- Which of the following would not be an asset that an organization would want to protect with access controls?
A. Information B. Systems C. Devices D. Facilities E. None of the above
Answer: E
All of the answers are included in the types of assets that an organization would try to protect with access controls.
- Which of the following is true related to a subject?
A. A subject is always a user account.
B. The subject is always the entity that provides or hosts the information or data.
C. The subject is always the entity that receives information about or data from an object.
D. A single entity can never change roles between subject and object.
Answer: C
The subject is active and is always the entity that receives information about, or data from, the object. A subject can be a user, a program, a process, a file, a computer, a database, and so on. The object is always the entity that provides or hosts information or data. The roles of subject and object can switch while two entities communicate to accomplish a task.
- Which of the following types of access control uses fences, security policies, security awareness training, and antivirus software to stop an unwanted or unauthorized activity from occurring?
A. Preventive
B. Detective
C. Corrective
D. Authoritative
Answer: A
A preventive access control helps stop an unwanted or unauthorized activity from occurring. Detective controls discover the activity after it has occurred, and corrective controls attempt to reverse any problems caused by the activity. Authoritative isn’t a valid type of access control.
- What type of access controls are hardware or software mechanisms used to manage access to resources and systems, and provide protection for those resources and systems?
A. Administrative
B. Logical/technical
C. Physical
D. Preventive
Answer: B
Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Administrative controls are managerial controls and physical controls use physical items to control physical access. A preventive control attempts to prevent security incidents.
- Which of the following best expresses the primary goal when controlling access to assets?
A. Preserve confidentiality, integrity, and availability of systems and data.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.
Answer: A
A primary goal when controlling access to assets is to protect against losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system, but objects do not authenticate. Subjects access objects, but objects do not access subjects. Identification and authentication is important as a first step in access control, but much more is needed to protect assets.
- A user logs in with a login ID and a password. What is the purpose of the login ID?
A. Authentication
B. Authorization
C. Accountability
D. Identification
Answer: D
A user professes an identity with a login ID. The combination of the login ID and the password provides authentication. Subjects are authorized access to objects after authentication. Logging and auditing provides accountability.
- Accountability requires all of the following items except one. Which item is not required for accountability?
A. Identification
B. Authentication
C. Auditing
D. Authorization
Answer: D
Accountability does not include authorization. Accountability requires proper identification and authentication. After authentication, accountability requires logging to support auditing.
- What can you use to prevent users from rotating between two passwords?
A. Password complexity
B. Password history
C. Password age
D. Password length
Answer: B
Password history can prevent users from rotating between two passwords. It remembers previously used passwords. Password complexity and password length help ensure users create strong passwords. Password age ensures users change their password regularly.
- Which of the following best identifies the benefit of a passphrase?
A. It is short.
B. It is easy to remember.
C. It includes a single set of characters.
D. It is easy to crack.
Answer: B
A passphrase is a long string of characters that is easy to remember, such as IP@$$edTheCISSPEx@m. It is not short and typically includes all four sets of character types. It is strong and complex, making it difficult to crack.
- Which of the following is an example of a Type 2 authentication factor?
A. Something you have
B. Something you are
C. Something you do
D. Something you know
Answer: A
A Type 2 authentication factor is based on something you have, such as a smartcard or token device. Type 3 authentication is based on something you are and sometimes something you do, which uses physical and behavioral biometric methods. Type 1 authentication is based on something you know, such as passwords or PINs.
- Your organization issues devices to employees. These devices generate one-time passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?
A. Synchronous token
B. Asynchronous token
C. Smartcard
D. Common access card
Answer: A
A synchronous token generates and displays one-time passwords, which are synchronized with an authentication server. An asynchronous token uses a challenge-response process to generate the one-time password. Smartcards do not generate one-time passwords, and common access cards are a version of a smartcard that includes a picture of the user.
- Which of the following provides authentication based on a physical characteristic of a subject?
A. Account ID
B. Biometrics
C. Token
D. PIN
Answer: B
Physical biometric methods such as fingerprints and iris scans provide authentication for subjects. An account ID provides identification. A token is something you have and it creates one-time passwords, but it is not related to physical characteristics. A personal identification number (PIN) is something you know.
- What does the crossover error rate (CER) for a biometric device indicate?
A. It indicates that the sensitivity is too high.
B. It indicates that the sensitivity is too low.
C. It indicates the point where the false rejection rate equals the false acceptance rate.
D. When high enough, it indicates the biometric device is highly accurate.
Answer: C
The point at which biometric Type 1 errors (false rejection rate) and Type 2 errors (false acceptance rate) are equal is the crossover error rate (CER). A lower CER indicates a higher quality biometric device. It does not indicate that sensitivity is too high or too low.
- A biometric system has falsely rejected a valid user, indicating that the user is not recognized. What type of error is this?
A. Type 1 error
B. Type 2 error
C. Crossover error rate
D. Equal error rate
Answer: A
A Type 1 error (false rejection or false negative) occurs when a valid subject is not authenticated. A Type 2 error (false acceptance or false positive) occurs when an invalid subject is authenticated. The crossover error rate (also called equal error rate) compares the rate of Type 1 errors to Type 2 errors and provides a measurement of the accuracy of the biometric system.
- What is the primary purpose of Kerberos?
A. Confidentiality
B. Integrity
C. Authentication
D. Accountability
Answer: C
The primary purpose of Kerberos is authentication, as it allows users to prove their identity. It also provides a measure of confidentiality and integrity using symmetric key encryption, but these are not the primary purpose. Kerberos does not include logging capabilities, so it does not provide accountability.
- Which of the following is the best choice to support a federated identity management system?
A. Kerberos
B. Hypertext Markup Language (HTML)
C. Extensible Markup Language (XML)
D. Security Assertion Markup Language (SAML)
Answer: D
SAML is an XML-based framework used to exchange user information for single sign-on (SSO) between organizations within a federated identity management system. Kerberos supports SSO in a single organization, not a federation. HTML only describes how data is displayed. XML could be used, but it would require redefining tags already defined in SAML.
- What is the function of the network access server within a RADIUS architecture?
A. Authentication server
B. Client
C. AAA server
D. Firewall
Answer: B
The network access server is the client within a RADIUS architecture. The RADIUS server is the authentication server and it provides authentication, authorization, and accounting (AAA) services. The network access server might have a host firewall enabled, but that isn’t the primary function.
- Which of the following authentication, authorization, and accounting (AAA) protocols is based on RADIUS and supports Mobile IP and Voice over IP?
A. Distributed access control
B. Diameter
C. TACACS+
D. TACACS
Answer: B
Diameter is based on RADIUS and it supports Mobile IP and Voice over IP. Distributed access control systems such as a federated identity management system are not a specific protocol, and they don’t necessarily provide authentication, authorization, and accounting. TACACS and TACACS+ are AAA protocols, but they are alternatives to RADIUS, not based on RADIUS.
- Scenario: An administrator has been working within an organization for over 10 years. He has moved between different IT divisions within the company and has retained privileges from each of the jobs that he’s had during his tenure. Recently, supervisors admonished him for making unauthorized changes to systems. He once again made an unauthorized change that resulted in an unexpected outage and management decided to terminate his employment at the company. He came back to work the following day to clean out his desk and belongings, and during this time he installed a malicious script that was scheduled to run as a logic bomb on the first day of the following month. The script will change administrator passwords, delete files, and shut down over 100 servers in the datacenter.
Which of the following basic principles was violated during the administrator’s employment?
A. Implicit deny
B. Loss of availability
C. Defensive privileges
D. Least privilege
Answer: D
The principle of least privilege was violated because he retained privileges from all his previous administrator positions in different divisions. Implicit deny ensures that only access that is explicitly granted is allowed, but the administrator was explicitly granted privileges. While the administrator’s actions could have caused loss of availability, loss of availability isn’t a basic principle. Defensive privileges aren’t a valid security principle.
- Scenario: An administrator has been working within an organization for over 10 years. He has moved between different IT divisions within the company and has retained privileges from each of the jobs that he’s had during his tenure. Recently, supervisors admonished him for making unauthorized changes to systems. He once again made an unauthorized change that resulted in an unexpected outage and management decided to terminate his employment at the company. He came back to work the following day to clean out his desk and belongings, and during this time he installed a malicious script that was scheduled to run as a logic bomb on the first day of the following month. The script will change administrator passwords, delete files, and shut down over 100 servers in the datacenter.
What could have discovered problems with this user’s account while he was employed?
A. Policy requiring strong authentication
B. Multifactor authentication
C. Logging
D. Account review
Answer: D
Account review can discover when users have more privileges than they need and could have been used to discover that this employee had permissions from several positions. Strong authentication methods (including multifactor authentication) would not have prevented the problems in this scenario. Logging could have recorded activity, but a review is necessary to discover the problems.
