Explanation
Multifactor authentication requires more than one type of factor: username/password are both knowledge factors, as are password/PIN, and fingerprint/retina scans are both biometric factors.
Explanation
Passwords should never contain: The name of a pet, child, family member, or significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word "password." Winter2017 is not a good password, even if it does fulfill the password requirements. Official recommendations by the U.S. Department of Defense and Microsoft: password history = set to remember 24 passwords; maximum password age = 90 days; minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again). Minimum password length = 8 characters. Passwords must meet complexity requirements = true. Store password using reversible encryption = false.
Explanation
Something you know - Type 1 Authentication: passwords, passphrases, PINs, etc., also called knowledge factors. The subject uses these to authenticate their identity: they know the secret, therefore they must be who they say they are.
Explanation
Something you are - Type 3 Authentication (Biometrics): lost passwords and ID cards can be replaced with new, different ones. Biometrics can't. You can't change your fingerprints; once compromised, they are always compromised.
Explanation
A salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase.
Explanation
Clipping levels: a threshold on failed login attempts that keeps administrative overhead down. It lets authorized users who forget or mistype their password have a couple of extra tries, and it prevents password guessing by locking the user account for a set time frame (e.g., an hour) or until it is unlocked by an administrator.
Explanation
Something you have - Type 2 Authentication: ID, passport, smart card, token, cookie on a PC; these are called possession factors.
Explanation
Single-use passwords and one-time pads: while they are passwords, they are something you have in your possession, not something you know.
Explanation
Contactless cards can be read by proximity: key fobs or credit cards that you just hold close to a reader. They use an RFID (Radio Frequency Identification) tag (transponder), which is then read by an RFID transceiver.
Explanation
Something you have - Type 2 Authentication: TOTP (Time-based One-Time Password) is time-based and uses a shared secret; codes are often generated every 30 or 60 seconds, so synchronized clocks are critical.
Explanation
FAR (False accept rate), Type 2 error: an unauthorized user is granted access. This is a very serious error.
Explanation
MAC (Mandatory Access Control): often used when confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.
Explanation
DAC (Discretionary Access Control): often used when availability is most important. Access to an object is assigned at the discretion of the object owner. The owner can add or remove rights; this model is commonly used by most OSes. It uses DACLs (Discretionary ACLs), based on user identity.
Explanation
Context-based access control: Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history.
Explanation
Accountability (often referred to as auditing): tracing an action to a subject's identity. It proves who performed a given action and so provides non-repudiation. Group or shared accounts are never OK; they have zero accountability. It uses audit trails and logs to associate a subject with its actions.
Explanation
Centralized pros (decentralized cons): all systems and locations have the same security posture. It is easier to manage: all records, configurations and policies are centralized and only configured once per policy. Attackers look for the weakest link in our chain; if a small satellite office is not following our security posture, it can be an easy way onto our network. It is more secure, since only a few people have access and can make changes to the system. It can also provide separation of duties: the local admin can't edit or delete logs from their own facility. SSO can be used for user access to multiple systems with one login.
Centralized cons (decentralized pros): traffic overhead and response time. How long does it take for a door lock to authenticate the user against the database at the head office? Is connectivity to the head office stable, and is important equipment on redundant power and internet?
Explanation
Accounts should be locked when employees leave the organization. Deleting them makes auditing harder, so deactivation/locking is preferred.
Explanation
SSO (Single sign-on): users use a single sign-on for multiple systems. If an attacker compromises that single password, they have access to everything that user can access. SSO is often deployed in organizations where users have to access 10+ systems and find it too burdensome to remember all those passwords. SSO has the same strong password requirements as normal single-system passwords.
Explanation
LDAP (Lightweight Directory Access Protocol) is commonly used for central storage of usernames and passwords; many different applications and services can connect to the LDAP server to validate users. It is an open, vendor-neutral, industry-standard application protocol for accessing and maintaining distributed directory information services over an IP network. It is an application-layer protocol and uses TCP and UDP port 389.
Explanation
Diameter is largely used in the 3G/4G space; RADIUS is used elsewhere. Diameter was intended as a replacement for RADIUS, but the use cases changed and the two now serve different purposes. It also provides centralized AAA (Authentication, Authorization, and Accounting) management for users who connect to and use a network service.
Explanation
TACACS (Terminal Access Controller Access Control System): a centralized access control system requiring users to send an ID and reusable (and therefore vulnerable) passwords for authentication; because of this it is no longer considered secure. It uses TCP/UDP port 49. TACACS has generally been replaced by TACACS+ and RADIUS.
Explanation
CHAP (Challenge-Handshake Authentication Protocol): the CHAP server stores the plaintext password of each client, so an attacker gaining access to the server can steal all the client passwords stored on it. CHAP protects against replay attacks by the peer through an incrementally changing identifier and a variable challenge value. It requires that the client and server both know the plaintext of a shared secret, but that secret is never sent over the network. This provides better security than PAP, which is vulnerable on both counts. CHAP is used by PPP (Point-to-Point Protocol) servers to validate remote clients, and it periodically re-verifies the identity of the client using a three-way handshake.
Explanation
AD (Active Directory): included in most Windows Server OSes as a set of processes and services. It is a directory service that Microsoft developed for Windows domain networks. Originally it was only in charge of centralized domain management; as of Windows Server 2008, AD became an umbrella term for a broad range of directory-based, identity-related services.
Explanation
One-way trust, two-way trust, trusted domain, transitive trust and intransitive trust are all domain trust types; there is no "reflective trust."
Explanation
Our access control is determined by our policies, procedures, and standards. These outline to whom we grant access, and to what: we use least privilege and need to know, and we give our staff and systems exactly the access they need and no more.
Explanation
Usernames are used for identification; we should never allow group logins or accounts. Identifiers include your name, username, ID number, employee number, SSN, etc.
Explanation
A single-use password is not a knowledge-based factor; it is a possession-based factor.
Explanation
Something you know - Type 1 Authentication: passwords, passphrases, PINs, etc., also called knowledge factors. It is the weakest form of authentication and can easily be compromised.
Explanation
Secret questions like "Where were you born?" are poor examples of a knowledge factor: the answer is known by a lot of people and can often be researched easily.
Explanation
Minimum password age is implemented to prevent users from cycling through their last used passwords to return to their favorite password again. Passwords should also have a minimum length, contain upper/lower case letters, numbers and symbols, and not contain full words or other easy-to-guess phrases.
Explanation
Something you are - Type 3 Authentication (Biometrics) can inadvertently breach our employees' privacy: some fingerprint patterns are related to chromosomal diseases, iris patterns could reveal genetic sex, retina scans can show if a person is pregnant or diabetic, hand vein patterns could reveal vascular diseases, and most behavioral biometrics could reveal neurological diseases, etc.
Explanation
Biometrics can be very effective if implemented right, but they do have some risks we need to be aware of: we can't reissue new biometrics, it is possible to learn about genetic diseases, pregnancy and other personal information from some biometrics, and they are more expensive to implement than Type 1 and Type 2 authentication.
Explanation
Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
Explanation
Authentication: something you know - Type 1 Authentication (passwords, passphrases, PINs, etc.); something you have - Type 2 Authentication (ID, passport, smart card, token, cookie on a PC, etc.); something you are - Type 3 Authentication, biometrics (fingerprint, iris scan, facial geometry, etc.).
Explanation
Keylogging (keystroke logging): a keylogger is added to the user's computer and records every keystroke the user enters. A software keylogger is a program installed on the computer; the computer is often compromised by a trojan whose payload is the keylogger or a backdoor, and the keylogger calls home or uploads the keystrokes to a server at regular intervals. A hardware keylogger is attached to the USB port where the keyboard is plugged in; it can either call home or must be physically removed to retrieve the information.
Explanation
Key stretching: adding 1-2 seconds to password verification. If an attacker is brute forcing a password and needs millions of attempts, the attack becomes unfeasible. Brute force attacks use the entire keyspace (every possible key); with enough time, any plaintext can be decrypted. They are effective against all key-based ciphers except the one-time pad: brute force would eventually decrypt it, but would also generate so many false positives that the data would be useless.
Explanation
Salt (salting): random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks and pre-computed rainbow table attacks.
Explanation
Magnetic stripe cards: swiped through a reader; no circuit. Very easy to duplicate.
After we have implemented biometrics in our organization, we are having issues with too high a rejection rate of authorized employees. Which of these is the false rejection rate?
Explanation
FRR (False rejection rate), Type 1 error: authorized users are rejected. This can be caused by settings that are too strict, e.g., requiring 99% accuracy on the biometric match.
Explanation
Salting is adding random characters to passwords before hashing; it does nothing against brute force attacks. Key stretching and limited login attempts are good countermeasures; complex passwords can help, but will eventually be broken.
Explanation
The cookie is a possession factor, so we still have multifactor authentication with the username, password and cookie. Username and password are knowledge factors, just like PINs, passphrases and challenge-response answers.
Explanation
It can take a second or two on older systems to authenticate if the passwords are hashed or encrypted. We should, however, never leave passwords in plaintext to save a second or two.
Explanation
If an attacker can get access to the file of hashed passwords, guessing can be done offline, rapidly testing candidate passwords against the true password's hash value. This circumvents the clipping levels (the limit on wrong login attempts).
Explanation
Salted hashing is the best way to store passwords: verification can be near instant, and the password can't be recovered from the stored hash.
Explanation
Single-use passwords: Having passwords which are only valid once makes many potential attacks ineffective, just like one-time pads. While they are passwords, it is something you have in your possession, not something you know.
Explanation
Brute force attacks use the entire keyspace (every possible key). With enough time, any plaintext can be decrypted. They are effective against all key-based ciphers except the one-time pad; brute force would eventually decrypt it, but it would also generate so many false positives that the data would be useless.
Explanation
Something you are - Type 3 Authentication (Biometrics): biometric authentication errors are measured as FRR (False rejection rate), FAR (False accept rate) and CER (Crossover Error Rate).
Explanation
With biometrics we can't reissue authentication factors; you always have the same fingerprints. If they are compromised, nothing can be done other than to stop using them.
Explanation
RBAC (Role-Based Access Control): a role is assigned permissions, and subjects in that role are added to the group; if they move to another position, they are moved to the permissions group for that position.
Explanation
Content-based access control: when access is granted based on the attributes or content of an object, it is known as content-dependent access control. Hiding or showing menus in an application, views in databases, and access to confidential information are all content-dependent. In this type of control, the value and attributes of the content being accessed determine the control requirements.
Explanation
We can have multiple identities per entity, and each identity can have multiple attributes. I can be staff, an alumnus and an enrolled student at the same college; as staff I could have access to different areas and data than I would as an alumnus or student.
Explanation
RFID (Radio Frequency Identification) is used for a variety of things, including smart cards; it is not a federated identity management (FIdM) technology.
Explanation
SAML (Security Assertion Markup Language): an XML-based, open-standard data format for exchanging authentication and authorization data between parties. The single most important requirement that SAML addresses is web browser SSO.
Explanation
The KDC (Key Distribution Center) consists of the AS (Authentication Server) and the TGS (Ticket Granting Server).
Explanation
The client sends a cleartext user ID to the AS (Authentication Server) requesting services on behalf of the user.