Your company decides to implement fine-grained attribute-based access control (ABAC) that entails access to identity repositories. Which of the following is the best to inform the policy decision point (PDP) with the subject's attributes? (Source: Wentz QOTD)
A. X.500
B. X.509
C. LDAP
D. SAMBA
Kindly be reminded that the suggested answer is for your reference only. It doesn't matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
Your company decides to implement fine-grained attribute-based access control (ABAC) and separate data and resources into micro-segments. Which of the following best describes this initiative in terms of risk treatment?
A. Risk avoidance
B. Risk sharing
C. Risk modification
D. Risk retention
Zero Trust has been around for ten years. There are numerous posts and definitions if you google it. After digesting the perspectives of Kindervag, the CSA, Gartner, and NIST, "Access Control 2.0" is the most effective term I can think of to convey the idea of Zero Trust.
Access Control 2.0
Zero Trust is a cybersecurity paradigm for access control that is data-centric, fine-grained, and dynamic, with visibility:
Software-defined perimeter over network perimeter.
Data-centric micro-segments over network-based segments.
Identity-based context and attribute-based access control for fine-grained control and policy dynamics.
Logging and observing for visibility.
Compliance with need-to-know, least privilege, and complete mediation.
Which of the following is not specified in the GDPR?
A. Rights of the data subject
B. General obligations of the controller and processor
C. Common privacy control baseline
D. General principles for transfers of personal data to third countries
Mutual authentication, or bidirectional authentication, refers to the two parties involved in a transaction verifying each other. Which of the following is least likely to employ mutual authentication?
A. A client and server exchange their certificates issued by a trusted certificate authority
B. A web server sends its certificate to the user, who then signs in using his password
C. An 802.1X supplicant sends a user's credential to the authenticator using EAP-MD5
D. An administrator connects to a remote server through the SSH default authentication
Alice, a marketing manager, called the IT help desk because she could not log into the mail server. Because of her heavy workload, she intends to give her username and password to the IT support staff and ask them to call her back once they have fixed the problem. Which of the following attacks is Alice most likely to suffer from if she does so?
A. Phishing
B. Identity theft
C. Social engineering
D. Security awareness training
You are concerned with stealthy threat actors, who may be nation-states or sponsored groups, gaining unauthorized access to organizational networks and remaining undetected for an extended period to conduct large-scale targeted intrusions for specific goals. Which of the following is the best way to discover and hunt this type of attack?
A. Have security analysts conduct analysis with data from various sources
B. Create micro-segments and establish a software-defined perimeter
C. Implement an anomaly-based intrusion prevention system
D. Install a hardened padded cell with anonymized data to observe attackers