〇：SAML assertions are used to enable identity federation and distributed systems.

SAML provides a model that allows two parties to share authentication information about one entity. The two parties are considered a Service Provider (SP) and an Identity Provider (IdP). The Identity Provider asserts information about the principal, such as whether the subject is authenticated or has certain attributes. The service provider uses the information provided by the identity provider to make access decisions about the services it provides, including whether to trust the identity provider’s assertions. By trusting the identity provider’s information, the service provider can provide services without requiring the principal to authenticate again. This framework enables federated identification and distributed authentication across domains.

A SAML assertion is information about a principal contained in a SAML response that is returned to the service provider after authentication has been processed by the identity provider.

×：Two SAML assertions (authentication and authorization) are used to indicate that an authority by SAML has validated a particular subject.

The Identity Provider will not return two SAML assertions; one assertion will be returned per request.

×：The SAML binding specification describes how to embed SAML messages within the TCP and UDP protocols.

It is not classified in the sense of within the TCP and UDP protocols.

×：The SAML profile has a definition for issuing a refresh token.

Refresh tokens are a concept in the OAuth/OIDC family.

〇：Replay attacks

Replay attacks occur when an intruder stores the acquired information and uses it to gain unauthorized access later. In this case, Emily uses a technique called electronic monitoring (sniffing) to retrieve passwords sent over the wire to an authentication server. She can later use the password to access network resources. Even if the password is encrypted, resending valid credentials can be enough to gain access.

×：Brute force attacks

Brute force attacks are incorrect because the cycle is done through many possible combinations of letters, numbers, and symbols, using tools to discover the password.

×：Dictionary attacks

Dictionary attacks are incorrect because they involve an automatic comparison of a user’s password to a file of thousands of words.

×：Social Engineering attack

A social engineering attack is incorrect because in a social engineering attack, the attacker mistakenly convinces an individual that she has the necessary permissions to access certain resources.

〇：The ability to control access close to the resource.

Central access control has various advantages such as uniform rules and reduced operational burden. Distributed access control allows access control in close proximity to resources, thus protecting resources independently.

×：It should be possible to design a comprehensive

Distributed access control is not a comprehensive design because the authentication and authorization functions are distributed.

×：Relatively low cost.

Whether or not costs can be kept down cannot be determined by this design concept alone.

×：Logs from various devices make it easier to understand the current status.

Both central access control and distributed access control can acquire logs from various devices.

Disposable passwords and one-time pads are passwords but generated from something you own, not something you know. In other words, possession.

〇：Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is an access control that enforces access privileges by pre-classifying resources into levels. There are several types of access rights to data files. There are several types of access rights to data files: the user of the data file, the owner who creates the data file, and the administrator who decides which owner can create the data. SELinux, TOMOYO Linux, Trusted BSD, and Trusted Solaris are methods used by MACs.

×：Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is an access control method that allows the owner of an access target to change access privileges.

×：Role Access Control (RAC)

There is no such term. A close equivalent is role-based access control, which divides accounts by role and applies access control to those roles.

×：Voluntary Access Control (VAC)

There is no such term.

〇：Subject

The functionality table identifies the access rights that a particular subject owns with respect to a particular object. Each subject is mapped for a function (capability) such as read or write perform. Therefore, the subject is the one that seems to fit in the choices.

×：Objects

Incorrect because the Object is bound to an Access Control List (ACL), not a functional component.

×：Product

Product is incorrect because it is just an example to implement a subject, object, or feature table.

×：Application

Application is incorrect because it is just a concrete example of an object.

Web access management (WAM) software controls what users can access when interacting with Web-based corporate assets using a Web browser. This type of technology is continually becoming more robust and experiencing increased deployment. This is due to the increased use of e-commerce, online banking, content delivery, and Web services. The basic components and activities of the Web access control management process are

• The user submits credentials to the web server.
• The web server requests the WAM platform to authenticate the user. WAM authenticates to the LDAP directory and obtains credentials from the policy database.
• The user requests access to a resource (object).
• The web server verifies that object access is allowed and grants access to the requested resource.

When the complicated term WAM is mentioned, the journey begins to search for a definition of WAM that may be at the end of one’s brain. But as these thoughts begin, you will want the hard answers, like the X.500 database. But if you don’t know, it is straightforward to interpret and answer to the best of your understanding; if you interpret WAM as software that controls access to a Web server, then the question is, “Which is the correct definition of WAM?” Rather than “What do you think software that controls access to a web server does?” rather than “What do you think software that controls access to a web server does? However, it is still tempting to factor in the possibility that WAM is a solution that uses a specific technology that may be unfamiliar to you.

Type 1 authentication treats what you know as credentials. This is accomplished through passwords, passphrases, PINs, etc., and is also referred to as the knowledge factor.

〇：Time-Based Synchronous Dynamic Token

A synchronous token device synchronizes with the authentication service using time or a counter as a core part of the authentication process. When synchronization is time-based, the token device and authentication service must maintain the same time within their internal clocks. The time values of the token device and private key are used to generate a one-time password that is displayed to the user. The user then passes this value and user ID to the server running the authentication service and enters this value and user ID into the computer. The authentication service decrypts this value and compares it to the expected value. If both match, the user is authenticated and allowed to use the computer and resources.

×：Counter-Based Synchronous Dynamic Token

If the token device and authentication service use counter synchronization, it is incorrect because it is not based on time. When using a counter-synchronized token device, the user must initiate the creation of a one-time password by pressing a button on the token device. This causes the token device and authentication service to proceed to the next authentication value. This value, the base secret, is hashed and displayed to the user. The user enters this resulting value along with the user ID to be authenticated. For either time or counter-based synchronization, the token device and authentication service must share the same secret base key used for encryption and decryption.

×：Asynchronous Tokens

Asynchronous token generation methods are incorrect because they use a challenge/response method for the token device to authenticate the user. Instead of using synchronization, this technique does not use separate steps in the authentication process.

×：Mandatory Tokens

Wrong because there is no such thing as a mandatory token. This is an incorrect answer.

〇：Federation Identity

A federation identity is a portable identity and associated credentials that can be used across business boundaries. It allows users to authenticate across multiple IT systems and across the enterprise. Federation Identity is based on linking otherwise distinct identities of users in two or more locations without the need to synchronize or consolidate directory information. Federated Identity is an important component of e-commerce, providing businesses and consumers with a more convenient way to access distributed resources.

×：User Provisioning

User provisioning is incorrect because it refers to the creation, maintenance, and deactivation of user objects and attributes.

×：Directory

While most companies have some type of directory that contains information about company network resources and users, generally these directories are not utilized as spread across different companies. It is true that nowadays, with open APIs and cloud computing, there is a trend to deploy services through a single directory, but the directory service itself does not include resource sharing implications. In other words, it is just used as a shared service.

×：Web Access Management

Web Access Management (WAM) software is incorrect because it controls what users can access when using a Web browser to interact with Web-based corporate assets.

〇：Reviewing and evaluating against security documentation.

Provisioning refers to the management of account information. Reviewing documents is not part of provisioning. Therefore, the correct answer is: “Review and evaluate security documentation.” The answer will be

×：When an employee leaves the company, the account should be deactivated as soon as possible.

This is proper provisioning for users and account usage that belong to the organization.

×：Periodic review and adherence to the principle of least privilege.

This is appropriate provisioning for account access privileges.

×：Appropriate deletion of accounts that are no longer needed.

This is appropriate provisioning for the management of minimum account information.

〇：Promptly deactivate the use of employee-only accounts.

Provisioning is the process of adding accounts for use in the system. Conversely, de-provisioning is the removal of an account. An employee’s account should be deactivated at the time the employee leaves the organization. Giving a former employee access to the organization’s resources is an information leak. Therefore, the correct answer is “promptly deactivate the employee’s dedicated account.” will be

×：Retrieve the employee’s loaner computer.

This is not provisioning, but should be done at the time the employee leaves the company.

×：Signing an NDA.

A non-disclosure agreement (NDA, Non-Disclosure Agreement) is an agreement that prohibits the disclosure to others of trade secrets, etc. of the other party learned in the course of business. It is not provisioning.

×：Securing the personal contact information of employees.

A normal company would not attempt to collect such private information upon separation from employment. It is not provisioning.

〇：Provisioning accounts, modifying accounts, auditing account usage, and deactivating accounts.

All phases of the authenticated access lifecycle should be considered. Access should not be granted without proper instructions, nor should access be granted or denied without expected authorization. Suspension of access must also be auditable.

×：Provisioning or adding accounts, changing accounts, and suspending accounts.

Incorrect because it does not include auditing of account usage.

×：Adding an account, deleting an account, or deleting a user’s data.

Incorrect because deletion of user data may conflict with data retention requirements.

×：Verifying account passwords, checking account usage, and deleting accounts.

Incorrect because it is merely an authentication step and not related to account management.

〇：Salt

A rainbow table is a pre-built list of ciphertexts that match plaintext and have hashes that match passwords. The table can contain millions of pairs. Salting is random data used as additional input to a one-way function that “hashes” a password or passphrase. The primary function of a salting is to protect against dictionary or compiled rainbow table attacks.

×：Login Attempt Restrictions

Effective against all unauthorized login methods, but not a direct or effective countermeasure against rainbow tables.

×：Key stretching

Replacing passwords with longer, random strings for encryption purposes.

×：Hashing

Password hashing is a fixed-length cipher (hash) statement for secure password storage.

〇：ACL

Access Control List (ACL) A map value from the Access Control Matrix to an object; ACLs are used in several operating system, application, and router configurations. They are lists of items that are authorized to access a particular object and they define the level of authorization to be granted. Authorization can be specified to an individual or to a group. Therefore, ACLs are bound to an object and indicate which subjects can access it, and feature tables are bound to a subject and indicate which objects the subject can access.

×：Function table

The function table is a row in the access control matrix.

×：Constraint Interface

Constraint interfaces are wrong because they limit the user’s access ability by not allowing them to request certain functions or information or have access to certain system resources.

×：Role-based values

The role-based access control (RBAC) model, called non-discretionary access control, is wrong because it uses a centralized set of controls to determine how subjects and objects interact.

〇：Lock out the account for a certain period of time after reaching the clipping level.

Brute force attack is an attack that continuously tries different inputs to achieve a predefined goal that can then be used to qualify for unauthorized access. A brute force attack to discover the password means that the intruder is trying all possible sequences of characters to reveal the correct password. This proves to be a good countermeasure if the account will be disabled (or locked out) after this type of attack attempt is made.

×：Increase the clipping level.

Clipping levels are wrong because they need to be implemented to establish a baseline of user activity and acceptable error. Entities attempting to log into an account after the clipping level is met should be locked out. A high clipping level gives the attacker more attempts during a warning or lockout. Lowering the clipping level is a good countermeasure.

×：After the threshold for failed login attempts is met, the administrator should physically lock out the account.

This is incorrect because it is impractical to have an administrator physically lock out an account. This type of activity can easily be taken care of through automated software mechanisms. Accounts should be automatically locked out for a certain amount of time after a threshold of failed login attempts is met.

×：Encrypt password files and choose a weaker algorithm.

Encrypting passwords and/or password files and using a weaker algorithm is incorrect as it increases the likelihood of a successful brute force attack.

Brute force can be used to decrypt the plaintext, given enough time. This is valid for all key-based ciphers except one-time pads. Eventually the data will be decrypted, but so many false positives will occur that the data will be rendered useless.

〇：Increasing database security controls and providing more granularity.

The best approach to protecting the database in this situation would be to increase controls and assign detailed permissions. These measures would ensure that users cannot abuse their permissions and that the confidentiality of the information is maintained. The granularity of permissions would give network administrators and security professionals additional control over the resources they are charged with protecting, and the granular level would allow them to give individuals just the exact level of access they need.

×：Implement an access control where each user’s privileges are displayed each time they access the database.

Implementing an access control that displays each user’s permissions is incorrect because they are an example of one control each time they access the database. This is not the overall way of dealing with user access to a database full of information. This may be an example of better database security control, but it needs to be limited to the right places.

×：Change the classification label of the database to a higher security status.

The classification level of the information in the database should previously be determined based on its level of confidentiality, integrity, and availability. This option implies that a higher level of authorization should be given, but there is no indication in the question text that the security level is inappropriate.

×：Reduce security. Allow all users to access information as needed.

The answer to reduce security is incorrect.

〇：Password synchronization between different systems

Password synchronization is designed to reduce the complexity of maintaining different passwords for different systems. Password synchronization technology allows a single password to be maintained across multiple systems by transparently synchronizing passwords to other systems in real time. This reduces help desk call volume. However, one of the disadvantages of this approach is that only one password is used to access different resources. This means that a hacker only needs to figure out one set of credentials to gain unauthorized access to all resources. Therefore, the correct answer is “password synchronization between different systems”.

×：Password reset by administrator query

This does not reduce the amount of help desk support because the end user must contact the administrator.

×：End-user manual password reset by self-service

This is the so-called “self-service” password reset, in which end users change their passwords themselves from their profile pages.

This is the most practical way to reduce the amount of helpdesk support, but it does not meet the requirement of easy access to multiple resources in case of a password compromise.

×：Password reset by inquiry

This does not reduce the amount of helpdesk support because it requires the end user to contact the administrator. An inquiry is an inquiry whether or not an administrator is attached.

〇：Password authentication and secret questions

Passwords are a memory-based authentication method. The secret question is also a memory-based authentication method, and is not a combination of two-factor authentication methods. Therefore, the correct answer is “password authentication and secret question.

×：Password authentication and fingerprint authentication

It is memory authentication information x body authentication information. This is a multi-factor authentication.

×：Password authentication and one-time password authentication using a token machine.

This is memory authentication information x possession authentication information. This is a multi-factor authentication.

×：Password authentication and IC card authentication

This is memory authentication information × possession authentication information. This is a multi-factor authentication.