CISSP - Identity and Access Management (IAM)

If we were to implement SESAME instead of KERBEROS, what would it use instead of tickets?

Options are :

  • PACs. (Correct)
  • PASs.
  • RASs.
  • PKI.

Answer : PACs.

Explanation SESAME (Secure European System for Applications in a Multi-vendor Environment): Uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute Certificates) instead of Kerberos’ tickets. It uses PKI encryption (asymmetric), which addresses the Kerberos issue of storing symmetric keys in plaintext.

CISSP - Security Operations Mock Questions

We have found some older systems on our network using the Password Authentication Protocol (PAP). What would be a reason we would want to migrate away from using it?

Options are :

  • Credentials are sent in plaintext over the network. (Correct)
  • It uses SSL.
  • It uses PPP.
  • The client and server need to know a plaintext shared secret. It is stored in plaintext on the server, but never sent over the network.

Answer : Credentials are sent in plaintext over the network.

Explanation PAP (Password Authentication Protocol): One of the oldest authentication protocols, no longer secure. Credentials are sent over the network in plaintext. Authentication is initiated by the client/user, which sends a packet with the credentials (username and password) at the beginning of the connection.

If we are using Active Directory (AD) for our role-based access control (RBAC) authentication, we would inherently use which authentication protocol?

Options are :

  • LDAP. (Correct)
  • Diameter.
  • Radius.
  • TACACS

Answer : LDAP.

Explanation AD (Active Directory): Included in most Windows Server OS as a set of processes and services. Uses LDAP (Lightweight Directory Access Protocol) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

For our authentication, we are looking at knowledge factors. Which is the MOST common knowledge factor in use today?

Options are :

  • Pass phrase.
  • PINs.
  • Passwords. (Correct)
  • One-time passwords.

Answer : Passwords.

Explanation Something you know - Type 1 Authentication: This is the most commonly used form of authentication, and a password is the most common knowledge factor.

CISSP Security Engineering Certification Practical Exam Set 9

An attacker has stolen some of our hashed passwords. Which of these countermeasures, if already implemented, could prevent the attacker from finding the plaintext passwords with rainbow tables?

Options are :

  • Salting. (Correct)
  • Key stretching.
  • Limit number of wrong logins.
  • Strong password requirements.

Answer : Salting.

Explanation Salt (salting): Random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks and pre-computed rainbow table attacks.

An attacker has been listening to our network traffic and has captured some passwords and session IDs. She is planning to use them in an attack in 2 days. What would the attack be using?

Options are :

  • Dictionary.
  • Brute force.
  • Replay. (Correct)
  • Reverse engineering.

Answer : Replay.

Explanation Reusing captured session IDs or passwords at a later time is replaying the information, i.e. a replay attack.

When we are using our username and password online for authentication, what else can we use for multifactor authentication?

Options are :

  • Passphrases.
  • PINs.
  • Tokens. (Correct)
  • Security questions.

Answer : Tokens.

Explanation Tokens are a possession factor; combined with the username and password (knowledge factors) we have multifactor authentication.

CISSP - Mock Questions with all domains

Looking at how we authenticate our employees, which of the authentication methods is something you are?

Options are :

  • Type 1.
  • Type 2.
  • Type 3. (Correct)
  • Type 0.

Answer : Type 3.

Explanation Something you are - Type 3 Authentication (Biometrics): Fingerprint, iris scan, facial geometry etc.; these are also called realistic authentication. The subject uses these to authenticate their identity: if they present that trait, they must be who they say they are.

Which of these authentication methods is NOT something physical?

Options are :

  • Type 1. (Correct)
  • Type 2.
  • Type 3.
  • Type 0.

Answer : Type 1.

Explanation Something you know - Type 1 Authentication: Passwords, pass phrases, PINs etc., also called knowledge factors. Since it is something you know, it is not physical.

Jane has a project looking at possible Federated Identity Management (FIDM) implementations at our organization. Which of these would she NOT consider?

Options are :

  • SAML.
  • OAuth.
  • OpenID.
  • LDAP. (Correct)

Answer : LDAP.

Explanation LDAP (The Lightweight Directory Access Protocol) is used for accessing and maintaining distributed directory information services over an IP network and not FIDM (Federated Identity Management).

CISSP - Security and Risk Management Practice Questions

Which of these security issues could be a reason we would NOT want to implement Kerberos?

Options are :

  • Asymmetric plaintext key storage.
  • Symmetric plaintext key storage. (Correct)
  • PKI.
  • Never sending the password over the network.

Answer : Symmetric plaintext key storage.

Explanation Kerberos stores the plaintext of symmetric keys.

Which of these protocols is vendor neutral?

Options are :

  • LDAP. (Correct)
  • AD.
  • EIGRP.
  • VTP.

Answer : LDAP.

Explanation LDAP (The Lightweight Directory Access Protocol): Open, vendor-neutral, industry standard application protocol for accessing and maintaining distributed directory information services over an IP network. An application layer protocol that uses TCP and UDP port 389. LDAP is commonly used for central storage of usernames and passwords; many different applications and services can connect to the LDAP server to validate users.

Which of these protocols is the MOST commonly used for remote management of routers and switches?

Options are :

  • Kerberos.
  • RADIUS. (Correct)
  • DIAMETER.
  • LDAP.

Answer : RADIUS.

Explanation RADIUS (Remote Authentication Dial-In User Service): A networking protocol that provides centralized Authentication, Authorization, and Accounting management for users who connect to and use a network service. Widely used by ISPs (Internet service providers) and large organizations to manage access to IP networks, APs, VPNs, servers, 802.1x, etc. Uses a client/server protocol that runs in the application layer, and can use either TCP or UDP as transport. Network access servers, the gateways that control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. Uses UDP ports 1812 for authentication and 1813 for accounting, and can use TCP as the transport layer with TLS for security.

CISSP Security Engineering Certification Practical Exam Set 7

The TACACS+ protocol as default uses which TCP port?

Options are :

  • 443
  • 80
  • 49 (Correct)
  • 23

Answer : 49

Explanation TACACS+: Provides better password protection by using two-factor strong authentication. Not backwards compatible with TACACS. Uses TCP port 49 for authentication with the TACACS+ server. Similar to RADIUS, but where RADIUS only encrypts the password, TACACS+ encrypts the entire data package.

We want to protect against rainbow tables by implementing salting. What are rainbow tables made up of?

Options are :

  • Pre-made list of matching passwords and hashes. (Correct)
  • Pre-arranged lists of full words and numbers.
  • Pre-made list of matching biometrics and passwords.
  • Pre-made list of matching passwords and hashes using salts.

Answer : Pre-made list of matching passwords and hashes.

Explanation Rainbow table attacks: Pre-made list of plaintext and matching ciphertext, often passwords and their matching hashes; a table can have 1,000,000's of pairs.

In our access control implementations, we are wanting to ensure the accountability of our users. Which of these could be something we could use for that?

Options are :

  • Their username.
  • A password.
  • Role based access control.
  • Non-repudiation. (Correct)

Answer : Non-repudiation.

Explanation Accountability (often referred to as Auditing): Traces an action to a subject's identity. It proves who performed a given action and provides non-repudiation. Group or shared accounts are never OK; they have zero accountability. Uses audit trails and logs to associate a subject with its actions.

A disgruntled employee in our organization is trying to break administrator passwords using dictionary attacks. How would he do that?

Options are :

  • He uses the entire key space.
  • He uses full words often with numbers at the end. (Correct)
  • He uses precompiled hashes to compare the password hash to.
  • He has software installed on a computer that records all keystrokes.

Answer : He uses full words often with numbers at the end.

Explanation Dictionary attacks: Based on a pre-arranged listing, often dictionary words. They often succeed because people choose short passwords that are ordinary words, frequently with numbers at the end.

Which of these could be a countermeasure we can use to detect a software keylogger?

Options are :

  • Physical inspection of the system.
  • Look at which programs are running on the system. (Correct)
  • We could see unauthorized access to certain files.
  • They are not detectable.

Answer : Look at which programs are running on the system.

Explanation Keylogging (Keystroke logging): A keylogger is added to the user's computer and records every keystroke the user enters. A software keylogger is a program installed on the computer. The computer is often compromised by a trojan, where the payload is the keylogger or a backdoor. The keylogger calls home or uploads the keystrokes to a server at regular intervals.

When we have our employees insert a card into a reader, it is using which type of technology?

Options are :

  • Magnetic stripe.
  • Contactless cards.
  • Contact cards. (Correct)
  • HOTP tokens.

Answer : Contact cards.

Explanation Contact Cards - Inserted into a machine to be read. This can be credit cards you insert into the chip reader or the DOD CAC (Common Access Card).

CISSP Security Engineering Certification Practical Exam Set 4

After our CEO has had issues getting her fingerprint reader to recognize her fingerprint, she is wanting us to lower the sensitivity on the readers. What could be a NEGATIVE side effect of doing what she is asking us to do?

Options are :

  • False accepts. (Correct)
  • False rejects.
  • True accepts.
  • True rejects.

Answer : False accepts.

Explanation FAR (False accept rate) Type 2 error: Unauthorized user is granted access. This is a very serious error.

In which type of access control model would your access to data be determined by your job title?

Options are :

  • DAC.
  • MAC.
  • RBAC. (Correct)
  • RUBAC.

Answer : RBAC.

Explanation RBAC (Role Based Access Control): Often used when Integrity is most important. Policy neutral access control mechanism defined around roles and privileges. A role is assigned permissions, and subjects in that role are added to the group; if they move to another position, they are moved to the permissions group for that position.

In our authentication process we are wanting to add a pseudo random number to ensure old data is not replayed. Which of these would we add?

Options are :

  • Salting.
  • Nonce. (Correct)
  • Key-stretching.
  • Clipping levels.

Answer : Nonce.

Explanation Nonce (arbitrary number that may only be used once): It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. Nonces can also be useful as initialization vectors and in cryptographic hash functions.

CISSP - Software Development Security Mock Questions

We are already using usernames and passwords online. Which of these could be something else we would add to get multifactor authentication?

Options are :

  • PINs.
  • Single-use password. (Correct)
  • Security questions.
  • Challenge response.

Answer : Single-use password.

Explanation Single-use passwords are possession factors: you don't remember them, you have them on a piece of paper or on a token. With the username, password and single-use password we have multifactor authentication.

Which authentication method would use something you are expected to have?

Options are :

  • Type 1.
  • Type 2. (Correct)
  • Type 3.
  • Type 0.

Answer : Type 2.

Explanation Something you have - Type 2 Authentication: ID, passport, smart card, token, cookie on PC; these are called possession factors. The subject uses these to authenticate their identity: if they have the item, they must be who they say they are.

If we are using magnetic stripe ID cards and we are wanting to add additional security measures, which of these could we implement for visual inspection and have it be the MOST secure?

Options are :

  • Picture of the user.
  • Embedded hologram. (Correct)
  • Name, title and department.
  • PHI.

Answer : Embedded hologram.

Explanation Embedded holograms on IDs are much harder to replicate than pictures and other things that can be printed on the card. We would never have PHI on an ID card.

We have realized our current use of magnetic stripe ID cards is not matching the security profile senior management wants. What could we use on the cards in addition to the magnetic stripe to make them smart cards?

Options are :

  • Holograms.
  • UV printing.
  • RFID chip. (Correct)
  • RFII chip.

Answer : RFID chip.

Explanation Smart Cards and tokens (contact or contactless): They contain a computer circuit using an ICC (Integrated Circuit Chip).

When we have a system requiring users to reauthenticate every hour, what is that system using?

Options are :

  • Multifactor authentication.
  • Continuous authentication. (Correct)
  • Single factor authentication.
  • Reverse proxy.

Answer : Continuous authentication.

Explanation Continuous authentication can either prompt the user to log in every hour or monitor things like keystroke patterns (typing rhythm), mouse movement, etc.; these would be compared against a user baseline.

When someone is using a fake ID, it is an attack on which type of authentication?

Options are :

  • Type 1.
  • Type 2. (Correct)
  • Type 3.
  • Type 4.

Answer : Type 2.

Explanation Something you have - Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC etc.).

In implementing type 1 authentication, we could implement which of these? (Select all that apply).

Options are :

  • Passwords. (Correct)
  • PINs. (Correct)
  • One-time passwords.
  • Pass phrases. (Correct)
  • Tokens
  • Biometrics.

Answer : Passwords. PINs. Pass phrases.

Explanation Something you know - Type 1 Authentication: Passwords, pass phrases, PINs etc., also called knowledge factors. The subject uses these to authenticate their identity: if they know the secret, they must be who they say they are. This is the most commonly used form of authentication, and a password is the most common knowledge factor. The user is required to prove knowledge of a secret to authenticate.

Which of these protocols provides mutual authentication?

Options are :

  • LDAP.
  • Kerberos. (Correct)
  • Radius.
  • Diameter.

Answer : Kerberos.

Explanation Kerberos: Authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to each other in a secure manner. It is based on a client–server model and provides mutual authentication: both the user and the server verify each other's identity. Messages are protected against eavesdropping and replay attacks. Builds on symmetric keys and requires a trusted third party, and can optionally use PKI during certain phases of authentication. Uses UDP port 88 by default; used in Active Directory from Windows 2000 onwards, and in many Unix OS’.

In a security audit, we are looking at the authentication protocols we use. Which of these uses a key-distribution center?

Options are :

  • Kerberos. (Correct)
  • Radius.
  • Diameter.
  • LDAP.

Answer : Kerberos.

Explanation Kerberos: Authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to each other in a secure manner. It uses an AS (Authentication Server) and a TGS (Ticket Granting Server), which are part of the KDC (Key Distribution Center).

CISSP Security Engineering Certification Practical Exam Set 1

Jane is suggesting we use LDAP for our authentication protocol. What is the LDAP protocol?

Options are :

  • Lightweight Directory Authentication Protocol.
  • Lightweight Directory Authorization Protocol.
  • Lightweight Directory Access Protocol. (Correct)
  • Lightweight Direction Address Protocol.

Answer : Lightweight Directory Access Protocol.

Explanation LDAP (Lightweight Directory Access Protocol): Versions 2 and 3 are in current use. Active Directory uses LDAP alongside Microsoft's version of Kerberos and DNS.

If we wanted to implement the CHEAPEST and the WEAKEST type of authentication, what would we implement?

Options are :

  • Knowledge based factors. (Correct)
  • Possession based factors.
  • Realistic based factors.
  • Reflective based factors.

Answer : Knowledge based factors.

Explanation Something you know - Type 1 Authentication: It is the weakest form of authentication and can easily be compromised. It is also the cheapest: we just tell users their password, nothing is issued, and we don't need biometric readers.

Which of these options could be something that can help an attacker circumvent clipping levels?

Options are :

  • The attacker using brute force.
  • The attacker getting a hashed password. (Correct)
  • The attacker knowing the username.
  • The attacker using rainbow tables.

Answer : The attacker getting a hashed password.

Explanation If an attacker can get access to the file of hashed passwords guessing can be done offline, rapidly testing candidate passwords against the true password's hash value.

CISSP Security Engineering Certification Practice Exam Set 10

An administrator account keeps getting locked for too many failed logins. There is no malicious activity and the administrator is not using the account. What is MOST LIKELY happening?

Options are :

  • The administrator used the wrong credentials on a system and it is using the administrator credentials and not the proper system credentials to authenticate. (Correct)
  • The password does not meet our requirements and because of that the account is being locked.
  • The password has reached its maximum age and the administrator has chosen a new password.
  • The administrator has configured a system to use his password for authentication and he has entered the right username and password.

Answer : The administrator used the wrong credentials on a system and it is using the administrator credentials and not the proper system credentials to authenticate.

Explanation When an administrator uses their own credentials to give a system access, the system will keep those credentials until logged out. It should not be done. If the administrator enters a wrong password, the system will keep re-authenticating with it, and that will eventually keep locking the account.

Jane is manually reviewing our logs. As the organization has grown, there are simply too many logs to review manually in a timely fashion. Which of these could help her?

Options are :

  • IPS.
  • IDS.
  • SIEM. (Correct)
  • FIDI.

Answer : SIEM.

Explanation SIEM (Security Information and Event Management) provides real-time analysis of security alerts generated by network hardware and applications.

An administrator notices a user's account is being used from across the world and at 0300 in the morning. They know the employee is not out of the country. What is the FIRST thing they should do?

Options are :

  • Call the user.
  • Lock the account. (Correct)
  • Monitor what the attacker is doing.
  • Nothing, we don't have any policies to address that.

Answer : Lock the account.

Explanation The administrator should lock the account, then if deemed appropriate call the user. We would assume the credentials are compromised and we don't want the attacker to stay on our network.

CISSP Security Engineering Certification Practical Exam Set 10

Your bank sends you a text message with a number to enter along with your username and password. What is this an example of?

Options are :

  • Single factor authentication.
  • Cookie.
  • Multifactor authentication. (Correct)
  • Salting.

Answer : Multifactor authentication.

Explanation Multifactor authentication: the username and password are both knowledge factors; the code the bank sends you is a possession factor, so we now have true multifactor authentication.

Your bank sends you an email with a number to enter along with your username and password. After having done this for the first time, you may not have to do it again. Why is that?

Options are :

  • They know it is you, and single factor authentication is OK now.
  • You have a cookie on your computer, that and username/password is multifactor authentication. (Correct)
  • Because it is too cumbersome, people would stop using online banking if they had to do it every time.
  • It is salting and only done once.

Answer : You have a cookie on your computer, that and username/password is multifactor authentication.

Explanation After the initial entry it can be stored in a cookie on your computer. The cookie is also a possession factor, so we still have multifactor authentication with the username, password and cookie.

Jane has been tasked with implementing multifactor authentication at our organization. The request from senior management is to make it secure, but also to protect employees' privacy and not inadvertently record something that could reveal private employee health information. To make passwords safer Jane implements some safeguards. Which of these should NOT be one of them?

Options are :

  • Key stretching.
  • Salting.
  • Nonce.
  • No minimum password age. (Correct)

Answer : No minimum password age.

Explanation We could use nonces, salting and key stretching as well as a minimum password age. A nonce is an arbitrary number that may only be used once. Salting is random data that is used as an additional input to a one-way function that hashes a password or passphrase. Key stretching: adding 1-2 seconds to password verification; if an attacker is brute forcing a password and needs millions of attempts, the attack becomes unfeasible. Minimum password age is used to prevent users from cycling through passwords to return to their favorite password again.

CISSP Security Engineering Certification Practice Exam Set 7

Which type of access control model would we use, if availability is MOST important?

Options are :

  • DAC. (Correct)
  • RBAC.
  • MAC.
  • RUBAC.

Answer : DAC.

Explanation DAC (Discretionary Access Control): Often used when Availability is most important. Access to an object is assigned at the discretion of the object owner. The owner can add, remove rights, commonly used by most OS’. Uses DACLs (Discretionary ACL), based on user identity.

We are using RBAC access control in our organization. What is that based on?

Options are :

  • Labels and clearance.
  • The discretion of the object owner.
  • The job role of the user. (Correct)
  • IF/THEN statements.

Answer : The job role of the user.

Explanation RBAC (Role Based Access Control): Often used when Integrity is most important. Policy neutral access control mechanism defined around roles and privileges. A role is assigned permissions, and subjects in that role are added to the group; if they move to another position, they are moved to the permissions group for that position.

A disgruntled former employee is trying to break the passwords of our administrator accounts using rainbow tables. What is he using for that?

Options are :

  • He uses the entire key space.
  • He uses full words often with numbers at the end.
  • He uses precompiled hashes to compare the password hash to. (Correct)
  • He has software installed on a computer that records all keystrokes.

Answer : He uses precompiled hashes to compare the password hash to.

Explanation Rainbow table attacks: Pre-made list of plaintext and matching ciphertext, often passwords and their matching hashes; a table can have 1,000,000's of pairs.

In our access control implementations, keeping the IAAA model in mind, which of these could we use for authorization?

Options are :

  • Usernames.
  • Passwords.
  • Role based access control. (Correct)
  • Non-repudiation.

Answer : Role based access control.

Explanation We use access control models to determine what a subject is allowed to access. This could be done with RBAC (Role Based Access Control).

We are using AD (Active Directory) in our organization. We have just bought out a competitor. They are also using AD, but we are not sure on their security posture yet. Which of these are common types of AD trust domains? (Select all that apply).

Options are :

  • Bidirectional trust.
  • Two-way trust. (Correct)
  • Transitive trust. (Correct)
  • Intransitive (non-transitive) trust. (Correct)
  • Active trust.
  • Proven trust.

Answer : Two-way trust. Transitive trust. Intransitive (non-transitive) trust.

Explanation AD (Active Directory) can use trust domains, which allow users in one domain to access resources in another. One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain. Two-way trust: Two domains allow access to users on both domains. Trusted domain: The domain that is trusted, whose users have access to the trusting domain. Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest. Intransitive (non-transitive) trust: A one-way trust that does not extend beyond two domains.

We have discovered we may have hardware keyloggers on some of our workstations. How could we detect a hardware keylogger?

Options are :

  • Physical inspection of the system. (Correct)
  • Look at which programs are running on the system.
  • We could see unauthorized access to certain files.
  • They are not detectable.

Answer : Physical inspection of the system.

Explanation Keylogging (Keystroke logging): A keylogger is added to the user's computer and records every keystroke the user enters. A hardware keylogger is attached to the USB port where the keyboard is plugged in. It can either call home or needs to be removed to retrieve the information.

When we have our users hold their employee ID cards close to a reader, we are using which technology?

Options are :

  • Magnetic stripe.
  • Contactless cards. (Correct)
  • Contact cards.
  • HOTP tokens.

Answer : Contactless cards.

Explanation Contactless Cards - can be read by proximity. Key fobs or credit cards where you just hold them close to a reader. They use an RFID (Radio Frequency Identification) tag (transponder), which is then read by an RFID transceiver.

We have, after a long project, implemented biometrics in our organization. What do we want for our biometrics?

Options are :

  • FAR.
  • CER. (Correct)
  • FRR.
  • CRR.

Answer : CER.

Explanation Something you are - Type 3 Authentication (Biometrics): we want a good mix of FRR and FAR. They are both curved graphs, and where they meet on the graph is the CER (Crossover Error Rate); this is where we want to be.

Which of these is NOT a problem when we are talking about our biometrics?

Options are :

  • False accept.
  • False reject.
  • True reject. (Correct)
  • FAR.

Answer : True reject.

Explanation A true reject is rejecting someone who should be rejected; our biometrics are working, all is well.

CISSP - Security Assessment and Testing Mock

In which type of access control system would access to data be determined by a subject’s clearance?

Options are :

  • DAC.
  • MAC. (Correct)
  • RBAC.
  • RUBAC.

Answer : MAC.

Explanation MAC (Mandatory Access Control): Often used when Confidentiality is most important. Access to an object is determined by labels and clearance; this is often used in the military or in organizations where confidentiality is very important. Labels: Objects have labels assigned to them, and the subject's clearance must dominate the object's label. The label is used to allow subjects with the right clearance to access them. Labels are often more granular than just “Top Secret”; they can be “Top Secret – Nuclear”.

Bob is working on adding context-based access control in addition to our existing security controls. What could be something he would implement?

Options are :

  • Hiding or showing menus in an application.
  • Access to data only between 0800 and 1700 (5PM). (Correct)
  • Access to data depending on labels and clearance.
  • Access to data dependent on job title.

Answer : Access to data only between 0800 and 1700 (5PM).

Explanation Context-based access control: Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history.

Looking at identity and access provisioning, identities consist of which of these?

Options are :

  • Entities.
  • Rights.
  • Attributes. (Correct)
  • Objects.

Answer : Attributes.

Explanation We can have multiple identities per entity and each identity can have multiple attributes. I can be staff, alumni and enrolled student at a college. As staff I could have access to different areas and data than I would as alumni and student.

CISSP Security Engineering Certification Practice Exam Set 2

Jane is looking at the Kerberos implementation we have in place and is working on the Key Distribution Center (KDC). Which of these is part of the KDC?

Options are :

  • TGT.
  • SWG.
  • BGP.
  • TGS. (Correct)

Answer : TGS.

Explanation The KDC (Key Distribution Center) consists of the AS (Authentication Server) and the TGS (Ticket Granting Server).

We have been using Kerberos for some years. Bob is explaining the traffic flow to a new colleague. What does the client send to the TGS?

Options are :

  • User ID.
  • Authenticator. (Correct)
  • Session key.
  • Plaintext password.

Answer : Authenticator.

Explanation When requesting services, the client sends the following messages to the TGS: #1 The TGT and the ID of the requested service. #2 Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key.

Which security issue in Kerberos was addressed in SESAME with Public Key Infrastructure (PKI)?

Options are :

  • Asymmetric plaintext key storage.
  • Symmetric plaintext key storage. (Correct)
  • PKI.
  • Never sending the password over the network.

Answer : Symmetric plaintext key storage.

Explanation SESAME (Secure European System for Applications in a Multi-vendor Environment): Uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute Certificates) instead of Kerberos’ tickets. It uses PKI encryption (asymmetric), which addresses the Kerberos issue of storing symmetric keys in plaintext.

We have found some older systems on our network using CHAP. What could be a reason we would want to migrate away from using CHAP?

Options are :

  • Credentials are sent in plaintext over the network.
  • It uses SSL.
  • It uses PPP.
  • It stores client passwords on the server, they are never sent over the network. (Correct)

Answer : It stores client passwords on the server, they are never sent over the network.

Explanation The CHAP server stores the plaintext password of each client; an attacker gaining access to the server can steal all the client passwords stored on it.

Which of these is NOT a downside to enforcing software tokens on phones for multifactor authentication?

Options are :

  • Phones can be lost.
  • Phones have to be charged.
  • SIM cloning.
  • It is user friendly. (Correct)

Answer : It is user friendly.

Explanation Software tokens on phones are easy and user friendly, but they also come with some challenges. What can a user do if they lose the phone, if their SIM card is cloned, or if the phone is not charged?

What can we implement that could help DECREASE identity theft online?

Options are :

  • Multifactor authentication. (Correct)
  • Single factor authentication.
  • Usernames and passwords.
  • Saving usernames and passwords on your computer.

Answer : Multifactor authentication.

Explanation Multifactor authentication is a good way to decrease online identity theft. Passwords and usernames are easily compromised; adding a possession-based factor makes authentication much more secure.

CISSP - Security and Risk Management Practice Questions

In our access management, we would NEVER want to use group user accounts. Why is that?

Options are :

  • No authentication.
  • No accountability. (Correct)
  • No authorization.
  • No availability.

Answer : No accountability.

Explanation Accountability (often referred to as Auditing): Traces an action to a subject's identity. It proves who performed a given action and provides non-repudiation. Group or shared accounts are never OK; they have zero accountability.

Which type of authentication can also be used for identification?

Options are :

  • Fingerprint.
  • Password.
  • Passport. (Correct)
  • PIN.

Answer : Passport.

Explanation In this case the passport is both something you have and something that can be used for identification. For multiple factor authentication we would still want a knowledge factor or a biometric factor.

Type 2 authentication includes all these, EXCEPT which?

Options are :

  • TOTP token.
  • Passport.
  • Cookie.
  • Password. (Correct)

Answer : Password.

Explanation Something you have - Type 2 Authentication (ID, Passport, Smart Card, Token, cookie on PC etc.). A password is something you know (type 1 factor).

CISSP - Mock Questions with all domains

What can we do when a type 1 authentication factor is compromised?

Options are :

  • Issue a new password. (Correct)
  • Issue a new ID card.
  • Stop use of that type of biometric for that employee or use another finger if fingerprint.
  • Revoke the token.

Answer : Issue a new password.

Explanation Type 1 Authentication is something you know; this could be a password, pass phrase, PIN, etc. We would issue a new, different password.

Which type of authentication will ask the user for something they have?

Options are :

  • Type 1.
  • Type 2. (Correct)
  • Type 3.
  • Type 4.

Answer : Type 2.

Explanation Something you have - Type 2 Authentication: ID, passport, smart card, token, cookie on PC; these are called possession factors. The subject uses these to authenticate their identity: if they have the item, they must be who they say they are.

For our new startup, we are looking at different types of identity and access management. Which of these are COMMON types of that? (Select all that apply).

Options are :

  • DAC (Discretionary Access Control). (Correct)
  • RUBAC (Rule Based Access Control).
  • MAC (Mandatory Access Control). (Correct)
  • RBAC (Role Based Access Control). (Correct)
  • TRAC (Trust Ratio Access Control).

Answer : DAC (Discretionary Access Control). MAC (Mandatory Access Control). RBAC (Role Based Access Control).

Explanation In Identity and Access Management we can use DAC (Discretionary Access Control), which is often used when Availability is most important. Access to an object is assigned at the discretion of the object owner. MAC (Mandatory Access Control): Often used when Confidentiality is most important. Access to an object is determined by labels and clearance; this is often used in the military or in organizations where confidentiality is very important. RBAC (Role Based Access Control): Often used when Integrity is most important. A policy-neutral access control mechanism defined around roles and privileges. A role is assigned permissions, and subjects in that role are added to the group; if they move to another position, they are moved to the permissions group for that position. RUBAC is based on IF/THEN statements (think older firewalls), and is not a type of Identity and Access Management. TRAC is ... well, nothing, I made it up 0_o

CISSP Security Engineering Certification Practice Exam Set 5

A HMAC-based one-time password (HOTP) is an example of which type of authentication method?

Options are :

  • Something you know.
  • Something you have. (Correct)
  • Something you are.
  • Somewhere you are.

Answer : Something you have.

Explanation Something you have - Type 2 Authentication: HOTP (HMAC-based one-time password): Shared secret and an incrementing counter; a code is generated when asked for and stays valid until used.

We are using one-time passwords that are pushed every 30 seconds to an application on our technical staff's phones. Which type of tokens are we using?

Options are :

  • HOTP.
  • TOTP. (Correct)
  • ROTP.
  • BOTP.

Answer : TOTP.

Explanation Something you have - Type 2 Authentication: TOTP (Time-based One-Time Password): Time-based with a shared secret, often generating a new code every 30 or 60 seconds; synchronized clocks are critical.

Implementing our access control model, you are asked, "In which type of access management would you use access lists?" What do you answer?

Options are :

  • MAC.
  • DAC. (Correct)
  • RBAC.
  • RAC.

Answer : DAC.

Explanation DAC (Discretionary Access Control): Often used when Availability is most important. Uses DACLs (Discretionary Access Control Lists), based on user identity. Access to an object is assigned at the discretion of the object owner. The owner can add and remove rights; this is commonly used by most operating systems.

CISSP - Security and Risk Management Practice Questions

In which type of access management would we use labels for objects?

Options are :

  • MAC. (Correct)
  • DAC.
  • RBAC.
  • RAC.

Answer : MAC.

Explanation MAC (Mandatory Access Control): Often used when Confidentiality is most important. Access to an object is determined by labels and clearance; this is often used in the military or in organizations where confidentiality is very important. Labels: Objects have labels assigned to them, and the subject's clearance must dominate the object's label. The label is used to allow subjects with the right clearance to access them. Labels are often more granular than just "Top Secret"; they can be "Top Secret - Nuclear".

John is not allowed to access the organization's network from anywhere but his home and at his desk at work. He just went on vacation and tried to log in. His access request was denied. This is a type of what?

Options are :

  • Content-based access control.
  • Context-based access control. (Correct)
  • Both context and content.
  • Role based access control.

Answer : Context-based access control.

Explanation Context-based access control: Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, and access history. Providing the username and password combination followed by a challenge-and-response mechanism such as CAPTCHA, filtering wireless access based on MAC addresses, or a firewall filtering data based on packet analysis are all examples of context-dependent access control mechanisms.
