- What is the most important decision an organization needs to make when implementing Role-Based Access Control (RBAC)?
A. Each user’s security clearance needs to be finalized
B. The roles users have on the system needs to be clearly defined
C. Users’ data needs to be clearly labeled
D. Users must be segregated from one another on the IT system to prevent spillage of sensitive data
Correct Answer and Explanation: B. Answer B is correct; in Role-Based Access Control (RBAC), users' roles must be clearly defined so access to data based upon those roles can be limited according to organization policy.
Incorrect Answers and Explanations: A, C, and D. Answer A is incorrect because in RBAC users' clearances are not considered. Answer C is incorrect because it is MAC, not RBAC, that labels every object and compares that label to a subject's clearance. Answer D is incorrect because in RBAC users are not segregated from one another.
- What access control method could scrutinize additional factors such as time of attempted access before granting access?
A. Discretionary access control
B. Attribute-based access control
C. Role-based access control
D. Rule-based access control
Correct Answer and Explanation: B. Answer B is correct; attribute-based access control (ABAC) allows consideration of myriad additional factors, including elements like the time of attempted access, for access control decisions.
Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are incorrect. Discretionary access control involves access to objects being controlled by subjects, who exercise complete control over objects they created or have been granted full control over. Role-based access control is based on the subject's role. Rule-based access control considers defined rules that govern access decisions and is most closely associated with firewalls or similar types of controls.
- What service is known as cloud identity, and allows organizations to leverage cloud services for identity management?
A. IaaS
B. IDaaS
C. PaaS
D. SaaS
Correct Answer and Explanation: B. Answer B is correct; Identity as a Service, also called cloud identity, allows organizations to leverage cloud services for identity management.
Incorrect Answers and Explanations: A, C, and D. Answers A, C, and D are incorrect. IaaS (Infrastructure as a Service) provides an entire virtualized operating system, which the customer configures from the OS on up. PaaS (Platform as a Service) provides a pre-configured operating system, and the customer configures the applications. SaaS (Software as a Service) is completely configured, from the operating system to applications, and the customer simply uses the application.
- A type II biometric is also known as what?
A. Crossover Error Rate (CER)
B. Equal Error Rate (EER)
C. False Accept Rate (FAR)
D. False Reject Rate (FRR)
Correct Answer and Explanation: C. Answer C is correct; the False Accept Rate (FAR) is known as a type II error. Remember that false rejects are normally worse than false accepts, and II is greater than I.
Incorrect Answers and Explanations: A, B, and D. Answers A, B, and D are incorrect. The Crossover Error Rate (CER) and Equal Error Rate (EER) are synonyms used to gauge the accuracy of a biometric system. A False Reject Rate (FRR) is a type I error.
- Within Kerberos, which part is the single point of failure?
A. The Ticket Granting Ticket
B. The Realm
C. The Key Distribution Center
D. The Client-Server session key
Correct Answer and Explanation: C. Answer C is correct; the KDC is the only service within Kerberos that can authenticate subjects. If the KDC loses availability, then ticket granting tickets will not be issued and no new authentications may take place.
Incorrect Answers and Explanations: A, B, and D. A is incorrect because the TGT is received by the subject from the KDC. B is incorrect because the realm is a Kerberos network that shares authentication. D is incorrect because new C-S session keys can be issued.