86. Isabelle wants to prevent privilege escalation attacks via her organization's service accounts. Which of the following security practices is best suited to this?
A. Remove unnecessary rights.
B. Disable interactive login for service accounts.
C. Limit when accounts can log in.
D. Use meaningless or randomized names for service accounts.
87. What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider?
A. It may cause incorrect selection of the proper OpenID provider.
B. It creates the possibility of a phishing attack by sending data to a fake OpenID provider.
C. The relying party may be able to steal the client's username and password.
D. The relying party may not send a signed assertion.
88. Jim is implementing a cloud identity solution for his organization. What type of technology is he putting in place?
A. Identity as a service
B. Employee ID as a service
C. Cloud-based RADIUS
D. OAuth
89. Kristen wants to control access to an application in her organization based on a combination of staff members' job titles, the permissions each group of titles needs for the application, and the time of day and location. What type of control scheme should she select?
A. ABAC
B. DAC
C. MAC
D. Role-BAC
90. When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?
A. Role-based access control
B. Rule-based access control
C. Mandatory access control (MAC)
D. Discretionary access control (DAC)
91. Joanna leads her organization's identity management team and wants to ensure that roles are properly updated when staff members change to new positions. What issue should she focus on for those staff members to avoid future issues with role definition?
A. Registration
B. Privilege creep
C. Deprovisioning
D. Accountability
92. What type of authorization mechanism is shown in the following chart?
A. RBAC
B. ABAC
C. MAC
D. DAC
93. Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue?
A. The Kerberos server is offline.
B. There is a protocol mismatch.
C. The client's TGTs have been marked as compromised and de-authorized.
D. The Kerberos server and the local client's time clocks are not synchronized.
94. Brian wants to explain the benefits of an on-premises federation approach for identity to his organization's leadership. Which of the following is not a common benefit of a federated identity system?
A. Ease of account management
B. Single sign-on
C. Prevention of brute-force attacks
D. Increased productivity
95. The bank that Aaron works for wants to allow customers to use a new add-on application from a third-party partner they are working with. Since not every customer will want or need an account, Aaron has suggested that the bank use a SAML-based workflow that creates an account when a user downloads the app and tries to log in. What type of provisioning system has he suggested?
A. JIT
B. OpenID
C. OAuth
D. Kerberos
96. What authentication protocol does Windows use by default for Active Directory systems?
A. RADIUS
B. Kerberos
C. OAuth
D. TACACS+
97. Valerie needs to control access to applications that are deployed to mobile devices in a BYOD environment. What type of solution will best allow her to exercise control over the applications while ensuring that they do not leave remnant data on the devices used by her end users?
A. Deploy the applications to the BYOD devices and require unique PINs on every device.
B. Deploy the application to desktop systems and require users to use remote desktop to access them using enterprise authentication.
C. Deploy the applications to the BYOD devices using application containers and require unique PINs on every device.
D. Use a virtual hosted application environment that requires authentication using enterprise credentials.
98. Match the following authorization mechanisms with their descriptions:
Mechanisms:
1. Role-BAC
2. Rule-BAC
3. DAC
4. ABAC
5. MAC
Descriptions:
A. An access control model enforced by the operating system.
B. Permissions or rights are granted based on parameters like an IP address, time, or other specific details that match requirements.
C. Sometimes called policy-based access control, this model uses information about the subject to assign permissions.
D. A model where subjects with the proper rights can assign or pass those rights to other subjects.
E. Used to assign permissions based on job or function.
99. Match each of the numbered authentication techniques with the appropriate lettered category. Each technique should be matched with exactly one category. Each category may be used once, more than once, or not at all.
Authentication techniques:
1. Password
2. ID card
3. Retinal scan
4. Smartphone token
5. Fingerprint analysis
Categories:
A. Something you have
B. Something you know
C. Something you are
100. Match the following identity and access controls with the asset type they are best suited to protect. Each asset type matches exactly one control.
Asset types:
1. Information assets
2. Systems
3. Mobile devices
4. Facilities
5. Partner applications
Controls:
A. Discretionary access controls
B. Badge readers
C. Federated identity management
D. Biometric authentication
E. User accounts with multifactor authentication
Chapter 6 Security Assessment and Testing (Domain 6)
SUBDOMAINS:
6.1 Design and validate assessment, test, and audit strategies
6.2 Conduct security control testing
6.3 Collect security process data (e.g. technical and administrative)
6.4 Analyze test output and generate report
6.5 Conduct or facilitate security audits
1. During a port scan, Susan discovers a system running services on TCP and UDP 137–139 and TCP 445, as well as TCP 1433. What type of system is she likely to find if she connects to the machine?
A. A Linux email server
B. A Windows SQL server
C. A Linux file server
D. A Windows workstation
2. Which of the following is a method used to automatically design new software tests and to ensure the quality of tests?
A. Code auditing
B. Static code analysis
C. Regression testing
D. Mutation testing
3. During a port scan, Naomi found TCP port 443 open on a system. Which tool is best suited to scanning the service that is most likely running on that port?
A. zzuf
B. Nikto
C. Metasploit
D. sqlmap
4. What message logging standard is commonly used by network devices, Linux and Unix systems, and many other enterprise devices?
A. Syslog
B. Netlog
C. Eventlog
D. Remote Log Protocol (RLP)
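Syslog messages are more than free text: the leading `<PRI>` field encodes facility and severity as a single number (PRI = facility * 8 + severity), which is what log collectors and SIEM rules key on. The following Python is an editor's added example, not code from the book; it parses BSD-style (RFC 3164) lines and filters them by severity. The sample lines are constructed for the example (the first is modelled on the sample message in RFC 3164 section 5.4); the hostnames and process names in them are made up.

```python
"""Parse and triage BSD-style (RFC 3164) syslog lines. Editor's example, not from the book."""
import re

# Facility and severity names for the RFC 3164 numeric codes (index = code).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG   (PID is optional)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)


def decode_pri(pri):
    """Split PRI into (facility name, severity name). PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:  # 23 facilities * 8 + 7 is the maximum legal value
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity]


def parse_line(line):
    """Return a dict of fields for one RFC 3164 line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m.group("pri")))
    return {
        "facility": facility,
        "severity": severity,
        "severity_num": SEVERITIES.index(severity),  # lower number = more severe
        "timestamp": m.group("timestamp"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "msg": m.group("msg"),
    }


def triage(lines, max_severity="err"):
    """Return (events at or above max_severity, lines that failed to parse).

    Unparseable lines are returned rather than silently dropped: a line a
    collector cannot parse is itself worth an analyst's attention.
    """
    threshold = SEVERITIES.index(max_severity)
    hits, unparsed = [], []
    for line in lines:
        event = parse_line(line)
        if event is None:
            unparsed.append(line)
        elif event["severity_num"] <= threshold:
            hits.append(event)
    return hits, unparsed


# Constructed sample input for the example.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 mymachine su[1234]: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Feb  5 17:32:18 10.0.0.99 myproc: Use the BFG!",
    "<86>Mar  3 09:01:44 fw01 sshd[2771]: Accepted publickey for deploy from 10.0.0.7 port 51022",
    "this line is not syslog at all",
]

if __name__ == "__main__":
    hits, unparsed = triage(SAMPLE_LINES)
    for e in hits:
        print("%s.%s %s %s: %s" % (e["facility"], e["severity"], e["host"], e["tag"], e["msg"]))
    print("unparsed:", unparsed)
```

Run as-is, the first line decodes to auth.crit (34 = 4 * 8 + 2) and is the only hit at the default "err" threshold; the last line lands in the unparsed list. RFC 5424 (the newer syslog format) keeps the same PRI encoding but changes the header layout, so this regex is deliberately limited to the BSD form.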
5. Alex wants to use an automated tool to fill web application forms to test for format string vulnerabilities. What type of tool should he use?
A. A black box
B. A brute-force tool
C. A fuzzer
D. A static analysis tool
6. Susan needs to scan a system for vulnerabilities, and she wants to use an open source tool to test the system remotely. Which of the following tools will meet her requirements and allow vulnerability scanning?
A. Nmap
B. OpenVAS
C. MBSA
D. Nessus
7. Morgan is implementing a vulnerability management system that uses standards-based components to score and evaluate the vulnerabilities it finds. Which of the following is most commonly used to provide a severity score for vulnerabilities?
A. CCE
B. CVSS
C. CPE
D. OVAL
8. Jim has been contracted to perform a penetration test of a bank's primary branch. To make the test as real as possible, he has not been given any information about the bank other than its name and address. What type of penetration test has Jim agreed to perform?
A. A crystal-box penetration test
B. A gray-box penetration test
C. A black-box penetration test
D. A white-box penetration test
9. In a response to a request for proposal, Susan receives an SSAE 18 SOC report. If she wants a report that includes operating effectiveness detail, what should Susan ask for as follow-up and why?
A. A SOC 2 Type II report, because Type I does not cover operating effectiveness
B. A SOC 1 Type I report, because SOC 2 does not cover operating effectiveness
C. A SOC 2 Type I report, because SOC 2 Type II does not cover operating effectiveness
D. A SOC 3 report, because SOC 1 and SOC 2 reports are outdated
10. During a wireless network penetration test, Susan runs aircrack-ng against the network using a password file. What might cause her to