CISSP Domain 5: Questions & Answers: A+ Score Guide

Type: Exam (elaborations)
Pages: 7
Grade: A+
Uploaded on: 30-11-2024
Written in: 2024/2025
CISSP Domain 5: Questions & Answers: A+ Score Guide
In our access control implementations, keeping the IAAA model in mind, which of these could we use for authorization?
ANSWER: We use access control models to determine what a subject is allowed to access. This could be with RBAC (Role Based Access Control).

Jane is tasked with looking at federated identity management (FIdM). Which of these would she NOT consider?
ANSWER: RFID (Radio Frequency Identification) is used for a variety of things, including smart cards, and not for federated identity management (FIdM).

If we are using Active Directory (AD) for our Role Based Access Control (RBAC) authentication, we would innately use which authentication protocol?
ANSWER: AD uses LDAP (Lightweight Directory Access Protocol) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Which type of authentication will ask the user for something they have?
ANSWER: Something you have - Type 2 Authentication: ID, passport, smart card, token, cookie on PC; these are called possession factors.

We are using Kerberos. What does the client send to the Authentication Server (AS)?
ANSWER: The client sends a cleartext user ID to the AS (Authentication Server) requesting services on behalf of the user.

Bob is working on designing new access controls across our organization. Which documentation should he reference to know how and what to implement?
ANSWER: Our access control is determined by our policies, procedures, and standards. These outline how we grant access, to whom, and to what: we use least privilege and need to know, and we give our staff and systems exactly the access they need and no more.

Which of these is NOT a downside to enforcing software tokens on phones for multifactor authentication?
ANSWER: User friendly. Software tokens on phones are easy and user friendly, but they also come with some challenges. What can a user do if they lose the phone, if their SIM card is cloned, if the phone is not charged, ...

Which of these countermeasures would be the LEAST effective against brute force attacks?
ANSWER: Salting. Salting is adding random characters to passwords before hashing; it does nothing against brute force attacks.

Jane is looking at the Kerberos implementation we have in place and is working on the Key Distribution Center (KDC). Which of these is part of the KDC?
ANSWER: The KDC (Key Distribution Center) consists of the AS (Authentication Server) and the TGS (Ticket Granting Server).

Diameter was designed to replace RADIUS, but the change never happened. Where is Diameter COMMONLY used now?
ANSWER: Diameter is largely used in the 3G/4G space; RADIUS is used elsewhere. It was intended as a replacement for RADIUS, but the use cases changed and both now have different uses.

Jane has a project looking at possible Federated Identity Management (FIDM) implementations at our organization. Which of these would she NOT consider?
ANSWER: LDAP (Lightweight Directory Access Protocol) is used for accessing and maintaining distributed directory information services over an IP network, and not for FIDM (Federated Identity Management).

In a security audit, we are looking at the authentication protocols we use. Which of these uses a key distribution center?
ANSWER: Kerberos: an authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to each other in a secure manner.

If we are using magnetic stripe ID cards and we want to add additional security measures, which of these could we implement for visual inspection that would be the MOST secure?
ANSWER: Embedded holograms on IDs are much harder to replicate than pictures and other things that can be printed on the card. We would never have Protected Health Information (PHI) on an ID card.

Which type of access control could we use to limit access outside of regular work hours?
ANSWER: Context-based access control: access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, and access history.

We have had a security breach. We have already reissued Type 1 and Type 2 authentication factors to our users. How would we reissue a new Type 3 authentication factor to them?
ANSWER: With biometrics we can't reissue authentication factors. You have the same fingerprints. If compromised, nothing can be done other than to stop using them.

When we look at using Type 3 authentication, we would talk about all these terms EXCEPT which?
ANSWER: Something you are - Type 3 Authentication (Biometrics). The error terms used for biometric authentication are FRR (False Rejection Rate), FAR (False Acceptance Rate) and CER (Crossover Error Rate).

We have been using Kerberos for some years. Bob is explaining the traffic flow to a new colleague. What does the client send to the TGS?
ANSWER: When requesting services, the client sends the following messages to the TGS: #1 the TGT and the ID of the requested service; #2 an authenticator (composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key.

John is not allowed to access the organization's network from anywhere but his home and his desk at work. He just went on vacation and tried to log in. His access request was denied. This is a type of what?
ANSWER: Context-based access control: