CISSP Official Practice Tests by Mike Chapple, David Seidl

(chelsyfait) #1

358 Appendix ■ Answers


99. D. MAC addresses and their organizationally unique identifiers are used at the Data
Link layer to identify systems on a network. The Application and Session layers don’t
care about physical addresses, while the Physical layer involves electrical connectivity and
handling physical interfaces rather than addressing.
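The answer turns on the structure of a Data Link layer address: the first three octets are the OUI and the first octet carries two flag bits. The following parser is an added example, not code from the book; the two vendor entries in its lookup table are constructed placeholders standing in for the IEEE registry.

```python
import re

# Constructed OUI lookup excerpt (hypothetical vendors, not from the book or the
# IEEE registry); a real lookup would consult the IEEE MA-L listing.
SAMPLE_OUI_TABLE = {
    "00:1A:2B": "ExampleVendor (hypothetical)",
    "3C:4D:5E": "OtherVendor (hypothetical)",
}


def parse_mac(mac: str) -> dict:
    """Parse a MAC in colon, hyphen or Cisco dotted form and split out the OUI
    and the two flag bits of the first octet.

    Bit 0 (I/G) set -> group/multicast address, never a single host's burned-in MAC.
    Bit 1 (U/L) set -> locally administered: the OUI is not a vendor assignment,
                       which is what randomized or manually set addresses look like.
    """
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [int(hexdigits[i:i + 2], 16) for i in range(0, 12, 2)]
    oui = ":".join(f"{b:02X}" for b in octets[:3])
    return {
        "mac": ":".join(f"{b:02X}" for b in octets),
        "oui": oui,
        "vendor": SAMPLE_OUI_TABLE.get(oui),
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
    }


def is_vendor_assigned(mac: str) -> bool:
    """True only for a unicast, globally administered address with a known OUI."""
    info = parse_mac(mac)
    return (not info["multicast"]
            and not info["locally_administered"]
            and info["vendor"] is not None)


if __name__ == "__main__":
    for sample in ("00:1a:2b:11:22:33", "02-00-00-AA-BB-CC", "0100.5e00.0001"):
        print(parse_mac(sample))
```

The locally administered flag is the useful bit for a defender reviewing switch or NAC logs: an address with that bit set cannot be matched to a vendor, so an asset inventory keyed on OUI will miss it.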


  1. C. DomainKeys Identified Mail, or DKIM, is designed to allow assertions of domain identity
    to validate email. S/MIME, PEM, and MOSS are all solutions that can provide authentication,
    integrity, nonrepudiation, and confidentiality, depending on how they are used.


Chapter 5: Identity and Access Management (Domain 5)



  1. C. Capability tables list the privileges assigned to subjects and identify the objects that
    subjects can access. Access control lists are object-focused rather than subject-focused.
    Implicit deny is a principle that states that anything that is not explicitly allowed is denied,
    and a rights management matrix is not an access control model.
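Capability tables and access control lists are two projections of the same access matrix, one by row (subject) and one by column (object). The code below is an added illustration, not from the book; the access matrix it starts from is constructed sample data.

```python
from collections import defaultdict

# Constructed access matrix (sample data, not from the book):
# subject -> object -> rights granted.
ACCESS_MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "hr_policy.pdf": {"read"}},
    "bob":   {"hr_policy.pdf": {"read"}},
    "carol": {"payroll.db": {"read"}, "audit.log": {"read"}},
}


def capability_table(matrix):
    """Subject-focused view (rows of the matrix): each subject's objects and rights."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in matrix.items()}


def access_control_lists(matrix):
    """Object-focused view (columns of the matrix): each object's subjects and rights."""
    acls = defaultdict(dict)
    for subject, objs in matrix.items():
        for obj, rights in objs.items():
            acls[obj][subject] = set(rights)
    return dict(acls)


def allowed_by_acl(acls, subject, obj, right):
    """Implicit deny: a request that is not explicitly listed is refused."""
    return right in acls.get(obj, {}).get(subject, set())


def allowed_by_capability(caps, subject, obj, right):
    """Same decision, answered from the subject's capability list."""
    return right in caps.get(subject, {}).get(obj, set())


def views_agree(matrix):
    """Both views derive from one matrix, so every decision must match,
    including for subjects and objects that appear in neither view."""
    caps, acls = capability_table(matrix), access_control_lists(matrix)
    subjects = set(matrix) | {"mallory"}   # an unknown subject
    objects = set(acls) | {"secrets.txt"}  # an unknown object
    return all(
        allowed_by_acl(acls, s, o, r) == allowed_by_capability(caps, s, o, r)
        for s in subjects for o in objects for r in ("read", "write", "execute")
    )


if __name__ == "__main__":
    print(capability_table(ACCESS_MATRIX))
    print(access_control_lists(ACCESS_MATRIX))
```

The practical difference is which question each view answers cheaply: "what can alice reach?" is one lookup in the capability table, while "who can write payroll.db?" is one lookup in the ACL.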

  2. B. Since Jim’s organization is using a cloud-based identity as a service solution, a third-
    party, on-premises identity service can provide the ability to integrate with the IDaaS
    solution, and the company’s use of Active Directory is widely supported by third-party
    vendors. OAuth is used to log into third-party websites using existing credentials and
    would not meet the needs described. SAML is a markup language and would not meet the
    full set of AAA needs. Since the organization is using Active Directory, a custom in-house
    solution is unlikely to be as effective as a preexisting third-party solution and may take far
    more time and expense to implement.

  3. C. Kerberos encrypts messages using secret keys, providing protection for authentication
    traffic. The KDC both is a single point of failure and can cause problems if compromised
    because keys are stored on the KDC that would allow attackers to impersonate any user.
    Like many authentication methods, Kerberos can be susceptible to password guessing.

  4. C. Voice pattern recognition is “something you are,” a biometric authentication factor,
    because it measures a physical characteristic of the individual authenticating.

  5. B. Susan has used two distinct types of factors: the PIN and password are both Type 1
    factors, and the retina scan is a Type 3 factor. Her username is not a factor.

  6. B. Menus, shells, and database views are all commonly used for constrained interfaces.
    A keyboard is not typically a constrained interface, although physically constrained
    interfaces like those found on ATMs, card readers, and other devices are common.

  7. C. Dictionary attacks use a dictionary or list of common passwords as well as variations
    of those words to attempt to log in as an authorized user. This attack shows a variety of
    passwords based on a similar base word, which is often a good indicator of a dictionary
    attack. A brute-force attack will typically show simple iteration of passwords, while a

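The distinction the answer draws, many variants of one base word versus plain iteration of fixed-length strings, can be turned into a triage check over captured guesses. The classifier below is an added example, not from the book; the two guess sequences are constructed honeypot captures (ordinary auth logs do not record the password tried), and the 0.6 threshold and the leetspeak map are assumptions chosen for the illustration.

```python
import re
from collections import Counter

# Constructed honeypot captures (sample data, not from the book).
DICTIONARY_STYLE = ["password", "Password1", "p@ssword", "Password123", "passw0rd", "letmein"]
BRUTE_FORCE_STYLE = ["aaaa", "aaab", "aaac", "aaad", "aaae", "aaaf"]

# Assumed substitution map for undoing common leetspeak when grouping guesses.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def base_word(password: str) -> str:
    """Collapse case, trailing digits/punctuation and leetspeak to the underlying word.
    A guess that is all digits (a PIN) is kept as-is so it is not collapsed to ''."""
    stripped = re.sub(r"[\d!?.]+$", "", password.lower())
    return (stripped or password.lower()).translate(LEET)


def _hamming(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b))


def classify_attempts(attempts) -> str:
    """Return "dictionary", "brute-force" or "other" for an ordered list of guesses."""
    if len(attempts) < 3:
        return "other"  # too few guesses to call a pattern
    counts = Counter(base_word(p) for p in attempts)
    _, dominant = counts.most_common(1)[0]
    if dominant / len(attempts) >= 0.6:          # assumed threshold
        return "dictionary"   # most guesses are variants of one base word
    same_length = len({len(p) for p in attempts}) == 1
    stepwise = all(_hamming(a, b) <= 2 for a, b in zip(attempts, attempts[1:]))
    if same_length and stepwise:
        return "brute-force"  # fixed-length guesses advancing a position or two at a time
    return "other"


if __name__ == "__main__":
    print("dictionary sample ->", classify_attempts(DICTIONARY_STYLE))
    print("brute-force sample ->", classify_attempts(BRUTE_FORCE_STYLE))
```

The output label is a hint for an analyst, not a verdict: a list of unrelated common words scores as "other" here because no single base word dominates, which is exactly the case the rule of thumb in the answer does not cover.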