04 Identity & Access Management
Mini Quiz Answers

Question 1: An organization is revising its password policy to align with modern NIST guidelines. Which approach BEST reflects these updated guidelines?

  • A. Enforcing maximum password age of 30 days regardless of compromise status. This goes against modern NIST guidelines which recommend against mandatory periodic password changes unless there is evidence of compromise, as forced changes lead to predictable patterns and weaker passwords.
  • B. Requiring at least one uppercase letter, one lowercase, one number, and one special character. NIST no longer recommends complexity requirements because they result in users choosing predictable substitutions (like "Password1!") that are easily cracked while being hard to remember.
  • C. Only require password changes if compromise is suspected. This aligns with current NIST guidelines which advocate for checking passwords against breached credential lists and eliminating arbitrary expiration periods, changing passwords only when there is indication of compromise.
  • D. Requiring memorization of unique complex passwords for each system. This is contrary to NIST recommendations which encourage the use of password managers rather than human memorization, as humans cannot reliably memorize unique complex passwords for dozens of systems.

Question 2: An employee has been using the same password across 15 different websites. After one site is breached, attackers use the stolen credentials to access the employee's corporate email. Which solution would have prevented this credential-stuffing attack while maintaining usability?

  • A. Implementing shorter password expiration cycles. Shorter expiration cycles do not prevent credential stuffing attacks and actually encourage poor password practices like minor variations, and modern guidelines recommend against arbitrary password aging.
  • B. Deploying an enterprise password manager to generate and store unique passwords for each website. A password manager creates strong, unique passwords for every site, preventing credential stuffing attacks where breached passwords from one site are used on others, while the user only needs to remember one master password.
  • C. Requiring employees to write passwords in encrypted notebooks. While better than plaintext, physical notebooks are easily lost, stolen, or copied, and do not provide the security or convenience of a password manager.
  • D. Mandating passwords contain at least 16 random special characters. While long passwords are good, requiring humans to memorize multiple unique 16-character random strings is impractical and will result in them writing them down or reusing patterns, whereas a password manager automates this.

Question 3: A company wants to eliminate passwords entirely because employees consistently choose weak, guessable passwords or add predictable numbers to common words. They plan to implement authentication using hardware security keys that use public-key cryptography. Which technology BEST enables this passwordless approach?

  • A. SMS-based one-time passwords. SMS is not passwordless, requires a password or PIN to be set up initially, and is vulnerable to SIM swapping and interception, plus it doesn't use hardware-based public-key cryptography.
  • B. FIDO2-based keys. FIDO2/WebAuthn enables true passwordless authentication using hardware security keys that perform public-key cryptography where the private key never leaves the device, verifying the user is on the legitimate site and not a phishing site.
  • C. TOTP software tokens. TOTP is not passwordless as it typically acts as a second factor alongside a password, and software tokens store secrets that can be extracted, unlike hardware-bound FIDO2 keys.
  • D. Biometric fingerprint scanners. While biometrics provide authentication, they are not the passwordless technology described; FIDO2 uses hardware authenticators that may incorporate biometrics but rely on public-key cryptography, whereas standalone biometrics don't prevent phishing.

Question 4: A user logs into their bank by entering a password (something they know) and then approving a push notification on their phone (something they have). Which term describes this situation?

  • A. SSO. Single Sign-On allows access to multiple applications with one set of credentials, but it does not describe the use of multiple authentication factors like passwords and push notifications.
  • B. MFA. Multifactor Authentication requires two or more different authentication factors (something you know like a password, and something you have like a phone for push notifications) to verify identity.
  • C. Federation. Federation involves trust relationships between organizations to share authentication across domains, not the specific use of multiple authentication factors for a single login.
  • D. Transitive Trust. Transitive trust is a concept where if A trusts B and B trusts C, then A trusts C, which is unrelated to the use of multiple authentication factors.

Question 5: One of the company’s accountants submitted a ticket stating they could not access a particular section of the accounting software. Why might the accountant not have access to every part of the accounting software?

  • A. The software is not properly licensed. Software licensing affects legal usage rights but does not determine which sections of the software a user can access within the application.
  • B. The company is using discretionary access control. While DAC allows owners to set permissions, it doesn't specifically explain why an accountant is restricted to only necessary functions; least privilege is the specific principle explaining limited access.
  • C. The company has applied the principle of least privilege. The principle of least privilege restricts users to only the minimum levels of access—or permissions—needed to perform their job functions, explaining why the accountant cannot access all sections.
  • D. The software has not been updated and it contains a zero-day. A zero-day vulnerability is an unpatched security flaw, not a reason for restricting legitimate user access to application features.

Question 6: An organization wishes to implement a ticket-based protocol for a Windows network that will manage authentication and authorization in a single centralized service. Which standard protocol would they use?

  • A. Kerberos. Kerberos is the standard ticket-based authentication protocol used in Windows networks that provides centralized authentication and authorization through a Key Distribution Center, using tickets to grant access to resources without retransmitting passwords.
  • B. WebAuthn. WebAuthn is a web API standard for passwordless authentication in browsers, not a Windows network protocol for general authentication and authorization services.
  • C. SAML. SAML is an XML-based standard for exchanging authentication and authorization data between identity providers and service providers, typically used for web-based SSO, not for Windows network authentication.
  • D. LDAP. LDAP is a protocol for accessing and maintaining distributed directory information services, used for reading and writing directory data, but it is not a ticket-based authentication protocol like Kerberos.

Question 7: A government agency requires employees to insert a smartcard into their workstations and enter a PIN to decrypt emails. The private key cannot be exported from the smartcard's secure chip. Which authentication factor combination does this represent?

  • A. Something you know and something you are. This describes a combination like a password and a fingerprint, but the smartcard is something you have, not something you are (biometric).
  • B. Something you have and something you know. The smartcard is something the user possesses (something they have), and the PIN is knowledge (something they know), combining two distinct authentication factors.
  • C. Something you are and somewhere you are. This would describe biometrics plus location-based authentication, but the scenario involves a physical token and a PIN.
  • D. Something you have and something you do. This would describe a token plus a behavioral biometric like typing pattern, but the PIN is knowledge-based, not an action-based characteristic.

Question 8: A high-security facility installs fingerprint scanners at entry points. During testing, the system occasionally grants access to unauthorized individuals whose fingerprints are not in the database. Which biometric error rate metric describes this specific failure mode?

  • A. Type I Error. Type I Error (False Rejection) occurs when the system denies access to an authorized user, which is the opposite of granting access to an unauthorized individual.
  • B. Type II Error. Type II Error (False Acceptance) occurs when the system incorrectly grants access to an unauthorized individual whose biometric does not match, which matches the scenario described.
  • C. Crossover Error Rate. The Crossover Error Rate is the point at which the False Acceptance Rate equals the False Rejection Rate, not the specific error of allowing unauthorized access.
  • D. Failure to Enroll Rate. Failure to Enroll Rate measures the percentage of users who cannot successfully register their biometric template initially, not the rate of incorrectly granting access.

Question 9: A company is evaluating facial recognition for building access but is concerned about processing delays during peak hours, potential privacy violations from storing biometric templates, and compliance with accessibility laws for employees with facial differences. Which three concerns align with the discussed biometric evaluation criteria?

  • A. Cost, collision resistance, and entropy. Collision resistance and entropy are concepts related to cryptographic hashing and key generation, not biometric evaluation criteria.
  • B. Throughput, privacy, and accessibility. Throughput refers to processing speed during peak hours, privacy concerns involve storing and protecting biometric templates, and accessibility ensures compliance with laws for people with disabilities or facial differences.
  • C. Availability, integrity, and confidentiality. These are the three components of the CIA triad for information security, not specific biometric evaluation criteria for physical access systems.
  • D. Key length, algorithm strength, and revocation. These are criteria for evaluating cryptographic systems and PKI, not for assessing biometric authentication systems.

Question 10: In a Windows environment, permissions are assigned based on a user's department and job function (e.g., "Accounting-ReadOnly" or "IT-Admin"), making it easy to modify access for entire groups when employees change roles. Which access control model and management technique does this describe?

  • A. MAC with security labels. Mandatory Access Control uses security labels (like Top Secret/Secret) assigned by the system, not roles based on department and job function.
  • B. RBAC using security groups. Role-Based Access Control assigns permissions based on job roles (like Accounting-ReadOnly) and uses security groups to manage large numbers of accounts efficiently, allowing easy modification when employees change roles.
  • C. DAC with Access Control Lists. Discretionary Access Control allows resource owners to determine who has access, rather than using predefined roles and security groups based on job functions.
  • D. Rule-based Access Control with time restrictions. Rule-based access control applies permissions based on system-wide rules (like time of day), not on user roles or group memberships.

Question 11: A user creates a spreadsheet on a shared drive and manually sets permissions to allow specific colleagues to edit it while restricting others to read-only access. As the resource owner, the user determines who can access the file. Which access control model is in use?

  • A. MAC. Mandatory Access Control is system-enforced based on security labels and classifications, not determined by the resource owner.
  • B. RBAC. Role-Based Access Control assigns permissions based on predefined roles, not at the discretion of the individual resource owner.
  • C. DAC. Discretionary Access Control allows the owner of the resource (the user who created the spreadsheet) to decide who can access it and what permissions they have.
  • D. Federated Access Control. Federated Access Control involves accessing resources across organizational boundaries using shared trust relationships, not local file permissions set by an owner.

Question 12: A classified military system labels documents as "Top Secret" and "Secret," and automatically prevents a user with "Secret" clearance from viewing "Top Secret" documents regardless of file ownership or user requests. Which access control model enforces these security labels?

  • A. DAC. Discretionary Access Control allows users to control access to their own resources, whereas the scenario describes system-enforced labels regardless of user preference.
  • B. RBAC. Role-Based Access Control assigns permissions based on job functions, not on security clearance labels like Top Secret or Secret.
  • C. MAC. Mandatory Access Control enforces security labels (Top Secret, Secret) assigned by the system administrator, preventing access based on clearance levels regardless of file ownership or user requests.
  • D. Attribute-Based Access Control. ABAC uses attributes of users, resources, and environment to make decisions, but the specific use of military security labels (Top Secret/Secret) is the defining characteristic of MAC.

Question 13: After a company fires a system administrator, the fired employee logs into their administrator account using valid credentials, and deletes thousands of confidential files. What critical process was likely not followed?

  • A. Onboarding. Onboarding is the process of integrating new employees into the organization, not the process of removing access for departing employees.
  • B. Offboarding. Offboarding is the process of removing an employee's access to systems and accounts when they leave the organization, which was clearly not followed since the fired employee retained access.
  • C. Gamified learning. Gamified learning uses game elements in training programs to increase engagement, unrelated to account access management.
  • D. Situational awareness. Situational awareness involves understanding one's environment and potential threats, not the administrative process of disabling accounts.

Question 14: An employee has worked at a company for 10 years, moving from Marketing to Sales to Management, and has accumulated access rights from each previous role that they no longer need for their current position. Which risk describes this accumulation of excessive permissions over time?

  • A. Privilege escalation. Privilege escalation involves exploiting a vulnerability to gain higher-level permissions than authorized, whereas authorization creep is the gradual accumulation of permissions through normal role changes.
  • B. Authorization creep. Authorization creep (or privilege creep) occurs when users accumulate access rights from previous roles that they no longer need, violating the principle of least privilege.
  • C. Separation of Duties violation. Separation of Duties requires splitting critical tasks among different people to prevent fraud, which is different from having accumulated permissions from old roles.
  • D. Transitive Trust exploitation. Transitive Trust involves trust relationships where if A trusts B and B trusts C, then A trusts C, which is unrelated to accumulated user permissions.

Question 15: An HR manager notices that a terminated employee's Active Directory account remained enabled for three months because the automated offboarding workflow failed, allowing the former employee to VPN into the network. Which process failure created this risk?

  • A. Inadequate account provisioning. Account provisioning is the process of creating new accounts and granting initial access, not the process of removing access when someone leaves.
  • B. Failed account deprovisioning. Account deprovisioning is the process of disabling or deleting user accounts and revoking access when an employee terminates, which failed here since the account remained active.
  • C. Excessive authorization creep. While the employee may have had accumulated rights, the specific failure described is the account remaining enabled after termination, which is a deprovisioning failure.
  • D. Lack of federation. Federation involves establishing trust relationships between organizations for SSO, unrelated to the internal process of disabling terminated employee accounts.

Question 16: A cloud security system detects a user logging in from New York at 9:00 AM and then from Tokyo at 9:30 AM, triggering an automatic account lockdown. Which type of access policy detected this anomaly?

  • A. Time-based restriction. Time-based restrictions limit when users can log in (e.g., business hours only), but do not detect physically impossible travel between locations.
  • B. Location-based policy. Location-based policies restrict access based on geographic location, but do not specifically detect the impossibility of travel between distant locations in a short timeframe.
  • C. Impossible travel time. Impossible travel time detection identifies when a user appears to log in from two geographically distant locations within a timeframe that would be physically impossible to travel between, indicating potential account compromise.
  • D. Role-based access restriction. Role-based restrictions limit what resources users can access based on their job role, not where or when they can log in from.

Question 17: A database administrator must perform critical maintenance but normally operates under a standard user account. They temporarily elevate privileges using a separate account with administrative rights that expires after 4 hours, requiring approval and logging all commands. What term describes these controls?

  • A. PAM. Privileged Access Management (PAM) encompasses solutions that provide temporary elevation of privileges (Just-In-Time/Just-Enough-Access), session monitoring, and approval workflows for administrative tasks.
  • B. PIM. Privileged Identity Management focuses on managing and securing privileged accounts and credentials, but PAM is the broader term that includes the session control and temporary elevation described.
  • C. FDE. Full Disk Encryption protects data at rest by encrypting entire drives, unrelated to administrative privilege elevation and session management.
  • D. Passwordless authentication. Passwordless authentication eliminates passwords entirely, whereas the scenario describes temporary elevation of privileged accounts that still use authentication.

Question 18: An organization requires that all administrative tasks be performed from hardened, isolated workstations with no internet access and no email capabilities, separate from regular user machines. Which security control does this describe?

  • A. SAW. A Secure Admin Workstation (SAW), also known as a Privileged Access Workstation (PAW), is a hardened, isolated system dedicated to administrative tasks with no internet or email access, separate from standard user workstations.
  • B. Ephemeral passwords. Ephemeral passwords are temporary passwords that expire after a single use or short duration, not a physical workstation configuration.
  • C. SAML. SAML is a protocol for exchanging authentication and authorization data between identity and service providers, not a workstation security configuration.
  • D. PIM. Privileged Identity Management manages the lifecycle of privileged accounts, not the physical isolation of administrative workstations.

Question 19: A Linux system allows regular users to execute specific administrative commands with elevated privileges temporarily, requiring re-authentication and logging the elevated session separately from normal activity. Which mechanism provides this controlled privilege elevation?

  • A. sudo. Sudo (superuser do) is a Unix/Linux command that allows authorized users to execute commands with elevated privileges (often root), requiring authentication and logging the elevated session separately.
  • B. UAC. User Account Control is a Windows security feature that prompts for permission when applications try to make system changes, not a Linux/Unix mechanism.
  • C. RunAs. RunAs is a Windows command to execute programs as a different user, not the standard Linux mechanism for privilege elevation.
  • D. OAuth delegation. OAuth is an authorization framework for delegated access to resources, typically used for web API authorization, not for local system privilege elevation.

Question 20: A company using Windows Server technology needs to link its Active Directory domain to a third-party service to allow Single Sign On. Which service that uses the standard X.500 would work for the company?

  • A. VPN. A Virtual Private Network provides secure remote access to a network but does not use X.500 standards or provide directory services for SSO integration.
  • B. LDAP. LDAP (Lightweight Directory Access Protocol) is derived from the X.500 standard and is the protocol used by Active Directory to communicate, making it the correct service for linking AD to third-party services using X.500-based directory standards.
  • C. API. An Application Programming Interface is a general term for software interfaces and does not specifically refer to the X.500-based directory service protocol.
  • D. LSASS. Local Security Authority Subsystem Service is a Windows process that handles authentication and stores credentials in memory, not a protocol for linking directories or enabling SSO with third parties.