Chapter 5
Identity and Access Management (Domain 5)

  1. Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
    1. An access control list
    2. An implicit denial list
    3. A capability table
    4. A rights management matrix
  2. Jim's organization-wide implementation of IDaaS offers broad support for cloud-based applications. Jim's company does not have internal identity management staff and does not use centralized identity services. Instead, they rely upon Active Directory for AAA services. Which of the following options should Jim recommend to best handle the company's on-site identity needs?
    1. Integrate on-site systems using OAuth.
    2. Use an on-premises third-party identity service.
    3. Integrate on-site systems using SAML.
    4. Design an internal solution to handle the organization's unique needs.
  3. Which of the following is not a weakness in Kerberos?
    1. The KDC is a single point of failure.
    2. Compromise of the KDC would allow attackers to impersonate any user.
    3. Authentication information is not encrypted.
    4. It is susceptible to password guessing.
  4. Voice pattern recognition is what type of authentication factor?
    1. Something you know
    2. Something you have
    3. Something you are
    4. Somewhere you are
  5. If Susan's organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct authentication factor types has she used?
    1. One
    2. Two
    3. Three
    4. Four
  6. Charles wants to deploy a credential management system (CMS). He wants to keep the keys as secure as possible. Which of the following is the best design option for his CMS implementation?
    1. Use AES-256 instead of 3DES.
    2. Use long keys.
    3. Use an HSM.
    4. Change passphrases regularly.
  7. Brian is a researcher at a major university. As part of his research, he logs into a computing cluster hosted at another institution using his own university's credentials. Once logged in, he is able to access the cluster and use resources based on his role in a research project, as well as using resources and services in his home organization. What has Brian's home university implemented to make this happen?
    1. Domain stacking
    2. Federated identity management
    3. Domain nesting
    4. Hybrid login
  8. Place the following steps in the order in which they occur during the Kerberos authentication process.
    1. Client/server ticket generated
    2. TGT generated
    3. Client/TGS key generated
    4. User accesses service
    5. User provides authentication credentials
    1. 5, 3, 2, 1, 4
    2. 5, 4, 2, 1, 3
    3. 3, 5, 2, 1, 4
    4. 5, 3, 1, 2, 4
  9. What major issue often results from decentralized access control?
    1. Access outages may occur.
    2. Control is not consistent.
    3. Control is too granular.
    4. Training costs are high.
  10. Callback to a landline phone number is an example of what type of factor?
    1. Something you know
    2. Somewhere you are
    3. Something you have
    4. Something you are
  11. Kathleen needs to set up an Active Directory trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?
    1. A shortcut trust
    2. A forest trust
    3. An external trust
    4. A realm trust
  12. Which of the following AAA protocols is the most commonly used?
    1. TACACS
    2. TACACS+
    3. XTACACS
    4. Super TACACS
  13. Which of the following is not a single sign-on implementation?
    1. Kerberos
    2. ADFS
    3. CAS
    4. RADIUS
  14. As shown in the following image, a user on a Windows system is not able to use the Send Message functionality. What access control model best describes this type of limitation?
    Snapshot shows that a user on a Windows system is not able to use the Send Message functionality.
    1. Least privilege
    2. Need to know
    3. Constrained interface
    4. Separation of duties
  15. What type of access controls allow the owner of a file to grant other users access to it using an access control list?
    1. Role-based
    2. Nondiscretionary
    3. Rule-based
    4. Discretionary
  16. Alex's job requires him to see protected health information (PHI) to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?
    1. Separation of duties
    2. Constrained interfaces
    3. Context-dependent control
    4. Need to know

    For questions 17–19, please use your knowledge of the Kerberos logon process and refer to the following diagram:

    Schematic illustration of the Kerberos logon process.
  17. At point A in the diagram, the client sends the username and password to the KDC. How are the username and password protected?
    1. 3DES encryption
    2. TLS encryption
    3. SSL encryption
    4. AES encryption
  18. At point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid?
    1. An encrypted TGT and a public key
    2. An access ticket and a public key
    3. An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user's password
    4. An encrypted, time-stamped TGT and an access token
  19. What tasks must the client perform before it can use the TGT?
    1. It must generate a hash of the TGT and decrypt the symmetric key.
    2. It must accept the TGT and decrypt the symmetric key.
    3. It must decrypt the TGT and the symmetric key.
    4. It must send a valid response using the symmetric key to the KDC and must install the TGT.
  20. Jacob is planning his organization's biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
    1. Retina scans can reveal information about medical conditions.
    2. Retina scans are painful because they require a puff of air in the user's eye.
    3. Retina scanners are the most expensive type of biometric device.
    4. Retina scanners have a high false positive rate and will cause support issues.
  21. Mandatory access control is based on what type of model?
    1. Discretionary
    2. Group-based
    3. Lattice-based
    4. Rule-based
  22. Greg wants to control access to iPads used throughout his organization as point-of-sale terminals. Which of the following methods should he use to allow logical access control for the devices in a shared environment?
    1. Use a shared PIN for all point-of-sale terminals to make them easier to use.
    2. Use OAuth to allow cloud logins for each user.
    3. Issue a unique PIN to each user for the iPad they are issued.
    4. Use Active Directory and user accounts for logins to the iPads using the AD userID and password.
  23. What is the best way to provide accountability for the use of identities?
    1. Logging
    2. Authorization
    3. Digital signatures
    4. Type 1 authentication
  24. Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?
    1. Re-provisioning
    2. Account review
    3. Privilege creep
    4. Account revocation
  25. Biba is what type of access control model?
    1. MAC
    2. DAC
    3. Role BAC
    4. ABAC
  26. Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
    1. Kerberos
    2. EAP
    3. RADIUS
    4. OAuth
  27. Henry is working with a web application development team on their authentication and authorization process for his company's new application. The team wants to make session IDs as secure as possible. Which of the following is not a best practice that Henry should recommend?
    1. The session ID token should be predictable.
    2. The session ID should have at least 64 bits of entropy.
    3. The session length should be at least 128 bits.
    4. The session ID should be meaningless.
  28. Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor, and what traffic will she be able to read?
    1. UDP, none. All RADIUS traffic is encrypted.
    2. TCP, all traffic but the passwords, which are encrypted.
    3. UDP, all traffic but the passwords, which are encrypted.
    4. TCP, none. All RADIUS traffic is encrypted.
  29. What type of access control best describes NAC's posture assessment capability?
    1. A mandatory access control
    2. A risk-based access control
    3. A discretionary access control
    4. A role-based access control
  30. When an application or system allows a logged-in user to perform specific actions, it is an example of what?
    1. Roles
    2. Group management
    3. Logins
    4. Authorization
  31. Alex has been employed by his company for more than a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications because of his former roles. What issue has Alex's company encountered?
    1. Excessive provisioning
    2. Unauthorized access
    3. Privilege creep
    4. Account review
  32. Geoff wants to prevent privilege escalation attacks in his organization. Which of the following practices is most likely to prevent horizontal privilege escalation?
    1. Multifactor authentication
    2. Limiting permissions for groups and accounts
    3. Disabling unused ports and services
    4. Sanitizing user inputs to applications
  33. Jim's Microsoft Exchange environment includes servers that are located in local data centers at multiple business offices around the world as well as an Office 365 deployment for employees who are not located at one of those offices. Identities are created and used in both environments and will work in both. What type of federated system is Jim running?
    1. A primary cloud system
    2. A primary on-premise system
    3. A hybrid system
    4. A multitenant system
  34. What type of access control scheme is shown in the following table?
    Highly Sensitive   Red      Blue     Green
    Confidential       Purple   Orange   Yellow
    Internal Use       Black    Gray     White
    Public             Clear    Clear    Clear
    1. RBAC
    2. DAC
    3. MAC
    4. TBAC
  35. Michelle's company is creating a new division by splitting the marketing and communications departments into two separate groups. She wants to create roles that provide access to resources used by each group. What should she do to maintain the appropriate security and rights for each group?
    1. Put both the marketing and communications teams into the existing group because they will have similar access requirements.
    2. Keep the marketing team in the existing group and create a new communications group based on their specific needs.
    3. Keep the communications team in the existing group and create a new marketing group based on their specific needs.
    4. Create two new groups, assess which rights they need to perform their roles, and then add additional rights if required.
  36. When a subject claims an identity, what process is occurring?
    1. Login
    2. Identification
    3. Authorization
    4. Token presentation
  37. Dogs, guards, and fences are all common examples of what type of control?
    1. Detective
    2. Recovery
    3. Administrative
    4. Physical
  38. Susan's organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute-force attacks?
    1. Change maximum age from 1 year to 180 days.
    2. Increase the minimum password length from 8 characters to 16 characters.
    3. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.
    4. Retain a password history of at least four passwords to prevent reuse.
  39. Alaina is performing a regularly scheduled review for service accounts. Which of the following events should she be most concerned about?
    1. An interactive login for the service account
    2. A password change for the service account
    3. Limitations placed on the service account's rights
    4. Local use of the service account
  40. When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?
    1. When security is more important than usability
    2. When false rejection is not a concern due to data quality
    3. When the CER of the system is not known
    4. When the CER of the system is very high
  41. After recent reports of undesired access to workstations after hours, Derek has been asked to find a way to ensure that maintenance staff cannot log in to workstations in business offices. The maintenance staff members do have systems in their break rooms and offices that they still need access to. What should Derek do to meet this need?
    1. Require multifactor authentication and only allow office staff to have multifactor tokens.
    2. Use rule-based access control to prevent logins after hours in the business area.
    3. Use role-based access control by setting up a group that contains all maintenance staff and then give that group rights to log into only the designated workstations.
    4. Use geofencing to only allow logins in maintenance areas.
  42. Nick wants to do session management for his web application. Which of the following are common web application session management techniques or methods? (Select all that apply.)
    1. IP tracking
    2. Cookies
    3. URL rewriting
    4. TLS tokens

    For questions 43–45, please use your knowledge of SAML integrations and security architecture design and refer to the following scenario and diagram:

    Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization.

    Schematic illustration of the SAML integration and security architecture design.
  43. Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks?
    1. Use SAML's secure mode to provide secure authentication.
    2. Implement TLS using a strong cipher suite, which will protect against both types of attacks.
    3. Implement TLS using a strong cipher suite and use digital signatures.
    4. Implement TLS using a strong cipher suite and message hashing.
  44. If Alex's organization is one that is primarily made up of off-site, traveling users, what availability risk does integration of critical business applications to on-site authentication create, and how could he solve it?
    1. Third-party integration may not be trustworthy; use SSL and digital signatures.
    2. If the home organization is offline, traveling users won't be able to access third-party applications; implement a hybrid cloud/local authentication system.
    3. Local users may not be properly redirected to the third-party services; implement a local gateway.
    4. Browsers may not properly redirect; use host files to ensure that issues with redirects are resolved.
  45. What solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagram?
    1. An awareness campaign about trusted third parties
    2. TLS
    3. Handling redirects at the local site
    4. Implementing an IPS to capture SSO redirect attacks
  46. Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
    1. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
    2. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
    3. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
    4. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority
  47. Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures compliance with the organization's security policy?
    1. Log review
    2. Manual review of permissions
    3. Signature-based detection
    4. Review the audit trail
  48. Jessica needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?
    1. SAML
    2. SOAP
    3. SPML
    4. XACML
  49. During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?
    1. A brute-force attack
    2. A pass-the-hash attack
    3. A rainbow table attack
    4. A salt recovery attack
  50. Google's identity integration with a variety of organizations and applications across domains is an example of which of the following?
    1. PKI
    2. Federation
    3. Single sign-on
    4. Provisioning
  51. Amanda starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?
    1. Privilege creep
    2. Rights collision
    3. Least privilege
    4. Excessive privileges
  52. When Chris verifies an individual's identity and adds a unique identifier like a user ID to an identity system, what process has occurred?
    1. Identity proofing
    2. Registration
    3. Directory management
    4. Session management
  53. Selah wants to provide accountability for actions performed via her organization's main line of business application. What controls are most frequently used to provide accountability in a situation like this? (Select all that apply.)
    1. Enable audit logging.
    2. Provide every staff member with a unique account and enable multifactor authentication.
    3. Enable time- and location-based login requirements.
    4. Provide every staff member with a unique account and require a self-selected password.
  54. Charles wants to provide authorization services as part of his web application. What standard should he use if he wants to integrate easily with other web identity providers?
    1. OpenID
    2. TACACS+
    3. RADIUS
    4. OAuth
  55. The company that Cameron works for uses a system that allows users to request privileged access to systems when necessary. Cameron requests access, and the request is pre-approved due to his role. He is then able to access the system to perform the task. Once he is done, the rights are removed. What type of system is he using?
    1. Zero trust
    2. Federated identity management
    3. Single sign-on
    4. Just-in-time access
  56. Elle is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
    1. Require users to create unique questions that only they will know.
    2. Require new users to bring their driver's license or passport in person to the bank.
    3. Use information that both the bank and the user have such as questions pulled from their credit report.
    4. Call the user on their registered phone number to verify that they are who they claim to be.
  57. Susan's organization is part of a federation that allows users from multiple organizations to access resources and services at other federated sites. When Susan wants to use a service at a partner site, which identity provider is used?
    1. Susan's home organization's identity provider
    2. The service provider's identity provider
    3. Both their identity provider and the service provider's identity provider
    4. The service provider creates a new identity
  58. A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer's account. What type of biometric factor error occurred?
    1. A registration error
    2. A Type 1 error
    3. A Type 2 error
    4. A time of use, method of use error
  59. What type of access control is typically used by firewalls?
    1. Discretionary access controls
    2. Rule-based access controls
    3. Task-based access control
    4. Mandatory access controls
  60. When you input a user ID and password, you are performing what important identity and access management activity?
    1. Authorization
    2. Validation
    3. Authentication
    4. Login
  61. Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-stripe-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen's best option to make sure that the users of the passcards are who they are supposed to be?
    1. Add a reader that requires a PIN for passcard users.
    2. Add a camera system to the facility to observe who is accessing servers.
    3. Add a biometric factor.
    4. Replace the magnetic stripe keycards with smartcards.
  62. Theresa wants to allow her staff to securely store and manage passwords for systems including service accounts and other rarely used administrative credentials. What type of tool should she implement to enable this?
    1. Single sign-on
    2. A federated identity system
    3. A password manager
    4. A multifactor authentication system
  63. Olivia wants to limit the commands that a user can run via sudo to limit the potential for privilege escalation attacks. What Linux file should she modify to allow this?
    1. The bash .bin configuration file
    2. The sudoers file
    3. The bash .allowed configuration file
    4. The sudont file
  64. Which objects and subjects have a label in a MAC model?
    1. Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label.
    2. All objects have a label, and all subjects have a compartment.
    3. All objects and subjects have a label.
    4. All subjects have a label and all objects have a compartment.

    For questions 65–67, please refer to the following scenario and diagram:

    Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google account using OAuth 2.0 or creating a new account on the platform using their own email address and a password of their choice.

    Schematic illustration of the diagram for this scenario.
  65. When the e-commerce application creates an account for a Google user, where should that user's password be stored?
    1. The password is stored in the e-commerce application's database.
    2. The password is stored in memory on the e-commerce application's server.
    3. The password is stored in Google's account management system.
    4. The password is never stored; instead, a salted hash is stored in Google's account management system.
  66. Which of the following is responsible for user authentication for Google users?
    1. The e-commerce application.
    2. Both the e-commerce application and Google servers.
    3. Google servers.
    4. The diagram does not provide enough information to determine this.
  67. What type of attack is the creation and exchange of state tokens intended to prevent?
    1. XSS
    2. CSRF
    3. SQL injection
    4. XACML
  68. Questions like “What is your pet's name?” are examples of what type of identity proofing?
    1. Knowledge-based authentication
    2. Dynamic knowledge-based authentication
    3. Out-of-band identity proofing
    4. A Type 3 authentication factor
  69. Madhuri creates a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Madhuri using?
    1. A capability table
    2. An access control list
    3. An access control matrix
    4. A subject/object rights management system
  70. During a review of support tickets, Ben's organization discovered that password changes accounted for more than a quarter of its help desk's cases. Which of the following options would be most likely to decrease that number significantly?
    1. Two-factor authentication
    2. Biometric authentication
    3. Self-service password reset
    4. Passphrases
  71. Brian's large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS?
    1. Use the built-in encryption in RADIUS.
    2. Implement RADIUS over its native UDP using TLS for protection.
    3. Implement RADIUS over TCP using TLS for protection.
    4. Use an AES256 pre-shared cipher between devices.
  72. Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?
    1. Kerberos
    2. OAuth
    3. OpenID
    4. LDAP
  73. Ben's organization has had an issue with unauthorized access to applications and workstations during the lunch hour when employees aren't at their desks. What are the best types of session management solutions for Ben to recommend to help prevent this type of access?
    1. Use session IDs for all access and verify system IP addresses of all workstations.
    2. Set session timeouts for applications and use password-protected screensavers with inactivity timeouts on workstations.
    3. Use session IDs for all applications, and use password-protected screensavers with inactivity timeouts on workstations.
    4. Set session timeouts for applications and verify system IP addresses of all workstations.
  74. What type of authentication scenario is shown in the following diagram?
    Schematic illustration of the authentication scenario.
    1. Hybrid federation
    2. On-premise federation
    3. Cloud federation
    4. Kerberos federation
  75. Chris wants to control access to his facility while still identifying individuals. He also wants to ensure that the individuals are the people who are being admitted without significant ongoing costs. Which solutions from the following options would meet all of these requirements? (Select all that apply.)
    1. Security guards and photo identification badges
    2. RFID badges and readers with PIN pads
    3. Magstripe badges and readers with PIN pads
    4. Security guards and magstripe readers
  76. A device like a YubiKey or Titan Security Key is what type of Type 2 authentication factor?
    1. A token
    2. A biometric identifier
    3. A smart card
    4. A PIV
  77. What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API?
    1. SAML
    2. Shibboleth
    3. OpenID Connect
    4. Higgins
  78. Jim wants to implement an access control scheme that will ensure that users cannot delegate access. He also wants to enforce access control at the operating system level. What access control mechanism best fits these requirements?
    1. Role-based access control
    2. Discretionary access control
    3. Mandatory access control
    4. Attribute-based access control
  79. The security administrators at the company that Susan works for have configured the workstation she uses to allow her to log in only during her work hours. What type of access control best describes this limitation?
    1. Constrained interface
    2. Context-dependent control
    3. Content-dependent control
    4. Least privilege
  80. Ben uses a software-based token that changes its code every minute. What type of token is he using?
    1. Asynchronous
    2. Smart card
    3. Synchronous
    4. Static
  81. Firewalls are an example of what type of access control mechanism?
    1. Mandatory access control
    2. Attribute-based access control
    3. Discretionary access control
    4. Rule-based access control
  82. Michelle works for a financial services company and wants to register customers for her web application. What type of authentication mechanism could she use for the initial login if she wants to quickly and automatically verify that the person is who they claim to be without having a previous relationship with them?
    1. Request their Social Security number.
    2. Use knowledge-based authentication.
    3. Perform manual identity verification.
    4. Use a biometric factor.
  83. Megan's company wants to use Google accounts to allow users to quickly adopt their web application. What common cloud federation technologies will Megan need to implement? (Select all that apply.)
    1. Kerberos
    2. OpenID
    3. OAuth
    4. RADIUS
  84. Session ID length and session ID entropy are both important to prevent what type of attack?
    1. Denial of service
    2. Cookie theft
    3. Session guessing
    4. Man-in-the-middle attacks
  85. The access control system for Naomi's organization checks whether her computer is fully patched, whether it has a successful clean anti-malware scan, and whether the firewall is turned on, among other security validations, before it allows her to connect to the network. If there are potential issues, she is not permitted to connect and must contact support. What type of access control scheme best describes this type of process?
    1. MAC
    2. Rule-based access control
    3. Role-based access control
    4. Risk-based access control
  86. Isabelle wants to prevent privilege escalation attacks via her organization's service accounts. Which of the following security practices is best suited to this?
    1. Remove unnecessary rights.
    2. Disable interactive login for service accounts.
    3. Limit when accounts can log in.
    4. Use meaningless or randomized names for service accounts.
  87. What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider?
    1. It may cause incorrect selection of the proper OpenID provider.
    2. It creates the possibility of a phishing attack by sending data to a fake OpenID provider.
    3. The relying party may be able to steal the client's username and password.
    4. The relying party may not send a signed assertion.
  88. Jim is implementing a cloud identity solution for his organization. What type of technology is he putting in place?
    1. Identity as a service
    2. Employee ID as a service
    3. Cloud-based RADIUS
    4. OAuth
  89. Kristen wants to control access to an application in her organization based on a combination of staff members' job titles, the permissions each group of titles needs for the application, and the time of day and location. What type of control scheme should she select?
    1. ABAC
    2. DAC
    3. MAC
    4. Role BAC
  90. When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?
    Image: screenshot of the file permissions Alex set on the Linux server.
    1. Role-based access control
    2. Rule-based access control
    3. Mandatory access control (MAC)
    4. Discretionary access control (DAC)
  91. Joanna leads her organization's identity management team and wants to ensure that roles are properly updated when staff members change to new positions. What issue should she focus on for those staff members to avoid future issues with role definition?
    1. Registration
    2. Privilege creep
    3. Deprovisioning
    4. Accountability
  92. What type of authorization mechanism is shown in the following chart?
    Image: chart illustrating the authorization mechanism referenced in the question.
    1. RBAC
    2. ABAC
    3. MAC
    4. DAC
  93. Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue?
    1. The Kerberos server is offline.
    2. There is a protocol mismatch.
    3. The client's TGTs have been marked as compromised and de-authorized.
    4. The Kerberos server and the local client's time clocks are not synchronized.
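The symptoms in question 93 come from two separate checks that both depend on wall-clock time. The Python example below, added here and not from the question bank, simulates them: the receiver's validity-window check on a ticket, and the KDC's check of the timestamp inside the client's authenticator on a TGS request. The five-minute tolerance is the default in MIT Kerberos and Active Directory, and the error codes are from RFC 4120; the ten-hour ticket lifetime and the fixed KDC time are assumed for the simulation.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Default maximum tolerated clock difference in MIT Kerberos and Active Directory.
MAX_CLOCK_SKEW = timedelta(minutes=5)

# RFC 4120 error codes that surface when clocks disagree.
KRB_AP_ERR_TKT_EXPIRED = 32   # ticket expired
KRB_AP_ERR_TKT_NYV = 33       # ticket not yet valid
KRB_AP_ERR_SKEW = 37          # clock skew too great


def check_authenticator(client_time: datetime, server_time: datetime,
                        max_skew: timedelta = MAX_CLOCK_SKEW) -> tuple[bool, int | None]:
    """Server-side check of the timestamp a client places in its authenticator.
    The KDC applies this to every TGS-REQ, so a skewed client cannot obtain
    new service tickets even with a perfectly good TGT."""
    if abs(client_time - server_time) > max_skew:
        return False, KRB_AP_ERR_SKEW
    return True, None


def check_ticket_window(now: datetime, starttime: datetime, endtime: datetime,
                        max_skew: timedelta = MAX_CLOCK_SKEW) -> tuple[bool, int | None]:
    """Validity-window check a ticket holder or receiver applies, with the
    skew tolerance applied at both ends."""
    if now < starttime - max_skew:
        return False, KRB_AP_ERR_TKT_NYV
    if now > endtime + max_skew:
        return False, KRB_AP_ERR_TKT_EXPIRED
    return True, None


def simulate_client(kdc_now: datetime, client_offset: timedelta) -> dict:
    """Replay the troubleshooting scenario for a client whose clock differs
    from the KDC's by `client_offset`: it checks a freshly issued TGT against
    its own clock, then sends an authenticator to request a service ticket."""
    client_now = kdc_now + client_offset
    # Assumed: the KDC issued the TGT at its own current time with a 10h lifetime.
    tgt_start, tgt_end = kdc_now, kdc_now + timedelta(hours=10)
    tgt_ok, tgt_err = check_ticket_window(client_now, tgt_start, tgt_end)
    # The authenticator carries the client's clock; the KDC compares it to its own.
    auth_ok, auth_err = check_authenticator(client_now, kdc_now)
    return {
        "tgt_accepted": tgt_ok,
        "new_ticket_issued": auth_ok,
        "errors": [e for e in (tgt_err, auth_err) if e is not None],
    }


def run_scenario(client_offset_minutes: int) -> dict:
    """Convenience wrapper with a fixed, assumed KDC clock."""
    kdc_now = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    return simulate_client(kdc_now, timedelta(minutes=client_offset_minutes))


if __name__ == "__main__":
    for offset in (-20, -2, 0, 20):
        print(f"client clock {offset:+d} min:", run_scenario(offset))
```

A client running 20 minutes slow sees its own new TGT as not yet valid and has every TGS request rejected for skew, which matches the symptoms; a client within the tolerance is unaffected. The usual fix is NTP against the same time source the KDC uses.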
  94. Brian wants to explain the benefits of an on-premises federation approach for identity to his organization's leadership. Which of the following is not a common benefit of a federated identity system?
    1. Ease of account management
    2. Single sign-on
    3. Prevention of brute-force attacks
    4. Increased productivity
  95. The bank that Aaron works for wants to allow customers to use a new add-on application from a third-party partner they are working with. Since not every customer will want or need an account, Aaron has suggested that the bank use a SAML-based workflow that creates an account when a user downloads the app and tries to log in. What type of provisioning system has he suggested?
    1. JIT
    2. OpenID
    3. OAuth
    4. Kerberos
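To make the provisioning workflow in question 95 concrete, here is an added Python example (not part of the question bank) that parses a constructed SAML 2.0 assertion and creates the partner application's local account on the user's first login, updating attributes on later logins. The issuer entity ID, attribute names and account fields are assumptions; the assertion is constructed for the example and carries no signature, so the code assumes the SAML library has already verified the XML signature, audience and validity window before it runs, which is the precondition any JIT flow must enforce.

```python
from __future__ import annotations

import xml.etree.ElementTree as ET   # use defusedxml for untrusted input in production

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRUSTED_ISSUER = "https://idp.bank.example"   # assumed IdP entity ID

# Constructed assertion as the partner app would see it after signature
# verification. Real assertions also carry Signature and Conditions elements.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.bank.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.net</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Customer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>retail-customers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text: str) -> tuple[str, str, dict[str, list[str]]]:
    """Extract issuer, subject NameID and attribute values from an assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    if not issuer or not name_id:
        raise ValueError("assertion lacks Issuer or NameID")
    attrs: dict[str, list[str]] = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return issuer, name_id, attrs


def jit_login(accounts: dict, assertion_xml: str,
              trusted_issuer: str = TRUSTED_ISSUER) -> tuple[dict, bool]:
    """Just-in-time provisioning: create the account on first login, refresh
    attributes on every login. Returns (account, created). `accounts` stands
    in for the app's user store."""
    issuer, name_id, attrs = parse_assertion(assertion_xml)
    if issuer != trusted_issuer:
        # Never provision from an IdP you do not trust, even with a valid signature.
        raise PermissionError(f"untrusted issuer {issuer!r}")
    created = name_id not in accounts
    if created:
        accounts[name_id] = {"name_id": name_id, "logins": 0}
    account = accounts[name_id]
    account["display_name"] = attrs.get("displayName", [name_id])[0]
    account["groups"] = attrs.get("groups", [])
    account["logins"] += 1
    return account, created


if __name__ == "__main__":
    store: dict = {}
    print(jit_login(store, SAMPLE_ASSERTION))   # first login: created
    print(jit_login(store, SAMPLE_ASSERTION))   # second login: reused
```

Because the partner application never sees a password, everything it knows about the customer comes from the assertion; the issuer check and the upstream signature verification are what keep JIT from becoming an account-minting oracle for anyone who can post XML to the ACS endpoint.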
  96. What authentication protocol does Windows use by default for Active Directory systems?
    1. RADIUS
    2. Kerberos
    3. OAuth
    4. TACACS+
  97. Valerie needs to control access to applications that are deployed to mobile devices in a BYOD environment. What type of solution will best allow her to exercise control over the applications while ensuring that they do not leave remnant data on the devices used by her end users?
    1. Deploy the applications to the BYOD devices and require unique PINs on every device.
    2. Deploy the application to desktop systems and require users to use remote desktop to access them using enterprise authentication.
    3. Deploy the applications to the BYOD devices using application containers and require unique PINs on every device.
    4. Use a virtual hosted application environment that requires authentication using enterprise credentials.
  98. Match the following authorization mechanisms with their descriptions:
    1. Role-BAC
    2. Rule BAC
    3. DAC
    4. ABAC
    5. MAC
    1. An access control model enforced by the operating system.
    2. Permissions or rights are granted based on parameters like an IP address, time, or other specific details that match requirements.
    3. Sometimes called policy-based access control, this model uses information about the subject to assign permissions.
    4. A model where subjects with the proper rights can assign or pass those rights to other subjects.
    5. Used to assign permissions based on job or function.
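Questions 89 and 98 both turn on how role-based, rule-based and attribute-based decisions differ. The Python example below, added here and not part of the question bank, builds one small policy engine that layers all three: a job-title mapping (Role-BAC), environment rules on time of day and source network (Rule-BAC), and a subject-to-resource attribute comparison that only ABAC can express. The titles, permissions, business hours, networks and department attribute are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Role-BAC layer: job titles mapped to the application permissions each
# group of titles needs (constructed mapping).
ROLE_PERMISSIONS = {
    "analyst": {"report:read"},
    "manager": {"report:read", "report:approve"},
}

# Rule-BAC layer: environment rules applied to every request regardless of
# who makes it (constructed values).
BUSINESS_HOURS = (time(8, 0), time(18, 0))
OFFICE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Request:
    subject: dict    # who: title, department, ...
    action: str      # what they want to do
    resource: dict   # attributes of the object being accessed
    context: dict    # environment: request time, source IP


def role_permits(req: Request) -> bool:
    """Role-BAC: permission follows from the subject's job title alone."""
    return req.action in ROLE_PERMISSIONS.get(req.subject.get("title"), set())


def within_business_hours(req: Request) -> bool:
    """Rule-BAC: a time-of-day rule that applies to everyone."""
    start, end = BUSINESS_HOURS
    return start <= req.context["time"] <= end


def from_office_network(req: Request) -> bool:
    """Rule-BAC: a location rule expressed as source-network membership."""
    src = ip_address(req.context["source_ip"])
    return any(src in net for net in OFFICE_NETWORKS)


def same_department(req: Request) -> bool:
    """ABAC: a comparison between subject and resource attributes, which
    neither a role nor an environment rule can state on its own."""
    return req.subject.get("department") == req.resource.get("owner_department")


# ABAC policy combining all three kinds of condition; every check must pass
# (deny-overrides). Each entry pairs a denial reason with its predicate.
POLICY = [
    ("title does not grant the action", role_permits),
    ("outside business hours", within_business_hours),
    ("not from an office network", from_office_network),
    ("subject's department does not own the resource", same_department),
]


def evaluate(req: Request) -> tuple[bool, list[str]]:
    """Return (allowed, denial_reasons); an empty reason list means allow."""
    denied_for = [reason for reason, check in POLICY if not check(req)]
    return (not denied_for, denied_for)


def make_request(title: str, department: str, action: str, owner_department: str,
                 hour: int, source_ip: str) -> Request:
    """Helper that builds a request from plain values for quick evaluation."""
    return Request(
        subject={"title": title, "department": department},
        action=action,
        resource={"owner_department": owner_department},
        context={"time": time(hour, 0), "source_ip": source_ip},
    )


if __name__ == "__main__":
    print(evaluate(make_request("manager", "finance", "report:approve", "finance", 10, "10.1.2.3")))
    print(evaluate(make_request("manager", "finance", "report:approve", "finance", 22, "10.1.2.3")))
    print(evaluate(make_request("analyst", "finance", "report:approve", "finance", 10, "10.1.2.3")))
    print(evaluate(make_request("manager", "finance", "report:approve", "finance", 10, "203.0.113.5")))
```

Removing the last two policy entries leaves a pure Role-BAC system; keeping only the time and network entries leaves a pure Rule-BAC system. Only the combined policy, which reasons over subject, resource and environment attributes together, satisfies a requirement like Kristen's, and returning the failed reasons makes the decision auditable.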
  99. Match each of the numbered authentication techniques with the appropriate lettered category. Each technique should be matched with exactly one category. Each category may be used once, more than once, or not at all.
    Authentication technique
    1. Password
    2. ID card
    3. Retinal scan
    4. Smartphone token
    5. Fingerprint analysis
    Category
    A. Something you have
    B. Something you know
    C. Something you are
  100. Match the following identity and access controls with the asset type they are best suited to protect. Each only has one option.
    1. Information assets
    2. Systems
    3. Mobile devices
    4. Facilities
    5. Partner applications
    1. Discretionary access controls
    2. Badge readers
    3. Federated identity management
    4. Biometric authentication
    5. User accounts with multifactor authentication