During a system audit, Casey notices that the private key for her organization’s web server has been stored in a public Amazon S3 storage bucket for more than a year. What should she do?
Remove the key from the bucket.
Notify all customers that their data may have been exposed.
Request a new certificate using a new key.
Nothing, because the private key should be accessible for validation.
Which of the following is not a common threat to access control mechanisms?
Fake login pages
Phishing
Dictionary attacks
Man-in-the-middle attacks
Which one of the following would be considered an example of infrastructure as a service cloud computing?
Payroll system managed by a vendor and delivered over the web
Application platform managed by a vendor that runs customer code
Servers provisioned by customers on a vendor-managed virtualization platform
Web-based email service provided by a vendor
Referring to the fire triangle shown here, which one of the following suppression materials attacks a fire by removing the fuel source?
Water
Soda acid
Carbon dioxide
Halon
What type of alternate processing facility contains the hardware necessary to restore operations but does not have a current copy of data?
Hot site
Warm site
Cold site
Mobile site
The IP address 201.19.7.45 is what type of address?
A public IP address
An RFC 1918 address
An APIPA address
A loopback address
James has opted to implement a NAC solution that uses a post-admission philosophy for its control of network connectivity. What type of issues can’t a strictly post-admission policy handle?
Out-of-band monitoring
Preventing an unpatched laptop from being exploited immediately after connecting to the network
Denying access when user behavior doesn’t match an authorization matrix
Allowing user access when user behavior is allowed based on an authorization matrix
What process adds a header and a footer to data received at each layer of the OSI model?
Attribution
Encapsulation
TCP wrapping
Data hiding
Which of the following is not one of the four canons of the (ISC)2 code of ethics?
Avoid conflicts of interest that may jeopardize impartiality.
Protect society, the common good, necessary public trust and confidence, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
For questions 10–13, please refer to the following scenario.
Mike and Renee would like to use an asymmetric cryptosystem to communicate with each other. They are located in different parts of the country but have exchanged encryption keys by using digital certificates signed by a mutually trusted certificate authority.
When the certificate authority (CA) created Renee’s digital certificate, what key was contained within the body of the certificate?
Renee’s public key
Renee’s private key
CA’s public key
CA’s private key
When the certificate authority created Renee’s digital certificate, what key did it use to digitally sign the completed certificate?
Renee’s public key
Renee’s private key
CA’s public key
CA’s private key
When Mike receives Renee’s digital certificate, what key does he use to verify the authenticity of the certificate?
Renee’s public key
Renee’s private key
CA’s public key
CA’s private key
Mike would like to send Renee a private message using the information gained during this exchange. What key should he use to encrypt the message?
Renee’s public key
Renee’s private key
CA’s public key
CA’s private key
Jim starts a new job as a system engineer, and his boss provides him with a document entitled “Forensic Response Guidelines.” Which one of the following statements is not true?
Jim must comply with the information in this document.
The document contains information about forensic examinations.
Jim should read the document thoroughly.
The document is likely based on industry best practices.
Alex has been employed by his company for more than a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications because of his former roles. What issue has Alex’s company encountered?
Excessive provisioning
Unauthorized access
Privilege creep
Account review
RIP, OSPF, and BGP are all examples of protocols associated with what type of network device?
Switches
Bridges
Routers
Gateways
If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct authentication factor types has she used?
One
Two
Three
Four
What process makes TCP a connection-oriented protocol?
It works via network connections.
It uses a handshake.
It monitors for dropped connections.
It uses a complex header.
What is the goal of the BCP process?
RTO < MTD
MTD < RTO
RPO < MTD
MTD < RPO
Which one of the following is an example of an administrative control?
Intrusion detection system
Security awareness training
Firewalls
Security guards
What level of RAID is also known as disk mirroring?
RAID 0
RAID 1
RAID 5
RAID 10
Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?
SAML
SOAP
SPML
XACML
TCP and UDP both operate at what layer of the OSI model?
Layer 2
Layer 3
Layer 4
Layer 5
Linda is selecting a disaster recovery facility for her organization, and she wants to retain independence from other organizations as much as possible. She would like to choose a facility that balances cost and recovery time, allowing activation in about one week after a disaster is declared. What type of facility should she choose?
Cold site
Warm site
Mutual assistance agreement
Hot site
Which one of the following backup types does not alter the status of the archive bit on a file?
Full backup
Incremental backup
Partial backup
Differential backup
During which phase of the incident response process would administrators design new security controls intended to prevent a recurrence of the incident?
Reporting
Recovery
Remediation
Lessons Learned
Match each of the numbered services with the lettered network port commonly used by that service. Each item should be used exactly once.
Service
1. DNS
2. HTTPS
3. SSH
4. RDP
5. MSSQL
Network port
A. TCP port 443
B. TCP port 3389
C. TCP port 1433
D. UDP port 53
E. TCP port 22
What type of Windows audit record describes events like an OS shutdown or a service being stopped?
An application log
A security log
A system log
A setup log
During a log review, Karen discovers that the system she needs to gather logs from has the log setting shown here. What problem is Karen likely to encounter?
Too much log data will be stored on the system.
The system is automatically purging archived logs.
The logs will not contain the information needed.
The logs will contain only the most recent 20 MB of log data.
Microsoft’s STRIDE threat assessment framework uses six categories for threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. If a penetration tester is able to modify audit logs, what STRIDE categories best describe this issue?
Tampering and information disclosure
Elevation of privilege and tampering
Repudiation and denial of service
Repudiation and tampering
Place the list of disaster recovery test types in order of their potential impact on the business, starting with the least impactful and progressing through the most impactful.
Checklist review
Parallel test
Tabletop exercise
Full interruption test
What type of access control is being used in the following permission listing?
Storage Device X
User1: Can read, write, list
User2: Can read, list
User3: Can read, write, list, delete
User4: Can list
Resource-based access controls
Role-based access controls
Mandatory access controls
Rule-based access controls
Fred’s company wants to ensure the integrity of email messages sent via its central email servers. If the confidentiality of the messages is not critical, what solution should Fred suggest?
Digitally sign and encrypt all messages to ensure integrity.
Digitally sign but don’t encrypt all messages.
Use TLS to protect messages, ensuring their integrity.
Use a hashing algorithm to provide a hash in each message to prove that it hasn’t changed.
Which one of the following goals of physical security environments occurs first in the functional order of controls?
Delay
Detection
Deterrence
Denial
Cameron is responsible for backing up his company’s primary file server. He configured a backup schedule that performs full backups every Monday evening at 9 p.m. and incremental backups on other days of the week at that same time. How many files will be copied in Wednesday’s backup?
1
2
5
6
Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
Require users to create unique questions that only they will know.
Require new users to bring their driver’s license or passport in person to the bank.
Use information that both the bank and the user have such as questions pulled from their credit report.
Call the user on their registered phone number to verify that they are who they claim to be.
Surveys, interviews, and audits are all examples of ways to measure what important part of an organization’s security posture?
Code quality
Service vulnerabilities
Awareness
Attack surface
In the image shown here, what does system B send to system A at step 2 of the three-way TCP handshake?
SYN
ACK
FIN/ACK
SYN/ACK
Which one of the following is not a valid key length for the Advanced Encryption Standard?
128 bits
192 bits
256 bits
384 bits
Which one of the following is not a technique used by virus authors to hide the existence of their virus from anti-malware software?
Stealth
Multipartitism
Polymorphism
Encryption
For questions 41–43, please refer to the following scenario.
The company that Fred works for is reviewing the security of its company-issued cell phones. They issue 4G-capable smartphones running Android and iOS and use a mobile device management solution to deploy company software to the phones. The mobile device management software also allows the company to remotely wipe the phones if they are lost.
What security considerations should Fred’s company require for sending sensitive data over the cellular network?
They should use the same requirements as data over any public network.
Cellular provider networks are private networks and should not require special consideration.
Encrypt all traffic to ensure confidentiality.
Require the use of WAP for all data sent from the phone.
Fred intends to attend a major hacker conference this year. What should he do when connecting to his cellular provider’s 4G network while at the conference?
Continue normal usage.
Discontinue all usage; towers can be spoofed.
Only use trusted Wi-Fi networks.
Connect to his company’s encrypted VPN service.
What are the most likely circumstances that would cause a remote wipe of a mobile phone to fail?
The phone has a passcode on it.
The phone cannot contact a network.
The provider has not unlocked the phone.
The phone is in use.
Which one of the following is an example of risk transference?
Building a guard shack
Purchasing insurance
Erecting fences
Relocating facilities
Kyle is being granted access to a military computer system that uses System High mode. What is not true about Kyle’s security clearance requirements?
Kyle must have a clearance for the highest level of classification processed by the system, regardless of his access.
Kyle must have access approval for all information processed by the system.
Kyle must have a valid need to know for all information processed by the system.
Kyle must have a valid security clearance.
Tom is conducting a business continuity planning effort for Orange Blossoms, a fruit orchard located in Central Florida. During the assessment process, the committee determined that there is a small risk of snow in the region but that the cost of implementing controls to reduce the impact of that risk is not warranted. They elect to not take any specific action in response to the risk. What risk management strategy is Orange Blossoms pursuing?
Risk mitigation
Risk transference
Risk avoidance
Risk acceptance
Carla has worked for her company for 15 years and has held a variety of different positions. Each time she changed positions, she gained new privileges associated with that position, but no privileges were ever taken away. What concept describes the sets of privileges she has accumulated?
Entitlement
Aggregation
Transitivity
Isolation
Which one of the following types of agreements is the most formal document that contains expectations about availability and other performance parameters between a service provider and a customer?
Service-level agreement (SLA)
Operational-level agreement (OLA)
Memorandum of understanding (MOU)
Statement of work (SOW)
Chris has been assigned to scan a system on all of its possible TCP and UDP ports. How many ports of each type must he scan to complete his assignment?
65,536 TCP ports and 32,768 UDP ports
1,024 common TCP ports and 32,768 ephemeral UDP ports
65,536 TCP and 65,536 UDP ports
16,384 TCP ports and 16,384 UDP ports
Lauren starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?
Privilege creep
Rights collision
Least privilege
Excessive privileges
Jim has been contracted to perform a penetration test of a bank’s primary branch. To make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?
A crystal-box penetration test
A gray-box penetration test
A black-box penetration test
A white-box penetration test
Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using?
A capability table
An access control list
An access control matrix
A subject/object rights management system
A cloud-based service that provides account provisioning, management, authentication, authorization, reporting, and monitoring capabilities is known as what type of service?
PaaS
IDaaS
IaaS
SaaS
What is the maximum penalty that may be imposed by an (ISC)2 peer review board when considering a potential ethics violation?
Revocation of certification
Termination of employment
Financial penalty
Suspension of certification
Matthew, Richard, and Christopher would like to exchange messages with each other using symmetric cryptography. They want to ensure that each individual can privately send a message to another individual without the third person being able to read the message. How many keys do they need?
1
2
3
6
What UDP port is typically used by the syslog service?
443
514
515
445
During which of the following disaster recovery tests does the team sit together and discuss the response to a scenario but not actually activate any disaster recovery controls?
Checklist review
Full interruption test
Parallel test
Tabletop exercise
Which one of the following is a detailed, step-by-step document that describes the exact actions that individuals must complete?
Policy
Standard
Guideline
Procedure
Tammy is selecting a disaster recovery facility for her organization. She would like to choose a facility that balances the time required to recover operations with the cost involved. What type of facility should she choose?
Hot site
Warm site
Cold site
Red site
Which one of the following statements about malware is correct?
Malware authors do not target Macintosh or Linux systems.
The most reliable way to detect known malware is watching for unusual system activity.
Signature detection is the most effective technique to combat known malware.
APT attackers typically use malware designed to exploit vulnerabilities identified in security bulletins.
Ben needs to verify that the most recent patch for his organization’s critical application did not introduce issues elsewhere. What type of testing does Ben need to conduct to ensure this?
Unit testing
White box
Regression testing
Black box
Warren is designing a physical intrusion detection system for his data center and wants to include technology that issues an alert if the communications lines for the alarm system are unexpectedly cut. What technology would meet this requirement?
Heartbeat sensor
Emanation security
Motion detector
Faraday cage
Greg is battling a malware outbreak in his organization. He used specialized malware analysis tools to capture samples of the malware from three different systems and noticed that the code is changing slightly from infection to infection. Greg believes that this is the reason that antivirus software is having a tough time defeating the outbreak. What type of malware should Greg suspect is responsible for this security incident?
Stealth virus
Polymorphic virus
Multipartite virus
Encrypted virus
Which group is best suited to evaluate and report on the effectiveness of administrative controls an organization has put in place to a third party?
Internal auditors
Penetration testers
External auditors
Employees who design, implement, and monitor the controls
In virtualization platforms, what name is given to the module that is responsible for controlling access to physical resources by virtual resources?
Guest machine
SDN
Kernel
Hypervisor
Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?
PKI
Federation
Single sign-on
Provisioning
Joe wants to test a program he suspects may contain malware. What technology can he use to isolate the program while it runs?
ASLR
Sandboxing
Clipping
Process isolation
What type of attack would the following precautions help prevent?
Requesting proof of identity
Requiring callback authorizations on voice-only requests
Not changing passwords via voice communications
DoS attacks
Worms
Social engineering
Shoulder surfing
Mike has been tasked with preventing an outbreak of malware like Mirai. What type of systems should be protected in his organization?
Servers
SCADA
Mobile devices
Internet of Things (IoT) devices
What type of risk assessment uses tools such as the one shown here?
Quantitative
Loss expectancy
Financial
Qualitative
Ben has written the password hashing system for the web application he is building. His password hashing function results in the following process for a series of passwords:
What flaw has Ben introduced with his hashing implementation?
Plaintext salting
Salt reuse
Use of a short salt
Poor salt algorithm selection
Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?
Password
Retinal scan
Username
Token
Theresa is implementing a new access control system and wants to ensure that developers do not have the ability to move code from development systems into the production environment. What information security principle is she most directly enforcing?
Separation of duties
Two-person control
Least privilege
Job rotation
NIST Special Publication 800-92, the Guide to Computer Security Log Management, describes four types of common challenges to log management:
Many log sources
Inconsistent log content
Inconsistent timestamps
Inconsistent log formats
Which of the following solutions is best suited to solving these issues?
Implement SNMP for all logging devices.
Implement a SIEM.
Standardize on the Windows event log format for all devices and use NTP.
Ensure that logging is enabled on all endpoints using their native logging formats and set their local time correctly.
Which one of the following components should be included in an organization’s emergency response guidelines?
Secondary response procedures for first responders
Long-term business continuity protocols
Activation procedures for the organization’s cold sites
Contact information for ordering equipment
Grace is considering the use of new identification cards in her organization that will be used for physical access control. She comes across the sample card shown here and is unsure of the technology it uses. What type of card is this?
Smart card
Phase-two card
Proximity card
Magnetic stripe card
Gary is analyzing a security incident and, during his investigation, encounters a user who denies having performed an action that Gary believes he did perform. What type of threat has taken place under the STRIDE model?
Repudiation
Information disclosure
Tampering
Elevation of privilege
After scanning all the systems on his wireless network, Mike notices that one system is identified as an iOS device running a massively out-of-date version of Apple’s mobile operating system. When he investigates further, he discovers that the device is an original iPad and that it cannot be updated to a current secure version of the operating system. What should Mike recommend?
Retire or replace the device.
Isolate the device on a dedicated wireless network.
Install a firewall on the tablet.
Reinstall the OS.
What type of access control scheme is shown in the following table?
Highly Sensitive   Red      Blue     Green
Confidential       Purple   Orange   Yellow
Internal Use       Black    Gray     White
Public             Clear    Clear    Clear
RBAC
DAC
MAC
TBAC
Rick is an application developer who works primarily in Python. He recently decided to evaluate a new service where he provides his Python code to a vendor who then executes it on their server environment. What type of cloud computing environment is this service?
SaaS
PaaS
IaaS
CaaS
During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?
A brute-force attack
A pass-the-hash attack
A rainbow table attack
A salt recovery attack
Kay is selecting an application management approach for her organization. Employees need the flexibility to install software on their systems, but Kay wants to prevent them from installing certain prohibited packages. What type of approach should she use?
Antivirus
Whitelist
Blacklist
Heuristic
Owen recently designed a security access control structure that prevents a single user from simultaneously holding the role required to create a new vendor and the role required to issue a check. What principle is Owen enforcing?
Two-person control
Least privilege
Separation of duties
Job rotation
IP addresses like 10.10.10.10 and 172.19.24.21 are both examples of what type of IP address?
Public IP addresses
Prohibited IP addresses
Private IP addresses
Class B IP ranges
Fran’s company is considering purchasing a web-based email service from a vendor and eliminating its own email server environment as a cost-saving measure. What type of cloud computing environment is Fran’s company considering?
SaaS
IaaS
CaaS
PaaS
Match each of the numbered cable types with exactly one of the lettered maximum cable lengths.
Cable type
1. Category 5e
2. Coaxial (RG-58)
3. Fiber optic
Maximum length
A. 500 feet
B. 300 feet
C. 1+ kilometers
Which component of IPsec provides authentication, integrity, and nonrepudiation?
L2TP
Encapsulating Security Payload
Encryption Security Header
Authentication Header
Alex’s job requires him to see protected health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?
Separation of duties
Constrained interfaces
Context-dependent control
Need to know
Which one of the following investigation types has the loosest standards for collecting and preserving information?
Civil investigation
Operational investigation
Criminal investigation
Regulatory investigation
Susan is working to improve the strength of her organization’s passwords by changing the password policy. The password system that she is using allows uppercase and lowercase letters as well as numbers but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create?
26 times more complex
62 times more complex
36 times more complex
2^62 times more complex
Purchasing insurance is a form of what type of risk response?
Transfer
Avoid
Mitigate
Accept
Which one of the following metrics specifies the amount of time that business continuity planners find acceptable for the restoration of service after a disaster?
MTD
RTO
RPO
MTO
Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
Retina scans can reveal information about medical conditions.
Retina scans are painful because they require a puff of air in the user’s eye.
Retina scanners are the most expensive type of biometric device.
Retina scanners have a high false positive rate and will cause support issues.
What is the best way to ensure email confidentiality in motion?
Use TLS between the client and server.
Use SSL between the client and server.
Encrypt the email content.
Use a digital signature.
What layer of the OSI model is associated with datagrams?
Session
Transport
Network
Data Link
What type of vulnerability scan accesses configuration information from the systems it is run against as well as information that can be accessed via services available via the network?
Authenticated scans
Web application scans
Unauthenticated scans
Port scans
What term is used to describe a starting point for a minimum security standard?
Outline
Baseline
Policy
Configuration guide
Full disk encryption like Microsoft’s BitLocker is used to protect data in what state?
Data in transit
Data at rest
Unlabeled data
Labeled data
Gwen comes across an application that is running under a service account on a web server. The service account has full administrative rights to the server. What principle of information security does this violate?
Need to know
Separation of duties
Least privilege
Job rotation
Using the OSI model, what format does the Data Link layer use to format messages received from higher up the stack?
A data stream
A frame
A segment
A datagram
What type of forensic investigation typically has the highest evidentiary standards?
Administrative
Criminal
Civil
Industry
Lauren’s healthcare provider maintains such data as details about her health, treatments, and medical billing. What type of data is this?
Protected health information
Personally identifiable information
Protected health insurance
Individual protected data
In Jen’s job as the network administrator for an industrial production facility, she is tasked with ensuring that the network is not susceptible to electromagnetic interference due to the large motors and other devices running on the production floor. What type of network cabling should she choose if this concern is more important than cost and difficulty of installation?
10Base2
100BaseT
1000BaseT
Fiber-optic
What type of penetration testing provides detail on the scope of a penetration test—including items like what systems would be targeted—but does not provide full visibility into the configuration or other details of the systems or networks the penetration tester must test?
Crystal box
White box
Black box
Gray box
You are the CISO for a major hospital system and are preparing to sign a contract with a software as a service (SaaS) email vendor and want to ensure that its business continuity planning measures are reasonable. What type of audit might you request to meet this goal?
SOC 1
FISMA
PCI DSS
SOC 2
Which of the following types of controls does not describe a mantrap?
Deterrent
Preventive
Compensating
Physical
Match each one of the numbered protocols with the most accurate lettered description. Use each answer exactly once.
Protocol
1. TCP
2. UDP
3. DNS
4. ARP
Description
A. Performs translations between MAC addresses and IP addresses
B. Performs translations between FQDNs and IP addresses
C. Transports data over a network in a connection-oriented fashion
D. Transports data over a network in a connectionless fashion
What should be true for salts used in password hashes?
A single salt should be set so passwords can be de-hashed as needed.
A single salt should be used so the original salt can be used to check passwords against their hash.
Unique salts should be stored for each user.
Unique salts should be created every time a user logs in.
STRIDE, which stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege, is useful in what part of application threat modeling?
Vulnerability assessment
Misuse case testing
Threat categorization
Penetration test planning
Which one of the following is not a basic preventative measure that you can take to protect your systems and applications against attack?
Implement intrusion detection and prevention systems.
Maintain current patch levels on all operating systems and applications.
Remove unnecessary accounts and services.
Conduct forensic imaging of all systems.
You are conducting a qualitative risk assessment for your organization. The two important risk elements that should weigh most heavily in your analysis of risk are probability and ___________.
Likelihood
History
Impact
Cost
Fred needs to transfer files between two servers on an untrusted network. Since he knows the network isn’t trusted, he needs to select an encrypted protocol that can ensure that his data remains secure. What protocol should he choose?
SSH
TCP
SFTP
IPsec
Which one of the following investigation types always uses the beyond-a-reasonable-doubt standard of proof?
Civil investigation
Criminal investigation
Operational investigation
Regulatory investigation
Norm would like to conduct a disaster recovery test for his organization and wants to choose the most thorough type of test, recognizing that it may be quite disruptive. What type of test should Norm choose?
Full interruption test
Parallel test
Tabletop exercise
Checklist review
Ed is tasked with protecting information about his organization’s customers, including their name, Social Security number, birthdate, and place of birth, as well as a variety of other information. What is this information known as?
PHI
PII
Personal protected data
PID
Susan is conducting a STRIDE threat assessment by placing threats into one or more of the following categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. As part of her assessment, she has discovered an issue that allows transactions to be modified between a web browser and the application server that it accesses. What STRIDE categorization(s) best fit this issue?
Tampering and Information Disclosure
Spoofing and Tampering
Tampering and Repudiation
Information Disclosure and Elevation of Privilege
Tamara recently decided to purchase cyber-liability insurance to cover her company’s costs in the event of a data breach. What risk management strategy is she pursuing?
Risk acceptance
Risk mitigation
Risk transference
Risk avoidance
Referring to the figure shown here, what is the name of the security control indicated by the arrow?
Mantrap
Intrusion prevention system
Turnstile
Portal
Elaine is developing a business continuity plan for her organization. What value should she seek to minimize?
AV
SSL
RTO
MTO
Chris is deploying a gigabit Ethernet network using Category 6 cable between two buildings. What is the maximum distance he can run the cable according to the Category 6 standard?
50 meters
100 meters
200 meters
300 meters
What type of alternate processing facility includes all of the hardware and data necessary to restore operations in a matter of minutes or seconds?
Hot site
Warm site
Cold site
Mobile site
For questions 122–124, please refer to the following scenario.
The organization that Ben works for has a traditional on-site Active Directory environment that uses a manual provisioning process for each addition to their 350-employee company. As the company adopts new technologies, they are increasingly using software as a service applications to replace their internally developed software stack.
Ben has been tasked with designing an identity management implementation that will allow his company to use cloud services while supporting their existing systems. Using the logical diagram shown here, answer the following questions about the identity recommendations Ben should make.
If availability of authentication services is the organization’s biggest priority, what type of identity platform should Ben recommend?
On-site
Cloud-based
Hybrid
Outsourced
If Ben needs to share identity information with the business partner shown, what should he investigate?
Single sign-on
Multifactor authentication
Federation
IDaaS
What technology is likely to be involved when Ben’s organization needs to provide authentication and authorization assertions to their cloud e-commerce application?
Active Directory
SAML
RADIUS
SPML
Norm is configuring an RSA cryptosystem for use within his organization and is selecting the key lengths that he will support. Which one of the following key lengths is not both supported by the RSA algorithm and generally considered secure?