(ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests. Mike Chapple
Читать онлайн книгу.
and she just entered her password. What term best describes this activity?AuthenticationAuthorizationAccountingIdentification
31 Kelly is adjusting her organization’s password requirements to make them consistent with best practice guidance from NIST. What should she choose as the most appropriate time period for password expiration?30 days90 days180 daysNo expiration
32 Ben is working on integrating a federated identity management system and needs to exchange authentication and authorization information for browser-based single sign-on. What technology is his best option?HTMLXACMLSAMLSPML
33 What access control scheme labels subjects and objects and allows subjects to access objects when the labels match?DACMACRule-based access control (RBAC)Role-based access control (RBAC)
34 Mandatory access control is based on what type of model?DiscretionaryGroup-basedLattice-basedRule-based
35 Ricky would like to access a remote file server through a VPN connection. He begins this process by connecting to the VPN and attempting to log in. Applying the subject/object model to this request, what is the subject of Ricky’s login attempt?RickyVPNRemote file serverFiles contained on the remote server
36 What type of access control is typically used by firewalls?Discretionary access controlsRule-based access controlsTask-based access controlMandatory access controls
37 Gabe is concerned about the security of passwords used as a cornerstone of his organization’s information security program. Which one of the following controls would provide the greatest improvement in Gabe’s ability to authenticate users?More complex passwordsUser education against social engineeringMultifactor authenticationAddition of security questions based on personal knowledge
38 During a review of support incidents, Ben’s organization discovered that password changes accounted for more than a quarter of its help desk’s cases. Which of the following options would be most likely to decrease that number significantly?Two-factor authenticationBiometric authenticationSelf-service password resetPassphrases
39 Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?KerberosOAuthOpenIDLDAP
40 Which one of the following activities is an example of an authorization process?User providing a passwordUser passing a facial recognition checkSystem logging user activitySystem consulting an access control list
41 Raul is creating a trust relationship between his company and a vendor. He is implementing the system so that it will allow users from the vendor’s organization to access his accounts payable system using the accounts created for them by the vendor. What type of authentication is Raul implementing?Federated authenticationTransitive trustMultifactor authenticationSingle sign-on
42 In Luke’s company, users change job positions on a regular basis. Luke would like the company’s access control system to make it easy for administrators to adjust permissions when these changes occur. Which model of access control is best suited for Luke’s needs?Mandatory access controlDiscretionary access controlRule-based access controlRole-based access control
43 When you input a user ID and password, you are performing what important identity and access management activity?AuthorizationValidationAuthenticationLogin
44 Which of the following is a ticket-based authentication protocol designed to provide secure communication?RADIUSOAuthSAMLKerberos
45 Which of the following authenticators is appropriate to use by itself rather than in combination with other biometric factors?Voice pattern recognitionHand geometryPalm scansHeart/pulse patterns
46 What type of token-based authentication system uses a challenge/response process in which the challenge must be entered on the token?AsynchronousSmart cardSynchronousRFID
47 As part of hiring a new employee, Kathleen’s identity management team creates a new user object and ensures that the user object is available in the directories and systems where it is needed. What is this process called?RegistrationProvisioningPopulationAuthenticator loading
48 What access control system lets owners decide who has access to the objects they own?Role-based access controlTask-based access controlDiscretionary access controlRule-based access control
49 When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?Role-based access controlRule-based access controlMandatory access control (MAC)Discretionary access control (DAC)
50 The U.S. government CAC is an example of what form of Type 2 authentication factor?A tokenA biometric identifierA smart cardA PIV
51 Donna is conducting an ongoing review of her organization’s identity and access management system and identifies a problem. She finds that when users change jobs, they never have the access rights associated with their old jobs removed. What term best describes this issue?Rights managementPrivilege creepTwo-person controlLeast privilege
52 Which objects and subjects have a label in a MAC model?Objects and subjects that are classified as Confidential, Secret, or Top Secret have a label.All objects have a label, and all subjects have a compartment.All objects and subjects have a label.All subjects have a label and all objects have a compartment.
53 Jack’s organization is a government agency that handles very sensitive information. They need to implement an access control system that allows administrators to set access rights but does not allow the delegation of those rights to other users. What is the best type of access control design for Jack’s organization?Discretionary access controlMandatory access controlDecentralized access controlRule-based access control
54 Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where their servers reside. In the past month, several servers have been stolen, but the logs for the pass cards show only valid IDs. What is Kathleen’s best option to make sure that the users of the pass cards are who they are supposed to be?Add a reader that requires a PIN for passcard users.Add a camera system to the facility to observe who is accessing servers.Add a biometric factor.Replace the magnetic stripe keycards with smartcards.
55 What term is used to describe the default set of privileges assigned to a user when a new account is created?AggregationTransitivityBaselineEntitlement
56 Kathleen is implementing an access control system for her organization and builds the following array:Reviewers: update files, delete filesSubmitters: upload filesEditors: upload files, update filesArchivists: delete filesWhat type of access control system has Kathleen implemented?Role-based access controlTask-based access controlRule-based access controlDiscretionary access control
57 When a user attempts to log into their online account, Google sends a text message with a code to their cell phone. What type of verification is this?Knowledge-based authenticationDynamic knowledge-based authenticationOut-of-band identity proofingRisk-based identity proofing
58 In a zero-trust network architecture, what criterion is used to make trust decisions?Identity of a user or deviceIP addressNetwork segmentVLAN membership
Chapter 3 Risk Identification, Monitoring, and Analysis (Domain 3)
THE SSCP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:
Domain 3.0: Risk Identification, Monitoring, and Analysis3.1 Understand the risk management processRisk visibility and reporting (e.g., risk register, sharing threat intelligence/Indicators of Compromise (IOC), Common Vulnerability Scoring System (CVSS))Risk management concepts (e.g., impact assessments, threat modeling)Risk management frameworks (e.g., International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST))Risk tolerance (e.g., appetite)Risk treatment (e.g., accept, transfer, mitigate, avoid, ignore)3.2 Understand legal and regulatory concerns (e.g., jurisdiction, limitations, privacy)3.3 Participate in security assessment