CCNA Access Controls Questions

66 questions · Access Controls · All types, answers revealed

1
MCQeasy

In which access control model does the owner of a resource have full discretion over who can access it and with what permissions?

A.Attribute-Based Access Control (ABAC)
B.Discretionary Access Control (DAC)
C.Role-Based Access Control (RBAC)
D.Mandatory Access Control (MAC)
AnswerB

DAC allows data owners to grant or deny access based on their discretion, making it the correct model.

Why this answer

Discretionary Access Control (DAC) is the model where the resource owner has full authority to grant or deny access to other subjects and to set the permissions (e.g., read, write, execute) on the object. This is typically implemented through Access Control Lists (ACLs) on files or objects, as seen in Windows NTFS or Linux file permissions, where the owner can change permissions using commands like `chmod` or through GUI properties.

Exam trap

The trap here is that candidates often confuse DAC with RBAC because both involve user-based permissions, but the key distinction is that DAC gives the resource owner full discretion, whereas RBAC enforces access based on organizational roles, not individual owner decisions.

How to eliminate wrong answers

Option A (ABAC) is wrong because ABAC evaluates access based on attributes of the subject, object, and environment (e.g., time of day, location) using policy rules, not by owner discretion. Option C (RBAC) is wrong because RBAC assigns permissions based on predefined roles within an organization, and the owner does not have full discretion; access is determined by role membership, not individual owner decisions. Option D (MAC) is wrong because MAC enforces access decisions based on system-wide security labels (e.g., classification levels like Top Secret) and the owner cannot override these; labels are set by the system or security administrator, not the resource owner.

2
MCQhard

A large financial institution has deployed a new web application for customer account management. The application uses role-based access control (RBAC) with roles such as Customer, Teller, Manager, and Admin. Recently, an audit revealed that a Teller was able to view and modify account details belonging to customers outside their assigned branch. The application authenticates users via the corporate Active Directory and uses AD groups for role mapping. The Teller's AD group membership was verified to be correct. The security team suspects a flaw in the authorization logic. Which of the following is the MOST likely root cause?

A.The application's role-to-permission mapping is based on group SID rather than group name.
B.The application does not perform proper session management.
C.The application fails to validate the user's branch attribute after authentication.
D.The application uses a horizontal privilege escalation vulnerability.
AnswerC

The application likely uses the Teller role correctly but does not check the user's branch attribute to restrict access to only customers from the same branch, allowing cross-branch access.

Why this answer

The Teller's AD group membership was verified correct, so the role mapping (RBAC) is functioning. However, the Teller could access accounts outside their assigned branch, indicating the application lacks a post-authentication check of the user's branch attribute. This is a classic failure of attribute-based access control (ABAC) within an RBAC framework, where the application must validate the user's branch (e.g., from an AD attribute like 'physicalDeliveryOfficeName' or a custom attribute) against the account's branch before allowing read/write operations.

Exam trap

The trap here is that candidates confuse the symptom (horizontal privilege escalation) with the root cause (missing attribute validation), or they incorrectly assume that correct AD group membership guarantees proper authorization without considering contextual attributes like branch.

How to eliminate wrong answers

Option A is wrong because group SID and group name are both unique identifiers; using either would not cause a branch-level authorization failure if the group membership is correct. Option B is wrong because session management issues (e.g., session fixation, hijacking) would allow unauthorized access across users, not specifically to accounts in other branches while maintaining the correct role. Option D is wrong because horizontal privilege escalation refers to accessing another user's data at the same privilege level, which is exactly what happened, but it is a symptom, not the root cause; the root cause is the missing branch validation.

3
MCQeasy

A small company with 50 employees uses a local file server for sharing documents. Each employee has a username and password for authentication. The company wants to implement an additional layer of security to protect sensitive data without incurring high costs. They are considering using smart cards or biometric scanners. However, the budget is limited, and employees often work remotely. Which of the following is the most cost-effective and practical approach to strengthen authentication?

A.Implement a one-time password (OTP) system via a mobile app.
B.Increase password complexity requirements and enforce periodic changes.
C.Issue USB tokens to all employees.
D.Use Windows Hello facial recognition on company laptops.
AnswerA

OTP via mobile app is a low-cost, easy-to-deploy second factor that works with employees' own smartphones, regardless of location.

Why this answer

One-time password (OTP) via a mobile app is low-cost, does not require additional hardware, and works well for remote employees by providing a second factor without relying on location-specific devices. Smart cards or USB tokens require hardware purchase and distribution. Biometrics like Windows Hello require compatible hardware and may not be available on all remote devices.

Increasing password complexity is not multi-factor authentication and does not add a second factor.

4
MCQhard

A multinational corporation is migrating its on-premises applications to a cloud provider. The identity management infrastructure must support single sign-on (SSO) across multiple cloud services and maintain on-premises Active Directory as the authoritative identity source. The security team is concerned about credential stuffing attacks and password spray attacks. They want to implement a risk-based access policy that requires additional verification when logins originate from unusual locations or devices. Additionally, they need to ensure that user accounts are provisioned and deprovisioned in the cloud in near real-time based on AD changes. Which of the following solutions BEST meets these requirements?

A.Deploy a VPN that requires smart card authentication for all cloud access.
B.Implement a SAML-based federation with AD FS and integrate with Azure AD Conditional Access policies.
C.Use OAuth 2.0 with client credentials grant for all applications.
D.Set up a separate cloud identity store and synchronize passwords using a directory sync tool.
AnswerB

AD FS federates on-premises AD with Azure AD, enabling SSO. Azure AD Conditional Access provides risk-based policies. Azure AD Connect synchronizes directory changes near real-time.

Why this answer

SAML-based federation with AD FS and Azure AD Conditional Access provides SSO, risk-based policies (Conditional Access uses real-time signals like location and device), and near-real-time provisioning via Azure AD Connect. VPN with smart cards does not provide SSO or risk-based policies. OAuth 2.0 with client credentials is not for user authentication.

A separate cloud identity store with password sync introduces delays and does not support risk-based access.

5
MCQmedium

A user reports that they cannot access a network share. The administrator checks the share permissions and NTFS permissions. The share permission allows Everyone: Read, and the NTFS permission allows the user: Full Control. What is the user's effective access?

A.Read
B.Full Control
C.No access
D.Modify
AnswerA

The effective permission is the most restrictive: share Read vs NTFS Full Control, so Read.

Why this answer

When accessing a network share, the effective permissions are the most restrictive of the share permissions and the NTFS permissions. Here, the share permission is Read and the NTFS permission is Full Control. The most restrictive permission is Read, so the user's effective access is Read.

Exam trap

The trap here is that candidates often assume the user gets the higher of the two permissions (Full Control) rather than the most restrictive, leading them to incorrectly select Full Control.

How to eliminate wrong answers

Option B is wrong because Full Control is not the effective access; the share permission restricts it to Read, as the effective permission is the most restrictive of the two sets. Option C is wrong because the user does have access—specifically Read access—since neither permission denies access outright. Option D is wrong because Modify is a higher permission than Read and is not granted; the share permission explicitly limits access to Read only.

6
Multi-Selecteasy

Which TWO are components of the AAA framework? (Choose two.)

Select 2 answers
A.Authorization
B.Auditing
C.Accounting
D.Administration
E.Authentication
AnswersA, E

Authorization determines access rights.

Why this answer

Authorization (A) and Authentication (E) are two of the three core components of the AAA framework, as defined by Cisco and the IETF in RFC 2903 and RFC 2904. Authentication verifies the identity of a user or device (e.g., using RADIUS or TACACS+), while Authorization determines what resources or actions that authenticated entity is permitted to access. Together with Accounting, these three form the AAA triad used in network access control and security policy enforcement.

Exam trap

ISC2 often tests the AAA framework by including 'Auditing' as a distractor, leading candidates to confuse it with 'Accounting' because both involve logging, but Accounting is the correct term for tracking resource consumption in AAA.

7
MCQeasy

A security policy requires that all access to sensitive data be logged. Which access control function does this support?

A.Authentication
B.Authorization
C.Accounting
D.Provisioning
AnswerC

Accounting tracks and logs user actions for auditing.

Why this answer

The requirement to log all access to sensitive data directly supports the Accounting (auditing) function of access controls. Accounting tracks user activities and resource usage, providing an audit trail that can be reviewed for compliance, security incidents, and policy enforcement. This is distinct from Authentication (verifying identity) and Authorization (granting permissions), which do not inherently produce logs of access events.

Exam trap

The trap here is that candidates confuse Authorization (which controls access) with Accounting (which records access), mistakenly thinking that setting permissions automatically logs access, when in fact logging requires a separate audit configuration.

How to eliminate wrong answers

Option A is wrong because Authentication is the process of verifying a user's identity (e.g., via passwords, biometrics, or certificates) and does not inherently generate logs of access to sensitive data; logging is an Accounting function. Option B is wrong because Authorization determines what an authenticated user is allowed to do (e.g., via ACLs or RBAC) but does not itself record access events; that recording is the role of Accounting. Option D is wrong because Provisioning refers to the creation, modification, or removal of user accounts and access rights (e.g., via identity management systems) and does not include logging of access to data.

8
MCQmedium

An administrator configures a Kerberos authentication system. After implementation, users are able to authenticate but cannot access network resources. The administrator verifies that the client time is synchronized with the KDC. What is the most likely cause?

A.The service principal name (SPN) is not registered
B.The user’s password is expired
C.The firewall blocks port 88
D.The TGT lifetime has expired
AnswerA

Without a proper SPN, the KDC cannot issue a service ticket.

Why this answer

The most likely cause is that the service principal name (SPN) is not registered. In Kerberos, the SPN uniquely identifies a network service instance and is required for the KDC to issue a service ticket. Even though users can authenticate (obtain a TGT), without a properly registered SPN, the KDC cannot grant a ticket for the target service, preventing access to network resources.

Exam trap

ISC2 often tests the distinction between authentication (TGT acquisition) and authorization (service ticket issuance), leading candidates to incorrectly focus on firewall rules or password expiration instead of the missing SPN.

How to eliminate wrong answers

Option B is wrong because an expired user password would prevent initial authentication (TGT acquisition), but the scenario states users can authenticate. Option C is wrong because port 88 is used for Kerberos authentication traffic; if it were blocked, users would not be able to authenticate at all. Option D is wrong because an expired TGT lifetime would prevent access only after the TGT expires, but users are currently able to authenticate and the issue is immediate access to network resources.

9
MCQmedium

A military system uses mandatory access control with classifications Unclassified, Confidential, Secret, and Top Secret. A user with Secret clearance attempts to read a file labeled Top Secret. What will occur?

A.Access is denied because the subject's clearance is lower than the object's classification
B.Access is granted because the user has write permission
C.Access is granted if the user is the owner of the file
D.Access is granted because the user has a need-to-know
AnswerA

MAC enforces that a subject can only read objects with a classification equal to or lower than their clearance (no read up).

Why this answer

In a mandatory access control (MAC) system, access decisions are based on comparing the subject's clearance level with the object's classification label. Since the user has a Secret clearance and the file is classified Top Secret, the subject's clearance is lower than the object's classification, so read access is denied per the Bell-LaPadula model's Simple Security Property (no read up).

Exam trap

The trap here is that candidates often confuse mandatory access control with discretionary access control, assuming that ownership or need-to-know can override classification labels, but in MAC, clearance level is the primary and non-negotiable gate for read access.

How to eliminate wrong answers

Option B is wrong because write permission is irrelevant in a MAC read operation; the Bell-LaPadula model enforces the *-property (no write down) for write, but read access is governed solely by clearance vs. classification. Option C is wrong because MAC overrides discretionary ownership; even if the user owns the file, the system enforces the classification label, so ownership does not grant read access when clearance is insufficient. Option D is wrong because need-to-know is a separate discretionary control (e.g., via compartments or roles) and does not override the mandatory clearance requirement; without the proper clearance level, need-to-know cannot grant access.

10
MCQhard

An organization uses mandatory access control (MAC) with the Bell-LaPadula model. A subject has a clearance of 'Secret' and an object has a classification of 'Top Secret'. What is the result if the subject attempts to read the object?

A.Write denied
B.Write allowed
C.Read denied
D.Read allowed
AnswerC

The subject's clearance is lower than the object's classification, so read is denied under the simple security property.

Why this answer

In the Bell-LaPadula model, the Simple Security Property (no read up) prohibits a subject from reading an object with a higher classification. Since the subject has a clearance of 'Secret' and the object is classified as 'Top Secret', the read attempt is denied. This enforces mandatory access control (MAC) by preventing information flow from higher to lower security levels.

Exam trap

The trap here is that candidates often confuse the Bell-LaPadula model with the Biba model (which focuses on integrity) or misapply the *-property to read operations, leading them to incorrectly select 'Read allowed' or 'Write allowed' when the actual rule is 'no read up'.

How to eliminate wrong answers

Option A is wrong because the operation in question is a read, not a write, and the Bell-LaPadula model's *-property (no write down) applies to write operations, not reads. Option B is wrong because write operations are not being attempted, and even if they were, a write from a Secret subject to a Top Secret object would be allowed under the *-property (write up), but the question asks about a read. Option D is wrong because the Simple Security Property explicitly forbids reading an object with a higher classification (Top Secret) than the subject's clearance (Secret), so read allowed is incorrect.

11
MCQmedium

Refer to the exhibit. A user reports being unable to remote desktop (RDP) into a Windows server. Given the event log, what is the most likely cause?

A.The user does not have the 'Allow log on through Remote Desktop Services' user right
B.The user account is locked out
C.The server is not a member of the domain
D.The user's Kerberos ticket has expired
AnswerA

The failure reason clearly states the logon type is not granted; this user right is required for RDP access.

Why this answer

The event log shows an 'An account failed to log on' event (ID 4625) with a failure reason indicating 'The user has not been granted the requested logon type at this machine.' For Remote Desktop connections, the required logon type is 'Remote Interactive' (logon type 10). This specific error means the user lacks the 'Allow log on through Remote Desktop Services' user right, which is assigned via Local Security Policy or Group Policy. Without this right, the RDP session is denied at the authentication stage, even if the username and password are correct.

Exam trap

The trap here is that candidates often assume RDP failures are due to network issues, firewall rules, or account lockouts, when the event log's specific failure reason (logon type denial) directly points to a missing user right assignment.

How to eliminate wrong answers

Option B is wrong because a locked-out account would produce a different failure reason, such as 'Account locked out' (sub-status 0xC0000234), not a logon type denial. Option C is wrong because domain membership is not required for RDP; a standalone server can accept RDP connections if the user has local credentials and the appropriate user right. Option D is wrong because an expired Kerberos ticket would cause a specific Kerberos-related error (e.g., 0xC0000381 or 0xC000006D), not a logon type restriction, and Windows would typically fall back to NTLM if Kerberos fails.

12
MCQmedium

A cloud application uses OAuth 2.0 to authorize a third-party app to access user data. What is the primary purpose of the access token issued by the authorization server?

A.To revoke the user's access to the client application
B.To encrypt data exchanged between client and resource server
C.To grant the client application limited access to user's resources
D.To authenticate the user to the resource server
AnswerC

The access token contains scopes and is presented to the resource server to obtain access to protected resources.

Why this answer

In OAuth 2.0, the access token is a credential that represents the authorization granted to the client application by the resource owner. Its primary purpose is to allow the client to access specific, scoped resources on the resource server on behalf of the user, without exposing the user's credentials. This is defined in RFC 6749, where the token encapsulates the granted permissions and scope.

Exam trap

The trap here is that candidates often confuse authentication with authorization, mistakenly believing the access token authenticates the user to the resource server, when in fact it only authorizes the client to access resources on behalf of the user.

How to eliminate wrong answers

Option A is wrong because revoking the user's access to the client application is not a function of the access token; revocation is handled via token revocation endpoints or by the authorization server invalidating the token, not by the token itself. Option B is wrong because the access token does not encrypt data; it is a bearer token that is passed in HTTP headers, and encryption of data in transit is typically handled by TLS, not by the token. Option D is wrong because the access token is not used to authenticate the user to the resource server; authentication is performed by the authorization server during the authorization grant flow, and the token only authorizes access to resources, it does not prove the user's identity.

13
MCQhard

An organization is implementing an access control system where access decisions are based on the sensitivity of the resource and the clearance of the user. Which model is being used?

A.Discretionary Access Control (DAC)
B.Attribute-Based Access Control (ABAC)
C.Role-Based Access Control (RBAC)
D.Mandatory Access Control (MAC)
AnswerD

MAC uses security labels to enforce access based on classification and clearance.

Why this answer

Mandatory Access Control (MAC) enforces access decisions based on comparing the sensitivity label (e.g., classification level) of the resource with the clearance level of the user. This model is non-discretionary, meaning users cannot override or delegate permissions; the system centrally controls all access according to a security policy, such as Bell-LaPadula or Biba.

Exam trap

The trap here is that candidates often confuse MAC with RBAC because both involve centralized control, but MAC uniquely relies on mandatory sensitivity labels and user clearances, not roles or user-defined permissions.

How to eliminate wrong answers

Option A is wrong because Discretionary Access Control (DAC) allows resource owners to set permissions at their discretion, not based on fixed sensitivity labels and user clearances. Option B is wrong because Attribute-Based Access Control (ABAC) evaluates policies using multiple attributes (user, resource, environment) but does not inherently require hierarchical sensitivity labels and clearances as the primary decision factor. Option C is wrong because Role-Based Access Control (RBAC) grants access based on job roles, not on the sensitivity of the resource or the clearance of the user.

14
MCQmedium

A security analyst notices that a user’s account has been used to access sensitive files at 3:00 AM from an IP address outside the company’s country. The analyst suspects a compromised account. Which action should be taken FIRST?

A.Block the external IP address in the firewall
B.Disable the user account immediately
C.Reset the user’s password and force a logout
D.Contact the user to verify if they were working late
AnswerB

Disabling the account stops all access from any source.

Why this answer

The first step in incident response is to isolate the threat. Disabling the account prevents further unauthorized access while the investigation proceeds.

15
Multi-Selectmedium

Which two components are integral to a Kerberos authentication system? (Select TWO)

Select 2 answers
A.Authentication Server (AS)
B.Key Distribution Center (KDC)
C.Ticket Granting Ticket (TGT)
D.Certificate Authority (CA)
E.Security Assertion Markup Language (SAML)
AnswersB, C

The KDC is the central component that authenticates users and issues tickets.

Why this answer

The Key Distribution Center (KDC) is the core component of a Kerberos authentication system, responsible for issuing tickets and managing session keys. The Ticket Granting Ticket (TGT) is a temporary credential obtained from the Authentication Server (AS) within the KDC, used to request service tickets without re-entering credentials. Both are integral to the Kerberos protocol (RFC 4120) for secure, ticket-based authentication.

Exam trap

The trap here is that candidates often select 'Authentication Server (AS)' as a separate component, not realizing it is a subcomponent of the KDC, and thus fail to recognize that the KDC and TGT are the two integral components tested.

16
MCQhard

An organization implements an attribute-based access control (ABAC) system with the following policy: if user.role == 'doctor' and resource.type == 'patient_record' and environment.time between 08:00-18:00 then permit. A doctor tries to access a patient record at 20:00. What is the result?

A.Permit
B.Indeterminate
C.Not applicable
D.Deny
AnswerD

Since the time condition is not satisfied, the policy does not grant access, and the default deny rule applies.

Why this answer

The ABAC policy requires the environment.time to be between 08:00 and 18:00 for access to be permitted. Since the doctor attempts access at 20:00, which falls outside this time window, the condition is not met, and the policy evaluates to 'deny' by default in a closed-system ABAC model. The correct result is Deny (option D).

Exam trap

ISC2 often tests the default deny principle in ABAC, where candidates mistakenly assume a missing explicit 'deny' rule means 'permit' or 'not applicable', but the absence of a matching permit condition results in an implicit deny.

How to eliminate wrong answers

Option A is wrong because 'permit' would only occur if all conditions in the policy are satisfied, but the time condition (08:00-18:00) is false at 20:00. Option B is wrong because 'indeterminate' typically arises from missing attributes or policy evaluation errors, not from a clear false condition; here, all attributes are present and the time is explicitly outside the allowed range. Option C is wrong because 'not applicable' would mean the policy does not match the request at all, but the user role and resource type do match; the policy applies, but the time condition fails, leading to a deny.

17
MCQhard

A Linux server administrator configures SSH key-based authentication for user 'admin'. The authentication fails with the error 'Authentication refused: bad permissions' in the logs. What is the most likely cause?

A.The SSH service is not running
B.The private key file has permissions set to 644 (world-readable)
C.The public key is not in the ~/.ssh/authorized_keys file
D.The passphrase on the private key is incorrect
AnswerB

SSH daemon checks private key permissions; if too permissive, it refuses authentication for security.

Why this answer

Option B is correct because SSH key-based authentication requires the private key file to have restrictive permissions (typically 600 or 640) to prevent unauthorized access. When the private key is world-readable (e.g., 644), the SSH daemon refuses to use it for security reasons, logging 'Authentication refused: bad permissions'. This is a direct check performed by OpenSSH to protect against key disclosure.

Exam trap

ISC2 often tests the distinction between file permission errors and other authentication failures, trapping candidates who confuse 'bad permissions' with missing keys or incorrect passphrases.

How to eliminate wrong answers

Option A is wrong because if the SSH service were not running, the error would be a connection timeout or 'Connection refused', not an authentication-specific permission error. Option C is wrong because a missing public key in authorized_keys would result in 'Permission denied (publickey)' or 'No supported authentication methods available', not a 'bad permissions' error. Option D is wrong because an incorrect passphrase would prompt for the passphrase again or fail with 'Permission denied', but the error 'bad permissions' specifically refers to file permission checks, not passphrase validation.

18
MCQhard

An organization wants to implement a centralized authentication system that supports single sign-on and uses tickets. Which technology should they choose?

A.LDAP
B.Kerberos
C.SAML
D.RADIUS
AnswerB

Kerberos uses a ticket-granting system for SSO.

Why this answer

Kerberos is the correct choice because it is a ticket-based authentication protocol that provides single sign-on (SSO) capabilities. It uses a trusted third-party Key Distribution Center (KDC) to issue time-limited tickets, allowing users to authenticate once and access multiple services without re-entering credentials.

Exam trap

The trap here is that candidates often confuse LDAP (a directory protocol) with authentication, or assume SAML's SSO capability uses tickets, when in fact Kerberos is the only option that explicitly uses tickets as its core mechanism.

How to eliminate wrong answers

Option A (LDAP) is wrong because LDAP is a directory access protocol used for querying and modifying directory services, not a ticket-based authentication system; it does not inherently support SSO via tickets. Option C (SAML) is wrong because SAML is an XML-based federated identity standard that uses assertions (not tickets) for SSO across domains, but it relies on browser redirects and does not use a ticket-granting ticket model like Kerberos. Option D (RADIUS) is wrong because RADIUS is a network access protocol for AAA (Authentication, Authorization, Accounting) typically used for dial-up or VPN connections, and it does not provide ticket-based SSO; it uses shared secrets and is not designed for centralized ticket management.

19
MCQhard

An organization uses attribute-based access control (ABAC) for its cloud storage. The policy states that a user can read a document only if the user’s department attribute matches the document’s department attribute AND the current time is within business hours (9AM-5PM). A user from Engineering tries to read a document classified for Engineering at 8:55 AM. What is the expected result?

A.Access granted because the department matches
B.Access denied because the department does not match
C.Access granted because the user is in Engineering
D.Access denied because the time is outside business hours
AnswerD

8:55 AM is before 9 AM, so the time condition fails.

Why this answer

The ABAC policy requires both conditions to be true: department match AND time within business hours (9AM-5PM). At 8:55 AM, the time condition is false, so access is denied regardless of the department match. This is a classic example of a conjunctive (AND) policy in ABAC where all attributes must satisfy the rules.

Exam trap

The trap here is that candidates focus on the department match and overlook the conjunctive AND logic, assuming a single matching attribute is sufficient for access.

How to eliminate wrong answers

Option A is wrong because it ignores the time condition; ABAC policies with AND require all attributes to match, not just one. Option B is wrong because the department does match (both Engineering), but the denial is due to time, not department mismatch. Option C is wrong because being in Engineering alone does not satisfy the policy; the time attribute must also be within business hours.

20
MCQhard

A company uses a federated identity system where partner employees access internal applications via SAML assertions. Recently, a partner employee who should have been terminated was still able to log in. Which missing control is the most likely root cause?

A.Just-in-time provisioning
B.Identity proofing
C.Session timeout
D.Single sign-on logout
AnswerA

JIT provisioning ensures accounts are created only when needed and removed when no longer necessary; missing this control leads to orphaned accounts.

Why this answer

Just-in-time (JIT) provisioning is the missing control because it ensures that user accounts are created and, more critically, disabled or removed in real-time based on the identity provider's (IdP) authoritative directory. Without JIT provisioning, the partner employee's account in the service provider (SP) remains active even after termination in the IdP, allowing continued access via valid SAML assertions. JIT provisioning would synchronize the account lifecycle by checking the IdP's user status at each authentication attempt and disabling the local account when the user is deactivated.

Exam trap

The trap here is that candidates confuse session management (session timeout or SSO logout) with account lifecycle management, assuming that ending a session or requiring re-authentication would prevent a terminated user from logging in again, when in fact the underlying account remains active in the SP.

How to eliminate wrong answers

Option B is wrong because identity proofing is the process of verifying a user's claimed identity during initial registration, which is unrelated to the ongoing lifecycle management of an existing user who should have been terminated. Option C is wrong because session timeout controls the duration of an active session after login, but it does not prevent a terminated user from initiating a new login session with a valid SAML assertion. Option D is wrong because single sign-on logout only terminates the current session across federated applications; it does not prevent a terminated user from authenticating again with a new SAML assertion if their account is still active in the SP.

21
MCQhard

During an audit, it is discovered that a contractor’s account has read access to a financial database even though the contractor’s project ended six months ago. Which type of access control failure is this?

A.Inadequate authorization
B.Insufficient authentication
C.Weak password policy
D.Poor account management
AnswerD

Accounts must be disabled when no longer needed.

Why this answer

The correct answer is D because the contractor's account retained access privileges after the project ended, which is a failure of the account lifecycle management process. Proper account management requires disabling or removing accounts when a user's role or affiliation changes, such as when a contract terminates. This is not an authorization or authentication issue, as the access was originally granted correctly but was not revoked in a timely manner.

Exam trap

The trap here is that candidates confuse 'inadequate authorization' (which is about granting excessive permissions) with 'poor account management' (which is about failing to revoke access when it is no longer needed), even though the original authorization was correct.

How to eliminate wrong answers

Option A is wrong because inadequate authorization refers to granting permissions that are too broad or inappropriate for a role, whereas here the access was appropriate during the project but not revoked afterward. Option B is wrong because insufficient authentication deals with verifying identity (e.g., weak MFA or passwordless login), not with the ongoing validity of an account after its purpose ends. Option C is wrong because a weak password policy concerns password complexity, length, or rotation rules, not the failure to deprovision an account after a project concludes.

22
MCQeasy

Which access control model is best suited for a military environment where data classification (Unclassified, Confidential, Secret, Top Secret) and subject clearance levels are the primary factors for access decisions?

A.Attribute-Based Access Control (ABAC)
B.Mandatory Access Control (MAC)
C.Discretionary Access Control (DAC)
D.Role-Based Access Control (RBAC)
AnswerB

MAC uses labels and clearance levels to enforce access, making it ideal for military and classified environments.

Why this answer

Mandatory Access Control (MAC) enforces access based on labels (classification and clearance) and is used in military and government settings. Option B is correct. Option A (DAC) allows owners to set permissions, which is unsuitable for classified environments.

Option C (RBAC) uses roles, not classification levels. Option D (ABAC) is flexible but not the traditional model for military-grade security.

23
MCQeasy

A help desk technician needs to reset a user's password but should not be able to modify other user attributes. Which access control principle should be applied to enforce this restriction?

A.Need-to-know
B.Least privilege
C.Separation of duties
D.Mandatory access control
AnswerB

Least privilege grants only the minimal permissions required to perform a job, which directly applies to restricting the technician to password reset only.

Why this answer

Least privilege ensures that a user or process is granted only the minimum permissions necessary to perform their job function. In this scenario, the help desk technician needs the ability to reset passwords but must be restricted from modifying other user attributes, such as group membership or account expiration. By applying least privilege, the technician's account is assigned a role or permission set that specifically allows password reset operations (e.g., via Active Directory delegated permissions or a custom RBAC role) while explicitly denying write access to other user object properties.

Exam trap

ISC2 often tests least privilege by presenting a scenario where a user needs a specific action (like password reset) and candidates confuse it with separation of duties, which focuses on splitting tasks across multiple people rather than limiting the scope of a single user's permissions.

How to eliminate wrong answers

Option A is wrong because need-to-know is a confidentiality principle that restricts access to data based on the user's requirement to know that information to perform their duties, not a mechanism for limiting modification permissions on specific attributes. Option C is wrong because separation of duties divides critical tasks among multiple individuals to prevent fraud or error (e.g., one person requests a password reset and another approves it), but it does not directly limit the scope of permissions for a single technician. Option D is wrong because mandatory access control (MAC) enforces system-wide policies based on labels and clearances (e.g., Bell-LaPadula model), which is too rigid and not designed for granular attribute-level restrictions within a single user object.

24
MCQmedium

Refer to the exhibit. A security analyst reviews this AWS IAM policy and notices that delete operations on objects in the corporate-bucket are being denied unexpectedly. What is the most likely issue?

A.The Deny statement requires objects to be encrypted with AES256 for delete operations
B.The Allow statement is being overridden by the Deny, but the cause is the encryption requirement
C.The condition on the Deny statement is not matching any objects
D.The policy has a syntax error in the Condition element
AnswerA

The Deny uses a condition that denies delete if the object is NOT encrypted with AES256, effectively requiring encryption for deletion.

Why this answer

Option A is correct because the Deny statement includes a condition that requires objects to be encrypted with AES256 for all operations, including delete. Since the condition is not limited to specific actions, any delete request on an object that is not encrypted with AES256 will be denied, even if the Allow statement grants s3:DeleteObject permissions. This is a common misconfiguration where encryption requirements inadvertently block operations that do not involve encryption checks.

Exam trap

ISC2 often tests the nuance that a Deny statement with a condition can block operations that are not logically related to the condition (like delete being blocked by an encryption requirement), causing candidates to overlook that the condition applies to all actions in the Deny statement.

How to eliminate wrong answers

Option B is wrong because the Deny statement does not override the Allow statement due to encryption requirement; rather, the Deny explicitly denies all actions when the condition (encryption not AES256) is met, which is a valid policy evaluation. Option C is wrong because the condition on the Deny statement is matching objects that are not encrypted with AES256, which is the intended behavior; if it were not matching, the Deny would not apply and delete operations would succeed. Option D is wrong because the policy does not have a syntax error in the Condition element; the condition 'StringNotEquals' with 's3:x-amz-server-side-encryption' is syntactically correct and commonly used.

25
MCQeasy

Based on the exhibit, what type of attack is most likely occurring?

A.Brute-force attack
B.Pass-the-hash attack
C.Dictionary attack
D.Password spraying attack
AnswerD

Password spraying attempts one or a few common passwords across many accounts, matching the pattern.

Why this answer

The exhibit shows a single username being targeted with multiple passwords from a list, which is characteristic of a dictionary attack. However, the correct answer is password spraying attack because the scenario likely involves trying a single common password against many usernames, not many passwords against one user. In password spraying, the attacker uses a small set of common passwords across many accounts to avoid account lockout thresholds, which matches the exhibit's pattern of low-and-slow attempts.

Exam trap

The trap here is confusing dictionary attacks (many passwords, one user) with password spraying (one password, many users), as both use a wordlist but differ in the attack vector and lockout avoidance strategy.

How to eliminate wrong answers

Option A is wrong because a brute-force attack tries all possible character combinations systematically, not a curated list of likely passwords, and would generate far more attempts than shown. Option B is wrong because a pass-the-hash attack uses captured NTLM or Kerberos hashes to authenticate without knowing the plaintext password, which is unrelated to trying passwords from a list. Option C is wrong because a dictionary attack focuses on many passwords against a single username, whereas the exhibit shows a single password attempt across multiple usernames, which is the hallmark of password spraying.

26
MCQhard

You are the security administrator for a mid-sized financial services company. The company uses Active Directory (AD) for identity management and has implemented role-based access control (RBAC) for its core banking application. Recently, the company acquired a smaller firm and is integrating its employees into AD. During the integration, you notice that many of the new employees have been assigned multiple roles that grant them access to sensitive financial data, despite their job descriptions indicating they need only limited access. Additionally, some users who left the acquired company have not been disabled in AD. The company's security policy mandates the principle of least privilege and requires that access reviews be conducted quarterly, but no review has been performed in the past year. You have been tasked with remediating these issues. Which of the following approaches is the MOST effective initial step to address the immediate risk of excessive access?

A.Conduct a comprehensive access recertification review for all users in the acquired company.
B.Implement multifactor authentication (MFA) for all users in the acquired company.
C.Roll back all user permissions to the default role and then re-add each user based on their job function.
D.Immediately disable all user accounts from the acquired company that have not been logged in within the last 90 days.
AnswerD

This quickly removes dormant accounts that may have excessive privileges.

Why this answer

Option D is the most effective initial step because it immediately reduces the attack surface by disabling accounts that are likely orphaned (no login in 90 days), directly addressing the immediate risk of excessive access from former employees. This aligns with the principle of least privilege and is a quick, high-impact remediation that can be performed before a full access review or recertification.

Exam trap

The trap here is that candidates often choose a comprehensive review (Option A) as the 'best practice' without recognizing that immediate risk mitigation (disabling orphaned accounts) must precede a full recertification to prevent further exposure during the review process.

How to eliminate wrong answers

Option A is wrong because conducting a comprehensive access recertification review is a longer-term process that does not address the immediate risk of orphaned accounts or excessive permissions; it should follow initial containment. Option B is wrong because implementing MFA strengthens authentication but does not reduce excessive access or remove orphaned accounts; it addresses a different risk (unauthorized access via compromised credentials) rather than the immediate risk of already-assigned excessive permissions. Option C is wrong because rolling back all user permissions to a default role and re-adding them is disruptive, time-consuming, and may cause business interruption; it also assumes a clean baseline that may not exist and does not prioritize the highest-risk accounts (orphaned ones) first.

27
Multi-Selectmedium

Which TWO are valid reasons to revoke a user's access? (Choose two.)

Select 2 answers
A.User is terminated
B.User changes job roles
C.User password expires
D.User completes quarterly training
E.User updates personal information
AnswersA, B

Termination requires immediate revocation of all access.

Why this answer

Option A is correct because when a user is terminated, their access must be immediately revoked to prevent unauthorized access to systems and data. This is a fundamental principle of access control, ensuring that former employees cannot exploit their credentials. Revocation typically involves disabling the user account, removing group memberships, and invalidating any active sessions or tokens.

Exam trap

The trap here is that candidates confuse password expiration (a temporary lockout that can be resolved) with revocation (a permanent or indefinite removal of access rights), and they may think that completing training or updating personal info could justify revocation, but these are normal user lifecycle events that do not indicate a security risk.

28
Multi-Selecthard

Which three statements are true regarding mandatory access control (MAC) systems? (Select THREE)

Select 3 answers
A.Multilevel security is enforced
B.Subjects have clearance levels
C.Access decisions are based on security labels
D.The owner of an object can change its security label
E.Users can grant permissions to other users
AnswersA, B, C

MAC systems are designed to enforce multilevel security, allowing information at different classifications to be processed on the same system.

Why this answer

Mandatory Access Control (MAC) enforces system-wide policy based on security labels assigned to subjects and objects. Multilevel security (MLS) is a core MAC property where data at different classification levels (e.g., Secret, Top Secret) is isolated and access is governed by the system, not users. Subjects (users/processes) are assigned clearance levels, and objects have security labels; access decisions compare these labels using rules like the Bell-LaPadula model (no read up, no write down).

Exam trap

The trap here is that candidates confuse MAC with Discretionary Access Control (DAC), where owners can change permissions and grant access, leading them to incorrectly select options D or E as true for MAC.

29
MCQhard

You are the security administrator for a healthcare organization that uses a Windows Active Directory domain. The organization has recently implemented a new electronic health record (EHR) system that requires users to authenticate before accessing patient data. The EHR system uses Kerberos for authentication. Users report that they can access the EHR system from their office workstations, but when they attempt to access it remotely via VPN, they receive an 'Access Denied' error. The VPN uses RADIUS for authentication and assigns IP addresses from a separate subnet. The EHR server is in the same domain as the workstations. You verify that the users are able to connect to the VPN successfully and can access other internal resources. What is the most likely cause of the issue?

A.The EHR server is not joined to the domain.
B.The VPN does not forward Kerberos traffic to the domain controller.
C.The remote user's system clock is not synchronized with the domain controller.
D.The user's account is not in the EHR application's access group.
AnswerC

Kerberos requires time sync; VPN issues often corrupt time sync.

Why this answer

Kerberos authentication is highly sensitive to time skew; the default maximum tolerance is 5 minutes (RFC 4120). When users connect via VPN, their system clocks may drift from the domain controller's time, especially if they are not synchronized with the domain's time source. This time difference causes Kerberos to reject the ticket request, resulting in an 'Access Denied' error even though the VPN connection itself is successful.

Exam trap

The trap here is that candidates focus on network connectivity or VPN configuration (like port forwarding) rather than the time synchronization requirement of Kerberos, assuming that successful VPN connection implies all authentication protocols will work seamlessly.

How to eliminate wrong answers

Option A is wrong because the EHR server is explicitly stated to be in the same domain as the workstations, and users can access it from office workstations, confirming domain membership. Option B is wrong because the VPN successfully forwards other traffic (users can access other internal resources), and Kerberos traffic uses UDP/TCP port 88, which is typically allowed through VPN tunnels; the issue is not traffic forwarding but authentication failure. Option D is wrong because the error occurs during authentication, not authorization; if the user were not in the EHR application's access group, they would likely receive a different error (e.g., 'Access Denied' after successful authentication) or be prompted for credentials again, not fail at the Kerberos ticket-granting step.

30
MCQmedium

A hospital is implementing an access control system for its electronic health record (EHR) system. The system must comply with HIPAA regulations, which require that access to patient records is limited to personnel who need it to perform their job duties. The hospital has many roles: doctors, nurses, lab technicians, and administrative staff. Each role can access different types of records. The system currently uses a DAC model where each user sets permissions on their own files. However, a recent risk assessment identified that some nurses have been sharing their accounts with each other to access records outside their unit. The hospital wants to implement a more restrictive model that enforces access based on job roles and prevents sharing of accounts. Which access control model should the hospital adopt?

A.Attribute-Based Access Control (ABAC)
B.Mandatory Access Control (MAC) with clearance labels
C.Discretionary Access Control (DAC)
D.Role-Based Access Control (RBAC) with mandatory account uniqueness
AnswerD

RBAC restricts access based on roles, and requiring unique accounts ensures no sharing; this combination directly addresses the problem.

Why this answer

Option D is correct because Role-Based Access Control (RBAC) enforces access permissions based on job roles, directly aligning with HIPAA's need-to-know principle. Mandatory account uniqueness prevents account sharing by requiring each user to have a unique identifier, eliminating the ability to share credentials. This combination provides a more restrictive, policy-driven model than DAC, which allowed users to set their own permissions and led to unauthorized access.

Exam trap

The trap here is that candidates may choose ABAC (Option A) because it seems more flexible and modern, but they overlook that RBAC with mandatory account uniqueness directly addresses the account-sharing issue and is the simplest, most compliant model for role-based healthcare access under HIPAA.

How to eliminate wrong answers

Option A is wrong because Attribute-Based Access Control (ABAC) uses attributes (e.g., time, location, patient relationship) to grant access, which is more granular than needed and does not inherently enforce mandatory account uniqueness to prevent sharing. Option B is wrong because Mandatory Access Control (MAC) with clearance labels is designed for classified environments (e.g., military) using security labels and clearances, not for healthcare roles; it would require labeling all patients and users, which is impractical and does not directly address account sharing. Option C is wrong because Discretionary Access Control (DAC) is the current model that allows users to set permissions on their own files, which led to the account-sharing problem; it is the opposite of the restrictive model needed.

31
MCQmedium

The security team discovers that a user in the finance department can read files in the human resources share. The share permissions on the HR folder are set to deny all except the HR group, and the user is not a member of HR. What is the most likely cause?

A.The user is logging on locally to the server where the files are stored
B.The user is an administrator on the file server
C.The user is using a different file server for HR files
D.The user's token includes a group that has been explicitly denied
AnswerA

Share permissions only apply to network access; local access is governed by NTFS permissions alone, which may allow the user.

Why this answer

When a user logs on locally to the file server, Windows evaluates NTFS permissions directly, bypassing share permissions entirely. Share permissions only apply to network access via SMB, so a local logon allows the user to read files if NTFS permissions grant access, even if share permissions deny all except the HR group.

Exam trap

ISC2 often tests the distinction between share permissions and NTFS permissions, specifically that share permissions only apply to network access, not local logons, leading candidates to overlook the local logon scenario.

How to eliminate wrong answers

Option B is wrong because being an administrator on the file server does not automatically grant read access to files if the NTFS permissions explicitly deny the user or their groups; administrators can take ownership or override permissions, but the most likely cause in this scenario is local logon, not administrative privilege. Option C is wrong because using a different file server would not grant access to files on the original HR share; the user would need appropriate permissions on that specific server. Option D is wrong because if the user's token included a group explicitly denied, that deny would block access, not allow it; the scenario describes the user being able to read files despite not being in the HR group.

32
MCQmedium

An organization wants to implement an access control model where data owners decide who can access resources. Which model should they choose?

A.Attribute-Based Access Control (ABAC)
B.Mandatory Access Control (MAC)
C.Role-Based Access Control (RBAC)
D.Discretionary Access Control (DAC)
AnswerD

DAC allows data owners to grant access to others at their discretion.

Why this answer

Discretionary Access Control (DAC) is the correct model because it allows data owners (the users who create or own the resource) to decide who can access their resources. In DAC, the owner sets permissions (e.g., read, write, execute) on objects like files or directories, typically using Access Control Lists (ACLs). This directly matches the requirement where data owners control access decisions.

Exam trap

ISC2 often tests the misconception that 'data owners decide' implies a role-based or attribute-based model, but the key distinction is that DAC explicitly grants ownership-based control, while RBAC and ABAC centralize decisions with administrators or policies.

How to eliminate wrong answers

Option A is wrong because Attribute-Based Access Control (ABAC) uses policies based on attributes (e.g., user role, time, location) evaluated by a central policy engine, not by the data owner. Option B is wrong because Mandatory Access Control (MAC) enforces system-wide policies set by a central authority (e.g., security labels like Top Secret), and users (including data owners) cannot override these rules. Option C is wrong because Role-Based Access Control (RBAC) assigns permissions based on predefined roles (e.g., 'Manager'), and access decisions are made by administrators, not by the data owner.

33
MCQeasy

An organization uses smart cards combined with a PIN to access secure facilities. This is an example of which type of authentication factor?

A.Token-based authentication
B.Single-factor authentication
C.Two-factor authentication
D.Biometric authentication
AnswerC

Combining something you have (smart card) with something you know (PIN) is a classic definition of two-factor authentication.

Why this answer

Smart cards are a possession factor (something you have), and the PIN is a knowledge factor (something you know). Combining both satisfies the requirement for two distinct authentication factors, making this a textbook example of two-factor authentication (2FA). This is not single-factor because two separate categories of credentials are used, and it is not biometric because no physical characteristic is measured.

Exam trap

The trap here is that candidates often confuse 'something you have' (possession factor) with 'something you know' (knowledge factor) and mistakenly classify the combination as single-factor because they think the smart card alone is the authentication, ignoring that the PIN adds a second distinct factor.

How to eliminate wrong answers

Option A is wrong because token-based authentication typically refers to a device that generates a one-time password (OTP) or cryptographic token, not a smart card with a PIN; while a smart card can be considered a token, the combination with a PIN specifically makes it two-factor, not merely token-based. Option B is wrong because single-factor authentication uses only one category of credential (e.g., just a password or just a smart card), but here both a smart card (possession) and a PIN (knowledge) are required, so it is multi-factor. Option D is wrong because biometric authentication relies on unique physical traits such as fingerprints, iris patterns, or voice recognition, not on a smart card and PIN combination.

34
MCQeasy

A system administrator needs to assign permissions to a new employee who will be performing database backups. The employee should only be able to execute the backup command but not read or modify the data. Which access control principle should be applied?

A.Need to know
B.Least privilege
C.Separation of duties
D.Defense in depth
AnswerB

Least privilege grants only the permissions required to perform the job.

Why this answer

The least privilege principle dictates that a user should be granted only the minimum permissions necessary to perform their job function. In this scenario, the employee needs only the ability to execute the backup command (e.g., using a tool like `pg_dump` or `mysqldump` with a read-only snapshot), not read or modify the underlying data files. Applying least privilege ensures the backup process can run without granting broader SELECT or FILE privileges that would allow data access or alteration.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'need to know' because both limit access, but least privilege focuses on the minimum permissions to perform an action (execute a command), while need to know focuses on whether the user requires access to specific data content.

How to eliminate wrong answers

Option A is wrong because 'need to know' is a confidentiality principle that restricts access to information based on whether the user requires that specific data to perform their duties, not the minimum permissions to execute a command; it does not address the granularity of execute-only versus read/modify. Option C is wrong because separation of duties divides critical tasks among multiple people to prevent fraud (e.g., the backup operator cannot also restore), but the question is about limiting the backup operator's own permissions, not splitting tasks. Option D is wrong because defense in depth is a layered security strategy using multiple controls (firewalls, IDS, encryption), not a principle for assigning a single user's permissions to a specific command.

35
MCQeasy

A small business wants to implement an access control system where employees can access files based on their department (e.g., HR, Finance). They want simplicity and ease of administration. Which access control model is BEST suited?

A.Mandatory Access Control (MAC)
B.Attribute-Based Access Control (ABAC)
C.Discretionary Access Control (DAC)
D.Role-Based Access Control (RBAC)
AnswerD

RBAC assigns permissions to roles, and users are assigned roles based on their department, providing a straightforward and manageable solution.

Why this answer

Role-Based Access Control (RBAC) is best suited because it maps access permissions directly to job functions (roles) such as HR or Finance, rather than to individual users. This simplifies administration: when an employee changes departments, the administrator simply updates their role assignment, and all associated permissions are automatically applied or revoked. RBAC is designed for environments where access decisions are based on organizational roles, providing a balance of security and ease of management.

Exam trap

The trap here is that candidates often confuse RBAC with DAC because both involve user-based permissions, but RBAC centralizes control through roles while DAC delegates control to individual resource owners, making RBAC the correct choice for department-based access.

How to eliminate wrong answers

Option A is wrong because Mandatory Access Control (MAC) uses system-enforced labels (e.g., security classifications like Top Secret) and is typically used in military or high-security environments, not for simple department-based access in a small business. Option B is wrong because Attribute-Based Access Control (ABAC) evaluates multiple attributes (e.g., time, location, resource type) using policy rules, which adds complexity and administrative overhead beyond what is needed for straightforward department-based access. Option C is wrong because Discretionary Access Control (DAC) allows individual users to control access to their own files (e.g., via file permissions), which does not scale well for department-wide access and can lead to inconsistent enforcement.

36
Matchingmedium

Match each authentication factor to its category.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Something you know

Something you have

Something you are

Something you do

Why these pairings

These are the four main authentication factor categories.

37
Multi-Selecthard

Which THREE are required components of a core role-based access control (RBAC) system according to NIST? (Choose three.)

Select 3 answers
A.Constraints
B.Users
C.Permissions
D.Sessions
E.Roles
AnswersB, C, E

Users are the subjects that are assigned to roles.

Why this answer

Option B (Users) is correct because in NIST's RBAC model (INCITS 359-2012), users are the human actors who are assigned to roles. The core components of RBAC are users, roles, and permissions; users are the subjects that ultimately receive permissions through their role membership. Without users, there is no entity to which roles and permissions can be assigned.

Exam trap

ISC2 often tests the distinction between core and advanced RBAC components, and the trap here is that candidates mistakenly include constraints or sessions as mandatory because they are commonly discussed in security policies, but NIST explicitly defines them as optional extensions to the core model.

38
MCQhard

Based on the exhibit, if the user attempts to upload (put) a file to the S3 bucket corporate-data, what is the result?

A.Allowed because the bucket policy likely allows public puts
B.Denied because the explicit deny overrides any allow
C.Denied because PutObject is not explicitly allowed
D.Allowed because the policy also allows GetObject
AnswerB

The explicit deny for PutObject overrides any potential allows, so the request is denied.

Why this answer

The correct answer is B because the bucket policy includes an explicit deny statement that denies s3:PutObject for the user's principal. In AWS IAM and resource-based policies, an explicit deny always overrides any allow, regardless of other permissions. Therefore, even if other statements allow PutObject, the explicit deny blocks the upload.

Exam trap

The trap here is that candidates often assume an explicit allow for PutObject would override a deny, but AWS's explicit deny always wins, making the presence of any deny statement the decisive factor.

How to eliminate wrong answers

Option A is wrong because the bucket policy does not allow public puts; it contains an explicit deny that overrides any potential allow. Option C is wrong because the issue is not the absence of an explicit allow but the presence of an explicit deny, which takes precedence. Option D is wrong because GetObject permission is irrelevant to PutObject; each action is evaluated independently, and the explicit deny for PutObject still applies.

39
Multi-Selectmedium

Which TWO of the following are characteristics of a Mandatory Access Control (MAC) system?

Select 2 answers
A.Access decisions are based on security labels.
B.Access is determined by the owner of the object.
C.It uses roles to assign permissions.
D.Users can change permissions on their own objects.
E.It is commonly used in military environments.
AnswersA, E

MAC relies on labels assigned to subjects and objects to determine access.

Why this answer

Option A is correct because Mandatory Access Control (MAC) systems use security labels (e.g., classifications like Top Secret, Secret, Confidential) attached to subjects and objects. The operating system or reference monitor enforces access decisions based on these labels and a set of rules (e.g., the Bell-LaPadula model's simple security property and *-property), not at the discretion of users or owners. This ensures that access is determined by a central policy, typically implemented via labels in systems like SELinux or Trusted Solaris.

Exam trap

The trap here is that candidates often confuse MAC with DAC or RBAC, mistakenly thinking that owners or roles can override label-based policies, when in fact MAC strictly enforces system-wide rules that neither users nor owners can modify.

40
MCQmedium

You are a security analyst at a financial institution. The company uses a role-based access control (RBAC) system for its internal banking application. Recently, the compliance team discovered that a teller, who should only have access to customer account information for their branch, was able to view account details for customers in other branches. The RBAC system assigns roles based on job titles. You review the configuration and find that the 'Teller' role has a permission that allows viewing all customer accounts, regardless of branch. The company wants to enforce branch-level restrictions. Which of the following is the best approach to address this issue?

A.Implement attribute-based access control (ABAC) to incorporate branch location as an attribute.
B.Use mandatory access control (MAC) with labels for each customer account.
C.Create separate roles for each branch, such as 'Teller_Branch1', 'Teller_Branch2', etc.
D.Modify the 'Teller' role to remove the permission to view all accounts.
AnswerA

ABAC adds context like branch to RBAC, providing necessary restrictions.

Why this answer

Adding an attribute for branch location and using ABAC in conjunction with RBAC allows fine-grained control. Option A is correct. B would create many roles, C is not granular, and D is not relevant.

41
MCQmedium

A healthcare organization is implementing an access control system to ensure that employees can only access patient records necessary for their job functions. Which model best enforces this principle?

A.Role-Based Access Control (RBAC)
B.Rule-Based Access Control (RuBAC)
C.Discretionary Access Control (DAC)
D.Mandatory Access Control (MAC)
AnswerA

RBAC assigns permissions to roles based on job functions, and users are assigned to roles, effectively enforcing least privilege.

Why this answer

Role-Based Access Control (RBAC) is the correct model because it assigns permissions based on job roles, ensuring employees only access patient records necessary for their duties. In healthcare, RBAC aligns with the principle of least privilege by mapping roles (e.g., nurse, doctor, billing) to specific data access, as defined in standards like NIST SP 800-53. This directly enforces the requirement that access is tied to job functions, not individual discretion or system-wide rules.

Exam trap

ISC2 often tests the distinction between RBAC and Rule-Based Access Control, where candidates mistakenly choose RuBAC because they confuse 'rules' with 'roles,' not realizing RuBAC applies static conditions to all users rather than dynamic role assignments.

How to eliminate wrong answers

Option B (Rule-Based Access Control) is wrong because it uses global rules (e.g., time-of-day or IP-based conditions) applied uniformly to all users, not role-specific job functions, making it too coarse for granular patient record access. Option C (Discretionary Access Control) is wrong because it allows data owners to grant access at their discretion, violating the mandatory job-function restriction and risking unauthorized sharing of patient records. Option D (Mandatory Access Control) is wrong because it enforces system-wide labels (e.g., classification levels like 'Confidential') rather than job roles, which is overly rigid and does not map to specific healthcare job functions.

42
MCQeasy

An administrator wants to ensure that users cannot share passwords. Which control is most effective at reducing the risk of password sharing?

A.Account lockout policies
B.Multifactor authentication
C.Password complexity
D.Password history
AnswerB

MFA requires a second factor that is often physical or biometric, making it difficult to share credentials.

Why this answer

Multifactor authentication (MFA) is the most effective control because it requires users to present two or more distinct factors (e.g., something you know, something you have, something you are) to authenticate. Even if a user shares their password (something you know), an attacker cannot authenticate without the second factor (e.g., a one-time passcode from a hardware token or biometric). This directly reduces the risk of password sharing by making the shared credential insufficient for access.

Exam trap

The trap here is that candidates often choose password complexity or account lockout policies because they associate them with 'stronger security,' but they fail to recognize that these controls do not address the specific threat of voluntary password sharing, which MFA directly mitigates by adding an independent authentication factor.

How to eliminate wrong answers

Option A is wrong because account lockout policies (e.g., locking after 5 failed attempts) are designed to prevent brute-force attacks, not to prevent users from voluntarily sharing their passwords; a shared password still works until the account is locked. Option C is wrong because password complexity (e.g., requiring uppercase, numbers, symbols) only makes passwords harder to guess or crack, but does nothing to stop a user from sharing that complex password with another person. Option D is wrong because password history (e.g., remembering the last 10 passwords) prevents users from reusing old passwords, but it has no effect on sharing the current password with others.

43
MCQmedium

Which access control mechanism most likely failed to prevent this unauthorized privilege escalation?

A.Sudoers configuration
B.Account lockout policy
C.Password policy
D.SELinux
AnswerB

An account lockout policy would have locked the account after a threshold of failed attempts, preventing the eventual successful login.

Why this answer

An account lockout policy is designed to prevent brute-force attacks by locking an account after a specified number of failed login attempts. In the context of unauthorized privilege escalation, a lockout policy would not prevent a user who already has valid credentials from escalating privileges through other means, such as exploiting a misconfigured sudoers file or a kernel vulnerability. Therefore, the failure of the account lockout policy is the most likely mechanism that allowed the escalation, as it does not control what an authenticated user can do after login.

Exam trap

ISC2 often tests the misconception that account lockout policies are a catch-all defense against unauthorized access, when in fact they only prevent brute-force login attempts and do not control actions taken by an already authenticated user.

How to eliminate wrong answers

Option A is wrong because the sudoers configuration directly controls which users can execute commands with elevated privileges; if it were misconfigured (e.g., allowing a user to run all commands as root without a password), it could be the mechanism that failed, but the question asks which mechanism most likely failed to prevent the escalation, and a lockout policy is unrelated to post-authentication privilege escalation. Option C is wrong because a password policy (e.g., complexity, length, history) only affects the strength of user passwords and does not prevent an authorized user from escalating privileges after successful authentication. Option D is wrong because SELinux is a mandatory access control (MAC) system that enforces security policies at the kernel level, and while it can limit privilege escalation, its failure would be due to misconfiguration or being in permissive mode, not because of a lockout policy; the lockout policy is the least relevant to the escalation event.

44
Multi-Selecthard

Which THREE of the following are common methods for implementing multifactor authentication (MFA)?

Select 3 answers
A.Retina scan and facial recognition
B.Password and SMS code
C.Smart card and PIN
D.Password and security question
E.Fingerprint and smart card
AnswersB, C, E

Something you know (password) + something you have (phone for SMS).

Why this answer

Option B is correct because it combines something you know (password) with something you have (SMS code sent to a registered device). This satisfies the MFA requirement of using at least two distinct authentication factors, making it significantly more secure than single-factor password-only authentication.

Exam trap

ISC2 often tests the distinction between using multiple instances of the same factor (e.g., two biometrics or two passwords) versus using factors from different categories, which is the core requirement for true MFA.

45
MCQeasy

An organization uses role-based access control (RBAC). An employee transfers from the Sales department to the Marketing department. What is the most secure way to update the employee's access?

A.Remove the Sales role and then add the Marketing role
B.Add the Marketing role and remove the Sales role after 30 days
C.Modify the Sales role to include Marketing permissions
D.Create a new custom role with combined permissions
AnswerA

This ensures no overlapping permissions.

Why this answer

In RBAC, access is determined by the roles assigned to a user. The most secure method is to remove the old role (Sales) first to eliminate any residual permissions, then add the new role (Marketing). This ensures the employee does not retain access to Sales resources during the transition, adhering to the principle of least privilege.

Exam trap

The trap here is that candidates may think adding the new role first ensures continuity of access, but the most secure approach is to remove the old role first to prevent any period of dual access.

How to eliminate wrong answers

Option B is wrong because adding the Marketing role before removing the Sales role creates a 30-day window where the employee has permissions from both departments, violating least privilege and increasing the risk of unauthorized access. Option C is wrong because modifying the Sales role to include Marketing permissions would grant those permissions to all Sales users, not just the transferring employee, leading to privilege creep and potential data leakage. Option D is wrong because creating a new custom role with combined permissions is unnecessary and inefficient; it complicates role management and may inadvertently grant the employee access to both departments' resources if the Sales role is not removed.

46
MCQmedium

A company uses role-based access control (RBAC). A user is assigned to the 'Sales' role, which grants access to CRM and reporting, and also to the 'Sales Manager' role, which grants additional access to team reports. However, the user cannot access team reports. What is the most likely cause?

A.An access control list on the report folder explicitly denies the 'Sales' role
B.The user account has been disabled
C.RBAC role hierarchy is not configured
D.The user's session is not properly managed
AnswerC

Without a hierarchy, the user's permissions are the union of both roles; if the system only uses the first role's permissions, team reports are inaccessible.

Why this answer

In RBAC, role hierarchy allows roles to inherit permissions from other roles. Without a configured hierarchy, the 'Sales Manager' role does not automatically inherit permissions from the 'Sales' role, and the user may not have direct permission to access team reports if that permission is only assigned to the 'Sales Manager' role but the user's effective permissions are not properly combined. The most likely cause is that the RBAC role hierarchy is not configured, so the user's membership in both roles does not result in the union of their permissions.

Exam trap

The trap here is that candidates assume assigning a user to multiple roles automatically grants the combined permissions of all roles, but without a configured role hierarchy or permission aggregation, the user may only have permissions from the primary role or the system may require explicit inheritance.

How to eliminate wrong answers

Option A is wrong because an explicit deny on the report folder would block access regardless of role membership, but the scenario states the user cannot access team reports despite being assigned the 'Sales Manager' role, which suggests the issue is with permission inheritance, not an explicit deny. Option B is wrong because if the user account were disabled, the user would not be able to access any resources, not just team reports, and the question implies the user can access CRM and reporting. Option D is wrong because session management issues would typically cause authentication or authorization failures across all resources, not a specific permission problem with team reports, and RBAC permissions are evaluated at the time of access request, not tied to session state.

47
Multi-Selectmedium

Which TWO of the following are best practices for password management?

Select 2 answers
A.Implement account lockout after a few failed attempts
B.Allow reuse of the last 5 passwords
C.Store passwords in plaintext for quick recovery
D.Share passwords via email for convenience
E.Enforce password complexity requirements
AnswersA, E

Lockout mitigates brute-force attacks.

Why this answer

Password complexity and account lockout are standard best practices. Storing passwords in plaintext and reusing passwords are poor practices.

48
MCQmedium

A user reports they can now access files in a shared drive that were previously denied. Upon investigation, the IT team discovers the user was added to a new group that has read/write permissions to the drive. This situation is best described as:

A.Separation of duties violation
B.Inconsistent access control list
C.Role explosion
D.Privilege creep
AnswerD

The user gained additional permissions through group membership, which is a classic example of privilege creep.

Why this answer

Privilege creep occurs when users accumulate more permissions over time than they need for their current role, often through group memberships. In this scenario, the user was added to a new group that granted read/write access to a shared drive, resulting in unintended elevated access. This is a classic example of privilege creep because the user's access rights expanded beyond what was originally authorized, violating the principle of least privilege.

Exam trap

The trap here is confusing privilege creep with role explosion, but privilege creep focuses on individual permission accumulation over time, while role explosion is about an excessive number of roles in the system design.

How to eliminate wrong answers

Option A is wrong because separation of duties is a control designed to prevent fraud or error by requiring multiple individuals to complete a sensitive task, not a situation where a user gains unintended access. Option B is wrong because an inconsistent access control list would imply conflicting or erroneous permissions on the resource itself, whereas here the permissions are consistent but the user was added to a group that legitimately has those permissions. Option C is wrong because role explosion refers to the proliferation of too many roles in an RBAC system, making management complex, not the gradual accumulation of permissions by a single user.

49
Multi-Selectmedium

Which TWO of the following are examples of biometric authentication? (Choose two.)

Select 2 answers
A.Smart card
B.Retina scan
C.PIN
D.Fingerprint
E.Password
AnswersB, D

Retina scan is a biometric trait.

Why this answer

Retina scan is a biometric authentication method because it uses unique physiological characteristics of the eye's retinal blood vessel pattern to verify identity. Biometric authentication relies on measurable biological traits, and the retina's pattern is highly distinctive and difficult to replicate, making it a strong form of authentication.

Exam trap

ISC2 often tests the distinction between authentication factors (something you know, have, or are) and tricks candidates into selecting smart cards or PINs as biometrics because they are commonly associated with security, but they are not based on biological traits.

50
Drag & Dropmedium

Drag and drop the steps for configuring a Windows Firewall rule to allow inbound RDP traffic into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Windows Firewall: create inbound rule for port 3389, allow connection, select profiles, name it.

51
Multi-Selectmedium

Which TWO of the following are characteristics of mandatory access control (MAC)?

Select 2 answers
A.The system enforces access decisions based on policies
B.Security labels are assigned to subjects and objects
C.Access decisions are based on the user’s discretion
D.It is commonly used in commercial environments
E.Users can grant access to other users
AnswersA, B

MAC is system-enforced, not user-controlled.

Why this answer

Mandatory access control (MAC) enforces access decisions based on centrally defined policies, not at the discretion of individual users. The system compares security labels assigned to subjects (e.g., users, processes) and objects (e.g., files, resources) to determine if access is allowed. This ensures that even the owner of an object cannot override the policy, which is a core characteristic of MAC.

Exam trap

The trap here is that candidates often confuse MAC with DAC, mistakenly thinking that MAC allows users to set permissions or that it is common in commercial environments, when in fact MAC is policy-driven and used in high-security contexts.

52
MCQhard

An organization implements a policy that the same individual cannot both create a purchase order and approve it in the financial system. Which security principle does this control primarily enforce?

A.Job rotation
B.Least privilege
C.Need-to-know
D.Separation of duties
AnswerD

Separation of duties divides critical functions among multiple users to prevent fraud and errors.

Why this answer

Separation of duties (SoD) is the security principle that prevents a single individual from performing conflicting tasks, such as creating and approving a purchase order. By splitting these responsibilities, the organization reduces the risk of fraud, errors, and unauthorized transactions, ensuring that no single person has unchecked control over a critical financial process.

Exam trap

The trap here is that candidates confuse separation of duties with least privilege, but least privilege only limits permissions to the minimum needed, whereas separation of duties specifically prevents a single user from executing two conflicting functions that could enable fraud or error.

How to eliminate wrong answers

Option A is wrong because job rotation is a practice where employees periodically switch roles to cross-train and reduce monotony, not a control that enforces dual-authority over a single transaction. Option B is wrong because least privilege limits users to only the permissions necessary for their job, but it does not inherently prevent the same person from both creating and approving a purchase order if both actions fall within their role. Option C is wrong because need-to-know restricts access to information based on job necessity, not the segregation of conflicting duties within a process.

53
MCQhard

Refer to the exhibit. User bob, a member of the projectdev group, attempts to create a new file in /data/project but gets 'Permission denied'. What is the most likely reason?

A.The group permission (r-x) and the mask (rwx) combine to limit bob to read and execute only
B.Bob is not the owner of the directory
C.Bob's effective permissions are limited by the user:alice entry
D.The 'other' permission is '---', blocking all access for users not in the file's user or group
AnswerA

The effective group permission is determined by the ACL group entry (r-x) and the mask (rwx) – the more restrictive is applied, resulting in r-x, which lacks write.

Why this answer

The directory /data/project has group permissions set to r-x (read and execute) for the projectdev group, and the umask is set to rwx (000), meaning no bits are masked. However, the group permission explicitly denies write access. Since bob is a member of projectdev, his effective permissions are limited to read and execute, preventing file creation.

Exam trap

ISC2 often tests the misconception that the 'other' permission applies to group members, when in fact group permissions take precedence for users in the group, and the umask only affects newly created files, not the directory's existing permissions.

How to eliminate wrong answers

Option B is wrong because ownership of the directory is irrelevant; bob's group membership grants him group-level permissions, which are the limiting factor. Option C is wrong because the user:alice entry is an ACL that applies specifically to user alice, not to bob, and does not affect bob's permissions. Option D is wrong because the 'other' permission applies only to users who are not the owner and not in the group; bob is in the projectdev group, so group permissions apply, not 'other'.

54
MCQmedium

A company implements mandatory access control (MAC) on its classified document system. A user with a security clearance of Secret attempts to read a document labeled Top Secret. What happens?

A.The user is prompted to request a temporary upgrade
B.The access is denied by the system
C.The document is downgraded to Secret for the user
D.The user can read the document because they have a valid clearance
AnswerB

MAC denies any access that violates the lattice.

Why this answer

In a mandatory access control (MAC) system, access decisions are based on comparing the user's security clearance (Secret) with the document's classification label (Top Secret). Since the clearance level is lower than the document's classification, the system automatically denies the read operation. This is a fundamental property of MAC, where the system enforces the Bell-LaPadula model's simple security property (no read up).

Exam trap

The trap here is that candidates confuse MAC with discretionary access control (DAC), where a user might be able to request temporary access or have permissions changed by the owner, but in MAC, all access decisions are system-enforced and cannot be overridden by users.

How to eliminate wrong answers

Option A is wrong because MAC does not support user-initiated temporary upgrades; clearance changes require administrative action and are not prompted by the system. Option C is wrong because MAC never automatically downgrades a document's classification label to match a user's clearance; labels are immutable and set by the security administrator. Option D is wrong because having a valid clearance is insufficient; the clearance must equal or exceed the document's classification level for read access.

55
MCQmedium

A company needs to ensure that when an employee leaves the organization, their accounts are disabled promptly to prevent unauthorized access. Which approach is MOST effective for timely account deactivation?

A.Conduct quarterly access reviews to identify and disable unused accounts.
B.Require managers to report departures via a ticketing system.
C.Implement a self-service password reset system to empower users.
D.Automatically synchronize with the HR system to disable accounts upon termination.
AnswerD

Automated synchronization with HR ensures near-instant deactivation when HR records a termination, significantly reducing the window of unauthorized access.

Why this answer

Option D is correct because automatically synchronizing with the HR system ensures that account deactivation occurs immediately upon termination, eliminating human delay or error. This approach leverages identity lifecycle management (ILM) to enforce the principle of least privilege and prevent unauthorized access through orphaned accounts.

Exam trap

The trap here is that candidates may choose option B because it seems proactive, but they overlook the inherent delay and unreliability of manual reporting compared to automated synchronization, which is the only option guaranteeing timely deactivation.

How to eliminate wrong answers

Option A is wrong because quarterly reviews are too infrequent to meet the requirement for timely deactivation, leaving accounts active for up to 90 days after departure. Option B is wrong because relying on managers to report departures via a ticketing system introduces manual latency and the risk of forgotten or delayed reports, which fails to guarantee prompt deactivation. Option C is wrong because a self-service password reset system does not disable accounts; it only allows users to reset their own passwords, which is irrelevant to deactivating a terminated employee's account.

56
MCQhard

A Windows workstation is unable to authenticate to a Kerberos-based application. The time on the workstation is 5 minutes ahead of the domain controller. What is the impact?

A.The user would be prompted for credentials but authentication would proceed
B.Authentication will fail because the time difference exceeds the default Kerberos clock skew limit
C.Only NTLM authentication would be affected
D.No impact; Kerberos can tolerate up to 10 minutes of skew
AnswerB

Kerberos allows a maximum skew of 5 minutes by default; a 5-minute difference may cause rejection or succeed only if within tolerance.

Why this answer

Kerberos authentication relies on timestamps to prevent replay attacks. The default maximum clock skew allowed between a client and a domain controller is 5 minutes (as defined in RFC 4120). Since the workstation is exactly 5 minutes ahead, it meets the threshold, but any additional delay or network latency can cause the timestamp to exceed the limit, resulting in authentication failure.

Therefore, the user will be unable to authenticate.

Exam trap

The trap here is that candidates often assume the default clock skew is 10 minutes (as in some older implementations) or that a 5-minute difference is acceptable, but the SSCP exam expects you to know the exact default value of 5 minutes and that reaching that limit causes authentication to fail.

How to eliminate wrong answers

Option A is wrong because Kerberos does not prompt for credentials and proceed when the clock skew exceeds the limit; it returns a KRB_AP_ERR_SKEW error and authentication fails. Option C is wrong because the question specifies a Kerberos-based application, and NTLM is a separate protocol that is not directly affected by Kerberos clock skew; the impact is on Kerberos, not NTLM. Option D is wrong because the default Kerberos clock skew limit is 5 minutes, not 10 minutes; a skew of exactly 5 minutes is at the boundary and typically causes failure, especially with real-world network delays.

57
Multi-Selecthard

Which THREE are appropriate controls to prevent unauthorized access to a data center? (Choose three.)

Select 3 answers
A.Biometric scanner
B.Firewall
C.Mantrap
D.Security guards
E.Encryption
AnswersA, C, D

Biometric scanner authenticates individuals for physical access.

Why this answer

A biometric scanner is a physical access control that authenticates individuals based on unique physiological characteristics (e.g., fingerprints, iris patterns). It directly prevents unauthorized entry by verifying identity at the data center perimeter, making it an appropriate control for physical security.

Exam trap

ISC2 often tests the distinction between physical access controls (e.g., biometrics, mantrap, guards) and logical/technical controls (e.g., firewall, encryption), leading candidates to mistakenly select network or data protection mechanisms for a physical security question.

58
MCQmedium

A company uses an identity management system that requires users to authenticate using a smart card and a PIN. This is an example of:

A.Single sign-on (SSO)
B.Biometric authentication
C.Two-factor authentication
D.Multi-factor authentication
AnswerC

Smart card (possession) and PIN (knowledge) constitute two-factor authentication.

Why this answer

Two-factor authentication (2FA) requires two distinct factors from different categories: something you have (the smart card) and something you know (the PIN). This combination provides stronger assurance than a single factor because an attacker would need both physical possession of the card and knowledge of the PIN to authenticate.

Exam trap

The trap here is that candidates often confuse multi-factor authentication (MFA) with two-factor authentication (2FA), but the SSCP exam expects you to recognize that when exactly two distinct factors are used, 'two-factor authentication' is the precise and correct term, not the broader 'multi-factor authentication'.

How to eliminate wrong answers

Option A is wrong because single sign-on (SSO) allows a user to authenticate once and access multiple systems without re-entering credentials; it does not inherently involve multiple authentication factors. Option B is wrong because biometric authentication relies on something you are (e.g., fingerprint, iris scan), not a smart card and PIN combination. Option D is wrong because multi-factor authentication (MFA) requires two or more factors, but the question specifically describes exactly two factors (smart card and PIN), making two-factor authentication the more precise term; MFA is a broader category that includes 2FA, but 2FA is the correct specific answer here.

59
Multi-Selecteasy

Which TWO of the following are examples of multifactor authentication? (Choose two.)

Select 2 answers
A.Smart card and PIN
B.SMS code and password
C.Password and security question
D.Voice recognition and iris scan
E.Fingerprint and smart card
AnswersA, E

Smart card (something you have) and PIN (something you know) are two different factors.

Why this answer

Multifactor authentication (MFA) requires at least two distinct factors from different categories: something you know, something you have, and something you are. A smart card is 'something you have,' and a PIN is 'something you know,' so combining them satisfies MFA requirements. This is a classic example used in access control systems like Common Access Cards (CAC) or Personal Identity Verification (PIV) cards.

Exam trap

The trap here is that candidates often confuse 'something you have' (like a smart card) with 'something you know' (like a PIN) and incorrectly think that two different instances of the same factor (e.g., password and security question) count as MFA, or they mistakenly treat an SMS code as a possession factor when it is actually a knowledge-based OTP delivered via a possession channel.

60
MCQeasy

An administrator notices that a terminated employee's account is still active. Which access control process was likely skipped?

A.Authorization
B.Authentication
C.Provisioning
D.Accounting
AnswerC

Provisioning includes creating and disabling accounts; the termination process should have disabled the account.

Why this answer

Provisioning is the access control process that includes creating, modifying, and disabling user accounts and their associated privileges. When a terminated employee's account remains active, the de-provisioning step—specifically account revocation—was likely skipped, leaving the account enabled and accessible.

Exam trap

The trap here is that candidates confuse provisioning with authorization or authentication, thinking that account termination is about setting permissions (authorization) rather than the account lifecycle itself.

How to eliminate wrong answers

Option A is wrong because authorization determines what an authenticated user is allowed to do (e.g., read, write), not whether the account itself exists or is active. Option B is wrong because authentication verifies a user's identity (e.g., via password or certificate), not the lifecycle management of the account. Option D is wrong because accounting tracks user actions and resource usage (e.g., via logs or RADIUS accounting), not the creation or removal of accounts.

61
Multi-Selectmedium

Which two commands can be used to modify existing file permissions on a Linux system? (Select TWO)

Select 2 answers
A.chattr
B.setfacl
C.umask
D.chown
E.chmod
AnswersB, E

setfacl sets or modifies Access Control Lists (ACLs) that can define permissions for specific users or groups.

Why this answer

B is correct because `setfacl` is used to modify Access Control Lists (ACLs) on a file or directory, which are an extended mechanism for setting permissions beyond the standard owner/group/others model. E is correct because `chmod` is the standard command for changing the read, write, and execute permissions for the file owner, group, and others using symbolic or octal notation.

Exam trap

ISC2 often tests the distinction between commands that modify existing permissions (`chmod`, `setfacl`) versus commands that set defaults for new files (`umask`) or change file ownership (`chown`), leading candidates to mistakenly select `umask` or `chown` as tools for altering current permissions.

62
MCQmedium

A database audit log shows that a user ran a query retrieving all customer records. The user's job role only requires access to view their own assigned customers. Which access control concept has been violated?

A.Job rotation
B.Need-to-know
C.Separation of duties
D.Least privilege
AnswerB

Need-to-know restricts access to data required for job functions; the user accessed data outside their need.

Why this answer

The need-to-know principle restricts data access to only the information necessary for a user to perform their job duties. In this case, the user retrieved all customer records, but their role only requires access to their own assigned customers, meaning they accessed data beyond what is necessary. This directly violates the need-to-know concept, which is a subset of access control that limits access to specific data elements rather than entire datasets.

Exam trap

The trap here is that candidates often confuse 'least privilege' with 'need-to-know,' but least privilege governs the level of permissions (e.g., read vs. write), while need-to-know governs the scope of data accessible (e.g., which specific records), and the question specifically describes a scope violation, not a permission level violation.

How to eliminate wrong answers

Option A is wrong because job rotation is a security practice where users periodically change roles to reduce fraud risk and detect malicious activity, not an access control principle that limits data access. Option C is wrong because separation of duties ensures that no single individual has complete control over a critical process by dividing tasks among multiple users, which is unrelated to a user accessing more data than their role requires. Option D is wrong because least privilege limits a user's permissions to the minimum necessary to perform their job, but the violation here is specifically about accessing data beyond what is needed for their role, which is the definition of need-to-know; least privilege focuses on the level of access (e.g., read vs. write), while need-to-know focuses on the scope of data (e.g., which records).

63
MCQeasy

A company wants to implement a policy where no single individual can approve a purchase order and also receive the goods. Which access control principle does this enforce?

A.Rotation of duties
B.Separation of duties
C.Need to know
D.Least privilege
AnswerB

This principle splits critical functions among different individuals.

Why this answer

This policy enforces separation of duties by ensuring that no single individual has the authority to both approve a purchase order and receive the goods. This control prevents fraud and errors by requiring two different people to complete related but conflicting tasks, which is a fundamental access control principle in financial and operational systems.

Exam trap

The trap here is that candidates often confuse separation of duties with least privilege, but least privilege focuses on minimizing permissions per role, whereas separation of duties mandates that conflicting tasks be split across multiple roles to prevent fraud or error.

How to eliminate wrong answers

Option A is wrong because rotation of duties involves periodically moving personnel between different roles to reduce the risk of collusion or skill stagnation, not preventing a single person from performing two conflicting tasks. Option C is wrong because need to know restricts access to information based on job requirements, not the segregation of conflicting operational steps. Option D is wrong because least privilege limits users to the minimum permissions necessary for their job functions, but does not specifically address the requirement that two separate individuals must handle approval and receipt of goods.

64
MCQhard

During a security audit, it is discovered that a developer has direct access to production databases. The policy requires that changes be reviewed and deployed by a separate team. Which control is being violated?

A.Need-to-know
B.Job rotation
C.Least privilege
D.Separation of duties
AnswerD

The developer should not have direct production access; changes should go through a separate deployment team.

Why this answer

The scenario describes a direct violation of separation of duties (SoD), a core access control principle that requires critical tasks to be divided among multiple individuals to prevent fraud or error. In this case, the developer both writes code and has direct access to production databases, bypassing the required review and deployment by a separate team. SoD ensures no single person has end-to-end control over a sensitive process, which is essential for maintaining integrity and accountability in production environments.

Exam trap

The trap here is that candidates confuse 'least privilege' with 'separation of duties' because both limit access, but least privilege focuses on the amount of access while separation of duties focuses on the division of conflicting responsibilities.

How to eliminate wrong answers

Option A is wrong because need-to-know restricts access to only the information necessary for a user's job role, but the violation here is about the process of change management, not about the developer having access to specific data they don't need. Option B is wrong because job rotation is a control that periodically moves employees between roles to reduce risk of collusion or monotony, but the issue is not about rotating roles; it's about the developer performing both development and production deployment tasks. Option C is wrong because least privilege limits users to the minimum permissions required for their duties, but the developer may have exactly the permissions needed for their job; the violation is that they are performing two conflicting duties (development and production deployment) that should be separated.

65
MCQhard

A healthcare organization must comply with HIPAA and requires that access to electronic protected health information (ePHI) be logged and audited. They consider using an identity management system that supports single sign-on (SSO). What is the PRIMARY security concern with SSO in this environment?

A.Single credential compromise leads to broad access
B.Increased complexity of password policies
C.Lack of detailed audit logs for each application
D.User inconvenience due to multiple logins
AnswerA

SSO means one password grants access to all systems.

Why this answer

In a healthcare environment subject to HIPAA, the primary security concern with SSO is that a single compromised credential (e.g., a password or smart card PIN) grants an attacker immediate access to all applications and ePHI systems that the user is authorized to use. This creates a single point of failure, dramatically increasing the blast radius of a credential theft incident. Unlike separate per-application credentials, SSO eliminates the need for repeated authentication, so an attacker who obtains the SSO token or password can move laterally across the entire application portfolio without additional authentication barriers.

Exam trap

ISC2 often tests the misconception that SSO inherently reduces audit capabilities, when in fact the primary risk is the amplified impact of a single credential compromise — candidates may incorrectly choose 'lack of detailed audit logs' because they assume SSO bypasses application-level logging, but proper SSO implementations log at the IdP and can integrate with SIEM systems.

How to eliminate wrong answers

Option B is wrong because SSO typically reduces the number of passwords a user must remember, which can simplify password policies rather than increase their complexity; the real concern is not policy complexity but the amplified risk from a single credential compromise. Option C is wrong because modern SSO systems (e.g., SAML 2.0, OAuth 2.0, OpenID Connect) can and do generate detailed audit logs at the identity provider (IdP) level, often including timestamp, user ID, application accessed, and session duration — the lack of logs is not an inherent SSO limitation. Option D is wrong because SSO is designed to eliminate multiple logins, providing user convenience; the question asks for the primary security concern, not a usability issue.

66
MCQeasy

A system administrator needs to implement a control that ensures users can only access files necessary for their job functions. Which principle is being applied?

A.Need-to-know
B.Separation of duties
C.Job rotation
D.Least privilege
AnswerD

Least privilege ensures users have only the permissions necessary to perform their job.

Why this answer

The principle of least privilege ensures that users are granted only the permissions necessary to perform their job functions, minimizing the attack surface and potential damage from accidental or malicious actions. In this scenario, restricting file access to only what is needed for job duties directly implements least privilege, as it limits access rights to the minimum required. This is distinct from need-to-know, which focuses on information disclosure rather than access permissions.

Exam trap

The trap here is that candidates often confuse 'need-to-know' with 'least privilege' because both involve limiting access, but need-to-know is specifically about information confidentiality (e.g., classified data), while least privilege is a broader principle covering all access rights and permissions.

How to eliminate wrong answers

Option A is wrong because need-to-know is a subset of least privilege that specifically controls access to sensitive information based on a user's requirement to know that information to perform their duties, but the question broadly addresses file access necessary for job functions, which is the core of least privilege. Option B is wrong because separation of duties divides critical tasks among multiple users to prevent fraud or error, not to limit individual file access to job-necessary files. Option C is wrong because job rotation is a security practice that moves users between roles to reduce monotony and detect irregularities, not a principle for restricting file access based on job functions.

Ready to test yourself?

Try a timed practice session using only Access Controls questions.