Title: (ISC)2 CISSP Certified Information Systems Security Professional Official Practice Tests
Author: Mike Chapple
Publisher: John Wiley & Sons Limited
Genre: Foreign computer literature
ISBN: 9781119787648
21. Mandatory access control is based on what type of model?
A. Discretionary
B. Group-based
C. Lattice-based
D. Rule-based
22. Greg wants to control access to iPads used throughout his organization as point-of-sale terminals. Which of the following methods should he use to allow logical access control for the devices in a shared environment?
A. Use a shared PIN for all point-of-sale terminals to make them easier to use.
B. Use OAuth to allow cloud logins for each user.
C. Issue a unique PIN to each user for the iPad they are issued.
D. Use Active Directory and user accounts for logins to the iPads using the AD userID and password.
23. What is the best way to provide accountability for the use of identities?
A. Logging
B. Authorization
C. Digital signatures
D. Type 1 authentication
24. Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?
A. Re-provisioning
B. Account review
C. Privilege creep
D. Account revocation
25. Biba is what type of access control model?
A. MAC
B. DAC
C. Role BAC
D. ABAC
26. Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
A. Kerberos
B. EAP
C. RADIUS
D. OAuth
27. Henry is working with a web application development team on their authentication and authorization process for his company's new application. The team wants to make session IDs as secure as possible. Which of the following is not a best practice that Henry should recommend?
A. The session ID token should be predictable.
B. The session ID should have at least 64 bits of entropy.
C. The session length should be at least 128 bits.
D. The session ID should be meaningless.
28. Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor, and what traffic will she be able to read?
A. UDP, none. All RADIUS traffic is encrypted.
B. TCP, all traffic but the passwords, which are encrypted.
C. UDP, all traffic but the passwords, which are encrypted.
D. TCP, none. All RADIUS traffic is encrypted.
29. What type of access control best describes NAC's posture assessment capability?
A. A mandatory access control
B. A risk-based access control
C. A discretionary access control
D. A role-based access control
30. When an application or system allows a logged-in user to perform specific actions, it is an example of what?
A. Roles
B. Group management
C. Logins
D. Authorization
31. Alex has been employed by his company for more than a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications because of his former roles. What issue has Alex's company encountered?
A. Excessive provisioning
B. Unauthorized access
C. Privilege creep
D. Account review
32. Geoff wants to prevent privilege escalation attacks in his organization. Which of the following practices is most likely to prevent horizontal privilege escalation?
A. Multifactor authentication
B. Limiting permissions for groups and accounts
C. Disabling unused ports and services
D. Sanitizing user inputs to applications
33. Jim's Microsoft Exchange environment includes servers that are located in local data centers at multiple business offices around the world as well as an Office 365 deployment for employees who are not located at one of those offices. Identities are created and used in both environments and will work in both. What type of federated system is Jim running?
A. A primary cloud system
B. A primary on-premise system
C. A hybrid system
D. A multitenant system
34. What type of access control scheme is shown in the following table?

Highly Sensitive | Red    | Blue   | Green
Confidential     | Purple | Orange | Yellow
Internal Use     | Black  | Gray   | White
Public           | Clear  | Clear  | Clear

A. RBAC
B. DAC
C. MAC
D. TBAC
35. Michelle's company is creating a new division by splitting the marketing and communications departments into two separate groups. She wants to create roles that provide access to resources used by each group. What should she do to maintain the appropriate security and rights for each group?
A. Put both the marketing and communications teams into the existing group because they will have similar access requirements.
B. Keep the marketing team in the existing group and create a new communications group based on their specific needs.
C. Keep the communications team in the existing group and create a new marketing group based on their specific needs.
D. Create two new groups, assess which rights they need to perform their roles, and then add additional rights if required.
36. When a subject claims an identity, what process is occurring?
A. Login
B. Identification
C. Authorization
D. Token presentation
37. Dogs, guards, and fences are all common examples of what type of control?
A. Detective
B. Recovery
C. Administrative
D. Physical
38. Susan's organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute-force attacks?
A. Change maximum age from 1 year to 180 days.
B. Increase the minimum password length from 8 characters to 16 characters.
C. Increase the password complexity so that at least three character classes (such as uppercase, lowercase, numbers, and symbols) are required.
D. Retain a password history of at least four passwords to prevent reuse.
39. Alaina is performing a regularly scheduled review for service accounts. Which of the following events should she be most concerned about?
A. An interactive login for the service account
B. A password change for the service account
C. Limitations placed on the service account's rights
D. Local use of the service account
40. When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?
A. When security is more important than usability
B. When false rejection is not a concern due to data quality
C. When the CER of the system is not known
D. When the CER of the system is very high
41. After recent reports of undesired access to workstations after hours, Derek has been asked to find a way to ensure that maintenance staff cannot log in to workstations in business offices. The maintenance staff members do have systems in their break rooms and their offices for the organization, which they still need access to. What should Derek do to meet this need?
A. Require multifactor authentication and only allow office staff to have multifactor tokens.
B. Use rule-based access control to prevent logins after hours in the business area.
C. Use role-based access control by setting up a group that contains all maintenance staff and then give that group rights to log into only the designated workstations.
D. Use geofencing to only allow logins in maintenance areas.
42. Nick wants to do session management for his web application. Which of the following are common web application session management techniques or methods? (Select all that apply.)
A. IP tracking
B. Cookies
C. URL rewriting
D. TLS tokens

For questions 43–45, please use your knowledge of SAML integrations and security architecture design and refer to the following scenario and diagram:

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization.
43. Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks?
A. Use SAML's secure mode to provide secure authentication.
B. Implement TLS using a strong cipher suite, which will protect against both types of attacks.
C. Implement TLS using a strong cipher suite and use digital signatures.
D. Implement TLS using a strong cipher suite and message hashing.
44. If Alex's organization is one that is primarily made up of off-site, traveling users, what availability risk does integration of critical business applications to on-site authentication create, and how could he solve it?
A. Third-party integration may not