SAML and OIDC are commonly found in federated authentication. Which of the following statements about federated authentication is not true?
A. SAML assertions can be viewed as equivalent to OIDC claims.
B. The access token of a subject is trusted and passed across security domains.
C. A user registers only one account in the federated domains to fulfill single sign-on (SSO).
D. The relying party refers to the service provider in SAML or the OAuth2 client using OIDC.
Mandatory Access Control (MAC) and Discretionary Access Control (DAC) are well-known authorization mechanisms introduced in the Trusted Computer System Evaluation Criteria (TCSEC). Which of the following statements about the authorization mechanisms is not true?
A. MAC can exist alone without DAC
B. Privileges granted by the data owner can be reauthorized to others in DAC.
C. A subject with mere security clearance gets no access to objects.
D. MAC mediates the data flow between classification levels.
Which of the following is least likely done by the data owner?
A. Identify, locate, and take an inventory of data
B. Evaluate the business value of data
C. Determine the protection mechanisms of data
D. Be accountable for the data breach
You are conducting the risk assessment and have identified several risks. Which of the following best describes the risk in your risk register?
A. Natural hazards like earthquakes, floods, etc.
B. Script kiddies using open source tools to play SQL injections against web sites
C. Employees carelessly attending training may result in frequent violations of security policy
D. Human life losses
Which of the following is least likely used to authenticate devices to prevent unauthorized ones from connecting to your wireless network?
A. 802.1X
B. Whitelist
C. Kerberos
D. Extensible Authentication Protocol (EAP)
You registered a new user account, activated through confirming a short message sent to your mobile phone on a website. Whenever you are signing in, the website will send an authentication code to your mobile phone after receiving the username and password and verify your response to complete the sign-in process. Which of the following best describes the authentication mechanism?
A. Zero-knowledge proof
B. One-factor authentication
C. Two-factor authentication
D. Challenge-Handshake Authentication Protocol (CHAP)
You are evaluating alternatives to the physical access control system of the computer room. Which of the following provides the highest level of security?
A. Press PIN code on the keypad
B. Input Employee ID and password to the keypad
C. Swipe a contact ID card and input the PIN code
D. Input Employee ID first, then scan the fingerprint
You are a member of the software development team following the waterfall model. The customer has signed off the user requirements specification. Your team has finished and is reviewing the architectural and detailed designs. To identify security flaws, which of the following is the best vehicle?
A. Common Weakness Enumeration (CWE)
B. Security Content Automation Protocol (SCAP)
C. Common Vulnerabilities and Exposures (CVE)
D. Common Vulnerability Scoring System (CVSS)
Your company has 400 employees. One-fourth of them are assembly workers; Alice is responsible for calculating their wages and storing them in the relational database table, Payrolls, which contains all the employees’ salaries. Alice learned that she received the lowest salary among all employees by submitting the SQL query, SELECT MIN(Salary) FROM Payrolls. She is complaining about this to her boss. Which of the following is the primary cause of the confidentiality issue?
A. Inference
B. Partitioning
C. Aggregation
D. Improper database normalization
Your web application received a token from a subject, Alice@WentzWu.com, issued by a SAML-like ID provider. Which of the following is an assertion that best supports attribute-based access control?
A. Role
B. XACML
C. MaritalStatus=False
D. Alice@WentzWu.com