QUESTION 208
Who developed one of the first mathematical models of a multilevel-security computer system?
A. Diffie-Hellman
B. Clark and Wilson
C. Bell and LaPadula
D. Gasser and Lipner
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 209
Which of the following was the first mathematical model of multilevel security policy?
A. Biba
B. Take-Grant
C. Bell-LaPadula
D. Clark Wilson
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: “In the 1970s, the US military used time-sharing mainframe systems and was concerned about
these systems and the leakage of classified information. The Bell-LaPadula model was developed to address these
concerns. It was the first mathematical model of a multilevel security policy used to define the concept of a
secure state machine and modes of access and outline rules of access.” Pg 212 Shon Harris: All-in-One CISSP
Certification
98
ISC CISSP Exam
QUESTION 210
Which security model allows the data custodian to grant access privileges to other users?
A. Mandatory
B. Bell-LaPadula
C. Discretionary
D. Clark-Wilson
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Discretionary Access Control. The subject has authority, within certain limitations, to specify what
objects are accessible.” - Ronald Krutz The CISSP PREP Guide (gold edition) pg
QUESTION 211
What is one issue NOT addressed by the Bell-LaPadula model?
A. Information flow control
B. Security levels
C. Covert channels
D. Access modes
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: As with any model, the Bell-LaPadula model has some weaknesses. The major one is that the model
considers only normal channels of information exchange and does not address covert channels. –
Ronald Krutz The CISSP PREP Guide (gold edition) pg 275-276
QUESTION 212
Which one of the following access control models associates every resource and every user of a resource with
one of an ordered set of classes?
A. Take-Grant model
B. Biba model
C. Lattice model
D. Clark-Wilson model
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: With a lattice model you first have to define a set of security classes that can be assigned to users
or objects… After you have defined the set of security classes, you define a set of flow operations showing when
information can flow from one class to another. – Roberta Bragg CISSP Certification Training Guide (que) pg 23
QUESTION 213
What scheme includes the requirement that the system maintain the separation of duty requirement expressed
in the access control triples?
A. Bella
B. Lattice
C. Clark-Wilson
D. Bell-LaPadula
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Separation of duty is necessarily determined by conditions external to the computer system. The Clark-Wilson
scheme includes the requirement that the system maintain the separation of duty requirement expressed in the
access control triples. Enforcement is on a per-user basis, using the user ID from the access control triple.
QUESTION 214
The access matrix model consists of which of the following parts? (Choose all that apply)
A. A function that returns an objects type.
B. A list of subjects.
C. A list of objects.
Correct Answer: ABC
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The access matrix model consists of four major parts:
A list of objects
A list of subjects
A function T that returns an object’s type
The matrix itself, with the objects making the columns and the subjects making the rows
Note: This question seems to confuse the access control matrix (Harris, 3rd Ed, p 169) with access control types
(Ibid, p 188ff).
“An access control matrix is a table of subjects and objects indicating what actions … subjects can take upon …
objects”, Harris, 3rd Ed, p 169.
The question would be right if item “A” were “a function that returned an access right”.
QUESTION 215
The access matrix model has which of the following common implementations?
A. Access control lists and capabilities.
B. Access control lists.
C. Capabilities.
D. Access control list and availability.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The two most used implementations are access control lists and capabilities. Access control lists are achieved
by placing on each object a list of users and their associated rights to that object.
QUESTION 216
The lattice-based model aims at protecting against:
A. Illegal attributes.
B. None of the choices.
C. Illegal information flow among the entities.
D. Illegal access rights
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The lattice-based model aims at protecting against illegal information flow among the entities. One security
class is given to each entity in the system. A flow relation among the security classes is defined to denote that
information in one class can flow into another class.
QUESTION 217
Which of the following are the components of the Chinese wall model?
A. Conflict of interest.
B. All of the choices.
C. Subject
D. Company Datasets.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The model has the following components (component: example):
Subject: Analyst
Object: Data item for a single client
Company datasets: Give for each company its own company dataset
Conflict-of-interest classes: Give for each object the companies that have a conflict of interest
Labels: Company dataset + conflict-of-interest class
Sanitized information: No access restriction
QUESTION 218
Enforcing minimum privileges for general system users can be easily achieved through the use of:
A. TSTEC
B. RBAC
C. TBAC
D. IPSEC
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Ensuring least privilege requires identifying what the user’s job is, determining the minimum set of privileges
required to perform that job, and restricting the user to a domain with those privileges and nothing more. By
denying to subjects transactions that are not necessary for the performance of their duties, those denied
privileges couldn’t be used to circumvent the organizational security policy. Although the concept of least
privilege currently exists within the context of the TCSEC, requirements restrict those privileges of the system
administrator. Through the use of RBAC, enforced minimum privileges for general system users can be easily
achieved.
QUESTION 219
What is necessary for a subject to have write access to an object in a Multi-Level Security Policy?
A. The subject’s sensitivity label must dominate the object’s sensitivity label
B. The subject’s sensitivity label subordinates the object’s sensitivity label
C. The subject’s sensitivity label is subordinated by the object’s sensitivity label
D. The subject’s sensitivity label is dominated by the object’s sensitivity label
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The correct answer is: The subject’s sensitivity label must dominate the object’s sensitivity label.
With a multilevel security policy you have information that carries different sensitivity labels. In order to read an
object, the subject’s sensitivity label must be equal to or greater than that of the object, so the subject’s label is
said to dominate it: no read up.
The following answers are incorrect:
The subject’s sensitivity label subordinates the object’s sensitivity label. This is incorrect because if the subject’s
sensitivity label subordinates the object’s sensitivity label, the subject’s label is lower and the subject should not
have read access to the object.
The subject’s sensitivity label is subordinated by the object’s sensitivity label. This is incorrect because it would
not allow read access if the sensitivity labels were equal. The subject’s sensitivity label is not subordinated by the
object’s sensitivity label; the subject’s label must dominate the object’s label. Remember that dominate means
equal to or greater than, whereas subordinate means less than.
The subject’s sensitivity label is dominated by the object’s sensitivity label. This is incorrect because if the object’s
sensitivity label dominates the subject’s sensitivity label, the subject should not have access; it is the subject that
must dominate the object and not the other way around. Remember that dominate means equal to or greater
than, so this would mean that the object’s sensitivity label is equal to or greater than the subject’s.
According to the OIG, multilevel security is defined as a class of systems containing information with different
sensitivities that simultaneously permits access by users with different security clearances and need-to-know,
but prevents users from obtaining access to information for which they lack authorization. The subject’s
sensitivity label must be equal to or greater than the object’s sensitivity label in order for the subject to have
read access to it: no read up.
QUESTION 220
Which of the following security modes of operation involved the highest risk?
A. Compartmented Security Mode
B. Multilevel Security Mode
C. System-High Security Mode
D. Dedicated Security Mode
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Security Modes
In a secure environment, information systems are configured to process information in one of four security
modes. These modes are set out by the Department of Defense as follows:
Systems running compartmental security mode may process two or more types of compartmented information.
All system users must have an appropriate clearance to access all information processed by the system but do
not necessarily have a need to know all of the information in the system. Compartments are subcategories or
compartments within the different classification levels and extreme care is taken to preserve the information
within the different compartments. The system may be classified at the Secret level but contain five different
compartments, all classified Secret. If a user has only the need to know about two of the five different
compartments to do their job, that user can access the system but can only access the two compartments.
Compartmented systems are usually dedicated systems for each specific compartment to prevent the chance
of any errors, because compartmentalization is the most secret of all the secrets.
Systems running in the dedicated security mode are authorized to process only a specific classification level at
a time, and all system users must have clearance and a need to know that information.
Systems running in multilevel security mode are authorized to process information at more than one level of
security even when all system users do not have appropriate clearances or a need to know for all information
processed by the system.
Systems running in system-high security mode are authorized to process only information that all system users
are cleared to read and to have a valid need to know. These systems are not trusted to maintain separation
between security levels, and all information processed by these systems must be handled as if it were classified
at the same level as the most highly classified information processed by the system.”
Pg. 234 Tittel: CISSP Study Guide
QUESTION 221
Controlled Security Mode is also known as:
A. Multilevel Security Mode
B. Partitioned Security Mode
C. Dedicated Security Mode
D. System-high Security Mode
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: pg 264 Krutz: CISSP Prep Guide: Gold Edition
QUESTION 222
The unauthorized mixing of data of one sensitivity level and need-to-know with data of a lower sensitivity level,
or different need-to-know, is called data
A. Contamination
B. Seepage
C. Aggregation
D. Commingling
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: WOW if you are reading these comments then you know I have disagreed with a bunch of the
original answers! Well here is another. The original was Seepage. I think it is Contamination.
“The intermixing of data at different sensitivity and need-to-know levels. The lower-level data is said to be
contaminated by the higher-level data; thus contaminating (higher-level) data might not receive the required
level of protection” -Ronald Krutz The CISSP PREP Guide (gold edition) pg
QUESTION 223
Which one of the following should be employed to protect data against undetected corruption?
A. Non-repudiation
B. Encryption
C. Authentication
D. Integrity
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 224
Which of the following is a communication path that is not protected by the system’s normal security
mechanisms?
A. A trusted path
B. A protection domain
C. A covert channel
D. A maintenance hook
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 225
A channel within a computer system or network that is designed for the authorized transfer of information is
identified as a(n)?
A. Covert channel
B. Overt channel
C. Opened channel
D. Closed channel
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: “An overt channel is a channel of communication that was developed specifically for
communication purposes. Processes should be communicating through overt channels, not covert channels.”
Pg 237 Shon Harris: All-In-One CISSP Certification Guide.
QUESTION 226
A covert channel is a communication channel that can be used for:
A. Hardening the system.
B. Violating the security policy.
C. Protecting the DMZ.
D. Strengthening the security policy.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
A covert channel is a communication channel that allows the transfer of information in a manner that violates the
system’s security policy.
QUESTION 227
What is an indirect way to transmit information with no explicit reading of confidential information?
A. Covert channels
B. Backdoor
C. Timing channels
D. Overt channels
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Covert channels: indirect ways of transmitting information with no explicit reading of confidential information.
This kind of difficulty led some researchers to rethink from scratch the whole problem of guaranteeing
security in computer systems.
QUESTION 228
Which one of the following describes a covert timing channel?
A. Modulated to carry an unintended information signal that can only be detected by special, sensitive
receivers.
B. Used by a supervisor to monitor the productivity of a user without their knowledge.
C. Provides the timing trigger to activate a malicious program disguised as a legitimate function.
D. Allows one process to signal information to another by modulating its own use of system resources.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: A covert channel in which one process signals information to another by modulating its own use of
system resources (for example, CPU time) in such a way that this manipulation affects the real response time
observed by the second process. – Shon Harris All-in-one CISSP Certification Guide pg 929
QUESTION 229
Covert channel analysis is required for
A. Systems processing Top Secret or classified information.
B. A Trusted Computer Base with a level of trust B2 or above.
C. A system that can be monitored in a supervisor state.
D. Systems that use exposed communication links.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Table 6.6, Standards Comparison: B2 Structured Protection (covert channel, device labels, subject
sensitivity labels, trusted path, trusted facility management, configuration management), corresponding to F4+E4
and EAL5. – Roberta Bragg CISSP Certification Training Guide (que) pg 370
QUESTION 230
In multi-processing systems, which one of the following lacks mandatory controls and is NORMALLY AVOIDED
for communication?
A. Storage channels
B. Covert channels
C. Timing channels
D. Object channels
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Covert channel – A communication path that enables a process to transmit information in a way
that violates the system’s security policy. – Shon Harris All-in-one CISSP Certification Guide pg 929
QUESTION 231
What security risk does a covert channel create?
A. A process can signal information to another process.
B. It bypasses the reference monitor functions.
C. A user can send data to another user.
D. Data can be disclosed by inference.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: The risk is not that a process can signal another process. The risk is that the signaling bypasses
the reference monitor functions (i.e., the communication is not screened by the security kernel that implements
the reference monitor).
QUESTION 232
What is the essential difference between a self-audit and an independent audit?
A. Tools used
B. Results
C. Objectivity
D. Competence
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 233
What is called the formal acceptance of the adequacy of a system’s overall security by the management?
A. Certification
B. Acceptance
C. Accreditation
D. Evaluation
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 234
FIPS-140 is a standard for the security of:
A. Cryptographic service providers
B. Smartcards
C. Hardware and software cryptographic modules
D. Hardware security modules
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Topic 3, Access
QUESTION 235
Which of the following will you consider as the MOST secure way of authentication?
A. Biometric
B. Password
C. Token
D. Ticket Granting
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Biometric authentication systems take advantage of an individual’s unique physical characteristics in order to
authenticate that person’s identity. Various forms of biometric authentication include face, voice, eye, hand,
signature, and fingerprint; each has its own advantages and disadvantages. When combined with the use of
a PIN, it can provide two-factor authentication.
QUESTION 236
In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could
only be based on physical attributes of a person. This raised the necessity of answering 2 questions:
A. what was the sex of a person and his age
B. what part of the body to be used and how to accomplish identification to be viable
C. what was the age of a person and his income level
D. what was the tone of the voice of a person and his habits
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 237
What is called the percentage of invalid subjects that are falsely accepted?
A. False Rejection Rate (FRR) or Type I Error
B. False Acceptance Rate (FAR) or Type II Error
C. Crossover Error Rate (CER)
D. True Acceptance Rate (TAR) or Type III error
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 238
Which of the following biometrics devices has the highest Crossover Error Rate (CER)?
A. Iris scan
B. Hand Geometry
C. Voice pattern
D. Fingerprints
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 239
Which of the following biometric parameters are better suited for authentication use over a long period of time?
A. Iris pattern
B. Voice pattern
C. Signature dynamics
D. Retina pattern
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 240
Which one of the following is the MOST critical characteristic of a biometrics system?
A. Acceptability
B. Accuracy
C. Throughput
D. Reliability
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: We don’t agree with the original answer, which was throughput. Granted, throughput is vital, but
Krutz lists accuracy as most important.
In addition to the accuracy of the biometric systems, there are OTHER factors that must also be considered.
These factors include the enrollment time, the throughput rate, and acceptability. – Ronald Krutz The CISSP
PREP Guide (gold edition) pg 51
QUESTION 241
Which of the following biometric devices has the lowest user acceptance level?
A. Voice recognition
B. Fingerprint scan
C. Hand geometry
D. Signature recognition
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 242
Biometric performance is most commonly measured in terms of:
A. FRR and FAR
B. FAC and ERR
C. IER and FAR
D. FRR and GIC
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Biometric performance is most commonly measured in two ways: False Rejection Rate (FRR), and False
Acceptance Rate (FAR). The FRR is the probability that you are not authenticated to access your account. A
strict definition states that the FRR is the probability that a mated comparison (i.e. 2 biometric samples of the
same finger) incorrectly determines that there is no match.
QUESTION 243
What is the most critical characteristic of a biometric identifying system?
A. Perceived intrusiveness
B. Storage requirements
C. Accuracy
D. Reliability
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 244
Which of the following biometric characteristics cannot be used to uniquely authenticate an individual’s identity?
A. Retina scans
B. Iris scans
C. Palm scans
D. Skin scans
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: Biometrics:
Fingerprints
Palm Scan
Hand Geometry
Retina Scan
Iris Scan
Signature Dynamics
Keyboard Dynamics
Voice Print
Facial Scan
Hand Topology
Pg. 128-130 Shon Harris All-In-One CISSP Certification Exam Guide
QUESTION 245
In biometric identification systems, at the beginning, it was soon apparent that truly positive identification could
only be based on physical attributes of a person. This raised the necessity of answering 2 questions:
A. What was the sex of a person and his age
B. what part of body to be used and how to accomplish identification to be viable
C. what was the age of a person and his income level
D. what was the tone of the voice of a person and his habits
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 246
You are comparing biometric systems. Security is the top priority. A low ________ is most important in this
regard.
A. FAR
B. FRR
C. MTBF
D. ERR
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
When comparing biometric systems, a low false acceptance rate is most important when security is the priority,
whereas a low false rejection rate is most important when convenience is the priority. All biometric
implementations balance these two criteria. Some systems use very high FARs, such as 1 in 300. This means
that the likelihood that the system will accept someone other than the enrolled user is 1 in 300. However, the
likelihood that the system will reject the enrolled user (its FRR) is very low, giving ease of use but low
security. Most fingerprint systems should be able to run with FARs of 1 in 10,000 or better.
QUESTION 247
Almost all types of detection permit a system’s sensitivity to be increased or decreased during an inspection
process. To have a valid measure of the system performance:
A. The CER is used.
B. the FRR is used
C. the FAR is used
D. none of the above choices is correct
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: “When a biometric system rejects an authorized individual, it is called a Type I error. When the
system accepts impostors who should be rejected, it is called a Type II error. The goal is to obtain low numbers
for each type of error. When comparing different biometric systems, many different variables are used, but one
of the most important variables is the crossover error rate (CER). This rating is stated in a percentage and
represents the point at which the false rejection rate equals the false acceptance rate. This rating is the most
important measurement when determining the system’s accuracy.” Pg 113 Shon Harris: All-in-One CISSP
Certification
QUESTION 248
The quality of finger prints is crucial to maintain the necessary:
A. FRR
B. ERR and FAR
C. FAR
D. FRR and FAR
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Another factor that must be taken into account when determining the necessary FAR and FRR for your
organization is the actual quality of the fingerprints in your user population. ABC’s experience with several
thousand users, and the experience of its customers, indicates that a percentage of the population does not
have fingerprints of sufficient quality to allow for authentication of the individual. Approximately 2.5% of
employees fall into this group in the general office worker population. For these users, a smart card token with
password authentication is recommended.
QUESTION 249
By requiring the user to use more than one finger to authenticate, you can:
A. Provide statistical improvements in EAR.
B. Provide statistical improvements in MTBF.
C. Provide statistical improvements in FRR.
D. Provide statistical improvements in ERR.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Statistical improvements in false rejection rates can also be achieved by requiring the user to use more than
one finger to authenticate. Such techniques are referred to as flexible verification.
QUESTION 250
Which of the following is being considered as the most reliable kind of personal identification?
A. Token
B. Finger print
C. Password
D. Ticket Granting
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Every person’s fingerprint is unique and is a feature that stays with the person throughout his/her life. This
makes the fingerprint the most reliable kind of personal identification because it cannot be forgotten, misplaced,
or stolen. Fingerprint authorization is potentially the most affordable and convenient method of verifying a
person’s identity.
QUESTION 251
Which of the following methods is more microscopic and will analyze the direction of the ridges of the
fingerprints for matching?
A. None of the choices.
B. Flow direct
C. Ridge matching
D. Minutia matching
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
There are two approaches for capturing the fingerprint image for matching: minutia matching and global pattern
matching. Minutia matching is a more microscopic approach that analyzes the features of the fingerprint, such
as the location and direction of the ridges, for matching. The only problem with this approach is that it is difficult
to extract the minutiae points accurately if the fingerprint is in some way distorted. The more macroscopic
approach is global pattern matching where the flow of the ridges is compared at all locations between a pair of
fingerprint images; however, this can be affected by the direction that the image is rotated.
QUESTION 252
Which of the following are the types of eye scan in use today?
A. Retinal scans and body scans.
B. Retinal scans and iris scans.
C. Retinal scans and reflective scans.
D. Reflective scans and iris scans.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
There are two types of eye scan in use today for authentication purposes: retinal scans and iris scans. Retinal
Scan technology maps the capillary pattern of the retina, a thin (1/50th inch) nerve on the back of the eye. To
enroll, a minimum of five scans is required, which takes 45 seconds. The subject must keep his head and eye
motionless within 1/2″ of the device, focusing on a small rotating point of green light. 320 – 400 points of
reference are captured and stored in a 35-byte field, ensuring the measure is accurate with a negligible false
rejection rate.
This compares to 30-70 points of reference for a finger scan. Unfortunately, a retinal scan is considerably more
intrusive than an iris scan and many people are hesitant to use the device [Retina-scan]. In addition, a
significant number of people may be unable to perform a successful enrolment, and there exist degenerative
diseases of the retina that alter the scan results over time. Despite these disadvantages, there are several
successful implementations of this technology [Retina-scan].
QUESTION 253
Which of the following eye scan methods is considered to be more intrusive?
A. Iris scans
B. Retinal scans
C. Body scans
D. Reflective scans
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
There are two types of eye scan in use today for authentication purposes: retinal scans and iris scans. Retinal
Scan technology maps the capillary pattern of the retina, a thin (1/50th inch) nerve on the back of the eye. To
enroll, a minimum of five scans is required, which takes 45 seconds. The subject must keep his head and eye
motionless within 1/2″ of the device, focusing on a small rotating point of green light. 320 – 400 points of
reference are captured and stored in a 35-byte field, ensuring the measure is accurate with a negligible false
rejection rate.
This compares to 30-70 points of reference for a finger scan. Unfortunately, a retinal scan is considerably more
intrusive than an iris scan and many people are hesitant to use the device [Retina-scan]. In addition, a
significant number of people may be unable
to perform a successful enrolment, and there exist degenerative diseases of the retina that alter the scan
results over time. Despite these disadvantages, there are several successful implementations of this
technology [Retina-scan].
QUESTION 254
Which of the following offers greater accuracy than the others?
A. Facial recognition
B. Iris scanning
C. Finger scanning
D. Voice recognition
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Iris scanning offers greater accuracy than finger scanning, voice or facial recognition, hand geometry or
keystroke analysis. It is safer and less invasive than retinal scanning, an important legal consideration [Nuger].
Any company thinking of using biometrics would do well to ensure that they comply with existing privacy laws.
QUESTION 255
In addition to the accuracy of the biometric systems, there are other factors that must also be considered:
A. These factors include the enrollment time and the throughput rate, but not acceptability.
B. These factors do not include the enrollment time, the throughput rate, and acceptability.
C. These factors include the enrollment time, the throughput rate, and acceptability.
D. These factors include the enrollment time, but not the throughput rate, neither the acceptability.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: In addition to the accuracy of the biometric systems, there are OTHER factors that must also be
considered. These factors include the enrollment time, the throughput rate, and acceptability. -Ronald Krutz
The CISSP PREP Guide (gold edition) pg 51
QUESTION 256
What physical characteristics does a retinal scan biometric device measure?
A. The amount of light reaching the retina
B. The amount of light reflected by the retina
C. The size, curvature, and shape of the retina
D. The pattern of blood vessels at the back of the eye
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 257
Type II errors occur when which of the following biometric system rates is high?
A. False accept rate
B. False reject rate
C. Crossover error rate
D. Speed and throughput rate
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: There are three main performance issues in biometrics. These measures are as follows:
False Rejection Rate (FRR) or Type 1 Error. The percentage of valid subjects that are falsely rejected.
False Acceptance Rate (FAR) or Type 2 Error. The percentage of invalid subjects that are falsely accepted.
Crossover Error Rate (CER). The percent in which the False Rejection Rate equals the False Acceptance Rate.
pg 38 Krutz: The CISSP Prep Guide
QUESTION 258
Which of the following are the valid categories of hand geometry scanning?
A. Electrical and image-edge detection.
B. Mechanical and image-edge detection.
C. Logical and image-edge detection.
D. Mechanical and image-ridge detection.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Hand geometry reading (scanning) devices usually fall into one of two categories:
mechanical or image-edge detection. Both methods are used to measure specific characteristics of a person’s
hand such as length of fingers and thumb, widths, and depth.
QUESTION 259
In the world of keystroke dynamics, what represents the amount of time you hold down a particular key?
A. Dwell time
B. Flight time
C. Dynamic time
D. Systems time
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Keystroke dynamics looks at the way a person types at a keyboard. Specifically, keyboard dynamics measures
two distinct variables: “dwell time” which is the amount of time you hold down a particular key and “flight time”
which is the amount of time it takes a person to switch between keys. Keyboard dynamics systems can
measure one’s keyboard input up to 1000 times per second.
QUESTION 260
In the world of keystroke dynamics, what represents the amount of time it takes a person to switch between
keys?
A. Dynamic time
B. Flight time
C. Dwell time
D. Systems time.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Keystroke dynamics looks at the way a person types at a keyboard. Specifically, keyboard dynamics measures
two distinct variables: “dwell time” which is the amount of time you hold down a particular key and “flight time”
which is the amount of time it takes a person to switch between keys. Keyboard dynamics systems can
measure one’s keyboard input up to 1000 times per second.
QUESTION 261
Which of the following are the benefits of Keystroke dynamics?
A. Low cost
B. Unintrusive device
C. Transparent
D. All of the choices.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Keystroke dynamics is behavioral in nature. It works well with users that can “touch type”. Key advantages in
applying keyboard dynamics are that the device used in this system, the keyboard, is unintrusive and does not
detract from one’s work. Enrollment as well as identification goes undetected by the user. Another inherent
benefit to using keystroke dynamics as an identification device is that the hardware (i.e. keyboard) is
inexpensive. Currently, plug-in boards, built-in hardware and firmware, or software can represent keystroke
dynamics systems.
QUESTION 262
DSV as an identification method checks against a user’s:
A. Fingerprints
B. Signature
C. Keystrokes
D. Facial expression
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Signature identification, also known as Dynamic Signature Verification (DSV), is another natural fit in the world
of biometrics since identification through one’s signature occurs during many everyday transactions. Any
process or transaction that requires an individual’s signature is a prime contender for signature identification.
QUESTION 263
Signature identification systems analyze what areas of an individual’s signature?
A. All of the choices EXCEPT the signing rate.
B. The specific features of the signature.
C. The specific features of the process of signing one’s signature.
D. The signature rate.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Signature identification systems analyze two different areas of an individual’s signature: the specific features of
the signature and specific features of the process of signing one’s signature. Features that are taken into
account and measured include speed, pen pressure, directions, stroke length, and the points in time when the
pen is lifted from the paper.
QUESTION 264
What are the advantages to using voice identification?
A. All of the choices.
B. Timesaving
C. Reliability
D. Flexibility
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The many advantages to using voice identification include:
Considered a “natural” biometric technology
Provides eyes and hands-free operation
Reliability
Flexibility
Timesaving data input
Eliminates spelling errors
Improved data accuracy
QUESTION 265
What are the methods used in the process of facial identification?
A. None of the choices.
B. Detection and recognition.
C. Scanning and recognition.
D. Detection and scanning.
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The process of facial identification incorporates two significant methods: detection and recognition.
QUESTION 266
In the process of facial identification, the basic underlying recognition technology of facial identification involves:
A. Eigenfeatures of eigenfaces.
B. Scanning and recognition.
C. Detection and scanning.
D. None of the choices.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Recognition is comparing the captured face to other faces that have been saved and stored in a database. The
basic underlying recognition technology of facial feature identification involves either eigenfeatures (facial
metrics) or eigenfaces. The German word “eigen” refers to recursive mathematics used to analyze unique facial
characteristics.
QUESTION 267
What is known as the probability that you are not authenticated to access your account?
A. ERR
B. FRR
C. MTBF
D. FAR
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Biometric performance is most commonly measured in two ways: False Rejection Rate (FRR), and False
Acceptance Rate (FAR). The FRR is the probability that you are not authenticated to access your account. A
strict definition states that the FRR is the probability that a mated comparison (i.e. 2 biometric samples of the
same finger) incorrectly determines that there is no match.
QUESTION 268
What is known as the chance that someone other than you is granted access to your account?
A. ERR
B. FAR
C. FRR
D. MTBF
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The FAR is the chance that someone other than you is granted access to your account, in other words, the
probability that a non-mated comparison (i.e. two biometric samples of different fingers) match. FAR and FRR
numbers are generally expressed in terms of probability.
Note:
* false accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input
pattern to a non-matching template in the database. It measures the percent of invalid inputs which are
incorrectly accepted.
* false reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match
between the input pattern and a matching template in the database. It measures the percent of valid inputs
which are incorrectly rejected.
FRR is a Type 1 error
FAR is a Type 2 error
QUESTION 269
What is typically used to illustrate the comparative strengths and weaknesses of each biometric technology?
A. Decipher Chart
B. Zephyr Chart
C. Cipher Chart
D. Zapper Chart
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The Zephyr Chart illustrates the comparative strengths and weaknesses of each biometric technology. The
eight primary biometric technologies are listed around the outer border, and for each technology the four major
evaluation criteria are ranked from outside (better) to inside (worse). Looking at dynamic signature verification
(DSV) will illustrate how the Zephyr Chart works.
QUESTION 270
In terms of the order of effectiveness, which of the following technologies is the most effective?
A. Fingerprint
B. Iris scan
C. Keystroke pattern
D. Retina scan
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The order of effectiveness has not changed for a few years. It is still the same today as it was three years ago.
The list below presents them from most effective to least effective:
Iris scan
Retina scan
Fingerprint
Hand geometry
Voice pattern
Keystroke pattern
Signature
QUESTION 271
In terms of the order of effectiveness, which of the following technologies is the least effective?
A. Voice pattern
B. Signature
C. Keystroke pattern
D. Hand geometry
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The order of effectiveness has not changed for a few years. It is still the same today as it was three years ago.
The list below presents them from most effective to least effective:
Iris scan
Retina scan
Fingerprint
Hand geometry
Voice pattern
Keystroke pattern
Signature
QUESTION 272
In terms of the order of acceptance, which of the following technologies is the MOST accepted?
A. Hand geometry
B. Keystroke pattern
C. Voice Pattern
D. Signature
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The order of acceptance has slightly changed in the past years. It was Iris that was the most accepted method
three years ago but today we have Voice Pattern that is by far the most accepted. Here is the list from most
accepted first to least accepted at the bottom of the list:
Voice Pattern
Keystroke pattern
Signature
Hand geometry
Handprint
Fingerprint
Iris
Retina pattern
QUESTION 273
In terms of the order of acceptance, which of the following technologies is the LEAST accepted?
A. Fingerprint
B. Iris
C. Handprint
D. Retina patterns
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The order of acceptance has slightly changed in the past years. It was Iris that was the most accepted method
three years ago but today we have Voice Pattern that is by far the most accepted. Here is the list from most
accepted first to least accepted at the bottom of the list:
Voice Pattern
Keystroke pattern
Signature
Hand geometry
Handprint
Fingerprint
Iris
Retina pattern
QUESTION 274
Which of the following biometric characteristics cannot be used to uniquely authenticate an individual’s identity?
A. Retina scans
B. Iris scans
C. Palm scans
D. Skin scans
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 275
Which of the following is true of two-factor authentication?
A. It uses the RSA public-key signature based algorithm on integers with large prime factors
B. It requires two measurements of hand geometry
C. It does not use single sign-on technology
D. It relies on two independent proofs of identity
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 276
What is Kerberos?
A. A three-headed dog from Egyptian Mythology
B. A trusted third-party authentication protocol
C. A security model
D. A remote authentication dial in user server
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 277
Which of the following is true about Kerberos?
A. It utilizes public key cryptography
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text
C. It depends upon symmetric ciphers
D. It is a second party authentication system
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Kerberos relies upon symmetric key cryptography, specifically Data Encryption Standard (DES),
and provides end-to-end security for authentication traffic between the client and the Key Distribution Center
(KDC).” Pg. 15 Tittel: CISSP Study Guide
QUESTION 278
Kerberos depends upon what encryption method?
A. Public Key cryptography
B. Private Key cryptography
C. El Gamal cryptography
D. Blowfish cryptography
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation: Kerberos uses symmetric key cryptography and provides end-to-end security, meaning that
information being passed between a user and a service is protected without the need of an intermediate
component. Although it allows the use of passwords for authentication, it was designed specifically to eliminate
the need for transmitting passwords over the network. Most Kerberos implementations work with cryptography
keys and shared secret keys (private keys) instead of passwords. Pg 148 Shon Harris All-In-One CISSP
Certification Exam Guide
QUESTION 279
The primary service provided by Kerberos is which of the following?
A. non-repudiation
B. confidentiality
C. authentication
D. authorization
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 280
Which of the following are authentication server systems with operational modes that can implement SSO?
A. Kerberos, SESAME and KryptoKnight
B. SESAME, KryptoKnight and NetSP
C. Kerberos and SESAME
D. Kerberos, SESAME, KryptoKnight, and NetSP
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Scripts, directory services, thin clients, Kerberos, SESAME, NetSP, scripted access, and
KryptoKnight are examples of SSO (single sign on) mechanisms.”
Pg. 14 Tittel: CISSP Study Guide Second Edition
QUESTION 281
Which of the following is a trusted, third party authentication protocol that was developed under Project Athena
at MIT?
A. Kerberos
B. SESAME
C. KryptoKnight
D. NetSP
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Kerberos is an authentication protocol and was designed in the mid-1980s as part of MIT’s
Project Athena.” Pg 129 Shon Harris: All-in-One CISSP Certification
QUESTION 282
Which of the following is true about Kerberos?
A. It utilizes public key cryptography
B. It encrypts data after a ticket is granted, but passwords are exchanged in plain text.
C. It depends upon symmetric ciphers
D. It is a second party authentication system
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 283
One of the differences between Kerberos and KryptoKnight is that there is:
A. a mapped relationship among the parties takes place
B. there is a peer-to-peer relationship among the parties with themselves.
C. there is no peer-to-peer relationship among the parties and the KDC
D. a peer-to-peer relationship among the parties and the KDC
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation: “KryptoKnight
The IBM KryptoKnight system provides authentication, SSO, and key distribution services. It was designed to
support computers with widely varying computational capabilities. KryptoKnight uses a trusted Key Distribution
Center (KDC) that knows the secret key of each party. One of the differences between Kerberos and
KryptoKnight is that there is a peer-to-peer relationship among the parties and the KDC.”
Pg. 58 Krutz: The CISSP Prep Guide: Gold Edition
QUESTION 284
Which of the following is the MOST secure network access control procedure to adopt when using a callback
device?
A. The user enters a userid and PIN, and the device calls back the telephone number that corresponds to the
userid.
B. The user enters a userid, PIN, and telephone number, and the device calls back the telephone number
entered.
C. The user enters the telephone number, and the device verifies that the number exists in its database before
calling back.
D. The user enters the telephone number, and the device responds with a challenge.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation: Usually a request for a username and password takes place and the NAS may hang up the call in
order to call the user back at a predefined phone number. This is a security activity that is used to try and
ensure that only authenticated users are given access to the network and it reverses the long distance charges
back to the company…However, this security measure can be compromised if someone implements call
forwarding. – Shon Harris All-in-one CISSP Certification Guide pg 463
QUESTION 285
What is called the access protection system that limits connections by calling back the number of a previously
authorized location?
A. Sendback system
B. Callback forward systems
C. Callback systems
D. Sendback forward systems
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: “Callback systems provide access protection by calling back the number of a previously authorized
location, but this control can be compromised by call forwarding.” Pg 48 Krutz: CISSP Prep Guide: Gold Edition.
QUESTION 286
A confidential number to verify a user’s identity is called a:
A. PIN
B. userid
C. password
D. challenge
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 287
How are memory cards and smart cards different?
A. Memory cards normally hold more memory than smart cards
B. Smart cards provide a two-factor authentication whereas memory cards don’t
C. Memory cards have no processing power
D. Only smart cards can be used for ATM cards
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation: “The main difference between memory cards and smart cards is the processing power. A memory
card holds information, but does not process information. A smart card has the necessary hardware and logic
to actually process information.” Pg 121 Shon Harris CISSP All-In- One Exam Guide
QUESTION 288
Devices in the form of credit-card-size memory cards or smart cards, or those resembling small calculators,
used to supply static and dynamic passwords are called:
A. Tickets
B. Tokens
C. Token passing networks
D. Coupons
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 289
Tokens, as a way to identify users, are subject to what type of error?
A. Token error
B. Decrypt error
C. Human error
D. Encrypt error
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Tokens are a fantastic way of ensuring the identity of a user. However, you must remember that no system is
immune to “human error”. If the token is lost with its PIN written on it, or if it were loaned with the corresponding
PIN, it would allow for masquerading. This is one of the greatest threats that you have with tokens.
QUESTION 290
Which of the following factors may render a token based solution unusable?
A. Token length
B. Card size
C. Battery lifespan
D. None of the choices.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Another limitation of some of the tokens is their battery lifespan. For example, in the case of SecurID you have
a token that has a battery that will last from 1 to 3 years depending on the type of token you acquired. Some
token companies such as Cryptocard have introduced tokens that have a small battery compartment allowing
you to change the battery when it is discharged.
QUESTION 291
Memory only cards work based on:
A. Something you have.
B. Something you know.
C. None of the choices.
D. Something you know and something you have.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Memory Only Card – This type of card is the most common card. It has a magnetic stripe on the back. These
cards can offer two-factor authentication, the card itself (something you have) and the PIN (something you
know). Everyone is familiar with the use of an ATM (Automated Teller Machine) card. These memory cards are
very easy to counterfeit. There was a case in Montreal where a storeowner would swipe the card through for
the transaction; he would then swipe it through a card reader to get a copy, while a small hidden camera was
registering the PIN as the user was punching it on the pad. This scheme was quickly identified as the victims
had one point in common; they all visited the same store.
QUESTION 292
Which of the following is a disadvantage of a memory only card?
A. High cost to develop.
B. High cost to operate.
C. Physically infeasible.
D. Easy to counterfeit.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Memory Only Card – This type of card is the most common card. It has a magnetic stripe on the back. These
cards can offer two-factor authentication, the card itself (something you have) and the PIN (something you
know). Everyone is familiar with the use of an ATM (Automated Teller Machine) card. These memory cards are
very easy to counterfeit. There was a case in Montreal where a storeowner would swipe the card through for
the transaction; he would then swipe it through a card reader to get a copy, while a small hidden camera was
registering the PIN as the user was punching it on the pad. This scheme was quickly identified as the victims
had one point in common; they all visited the same store.
QUESTION 293
The word “smart card” has meanings of:
A. Personal identity token containing IC-s.
B. Processor IC card.
C. IC card with ISO 7816 interface.
D. All of the choices.
Correct Answer: D
Section: (none)
Explanation
Explanation/Reference:
Explanation:
The word “smart card” has four different meanings (in order of usage frequency):
IC card with ISO 7816 interface
Processor IC card
Personal identity token containing IC-s
Integrated Circuit(s) Card is an ID-1 type (specified in ISO 7810) card, into which has been inserted one or
more integrated circuits. [ISO 7816]
QUESTION 294
Processor card contains which of the following components?
A. Memory and hard drive.
B. Memory and flash.
C. Memory and processor.
D. Cache and processor.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Processor cards contain memory and a processor. They have remarkable data processing capabilities. Very
often the data processing power is used to encrypt/decrypt data, which makes this type of card a very unique
personal identification token. Data processing also permits dynamic storage management, which enables the
realization of flexible multifunctional cards.
QUESTION 295
Which of the following offers advantages such as the ability to use stronger passwords, easier password
administration, and faster resource access?
A. Smart cards
B. Single Sign-on (SSO)
C. Kerberos
D. Public Key Infrastructure (PKI)
Correct Answer: B
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 296
What is the main concern with single sign-on?
A. Maximum unauthorized access would be possible if a password is disclosed
B. The security administrator’s workload would increase
C. The users’ password would be too hard to remember
D. User access rights would be increased
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 297
Which of the following describes the major disadvantage of many SSO implementations?
A. Once a user obtains access to the system through the initial log-on they can freely roam the network
resources without any restrictions
B. The initial logon process is cumbersome to discourage potential intruders
C. Once a user obtains access to the system through the initial log-on, they only need to logon to some
applications.
D. Once a user obtains access to the system through the initial log-on, he has to logout from all other systems
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Reference: “The major disadvantage of many SSO implementations is that once a user obtains access to the
system through the initial logon, the user can freely roam the network resources without any restrictions.” pg 53
Krutz: CISSP Prep Guide: Gold Edition
QUESTION 298
Which of the following addresses cumbersome situations where users need to log on multiple times to access
different resources?
A. Single Sign-On (SSO) systems
B. Dual Sign-On (DSO) systems
C. Double Sign-On (DS0) systems
D. Triple Sign-On (TSO) systems
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
QUESTION 299
A method for a user to identify and present credentials only once to a system is known as:
A. SEC
B. IPSec
C. SSO
D. SSL
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Single Sign-On (SSO) – This is a method for a user to identify and present credentials only once to a system.
Information needed for future system access to resources is forwarded by the initial system.
BENEFITS
More efficient user log-on process
Users select stronger passwords
Inactivity timeout and attempt thresholds applied uniformly closer to user point of entry
Improved timely disabling of all network/computer accounts for terminated users
QUESTION 300
Which of the following correctly describes the features of SSO?
A. More efficient log-on.
B. More costly to administer.
C. More costly to setup.
D. More key exchanging involved.
Correct Answer: A
Section: (none)
Explanation
Explanation/Reference:
Explanation:
Single Sign-On (SSO) – This is a method for a user to identify and present credentials only once to a system.
Information needed for future system access to resources is forwarded by the initial system.
BENEFITS
More efficient user log-on process
Users select stronger passwords
Inactivity timeout and attempt thresholds applied uniformly closer to user point of entry
Improved timely disabling of all network/computer accounts for terminated users
QUESTION 301
What is the PRIMARY advantage of using a separate authentication server (e.g., Remote Access Dial-In User
System, Terminal Access Controller Access Control System) to authenticate dial-in users?
A. Single user logons are easier to manage and audit.
B. Each session has a unique (one-time) password assigned to it.
C. Audit and access information are not kept on the access server.
D. Call-back is very difficult to defeat.
Correct Answer: C
Section: (none)
Explanation
Explanation/Reference:
Explanation:
TACACS integrates the authentication and authorization processes. XTACACS keeps the authentication,
authorization and accounting processes separate. TACACS+ improves XTACACS by adding two-factor
authentication. – Ed Tittel CISSP Study Guide (sybex) pg 745