Mike Chapple

(ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests



to create roles that provide access to resources used by each group. What should she do to maintain the appropriate security and rights for each group?
   A. Put both the marketing and communications teams into the existing group because they will have similar access requirements.
   B. Keep the marketing team in the existing group and create a new communications group based on their specific needs.
   C. Keep the communications team in the existing group and create a new marketing group based on their specific needs.
   D. Create two new groups, assess which rights they need to perform their roles, and then add additional rights if required.

36 When a subject claims an identity, what process is occurring?
   A. Login
   B. Identification
   C. Authorization
   D. Token presentation

37 Dogs, guards, and fences are all common examples of what type of control?
   A. Detective
   B. Recovery
   C. Administrative
   D. Physical

38 Susan's organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute-force attacks?
   A. Change maximum age from 1 year to 180 days.
   B. Increase the minimum password length from 8 characters to 16 characters.
   C. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.
   D. Retain a password history of at least four passwords to prevent reuse.

39 Alaina is performing a regularly scheduled review for service accounts. Which of the following events should she be most concerned about?
   A. An interactive login for the service account
   B. A password change for the service account
   C. Limitations placed on the service account's rights
   D. Local use of the service account

40 When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?
   A. When security is more important than usability
   B. When false rejection is not a concern due to data quality
   C. When the CER of the system is not known
   D. When the CER of the system is very high

41 After recent reports of undesired access to workstations after hours, Derek has been asked to find a way to ensure that maintenance staff cannot log in to workstations in business offices. The maintenance staff members do have systems in their break rooms and their offices for the organization, which they still need access to. What should Derek do to meet this need?
   A. Require multifactor authentication and only allow office staff to have multifactor tokens.
   B. Use rule-based access control to prevent logins after hours in the business area.
   C. Use role-based access control by setting up a group that contains all maintenance staff and then give that group rights to log into only the designated workstations.
   D. Use geofencing to only allow logins in maintenance areas.

42 Nick wants to do session management for his web application. Which of the following are common web application session management techniques or methods? (Select all that apply.)
   A. IP tracking
   B. Cookies
   C. URL rewriting
   D. TLS tokens

For questions 43–45, please use your knowledge of SAML integrations and security architecture design and refer to the following scenario and diagram:

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization.

43 Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks?
   A. Use SAML's secure mode to provide secure authentication.
   B. Implement TLS using a strong cipher suite, which will protect against both types of attacks.
   C. Implement TLS using a strong cipher suite and use digital signatures.
   D. Implement TLS using a strong cipher suite and message hashing.

44 If Alex's organization is one that is primarily made up of off-site, traveling users, what availability risk does integration of critical business applications to on-site authentication create, and how could he solve it?
   A. Third-party integration may not be trustworthy; use SSL and digital signatures.
   B. If the home organization is offline, traveling users won't be able to access third-party applications; implement a hybrid cloud/local authentication system.
   C. Local users may not be properly redirected to the third-party services; implement a local gateway.
   D. Browsers may not properly redirect; use host files to ensure that issues with redirects are resolved.

45 What solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagram?
   A. An awareness campaign about trusted third parties
   B. TLS
   C. Handling redirects at the local site
   D. Implementing an IPS to capture SSO redirect attacks

46 Susan has been asked to recommend whether her organization should use a MAC scheme or a DAC scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
   A. MAC, because it provides greater scalability and flexibility because you can simply add more labels as needed
   B. DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
   C. MAC, because compartmentalization is well suited to flexibility and adding compartments will allow it to scale well
   D. DAC, because a central decision process allows quick responses and will provide scalability by reducing the number of decisions required and flexibility by moving those decisions to a central authority

47 Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization's security policy is being followed?
   A. Log review
   B. Manual review of permissions
   C. Signature-based detection
   D. Review the audit trail

48 Jessica needs to send information about services she is provisioning to a third-party organization. What standards-based markup language should she choose to build the interface?
   A. SAML
   B. SOAP
   C. SPML
   D. XACML

49 During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?
   A. A brute-force attack
   B. A pass-the-hash attack
   C. A rainbow table attack
   D. A salt recovery attack

50 Google's identity integration with a variety of organizations and applications across domains is an example of which of the following?
   A. PKI
   B. Federation
   C. Single sign-on
   D. Provisioning

51 Amanda starts at her new job and finds that she has access to a variety of systems that she does not need to accomplish her job. What problem has she encountered?
   A. Privilege creep
   B. Rights collision
   C. Least privilege
   D. Excessive privileges

52 When Chris verifies an individual's identity and adds a unique identifier like a user ID to an identity system, what process has occurred?
   A. Identity proofing
   B. Registration
   C. Directory management
   D. Session management

53 Selah wants to provide accountability for actions performed via her organization's main line of business application. What controls are most frequently used to provide accountability in a situation like this? (Select all that apply.)
   A. Enable audit logging.
   B. Provide every staff member with a unique account and enable multifactor authentication.
   C. Enable time- and location-based login requirements.
   D. Provide every staff member with a unique account and require a self-selected password.

54 Charles wants to provide authorization services as part of his web application. What standard should he use if he wants to integrate easily with other web identity providers?
   A. OpenID
   B. TACACS+
   C. RADIUS
   D. OAuth

55 The company that Cameron works for uses a system that allows users to request privileged access to systems when necessary. Cameron requests access, and the request is pre-approved due to his role. He is then able to access the system to perform the task. Once he is done, the rights are removed. What type of system is he using?
   A. Zero trust
   B. Federated identity management
   C. Single sign-on
   D. Just-in-time access

56 Elle is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
   A. Require users to create unique questions that only they will know.
   B. Require new users to bring their driver's license or passport in person to the bank.
   C. Use information that both the bank and the user have, such as questions pulled from their credit report.
   D. Call the user on their registered phone number to verify that they are who they claim to be.

57 Susan's organization is part of a federation that allows users from multiple organizations to access resources and services at other federated sites. When Susan wants to use a service at a partner site, which identity provider is used?
   A. Susan's home organization's identity provider
   B. The service provider's identity provider
   C. Both their identity provider and the service provider's identity provider
   D. The service provider creates a new identity

58 A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint