CISSP PRACTICE TESTS Chapter 5 ▪Identity and Access Management (Domain 5)
45. What solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagrams? A. An awareness campaign about trusted third parties B. TLS C. Handling redirects at the local site D. Implementing an IPS to capture SSO redirect attacks
A. An awareness campaign about trusted third parties
76. The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as "Which of the following streets did you live on in 2007?" What process is Susan's organization using? A. Identity proofing B. Password verification C. Authenticating with a Type 2 authentication factor D. Out-of-band identity proofing
A. Identity proofing
23. What is the best way to provide accountability for the use of identities? A. Logging B. Authorization C. Digital signatures D. Type 1 authentication
A. Logging
40. When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR? A. When security is more important than usability B. When false rejection is not a concern due to data quality C. When the CER of the system is not known D. When the CER of the system is very high
A. When security is more important than usability
73. Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that? A. Kerberos B. OAuth C. OpenID D. LDAP
B. OAuth
82. Which of the following is not an access control layer? A. Physical B. Policy C. Administrative D. Technical
B. Policy
92. RAID-5 is an example of what type of control? A. Administrative B. Recovery C. Compensation D. Logical
B. Recovery
52. When Chris verifies an individual's identity and adds a unique identifier like a user ID to an identity system, what process has occurred? A. Identity proofing B. Registration C. Directory management D. Session management
B. Registration
88. What LDAP authentication mode can provide secure authentication? A. Anonymous B. SASL C. Simple D. S-LDAP
B. SASL
67. Which system or systems is/are responsible for user authentication for Google+ users? A. The e-commerce application B. Both the e-commerce application and Google servers C. Google servers D. The diagram does not provide enough information to determine this.
C. Google servers
75. Lauren is an information security analyst tasked with deploying technical access controls. Which of the following is not a logical or technical control? A. Passwords B. Firewalls C. RAID arrays D. Routers
C. RAID arrays
48. Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface? A. SAML B. SOAP C. SPML D. XACML
C. SPML
83. Ben uses a software-based token that changes its code every minute. What type of token is he using? A. Asynchronous B. Smart card C. Synchronous D. Static
C. Synchronous
54. The X.500 standards cover what type of important identity systems? A. Kerberos B. Provisioning services C. Biometric authentication systems D. Directory services
D. Directory services
21. Mandatory access control is based on what type of model? A. Discretionary B. Group based C. Lattice based D. Rule based
C. Lattice based
80. The security administrators at the company that Susan works for have configured the workstation she uses to allow her to log in only during her work hours. What type of access control best describes this limitation? A. Constrained interface B. Context-dependent control C. Content-dependent control D. Least privilege
B. Context-dependent control
9. What major issue often results from decentralized access control? A. Access outages may occur. B. Control is not consistent. C. Control is too granular. D. Training costs are high.
B. Control is not consistent
84. What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token? A. Asynchronous B. Smart card C. Synchronous D. RFID
A. Asynchronous
98. Which of the following types of access controls do not describe a lock? A. Physical B. Directive C. Preventative D. Deterrent
B. Directive
29. Which of the following is not part of a Kerberos authentication system? A. KDC B. TGT C. AS D. TS
D. TS
25. Biba is what type of access control model? A. MAC B. DAC C. Role BAC D. ABAC
A. MAC
37. Dogs, guards, and fences are all common examples of what type of control? A. Detective B. Recovery C. Administrative D. Physical
D. Physical
64. In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS? A. A TGT B. An AS C. The SS D. A session key
A. A TGT
39. What is the stored sample of a biometric factor called? A. A reference template B. A token store C. A biometric password D. An enrollment artifact
A. A reference template
24. Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights? A. Re-provisioning B. Account review C. Privilege creep D. Account revocation
B. Account review
86. At point B, what problem is likely to occur? A. False acceptance will be very high. B. False rejection will be very high. C. False rejection will be very low. D. False acceptance will be very low.
A. False acceptance will be very high
91. Jim is implementing a cloud identity solution for his organization. What type of technology is he putting in place? A. Identity as a Service B. Employer ID as a Service C. Cloud-based RADIUS D. OAuth
A. Identity as a Service
57. By default, in what format does OpenLDAP store the value of the userPassword attribute? A. In the clear B. Salted and hashed C. MD5 hashed D. Encrypted using AES256 encryption
A. In the clear
53. Jim configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636. What does this indicate to Jim about the configuration of the LDAP server? A. It requires connections over SSL/TLS. B. It supports only unencrypted connections. C. It provides global catalog services. D. It does not provide global catalog services.
A. It requires connections over SSL/TLS.
69. Questions like "What is your pet's name?" are examples of what type of identity proofing? A. Knowledge-based authentication B. Dynamic knowledge-based authentication C. Out-of-band identity proofing D. A Type 3 authentication factor
A. Knowledge-based authentication
27. What type of access control is being used in the following permission listing?
Storage Device X
User 1: Can read, write, list
User 2: Can read, list
User 3: Can read, write, list, delete
User 4: Can list
A. Resource-based access controls B. Role-based access controls C. Mandatory access controls D. Rule-based access controls
A. Resource-based access controls
20. Jacob is planning his organization's biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization? A. Retina scans can reveal information about medical conditions. B. Retina scans are painful because they require a puff of air in the user's eye. C. Retina scanners are the most expensive type of biometric device. D. Retina scanners have a high false positive rate and will cause support issues.
A. Retina scans can reveal information about medical conditions.
97. Kerberos, KryptoKnight, and SESAME are all examples of what type of system? A. SSO B. PKI C. CMS D. Directory
A. SSO
95. LDAP distinguished names (DNs) are made up of comma-separated components called relative distinguished names (RDNs) that have an attribute name and a value. DNs become less specific as they progress from left to right. Which of the following LDAP DNs best fits this rule? A. uid=ben,ou=sales,dc=example,dc=com B. uid=ben,dc=com,dc=example C. dc=com,dc=example,ou=sales,uid=ben D. ou=sales,dc=com,dc=example
A. uid=ben,ou=sales,dc=example,dc=com
41. Susan is working to improve the strength of her organization's passwords by changing the password policy. The password system that she is using allows upper- and lowercase letters as well as numbers but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create? A. 26 times more complex B. 62 times more complex C. 36 times more complex D. 2^62 times more complex
B. 62 times more complex
87. What should Ben do if the FAR and FRR shown in this diagram do not provide an acceptable performance level for his organization's needs? A. Adjust the sensitivity of the biometric devices. B. Assess other biometric systems to compare them. C. Move the CER. D. Adjust the FRR settings in software.
B. Assess other biometric systems to compare them.
68. What type of attack is the creation and exchange of state tokens intended to prevent? A. XSS B. CSRF C. SQL injection D. XACML
B. CSRF
46. Susan has been asked to recommend whether her organization should use a mandatory access control scheme or a discretionary access control scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why? A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority
B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
50. Google's identity integration with a variety of organizations and applications across domains is an example of which of the following? A. PKI B. Federation C. Single sign-on D. Provisioning
B. Federation
36. When a subject claims an identity, what process is occurring? A. Login B. Identification C. Authorization D. Token presentation
B. Identification
44. If Alex's organization is one that is primarily made up of offsite, traveling users, what availability risk does integration of critical business applications to onsite authentication create and how could he solve it? A. Third-party integration may not be trustworthy; use SSL and digital signatures. B. If the home organization is offline, traveling users won't be able to access third-party applications; implement a hybrid cloud/local authentication system. C. Local users may not be properly redirected to the third-party services; implement a local gateway. D. Browsers may not properly redirect; host files to ensure that issues with redirects are resolved.
B. If the home organization is offline, traveling users won't be able to access third-party applications; implement a hybrid cloud/local authentication system.
38. Susan's organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute force attacks? A. Change maximum age from 1 year to 180 days. B. Increase the minimum password length from 8 characters to 16 characters. C. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required. D. Retain a password history of at least four passwords to prevent reuse.
B. Increase the minimum password length from 8 characters to 16 characters.
19. What tasks must the client perform before it can use the TGT? A. It must generate a hash of the TGT and decrypt the symmetric key. B. It must install the TGT and decrypt the symmetric key. C. It must decrypt the TGT and the symmetric key. D. It must send a valid response using the symmetric key to the KDC and must install the TGT.
B. It must install the TGT and decrypt the symmetric key.
90. What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider? A. It may cause incorrect selection of the proper OpenID provider. B. It creates the possibility of a phishing attack by sending data to a fake OpenID provider. C. The relying party may be able to steal the client's username and password. D. The relying party may not send a signed assertion.
B. It creates the possibility of a phishing attack by sending data to a fake OpenID provider.
99. What authentication protocol does Windows use by default for Active Directory systems? A. RADIUS B. Kerberos C. OAuth D. TACACS+
B. Kerberos
6. Which of the following items are not commonly associated with restricted interfaces? A. Shells B. Keyboards C. Menus D. Database views
B. Keyboards
55. Microsoft's Active Directory Domain Services is based on which of the following technologies? A. RADIUS B. LDAP C. SSO D. PKI
B. LDAP
32. Which of the following is not a common threat to access control mechanisms? A. Fake login pages B. Phishing C. Dictionary attacks D. Man-in-the-middle attacks
B. Phishing
33. What term describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order for normal function? A. Collisions B. Race conditions C. Determinism D. Out-of-order execution
B. Race conditions
59. What type of access control is typically used by firewalls? A. Discretionary access controls B. Rule-based access controls C. Task-based access control D. Mandatory access controls
B. Rule-based access controls
74. Ben's organization has had issues with unauthorized access to applications and workstations during the lunch hour when employees aren't at their desks. What is the best type of session management solution for Ben to recommend to help prevent this type of access? A. Use session IDs for all access and verify system IP addresses of all workstations. B. Set session time-outs for applications and use password-protected screensavers with inactivity time-outs on workstations. C. Use session IDs for all applications, and use password-protected screensavers with inactivity time-outs on workstations. D. Set session time-outs for applications and verify system IP addresses of all workstations.
B. Set session time-outs for applications and use password-protected screensavers with inactivity time-outs on workstations.
10. Callback to a home phone number is an example of what type of factor? A. Type 1 B. Somewhere you are C. Type 3 D. Geographic
B. Somewhere you are
12. Which of the following AAA protocols is the most commonly used? A. TACACS B. TACACS+ C. XTACACS D. Super TACACS
B. TACACS+
42. Which pair of the following factors is key for user acceptance of a biometric identification system? A. The FAR B. The throughput rate and the time required to enroll C. The CER and the ERR D. How often users must reenroll and the reference profile requirements
B. The throughput rate and the time required to enroll
58. A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer's account. What type of biometric factor error occurred? A. A registration error B. A Type 1 error C. A Type 2 error D. A time of use, method of use error
C. A Type 2 error
5. If Susan's organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct types of factor has she used? A. One B. Two C. Three D. Four
B. Two
2. Jim's organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim's company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company's onsite identity needs? A. Integrate onsite systems using OAuth. B. Use an on-premise third-party identity service. C. Integrate onsite systems using SAML. D. Design an in-house solution to handle the organization's unique needs.
B. Use an on-premise third-party identity service.
1. Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access? A. An access control list B. An implicit denial list C. A capability table D. A rights management matrix
C. A capability table
7. During a log review, Saria discovers a series of logs that show login failures as shown here:
Jan 31 11:39:12 ip-10-0-0-2 sshd[29098]: Invalid user admin from remotehost passwd=orange
Jan 31 11:39:2] ip-10-0-0-2 sshd[2909]: Invalid user admin from remotehost passwd=Orang3
Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from remotehost passwd=Orange93
Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from remotehost passwd=Orangutan1
Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin from remotehost passwd=Orangemonkey
What type of attack has Saria discovered? A. A brute force attack B. A man-in-the-middle attack C. A dictionary attack D. A rainbow table attack
C. A dictionary attack
49. During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords? A. A brute force attack B. A pass-the-hash attack C. A rainbow table attack D. A salt recovery attack
C. A rainbow table attack
77. The US government CAC is an example of what form of Type 2 authentication factor? A. A token B. A biometric identifier C. A smart card D. A PIV
C. A smart card
61. Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-stripe-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen's best option to make sure that the users of passcards are who they are supposed to be? A. Add a reader that requires a PIN for passcard users. B. Add a camera system to the facility to observe who is accessing servers. C. Add a biometric factor. D. Replace the magnetic stripe keycards with smart cards.
C. Add a biometric factor.
65. Which objects and subjects have a label in a MAC model? A. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label. B. All objects have a label, and all subjects have a compartment. C. All objects and subjects have a label. D. All subjects have a label and all objects have a compartment.
C. All objects and subjects have a label
70. Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using? A. A capability table B. An access control list C. An access control matrix D. A subject/object rights management system
C. An access control matrix
18. At point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid? A. An encrypted TGT and a public key B. An access ticket and a public key C. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user's password D. An encrypted, time-stamped TGT and an access token
C. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user's password
60. When you input a user ID and password, you are performing what important identity and access management activity? A. Authorization B. Validation C. Authentication D. Login
C. Authentication
3. Which of the following is not a weakness in Kerberos? A. The KDC is a single point of failure. B. Compromise of the KDC would allow attackers to impersonate any user. C. Authentication information is not encrypted. D. It is susceptible to password guessing.
C. Authentication information is not encrypted.
14. As seen in the following image, a user on a Windows system is not able to use the "Send Message" functionality. What access control model best describes this type of limitation? Refer to page 96 in book. A. Least privilege B. Need to know C. Constrained interface D. Separation of duties
C. Constrained interface
34. What type of access control scheme is shown in the following table?
Highly Sensitive: Red, Blue, Green
Confidential: Purple, Orange, Yellow
Internal Use: Black, Gray, White
Public: Clear, Clear, Clear
A. RBAC B. DAC C. MAC D. TBAC
C. MAC
72. Brian's large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS? A. Use the built-in encryption in RADIUS. B. Implement RADIUS over its native UDP using TLS for protection. C. Implement RADIUS over TCP using TLS for protection. D. Use an AES256 pre-shared cipher between devices.
C. Implement RADIUS over TCP using TLS for protection.
Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integrations and security architecture design, answer questions 43, 44, and 45. Refer to page 102 in book. 43. Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks? A. Use SAML's secure mode to provide secure authentication. B. Implement TLS using a strong cipher suite, which will protect against both types of attacks. C. Implement TLS using a strong cipher suite and use digital signatures. D. Implement TLS using a strong cipher suite and message hashing.
C. Implement TLS using a strong cipher suite and use digital signatures.
22. Which of the following is not a type of attack used against access controls? A. Dictionary attack B. Brute force attack C. Teardrop D. Man-in-the-middle attack
C. Teardrop
78. What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API? A. SAML B. Shibboleth C. OpenID Connect D. Higgins
C. OpenID Connect
89. Which of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors? A. Voice pattern recognition B. Hand geometry C. Palm scans D. Heart/pulse patterns
C. Palm scans
31. Alex has been employed by his company for over a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications due to his former roles. What issue has Alex's company encountered? A. Excessive provisioning B. Unauthorized access C. Privilege creep D. Account review
C. Privilege creep
26. Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server? A. Kerberos B. EAP C. RADIUS D. OAuth
C. RADIUS
79. Jim has Secret clearance and is accessing files that use a mandatory access control scheme to apply the Top Secret, Secret, Confidential, and Unclassified label scheme. If his rights include the ability to access all data of his clearance level or lower, what classification levels of data can he access? A. Top Secret and Secret B. Secret, Confidential, and Unclassified C. Secret data only D. Secret and Unclassified
C. Secret data only
100. Alex configures his LDAP server to provide services on 636 and 3269. What type of LDAP services has he configured based on LDAP's default ports? A. Unsecure LDAP and unsecure global directory B. Unsecure LDAP and secure global directory C. Secure LDAP and secure global directory D. Secure LDAP and unsecure global directory
C. Secure LDAP and secure global directory
71. During a review of support incidents, Ben's organization discovered that password changes accounted for more than a quarter of its help desk's cases. Which of the following options would be most likely to decrease that number significantly? A. Two-factor authentication B. Biometric authentication C. Self-service password reset D. Passphrases
C. Self-service password reset
47. Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization's security policy is being followed? A. Log review B. Manual review of permissions C. Signature-based detection D. Review of the audit trail
C. Signature-based detection
Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart, answer questions 85, 86, and 87 about the organization's adoption of the technology. Refer to page 111 in book. 85. Ben's company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity? A. The FRR crossover B. The FAR point C. The CER D. The CFR
C. The CER
4. Voice pattern recognition is what type of authentication factor? A. Type 1 B. Type 2 C. Type 3 D. Type 4
C. Type 3
81. When Lauren uses a fingerprint scanner to access her bank account, what type of authentication factor is she using? A. Type 1 B. Type 2 C. Type 3 D. Type 4
C. Type 3
28. Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor and what traffic will she be able to read? A. UDP, none. All RADIUS traffic is encrypted. B. TCP, all traffic but the passwords, which are encrypted C. UDP, all traffic but the passwords, which are encrypted D. TCP, none. All RADIUS traffic is encrypted.
C. UDP, all traffic but the passwords, which are encrypted
56. Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities? A. Require users to create unique questions that only they will know. B. Require new users to bring their driver's license or passport in person to the bank. C. Use information that both the bank and the user have such as questions pulled from their credit report. D. Call the user on their registered phone number to verify that they are who they claim to be.
C. Use information that both the bank and the user have such as questions pulled from their credit report.
35. Which of the following is not a valid LDAP DN (distinguished name)? A. cn=ben+ou=sales B. ou=example C. cn=ben,ou=example; D. ou=example,dc=example,dc=com+dc=org
C. cn=ben,ou=example;
11. Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create? A. A shortcut trust B. A forest trust C. An external trust D. A realm trust
D. A realm trust
Using your knowledge of the Kerberos logon process and the following diagram, answer questions 17, 18, and 19. Refer to page 97 in book. Diagram: at point A, the client workstation sends to the KDC; at point B, the KDC sends to the client workstation; at point C, the client workstation sends to the service. 17. At point A in the diagram, the client sends the username and password to the KDC. How are the username and password protected? A. 3DES encryption B. TLS encryption C. SSL encryption D. AES encryption
D. AES encryption
63. What type of access control is composed of policies and procedures that support regulations, requirements, and the organization's own policies? A. Corrective B. Logical C. Compensating D. Administrative
D. Administrative
30. When an application or system allows a logged-in user to perform specific actions, it is an example of what? A. Roles B. Group management C. Logins D. Authorization
D. Authorization
8. What type of attack can be prevented by using a trusted path? A. Dictionary attacks B. Brute force attacks C. Man-in-the-middle attacks D. Login spoofing
D. Login spoofing
94. What open protocol was designed to replace RADIUS, including support for additional commands and protocols, replacing UDP traffic with TCP, and providing for extensible commands, but does not preserve backward compatibility with RADIUS? A. TACACS B. RADIUS-NG C. Kerberos D. Diameter
D. Diameter
15. What type of access controls allow the owner of a file to grant other users access to it using an access control list? A. Role based B. Non-discretionary C. Rule based D. Discretionary
D. Discretionary
93. When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?
$ chmod 731 alex.txt
$ ls -la
total 12
drwxr-xr-x 2 alex root 4096 Feb 27 19:26 .
drwxr-xr-x 3 root 4096 Feb 27 19:25 ..
-rwx-wx--x 1 alex 15 Feb 27 19:26 alex.txt
$
A. Role-based access control B. Rule-based access control C. Mandatory access control D. Discretionary access control
D. Discretionary access control
51. Lauren starts at her new job and finds that she has access to a variety of systems that she does not need access to accomplish her job. What problem has she encountered? A. Privilege creep B. Rights collision C. Least privilege D. Excessive privileges
D. Excessive privileges
62. Which of the following is a ticket-based authentication protocol designed to provide secure communication? A. RADIUS B. OAuth C. SAML D. Kerberos
D. Kerberos
16. Alex's job requires him to see personal health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control? A. Separation of duties B. Constrained interfaces C. Context-dependent control D. Need to know
D. Need to know
13. Which of the following is not a single sign-on implementation? A. Kerberos B. ADFS C. CAS D. RADIUS
D. RADIUS
Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and password of their choice. Using this information and the following diagram of an example authentication flow, answer questions 66, 67, and 68. Refer to page 107 in book. 66. When the e-commerce application creates an account for a Google+ user, where should that user's password be stored? A. The password is stored in the e-commerce application's database. B. The password is stored in memory on the e-commerce application's server. C. The password is stored in Google's account management system. D. The password is never stored; instead, a salted hash is stored in Google's account management system.
D. The password is never stored; instead, a salted hash is stored in Google's account management system.
96. Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue? A. The Kerberos server is offline. B. There is a protocol mismatch. C. dc=com, dc=example,ou=sales,uid=ben D. ou=sales,dc=com,dc=example
D. ou=sales,dc=com,dc=example
