〇：SAML assertions are used to enable identity federation and distributed systems.

SAML provides a model that allows two parties to share authentication information about one entity. The two parties are considered a Service Provider (SP) and an Identity Provider (IdP). The Identity Provider asserts information about the principal, such as whether the subject is authenticated or has certain attributes. The service provider uses the information provided by the identity provider to make access decisions about the services it provides, including whether to trust the identity provider’s assertions. By trusting the identity provider’s information, the service provider can provide services without requiring the principal to authenticate again. This framework enables federated identification and distributed authentication across domains.

A SAML assertion is information about a principal contained in a SAML response that is returned to the service provider after authentication has been processed by the identity provider.

×：Two SAML assertions (authentication and authorization) are used to indicate that an authority by SAML has validated a particular subject.

The Identity Provider will not return two SAML assertions; one assertion will be returned per request.

×：The SAML binding specification describes how to embed SAML messages within the TCP and UDP protocols.

It is not classified in the sense of within the TCP and UDP protocols.

×：The SAML profile has a definition for issuing a refresh token.

Refresh tokens are a concept in the OAuth/OIDC family.

〇：ACL

Access Control List (ACL) A map value from the Access Control Matrix to an object; ACLs are used in several operating system, application, and router configurations. They are lists of items that are authorized to access a particular object and they define the level of authorization to be granted. Authorization can be specified to an individual or to a group. Therefore, ACLs are bound to an object and indicate which subjects can access it, and feature tables are bound to a subject and indicate which objects the subject can access.

×：Function table

The function table is a row in the access control matrix.

×：Constraint Interface

Constraint interfaces are wrong because they limit the user’s access ability by not allowing them to request certain functions or information or have access to certain system resources.

×：Role-based values

The role-based access control (RBAC) model, called non-discretionary access control, is wrong because it uses a centralized set of controls to determine how subjects and objects interact.

Disposable passwords and one-time pads are passwords but generated from something you own, not something you know. In other words, possession.

〇：Federation Identity

A federation identity is a portable identity and associated credentials that can be used across business boundaries. It allows users to authenticate across multiple IT systems and across the enterprise. Federation Identity is based on linking otherwise distinct identities of users in two or more locations without the need to synchronize or consolidate directory information. Federated Identity is an important component of e-commerce, providing businesses and consumers with a more convenient way to access distributed resources.

×：User Provisioning

User provisioning is incorrect because it refers to the creation, maintenance, and deactivation of user objects and attributes.

×：Directory

While most companies have some type of directory that contains information about company network resources and users, generally these directories are not utilized as spread across different companies. It is true that nowadays, with open APIs and cloud computing, there is a trend to deploy services through a single directory, but the directory service itself does not include resource sharing implications. In other words, it is just used as a shared service.

×：Web Access Management

Web Access Management (WAM) software is incorrect because it controls what users can access when using a Web browser to interact with Web-based corporate assets.

〇：Time-Based Synchronous Dynamic Token

A synchronous token device synchronizes with the authentication service using time or a counter as a core part of the authentication process. When synchronization is time-based, the token device and authentication service must maintain the same time within their internal clocks. The time values of the token device and private key are used to generate a one-time password that is displayed to the user. The user then passes this value and user ID to the server running the authentication service and enters this value and user ID into the computer. The authentication service decrypts this value and compares it to the expected value. If both match, the user is authenticated and allowed to use the computer and resources.

×：Counter-Based Synchronous Dynamic Token

If the token device and authentication service use counter synchronization, it is incorrect because it is not based on time. When using a counter-synchronized token device, the user must initiate the creation of a one-time password by pressing a button on the token device. This causes the token device and authentication service to proceed to the next authentication value. This value, the base secret, is hashed and displayed to the user. The user enters this resulting value along with the user ID to be authenticated. For either time or counter-based synchronization, the token device and authentication service must share the same secret base key used for encryption and decryption.

×：Asynchronous Tokens

Asynchronous token generation methods are incorrect because they use a challenge/response method for the token device to authenticate the user. Instead of using synchronization, this technique does not use separate steps in the authentication process.

×：Mandatory Tokens

Wrong because there is no such thing as a mandatory token. This is an incorrect answer.

〇：Password authentication and secret questions

Passwords are a memory-based authentication method. The secret question is also a memory-based authentication method, and is not a combination of two-factor authentication methods. Therefore, the correct answer is “password authentication and secret question.

×：Password authentication and fingerprint authentication

It is memory authentication information x body authentication information. This is a multi-factor authentication.

×：Password authentication and one-time password authentication using a token machine.

This is memory authentication information x possession authentication information. This is a multi-factor authentication.

×：Password authentication and IC card authentication

This is memory authentication information × possession authentication information. This is a multi-factor authentication.

〇：Salt

A rainbow table is a pre-built list of ciphertexts that match plaintext and have hashes that match passwords. The table can contain millions of pairs. Salting is random data used as additional input to a one-way function that “hashes” a password or passphrase. The primary function of a salting is to protect against dictionary or compiled rainbow table attacks.

×：Login Attempt Restrictions

Effective against all unauthorized login methods, but not a direct or effective countermeasure against rainbow tables.

×：Key stretching

Replacing passwords with longer, random strings for encryption purposes.

×：Hashing

Password hashing is a fixed-length cipher (hash) statement for secure password storage.

〇：Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is an access control that enforces access privileges by pre-classifying resources into levels. There are several types of access rights to data files. There are several types of access rights to data files: the user of the data file, the owner who creates the data file, and the administrator who decides which owner can create the data. SELinux, TOMOYO Linux, Trusted BSD, and Trusted Solaris are methods used by MACs.

×：Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is an access control method that allows the owner of an access target to change access privileges.

×：Role Access Control (RAC)

There is no such term. A close equivalent is role-based access control, which divides accounts by role and applies access control to those roles.

×：Voluntary Access Control (VAC)

There is no such term.

〇：The format of the audit log is unknown and is not available to the intruder in the first place.

Audit tools are technical controls that track activity within a network, on a network device, or on a specific computer. Auditing is not activity that denies an entity access to a network or computer, but it tracks activity so that the security administrator can understand the type of access made, identify security violations, or alert the administrator of suspicious activity. This information points out weaknesses in other technical controls and helps the administrator understand where changes need to be made to maintain the required level of security within the environment. Intruders can also use this information to exploit these weaknesses. Therefore, audit logs should be protected by controls on privileges, permissions, and integrity, such as hashing algorithms. However, the format of system logs is generally standardized for all similar systems. Hiding the log format is not a normal measure and is not a reason to protect audit log files.

×：If not properly protected, audit logs may not be admissible during prosecution.

This is incorrect because great care must be taken to protect audit logs in order for them to be admissible in court. Audit trails can be used to provide alerts about suspicious activity that can be investigated later. In addition, it is useful in determining exactly how far away the attack took place and the extent of any damage that may have occurred. It is important to ensure that a proper chain of custody is maintained so that all data collected can be properly and accurately represented in case it needs to be used in later events such as criminal proceedings or investigations.

×：Because audit logs contain sensitive data, only a specific subset of users should have access to them.

This is incorrect because only administrators and security personnel need to be able to view, modify, and delete audit trail information. Others cannot see this data and can rarely change or delete it. The use of digital signatures, message digest tools, and strong access controls can help ensure the integrity of the data. Its confidentiality can be protected with encryption and access control as needed, and it can be stored on write-once media to prevent data loss or tampering. Unauthorized access attempts to audit logs should be captured and reported.

×：Intruders may attempt to scrub logs to hide their activities.

If an intruder breaks into your home, do your best to leave no fingerprints or clues that can be used to link them to criminal activity. The same is true for computer fraud and illegal activity. Attackers often delete audit logs that hold this identifying information. In the text, deleting is described as scrubbing. Deleting this information may alert administrators to an alert or perceived security breach and prevent valuable data from being destroyed. Therefore, audit logs should be protected by strict access controls.

Brute force can be used to decrypt the plaintext, given enough time. This is valid for all key-based ciphers except one-time pads. Eventually the data will be decrypted, but so many false positives will occur that the data will be rendered useless.

〇：Provisioning accounts, modifying accounts, auditing account usage, and deactivating accounts.

All phases of the authenticated access lifecycle should be considered. Access should not be granted without proper instructions, nor should access be granted or denied without expected authorization. Suspension of access must also be auditable.

×：Provisioning or adding accounts, changing accounts, and suspending accounts.

Incorrect because it does not include auditing of account usage.

×：Adding an account, deleting an account, or deleting a user’s data.

Incorrect because deletion of user data may conflict with data retention requirements.

×：Verifying account passwords, checking account usage, and deleting accounts.

Incorrect because it is merely an authentication step and not related to account management.

〇：Diameter

Diameter is an authentication, authorization, and audit (AAA) protocol that not only provides the same kind of functionality as RADIUS and TACACS, but also offers more flexibility and capabilities to meet the emerging demands of today’s complex and diverse networks. Once all remote communication is done via Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP) connections, users can authenticate themselves via Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) to authenticated. The technology has become much more complex and there are multiple devices and protocols to choose from over the ever increasing Diameter protocol, Mobile IP, PPP, Voice over IP (VoIP), and other over Ethernet, wireless devices, smart phones, and other devices can authenticate themselves to the network using roaming protocols.

×：Watchdog

Watchdog timers are wrong because such processes are generally used to detect software failures such as abnormal termination or hangs. The watchdog function sends out “heartbeat” packets to determine if the service is responding. If not, the process can be terminated or reset. These packets help prevent software deadlocks, infinite loops, and process prioritization problems. This feature can be used in the AAA protocol to determine if a packet needs to be retransmitted and if a problem occurs and the connection should be closed and reopened, but it is not in the access control protocol itself.

×：RADIUS

Remote Authentication Dial-In User Service (RADIUS) is wrong because it is a network protocol and provides client/server authentication, authorization, and auditing for remote users.

×：TACACS

Terminal Access Controller Access Control System Plus (TACACS ) is incorrect because it provides essentially the same functionality as RADIUS.

〇：Reviewing and evaluating against security documentation.

Provisioning refers to the management of account information. Reviewing documents is not part of provisioning. Therefore, the correct answer is: “Review and evaluate security documentation.” The answer will be

×：When an employee leaves the company, the account should be deactivated as soon as possible.

This is proper provisioning for users and account usage that belong to the organization.

×：Periodic review and adherence to the principle of least privilege.

This is appropriate provisioning for account access privileges.

×：Appropriate deletion of accounts that are no longer needed.

This is appropriate provisioning for the management of minimum account information.

Unfortunately, security components usually affect system performance but go unnoticed by the user. If system performance is significantly slower, security controls may be enforced. The reason controls must be transparent is so that users and intruders do not know enough to disable or bypass them.

While it is important to understand the term “transparent” in the realm of security, there is another way to answer the question in terms of solving it. If there is only one answer to a four-answer question, then answers that mean the same thing cannot be correct. Therefore, by grouping, the only answer that is correct is the one that does not belong to a group.

And the key point in this question is whether the user knows. The other choices indicate that the situation is communicated on the server side as an outsider, whether a legitimate user or an attacker, whereas only one is acknowledged on the server administrator’s side.

〇：Replay attacks

Replay attacks occur when an intruder stores the acquired information and uses it to gain unauthorized access later. In this case, Emily uses a technique called electronic monitoring (sniffing) to retrieve passwords sent over the wire to an authentication server. She can later use the password to access network resources. Even if the password is encrypted, resending valid credentials can be enough to gain access.

×：Brute force attacks

Brute force attacks are incorrect because the cycle is done through many possible combinations of letters, numbers, and symbols, using tools to discover the password.

×：Dictionary attacks

Dictionary attacks are incorrect because they involve an automatic comparison of a user’s password to a file of thousands of words.

×：Social Engineering attack

A social engineering attack is incorrect because in a social engineering attack, the attacker mistakenly convinces an individual that she has the necessary permissions to access certain resources.

〇：Dictionary attack

There is a limit to the complexity that humans can remember. Consciously, we treat words and character strings we already know as passwords. To address such vulnerabilities, the act of cracking passwords by guessing passwords based on existing words or character strings is called a dictionary attack.

×：Typical Sentence attack

There is no such attack named as such yet.

×：Brute force attack

Brute force is an unauthorized login in which the user tries to guess a password at random.

×：Birthday attack

A birthday attack is an efficient method of unauthorized login by taking advantage of encryption collisions heightened by at least one overlapping probability theory.

〇：That the identity of the public official has been properly verified.

FIPS 201-2 establishes U.S. government standards for personal identity verification (PIV) and gives various requirements for assurance. Access to restricted information by government employees and contracting agents depends on their level of clearance and need to know it, but first the government must assure the individual that they are who they say they are.

×：That government employees are properly cleared for the work to which they are assigned.

Government employees must be properly cleared for the information to which they have been granted access, and therefore true identification must be available for review and verification prior to such access.

×：Government employees are only allowed access to data at their clearance level.

This is wrong because government employees only need to get acquainted and have access to the information they need to access. But again, this must be based on a clear level of assurance that the clearance they possess is valid.

×：That the data to which public officials have access is properly classified.

This is incorrect because the classification of data is not directly related to the validation of personal information.

MAC (mandatory access control) is often used when confidentiality is of utmost importance. Access to objects is determined by labels and clearances. It is often used in organizations where confidentiality is very important, such as the military.

〇：Subject

The functionality table identifies the access rights that a particular subject owns with respect to a particular object. Each subject is mapped for a function (capability) such as read or write perform. Therefore, the subject is the one that seems to fit in the choices.

×：Objects

Incorrect because the Object is bound to an Access Control List (ACL), not a functional component.

×：Product

Product is incorrect because it is just an example to implement a subject, object, or feature table.

×：Application

Application is incorrect because it is just a concrete example of an object.

〇：The ability to control access close to the resource.

Central access control has various advantages such as uniform rules and reduced operational burden. Distributed access control allows access control in close proximity to resources, thus protecting resources independently.

×：It should be possible to design a comprehensive

Distributed access control is not a comprehensive design because the authentication and authorization functions are distributed.

×：Relatively low cost.

Whether or not costs can be kept down cannot be determined by this design concept alone.

×：Logs from various devices make it easier to understand the current status.

Both central access control and distributed access control can acquire logs from various devices.