Practice Test(DOMAIN5)

Domain 5 Exam.

A minimum of 70% is required to pass.



There may be content you haven’t seen yet.

#1. An attacker used a brute force attack to break my password. How did you know it was a brute force attack?

Brute force can be used to decrypt the plaintext, given enough time. This is valid for all key-based ciphers except one-time pads. Eventually the data will be decrypted, but so many false positives will occur that the data will be rendered useless.

#2. SElinux is set up. Which access control will be followed?

〇:Mandatory Access Control (MAC)

Mandatory Access Control (MAC) is an access control that enforces access privileges by pre-classifying resources into levels. There are several types of access rights to data files. There are several types of access rights to data files: the user of the data file, the owner who creates the data file, and the administrator who decides which owner can create the data. SELinux, TOMOYO Linux, Trusted BSD, and Trusted Solaris are methods used by MACs.


×:Discretionary Access Control (DAC)

Discretionary Access Control (DAC) is an access control method that allows the owner of an access target to change access privileges.


×:Role Access Control (RAC)

There is no such term. A close equivalent is role-based access control, which divides accounts by role and applies access control to those roles.


×:Voluntary Access Control (VAC)

There is no such term.

#3. Which access control defines clearance and object labels for a subject?

MAC (mandatory access control) is often used when confidentiality is of utmost importance. Access to objects is determined by labels and clearances. It is often used in organizations where confidentiality is very important, such as the military.

#4. Which password management method would decrease help desk call volume and facilitate access to multiple resources in the event of a password compromise?

〇:Password synchronization between different systems

Password synchronization is designed to reduce the complexity of maintaining different passwords for different systems. Password synchronization technology allows a single password to be maintained across multiple systems by transparently synchronizing passwords to other systems in real time. This reduces help desk call volume. However, one of the disadvantages of this approach is that only one password is used to access different resources. This means that a hacker only needs to figure out one set of credentials to gain unauthorized access to all resources. Therefore, the correct answer is “password synchronization between different systems”.


×:Password reset by administrator query

This does not reduce the amount of help desk support because the end user must contact the administrator.


×:End-user manual password reset by self-service

This is the so-called “self-service” password reset, in which end users change their passwords themselves from their profile pages.

This is the most practical way to reduce the amount of helpdesk support, but it does not meet the requirement of easy access to multiple resources in case of a password compromise.


×:Password reset by inquiry

This does not reduce the amount of helpdesk support because it requires the end user to contact the administrator. An inquiry is an inquiry whether or not an administrator is attached.

#5. In United States, federal agencies must comply with the Federal Information Processing Standard 201-2 to ensure which of the following?

〇:That the identity of the public official has been properly verified.

FIPS 201-2 establishes U.S. government standards for personal identity verification (PIV) and gives various requirements for assurance. Access to restricted information by government employees and contracting agents depends on their level of clearance and need to know it, but first the government must assure the individual that they are who they say they are.


×:That government employees are properly cleared for the work to which they are assigned.

Government employees must be properly cleared for the information to which they have been granted access, and therefore true identification must be available for review and verification prior to such access.


×:Government employees are only allowed access to data at their clearance level.

This is wrong because government employees only need to get acquainted and have access to the information they need to access. But again, this must be based on a clear level of assurance that the clearance they possess is valid.


×:That the data to which public officials have access is properly classified.

This is incorrect because the classification of data is not directly related to the validation of personal information.

#6. If you use one-time passwords, which authentication type are you referring to?

Disposable passwords and one-time pads are passwords but generated from something you own, not something you know. In other words, possession.

#7. Which authentication types are PINs, passwords, and passphrases?

Type 1 authentication treats what you know as credentials. This is accomplished through passwords, passphrases, PINs, etc., and is also referred to as the knowledge factor.

#8. If you set a password with the string “password”, what kind of threats will you be the target of?

〇:Dictionary attack

There is a limit to the complexity that humans can remember. Consciously, we treat words and character strings we already know as passwords. To address such vulnerabilities, the act of cracking passwords by guessing passwords based on existing words or character strings is called a dictionary attack.


×:Typical Sentence attack

There is no such attack named as such yet.


×:Brute force attack

Brute force is an unauthorized login in which the user tries to guess a password at random.


×:Birthday attack

A birthday attack is an efficient method of unauthorized login by taking advantage of encryption collisions heightened by at least one overlapping probability theory.

#9. SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between systems on different security domains. SAML allows for the sharing of authentication information, such as how the authentication was performed, the attributes of an entity, and the permissions to which the entity has access. Which of the following definitions is associated with the correct SAML component?

〇:SAML assertions are used to enable identity federation and distributed systems.

SAML provides a model that allows two parties to share authentication information about one entity. The two parties are considered a Service Provider (SP) and an Identity Provider (IdP). The Identity Provider asserts information about the principal, such as whether the subject is authenticated or has certain attributes. The service provider uses the information provided by the identity provider to make access decisions about the services it provides, including whether to trust the identity provider’s assertions. By trusting the identity provider’s information, the service provider can provide services without requiring the principal to authenticate again. This framework enables federated identification and distributed authentication across domains.

A SAML assertion is information about a principal contained in a SAML response that is returned to the service provider after authentication has been processed by the identity provider.


×:Two SAML assertions (authentication and authorization) are used to indicate that an authority by SAML has validated a particular subject.

The Identity Provider will not return two SAML assertions; one assertion will be returned per request.


×:The SAML binding specification describes how to embed SAML messages within the TCP and UDP protocols.

It is not classified in the sense of within the TCP and UDP protocols.


×:The SAML profile has a definition for issuing a refresh token.

Refresh tokens are a concept in the OAuth/OIDC family.

#10. Jill has established a company-wide sales program that requires user groups with different privileges in accessing information on a centralized database. What database should the security manager secure?

〇:Increasing database security controls and providing more granularity.

The best approach to protecting the database in this situation would be to increase controls and assign detailed permissions. These measures would ensure that users cannot abuse their permissions and that the confidentiality of the information is maintained. The granularity of permissions would give network administrators and security professionals additional control over the resources they are charged with protecting, and the granular level would allow them to give individuals just the exact level of access they need.


×:Implement an access control where each user’s privileges are displayed each time they access the database.

Implementing an access control that displays each user’s permissions is incorrect because they are an example of one control each time they access the database. This is not the overall way of dealing with user access to a database full of information. This may be an example of better database security control, but it needs to be limited to the right places.


×:Change the classification label of the database to a higher security status.

The classification level of the information in the database should previously be determined based on its level of confidentiality, integrity, and availability. This option implies that a higher level of authorization should be given, but there is no indication in the question text that the security level is inappropriate.


×:Reduce security. Allow all users to access information as needed.

The answer to reduce security is incorrect.

#11. The importance of protecting audit logs generated by computers and network devices is being stressed more than ever before, as required by and as per many regulations today. Which of the following does not explain why audit logs should be protected?

〇:The format of the audit log is unknown and is not available to the intruder in the first place.

Audit tools are technical controls that track activity within a network, on a network device, or on a specific computer. Auditing is not activity that denies an entity access to a network or computer, but it tracks activity so that the security administrator can understand the type of access made, identify security violations, or alert the administrator of suspicious activity. This information points out weaknesses in other technical controls and helps the administrator understand where changes need to be made to maintain the required level of security within the environment. Intruders can also use this information to exploit these weaknesses. Therefore, audit logs should be protected by controls on privileges, permissions, and integrity, such as hashing algorithms. However, the format of system logs is generally standardized for all similar systems. Hiding the log format is not a normal measure and is not a reason to protect audit log files.


×:If not properly protected, audit logs may not be admissible during prosecution.

This is incorrect because great care must be taken to protect audit logs in order for them to be admissible in court. Audit trails can be used to provide alerts about suspicious activity that can be investigated later. In addition, it is useful in determining exactly how far away the attack took place and the extent of any damage that may have occurred. It is important to ensure that a proper chain of custody is maintained so that all data collected can be properly and accurately represented in case it needs to be used in later events such as criminal proceedings or investigations.


×:Because audit logs contain sensitive data, only a specific subset of users should have access to them.

This is incorrect because only administrators and security personnel need to be able to view, modify, and delete audit trail information. Others cannot see this data and can rarely change or delete it. The use of digital signatures, message digest tools, and strong access controls can help ensure the integrity of the data. Its confidentiality can be protected with encryption and access control as needed, and it can be stored on write-once media to prevent data loss or tampering. Unauthorized access attempts to audit logs should be captured and reported.


×:Intruders may attempt to scrub logs to hide their activities.

If an intruder breaks into your home, do your best to leave no fingerprints or clues that can be used to link them to criminal activity. The same is true for computer fraud and illegal activity. Attackers often delete audit logs that hold this identifying information. In the text, deleting is described as scrubbing. Deleting this information may alert administrators to an alert or perceived security breach and prevent valuable data from being destroyed. Therefore, audit logs should be protected by strict access controls.

#12. Which of the following is a centralized access control protocol?


Diameter is an authentication, authorization, and audit (AAA) protocol that not only provides the same kind of functionality as RADIUS and TACACS, but also offers more flexibility and capabilities to meet the emerging demands of today’s complex and diverse networks. Once all remote communication is done via Point-to-Point Protocol (PPP) and Serial Line Internet Protocol (SLIP) connections, users can authenticate themselves via Password Authentication Protocol (PAP) or Challenge Handshake Authentication Protocol (CHAP) to authenticated. The technology has become much more complex and there are multiple devices and protocols to choose from over the ever increasing Diameter protocol, Mobile IP, PPP, Voice over IP (VoIP), and other over Ethernet, wireless devices, smart phones, and other devices can authenticate themselves to the network using roaming protocols.



Watchdog timers are wrong because such processes are generally used to detect software failures such as abnormal termination or hangs. The watchdog function sends out “heartbeat” packets to determine if the service is responding. If not, the process can be terminated or reset. These packets help prevent software deadlocks, infinite loops, and process prioritization problems. This feature can be used in the AAA protocol to determine if a packet needs to be retransmitted and if a problem occurs and the connection should be closed and reopened, but it is not in the access control protocol itself.



Remote Authentication Dial-In User Service (RADIUS) is wrong because it is a network protocol and provides client/server authentication, authorization, and auditing for remote users.



Terminal Access Controller Access Control System Plus (TACACS ) is incorrect because it provides essentially the same functionality as RADIUS.

#13. Formac is considering a design that requires users to authenticate properly when developing mobile apps. which of the following is not two-factor authentication and does not provide enhanced security?

〇:Password authentication and secret questions

Passwords are a memory-based authentication method. The secret question is also a memory-based authentication method, and is not a combination of two-factor authentication methods. Therefore, the correct answer is “password authentication and secret question.


×:Password authentication and fingerprint authentication

It is memory authentication information x body authentication information. This is a multi-factor authentication.


×:Password authentication and one-time password authentication using a token machine.

This is memory authentication information x possession authentication information. This is a multi-factor authentication.


×:Password authentication and IC card authentication

This is memory authentication information × possession authentication information. This is a multi-factor authentication.

#14. Hannah is assigned the task of installing Web Access Management (WAM) software. What is an appropriate description of the environment in which WAM is typically used?

Web access management (WAM) software controls what users can access when interacting with Web-based corporate assets using a Web browser. This type of technology is continually becoming more robust and experiencing increased deployment. This is due to the increased use of e-commerce, online banking, content delivery, and Web services. The basic components and activities of the Web access control management process are

  • The user submits credentials to the web server.
  • The web server requests the WAM platform to authenticate the user. WAM authenticates to the LDAP directory and obtains credentials from the policy database.
  • The user requests access to a resource (object).
  • The web server verifies that object access is allowed and grants access to the requested resource.

When the complicated term WAM is mentioned, the journey begins to search for a definition of WAM that may be at the end of one’s brain. But as these thoughts begin, you will want the hard answers, like the X.500 database. But if you don’t know, it is straightforward to interpret and answer to the best of your understanding; if you interpret WAM as software that controls access to a Web server, then the question is, “Which is the correct definition of WAM?” Rather than “What do you think software that controls access to a web server does?” rather than “What do you think software that controls access to a web server does? However, it is still tempting to factor in the possibility that WAM is a solution that uses a specific technology that may be unfamiliar to you.

#15. Which technology can generate time-based one-time passwords?

〇:Time-Based Synchronous Dynamic Token

A synchronous token device synchronizes with the authentication service using time or a counter as a core part of the authentication process. When synchronization is time-based, the token device and authentication service must maintain the same time within their internal clocks. The time values of the token device and private key are used to generate a one-time password that is displayed to the user. The user then passes this value and user ID to the server running the authentication service and enters this value and user ID into the computer. The authentication service decrypts this value and compares it to the expected value. If both match, the user is authenticated and allowed to use the computer and resources.


×:Counter-Based Synchronous Dynamic Token

If the token device and authentication service use counter synchronization, it is incorrect because it is not based on time. When using a counter-synchronized token device, the user must initiate the creation of a one-time password by pressing a button on the token device. This causes the token device and authentication service to proceed to the next authentication value. This value, the base secret, is hashed and displayed to the user. The user enters this resulting value along with the user ID to be authenticated. For either time or counter-based synchronization, the token device and authentication service must share the same secret base key used for encryption and decryption.


×:Asynchronous Tokens

Asynchronous token generation methods are incorrect because they use a challenge/response method for the token device to authenticate the user. Instead of using synchronization, this technique does not use separate steps in the authentication process.


×:Mandatory Tokens

Wrong because there is no such thing as a mandatory token. This is an incorrect answer.

#16. Which of the following are effective measures against rainbow tables?


A rainbow table is a pre-built list of ciphertexts that match plaintext and have hashes that match passwords. The table can contain millions of pairs. Salting is random data used as additional input to a one-way function that “hashes” a password or passphrase. The primary function of a salting is to protect against dictionary or compiled rainbow table attacks.


×:Login Attempt Restrictions

Effective against all unauthorized login methods, but not a direct or effective countermeasure against rainbow tables.


×:Key stretching

Replacing passwords with longer, random strings for encryption purposes.



Password hashing is a fixed-length cipher (hash) statement for secure password storage.

#17. Audits are needed to maintain security. Among other things, we want to ensure that provisioning is done properly. Which of the following is not provisioning?

〇:Reviewing and evaluating against security documentation.

Provisioning refers to the management of account information. Reviewing documents is not part of provisioning. Therefore, the correct answer is: “Review and evaluate security documentation.” The answer will be


×:When an employee leaves the company, the account should be deactivated as soon as possible.

This is proper provisioning for users and account usage that belong to the organization.


×:Periodic review and adherence to the principle of least privilege.

This is appropriate provisioning for account access privileges.


×:Appropriate deletion of accounts that are no longer needed.

This is appropriate provisioning for the management of minimum account information.

#18. Which of the following is the best way to reduce brute force attacks that allow intruders to reveal user passwords?

〇:Lock out the account for a certain period of time after reaching the clipping level.

Brute force attack is an attack that continuously tries different inputs to achieve a predefined goal that can then be used to qualify for unauthorized access. A brute force attack to discover the password means that the intruder is trying all possible sequences of characters to reveal the correct password. This proves to be a good countermeasure if the account will be disabled (or locked out) after this type of attack attempt is made.


×:Increase the clipping level.

Clipping levels are wrong because they need to be implemented to establish a baseline of user activity and acceptable error. Entities attempting to log into an account after the clipping level is met should be locked out. A high clipping level gives the attacker more attempts during a warning or lockout. Lowering the clipping level is a good countermeasure.


×:After the threshold for failed login attempts is met, the administrator should physically lock out the account.

This is incorrect because it is impractical to have an administrator physically lock out an account. This type of activity can easily be taken care of through automated software mechanisms. Accounts should be automatically locked out for a certain amount of time after a threshold of failed login attempts is met.


×:Encrypt password files and choose a weaker algorithm.

Encrypting passwords and/or password files and using a weaker algorithm is incorrect as it increases the likelihood of a successful brute force attack.

#19. There are two main design philosophies for systems that implement access control: distributed or integrated. Which are the advantages of distributed access control?

〇:The ability to control access close to the resource.

Central access control has various advantages such as uniform rules and reduced operational burden. Distributed access control allows access control in close proximity to resources, thus protecting resources independently.


×:It should be possible to design a comprehensive

Distributed access control is not a comprehensive design because the authentication and authorization functions are distributed.


×:Relatively low cost.

Whether or not costs can be kept down cannot be determined by this design concept alone.


×:Logs from various devices make it easier to understand the current status.

Both central access control and distributed access control can acquire logs from various devices.

#20. Is it an identity management technology that can be used across business boundaries?

〇:Federation Identity

A federation identity is a portable identity and associated credentials that can be used across business boundaries. It allows users to authenticate across multiple IT systems and across the enterprise. Federation Identity is based on linking otherwise distinct identities of users in two or more locations without the need to synchronize or consolidate directory information. Federated Identity is an important component of e-commerce, providing businesses and consumers with a more convenient way to access distributed resources.


×:User Provisioning

User provisioning is incorrect because it refers to the creation, maintenance, and deactivation of user objects and attributes.



While most companies have some type of directory that contains information about company network resources and users, generally these directories are not utilized as spread across different companies. It is true that nowadays, with open APIs and cloud computing, there is a trend to deploy services through a single directory, but the directory service itself does not include resource sharing implications. In other words, it is just used as a shared service.


×:Web Access Management

Web Access Management (WAM) software is incorrect because it controls what users can access when using a Web browser to interact with Web-based corporate assets.