- Ryan is concerned about integrity attacks against his organization's sales database. Which one of the following SQL commands is least likely to result in an integrity issue?
A. SELECT
B. INSERT
C. UPDATE
D. DELETE
- Which one of the following technologies is not commonly used as part of a single sign-on (SSO) implementation?
A. OAuth
B. IPSec
C. OpenID
D. SAML
- Consider the statistics shown in the following table for a biometric authentication system. Based on this data, what is the system's FRR?
Figure 4.1
A. 1%
B. 2%
C. 8%
D. 16%
- In an authentication system using the mandatory access control (MAC) model, who determines what users may access an object?
A. The user
B. The object owner
C. The system administrator
D. The system
- TJ is designing the authentication system for an online gambling website that is restricted for use by residents of a single US state. What type of access control should TJ implement to ensure that his organization does not run afoul of the law?
A. Role-based access control
B. Multifactor authentication
C. Token-based authentication
D. Location-based access control
- Thelma is configuring a new web server running Apache. Apache requires an account to read the files contained in the /var/www directory. What type of account should Thelma use for this access?
A. Root account
B. Guest account
C. Service account
D. Administrator account
- Helen's organization has a password policy that does not enforce complexity requirements. What is the major disadvantage of this approach?
A. Attackers can use social engineering to extract simple passwords from users.
B. Attackers can easily brute force passwords that are short.
C. Attackers can easily brute force passwords that draw from a limited character set.
D. Attackers may use reverse hashing to decrypt simple passwords.
- Victoria is implementing an authentication system where the user is asked to speak a predefined passcode into a microphone. The system then verifies that the speaker's voice matches their enrollment sample and that the passcode is correct. How many authentication factors are at play in this scenario?
A. Zero
B. One
C. Two
D. Three
- Lila is concerned about the security of a database table that contains Social Security Numbers. The organization needs to maintain this information for tax reporting purposes, but Lila wants to make sure that the database administrators are unable to access this very sensitive field. Which one of the following security controls would best meet Lila's need?
A. Database activity monitoring
B. Field-level hashing
C. Database access controls
D. Field-level encryption
- Which one of the following account types should be assigned the highest priority for account activity logging?
A. Temporary user accounts
B. Guest accounts
C. Service accounts
D. Standard user accounts
- Colleen's company would like to manage administrator credentials by creating them in such a manner that nobody has knowledge of the root password for a system and the password is stored in an electronic vault. What mechanism should Colleen implement to ensure that administrators are not locked out of the system in the event of an access control failure?
A. Emergency access procedure
B. Redundant passwords
C. Give a manager the passwords
D. Multifactor authentication
- Which one of the following assertions can NOT be made by validating the card authentication certificate on a US government PIV card?
A. The holder of the credential is the same individual the card was issued to.
B. The card has not expired.
C. The card has not been revoked.
D. The card was issued by an authorized entity.
- Carla is examining a point-of-sale terminal and sees the prepopulated login screen shown here. What type of account is most likely being used in this scenario?
Figure 4.2
A. Privileged account
B. Shared account
C. Guest account
D. Superuser account
- Wanda is concerned about the likelihood of privilege creep in her organization. Which one of the following activities is likely to uncover the most comprehensive listing of privilege creep situations that can then be remediated?
A. Permission auditing
B. Usage auditing
C. Policy review
D. User termination audit
- Tim is a member of several NTFS groups and is attempting to access a file stored on an NTFS volume. The permissions that apply from each of his group memberships are shown here. What is the end result of these permissions when Tim attempts to access the file?
Figure 4.3
A. Tim can't read or write to the file.
B. Tim can read the file but not write to it.
C. Tim can write to the file but not read it.
D. Tim can both read and write the file.
- What network port is used for communications related to the Kerberos authentication process?
A. UDP port 636
B. TCP port 88
C. UDP port 88
D. TCP port 636
- Paula is reviewing her organization's account management life cycle. She is paying particular attention to the timeliness of account management activities and would like to prioritize areas that have the greatest risk. Which one of the following activities should be her highest priority?
A. Access modifications
B. Onboarding
C. Access reviews
D. Offboarding
- Nancy is configuring a user account and is setting the permissions that are shown here. What type of permissions is Nancy setting?
Figure 4.4
A. Location-based restrictions
B. Content-based restrictions
C. Role-based restrictions
D. Time-based restrictions
- When using CHAP authentication, what does the server send to the client in the second step of the handshake?
A. Password
B. Hash
C. Challenge
D. Certificate
- Barry is reviewing the password settings on his Windows domain and discovers that the domain is set to expire passwords every 60 days. Which one of the following actions should Barry take to align his organization with industry best practices?
A. Remove the password expiration period.
B. Extend the password expiration period to 180 days or more.
C. Shorten the password expiration period to 30 days or less.
D. No action is necessary.
- Brian is implementing geofencing as a component of his access control system. What type of control is he implementing?
A. Role-based access control
B. Group-based access control
C. Location-based access control
D. Time-based access control
- Molly's organization has a shared account that they use to provide access to vendors. What is the primary security objective that is sacrificed by using this model, assuming that the password is not shared with unauthorized individuals?
A. Integrity
B. Least privilege
C. Confidentiality
D. Accountability
- Review the Google Authenticator screenshot shown here. What protocol is being used to generate passcodes by this software token?
Figure 4.5
A. LOTP
B. HOTP
C. KOTP
D. TOTP
- Which one of the following biometric technologies is most likely to be affected by a person's race?
A. Facial recognition
B. Fingerprint recognition
C. Iris recognition
D. Hand geometry
- When digital certificates are used for the authentication of a user to a server, what is the primary purpose of the digital certificate?
A. To convey a signed copy of the server's public key
B. To convey a signed copy of the user's private key
C. To convey a signed copy of the user's public key
D. To convey a signed copy of the server's private key
- Tina is designing a recovery mechanism for her organization's authentication system and provides each user with a card containing several one-time use passwords for use in the event their smartphone app malfunctions. What type of authentication factor are these one-time passwords?
A. Something you have
B. Something you know
C. Somewhere you are
D. Something you are
- Taylor is accessing a website that would like to access information stored in her Google account. The site makes a request to access that information using the OAuth protocol. In this scenario, who is the OAuth resource owner?
A. Taylor
B. Google
C. Website
D. Both Google and the website
- What is the primary feature that distinguishes a smart card from other types of access card?
A. Presence of a magnetic stripe
B. Presence of an integrated circuit
C. The requirement to enter a PIN or password
D. Compatibility with biometric authentication
- Corey would like to implement a multifactor authentication system for physical access to his data center. He is currently using a fingerprint scanner. Which one of the following would be the best second authentication technique to use in combination with the fingerprint scanner?
A. Voiceprint analysis
B. Security question
C. ID card
D. Retinal scan
- Consider the US government personal identity verification (PIV) card shown here. When the individual presents a card to an appropriate system for verification, what element allows the validator to verify the identity of the PIV user?
Figure 4.6
A. Encryption certificate
B. Card authentication certificate
C. Digital signature certificate
D. PIV authentication certificate
- Barry is troubleshooting authentication problems for his organization's VPN. The VPN uses a RADIUS backend for authentication and Barry would like to monitor this traffic. What ports are associated with RADIUS?
A. UDP ports 1812 and 1813
B. TCP ports 1812 and 1813
C. UDP ports 1433 and 1521
D. TCP ports 1433 and 1521
- Ken would like to configure his organization's password security policy to be in line with current NIST guidelines. What is the minimum password length that Ken should require to be consistent with those guidelines?
A. 6 characters
B. 8 characters
C. 12 characters
D. No minimum
- Which of the following services are supported by the TACACS+ protocol?
A. Authentication, authorization, and accounting
B. Authentication only
C. Authentication and authorization
D. Authentication and accounting
- Which one of the following techniques is the least secure approach to a "something you have" authentication factor?
A. SMS message
B. Physical token
C. Smartphone app
D. Smartcard
- Erin would like to assess the impact of several overlapping Windows GPOs and determine the effective result of those policies. Which tool is best suited for this task?
A. dcpromo
B. gpedit
C. gpresult
D. gpupdate
- Roger uses his fingerprint to unlock his laptop. What authentication factor was used in this example?
A. Biometric authentication
B. Token-based authentication
C. Location-based authentication
D. Knowledge-based authentication
- Which one of the following biometric access control mechanisms generally takes the longest time to recognize a user?
A. Fingerprint scan
B. Iris scan
C. Facial recognition
D. Retinal scan
- Before accessing a wire transfer website, Harry's bank requires that he provide a password, a security PIN, and answer several security questions. How many distinct authentication factors is this system using?
A. 0
B. 1
C. 2
D. 3
- Tim recently set the attribute shown here on a group of Windows user accounts. His organization has the following security requirements:
1. Passwords must be at least 10 characters.
2. Passwords must contain characters from three different character classes.
3. Passwords may not contain the user's account name.
Which of these requirements are met by the setting shown here?
Figure 4.7
A. Requirements 1 and 2
B. Requirements 2 and 3
C. Requirements 1, 2, and 3
D. Requirements 1 and 3
- Carl would like to implement a recertification process for vendors with accounts allowing access to systems in his organization. What access management control can best facilitate this?
A. Password complexity
B. Account expiration
C. Least privilege
D. Job rotation
- Which one of the following protocols is considered secure for use in an authentication system without the use of any compensating controls?
A. PAP
B. MS-CHAP
C. MS-CHAP v2
D. Kerberos
- Which one of the following is a large-scale federated identity management solution that is widely used mainly in academic institutions?
A. Kerberos
B. Shibboleth
C. OAuth
D. OpenID Connect
- Martin is concerned about the misuse of legitimate privileges by employees, otherwise known as the insider threat. Which one of the following activities would best serve as a control against this threat?
A. Privilege auditing
B. Usage auditing
C. Multifactor authentication
D. Credential management
- Lisa is evaluating a set of Group Policy Objects that have been applied to a Windows account. Which one of the following policies will be processed first?
A. Organizational Unit policy
B. Site policy
C. Domain policy
D. Local policy
- Tom is designing a password reset mechanism for his organization and would like to require a personal visit to a help desk. Which one of the following statements is not correct?
A. Users should be permitted to reset passwords in person.
B. Users reporting to the help desk should be asked for proof of identification.
C. Use of a help desk reset approach is burdensome on both users and staff.
D. Users reporting to the help desk should provide an old, expired password if possible.
- Which one of the following is a best practice for the management of privileged accounts on a server?
A. Privileged accounts should be shared between administrators.
B. Administrative users should have both privileged and unprivileged accounts.
C. Privileged accounts should not be protected by passwords.
D. Privileged accounts should be exempted from standard password management practices.
- Frank would like to set his organization's password length requirements to align with industry best practices. What should he set as the maximum password length?
A. 8 characters
B. 16 characters
C. 255 characters
D. No maximum
- Greg is designing authentication controls for a system that is accessed by employees in branch offices. There is no need for mobile or remote users to access the system. What authentication factor could Greg implement to prevent users from accessing the system remotely?
A. Something you have
B. Something you are
C. Somewhere you are
D. Something you know
- Which one of the following is an implementation of a mandatory access control system?
A. SELinux
B. NTFS
C. Google Drive
D. Mac OS X
- Taylor works for an organization that experiences high turnover in employees, particularly at their call center and retail stores. She would like to implement an access control system that minimizes work. Which one of the following actions will best reduce the workload on the access management team while maintaining security?
A. Implement group-based access control
B. Implement a permissive access control model
C. Implement mandatory access control
D. Implement personalized access control for each employee
- In a normal RADIUS authentication session, what is the first message that's sent by the client to the server?
A. Access-Reject
B. Access-Request
C. Access-Challenge
D. Access-Accept
- Tom is deciding whether to implement a standard account naming practice for his organization. Which one of the following statements best reflects the accepted best practices regarding this topic?
A. Organizations should adopt standard naming conventions to make account identification easier.
B. Organizations should not adopt standard naming conventions because it makes account names easy to guess.
C. Organizations should not adopt standard naming conventions because it facilitates social engineering.
D. Organizations should not adopt standard naming conventions because it violates the principle of security through obscurity.
- In a discretionary access control (DAC) system, who is primarily responsible for assigning permissions to access objects for a user?
A. User
B. Object owners
C. System administrator
D. The system itself
- What type of access control is performed by a standard network firewall?
A. Role-based access control
B. Rule-based access control
C. Mandatory access control
D. Attribute-based access control
- Group Policy Objects (GPOs) are components of what access control system?
A. Active Directory
B. Kerberos
C. RADIUS
D. TACACS+
- Tonya is considering the use of a voice recognition system for authentication purposes. She is concerned about the use of recordings to fool the system. What technology can she include in her design to best reduce the risk of this type of attack?
A. Passcode
B. Hashing
C. Encryption
D. Challenge/response
- Helen recently moved from the marketing department to the sales department and retained the permissions that were assigned to her previous job, despite the fact that they are no longer necessary. What security principle does this violate?
A. Security through obscurity
B. Separation of duties
C. Two-person control
D. Least privilege
- Brenda is assisting a user who is traveling on business and is unable to access a critical system. Brenda is able to access the system herself and the user was able to access it last week from the office. The user is connected to the VPN and is still having the same issue. What type of access restriction is most likely in place?
A. Role-based restriction
B. Time-based restriction
C. Location-based restriction
D. Content-based restriction
- This diagram shows the results of testing the accuracy of a biometric authentication system. What characteristic is designated by the arrow?
Figure 4.8
A. FAR
B. CER
C. FRR
D. IRR
- When using an attribute-based access control (ABAC) model, what attributes are available to the authorization system for analysis?
A. User and system attributes only
B. User attributes, system attributes, and environmental attributes
C. User attributes only
D. System attributes only
- Which one of the following principles describes the basic concept of access control that should be enforced by every network firewall?
A. Explicit deny
B. Implicit deny
C. Implicit allow
D. Explicit allow
- In a Kerberos authentication scheme, the client sends an authenticator to the ticket-granting server (TGS) when requesting a service ticket. How does the client encrypt this authenticator?
A. The client encrypts the authenticator with the client's private key.
B. The client encrypts the authenticator with the TGS public key.
C. The client encrypts the authenticator with the TGS session key.
D. The client does not encrypt the authenticator.
- In a network using 802.1x authentication, which device normally contains the 802.1x supplicant?
A. Authenticator
B. End-user system
C. Authentication server
D. Service server
- When you enter a password into a system, what activity are you engaged in?
A. Authentication
B. Identification
C. Authorization
D. Accounting
- Randi is configuring authentication for a SQL Server database and would like to ensure that user accounts are disabled when they leave the organization. Which one of the following approaches would best meet her requirement?
A. Windows authentication
B. SQL server authentication
C. Mixed mode authentication
D. No authentication
- Brent is the CISO for Sorin Sprockets, a manufacturer of industrial products. He is designing a federated authentication system where users from Domer Industries, one of his organization's suppliers, will use their accounts to access systems in the Sorin Sprockets domain. Which one of the following statements is correct about this relationship?
A. There must be a transitive trust relationship between Domer Industries and Sorin Sprockets.
B. Domer Industries must have a trust relationship with Sorin Sprockets.
C. There must be a two-way trust relationship between Domer Industries and Sorin Sprockets.
D. Sorin Sprockets must have a trust relationship with Domer Industries.
- Which one of the following authentication protocols is an appropriate protocol for performing administrator authentication on network devices?
A. STACACS
B. XTACACS
C. TACACS
D. TACACS+
- Ryan attempts to log in to AcmeSocial, a social networking website. The website allows him to log in with his HMail account through the use of SAML authentication. In this scenario, who is the SAML principal?
A. Both HMail and Acme Social
B. AcmeSocial
C. HMail
D. Ryan
- During what stage of the account management life cycle should a user receive their first exposure to security awareness training?
A. Onboarding
B. Deprovisioning
C. Renewal
D. Privilege assignment
- What protocol is normally used for communication between an authenticator and authentication server on a network using 802.1x authentication?
A. XTACACS
B. TACACS
C. RADIUS
D. TACACS+
- Thomas is configuring the security for a specialized computing system that will be used in a high-security environment. This system will assign tags to each file based upon their classification and users will only be able to access information that matches their security clearance. What type of security model is Thomas implementing?
A. ABAC
B. DAC
C. MAC
D. RBAC
- Which one of the following statements about iris recognition technology is incorrect?
A. Iris recognition technology has a very low false acceptance rate.
B. Iris patterns may be recognized from a distance.
C. Iris patterns change gradually during a person's lifetime.
D. Iris recognition scanners can be fooled by an image of a face.
- Carrie approaches the door to a physical facility and places her finger on a scanner. When she does so, the scanner displays the message "OK" and the door unlocks. Which one of the following steps has not occurred?
A. Authentication
B. Authorization
C. Identification
D. Two-factor authentication
- Yolanda is concerned about brute force attacks against her Windows system. Which one of the following controls is a good security practice that reduces the likelihood of a successful brute force attack?
A. Expire the Administrator account password monthly.
B. Rename the Administrator account.
C. Disable the Administrator account.
D. Encrypt the contents of the Administrator account.
- Which one of the following is a reasonable approach to handling failed authentication attempts against a password-based authentication system?
A. Disabling a user account after three incorrect attempts.
B. Require an exponentially increasing timeout period between login attempts.
C. Lock a user account after five incorrect login attempts.
D. Require 5 seconds between login attempts.
- Riley is securing an application that uses PAP authentication. Which one of the following statements is correct about PAP?
A. PAP can't perform reliable, repeatable authentication.
B. PAP does not encrypt credentials and is insecure.
C. PAP implementations are only possible on Token Ring networks.
D. PAP is widely used for VPN authentication.
- Which one of the following is an example of biometric authentication control?
A. Password
B. Fingerprint scan
C. Smart card
D. Keyfob token
- Gavin is managing the access control system for his organization. Users often change jobs and he would like to select an approach that will make it easy to reassign permissions when users move around the organization. Which access control model is best suited for his needs?
A. MAC
B. ABAC
C. DAC
D. RBAC
- After a user enters an incorrect password, many authentication systems record this activity in an authentication log. What phase of the identity and access management process is taking place?
A. Identification
B. Authentication
C. Accounting
D. Authorization
- Kip is preparing to conduct a privilege usage audit of his organization's database servers. Which one of the following data sources would be least helpful to him in this exercise?
A. Organization chart
B. Database access logs
C. Network firewall logs
D. Asset classification information
- Ron is designing a user awareness program intended to improve password security practices. Of the practices listed here, which poses the greatest risk to organizations?
A. Use of passwords that are more than a year old
B. Use of passwords less than 12 characters long
C. Use of passwords that do not contain special characters
D. Reuse of passwords on multiple sites
- Randy is building a multifactor authentication system that requires users to enter a passcode and then verifies that their face matches a photo stored in the system. What two factors is this system using?
A. Something you know and something you have
B. Something you have and something you know
C. Something you have and something you are
D. Something you know and something you are
- When creating a web application based upon the OAuth 2.0 standard, what authentication protocol is often the simplest choice?
A. Digital certificates
B. RADIUS
C. Kerberos
D. OpenID Connect
- Which one of the following authentication factors is the most difficult to practically implement?
A. Something you are
B. Something you do
C. Something you have
D. Something you know
- Val would like to configure her organization's password security policy to comply with industry best practices. How many passwords should she keep in a password history to prevent password reuse?
A. 0
B. 1
C. 5
D. 8
- Which one of the following devices is most likely to serve as an authenticator in an 802.1x network authentication scenario?
A. Laptop with a wireless connection
B. Desktop with a wired connection
C. Wireless access point
D. RADIUS server
- What type of security card is shown here?
Figure 4.9
A. Proximity card
B. Smart card
C. Magnetic stripe card
D. Common access card (CAC)
- Consider the statistics shown here for a biometric authentication system. Based on this data, what is the system's FAR?
Figure 4.10
A. 2%
B. 4%
C. 5%
D. 10%
- Consider the OpenLDAP password hashes shown here. Which user has the most secure password storage mechanism?
Figure 4.11
A. User 1
B. User 2
C. User 3
D. User 4
- Beth used the "Sign in with Facebook" feature to access a website hosted by The Washington Post. This feature uses SAML-based authentication. In this scenario, what role is being played by The Washington Post?
A. Identity provider
B. User agent
C. Service provider
D. Certificate authority
- In Kerberos authentication, which one of the following components is responsible for verifying that a user's password (or other credentials) is valid and correct?
A. Client
B. AS
C. Service
D. TGS
- Gina is configuring an access control system for a college that will examine a user's identity profile when determining whether to grant access to resources. Students will be granted access to limited files, while faculty and staff will have broader access. Faculty and staff access may be further segmented based upon their department, title, and other identity attributes. What type of access control system is Gina designing?
A. ABAC
B. DAC
C. MAC
D. SLAC
- Consider the transitive trust relationships shown here. Ben has a user account in Domain D. Which domains can Ben use his account in so that he can access resources?
Figure 4.12
A. Domains A, B, C, and D
B. Domain D only
C. Domains A, B, and D only
D. Domains A and B only
- When creating a role-based access control system, what mechanism can best be used to assign permissions to individuals in the same job role?
A. Policy templates
B. Group policy
C. Standard procedures
D. Administrator training
- Jane is seeking to enforce role-based access restrictions in her organization. Which one of the following technologies would allow her to enforce these restrictions across a variety of systems?
A. Oracle database permissions
B. NTFS access control lists
C. Cisco access control lists
D. Active Directory group policy
- John approaches a security guard and hands her the smart card shown here. The guard conducts a physical inspection of the card and pulls up an image of it on her system to verify that it is authentic. How many authentication factors has John successfully completed at this point?
Figure 4.13
A. Zero
B. One
C. Two
D. Three
- Which one of the following is not an example of a privileged account on a server?
A. Shared account
B. Root account
C. Service account
D. Administrator account
- Paul is designing a system that will allow users from Acme Corporation, one of his organization's vendors, to access Paul's accounts payable system using the accounts provided by Acme Corporation. What type of authentication system is Paul attempting to design?
A. Single sign-on
B. Transitive trust
C. Federated authentication
D. Multifactor authentication
- Which one of the following attacks is a critical threat that applies specifically to NTLM authentication?
A. Rainbow table
B. Brute force
C. Pass-the-hash
D. Man-in-the-middle