Domain 5 CISSP Exam: Identity and Access Management

Explanation: Logging and monitoring actions are the most common way of enforcing accountability in a system. By doing so, users and processes can be held responsible for their actions and decisions. This knowledge of who did what is the foundation of accountability and relies on unique identification and proven authenticity of users or processes.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 509 in PDF)

Explanation: Deprovisioning is the process of removing access when accounts are no longer needed or when a user leaves or changes roles. This is important for security reasons, as unnecessary access can lead to increased risk of unauthorized access or data breaches. Deprovisioning can include actions like revoking, disabling, or deleting the account or authorizations.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 527 in PDF)

Explanation: Turnstiles and mantraps are both designed to explicitly limit the rate of access to a facility. Turnstiles typically allow only one person through at a time, while a mantrap requires a user to enter a secure vestibule space by presenting one set of credentials and then requires a different set of credentials to move from the vestibule into the main space. These can be useful to guard against piggybacking, where one user attempts to gain access without presenting credentials by closely following an authorized user.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 493 in PDF)

Explanation: Secured doors, similar to gates, allow the opportunity to make an access decision. Unauthorized users are denied access, while those who can present proper credentials are granted access. This could be done by presenting some form of ID or an authorization token like a smart card, smartphone app, or PIN code.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 492 in PDF)

Explanation: The fundamental practice of access control defines how access is granted, used, and monitored. Subjects require access to objects like files, systems, and facilities, and the fundamental practice of access control defines how such access is granted, used, and monitored. This means that the main function of access control is to grant access to objects.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 485 in PDF)

Explanation: One of the primary concerns in device IAM is ensuring access is restricted to only authorized users. With the increased use of cloud computing services and the explosion of new device types, IAM challenges have emerged. Early smartphones, for example, supported only four-digit PINs, which made them vulnerable to unauthorized access. Ensuring access is restricted to only authorized users remains a critical component of device IAM.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 488 in PDF)

Explanation: An Identity Management (IdM) system provides functionalities for user access management throughout the access management lifecycle, including Provisioning, Deprovisioning, Identity and account management, Authorization management and Identity Review. IdM systems do not provide Configuration management functionalities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 499 in PDF)

Explanation: Turnstiles and mantraps are both designed to explicitly limit the rate of access to a facility. Turnstiles typically allow only one person through at a time, while a mantrap requires a user to enter a secure vestibule space by presenting one set of credentials and then requires a different set of credentials to move from the vestibule into the main space.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 492 in PDF)

Explanation: Remote lock or wipe is a common practice for countering risks to devices and the data they contain. This feature allows the organization to prevent unauthorized users from gaining access by either locking the device or wiping all data. It is usually only used in situations where the device cannot be recovered.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 489 in PDF)

Explanation: One common method for identifying people entering or leaving a secured area is through the use of a badge, sticker, radio frequency ID (RFID) tag, barcode, or Quick Response (QR) code. QR codes can be scanned by smartphones or other devices to quickly and easily identify individuals.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 491 in PDF)

Explanation: Nonrepudiation in IAM systems ensures that a user or system cannot deny having taken a specific action. This supports authenticity which leverages the use of authentication to prove that information, commands or other data in a system can be trusted.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 487 in PDF)

Explanation: In IAL1, the user is only required to self-assert an identity, and the CSP is not required to link the individual to a verified, real-life identity.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 511 in PDF)

Explanation: Authorization management is a function supported by an IdM throughout the access management lifecycle. Once an identity is created, the IdM supports the initial authorization of access for the identity. For example, once a user account is created, it can be placed into a group that has specific permissions assigned.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 498 in PDF)

Explanation: While biometrics are highly unique and provide strong authentication methods, they require visible skin and public access to body parts that may be culturally unacceptable. Security practitioners must balance user and cultural requirements when designing authentication schemes that utilize biometrics. For example if facial coverings are common in a country, a biometric scanner that requires a facial scan would be problematic.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 507 in PDF)

Explanation: A credential management system (CMS) should support processes needed to enroll users, produce credentials, issue credentials, and support management and oversight of existing credentials. Authentication is not a process of a CMS but instead refers to the verification of the users identity and the granting of access to the system based on that identity.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 513 in PDF)

Explanation: Turnstiles and mantraps are designed to explicitly limit the rate of access to a facility and guard against piggybacking. Turnstiles typically allow only one person through at a time, while a mantrap requires a user to enter a secure vestibule space by presenting one set of credentials and then requires a different set of credentials to move from the vestibule into the main space. This can ensure that only authorized personnel are allowed access to sensitive areas and can help to prevent unauthorized access through tailgating or piggybacking.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 492 in PDF)

Explanation: Risk-based access control models are different from other models because they provide dynamic access control using a variety of parameters to determine authorization based on the changing nature of risks over time. This allows for more responsive and adaptive security measures, such as temporary increases in MFA in response to a heightened threat level.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 525 in PDF)

Explanation: Centralized IAM administration uses a dedicated access control function, like a team or specific department to manage all access control, which offers the advantage of very strict oversight and monitoring. Decentralized IAM administration breaks the function out and typically assigns access control decisions to system or information owners. This can offer greater freedom and flexibility, with the potential downside of inconsistent enforcement and lack of unified oversight.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 486 in PDF)

Explanation: The updated guidance for managing Type 1 authentication factors emphasizes on allowing longer passphrases of common words without added complexity requirements. The guidance prefers passphrases over passwords, as they create more easily remembered authentication material. The increased length over complexity makes it harder for attackers to guess or crack the passphrases.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 502 in PDF)

Explanation: The text states that there are two popular approaches to implementing SSO. The first is a web-based dashboard or portal, where users log in to a specific website using a single set of credentials and are presented with links to access additional SSO-enabled applications. The second approach is federated identity, where users log in to a single work resource like the Microsoft 365 or Google Workspace collaboration platforms. Once authenticated, they are able to log in to other, outside resources such as web or smartphone apps using their organization credentials. Therefore, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 514 in PDF)

Explanation: Full disk encryption (FDE) is an implementation of confidentiality control in system-level IAM. It ensures that information in a system is kept secure from unauthorized access by ensuring that only authorized users can access the sensitive data, even if the device itself is stolen. Physical access controls, authentication, and logging are other important controls but are not specifically confidentiality controls.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 487 in PDF)

Explanation: IAL3 is the highest level of assurance and requires physical presence for identity proofing, presentation of highly reliable identity evidence like government-issued ID, and formal review of the identity and supporting documentation by trained CSP staff.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 512 in PDF)

Explanation: Fences and gates can prevent unwanted access or be designed to guide people to a controlled entry point, depending on the sensitivity of the facility. Gates offer the ability to implement additional checks, such as presenting an ID badge or entering a code, where identification and authentication occurs. They provide an opportunity to make an access decision — unauthorized users are denied access, while those who can present proper credentials are granted access.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 491 in PDF)

Explanation: Device identification in PACSs is used to track and control the flow of assets entering and leaving the facility by tracking nonhuman users using methods like identification stickers and RFID tags. This allows for effective asset and property management.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 491 in PDF)

Explanation: IdM supports oversight of identities and access by providing key details about the authorizations that are granted to an identity. This list of accounts and access forms the basis of an access review, all current access is reviewed for appropriateness and deprovisioned if no longer needed.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 498 in PDF)

Explanation: Session hijacking occurs when an attacker impersonates one of the authentic communicating parties to misdirect information. Man-in-the-middle attacks are often used to hijack sessions as information is flowing between the two parties.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 510 in PDF)

Explanation: Type 2 authentication includes something the user or entity has possession of, such as a preregistered mobile device or physical key card. Therefore, the correct answer is C as a smartphone app is an example of a preregistered mobile device that can be used for authentication.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 497 in PDF)

Explanation: Deprovisioning under hostile/involuntary circumstances carries a higher risk because employees may act out in retaliation. Therefore, procedures will typically require faster deprovisioning and more oversight.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 531 in PDF)

Explanation: The role-based access control (RBAC) model can be helpful in identifying common need-to-know criteria and granting appropriate access, but not excessive, to applications. RBAC ensures that users are only able to access information and resources necessary to perform their job functions. DAC grants access based on who owns the resource and who is accessing it, MAC grants access based on security clearance and need-to-know basis, and ABAC grants access based on attributes related to the user, object, and environment.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 495 in PDF)

Explanation: MFA (Multi-Factor Authentication) can enforce security policy restrictions such as the use of a complex passcode or encryption on a user device. MFA allows the organization to gain greater assurance about the entity requesting access, and MDM can be used to enforce security policy restrictions. For instance, requiring complex passcodes or enforcing encryption.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 493 in PDF)

Explanation: Containerization is an effective way to isolate organization data from other apps on a personal device. Placing organization data into a logical container isolates it from being accessed by other apps on the device. This is a common choice for organizations with a bring your own device (BYOD) policy that allows users to access organization resources from a personal device. Enforcing restrictions on the personal device may be difficult, so the restrictions are instead limited to the container, which can be locked or wiped if the user loses the device or leaves employment.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 489 in PDF)

Explanation: Proper endpoint security is crucial for effective IAM for devices. Endpoint detection and response (EDR) are some practices that can be used to ensure access controls are applied appropriately. It is essential that access controls be applied with respect to the security of these devices. This is discussed in more detail in Chapters 4 and 7. Access controls should be put in place to guarantee that devices are secured and only authorized users are granted access to them.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 489 in PDF)

Explanation: Toxic role combinations should be prevented in RBAC to ensure that users with administrative privileges cannot take malicious action on a system and erase evidence of their actions from logs on the SIEM. This is important from a security perspective because it helps prevent insider threats and ensures accountability.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 522 in PDF)

Explanation: Objects within the context of access control models are assets that require access control, such as information like files or datasets, system objects like compute resources and networks, and even facilities like office buildings, computer rooms, and sensitive information handling facilities. They share a common need for protection of basic security attributes including confidentiality, integrity, availability, nonrepudiation, and authenticity (CIANA). However, objects can also include non-human entities like systems, processes, and devices that require access to specific data objects based on the sensitivity level of the objects in question.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 484 in PDF)

Explanation: Decentralized IAM administration breaks the access control decision-making function out and typically assigns it to system or information owners. This can offer greater freedom and flexibility, with the potential downside of inconsistent enforcement and lack of unified oversight.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 487 in PDF)

Explanation: Biometric scanners require visible skin and public access to body parts, which may be culturally unacceptable. Security practitioners must balance user and cultural requirements when designing authentication schemes.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 506 in PDF)

Explanation: One primary concern for device IAM is ensuring access is restricted to only authorized users. Devices can be both objects and subjects in an access control model. It is important to control access to the device objects if they contain sensitive data or grant access to sensitive functions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 489 in PDF)

Explanation: Intrusion detection sensors in Physical Access Control Systems (PACSs) are a detective control and can be useful to identify if improper access has been gained. They detect an intruder based on body heat, sounds like breaking glass, or movement as the intruder walks about.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 490 in PDF)

Explanation: A role-based access control (RBAC) model can be helpful in identifying common need-to-know criteria and granting access that is appropriate but not excessive. This model is based on the idea of assigning permissions to roles rather than to individual users. Access is granted to users based on the roles they have been assigned to within the organization. Assigning roles based on job functions or responsibilities can ensure that users only have access to the applications they need to do their job, and not more than that, following the principle of least privilege.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 495 in PDF)

Explanation: The updated guidance, specifically 800-63B, emphasizes allowing longer passphrases of common words without added complexity requirements to improve usability without sacrificing security. This updated guidance provides a risk-based approach to managing authentication factors.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 501 in PDF)

Explanation: According to the text, hostile or involuntary circumstances such as a staff member being let go at the companys decision carry higher risk because employees may be disgruntled or act out in retaliation, and procedures will typically require faster deprovisioning and more oversight.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 531 in PDF)

Explanation: Intrusion detection sensors are a detective control and are designed to identify if improper access has been gained, such as an unauthorized user entering a secured area. Examples include heat, sound, and weight or pressure sensors, which can detect an intruder based on body heat, sounds like breaking glass, or movement as the intruder walks about.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 492 in PDF)

Explanation: IAM consists of processes and tools designed to restrict access to only properly authorized users. This is essential to balance the need for system availability with other requirements like preventing unwanted changes or unauthorized access to data.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 540 in PDF)

Explanation: In the case of a discretionary access control (DAC) model, the system or data owner makes access decisions at their discretion, deciding which subjects can access an object. This includes defining the functions users can perform, like reading or updating the file. The flexibility of DAC may also be a security drawback, as it may be more difficult to enforce consistency when a large group of data owners is making access control decisions, leading to potential abuse by insider threats.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 524 in PDF)

Explanation: The Key Distribution Center (KDC) is used to maintain the database of secret keys and perform registration for new users within a Kerberos realm.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 537 in PDF)

Explanation: One of the primary advantages of federating identity management across organizations in a FIM scheme is the simplified administrative overhead of account management. This benefit reduces the need for multiple sets of credentials for each user, and it helps both the administrators and users have easier access to multiple systems. In other words, it reduces both the administrative and user overhead of managing multiple sets of credentials for each user.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 512 in PDF)

Explanation: As stated in the text, rule-based access control, also known as RuBAC, is based on a list of predefined rules to determine authorization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 523 in PDF)

Explanation: Access is anything a subject is permitted to do with or to an object. In this example, the subject is granted read and write access to a file, which is an example of access in the context of access control.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 484 in PDF)

Explanation: TACACS+ is generally implemented to control access to network infrastructure resources like routers and enables users logging in to perform maintenance and other administrative functions, as well as supporting authenticating users and providing a centralized method for authorizing user access and auditing user access and actions.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 539 in PDF)

Explanation: While biometrics provide one of the strongest methods to prove authenticity of an identity, disabled users may have difficulty using biometric systems or even lack the needed body parts. A user who is missing a right hand will not be able to utilize a hand geometry scanner that supports right-hand scans only. Therefore, this is a weakness of biometric authentication systems in terms of accessibility.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 507 in PDF)

Explanation: Identity review is a key functionality of Identity Management (IdM) systems in providing oversight of identities and access by providing key details about the authorizations that are granted to an identity.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 499 in PDF)

Explanation: Identity review is a functionality of an IdM that supports oversight of identities and access by providing key details about the authorizations that are granted to an identity. All current access is reviewed for appropriateness and deprovisioned if no longer needed. This is important for maintaining accountability and preventing unauthorized access.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 498 in PDF)

Explanation: Open Authorization (OAuth) is a secure authorization protocol for web, mobile, and desktop applications. It defines four key roles in an OAuth federation which are the resource owner, resource server, client, and authorization server.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 535 in PDF)

Explanation: The CER is the point at which the Type 1 and Type 2 errors are equal. This means that at the CER, the system is equally likely to reject an authorized user (Type 1 error) as it is to accept an unauthorized user (Type 2 error). The CER is a crucial factor in choosing an authentication system, as it determines the level of risk to the system.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 508 in PDF)

Explanation: Identifying the needs for information access control is a fundamental requirement for the security practitioner. Not all information needs the same type or level of protection, and the requirements for protecting a specific piece of information will change over time.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 485 in PDF)

Explanation: MAC model is a nondiscretionary access control model, in which access control is enforced systematically and is not at the discretion of data owners or others. It is achieved by applying security labels to both subjects and objects, and when a subject attempts to access an object, the system verifies the security labels and enforces appropriate access control.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 523 in PDF)

Explanation: The four foundational elements of IAM are identification, authentication, authorization, and accountability (IAAA). Accountability is the process of holding entities responsible for their actions. This is not a foundational element of IAM, but it is a related concept that falls under the larger umbrella of access control.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 483 in PDF)

Explanation: The Ticket Granting Server (TGS) in a Kerberos environment provides a ticket to an authenticated principal, which allows them to request service tickets. A service ticket is used by a kerberized application to grant access to a properly authenticated user. Therefore, option C is the correct answer.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 538 in PDF)

Explanation: ABAC is an access control model that combines attributes about the subject and object, and evaluates them against a policy to make an access decision. Attributes can be the users identity, role, location, device, and time of day, among others. ABAC provides more flexibility than other access control models and can be used to achieve more dynamic and risk-based access control.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 524 in PDF)

Explanation: Authorization management is a critical task in the access management lifecycle that is supported by an IdM system. IdM supports the initial authorization of access for the identity by placing a user account into a group that has specific permissions assigned. This helps to ensure that users only have access to the resources that they need and are authorized to use. The other listed tasks – secure socket interface management, firewall configuration management, and data backup management – are not directly related to IdM or the access management lifecycle.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 499 in PDF)

Explanation: The updated guidance in NIST SP 800-63B emphasizes allowing longer passphrases of common words without added complexity requirements, and more generous input attempts to account for a user mistyping. This means that passphrases that are longer but easier to remember are preferred over complex passwords, since they create more easily remembered authentication material and prevent unintended user lockouts.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 502 in PDF)

Explanation: The potential risk of outsourcing identity and access management to a third-party IDaaS provider is high. If the provider suffers a data breach, the organizations identity and access management information could be compromised, leading to a potential loss of control.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 517 in PDF)

Explanation: The identity provider (IdP) verifies the users identity by authenticating and authorizing them. The service provider (SP) relies on the assertion made by the IdP for user identification, authentication, and authorization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 536 in PDF)

Explanation: Passwords are one of the most common examples of logical access controls, which restrict access to digital assets like data, applications, and systems based on an authentication mechanism like a password, a PIN or a shared symmetric key.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 484 in PDF)

Explanation: Integrity can be supported via access controls by preventing unauthorized users from making changes to information.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 487 in PDF)

Explanation: IAL1 is the lowest level of assurance and only requires the user to self-assert an identity without requiring a link to a verified real-life identity. It is appropriate for systems where accountability does not extend to real-world consequences such as criminal action.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 512 in PDF)

Explanation: Vertical privilege escalation is an attack that seeks to gain increased privileges on a system, such as using SQL injection to gain direct database access when the user is only authorized to access data through a web front end.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 532 in PDF)

Explanation: Deprovisioning is the opposite action of provisioning, which may include suspending, terminating, or even deleting the access credentials. An access review must be performed to identify which systems and data the user has access to, and confirmation must be obtained when the access has been deprovisioned.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 531 in PDF)

Explanation: The primary reason for performing a usage review of user, system, and nonhuman accounts is to enforce accountability for system usage. This helps organizations identify unwanted or inappropriate use of permissions, as well as account permissions that are inappropriate.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 530 in PDF)

Explanation: The Authentication Server (AS) is responsible for authenticating principals by exchanging encrypted data. In a Type 2 authentication factor, the user is authenticated if they can successfully decrypt the encrypted data using a pre-shared symmetric key. A Kerberos realm comprises a set of services and resources including Principals, Key Distribution Center (KDC), Authentication Server (AS), and Ticket Granting Server (TGS).

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 538 in PDF)

Explanation: Turnstiles and mantraps are designed to explicitly limit the rate of access to a facility. A turnstile typically allows only one person through at a time, while a mantrap requires a user to present one set of credentials to enter a secure vestibule space and another set of credentials to move from the vestibule into the main space. These methods can help guard against piggybacking, where an unauthorized user closely follows an authorized user to gain access.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 492 in PDF)

Explanation: Physical security is particularly important when discussing information system security. The secure perimeter paradigm, with layered defenses that provide increasing levels of security, is often used as a physical defense-in-depth strategy to secure facilities.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 490 in PDF)

Explanation: The correct answer is A. Rule-based access control (RBAC) model can be helpful in identifying common need-to-know criteria and granting access that is appropriate but not excessive. RBAC assigns permissions to roles rather than individual users, allowing for more efficient management of access privileges – this can help to ensure that users are given the least privileges required to perform a task, and help prevent unauthorized access or privilege escalation.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 495 in PDF)

Explanation: One of the primary use cases for JIT identity is to reduce management overhead with respect to user administration by provisioning access based on a users role or job function within an organization.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 515 in PDF)

Explanation: A trusted smartphone is a popular Type 2 authentication factor that users can use to provide additional authentication information in the form of a numeric code that the user must enter during login, further proving the authenticity of their asserted identity. Unlike Type 1 factors, there is no requirement for users to remember information related to Type 2 factors. However, some Type 2 factors do require the user to remember to physically bring a device, such as a trusted smartphone. Safeguarding the confidentiality and availability of the physical devices is an important security consideration if they are used.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 505 in PDF)

Explanation: In a Kerberos realm, the Key Distribution Center (KDC) is responsible for performing registration for new users and maintaining the database of secret keys. It is the component that issues service tickets to authenticated users, which are then used to gain access to specific resources.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 538 in PDF)

Explanation: According to the text, a role-based access control (RBAC) model can be helpful in identifying common need-to-know criteria and granting access that is appropriate but not excessive to applications. This model helps to identify a users role/job and provide access based on their role. It is a common access management mechanism that enables access privileges to be allocated to a particular job or function, ensuring that access is given based on the principle of least privilege. In RBAC, policies are created that limit the permissions of users to the least amount necessary to accomplish their intended job function. Therefore, the correct answer is A.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 495 in PDF)

Explanation: The Key Distribution Center (KDC) performs registration for new users, assigning them a new secret key, and also maintains the database of secret keys. This allows the KDC to authenticate users by exchanging encrypted data with them.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 538 in PDF)

Explanation: Session sidejacking is an attack where an attacker steals session cookie information from a user on the same network, allowing them to impersonate the authorized user. This attack is possible because session cookies are often sent over unencrypted channels, making them easily accessible to anyone who can intercept the traffic. By stealing the session cookie, an attacker can access the users session and perform actions on their behalf. To prevent session sidejacking, it is recommended to use HTTPS to encrypt all traffic, including session cookies.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 510 in PDF)

Explanation: The principle of least privilege is important in access management and should be considered when defining roles. Access should be granted to the lowest level of privilege necessary to perform job duties. This limits the potential damage if an account is compromised.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 532 in PDF)

Explanation: According to NIST SP 800-63-3, IAL3 is the highest level of assurance for identity proofing. It requires physical presence for identity proofing, presentation of highly reliable identity evidence like government-issued ID, and formal review of the identity and supporting documentation by trained CSP staff.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 511 in PDF)

Explanation: Session management is the practice of initiating, managing, and terminating sessions, and is critical because session information is an authentication method. Hypertext Transfer Protocol (HTTP) is stateless, so sessions can be used to maintain a persistent state, such as the items a user has placed in an online shopping cart, which in turn allow for more complex applications.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 509 in PDF)

Explanation: A weakness of biometrics that requires the security practitioner to balance the needs for authentication and acceptance of a biometric solution is cultural acceptance. Biometric scanners require visible skin and public access to body parts that may be culturally unacceptable, which can cause problems in certain countries or cultures where facial coverings are common. Therefore, security practitioners must consider cultural requirements when designing authentication schemes with biometrics.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 507 in PDF)

Explanation: Local authentication functions grant access to one computer or a set of files only, and it is not networked. It does not provide access across networks or a network of resources. Other authentication systems like LDAP or IDaaS support networked authentication, while remote access and federated identity authentication provides other specialized authentication needs.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 535 in PDF)

Explanation: Cloud-based IDaaS solutions can integrate with popular cloud services and offer native integration with them, reducing administrative overhead associated with user provisioning. This can be used to implement JIT provisioning for new user accounts on cloud services, benefiting users and administrators by automating the process of checking authorizations and provisioning accounts.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 518 in PDF)

Explanation: Biometric scanners require visible skin and public access to body parts that may be culturally unacceptable, so security practitioners must balance user and cultural requirements when designing authentication schemes.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 507 in PDF)

Explanation: Role-based access control (RBAC) provides specific permissions based on job functions. In RBAC, permissions are assigned to roles, and then roles are assigned to users. This reduces administrative overhead and makes it easier to manage access control for large organizations. Rule-based access control is based on pre-determined rules that allow or deny access. Discretionary access control allows users to control access to their own resources. Attribute-based access control allows access to be granted based on user attributes such as age or location.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 521 in PDF)

Explanation: The updated guidance in NIST SP 800-63B for managing Type 1 authentication factors includes emphasizing usability over complexity by allowing longer passphrases of common words without added complexity requirements.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 502 in PDF)

Explanation: The use of a hybrid approach to Identity and Access Management helps to reduce the management overhead by offering users one set of credentials for both on-premise and cloud IAM. It acts as a single sign-on (SSO) solution. This reduces the complexity of managing multiple sets of credentials, leading to a reduction in administration and management overhead.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 519 in PDF)

Explanation: Single-factor authentication requires only one authentication factor to verify an identity, while multifactor authentication requires the use of multiple authentication factors such as a username, password, and a randomly generated code from an authenticator app. Multifactor authentication provides an extra layer of security against account compromises like phishing attacks.

Ref: The Official ISC2 CISSP CBK Reference 6th Edition

(Page 500 in PDF)