CISSP Cybex chap 5

Title of test: CISSP Cybex chap 5
Description: CISSP Cybex chap 5
Jim’s organization‐wide implementation of IDaaS offers broad support for cloud‐based applications. Jim’s company does not have internal identity management staff and does not use centralized identity services. Instead, they rely upon Active Directory for AAA services. Which of the following options should Jim recommend to best handle the company’s on‐site identity needs?
- Integrate on‐site systems using OAuth.
- Use an on‐premises third‐party identity service.
- Integrate on‐site systems using SAML.
- Design an internal solution to handle the organization’s unique needs.

What role does a policy enforcement point play in a zero trust environment?
- It makes decisions for the policy engine.
- It is the workstation or mobile device used by the end user.
- It deploys role‐based access controls based on local policy.
- It receives authorization requests and sends them to the policy decision point.

Voice pattern recognition is what type of authentication factor?
- Something you know.
- Something you have.
- Something you are.
- Somewhere you are.

If Susan’s organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct authentication factor types has she used?
- 1
- 2
- 3
- 4

Charles wants to deploy a credential management system (CMS). He wants to keep the keys as secure as possible. Which of the following is the best design option for his CMS implementation?
- Use AES‐256 instead of 3DES.
- Use long keys.
- Use an HSM.
- Change passphrases regularly.

Brian is a researcher at a major university. As part of his research, he logs into a computing cluster hosted at another institution using his own university’s credentials. Once logged in, he is able to access the cluster and use resources based on his role in a research project, as well as using resources and services in his home organization. What has Brian’s home university implemented to make this happen?
- Domain stacking.
- Federated identity management.
- Domain nesting.
- Hybrid login.
When Sally attempts to authenticate to her organization’s services, she knows that the organization uses a mobile device management tool to check her location and whether she’s logging in from her company‐issued mobile device. What type of authentication is this?
- Context‐aware.
- Knowledge‐based.
- Identity factoring.
- Zero trust.

What major issue often results from decentralized access control?
- Access outages may occur.
- Control is not consistent.
- Control is too granular.
- Training costs are high.

Callback to a landline phone number is an example of what type of factor?
- Something you know.
- Somewhere you are.
- Something you have.
- Something you are.

What common behavior drives the NIST recommendation that passwords should not expire?
- Attackers would not have enough time to compromise passwords if they expired.
- Users often make minimal changes to passwords to handle change requirements.
- Password expiration leads to too little support overhead.
- Re‐hashing passwords when changes are required is computationally intensive.

Sameer’s organization needs to perform identity proofing for new customers. What type of authentication is best suited to identity proofing in this scenario?
- Cognitive passwords.
- Knowledge‐based authentication.
- Palm scans.
- USB tokens.

Alex’s job requires him to see protected health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?
- Separation of duties.
- Constrained interfaces.
- Context‐dependent control.
- Need to know.

Please use your knowledge of password policies and their application to answer the question. With a password history set, Ifeoma wants to prevent users from resetting their password multiple times to allow them to return to their original password. What setting should she apply?
- A password complexity requirement.
- A maximum password age.
- A minimum password age.
- A password length requirement.

Please use your knowledge of password policies and their application to answer the question. With her organization’s password behavior under control, Ifeoma wants to ensure that a lost password will not result in easy compromise of her company’s accounts. Which of the following controls provides the best protection against password loss or exposure‐related compromise?
- MFA.
- SSO.
- Federation.
- Password rotation.

Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
- Retina scans can reveal information about medical conditions.
- Retina scans are painful because they require a puff of air in the user’s eye.
- Retina scanners are the most expensive type of biometric device.
- Retina scanners have a high false positive rate and will cause support issues.

Mandatory access control is based on what type of model?
- Discretionary.
- Group‐based.
- Lattice‐based.
- Rule‐based.

Greg wants to control access to iPads used throughout his organization as point‐of‐sale terminals. Which of the following methods should he use to allow logical access control for the devices in a shared environment?
- Use a shared PIN for all point‐of‐sale terminals to make them easier to use.
- Use OAuth to allow cloud logins for each user.
- Issue a unique PIN to each user for the iPad they are issued.
- Use Active Directory and user accounts for logins to the iPads using the AD user ID and password.

What is the best way to provide accountability for the use of identities?
- Logging.
- Authorization.
- Digital signatures.
- Type 1 authentication.

Biba is what type of access control model?
- MAC.
- DAC.
- Role BAC.
- ABAC.

Which of the following is a client‐server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
- Kerberos.
- EAP.
- RADIUS.
- OAuth.
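The two Ifeoma questions above turn on how password history and minimum password age interact: history alone can be defeated by changing the password N+1 times in a row, and only a minimum age stops that. The following is an added example (not code from the practice test, from Sybex, or from any directory product) that models both settings; the policy defaults, the PBKDF2 hash, and the one-day minimum age are assumptions chosen for illustration.

```python
"""Toy model of password history + minimum password age.

Added example, not from the practice test or any vendor implementation.
Scenario modelled: a user under a history of N passwords tries to get back
to the original password by changing it N+1 times in quick succession.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional
import hashlib
import secrets

PBKDF2_ROUNDS = 50_000  # assumed; real deployments tune this to their hardware


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for whatever hash the directory service uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordPolicy:
    history_size: int = 5                      # remembered old passwords (assumed default)
    min_age: timedelta = timedelta(days=1)     # time before the next change is allowed
    min_length: int = 12


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    history: List[bytes] = field(default_factory=list)   # most recent last
    last_change: Optional[datetime] = None


def change_password(acct: Account, policy: PasswordPolicy,
                    new_password: str, now: datetime) -> str:
    """Apply the policy; returns 'ok' or the reason the change was refused."""
    if len(new_password) < policy.min_length:
        return "too-short"
    if acct.last_change is not None and now - acct.last_change < policy.min_age:
        return "min-age"
    digest = _hash(new_password, acct.salt)
    # The history window includes the current password, so immediate reuse fails too.
    if digest in acct.history[-policy.history_size:]:
        return "in-history"
    acct.history.append(digest)
    acct.last_change = now
    return "ok"


def cycle_back(history_size: int, min_age_days: float, original: str,
               seconds_between_changes: int = 10) -> bool:
    """Try to return to `original` by burning through the history.

    Returns True if the user ends up with `original` accepted again, which is
    exactly what a minimum password age is meant to prevent."""
    policy = PasswordPolicy(history_size=history_size,
                            min_age=timedelta(days=min_age_days))
    acct = Account()
    t = datetime(2024, 1, 1)
    if change_password(acct, policy, original, t) != "ok":
        return False
    for i in range(history_size):
        t += timedelta(seconds=seconds_between_changes)
        if change_password(acct, policy, f"throwaway-password-{i}", t) != "ok":
            return False                      # blocked before the history was flushed
    t += timedelta(seconds=seconds_between_changes)
    return change_password(acct, policy, original, t) == "ok"


if __name__ == "__main__":
    print("history only, no min age:", cycle_back(5, 0, "CorrectHorseBatteryStaple"))
    print("history + 1 day min age: ", cycle_back(5, 1, "CorrectHorseBatteryStaple"))
```

With `min_age_days=0` the six changes take a minute and the original password is accepted again; with a one-day minimum age the second change is refused with `min-age`, so the history is never flushed.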
Henry is working with a web application development team on their authentication and authorization process for his company’s new application. The team wants to make session IDs as secure as possible. Which of the following is not a best practice that Henry should recommend?
- The session ID token should be predictable.
- The session ID should have at least 64 bits of entropy.
- The session length should be at least 128 bits.
- The session ID should be meaningless.

Angela uses her smartphone’s built‐in biometric authentication and an application provided by her employer to log into her account. What type of authentication has she used?
- Extended.
- Passwordless.
- Alternative.
- SPOT.

What type of access control best describes NAC’s posture assessment capability?
- A mandatory access control.
- A risk‐based access control.
- A discretionary access control.
- A role‐based access control.

When an application or system allows a logged‐in user to perform specific actions, it is an example of what?
- Roles.
- Group management.
- Logins.
- Authorization.

Geoff wants to prevent privilege escalation attacks in his organization. Which of the following practices is most likely to prevent horizontal privilege escalation?
- Multifactor authentication.
- Limiting permissions for groups and accounts.
- Disabling unused ports and services.
- Sanitizing user inputs to applications.

Jim’s Microsoft Exchange environment includes servers that are located in local data centers at multiple business offices around the world as well as an Office 365 deployment for employees who are not located at one of those offices. Identities are created and used in both environments and will work in both. What type of federated system is Jim running?
- A primary cloud system.
- A primary on‐premises system.
- A hybrid system.
- A multitenant system.

What type of access control scheme is shown in the following table?
- RBAC.
- DAC.
- MAC.
- TBAC.
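The table for the question just above is not reproduced on this page, but the access-control-matrix question later in the set (Madhuri’s table of subjects, objects and privileges) uses the same structure, so one added example serves both. The code below is not from the practice test; the subjects, objects and rights are constructed sample data. It builds a matrix and shows its two usual projections: an ACL is one column (per object) and a capability list is one row (per subject). The `grant` function adds the discretionary flavour, where only a subject holding `own` on an object can hand out rights to it.

```python
"""Access control matrix, with ACL and capability-list views and a DAC-style grant.

Added example for the access-control-scheme questions; all data is constructed.
"""
from typing import Dict, FrozenSet, Set

Right = str
Matrix = Dict[str, Dict[str, FrozenSet[Right]]]

# Constructed matrix: rows are subjects, columns are objects, cells are rights.
MATRIX: Matrix = {
    "alice": {"payroll.db": frozenset({"own", "read", "write"}),
              "hr-notes.txt": frozenset({"read"})},
    "bob":   {"payroll.db": frozenset({"read"})},
    "carol": {"hr-notes.txt": frozenset({"own", "read", "write"}),
              "backup.tar": frozenset({"execute"})},
}


def acl(matrix: Matrix, obj: str) -> Dict[str, FrozenSet[Right]]:
    """Column view: who can do what to one object (what a filesystem stores per file)."""
    return {s: rights[obj] for s, rights in matrix.items() if obj in rights}


def capability_list(matrix: Matrix, subject: str) -> Dict[str, FrozenSet[Right]]:
    """Row view: everything one subject may do (a capability table or ticket)."""
    return dict(matrix.get(subject, {}))


def is_allowed(matrix: Matrix, subject: str, obj: str, right: Right) -> bool:
    """The per-access check: look up the cell. Unknown subject or object means
    no rights, so the check fails closed."""
    return right in matrix.get(subject, {}).get(obj, frozenset())


def grant(matrix: Matrix, granter: str, subject: str, obj: str, right: Right) -> bool:
    """DAC rule (assumed for this example): only a subject with 'own' on the
    object may extend rights to it. Returns True if the matrix was changed."""
    if not is_allowed(matrix, granter, obj, "own"):
        return False
    row = matrix.setdefault(subject, {})
    row[obj] = row.get(obj, frozenset()) | {right}
    return True


def all_objects(matrix: Matrix) -> Set[str]:
    return {o for rights in matrix.values() for o in rights}


if __name__ == "__main__":
    print("ACL for payroll.db:", acl(MATRIX, "payroll.db"))
    print("capabilities of carol:", capability_list(MATRIX, "carol"))
    print("bob write payroll.db?", is_allowed(MATRIX, "bob", "payroll.db", "write"))
```

The same matrix can be presented in both forms; the difference is only which axis the system stores and consults, and that choice decides how cheap it is to answer "who can touch this file" versus "what can this user touch" during reviews.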
Michelle’s company is creating a new division by splitting the marketing and communications departments into two separate groups. She wants to create roles that provide access to resources used by each group. What should she do to maintain the appropriate security and rights for each group?
- Put both the marketing and communications teams into the existing group because they will have similar access requirements.
- Keep the marketing team in the existing group and create a new communications group based on their specific needs.
- Keep the communications team in the existing group and create a new marketing group based on their specific needs.
- Create two new groups, assess which rights they need to perform their roles, and then add additional rights if required.

Which of the following is a common account setting for a service account?
- Disable password expiration.
- Set maximum password age to 90 days.
- Set minimum password age to 1 day.
- Disable complexity requirements.

Susan’s organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute‐force attacks?
- Change the maximum age from 1 year to 180 days.
- Increase the minimum password length from 8 characters to 16 characters.
- Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.
- Retain a password history of at least four passwords to prevent reuse.

Alaina is performing a regularly scheduled review for service accounts. Which of the following events should she be most concerned about?
- An interactive login for the service account.
- A password change for the service account.
- Limitations placed on the service account’s rights.
- Local use of the service account.

When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?
- When security is more important than usability.
- When false rejection is not a concern due to data quality.
- When the CER of the system is not known.
- When the CER of the system is very high.

After recent reports of undesired access to workstations after hours, Derek has been asked to find a way to ensure that maintenance staff cannot log into workstations in business offices. The maintenance staff members do have systems in their break rooms and their offices for the organization, which they still need access to. What should Derek do to meet this need?
- Require multifactor authentication and allow only office staff to have multifactor tokens.
- Use rule‐based access control to prevent logins after hours in the business area.
- Use role‐based access control by setting up a group that contains all maintenance staff and then give that group rights to log into only the designated workstations.
- Use geofencing to only allow logins in maintenance areas.

Nick wants to do session management for his web application. Which of the following are common web application session management techniques or methods? (Select all that apply.)
- IP tracking.
- Cookies.
- URL rewriting.
- TLS tokens.

Alex is in charge of SAML integration with a major third‐party partner that provides a variety of business productivity services for his organization.
- Use SAML’s secure mode to provide secure authentication.
- Implement TLS using a strong cipher suite, which will protect against both types of attacks.
- Implement TLS using a strong cipher suite and use digital signatures.
- Implement TLS using a strong cipher suite and message hashing.

Alex is in charge of SAML integration with a major third‐party partner that provides a variety of business productivity services for his organization. If Alex’s organization is one that is primarily made up of off‐site, traveling users, what availability risk does integration of critical business applications to on‐site authentication create, and how could he solve it?
- Third‐party integration may not be trustworthy; use SSL and digital signatures.
- If the home organization is offline, traveling users won’t be able to access third‐party applications; implement a hybrid cloud/local authentication system.
- Local users may not be properly redirected to the third‐party services; implement a local gateway.
- Browsers may not properly redirect; use host files to ensure that issues with redirects are resolved.

Alex is in charge of SAML integration with a major third‐party partner that provides a variety of business productivity services for his organization. What solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagram?
- An awareness campaign about trusted third parties.
- TLS.
- Handling redirects at the local site.
- Implementing an IPS to capture SSO redirect attacks.

Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
- MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed.
- DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility.
- MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well.
- DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority.

Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization’s security policy is being followed?
- Log review.
- Manual review of permissions.
- Signature‐based detection.
- Review the audit trail.
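The FRR/FAR question above (and the fingerprint "logged into another customer’s account" question later in the set, which is a false acceptance) both depend on how the matching threshold moves the two error rates in opposite directions and where they cross. The following added example is not from the practice test or any biometric vendor; the genuine and impostor match scores are constructed so that the two populations overlap, which is what makes the trade-off unavoidable. It computes FAR and FRR for a threshold and sweeps thresholds to locate the crossover error rate (CER, also called EER).

```python
"""FAR, FRR and crossover error rate from constructed match scores.

Added example; the score samples are invented to illustrate the relationship,
not measurements from any product.
"""
from typing import List, Tuple

# Constructed similarity scores on a 0-100 scale.
# GENUINE  = enrolled user presenting their own biometric.
# IMPOSTOR = a different person presenting theirs against that enrolment.
GENUINE: List[int] = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]
IMPOSTOR: List[int] = [30, 38, 44, 50, 55, 58, 62, 67, 71, 75]


def far(threshold: float, impostor: List[int] = IMPOSTOR) -> float:
    """False acceptance rate: fraction of impostor attempts scoring at or above
    the threshold (a Type 2 error: the wrong person gets in)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold: float, genuine: List[int] = GENUINE) -> float:
    """False rejection rate: fraction of genuine attempts scoring below the
    threshold (a Type 1 error: the right person is turned away)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine: List[int] = GENUINE,
              impostor: List[int] = IMPOSTOR) -> Tuple[int, float]:
    """Integer threshold where |FAR - FRR| is smallest, and the error rate there.
    A coarse integer sweep is enough for these sample scores."""
    best = min(range(0, 101),
               key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return best, (far(best, impostor) + frr(best, genuine)) / 2


def tighter_is_safer(low: float, high: float) -> bool:
    """Raising the threshold from `low` to `high` must not increase FAR and must
    not decrease FRR: the 'security over usability' direction in the question."""
    return far(high) <= far(low) and frr(high) >= frr(low)


if __name__ == "__main__":
    for t in (50, 60, 68, 75, 80):
        print(f"threshold {t}: FAR={far(t):.1f} FRR={frr(t):.1f}")
    print("crossover (threshold, CER):", crossover())
```

Running the sweep shows FAR falling and FRR rising as the threshold climbs; the two meet at threshold 68 with a CER of 0.2 for this sample. An organization that values security over usability picks a threshold above the crossover (here 75 or 80) and accepts the higher FRR that comes with it.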
Jessica wants to adopt an open standard to provide authentication, authorization, and attribute information as part of her cloud identity federation efforts. What standard should she adopt to leverage the flexibility of XML as part of her efforts?
- SAML.
- SOAP.
- OAuth.
- OpenID Connect.

Google’s identity integration with a variety of organizations and applications across domains is an example of which of the following?
- PKI.
- Federation.
- Single sign‐on.
- Provisioning.

Amanda starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?
- Privilege creep.
- Rights collision.
- Least privilege.
- Excessive privileges.

When Chris verifies an individual’s identity and adds a unique identifier like a user ID to an identity system, what process has occurred?
- Identity proofing.
- Registration.
- Directory management.
- Session management.

Selah wants to provide accountability for actions performed via her organization’s main line‐of‐business application. What controls are most frequently used to provide accountability in a situation like this? (Select all that apply.)
- Enable audit logging.
- Provide every staff member with a unique account and enable multifactor authentication.
- Enable time‐ and location‐based login requirements.
- Provide every staff member with a unique account and require a self‐selected password.

Charles wants to provide authorization services as part of his web application. What standard should he use if he wants to integrate easily with other web identity providers?
- OpenID.
- TACACS+.
- RADIUS.
- OAuth.

The company that Cameron works for uses a system that allows users to request privileged access to systems when necessary. Cameron requests access, and the request is pre‐approved due to his role. He is then able to access the system to perform the task. Once he is done, the rights are removed. What type of system is he using?
- Zero trust.
- Federated identity management.
- Single sign‐on.
- Just‐in‐time access.

Elle is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
- Require users to create unique questions that only they will know.
- Require new users to bring their driver’s license or passport in person to the bank.
- Use information that both the bank and the user have such as questions pulled from their credit report.
- Call the user on their registered phone number to verify that they are who they claim to be.

Susan’s organization is part of a federation that allows users from multiple organizations to access resources and services at other federated sites. When Susan wants to use a service at a partner site, which identity provider is used?
- Susan’s home organization’s identity provider.
- The service provider’s identity provider.
- Both their identity provider and the service provider’s identity provider.
- The service provider creates a new identity.

A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged into another customer’s account. What type of biometric factor error occurred?
- A registration error.
- A Type 1 error.
- A Type 2 error.
- A time of use, method of use error.

When you input a user ID and password, you are performing what important identity and access management activity?
- Authorization.
- Validation.
- Authentication.
- Login.

Theresa wants to allow her staff to securely store and manage passwords for systems including service accounts and other rarely used administrative credentials. What type of tool should she implement to enable this?
- Single sign‐on.
- A federated identity system.
- A password vault.
- A multifactor authentication system.

Olivia wants to limit the commands that a user can run via sudo to limit the potential for privilege escalation attacks. What Linux file should she modify to allow this?
- The bash .bin configuration file.
- The sudoers file.
- The bash .allowed configuration file.
- The sudont file.

Which objects and subjects have a label in a MAC model?
- Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label.
- All objects have a label, and all subjects have a compartment.
- All objects and subjects have a label.
- All subjects have a label and all objects have a compartment.

Chris is the identity architect for a growing e‐commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e‐commerce site. This means that when a new user initially connects to the e‐commerce platform, they are given the choice between using their Google account using OAuth 2.0 or creating a new account on the platform using their own email address and a password of their choice. When the e‐commerce application creates an account for a Google user, where should that user’s password be stored?
- The password is stored in the e‐commerce application’s database.
- The password is stored in memory on the e‐commerce application’s server.
- The password is stored in Google’s account management system.
- The password is never stored; instead, a salted hash is stored in Google’s account management system.

Chris is the identity architect for a growing e‐commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e‐commerce site. This means that when a new user initially connects to the e‐commerce platform, they are given the choice between using their Google account using OAuth 2.0 or creating a new account on the platform using their own email address and a password of their choice. Which of the following is responsible for user authentication for Google users?
- The e‐commerce application.
- Both the e‐commerce application and Google servers.
- Google servers.
- The diagram does not provide enough information to determine this.

Chris is the identity architect for a growing e‐commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e‐commerce site. This means that when a new user initially connects to the e‐commerce platform, they are given the choice between using their Google account using OAuth 2.0 or creating a new account on the platform using their own email address and a password of their choice. What type of attack is the creation and exchange of state tokens intended to prevent?
- XSS.
- CSRF.
- SQL injection.
- XACML.

Madhuri creates a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the object. What type of access control system is Madhuri using?
- A capability table.
- An access control list.
- An access control matrix.
- A subject/object rights management system.

Brian’s large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS?
- Use the built‐in encryption in RADIUS.
- Implement RADIUS over its native UDP using TLS for protection.
- Implement RADIUS over TCP using TLS for protection.
- Use an AES256 pre‐shared cipher between devices.

Jim wants to allow cloud‐based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?
- Kerberos.
- OAuth.
- OpenID.
- LDAP.

Ben’s organization has had an issue with unauthorized access to applications and workstations during the lunch hour when employees aren’t at their desk. What are the best types of session management solutions for Ben to recommend to help prevent this type of access?
- Use session IDs for all access and verify system IP addresses of all workstations.
- Set session timeouts for applications and use password‐protected screensavers with inactivity timeouts on workstations.
- Use session IDs for all applications, and use password‐protected screensavers with inactivity timeouts on workstations.
- Set session timeouts for applications and verify system IP addresses of all workstations.

What type of authentication scenario is shown in the following diagram?
- Hybrid federation.
- On‐premise federation.
- Cloud federation.
- Kerberos federation.

A device like Yubikey or Titan Security Key is what type of Type 2 authentication factor?
- A token.
- A biometric identifier.
- A smart card.
- A PIV.

What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API?
- SAML.
- Shibboleth.
- OpenID Connect.
- Higgins.

Jesse wants to access a resource protected by a zero trust solution. What component of the system will he connect through to conduct a transaction?
- The constrained interface.
- The policy engine.
- The policy decision point.
- A policy enforcement point.

Ben uses a software‐based token that changes its code every minute. What type of token is he using?
- Asynchronous.
- Smart card.
- Synchronous.
- Static.

Which of the following is not a commonly used single sign‐on solution for internal networks?
- Kerberos.
- SENTRY.
- RADIUS.
- TACACS+.

Michelle works for a financial services company and wants to register customers for her web application. What type of authentication mechanism could she use for the initial login if she wants to quickly and automatically verify that the person is who they claim to be without having a previous relationship with them?
- Request their Social Security number.
- Use knowledge‐based authentication.
- Perform manual identity verification.
- Use a biometric factor.
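Two of the questions above come down to the same mechanism: unpredictable, opaque tokens generated from a CSPRNG. The session ID question (64 bits of entropy, 128-bit length, meaningless content) and the OAuth 2.0 `state` question (the state token exists to stop a CSRF on the authorization callback, where an attacker tricks a victim’s browser into completing a login with the attacker’s code). The following added example is not code from Google, from the practice test or from any OAuth library; the in-memory session store, the authorization endpoint URL and the callback handling are assumptions for illustration. It issues session IDs the recommended way, shows the predictable anti-pattern beside them, and binds a single-use `state` to the session so a forged callback is refused.

```python
"""Session IDs and the OAuth 2.0 `state` parameter.

Added example; the session store, endpoint URL and callback format are assumed.
"""
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlparse

SESSION_ID_BYTES = 32   # 256 bits from the OS CSPRNG, well above the 64-bit entropy floor
AUTH_ENDPOINT = "https://accounts.example.com/o/oauth2/auth"   # assumed, not Google's


def new_session_id() -> str:
    """Opaque, unpredictable and meaningless: no user ID, timestamp or counter inside."""
    return secrets.token_urlsafe(SESSION_ID_BYTES)


def predictable_session_id(user_id: int, counter: int) -> str:
    """The anti-pattern from the question: one observed ID reveals its neighbours."""
    return f"user{user_id}-session{counter}"


def session_id_ok(session_id: str, min_bits: int = 128) -> bool:
    """Length floor for base64url IDs (6 bits per character). Length is only an
    upper bound on entropy; a long but predictable ID still fails the intent."""
    return len(session_id) * 6 >= min_bits


# Constructed in-memory session store: session_id -> per-session data.
SESSIONS: Dict[str, Dict[str, str]] = {}


def begin_authorization(session_id: str, client_id: str, redirect_uri: str) -> str:
    """Build the authorization request. `state` is random, stored against this
    browser session, and checked when the provider redirects back."""
    state = secrets.token_urlsafe(16)                      # 128 bits, fresh per request
    SESSIONS.setdefault(session_id, {})["oauth_state"] = state
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "scope": "openid email",
                       "state": state})
    return AUTH_ENDPOINT + "?" + query


def state_from_url(url: str) -> str:
    """Helper used by the provider side / tests to read the state we issued."""
    return parse_qs(urlparse(url).query)["state"][0]


def handle_callback(session_id: str, callback_url: str) -> Optional[str]:
    """Return the authorization code only if the presented `state` equals the one
    issued to this session; otherwise None (treat as a CSRF attempt). The state
    is consumed on success so the callback cannot be replayed."""
    params = parse_qs(urlparse(callback_url).query)
    sess = SESSIONS.get(session_id, {})
    expected = sess.get("oauth_state")
    presented = params.get("state", [None])[0]
    if expected is None or presented is None:
        return None
    if not secrets.compare_digest(expected.encode(), presented.encode()):
        return None
    del sess["oauth_state"]
    return params.get("code", [None])[0]


if __name__ == "__main__":
    sid = new_session_id()
    url = begin_authorization(sid, "client-123", "https://shop.example/cb")
    st = state_from_url(url)
    print("forged:", handle_callback(sid, "https://shop.example/cb?code=EVIL&state=bogus"))
    print("genuine:", handle_callback(sid, f"https://shop.example/cb?code=GOOD&state={st}"))
    print("replay:", handle_callback(sid, f"https://shop.example/cb?code=GOOD&state={st}"))
```

The comparison uses `secrets.compare_digest` so the check does not leak timing information, and the state is deleted once used; a callback carrying a code the attacker obtained for their own account will not match the victim session’s state and is dropped.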
Megan’s company wants to use Google accounts to allow users to quickly adopt their web application. What common cloud federation technologies will Megan need to implement? (Select all that apply.)
- Kerberos.
- OpenID.
- OAuth.
- RADIUS.

Session ID length and session ID entropy are both important to prevent what type of attack?
- Denial of service.
- Cookie theft.
- Session guessing.
- Man‐in‐the‐middle attacks.

Naomi’s organization employs an access control system that evaluates the security readiness of a device before granting network access. The system checks whether the device is fully patched, if the latest antimalware scans are clean, and if the firewall is active. If there are potential issues that may indicate a compromise, she is not permitted to connect and must contact support. What type of access control scheme best describes this type of process?
- MAC.
- Rule‐based access control.
- Role‐based access control.
- Risk‐based access control.

Isabelle wants to prevent privilege escalation attacks via her organization’s service accounts. Which of the following security practices is best suited to this?
- Remove unnecessary rights.
- Disable interactive login for service accounts.
- Limit when accounts can log in.
- Use meaningless or randomized names for service accounts.

In the NIST zero trust model, what component includes the Policy Engine and the Policy Administrator as shown here?
- The control plane module.
- The policy decision point.
- The enterprise management console.
- The zero trust engine.

Jim’s organization has joined a federation and has begun to allow users from other organizations in the federation to use their services. What services will the members of other organizations be able to use?
- All of the services provided by Jim’s company.
- Only the services their own organization provides.
- Services that Jim’s company grants access to on a per‐user or per‐organization basis.
- Only services that they pay for that Jim’s company provides.
When Alex sets the permissions shown here as one of many users on a Linux server, what type of access control model is he leveraging?
- Role‐based access control.
- Rule‐based access control.
- Mandatory access control (MAC).
- Discretionary access control (DAC).

Joanna leads her organization’s identity management team and wants to ensure that roles are properly updated when staff members change to new positions. What issue should she focus on for those staff members to avoid future issues with role definition?
- Registration.
- Privilege creep.
- Deprovisioning.
- Accountability.

The bank that Aaron works for wants to allow customers to use a new add‐on application from a third‐party partner they are working with. Since not every customer will want or need an account, Aaron has suggested that the bank use a SAML‐based workflow that creates an account when a user downloads the app and tries to log in. What type of provisioning system has he suggested?
- JIT.
- OpenID.
- OAuth.
- Kerberos.

What authentication protocol does Windows use by default for Active Directory systems?
- RADIUS.
- Kerberos.
- OAuth.
- TACACS+.

Valerie needs to control access to applications that are deployed to mobile devices in a BYOD environment. What type of solution will best allow her to exercise control over the applications while ensuring that they do not leave remnant data on the devices used by her end users?
- Deploy the applications to the BYOD devices and require unique PINs on every device.
- Deploy the application to desktop systems and require users to use remote desktop to access them using enterprise authentication.
- Deploy the applications to the BYOD devices using application containers and require unique PINs on every device.
- Use a virtual hosted application environment that requires authentication using enterprise credentials.
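The Linux permission question just above is DAC: the file’s owner decides who may read or write it. Several earlier questions in this set ask about the other model (MAC is lattice‐based, Biba is a MAC model, and every subject and object carries a label), and the contrast is easiest to see in code. The following added example is not from the practice test or from any MAC implementation such as SELinux; the classification levels, compartment names and subjects are constructed. It defines the dominance relation on (level, compartments) labels, which is what makes the label space a lattice, and then expresses the Bell‐LaPadula confidentiality rules and the Biba integrity rules on top of it. No owner is consulted anywhere; the decision comes entirely from the two labels.

```python
"""Lattice-based MAC: labels, dominance, Bell-LaPadula and Biba rules.

Added example; the levels, compartments and subjects are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    """Every subject and every object carries one of these."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: level at least as high AND a superset of
        compartments. Labels with disjoint compartments are incomparable."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the smallest label that dominates both. Its existence
    for every pair is what makes this a lattice rather than just a hierarchy."""
    level = max(a.level, b.level, key=LEVELS.__getitem__)
    return Label(level, a.compartments | b.compartments)


# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)


# Biba (integrity) uses the same lattice with the rules inverted:
# no read down, no write up.
def biba_can_read(subject: Label, obj: Label) -> bool:
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    return subject.dominates(obj)


if __name__ == "__main__":
    analyst = Label("Secret", frozenset({"CRYPTO"}))
    memo = Label("Confidential", frozenset({"CRYPTO"}))
    plan = Label("Top Secret", frozenset({"CRYPTO"}))
    print("BLP read memo:", blp_can_read(analyst, memo), "| write memo:", blp_can_write(analyst, memo))
    print("BLP read plan:", blp_can_read(analyst, plan), "| write plan:", blp_can_write(analyst, plan))
    print("Biba read plan:", biba_can_read(analyst, plan), "| write plan:", biba_can_write(analyst, plan))
```

The compartment check is the part people miss: a Secret/CRYPTO analyst cannot read a merely Confidential document tagged NUCLEAR, because neither label dominates the other. That incomparability is exactly the "need to know" the lattice enforces, and it is why the earlier MAC-versus-DAC question treats adding labels and compartments as a scalability question rather than a convenience.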




