CCT 041: CISSP Exam Questions (Domain 5)

Speaker 1: Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. 

Speaker 1: Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge. All right, let's get started. Hey, all this is Sean Gerber with CISSP Cyber Training Podcast, and we are today going to be talking about CISSP exam questions. Yes, today is CISSP exam question Thursday, and so we're going to get into some fun, exciting CISSP questions around domain five of identity and access management. This is the complement of the one that occurred on Monday, which we talked about identity and access management. If you're not connected with the podcast, i provide two podcasts each and every week, and each week you will have on Mondays, you will get a topic And then on Thursdays, you will get the CISSP exam questions that go with that specific topic. The goal is to create a product that you have to be able to pass your CISSP the first time, and if you go to CISSPcybertrainingcom, you can see my site. You can have access to various test questions And bottom line is I'm here to help you pass the darn thing. I failed it the first time. I did terribly, and you know what? Yeah, it's just, i don't want that to happen to you because it's expensive and it's painful and it's actually quite depressing. So we don't want that. We want positive, uplifting, good thoughts, right? No negative, depressing thoughts, right. 

Speaker 1: So we're going to get into what we call the identity and access management questions for the CISSP, and I've got various questions that you're going to. We're going to go through. You can see these questions also on video on my site, cissp cyber training. You can join the membership that I have there and gain access to these sites as well. I'm in the process of creating a blueprint, which is going to be awesome, which will walk you through, step by step, each and everything you need to do to pass the test. One thing I hated was the fact that it's like you got to go study it on your own and then how do I do that? I'm going to walk you through it, okay, point by point. If you follow the plan, you follow the overall goal And again, it's up to you. You still got to do the work, but if you follow the plan, you will pass this darn test. Okay, wrong team, okay. So we're going to get into question one. 

Speaker 1: What is the primary benefit of using single sign on systems within an organization? Okay, what is the primary benefit of using single sign on systems within an organization? A reduces the authentication overhead. B increases network availability. C improved access and management. Or G greater accountability. Okay, what's the primary benefit, again, when you're taking the test? primary benefit, all of these could be a benefit, but what is the primary benefit of single sign on? A reduced authentication overhead. B increased network availability. C improved session management. D greater accountability. So all of those we talked about network availability? we didn't talk about that. So you can throw that one out, boom gone. But we talked about authentication overhead, session management and accountability in the last podcast. So the answer is A reduced authentication overhead Through the use of SSO. You only need to authenticate once, so therefore multiple applications can use that same system. That's why it increases. It makes it much more efficient, it's much more effective for people and it reduces the waste and the risks to your organization. 

Speaker 1: Question number two What is the purpose of session management? to identify access management For identity and access management, sorry. A to ensure that user sessions are always encrypted, to prevent unauthorized access to user sessions, to provide real time visibility into user activity or to simplify user access and reduce the need for re-authentication. Okay, so what is the purpose of session management? Ensure the sessions are always encrypted, prevent unauthorized access, provide real time visibility, or to simplify user access and reduce the need for re-authentication? The answer is B to prevent unauthorized access to user sessions. Session management this is what we deal with when creating and maintaining secure user sessions. Where they connect to it through HTTPS, they have a secure session. Then, in turn, the session is terminated securely. All of those aspects are put in place to help detect and prevent session hijacking. 

Speaker 1: Question number three What is the primary advantage of using multi-factor authentication over single-factor authentication? A Increased system availability. B Greater ease of use. C Enhanced security against credential theft or phishing attacks. Or D Simplified password management for administrators. Again, look at the terms Primary advantage. All of those are relatively good, right, but which one is the primary advantage for that? If you're looking at that, it's increased system availability is. A Greater use for use of users. B Enhanced security against credential theft. C. And then D is simplified password management for administrators. The answer is C Enhanced security against credential theft and phishing attacks. It does require multiple forms of authentication when you're dealing with MFA, and so therefore, it does take allow for that out of band. That doesn't mean the bad guys aren't smart in trying to figure ways around that, which they do, but it's also a great way to help you minimize those types of attacks. Okay, so this one we didn't talk about in the podcast. We kind of briefly talked about it, but it's something you'll see on your test. 

Speaker 1: What is the difference between role-based access controls RBAC as Romeo Bravo, alpha Charlie and attribute-based access control, which is ABAC Alpha Bravo, alpha Charlie? So we'll go A. Rbac is used to use uses user attributes to determine access privileges, while ABAC uses roles. Rbac is typically used for cloud-based applications, while ABAC is used for on-prem type situations. Rbac is a static access control model, while ABAC is a dynamic access control model. And then RBAC is simpler to implement than ABAC. Okay, so, if we look at the differences between role-based access controls and attribute-based I'm not going to go back through each of those questions because it's a mouthful, but the bottom line that you want to look at is what is the differences between them? C is the correct answer. Rbac is a static access control model and whereas ABAC is used is a dynamic access control model. Rbac assigns privileges based on their predefined roles, while ABAC is a value-based user attributes and the environmental factors in real time to determine access rights. So, rbac, you set it and then you have to modify it if you need to, but at the end of the day, it's pretty static. 

Speaker 1: Okay, what is the purpose of a federate identity management? What is the purpose of it? A, fim To centralize. A to centralize management of user identities across multiple systems. B to provide a single sign-on capability for cloud-based applications Again, the purpose To implement multi-factor authentication for external users. At C And then D, to ensure compliance with privacy regulations such as GDPR and CCPA Again, the purpose. We want to look at the purpose. Many of those is a use of FIM, but the actual purpose of FIM is A to centralize the management of user identities across multiple systems and organizations. Okay, so that's the purpose. Focus on those key words because it's really easy to glob on all of them. Well, yeah, maybe it's that one that they all have a capability inside of FIM. But A to centralize the management is a key factor. 

Speaker 1: Okay, six, what is the following as an example of just-in-time authentication. Now, we didn't talk about just-in-time authentication. What is it? So? this requires users to enter a one-time code sent to their phone before accessing the application. Just in time, that's. A. Okay, is that what just-in-time is? I don't know. 

Speaker 1: B requiring users to authenticate using a smart card before accessing a secure facility. I don't think that's just in time. C allowing users to authenticate using their existing social media accounts when accessing a website. That's not just in time, it's not. That's a different thing. D requiring users to re-authenticate after a certain period of inactivity basically session management. That is not right. So just in time basically means it requires users to enter a one-time code sent to their phone before accessing the application. A that's just in time authentication. Now, sending codes to your phone via SMS text. You know, not so secure, but it's better than nothing. A lot of banks use that because they can automate it, but it's not the most secure situation out there. Better to use some out of band solution like Google Authenticator. Okay, question seven Which of the following best describes a benefit of implementing multi-factor authentication within your organization? 

Speaker 1: A increases the overall security of the network, eliminating the need for usernames and passwords. B it reduces the risk of a data breach by requiring users to provide more than one form of identification. C it simplifies the login process for users by requiring only one authentication factor. And then D it is a cost-effective alternative to traditional authentication methods. Okay, so the question again which of the following best describes the benefit of implementing multi-factor authentication in an organization? I'm not going to go through all those again, but the answer is B. Okay, b, multi-factor reduces the risk of a data breach by requiring users to provide more than one form of identification. Okay so we talked about MFA and it allows multiple forms. So by requiring these multiple forms, it does reduce this unauthorized access and risk of security incidents dramatically, does not eliminate it, but it does reduce it. All right, that's all I have for today. 

Speaker 1: If you want to get access to these questions, go to CISSP Cyber Training. We have them within our community And there's other questions that I have out there on the site that are free. There's other free resources that are available through CISSP Cyber Training as well. The bottom line is we're here to help you pass the CISSP. Whether you've done this for your brand new to the CISSP world, or you've been doing it a long time, we're here to help you pass this doggone test and move on with your cybersecurity career. All right, have a wonderful day and we'll catch you on the flip side, see you.