Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
Jim’s organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim’s company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company’s onsite identity needs?
Which of the following is not a weakness in Kerberos?
Voice pattern recognition is what type of authentication factor?
If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct types of factor has she used?
Which of the following items are not commonly associated with restricted interfaces?
During a log review, Saria discovers a series of logs that show login failures as shown here:
What type of attack has Saria discovered?
What type of attack can be prevented by using a trusted path?
What major issue often results from decentralized access control?
Callback to a home phone number is an example of what type of factor?
Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?
Which of the following AAA protocols is the most commonly used?
Which of the following is not a single sign-on implementation?
As seen in the following image, a user on a Windows system is not able to use the “Send Message” functionality. What access control model best describes this type of limitation?
What type of access controls allow the owner of a file to grant other users access to it using an access control list?
Alex’s job requires him to see personal health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?
Using your knowledge of the Kerberos logon process and the following diagram, answer questions 17, 18, and 19.
At point A in the diagram, the client sends the username and password to the KDC. How are the username and password protected?
At point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid?
What tasks must the client perform before it can use the TGT?
Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
Mandatory access control is based on what type of model?
Which of the following is not a type of attack used against access controls?
What is the best way to provide accountability for the use of identities?
Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?
Biba is what type of access control model?
Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
What type of access control is being used in the following permission listing:
Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor and what traffic will she be able to read?
Which of the following is not part of a Kerberos authentication system?
When an application or system allows a logged-in user to perform specific actions, it is an example of what?
Alex has been employed by his company for over a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications due to his former roles. What issue has Alex’s company encountered?
Which of the following is not a common threat to access control mechanisms?
What term properly describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order for normal function?
What type of access control scheme is shown in the following table?
| Highly Sensitive | Red | Blue | Green |
| Confidential | Purple | Orange | Yellow |
| Internal Use | Black | Gray | White |
| Public | Clear | Clear | Clear |
Which of the following is not a valid LDAP DN (distinguished name)?
When a subject claims an identity, what process is occurring?
Dogs, guards, and fences are all common examples of what type of control?
Susan’s organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute force attacks?
What is the stored sample of a biometric factor called?
When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?
Susan is working to improve the strength of her organization’s passwords by changing the password policy. The password system that she is using allows upper- and lower-case letters as well as numbers but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create?
Which pair of the following factors is key for user acceptance of biometric identification systems?
Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integrations and security architecture design, answer questions 43, 44, and 45.
Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks?
If Alex’s organization is one that is primarily made up of offsite, traveling users, what availability risk does integration of critical business applications to onsite authentication create and how could he solve it?
What solution can best help address concerns about third parties that control SSO directs as shown in step 2 in the diagram?
Susan has been asked to recommend whether her organization should use a mandatory access control scheme or a discretionary access control scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed?
Lauren needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?
During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?
Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?
Lauren starts at her new job and finds that she has access to a variety of systems that she does not need in order to accomplish her job. What problem has she encountered?
When Chris verifies an individual’s identity and adds a unique identifier like a user ID to an identity system, what process has occurred?
Jim configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636. What does this indicate to Jim about the configuration of the LDAP server?
The X.500 standards cover what type of important identity systems?
Microsoft’s Active Directory Domain Services is based on which of the following technologies?
Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
By default, in what format does OpenLDAP store the value of the userPassword attribute?
A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer’s account. What type of biometric factor error occurred?
What type of access control is typically used by firewalls?
When you input a user ID and password, you are performing what important identity and access management activity?
Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen’s best option to make sure that the users of the passcards are who they are supposed to be?
Which of the following is a ticket-based authentication protocol designed to provide secure communication?
What type of access control is composed of policies and procedures that support regulations, requirements, and the organization’s own policies?
In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS?
Which objects and subjects have a label in a MAC model?
Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice.
Using this information and the following diagram of an example authentication flow, answer questions 66, 67, and 68.
When the e-commerce application creates an account for a Google+ user, where should that user’s password be stored?
Which system or systems is/are responsible for user authentication for Google+ users?
What type of attack is the creation and exchange of state tokens intended to prevent?
Questions like “What is your pet’s name?” are examples of what type of identity proofing?
Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using?
During a review of support incidents, Ben’s organization discovered that password changes accounted for more than a quarter of its help desk’s cases. Which of the following options would be most likely to decrease that number significantly?
Brian’s large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS?
Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?
Ben’s organization has had an issue with unauthorized access to applications and workstations during the lunch hour when employees aren’t at their desks. What type of session management solution is best for Ben to recommend to help prevent this type of access?
Lauren is an information security analyst tasked with deploying technical access controls for her organization. Which of the following is not a logical or technical access control?
The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as, “Which of the following streets did you live on in 2007?” What process is Susan’s organization using?
The US government CAC is an example of what form of Type 2 authentication factor?
What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API?
Jim has Secret clearance and is accessing files that use a mandatory access control scheme to apply the Top Secret, Secret, Confidential, and Unclassified label scheme. If his rights include the ability to access all data of his clearance level or lower, what classification levels of data can he access?
The security administrators at the company that Susan works for have configured the workstation she uses to allow her to log in only during her work hours. What type of access control best describes this limitation?
When Lauren uses a fingerprint scanner to access her bank account, what type of authentication factor is she using?
Which of the following is not an access control layer?
Ben uses a software-based token which changes its code every minute. What type of token is he using?
What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token?
Ben’s organization is adopting biometric authentication for its high-security building’s access control system. Using the following chart, answer questions 85, 86, and 87 about the organization’s adoption of the technology.
Ben’s company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity?
At point B, what problem is likely to occur?
What should Ben do if the FAR and FRR shown in this diagram do not provide an acceptable performance level for his organization’s needs?
What LDAP authentication mode can provide secure authentication?
Which of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors?
What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider?
Jim is implementing a cloud identity solution for his organization. What type of technology is he putting in place?
RAID-5 is an example of what type of control?
When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?
What open protocol was designed to replace RADIUS—including support for additional commands and protocols, replacing UDP traffic with TCP, and providing for extensible commands—but does not preserve backward compatibility with RADIUS?
LDAP distinguished names (DNs) are made up of comma-separated components called relative distinguished names (RDNs) that have an attribute name and a value. DNs become less specific as they progress from left to right. Which of the following LDAP DNs best fits this rule?
Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue?
Kerberos, KryptoKnight, and SESAME are all examples of what type of system?
Which of the following types of access controls do not describe a lock?
What authentication protocol does Windows use by default for Active Directory systems?
Alex configures his LDAP server to provide services on 636 and 3269. What type of LDAP services has he configured based on LDAP’s default ports?