture on [Firewalls Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19178275-firewalls-part-1).*
113
# Define: Just-In-Time (JIT) Access
Granting permissions temporarily when needed to complete tasks, reducing unauthorized access risk. ## Footnote Just-in-time (JIT) access is a privilege management approach where users are granted necessary permissions only when required and for the shortest duration necessary to complete tasks. This minimizes the risk of unauthorized access or security breaches by limiting the window of opportunity for attackers, and it removes standing privileges that would otherwise be available to anyone who compromises the account. JIT access is often implemented in privileged access management solutions, where each grant is requested with a justification, approved, time-bounded with automatic revocation, and logged. *For more information, view this lecture on [Access control systems](https://courses.thorteaches.com/courses/take/cissp/lessons/19179400-access-control-systems).*
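Added example for the Group-Based Privileges, Implicit Deny and Just-In-Time Access cards (not from the flashcard deck or the linked course): a small authorization evaluator in which grants attach to groups, an explicit deny overrides any allow, a JIT grant carries an expiry after which it is ignored, and any request no rule matches falls through to deny. The users, groups, resources and policy below are constructed sample data.

```python
"""Group grants, explicit deny, JIT expiry and implicit deny (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Grant:
    group: str
    resource: str
    action: str
    effect: str                        # "allow" or "deny"
    expires_at: Optional[int] = None   # epoch seconds; None = standing grant


# Constructed directory: user -> group memberships.
GROUPS = {
    "alice": {"engineering"},
    "bob": {"engineering", "oncall"},
    "mallory": {"contractors"},
}

JIT_GRANT_EXPIRES = 1_700_003_600      # one hour after the request, for the example

# Constructed policy. Order does not matter: deny always wins.
POLICY = [
    Grant("engineering", "repo:billing", "read", "allow"),
    Grant("contractors", "repo:billing", "read", "allow"),
    Grant("contractors", "repo:billing", "read", "deny"),   # overrides the allow above
    # JIT: on-call engineers may write to prod until the grant expires.
    Grant("oncall", "db:prod", "write", "allow", expires_at=JIT_GRANT_EXPIRES),
]


def is_allowed(user, resource, action, now, groups=GROUPS, policy=POLICY) -> bool:
    """Evaluate a request. Unknown users, unknown resources and unmatched
    actions all return False: the implicit deny."""
    user_groups = groups.get(user, set())
    decision = False                                  # implicit deny
    for g in policy:
        if g.group not in user_groups or g.resource != resource or g.action != action:
            continue
        if g.expires_at is not None and now >= g.expires_at:
            continue                                  # expired JIT grant: as if absent
        if g.effect == "deny":
            return False                              # explicit deny overrides everything
        decision = True                               # keep scanning for a later deny
    return decision


if __name__ == "__main__":
    t0 = 1_700_000_000
    print(is_allowed("alice", "repo:billing", "read", t0))        # True
    print(is_allowed("mallory", "repo:billing", "read", t0))      # False: explicit deny
    print(is_allowed("bob", "db:prod", "write", t0))              # True: JIT grant live
    print(is_allowed("bob", "db:prod", "write", JIT_GRANT_EXPIRES))  # False: expired
    print(is_allowed("carol", "repo:billing", "read", t0))        # False: implicit deny
```

The order of checks is the point: the loop never returns True early, because a deny later in the policy must still be found, and an expired JIT grant is treated as missing rather than as a denial, so it cannot accidentally override a standing allow from another group.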
114
# Define: Kerberos
A network authentication protocol using tickets and encryption to securely identify users and grant network access. ## Footnote A network authentication protocol that uses tickets and symmetric encryption to securely identify users and grant them access to network resources. The client authenticates once to a trusted third party, the Key Distribution Center (KDC), receives a ticket-granting ticket, and then obtains a service ticket for each resource it accesses, so the user's password never travels to the servers it uses. Tickets carry timestamps and lifetimes to protect against replay attacks, which means clients and the KDC need synchronized clocks (Active Directory tolerates five minutes of skew by default). It is used in network security and authentication; examples include logging into a domain-joined computer or accessing a database with integrated authentication. *For more information, view this lecture on [Authentication protocols - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19179828-authentication-protocols-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Kerberos_(protocol)).*
115
# Define: Kerberos Exploitations
Techniques that exploit weaknesses in the Kerberos authentication protocol or in how it is deployed. ## Footnote Kerberos exploitations refer to methods by which attackers target vulnerabilities in the Kerberos authentication system. Exploits can involve manipulating ticket-granting processes or exploiting misconfigurations to impersonate users and access protected resources. Well-documented examples include Kerberoasting, where any domain user requests service tickets for accounts that have a service principal name and cracks the service account's password offline; pass-the-ticket, where a ticket stolen from one host's memory is reused from another; and Golden and Silver Ticket attacks, where an attacker who has obtained the KDC's or a service's long-term key forges tickets outright. Such attacks compromise the integrity of the authentication mechanism, underscoring the importance of long random or managed service-account passwords, AES-only encryption types, short ticket lifetimes, regular patching, and monitoring of ticket requests in Kerberos implementations. *For more information, view this lecture on [Attacks on our cryptography- Part 3.](https://courses.thorteaches.com/courses/take/cissp/lessons/19423096-attacks-on-our-cryptography-part-3). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Kerberos_(protocol)#Drawbacks_and_limitations).*
116
# Define: Key Distribution Center | (KDC)
A network service managing cryptographic key distribution and user authentication. ## Footnote A Key Distribution Center (KDC) is a network service that facilitates secure communication by issuing and managing cryptographic keys. It authenticates users and distributes session keys that enable users to encrypt and decrypt messages, ensuring secure communication across the network. It plays a critical role in protocols like Kerberos. *For more information, view this lecture on [Authentication protocols - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19179828-authentication-protocols-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Key_distribution_center).*
117
# Define: Key Escrow
A secure key storage method allowing key retrieval under specific conditions while maintaining high security. ## Footnote A secure storage procedure where cryptographic keys are held in trust, meaning that they're kept by a third party. This arrangement allows for the recovery of encrypted data in cases where individuals lose their keys or in legally mandated situations. Though it provides a solution for lost keys and legal obligations, key escrow is often a contentious topic due to potential misuse or unauthorized access to these keys, which can compromise data security. *For more information, view this lecture on [Digital signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures).*
118
# Define: Key Escrow Agency
A trusted entity securely managing cryptographic key storage and retrieval under predefined conditions. ## Footnote A Key Escrow Agency is a trusted entity responsible for safely storing and managing cryptographic keys on behalf of other parties. The agency ensures that stored keys can be retrieved under predefined conditions, such as legal requirements or key recovery scenarios while maintaining high-security standards to prevent unauthorized access. *For more information, view this lecture on [Digital signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures).*
119
# Define: Key Exchange
The secure establishment of cryptographic keys between parties over a network, vital for encrypted communications. ## Footnote The process by which two parties agree on or transfer a cryptographic key over an untrusted network, enabling secure communication. Mechanisms such as Diffie-Hellman key agreement and RSA key transport are used to establish keys that will later encrypt and authenticate messages, and they are designed so that an eavesdropper who sees every message still cannot derive the key. Key exchange on its own does not prove who is at the other end: an active attacker can substitute their own public values, so protocols such as TLS bind the exchange to certificates or signatures. This process is a fundamental part of many secure network protocols, including SSL/TLS, which provides secure web browsing. *For more information, view this lecture on [Asymmetric encryption- Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19149672-asymmetric-encryption-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Key_exchange).*
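Added example for the Key Exchange card (not from the flashcard deck or the linked course): a Diffie-Hellman exchange done with Python's built-in modular exponentiation, the public-value check each side should perform, and a second run in which an attacker substitutes their own values to show why an unauthenticated exchange is not enough. The group is the 1024-bit MODP prime from RFC 2409 (group 2), chosen only so the block stays short; it is too small for current deployments, which use 2048-bit or larger groups or elliptic-curve variants.

```python
"""Diffie-Hellman key agreement and the man-in-the-middle it does not stop (added example)."""
import hashlib
import secrets

# RFC 2409 group 2 (1024-bit MODP). Illustration only: too small for real use.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2


def is_valid_public(value, p=P):
    """Reject 0, 1 and p-1: these force the shared secret into a tiny set."""
    return 1 < value < p - 1


def keypair(p=P, g=G):
    priv = secrets.randbelow(p - 2) + 1          # private exponent in [1, p-2]
    return priv, pow(g, priv, p)                 # (private, public = g^priv mod p)


def shared_secret(my_priv, their_pub, p=P):
    if not is_valid_public(their_pub, p):
        raise ValueError("invalid peer public value")
    return pow(their_pub, my_priv, p)            # (g^b)^a == (g^a)^b mod p


def session_key(secret_int):
    """Derive a fixed-size key from the agreed integer."""
    raw = secret_int.to_bytes((secret_int.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()


def honest_exchange():
    """Alice and Bob exchange public values directly and derive the same key."""
    a, A = keypair()
    b, B = keypair()
    return session_key(shared_secret(a, B)) == session_key(shared_secret(b, A))


def mitm_exchange():
    """Mallory intercepts and replaces both public values with her own.
    Each honest party derives a key it shares with Mallory, not with the
    other party, and nothing in the exchange reveals the substitution."""
    a, A = keypair()
    b, B = keypair()
    m, M = keypair()
    k_alice = session_key(shared_secret(a, M))          # Alice believes M is Bob's
    k_bob = session_key(shared_secret(b, M))            # Bob believes M is Alice's
    k_mallory_with_alice = session_key(shared_secret(m, A))
    k_mallory_with_bob = session_key(shared_secret(m, B))
    return (k_alice == k_mallory_with_alice
            and k_bob == k_mallory_with_bob
            and k_alice != k_bob)


if __name__ == "__main__":
    print("honest parties agree:", honest_exchange())
    print("attacker holds both keys:", mitm_exchange())
```

What closes the gap in `mitm_exchange` is authentication of the public values, for example a signature over them with a key the peer can check against a certificate, which is exactly what TLS adds on top of the raw exchange.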
120
# Define: Key-Based Authentication
Verifying a user's identity using cryptographic keys, often with a pair of related keys for security. ## Footnote A method of verifying a user's identity using cryptographic keys, typically involving a pair of public and private keys. It is used in various security protocols to ensure that access to resources is granted only to authenticated users. *For more information, view this lecture on [Authentication protocols - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19179828-authentication-protocols-part-1).*
121
# Define: Kiosk Service Point
A physical station for customer self-service, often featuring an interactive terminal for transactions or information access. ## Footnote A physical location where customers can access a company's services or products, often through the use of a self-service terminal. It is commonly found in airports, shopping malls, and other public areas. Examples include a ticket kiosk at an amusement park or a rental car kiosk at an airport.
122
# Define: Lightweight Extensible Authentication Protocol | (LEAP)
A Cisco-proprietary wireless authentication protocol, now considered insecure and superseded by stronger EAP methods. ## Footnote A protocol used in wireless networking to provide authentication between a client and an access point, once common in Cisco-based office and campus Wi-Fi networks. LEAP exchanges an MS-CHAP-style challenge and response over the air without a protective TLS tunnel, so an attacker who captures the exchange can run an offline dictionary attack against the user's password; this weakness is well known and tooling for it is publicly available. It has been superseded by EAP-FAST, PEAP, and EAP-TLS, which protect the credential exchange inside an encrypted tunnel or replace passwords with certificates. *For more information, view this lecture on [Network authentication protocols](https://courses.thorteaches.com/courses/take/cissp/lessons/19178311-network-authentication-protocols). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Lightweight_Extensible_Authentication_Protocol).*
123
# Define: Lockout
A security control that blocks account access after multiple failed login attempts, protecting against brute-force attacks. ## Footnote A security measure that prevents a user from accessing a system or network after a certain number of failed login attempts within a given period, either for a fixed duration or until an administrator unlocks the account. It is used to prevent unauthorized access and to protect against brute-force and password-guessing attacks. Examples include lockout policies on password-protected accounts and network access points. Because an attacker who knows or can enumerate usernames can deliberately trigger lockouts to deny service to legitimate users, lockout is usually tuned against that trade-off and combined with progressive delays, per-source rate limiting, and multi-factor authentication. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning).*
124
# Define: Logical Access
User permissions based on identity and security controls, managing data and system access. ## Footnote The ability to access data or resources based on user credentials, permissions, and other security controls. It is used to control access to sensitive information and systems. Examples include using a username and password to log into a network, requiring two-factor authentication to access a database, and using role-based access controls to restrict access to certain resources. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Logical_access_control).*
125
# Define: Logical Access Control
The systematic management of user rights for accessing systems and data in a computing environment. ## Footnote The mechanisms used to manage access rights to resources on a computer system or network, often based on user identity or role. These mechanisms determine who or what can view or use resources in a computing environment. Examples of logical access control methods include user authentication processes, access control lists (ACLs), and role-based access control (RBAC). *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Logical_access_control).*
126
# Define: Logical Access Token
An electronic token used for authenticating user identities and authorizing access to systems. ## Footnote A logical access token is an electronic key, typically in the form of a digital credential or token, used to authenticate a user and authorize that user's access to systems, applications, or data. This can include software-based tokens, hardware tokens, or cryptographic tokens used in multifactor authentication systems. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_token).*
127
# Define: Logical Security/Controls
Protection measures at the software level, including firewalls and access controls. ## Footnote The security measures and controls that are implemented at the software and application level, as opposed to physical security measures. They are used to protect data and systems from unauthorized access, tampering, and other threats. Examples include encryption, access controls, and firewalls. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Logical_security).*
128
# Define: Machine Identity Management
Machine Identity Management secures the identities of non-human entities—like applications, containers, and IoT devices—by issuing and managing cryptographic credentials to verify their authenticity. ## Footnote As machine-to-machine communications proliferate, improper identity handling can lead to unauthorized system access or data tampering. Proper management involves issuing secure certificates or keys, rotating them before expiration, and revoking compromised credentials. Centralized certificate authorities and automated lifecycle management tools help prevent outages caused by expired certificates. By ensuring each device or software component's identity is verified, organizations maintain trustworthy communication channels and reduce their attack surface.
129
# Define: Magnetic Card Reader
A device that reads data from the magnetic stripe of a card, such as credit cards or access cards. ## Footnote A device that reads the information stored on a magnetic strip or magnetic stripe card. It is used in various industries, such as financial services and transportation, to authenticate users and access information. Examples include ATM card readers and credit card swipe machines. *For more information, view this lecture on [Physical security- Part 4](https://courses.thorteaches.com/courses/take/cissp/lessons/19632100-physical-security-part-4). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Magnetic_stripe_card).*
130
# Define: Mandatory Access Control | (MAC)
An access control model where access rights are determined by the system, not users, often used in high-security environments. ## Footnote A type of access control where the operating system constrains the ability of a subject or initiator to access or generally perform some sort of operation on an object or target. In MAC, access rights are determined by the system based on regulations and not the users. It is commonly used in organizations that require a high level of security, such as military institutions. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Mandatory_access_control).*
131
# Define: Multifactor Authentication | (MFA)
Security that requires multiple forms of authentication, enhancing protection against unauthorized access. ## Footnote A security measure that requires users to provide two or more independent credentials to verify their identity. These credentials typically fall into three categories - something you know (like a password), something you have (like a smart card or a mobile device), and something you are (like a fingerprint or other biometric feature). By requiring multiple forms of proof, MFA adds an extra layer of protection against unauthorized access. *For more information, view this lecture on [Introduction to Access Control](https://courses.thorteaches.com/courses/take/cissp/lessons/19178806-introduction-to-access-control). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Multi-factor_authentication).*
132
# Define: Need To Know
A principle that restricts information access to individuals based on their necessity to know for their job role. ## Footnote A principle in the control of access to confidential information. The concept suggests that information should be provided only to those individuals who absolutely need it to perform their responsibilities. The need-to-know principle helps to enforce the confidentiality of sensitive information, limit the number of people with access to this type of data, and reduce the risk of unauthorized disclosure or misuse of the information. *For more information, view this lecture on [The CIA Triad- Part 1- Confidentiality, Integrity, and Availability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551695-the-cia-triad-part-1-confidentiality-integrity-and-availability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Need_to_know).*
133
# Define: Need To Know Determination
Assessing which individuals should access certain information based on their job requirements. ## Footnote The "Need to Know Determination" is the process by which organizations assess and decide which individuals need access to specific information to fulfill their job duties. It's an aspect of access control focused on minimizing the risk of unauthorized information disclosure by granting access only to those with a justified requirement for that information. *For more information, view this lecture on [The CIA Triad- Part 1- Confidentiality, Integrity, and Availability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551695-the-cia-triad-part-1-confidentiality-integrity-and-availability).*
134
# Define: Negative-List
An access control list that specifies which users or entities are explicitly denied access or privileges. ## Footnote A negative-list, also known as a denylist or blacklist, is an access control mechanism that specifies entities, such as user accounts, email addresses, or IP addresses, which are explicitly denied access or privileges within a system or network. This approach contributes to safeguarding against unauthorized access and securing systems from potential attackers or harmful activities. *For more information, view this lecture on [Application positive-listing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180298-application-positive-listing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Whitelist).*
135
# Define: NIST SP 800-63
Technical guidance on digital identity services, covering authentication and identity proofing. ## Footnote A special publication by NIST that provides technical guidelines for digital identity services. It covers identity proofing, authentication, and federation, outlining standards for ensuring the security and privacy of online identities. *For more information, visit this [NIST page](https://pages.nist.gov/800-63-3/).*
136
# Define: One-Time Passwords | (OTPs)
Temporary passwords valid for a single use in authentication processes. ## Footnote A temporary password that is only valid for a single use. It is often used as an additional layer of security in authentication processes. Examples include a one-time password sent to a user's email or mobile phone or a token generated by a hardware device. *For more information, view this lecture on [Type 2 authentication - "Something you have" or "Possession factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178858-type-2-authentication-something-you-have-or-possession-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/One-time_password).*
137
# Define: Online Certificate Status Protocol | (OCSP)
A protocol for real-time verification of the revocation status of digital certificates. ## Footnote A protocol used to check the revocation status of digital certificates. It allows a relying party, such as a web server, to verify the status of a certificate in real-time without relying on a local cache of revocation information. Examples of OCSP responders include certificate authorities and OCSP servers. *For more information, view this lecture on [Digital signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Online_Certificate_Status_Protocol).*
138
# Define: Open Authorization | (OAuth)
An open-standard protocol for secure authorization in web, mobile, and desktop applications. ## Footnote An open-standard protocol for granting access to resources without sharing the user's credentials. It is used to securely authenticate and authorize users to access online services and applications. Examples of its use include the login process for social media platforms and access to third-party applications through a user's Google or Facebook account. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/OAuth).*
139
# Define: Open System Authentication | (OSA)
A method of verifying user identity through shared secrets like passwords, enhancing network security. ## Footnote A method of verifying the identity of a user or device through the use of a shared secret, such as a password or biometric. It is used in network security to ensure that only authorized users can access sensitive resources. Examples include password-based login systems, fingerprint scanners, and face recognition technology. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy#Authentication).*
140
# Define: OpenID Connect | (OIDC)
An authentication protocol built on OAuth 2.0, enabling clients to verify user identity and obtain profile information. ## Footnote An authentication layer on top of the OAuth 2.0 protocol that allows clients to verify the identity of an end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the user in an interoperable and REST-like manner. OpenID Connect allows clients of all types, including web-based, mobile, and JavaScript clients, to request and receive information about authenticated sessions and end-users. It is widely used as a way for users to sign into third-party websites without having to create new passwords, instead using their existing identities from providers like Google, Facebook, or Microsoft. OIDC is designed to be extensible, allowing participants to use it in conjunction with other existing or future authentication and authorization mechanisms. *For more information, view this lecture on [Identity and access provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/OpenID_Connect).*
141
# Define: PAM | (Privileged Access Management)
PAM imposes policies and controls around elevated accounts, restricting privileged credentials, monitoring use, and rotating passwords to reduce insider threats. ## Footnote Administrative accounts possess high-impact capabilities, so compromised credentials can cause severe damage. PAM solutions vault sensitive passwords, provide just-in-time access, and log session activity for auditing. By implementing strong authentication and restricting privileged activities, organizations minimize the risk of lateral movement. Proper PAM programs ensure continuous accountability, supporting compliance standards while reinforcing the principle of least privilege. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privileged_access_management).*
142
# Define: Password
A sequence of characters used to authenticate a user and grant access to systems or data. ## Footnote A password is a sequence of characters used as a security credential to authenticate users and protect access to computer systems and online accounts. Good password practices include using length and complexity to resist password-cracking attempts. Strong passwords should be chosen rather than weak, commonly used ones. *For more information, view this lecture on [Type 1 authentication - "Something you know" or "Knowledge factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178829-type-1-authentication-something-you-know-or-knowledge-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Password).*
143
# Define: Password Authentication Protocol | (PAP)
A simple authentication protocol that sends usernames and passwords in plaintext. ## Footnote Password Authentication Protocol (PAP) is an authentication protocol that sends usernames and passwords as plaintext and is therefore considered insecure by modern standards. PAP is susceptible to eavesdropping and interception, as the credentials are not encrypted. It's typically used in legacy or less secure environments where more secure authentication methods are not feasible. *For more information, view this lecture on [Network authentication protocols](https://courses.thorteaches.com/courses/take/cissp/lessons/19178311-network-authentication-protocols). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Password_Authentication_Protocol).*
144
# Define: Password Complexity
The use of various character types and lengths to strengthen passwords and enhance security. ## Footnote The level of difficulty in guessing or cracking a password based on its length, character types, and other factors. Used in password policies to increase security. Examples include requiring a minimum length of 8 characters, using a combination of letters, numbers, and special characters, and enforcing regular password changes. *For more information, view this lecture on [Type 1 authentication - "Something you know" or "Knowledge factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178829-type-1-authentication-something-you-know-or-knowledge-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Password_strength).*
145
# Define: Password History
A record of a user's past passwords to prevent reuse, enhancing account security. ## Footnote A security feature that remembers a certain number of a user's previous passwords to prevent their reuse. This can deter unauthorized access because it forces users to come up with new passwords regularly, making it more difficult for potential intruders to guess them. *For more information, view this lecture on [Type 1 authentication - "Something you know" or "Knowledge factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178829-type-1-authentication-something-you-know-or-knowledge-factors).*
146
# Define: Password Manager
The practice of securely generating, storing, and handling passwords to protect user accounts. ## Footnote The process of handling the creation, storage, and usage of passwords in a secure manner. This may involve the use of password management software to generate, store, and automatically fill in complex passwords. The goal is to create strong passwords and maintain good security practices without creating a cumbersome user experience. *For more information, view this lecture on [Type 1 authentication - "Something you know" or "Knowledge factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178829-type-1-authentication-something-you-know-or-knowledge-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Password_manager).*
147
# Define: Password Vaulting
The secure, encrypted storage of passwords in a dedicated tool. ## Footnote Password vaulting is the practice of using specialized software to encrypt and store passwords securely. It centralizes credential management, reduces risks associated with weak or reused passwords, and simplifies access for authorized users. By safeguarding sensitive authentication data, organizations can maintain robust security and compliance while ensuring that credentials are protected from unauthorized access. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Password_manager).*
148
# Define: Passwordless Authentication
Passwordless authentication utilizes cryptographic keys, biometrics, or one-time codes instead of traditional passwords, reducing credential-based risks and simplifying the user experience. ## Footnote By removing static secrets, it counters phishing, guesswork, and brute force attacks. Systems may deploy hardware tokens or push notifications on registered devices for secure logins. Users verify their identity locally, never transmitting raw credentials. With broad adoption by tech giants, passwordless solutions ease support costs and frustration, while strengthening security. This shift heralds a future less reliant on remembered or reused passwords. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Passwordless_authentication).*
149
# Define: Permission Aggregation
Calculating a user's permissions by combining individual and group-based access rights for secure and appropriate access. ## Footnote Permission aggregation is a concept in access control where the system calculates the effective permissions of a user by combining all the rights granted directly to the user and those obtained through group memberships or role assignments. It's crucial in complex systems with layered security structures to understand a user's combined permissions, which helps in enforcing the principle of least privilege and preventing excessive access rights. *For more information, view this lecture on [Security models and concepts - Introduction](https://courses.thorteaches.com/courses/take/cissp/lessons/18591274-security-models-and-concepts-introduction).*
150
# Define: Permissions
The level of access granted to users for specific resources or actions within a system or network. ## Footnote The level of access that a user, group, or process has to a system or its resources. They are an essential component of access control, helping to ensure that only authorized individuals or processes can view, modify, or execute specific files or operations. The administration of permissions is a critical task in maintaining system security and data integrity, requiring ongoing oversight to account for changes in roles, responsibilities, or threat environments. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/File_system_permissions).*
151
# Define: Personal Identification Number | (PIN)
A secret number used to authenticate a user's identity and grant access to services or systems. ## Footnote A secret numeric password used to authenticate a user's identity and access certain services or systems. It is used in security to provide an additional layer of protection against unauthorized access. Examples include ATM PINs and phone unlock codes. *For more information, view this lecture on [Type 1 authentication - "Something you know" or "Knowledge factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178829-type-1-authentication-something-you-know-or-knowledge-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Personal_identification_number).*
152
# Define: Personal Identification Verification Card
A government-issued card for federal employees and contractors containing security features for identity verification. ## Footnote The Personal Identification Verification (PIV) Card is a United States federal government standard for secure and reliable forms of identification for federal employees and contractors. The PIV card serves as a government-issued identification card for access to federal buildings and information systems, and includes integrated security features such as cryptographic keys, personal identification numbers (PINs), and biometric data to ensure the cardholder's identity. *For more information, view this lecture on [Type 2 authentication - "Something you have" or "Possession factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178858-type-2-authentication-something-you-have-or-possession-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Personal_identity_verification).*
153
# Define: Physical Access Control
Measures restricting physical entry to facilities or devices, including security guards, keycards, and biometric systems. ## Footnote The measures put in place to restrict physical access to a facility, building, or device. This can include security guards, keycards, security cameras, and biometric scanners. It is used in the field of information security to prevent unauthorized individuals from gaining access to sensitive information or systems. Three examples of physical access control measures are security guards at the entrance to a building, keycards for employees to access specific areas, and security cameras monitoring entrances and exits. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Access_control#Physical_security).*
154
# Define: Physical Access Token
A tangible device providing authentication and secure access, such as key fobs, smart cards, or USB tokens. ## Footnote A physical access token is a tangible device that provides secure user authentication and access control to buildings, rooms, or information systems. These tokens store security credentials and can take various forms, such as key fobs, smart cards, or USB tokens. Examples include RFID badges for building access, tokens for two-factor authentication, and smart cards used in conjunction with personal identification numbers (PINs). *For more information, view this lecture on [Type 2 authentication - "Something you have" or "Possession factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178858-type-2-authentication-something-you-have-or-possession-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_token).*
155
# Define: Positive-List
An access control technique specifying allowed entities, enhancing security by granting access to only those listed. ## Footnote A positive-list, more commonly referred to as an "allowlist," is an access control strategy that specifies allowed entities, such as user IDs, email addresses, or IP addresses. Access is granted only to those on the list, while all others are denied by default. It's used in security implementations for network access, email filtering, and software execution policies. *For more information, view this lecture on [Application positive-listing](https://courses.thorteaches.com/courses/take/cissp/lessons/19180298-application-positive-listing). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Whitelist).*
156
# Define: Preventive
Actions or strategies implemented to stop security incidents before they happen, enhancing overall security. ## Footnote Preventive measures in cybersecurity are actions and strategies implemented to stop security incidents before they occur. These measures are based on the anticipation of potential threats and include practices like installing firewalls, enforcing strong authentication protocols, conducting regular security training, and applying timely system patches. Their aim is to enhance the overall security posture and prevent the exploitation of vulnerabilities. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_controls#Types_of_security_controls).*
157
# Define: Preventive Control
Security measures designed to stop undesirable events from occurring by deterring potential incidents. ## Footnote Security measures designed to prevent undesirable events, such as data breaches or system intrusions. These controls work by deterring potential incidents before they occur, serving as a proactive method for enhancing system security. Examples of preventive controls include firewalls, access controls, encryption, and security awareness training. By implementing preventive controls, organizations can reduce their vulnerability to potential threats and protect their valuable resources. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_controls#Types_of_security_controls).*
158
# Define: Privilege
Special access rights granted to users or processes to perform actions within a system or network. ## Footnote A special right, immunity, or exemption granted to an individual or group. It is used in the context of access control to grant certain users or processes additional rights and permissions beyond the default access level. Examples include administrative privileges, root privileges, and privileged accounts. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privilege_(computing)).*
159
# Define: Privilege Creep
The gradual accumulation of excessive user permissions over time beyond necessary levels. ## Footnote Privilege Creep occurs when users steadily accumulate access rights and permissions that exceed what is necessary for their roles. This over-provisioning can lead to security vulnerabilities by increasing the risk of unauthorized actions or data breaches. Regular audits and adherence to the principle of least privilege are crucial to mitigate privilege creep and maintain a secure access control environment. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization).*
160
# Define: Privilege Escalation
Exploiting vulnerabilities to gain unauthorized access or higher permission levels than intended. ## Footnote The act of exploiting a vulnerability or misconfiguration to gain access to privileges and permissions beyond the intended level of access. It is used in the context of security vulnerabilities and threats to gain unauthorized access to sensitive data and systems. Examples include exploiting weak passwords, privilege mismanagement, and insecure default configurations. *For more information, view this lecture on [Software vulnerabilities and Attacks](https://courses.thorteaches.com/courses/take/cissp/lessons/19182134-software-vulnerabilities-and-attacks). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privilege_escalation).*
161
# Define: Privileged Users/Accounts
Individuals or accounts with elevated access rights, capable of affecting system security. ## Footnote A user or account with additional rights and permissions beyond the default access level. It is used in access control systems to grant certain individuals or processes access to sensitive data and systems. Examples include administrator accounts, root accounts, and service accounts. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Privilege_(computing)).*
162
# Define: Proximity Reader
A device detecting the presence of objects or individuals using electromagnetic fields or radio waves. ## Footnote A device that uses electromagnetic fields or radio waves to identify objects in close proximity. This is commonly used in security systems to authenticate users based on their proximity to a particular device or location. Examples include RFID readers and NFC readers. *For more information, view this lecture on [Physical security- Part 4](https://courses.thorteaches.com/courses/take/cissp/lessons/19632100-physical-security-part-4). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Proximity_card).*
163
# Define: Remote Key Management Services
Services managing cryptographic keys over distance, ensuring keys remain secure and accessible only to authorized entities. ## Footnote The processes and protocols used to manage cryptographic keys in a remote or distributed environment. These services maintain the lifecycle of the cryptographic keys used for encryption and decryption processes, including their generation, storage, distribution, rotation, and retirement. These services help ensure the keys are securely stored and only accessible to authorized entities, thus safeguarding sensitive encrypted data.
164
# Define: Remote Rekeying
Updating cryptographic keys on a remote device or system to maintain the security of encrypted data. ## Footnote The practice of updating cryptographic keys on a remote device or system. It is used in secure network environments where encryption is utilized to maintain the security of the encrypted data. Remote rekeying is performed periodically or under specific circumstances, such as when a key is compromised, to ensure the continued security and integrity of the encrypted data.
165
# Define: Renewal
The process of extending the validity of digital certificates, subscriptions, or services to continue access and security measures. ## Footnote The process of extending the validity of something, such as a digital certificate or subscription to a security service. This is an important process that ensures continued protection and access to service. Failure to renew may lead to a lapse in service, possibly leaving systems unprotected or causing service disruptions. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures).*
166
# Define: Repudiation
The denial of involvement in an action, such as a transaction; non-repudiation measures secure proof of participation. ## Footnote The ability of an individual or entity to deny having performed a particular action related to data or a transaction, typically an illicit one. For instance, a user could deny having sent a message or conducted a transaction. Non-repudiation measures are put in place to prevent this, providing proof of origin or delivery that cannot be convincingly denied by the sender or receiver, respectively. *For more information, view this lecture on [IAAA- Part 1- Identification, Authentication, Authorization, and Accountability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551727-iaaa-part-1-identification-authentication-authorization-and-accountability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Non-repudiation#In_digital_security).*
167
# Define: Reserve Keying Material
Cryptographic keys stored for emergency use, ensuring continued access to encrypted data when needed. ## Footnote A set of cryptographic keys that are stored securely for use in emergency or contingency situations. These keys can be used as a backup, for example, in the event of loss or compromise of the primary keys. Having reserve keying material is an important aspect of a comprehensive data security strategy as it helps ensure continued access to encrypted data under all circumstances.
168
# Define: Restricted Interface
A security approach that involves providing only the essential functions and features needed for specific tasks to minimize the system's attack surface. ## Footnote A security principle that advocates for limiting the exposure of the working of a system. It involves providing only the necessary features and functionalities needed to fulfill specific tasks, thereby reducing the attack surface and limiting the potential for misuse. By restricting the functionality and information available, the scope for errors or security breaches can be significantly reduced.
169
# Define: Restrictive Defaults
A security principle that advocates for the most secure settings as the default configuration to limit system access and privileges. ## Footnote A principle in system security that advocates for setting the most secure settings as the default configuration. This means that, out of the box, a system or application is set up to provide the least permissions or privileges, limiting access to the system's resources. Users or administrators then must explicitly grant additional permissions as necessary. This helps to reduce the likelihood of unintended access or security breaches due to oversight or misconfiguration.
170
# Define: Retina Scanning
Retina scanning is a biometric identification technique that maps the unique patterns of blood vessels at the back of the eye, providing high accuracy but requiring specialized hardware. ## Footnote During the scan, low-intensity light illuminates the retina, capturing images to match against a stored template. This advanced security measure offers strong resistance to forgery, though it must address user comfort and potential privacy concerns. Adoption remains limited compared to fingerprints or facial recognition. When implemented correctly, retina scanning delivers a robust layer of identity verification. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Retinal_scan).*
171
# Define: Revocation
The process of formally invalidating a digital certificate or cryptographic key before its scheduled expiry so that it is no longer trusted for secure communications. ## Footnote The act of invalidating a digital certificate or cryptographic key. Once a certificate or key is revoked, it is no longer trusted and must not be accepted for secure communications. Revocation is a necessary measure when a key or certificate has been compromised, or when the entity it represents is no longer valid, for example an employee who has left or a server that has been decommissioned. Revocation only helps if relying parties check for it: a revoked certificate is still cryptographically valid, so clients must consult the issuer's Certificate Revocation List (CRL) or an OCSP responder, and a deployment that fails open when those checks are unreachable gains little from revoking anything. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures).*
172
# Define: Role-Based Access Control | (RBAC)
An access control method limiting system access based on user roles within an organization. ## Footnote A method of limiting access to computer systems based on the roles and responsibilities of individual users. It is used to ensure that only authorized users have access to sensitive information and resources. Examples include limiting access to financial data to only accounting personnel or restricting access to confidential documents to only senior management. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Role-based_access_control).*
173
# Define: Rule-Based Access
Controlling access to resources based on a set of defined rules, enhancing security. ## Footnote An approach to managing access to system resources that revolves around a set of predefined rules. These rules are set up to govern the access capabilities of an entity based on specific conditions, such as IP address, time of access, or the particular service being accessed. This type of control enhances the security of systems by ensuring that access is granted only under defined circumstances, thereby reducing the chances of unauthorized access. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_access_control#Mandatory_access_control).*
174
# Define: Rule-Based Access Control | (RuBAC)
An access control method using predefined rules, set by an administrator, to govern permissions in a system. ## Footnote An access control method where system access is determined by rules or policies set by an administrator rather than by the identity or role of the requester alone. RuBAC allows for complex operational conditions (time of day, source address, service requested) and is widely used due to its flexibility and the ability to enforce company security policies at a granular level. Some texts abbreviate rule-based access control as RBAC as well; in this deck, RBAC refers to role-based access control. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Computer_access_control#Mandatory_access_control).*
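The Role-Based Access Control, Rule-Based Access, and RuBAC cards above describe two layers that a real authorization decision usually combines: a role table that says what a user may do, and administrator-set rules that say under which conditions (source address, time of day). The Python script below is an added example written for this page; it is not code from the course or from any product. The users, roles, permissions, network range, and business-hours rule are constructed for illustration.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# --- RBAC layer: constructed role and user tables ---------------------------
ROLE_PERMISSIONS = {
    "accountant": {"ledger:read", "ledger:write"},
    "auditor": {"ledger:read"},
    "executive": {"ledger:read", "board_docs:read"},
}
USER_ROLES = {
    "alice": {"accountant"},
    "bob": {"auditor"},
    "carol": {"executive"},
}

# --- Rule-based layer: conditions that apply regardless of role -------------
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]          # constructed corporate address space
BUSINESS_HOURS = (time(8, 0), time(18, 0))             # time-of-day restriction
TIME_RESTRICTED = {"ledger:write", "board_docs:read"}  # sensitive operations only


def rbac_allows(user: str, permission: str) -> bool:
    """Role-based check: does any role held by the user carry the permission?"""
    return any(permission in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def rules_allow(permission: str, source_ip: str, when: datetime):
    """Rule-based check: source network and, for sensitive operations, business hours."""
    if not any(ip_address(source_ip) in net for net in ALLOWED_NETWORKS):
        return False, "source address outside allowed networks"
    start, end = BUSINESS_HOURS
    if permission in TIME_RESTRICTED and not (start <= when.time() < end):
        return False, "outside business hours"
    return True, "ok"


def authorize(user: str, permission: str, source_ip: str, when_iso: str):
    """Deny by default: the role layer and the rule layer must both allow.

    `when_iso` is an ISO-8601 timestamp such as "2024-01-15T10:00".
    """
    if not rbac_allows(user, permission):
        return False, "no role grants the permission"
    return rules_allow(permission, source_ip, datetime.fromisoformat(when_iso))


if __name__ == "__main__":
    requests = [
        ("alice", "ledger:write", "10.1.2.3", "2024-01-15T10:00"),
        ("alice", "ledger:write", "10.1.2.3", "2024-01-15T22:00"),
        ("bob", "ledger:write", "10.1.2.3", "2024-01-15T10:00"),
        ("carol", "board_docs:read", "203.0.113.5", "2024-01-15T10:00"),
    ]
    for req in requests:
        allowed, reason = authorize(*req)
        print(f"{req[0]:6} {req[1]:16} {'ALLOW' if allowed else 'DENY':5} ({reason})")
```

Deny by default is the property to check: an unknown user, an unknown permission, or an empty rule table all fall through to a refusal rather than an allow. The rule layer runs after the role layer so that the returned reason tells an auditor which layer refused.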
175
# Define: SAML | (Security Assertion Markup Language)
A standard for exchanging authentication and authorization data, often enabling single sign-on for web services. ## Footnote A standard protocol used for securely exchanging authentication and authorization data between online service providers and identity providers. It is used in web security to enable single sign-on (SSO) and provide users with access to multiple services using a single set of credentials. Examples of SAML include using SAML to enable SSO for a company's internal web applications or using SAML to enable SSO for a customer's online account with a service provider. *For more information, view this lecture on [Identity and Access Provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/SAML).*
176
# Define: Secure Electronic Transaction | (SET)
An early protocol developed to secure credit card transactions, now replaced by more modern solutions. ## Footnote An early protocol designed to secure electronic credit card transactions. While SET introduced mechanisms to safeguard payment information, it is now considered obsolete and has been largely replaced by more versatile and widely supported standards such as TLS and EMV for online and offline credit card transaction security. *Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Secure_Electronic_Transaction).*
177
# Define: Security Assertion Markup Language | (SAML)
A standard for securely exchanging authentication and authorization data between identity providers and service providers. ## Footnote An open-standard data format that enables identity and service providers to exchange authentication and authorization data. Using XML-based language, SAML creates a seamless environment where users can authenticate once and gain access to multiple applications and services, thereby enhancing user experience, improving security, and reducing the administrative overhead associated with managing multiple passwords and access controls. *For more information, view this lecture on [Identity and Access Provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/SAML).*
178
# Define: Security Label
A descriptor attached to data or resources indicating their security level for access control purposes. ## Footnote An information tag associated with a resource or data object that defines its security status, including the level of sensitivity and the access privileges required to interact with it. Security labels are crucial elements in Mandatory Access Control (MAC) systems, where access decisions are made based on these labels and the security clearances of users or processes. They help ensure that sensitive data can only be accessed by authorized and appropriately cleared entities. *For more information, view this lecture on [Data Classification and Clearance](https://courses.thorteaches.com/courses/take/cissp/lessons/18588247-data-classification-and-clearance).*
179
# Define: Server Authentication
Verifying the identity of a server to ensure the integrity of communications and prevent clients from being tricked into talking to an impostor. ## Footnote The process of verifying the identity of a server or device before a client sends it credentials or data. It is used in network security to prevent man-in-the-middle attacks and ensure the integrity of communications. The usual mechanism is a certificate or key the client can check against a trust store: a TLS server certificate validated up to a trusted root, or an SSH host key compared with the known_hosts entry recorded on an earlier connection. Mutual authentication adds a client certificate or token on top of this. A client that disables certificate validation for convenience has no server authentication at all, whatever its encryption settings say. *For more information, view this lecture on [Digital Signatures](https://courses.thorteaches.com/courses/take/cissp/lessons/19149728-digital-signatures).*
180
# Define: Service User
An individual or entity that utilizes specific services provided by a system or organization. ## Footnote A service user is an individual or entity that utilizes a particular service provided by an organization or system. In the context of a network or software service, the term can refer to the end-users who interact with the service, whether they're employees within an organization, customers, or other stakeholders. It's crucial to manage service users' access rights and credentials appropriately to ensure they can perform necessary tasks while maintaining system security. *For more information, view this lecture on [Policy Decision/Enforcement Points, and Service Account Management](https://courses.thorteaches.com/courses/take/cissp/lessons/54399157-new-2024-policy-decision-enforcement-points-and-service-account-management).*
181
# Define: Shared Accounts
Shared accounts are user credentials accessed by multiple individuals, often for administrative or operational tasks, making accountability and audit trails more challenging. ## Footnote While sometimes convenient, they weaken security: malicious actions can’t easily be traced to a single user, and password changes can disrupt entire teams. Organizations address these risks by adopting unique logins, privileged access management, or password vaults. Minimizing shared accounts fosters clearer responsibility, reduces insider threats, and aligns with best practices for regulatory compliance and robust security posture. *For more information, view this lecture on [Introduction to Access Control](https://courses.thorteaches.com/courses/take/cissp/lessons/19178806-introduction-to-access-control). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Account_sharing).*
182
# Define: Sign-On Procedure
The process by which users identify and authenticate themselves to gain access to a system or network, typically involving credentials like a username and password. ## Footnote The process by which a user gains access to a system or network by identifying and authenticating themselves. It typically involves the user entering a unique identifier (such as a username or email address) and providing one or more forms of verification (like a password, biometric data, or a security token). The sign-on procedure ensures that access is granted only to authenticated users, serving as a fundamental security measure in protecting sensitive systems and data from unauthorized access.
183
# Define: Single Factor Authentication | (SFA)
A security verification method requiring only one credential, such as a password, to authenticate a user. ## Footnote A security measure that only requires one form of authentication, such as a password or biometric, to access a system or service. It is used in security access control. Examples include using a password to log into a website or using a fingerprint to unlock a phone. *For more information, view this lecture on [Introduction to Access Control](https://courses.thorteaches.com/courses/take/cissp/lessons/19178806-introduction-to-access-control).*
184
# Define: Single Sign-On | (SSO)
A security measure enabling users to access multiple systems with a single set of credentials, simplifying user authentication. ## Footnote A security measure that allows a user to access multiple systems or services with a single set of credentials. It is used in user access control. Examples include using a single login to access multiple corporate applications or using a social media account to log into various websites. Because one credential now unlocks every connected service, the identity provider becomes the most valuable target in the environment and should itself be protected with multi-factor authentication and close monitoring. *For more information, view this lecture on [Identity and Access Provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Single_sign-on).*
185
# Define: Smart Cards
Security tokens with embedded microprocessor chips, used for secure access and transactions. ## Footnote A type of security token that stores information on a microprocessor chip, such as personal identification or financial data. It is used in access control and secure transactions. Examples include using a smart card to access a secure facility or using a smart card for contactless payment. *For more information, view this lecture on [Physical Security- Part 4](https://courses.thorteaches.com/courses/take/cissp/lessons/19632100-physical-security-part-4). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Smart_card).*
186
# Define: Strong Authentication
A verification process involving multiple factors to confirm a user's identity and secure access to systems. ## Footnote A security control that uses multiple factors to verify a user's identity. It is used in access control to prevent unauthorized access to sensitive systems or data. Examples of strong authentication include using a combination of something the user knows (a password), something the user has (a security token or key), and something the user is (biometric data such as a fingerprint or facial recognition).
187
# Define: Subject
An active entity that interacts with a system, responsible for initiating actions and controlling state changes. ## Footnote An active entity, typically a user, process, or device, which causes information to flow among objects or changes the system's state. The subject essentially initiates and controls these actions, making it a critical component of access control models and security protocols. It's crucial to verify the identity and permissions of a subject before allowing access to sensitive resources. *For more information, view this lecture on [Identity and Access Provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Access_control#Computer_security).*
188
# Define: Subject Security Level
The clearance assigned to a subject (a user, process, or device) indicating which classifications of information it may access. ## Footnote The classification level of an individual or entity that determines the level of access they are allowed to certain information or resources. In mandatory access control, an access decision compares the subject's security level against the security label of the object: a subject may read an object only if its level dominates the object's label, meaning the same or a higher level and every compartment the object requires. Examples include a Top Secret clearance held by a government employee, or a clinician's clearance to view patient records that a billing clerk does not hold. *For more information, view this lecture on [Identity and Access Provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or view this lecture on [Data Classification and Clearance](https://courses.thorteaches.com/courses/take/cissp/lessons/18588247-data-classification-and-clearance).*
189
# Define: TACACS+ | (Terminal Access Controller Access-Control System Plus)
An AAA protocol that provides centralized authentication, authorization, and accounting for users and administrators accessing network devices and resources. ## Footnote An AAA protocol, originally from Cisco, that provides centralized validation of users attempting to gain access to network resources, most commonly for administrative logins to routers, switches, and firewalls. TACACS+ improves security by allowing for separate authentication, authorization, and accounting procedures, so that per-command authorization can be enforced independently of the login. It runs over TCP (port 49) and encrypts the entire packet body, whereas RADIUS runs over UDP and obfuscates only the password field, leaving usernames and attributes readable to anyone sniffing the segment. *For more information, view this lecture on [Authentication Protocols - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33652414-authentication-protocols-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/TACACS%2B).*
190
# Define: Technical Controls
Security measures based on technology, including hardware, software, and network components. ## Footnote Security measures that are based on the use of technology, such as hardware, software, and networking components. They are used to protect against threats and vulnerabilities in a system or network. Examples include firewalls, intrusion detection systems, and encryption algorithms. *For more information, view this lecture on [Access Control Categories and Types](https://courses.thorteaches.com/courses/take/cissp/lessons/18588072-access-control-categories-and-types).*
191
# Define: TGT | (Ticket-Granting Ticket)
A TGT is a short-lived credential in Kerberos that lets a client request service tickets without re-entering its password for the life of the ticket. ## Footnote At login, the Authentication Service of the Kerberos Key Distribution Center (KDC) returns two things: the TGT, encrypted with the KDC's own long-term key (the key of the krbtgt account), and a session key encrypted with a key derived from the user's password. The client can decrypt only the second part; the TGT stays opaque to it and is simply presented back to the Ticket Granting Server, together with an authenticator encrypted under the session key, to obtain tickets for network services. This limits password exposure, since the password-derived key is used once per login rather than once per service. TGTs carry an expiration time and renewal limits. Proper key management, short ticket lifetimes, and time synchronization are critical in preventing misuse or replay attacks. Because anyone who holds the krbtgt key can forge TGTs for any user, that key must be tightly protected and rotated (twice, so that both the current and the previous key are replaced) after a domain compromise. *For more information, view this lecture on [Authentication Protocols - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19179828-authentication-protocols-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Kerberos_(protocol)#Description).*
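To make the key separation in the card concrete, the script below is an added example written for this page, not code from the course or from any Kerberos implementation. It plays the AS and TGS exchanges with a toy authenticated cipher (HMAC-SHA256 keystream plus an HMAC tag, standing in for Kerberos' real encryption types) and constructed principals and passwords; the realm name, ticket lifetime, and clock-skew window are assumptions. The property to observe is that the client can open the part sealed under its password-derived key but not the TGT, while anyone holding the krbtgt key can.

```python
import hashlib
import hmac
import json
import os


# Toy authenticated encryption: HMAC-SHA256 keystream XOR plaintext, then an HMAC tag.
# It stands in for Kerberos' real encryption types and is for illustration only.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def can_open(key: bytes, blob: bytes) -> bool:
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


def string_to_key(password: str, salt: str) -> bytes:
    """Password-derived long-term key; Kerberos calls this step string2key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


class KDC:
    """Authentication Service (AS) and Ticket Granting Server (TGS) of one realm."""
    TICKET_LIFETIME = 600   # seconds (assumption); short lifetimes limit replay
    CLOCK_SKEW = 300        # seconds (assumption); authenticators outside this are rejected

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm + p) for p, pw in principals.items()}
        self.krbtgt_key = os.urandom(32)   # never leaves the KDC; whoever holds it can mint TGTs

    def as_exchange(self, principal: str, now: int):
        """AS-REP: the TGT is sealed under the krbtgt key, the session key under the user's key."""
        session_key = os.urandom(32)
        exp = now + self.TICKET_LIFETIME
        tgt = seal(self.krbtgt_key,
                   json.dumps({"cname": principal, "key": session_key.hex(), "exp": exp}).encode())
        enc_part = seal(self.keys[principal],
                        json.dumps({"key": session_key.hex(), "exp": exp}).encode())
        return tgt, enc_part

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REP: open the TGT with the krbtgt key, verify it, issue a service ticket."""
        t = json.loads(unseal(self.krbtgt_key, tgt))
        if now > t["exp"]:
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(t["key"])
        auth = json.loads(unseal(session_key, authenticator))   # proves the client holds the session key
        if auth["cname"] != t["cname"] or abs(now - auth["ts"]) > self.CLOCK_SKEW:
            raise PermissionError("bad authenticator")
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], json.dumps(
            {"cname": t["cname"], "key": svc_key.hex(), "exp": now + self.TICKET_LIFETIME}).encode())
        return ticket, seal(session_key, json.dumps({"key": svc_key.hex()}).encode())


def client_login(kdc: KDC, principal: str, password: str, now: int):
    """Client side of the AS exchange: recover the session key; the TGT stays opaque."""
    tgt, enc_part = kdc.as_exchange(principal, now)
    user_key = string_to_key(password, kdc.realm + principal)
    part = json.loads(unseal(user_key, enc_part))    # wrong password -> ValueError
    return tgt, bytes.fromhex(part["key"])


def client_request_service(kdc: KDC, tgt: bytes, session_key: bytes,
                           principal: str, service: str, now: int):
    """Client side of the TGS exchange: present the TGT plus a fresh authenticator."""
    authenticator = seal(session_key, json.dumps({"cname": principal, "ts": now}).encode())
    ticket, enc_part = kdc.tgs_exchange(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(json.loads(unseal(session_key, enc_part))["key"])


def service_accepts(kdc: KDC, service: str, ticket: bytes, now: int) -> str:
    """Service side: the ticket opens only with the service's own long-term key."""
    t = json.loads(unseal(kdc.keys[service], ticket))
    if now > t["exp"]:
        raise PermissionError("service ticket expired")
    return t["cname"]
```

A typical run is `kdc = KDC("EXAMPLE.COM", {"alice": "...", "http/web": "..."})`, then `client_login` followed by `client_request_service` and `service_accepts`. Checking `can_open` with the user's key against the TGT returns False while the same call with `kdc.krbtgt_key` returns True, which is exactly why a leaked krbtgt key lets an attacker forge tickets for any principal.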
192
# Define: Ticket Granting Server | (TGS) (in Kerberos)
A server in the Kerberos protocol that provides service tickets to authenticated clients for network resource access. ## Footnote The server responsible for providing service tickets to authenticated clients. After a client has been authenticated and received a Ticket Granting Ticket (TGT), they can then request specific service tickets from the TGS. These service tickets are used to authenticate the client to various resources on a network, without needing to repeatedly supply the original login credentials. *For more information, view this lecture on [Authentication Protocols - Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19179828-authentication-protocols-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Kerberos_(protocol)).*
193
# Define: Time of Day Restrictions
Limitations on access to systems or networks based on specified times of the day. ## Footnote Constraints placed on a user's access to a system or network based on the time of day. For instance, an organization might limit the hours during which certain users can access specific resources to mitigate the risk of unauthorized access or misuse. This is particularly common in environments that require high levels of security or regulatory compliance. *For more information, view this lecture on [Identity and Access Provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning).*
194
# Define: Token
A digital artifact representing identity, transactions, or permissions within a system. ## Footnote A digital identity representation that serves as evidence of a transaction, authentication, or permission within a system. Tokens usually contain protected, cryptographically secured data, such as user authentication credentials, which can be used to gain access to network services or carry out certain transactions. *For more information, view this lecture on [The OSI Model- Part 1](https://courses.thorteaches.com/courses/take/cissp/lessons/19177264-the-osi-model-part-1). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_token).*
195
# Define: Token Device
A hardware tool used in authentication that generates or stores a unique factor, like a digital signature or biometric data. ## Footnote A physical device that an authorized user of computer services is given to ease authentication. This device can generate and/or store a unique authentication factor, like a secure digital signature or biometric data, such as a fingerprint template, which provides additional proof of identification. *For more information, view this lecture on [LAN Topologies](https://courses.thorteaches.com/courses/take/cissp/lessons/19177530-lan-topologies). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Security_token).*
196
# Define: TOTP | (Time-Based One-Time Passwords)
TOTPs are short-lived numeric codes computed from a shared secret and the current time (RFC 6238), frequently used as a second factor alongside a user’s password. ## Footnote Each code is valid for one time step, typically 30 or 60 seconds, reducing the window in which a captured code can be exploited. Applications like Google Authenticator or hardware tokens produce these time-synced codes offline from the secret provisioned at enrollment, enhancing security over static credentials. TOTP defeats credential stuffing and brute-force attacks on the password alone, but it is not phishing-resistant: a real-time phishing proxy can relay the code to the legitimate site within the same time step, so deployments that need phishing resistance use FIDO2/WebAuthn or smart cards instead. Servers should tolerate small clock drift, refuse a code that has already been accepted, rate-limit guesses (a six-digit code has only a million values), and protect the enrollment secret as carefully as a password. *For more information, view this lecture on [Type 2 Authentication - "Something You Have" or "Possession Factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178858-type-2-authentication-something-you-have-or-possession-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Time-based_one-time_password_algorithm).*
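The algorithm behind the card, as an added example written for this page rather than code from the course: HOTP from RFC 4226 with the counter replaced by the number of 30-second steps since the Unix epoch (RFC 6238), plus the server-side checks the footnote lists. The secret used in the demonstration is the ASCII string that RFC 6238 uses for its SHA-1 test vectors; the drift window, replay bookkeeping, and Base32 helper are design choices of this example.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the big-endian counter, dynamic truncation, modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP (RFC 6238) is HOTP with the counter replaced by the number of time steps elapsed."""
    return hotp(secret, unix_time // step, digits, algorithm)


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                step: int = 30, window: int = 1, digits: int = 6):
    """Server-side check. Returns (accepted, counter_to_remember_for_this_user).

    - window: tolerate clock drift of +/- `window` steps between client and server.
    - last_counter: highest counter already accepted for this user; any code at or below
      it is refused, so a captured code cannot be replayed within its lifetime.
    - compare_digest: constant-time comparison, so timing does not leak matching digits.
    """
    current = unix_time // step
    for offset in range(-window, window + 1):
        counter = current + offset
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return True, counter
    return False, last_counter


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as Base32 (the otpauth:// URI format)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890") used for its SHA-1 test vectors.
    secret = b"12345678901234567890"
    for t in (59, 1111111109, 1234567890):
        print(f"t={t:>10}  totp={totp(secret, t, digits=8)}")
    code = totp(secret, 59)
    print("drift +1 step:", verify_totp(secret, code, 89))                 # accepted via window
    print("replay:       ", verify_totp(secret, code, 60, last_counter=1))  # refused
```

The caller must persist the returned counter per user; without that bookkeeping the drift window turns into a replay window, because the same code stays acceptable for up to three steps.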
197
# Define: Transitive Access
The ability to access a resource because of access rights to a different resource, group, or trust, rather than a permission granted directly, used in access control systems. ## Footnote The ability to access a resource through another resource, group, or trust relationship that the user has access to. It is used in access control systems to grant access to multiple resources based on a single permission. Examples include access inherited through nested group membership in Active Directory, permissions implied by a role hierarchy in role-based access control, and inherited access control list entries in a file system. Because inherited rights are rarely visible at the point where they are granted, transitive access is a frequent source of over-privilege; reviewing effective permissions, not just directly assigned ones, is the check that catches it. *For more information, view this lecture on [Authentication Protocols - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33652414-authentication-protocols-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Active_Directory#Forests,_trees,_and_domains).*
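The nested-group case from the card, worked through as an added example that is not code from the course or from any directory tooling: the directory data, group names, and resource paths are constructed, including a membership loop of the kind that accumulates in long-lived directories. The script flattens nested membership to compute who effectively holds each right, and produces the chain that explains an unexpected grant.

```python
# Constructed directory data: group -> direct members (user names or other group names).
GROUPS = {
    "Finance-Admins": {"alice", "Finance-Leads"},
    "Finance-Leads": {"bob", "Contractor-Pool"},
    "Contractor-Pool": {"mallory", "Finance-Admins"},   # nesting loop, common in old directories
}
# Constructed ACLs: resource -> {group: rights}. Only groups are granted rights directly.
ACLS = {
    "smb://fs01/ledger": {"Finance-Admins": {"read", "write"}},
    "smb://fs01/reports": {"Finance-Leads": {"read"}},
}


def effective_members(group: str, groups: dict = GROUPS) -> set:
    """Users reachable from a group through any depth of nesting (cycle-safe)."""
    users, stack, seen = set(), [group], set()
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in groups.get(current, set()):
            if member in groups:        # a nested group: keep walking
                stack.append(member)
            else:                       # a user
                users.add(member)
    return users


def membership_chain(user: str, group: str, groups: dict = GROUPS, path=None):
    """One nesting path that makes `user` a member of `group`, or None if there is none."""
    path = (path or []) + [group]
    for member in groups.get(group, set()):
        if member == user:
            return path + [user]
        if member in groups and member not in path:     # skip groups already on the path
            chain = membership_chain(user, member, groups, path)
            if chain:
                return chain
    return None


def effective_rights(user: str, resource: str, acls: dict = ACLS, groups: dict = GROUPS) -> set:
    """Union of the rights of every group the user belongs to, directly or transitively."""
    rights = set()
    for group, granted in acls.get(resource, {}).items():
        if user in effective_members(group, groups):
            rights |= granted
    return rights


if __name__ == "__main__":
    for user in ("alice", "bob", "mallory"):
        print(f"{user:8} ledger rights: {sorted(effective_rights(user, 'smb://fs01/ledger'))}")
    print("why mallory:", " -> ".join(membership_chain("mallory", "Finance-Admins")))
```

The loop through Contractor-Pool makes every user a member of every group, so a contractor ends up with write access to the ledger although no administrator ever granted it. An access review that lists only direct group members would not show this; the effective-membership view does.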
198
# Define: True Negative
A correct identification by a security system that an activity is non-threatening or non-malicious. ## Footnote A term used in statistics and diagnostic testing to represent cases where the system correctly identified the absence of a condition. In a security context, it refers to instances where a system correctly identifies an activity as non-threatening or non-malicious, thus avoiding false alarms. *For more information, view this lecture on [Type 3 Authentication - "Something You Are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/False_positives_and_false_negatives).*
199
# Define: True Positive
A correct identification by a security system that an activity is threatening or malicious. ## Footnote Instances where the system accurately identifies a condition's presence. In security terms, it refers to situations where a system correctly flags an activity as threatening or malicious, indicating that the security measures in place are working as intended to identify real threats. *For more information, view this lecture on [Type 3 Authentication - "Something You Are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/False_positives_and_false_negatives).*
200
# Define: Trust Anchor
A source of trust for a chain of trust in digital systems, often an authoritative entity like a Certificate Authority. ## Footnote A source of verification for a chain of trust in digital systems. It is typically an authoritative entity, like a Certificate Authority, for which a degree of trust is assumed and not derived from a higher entity. Its role is to vouch for the identity of entities in the network and the credibility of their certificates and keys. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Trust_anchor).*
201
# Define: Trust Domain
A network segment where a consistent set of security policies and trust relations prevail. ## Footnote A Trust Domain is an administrative or network boundary within which all systems and users operate under a unified security policy. This common set of rules ensures that interactions, data exchanges, and access controls are governed consistently. Establishing clear trust domains is essential in multi-tenant or federated environments to maintain security, proper access management, and inter-organizational trust. *For more information, view this lecture on [Authentication Protocols - Part 2](https://courses.thorteaches.com/courses/take/cissp/lessons/33652414-authentication-protocols-part-2). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Active_Directory#Trusting).*
202
# Define: Trusted List | (Trust Store)
A collection of trusted certificates within a system used to authenticate digital certificates and secure connections. ## Footnote A repository within a computer system or application that stores trusted certificates from certificate authorities (CAs). Trust stores help verify the authenticity of digital certificates and establish secure connections through SSL/TLS protocols.
203
# Define: Two-Factor Authentication
A security process requiring two different types of credentials, enhancing access control. ## Footnote A security measure that requires a user to provide two different types of credentials to verify their identity before they can access a system or data. The two must come from different categories among something the user knows (like a password), something the user has (like a physical token or a smartphone app), and something the user is (like a biometric characteristic). Two credentials from the same category, such as a password plus a security question, are two instances of one factor and do not qualify. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Multi-factor_authentication).*
204
# Define: Type 1 Authentication Factor
Authentication based on something a user knows, like a PIN or password. ## Footnote A type of authentication factor that is based on something a user knows, such as a password or PIN. It is used in information security to verify the identity of a user. Examples include a password and a security question. This is also known as knowledge-based authentication. *For more information, view this lecture on [IAAA- Part 1- Identification, Authentication, Authorization, and Accountability](https://courses.thorteaches.com/courses/take/cissp/lessons/18551727-iaaa-part-1-identification-authentication-authorization-and-accountability). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Knowledge-based_authentication).*
205
# Define: Type 1 Error (False Positive)
An incorrect security alert identifying benign activity as malicious; in biometrics, the false rejection of a legitimate user. ## Footnote In cybersecurity, a Type 1 error refers to incorrectly identifying benign activity as malicious, such as flagging legitimate network traffic as an attack. This can lead to unnecessary responses and can diminish trust in security systems due to over-alerting. Which outcome is called "Type 1" depends on what the test treats as its positive result: for biometric systems, the CISSP convention is that a Type 1 error is a false rejection, a legitimate user denied access, measured by the False Rejection Rate (FRR). *For more information, view this lecture on [Type 3 Authentication - "Something You Are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Type_I_and_type_II_errors).*
206
# Define: Type 2 Authentication Factor
Authentication based on something a user possesses, like a token or smart card. ## Footnote A type of authentication factor that is based on something a user has, such as a security token or a smart card. It is used in information security to verify the identity of a user. Examples include a security token, a smart card, or a USB key. *For more information, view this lecture on [Type 2 Authentication - "Something You Have" or "Possession Factors"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178858-type-2-authentication-something-you-have-or-possession-factors). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Authentication#Authentication_factors).*
207
# Define: Type 2 Error
A statistical error where a test fails to recognize the presence of a condition, a false negative; in biometrics, the false acceptance of an impostor. ## Footnote A statistical error that occurs when a null hypothesis is not rejected even though it is false, also known as a false negative. In a detection context it is the missed attack. For biometric systems, the CISSP convention is that a Type 2 error is a false acceptance, an impostor granted access, measured by the False Acceptance Rate (FAR); this is the more dangerous error for security. Lowering the matching threshold reduces false rejections but raises false acceptances, and the point where the two rates are equal is the crossover error rate (CER) used to compare systems. *For more information, view this lecture on [Type 3 Authentication - "Something You Are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics).*
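The True Negative, True Positive, Type 1 Error and Type 2 Error cards describe the four cells of one confusion matrix. The script below is an added example written for this page, not code from the course: it takes constructed matcher scores from legitimate users and impostors, builds the matrix at a given threshold, computes the biometric False Rejection Rate and False Acceptance Rate, and sweeps the threshold to find the crossover error rate. Which cell is called "Type 1" depends on what the test treats as positive; the comments use the biometric convention (Type 1 = false rejection, Type 2 = false acceptance).

```python
# Constructed matcher scores: a biometric system returns a similarity score per attempt,
# and the operator picks a threshold at or above which an attempt is accepted.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.70, 0.83, 0.97, 0.60, 0.89, 0.93, 0.78]   # legitimate users
IMPOSTOR_SCORES = [0.12, 0.35, 0.48, 0.22, 0.66, 0.30, 0.51, 0.15, 0.41, 0.72]  # other people


def confusion(genuine, impostor, threshold):
    """Confusion matrix where 'positive' means the system accepts the claimed identity."""
    tp = sum(s >= threshold for s in genuine)   # true positive: legitimate user accepted
    fn = len(genuine) - tp                      # false rejection (biometric Type 1 error)
    fp = sum(s >= threshold for s in impostor)  # false acceptance (biometric Type 2 error)
    tn = len(impostor) - fp                     # true negative: impostor correctly rejected
    return {"TP": tp, "FN": fn, "FP": fp, "TN": tn}


def error_rates(genuine, impostor, threshold):
    """FRR (false rejections / genuine attempts) and FAR (false acceptances / impostor attempts)."""
    m = confusion(genuine, impostor, threshold)
    return m["FN"] / len(genuine), m["FP"] / len(impostor)


def crossover(genuine, impostor, steps=100):
    """Sweep thresholds 0..1 and return (threshold, frr, far) where FRR and FAR are closest: the CER."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(genuine, impostor, t)
        if best is None or abs(frr - far) < best[0]:
            best = (abs(frr - far), t, frr, far)
    return best[1:]


if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7, 0.8):
        frr, far = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold={t:.2f}  FRR={frr:.2f}  FAR={far:.2f}  "
              f"{confusion(GENUINE_SCORES, IMPOSTOR_SCORES, t)}")
    t, frr, far = crossover(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"crossover error rate at threshold {t:.2f}: FRR={frr:.2f} FAR={far:.2f}")
```

Raising the threshold moves errors from the FAR column to the FRR column and back; the CER is a single number for comparing vendors, but a deployment protecting something valuable will usually sit to the right of it and accept more false rejections in exchange for fewer false acceptances.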
208
# Define: Type 3 Authentication Factor
Authentication based on a user's unique physical attributes, like fingerprints or facial recognition. ## Footnote A type of authentication factor that is based on something a user is, such as a fingerprint or a facial recognition scan. It is used in information security to verify the identity of a user. Examples include a fingerprint scan, a facial recognition scan, or a voice recognition scan. This is also known as biometric or something you are authentication. *For more information, view this lecture on [Type 3 Authentication - "Something you are" or "Biometrics"](https://courses.thorteaches.com/courses/take/cissp/lessons/19178870-type-3-authentication-something-you-are-or-biometrics). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Biometrics).*
209
# Define: User
An individual who interacts with a computer system or service, critical to securing against unauthorized access. ## Footnote A user is an individual or entity that interacts with a computer system or service. In cybersecurity, a user can be an administrator, an employee, or a customer, each with varying levels of access and privileges. Ensuring the security of user accounts and data is fundamental to protecting against unauthorized access and breaches. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/User_(computing)).*
210
# Define: User ID
A unique identifier assigned to a user that names the account during authentication and access to a system or network. ## Footnote A unique identifier assigned to a user that is used to identify the account when accessing a system or network; authentication then proves the user's claim to that identifier. It is used in authentication systems to tie actions to an individual and grant access to the appropriate resources. Examples include a username or an employee ID. A user ID is not a secret, so sensitive values such as social security numbers should not be used as identifiers: they would then appear in logs, on screens, and in directories. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/User_identifier).*
211
# Define: User Provisioning
The process of creating, managing, and removing user accounts and their access rights within a system or network. ## Footnote The process of creating and managing user accounts within a system or network. It is used to ensure that only authorized users have access to the appropriate resources and to maintain an accurate and up-to-date record of user permissions. Examples include creating new user accounts, assigning roles and permissions, adjusting access when someone changes role, and disabling accounts promptly when people leave; de-provisioning that lags behind HR changes leaves orphaned accounts that attackers favor. *For more information, view this lecture on [Identity and Access Provisioning](https://courses.thorteaches.com/courses/take/cissp/lessons/19179779-identity-and-access-provisioning). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/Provisioning_(technology)#User_provisioning).*
212
# Define: User-Assigned Privileges
Rights and permissions granted to users to perform certain actions or access resources within a system. ## Footnote The specific rights and permissions granted to a user to access and use certain resources or perform certain actions. These privileges are assigned by the system administrator or other authorized user based on the user's role and responsibilities. Examples include allowing a user to read or write to a specific file or to access a particular network or database. This can also be referred to as "user permissions" or "access rights." *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization).*
213
# Define: Validation
Ensuring that data or information conforms to specified criteria and is accurate and consistent. ## Footnote The process of verifying that data or information meets certain criteria or standards. It is used to ensure the accuracy and consistency of data and to prevent errors or inconsistencies. Examples include verifying the format of a phone number or email address or checking that a password meets the required complexity criteria. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Verification_and_validation).*
214
# Define: Verification
The process of confirming that a system meets specified requirements and functions as intended. ## Footnote The process of ensuring that a product, system, or component meets specified requirements. It involves a series of checks and balances to ensure that what was designed, created, or implemented aligns with the original intentions or goals. Verification is often used to ensure that security measures are properly in place and functioning as intended. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Verification_and_validation).*
215
# Define: Voice Recognition
Voice recognition technology identifies speakers or processes spoken commands by analyzing vocal traits, phonemes, and unique speech patterns. ## Footnote It powers telephone banking, digital assistants, or secure voice-based authentication. Systems may employ acoustic models or machine learning, training on large datasets to improve accuracy. Security risks include replay attacks or impersonation, though advanced solutions counter with liveness detection and voiceprinting. Properly implemented, voice recognition offers convenient, hands-free interactions but requires careful calibration to handle diverse accents and environmental noise. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Speech_recognition).*
216
# Define: Write
The action of saving or updating information on a storage medium, a fundamental operation in computing. ## Footnote The act of creating or recording information on a storage medium such as a hard drive or flash drive. It is commonly used in computing to save and update data. Examples include saving a document, updating a database, and writing to a log file. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/Write_(system_call)).*
217
# Define: Write Access
Permission to modify or create data within a system, needing careful management to maintain data integrity. ## Footnote The permission granted to a user or process to modify, delete, or create new data within a system. Write access needs to be carefully controlled to prevent unauthorized changes and ensure data integrity. *For more information, view this lecture on [Authorization](https://courses.thorteaches.com/courses/take/cissp/lessons/19179045-authorization). Or visit this [Wikipedia page](https://en.wikipedia.org/wiki/File_system_permissions).*
218
# Define: X.500
A standard defining directory services for storing and organizing network object data, such as Active Directory. ## Footnote X.500 is a standard for directories that store information about objects on a network. It is used in directory services for storing and organizing information about users, resources, and services in a network. Examples of directory services built on or derived from X.500 include Active Directory and LDAP-based directories. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/X.500).*
219
# Define: X.509 V3
A standard for public key certificates, facilitating secure identity verification in network communication. ## Footnote A standard for public key certificates, which are used to verify the identity of a user or device in a network. It is used in secure communication protocols such as SSL/TLS, which require the use of certificates for authentication and encryption. Examples of X.509 V3 certificates include SSL/TLS certificates, digital signatures, and client authentication certificates. *For more information, visit this [Wikipedia page](https://en.wikipedia.org/wiki/X.509).*