SSCP


What access control scheme labels subjects and objects and allows subjects to access objects when the labels match? DAC MAC Rule-based access control (RBAC) Role-based access control (RBAC)

MAC Mandatory access control (MAC) applies labels to subjects and objects and allows subjects to access objects when their labels match. Discretionary access control (DAC) is controlled by the owner of objects, rule-based access control applies rules throughout a system, and role-based access control bases rights on roles, which are often handled as groups of users.

Which one of the following security programs is designed to provide employees with the knowledge they need to perform their specific work tasks? Awareness Training Education Indoctrination

Training B. Security training is designed to provide employees with the specific knowledge they need to fulfill their job functions. It is usually designed for individuals with similar job functions.

Ben has been tasked with identifying security controls for systems covered by his organization's information classification system. Why might Ben choose to use a security baseline? It applies in all circumstances, allowing consistent security controls. They are approved by industry standards bodies, preventing liability. They provide a good starting point that can be tailored to organizational needs. They ensure that systems are always in a secure state.

They provide a good starting point that can be tailored to organizational needs. C. Security baselines provide a starting point to scope and tailor security controls to your organization's needs. They aren't always appropriate to specific organizational needs, they cannot ensure that systems are always in a secure state, and they do not prevent liability.

Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator? Password Retinal scan Username Token

Usernames: Usernames are an identification tool. They are not secret, so they are not suitable for use as a password.

Maddox is conducting an information audit for his organization. Which one of the following elements that he discovered is least likely to be classified as PII when used in isolation? Street addresses Item codes Mobile phone numbers Social Security numbers

Item codes

Jim wants to allow a partner organization's Active Directory forest (B) to access his domain forest's (A)'s resources but doesn't want to allow users in his domain to access B's resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do? Set up a two-way transitive trust. Set up a one-way transitive trust. Set up a one-way nontransitive trust. Set up a two-way nontransitive trust.

1-way nontransitive trust A trust that allows one forest to access another's resources without the reverse being possible is an example of a one-way trust. Since Jim doesn't want the trust path to flow as the domain tree is formed, this trust has to be nontransitive.

How does single sign-on increase security? It decreases the number of accounts required for a subject. It helps decrease the likelihood that users will write down their passwords. It provides logging for each system that it is connected to. It provides better encryption for authentication data.

It helps decrease the likelihood that users will write down their passwords. Studies consistently show that users are more likely to write down passwords if they have more accounts. Central control of a single account is also easier to shut off if something does go wrong. Simply decreasing the number of accounts required for a subject doesn't increase security by itself, and SSO does not guarantee individual system logging, although it should provide central logging of SSO activity. Since an SSO system was not specified, there is no way of determining whether a given SSO system provides better or worse encryption for authentication data.

What principle of information security states that an organization should implement overlapping security controls whenever possible? Least privilege Separation of duties Defense in depth Security through obscurity

Defense in Depth C. Defense in depth states that organizations should have overlapping security controls designed to meet the same security objectives whenever possible. This approach provides security in the event of a single control failure.

The leadership at Susan's company has asked her to implement an access control system that can support rule declarations like "Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m." What type of access control system would be Susan's best choice? ABAC Rule-based access control (RBAC) DAC MAC

ABAC: An attribute-based access control (ABAC) system will allow Susan to specify details about subjects, objects, and access, allowing granular control. Although a rule-based access control system (RBAC) might allow this, the attribute-based access control system can be more specific and thus is more flexible. Discretionary access control (DAC) would allow object owners to make decisions, and mandatory access controls (MACs) would use classifications; neither of these capabilities was described in the requirements.

Adam recently configured permissions on an NTFS filesystem to describe the access that different users may have to a file by listing each user individually. What did Adam create? An access control list An access control entry Role-based access control Mandatory access control

ACL Adam created a list of individual users that may access the file. This is an access control list, which consists of multiple access control entries. It includes the names of users, so it is not role-based, and Adam was able to modify the list, so it is not mandatory access control.

Laura is in the process of logging into a system and she just entered her password. What term best describes this activity? Authentication Authorization Accounting Identification

Authentication Entering a password is an act that proves a user's identity and, therefore, is an authentication step. Laura likely already identified herself by providing her username or performing a similar identification function. Authorization occurs after authentication when the system determines what actions Laura is allowed to take. Accounting occurs when the system logs Laura's activity.

What access management concept defines what rights or privileges a user has? Identification Accountability Authorization Authentication

Authorization Authorization defines what a subject can or can't do. Identification occurs when a subject claims an identity, accountability is provided by the logs and audit trail that track what occurs on a system, and authentication occurs when that identity is validated.

Gary is implementing a new website architecture that uses multiple small web servers behind a load balancer. What principle of information security is Gary seeking to enforce? Denial Confidentiality Integrity Availability

Availability D. Keeping a server up and running is an example of an availability control because it increases the likelihood that a server will remain available to answer user requests.

What is the primary advantage of decentralized access control? It provides better redundancy. It provides control of access to people closer to the resources. It is less expensive.

It provides control of access to people closer to the resources: Decentralized access control empowers people closer to the resources to control access but does not provide consistent control. It does not provide redundancy, since it merely moves control points, the cost of access control depends on its implementation and methods, and granularity can be achieved in both centralized and decentralized models.

Which of the following is a ticket-based authentication protocol designed to provide secure communication? RADIUS OAuth SAML Kerberos

Kerberos Kerberos is an authentication protocol that uses tickets and provides secure communications between the client, key distribution center (KDC), ticket-granting service (TGS), authentication server (AS), and endpoint services. RADIUS does not provide the same level of security by default, SAML is a markup language, and OAuth is designed to allow third-party websites to rely on credentials from other sites like Google or Microsoft.

Juan is retrofitting an existing door to his facility to include a lock with automation capabilities. Which one of the following types of lock is easiest to install as a retrofit to the existing door? Mantrap Electric lock Magnetic lock Turnstile

Magnetic lock C. A magnetic lock may usually be retrofitted to an existing door with a minimum of effort. Installing an electric lock usually requires replacing the entire door. Mantraps and turnstiles will require significant renovation projects.

Wanda is configuring device-based authentication for systems on her network. Which one of the following approaches offers the strongest way to authenticate devices? IP address MAC address Digital certificate Password

Digital certificate C. Digital certificates are the strongest device-based access control mechanism listed in this scenario. Administrators may create certificates for each device and tie them to the physical device. Passwords are easily transferred to other devices and are not as strong an approach. IP addresses are easily changed and should not be used. MAC addresses theoretically identify devices uniquely, but it is possible to alter a MAC address, so they should not be relied upon for authentication.

Greg is the network administrator for a large stadium that hosts many events throughout the course of the year. They equip ushers with handheld scanners to verify tickets. Ushers turn over frequently and are often hired at the last minute. Scanners are handed out to ushers before each event, but different ushers may use different scanners. Scanners are secured in a locked safe when not in use. What network access control approach would be most effective for this scenario? 1 Multifactor authentication 2 Device authentication 3 Password authentication 4 No authentication

Device Authentication: Device authentication allows the venue to restrict network access to authorized scanners but does not require individual ushers to sign in to the device. This seems an acceptable level of security for this environment, as the scanners are carefully controlled. Moving to any authentication scheme

Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting? Informing other employees of the termination Retrieving the employee's photo ID Calculating the final paycheck Revoking electronic access rights

Electronic access Electronic access to company resources must be carefully coordinated. An employee who retains access after being terminated may use that access to take retaliatory action. On the other hand, if access is terminated too early, the employee may figure out that he or she is about to be terminated.

Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access? Credentials and need to know Clearance and need to know Password and clearance Password and biometric scan

Clearance & N2K: Before granting access, Gary should verify that the user has a valid security clearance and a business need to know the information. Gary is performing an authorization task, so he does not need to verify the user's credentials, such as a password or biometric scan.

Susan is working with the management team in her company to classify data in an attempt to apply extra security controls that will limit the likelihood of a data breach. What principle of information security is Susan trying to enforce? Availability Denial Confidentiality Integrity

Confidentiality Confidentiality controls prevent the disclosure of sensitive information to unauthorized individuals. Limiting the likelihood of a data breach is an attempt to prevent unauthorized disclosure.

You discover that a user on your network has been using the Wireshark tool, as shown here. Further investigation revealed that he was using it for illicit purposes. What pillar of information security has most likely been violated?

Confidentiality D. Wireshark is a protocol analyzer and may be used to eavesdrop on network connections. Eavesdropping is an attack against confidentiality.

Frank discovers a keylogger hidden on the laptop of his company's chief executive officer. What information security principle is the keylogger most likely designed to disrupt? Confidentiality Integrity Availability Denial

Confidentiality Keyloggers monitor the keystrokes of an individual and report them back to an attacker. They are designed to steal sensitive information, a disruption of the goal of confidentiality.

What type of fire suppression system fills with water when the initial stages of a fire are detected and then requires a sprinkler head heat activation before dispensing water? Wet pipe Dry pipe Deluge Preaction

Preaction D. A preaction fire suppression system activates in two steps. The pipes fill with water once the early signs of a fire are detected. The system does not dispense water until heat sensors on the sprinkler heads trigger the second phase.

Which one of the following security programs is designed to establish a minimum standard common denominator of security understanding? Training Education Indoctrination Awareness

Awareness D. Awareness establishes a minimum standard of information security understanding. It is designed to accommodate all personnel in an organization, regardless of their assigned tasks.

Ben is responsible for the security of payment card information stored in a database. Policy directs that he remove the information from the database, but he cannot do this for operational reasons. He obtained an exception to policy and is seeking an appropriate compensating control to mitigate the risk. What would be his best option? Purchasing insurance Encrypting the database contents Removing the data Objecting to the exception

Encrypting the database contents B. Ben should encrypt the data to provide an additional layer of protection as a compensating control. The organization has already made a policy exception, so he should not react by objecting to the exception or removing the data without authorization. Purchasing insurance may transfer some of the risk but is not a mitigating control.

Norma is helping her organization create a specialized network designed for vendors that need to connect to Norma's organization's network to process invoices and upload inventory. This network should be segmented from the rest of the corporate network but have a much higher degree of access than the general public. What type of network is Norma building? 1 Internet 2 Intranet 3 Outranet 4 Extranet

Extranet: The purpose of an extranet is to allow outside organizations that are business partners to access limited resources on the corporate network. That describes the situation in this scenario, so Norma is building an extranet.

Which one of the following is an example of physical infrastructure hardening? Antivirus software Hardware-based network firewall Two-factor authentication Fire suppression system

Fire suppression system Fire suppression systems protect infrastructure from physical damage. Along with uninterruptible power supplies, fire suppression systems are good examples of technology used to harden physical infrastructure. Antivirus software, hardware firewalls, and two-factor authentication are all examples of logical controls.

MAC models use three types of environments. Which of the following is not a mandatory access control design? Hierarchical Bracketed Compartmentalized Hybrid

Hierarchical, Compartmentalized, Hybrid Mandatory access control systems can be hierarchical, where each domain is ordered and related to other domains above and below it; compartmentalized, where there is no relationship between each domain; or hybrid, where both hierarchy and compartments are used. There is no concept of bracketing in mandatory access control design.

When a subject claims an identity, what process is occurring? Login Identification Authorization Token presentation

Identification: The process of a subject claiming or professing an identity is known as identification. Authentication verifies the identity of a subject by checking a factor such as a password. Logins typically include both identification and authentication, and token presentation is a type of authentication.

Which one of the following is the first step in developing an organization's vital records program? Identifying vital records Locating vital records Archiving vital records Preserving vital records

Identifying vital records A. An organization pursuing a vital records management program should begin by identifying all of the documentation that qualifies as a vital business record. This should include all of the records necessary to restart the business in a new location should the organization invoke its business continuity plan.

Referring to the figure shown here, what is the earliest stage of a fire where it is possible to use detection technology to identify it? Incipient Smoke Flame Heat

Incipient A. Fires may be detected as early as the incipient stage. During this stage, air ionization takes place, and specialized incipient fire detection systems can identify these changes to provide early warning of a fire.

Which one of the following is not a goal of a formal change management program? Implement change in an orderly fashion. Test changes prior to implementation. Provide rollback plans for changes. Inform stakeholders of changes after they occur.

Inform stakeholders of changes after they occur D. Stakeholders should be informed of changes before, not after, they occur. The other items listed are goals of change management programs.

Which one of the following administrative processes assists organizations in assigning appropriate levels of security control to sensitive information? Information classification Remanence Transmitting data Clearing

Information Classification A. The need to protect sensitive data drives information classification. This allows organizations to focus on data that needs to be protected rather than spending effort on less important data. Remanence describes data left on media after an attempt is made to remove the data. Transmitting data isn't a driver for an administrative process to protect sensitive data, and clearing is a technical process for removing data from media.

Beth is the security administrator for a public school district. She is implementing a new student information system and is testing the code to ensure that students are not able to alter their own grades. What principle of information security is Beth enforcing? Integrity Availability Confidentiality Denial

Integrity Integrity controls, such as the one Beth is implementing in this example, are designed to prevent the unauthorized modification of information.

Questions like "What is your pet's name?" are examples of what type of identity proofing? Knowledge-based authentication Dynamic knowledge-based authentication Out-of-band identity proofing A Type 3 authentication factor

Knowledge-based authentication Knowledge-based authentication relies on preset questions such as "What is your pet's name?" and the answers. It can be susceptible to attacks because of the availability of the answers on social media or other sites. Dynamic knowledge-based authentication relies on facts or data that the user already knows that can be used to create questions they can answer on an as-needed basis (for example, a previous address, or a school they attended). Out-of-band identity proofing relies on an alternate channel like a phone call or text message. Finally, Type 3 authentication factors are biometric, or "something you are," rather than knowledge-based.

Jack's organization is a government agency that handles very sensitive information. They need to implement an access control system that allows administrators to set access rights but does not allow the delegation of those rights to other users. What is the best type of access control design for Jack's organization? Discretionary access control Mandatory access control Decentralized access control Rule-based access control

MAC Mandatory access control systems allow an administrator to configure access permissions but do not allow users to delegate permission to others. Discretionary access control systems do allow this delegation. The scenario does not provide information to indicate whether a decentralized or rule-based approach is appropriate.

Which one of the following is an example of a nondiscretionary access control system? 1 File ACLs 2 MAC 3 DAC 4 Visitor list

MAC: A mandatory access control (MAC) scheme is an example of a nondiscretionary approach to access control, as the owner of objects does not have the ability to set permissions on those objects. It is possible for a visitor list or file ACLs to be configured using a nondiscretionary scheme, but these approaches can also be configured as discretionary access control (DAC) implementations.

An accounting employee at Doolittle Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud? Separation of duties Least privilege Defense in depth Mandatory vacation

Mandatory vacation programs Mandatory vacation programs require that employees take continuous periods of time off each year and revoke their system privileges during that time. This will ideally disrupt any attempt to engage in the cover-up actions necessary to hide fraud and result in exposing the threat. Separation of duties, least privilege, and defense in depth controls all may help prevent the fraud in the first place but are unlikely to speed the detection of fraud that has already occurred.

Which one of the following does not describe a standard physical security requirement for wiring closets? Place only in areas monitored by security guards. Do not store flammable items in the closet. Use sensors on doors to log entries. Perform regular inspections of the closet.

Place only in areas monitored by security guards A. While it would be ideal to have wiring closets in a location where they are monitored by security staff, this is not feasible in most environments. Wiring closets must be distributed geographically in multiple locations across each building used by an organization.

Gabe is concerned about the security of passwords used as a cornerstone of his organization's information security program. Which one of the following controls would provide the greatest improvement in Gabe's ability to authenticate users? More complex passwords User education against social engineering Multifactor authentication Addition of security questions based on personal knowledge

Multifactor authentication While all of the listed controls would improve authentication security, most simply strengthen the use of knowledge-based authentication. The best way to improve the authentication process would be to add a factor not based on knowledge through the use of multifactor authentication. This may include the use of biometric controls or token-based authentication.

Which one of the following is an administrative control that can protect the confidentiality of information? Encryption Nondisclosure agreement Firewall Fault tolerance

NDA Nondisclosure agreements (NDAs) protect the confidentiality of sensitive information by requiring that employees and affiliates not share confidential information with third parties. NDAs normally remain in force after an employee leaves the company.

Joe is the security administrator for an ERP system. He is preparing to create accounts for several new employees. What default access should he give to all of the new employees as he creates the accounts? Read only Editor Administrator No access

No access The principle of least privilege should guide Joe in this case. He should apply no access permissions by default and then give each user the necessary permissions to perform their job responsibilities. Read-only, editor, and administrator permissions may be necessary for one or more of these users, but those permissions should be assigned based upon business need and not by default.

Kelly is adjusting her organization's password requirements to make them consistent with best practice guidance from NIST. What should she choose as the most appropriate time period for password expiration? 30 days 90 days 180 days No expiration

No expiration Current best practice guidance from NIST, published in NIST Special Publication 800-63B, suggests that organizations should not impose password expiration requirements on end users.

Ben is designing a messaging system for a bank and would like to include a feature that allows the recipient of a message to prove to a third party that the message did indeed come from the purported originator. What goal is Ben trying to achieve? Authentication Authorization Integrity Nonrepudiation

Nonrepudiation D. Nonrepudiation allows a recipient to prove to a third party that a message came from a purported source. Authentication would provide proof to Ben that the sender was authentic, but Ben would not be able to prove this to a third party.

Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that? Kerberos OAuth OpenID LDAP

OAuth OAuth provides the ability to access resources from another service and would meet Jim's needs. OpenID would allow him to use an account from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.

Files, databases, computers, programs, processes, devices, and media are all examples of what? Subjects Objects File stores Users

Objects: All of these are objects. Although some of these items can be subjects, files, databases, and storage media can't be. Processes and programs aren't file stores, and of course none of these is a user.

Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt? Kerberos LDAP OpenID SESAME

OpenID OpenID is a widely supported standard that allows a user to use a single account to log into multiple sites, and Google accounts are frequently used with OpenID.

Kathleen is implementing an access control system for her organization and builds the following array:
Reviewers: update files, delete files
Submitters: upload files
Editors: upload files, update files
Archivists: delete files
What type of access control system has Kathleen implemented? Role-based access control Task-based access control Rule-based access control Discretionary access control

RBAC Role-based access control gives each user an array of permissions based on their position in the organization, such as the scheme shown here. Task-based access control is not a standard approach. Rule-based access controls use rules that apply to all subjects, which isn't something we see in the list. Discretionary access control gives object owners rights to choose how the objects they own are accessed, which is not what this list shows.

Betty is concerned about the use of buffer overflow attacks against a custom application developed for use in her organization. What security control would provide the strongest defense against these attacks? Firewall Intrusion detection system Parameter checking Vulnerability scanning

Parameter Checking C. Parameter checking, or input validation, is used to ensure that input provided by users to an application matches the expected parameters for the application. Developers may use parameter checking to ensure that input does not exceed the expected length, preventing a buffer overflow attack.

Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization's security policy is being followed? Log review Manual review of permissions Signature-based detection Review the audit trail

Signature-based detection While signature-based detection is used to detect attacks, review of provisioning processes typically involves checking logs, reviewing the audit trail, or performing a manual review of permissions granted during the provisioning process.

Ben is following the National Institute of Standards and Technology (NIST) Special Publication 800-88 guidelines for sanitization and disposition as shown here. He is handling information that his organization classified as sensitive, which is a moderate security categorization in the NIST model. If the media is going to be sold as surplus, what process does Ben need to follow?

Purge, Validate, Document D. The NIST SP 800-88 process for sanitization and disposition shows that media that will be reused and was classified at a moderate level should be purged and then that purge should be validated. Finally, it should be documented.

What type of access control is typically used by firewalls? Discretionary access controls Rule-based access controls Task-based access control Mandatory access controls

Rule-based access control Firewalls use rule-based access control in their access control lists and apply rules created by administrators to all traffic that passes through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.

In Luke's company, users change job positions on a regular basis. Luke would like the company's access control system to make it easy for administrators to adjust permissions when these changes occur. Which model of access control is best suited for Luke's needs? Mandatory access control Discretionary access control Rule-based access control Role-based access control

RBAC Role-based access control would be an excellent solution for Luke's requirements. Administrators would assign permissions to roles and then simply adjust the role of a user when he or she changes jobs, rather than changing all of the individual permissions.

Retaining and maintaining information for as long as it is needed is known as what? Data storage policy Data storage Asset maintenance Record retention

Record Retention D. Record retention is the process of retaining and maintaining information for as long as it is needed. A data storage policy describes how and why data is stored, while data storage is the process of actually keeping the data. Asset maintenance is a process for maintaining physical assets that is not related to information security.

Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option? HTML XACML SAML SPML

SAML Security Assertion Markup Language (SAML) is the best choice for providing authentication and authorization information, particularly for browser-based SSO. HTML is primarily used for web pages, SPML is used to exchange user information for SSO, and XACML is used for access control policy markup.

Ryan would like to implement an access control technology that is likely to both improve security and increase user satisfaction. Which one of the following technologies meets this requirement? Mandatory access controls Single sign-on Multifactor authentication Automated deprovisioning

SSO: All of the controls listed here, if properly implemented, have the potential to improve the organization's security posture. However, only single sign-on is likely to improve the user experience by eliminating barriers to authentication across multiple systems. Mandatory access control and multifactor authentication will likely be seen as inconveniences by users, while automated deprovisioning will improve the experience of identity and access management administrators but not affect the end user experience.

Chris is responsible for workstations throughout his company and knows that some of the company's workstations are used to handle proprietary information. Which option best describes what should happen at the end of their lifecycle for workstations he is responsible for? Erasing Clearing Sanitization Destruction

Sanitization C. Sanitization is a combination of processes that ensure that data from a system cannot be recovered by any means. Erasing and clearing are both prone to mistakes and technical problems that can result in remnant data and don't make sense for systems that handled proprietary information. Destruction is the most complete method of ensuring that data cannot be exposed, and some organizations opt to destroy the entire workstation, but that is not a typical solution because of the cost involved.

Rhonda is considering the use of new identification cards for physical access control in her organization. She comes across a military system that uses the card shown here. What type of card is this? Smart card Proximity card Magnetic stripe card Phase three card

Smart Card A. The card shown in the image has a smart chip underneath the American flag. Therefore, it is an example of a smart card. This is the most secure type of identification card technology.

Ben uses a software-based token that changes its code every minute. What type of token is he using? Asynchronous Smart card Synchronous Static

Synchronous soft token Synchronous soft tokens, such as Google Authenticator, use a time-based algorithm that generates a constantly changing series of codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the response it expects. Smartcards typically present a certificate but may have other token capabilities built in. Static tokens are physical devices that can contain credentials and include smart cards and memory cards.

After 10 years working in her organization, Cassandra is moving into her fourth role, this time as a manager in the accounting department. What issue is likely to show up during an account review if her organization does not have strong account maintenance practices? An issue with least privilege Privilege creep Account creep Account termination

privilege creep Privilege creep is a common problem when employees change roles over time and their privileges and permissions are not properly modified to reflect their new roles. Least privilege issues are a design or implementation problem, and switching roles isn't typically what causes them to occur. Account creep is not a common industry term, and account termination would imply that someone has removed her account instead of switching her to new groups or new roles.

What term is used to describe the problem that occurs when users change jobs in an organization but never have the access rights associated with their old jobs removed? Rights management Privilege creep Two-person control Least privilege

privilege creep Privilege creep is the term used to describe the security issue that arises when users move between jobs in an organization and accumulate privileges that are never revoked when no longer necessary. This is a violation of the principle of least privilege.

As part of hiring a new employee, Kathleen's identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called? Registration Provisioning Population Authenticator loading

provisioning Provisioning includes the creation, maintenance, and removal of user objects from applications, systems, and directories. Registration occurs when users are enrolled in a biometric system; population and authenticator loading are not common industry terms.

Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky's login attempt? Ricky VPN Remote file server Files contained on the remote server

ricky In the subject/object model of access control, the user or process making the request for a resource is the subject of that request. In this example, Ricky is requesting access to the VPN (the object of the request) and is, therefore, the subject.

During a review of support incidents, Ben's organization discovered that password changes accounted for more than a quarter of its help desk's cases. Which of the following options would be most likely to decrease that number significantly? Two-factor authentication Biometric authentication Self-service password reset Passphrases

self-service password reset Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has. Two-factor and biometric authentication both add additional complexity and may actually increase the number of contacts. Passphrases can be easier to remember than traditional complex passwords and may decrease calls, but they don't have the same impact that a self-service system does.

The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation? Mandatory vacation Separation of duties Defense in depth Job rotation

separation of duties When following the separation of duties principle, organizations divide critical tasks into discrete components and ensure that no one individual has the ability to perform both actions. This prevents a single rogue individual from performing that task in an unauthorized manner.

The U.S. government CAC is an example of what form of Type 2 authentication factor? A token A biometric identifier A smart card A PIV

smart card The U.S. government's Common Access Card is a smart card. The U.S. government also issues PIV cards, or personal identity verification cards.

Which of the following multifactor authentication technologies provides both low management overhead and flexibility? Biometrics Software tokens Synchronous hardware tokens Asynchronous hardware tokens

software tokens Software tokens are flexible, with delivery options including mobile applications, SMS, and phone delivery. They have a relatively low administrative overhead, as users can typically self-manage. Biometrics require significant effort to register users and to deploy and maintain infrastructure, and they require hardware at each authentication location. Both types of hardware tokens can require additional overhead for distribution and maintenance, and token failure can cause support challenges.

Chris is worried that the laptops that his organization has recently acquired were modified by a third party to include keyloggers before they were delivered. Where should he focus his efforts to prevent this? His supply chain His vendor contracts His post-purchase build process The original equipment manufacturer (OEM)

supply chain Supply chain management can help ensure the security of hardware, software, and services that an organization acquires. Chris should focus on each step that his laptops take from the original equipment manufacturer to delivery.

Which one of the following activities is an example of an authorization process? User providing a password User passing a facial recognition check System logging user activity System consulting an access control list

system consulting an access control list Authorization occurs when a system determines whether an authenticated user is permitted to perform an activity, such as by consulting an access control list. Authentication occurs when a user proves his or her identity to a system, such as by providing a password or completing a facial recognition scan. When a system logs user activity, this is an example of accounting.

What type of trust relationship extends beyond the two domains participating in the trust to one or more of their subdomains? Transitive trust Inheritable trust Nontransitive trust Noninheritable trust

transitive trust: Transitive trusts go beyond the two domains directly involved in the trust relationship and extend to their subdomains. Nontransitive trusts are not inheritable to other domains. The terms inheritable trust and noninheritable trust are not normally used.

Kaiden is creating an extranet for his organization and is concerned about unauthorized eavesdropping on network communications. Which one of the following technologies can he use to mitigate this risk? VPN Firewall Content filter Proxy server

vpn: Kaiden should use a virtual private network (VPN) for all remote connections to the extranet. The VPN will encrypt traffic sent over public networks and protect it from eavesdropping.

A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer's account. What type of biometric factor error occurred? A registration error A Type 1 error A Type 2 error A time-of-use, method-of-use error

Type 2 error Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 2 errors are also known as false positive errors. Type 1 (or false negative) errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error. Registration is the process of adding users, but registration errors and time-of-use, method-of-use errors are not specific biometric authentication terms.

Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-stripe-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, several servers have been stolen, but the logs for the pass cards show only valid IDs. What is Kathleen's best option to make sure that the users of the pass cards are who they are supposed to be? Add a reader that requires a PIN for passcard users. Add a camera system to the facility to observe who is accessing servers. Add a biometric factor. Replace the magnetic stripe keycards with smartcards.

add a biometric factor Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or "something you have." Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: A PIN can be stolen. Adding cameras doesn't prevent access to the facility and thus doesn't solve the immediate problem (but it is a good idea!).

Which objects and subjects have a label in a MAC model? Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label. All objects have a label, and all subjects have a compartment. All objects and subjects have a label. All subjects have a label and all objects have a compartment.

all objects and subjects have a label In a mandatory access control system, all subjects and objects have a label. Compartments may or may not be used, but there is not a specific requirement for either subjects or objects to be compartmentalized. The specific labels of Confidential, Secret, and Top Secret are not required by MAC.

What type of token-based authentication system uses a challenge/response process in which the challenge must be entered on the token? Asynchronous Smart card Synchronous RFID

asynchronous Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user. Synchronous tokens use a time-based calculation to generate codes. Smart cards are paired with readers and don't need to have challenges entered, and RFID devices are not used for challenge/response tokens.

When you input a user ID and password, you are performing what important identity and access management activity? Authorization Validation Authentication Login

authentication When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren't the most important identity and access management activity.

Lauren's team of system administrators each deal with hundreds of systems with varying levels of security requirements and find it difficult to handle the multitude of usernames and passwords they each have. What type of solution should she recommend to ensure that passwords are properly handled and that features such as logging and password rotation occur? A credential management system A strong password policy Separation of duties Single sign-on

credential management system Lauren's team would benefit from a credential management system. Credential management systems offer features such as password management, multifactor authentication to retrieve passwords, logging, audit, and password rotation capabilities. A strong password policy would only make maintenance of passwords for many systems a more difficult task if done manually. Single sign-on would help if all of the systems had the same sensitivity levels, but different credentials are normally required for higher-sensitivity systems.

Which one of the following control categories does not accurately describe a fence around a facility? Physical Detective Deterrent Preventive

detective A fence does not have the ability to detect intrusions. It does, however, have the ability to prevent and deter an intrusion. Fences are an example of a physical control.

The (ISC)2 code of ethics applies to all SSCP holders. Which of the following is not one of the four mandatory canons of the code? Protect society, the common good, the necessary public trust and confidence, and the infrastructure. Disclose breaches of privacy, trust, and ethics. Provide diligent and competent service to the principles. Advance and protect the profession.

disclose breaches of privacy, trust & ethics The (ISC)2 code of ethics also includes "Act honorably, honestly, justly, responsibly, and legally" but does not specifically require credential holders to disclose all breaches of privacy, trust, or ethics.

What term is used to describe the default set of privileges assigned to a user when a new account is created? Aggregation Transitivity Baseline Entitlement

entitlement Entitlement refers to the privileges granted to users when an account is first provisioned. Aggregation is the accumulation of privileges over time. Transitivity is the inheritance of privileges and trust through relationships. Baselines are snapshots of a system or application's security that allow analysts to detect future modifications.

Raul is creating a trust relationship between his company and a vendor. He is implementing the system so that it will allow users from the vendor's organization to access his accounts payable system using the accounts created for them by the vendor. What type of authentication is Raul implementing? Federated authentication Transitive trust Multifactor authentication Single sign-on

federated authentication This type of authentication, where one domain trusts users from another domain, is called federation. Federation may involve transitive trusts, where the trusts may be followed through a series of domains, but this scenario only describes the use of two domains. The scenario only describes use of credentials for a single system and does not describe a multiple-system scenario where single sign-on would be relevant. There is no requirement described for the use of multifactor authentication, which would require the use of two or more diverse authentication techniques.

Adam is accessing a standalone file server using a username and password provided to him by the server administrator. Which one of the following entities is guaranteed to have information necessary to complete the authorization process? Adam File server Server administrator Adam's supervisor

file server We know that both Adam and the server administrator have the username and password, but this is information used for identification and authentication, not authorization. We do not know what information Adam's supervisor might have. The server is a standalone file server, so it must have information about the activities that Adam is authorized to perform.

The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as "Which of the following streets did you live on in 2007?" What process is Susan's organization using? Identity proofing Password verification Authenticating with Type 2 authentication factor Out-of-band identity proofing

identity proofing Verifying information that an individual should know about themselves using third-party factual information (a Type 1 authentication factor) is sometimes known as dynamic knowledge-based authentication and is a type of identity proofing. Out-of-band identity proofing would use another means of contacting the user, such as a text message or phone call, and password verification requires a password.

Which one of the following actions might be taken as part of a business continuity plan? Restoring from backup tapes Implementing RAID Relocating to a cold site Restarting business operations

implementing RAID RAID technology provides fault tolerance for hard drive failures and is an example of a business continuity action. Restoring from backup tapes, relocating to a cold site, and restarting business operations are all disaster recovery actions.

Mandatory access control is based on what type of model? Discretionary Group-based Lattice-based Rule-based

lattice-based Mandatory access control systems are based on a lattice-based model. Lattice-based models use a matrix of classification labels to compartmentalize data. Discretionary access models allow object owners to determine access to the objects they control, role-based access controls are often group-based, and rule-based access controls like firewall ACLs apply rules to all subjects they apply to.

Darlene was recently offered a consulting opportunity as a side job. She is concerned that the opportunity might constitute a conflict of interest. Which one of the following sources is most likely to provide her with appropriate guidance? Organizational code of ethics (ISC)2 code of ethics Organizational security policy (ISC)2 security policy

organizational code of ethics The situation Darlene finds herself in is an ethical dilemma, and a code of ethics would be the best place to look for guidance. This situation is specific to her employer, so she should turn to her organization's code of ethics, rather than the more general (ISC)2 Code of Ethics.

When a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this? Knowledge-based authentication Dynamic knowledge-based authentication Out-of-band identity proofing Risk-based identity proofing

out-of-band identity proofing Identity proofing that relies on a type of verification outside the initial environment that required the verification is out-of-band identity proofing. This type of verification relies on the owner of the phone or phone number having control of it but removes the ability for attackers to use only Internet-based resources to compromise an account. Knowledge-based authentication relies on answers to preselected information, whereas dynamic knowledge-based authentication builds questions using facts or data about the user. Risk-based identity proofing uses risk-based metrics to determine whether identities should be permitted or denied access. It is used to limit fraud in financial transactions, such as credit card purchases. This is a valid form of proofing but does not necessarily use an out-of-band channel, such as SMS.

Which of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors? Voice pattern recognition Hand geometry Palm scans Heart/pulse patterns

palm scans Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to uniquely identify between individuals or can be fooled more easily.

Carl recently assisted in the implementation of a new set of security controls designed to comply with legal requirements. He is concerned about the long-term maintenance of those controls. Which one of the following is a good way for Carl to ease his concerns? Firewall rules Policy documents Security standards Periodic audits

periodic audits While all of the items listed are components of a strong security program, periodic audits would provide Carl with the assurance that controls continue to operate effectively over the long term.

The false acceptance rate (FAR)

A measurement of the percentage of invalid users that will be falsely accepted by the system. This is called a Type II error. Type II errors are more dangerous than Type I errors.

The false rejection rate (FRR)

A measurement of the percentage of valid users that will be falsely rejected by the system. This is called a Type I error.

What term is used to describe a set of common security configurations, often provided by a third party? Security policy Baseline DSS NIST SP 800-53

Baseline B. A baseline is a set of security configurations that can be adopted and modified to fit an organization's security needs. A security policy is written to describe an organization's approach to security, while DSS is the second half of the Payment Card Industry Data Security Standard. The NIST SP 800 series of documents addresses computer security in a variety of areas.

Yolanda is writing a document that will provide configuration information regarding the minimum level of security that every system in the organization must meet. What type of document is she preparing? Policy Baseline Guideline Procedure

Baseline Baselines provide the minimum level of security that every system throughout the organization must meet.

Ralph is designing a physical security infrastructure for a new computing facility that will remain largely unstaffed. He plans to implement motion detectors in the facility but would also like to include a secondary verification control for physical presence. Which one of the following would best meet his needs? CCTV IPS Turnstiles Faraday cages

CCTV A. Closed-circuit television (CCTV) systems act as a secondary verification mechanism for physical presence because they allow security officials to view the interior of the facility when a motion alarm sounds to determine the current occupants and their activities.

The point where the false acceptance rate and the false rejection rate cross over; it is a standard assessment used to compare the accuracy of biometric devices.

CER: crossover error rate

Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access? An access control list An implicit denial list A capability table A rights management matrix

Capability tables Capability tables list the privileges assigned to subjects and identify the objects that subjects can access. Access control lists are object-focused rather than subject-focused. Implicit deny is a principle that states that anything that is not explicitly allowed is denied, and a rights management matrix is not an access control model.

Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why? MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority

DAC Discretionary access control (DAC) can provide greater scalability by leveraging many administrators, and those administrators can add flexibility by making decisions about access to their objects without fitting into an inflexible mandatory access control (MAC) system. MAC is more secure because of the strong set of controls it provides, but it does not scale as well as DAC and is relatively inflexible in comparison.

What access control system lets owners decide who has access to the objects they own? Role-based access control Task-based access control Discretionary access control Rule-based access control

DAC Discretionary access control gives owners the right to decide who has access to the objects they own. Role-based access control uses administrators to make that decision for roles or groups of people with a role, task-based access control uses lists of tasks for each user, and rule-based access control applies a set of rules to all subjects.

Which one of the following is not an example of a technical control? Router ACL Firewall rule Encryption Data classification

Data Classification D. Router ACLs, encryption, and firewall rules are all examples of technical controls. Data classification is an administrative control.
