CCNA IAM Questions

68 questions · IAM topic · All types, answers revealed

1
Multi-Selecteasy

Which TWO principles are essential for implementing least privilege in identity and access management?

Select 2 answers
A.Minimum necessary permissions
B.Need-to-know
C.Segregation of duties
D.User awareness training
E.Password complexity requirements
AnswersA, B

Minimum necessary permissions are the core of least privilege.

Why this answer

A is correct because 'minimum necessary permissions' is the core principle of least privilege, ensuring users and processes are granted only the permissions required to perform their authorized tasks. This directly limits the attack surface by preventing access to resources beyond what is strictly needed for a specific role or function.

Exam trap

The trap here is that candidates often confuse 'need-to-know' (which applies to data confidentiality and information disclosure) with 'minimum necessary permissions' (which applies to system access and authorization), or mistakenly think segregation of duties is a subset of least privilege rather than a distinct control.

2
MCQmedium

Refer to the exhibit. A user reports they cannot authenticate to a web application after receiving a new token. The error log shows the above entries. Which of the following is the MOST likely cause?

A.The token uses a different signing algorithm than expected
B.The token has expired
C.The token's issuer claim does not match the expected issuer
D.The token was signed with a different secret key than the one used by the verifier
AnswerD

Signature mismatch indicates key mismatch.

Why this answer

The error log entries indicate a signature validation failure, which occurs when the token was signed with a secret key that differs from the one the verifier uses. In JSON Web Token (JWT) authentication, the verifier must possess the exact same secret (for HMAC) or the corresponding public key (for RSA/ECDSA) to validate the signature; a mismatch causes authentication to fail. This is the most likely cause because the user received a new token, suggesting a key rotation or misconfiguration where the signing key was changed without updating the verifier.

Exam trap

ISC2 often tests the distinction between signature validation failures (key mismatch) and claim validation failures (exp, iss, aud), and the trap here is that candidates confuse a token being 'invalid' with it being 'expired' or having a wrong issuer, when the error log specifically points to cryptographic signature failure.

How to eliminate wrong answers

Option A is wrong because a signing algorithm mismatch would typically produce an 'algorithm not allowed' or 'unexpected algorithm' error, not a generic signature validation failure; the error log does not mention algorithm issues. Option B is wrong because token expiration errors are explicitly logged as 'token expired' or 'exp' claim validation failure, not as a signature validation error. Option C is wrong because an issuer claim mismatch would generate an 'issuer not valid' or 'unexpected issuer' error, not a signature validation failure; the verifier checks the 'iss' claim separately from signature verification.

3
MCQeasy

A password policy requires passwords to be at least 12 characters, with uppercase, lowercase, digits, and special characters. Which of the following is an example of a password that meets the policy?

A.Abcdefghijkl
B.Pa$$w0rd
C.MyP@ssw0rd1
D.SecureP@ss1
E.Password123!
AnswerE

This is 12 characters, includes uppercase, lowercase, digits, and special character.

Why this answer

Option E (Password123!) meets the policy because it is 12 characters long and includes uppercase (P), lowercase (assword), digits (123), and a special character (!). The policy requires all four character types, and this password satisfies each requirement without any ambiguity.

Exam trap

The trap here is that candidates often overlook the exact length requirement and focus only on character variety, leading them to select options like C or D that contain all character types but are shorter than 12 characters.

How to eliminate wrong answers

Option A is wrong because it contains only uppercase and lowercase letters (no digits or special characters), failing the policy's requirement for all four character types. Option B is wrong because it is only 8 characters long (Pa$$w0rd), falling short of the 12-character minimum. Option C is wrong because it is 11 characters long (MyP@ssw0rd1), one character short of the 12-character minimum.

Option D is wrong because it is 10 characters long (SecureP@ss1), also failing the length requirement.

4
MCQmedium

An organization uses OAuth 2.0 for delegated access to APIs. A developer creates a public client application that runs on mobile devices. Which OAuth 2.0 grant type is MOST appropriate for this scenario?

A.Client Credentials Grant
B.Implicit Grant
C.Resource Owner Password Credentials Grant
D.Authorization Code Grant with PKCE
AnswerD

Provides secure token exchange for public clients.

Why this answer

The Authorization Code Grant with PKCE (Proof Key for Code Exchange) is the most appropriate for a public client on a mobile device because it prevents authorization code interception attacks. PKCE replaces the client secret with a dynamically generated code verifier and challenge, ensuring that even if the authorization code is intercepted, it cannot be exchanged for tokens without the original verifier. This is the OAuth 2.0 Security Best Current Practice (BCP) recommendation for native and mobile apps.

Exam trap

The trap here is that candidates often choose the Implicit Grant (Option B) because they mistakenly believe it is simpler for mobile apps, but the CISSP exam tests the current OAuth 2.0 Security BCP which deprecates Implicit and mandates PKCE for public clients.

How to eliminate wrong answers

Option A is wrong because the Client Credentials Grant is designed for server-to-server (confidential client) authentication without user involvement, not for a public client on a mobile device that requires delegated user access. Option B is wrong because the Implicit Grant is deprecated by OAuth 2.0 Security BCP (RFC 8252) due to security risks like access token leakage in the URL fragment and lack of client authentication, making it unsuitable for mobile apps. Option C is wrong because the Resource Owner Password Credentials Grant requires the client to directly handle the user's password, which violates security best practices for mobile apps and is only recommended when the client is highly trusted (e.g., first-party apps) and other grants are not viable.

5
MCQeasy

Refer to the exhibit. A user has obtained a Kerberos ticket. What does the presence of two service principals indicate?

A.The KDC is misconfigured
B.The user has authenticated to two different services
C.The user's credentials have been compromised
D.The user has been issued a Ticket-Granting Ticket and a service ticket
AnswerD

krbtgt is the TGT, and HTTP is a service ticket.

Why this answer

In Kerberos, a Ticket-Granting Ticket (TGT) is issued after initial authentication and is used to request service tickets for specific services. The presence of two service principals in a user's Kerberos ticket cache indicates that the user has both a TGT (identified by the krbtgt service principal) and a service ticket (identified by the target service's principal). This is the normal and expected state after a user has authenticated and then requested access to a service.

Exam trap

The trap here is that candidates often confuse the presence of two service principals with authentication to two services, failing to recognize that one of those principals is always the Ticket-Granting Ticket (krbtgt), not a service ticket for an actual application service.

How to eliminate wrong answers

Option A is wrong because a misconfigured KDC would typically result in authentication failures, missing tickets, or incorrect principal names, not the presence of two distinct service principals in a valid ticket cache. Option B is wrong because the presence of two service principals does not indicate authentication to two different services; one of the principals is always the TGT (krbtgt), and the other is a single service ticket. Option C is wrong because compromised credentials would lead to unauthorized ticket issuance or suspicious activity, not the standard coexistence of a TGT and a service ticket.

6
MCQeasy

Refer to the exhibit. An IAM policy is attached to a user. What is the effective permission when the user attempts to read the object 'confidential/report.pdf'?

A.Denied because the Deny statement explicitly denies all actions on that path
B.Allowed because the resource match is broader in the Allow
C.Allowed because the Allow statement grants GetObject
D.Denied only if the user has no other Allow policies
AnswerA

Explicit Deny always takes precedence over any Allow.

Why this answer

The correct answer is A because IAM policies evaluate explicit Deny statements before any Allow statements. Since the Deny statement explicitly denies all actions on the 'confidential/report.pdf' path, the user's GetObject request is denied regardless of any broader Allow statements. This is a fundamental principle of AWS IAM policy evaluation logic: an explicit Deny overrides all Allow permissions.

Exam trap

ISC2 often tests the principle that an explicit Deny overrides any Allow, even when the Allow appears more specific or broader, leading candidates to incorrectly assume that a broader Allow or a missing other policy would permit the action.

How to eliminate wrong answers

Option B is wrong because a broader resource match in an Allow statement does not override an explicit Deny; the Deny takes precedence in the evaluation. Option C is wrong because even though the Allow statement grants GetObject, the explicit Deny on the same action and resource path overrides it, resulting in denial. Option D is wrong because the Deny is explicit and does not depend on the absence of other Allow policies; it is effective immediately and independently.

7
MCQmedium

A company is implementing single sign-on (SSO) for its cloud applications. The security team wants to ensure that user authentication is handled by an on-premises identity provider (IdP) using Security Assertion Markup Language (SAML). Which of the following is a critical configuration step to prevent session hijacking?

A.Use HTTP POST binding instead of HTTP Redirect binding.
B.Set a short timeout for the SAML authentication request.
C.Encrypt the SAML assertions using the service provider's public key.
D.Validate the Issuer element in the SAML response.
AnswerD

Ensures the response is from the trusted IdP, preventing impersonation.

Why this answer

Option D is correct because validating the Issuer element in the SAML response ensures that the response originated from the trusted on-premises identity provider (IdP) and not from an attacker impersonating the IdP. Without this validation, an attacker could forge a SAML response with a manipulated Issuer value, leading to session hijacking or unauthorized access. This is a fundamental SAML security check specified in the SAML 2.0 core specification (section 3.3.4).

Exam trap

The trap here is that candidates often confuse encryption (Option C) with authentication integrity, or focus on binding methods (Option A) or timeouts (Option B), missing that Issuer validation is the critical step to ensure the response comes from the legitimate IdP and prevent session hijacking.

How to eliminate wrong answers

Option A is wrong because HTTP POST binding and HTTP Redirect binding are both valid SAML bindings; the choice between them affects message size and browser behavior but does not directly prevent session hijacking. Option B is wrong because setting a short timeout for the SAML authentication request only limits the window for replay attacks on the initial request, not session hijacking after authentication. Option C is wrong because encrypting SAML assertions with the service provider's public key protects confidentiality of the assertion data but does not prevent an attacker from replaying or forging a valid assertion to hijack a session.

8
MCQmedium

A security architect is designing access controls for a healthcare application where permissions are based on the user's role, the sensitivity of the data, and the context of the access (e.g., time of day). Which access control model best fits this requirement?

A.Role-Based Access Control (RBAC)
B.Mandatory Access Control (MAC)
C.Attribute-Based Access Control (ABAC)
D.Discretionary Access Control (DAC)
AnswerC

ABAC evaluates multiple attributes including user role, data sensitivity, and environment context.

Why this answer

Attribute-Based Access Control (ABAC) is the correct model because it evaluates access decisions based on multiple attributes: the user's role, the data sensitivity (object attributes), and environmental context such as time of day. Unlike simpler models, ABAC can combine subject, resource, and environment attributes using policy rules (e.g., XACML or ALFA) to enforce fine-grained, context-aware permissions, which is essential for healthcare applications with dynamic compliance requirements like HIPAA.

Exam trap

The trap here is that candidates see 'role' in the requirement and immediately choose RBAC, overlooking that the question explicitly includes data sensitivity and context (time of day), which are attributes that only ABAC can combine into a single policy decision.

How to eliminate wrong answers

Option A is wrong because Role-Based Access Control (RBAC) only considers the user's role and does not natively incorporate data sensitivity or environmental context like time of day; it would require additional custom logic or a hybrid model. Option B is wrong because Mandatory Access Control (MAC) enforces access based on fixed security labels (e.g., classification levels) and system-wide policies, not on dynamic attributes like time or user role; it is too rigid for context-aware healthcare scenarios. Option D is wrong because Discretionary Access Control (DAC) allows resource owners to set permissions at their discretion, which cannot enforce organization-wide policies based on data sensitivity or contextual factors like time of day, leading to inconsistent and insecure access.

9
MCQeasy

An organization wants to implement single sign-on (SSO) for multiple cloud applications. Which of the following is the most secure and scalable approach?

A.Implement SAML-based federation
B.Use OAuth for authentication
C.Use the same password for all applications
D.Implement LDAP directory
AnswerA

SAML is the standard for federated identity and SSO, offering secure token exchange and scalable integration.

Why this answer

Option D is correct because SAML-based federation is specifically designed for SSO and identity federation across domains, providing both security and scalability. Option A is incorrect because OAuth is primarily an authorization framework, not an authentication protocol. Option B is incorrect as LDAP is a directory service protocol and does not natively support SSO across web applications.

Option C is incorrect because reusing the same password across applications is insecure and not scalable.

10
MCQmedium

An organization is implementing biometric authentication. Which factor should be considered to minimize the false rejection rate?

A.Lower the sensitivity threshold
B.Increase enrollment sample quality
C.Use liveness detection
D.Store templates securely

Why this answer

The threshold setting balances FRR and FAR; reducing threshold increases FAR but decreases FRR. Liveness detection prevents spoofing, enrollment quality affects overall accuracy, and template storage is about security.

11
MCQeasy

A large enterprise uses Active Directory for authentication. Several users report intermittent authentication failures when accessing internal web applications. The help desk confirms that the failures occur at random times and affect both new and existing users. The security team discovers that the system clocks on domain controllers are within acceptable limits, but some client workstations show time drift of up to 10 minutes. The Kerberos protocol is used for authentication. What is the most likely cause of the authentication failures, and what action should be taken?

A.Implement password complexity policies to reduce authentication errors
B.Enable NTLM fallback authentication for the web applications
C.Synchronize all client workstation clocks using a centralized NTP server
D.Configure Kerberos ticket lifetimes to 24 hours to reduce sensitivity to time skew
AnswerC

Proper time synchronization resolves Kerberos time skew issues.

Why this answer

Kerberos authentication relies on synchronized clocks between clients and domain controllers, with a default maximum time skew tolerance of 5 minutes (RFC 4120). A client clock drift of up to 10 minutes exceeds this tolerance, causing intermittent authentication failures because Kerberos ticket requests are rejected as invalid or replay attacks. Synchronizing all client workstations to a centralized NTP server resolves the time skew and restores Kerberos authentication reliability.

Exam trap

The trap here is that candidates may think increasing Kerberos ticket lifetimes or enabling NTLM fallback will solve the issue, but they overlook the strict time synchronization requirement that is fundamental to Kerberos protocol security.

How to eliminate wrong answers

Option A is wrong because password complexity policies do not address time synchronization issues; they reduce the risk of password guessing but have no effect on Kerberos time skew errors. Option B is wrong because enabling NTLM fallback would degrade security by using a weaker, challenge-response protocol that is vulnerable to pass-the-hash attacks, and it does not fix the root cause of clock drift. Option D is wrong because increasing Kerberos ticket lifetimes does not change the maximum allowable time skew (default 5 minutes); tickets still require synchronized clocks for initial authentication, and a 10-minute drift will still cause failures regardless of ticket lifetime.

12
MCQeasy

A company wants employees to access multiple SaaS applications using a single set of credentials. Which technology should be deployed?

A.Single sign-on (SSO)
B.LDAP directory service
C.Multi-factor authentication (MFA)
D.Federated identity management
AnswerA

SSO enables users to authenticate once and access multiple applications without re-entering credentials.

Why this answer

Single sign-on (SSO) enables users to authenticate once and gain access to multiple SaaS applications without re-entering credentials. It works by establishing a trusted session (often via SAML assertions or OAuth tokens) that is shared across applications, reducing password fatigue and improving user experience. This directly meets the requirement for a single set of credentials across multiple SaaS apps.

Exam trap

The trap here is that candidates confuse federated identity management with SSO, but federation is designed for cross-organizational trust (e.g., using SAML between different companies), whereas SSO is the correct answer for a single organization's internal multi-application access with one credential set.

How to eliminate wrong answers

Option B (LDAP directory service) is wrong because LDAP is a protocol for accessing and maintaining distributed directory information (e.g., user attributes), not a mechanism for providing cross-application authentication with a single credential set; it stores credentials but does not orchestrate SSO sessions. Option C (MFA) is wrong because multi-factor authentication adds an extra layer of security by requiring multiple verification factors, but it does not enable a single set of credentials to access multiple applications; it is often used in conjunction with SSO, not as a replacement. Option D (Federated identity management) is wrong because while it allows identity sharing across different organizations or domains (e.g., using SAML or OpenID Connect), it is broader than SSO and typically involves trust relationships between separate identity providers; the question specifically asks for a technology to let employees access multiple SaaS apps with one credential set within the same company, which is SSO, not federation.

13
MCQhard

Refer to the exhibit. A user is unable to authenticate using Kerberos. What is the most likely cause?

A.The Kerberos ticket-granting ticket (TGT) has expired.
B.The user's account is locked out.
C.The client's system clock is not synchronized with the domain controller.
D.The user's password has expired.
AnswerC

Time offset causes pre-authentication to fail.

Why this answer

Kerberos relies heavily on time synchronization between the client and the Key Distribution Center (KDC) because it uses timestamps to prevent replay attacks. If the client's system clock differs from the domain controller's clock by more than the default maximum tolerance (typically 5 minutes in Windows Active Directory), the KDC will reject the authentication request, resulting in failure. This is the most likely cause because the user is unable to authenticate at all, not just after a period of inactivity.

Exam trap

The trap here is that candidates often assume Kerberos failures are always due to credential issues (expired passwords or locked accounts), but the protocol's strict time synchronization requirement is a classic and frequently tested cause of authentication failures.

How to eliminate wrong answers

Option A is wrong because a TGT expiration would cause a specific error when requesting service tickets, not a complete inability to authenticate; the user would still be able to obtain a new TGT by entering their password. Option B is wrong because a locked-out account would prevent authentication regardless of Kerberos, but the question specifically states the user is unable to authenticate using Kerberos, implying the issue is protocol-specific, not account state. Option D is wrong because an expired password would trigger a password change prompt or a specific 'password expired' error, not a generic authentication failure; Kerberos would still attempt to authenticate with the old password and fail with a specific error code.

14
MCQeasy

A user reports that they cannot access a file share after being moved to a different department. The file share is secured with NTFS permissions and share permissions. The user is a member of the 'Marketing' group, but the file share is only accessible by 'Sales' group. What is the most likely reason?

A.The share permissions deny access to Marketing
B.The user is not a member of the Sales group
C.The user's account is disabled
D.The NTFS permissions deny access
AnswerB

Access is granted only to Sales group; the user is Marketing.

Why this answer

Option A is correct because the user is not a member of the Sales group, which is required for access. Option B is wrong because there is no indication the account is disabled. Option C is wrong because share permissions are not the primary issue.

Option D is wrong because NTFS permissions are not the direct cause.

15
MCQeasy

An organization wants to implement a password policy that balances security and usability. Which of the following is the BEST practice according to current NIST guidelines?

A.Compare new passwords against a list of known compromised passwords
B.Set maximum password length to 8 characters
C.Require password changes every 30 days
D.Enforce a minimum of one uppercase, one lowercase, one digit, and one special character
AnswerA

This prevents use of common passwords from breach data.

Why this answer

NIST SP 800-63B explicitly recommends checking passwords against a list of known compromised passwords (e.g., from previous breaches) rather than enforcing arbitrary complexity rules. This approach directly mitigates credential stuffing and dictionary attacks by rejecting passwords that have already been exposed, while avoiding user frustration from frequent changes or complex composition requirements.

Exam trap

The trap here is that many candidates cling to outdated complexity rules (Option D) or frequent rotation (Option C) because they were once considered security best practices, but NIST now prioritizes breach-checking and longer, memorable passwords over arbitrary composition and expiry.

How to eliminate wrong answers

Option B is wrong because setting a maximum password length to 8 characters contradicts NIST guidance, which recommends a minimum of 8 characters but encourages longer passwords (up to 64 characters or more) to resist brute-force attacks. Option C is wrong because mandatory password changes every 30 days are discouraged by NIST SP 800-63B; frequent changes often lead to weaker passwords and are only recommended when there is evidence of compromise. Option D is wrong because enforcing complex composition rules (uppercase, lowercase, digit, special character) is no longer considered a best practice by NIST; such rules often result in predictable patterns (e.g., 'Password1!') and do not effectively defend against modern attacks like credential stuffing.

16
MCQhard

A medium-sized financial services company recently deployed a new identity governance and administration (IGA) solution to manage user access across on-premises Active Directory and cloud-based SaaS applications. The IGA system uses a role-based access control (RBAC) model with hundreds of roles defined. The company has a policy that all access certifications must be completed quarterly. During the first quarterly certification, the access reviewers complain that they are overwhelmed by the number of entitlements they need to review, and many certifications are not completed on time. The security team also notices that some users have accumulated excessive privileges because role assignments were not properly reviewed. The company wants to streamline the certification process without sacrificing security. Which of the following is the BEST course of action?

A.Increase the certification frequency to monthly and assign more reviewers
B.Eliminate role-based access and assign permissions directly to users
C.Implement a risk-based certification approach that focuses on high-risk access and uses automated certification for low-risk access
D.Automate all certifications by using scripts that approve access if no violations are detected
AnswerC

Reduces reviewer workload while maintaining security on critical access.

Why this answer

Option C is correct because a risk-based certification approach prioritizes high-risk entitlements for manual review while automating the certification of low-risk access, reducing reviewer fatigue and ensuring critical privileges are scrutinized. This aligns with the principle of 'defense in depth' and addresses the core issue of overwhelming certification volume without compromising security, as low-risk access can be certified based on predefined policies and automated workflows.

Exam trap

The trap here is that candidates may choose option D (automate all certifications) because it seems efficient, but they overlook the critical requirement for human oversight in high-risk access decisions, which is a core principle of identity governance and audit compliance.

How to eliminate wrong answers

Option A is wrong because increasing certification frequency to monthly would exacerbate reviewer overload and likely lead to even more incomplete certifications, as it increases the volume of reviews without addressing the root cause of excessive entitlements. Option B is wrong because eliminating role-based access and assigning permissions directly to users would abandon the RBAC model entirely, leading to a chaotic, unmanageable permission structure that violates the principle of least privilege and increases security risk. Option D is wrong because automating all certifications with scripts that approve access if no violations are detected removes human oversight entirely, which could allow inappropriate access to persist if violations are not detected by the scripts, undermining the certification process's purpose of ensuring proper access governance.

17
Multi-Selectmedium

When implementing a federated identity management system, which TWO components are essential for establishing trust between Identity Provider and Service Provider? (Select two.)

Select 2 answers
A.Metadata exchange
B.User directory synchronization
C.Single logout
D.Shared secret
E.Public key certificates
AnswersA, E

Metadata includes endpoints and certificates needed for trust.

Why this answer

Metadata exchange is essential because it allows the Identity Provider (IdP) and Service Provider (SP) to share configuration details such as endpoints, supported SAML bindings, and entity identifiers. This automated exchange establishes the initial trust relationship by ensuring both parties have accurate, verifiable information about each other before any authentication requests occur.

Exam trap

The trap here is that candidates confuse operational components like user synchronization or session management with the foundational trust-establishing mechanisms, forgetting that federated trust relies on cryptographic verification through metadata and certificates, not shared secrets or directory replication.

18
Multi-Selecthard

Which TWO of the following are valid methods to enforce separation of duties in an access control system?

Select 2 answers
A.Requiring mandatory vacations for all employees
B.Using time-based restrictions to prevent overlapping tasks
C.Performing job rotation every six months
D.Configuring shared accounts for each department
E.Implementing role-based access control with mutually exclusive roles
AnswersB, E

Can enforce that two actions cannot be done by same user in same time window.

Why this answer

Time-based restrictions enforce separation of duties by preventing a single user from performing conflicting tasks during overlapping time periods. For example, a user authorized to initiate a payment transaction cannot also approve it within the same time window, ensuring that no single individual has end-to-end control over a sensitive process. This is a technical control that directly supports the principle of separation of duties in an access control system.

Exam trap

The trap here is that candidates confuse administrative controls like mandatory vacations and job rotation with technical access control mechanisms that directly enforce separation of duties at the system level.

19
Multi-Selectmedium

Which TWO are security benefits of using a federated identity model?

Select 2 answers
A.Simplified user management across organizations
B.Stronger authentication due to shared trust
C.Elimination of password policies
D.Reduced risk of credential theft
E.Single point of failure for authentication
AnswersA, B

Federation reduces account duplication and administrative overhead.

Why this answer

Option A is correct because federated identity models allow organizations to trust identities issued by other members of the federation, eliminating the need for separate user accounts and enabling simplified user management across organizational boundaries. This is achieved through standards like SAML 2.0 or OpenID Connect, where identity assertions are exchanged between identity providers (IdPs) and service providers (SPs) without duplicating user directories.

Exam trap

The trap here is that candidates confuse 'federated identity' with 'single sign-on (SSO)' and assume it inherently improves security, when in fact it centralizes trust and can increase the impact of credential theft if the IdP is compromised.

20
Multi-Selecteasy

Which TWO are examples of 'something you know' authentication factors?

Select 2 answers
A.PIN
B.Security question answer
C.Retina scan
D.Fingerprint
E.Smart card
AnswersA, B

A secret known only to the user.

Why this answer

A PIN is a classic 'something you know' authentication factor because it relies on a secret value stored in the user's memory. Unlike biometric or possession-based factors, a PIN does not require any physical token or biological trait—only the recall of the correct numeric sequence. This aligns with the core definition of knowledge-based authentication (KBA) in IAM.

Exam trap

ISC2 often tests the distinction between authentication factor categories, and the trap here is confusing a smart card (possession) or biometric (inherence) with a knowledge factor because they may involve a PIN or password entry step, but the factor type is defined by the primary source of the secret.

21
Multi-Selecteasy

Which TWO of the following are considered the primary access control models in the context of the CISSP? (Select two.)

Select 2 answers
A.Role-Based Access Control (RBAC)
B.Mandatory Access Control (MAC)
C.Attribute-Based Access Control (ABAC)
D.Discretionary Access Control (DAC)
E.Risk-Based Access Control
AnswersB, D

MAC is the other primary model with system-enforced policies.

Why this answer

Mandatory Access Control (MAC) is a primary access control model where access decisions are based on fixed security labels (e.g., classification levels like Top Secret, Secret, Confidential) assigned to subjects and objects by a central authority. The system enforces these labels, and users cannot override them, making it a core model for high-security environments such as military or government systems. In the CISSP context, MAC and DAC are traditionally considered the two foundational models, with RBAC and ABAC often treated as extensions or implementations of DAC.

Exam trap

ISC2 often tests the misconception that RBAC or ABAC are 'primary' models because they are modern and common, but the CISSP exam historically defines MAC and DAC as the two primary models, with others as derivatives or extensions.

22
MCQmedium

A company implements a centralized authentication system using RADIUS for network devices. The security team notices that after a user's password is changed in Active Directory, the user can still authenticate to network devices using the old password for up to 30 minutes. What is the most likely cause?

A.Kerberos ticket lifetime
B.Network devices caching authentication responses
C.Active Directory replication delay
D.RADIUS server caching credentials
AnswerB

Network devices often cache successful authentications, causing the old password to be accepted until cache expires.

Why this answer

Option C is correct because network devices often cache successful authentication responses, so they accept the old password until the cache expires. Option A is wrong because RADIUS servers typically forward authentication to the directory and do not cache credentials. Option B is wrong because it is not the primary cause in this scenario.

Option D is wrong because Kerberos ticket lifetimes are unrelated to password changes in this context.

23
MCQhard

An organization uses a role-based access control (RBAC) model. After an audit, it was discovered that users have accumulated excessive permissions due to role proliferation. The security architect proposes migrating to an attribute-based access control (ABAC) model. Which challenge is MOST likely to be encountered during this migration?

A.Difficulty in assigning roles to users.
B.Reduced performance due to policy evaluation overhead.
C.Lack of support for ABAC in legacy applications.
D.Increased complexity in defining and managing attributes.
AnswerD

ABAC policies depend on attributes; creating and maintaining them is complex.

Why this answer

Option D is correct because migrating from RBAC to ABAC requires defining a comprehensive set of attributes (subject, resource, environment) and the policies that combine them, which is inherently more complex than managing static role assignments. Role proliferation in RBAC often results from an attempt to mimic attribute-based decisions, but ABAC shifts the complexity from role engineering to attribute governance and policy logic, making attribute definition and management the primary challenge.

Exam trap

The trap here is that candidates confuse the operational challenge of performance (Option B) with the architectural challenge of attribute management, but CISSP emphasizes that the most significant hurdle in ABAC adoption is the complexity of defining and governing attributes, not the runtime evaluation speed.

How to eliminate wrong answers

Option A is wrong because RBAC already involves assigning roles to users, and migrating to ABAC eliminates the need for role assignment entirely, replacing it with attribute-based policy evaluation; difficulty in assigning roles is a pre-existing RBAC problem, not a new challenge of migration. Option B is wrong while ABAC can introduce performance overhead due to real-time policy evaluation, this is typically mitigated by policy caching and optimized engines, and it is not the most likely challenge compared to the fundamental complexity of attribute management. Option C is wrong because lack of support for ABAC in legacy applications is a potential integration issue, but it is not the most likely challenge; many legacy systems can be adapted via a policy enforcement point (PEP) or attribute proxy, whereas the core difficulty lies in defining and maintaining the attribute schema and policies themselves.

24
MCQhard

A company is designing an access control system for a highly sensitive database. They want to ensure that only authorized users can access data, and that access is automatically revoked when the user's context changes (e.g., job role change). Which model BEST meets these requirements?

A.Attribute-based access control (ABAC) with dynamic policy evaluation.
B.Discretionary access control (DAC) with access control lists.
C.Role-based access control (RBAC) with periodic reviews.
D.Mandatory access control (MAC) with security labels.
AnswerA

ABAC can evaluate attributes like job role in real time and adjust access.

Why this answer

ABAC with dynamic policy evaluation is the best fit because it uses attributes (user, resource, environment) to make real-time access decisions. This allows access to be automatically revoked when context changes, such as a job role update, without manual intervention or periodic reviews.

Exam trap

The trap here is that candidates often choose RBAC (Option C) because it is role-based and seems to handle role changes, but they miss that RBAC typically requires manual or periodic updates to revoke access, whereas ABAC provides automatic, real-time revocation based on dynamic attribute changes.

How to eliminate wrong answers

Option B (DAC) is wrong because it relies on resource owners to grant permissions via ACLs, which lacks automatic revocation based on context changes and introduces security risks from user-controlled access. Option C (RBAC) is wrong because while it uses roles, it typically requires periodic reviews or manual updates to revoke access when a role changes, not automatic dynamic revocation. Option D (MAC) is wrong because it enforces access based on fixed security labels (e.g., classification levels) and does not adapt to dynamic context changes like job role updates; it is designed for static, hierarchical security policies.

25
Multi-Selecthard

Which THREE are components of a privileged access management (PAM) solution?

Select 3 answers
A.Credential vaulting
B.Password complexity rules
D.Just-in-time privilege elevation
E.Session recording and monitoring
AnswersA, D, E

Securely storing and rotating privileged credentials.

Why this answer

Credential vaulting is a core component of PAM because it securely stores privileged account credentials (e.g., root, admin, service accounts) in an encrypted repository, often using hardware security modules (HSMs) or strong encryption like AES-256. It enforces strict access controls, rotation policies, and checkout/check-in workflows to prevent credential exposure and misuse.

Exam trap

The trap here is that candidates confuse general security best practices (like password complexity or MFA for all users) with the specific architectural components that define a PAM solution, leading them to select options that are not core PAM elements.

26
MCQmedium

A security administrator is configuring role-based access control (RBAC) for a cloud storage system. Which of the following is the best practice for assigning permissions?

A.Use access control lists on each object
B.Implement mandatory access control
C.Create roles based on job functions and assign users to roles
D.Assign permissions directly to users for flexibility
AnswerC

This is the core of RBAC.

Why this answer

Option C is correct because RBAC assigns permissions to roles, then users are assigned to roles, ensuring scalability and manageability. Option A is wrong because direct permissions are difficult to manage. Option B is wrong after all, user-based permissions are not RBAC.

Option D is wrong because MAC is a different model. Option E is wrong because ABAC is attribute-based, not RBAC.

27
MCQhard

An organization uses a custom application that stores user passwords using salted SHA-256 hashes. During a security audit, the auditor recommends migrating to a more secure password storage mechanism. Which of the following is the best recommendation?

A.Use plaintext with database encryption
B.Use AES-256 encryption for passwords
C.Use bcrypt with a cost factor of 12
D.Use MD5 with a salt
E.Use PBKDF2 with 10,000 iterations
AnswerC

bcrypt is designed for password hashing with a work factor that resists brute-force.

Why this answer

bcrypt is a deliberately slow, adaptive password hashing function that includes a built-in salt and a configurable cost factor. A cost factor of 12 makes each hash computation computationally expensive, effectively thwarting brute-force and GPU-based attacks. Unlike SHA-256, which is designed for speed and can be cracked rapidly with modern hardware, bcrypt's design inherently resists parallelization and ASIC/GPU acceleration.

Exam trap

The trap here is that candidates often confuse 'encryption' (reversible) with 'hashing' (one-way) and mistakenly choose AES-256 or database encryption, failing to recognize that password storage must use a slow, salted, one-way hashing algorithm specifically designed for credential protection.

How to eliminate wrong answers

Option A is wrong because storing passwords in plaintext, even with database encryption, exposes them to any attacker who gains access to the decryption key or the running application, violating the fundamental principle of never storing passwords in recoverable form. Option B is wrong because AES-256 encryption is reversible; if the encryption key is compromised, all passwords are instantly exposed, and encryption does not protect against insider threats or application-level breaches. Option D is wrong because MD5 is cryptographically broken and vulnerable to collision attacks, and even with a salt, it is far too fast to compute, allowing attackers to crack hashes at billions per second.

Option E is wrong because while PBKDF2 is a reasonable key derivation function, 10,000 iterations is considered a weak and outdated iteration count; modern recommendations (e.g., NIST SP 800-63B) suggest at least 310,000 iterations for SHA-256, and PBKDF2 is less resistant to GPU/ASIC attacks than bcrypt or Argon2.

28
MCQhard

A financial institution mandates that all administrative access to network devices must go through a privileged access management (PAM) solution. The PAM solution manages and rotates credentials automatically and logs all sessions. Recently, an auditor discovered that a router's configuration was changed outside of the approved change window. PAM logs show no session during that time. The router supports both local and RADIUS authentication. Which of the following is the MOST likely explanation for the unauthorized change?

A.A local account on the router was used that is not managed by the PAM solution.
B.The PAM solution's database was corrupted and failed to log the session.
C.The router's RADIUS configuration pointed to a different, unmonitored authentication server.
D.The network administrator used a shared service account not unique to the PAM system.
AnswerA

Local accounts bypass PAM entirely, allowing unauthorized changes without being logged.

Why this answer

Option D is correct. A local account not managed by PAM would allow direct login without going through the PAM solution, thus bypassing logging and credential management. Option A is less likely because database corruption would cause widespread issues, not a single incident.

Option B is plausible but if the shared account was also managed by PAM, it would still be logged; if not, it is effectively a local account issue. Option C is possible but less likely because it would require modifying the RADIUS configuration without detection.

29
MCQmedium

Refer to the exhibit. An organization attaches this IAM policy to a user. What is a key security limitation of this policy?

A.It only allows the GetObject action, limiting functionality
B.It does not specify a Principal, so access is denied for all
C.It allows all actions except s3:GetObject
D.It allows access from any IP within the 10.0.0.0/8 range, which is too broad
AnswerA

The policy grants only read access, which may be too restrictive for some use cases.

Why this answer

Option A is correct because the policy only grants the s3:GetObject action, which restricts the user to read-only access on S3 objects. This is a key security limitation as it prevents the user from performing other necessary operations like listing buckets (s3:ListBucket) or writing data, which can hinder operational workflows. The policy's narrow scope ensures least privilege but may be too restrictive for roles requiring broader S3 interactions.

Exam trap

ISC2 often tests the misconception that an IAM policy without a Principal is invalid or denies all access, but in identity-based policies, the Principal is implicit and not required.

How to eliminate wrong answers

Option B is wrong because IAM policies attached to a user do not require a Principal element; the Principal is implicitly the user to whom the policy is attached, so access is not denied for all. Option C is wrong because the policy explicitly allows s3:GetObject, not all actions except s3:GetObject; a Deny effect would be needed to block a specific action while allowing others. Option D is wrong because the policy does not include a condition key like aws:SourceIp to restrict access to the 10.0.0.0/8 range; without such a condition, the policy applies globally regardless of IP address.

30
MCQhard

A security analyst discovers that a service account in Active Directory has not had its password changed in 5 years and has domain admin privileges. The account is used by a legacy application that does not support modern authentication protocols. Which of the following is the MOST secure approach to manage this account?

A.Convert the account to a group Managed Service Account (gMSA)
B.Set a very long, complex password and store it in a password manager
C.Decommission the legacy application and migrate to a modern alternative that supports secure authentication
D.Disable the account and create a new service account with limited privileges
AnswerC

Eliminates the risk entirely by removing the service account.

Why this answer

Option D is correct because the best security is to decommission the account and modernize the application. Option A is wrong because group Managed Service Accounts (gMSAs) require Windows Server 2012 or later and application support. Option B is wrong because a long, complex password still has risk of theft and is not automatically rotated.

Option C is wrong because disabling the account would break the application.

31
MCQeasy

A system administrator is configuring an LDAP directory for user authentication. The policy requires that account lockout occurs after a specified number of failed attempts. Which attribute should be configured?

A.failedLoginAttempts
B.lockoutThreshold
C.lockoutDuration
D.passwordLockoutTime
AnswerB

This attribute defines the number of failed attempts before account lockout.

Why this answer

The `lockoutThreshold` attribute in an LDAP directory specifies the maximum number of consecutive failed authentication attempts allowed before the account is locked. This directly satisfies the policy requirement to lock the account after a specified number of failed attempts, making it the correct attribute to configure.

Exam trap

The trap here is that candidates confuse the attribute that sets the failure limit (`lockoutThreshold`) with the attribute that tracks current failures (`failedLoginAttempts`) or the attribute that sets the lockout duration (`lockoutDuration`), leading them to pick a wrong option that describes a related but distinct function.

How to eliminate wrong answers

Option A is wrong because `failedLoginAttempts` is typically an operational attribute that tracks the current count of failed attempts, not a configuration parameter that sets the threshold for lockout. Option C is wrong because `lockoutDuration` defines how long the account remains locked after the threshold is exceeded, not the number of failed attempts that trigger the lockout. Option D is wrong because `passwordLockoutTime` is not a standard LDAP attribute; it may be confused with a timestamp of when the lockout occurred, but it does not set the failure count limit.

32
MCQeasy

A company requires employees to authenticate using a smart card and PIN to access the corporate network. This is an example of which type of authentication?

A.Single-factor authentication
B.Biometric authentication
D.Single sign-on
AnswerC

Correct – smart card (something you have) and PIN (something you know) are two distinct factors.

Why this answer

This scenario requires two distinct authentication factors: something you have (the smart card) and something you know (the PIN). Smart cards store a private key or certificate that must be unlocked by the PIN, and both factors must be presented simultaneously to authenticate. This meets the NIST SP 800-63 definition of multi-factor authentication, specifically two-factor authentication.

Exam trap

The trap here is that candidates may mistakenly think a smart card alone is a single factor, forgetting that the PIN is a separate knowledge factor, or they may confuse two-factor authentication with SSO because both can involve a single login event.

How to eliminate wrong answers

Option A is wrong because single-factor authentication uses only one factor (e.g., just a password or just a smart card), but here both a smart card and a PIN are required. Option B is wrong because biometric authentication relies on physical characteristics like fingerprints or iris patterns, not a smart card and PIN. Option D is wrong because single sign-on (SSO) allows a user to authenticate once and access multiple systems without re-entering credentials, but it does not define the number of factors used in that initial authentication.

33
MCQeasy

A system administrator notices that user accounts are often left active after employees leave the company. Which process should be automated to address this?

A.Single sign-on implementation
B.Password reset policy
D.Automated account provisioning and deprovisioning
AnswerD

This process ensures accounts are created and disabled in sync with HR records.

Why this answer

Automated provisioning and deprovisioning ensures accounts are disabled when employment ends. Password resets and SSO do not solve the issue of stale accounts. MFA adds security but does not remove accounts.

34
MCQmedium

A company uses smart cards for authentication to workstations. A user inserts their smart card but is prompted for a PIN. The user enters the correct PIN but authentication fails. The smart card is not expired. What is the most likely cause?

A.The user's certificate is revoked
B.The PIN is incorrectly stored on the card
C.The smart card driver is outdated
D.The workstation's clock is off by more than 5 minutes
AnswerA

Revoked certificate causes authentication failure despite correct PIN.

Why this answer

When a smart card is used for authentication, the PIN unlocks the private key stored on the card, but the actual authentication typically relies on a certificate chain and the validity of the user's certificate. If the certificate has been revoked (e.g., due to compromise or termination), the Certificate Revocation List (CRL) or Online Certificate Status Protocol (OCSP) check will fail, causing authentication to be denied even though the PIN is correct and the card is not expired.

Exam trap

The trap here is that candidates assume PIN entry failure is the only smart card authentication issue, but the PIN only unlocks the private key; the certificate's revocation status is a separate, often overlooked, layer that can cause authentication to fail after correct PIN entry.

How to eliminate wrong answers

Option B is wrong because the PIN is not stored on the card; the PIN is a user-entered secret used to unlock the card's private key, and if the PIN were incorrectly stored, the card would reject the PIN entry itself, not allow entry and then fail authentication. Option C is wrong because an outdated smart card driver would typically cause the card reader to not be recognized or the card to not be read at all, not allow PIN entry and then fail authentication. Option D is wrong because a workstation clock skew of more than 5 minutes could cause certificate validity period checks to fail, but this would affect the certificate's 'not before' or 'not after' dates, not revocation status; revocation is checked via CRL/OCSP independently of system time.

35
MCQhard

An organization uses a federated identity model with multiple external partners. The identity provider (IdP) notices that some partners are sending outdated SAML assertions. What is the best way to mitigate this issue?

A.Require partners to include a timestamp in the assertion.
B.Increase the NotBefore and NotOnOrAfter time window.
C.Configure the IdP to reject assertions with a stale timestamp using the Conditions element.
D.Implement short-lived assertions and require re-authentication.
AnswerC

This enforces assertion freshness and mitigates replay attacks.

Why this answer

Option C is correct because the SAML Conditions element explicitly defines the validity window for an assertion using NotBefore and NotOnOrAfter attributes. By configuring the IdP to validate these timestamps and reject assertions that fall outside the window, the organization directly enforces assertion freshness without relying on partner-side changes or weakening security.

Exam trap

The trap here is that candidates confuse 'requiring a timestamp' (which is already present) with 'validating the timestamp' (which is the actual control), or they mistakenly think widening the time window is a mitigation when it actually increases risk.

How to eliminate wrong answers

Option A is wrong because SAML assertions already include a timestamp (IssueInstant) and the Conditions element; merely requiring a timestamp does not enforce rejection of stale assertions. Option B is wrong because increasing the NotBefore and NotOnOrAfter time window would actually make the system more permissive to stale assertions, not mitigate the issue. Option D is wrong because implementing short-lived assertions and requiring re-authentication shifts the burden to partners and may cause usability issues; it does not directly address the IdP's ability to reject already-outdated assertions from non-compliant partners.

36
MCQhard

An organization is implementing a privileged access management (PAM) solution for managing administrative credentials. Which of the following is the most critical control to prevent credential theft?

A.Enforcing periodic password changes
B.Just-in-time (JIT) privilege elevation
C.Encrypting stored passwords
D.Multi-factor authentication on admin accounts
E.Session recording and monitoring
AnswerB

JIT reduces standing privileges, limiting the impact of credential theft.

Why this answer

Option A is correct because just-in-time privilege elevation minimizes the window of exposure and reduces standing privileges, which is the most effective against credential theft. Option B is wrong because multi-factor authentication is important but does not prevent theft of cached credentials. Option C is wrong because password rotation is reactive.

Option D is wrong because session recording is detective. Option E is wrong because encryption protects at rest but does not prevent theft in use.

37
MCQhard

A financial services firm recently deployed a multi-factor authentication (MFA) solution for remote access to its trading platform. The MFA requires a one-time password (OTP) via a mobile app, in addition to a username and password. Since deployment, remote traders have complained that the authentication process takes too long, especially during market open hours. The help desk reports that many traders are accidentally locking their accounts due to multiple failed OTP attempts. The security team wants to maintain strong security but improve user experience. Which action should the security team take?

A.Reduce MFA to two factors by removing the OTP requirement
B.Remove MFA requirements during peak hours to improve performance
C.Implement risk-based adaptive MFA that prompts only when anomalous activity is detected
D.Extend the OTP validity window to 10 minutes to reduce time pressure
AnswerC

Adaptive MFA balances security and user experience by requiring additional factors only when risk is elevated.

Why this answer

Option C is correct because risk-based adaptive MFA evaluates the context of each authentication request (e.g., location, device, time, behavior) and only triggers an OTP challenge when the risk score exceeds a threshold. This reduces friction for legitimate traders during peak hours while maintaining strong security against anomalous access attempts, directly addressing the complaint of slow authentication without weakening the overall security posture.

Exam trap

The trap here is that candidates may assume extending the OTP validity window (Option D) is a harmless usability fix, but CISSP tests the understanding that longer OTP windows increase the risk of replay attacks and violate the principle of short-lived credentials, whereas adaptive authentication is the correct balance of security and usability.

How to eliminate wrong answers

Option A is wrong because reducing MFA to two factors by removing the OTP requirement would weaken authentication to only username/password, violating the principle of defense-in-depth and exposing the trading platform to credential theft. Option B is wrong because removing MFA during peak hours creates a predictable window of vulnerability that attackers could exploit, directly contradicting the security team's goal to maintain strong security. Option D is wrong because extending the OTP validity window to 10 minutes increases the window of opportunity for replay attacks (e.g., if an OTP is intercepted or leaked) and does not address the root cause of user frustration—the frequency of unnecessary OTP prompts—while also violating NIST SP 800-63B recommendations for short-lived OTPs.

38
Multi-Selectmedium

Which TWO protocols are commonly used for identity federation?

Select 2 answers
A.LDAP
B.OAuth 2.0
C.OpenID Connect
E.SAML 2.0
AnswersC, E

OpenID Connect is an identity layer on top of OAuth 2.0 for federated authentication.

Why this answer

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that enables clients to verify the identity of an end-user based on the authentication performed by an authorization server. It provides a standardized way to obtain identity claims via an ID token (JWT) and is widely used for federated identity scenarios, such as single sign-on (SSO) across domains. SAML 2.0 is an XML-based protocol for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP), making it a cornerstone of enterprise identity federation.

Exam trap

The trap here is that candidates often confuse OAuth 2.0 with OpenID Connect, mistakenly selecting OAuth 2.0 as a federation protocol when it is solely an authorization framework, not an identity protocol—OpenID Connect is the correct identity layer built on top of it.

39
MCQmedium

During a security assessment, it is found that service accounts have interactive logon rights. What is the BEST remediation?

A.Implement Group Policy to deny interactive logon for service accounts.
B.Ensure service accounts use strong passwords.
C.Use managed service accounts instead.
D.Remove service accounts from the local Administrators group.
AnswerC

MSAs have no interactive logon rights and automatically rotate passwords.

Why this answer

Managed Service Accounts (MSAs) are the best remediation because they are designed specifically for service accounts, automatically manage password changes, and by default have no interactive logon rights. This eliminates the security risk of interactive logon while also addressing password management and reducing administrative overhead. Group Policy changes or manual password policies do not address the underlying architectural issue of using a standard user account for a service.

Exam trap

The trap here is that candidates often choose a Group Policy or password-strength solution because they focus on mitigating the symptom (interactive logon) rather than selecting the architectural fix (MSAs) that eliminates the root cause and aligns with the principle of least privilege and secure design.

How to eliminate wrong answers

Option A is wrong because implementing Group Policy to deny interactive logon for service accounts is a workaround that does not address the root cause; it can be bypassed or misconfigured, and it still leaves the account with other unnecessary privileges and manual password management. Option B is wrong because ensuring strong passwords only mitigates the risk of credential theft but does not prevent interactive logon, which is the primary vulnerability; service accounts should not have interactive logon rights regardless of password strength. Option D is wrong because removing service accounts from the local Administrators group reduces privileges but does not prevent interactive logon; a service account could still log on interactively with lower privileges, which is still a security concern.

40
MCQeasy

A company wants to implement multi-factor authentication (MFA) for remote access. Which combination of factors represents something you have and something you are?

A.Password and PIN
B.Hardware token and mobile phone
C.Smart card and fingerprint
D.Password and SMS code
AnswerC

Smart card (possession) + fingerprint (inherence) = two factors.

Why this answer

Option C is correct because a smart card is a physical device that you possess (something you have), and a fingerprint is a biometric characteristic unique to you (something you are). This combination satisfies the multi-factor authentication requirement by using two distinct factors from different categories, which is more secure than using two factors from the same category.

Exam trap

The trap here is that candidates often confuse 'something you have' with 'something you know' or fail to recognize that two factors from the same category (e.g., two knowledge factors) do not constitute true multi-factor authentication.

How to eliminate wrong answers

Option A is wrong because both a password and a PIN are knowledge-based factors (something you know), so they do not provide multi-factor authentication; they are two instances of the same factor type. Option B is wrong because both a hardware token and a mobile phone are possession-based factors (something you have), which again fails to combine two different factor categories. Option D is wrong because a password is something you know and an SMS code is typically considered something you have (possession of the phone), but SMS codes are vulnerable to interception and SIM-swapping attacks, and more importantly, the question asks for 'something you have and something you are'—an SMS code is not a biometric or inherent characteristic.

41
Multi-Selectmedium

Which THREE of the following are characteristics of a federated identity management system?

Select 3 answers
A.It relies on standard protocols such as SAML or OpenID Connect
B.It operates with a single identity provider for all organizations
C.It requires all participating organizations to use the same user directory
D.It enables identity information to be shared across different security domains
E.It provides single sign-on (SSO) across multiple organizations
AnswersA, D, E

Essential for interoperability.

Why this answer

Option A is correct because federated identity management systems rely on standard protocols like SAML (Security Assertion Markup Language) or OpenID Connect to exchange authentication and authorization data between identity providers (IdPs) and service providers (SPs). These protocols enable trust relationships across different security domains without requiring shared directories or a single IdP.

Exam trap

The trap here is that candidates confuse federation with centralized SSO, assuming a single IdP or shared directory is required, when in fact federation decouples identity providers and directories across organizational boundaries.

42
Multi-Selectmedium

Refer to the exhibit. Which TWO statements about this IAM policy are true?

Select 2 answers
A.The policy grants full administrative access to the bucket.
B.The policy implicitly denies access to users outside the 10.0.0.0/8 IP range.
C.The policy allows all S3 actions on the bucket.
D.The policy applies to all resources in the AWS account.
E.The policy allows read and write operations (GetObject and PutObject) on the example-bucket.
AnswersB, E

The condition prevents the Allow from applying outside that range, resulting in implicit deny.

Why this answer

Options A and C are correct. The policy allows s3:GetObject (read) and s3:PutObject (write) on the specified bucket, and the condition restricts access to the 10.0.0.0/8 IP range, implicitly denying all others. Option B is incorrect because the policy does not allow all S3 actions.

Option D is incorrect because the resource is limited to that specific bucket. Option E is incorrect because the policy only allows two actions, not full administrative access.

43
MCQeasy

A company's help desk receives many requests from users who have forgotten their passwords. Which solution is MOST effective in reducing these requests while maintaining security?

A.Implement a self-service password reset (SSPR) with identity verification.
B.Increase the password expiration period to 180 days.
C.Use single sign-on for all applications.
D.Reduce the password complexity requirements.
AnswerA

Allows users to reset passwords securely without help desk intervention.

Why this answer

Self-service password reset (SSPR) with identity verification directly addresses the root cause of help desk calls—forgotten passwords—by allowing users to reset their own passwords after proving their identity via pre-registered methods (e.g., SMS, security questions, or biometrics). This reduces operational overhead while maintaining security through multi-factor verification and policy enforcement, unlike options that weaken security or fail to address the frequency of resets.

Exam trap

The trap here is that candidates often choose SSO (Option C) thinking it eliminates all password-related issues, but they overlook that SSO still requires a primary password and does not address forgotten-password requests for that single credential.

How to eliminate wrong answers

Option B is wrong because increasing the password expiration period to 180 days reduces the frequency of forced changes but does nothing to help users who forget their current password; it may even increase the risk of forgotten passwords due to longer intervals between use. Option C is wrong because single sign-on (SSO) reduces the number of passwords a user must remember but does not eliminate the need for the primary password; if that password is forgotten, the help desk still receives requests, and SSO introduces a single point of failure. Option D is wrong because reducing password complexity requirements weakens security by making passwords easier to guess or brute-force, violating the principle of defense in depth and increasing the risk of unauthorized access.

44
MCQmedium

A company uses Role-Based Access Control (RBAC) for its ERP system. A user in the 'Accounts Payable' role needs to temporarily approve purchase orders up to $10,000 while the 'Purchasing Manager' is on leave. What is the BEST way to grant this access?

A.Share the Purchasing Manager's account credentials with the user
B.Temporarily assign the 'Purchasing Approver' role to the user with an expiration date
C.Modify the 'Accounts Payable' role to include purchase order approval permissions
D.Create a new role with the exact permissions needed and assign it to the user
AnswerB

This grants needed access for a limited time, maintaining least privilege.

Why this answer

Option B is correct because it follows the principle of least privilege by temporarily assigning the 'Purchasing Approver' role to the user with an expiration date, ensuring that the elevated permissions are automatically revoked after the leave period. This approach maintains RBAC integrity without permanently altering role definitions or sharing credentials.

Exam trap

The trap here is that candidates often choose Option D (creating a new role) because they think it follows least privilege, but they overlook that RBAC best practice is to reuse existing roles with temporary assignments rather than proliferating roles, which violates role-mining principles and adds administrative overhead.

How to eliminate wrong answers

Option A is wrong because sharing the Purchasing Manager's account credentials violates the principle of non-repudiation and accountability, as actions cannot be attributed to the correct user, and it bypasses RBAC entirely. Option C is wrong because modifying the 'Accounts Payable' role to include purchase order approval permissions would permanently grant those rights to all users in that role, violating least privilege and potentially creating a segregation of duties conflict. Option D is wrong because creating a new role with exact permissions is unnecessarily complex and violates RBAC role-mining best practices; it is better to reuse an existing role (Purchasing Approver) with a temporary assignment than to proliferate roles.

45
MCQhard

Refer to the exhibit. A user 'jdoe' is a member of the Domain Users group but not of the Administrators or Remote Desktop Users groups. The user reports they cannot log on locally to a domain-joined Windows server, but they can log on via RDP. Based on the GPO results, what is the MOST likely reason?

A.The user is a member of the Remote Desktop Users group
B.The user is not a member of the local Users group or Administrators group
C.The user is a member of a group that is denied local logon
D.The user is denied logon through Remote Desktop Services
AnswerB

Domain Users are not in the local Users group; local logon is only allowed for Administrators and local Users.

Why this answer

The user 'jdoe' can log on via RDP but not locally because the default security policy on a domain-joined Windows server grants the 'Allow log on locally' right only to the local Administrators group and the local Users group. Since 'jdoe' is a member of Domain Users, which is mapped to the local Users group on a domain-joined server, the user should normally have local logon rights. However, the exhibit shows GPO results that likely indicate the local Users group has been removed from the 'Allow log on locally' policy, or the user is not actually a member of the local Users group (e.g., the server is configured to not map Domain Users to the local Users group).

The most direct reason is that the user is not a member of either the local Users group or the local Administrators group, which are the only groups granted local logon by default.

Exam trap

The trap here is that candidates assume Domain Users automatically have local logon rights on all domain-joined servers, but a GPO can explicitly remove the local Users group from the 'Allow log on locally' policy, effectively blocking all standard domain users from interactive logon.

How to eliminate wrong answers

Option A is wrong because the user can log on via RDP, which requires membership in the Remote Desktop Users group (or having the 'Allow log on through Remote Desktop Services' right); if the user were a member of that group, it would not prevent local logon. Option C is wrong because there is no evidence in the scenario that the user is a member of a group explicitly denied local logon via the 'Deny log on locally' policy; the GPO results would show such a denial if it existed. Option D is wrong because the user can log on via RDP, so they are not denied logon through Remote Desktop Services; the issue is specifically with local logon, not remote logon.

46
MCQeasy

A user calls the help desk because they cannot log in. The help desk technician confirms the user's identity by asking for their employee ID and mother's maiden name. Which of the following is the MOST significant security issue with this practice?

A.The user's mother's maiden name is not stored in the HR system.
B.The technician is using shared secrets that are not effective for strong authentication.
C.The help desk should be using multi-factor authentication.
D.The user's identity is being verified using information that is not unique to the user.
AnswerB

Mother's maiden name is a shared secret that can be easily obtained through social engineering.

Why this answer

Option A is correct because relying on shared secrets like mother's maiden name is weak authentication. Option B is incorrect because the information may be unique but is not secret. Option C is incorrect, while MFA is better, the most significant issue is the use of weak shared secrets.

Option D is incorrect; the information may still be stored.

47
MCQmedium

A security engineer is troubleshooting an issue where users are unable to access a web application after being authenticated via OAuth 2.0. The users receive a 403 Forbidden error. The application logs show that the access token is valid but does not contain the required scope. What is the most likely cause?

A.The resource server is configured to expect a different token type.
B.The client application is not using HTTPS to transmit the token.
C.The access token expired before being presented to the resource server.
D.The authorization server did not grant the requested scope due to user consent settings.
AnswerD

The token lacks the required scope, so the resource server denies access.

Why this answer

The 403 Forbidden error indicates the resource server received a valid access token but denied access because the token lacks the necessary scope. In OAuth 2.0, the authorization server issues tokens based on the scope granted by the user during consent. If the user did not consent to the required scope (e.g., 'write' instead of 'read'), the token will not include it, causing the resource server to reject the request despite the token being valid.

Exam trap

The trap here is confusing token validity (which is about signature, expiration, and issuer) with token authorization (which is about scope); candidates often assume a valid token guarantees access, but OAuth 2.0 separates authentication from authorization, and scope is the key authorization attribute.

How to eliminate wrong answers

Option A is wrong because the resource server validates the token type (e.g., Bearer) via the token's 'typ' header or introspection endpoint; a mismatch would cause a different error (e.g., 401 Unauthorized), not a scope-related 403. Option B is wrong because HTTPS is a transport-layer security requirement; transmitting the token over HTTP could lead to interception but does not affect the token's scope content, and the error is specifically about missing scope, not token theft. Option C is wrong because an expired token would result in a 401 Unauthorized error (or a token refresh request), not a 403 Forbidden; the logs explicitly state the token is valid, ruling out expiration.

48
Drag & Dropmedium

Drag and drop the steps for implementing a digital signature using asymmetric cryptography in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Digital signatures involve hashing the message, encrypting the hash with the private key, attaching, then verifying with the public key.

49
MCQhard

Refer to the exhibit. The PAM configuration shows pam_tally2.so with deny=5 and unlock_time=300. What is the effect of this configuration?

A.The account is disabled after 5 successful logins
B.Passwords must be changed every 5 days
C.Users are locked out after 5 failed login attempts, and automatically unlocked after 5 minutes
D.Users are locked out after 5 failed attempts until manually unlocked
AnswerC

deny=5 means lock after 5 failures; unlock_time=300 means 300 seconds (5 minutes).

Why this answer

Option C is correct because pam_tally2.so with deny=5 locks the user account after 5 failed authentication attempts, and unlock_time=300 sets the automatic unlock period to 300 seconds (5 minutes). This is a standard PAM (Pluggable Authentication Modules) configuration for account lockout policies, commonly used on Linux systems to mitigate brute-force attacks.

Exam trap

The trap here is that candidates confuse pam_tally2.so with password aging or account disablement features, or assume that unlock_time=300 means manual unlock is required, when in fact it specifies automatic unlock after 300 seconds.

How to eliminate wrong answers

Option A is wrong because pam_tally2.so tracks failed logins, not successful logins; disabling after successful logins would be a different mechanism (e.g., account expiration). Option B is wrong because password aging (e.g., 5-day change interval) is configured via pam_unix.so or pam_cracklib.so, not pam_tally2.so. Option D is wrong because unlock_time=300 specifies automatic unlocking after 300 seconds, not manual intervention; manual unlock would require a separate configuration (e.g., pam_tally2.so without unlock_time or with a very high value).

50
MCQmedium

Refer to the exhibit. A user in the 10.1.0.0/16 range attempts to retrieve the object s3://example-bucket/secret/top_secret.pdf. What will be the result?

A.The request is denied because the first statement allows but the second denies.
B.The request is allowed because the Deny statement only applies to the secret prefix, and the IP condition is satisfied for the user in 10.1.0.0/16.
C.The request is allowed because the first statement matches and allows.
D.The request is denied because the condition in the first statement does not match the IP range.
AnswerD

The Allow is not triggered, and the Deny applies.

Why this answer

Option D is correct because the first statement in the policy has a condition that restricts access to requests originating from the IP range 10.2.0.0/16. Since the user is in the 10.1.0.0/16 range, the condition is not satisfied, so the first statement does not apply. Without an explicit Allow that matches the request, the default implicit Deny takes effect, resulting in the request being denied.

Exam trap

The trap here is that candidates assume the first statement's Allow applies globally without checking the IP condition, leading them to think the Deny in the second statement is the deciding factor, when in fact the Allow never matched due to the condition failure.

How to eliminate wrong answers

Option A is wrong because it misinterprets the policy evaluation logic: the first statement does not apply due to the IP condition mismatch, so there is no Allow to override; the Deny in the second statement is irrelevant because the request is already denied by default. Option B is wrong because it incorrectly assumes the Deny statement applies only to the secret prefix, but the Deny is unconditional for s3://example-bucket/secret/*; however, the request is denied earlier due to the lack of a matching Allow. Option C is wrong because the first statement does not match the request since the IP condition requires the source to be in 10.2.0.0/16, not 10.1.0.0/16.

51
MCQmedium

A hospital is implementing an access control system for its electronic health record (EHR) application. The system must ensure that only authorized healthcare providers can access patient records based on their role (doctor, nurse, administrator), department (cardiology, oncology, etc.), and patient consent status. The hospital also needs to support break-the-glass access for emergencies. The current solution uses static role-based access control (RBAC) but fails to enforce department-level restrictions and consent checks. What is the most appropriate access control model to address these requirements?

A.Enhance the existing RBAC model with more granular roles for each department
B.Use mandatory access control (MAC) with security labels per patient record
C.Implement an attribute-based access control (ABAC) system
D.Apply discretionary access control (DAC) allowing providers to set access permissions
AnswerC

ABAC can evaluate multiple attributes and support dynamic policies like consent and emergency access.

Why this answer

Attribute-based access control (ABAC) is the correct choice because it can dynamically evaluate multiple attributes—such as user role, department, patient consent status, and emergency context—to grant or deny access. Unlike static RBAC, ABAC supports fine-grained, context-aware policies that can enforce department-level restrictions and consent checks, and it can incorporate break-the-glass rules by evaluating an emergency attribute or time-based condition.

Exam trap

The trap here is that candidates often assume RBAC can be extended with more roles to cover all requirements, but they miss that RBAC cannot dynamically evaluate multi-attribute conditions like consent status or emergency context without becoming unmanageable, whereas ABAC is designed for exactly such fine-grained, attribute-driven policies.

How to eliminate wrong answers

Option A is wrong because simply adding more granular roles to RBAC would still result in a static, role-based model that cannot evaluate dynamic attributes like patient consent status or emergency context; it would require an explosion of roles (e.g., 'Cardiology-Nurse-ConsentYes') that is impractical and does not support break-the-glass. Option B is wrong because MAC uses fixed security labels (e.g., classification levels) assigned by a central authority and cannot dynamically enforce consent status or department-specific rules based on user attributes; it is designed for confidentiality hierarchies, not fine-grained, multi-attribute policies. Option D is wrong because DAC allows data owners (e.g., individual providers) to set permissions, which violates the hospital's need for centralized, policy-driven enforcement of department and consent restrictions and would introduce security inconsistencies and potential unauthorized sharing.

52
MCQhard

An organization uses a federated identity system with SAML. A new service provider (SP) is added, but users cannot authenticate. The identity provider (IdP) logs show that the SAML response is signed correctly, but the SP rejects it. What is the most likely issue?

A.The SP does not support HTTP-POST binding
B.The IdP's clock is skewed
C.The SAML assertion is not encrypted
D.The user's browser cookies are blocked
E.The SP's metadata is missing the IdP's certificate
AnswerE

Without the IdP's certificate, the SP cannot validate the signature, so it rejects.

Why this answer

Option E is correct because the SP must have the IdP's signing certificate in its metadata to validate the SAML response signature. If the SP's metadata is missing the IdP's certificate, the SP cannot verify the signature, causing it to reject the response even though the IdP logs show it was signed correctly.

Exam trap

The trap here is that candidates confuse signature validation with encryption or assume clock skew is the default issue, but the core problem is missing trust material in the SP's metadata, not cryptographic failures or transport issues.

How to eliminate wrong answers

Option A is wrong because HTTP-POST binding is widely supported and the SP would typically reject the initial request, not a signed response, if it lacked support. Option B is wrong because clock skew would cause the SP to reject the SAML response due to invalid timestamps (NotBefore/NotOnOrAfter), not because of a missing certificate. Option C is wrong because SAML assertion encryption is optional and not required for authentication; the SP can reject a response for missing encryption only if it explicitly requires it, but the question states the response is signed correctly, pointing to a trust issue.

Option D is wrong because blocked browser cookies would prevent session management after authentication, not the initial SAML response validation at the SP.

53
MCQhard

A multinational corporation deploys a single sign-on (SSO) solution using SAML 2.0 across all subsidiaries. Recently, users in one subsidiary report being unable to access an internal application. The identity provider (IdP) logs show successful authentication, but the service provider (SP) logs indicate assertion validation failures. Which of the following is the MOST likely cause?

A.The system clocks on the IdP and SP are significantly out of sync
B.The SP is configured to require a specific SAML attribute not present in the assertion
C.The IdP server for the subsidiary is temporarily unreachable
D.The SAML certificate used by the SP has expired
AnswerA

SAML assertions include timestamps; clock skew leads to validation failure.

Why this answer

SAML 2.0 relies on timestamps (NotBefore and NotOnOrAfter) within the assertion for validity. If the system clocks on the identity provider (IdP) and service provider (SP) are significantly out of sync, the SP will reject the assertion as expired or not yet valid, even though the IdP logs show successful authentication. This is the most common cause of assertion validation failures in cross-domain SSO deployments.

Exam trap

The trap here is that candidates confuse assertion validation failures (which involve timestamps, signatures, or conditions) with authentication failures (which involve credentials or IdP reachability), leading them to incorrectly select options like IdP unreachability or certificate expiration.

How to eliminate wrong answers

Option B is wrong because a missing required SAML attribute would cause an authorization failure or attribute mismatch error, not an assertion validation failure; the SP would still validate the assertion's signature and timestamps first. Option C is wrong because if the IdP server were unreachable, the user would not be able to authenticate at all, and the IdP logs would not show successful authentication. Option D is wrong because an expired SAML certificate would cause a signature validation failure, not a generic assertion validation failure; the SP would log a certificate-related error, not a timestamp or validity period issue.

54
MCQhard

A financial services company with 5000 employees uses a hybrid identity model with on-premises Active Directory (AD) synchronized to Azure AD via Azure AD Connect. The company has recently deployed Microsoft 365 and uses it for email and file sharing. Users authenticate to Azure AD using password hash synchronization (PHS) with Seamless Single Sign-On (SSO). The security team has implemented Conditional Access policies to require multi-factor authentication (MFA) for all external access and for access to sensitive financial applications. Recently, the help desk has received numerous complaints from users working remotely that they are frequently prompted for MFA, even multiple times during a single work session, causing frustration and productivity loss. Additionally, some users report that they are unable to access certain financial applications despite being in the correct group membership. An investigation reveals that Azure AD Connect synchronization is occurring successfully and that MFA configurations appear correct. The security team suspects that the issue may be related to the Conditional Access session settings or token lifetimes. What is the BEST course of action to diagnose and resolve the primary issue of excessive MFA prompts while maintaining security?

A.Implement a privileged identity management (PIM) solution to manage access to the financial applications.
B.Increase the sign-in frequency and session timeout values in the Conditional Access policies for all users to 24 hours.
C.Review the Conditional Access policy for the financial applications to ensure that the 'Session' controls are configured to 'Use app enforced restrictions' and adjust MFA trust settings.
D.Disable Seamless SSO and require users to enter passwords each time to ensure token freshness.
AnswerC

Session controls can configure MFA reauthentication frequency and improve user experience.

Why this answer

Option C is correct because the issue of excessive MFA prompts while maintaining security is best resolved by reviewing the Conditional Access session controls. Specifically, the 'Sign-in frequency' and 'Persistent browser session' settings in the session controls determine how often users are re-prompted for MFA. By adjusting these settings (e.g., setting sign-in frequency to a longer duration like 24 hours) and ensuring MFA trust settings are configured to allow trusted devices or locations, the security team can reduce unnecessary prompts without weakening security.

This directly addresses the user complaints while keeping Conditional Access policies intact.

Exam trap

The trap here is that candidates may confuse session controls with authentication methods or assume that increasing token lifetimes globally (Option B) is the solution, when in fact the issue is about Conditional Access session settings that control MFA re-prompt behavior, not about overall token expiration.

How to eliminate wrong answers

Option A is wrong because Privileged Identity Management (PIM) is designed for just-in-time privileged access management, not for controlling MFA prompt frequency for general users accessing financial applications. Option B is wrong because blindly increasing sign-in frequency and session timeout values to 24 hours for all users could weaken security by allowing prolonged access without re-authentication, and it does not address the specific session control misconfiguration that causes excessive prompts. Option D is wrong because disabling Seamless SSO would force users to re-enter passwords frequently, increasing friction and not resolving the MFA prompt issue; token freshness is already managed by token lifetimes and session settings, not by disabling SSO.

55
MCQmedium

Refer to the exhibit. A RADIUS server log shows multiple successful authentications for the same user followed by failures. What is the most likely cause?

A.The user's account is locked due to multiple failed attempts
B.The user's password has expired
C.The RADIUS server is misconfigured with a wrong secret
D.The user is a victim of credential stuffing
AnswerA

After several failed attempts, the account lockout policy triggers, causing subsequent failures. The earlier successes may be from another session or before lockout.

Why this answer

The RADIUS log shows successful authentications followed by failures for the same user. This pattern indicates that the user's password was correct initially, but subsequent failures triggered an account lockout policy. Account lockout is a common security control that disables an account after a threshold of failed attempts, preventing further authentication even with the correct password.

Exam trap

The trap here is that candidates may confuse account lockout with password expiry or credential stuffing, but the specific sequence of successes followed by failures uniquely points to lockout, not a global authentication failure.

How to eliminate wrong answers

Option B is wrong because a password expiry would cause failures for all attempts after expiry, not a mix of successes and failures. Option C is wrong because a misconfigured RADIUS secret would cause all authentication attempts to fail, not just some. Option D is wrong because credential stuffing typically results in a burst of failures from different IP addresses or user agents, not a pattern of successes followed by failures for the same user.

56
Multi-Selecteasy

An organization plans to allow employees to access third-party SaaS applications using their corporate credentials. Which THREE are necessary components for implementing SAML-based identity federation?

Select 3 answers
A.Service Provider (SP)
B.Bcrypt password hashing
C.Identity Provider (IdP)
D.RADIUS server
E.XML digital signatures
AnswersA, C, E

The SP consumes SAML assertions to grant access to the application.

Why this answer

Option A is correct because the Service Provider (SP) is the entity that hosts the SaaS application and relies on the Identity Provider (IdP) to authenticate users. In SAML-based identity federation, the SP receives a SAML assertion from the IdP and uses it to grant access, making it a necessary component of the trust relationship.

Exam trap

The trap here is that candidates confuse authentication protocols (like RADIUS or password hashing) with federation components, forgetting that SAML is an XML-based assertion framework that requires an IdP, SP, and digital signatures, not network-level or storage mechanisms.

57
MCQmedium

A multinational corporation has experienced several security incidents where terminated employees retained access to internal systems for weeks after their departure. The HR department manually terminates accounts by sending notifications to IT, but the process is often delayed or missed. The company uses an identity management system (IDM) that supports automated provisioning and deprovisioning. The security team is tasked with reducing the risk of unauthorized access by former employees. Which of the following is the most effective course of action?

A.Integrate the HR system with the identity management system for automated deprovisioning
B.Require terminated employees to change their passwords upon exit
C.Increase frequency of access reviews and audits to identify stale accounts
D.Implement a user self-service portal for managers to disable accounts
AnswerA

Automated deprovisioning ensures accounts are disabled immediately when an employee is terminated.

Why this answer

Integrating HR systems with the IDM enables automated deprovisioning immediately upon termination. Increasing audits (B) only detects problems after the fact. Implementing user self-service (C) does not address timely deprovisioning.

Requiring strong passwords (D) is irrelevant to the issue of account removal.

58
Matchingmedium

Match each access control type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Owner controls access permissions

System-enforced based on labels

Access based on job roles

Access based on rules and policies

Why these pairings

These are the main access control models.

59
Multi-Selecthard

Which THREE access control models support the principle of least privilege?

Select 3 answers
A.Role-Based Access Control (RBAC)
B.Attribute-Based Access Control (ABAC)
C.Rule-Based Access Control (RuBAC)
D.Discretionary Access Control (DAC)
E.Mandatory Access Control (MAC)
AnswersA, B, E

RBAC assigns permissions to roles, which can be scoped to minimum necessary.

Why this answer

Role-Based Access Control (RBAC) supports least privilege by assigning permissions to roles rather than individuals, and users are granted only the permissions necessary for their job functions. This aligns with the principle because roles can be scoped to the minimum required access, and users cannot exceed the permissions of their assigned roles.

Exam trap

The trap here is that candidates often confuse Rule-Based Access Control (RuBAC) with RBAC, or assume that DAC inherently supports least privilege because owners can limit access, but DAC lacks centralized enforcement and allows users to delegate permissions arbitrarily, leading to privilege escalation.

60
MCQhard

An organization is implementing federated identity to allow partners to access its web application. The solution must support single logout and attribute exchange. Which protocol is most appropriate?

A.SAML 2.0
B.OpenID Connect
C.LDAP
D.OAuth 2.0
AnswerA

SAML 2.0 is a mature protocol with built-in single logout and attribute query capabilities.

Why this answer

SAML 2.0 is the most appropriate protocol because it natively supports both single logout (SLO) and attribute exchange as core features. It uses XML-based assertions to transfer identity and attribute data between an identity provider (IdP) and a service provider (SP), and its SLO mechanism ensures that when a user logs out from one application, all sessions across participating services are terminated simultaneously.

Exam trap

The trap here is that candidates often confuse OAuth 2.0 with OpenID Connect or assume that OAuth 2.0 alone can handle authentication and logout, but OAuth 2.0 is strictly an authorization protocol and lacks the session management and attribute exchange features required for federated identity.

How to eliminate wrong answers

Option B (OpenID Connect) is wrong because, while it supports single logout via RP-initiated logout, it does not natively support attribute exchange in the same structured manner as SAML; it relies on scopes and claims, which are less suited for complex enterprise attribute sharing. Option C (LDAP) is wrong because it is a directory access protocol for querying and modifying directory services, not a federated identity protocol; it lacks built-in support for single logout and cross-domain attribute exchange. Option D (OAuth 2.0) is wrong because it is an authorization framework, not an authentication protocol; it does not provide single logout or attribute exchange—those are handled by OpenID Connect when layered on top, but OAuth 2.0 alone is insufficient.

61
MCQhard

During an audit, it is discovered that several users have inherited permissions through nested group memberships that violate least privilege. What is the best approach to correct this?

A.Implement periodic access reviews and attestation
B.Re-certify group memberships quarterly
C.Provide training on least privilege
D.Revoke all group memberships and assign individually
AnswerA

Access reviews allow managers to validate and revoke excessive permissions, including inherited ones.

Why this answer

Periodic access reviews and attestation (Option A) are the best approach because they establish a continuous governance process where data owners or managers formally confirm that inherited permissions from nested group memberships remain appropriate. This directly addresses the root cause—unchecked group nesting—by enforcing regular validation of access rights against the principle of least privilege, rather than relying on a one-time fix or training.

Exam trap

The trap here is that candidates often choose a one-time technical fix (like revoking all memberships) or a generic training option, failing to recognize that the CISSP exam emphasizes governance processes like periodic attestation as the sustainable solution for ongoing compliance with least privilege.

How to eliminate wrong answers

Option B is wrong because re-certifying group memberships quarterly is a subset of periodic access reviews but lacks the attestation component; attestation requires explicit confirmation of necessity, whereas re-certification may only verify membership without evaluating the underlying permissions inherited through nesting. Option C is wrong because training on least privilege, while valuable for awareness, does not correct existing misconfigurations or remove inherited permissions that violate the principle; it is a preventive measure, not a corrective one. Option D is wrong because revoking all group memberships and assigning individually is overly disruptive, ignores the legitimate need for group-based access management, and violates the principle of manageability; it also fails to address the underlying issue of nested group inheritance, which would require re-engineering the group structure rather than a blanket revocation.

62
MCQhard

Refer to the exhibit. A SAML response is received by the service provider. Which security issue is present?

A.The NameID format is incorrect
B.The assertion is not signed
C.The validity window is too short
D.The subject confirmation method is insecure
AnswerB

Without a signature, the assertion could be tampered with during transmission.

Why this answer

The SAML response shown in the exhibit lacks a digital signature on the assertion itself. Without the assertion being signed, a man-in-the-middle attacker could modify the assertion content (e.g., change the user identifier or attributes) after the response leaves the identity provider but before it reaches the service provider. SAML Core specification (OASIS SAML 2.0) requires that either the entire response or the individual assertion be signed to ensure integrity and non-repudiation; here, neither is signed, making the assertion vulnerable to tampering.

Exam trap

The trap here is that candidates often assume the 'bearer' subject confirmation method is the security flaw, but the real issue is the absence of a digital signature on the assertion, which is a distinct and critical integrity control.

How to eliminate wrong answers

Option A is wrong because the NameID format (e.g., 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') is syntactically correct and commonly used; there is no indication of an incorrect format in the exhibit. Option C is wrong because the validity window (NotBefore and NotOnOrAfter) appears reasonable (e.g., a 5-minute window) and is not inherently insecure; a short window actually reduces risk, not introduces it. Option D is wrong because the subject confirmation method (e.g., 'bearer') is standard for Web SSO and is not inherently insecure; the issue is the lack of signing, not the confirmation method itself.

63
MCQhard

A security engineer is troubleshooting an authentication failure for a Windows domain user. The user receives 'Access denied' when trying to access a file server. The Kerberos ticket-granting ticket was successfully obtained. What is the most likely issue?

A.The file server is not trusted for delegation
B.The user does not have permission to the file server resource
C.The user account is locked out
D.Time skew between client and domain controller
AnswerB

After getting a service ticket, the file server checks ACLs; if denied, it returns 'Access denied'.

Why this answer

Since the Kerberos ticket-granting ticket (TGT) was successfully obtained, the user has authenticated to the domain and the Kerberos authentication process is functioning correctly. The 'Access denied' error at the file server indicates that the user lacks the necessary permissions on the specific resource (share or NTFS), which is a separate authorization step after successful authentication.

Exam trap

The trap here is that candidates confuse authentication (Kerberos TGT success) with authorization (resource permissions), assuming a successful TGT implies full access, when in fact Kerberos only proves identity and does not grant resource-level rights.

How to eliminate wrong answers

Option A is wrong because 'trusted for delegation' is a Kerberos extension used for service impersonation (e.g., when a service needs to act on behalf of a user to access another resource), not for basic file server access; a file server does not need to be trusted for delegation to grant or deny resource permissions. Option C is wrong because if the user account were locked out, the TGT request would fail with a specific Kerberos error (e.g., KDC_ERR_CLIENT_REVOKED), and the user would not have obtained a TGT. Option D is wrong because time skew between client and domain controller would prevent TGT acquisition entirely (Kerberos requires clock synchronization within 5 minutes by default, per RFC 4120), so a successful TGT proves time is synchronized.

64
Multi-Selecteasy

Which TWO of the following are types of access control models?

Select 2 answers
A.Discretionary Access Control (DAC)
B.SAML
C.Kerberos
D.Role-Based Access Control (RBAC)
E.LDAP
AnswersA, D

An access control model.

Why this answer

Discretionary Access Control (DAC) is an access control model where the owner of a resource (e.g., a file or object) has the authority to grant or deny access to other subjects. This is typically implemented using Access Control Lists (ACLs) on objects, allowing the owner to set permissions (e.g., read, write, execute) for specific users or groups. DAC is defined in the Trusted Computer System Evaluation Criteria (TCSEC) as a fundamental model for controlling access based on the identity of subjects and/or the groups to which they belong.

Exam trap

The trap here is that candidates confuse authentication and authorization protocols (SAML, Kerberos, LDAP) with access control models, which are abstract frameworks for defining how access decisions are made, not the mechanisms that implement them.

65
Multi-Selecthard

A security analyst is reviewing an organization's password policy. Which THREE of the following are considered best practices for password security according to current NIST guidelines? (Select three.)

Select 3 answers
A.Enforce password history of 10
B.Require password changes every 30 days
C.Allow password hints
E.Use a minimum password length of 8
AnswersA, D, E

Password history prevents reuse of recent passwords.

Why this answer

Option A is correct because NIST SP 800-63B recommends enforcing a password history to prevent users from reusing recent passwords, with a typical value of 10-24 previous passwords. This reduces the risk of password recycling attacks where compromised credentials are reused. Option D is correct because multi-factor authentication (MFA) is a core NIST recommendation to add an additional layer of security beyond passwords, mitigating credential theft.

Option E is correct because NIST now advises a minimum password length of 8 characters (or more) as a primary defense against brute-force attacks, rather than relying on complexity rules.

Exam trap

ISC2 often tests the outdated NIST recommendation of mandatory password changes every 30-90 days, which is now explicitly discouraged in current guidelines, causing candidates to select option B incorrectly.

66
MCQeasy

An auditor finds that a system uses the same service account for multiple applications. Which risk does this pose?

A.Increased attack surface due to multiple passwords
B.Difficulty in auditing because all applications share one account
C.Inability to rotate passwords without affecting all applications
D.Single point of failure for authentication
AnswerC

Password rotation requires coordinating all dependent applications.

Why this answer

Option B is correct because changing the password of the shared service account would break all applications that depend on it without coordinated effort. Option A is wrong because there is only one account, not multiple. Option C is wrong because single point of failure is about availability, not credential management.

Option D is wrong because it does not increase attack surface directly. Option E is wrong because it simplifies management but introduces risk.

67
MCQmedium

A healthcare organization implements a policy requiring all employees to use biometric fingerprint scanners to access patient records. Which of the following is the MOST significant risk associated with this authentication method?

A.Biometric data cannot be revoked or changed if compromised
B.High false acceptance rate leading to unauthorized access
C.Low user acceptance due to privacy concerns
D.Increased login time compared to password authentication
AnswerA

Biometric traits are permanent; once stolen, they cannot be replaced.

Why this answer

Biometric data, such as fingerprint templates, is immutable and permanently tied to the individual. Once compromised, the user cannot simply 'reset' their fingerprint like a password, rendering the authentication factor permanently insecure for that user across all systems where it is used. This non-repudiation and revocation failure represents the most significant long-term risk to the organization's identity management infrastructure.

Exam trap

The trap here is that candidates focus on the immediate operational risks (FAR, user acceptance, or speed) rather than the fundamental, long-term security property of biometrics: the inability to revoke or change the credential, which is the most critical risk in identity and access management.

How to eliminate wrong answers

Option B is wrong because modern fingerprint scanners (e.g., capacitive or ultrasonic) have very low false acceptance rates (FAR), typically below 0.001%, making unauthorized access via FAR a less significant risk than the permanent compromise of biometric data. Option C is wrong because while privacy concerns may affect user acceptance, they are a secondary operational issue, not the most significant security risk; the primary risk is the irreversible loss of the authentication factor itself. Option D is wrong because increased login time is a usability inconvenience, not a security risk, and modern scanners authenticate in under one second, making this negligible compared to the revocation problem.

68
MCQmedium

An organization's security policy requires that privileged accounts have their passwords changed every 30 days and be monitored. Which solution effectively manages these requirements?

A.Role-based access control
B.Enterprise password manager
C.Privileged Access Management (PAM) solution
D.Single sign-on for administrators
AnswerC

PAM provides password rotation, vaulting, session monitoring, and audit trails.

Why this answer

A Privileged Access Management (PAM) solution is specifically designed to manage privileged accounts, enforce password rotation policies (e.g., every 30 days), and provide detailed monitoring and auditing of privileged sessions. It automates password changes, vaults credentials, and logs all access, directly meeting the policy requirements for privileged accounts.

Exam trap

The trap here is that candidates confuse a general password manager (Option B) with a PAM solution, overlooking that PAM adds session monitoring, auditing, and just-in-time access for privileged accounts, which are critical for compliance.

How to eliminate wrong answers

Option A is wrong because Role-Based Access Control (RBAC) manages access rights based on roles, not password lifecycle or monitoring of privileged accounts. Option B is wrong because an enterprise password manager typically stores and rotates passwords for general users, but lacks the session monitoring, auditing, and just-in-time access controls required for privileged accounts. Option D is wrong because Single Sign-On (SSO) for administrators simplifies authentication but does not enforce password rotation or provide the granular monitoring and vaulting needed for privileged accounts.

Ready to test yourself?

Try a timed practice session using only IAM questions.