Text preview & study summary

CompTIA Security+ - Identity and Access Management

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

?? Multiple Choice (Hard)

Which attack exploits the implicit trust in Single Sign-On by stealing a valid authentication token?

Answer choices

  • A. Credential stuffing

  • B. Pass-the-ticket / Golden Ticket attack (Correct)

  • C. Privilege escalation

  • D. SQL injection for credential harvesting

Explanation

In Active Directory environments using Kerberos, a Golden Ticket attack forges Kerberos TGTs using the KRBTGT account hash (extracted from a Domain Controller). With a Golden Ticket, attackers can impersonate any user with any privileges for up to 10 years. Mitigation: regularly rotate KRBTGT password, monitor for unusual Kerberos tickets.

Question 2

?? Multiple Choice (Medium)

What is federation in the context of identity management?

Answer choices

  • A. Combining multiple user directories into one unified database

  • B. Establishing trust relationships between identity providers across different organizations (Correct)

  • C. Federating all authentication to a single cloud provider

  • D. Merging user accounts after corporate acquisitions

Explanation

Identity federation allows users to use credentials from one organization (identity provider) to access resources in another organization (service provider/relying party). Protocols: SAML 2.0 (enterprise federation), OpenID Connect (consumer), WS-Federation. Example: using your university credentials to access a partner organization's resources.

Question 3

?? True/False (Medium)

Time-based One-Time Passwords (TOTP) rely on a shared secret and the current time to generate authentication codes valid for about 30 seconds.

Answer choices

  • A. True (Correct)

  • B. False

Explanation

TOTP (RFC 6238) generates a 6-digit code based on: shared secret + current Unix time (rounded to 30-second window). Both client app (Google Authenticator, Authy) and server compute the same code independently. Codes expire every 30 seconds. TOTP is a "something you have" factor (authenticator app on phone).

Question 4

?? Fill in the Blank (Easy)

The principle of [[blank1]] access ensures that users are only granted the minimum permissions necessary to perform their job functions.

Explanation

Least privilege (also called minimum necessary access) is a core security principle. Users, processes, and systems should have only the permissions required for their specific tasks. This limits the damage from compromised accounts, insider threats, and malware. Combined with need-to-know (access to information required for job), it minimizes attack surface.

Question 5

?? True/False (Hard)

Separation of duties requires that no single individual has complete control over any critical process or transaction.

Answer choices

  • A. True (Correct)

  • B. False

Explanation

Separation of duties (SoD) prevents fraud and errors by dividing critical tasks among multiple people. Example: the person who creates vendor accounts cannot also process payments. In IT: developers cannot deploy directly to production; no single admin has both backup and restore rights. This limits insider threat risk and enforces accountability.