Mike Chapple - (ISC)2 SSCP Systems Security Certified Practitioner Official Practice Tests


Smarter, faster prep for the SSCP exam
(ISC)² SSCP Official Practice Tests, 2nd Edition


THE SSCP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 2.0: Access Controls

2.1 Implement and maintain authentication methods
    - Single/multi-factor authentication (MFA)
    - Single sign-on (SSO) (e.g., Active Directory Federation Services (ADFS), OpenID Connect)
    - Device authentication
    - Federated access (e.g., Open Authorization 2 (OAuth2), Security Assertion Markup Language (SAML))

2.2 Support internetwork trust architectures
    - Trust relationships (e.g., 1-way, 2-way, transitive, zero)
    - Internet, intranet, and extranet
    - Third-party connections

2.3 Participate in the identity management lifecycle
    - Authorization
    - Proofing
    - Provisioning/de-provisioning
    - Maintenance
    - Entitlement
    - Identity and access management (IAM) systems

2.4 Understand and apply access controls
    - Mandatory
    - Discretionary
    - Role-based (e.g., attribute-, subject-, object-based)
    - Rule-based

1. Greg is the network administrator for a large stadium that hosts many events throughout the course of the year. They equip ushers with handheld scanners to verify tickets. Ushers turn over frequently and are often hired at the last minute. Scanners are handed out to ushers before each event, but different ushers may use different scanners. Scanners are secured in a locked safe when not in use. What network access control approach would be most effective for this scenario?
   A. Multifactor authentication
   B. Device authentication
   C. Password authentication
   D. No authentication

2. Norma is helping her organization create a specialized third-party network connection for a set of vendors needing to connect to Norma’s organization’s network to process invoices and upload inventory. This network should be segmented from the rest of the corporate network but have a much higher degree of access than the general public. What type of network is Norma building?
   A. Internet
   B. Intranet
   C. Outranet
   D. Extranet

3. Which one of the following is an example of a nondiscretionary access control system?
   A. File ACLs
   B. MAC
   C. DAC
   D. Visitor list

4. Wanda is configuring device-based authentication for systems on her network. Which one of the following approaches offers the strongest way to authenticate devices?
   A. IP address
   B. MAC address
   C. Digital certificate
   D. Password

5. Kaiden is creating an extranet for his organization and is concerned about unauthorized eavesdropping on network communications. Which one of the following technologies can he use to mitigate this risk?
   A. VPN
   B. Firewall
   C. Content filter
   D. Proxy server

6. When Ben lists the files on a Linux system, he sees the set of attributes shown here. The letters rwx indicate different levels of what?
   A. Identification
   B. Authorization
   C. Authentication
   D. Accountability

7. Which one of the following tools is most often used for identification purposes and is not suitable for use as an authenticator?
   A. Password
   B. Retinal scan
   C. Username
   D. Token

8. Gary is preparing to create an account for a new user and assign privileges to the HR database. What two elements of information must Gary verify before granting this access?
   A. Credentials and need to know
   B. Clearance and need to know
   C. Password and clearance
   D. Password and biometric scan

Ben’s organization is adopting biometric authentication for its high-security building’s access control system. Use the following chart to answer questions 9–11 about the organization’s adoption of the technology.

[Figure: chart for questions 9–11; image not included in this extract]

9. Ben’s company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity?
   A. The FRR crossover
   B. The FAR point
   C. The CER
   D. The CFR

10. At point B, what problem is likely to occur?
   A. False acceptance will be very high.
   B. False rejection will be very high.
   C. False rejection will be very low.
   D. False acceptance will be very low.

11. What should Ben do if the FAR and FRR shown in this diagram do not provide an acceptable performance level for his organization’s needs?
   A. Adjust the sensitivity of the biometric devices.
   B. Assess other biometric systems to compare them.
   C. Move the CER.
   D. Adjust the FRR settings in software.

12. When a subject claims an identity, what process is occurring?
   A. Login
   B. Identification
   C. Authorization
   D. Token presentation

13. Files, databases, computers, programs, processes, devices, and media are all examples of what?
   A. Subjects
   B. Objects
   C. File stores
   D. Users

14. MAC models use three types of environments. Which of the following is not a mandatory access control design?
   A. Hierarchical
   B. Bracketed
   C. Compartmentalized
   D. Hybrid

15. Ryan would like to implement an access control technology that is likely to both improve security and increase user satisfaction. Which one of the following technologies meets this requirement?
   A. Mandatory access controls
   B. Single sign-on
   C. Multifactor authentication
   D. Automated deprovisioning

16. The leadership at Susan’s company has asked her to implement an access control system that can support rule declarations like “Only allow access to salespeople from managed devices on the wireless network between 8 a.m. and 6 p.m.” What type of access control system would be Susan’s best choice?
   A. ABAC
   B. Rule-based access control (RBAC)
   C. DAC
   D. MAC

17. What is the primary advantage of decentralized access control?
   A. It provides better redundancy.
   B. It provides control of access to people closer to the resources.
   C. It is less expensive.
   D. It provides more granular control of access.

18. Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?
   A. An access control list
   B. An implicit denial list
   C. A capability table
   D. A rights management matrix

19. Match each of the numbered authentication techniques with the appropriate lettered category. Each technique should be matched with exactly one category. Each category may be used once, more than once, or not at all.

   Authentication technique
   1. Password
   2. ID card
   3. Retinal scan
   4. Smartphone token
   5. Fingerprint analysis

   Category
   A. Something you have
   B. Something you know
   C. Something you are

20. Susan wants to integrate her website to allow users to use accounts from sites like Google. What technology should she adopt?
   A. Kerberos
   B. LDAP
   C. OpenID
   D. SESAME

21. Ben uses a software-based token that changes its code every minute. What type of token is he using?
   A. Asynchronous
   B. Smart card
   C. Synchronous
   D. Static

22. How does single sign-on increase security?
   A. It decreases the number of accounts required for a subject.
   B. It helps decrease the likelihood that users will write down their passwords.
   C. It provides logging for each system that it is connected to.
   D. It provides better encryption for authentication data.

23. Which of the following multifactor authentication technologies provides both low management overhead and flexibility?
   A. Biometrics
   B. Software tokens
   C. Synchronous hardware tokens
   D. Asynchronous hardware tokens

24. Tom is planning to terminate an employee this afternoon for fraud and expects that the meeting will be somewhat hostile. He is coordinating the meeting with human resources and wants to protect the company against damage. Which one of the following steps is most important to coordinate in time with the termination meeting?
   A. Informing other employees of the termination
   B. Retrieving the employee’s photo ID
   C. Calculating the final paycheck
   D. Revoking electronic access rights

25. Jim wants to allow a partner organization’s Active Directory forest (B) to access his domain forest’s (A)’s resources but doesn’t want to allow users in his domain to access B’s resources. He also does not want the trust to flow upward through the domain tree as it is formed. What should he do?
   A. Set up a two-way transitive trust.
   B. Set up a one-way transitive trust.
   C. Set up a one-way nontransitive trust.
   D. Set up a two-way nontransitive trust.

26. The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as “Which of the following streets did you live on in 2007?” What process is Susan’s organization using?
   A. Identity proofing
   B. Password verification
   C. Authenticating with Type 2 authentication factor
   D. Out-of-band identity proofing
