Domain 1: Access Controls
What access management concept defines what rights or privileges a user has? A. Identification B. Accountability C. Authorization D. Authentication
B. Authorization Explanation: Authorization defines what a subject can or can't do. Identification occurs when a subject claims an identity, accountability is provided by the logs and audit trail that track what occurs on a system, and authorization occurs when that identity is validated.
The U.S. government CAC is an example of what form of Type 2 authentication factor? A. A token B. A biometric identifier C. A smart card D. A PIV
C. A smart card Explanation: The U.S. government's Common Access Card is a smart card. The U.S. government also issues PIV cards, or personal identity verification cards.
Ben's company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity? A. The FRR crossover B. The FAR point C. The CER D. The CFR
C. The CER Explanation: The crossover error rate is the point where false acceptance rate and false rejection rate cross over and is a standard assessment used to compare the accuracy of biometric devices.
Kelly is adjusting her organization's password requirements to make them consistent with best practice guidance from NIST. What should she choose as the most appropriate time period for password expiration? A. 30 days B. 90 days C. 180 days D. No expiration
D. No expiration Explanation: Current best practice guidance from NIST, published in NIST Special Publication 800-63b, suggests that organizations should not impose password expiration requirements on end users.
What type of access control is typically used by firewalls? A. Discretionary access controls B. Rule-based access controls C. Task-based access control D. Mandatory access controls
Rule-based access controls Explanation: Firewalls use rule-based access control in their access control lists and apply rules created by administrators to all traffic that passes through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.
When you input a user ID and password, you are performing what important identity and access management activity? A. Authorization B. Validation C. Authentication D. Login
A. Authentication Explanation: When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren't the most important identity and access management activity.
MAC models use three types of environments. Which of the following is not a mandatory access control design? A. Hierarchical B. Bracketed C. Compartmentalized D. Hybrid
A. Hierarchical Explanation: Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.
Jim wants to allow a partner organization's Active Directory forest (B) to access his domain forest's (A)'s resources but doesn't want to allow users in his domain to access B's resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do? A. Set up a two-way transitive trust. B. Set up a one-way transitive trust. C. Set up a one-way nontransitive trust. D. Set up a two-way nontransitive trust
C. Setup one-way non transitive trust Explanation: A trust that allows one forest to access another's resources without the reverse being possible is an example of a one-way trust. Since Jim doesn't want the trust path to flow as the domain tree is formed, this trust has to be nontransitive.
Match each of the numbered authentication techniques with the appropriate lettered category. Each technique should be matched with exactly one category. Each category may be used once, more than once, or not at all. Authentication technique 1. Password 2. ID card 3. Retinal scan 4. Smartphone token 5. Fingerprint analysis Category A. Something you have B. Something you know C. Something you are
1. B 2. A 3. C 4. A 5. C
Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky's login attempt? A. Ricky B. VPN C. Remote file server D. Files contained on the remote server
A. Ricky Explanation: In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Ricky is requesting access to the VPN (the object of the request) and is, therefore, the subject.
Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization's security policy is being followed? A. Log review B. Manual review of permissions C. Signature-based detection D. Review the audit trail
C. Signature-based detection Explanation: While signature-based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.
When a subject claims an identity, what process is occurring? A. Login B. Identification C. Authorization D. Token presentation
B. Identification Explanation: The process of a subject claiming or professing an identity is known as identification. Authorization verifies the identity of a subject by checking a factor such as a password. Logins typically include both identification and authorization, and token presentation is a type of authentication.
What is the primary advantage of decentralized access control? A. It provides better redundancy. B. It provides control of access to people closer to the resources. C. It is less expensive. D. It provides more granular control of access
B. It provides control of access to people closer to the resources Explanation: Decentralized access control empowers people closer to the resources to control access but does not provide consistent control. It does not provide redundancy, since it merely moves control points, the cost of access control depends on its implementation and methods, and granularity can be achieved in both centralized and decentralized models.
Which one of the following is an example of a nondiscretionary access control system? A. File ACLs B. MAC C. DAC D. Visitor list
B. MAC address Explanation: A mandatory access control (MAC) scheme is an example of a nondiscretionary approach to access control, as the owner of objects does not have the ability to set permissions on those objects. It is possible for a visitor list or file ACLs to be configured using a nondiscretionary scheme, but these approaches can also be configured as discretionary access control (DAC) implementations.
Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that? A. Kerberos B. OAuth C. OpenID D. LDAP
B. OAuth Explanation: OAuth provides the ability to access resources from another service and would meet Jim's needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.
Files, databases, computers, programs, processes, devices, and media are all examples of what? A. Subjects B. Objects C. File stores D. Users
B. Objects Explanation: All of these are objects. Although some of these items can be subjects, files, databases, and storage media can't be. Processes and programs aren't file stores, and of course none of these is a user.
After 10 years working in her organization, Cassandra is moving into her fourth role, this time as a manager in the accounting department. What issue is likely to show up during an account review if her organization does not have strong account maintenance practices? A. An issue with least privilege B. Privilege creep C. Account creep D. Account termination
B. Privilege Creep Explanation: Privilege creep is a common problem when employees change roles over time and their privileges and permissions are not properly modified to reflect their new roles. Least privilege issues are a design or implementation problem, and switching roles isn't typically what causes them to occur. Account creep is not a common industry term, and account termination would imply that someone has removed her account instead of switching her to new groups or new roles.
As part of hiring a new employee, Kathleen's identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called? A. Registration B. Provisioning C. Population D. Authenticator loading
B. Provisioning Explanation: Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.
Mandatory access control is based on what type of model? A. Discretionary B. Group-based C. Lattice-based D. Rule-based
C . Lattice-based Explanation: Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group-based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to
Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, several servers have been stolen, but the logs for the pass cards show only valid IDs. What is Kathleen's best option to make sure that the users of the pass cards are who they are supposed to be? A. Add a reader that requires a PIN for passcard users. B. Add a camera system to the facility to observe who is accessing servers. C. Add a biometric factor. D. Replace the magnetic stripe keycards with smartcards.
C. Add a biometric factor Explanation: Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or "something you have." Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: A PIN can be stolen. Adding cameras doesn't prevent access to the facility and thus doesn't solve the immediate problem (but it is a good idea!).
What access control system lets owners decide who has access to the objects they own? A. Role-based access control B. Task-based access control C. Discretionary access control D. Rule-based access control
C. Discretionary access control Explanation: Discretionary access control gives owners the right to decide who has access to the objects they own. Role-based access control uses administrators to make that decision for roles or groups of people with a role, task-based access control uses lists of tasks for each user, and rule-based access control applies a set of rules to all subjects.
Gabe is concerned about the security of passwords used as a cornerstone of his organization's information security program. Which one of the following controls would provide the greatest improvement in Gabe's ability to authenticate users? A. More complex passwords B. User education against social engineering C. Multifactor authentication D. Addition of security questions based on personal knowledge
C. Multifactor authentication Explanation: While all of the listed controls would improve authentication security, most simply strengthen the use of knowledge-based authentication. The best way to improve the authentication process would be to add a factor not based on knowledge through the use of multifactor authentication. This may include the use of biometric controls or token-based authentication.
Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt? A. Kerberos B. LDAP C. OpenID D. SESAME
C. OpenID Explanation: OpenID is a widely supported standard that allows a user to use a single account to log into multiple sites, and Google accounts are frequently used with OpenID.
During a review of support incidents, Ben's organization discovered that password changes accounted for more than a quarter of its help desk's cases. Which of the following options would be most likely to decrease that number significantly? A. Two-factor authentication B. Biometric authentication C. Self-service password reset D. Passphrases
C. Self-service password reset Explanation: Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has. Two-factor and biometric authentication both add additional complexity and may actually increase the number of contacts. Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don't have the same impact that a self-service system does.
Ben uses a software-based token that changes its code every minute. What type of token is he using? A. Asynchronous B. Smart card C. Synchronous D. Static
C. Synchronous Explanation: Synchronous soft tokens, such as Google Authenticator, use a time-based algorithm that generates a constantly changing series of codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smartcards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.
When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging? A. Role-based access control B. Rule-based access control C. Mandatory access control (MAC) D. Discretionary access control (DAC)
D. Discretionary access control Explanation: The Linux filesystem allows the owners of objects to determine the access rights that subjects have to them. This means that it is a discretionary access control. If the system enforced a role-based access control, Alex wouldn't set the controls; they would be set based on the roles assigned to each subject. A rule-based access control system would apply rules throughout the system, and a mandatory access control system uses classification labels.
What term is used to describe the default set of privileges assigned to a user when a new account is created? A. Aggregation B. Transitivity C. Baseline D. Entitlement
D. Entitlement Explanation: Entitlement refers to the privileges granted to users when an account is first provisioned. Aggregation is the accumulation of privileges over time. Transitivity is the inheritance of privileges and trust through relationships. Baselines are snapshots of a system or application's security that allow analysts to detect future modifications.
Norma is helping her organization create a specialized network designed for vendors that need to connect to Norma's organization's network to process invoices and upload inventory. This network should be segmented from the rest of the corporate network but have a much higher degree of access than the general public. What type of network is Norma building? A. Internet B. Intranet C. Outranet D. Extranet
D. Extranet Explanation: The purpose of an extranet is to allow outside organizations that are business partners to access limited resources on the corporate network. That describes the situation in this scenario, so Norma is building an extranet.
In Luke's company, users change job positions on a regular basis. Luke would like the company's access control system to make it easy for administrators to adjust permissions when these changes occur. Which model of access control is best suited for Luke's needs? A. Mandatory access control B. Discretionary access control C. Rule-based access control D. Role-based access control
D. Role-based access control Explanation: Role-based access control would be an excellent solution for Luke's requirements. Administrators would assign permissions to roles and then simply adjust the role of a user when he or she changes jobs, rather than changing all of the individual permissions.
What type of token-based authentication system uses a challenge/response process in which the challenge must be entered on the token? A. Asynchronous B. Smart card C. Synchronous D. RFID
A. Asynchronous Explanation: Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired with readers and don't need to have challenges entered, and RFID devices are not used for challenge/response tokens.
What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains? A. Transitive trust B. Inheritable trust C. Nontransitive trust D. Noninheritable trust
A. Transitive trust Explanation: Transitive trusts go beyond the two domains directly involved in the trust relationship and extend to their subdomains. Nontransitive trusts are not inheritable to other domains. The terms inheritable trust and noninheritable trust are not normally used.
Adam recently configured permissions on an NTFS filesystem to describe the access that different users may have to a file by listing each user individually. What did Adam create? A. An access control list B. An access control entry C. Role-based access control D. Mandatory access control
A. An access control list Explanation: Adam created a list of individual users that may access the file. This is an access control list, which consists of multiple access control entries. It includes the names of users, so it is not role-based, and Adam was able to modify the list, so it is not mandatory access control.
Kaiden is creating an extranet for his organization and is concerned about unauthorized eavesdropping on network communications. Which one of the following technologies can he use to mitigate this risk? A. VPN B. Firewall C. Content filter D. Proxy server
1. VPN Explanation: Kaiden should use a virtual private network (VPN) for all remote connections to the extranet. The VPN will encrypt traffic sent over public networks and protect it from eavesdropping.
The leadership at Susan's company has asked her to implement an access control system that can support rule declarations like "Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m." What type of access control system would be Susan's best choice? A. ABAC B. Rule-based access control (RBAC) C. DAC D. MAC
A. ABAC Explanation: An attribute-based access control (ABAC) system will allow Susan to specify details about subjects, objects, and access, allowing granular control. Although a rule-based access control system (RBAC) might allow this, the attribute-based access control system can be more specific and thus is more flexible. Discretionary access control (DAC) would allow object owners to make decisions, and mandatory access controls (MACs) would use classifications; neither of these capabilities was described in the requirements.
Laura is in the process of logging into a system and she just entered her password. What term best describes this activity? A. Authentication B. Authorization C. Accounting D. Identification
A. Authentication Explanation: Entering a password is an act that proves a user's identity and, therefore, is an authentication step. Laura likely already identified herself by providing her username or performing a similar identification function. Authorization occurs after authentication when the system determines what actions Laura is allowed to take. Accounting occurs when the system logs Laura's activity.
Lauren's team of system administrators each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each have. What type of solution should she recommend to ensure that passwords are properly handled and that features such as logging and password rotation occur? A. A credential management system B. A strong password policy C. Separation of duties D. Single sign-on
A. Credential Management system Explanation: Lauren's team would benefit from a credential management system. Credential management systems offer features such as password management, multifactor authentication to retrieve passwords, logging, audit, and password rotation capabilities. A strong password policy would only make maintenance of passwords for many systems a more difficult task if done manually. Single sign-on would help if all of the systems had the same sensitivity levels, but different credentials are normally required for higher-sensitivity systems.
Raul is creating a trust relationship between his company and a vendor. He is implementing the system so that it will allow users from the vendor's organization to access his accounts payable system using the accounts created for them by the vendor. What type of authentication is Raul implementing? A. Federated authentication B. Transitive trust C. Multifactor authentication D. Single sign-on
A. Federated authentication Explanation: This type of authentication, where one domain trusts users from another domain, is called federation. Federation may involve transitive trusts, where the trusts may be followed through a series of domains, but this scenario only describes the use of two domains. The scenario only describes use of credentials for a single system and does not describe a multiple-system scenario where single sign-on would be relevant. There is no requirement described for the use of multifactor authentication, which would require the use of two or more diverse authentication techniques.
The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as "Which of the following streets did you live on in 2007?" What process is Susan's organization using? A. Identity proofing B. Password verification C. Authenticating with Type 2 authentication factor D. Out-of-band identity proofing
A. Identity Proofing Explanation: Verifying information that an individual should know about themselves using third-party factual information (a Type 1 authentication factor) is sometimes known as dynamic knowledge-based authentication and is a type of identity proofing. Out-of-band identity proofing would use another means of contacting the user, such as a text message or phone call, and password verification requires a password.
Questions like "What is your pet's name?" are examples of what type of identity proofing? A. Knowledge-based authentication B. Dynamic knowledge-based authentication C. Out-of-band identity proofing D. A Type 3 authentication factor
A. Knowledge-based authentication Explanation: Knowledge-based authentication relies on preset questions such as "What is your pet's name?" and the answers. It can be susceptible to attacks because of the availability of the answers on social media or other sites. Dynamic knowledge-based authentication relies on facts or data that the user already knows that can be used to create questions they can answer on an as-needed basis (for example, a previous address, or a school they attended). Out-of-band identity proofing relies on an alternate channel like a phone call or text message. Finally, Type 3 authentication factors are biometric, or "something you are," rather than knowledge-based.
Kathleen is implementing an access control system for her organization and builds the following array: Reviewers: update files, delete files Submitters: upload files Editors: upload files, update files Archivists: delete files What type of access control system has Kathleen implemented? A. Role-based access control B. Task-based access control C. Rule-based access control D. Discretionary access control
A. Role-based access control Explanation: Role-based access control gives each user an array of permissions based on their position in the organization, such as the scheme shown here. Task-based access control is not a standard approach. Rule-based access controls use rules that apply to all subjects, which isn't something we see in the list. Discretionary access control gives object owners rights to choose how the objects they own are accessed, which is not what this list shows.
At point B, what problem is likely to occur? A. False acceptance will be very high. B. False rejection will be very high. C. False rejection will be very low. D. False acceptance will be very low
A. The False acceptance rate will be very high Explanation: A. At point B, the false acceptance rate, or FAR, is quite high, while the false rejection rate, or FRR, is relatively low. This may be acceptable in some circumstances, but in organizations where a false acceptance can cause a major problem, it is likely that they should instead choose a point to the right of point A.
What should Ben do if the FAR and FRR shown in this diagram does not provide an acceptable performance level for his organization's needs? A. Adjust the sensitivity of the biometric devices. B. Assess other biometric systems to compare them. C. Move the CER. D. Adjust the FRR settings in software
B. Assess the biometric system to compare them Explanation: CER is a standard used to assess biometric devices. If the CER for this device does not fit the needs of the organization, Ben should assess other biometric systems to find one with a lower CER. Sensitivity is already accounted for in CER charts, and moving the CER isn't something Ben can do. FRR is not a setting in software, so Ben can't use that as an option either.
When Ben lists the files on a Linux system, he sees the set of attributes shown here. The letters rwx indicate different levels of what? A. Identification B. Authorization C. Authentication D. Accountability
B. Authorization Explanation: The permissions granted on files in Linux designate what authorized users can do with those files—read, write, or execute. In the image shown, all users can read, write, and execute index.html, whereas the owner can read, write, and execute example.txt, the group cannot, and everyone can write and execute it.
Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access? A. Credentials and need to know B. Clearance and need to know C. Password and clearance D. Password and biometric scan
B. Clearance and Need to know Explanation: Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user's credentials, such as a password or biometric scan.
Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why? A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority
B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility Explanation: Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control (MAC) system. MAC is more secure because of the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.
Greg is the network administrator for a large stadium that hosts many events throughout the course of the year. They equip ushers with handheld scanners to verify tickets. Ushers turn over frequently and are often hired at the last minute. Scanners are handed out to ushers before each event, but different ushers may use different scanners. Scanners are secured in a locked safe when not in use. What network access control approach would be most effective for this scenario? A. Multifactor authentication B. Device authentication C. Password authentication D. No authentication
B. Device authentication Explanation: Device authentication allows the venue to restrict network access to authorized scanners but does not require individual ushers to sign in to the device. This seems an acceptable level of security for this environment, as the scanners are carefully controlled. Moving to any authentication scheme that requires user authentication would be unwieldy.
Adam is accessing a standalone file server using a username and password provided to him by the server administrator. Which one of the following entities is guaranteed to have information necessary to complete the authorization process? A. Adam B. File server C. Server administrator D. Adam's supervisor
B. File Server Explanation: We know that both Adam and the server administrator have the username and password, but this is information used for identification and authentication, not authorization. We do not know what information Adam's supervisor might have. The server is a standalone file server, so it must have information about the activities that Adam is authorized to perform.
How does single sign-on increase security? A. It decreases the number of accounts required for a subject. B. It helps decrease the likelihood that users will write down their passwords. C. It provides logging for each system that it is connected to. D. It provides better encryption for authentication data.
B. It helps decrease the likelihood that users will write down their passwords Explanation: Studies consistently show that users are more likely to write down passwords if they have more accounts. Central control of a single account is also easier to shut off if something does go wrong. Simply decreasing the number of accounts required for a subject doesn't increase security by itself, and SSO does not guarantee individual system logging, although it should provide central logging of SSO activity. Since an SSO system was not specified, there is no way of determining whether a given SSO system provides better or worse encryption for authentication data.
What access control scheme labels subjects and objects and allows subjects to access objects when the labels match? A. DAC B. MAC C. Rule-based access control (RBAC) D. Role-based access control (RBAC)
B. MAC Explanation: Mandatory access control (MAC) applies labels to subjects and objects and allows subjects to access objects when their labels match. Discretionary access control (DAC) is controlled by the owner of objects, rule-based access control applies rules throughout a system, and role-based access control bases rights on roles, which are often handled as groups of users.
Jack's organization is a government agency that handles very sensitive information. They need to implement an access control system that allows administrators to set access rights but does not allow the delegation of those rights to other users. What is the best type of access control design for Jack's organization? A. Discretionary access control B. Mandatory access control C. Decentralized access control D. Rule-based access control
B. Mandatory access control Explanation: Mandatory access control systems allow an administrator to configure access permissions but do not allow users to delegate permission to others. Discretionary access control systems do allow this delegation. The scenario does not provide information to indicate whether a decentralized or rule-based approach is appropriate.
What term is used to describe the problem that occurs when users change jobs in an organization but never have the access rights associated with their old jobs removed? A. Rights management B. Privilege creep C. Two-person control D. Least privilege
B. Privilege creep Explanation: Privilege creep is the term used to describe the security issue that arises when users move between jobs in an organization and accumulate privileges that are never revoked when no longer necessary. This is a violation of the principle of least privilege.
Ryan would like to implement an access control technology that is likely to both improve security and increase user satisfaction. Which one of the following technologies meets this requirement? A. Mandatory access controls B. Single sign-on C. Multifactor authentication D. Automated deprovisioning
B. Single sign-on Explanation: All of the controls listed here, if properly implemented, have the potential to improve the organization's security posture. However, only single sign-on is likely to improve the user experience by eliminating barriers to authentication across multiple systems. Mandatory access control and multifactor authentication will likely be seen as inconveniences by users, while automated deprovisioning will improve the experience of identity and access management administrators but not affect the end user experience.
Which of the following multifactor authentication technologies provides both low management overhead and flexibility? A. Biometrics B. Software tokens C. Synchronous hardware tokens D. Asynchronous hardware tokens
B. Software tokens Explanation: Software tokens are flexible, with delivery options including mobile applications, SMS, and phone delivery. They have a relatively low administrative overhead, as users can typically self-manage. Biometrics require significant effort to register users and to deploy and maintain infrastructure, and they require hardware at each authentication location. Both types of hardware tokens can require additional overhead for distribution and maintenance, and token failure can cause support challenges.
Wanda is configuring device-based authentication for systems on her network. Which one of the following approaches offers the strongest way to authenticate devices? A. IP address B. MAC address C. Digital certificate D. Password
C. Digital Certificate Explanation: Digital certificates are the strongest device-based access control mechanism listed in this scenario. Administrators may create certificates for each device and tie them to the physical device. Passwords are easily transferred to other devices and are not as strong an approach. IP addresses are easily changed and should not be used. MAC addresses theoretically identify devices uniquely, but it is possible to alter a MAC address, so they should not be relied upon for authentication.
Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access? A. An access control list B. An implicit denial list C. A capability table D. A rights management matrix
C. A capability table Explanation: Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.
Which objects and subjects have a label in a MAC model? A. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label. B. All objects have a label, and all subjects have a compartment. C. All objects and subjects have a label. D. All subjects have a label and all objects have a compartment
C. All objects and subjects have a label Explanation: In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.
When a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this? A. Knowledge-based authentication B. Dynamic knowledge-based authentication C. Out-of-band identity proofing D. Risk-based identity proofing
C. Out-of-band identity proofing Explanation: Identity proofing that relies on a type of verification outside the initial environment that required the verification is out-of-band identity proofing. This type of verification relies on the owner of the phone or phone number having control of it but removes the ability for attackers to use only Internet-based resources to compromise an account. Knowledge-based authentication relies on answers to preselected information, whereas dynamic knowledge-based authentication builds questions using facts or data about the user. Risk-based identity proofing uses risk-based metrics to determine whether identities should be permitted or denied access. It is used to limit fraud in financial transactions, such as credit card purchases. This is a valid form of proofing but does not necessarily use an out-of-band channel, such as SMS.
Which of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors? A. Voice pattern recognition B. Hand geometry C. Palm scans D. Heart/pulse patterns
C. Palm Scans Explanation: Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to uniquely identify between individuals or can be fooled more easily.
Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option? A. HTML B. XACML C. SAML D. SPML
C. SAML Explanation: Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.
A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer's account. What type of biometric factor error occurred? A. A registration error B. A Type 1 error C. A Type 2 error D. A time-of-use, method-of-use error
C. Type 2 error Explanation: Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 2 errors are also known as false positive errors. Type 1 (or false negative) errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error. Registration is the process of adding users, but registration errors and time-of-use, method-of-use errors are not specific biometric authentication terms.
Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator? A. Password B. Retinal scan C. Username D. Token
C. Username Explanation : Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.
Which of the following is a ticket-based authentication protocol designed to provide secure communication? A. RADIUS B. OAuth C. SAML D. Kerberos
D. Kerberos Explanation: Kerberos is an authentication protocol that uses tickets and provides secure communications between the client, key distribution center (KDC), ticket-granting service (TGS), authentication server (AS), and endpoint services. RADIUS does not provide the same level of security by default, SAML is a markup language, and OAuth is designed to allow third-party websites to rely on credentials from other sites like Google or Microsoft.
Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts? A. Read only B. Editor C. Administrator D. No access
D. No access Explanation: The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read-only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.
Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting? A. Informing other employees of the termination B. Retrieving the employee's photo ID C. Calculating the final paycheck D. Revoking electronic access rights
D. Revoking electronic access rights Explanation: Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.
Which one of the following activities is an example of an authorization process? A. User providing a password B. User passing a facial recognition check C. System logging user activity D. System consulting an access control list
D. System consulting an access control list Explanation: Authorization occurs when a system determines whether an authenticated user is permitted to perform an activity, such as by consulting an access control list. Authentication occurs when a user proves his or her identity to a system, such as by providing a password or completing a facial recognition scan. When a system logs user activity, this is an example of accounting.