Access Controls

Which of the following passwords is the strongest as per NIST's SP 800-63B? A. YouCan'tTouchThi$12 B. *iQ23!T C. abcdefgh D. Copenhagen

A. "YouCan'tTouchThi$12" is a passphrase that is in accordance with NIST's SP 800-63B password recommendations. Actually, it also includes a combination of lowercase and uppercase letters, a special character ($), and two numbers to make it stronger.

Which of the following is an example of a passphrase? A. ILoveS@l@miAndCh33s3 B. P@ssw0rd C. IUOIUQJHJH1987287!!dslkUYQ62 D. passphrase

A. A passphrase is defined as a lengthy character sequence that is meaningful to the user. ILoveS@l@miAndCh33s3 is a passphrase derived from "ILoveSalamiAndCheese" where the letter "a" has been replaced with the character "@" and the letter "e" with "3" in order to provide enhanced security.

Which of these statements regarding passwords is not true? A. Use one strong password across various systems. B. Change passwords often. C. Never give out your password. D. Use passphrases whenever possible.

A. Although the answer mentions a strong password is in use, that doesn't make it impossible to be intercepted, stolen, or provided unintentionally to an attacker. If that password is used across various systems, the malicious party will have access to everything, which could prove quite damaging for an organization.

An attacker is using a brute-force tool in order to crack a user's password and gain access to online medical information. Which is the best option in order to protect against this type of attack? A. Account lockout policy B. Minimum password length C. Password history D. Maximum password age

A. Configuring a lockout policy with a low number of attempts to enter a password (commonly three to five) will mitigate the risk of an attacker brute forcing a user's password. That means that if a wrong password is entered five consecutive times, the user's account is locked, which will require an administrator to unlock it.

What mechanism does Kerberos use to protect transmission confidentiality? A. Symmetric encryption B. Asymmetric encryption C. TGT D. KDC

A. Kerberos uses symmetric encryption in order to protect the transmission confidentiality.

What is the greatest disadvantage of using a retina scanner? A. The scan can potentially identify and reveal the subject's medical conditions. B. They are often unreliable. C. The scan takes too long. D. There is a large amount of false positives.

A. The biggest disadvantage of a retina scanner is the fact that a scan can identify and reveal a subject's medical conditions, which makes it less popular to the majority of the population

The process of creating user accounts and granting them access to appropriate resources is called: A. Provisioning B. Authorization C. Entitlement D. Proofing

A. The definition of provisioning is "The process of creating user accounts and assigning them access to suitable resources."

Josh is going away on a two-week holiday, but his Windows domain password expires in three days. He wants to still be able to use his laptop to access company network resources while he's away. What does he need to do? A. Change his domain password before it expires B. Call his company's IT team while away so they can have his password changed C. Do nothing, as he can always use his cached credentials after the first three days D. Log in to his laptop as a local administrator and reset his password

A. The only way for Josh to maintain access to company resources while he's away on holiday is to ensure he changes his password before leaving. The question doesn't mention that a VPN client is configured, thus implying that Josh's laptop has no way of connecting to the corporate network once he's away.

John is a security manager and is creating an Excel file containing his team's shift plan. He wants his team to be able to read the file in order to know what shift they are working in but doesn't want them to be able to edit the file and change shifts at will. Which of these access control models would be most suitable to accomplish this? A. Mandatory B. Discretionary C. Rule-based Role-based

B. Discretionary access control (DAC) grants access to objects based on the identity of each subject. It also provides data owners the ability to grant permissions to subjects.

Which of these statements is true regarding DAC and non-DAC access control? A. In non-DAC models, users have ownership of their resources. B. In non-DAC models, security administrators control the access granted to users. C. DAC models are best for avoiding catastrophic system modifications. DAC models don't use any type of ACL.

B. In non-DAC models (i.e., MAC), security administrators control the access provided to users, allowing for very robust but less granular control.

An attacker managed to obtain the password file from Lara's laptop and is using a brute-force tool to guess her password. Which of the following is the best option in order to protect her account from this type of attack? A. Account lockout policy B. Password complexity C. Password history D. Password length

B. Password complexity is the best weapon against offline brute-force attacks. The more complex the password is, the less chance a brute-force attack has of identifying it.

Dian signs in to her Gmail account and checks her e-mail. She then wants to access her YouTube channel to upload a new video, which she accesses without entering any further login details. This is an example of: A. Federated access B. SSO C. Decentralized authentication D. Two-step verification

B. SSO refers to a single user authentication instance while the system allows for the same credentials to be used for the remainder of the session (typically until the user closes his browser or logs out of the application). Dian used her credentials to log in to her Gmail account, and when she browsed to YouTube, SSO was used, which is why she didn't have to re-enter her username and password.

Which of the following is not an SSO technology? A. SAML B. SecureAuth IdP C. Kerberos D. OpenIDConnect

B. SecureAuth IdP provides mobile device management and doesn't have anything to do with SSO.

Which model is known as the "Chinese Wall" model? A. Biba B. Brewer-Nash C. Bell-LaPadula D. Clark-Wilson

B. The Brewer-Nash model is also known as the Chinese Wall model.

Which data classification scheme does the U.S. government use (listed from lowest to highest classification level)? A. Top Secret, Secret, Confidential, Unclassified B. Unclassified, Confidential, Secret, Top Secret C. Unclassified, Classified, Secret, Top Secret D. Unclassified, Classified, Confidential, Top Secret

B. The U.S. government classification order (from lowest to highest) is Unclassified, Confidential, Secret, and Top Secret.

Captain Jones has been granted top secret access. According to the Bell-LaPadula model, which rule ensures that she doesn't write information to a lower security level? A. Simple integrity axiom B. Star property C. Simple security property D. Star integrity axiom

B. The star property (also known as "no write down") ensures that subjects with access to a security level don't write to objects at a lower security level.

How many primary types of authentication factors are there? A. 2 B. 3 C. 7 D. 4

B. There are three primary types of authentication factors. Those are "something you know," "something you have," and "something you are."

Sarah, a customer of Glober Bank, has successfully logged on to the bank's website and wants to complete a transaction. In order for that to be finalized, after inserting the destination account details she is required to use a device that generates an eight-digit number that she needs to provide to the website within 40 seconds of its creation time in order for the transaction to be verified and allowed. This is an example of: A. Static password B. Authentication C. Synchronous dynamic password D. Asynchronous dynamic password

C. A synchronous dynamic password is generated by a token, which changes the password at given intervals (in this example, every 40 seconds).

Captain Cramer is reviewing a biometric authentication system that will be used at a nuclear missile silo. Which of the following is the most likely reason that would prevent him from approving the usage of this device? A. Low CER B. Increased amount of type 1 errors C. Increased amount of type 2 errors D. High FRR

C. A type 2 error (also known as FAR, False Acceptance Rate) can affect a system in a more negative way, as it means that it improperly allows access to illegitimate users, which would be detrimental in the case of a nuclear silo.

Felly Corp. wants to improve the level of current security policies. As such, employees won't be allowed to connect to critical infrastructure using corporate machines from the guest network. This is an example of: A. RBAC (Role-based Access Control) B. MAC C. ABAC D. DAC

C. ABAC works by evaluating subject and object attributes (i.e., a user attempting to log in to a finance server from the guest network) and allows/rejects accordingly.

Bob wants to log on to a company system and is presented with a screen asking him to enter a username and password, followed by a second screen asking for an OTP. Which of these elements falls under identification? A. Password B. OTP C. Username D. Username and password combination

C. Bob first enters a username to claim his identity. Please note that at this point he just claims to be Bob, without providing any further evidence to support that (like his password).

Which is not a protocol for asynchronous dynamic password creation? A. HOTP B. OPIE C. TOTP D. S/KEY

C. TOTP (Time-based One Time Password) is a protocol that is used for creating time-based synchronous dynamic passwords.

Which of these statements is not correct regarding the Bell-LaPadula model? A. It uses the "no read up" rule. B. It uses the "no write down" rule. C. It is used to enforce confidentiality. D. It is used to enforce integrity.

C. The primary goal of the Bell-LaPadula model is to enforce confidentiality.

Which of the following is indicative of a better biometric authentication system? A. Higher FAR B. Higher FRR C. Lower DER D. Lower CER

D. CER (Crossover Error Rate) is where the FRR (False Rejection Rate) and FAR (False Acceptance Rate) cross over. A good biometric authentication system should have a low CER.

Which of the following is the best method of performing device authentication? A. MAC address filtering B. Dynamic IP addressing C. Cookies D. Certificate-based authentication

D. Out of the proposed answers, certificate-based authentication is the best method, as it entails a digital certificate to be installed on the device in order to authenticate when used to connect to a network.

What is the primary purpose of SSO? A. Authorization B. Confidentiality C. Availability D. Authentication

D. SSO (single sign-on) is mainly used to identify and authenticate users. Hence, from the available answers, authentication is the correct one.

A large law firm has a team (designated Alpha) representing a manufacturing client, while another team (designated Bravo) is working on a case relating to one of the manufacturing client's biggest competitors. Bravo team would greatly benefit from information that Alpha team has access to. Which of these models would be the most appropriate to ensure that a conflict of interest is avoided? A. Bell-LaPadula B. Biba C. Clark-Wilson D. Brewer-Nash

D. The Brewer-Nash model (also known as the Chinese Wall model) is primarily used to avoid conflicts of interest. According to that, an ethical screen model is used to classify data to distinct conflict-of-interest classes. In this case, a simple way of classifying data would be to ensure that the manufacturing client is placed in one class while their competitor is in another one. Hence, if Bravo team has access to the competitor class, it can't access data from the conflicting class of the manufacturing client.

Which of the following isn't included in the identity and access management lifecycle? A. Entitlement B. Proofing C. De-provisioning D. Deletion

D. There's no term known as deletion in the identity and access management lifecycle. Account deletion will normally take place at the de-provisioning phase

Which is the best option for managing passwords? A. Write them down and save them in a safe to which only you have the key. B. Save them on a local text file. C. Store them on an external USB. D. Use KeePassXC.

D. Using a password manager (like KeePassXC or Windows Credential Manager) ensures that you store your passwords in an encrypted database, which can only be accessed via a main password (also known as a master password). As long as you ensure your master password is strong enough, then the data is fairly secure.

Elizabeth books a SSCP exam, and when she reaches the exam center she realizes that a palm vein scan is required. This is an example of which authentication factor? A. Something you know B. Something you are C. Something you have D. Biometrics

B. A palm vein scan falls under "something you are," as it uses a person's unique characteristics (palm vein feature) in order to provide authentication.

A user accesses a document. Which of these statements is correct? A. The user is the object. B. The document is the object. C. The document is the subject. D. The user is both the subject and object.

B. An object is the resource being accessed; hence, the document is the object.

An army officer needs to access a secure area. For that purpose, she enters her unique six-digit username, personal password, and answer to a security question. Which of the following describes the type of authentication being used? A. Multifactor authentication B. Strong authentication C. Single-factor authentication D. Two-factor authentication

C. Both the previously mentioned authentication attributes (password, answer to a security question) belong to the same authentication category, which is "something you know." As you may remember, the first step to answering any authentication factor-related question is to identify the different factors used to authenticate the user. In the example, there's only one factor in use, therefore resulting in the system using single-factor authentication. Also note that the six-digit username is used for identification (not authentication).

Nadia is on holiday and needs to access her banking website to make a transaction. She uses her friend's computer to log on to the bank's website, and after entering her credentials she is requested to enter her mother's maiden name. This is an example of: A. Passphrase B. OTP C. Cognitive password D. Static password

C. Entering the mother's maiden name is a typical example of a cognitive password, which is something that only a valid system user would know (similar to a dog's name, first school that was attended, favorite color, or city of birth). It is worth noting that in real life, the answer to such a question doesn't need to be truthful, and actually this is a good way of not allowing an unauthorized user to discover accurate information and gain access to someone's account. For example, if a user's cognitive password is his favorite color (i.e., yellow), then an attacker can identify that in little time (often enough an attacker will use open source intelligence techniques, like browsing to someone's Facebook profile where a favorite color is being depicted). However, if an answer of "fever31" is set, the chance of someone identifying that as a favorite color is very slim.

A home network serving the needs of a small family can be classified as a: A. WAN B. PAN C. LAN D. MAN

C. Home networks can be classified as LANs, as they are a group of connected devices within a small geographical area, which in this case is the user's residence.

Anemone Investment Group is using a two-step verification process (user's password combined with an OTP sent via SMS) to allow remote access to its secure file server. It is 2:00 A.M. on a Saturday, and one of their employees realizes his personal e-mail account has been compromised. He is using the same compromised credentials to access Anemone Investment Group's network remotely. The IT team only works Monday through Friday. How should he proceed? A. Call the company CEO and report the issue. B. Immediately drive to the office and change their password. C. Send an e-mail to the IT team and follow up with them on Monday morning. D. Delete their personal e-mail account.

C. One of the greatest advantages of using a two-factor authentication scheme is that even if the user's password is compromised, the attacker would still need an OTP (which in this case he can only get if he obtains the user's mobile phone) to access the account. Based on that, the user can safely notify the IT team via e-mail at the time he was made aware of the issue and be diligent and follow up with them as soon as they are available.

Which of these combinations provides the strongest and most accurate authentication? A. Username, cognitive password, PIN B. Dynamic password, fingerprint C. Retina scan, OTP D. Symantec's VIP Access, Google Authenticator

C. Using a retina scan and OTP (one-time password) entails that a two-factor authentication system is in place (combining "something you are" and "something you have"). If you take a look at the other answers, A and D only use one factor (as explained later on). However, B also mentions two factors of authentication being in place: a dynamic password (which is another way of describing OTP) and a fingerprint. Note that a retina scan is considered one of the most accurate biometric authentication types and is certainly more accurate than a fingerprint, thus making it the best option.

Danny attempts to enter his credentials in order to log in to his corporate laptop. After entering a wrong password three times, he is unable to enter any credentials again. What is the most likely reason? A. Maximum password age. B. Password history. C. Account has been deleted. D. Account has been locked out

D. After entering a wrong password three times, Danny's account most likely was locked out in order to prevent a brute-force attack from taking place.

Fine Investments Bank has a partnership with Gradie Security to share resources in order for the latter to manage their firewalls. They aim to exchange a lot of network documentation via a web-based portal, which will only be accessible by Gradie Security. This is an example of a(n): A. DMZ B. PAN C. Intranet D. Extranet

D. An extranet is a network that uses the Internet to host resources and would be the best way for Fine Investments Bank to provide documentation and other internal information to Gradie Security.

Mesquite Investment Group wants to allow their employees to browse Facebook only after their workday finishes. Which of these attributes is best to use? A. Location B. Group membership C. Remote access D. Temporal

D. Assuming that the working day runs from 9:00 A.M. to 5:00 P.M., then Mesquite Investment Group wants to only allow Facebook usage out of those hours, which is something that can easily be done using the temporal attribute.