Questão 1
Questão
Chris is the identity architect for a growing e-commerce website
that wants to leverage social identity. To do this, he and his team
intend to allow users to use their existing Google accounts as their
primary accounts when using the e-commerce site. This means
that when a new user initially connects to the e-commerce
platform, they are given the choice between using their Google
account using OAuth 2.0 or creating a new account on the platform
using their own email address and a password of their choice.
When the e-commerce application creates an account for a Google
user, where should that user’s password be stored?
Responda
-
A. The password is stored in the e-commerce application’s database.
-
B. The password is stored in memory on the e-commerce
application’s server.
-
C. The password is stored in Google’s account management system.
-
D. The password is never stored; instead, a salted hash is stored in
Google’s account management system.
Questão 2
Questão
Chris is the identity architect for a growing e-commerce website
that wants to leverage social identity. To do this, he and his team
intend to allow users to use their existing Google accounts as their
primary accounts when using the e-commerce site. This means
that when a new user initially connects to the e-commerce
platform, they are given the choice between using their Google
account using OAuth 2.0 or creating a new account on the platform
using their own email address and a password of their choice.
Which system or systems is/are responsible for user authentication for
Google users?
Responda
-
A. The e-commerce application.
-
B. Both the e-commerce application and Google servers.
-
C. Google servers.
-
D. The diagram does not provide enough information to determine
this.
Questão 3
Questão
What type of attack is the creation and exchange of state tokens
intended to prevent?
Responda
-
A. XSS
-
B. CSRF
-
C. SQL injection
-
D. XACML
Questão 4
Questão
Questions like “What is your pet’s name?” are examples of what type
of identity proofing?
Responda
-
A. Knowledge-based authentication
-
B. Dynamic knowledge-based authentication
-
C. Out-of-band identity proofing
-
D. A Type 3 authentication factor
Questão 5
Questão
Lauren builds a table that includes assigned privileges, objects, and
subjects to manage access control for the systems she is responsible
for. Each time a subject attempts to access an object, the systems
check the table to ensure that the subject has the appropriate rights to
the objects. What type of access control system is Lauren using?
Responda
-
A. A capability table
-
B. An access control list
-
C. An access control matrix
-
D. A subject/object rights management system
Questão 6
Questão
During a review of support incidents, Ben’s organization discovered
that password changes accounted for more than a quarter of its help
desk’s cases. Which of the following options would be most likely to
decrease that number significantly?
Responda
-
A. Two-factor authentication
-
B. Biometric authentication
-
C. Self-service password reset
-
D. Passphrases
Questão 7
Questão
Brian’s large organization has used RADIUS for AAA services for its
network devices for years and has recently become aware of security
issues with the unencrypted information transferred during
authentication. How should Brian implement encryption for RADIUS?
Responda
-
A. Use the built-in encryption in RADIUS.
-
B. Implement RADIUS over its native UDP using TLS for protection.
-
C. Implement RADIUS over TCP using TLS for protection.
-
D. Use an AES256 pre-shared cipher between devices.
Questão 8
Questão
Jim wants to allow cloud-based applications to act on his behalf to
access information from other sites. Which of the following tools can
allow that?
Responda
-
A. Kerberos
-
B. OAuth
-
C. OpenID
-
D. LDAP
Questão 9
Questão
Ben’s organization has had an issue with unauthorized access to
applications and workstations during the lunch hour when employees
aren’t at their desk. What are the best types of session management
solutions for Ben to recommend to help prevent this type of access?
Responda
-
A. Use session IDs for all access and verify system IP addresses of all
workstations.
-
B. Set session time-outs for applications and use password-protected
screensavers with inactivity time-outs on workstations.
-
C. Use session IDs for all applications, and use password protected
screensavers with inactivity time-outs on workstations.
-
D. Set session time-outs for applications and verify system IP
addresses of all workstations.
Questão 10
Questão
The financial services company that Susan works for provides a web
portal for its users. When users need to verify their identity, the
company uses information from third-party sources to ask questions
based on their past credit reports, such as “Which of the following
streets did you live on in 2007?” What process is Susan’s organization
using?
Questão 11
Questão
What authentication technology can be paired with OAuth to perform
identity verification and obtain user profile information using a
RESTful API?
Responda
-
A. SAML
-
B. Shibboleth
-
C. OpenID Connect
-
D. Higgins
Questão 12
Questão
Jim has Secret clearance and is accessing files that use a mandatory
access control scheme to apply the Top Secret, Secret, Confidential,
and Unclassified label scheme. What classification levels of data can
he access, provided that he has a valid need-to-know?
Responda
-
A. Top Secret and Secret
-
B. Secret, Confidential, and Unclassified
-
C. Secret data only
-
D. Secret and Unclassified
Questão 13
Questão
The security administrators at the company that Susan works for have
configured the workstation she uses to allow her to log in only during
her work hours. What type of access control best describes this
limitation?
Questão 14
Questão
Which of the following is not an access control layer?
Responda
-
A. Physical
-
B. Policy
-
C. Administrative
-
D. Technical
Questão 15
Questão
Ben uses a software-based token that changes its code every minute.
What type of token is he using?
Responda
-
A. Asynchronous
-
B. Smart card
-
C. Synchronous
-
D. Static
Questão 16
Questão
What type of token-based authentication system uses a
challenge/response process in which the challenge has to be entered
on the token?
Responda
-
A. Asynchronous
-
B. Smart card
-
C. Synchronous
-
D. RFID
Questão 17
Questão
Ben’s organization is adopting biometric authentication for its
high-security building’s access control system.
Ben’s company is considering configuring its systems to work at the
level shown by point A on the diagram. To what level is it setting the
sensitivity?
Responda
-
A. The FRR crossover
-
B. The FAR point
-
C. The CER
-
D. The CFR
Questão 18
Questão
Ben’s organization is adopting biometric authentication for its
high-security building’s access control system.
At point B, what problem is likely to occur?
Responda
-
A. False acceptance will be very high.
-
B. False rejection will be very high.
-
C. False rejection will be very low.
-
D. False acceptance will be very low.
Questão 19
Questão
Ben’s organization is adopting biometric authentication for its
high-security building’s access control system.
What should Ben do if the FAR and FRR shown in this diagram does
not provide an acceptable performance level for his organization’s
needs?
Responda
-
A. Adjust the sensitivity of the biometric devices.
-
B. Assess other biometric systems to compare them.
-
C. Move the CER.
-
D. Adjust the FRR settings in software.
Questão 20
Questão
What LDAP authentication mode can provide secure authentication?
Responda
-
A. Anonymous
-
B. SASL
-
C. Simple
-
D. S-LDAP
Questão 21
Questão
Which of the following Type 3 authenticators is appropriate to use by
itself rather than in combination with other biometric factors?
Questão 22
Questão
What danger is created by allowing the OpenID relying party to
control the connection to the OpenID provider?
Responda
-
A. It may cause incorrect selection of the proper OpenID provider.
-
B. It creates the possibility of a phishing attack by sending data to a
fake OpenID provider.
-
C. The relying party may be able to steal the client’s username and
password.
-
D. The relying party may not send a signed assertion.
Questão 23
Questão
Jim is implementing a cloud identity solution for his organization.
What type of technology is he putting in place?
Questão 24
Questão
RAID-5 is an example of what type of control?
Responda
-
A. Administrative
-
B. Recovery
-
C. Compensation
-
D. Logical
Questão 25
Questão
When Alex sets the permissions shown in the following image as one
of many users on a Linux server, what type of access control model is
he leveraging?
Responda
-
A. Role Based Access Control
-
B. Rule-based Access control
-
C. Mandatory Access Control (MAC)
-
D. Discretionary Access Control (DAC)
Questão 26
Questão
What open protocol was designed to replace RADIUS—including
support for additional commands and protocols, replacing UDP traffic
with TCP, and providing for extensible commands—but does not
preserve backward compatibility with RADIUS?
Responda
-
A. TACACS
-
B. RADIUS-NG
-
C. Kerberos
-
D. Diameter
Questão 27
Questão
LDAP distinguished names (DNs) are made up of comma-separated
components called relative distinguished names (RDNs) that have an
attribute name and a value. DNs become less specific as they progress
from left to right. Which of the following LDAP DNs best fits this rule?
Responda
-
A. uid=ben,ou=sales,dc=example,dc=com
-
B. uid=ben,dc=com,dc=example
-
C. dc=com,dc=example,ou=sales,uid=ben
-
D. ou=sales,dc=com,dc=example
Questão 28
Questão
Susan is troubleshooting Kerberos authentication problems with
symptoms including TGTs that are not accepted as valid and an
inability to receive new tickets. If the system she is troubleshooting is
properly configured for Kerberos authentication, her username and
password are correct, and her network connection is functioning, what
is the most likely issue?
Responda
-
A. The Kerberos server is offline.
-
B. There is a protocol mismatch.
-
C. The client’s TGTs have been marked as compromised and deauthorized.
-
D. The Kerberos server and the local client’s time clocks are not
synchronized.
Questão 29
Questão
Kerberos, KryptoKnight, and SESAME are all examples of what type of
system?
Responda
-
A. SSO
-
B. PKI
-
C. CMS
-
D. Directory
Questão 30
Questão
Which of the following access control categories would not include a
door lock?
Responda
-
A. Physical
-
B. Directive
-
C. Preventative
-
D. Deterrent
Questão 31
Questão
What authentication protocol does Windows use by default for Active
Directory systems?
Responda
-
A. RADIUS
-
B. Kerberos
-
C. OAuth
-
D. TACACS+
Questão 32
Questão
Alex configures his LDAP server to provide services on 636 and 3269.
What type of LDAP services has he configured based on LDAP’s
default ports?
Responda
-
A. Unsecure LDAP and unsecure global directory
-
B. Unsecure LDAP and secure global directory
-
C. Secure LDAP and secure global directory
-
D. Secure LDAP and unsecure global directory
Questão 33
Questão
Which of the following is best described as an access control model
that focuses on subjects and identifies the objects that each subject can
access?
Responda
-
A. An access control list
-
B. An implicit denial list
-
C. A capability table
-
D. A rights management matrix
Questão 34
Questão
Jim’s organization-wide implementation of IDaaS offers broad
support for cloud-based applications. Jim’s company does not have inhouse
identity management staff and does not use centralized identity
services. Instead, they rely upon Active Directory for AAA services.
Which of the following options should Jim recommend to best handle
the company’s onsite identity needs?
Responda
-
A. Integrate onsite systems using OAuth.
-
B. Use an on-premises third-party identity service.
-
C. Integrate onsite systems using SAML.
-
D. Design an in-house solution to handle the organization’s unique
needs.
Questão 35
Questão
Which of the following is not a weakness in Kerberos?
Responda
-
A. The KDC is a single point of failure.
-
B. Compromise of the KDC would allow attackers to impersonate any
user.
-
C. Authentication information is not encrypted.
-
D. It is susceptible to password guessing.
Questão 36
Questão
Voice pattern recognition is what type of authentication factor?
Responda
-
A. Something you know
-
B. Something you have
-
C. Something you are
-
D. Somewhere you are
Questão 37
Questão
If Susan’s organization requires her to log in with her username, a
PIN, a password, and a retina scan, how many distinct authentication
factor types has she used?
Responda
-
A. One
-
B. Two
-
C. Three
-
D. Four
Questão 38
Questão
Which of the following items are not commonly associated with
restricted interfaces?
Responda
-
A. Shells
-
B. Keyboards
-
C. Menus
-
D. Database views
Questão 39
Questão
During a log review, Saria discovers a series of logs that show login
failures, as shown here:
Jan 31 11:39:12 ip-10-0-0-2 sshd[29092]: Invalid user admin from
remotehost passwd=orange
Jan 31 11:39:20 ip-10-0-0-2 sshd[29098]: Invalid user admin from
remotehost passwd=Orang3
Jan 31 11:39:23 ip-10-0-0-2 sshd[29100]: Invalid user admin from
remotehost passwd=Orange93
Jan 31 11:39:31 ip-10-0-0-2 sshd[29106]: Invalid user admin from
remotehost passwd=Orangutan1
Jan 31 20:40:53 ip-10-0-0-254 sshd[30520]: Invalid user admin
from remotehost passwd=Orangemonkey
What type of attack has Saria discovered?
Questão 40
Questão
What major issue often results from decentralized access control?
Responda
-
A. Access outages may occur.
-
B. Control is not consistent.
-
C. Control is too granular.
-
D. Training costs are high.
Questão 41
Questão
Callback to a landline phone number is an example of what type of
factor?
Responda
-
A. Something you know
-
B. Somewhere you are
-
C. Something you have
-
D. Something you are
Questão 42
Questão
Kathleen needs to set up an Active Directory trust to allow
authentication with an existing Kerberos K5 domain. What type of
trust does she need to create?
Responda
-
A. A shortcut trust
-
B. A forest trust
-
C. An external trust
-
D. A realm trust
Questão 43
Questão
Which of the following AAA protocols is the most commonly used?
Responda
-
A. TACACS
-
B. TACACS+
-
C. XTACACS
-
D. Super TACACS
Questão 44
Questão
Which of the following is not a single sign-on implementation?
Responda
-
A. Kerberos
-
B. ADFS
-
C. CAS
-
D. RADIUS
Questão 45
Questão
As shown in the following image, a user on a Windows system is not
able to use the “Send Message” functionality. What access control
model best describes this type of limitation?
Responda
-
A. Least privilege
-
B. Need to know
-
C. Constrained interface
-
D. Separation of duties
Questão 46
Questão
What type of access controls allow the owner of a file to grant other
users access to it using an access control list?
Responda
-
A. Role based
-
B. Nondiscretionary
-
C. Rule based
-
D. Discretionary
Questão 47
Questão
Alex’s job requires him to see protected health information (PHI) to
ensure proper treatment of patients. His access to their medical
records does not provide access to patient addresses or billing
information. What access control concept best describes this control?
Questão 48
Questão
Use your knowledge of the Kerberos logon process and the
following diagram.
At point A in the diagram, the client sends the username and password
to the KDC. How is the username and password protected?
Responda
-
A. 3DES encryption
-
B. TLS encryption
-
C. SSL encryption
-
D. AES encryption
Questão 49
Questão
Use your knowledge of the Kerberos logon process and the
following diagram.
At point B in the diagram, what two important elements does the KDC
send to the client after verifying that the username is valid?
Responda
-
A. An encrypted TGT and a public key
-
B. An access ticket and a public key
-
C. An encrypted, time-stamped TGT and a symmetric key encrypted
with a hash of the user’s password
-
D. An encrypted, time-stamped TGT and an access token
Questão 50
Questão
Use your knowledge of the Kerberos logon process and the
following diagram.
What tasks must the client perform before it can use the TGT?
Responda
-
A. It must generate a hash of the TGT and decrypt the symmetric key.
-
B. It must accept the TGT and decrypt the symmetric key.
-
C. It must decrypt the TGT and the symmetric key.
-
D. It must send a valid response using the symmetric key to the KDC
and must install the TGT.