CISSP Domain 5: Questions & Answers
In our access control implementations, keeping the IAAA model in mind, which of these could we use for authorization?(Ans- We use access control models to determine what a subject is allowed to access. This could be RBAC (Role Based Access Control).
Jane is tasked with looking at federated identity management (FIdM). Which of these would she NOT consider?(Ans- RFID (Radio Frequency Identification) is used for a variety of things, including smart cards, and is not federated identity management (FIdM).
If we are using Active Directory (AD) for our Role Based Access Control (RBAC) authentication, which authentication protocols would we natively be using?(Ans- AD uses LDAP (Lightweight Directory Access Protocol) versions 2 and 3, Microsoft's implementation of Kerberos, and DNS.
Which type of authentication will ask the user for something they have?(Ans- Something you have - Type 2 Authentication: ID, passport, smart card, token, cookie on a PC; these are called possession factors.
We are using Kerberos. What does the client send to the Authentication Server (AS)?(Ans- The client sends a cleartext user ID to the AS (Authentication Server) requesting services on behalf of the user.
Bob is working on designing new access controls across our organization. Which documentation should he reference to know how and what to implement?(Ans- Our access control is determined by our policies, procedures, and standards. These outline how we grant whom access to what: we use least privilege and need to know, and we give our staff and systems exactly the access they need and no more.
Which of these is NOT a downside to enforcing software tokens on phones for multifactor authentication?(Ans- User friendly. Software tokens on phones are easy and user friendly, but they also come with challenges: what can a user do if they lose the phone, if their SIM card is cloned, if the phone is not charged, ...
Which of these countermeasures would be the LEAST effective against brute force attacks?(Ans- Salting is adding random characters to passwords before hashing. It defeats precomputed (rainbow) tables and stops an attacker cracking many stored hashes with one pass of work, but it does nothing to reduce the number of guesses needed against a single hash, so it does nothing against brute force attacks. Countermeasures that do work are account lockout, rate limiting, a slow key derivation function, and multifactor authentication.
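The following is an added example, not part of the original question bank, showing what salting does and does not do. Two constructed users share the same weak password and the attacker has a tiny constructed wordlist; the attack functions and user names are assumptions made for the illustration only.

```python
"""Added illustration: salting stops precomputed-table and amortized cracking,
not per-hash brute force. Not from the original page."""
import hashlib
import os

# Constructed sample: two users who chose the same weak password, and a tiny
# attacker wordlist that happens to contain it.
PASSWORDS = {"alice": "summer2024", "bob": "summer2024"}
WORDLIST = ["password", "letmein", "summer2024", "qwerty"]


def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack_with_precomputed_table(hashes):
    """Rainbow-table style attack: hash the wordlist once, then one lookup per
    stored hash. Returns user -> recovered password (None if not found)."""
    table = {hash_unsalted(word): word for word in WORDLIST}
    return {user: table.get(h) for user, h in hashes.items()}


def crack_by_brute_force(records):
    """Per-user guessing against salted hashes. The work cannot be shared across
    users or precomputed, but a password that is in the wordlist still falls.
    records: user -> (salt, hash). Returns (user -> password, total guesses)."""
    found, guesses = {}, 0
    for user, (salt, h) in records.items():
        found[user] = None
        for word in WORDLIST:
            guesses += 1
            if hash_salted(word, salt) == h:
                found[user] = word
                break
    return found, guesses


def demo():
    """Store the constructed users both unsalted and salted, attack both ways."""
    unsalted = {u: hash_unsalted(p) for u, p in PASSWORDS.items()}
    salted = {}
    for user, password in PASSWORDS.items():
        salt = os.urandom(16)               # unique random salt per user
        salted[user] = (salt, hash_salted(password, salt))
    found, guesses = crack_by_brute_force(salted)
    return {
        # same password -> same unsalted hash: one lookup cracks both users
        "unsalted_identical": unsalted["alice"] == unsalted["bob"],
        "table_cracks_unsalted": crack_with_precomputed_table(unsalted),
        # salted hashes differ, so the precomputed table finds nothing
        "salted_identical": salted["alice"][1] == salted["bob"][1],
        "table_cracks_salted": crack_with_precomputed_table(
            {u: h for u, (_, h) in salted.items()}),
        # ...but guessing per user still succeeds; salting did not raise the cost
        "brute_force_cracks_salted": found,
        "brute_force_guesses": guesses,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The guess count is the point: with a salt the attacker needs three guesses per user instead of one table lookup per user, which is the amortization salting removes, yet the weak password is recovered either way. Replacing `hashlib.sha256` with a slow KDF such as `hashlib.pbkdf2_hmac` with a high iteration count is what makes each of those guesses expensive.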
Jane is looking at the Kerberos implementation we have in place and is working on the Key Distribution Center (KDC). Which of these is part of the KDC?(Ans- The KDC (Key Distribution Center) consists of the AS (Authentication Server) and the TGS (Ticket Granting Server).
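The two Kerberos questions above (what the client sends to the AS, and the AS plus TGS making up the KDC) are easier to follow with the exchange written out. The following is an added toy simulation, not code from the original page and not a Kerberos library: the cipher is a labelled toy (SHA-256 keystream plus HMAC) so the exchange runs offline, the realm salt, principal names and time limits are assumptions, and the service name `HTTP/web.example` is hypothetical.

```python
"""Toy Kerberos AS/TGS exchange, added for illustration (not a Kerberos library)."""
import hashlib
import hmac
import json
import os
import time

REALM_SALT = b"EXAMPLE.REALM"   # assumed; real Kerberos salts with principal and realm


def derive_key(password, salt=REALM_SALT):
    """Long-term key from a password. The AS stores this key; the password never crosses the wire."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _keystream(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(blocks))[:n]


def toy_encrypt(key, obj):
    """TOY authenticated encryption (keystream XOR + HMAC tag). Only so the exchange runs offline."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def toy_decrypt(key, blob):
    """Raises ValueError when the key is wrong or the blob was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Key Distribution Center: the AS (as_exchange) and the TGS (tgs_exchange) in one process."""

    def __init__(self, users, service_keys):
        self.user_keys = {u: derive_key(p) for u, p in users.items()}  # derived keys, not passwords
        self.tgs_key = os.urandom(32)          # the krbtgt key, known only to the KDC
        self.service_keys = service_keys       # each service shares a key with the KDC

    def as_exchange(self, as_req):
        """AS-REQ carries only the cleartext user ID. AS-REP: TGT (under the TGS key) and the
        session key (under the user's long-term key)."""
        user = as_req["user"]
        session_key, expiry = os.urandom(32).hex(), time.time() + 8 * 3600
        tgt = toy_encrypt(self.tgs_key, {"user": user, "session_key": session_key, "expiry": expiry})
        enc_part = toy_encrypt(self.user_keys[user], {"session_key": session_key, "expiry": expiry})
        return {"tgt": tgt, "enc_part": enc_part}

    def tgs_exchange(self, tgs_req):
        """TGS-REQ: TGT + authenticator under the session key. Checks expiry and freshness (anti-replay)."""
        tgt = toy_decrypt(self.tgs_key, tgs_req["tgt"])
        if tgt["expiry"] < time.time():
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(tgt["session_key"])
        auth = toy_decrypt(session_key, tgs_req["authenticator"])
        if auth["user"] != tgt["user"] or abs(time.time() - auth["timestamp"]) > 300:
            raise PermissionError("authenticator does not match TGT or is stale")
        svc_key = os.urandom(32).hex()
        ticket = toy_encrypt(self.service_keys[tgs_req["service"]], {"user": tgt["user"], "svc_key": svc_key})
        return {"ticket": ticket, "enc_part": toy_encrypt(session_key, {"svc_key": svc_key})}


def client_login(kdc, user, password):
    """A wrong password is detected only by failing to decrypt the AS-REP; the AS never sees it."""
    as_rep = kdc.as_exchange({"user": user})
    enc_part = toy_decrypt(derive_key(password), as_rep["enc_part"])
    return as_rep["tgt"], bytes.fromhex(enc_part["session_key"])


def client_get_service_ticket(kdc, user, tgt, session_key, service):
    authenticator = toy_encrypt(session_key, {"user": user, "timestamp": time.time()})
    tgs_rep = kdc.tgs_exchange({"tgt": tgt, "authenticator": authenticator, "service": service})
    return tgs_rep["ticket"], bytes.fromhex(toy_decrypt(session_key, tgs_rep["enc_part"])["svc_key"])


def service_accepts(service_key, ticket, client_svc_key):
    """The application server decrypts the ticket with its own key; no KDC round trip is needed."""
    body = toy_decrypt(service_key, ticket)
    return hmac.compare_digest(bytes.fromhex(body["svc_key"]), client_svc_key)


def demo():
    """Constructed principals (one user, one hypothetical service). Returns what each step achieved."""
    http_key = os.urandom(32)
    kdc = KDC({"jane": "correct horse battery"}, {"HTTP/web.example": http_key})
    results = {}
    try:
        client_login(kdc, "jane", "wrong password")
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    tgt, session_key = client_login(kdc, "jane", "correct horse battery")
    results["tgt_opaque_to_client"] = False
    try:
        toy_decrypt(session_key, tgt)          # the client cannot read its own TGT
    except ValueError:
        results["tgt_opaque_to_client"] = True
    ticket, svc_key = client_get_service_ticket(kdc, "jane", tgt, session_key, "HTTP/web.example")
    results["service_accepts"] = service_accepts(http_key, ticket, svc_key)
    return results


if __name__ == "__main__":
    print(demo())
```

Note where each secret lives: the password stays on the client, the TGS key stays inside the KDC, and the service key is shared only between the KDC and that service, which is why the client can carry a TGT and a service ticket it cannot read.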
Diameter was designed to replace RADIUS, but the change never happened. Where is Diameter COMMONLY used now?(Ans- Diameter is largely used in the 3G/4G mobile network space; RADIUS is used elsewhere. It was intended as a replacement for RADIUS, but the use cases diverged and the two now serve different purposes.
Jane has a project looking at possible Federated Identity Management (FIdM) implementations at our organization. Which of these would she NOT consider?(Ans- LDAP (the Lightweight Directory Access Protocol) is used for accessing and maintaining distributed directory information services over an IP network and is not FIdM (Federated Identity Management).