Domain 5 Exam.
A minimum of 70% is required to pass.
#1. What provisioning process should be implemented when an employee leaves the company?
〇：Promptly deactivate the use of employee-only accounts.
Provisioning is the process of adding accounts for use in the system. Conversely, de-provisioning is the removal of an account. An employee’s account should be deactivated at the time the employee leaves the organization. Giving a former employee access to the organization’s resources is an information leak. Therefore, the correct answer is “promptly deactivate the employee’s dedicated account.” will be
×：Retrieve the employee’s loaner computer.
This is not provisioning, but should be done at the time the employee leaves the company.
×：Signing an NDA.
A non-disclosure agreement (NDA, Non-Disclosure Agreement) is an agreement that prohibits the disclosure to others of trade secrets, etc. of the other party learned in the course of business. It is not provisioning.
×：Securing the personal contact information of employees.
A normal company would not attempt to collect such private information upon separation from employment. It is not provisioning.
#2. If you set a password with the string “password”, what kind of threats will you be the target of?
There is a limit to the complexity that humans can remember. Consciously, we treat words and character strings we already know as passwords. To address such vulnerabilities, the act of cracking passwords by guessing passwords based on existing words or character strings is called a dictionary attack.
×：Typical Sentence attack
There is no such attack named as such yet.
×：Brute force attack
Brute force is an unauthorized login in which the user tries to guess a password at random.
A birthday attack is an efficient method of unauthorized login by taking advantage of encryption collisions heightened by at least one overlapping probability theory.
#3. Hannah is assigned the task of installing Web Access Management (WAM) software. What is an appropriate description of the environment in which WAM is typically used?
Web access management (WAM) software controls what users can access when interacting with Web-based corporate assets using a Web browser. This type of technology is continually becoming more robust and experiencing increased deployment. This is due to the increased use of e-commerce, online banking, content delivery, and Web services. The basic components and activities of the Web access control management process are
- The user submits credentials to the web server.
- The web server requests the WAM platform to authenticate the user. WAM authenticates to the LDAP directory and obtains credentials from the policy database.
- The user requests access to a resource (object).
- The web server verifies that object access is allowed and grants access to the requested resource.
When the complicated term WAM is mentioned, the journey begins to search for a definition of WAM that may be at the end of one’s brain. But as these thoughts begin, you will want the hard answers, like the X.500 database. But if you don’t know, it is straightforward to interpret and answer to the best of your understanding; if you interpret WAM as software that controls access to a Web server, then the question is, “Which is the correct definition of WAM?” Rather than “What do you think software that controls access to a web server does?” rather than “What do you think software that controls access to a web server does? However, it is still tempting to factor in the possibility that WAM is a solution that uses a specific technology that may be unfamiliar to you.
#4. Which password management method would decrease help desk call volume and facilitate access to multiple resources in the event of a password compromise?
〇：Password synchronization between different systems
Password synchronization is designed to reduce the complexity of maintaining different passwords for different systems. Password synchronization technology allows a single password to be maintained across multiple systems by transparently synchronizing passwords to other systems in real time. This reduces help desk call volume. However, one of the disadvantages of this approach is that only one password is used to access different resources. This means that a hacker only needs to figure out one set of credentials to gain unauthorized access to all resources. Therefore, the correct answer is “password synchronization between different systems”.
×：Password reset by administrator query
This does not reduce the amount of help desk support because the end user must contact the administrator.
×：End-user manual password reset by self-service
This is the so-called “self-service” password reset, in which end users change their passwords themselves from their profile pages.
This is the most practical way to reduce the amount of helpdesk support, but it does not meet the requirement of easy access to multiple resources in case of a password compromise.
×：Password reset by inquiry
This does not reduce the amount of helpdesk support because it requires the end user to contact the administrator. An inquiry is an inquiry whether or not an administrator is attached.
#5. In United States, federal agencies must comply with the Federal Information Processing Standard 201-2 to ensure which of the following?
〇：That the identity of the public official has been properly verified.
FIPS 201-2 establishes U.S. government standards for personal identity verification (PIV) and gives various requirements for assurance. Access to restricted information by government employees and contracting agents depends on their level of clearance and need to know it, but first the government must assure the individual that they are who they say they are.
×：That government employees are properly cleared for the work to which they are assigned.
Government employees must be properly cleared for the information to which they have been granted access, and therefore true identification must be available for review and verification prior to such access.
×：Government employees are only allowed access to data at their clearance level.
This is wrong because government employees only need to get acquainted and have access to the information they need to access. But again, this must be based on a clear level of assurance that the clearance they possess is valid.
×：That the data to which public officials have access is properly classified.
This is incorrect because the classification of data is not directly related to the validation of personal information.
#6. Which of the following is a centralized access control protocol?
Diameter is an authentication, authorization, and audit (AAA) protocol that not only provides the same kind of functionality as RADIUS and TACACS, but also offers more flexibility and capabilities to meet the emerging demands of today’s complex and diverse networks. Once all remote communication is done via Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP) connections, users can authenticate themselves via Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) to authenticated. The technology has become much more complex and there are multiple devices and protocols to choose from over the ever increasing Diameter protocol, Mobile IP, PPP, Voice over IP (VoIP), and other over Ethernet, wireless devices, smart phones, and other devices can authenticate themselves to the network using roaming protocols.
Watchdog timers are wrong because such processes are generally used to detect software failures such as abnormal termination or hangs. The watchdog function sends out “heartbeat” packets to determine if the service is responding. If not, the process can be terminated or reset. These packets help prevent software deadlocks, infinite loops, and process prioritization problems. This feature can be used in the AAA protocol to determine if a packet needs to be retransmitted and if a problem occurs and the connection should be closed and reopened, but it is not in the access control protocol itself.
Remote Authentication Dial-In User Service (RADIUS) is wrong because it is a network protocol and provides client/server authentication, authorization, and auditing for remote users.
Terminal Access Controller Access Control System Plus (TACACS ) is incorrect because it provides essentially the same functionality as RADIUS.
#7. An attacker used a brute force attack to break my password. How did you know it was a brute force attack?
#8. If you use one-time passwords, which authentication type are you referring to?
#9. Security measures must be transparent to users and attackers. Which of the following does not describe transparency?
Unfortunately, security components usually affect system performance but go unnoticed by the user. If system performance is significantly slower, security controls may be enforced. The reason controls must be transparent is so that users and intruders do not know enough to disable or bypass them.
While it is important to understand the term “transparent” in the realm of security, there is another way to answer the question in terms of solving it. If there is only one answer to a four-answer question, then answers that mean the same thing cannot be correct. Therefore, by grouping, the only answer that is correct is the one that does not belong to a group.
And the key point in this question is whether the user knows. The other choices indicate that the situation is communicated on the server side as an outsider, whether a legitimate user or an attacker, whereas only one is acknowledged on the server administrator’s side.
#10. SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between systems on different security domains. SAML allows for the sharing of authentication information, such as how the authentication was performed, the attributes of an entity, and the permissions to which the entity has access. Which of the following definitions is associated with the correct SAML component?
〇：SAML assertions are used to enable identity federation and distributed systems.
SAML provides a model that allows two parties to share authentication information about one entity. The two parties are considered a Service Provider (SP) and an Identity Provider (IdP). The Identity Provider asserts information about the principal, such as whether the subject is authenticated or has certain attributes. The service provider uses the information provided by the identity provider to make access decisions about the services it provides, including whether to trust the identity provider’s assertions. By trusting the identity provider’s information, the service provider can provide services without requiring the principal to authenticate again. This framework enables federated identification and distributed authentication across domains.
A SAML assertion is information about a principal contained in a SAML response that is returned to the service provider after authentication has been processed by the identity provider.
×：Two SAML assertions (authentication and authorization) are used to indicate that an authority by SAML has validated a particular subject.
The Identity Provider will not return two SAML assertions; one assertion will be returned per request.
×：The SAML binding specification describes how to embed SAML messages within the TCP and UDP protocols.
It is not classified in the sense of within the TCP and UDP protocols.
×：The SAML profile has a definition for issuing a refresh token.
Refresh tokens are a concept in the OAuth/OIDC family.
#11. Which functional table was the table based primarily on?
The functionality table identifies the access rights that a particular subject owns with respect to a particular object. Each subject is mapped for a function (capability) such as read or write perform. Therefore, the subject is the one that seems to fit in the choices.
Incorrect because the Object is bound to an Access Control List (ACL), not a functional component.
Product is incorrect because it is just an example to implement a subject, object, or feature table.
Application is incorrect because it is just a concrete example of an object.
#12. Audits are needed to maintain security. Among other things, we want to ensure that provisioning is done properly. Which of the following is not provisioning?
〇：Reviewing and evaluating against security documentation.
Provisioning refers to the management of account information. Reviewing documents is not part of provisioning. Therefore, the correct answer is: “Review and evaluate security documentation.” The answer will be
×：When an employee leaves the company, the account should be deactivated as soon as possible.
This is proper provisioning for users and account usage that belong to the organization.
×：Periodic review and adherence to the principle of least privilege.
This is appropriate provisioning for account access privileges.
×：Appropriate deletion of accounts that are no longer needed.
This is appropriate provisioning for the management of minimum account information.
#13. There are two main design philosophies for systems that implement access control: distributed or integrated. Which are the advantages of distributed access control?
〇：The ability to control access close to the resource.
Central access control has various advantages such as uniform rules and reduced operational burden. Distributed access control allows access control in close proximity to resources, thus protecting resources independently.
×：It should be possible to design a comprehensive
Distributed access control is not a comprehensive design because the authentication and authorization functions are distributed.
×：Relatively low cost.
Whether or not costs can be kept down cannot be determined by this design concept alone.
×：Logs from various devices make it easier to understand the current status.
Both central access control and distributed access control can acquire logs from various devices.
#14. Emily observes network traffic and retrieves passwords from them that are sent to the authentication server. She plans to use the passwords as part of a future attack. What type of attack is this?
Replay attacks occur when an intruder stores the acquired information and uses it to gain unauthorized access later. In this case, Emily uses a technique called electronic monitoring (sniffing) to retrieve passwords sent over the wire to an authentication server. She can later use the password to access network resources. Even if the password is encrypted, resending valid credentials can be enough to gain access.
×：Brute force attacks
Brute force attacks are incorrect because the cycle is done through many possible combinations of letters, numbers, and symbols, using tools to discover the password.
Dictionary attacks are incorrect because they involve an automatic comparison of a user’s password to a file of thousands of words.
×：Social Engineering attack
A social engineering attack is incorrect because in a social engineering attack, the attacker mistakenly convinces an individual that she has the necessary permissions to access certain resources.
#15. The importance of protecting audit logs generated by computers and network devices is being stressed more than ever before, as required by and as per many regulations today. Which of the following does not explain why audit logs should be protected?
〇：The format of the audit log is unknown and is not available to the intruder in the first place.
Audit tools are technical controls that track activity within a network, on a network device, or on a specific computer. Auditing is not activity that denies an entity access to a network or computer, but it tracks activity so that the security administrator can understand the type of access made, identify security violations, or alert the administrator of suspicious activity. This information points out weaknesses in other technical controls and helps the administrator understand where changes need to be made to maintain the required level of security within the environment. Intruders can also use this information to exploit these weaknesses. Therefore, audit logs should be protected by controls on privileges, permissions, and integrity, such as hashing algorithms. However, the format of system logs is generally standardized for all similar systems. Hiding the log format is not a normal measure and is not a reason to protect audit log files.
×：If not properly protected, audit logs may not be admissible during prosecution.
This is incorrect because great care must be taken to protect audit logs in order for them to be admissible in court. Audit trails can be used to provide alerts about suspicious activity that can be investigated later. In addition, it is useful in determining exactly how far away the attack took place and the extent of any damage that may have occurred. It is important to ensure that a proper chain of custody is maintained so that all data collected can be properly and accurately represented in case it needs to be used in later events such as criminal proceedings or investigations.
×：Because audit logs contain sensitive data, only a specific subset of users should have access to them.
This is incorrect because only administrators and security personnel need to be able to view, modify, and delete audit trail information. Others cannot see this data and can rarely change or delete it. The use of digital signatures, message digest tools, and strong access controls can help ensure the integrity of the data. Its confidentiality can be protected with encryption and access control as needed, and it can be stored on write-once media to prevent data loss or tampering. Unauthorized access attempts to audit logs should be captured and reported.
×：Intruders may attempt to scrub logs to hide their activities.
If an intruder breaks into your home, do your best to leave no fingerprints or clues that can be used to link them to criminal activity. The same is true for computer fraud and illegal activity. Attackers often delete audit logs that hold this identifying information. In the text, deleting is described as scrubbing. Deleting this information may alert administrators to an alert or perceived security breach and prevent valuable data from being destroyed. Therefore, audit logs should be protected by strict access controls.
#16. Which authentication types are PINs, passwords, and passphrases?
#17. Jill has established a company-wide sales program that requires user groups with different privileges in accessing information on a centralized database. What database should the security manager secure?
〇：Increasing database security controls and providing more granularity.
The best approach to protecting the database in this situation would be to increase controls and assign detailed permissions. These measures would ensure that users cannot abuse their permissions and that the confidentiality of the information is maintained. The granularity of permissions would give network administrators and security professionals additional control over the resources they are charged with protecting, and the granular level would allow them to give individuals just the exact level of access they need.
×：Implement an access control where each user’s privileges are displayed each time they access the database.
Implementing an access control that displays each user’s permissions is incorrect because they are an example of one control each time they access the database. This is not the overall way of dealing with user access to a database full of information. This may be an example of better database security control, but it needs to be limited to the right places.
×：Change the classification label of the database to a higher security status.
The classification level of the information in the database should previously be determined based on its level of confidentiality, integrity, and availability. This option implies that a higher level of authorization should be given, but there is no indication in the question text that the security level is inappropriate.
×：Reduce security. Allow all users to access information as needed.
The answer to reduce security is incorrect.
#18. SElinux is set up. Which access control will be followed?
〇：Mandatory Access Control (MAC)
Mandatory Access Control (MAC) is an access control that enforces access privileges by pre-classifying resources into levels. There are several types of access rights to data files. There are several types of access rights to data files: the user of the data file, the owner who creates the data file, and the administrator who decides which owner can create the data. SELinux, TOMOYO Linux, Trusted BSD, and Trusted Solaris are methods used by MACs.
×：Discretionary Access Control (DAC)
Discretionary Access Control (DAC) is an access control method that allows the owner of an access target to change access privileges.
×：Role Access Control (RAC)
There is no such term. A close equivalent is role-based access control, which divides accounts by role and applies access control to those roles.
×：Voluntary Access Control (VAC)
There is no such term.
#19. Which of the following is the best way to reduce brute force attacks that allow intruders to reveal user passwords?
〇：Lock out the account for a certain period of time after reaching the clipping level.
Brute force attack is an attack that continuously tries different inputs to achieve a predefined goal that can then be used to qualify for unauthorized access. A brute force attack to discover the password means that the intruder is trying all possible sequences of characters to reveal the correct password. This proves to be a good countermeasure if the account will be disabled (or locked out) after this type of attack attempt is made.
×：Increase the clipping level.
Clipping levels are wrong because they need to be implemented to establish a baseline of user activity and acceptable error. Entities attempting to log into an account after the clipping level is met should be locked out. A high clipping level gives the attacker more attempts during a warning or lockout. Lowering the clipping level is a good countermeasure.
×：After the threshold for failed login attempts is met, the administrator should physically lock out the account.
This is incorrect because it is impractical to have an administrator physically lock out an account. This type of activity can easily be taken care of through automated software mechanisms. Accounts should be automatically locked out for a certain amount of time after a threshold of failed login attempts is met.
×：Encrypt password files and choose a weaker algorithm.
Encrypting passwords and/or password files and using a weaker algorithm is incorrect as it increases the likelihood of a successful brute force attack.
#20. Which of the following are effective measures against rainbow tables?
A rainbow table is a pre-built list of ciphertexts that match plaintext and have hashes that match passwords. The table can contain millions of pairs. Salting is random data used as additional input to a one-way function that “hashes” a password or passphrase. The primary function of a salting is to protect against dictionary or compiled rainbow table attacks.
×：Login Attempt Restrictions
Effective against all unauthorized login methods, but not a direct or effective countermeasure against rainbow tables.
Replacing passwords with longer, random strings for encryption purposes.
Password hashing is a fixed-length cipher (hash) statement for secure password storage.