Chapter 5: Identity and Access Management (Domain 5) 361
- A. Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based infrastructure as a service environments. The lack of roles, rules, or a classification system indicates that role-based, rule-based, and mandatory access controls are not in use here.
- C. By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting.
- D. A key distribution center (KDC) provides authentication services, and ticket-granting tickets (TGTs) provide proof that a subject has authenticated and can request tickets to access objects. Authentication services (ASs) are part of the KDC. There is no TS in a Kerberos infrastructure.
- D. Authorization provides a user with capabilities or rights. Roles and group management are both methods that could be used to match users with rights. Logins are used to validate a user.
- C. Privilege creep occurs when users retain rights from roles they held previously that they do not need to accomplish their current job. Unauthorized access occurs when an unauthorized user accesses files. Excessive provisioning is not a term used to describe permissions issues, and account review would help find issues like this.
- B. Phishing is not an attack against an access control mechanism. While phishing can result in stolen credentials, the attack itself is not against the control system and is instead against the person being phished. Dictionary attacks and man-in-the-middle attacks both target access control systems.
- B. Race conditions occur when two or more processes need to access the same resource in the right order. If an attacker can disrupt this order, they may be able to affect the normal operations of the system and gain unauthorized access or improper rights. Collisions occur when two different files produce the same result from a hashing operation, out-of-order execution is a CPU architecture feature that allows the use of otherwise unused cycles, and determinism is a philosophical term rather than something you should see on the CISSP exam!
- C. Mandatory access controls use a lattice to describe how classification labels relate to each other. In this image, classification levels are set for each of the labels shown. A discretionary access control (DAC) system would show how the owner of the objects allows access. RBAC could be either rule- or role-based access control and would use either system-wide rules or roles. Task-based access control (TBAC) would list tasks for users.
- C. LDAP distinguished names are made up of zero or more comma-separated components known as relative distinguished names. cn=ben,ou=example; ends with a semicolon and is not a valid DN. It is possible to have additional values in the same RDN by using a plus sign between them.
- B. The process of a subject claiming or professing an identity is known as identification. Authorization verifies the identity of a subject by checking a factor like a password. Logins typically include both identification and authorization, and token presentation is a type of authentication.
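The LDAP DN rules used in the answer above (comma-separated RDNs, a plus sign joining several attribute=value pairs inside one RDN, and an unescaped semicolon making cn=ben,ou=example; invalid) are easier to see in a small parser. This is an added example written for this answer key, not code from any LDAP library; the function names parse_dn and is_valid_dn and the backslash-escape handling (per RFC 4514) are this example's own choices.

```python
import re

# Added illustration for this answer, not code from any LDAP library: a small
# RFC 4514-style DN parser applying the rules the answer relies on.
_ATTR_TYPE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)$")
_MUST_ESCAPE = set(';"<>,+')   # allowed in a value only behind a backslash

def _split_unescaped(text, sep):
    """Split on sep, leaving escaped separators ('\\,' or '\\+') intact."""
    parts, cur = [], []
    # Tokenise into single characters and backslash-escape pairs such as '\,'
    for u in re.findall(r"\\.|.", text, re.S):
        if u == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(u)
    parts.append("".join(cur))
    return parts

def _check_value(value):
    # Any special character that is not behind a backslash makes the DN invalid
    bad = [u for u in re.findall(r"\\.|.", value, re.S) if u in _MUST_ESCAPE]
    if bad:   # e.g. the trailing ';' in cn=ben,ou=example;
        raise ValueError(f"unescaped {bad[0]!r} in value {value!r}")

def parse_dn(dn):
    """Return the DN as a list of RDNs, each a list of (type, value) tuples."""
    if dn == "":
        return []                          # the empty DN has zero RDNs
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        pairs = []
        for ava in _split_unescaped(rdn, "+"):   # '+' joins multi-valued RDNs
            if "=" not in ava:
                raise ValueError(f"RDN component lacks '=': {ava!r}")
            attr, value = (s.strip() for s in ava.split("=", 1))
            if not _ATTR_TYPE.match(attr):
                raise ValueError(f"invalid attribute type {attr!r}")
            _check_value(value)
            pairs.append((attr, value))
        rdns.append(pairs)
    return rdns

def is_valid_dn(dn):
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False
```

Running is_valid_dn on cn=ben,ou=example; returns False because of the unescaped semicolon, while cn=ben+uid=1234,ou=example parses into a two-valued first RDN.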