37. In electronic authentication, after a credential has been created, which of the following is responsible for maintaining the credential in storage?
a. Verifier
b. Relying party
c. Credential service provider
d. Registration authority
38. Which of the following is the correct definition of privilege management?
a. Privilege management = Entity attributes + Entity policies
b. Privilege management = Attribute management + Policy management
c. Privilege management = Resource attributes + Resource policies
d. Privilege management = Environment attributes + Environment policies
38. b Privilege management is defined as a process that creates, manages, and stores the attributes and policies needed to establish criteria that can be used to decide whether an authenticated entity's request for access to some resource should be granted. Privilege management is conceptually split into two parts: attribute management and policy management. Attribute management is further defined in terms of entity attributes, resource attributes, and environment attributes. Similarly, policy management is further defined in terms of entity policies, resource policies, and environment policies.
39. The eXtensible Access Control Markup Language (XACML) does
a. Trust management
b. Privilege management
c. Policy language
d. Query language
40. For intrusion detection and prevention system (IDPS) security capabilities, which of the following prevention actions should be performed first to reduce the risk of inadvertently blocking benign activity?
1. Alert enabling capability.
2. Alert disabling capability.
3. Sensor learning mode ability.
4. Sensor simulation mode ability.
a. 1 and 2
b. 1 and 3
c. 2 and 4
d. 3 and 4
41. In the electronic authentication process, which of the following is weakly resistant to man-in-the-middle (MitM) attacks?
a. Account lockout mechanism
b. Random data
c. Sending a password over server authenticated TLS
d. Nonce
An account lockout mechanism is implemented on the verifier to prevent online guessing of passwords by an attacker who tries to authenticate as a legitimate claimant. Random data and a nonce can be used to disguise the real data.