CISSP - Identity and Access Management (IAM)

Jane has been tasked with finding multifactor authentication solutions for our organization. Which of these is TRUE multifactor authentication?

Options are :

  • Username and password.
  • Password and PIN.
  • Fingerprint and password. (Correct)
  • Fingerprint and retina scan.

Answer : Fingerprint and password.

Explanation Multifactor authentication requires more than one type of factor: username and password are both knowledge factors, so are password and PIN, and fingerprint and retina scans are both biometrics.

In our best practice password policy, which of these would be allowed?

Options are :

  • Whole dictionary words.
  • Minimum length passwords. (Correct)
  • Birthdays.
  • Family members' names.

Answer : Minimum length passwords.

Explanation Passwords should never contain: The name of a pet, child, family member, or significant other, anniversary dates, birthdays, birthplace, favorite holiday, something related to a favorite sports team, or the word "password." Winter2017 is not a good password, even if it does fulfill the password requirements. Official recommendations by the U.S. Department of Defense and Microsoft: password history = set to remember 24 passwords; maximum password age = 90 days; minimum password age = 2 days (to prevent users from cycling through 24 passwords to return to their favorite password again). Minimum password length = 8 characters. Passwords must meet complexity requirements = true. Store password using reversible encryption = false.

Which of these describes Type 1 authentication?

Options are :

  • Something you have.
  • Something you are.
  • Something you know. (Correct)
  • Somewhere you are.

Answer : Something you know.

Explanation Something you know - Type 1 Authentication: passwords, pass phrase, PIN, etc., also called knowledge factors. The subject uses these to authenticate their identity: they know the secret, therefore they must be who they say they are.

Which type of authentication is the WORST to have compromised, because we are unable to reissue it?

Options are :

  • Type 1.
  • Type 2.
  • Type 3. (Correct)
  • Type 4.

Answer : Type 3.

Explanation Something you are - Type 3 Authentication (Biometrics): Lost passwords and ID cards can be replaced with new different ones. Biometrics can’t. You can't change your fingerprints; once compromised they are always compromised.

PINs, passwords, and passphrases are all which type of authentication?

Options are :

  • Type 1. (Correct)
  • Type 2.
  • Type 3.
  • Type 5.

Answer : Type 1.

Explanation Something you know - Type 1 Authentication: passwords, pass phrase, PIN, etc., also called knowledge factors. The subject uses these to authenticate their identity: they know the secret, therefore they must be who they say they are.

We are adding random data to our password hashes, to prevent attackers from successfully using rainbow table and dictionary attacks. What are we adding to the hash function?

Options are :

  • Nonce.
  • Salting. (Correct)
  • Key stretching.
  • Clipping levels.

Answer : Salting.

Explanation Salting is random data that is used as an additional input to a one-way function that hashes a password or passphrase.

What is the PRIMARY reason we would implement clipping levels?

Options are :

  • To prevent password guessing.
  • To prevent administrative overhead. (Correct)
  • To allow users to unlock their own account when they mistype their password too many times.
  • To allow users a few tries when they fat finger their password.

Answer : To prevent administrative overhead.

Explanation Clipping levels are in place to prevent administrative overhead. They allow authorized users who forget or mistype their password to still have a couple of extra tries. They prevent password guessing by locking the user account for a certain time frame (an hour), or until unlocked by an administrator.

We can use smart cards, tokens, passports, and IDs for which type of authentication?

Options are :

  • Type 1.
  • Type 2. (Correct)
  • Type 3.
  • Type 5.

Answer : Type 2.

Explanation Something you have - Type 2 Authentication: ID, passport, smart card, token, cookie on PC; these are called Possession factors.

When we use single-use passwords and one-time pads, we are using which type of authentication?

Options are :

  • Something you know.
  • Something you are.
  • Something you have. (Correct)
  • Somewhere you are.

Answer : Something you have.

Explanation Single-use passwords and one-time pads: while they are passwords, they are something you have in your possession, not something you know.

We have implemented contactless ID cards in our organization. Which type of technology do they use?

Options are :

  • RIPE.
  • RFID. (Correct)
  • Magnetic stripe.
  • RAID.

Answer : RFID.

Explanation Contactless cards can be read by proximity: key fobs or credit cards that you just hold close to a reader. They use an RFID (Radio Frequency Identification) tag (transponder), which is then read by an RFID transceiver.

As part of our authentication process, we have issued our staff TOTP tokens. How do they work?

Options are :

  • Generates a new password often. (Correct)
  • Generate a password that is valid until it is used.
  • Does not need the clocks of the token and the server to be synchronized.
  • Sends us a new password when we request it, but never when we don't.

Answer : Generates a new password often.

Explanation Something you have - Type 2 Authentication: TOTP (Time-based One-Time Password): Time based with shared secret, often generated every 30 or 60 seconds, synchronized clocks are critical.

Without using anything to trick our systems, an unauthorized individual is allowed access using our biometric authentication. This is an example of what?

Options are :

  • FRR.
  • FAR. (Correct)
  • CER.
  • CRR.

Answer : FAR.

Explanation FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.

Which kind of type 3 authentication errors are the WORST?

Options are :

  • False acceptance. (Correct)
  • True acceptance.
  • False rejection.
  • True acceptance.

Answer : False acceptance.

Explanation FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.

Which type of access control model would we use if confidentiality was the MOST important factor to us?

Options are :

  • DAC.
  • RBAC.
  • MAC. (Correct)
  • RUBAC.

Answer : MAC.

Explanation MAC (Mandatory Access Control): Often used when confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.

We are using DAC (Discretionary access control) in our organization. What is DAC based on?

Options are :

  • Labels and clearance.
  • The discretion of the object owner. (Correct)
  • The job role of the user.
  • IF/THEN statements.

Answer : The discretion of the object owner.

Explanation DAC (Discretionary Access Control): Often used when availability is most important. Access to an object is assigned at the discretion of the object owner. The owner can add and remove rights; this is commonly used by most OSes. Uses DACLs (Discretionary ACLs), based on user identity.

In which type of access control do subjects have clearances and objects have labels?

Options are :

  • RBAC.
  • MAC. (Correct)
  • DAC.
  • RUBAC.

Answer : MAC.

Explanation MAC (Mandatory Access Control): Often used when confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.

Which type of access control could we use to limit access outside of regular work hours?

Options are :

  • Context-based access control. (Correct)
  • Content-based access control.
  • Role-based access control.
  • Discretionary access control.

Answer : Context-based access control.

Explanation Context-based access control: Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history.

When we talk about auditing in the IAAA model, what does that mean?

Options are :

  • Allows users to access data 24/7.
  • Compares object labels to the clearance of the subject.
  • Traces actions to subjects' identities. (Correct)
  • Assigns attributes to identities.

Answer : Traces actions to subjects' identities.

Explanation Accountability (often referred to as auditing): Traces an action to a subject's identity. It proves who performed a given action and provides non-repudiation. Group or shared accounts are never OK; they have zero accountability. Uses audit trails and logs to associate a subject with its actions.

Why would we choose a centralized access control system over a decentralized one?

Options are :

  • Faster response time at remote locations.
  • Different security postures at different locations.
  • If the internet between sites is down, we can't authenticate.
  • It is easier to manage. (Correct)

Answer : It is easier to manage.

Explanation Centralized pros (decentralized cons): All systems and locations have the same security posture. Easier to manage: all records, configurations and policies are centralized and only configured once per policy. Attackers look for the weakest link in our chain; if a small satellite office is not following our security posture, it can be an easy way onto our network. It is more secure: only a few people have access and can make changes to the system. It can also provide separation of duties; the local admin can't edit/delete logs from their facility. SSO can be used for user access to multiple systems with one login. Centralized cons (decentralized pros): Traffic overhead and response time: how long does it take for a door lock to authenticate the user against the database at the head office? Is connectivity to the head office stable? Is important equipment on redundant power and internet?

Which of these would NOT be part of a good identity and access provisioning lifecycle?

Options are :

  • Notifying users to change their passwords before they expire. Revoking accounts and access when contractors stop working for us.
  • Leaving accounts unlocked when employees leave the organization. (Correct)
  • Identify accounts that have not been used for more than 10 days following their creation.
  • Locking accounts when employees leave the organization.

Answer : Leaving accounts unlocked when employees leave the organization.

Explanation Accounts should be locked when employees leave the organization. Deleting them makes it harder to audit; deactivation/locking is preferred.

What could be one of the NEGATIVE consequences of implementing Single Sign On (SSO) in our organization?

Options are :

  • It is easier for users to just use one login.
  • If compromised the attacker has access to all the systems the user does. (Correct)
  • SSO has weaker password requirements than regular applications do.
  • It takes too long to remember a single password over many.

Answer : If compromised the attacker has access to all the systems the user does.

Explanation SSO (Single sign-on): Users use a single sign-on for multiple systems. If an attacker compromises a single password, they have access to everything that user can access. Often deployed in organizations where users have to access 10+ systems and think it is too burdensome to remember all those passwords. SSO has the same strong password requirements as normal single-system passwords.

What is LDAP COMMONLY used for?

Options are :

  • Central username and password storage. (Correct)
  • Internet routing protocol.
  • Hashing passwords.
  • Managing firewall and router access lists.

Answer : Central username and password storage.

Explanation LDAP (Lightweight Directory Access Protocol) is commonly used for central username and password storage; many different applications and services can connect to the LDAP server to validate users. It is an open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network. It is an application layer protocol and uses TCP and UDP port 389.

Diameter was designed to replace Radius, but the change never happened. Where is Diameter COMMONLY used now?

Options are :

  • Router management.
  • In the 3/4G space. (Correct)
  • Wireless access points.
  • Webserver file uploads and downloads.

Answer : In the 3/4G space.

Explanation Diameter is largely used in the 3/4G space; RADIUS is used elsewhere. It was intended as a replacement for RADIUS, but the use cases changed and both now have different uses. It also provides centralized AAA (Authentication, Authorization, and Accounting) management for users who connect to and use a network service.

Which of these authentication protocols is no longer considered secure?

Options are :

  • Diameter.
  • Radius.
  • TACACS. (Correct)
  • TACACS+.

Answer : TACACS.

Explanation TACACS (Terminal Access Controller Access Control System): Centralized access control system requiring users to send an ID and reusable (vulnerable) passwords for authentication; because of this it is no longer considered secure. Uses TCP/UDP port 49. TACACS has generally been replaced by TACACS+ and RADIUS.

What is a WEAKNESS of the Challenge Handshake Authentication Protocol (CHAP)?

Options are :

  • Credentials are sent over the network in plaintext.
  • Credentials are stored in plaintext on the server. (Correct)
  • It periodically verifies the identity of clients with a 3-way handshake.
  • It uses incremental changing identifiers and variable challenge-values.

Answer : Credentials are stored in plaintext on the server.

Explanation CHAP (Challenge-Handshake Authentication Protocol): The CHAP server stores the plaintext password of each client, so an attacker gaining access to the server can steal all the client passwords stored on it. CHAP provides protection against replay attacks by the peer through the use of an incrementally changing identifier and a variable challenge value. It requires that the client and server know the plaintext of a shared secret, but the secret is never sent over the network. This provides better security compared to PAP, which is vulnerable for both of these reasons. It is used by PPP (Point-to-Point Protocol) servers to validate remote clients. CHAP periodically verifies the identity of the client by using a three-way handshake.

We are implementing Active Directory (AD) to use for managing our access control. Which of these OS families have AD natively included in their processes and services?

Options are :

  • Linux.
  • Unix.
  • MacOS.
  • Windows. (Correct)

Answer : Windows.

Explanation AD (Active Directory): Included in most Windows Server OS as a set of processes and services. Directory service that Microsoft developed for Windows domain networks. Originally it was only in charge of centralized domain management. As of Windows Server 2008, AD became an umbrella term for a broad range of directory-based identity-related services.

Active Directory (AD) uses trust domains; one domain establishes a trust relationship with another domain. Which of these is NOT an AD trust domain?

Options are :

  • Reflective trust. (Correct)
  • One-way trust.
  • Transitive trust.
  • Intransitive trust.

Answer : Reflective trust.

Explanation One-way trust, two-way trust, trusted domain, transitive trust and intransitive trust are all trust domains; there is no reflective trust.

Bob is working on designing new access controls across our organization. Which documentation should he reference to know how and what to implement?

Options are :

  • The latest tech reviews and technology.
  • Our policies, procedures and standards. (Correct)
  • It is at his discretion; Bob is the most knowledgeable employee we have on access control.
  • He would ask his peers what they would implement, since they know best, and when they agree, implement that.

Answer : Our policies, procedures and standards.

Explanation Our access control is determined by our policies, procedures, and standards. These outline how we grant access, to whom, and to what: we use least privilege and need to know, and we give our staff and systems exactly the access they need and no more.

When we are implementing new access control mechanisms, looking at the IAAA model, what could we use for identification?

Options are :

  • Usernames. (Correct)
  • A password.
  • Role based access control.
  • Non-repudiation.

Answer : Usernames.

Explanation Usernames are used for identification; we should never allow group logins or accounts. Identifiers include your name, username, ID number, employee number, SSN, etc.

When we are using knowledge-based factors in our authentication process, we would use all of these, EXCEPT which?

Options are :

  • Passwords.
  • Pass phrases.
  • PINs.
  • Single-use passwords. (Correct)

Answer : Single-use passwords.

Explanation Single-use passwords are not a knowledge-based factor; they are a possession-based factor.

Which of these is the WEAKEST form of authentication we can implement?

Options are :

  • Something you know. (Correct)
  • Something you are.
  • Something you have.
  • Biometrics.

Answer : Something you know.

Explanation Something you know - Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors. It is the weakest form of authentication, and can easily be compromised.

We often allow users to use "secret questions and answers" to unlock their accounts, because it makes our administrators' workload lighter. Can they also be used as an attack vector?

Options are :

  • No, no one else would know the answers.
  • Yes, but it would be harder to break than encryption.
  • Yes, the answers are often something that can be researched. (Correct)
  • Yes, but it really never happens, the information we use for them is so hard to get it is hardly worth it.

Answer : Yes, the answers are often something that can be researched.

Explanation Secret questions like "Where were you born?" are poor examples of a knowledge factor; the answer is known by a lot of people and can often be researched easily.

We are using some of the best practice rules on our passwords requirements. Which of these would NOT be part of that?

Options are :

  • Password hashing and salting.
  • Minimum password age.
  • No minimum password age. (Correct)
  • Maximum password age.

Answer : No minimum password age.

Explanation Minimum password age is implemented to prevent users from cycling through their last used passwords to return to their favorite password again. Passwords should also have a minimum length, contain upper/lower case letters, numbers and symbols, and should not contain full words or other easy-to-guess phrases.

Jane has been tasked with implementing multifactor authentication for our organization. The request from senior management is to make it secure, but also to protect employees' privacy and not inadvertently record something that could reveal private employee health information. What would be some good reasons to NOT use biometric authentication in Jane's implementation?

Options are :

  • It can reveal private employee information. (Correct)
  • It is wrong more often than not.
  • Biometrics often change.
  • Biometrics are easily copied.

Answer : It can reveal private employee information.

Explanation Something you are - Type 3 Authentication (Biometrics): Can inadvertently breach our employees' privacy. Some fingerprint patterns are related to chromosomal diseases; iris patterns could reveal genetic sex; retina scans can show if a person is pregnant or diabetic; hand vein patterns could reveal vascular diseases; most behavioral biometrics could reveal neurological diseases, etc.

We are thinking about implementing biometrics throughout our organization. Which of these are reasons we should consider for NOT implementing biometrics? (Select all that apply).

Options are :

  • We can't reissue new biometric credentials if we are compromised. (Correct)
  • Biometrics can reveal personal health information. (Correct)
  • It is very expensive compared to other authentication methods. (Correct)
  • Biometrics are easy to replicate for an attacker.
  • It is a very new field and the technology is not very good.

Answer : We can't reissue new biometric credentials if we are compromised. Biometrics can reveal personal health information. It is very expensive compared to other authentication methods.

Explanation Biometrics can be very effective if implemented right, but they do have some risks we need to be aware of: we can't reissue new biometrics, it is possible to learn about genetic diseases, pregnancy and other personal information from some biometrics, and they are more expensive to implement than type 1 and 2 authentication.

What is Mandatory Access Control (MAC) based on?

Options are :

  • Labels and clearance. (Correct)
  • The discretion of the object owner.
  • The job role of the user.
  • IF/THEN statements.

Answer : Labels and clearance.

Explanation MAC (Mandatory Access Control): Often used when Confidentiality is most important. Access to an object is determined by labels and clearance. This is often used in the military or in organizations where confidentiality is very important.

Jane is implementing Active Directory throughout our organization. She wants all the domains to trust each other; which type of trust domain should she implement?

Options are :

  • Two-way trust.
  • Intransitive trust.
  • Transitive trust. (Correct)
  • One-way trust.

Answer : Transitive trust.

Explanation Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.

We are implementing new access control in our organization. If we look at the IAAA model, what could we use for authentication?

Options are :

  • Their username.
  • A password. (Correct)
  • Role based access control.
  • Non-repudiation.

Answer : A password.

Explanation Authentication: Something you know - Type 1 Authentication (passwords, pass phrase, PIN etc.). Something you have - Type 2 Authentication (ID, passport, smart card, token, cookie on PC etc.). Something you are - Type 3 Authentication (Biometrics) (fingerprint, iris scan, facial geometry etc.).

A disgruntled former employee of our organization is trying to break the passwords of one of our administrator accounts. He is using a keylogger; how does he do that?

Options are :

  • He uses the entire key space.
  • He uses full words often with numbers at the end.
  • He uses precompiled hashes to compare the password hash to.
  • He has software installed on a computer that records all keystrokes. (Correct)

Answer : He has software installed on a computer that records all keystrokes.

Explanation Keylogging (keystroke logging): A keylogger is added to the user's computer and records every keystroke the user enters. Software: a program installed on the computer. The computer is often compromised by a trojan, where the payload is the keylogger or a backdoor. The keylogger calls home or uploads the keystrokes to a server at regular intervals. Hardware: attached to the USB port where the keyboard is plugged in. It can either call home or needs to be removed to retrieve the information.

An attacker is using brute force on a user account's password to gain access to our systems. We have not implemented clipping levels yet. Which of these other countermeasures could help mitigate brute force attacks?

Options are :

  • Rainbow tables.
  • Minimum password age.
  • Key stretching. (Correct)
  • Password complexity.

Answer : Key stretching.

Explanation Key stretching: Adding 1-2 seconds to password verification. If an attacker is brute forcing a password and needs millions of attempts, it becomes an unfeasible attack. Brute force attacks use the entire keyspace (every possible key); with enough time any plaintext can be decrypted. Effective against all key-based ciphers except the one-time pad: it would eventually decrypt it, but it would also generate so many false positives that the data would be useless.

When we add salting to our hashed password, what would that possibly protect us against?

Options are :

  • Brute force.
  • Physical access.
  • Rainbow tables. (Correct)
  • Smurf attacks.

Answer : Rainbow tables.

Explanation Salt (salting): Random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks or a pre-compiled rainbow table attack.

When we swipe an access card, it is using which technology?

Options are :

  • Magnetic stripe. (Correct)
  • Contactless cards.
  • Contact cards.
  • HOTP tokens.

Answer : Magnetic stripe.

Explanation Magnetic Stripe Cards: Swiped through a reader, no circuit. Very easy to duplicate.

After we have implemented biometrics in our organization, we are having issues with too high rejection rate of authorized employees. Which of these is the false rejection rate?

Options are :

  • A
  • B
  • C (Correct)

Answer : C

Explanation FRR (False rejection rate) Type 1 error: Authorized users are rejected. This can be caused by settings that are too high, such as 99% accuracy on biometrics.

Which of these countermeasures would be the LEAST effective against brute force attacks?

Options are :

  • Salting. (Correct)
  • Key stretching.
  • Limit number of wrong logins.
  • Strong password requirements.

Answer : Salting.

Explanation Salting is adding random characters to passwords before hashing; it does nothing against brute force attacks. Key stretching and limited login attempts are good countermeasures; complex passwords can help, but will eventually be broken.

We are using our username and password online. What can we add to that to get multifactor authentication?

Options are :

  • PINs.
  • Passphrases.
  • Challenge response.
  • Cookies. (Correct)

Answer : Cookies.

Explanation The cookie is a possession factor, so we have multifactor authentication with the username, password and cookie. Username and password are knowledge factors, just like PINs, passphrases and challenge response.

Looking at the authentication methods we use, which type is expected to be something you memorize?

Options are :

  • Type 1. (Correct)
  • Type 2.
  • Type 3.
  • Type 0.

Answer : Type 1.

Explanation Something you know - Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors.

Storing passwords in plaintext on a server is obviously a big security vulnerability. Why would an organization choose to do that?

Options are :

  • Because plaintext is more secure than encrypted.
  • Because the server is secure enough to not need the password encryption.
  • Access controls are only used on critical systems.
  • It is slightly faster than having to decrypt or check the password hash when the user tries to log in. (Correct)

Answer : It is slightly faster than having to decrypt or check the password hash when the user tries to log in.

Explanation It can take a second or two on older systems to authenticate if the passwords are hashed or encrypted. We should, however, never leave passwords in plaintext to save a second or two.

An attacker has gained access to our hashed passwords. We haven't started using salting or nonces yet. Why is that a problem?

Options are :

  • The attacker can circumvent clipping levels. (Correct)
  • It isn't a problem, hashes are one-way functions and can't be reversed.
  • Because the attacker now knows our encryption keys.
  • The attacker can now reverse the hash to the real password by hashing the hash he stole.

Answer : The attacker can circumvent clipping levels.

Explanation If an attacker gets access to the file of hashed passwords, guessing can be done offline, rapidly testing candidate passwords against the true password's hash value. This circumvents the clipping levels (limit on wrong login attempts).

When we are storing our passwords, which of these would be the MOST secure way to do so?

Options are :

  • Plain text.
  • Encrypted asymmetric.
  • Hashed with salt. (Correct)
  • Encrypted symmetric.

Answer : Hashed with salt.

Explanation Hashing with salting is the best way to store passwords: confirmation can be near instant and the password can't be reverse engineered.

Which of these, if used right, is the MOST secure form of "something you have" authentication?

Options are :

  • Smart card.
  • Passport.
  • Magnetic card.
  • Single-use password. (Correct)

Answer : Single-use password.

Explanation Single-use passwords: Having passwords which are only valid once makes many potential attacks ineffective, just like one-time pads. While they are passwords, it is something you have in your possession, not something you know.

Brute force can, in theory, break any password, even one-time pads. Is that a problem we should consider if we use proper security measures around our one-time pads?

Options are :

  • Yes. If broken, the one-time pad is useless.
  • Yes, The attacker would have the key.
  • No. There would be too many false positives for it to matter. (Correct)
  • Brute force can't break one-time pads.

Answer : No. There would be too many false positives for it to matter.

Explanation Brute force attacks use the entire keyspace (every possible key). With enough time, any plaintext can be decrypted. Effective against all key-based ciphers except the one-time pad; it would eventually decrypt it, but it would also generate so many false positives that the data would be useless.

When we look at using type 3 authentication, we would talk about all these terms EXCEPT which?

Options are :

  • FAR.
  • CER.
  • FRR.
  • CRR. (Correct)

Answer : CRR.

Explanation Something you are - Type 3 Authentication (Biometrics) uses these error terms for biometric authentication: FRR (False rejection rate), FAR (False accept rate) and CER (Crossover Error Rate).

If we set the sensitivity on our biometric readers too high, it can often cause too many what?

Options are :

  • False accepts.
  • False rejects. (Correct)
  • True accepts.
  • True rejects.

Answer : False rejects.

Explanation FRR (False rejection rate) Type 1 error: Authorized users are rejected. This can be caused by settings that are too high, such as 99% accuracy on biometrics.

We have had a security breach. We have already reissued Type 1 and 2 authentications to our users. How would we reissue a new type 3 authentication to them?

Options are :

  • Give them a new password.
  • Give them a new ID card.
  • We can't. (Correct)
  • Give them a HOTP token.

Answer : We can't.

Explanation With biometrics we can't reissue authentication factors. You have the same fingerprints. If compromised, nothing can be done other than to stop using them.

In which access control model can the data owner add and remove rights to or from a user?

Options are :

  • DAC. (Correct)
  • MAC.
  • RBAC.
  • RUBAC.

Answer : DAC.

Explanation DAC (Discretionary Access Control): often used where availability is the top priority. Access to an object is granted at the discretion of the object owner, who can add and remove rights for individual users. This is the default model in most operating systems, implemented with DACLs (Discretionary Access Control Lists) keyed on user identity. Under MAC the system, not the owner, assigns access through labels and clearances; under RBAC rights follow the role; under RUBAC (rule-based access control) fixed rules such as time of day decide.

We have an employee who is moving from IT to HR. If we are using RBAC access control, what would we do to his access?

Options are :

  • Add HR to his rights.
  • Add HR remove IT. (Correct)
  • Check his clearance and add access accordingly to that.
  • Have the data owner give the employee the rights he needs.

Answer : Add HR remove IT.

Explanation RBAC (Role-Based Access Control): permissions are assigned to a role, and subjects receive them by being added to that role's group. When an employee changes position, they are moved from the old role's group to the new one; removing the old role is what prevents privilege accumulation (privilege creep). Checking clearance is MAC, and having the data owner grant rights is DAC.
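The DAC and RBAC questions above, as one added example that is not part of the exam text: a minimal DAC object whose owner alone edits its DACL, and a minimal RBAC engine where a job move replaces the old role instead of adding to it. Users, roles and permission names are constructed for illustration.

```python
# Added example (not from the exam text): minimal DAC and RBAC models side by side, showing who may
# change rights under each model and what a job move does under RBAC. Users, roles and permissions
# are constructed for illustration.
from typing import Dict, Set


class DacObject:
    """DAC: the object's owner alone decides who gets which rights, via a DACL keyed on user identity."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.dacl: Dict[str, Set[str]] = {owner: {"read", "write"}}

    def grant(self, actor: str, user: str, right: str) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner and cannot change the DACL")
        self.dacl.setdefault(user, set()).add(right)

    def revoke(self, actor: str, user: str, right: str) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner and cannot change the DACL")
        self.dacl.get(user, set()).discard(right)

    def allowed(self, user: str, right: str) -> bool:
        return right in self.dacl.get(user, set())


class Rbac:
    """RBAC: permissions attach to roles; a user holds permissions only through role membership."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}

    def define_role(self, role: str, perms: Set[str]) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def move(self, user: str, old_role: str, new_role: str) -> None:
        """Job change: remove the old role and add the new one, so rights do not accumulate."""
        self.user_roles.get(user, set()).discard(old_role)
        self.assign(user, new_role)

    def permissions(self, user: str) -> Set[str]:
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, set())))


def dac_demo() -> Dict[str, object]:
    doc = DacObject(owner="alice")            # alice owns the file
    doc.grant("alice", "bob", "read")          # the owner may grant
    bob_read_before = doc.allowed("bob", "read")
    try:
        doc.grant("bob", "mallory", "read")    # a non-owner may not, even though he can read
        non_owner_blocked = False
    except PermissionError:
        non_owner_blocked = True
    doc.revoke("alice", "bob", "read")         # and the owner may take the right away again
    return {"bob_read_before": bob_read_before, "non_owner_blocked": non_owner_blocked,
            "bob_reads_after_revoke": doc.allowed("bob", "read")}


def rbac_demo() -> Dict[str, object]:
    rbac = Rbac()
    rbac.define_role("IT", {"admin_servers", "reset_passwords"})
    rbac.define_role("HR", {"read_personnel_files", "edit_payroll"})
    rbac.assign("bob", "IT")
    before = rbac.permissions("bob")
    rbac.move("bob", "IT", "HR")               # the exam's answer: add HR, remove IT
    after = rbac.permissions("bob")
    return {"before": before, "after": after, "leftover_it_rights": before & after}


if __name__ == "__main__":
    print(dac_demo())
    print(rbac_demo())
```

The `leftover_it_rights` value in the RBAC demo is the check an auditor would run after a transfer: if it is not empty, the old role was added to rather than replaced.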

Bob has been tasked with adding content-based access control, in addition to our existing security controls. Which of these could be part of what he implements?

Options are :

  • Hiding or showing menus in an application. (Correct)
  • Access to data only between 0800 (8AM) and 1700 (5PM).
  • Access to data depending on labels and clearance.
  • Access to data dependent on job title.

Answer : Hiding or showing menus in an application.

Explanation Content-based (content-dependent) access control: access is granted based on the attributes or content of the object itself; the value and attributes of the content being accessed determine the control requirements. Hiding or showing menus in an application, database views, and access to confidential fields are all content-dependent controls. The other options belong to different models: time-of-day restrictions are context-dependent (rule-based) access control, labels and clearances are MAC, and job title is RBAC.

In identity and access provisioning, your identities would correspond to what?

Options are :

  • Entities. (Correct)
  • Rights.
  • Attributes.
  • Objects.

Answer : Entities.

Explanation We can have multiple identities per entity and each identity can have multiple attributes. I can be staff, alumni and enrolled student at a college. As staff I could have access to different areas and data than I would as alumni and student.

Jane is tasked with looking at federated identity management (FIdM). Which of these would she NOT consider?

Options are :

  • Security tokens.
  • Microsoft Azure cloud.
  • RFID. (Correct)
  • Windows identity foundation.

Answer : RFID.

Explanation RFID (Radio Frequency Identification) is used for a variety of things, including smart cards and access badges, but it is a physical identification technology, not federated identity management (FIdM). Security tokens, Microsoft Azure cloud and Windows Identity Foundation are all used to build FIdM solutions.

Jane chose Security Assertion Markup Language (SAML) for our federated identity management (FIdM). Which type of Single sign-on (SSO) is that?

Options are :

  • Recursive.
  • Web browser. (Correct)
  • SQL.
  • Cloud.

Answer : Web browser.

Explanation SAML (Security Assertion Markup Language): an XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider. The single most important requirement SAML addresses is web browser SSO: the browser carries a signed assertion from the identity provider to the service provider, which must validate it before granting access.

Bob is implementing SSO for our internal applications. He is adding a fingerprint reader to each workstation for users to authenticate with. What is Bob implementing?

Options are :

  • Super sign-on.
  • Secret sign-on.
  • Secure sign-on.
  • Single sign-on. (Correct)

Answer : Single sign-on.

Explanation SSO (Single Sign-On): users authenticate once and gain access to multiple systems. It is often deployed in organizations where users must access ten or more systems and find it too burdensome to remember a separate password for each. The fingerprint reader is simply the Type 3 factor used for that one sign-on; the model itself is single sign-on.

Jane is looking at the Kerberos implementation we have in place and is working on the Key Distribution Center (KDC). Which of these is part of the KDC?

Options are :

  • AS. (Correct)
  • PSG.
  • TGT.
  • KDR.

Answer : AS.

Explanation The KDC (Key Distribution Center) consists of the AS (Authentication Server) and the TGS (Ticket Granting Server). The TGT (Ticket Granting Ticket) is issued by the AS and later presented to the TGS, but it is a ticket, not a KDC component; PSG and KDR are not Kerberos terms.

We are using Kerberos. What does the client send to the Authentication Server (AS)?

Options are :

  • User ID. (Correct)
  • Authenticator.
  • Session key.
  • Plaintext password.

Answer : User ID.

Explanation The client sends its user ID (principal name) to the AS (Authentication Server) in cleartext, requesting services on behalf of the user. The password is never sent: the AS replies with a session key encrypted under a key derived from the user's password, so only a client that knows the password can read the reply. The authenticator and session key belong to the later TGS and service exchanges.
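The AS exchange from the two Kerberos questions above, as one added example that is not part of the exam text: both sides of the AS-REQ/AS-REP messages between a client and the AS half of a simulated KDC. The realm, principal names, passwords and keys are constructed, and the cipher is a toy (a SHA-256 keystream with an HMAC tag) standing in for real Kerberos encryption types; it should not be reused. Pre-authentication (an encrypted timestamp, standard in Kerberos v5) is included because without it anyone could request a reply and guess the password offline.

```python
# Added example (not from the exam text): a simplified simulation of the Kerberos AS exchange
# (AS-REQ and AS-REP) between a client and the AS half of the KDC. Realm, principals, passwords
# and keys are constructed. The cipher is a toy (SHA-256 keystream plus an HMAC tag) standing in
# for Kerberos encryption types; do not reuse it. What it shows: the client sends its principal
# name in the clear, never its password; the password is only used locally to derive the key
# that unlocks the AS-REP, and the TGT inside the reply is opaque to the client.
import hashlib
import hmac
import json
import os
from typing import Any, Dict


def string_to_key(password: str, salt: str) -> bytes:
    """Stand-in for Kerberos string-to-key (AES etypes use PBKDF2 with realm+principal as salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || XOR(plaintext, keystream) || HMAC tag. Demo only."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


class KeyDistributionCenter:
    """Holds the AS and the TGS. The AS answers AS-REQ; the TGS (krbtgt) key seals the TGT."""

    def __init__(self, realm: str, principals: Dict[str, str]) -> None:
        self.realm = realm
        # The KDC stores derived keys, not passwords.
        self.principal_keys = {p: string_to_key(pw, realm + p) for p, pw in principals.items()}
        self.tgs_key = os.urandom(32)          # known only to the KDC

    def authentication_server(self, as_req: Dict[str, Any]) -> Dict[str, Any]:
        principal = str(as_req["cname"])
        client_key = self.principal_keys.get(principal)
        if client_key is None:
            raise LookupError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        # Pre-authentication: the encrypted timestamp proves the client knows the password
        # without ever sending it. A wrong password gives a wrong key and fails here.
        json.loads(toy_decrypt(client_key, as_req["padata"]))
        session_key = os.urandom(32)
        tgt = toy_encrypt(self.tgs_key, json.dumps({"cname": principal, "session_key": session_key.hex()}).encode())
        enc_part = toy_encrypt(client_key, json.dumps({"session_key": session_key.hex(),
                                                        "sname": f"krbtgt/{self.realm}"}).encode())
        return {"cname": principal, "ticket": tgt, "enc-part": enc_part}

    def open_ticket(self, tgt: bytes) -> Dict[str, str]:
        """Only the KDC's TGS can read a TGT; the client just carries it."""
        return json.loads(toy_decrypt(self.tgs_key, tgt))


def client_as_exchange(kdc: KeyDistributionCenter, principal: str, password: str, timestamp: int) -> Dict[str, Any]:
    """Client side: build AS-REQ, send it, unlock the AS-REP with the locally derived key."""
    client_key = string_to_key(password, kdc.realm + principal)
    as_req = {
        "cname": principal,                                   # cleartext user ID
        "sname": f"krbtgt/{kdc.realm}",                       # asking for a TGT
        "padata": toy_encrypt(client_key, json.dumps({"timestamp": timestamp}).encode()),
    }
    as_rep = kdc.authentication_server(as_req)
    enc = json.loads(toy_decrypt(client_key, as_rep["enc-part"]))
    return {"session_key": bytes.fromhex(enc["session_key"]),
            "tgt": as_rep["ticket"],                          # opaque: sealed with the TGS key
            "fields_sent": sorted(as_req)}


if __name__ == "__main__":
    kdc = KeyDistributionCenter("EXAMPLE.ORG", {"jane": "correct horse battery staple"})
    result = client_as_exchange(kdc, "jane", "correct horse battery staple", 1714564800)
    print("AS-REQ fields:", result["fields_sent"])
    print("TGT as seen by the KDC:", kdc.open_ticket(result["tgt"])["cname"])
```

Note what never appears in `as_req`: the password. A wrong password produces a wrong client key, so the AS cannot open the pre-authentication data and refuses the request, and even a captured AS-REP is useless to anyone who cannot derive the client key.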
