Domain 5: Identity and Access Management: Answer & Review Questions
Answer (d)
1. d. Knowledge factors are something a person knows, including passwords, mother's maiden name, city of birth, and date of birth. Ownership factors are something a person has, including a smart card.
Answer (d)
10. d. A brute-force attack is considered a password threat.
Answer (a)
11. a. Desktop sessions can be managed through screensavers, timeouts, logon, and schedule limitations. Federal Information Processing Standards (FIPS) Publication 201.2 and NIST Special Publication 800-79-2 are documents that provide guidance on proof of identity. Physical access to facilities can be provided securely using locks, fencing, bollards, guards, and closed-circuit television (CCTV). In Kerberos, the key distribution center (KDC) issues a ticket-granting ticket (TGT) to the principal. The principal sends the TGT to the ticketgranting service (TGS) when the principal needs to connect to another entity.
Answer (d)
12. d. If a user's credentials are compromised in a single sign-on (SSO) environment, attackers have access to all resources to which the user has access. All other choices are advantages to implementing an SSO system.
2. Which of the following statements about memory cards and smart cards is false?
a. A memory card is a swipe card that contains user authentication information. b. Memory cards are also known as integrated circuit cards (ICCs). c. Smart cards contain memory and an embedded chip. d. Smart card systems are more reliable than memory card systems.
18. What are the three types of access control?
a. Administrative, physical, and technical b. Identification, authentication, and authorization c. Mandatory, discretionary, and least privilege d. Access, management, and monitoring
17. What are the seven main categories of access controls?
a. Detective, Corrective, Monitoring, Logging, Recovery, classification, and directive b. Directive, deterrent, preventative, detective, corrective, compensating, and recovery c. Authorization, identification, factor, corrective, privilege, detective, and directive. d. Identification, authentication, authorization, detective, corrective, recovery, and directive.
16. ______ requires that a user or process be granted access to only those resources necessary to perform assigned functions.
a. Discretionary access control b. Separation of duties c. Least privilege d. Rotation of duties.
7. Which of the following statements best describes an IDaaS implementation?
a. Ensures that any instance of identification and authentication to a resource is managed properly. b. Collects and verifies information about an individual to prove that the person who has a valid account is who he or she claims to be. c. Provides a set of identity and access management functions to target systems on customers' premises and/or in the cloud. d. It is an SAML standard that exchanges authentication and authorization data between organizations or security domains.
19. What are types of failures in biometric identification systems? (Choose ALL that apply)
a. False reject b. False positive c. False accept d. False negative
20. What best describes two-factor authentication?
a. Something you know b. Something you have c. Something you are d. a combination of two listed above
13. Which type of attack is carried out from multiple locations using zombies and botnets?
a. TEMPEST b. DDoS c. Backdoor d. Emanating
12. Which of the following is a major disadvantage of implementing an SSO system?
a. Users are able to use stronger passwords. b. Users need to remember the login credentials for a single system. c. User and password administration are simplified. d. If a user's credentials are compromised, attacker can access all resources.
15. Which best describe access controls?
a. access controls are a collection of technical controls that permit access to authorized user, systems, and applications. b. access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who have been approved. c. access control is the employment of encryption solutions to protect authentication information during log-on. d. access controls help protect against vulnerabilities by controlling unauthorized access to systems and information by employees, partners, and customers.
10. Which threat is considered a password threat?
a. buffer overflow b. sniffing c. spoofing d. brute-force attack
4. What is a Type I error in a biometric system?
a. crossover error rate (CER) b. false rejection rate (FRR) c. false acceptance rate (FAR) d. throughput rate
5. Which access control model is most often used by routers and firewalls to control access to networks?
a. discretionary access control b. mandatory access control c. role-based access control d. rule-based access control
3. Which biometric method is most effective?
a. iris scan b. retina scan c. fingerprint d. hand-print
9. You decide to implement an access control policy that requires that users logon from certain workstations within your enterprise. Which type of authentication factor are you implementing?
a. knowledge factor b. location factor c. ownership factor d. characteristic factor
1. Which of the following is NOT an example of a knowledge authentication factor?
a. password b. mother's maiden name c. city of birth d. smart card
6. Which threat is NOT considered a social engineering threat?
a. phishing b. pharming c. DoS attack d. dumpster diving
11. Which session management mechanisms are often used to manage desktop sessions?
a. screensavers and timeouts b. FIPS 201.2 and NIST SP 800-79-2 c. Bollards and locks d. KDC, TGT, and TGS
14. Authentication is
a. the assertion of unique identity for a person or system. b. the process of verifying the identity of the user. c. the process of defining the specific resources a user needs and determining the type of access to those resources the user may have. d. the assertion by management that the user should be given access to a system.
8. Which of the following is an example of multi-factor authentication?
a. username and password b. username, retina scan, and smart card c. retina scan and finger scan d. smart card and security token
Answer (b)
see page 1116 of your Official (ISC)2 Guide to the CISSP CBK
Answer: (b)
see page 1117 of your Official (ISC)2 Guide to the CISSP CBK
Answer: (c)
see page 1117 of your Official (ISC)2 Guide to the CISSP CBK
Answer: (a)
see page 1118 of your Official (ISC)2 Guide to the CISSP CBK
Answer: (a|c)
see page 1118 of your Official (ISC)2 Guide to the CISSP CBK
Answer: (d)
see page 1118 of your Official (ISC)2 Guide to the CISSP CBK
Answer (b)
13. b. A distributed DoS (DDoS) attack is a DoS attack that is carried out from multiple attack locations. Vulnerable devices are infected with software agents, called zombies. This turns the vulnerable devices into botnets, which then carry out the attack. Devices that meet TEMPEST standards implement an outer barrier or coating, called a Faraday cage or Faraday shield. A backdoor or trapdoor is a mechanism implemented in many devices or applications that gives the user who uses the backdoor unlimited access to the device or application. Emanations are electromagnetic signals that are emitted by an electronic device. Attackers can target certain devices or transmission mediums to eavesdrop on communication without having physical access to the device or medium.
Answer (b)
2. b. Memory cards are NOT also known as integrated circuit cards (ICCs). Smart cards are also known as ICCs.
Answer (a)
3. a. Iris scans are considered more effective than retina scans, fingerprints, and hand prints.
Answer (b)
4. b. A Type I error in a biometric system is false rejection rate (FRR). A Type II error in a biometric system is false acceptance rate (FAR). Crossover error rate( CER) is the point at which FRR equals FAR. Throughput rate is the rate at which users are authenticated.
Answer (d)
5. d. Rule-based access control is most often used by routers and firewalls to control access to networks. The other three types of access control models are not usually implemented by routers and firewalls.
Answer (c)
6. c. A denial-of-service (DoS) attack is not considered a social engineering threat. The other three options are considered to be social engineering threats.
Answer (c)
7. c. An Identity as a Service (IDaaS) implementation provides a set of identity and access management functions to target systems on customers' premises and/or in the cloud. Session management ensures that any instance of identification and authentication to a resource is managed properly. A proof of identity process collects and verifies information about an individual to prove that the person who has a valid account is who he or she claims to be.
Answer (b)
8. b. Using username, retina scan, and a smart card is an example of multi-factor authentication. The username is something you know, the retina scan is something you are, and the smart card is something you have.
Answer (b)
9. b. You are implementing location factors, which are based on where a person is located when logging in.