CCNA SSCP Access Controls Questions

75 of 81 questions · Page 1/2 · SSCP Access Controls topic

1
MCQ · hard

An organization uses smart cards with PKI certificates for authentication. Users must insert the card and enter a PIN. This is an example of which authentication method?

A. Three-factor authentication
B. Single-factor authentication
C. Two-factor authentication
D. Biometric authentication

Answer: C

Card (possession) and PIN (knowledge) are two factors.

Why this answer

Something you have (smart card) and something you know (PIN) constitute multi-factor authentication (MFA).

2
MCQ · medium

A company is implementing a Single Sign-On (SSO) solution that uses XML-based assertions to exchange authentication and authorization data between an identity provider and a service provider. Which protocol is being used?

A. Kerberos
B. SAML
C. OAuth 2.0
D. OpenID Connect

Answer: B

SAML uses XML assertions for federated identity.

Why this answer

SAML (Security Assertion Markup Language) is an XML-based standard for exchanging authentication and authorization data between an Identity Provider (IdP) and a Service Provider (SP).

3
MCQ · hard

A company implements a password policy requiring a minimum length of 12 characters, including uppercase, lowercase, digits, and special characters. Passwords must be changed every 90 days, and the last 10 passwords cannot be reused. After a brute-force attack, several accounts were compromised despite the policy. Which additional control would most effectively mitigate such attacks?

A. Use a password blacklist
B. Increase minimum password length to 16 characters
C. Implement account lockout after 5 failed attempts
D. Require password change every 30 days

Answer: C

Lockout thwarts brute-force by blocking further attempts.

Why this answer

Account lockout (or progressive throttling) after a number of failed attempts limits how many guesses an attacker can make against the live login interface, which is what an online brute-force attack depends on. Two caveats a practitioner should keep in mind: lockout does nothing against offline cracking of stolen password hashes, and a low threshold can be abused to lock legitimate users out, so lockouts are usually made to expire automatically rather than requiring an administrator to clear them.

4
MCQ · hard

An organization uses ABAC to control access to a document. Which attribute combination would be used to allow access only during business hours from a managed device?

A. User department and document creation date
B. User identity, time of day, and device compliance status
C. User role and document classification
D. Document owner and file size

Answer: B

These are a subject attribute (user identity) plus two environment attributes (time of day and device compliance status), which together express the policy.

Why this answer

ABAC policies can combine subject (user), object (document), and environment (time, device management status) attributes to make access decisions.

5
Multi-Select · medium

An organization is implementing multi-factor authentication (MFA). Which TWO of the following are examples of something you have?

Select 2 answers
A. Smart card
B. PIN
C. Retina scan
D. Hardware token (e.g., YubiKey)
E. Fingerprint

Answers: A, D

A smart card is a physical device, thus something you have.

Why this answer

Something you have includes physical tokens like smart cards and hardware tokens. Biometrics are something you are, and passwords are something you know.

6
Multi-Select · hard

During an access control audit, you find that a user has been assigned to two mutually exclusive roles. Which TWO principles are most likely violated?

Select 2 answers
A. Role hierarchy
B. Least privilege
C. Separation of duties
D. Mandatory access control
E. Accountability

Answers: B, C

Assigning roles that are not needed violates least privilege.

Why this answer

Separation of duties is violated when a user has roles that could allow fraud; least privilege is violated if the user has more permissions than necessary.

7
MCQ · easy

Which access control model allows the owner of a resource to grant permissions to others?

A. Discretionary Access Control (DAC)
B. Attribute-Based Access Control (ABAC)
C. Mandatory Access Control (MAC)
D. Role-Based Access Control (RBAC)

Answer: A

DAC enables the resource owner to grant access to others.

Why this answer

DAC (Discretionary Access Control) allows the resource owner to decide who can access the resource and with what permissions.

8
MCQ · hard

An organization uses an ABAC system to control access to documents. Policies are defined using attributes such as user department, document classification, and time of day. Which of the following is an example of an ABAC policy rule?

A. The owner of a document can grant read access to any other user.
B. Users in the 'HR' role can read documents classified as 'Confidential'.
C. All users with security clearance 'Secret' can read documents labeled 'Secret'.
D. If user.department == 'HR' AND doc.classification == 'Confidential' AND time.business_hours == true then permit read.

Answer: D

This uses subject attribute (department), object attribute (classification), and environment attribute (time).

Why this answer

ABAC policies use conditions based on subject, object, and environment attributes. The rule combines department, classification, and time.
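As an added example (not part of the original question set), the following Python models a small ABAC policy decision point with a default-deny rule: it encodes the rule from question 8 (department, classification and business hours) and the combination from question 4 (user identity, time of day and device compliance status). The attribute names, the 09:00-17:00 weekday definition of business hours and the sample requests are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]


@dataclass
class Rule:
    """One ABAC rule: a condition over (subject, object, environment) and the action it permits."""
    name: str
    action: str
    condition: Callable[[Attrs, Attrs, Attrs], bool]


@dataclass
class PolicyDecisionPoint:
    rules: List[Rule] = field(default_factory=list)

    def decide(self, subject: Attrs, obj: Attrs, env: Attrs, action: str) -> str:
        # Default deny: the action is permitted only if some rule for that action holds.
        for rule in self.rules:
            if rule.action == action and rule.condition(subject, obj, env):
                return "Permit"
        return "Deny"


def business_hours(env: Attrs) -> bool:
    """Environment attribute derived from the request time (assumed: 09:00-17:00, Monday-Friday)."""
    now: datetime = env["time"]
    return now.weekday() < 5 and time(9, 0) <= now.time() < time(17, 0)


# Rule from question 8: department AND classification AND business hours -> permit read.
hr_confidential = Rule(
    name="hr-confidential-read",
    action="read",
    condition=lambda s, o, e: s.get("department") == "HR"
    and o.get("classification") == "Confidential"
    and business_hours(e),
)

# Combination from question 4: a named user, during business hours, from a compliant (managed) device.
owner_managed_device = Rule(
    name="owner-managed-device-read",
    action="read",
    condition=lambda s, o, e: s.get("user_id") == o.get("owner")
    and business_hours(e)
    and e.get("device_compliant") is True,
)

pdp = PolicyDecisionPoint(rules=[hr_confidential, owner_managed_device])


def evaluate_samples() -> Dict[str, str]:
    """Constructed requests against one Confidential document; returns the decision for each."""
    doc = {"id": "doc-42", "classification": "Confidential", "owner": "alice"}
    monday_10am = datetime(2024, 6, 3, 10, 0)   # 2024-06-03 is a Monday
    sunday_10am = datetime(2024, 6, 2, 10, 0)   # 2024-06-02 is a Sunday
    hr_user = {"user_id": "bob", "department": "HR"}
    owner = {"user_id": "alice", "department": "Sales"}
    return {
        "hr_in_hours": pdp.decide(hr_user, doc, {"time": monday_10am, "device_compliant": False}, "read"),
        "hr_weekend": pdp.decide(hr_user, doc, {"time": sunday_10am, "device_compliant": True}, "read"),
        "owner_unmanaged": pdp.decide(owner, doc, {"time": monday_10am, "device_compliant": False}, "read"),
        "owner_managed": pdp.decide(owner, doc, {"time": monday_10am, "device_compliant": True}, "read"),
        "hr_write": pdp.decide(hr_user, doc, {"time": monday_10am, "device_compliant": True}, "write"),
    }


if __name__ == "__main__":
    for case, decision in evaluate_samples().items():
        print(f"{case:16s} -> {decision}")
```

The HR user is permitted only inside business hours regardless of device, the document owner is permitted only from a compliant device, and a write is denied because no rule grants it: environment attributes are evaluated per request, which is what makes ABAC dynamic where RBAC is static.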

9
Multi-Select · medium

An organization is reviewing its account lifecycle management process. Which TWO activities are part of the provisioning phase? (Select TWO.)

Select 2 answers
A. Creating user accounts in the identity store
B. Modifying user roles due to job change
C. Archiving user data for compliance
D. Assigning initial role memberships and permissions
E. Disabling accounts upon termination

Answers: A, D

This is the core of provisioning new users.

Why this answer

Provisioning involves creating accounts and assigning initial roles/permissions upon onboarding. Modifying roles is a change, not initial provisioning. Disabling is deprovisioning.

10
MCQ · medium

In a Kerberos environment, what is the primary function of the Ticket Granting Ticket (TGT)?

A. To store the user's password hash securely
B. To request service tickets from the Ticket Granting Service (TGS)
C. To provide a session key for encrypting communications
D. To authenticate the user to the Key Distribution Center (KDC)

Answer: B

The TGT is presented to the TGS to obtain service tickets for resources.

Why this answer

The TGT is obtained after initial authentication and is used to request service tickets for various resources without re-authenticating.

11
MCQ · hard

A security analyst notices that a user's account was used to access sensitive files after the user had left the company. Which access control principle was most likely violated?

A. Identification
B. Least privilege
C. Accountability
D. Separation of duties

Answer: C

Accountability requires that activities can be traced to individuals; an active account of a former employee undermines this.

Why this answer

Accountability requires that actions be traced to individuals. If an account is not disabled promptly, actions cannot be reliably attributed.

12
MCQ · medium

An organization implements RBAC to enforce separation of duties. Which of the following is a key benefit of using role-based access control in this context?

A. Users can share accounts to simplify management
B. It prevents users from having conflicting roles that could lead to fraud
C. It allows users to define their own permissions
D. It uses system-wide labels to control access

Answer: B

Correct. RBAC helps enforce separation of duties.

Why this answer

RBAC naturally supports separation of duties by assigning permissions to roles and ensuring that conflicting roles (e.g., approving and executing payments) are not assigned to the same user. This reduces fraud risk.

13
MCQ · medium

An organization uses OAuth 2.0 for delegated access to a cloud storage API. A third-party application requests an access token to read user files. What is the primary purpose of the access token in OAuth?

A. To encrypt the user's data in transit
B. To store the user's credentials in the client application
C. To authorize the client to access the resource server on behalf of the user
D. To authenticate the user to the authorization server

Answer: C

Correct. The access token conveys authorization.

Why this answer

The access token represents the authorized scope of access granted by the resource owner (user). It is used by the client to access the protected resource (e.g., API) without exposing user credentials.

14
Multi-Select · medium

A company wants to implement multi-factor authentication (MFA) for remote access. Which TWO of the following are examples of different authentication factors? (Choose TWO.)

Select 2 answers
A. Hardware token and fingerprint
B. Retina scan and iris scan
C. Smart card and PIN
D. Password and security question
E. Password and one-time passcode from a token

Answers: A, E

Token (possession) and fingerprint (inherence) are different factors.

Why this answer

MFA requires at least two distinct factors: knowledge (password, PIN, security question), possession (hardware token, smart card) and inherence (fingerprint, retina). Options A, C and E each pair two different factors; B (two biometrics) and D (two knowledge items) repeat a single factor, so neither is MFA. The published key selects A and E.

15
Multi-Select · hard

A security engineer is designing a federated identity solution for cross-domain authentication. Which THREE of the following technologies are commonly used?

Select 3 answers
A. Kerberos
B. Lightweight Directory Access Protocol (LDAP)
C. OpenID Connect (OIDC)
D. Security Assertion Markup Language (SAML)
E. Active Directory forest trusts

Answers: C, D, E

OIDC is an authentication layer on top of OAuth 2.0 for federated identity.

Why this answer

Federated identity relies on standards like SAML, OAuth/OIDC, and Active Directory forest trusts to enable authentication across domains.

16
MCQ · medium

A security administrator is configuring a system to enforce separation of duties. In which access control model is this principle most directly implemented?

A. RBAC
B. MAC
C. ABAC
D. DAC

Answer: A

RBAC enforces separation of duties through role constraints.

Why this answer

RBAC commonly enforces separation of duties by ensuring that conflicting roles are not assigned to the same user.

17
MCQ · medium

A security analyst is reviewing access controls for a database server. The database administrator has granted all users in the 'sales' role SELECT, INSERT, UPDATE, and DELETE permissions on the 'orders' table. Which access control principle is being violated?

A. Accountability
B. Separation of duties
C. Need to know
D. Least privilege

Answer: D

Granting DELETE to all sales users gives more privilege than necessary.

Why this answer

Least privilege means users should have only the minimum permissions necessary to perform their job. Sales staff likely need to read and perhaps insert orders, but not delete them.

18
MCQ · medium

A biometric system has a high false rejection rate (FRR). Which of the following is a likely consequence?

A. The system will require less frequent calibration
B. Unauthorized users are more likely to gain access
C. Legitimate users may be denied access, leading to frustration
D. The system's crossover error rate (CER) will be very low

Answer: C

Correct. High FRR means many false rejections.

Why this answer

False rejection means legitimate users are denied access, causing inconvenience. This is often a trade-off when trying to lower false acceptance rate (FAR).

19
MCQ · hard

During a security audit, it is discovered that a service account has been used to log in interactively to a server. The account was originally provisioned only for running a background service. Which PAM (Privileged Access Management) control would best prevent such misuse in the future?

A. Password vaulting with automatic rotation
B. Requiring multi-factor authentication for the service account
C. Just-in-time (JIT) provisioning of the service account
D. Session recording and monitoring

Answer: C

Correct. JIT ensures the account is only active when needed, reducing exposure.

Why this answer

Just-in-time (JIT) provisioning keeps the account's privileges inactive until a specific, approved task needs them, so there is no standing account for someone to log on with interactively. Password vaulting with rotation protects the credential but does not stop whoever checks it out from using it interactively; session recording is a detective control that records misuse rather than preventing it; and MFA is rarely practical for a non-interactive service account.

The most direct preventive control is a logon-rights policy that denies the account interactive and remote-interactive logon (on Windows, the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights). Among the PAM controls offered, JIT provisioning is the one that removes the continuously available access.

20
MCQ · easy

Which term describes the process of verifying the identity of a user, system, or entity?

A. Authorization
B. Authentication
C. Identification
D. Accountability

Answer: B

Authentication verifies the identity claim.

Why this answer

Authentication is the process of verifying that a claimed identity is valid, typically using factors like passwords, biometrics, or tokens.

21
MCQ · easy

Which access control model enforces the principle of least privilege by granting permissions based on job functions and requires separation of duties?

A. Attribute-Based Access Control (ABAC)
B. Role-Based Access Control (RBAC)
C. Mandatory Access Control (MAC)
D. Discretionary Access Control (DAC)

Answer: B

RBAC is designed to support least privilege and separation of duties.

Why this answer

RBAC assigns permissions to roles, and users are assigned to roles, enabling least privilege and separation of duties through role design.

22
MCQ · medium

A security administrator needs to implement an access control model that grants access based on attributes of the user, resource, and environment, using policy rules. Which model is most appropriate?

A. Attribute-Based Access Control (ABAC)
B. Mandatory Access Control (MAC)
C. Discretionary Access Control (DAC)
D. Role-Based Access Control (RBAC)

Answer: A

ABAC uses attributes and policies for access decisions.

Why this answer

Attribute-Based Access Control (ABAC) uses policies that evaluate attributes of the subject, object, and environment to make access decisions, offering fine-grained and dynamic control.

23
MCQ · easy

Which of the following is a common method for implementing multi-factor authentication (MFA) using something you have and something you know?

A. Fingerprint and retina scan
B. Smart card and PIN
C. Password and security question
D. Username and password

Answer: B

Smart card is something you have; PIN is something you know.

Why this answer

A smart card (something you have) combined with a PIN (something you know) is a classic MFA implementation.

24
MCQ · medium

In the Bell-LaPadula model, which property prevents a subject from reading an object at a higher classification level?

A. The *-property (no write down)
B. The Discretionary Security Property
C. The Simple Security Property (no read up)
D. The Lattice Security Property

Answer: C

This property prevents reading higher-level objects.

Why this answer

The Simple Security Property (no read up) ensures subjects cannot access objects above their clearance level, protecting confidentiality.

25
Multi-Select · hard

A security analyst is investigating an account compromise. The organization uses Kerberos for single sign-on. Which TWO of the following would help in tracking the source of the compromise?

Select 2 answers
A. Password hash history
B. Ticket-Granting Ticket (TGT) expiration time
C. Authentication service (AS) logs with timestamps and IP addresses
D. Logs from the Key Distribution Center (KDC) showing TGT requests
E. Service ticket session keys

Answers: C, D

AS logs show initial authentication attempts with source IPs.

Why this answer

Kerberos logs ticket requests and TGT usage, which can trace authentication events. TGT expiration and session key details are part of the protocol but less directly useful for source identification.
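The kind of triage these two log sources support, as an added example that is not taken from the page: the records below are constructed, simplified KDC audit events (one JSON object per line, not the log format of any real KDC product), and the `known_ips` baseline is a hypothetical list of addresses the user normally authenticates from. The function finds TGT requests from unfamiliar addresses, counts the pre-authentication failures that preceded them from the same address (password guessing), and lists the service tickets obtained afterwards, which is what the analyst needs to scope what the attacker reached.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Constructed, simplified KDC audit records: "as_req" is an Authentication Service request (TGT),
# "tgs_req" is a Ticket Granting Service request (service ticket). Not a real product's format.
KDC_LOG = """
{"ts": "2024-06-03T08:55:12Z", "event": "as_req",  "user": "jsmith", "client_ip": "10.1.20.15", "result": "success"}
{"ts": "2024-06-03T09:02:41Z", "event": "tgs_req", "user": "jsmith", "client_ip": "10.1.20.15", "service": "cifs/fileserver01", "result": "success"}
{"ts": "2024-06-03T21:14:03Z", "event": "as_req",  "user": "jsmith", "client_ip": "203.0.113.77", "result": "preauth_failed"}
{"ts": "2024-06-03T21:14:09Z", "event": "as_req",  "user": "jsmith", "client_ip": "203.0.113.77", "result": "preauth_failed"}
{"ts": "2024-06-03T21:14:20Z", "event": "as_req",  "user": "jsmith", "client_ip": "203.0.113.77", "result": "success"}
{"ts": "2024-06-03T21:15:02Z", "event": "tgs_req", "user": "jsmith", "client_ip": "203.0.113.77", "service": "cifs/fileserver01", "result": "success"}
{"ts": "2024-06-03T21:16:45Z", "event": "tgs_req", "user": "jsmith", "client_ip": "203.0.113.77", "service": "ldap/dc01", "result": "success"}
{"ts": "2024-06-03T09:10:00Z", "event": "as_req",  "user": "mlee",   "client_ip": "10.1.20.30", "result": "success"}
"""


def parse(log_text: str) -> List[dict]:
    """One JSON record per non-empty line."""
    return [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]


def triage(records: List[dict], user: str, known_ips) -> List[Dict]:
    """For one account: successful TGT requests from addresses outside the user's baseline,
    with the pre-auth failures that preceded each from that address and the service tickets
    requested from it afterwards. Timestamps are ISO-8601 UTC, so string order is time order."""
    own = sorted((r for r in records if r["user"] == user), key=lambda r: r["ts"])
    failures = defaultdict(int)   # client_ip -> pre-auth failures seen so far
    suspicious = []
    for r in own:
        if r["event"] != "as_req":
            continue
        if r["result"] != "success":
            failures[r["client_ip"]] += 1
        elif r["client_ip"] not in known_ips:
            followups = [s["service"] for s in own
                         if s["event"] == "tgs_req"
                         and s["client_ip"] == r["client_ip"]
                         and s["ts"] > r["ts"]]
            suspicious.append({
                "ts": r["ts"],
                "client_ip": r["client_ip"],
                "failed_preauth_before": failures[r["client_ip"]],
                "services_accessed": followups,
            })
    return suspicious


if __name__ == "__main__":
    for hit in triage(parse(KDC_LOG), "jsmith", known_ips={"10.1.20.15"}):
        print(hit)
```

For `jsmith` the output is a single hit: a TGT issued at 21:14:20 to 203.0.113.77 after two pre-authentication failures, followed by service tickets for the file server and the domain controller's LDAP service. The TGT lifetime and session keys would not have told the analyst any of this.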

26
MCQ · medium

An organization wants to implement multi-factor authentication (MFA) for remote access. Which combination represents something you have and something you are?

A. Password and security question
B. Smart card and PIN
C. Password and one-time passcode (OTP)
D. Smart card and fingerprint

Answer: D

Smart card (something you have) and fingerprint (something you are) provide MFA.

Why this answer

Something you have (smart card) plus something you are (fingerprint) constitutes MFA using two different factors.

27
MCQ · hard

In an OAuth 2.0 authorization flow, a client application receives an access token. This token is used to:

A. Encrypt data between client and resource server
B. Identify the user across different applications
C. Authorize access to protected resources at the resource server
D. Authenticate the user to the authorization server

Answer: C

The access token grants authorized access.

Why this answer

The access token is sent to the resource server to authorize access to protected resources on behalf of the user.

28
MCQ · hard

In a biometric system, the point at which the false rejection rate (FRR) equals the false acceptance rate (FAR) is known as the:

A. False acceptance rate (FAR)
B. Crossover error rate (CER)
C. Failure to enroll rate
D. False rejection rate (FRR)

Answer: B

CER is the point where FAR equals FRR.

Why this answer

The crossover error rate (CER), also called the equal error rate (EER), is where FAR and FRR are equal, indicating overall accuracy.

29
MCQ · medium

A security analyst is evaluating a biometric system. The system currently has a high number of false rejections. Which metric is most directly related to this issue?

A. False Acceptance Rate (FAR)
B. Equal Error Rate (EER)
C. Crossover Error Rate (CER)
D. False Rejection Rate (FRR)

Answer: D

FRR directly measures false rejections.

Why this answer

False Rejection Rate (FRR) measures the likelihood that an authorized user is incorrectly denied access. A high FRR indicates many false rejections.

30
MCQ · easy

Which access control model enforces security based on classification labels assigned to subjects and objects, commonly used for confidentiality?

A. Clark-Wilson
B. Brewer-Nash
C. Bell-LaPadula
D. Biba

Answer: C

Bell-LaPadula enforces confidentiality.

Why this answer

Bell-LaPadula is a MAC model that enforces confidentiality via labels, preventing read-up and write-down.

31
MCQ · medium

In Role-Based Access Control (RBAC), what is the purpose of role hierarchy?

A. To inherit permissions from higher-level roles
B. To enforce separation of duties
C. To allow users to have multiple roles
D. To reduce the number of roles

Answer: A

Role hierarchy enables inheritance; higher roles get permissions of lower roles.

Why this answer

Role hierarchy allows senior roles to inherit permissions from junior roles, simplifying permission management and reflecting organizational structure.

32
MCQ · medium

An organization implements a policy requiring passwords to be at least 12 characters, include uppercase, lowercase, digits, and special characters, and be changed every 60 days. Which password policy elements are being enforced?

A. Complexity, expiry, and lockout
B. Length, complexity, and history
C. Length, complexity, and expiry
D. Length, complexity, and lockout

Answer: C

These three are explicitly stated.

Why this answer

The policy specifies length, complexity (character types), and expiry (change interval). History and lockout are not mentioned.

33
MCQ · medium

A security administrator is configuring password policies to meet compliance. Which combination of settings provides the strongest protection against brute-force attacks?

A. Minimum 10 characters, no complexity, lockout after 3 attempts, history of 1
B. Minimum 6 characters, complexity required, lockout after 10 attempts, history of 5
C. Minimum 8 characters, no complexity, no lockout, password history of 3
D. Minimum 12 characters, complexity required, lockout after 5 attempts, history of 10

Answer: D

Correct. Longer length, complexity, lockout, and history provide strong protection.

Why this answer

Longer passwords drawn from a larger character set make each guess less likely to succeed, lockout caps how many guesses an attacker can make online, and history stops users from cycling back to a password that may already be known. Note what the combination does not do: lockout only slows online guessing against the live login interface and does nothing against offline cracking of a stolen hash (there, length is what matters), and a tight lockout threshold lets an attacker lock legitimate users out by deliberately failing their logins.
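As an added example that is not part of the original quiz, this Python lockout tracker implements the threshold in option D and shows both its effect and its limits: it caps how many guesses an online attacker actually gets evaluated, and because the lockout expires on its own the denial of service an attacker can cause by deliberately failing logins is bounded in time. The 15-minute observation window and lockout duration, the user name and the attacker's one-guess-per-second timeline are assumptions made for the simulation.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LockoutPolicy:
    max_failures: int = 5        # lock after 5 failed attempts (question 33, option D)
    window_seconds: int = 900    # failures are counted within a 15-minute window (assumed)
    lockout_seconds: int = 900   # automatic unlock after 15 minutes (assumed; bounds DoS impact)


@dataclass
class LockoutTracker:
    policy: LockoutPolicy
    failures: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))  # user -> failure times
    locked_until: Dict[str, float] = field(default_factory=dict)                         # user -> unlock time

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear state so the user (or attacker) starts from zero again.
            del self.locked_until[user]
            self.failures[user].clear()
            return False
        return True

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; returns True if this failure locked the account."""
        window_start = now - self.policy.window_seconds
        recent = [t for t in self.failures[user] if t > window_start]
        recent.append(now)
        self.failures[user] = recent
        if len(recent) >= self.policy.max_failures:
            self.locked_until[user] = now + self.policy.lockout_seconds
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failure counter."""
        self.failures[user].clear()


def simulate_brute_force(attempts: int, policy: LockoutPolicy) -> Dict[str, object]:
    """Constructed attack: `attempts` wrong passwords for one account, one second apart.
    Returns how many guesses the password check actually evaluated and whether the
    account is usable again one lockout period after the attack stops."""
    tracker = LockoutTracker(policy)
    user = "victim"          # hypothetical account
    t0 = 1_700_000_000.0
    evaluated = 0
    for i in range(attempts):
        now = t0 + i
        if tracker.is_locked(user, now):
            continue         # rejected before the password is even checked
        evaluated += 1
        tracker.record_failure(user, now)
    unlocked_later = not tracker.is_locked(user, t0 + attempts + policy.lockout_seconds)
    return {"evaluated": evaluated, "unlocked_later": unlocked_later}


if __name__ == "__main__":
    for n in (100, 1000):
        print(n, "attempts ->", simulate_brute_force(n, LockoutPolicy()))
```

A thousand guesses in a thousand seconds yields only ten evaluated passwords (five per lockout period), which is why lockout is decisive against online guessing; the same thousand guesses against a stolen hash would all be evaluated, at whatever rate the attacker's hardware allows.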

34
MCQ · medium

A security administrator is configuring a new system and wants to enforce a mandatory access control model to ensure confidentiality of classified data. Which access control model should the administrator implement?

A. Discretionary Access Control (DAC)
B. Biba
C. Role-Based Access Control (RBAC)
D. Bell-LaPadula

Answer: D

Bell-LaPadula enforces confidentiality through mandatory labels and the simple security property and *-property.

Why this answer

Bell-LaPadula is a mandatory access control model that focuses on confidentiality by preventing read-up and write-down.

35
MCQ · medium

An organization wants to ensure that privileged accounts are used only when needed and that all activities are recorded. Which Privileged Access Management (PAM) control should be implemented?

A. Password vaulting
B. Role-based access control
D. Just-in-Time (JIT) provisioning with session recording

Answer: D

JIT provides temporary access and session recording logs activities.

Why this answer

Just-in-Time (JIT) provisioning grants temporary elevated privileges for specific tasks, reducing the attack surface. Session recording captures all actions for auditing.

36
MCQ · medium

What is the primary risk associated with service accounts in an enterprise?

A. They are used by multiple users simultaneously
B. They are difficult to create
C. They often have excessive privileges and infrequent password changes
D. They are always tied to a specific user

Answer: C

Service accounts are often overlooked, with standing privileges and unchanged passwords.

Why this answer

Service accounts often have high privileges and are rarely changed, making them prime targets for attackers if compromised.

37
Multi-Select · hard

A security auditor is reviewing the account lifecycle process. Which TWO of the following are mandatory steps during the deprovisioning (offboarding) process?

Select 2 answers
A. Preserve evidence for potential investigation
B. Change the user's password to a default
C. Immediately disable the account
D. Notify the user that their account will be removed
E. Delete the account and all associated data

Answers: A, C

Evidence must be preserved.

Why this answer

Immediate disabling prevents unauthorized access, and preserving evidence (logs, files) is essential for potential investigations. Deleting accounts immediately may hinder forensics, and notifying users is not required (they are leaving).

38
MCQ · easy

Which authentication method generates a one-time password that is valid for only a short time window?

A. Biometric scan
B. HMAC-based One-Time Password (HOTP)
C. Static password
D. Time-based One-Time Password (TOTP)

Answer: D

TOTP uses time as a variable, changing codes periodically.

Why this answer

Time-based One-Time Password (TOTP) uses the current time to generate a code that expires after a short interval (e.g., 30 seconds).

39
MCQ · hard

In a Bell-LaPadula model implementation, a user with a Secret clearance attempts to read a document classified as Top Secret. Additionally, they try to write to a document classified as Unclassified. What are the results of these actions?

A. Read denied, write allowed
B. Read allowed, write allowed
C. Read denied, write denied
D. Read allowed, write denied

Answer: C

Correct. Both actions are denied.

Why this answer

Bell-LaPadula enforces *no read up* (simple security property) and *no write down* (*-property). Thus reading Top Secret is denied, and writing to Unclassified is also denied to prevent leakage.

40
MCQ · easy

A security administrator is implementing an access control model that assigns permissions based on the clearance of the subject and the classification of the object. Which model is being implemented?

A. Role-Based Access Control (RBAC)
B. Discretionary Access Control (DAC)
C. Attribute-Based Access Control (ABAC)
D. Mandatory Access Control (MAC)

Answer: D

MAC uses clearance and classification labels.

Why this answer

Mandatory Access Control (MAC) uses labels for subjects (clearance) and objects (classification) to enforce access decisions, commonly used in government and military environments.

41
MCQ · easy

Which access control model allows the owner of a resource to grant access permissions to other users?

A. RBAC (Role-Based Access Control)
B. DAC (Discretionary Access Control)
C. MAC (Mandatory Access Control)
D. ABAC (Attribute-Based Access Control)

Answer: B

Correct. DAC allows the resource owner to control access.

Why this answer

In DAC (Discretionary Access Control), the resource owner has discretion over who can access the resource. This contrasts with MAC, where access is based on labels, and RBAC/ABAC, where access is based on roles or attributes.

42
MCQ · easy

What is the primary purpose of a Privileged Access Management (PAM) solution?

A. Controlling and monitoring access to privileged accounts
B. Managing user password resets
C. Implementing single sign-on for all applications
D. Enforcing password complexity policies

Answer: A

PAM provides vaulting, session recording, and just-in-time access for privileged accounts.

Why this answer

PAM solutions focus on securing, managing, and monitoring privileged accounts to reduce the risk of misuse.

43
MCQ · easy

What is the primary purpose of account deprovisioning?

A. To revoke access and disable accounts when no longer needed
B. To create new user accounts
C. To audit user activity
D. To modify user roles

Answer: A

Deprovisioning removes access rights and disables accounts.

Why this answer

Deprovisioning ensures that when an employee leaves or changes roles, access is removed promptly to prevent unauthorized use.

44
MCQ · easy

What is the primary purpose of account deprovisioning in the account lifecycle?

A. To modify user roles and permissions
B. To immediately disable accounts and preserve evidence
C. To enforce password policies
D. To create new user accounts

Answer: B

Deprovisioning involves disabling and preserving data.

Why this answer

Deprovisioning ensures that when an employee leaves, access is revoked immediately to prevent unauthorized use, and evidence is preserved for investigations.

45
MCQ · easy

An organization requires users to authenticate using a password and a one-time code from a mobile app. Which authentication method is being used?

A. Time-based One-Time Password (TOTP)
B. Smart card
C. Hardware token
D. Biometrics

Answer: A

TOTP is a common OTP method using time synchronization.

Why this answer

Time-based One-Time Password (TOTP) generates a temporary code that changes every 30-60 seconds, commonly used with mobile apps like Google Authenticator.
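HOTP and TOTP as they are actually computed, added here as an example rather than taken from the page (it also covers question 38): a direct implementation of RFC 4226 (HMAC over an 8-byte counter, then dynamic truncation) and RFC 6238 (the counter is the number of 30-second steps since the Unix epoch), checked against the test vectors those RFCs publish, plus a verifier that tolerates one step of clock drift and rejects a code two steps old. The shared secret below is the RFCs' published test secret, which is fine for checking the arithmetic and never for a real deployment, where the secret must be random per user.

```python
import hashlib
import hmac
import struct
import time
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, modulo 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6, t0: int = 0) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since t0."""
    return hotp(secret, int((unix_time - t0) // step), digits)


def verify_totp(secret: bytes, code: str, unix_time: float, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps (clock drift).
    compare_digest keeps the comparison time independent of how many digits match."""
    counter = int(unix_time // step)
    return any(
        hmac.compare_digest(hotp(secret, counter + k), code)
        for k in range(-window, window + 1)
    )


# Test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"). Never reuse a known secret.
TEST_SECRET = b"12345678901234567890"


def demo() -> Dict[str, object]:
    """RFC test vectors plus the short validity of a TOTP code (assumed clock: T = 1111111109)."""
    issued_at = 1_111_111_109
    code = totp(TEST_SECRET, issued_at)
    return {
        "hotp_counter_0": hotp(TEST_SECRET, 0),                  # RFC 4226 vector: 755224
        "totp_8digit_at_59": totp(TEST_SECRET, 59, digits=8),    # RFC 6238 vector: 94287082
        "valid_now": verify_totp(TEST_SECRET, code, issued_at),
        "valid_next_step": verify_totp(TEST_SECRET, code, issued_at + 30),   # one step of drift
        "valid_two_steps_later": verify_totp(TEST_SECRET, code, issued_at + 60),  # expired
    }


if __name__ == "__main__":
    print(demo())
    print("TOTP right now:", totp(TEST_SECRET, time.time()))
```

The difference between the two schemes is only where the counter comes from: HOTP increments it per use and the server must track it per token, while TOTP derives it from the clock, which is why a TOTP code stops validating about a minute after it was shown and why both sides need reasonably synchronized clocks.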

46
Multi-Select · medium

A security administrator is designing an identity federation solution. Which THREE of the following are commonly used federation standards?

Select 3 answers
A. LDAP
B. Kerberos
C. SAML
E. OAuth / OpenID Connect

Answers: B, C, E

Kerberos can be used in federated environments (e.g., cross-realm).

Why this answer

SAML, OAuth/OIDC, and Kerberos (with extensions) are used for federation. LDAP is a directory protocol, not a federation standard.

47
Multi-Select · medium

A company is implementing single sign-on (SSO) for its internal applications. Which TWO of the following protocols are commonly used for SSO?

Select 2 answers
A. Kerberos
B. OAuth
C. LDAP
D. RADIUS
E. SAML

Answers: A, E

Kerberos provides SSO within a domain.

Why this answer

Kerberos and SAML are both widely used for SSO. Kerberos is common in Windows domains, while SAML is used for web-based federated SSO. LDAP is a directory protocol, OAuth is for authorization (though OIDC adds authentication), and RADIUS is for network access.

48
Multi-Select · medium

An organization wants to implement separation of duties to reduce the risk of fraud. Which THREE of the following are common techniques used to enforce separation of duties?

Select 3 answers
A. Audit logging and monitoring of privileged actions
B. Role-based access control with mutually exclusive roles
C. Enforcing complex password policies
D. Using biometric authentication
E. Requiring two or more people to approve a transaction

Answers: A, B, E

Logging is a detective control: it does not stop a conflicting action, but it makes the action attributable and visible, which is what gives separation of duties teeth.

Why this answer

Separation of duties is enforced through role-based access control (assigning conflicting roles to different users) and dual authorization for critical actions, and supported by audit logging, which detects and attributes violations. Password complexity and biometrics strengthen authentication; they do not separate duties.

49
MCQ · medium

A security administrator is implementing an access control system that uses sensitivity labels on subjects and objects. The policy dictates that a subject can only read objects with a label equal to or lower than the subject's clearance, and can only write to objects with a label equal to or higher than the subject's clearance. Which access control model and principle is being enforced?

A. MAC with Bell-LaPadula model
B. MAC with Biba model
C. DAC with owner-based permissions
D. RBAC with role hierarchy

Answer: A

Bell-LaPadula uses mandatory labels and enforces no read up and no write down for confidentiality.

Why this answer

Bell-LaPadula model enforces confidentiality through the simple security property (no read up) and the *-property (no write down). The described rules match Bell-LaPadula's restrictions.

50
MCQ · hard

During a user offboarding process, the security team must ensure that the former employee's access is revoked immediately. However, the user's manager requests that the account remain active for a week to review files. What is the BEST practice?

A. Change the account to a service account and keep it active
B. Disable the account immediately and transfer ownership of files to the manager
C. Keep the account active but change the password and share it with the manager
D. Leave the account as-is and monitor activity for the week

Answer: B

Correct. This balances security with business needs.

Why this answer

Best practice is to disable the account immediately to prevent unauthorized access, then transfer ownership of necessary files to another user for review. Keeping the account active poses a security risk.

51
MCQ · hard

A security engineer is designing a system that must ensure data integrity at all costs, even if it means sacrificing availability. Which access control model and corresponding principle should be applied?

A. Bell-LaPadula with no read-down
B. Biba with no read-up
C. Biba with no write-up and no read-down
D. Bell-LaPadula with no write-up

Answer: C

Biba enforces no write-up (to protect higher integrity) and no read-down (to prevent corruption). This prioritizes integrity over availability.

Why this answer

Biba is a MAC model that focuses on integrity, preventing subjects from writing to higher integrity levels (no write-up) and preventing subjects from reading lower integrity levels (no read-down). This can impact availability.

52
Multi-Select · medium

Which TWO of the following are characteristics of the Biba integrity model? (Choose TWO.)

Select 2 answers
A. No write-up
B. No write-down
C. No read-up
D. Discretionary access
E. No read-down

Answers: A, E

Subjects cannot write to higher integrity levels.

Why this answer

Biba is a MAC model for integrity with rules: no write-up (integrity levels) and no read-down (to prevent corruption).
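A reference monitor for both lattice models, added as an example that is not part of the page: it covers the Bell-LaPadula scenario of question 39 (Secret clearance reading Top Secret and writing Unclassified) and the Biba rules of questions 51 and 52, and it can print the full decision table for either model so a policy can be checked against the properties rather than remembered. The four classification levels are the conventional ones; integrity levels are a separate ordering and are represented here by plain integers (higher means more trustworthy), which is an assumption of the illustration.

```python
from enum import IntEnum
from typing import Callable, Dict, Tuple


class Level(IntEnum):
    """Confidentiality labels, ordered low to high (a four-level lattice is assumed)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def bell_lapadula(subject_clearance: int, object_label: int, access: str) -> bool:
    """Confidentiality: simple security property (no read up) and *-property (no write down)."""
    if access == "read":
        return subject_clearance >= object_label   # read only at or below own clearance
    if access == "write":
        return subject_clearance <= object_label   # write only at or above own clearance
    raise ValueError(f"unknown access {access!r}")


def biba(subject_integrity: int, object_integrity: int, access: str) -> bool:
    """Integrity: simple integrity axiom (no read down) and *-integrity axiom (no write up)."""
    if access == "read":
        return subject_integrity <= object_integrity   # read only from equal or higher integrity
    if access == "write":
        return subject_integrity >= object_integrity   # write only to equal or lower integrity
    raise ValueError(f"unknown access {access!r}")


def question_39() -> Dict[str, bool]:
    """Secret-cleared subject: read a Top Secret document, write an Unclassified one."""
    return {
        "read_top_secret": bell_lapadula(Level.SECRET, Level.TOP_SECRET, "read"),
        "write_unclassified": bell_lapadula(Level.SECRET, Level.UNCLASSIFIED, "write"),
    }


def decision_table(model: Callable[[int, int, str], bool]) -> Dict[Tuple[str, str, str], bool]:
    """Every (subject level, object level, access) decision for one model, over the four levels."""
    return {
        (s.name, o.name, a): model(s, o, a)
        for s in Level for o in Level for a in ("read", "write")
    }


if __name__ == "__main__":
    print("question 39:", question_39())
    for model in (bell_lapadula, biba):
        print(f"\n{model.__name__}: denied combinations")
        for (s, o, a), allowed in decision_table(model).items():
            if not allowed:
                print(f"  {s:13s} {a:5s} {o}")
```

Put side by side, the two models are exact mirror images: Bell-LaPadula lets information flow only upward in sensitivity, Biba only downward in integrity. A system that needs both (the usual case) assigns each object a confidentiality label and an integrity label and requires both monitors to permit the access.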

53
Multi-Select · easy

A company is adopting a role-based access control (RBAC) model. Which TWO principles are fundamental to RBAC?

Select 2 answers
A. Roles can be organized in a hierarchy to inherit permissions
B. Users are assigned to roles based on their job functions
C. Access is controlled by the data owner
D. Permissions are assigned directly to users
E. Access decisions are based on subject and object attributes

Answers: A, B

Role hierarchy allows senior roles to inherit permissions from junior roles.

Why this answer

RBAC assigns permissions to roles, and users are members of roles. Least privilege and separation of duties are enforced through role design.
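The role machinery these questions describe (question 48's mutually exclusive roles, question 31's and question 53's role hierarchy, and the audit finding in question 6), as an added Python example that is not code from the page: roles carry permissions, senior roles inherit from junior ones, and a static separation-of-duties constraint refuses any assignment that would give one user both halves of an exclusive pair, including when one half arrives through inheritance. The payments roles, permissions and users are made up for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set


class SoDViolation(Exception):
    """Raised when an assignment would give a user two mutually exclusive roles."""


@dataclass
class RBAC:
    role_perms: Dict[str, Set[str]] = field(default_factory=dict)   # role -> permissions
    juniors: Dict[str, Set[str]] = field(default_factory=dict)      # senior role -> roles it inherits
    exclusive: Set[FrozenSet[str]] = field(default_factory=set)     # static SoD constraints
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)   # user -> directly assigned roles

    def add_role(self, role: str, perms: Iterable[str] = (), inherits: Iterable[str] = ()) -> None:
        self.role_perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def mutually_exclusive(self, a: str, b: str) -> None:
        self.exclusive.add(frozenset((a, b)))

    def closure(self, roles: Iterable[str]) -> Set[str]:
        """The roles plus everything they inherit, transitively (role hierarchy)."""
        result, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in result:
                result.add(r)
                stack.extend(self.juniors.get(r, ()))
        return result

    def permissions(self, user: str) -> Set[str]:
        held = self.closure(self.user_roles.get(user, ()))
        return set().union(*(self.role_perms.get(r, set()) for r in held))

    def conflicts(self, roles: Iterable[str]) -> Set[FrozenSet[str]]:
        """Exclusive pairs that are fully contained in the effective role set."""
        held = self.closure(roles)
        return {pair for pair in self.exclusive if pair <= held}

    def assign(self, user: str, role: str) -> None:
        """Static separation of duties, checked at assignment time."""
        proposed = self.user_roles.get(user, set()) | {role}
        bad = self.conflicts(proposed)
        if bad:
            raise SoDViolation(f"{user}: {role} conflicts with {[sorted(p) for p in bad]}")
        self.user_roles[user] = proposed

    def audit(self) -> Dict[str, Set[FrozenSet[str]]]:
        """Users who already hold conflicting roles (the finding in question 6)."""
        findings = {}
        for user, roles in self.user_roles.items():
            bad = self.conflicts(roles)
            if bad:
                findings[user] = bad
        return findings


def build_demo() -> RBAC:
    """Hypothetical payments workflow: creating a payment and approving it must be separate people."""
    rbac = RBAC()
    rbac.add_role("payments_clerk", {"payment:create"})
    rbac.add_role("payments_approver", {"payment:approve"})
    rbac.add_role("finance_manager", {"report:read"}, inherits=["payments_approver"])
    rbac.mutually_exclusive("payments_clerk", "payments_approver")
    rbac.assign("alice", "payments_clerk")
    rbac.assign("bob", "finance_manager")
    # A legacy assignment loaded without checks, as an auditor would find it:
    rbac.user_roles["carol"] = {"payments_clerk", "payments_approver"}
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print("bob can:", sorted(rbac.permissions("bob")))
    try:
        rbac.assign("alice", "finance_manager")
    except SoDViolation as err:
        print("refused:", err)
    print("audit:", rbac.audit())
```

Note that `alice` is refused the `finance_manager` role even though that role is not itself on the exclusive list: the constraint is evaluated over the closure, so inheritance cannot be used to smuggle in the approver half of the pair.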

54
MCQ · medium

A company is implementing a biometric authentication system for physical access to a data center. The system must minimize false acceptances. Which metric is most directly related to false acceptance rate (FAR)?

A. Crossover error rate (CER)
B. Equal error rate (EER)
C. False rejection rate (FRR)
D. Threshold setting

Answer: D

The threshold determines how closely a biometric sample must match the stored template; a stricter threshold lowers FAR.

Why this answer

FAR is the rate at which an unauthorized person is incorrectly accepted. The threshold setting directly impacts FAR: a stricter matching threshold reduces FAR but may increase FRR, since more legitimate users will fail to match closely enough.

55
MCQ · medium

An Identity Provider (IdP) sends an XML-based assertion to a Service Provider (SP) to grant access. Which federated identity standard is being used?

A. OAuth 2.0
B. Security Assertion Markup Language (SAML)
C. OpenID Connect (OIDC)
D. Kerberos
Answer: B

SAML uses XML-based assertions for federated identity.

Why this answer

SAML uses XML assertions to exchange authentication and authorization data between an IdP and an SP.

56
Multi-Select · hard

A company is migrating to a cloud-based SaaS application and wants to implement federated identity. Users will authenticate using their existing corporate Active Directory credentials. Which THREE components are essential for a SAML-based federation? (Select THREE.)

Select 3 answers
A. Identity Provider (IdP)
B. Trust relationship between IdP and SP
C. Ticket Granting Ticket (TGT)
D. Attribute Authority (AA)
E. Service Provider (SP)
Answers: A, B, E

IdP authenticates users and issues SAML assertions.

Why this answer

SAML federation requires an Identity Provider (IdP), a Service Provider (SP), and trust between them. The IdP authenticates the user and sends an assertion to the SP via an HTTP redirect.

57
MCQ · hard

In a federated identity scenario, a user authenticates to their home domain and accesses a resource in a partner domain. The partner domain trusts the authentication performed by the home domain. What is the home domain's role in this trust relationship?

A. Relying Party
B. Identity Provider (IdP)
C. Service Provider (SP)
D. Kerberos Distribution Center (KDC)
Answer: B

The IdP authenticates users and provides identity information.

Why this answer

In federated identity, the Identity Provider (IdP) is the home domain that authenticates the user and issues assertions. The Service Provider (SP) trusts the IdP's authentication.

58
MCQ · medium

An organization uses Kerberos for single sign-on (SSO) within its Windows domain. Which component issues ticket-granting tickets (TGTs) after verifying user credentials?

A. Ticket Granting Service (TGS)
B. Key Distribution Center (KDC)
C. Authentication Service (AS)
D. Domain Controller
Answer: C

AS authenticates and issues TGTs.

Why this answer

In Kerberos, the Authentication Service (AS) within the Key Distribution Center (KDC) authenticates users and issues TGTs. The Ticket Granting Service (TGS) issues service tickets later.

59
MCQ · medium

An organization has implemented a PAM solution for managing privileged accounts. Which feature allows administrators to request temporary elevated access for a specific task?

A. Session recording
B. Just-in-time provisioning
C. Password vaulting
D. Role-based access control
Answer: B

JIT grants temporary privileges as needed.

Why this answer

Just-in-time (JIT) provisioning grants temporary privileges as needed, reducing the risk of standing privileges.

60
MCQ · hard

An organization is implementing a federated identity system to allow employees to access a partner's cloud application using their corporate credentials. The solution must support single sign-on and use XML-based assertions. Which technology should be used?

A. Kerberos
B. SAML
C. OAuth 2.0
D. OpenID Connect
Answer: B

SAML (Security Assertion Markup Language) uses XML assertions for federated SSO.

Why this answer

SAML uses XML-based assertions to exchange authentication and authorization data between an identity provider and a service provider.

61
Multi-Select · medium

An organization is planning to implement a Single Sign-On (SSO) solution. Which THREE of the following are commonly associated with SSO technologies?

Select 3 answers
A. Kerberos
B. Biometrics
C. Public Key Infrastructure (PKI)
D. OAuth 2.0
E. SAML
Answers: A, D, E

Kerberos is a ticket-based SSO protocol.

Why this answer

Kerberos uses tickets for SSO, SAML provides federated SSO with XML assertions, and OAuth 2.0 is an authorization framework often used for SSO. Biometrics and PKI are not SSO technologies themselves.

62
Multi-Select · easy

An organization is planning to implement multi-factor authentication. Which TWO of the following are valid authentication factors?

Select 2 answers
A. Security question
B. Fingerprint
C. Password
D. Smart card
E. IP address
Answers: B, D

Biometric is something you are.

Why this answer

The three categories are something you know, something you have, and something you are. Fingerprint (something you are) and smart card (something you have) are valid factors.

63
MCQ · medium

An organization uses Kerberos for SSO. A user reports that after entering their password, they receive a 'ticket expired' error when trying to access a network share. The system administrator checks the Kerberos configuration. Which ticket is most likely expired?

A. Session key
B. Ticket-Granting Ticket (TGT)
C. Service ticket
D. Authentication Server (AS) reply
Answer: B

TGT expiration requires the user to re-authenticate to the KDC to obtain a new TGT.

Why this answer

The Ticket-Granting Ticket (TGT) has a limited lifetime (typically 8-10 hours). When it expires, the user must re-authenticate to get a new TGT.

64
MCQ · medium

A security analyst notices that a service account has been granted domain administrator privileges. Which principle of access control is being violated?

A. Need-to-know
B. Separation of duties
C. Least privilege
D. Accountability
Answer: C

Service accounts should have minimal permissions.

Why this answer

Least privilege means users and accounts should have only the minimum permissions necessary. Service accounts rarely need domain admin rights.

65
MCQ · hard

An organization is implementing a password policy that requires passwords to be at least 12 characters, include uppercase, lowercase, digits, and special characters, and be changed every 90 days. Additionally, users cannot reuse any of the last 10 passwords. Which password policy element does the last requirement address?

A. Password expiry
B. Password length
C. Password history
D. Password complexity
Answer: C

Password history prevents reuse of previous passwords.

Why this answer

Password history prevents users from reusing previous passwords, enforcing password uniqueness over time.

66
MCQ · medium

A user claims to be 'jsmith' and provides a password. What is the term for the step where the system verifies that the password matches the one on file for 'jsmith'?

A. Authorization
B. Identification
C. Authentication
D. Accountability
Answer: C

Authentication verifies the identity claim.

Why this answer

Authentication is the process of verifying the identity claimed by a user. Identification is the claim (e.g., username), and authentication is the verification (e.g., password).

67
MCQ · easy

Which of the following is the correct order of the access control process?

A. Identification, authentication, authorization, accountability
B. Identification, authorization, authentication, accountability
C. Authorization, authentication, identification, accountability
D. Authentication, identification, authorization, accountability
Answer: A

Correct. This is the logical order.

Why this answer

The sequence is: identification (user claims identity), authentication (verifies claim), authorization (determines access rights), and accountability (tracks actions).

68
MCQ · medium

Which access control model allows the owner of a resource to determine who can access it and what permissions they have?

A. Mandatory Access Control (MAC)
B. Discretionary Access Control (DAC)
C. Attribute-Based Access Control (ABAC)
D. Role-Based Access Control (RBAC)
Answer: B

DAC allows owners to set permissions.

Why this answer

Discretionary Access Control (DAC) gives resource owners discretion to grant or deny access to others.

69
MCQ · hard

In a federated identity environment using SAML, what is the role of the Identity Provider (IdP) when a user requests access to a service provider (SP)?

A. The IdP hosts the application and enforces access control policies
B. The IdP validates the user's OTP token
C. The IdP generates a Kerberos ticket for the user
D. The IdP authenticates the user and issues a SAML assertion to the SP
Answer: D

Correct. The IdP provides authentication and assertion.

Why this answer

The IdP authenticates the user and issues a SAML assertion containing identity attributes and authorization claims. The SP trusts this assertion to grant access without re-authenticating the user.

70
Multi-Select · hard

An organization is designing an access control policy for a new system. Which THREE of the following are fundamental principles that should be incorporated? (Choose THREE.)

Select 3 answers
A. Fail-open
B. Least privilege
C. Need-to-know
D. Separation of duties
E. Defense in depth
Answers: B, C, D

Users get minimum necessary permissions.

Why this answer

Least privilege, separation of duties, and need-to-know are core access control principles. Defense in depth is a security strategy, not a principle of access control itself.

71
MCQ · medium

An IT administrator needs to deprovision a user who has been terminated. Which of the following actions should be performed first to ensure security?

A. Remove the user from all groups
B. Delete the user account
C. Disable the user account
D. Change the user's password
Answer: C

Disabling immediately revokes access while retaining the account for investigation.

Why this answer

Immediately disabling the account prevents any further access. Evidence preservation can be done afterward, and deletion should be delayed until necessary.

72
MCQ · medium

An organization uses Kerberos for single sign-on. When a user logs in, they receive a Ticket Granting Ticket (TGT). What is the primary purpose of the TGT?

A. To encrypt all network traffic
B. To obtain service tickets for accessing resources
C. To provide a digital signature for emails
D. To authenticate the user to the network
Answer: B

The TGT is presented to the TGS to get service tickets for specific services.

Why this answer

The TGT is obtained from the Authentication Service (AS) and is presented to the Ticket Granting Service (TGS) to request service tickets without re-entering credentials, which is what enables SSO.

73
MCQ · medium

Which of the following best describes the concept of accountability in access controls?

A. Users must present multiple factors to gain access
B. Users must be uniquely identified and their actions logged
C. The system must verify the user's identity before granting access
D. The resource owner can delegate access to others
Answer: B

Correct. Accountability requires unique identification and logging.

Why this answer

Accountability ensures that actions can be traced back to a specific user, typically through logging and audit trails. This relies on identification and authentication to uniquely identify users.

74
MCQ · easy

Which authentication method uses a time-based one-time password (TOTP) generated by a hardware or software token?

A. Time-based One-Time Password (TOTP)
B. Kerberos ticket
C. Biometric fingerprint reader
D. Smart card with PKI certificate
Answer: A

Correct. TOTP generates time-limited codes.

Why this answer

TOTP (Time-based One-Time Password) is defined in RFC 6238 and generates codes based on the current time. It is commonly used with authenticator apps or hardware tokens.

75
Multi-Select · medium

A security architect is designing an access control system for a healthcare application. The system must ensure that a nurse can view patient records but cannot modify them, and that a doctor can both view and update records. Additionally, the system must prevent a single user from both ordering a medication and approving its administration. Which TWO access control principles are being applied? (Select TWO.)

Select 2 answers
A. Discretionary access control
B. Separation of duties
C. Need to know
D. Mandatory access control
E. Least privilege
Answers: B, E

Ordering and approving medications are separated to prevent fraud or error.

Why this answer

Least privilege ensures users have only the permissions needed (nurse view, doctor view/update). Separation of duties prevents a single user from performing conflicting actions (order and approve).

Page 1 of 2 · 81 questions total


CCNA Sscp Access Controls Questions — Page 1 of 2 | Courseiva