Main course book: Chapple M. (ISC)2 CISSP Certified IS...Study Guide 9ed 2021.pdf

672 Chapter 13: Managing Identity and Authentication

Review Questions

1. An organization is considering creating a cloud-based federation using a third-party service to share federated identities. After it's completed, what will people use as their login ID?

A. Their normal account

B. An account given to them from the cloud-based federation

C. Hybrid identity management

D. Single sign-on

2. Which of the following best expresses the primary goal when controlling access to assets?

A. Preserve confidentiality, integrity, and availability of systems and data.

B. Ensure that only valid objects can authenticate on a system.

C. Prevent unauthorized access to subjects.

D. Ensure that all subjects are authenticated.

3. Which of the following is true related to a subject?

A. A subject is always a user account.

B. The subject is always the entity that provides or hosts information or data.

C. The subject is always the entity that receives information about or data from an object.

D. A single entity can never change roles between subject and object.

4. Based on advice from the National Institute of Standards and Technology (NIST), when should regular users be required to change their passwords?

A. Every 30 days

B. Every 60 days

C. Every 90 days

D. Only if the current password is compromised

5. Security administrators have learned that users are switching between two passwords. When the system prompts them to change their password, they use the second password. When the system prompts them to change their password again, they use the first password. What can prevent users from rotating between two passwords?

A. Password complexity

B. Password history

C. Password length

D. Password age
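The two-password rotation in question 5 is defeated by keeping the hashes of previous passwords and re-hashing each candidate against them. The following is an added worked example (not code from the study guide); it assumes a hypothetical directory that stores PBKDF2-HMAC-SHA256 hashes with per-password salts, a `PasswordPolicy` object for the history depth, and a minimum password age, which is included because a history check alone can be cycled through in one sitting to get back to the original password.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 with a random 16-byte salt per stored password
# stands in for whatever hasher the real directory service uses.
PBKDF2_ITERATIONS = 100_000
DAY = 86_400


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class PasswordPolicy:
    """Hypothetical policy: how many hashes to retain (current one included) and
    how long a password must be kept before it may be changed again."""

    def __init__(self, history_size: int = 5, min_age_seconds: int = DAY):
        self.history_size = history_size
        self.min_age_seconds = min_age_seconds


class Account:
    """Stores only (salt, digest) pairs, newest last; the last entry is the current password."""

    def __init__(self, username: str, password: str, now: int):
        self.username = username
        self.history: list[tuple[bytes, bytes]] = []
        self.last_change = now
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, hash_password(password, salt)))

    def verify(self, password: str) -> bool:
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(password, salt), digest)

    def change_password(self, old: str, new: str, now: int, policy: PasswordPolicy) -> str:
        """Returns 'ok', 'bad-old-password', 'too-soon' or 'reused'."""
        if not self.verify(old):
            return "bad-old-password"
        # Minimum age: without it a user can burn through the whole history in a
        # few minutes and land back on the password they started with.
        if now - self.last_change < policy.min_age_seconds:
            return "too-soon"
        # Password history: the candidate is re-hashed with every retained salt,
        # so the check works without ever storing a plaintext password.
        for salt, digest in self.history:
            if hmac.compare_digest(hash_password(new, salt), digest):
                return "reused"
        self._store(new)
        self.history = self.history[-policy.history_size:]
        self.last_change = now
        return "ok"


if __name__ == "__main__":
    policy = PasswordPolicy(history_size=3)
    acct = Account("sally", "Winter-2024!", now=0)
    print(acct.change_password("Winter-2024!", "Spring-2024!", now=2 * DAY, policy=policy))
    print(acct.change_password("Spring-2024!", "Winter-2024!", now=4 * DAY, policy=policy))
```

With `history_size=3` the user in the question cannot return to a password until three newer ones have been set, and the minimum age forces those three changes to be spread over at least three days.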

6. Which of the following best identifies the benefit of a passphrase?

A. It is short.

B. It is easy to remember.

C. It includes a single set of characters.

D. It is easy to crack.

7. Your organization issues devices to employees. These devices generate one-time passwords every 60 seconds. A server hosted within the organization knows what this password is at any given time. What type of device is this?

A. Synchronous token

B. Asynchronous token

C. Smartcard

D. Common access card

8. What does the CER for a biometric device indicate?

A. It indicates that the sensitivity is too high.

B. It indicates that the sensitivity is too low.

C. It indicates the point where the false rejection rate equals the false acceptance rate.

D. When high enough, it indicates the biometric device is highly accurate.

9. Sally has a user account and has previously logged on using a biometric system. Today, the biometric system didn't recognize her, so she wasn't able to log on. What does this describe?

A. False rejection

B. False acceptance

C. Crossover error

D. Equal error
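Questions 8 and 9 turn on how a matching threshold trades false acceptances against false rejections. The block below is an added illustration, not material from the study guide: it takes constructed matcher scores for genuine users and impostors, computes FAR and FRR at each threshold, and sweeps the threshold to find the crossover point where the two rates meet. The score lists, the 0..1 score scale and the step size of the sweep are all assumptions made for the example.

```python
from typing import Sequence

# Constructed similarity scores (0 = no match, 1 = identical). A genuine score is
# a legitimate user against their own template; an impostor score is someone else
# against that template. Real systems would have thousands of each.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.80, 0.76, 0.70, 0.66, 0.58, 0.52, 0.40]
IMPOSTOR_SCORES = [0.10, 0.20, 0.30, 0.38, 0.45, 0.50, 0.56, 0.62, 0.68, 0.75]


def error_rates(threshold: float,
                genuine: Sequence[float] = GENUINE_SCORES,
                impostor: Sequence[float] = IMPOSTOR_SCORES) -> tuple[float, float]:
    """FAR: share of impostors scoring at or above the threshold (wrongly accepted).
    FRR: share of genuine users scoring below it (wrongly rejected, Sally's case in Q9)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine: Sequence[float] = GENUINE_SCORES,
                         impostor: Sequence[float] = IMPOSTOR_SCORES,
                         steps: int = 20) -> tuple[float, float, float]:
    """Sweep the threshold from 0 to 1 and return (threshold, far, frr) at the point
    where FAR and FRR are closest; that rate is the CER (also called EER)."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, far, frr


if __name__ == "__main__":
    for t in (0.4, 0.6, 0.8):
        far, frr = error_rates(t)
        print(f"threshold={t:.2f}  FAR={far:.1f}  FRR={frr:.1f}")
    print("crossover:", crossover_error_rate())
```

Raising the threshold (making the device more sensitive) drives FAR toward zero while FRR climbs, and lowering it does the reverse; the CER is simply the rate at the threshold where the two curves cross, which is why it is used to compare devices independently of how each one happens to be tuned.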

10. Users log on with a username when accessing the company network from home. Management wants to implement a second factor of authentication for these users. They want a secure solution, but they also want to limit costs. Which of the following best meets these requirements?

A. Short Message Service (SMS)

B. Fingerprint scans

C. Authenticator app

D. Personal identification number (PIN)

11. Which of the following provides authentication based on a physical characteristic of a subject?

A. Account ID

B. Biometrics

C. Token

D. PIN

12. Fingerprint readers match minutiae from a fingerprint with data in a database. Which of the following accurately identify fingerprint minutiae? (Choose three.)

A. Vein pattern

B. Ridges

C. Bifurcations

D. Whorls

13. An organization wants to implement biometrics for authentication, but management doesn't want to use fingerprints. Which of the following is the most likely reason why management doesn't want to use fingerprints?

A. Fingerprints can be counterfeited.

B. Fingerprints can be changed.

C. Fingerprints aren't always available.

D. Registration takes too long.

14. Which of the following items are required to ensure logs accurately support accountability? (Choose two.)

A. Identification

B. Authorization

C. Auditing

D. Authentication

15. Management wants to ensure that an IT network supports accountability. Which of the following is necessary to meet this requirement?

A. Identification

B. Integrity

C. Authentication

D. Confidentiality

16. A company's security policy states that user accounts should be disabled during the exit interview for any employee leaving the company. Which of the following is the most likely reason for this policy?

A. To remove the account

B. To remove privileges assigned to the account

C. To prevent sabotage

D. To encrypt user data

17. When employees leave an organization, personnel either delete or disable accounts. In which of the following situations would they most likely delete an account?

A. An administrator who has used their account to run services left the organization.

B. A disgruntled employee who encrypted files with their account left the organization.

C. An employee has left the organization and will start a new job tomorrow.

D. A temporary employee using a shared account will not return to the organization.

18. Karen is taking maternity leave and will be away from the job for at least 12 weeks. Which of the following actions should be taken while she is taking this leave of absence?

A. Delete the account.

B. Reset the account's password.

C. Do nothing.

D. Disable the account.

19. Security investigators discovered that after attackers exploited a database server, they identified the password for the sa account. They then used this to access other servers in the network. What can be implemented to prevent this from happening in the future?

A. Account deprovisioning

B. Disabling an account

C. Account access review

D. Account revocation

20. Fred, an administrator, has been working within an organization for over 10 years. He previously maintained database servers while working in a different division. He now works in the programming department but still retains privileges on the database servers. He recently modified a setting on a database server so that a script he wrote will run. Unfortunately, his change disabled the server for several hours before database administrators discovered the change and reversed it. Which of the following could have prevented this outage?

A. A policy requiring strong authentication

B. Multifactor authentication

C. Logging

D. Account access review

Chapter 14: Controlling and Monitoring Access

THE CISSP EXAM TOPICS COVERED IN THIS CHAPTER INCLUDE:

Domain 3.0: Security Architecture and Engineering

- 3.7 Understand methods of cryptanalytic attacks
  - 3.7.11 Pass the hash
  - 3.7.12 Kerberos exploitation

Domain 5.0: Identity and Access Management (IAM)

- 5.4 Implement and manage authorization mechanisms
  - 5.4.1 Role Based Access Control (RBAC)
  - 5.4.2 Rule based access control
  - 5.4.3 Mandatory Access Control (MAC)
  - 5.4.4 Discretionary Access Control (DAC)
  - 5.4.5 Attribute Based Access Control (ABAC)
  - 5.4.6 Risk based access control
- 5.5 Manage the identity and access provisioning lifecycle
  - 5.5.4 Privilege escalation (e.g., managed service accounts, use of sudo, minimizing its use)
- 5.6 Implement authentication systems
  - 5.6.1 OpenID Connect (OIDC)/Open Authorization (OAuth)
  - 5.6.2 Security Assertion Markup Language (SAML)
  - 5.6.3 Kerberos
  - 5.6.4 Remote Authentication Dial-In User Service (RADIUS)/Terminal Access Controller Access Control System Plus (TACACS+)
