Domain 4: Security Operations Review

Domain 4 – Section C Review: Identity and Response

Security+ Domain 4 (Security Operations), Section C: Identity and Response Review (10 questions)

This section integrates:

  • Identity and Access Management (IAM)
  • Authentication Methods and MFA
  • Security Automation and Orchestration
  • Incident Response and Digital Forensics

Security+ expects you to manage identities, implement strong authentication, leverage automation, and respond to incidents following proper forensic procedures.


1. Identity and Access Management

IAM controls who can access what, and under what conditions:

  • SSO (Single Sign-On) — one authentication grants access to multiple systems.
  • Federation — trust relationships between identity providers across organizations.
  • RBAC (Role-Based Access Control) — permissions assigned by role, not individual.
  • Attribute-Based Access Control (ABAC) — permissions based on user attributes, resource attributes, and environmental conditions.
  • Privileged Access Management (PAM) — securing and monitoring accounts with elevated permissions.
Identity is the new perimeter.
If you control identity, you control access.

Access reviews and recertification ensure that permissions remain appropriate as roles change.
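The RBAC, ABAC, time-based access and access-review ideas above, as one added Python example (not code from the review page): a role catalogue, a role transfer that drops the old role, a recertification check that flags permissions still provisioned but no longer justified, a 30-day contractor grant that expires on its own, and an ABAC rule layered on top of RBAC. The roles, permission names, user names, attribute names and the ABAC policy (clearance, managed device, corporate network, business hours) are all constructed for the illustration.

```python
"""Added example (not code from the review page): a minimal RBAC/ABAC policy
check with a role transfer, an access review that catches permission creep, and
a time-boxed grant. Roles, permissions, names and the ABAC policy are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role catalogue: role -> permissions (RBAC assigns by role, not person)
ROLE_PERMISSIONS = {
    "finance": {"ledger:read", "ledger:write", "payroll:read"},
    "marketing": {"campaigns:read", "campaigns:write", "assets:read"},
    "contractor": set(),  # contractors only get explicit, time-boxed grants
}

@dataclass
class Grant:
    permission: str
    expires_at: datetime  # time-based access policy: the grant dies on its own

@dataclass
class Identity:
    name: str
    roles: set = field(default_factory=set)
    grants: list = field(default_factory=list)
    attributes: dict = field(default_factory=dict)   # ABAC subject attributes
    provisioned: set = field(default_factory=set)    # what target systems actually hold

def justified_permissions(identity, now):
    """Permissions the current roles and unexpired grants justify."""
    perms = set()
    for role in identity.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    perms |= {g.permission for g in identity.grants if g.expires_at > now}
    return perms

def reprovision(identity, now):
    """Sync what is provisioned to what is justified (add missing, remove stale)."""
    identity.provisioned = justified_permissions(identity, now)

def transfer_role(identity, old_role, new_role):
    """A role change removes the old role; it never just adds the new one."""
    identity.roles.discard(old_role)
    identity.roles.add(new_role)

def access_review(identity, now):
    """Recertification: provisioned permissions no longer justified = permission creep."""
    return sorted(identity.provisioned - justified_permissions(identity, now))

def abac_allows(identity, resource, env, permission, now):
    """ABAC layered on RBAC: the role decides whether the permission exists at all;
    subject, resource and environment attributes decide whether it applies now.
    Constructed policy: restricted data needs clearance, a managed device,
    the corporate network, and business hours (08:00-18:00)."""
    if permission not in justified_permissions(identity, now):
        return False
    if resource.get("classification") == "restricted":
        if identity.attributes.get("clearance") != "restricted":
            return False
        if not (env.get("managed_device") and env.get("on_corp_network")):
            return False
        if not 8 <= now.hour < 18:
            return False
    return True

def demo():
    now = datetime(2024, 3, 4, 10, 0, tzinfo=timezone.utc)
    # Transfer without re-provisioning: the old finance rights linger until a review catches them
    alice = Identity("alice", roles={"finance"})
    reprovision(alice, now)
    transfer_role(alice, "finance", "marketing")
    creep = access_review(alice, now)        # finance permissions still provisioned
    reprovision(alice, now)
    clean = access_review(alice, now)        # nothing left over after re-sync
    # Contractor with a 30-day grant: present today, gone on day 31 with no manual step
    bob = Identity("bob", roles={"contractor"},
                   grants=[Grant("project-x:read", now + timedelta(days=30))])
    has_now = "project-x:read" in justified_permissions(bob, now)
    has_later = "project-x:read" in justified_permissions(bob, now + timedelta(days=31))
    # ABAC: same person, same permission, different context
    carol = Identity("carol", roles={"finance"}, attributes={"clearance": "restricted"})
    restricted = {"classification": "restricted"}
    on_site = {"managed_device": True, "on_corp_network": True}
    off_site = {"managed_device": True, "on_corp_network": False}
    abac = (abac_allows(carol, restricted, on_site, "ledger:read", now),
            abac_allows(carol, restricted, off_site, "ledger:read", now),
            abac_allows(carol, restricted, on_site, "ledger:read", now.replace(hour=22)))
    return creep, clean, has_now, has_later, abac

if __name__ == "__main__":
    print(demo())
```

The review in `access_review` is the step a transfer that only "adds marketing" skips: it compares what the systems actually hold with what the current roles justify, which is exactly what a recertification campaign does at scale.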


2. Authentication and Multi-Factor Authentication

Authentication factors fall into three categories:

  • Something you know — passwords, PINs, security questions.
  • Something you have — smart cards, hardware tokens, authenticator apps.
  • Something you are — biometrics (fingerprint, facial recognition, retina scan).
MFA requires two or more different factor types.
Two passwords is not MFA — both are something you know.

Passwordless authentication (FIDO2, passkeys) replaces the shared secret with a public-key credential: the private key never leaves the authenticator, the server holds only the public key, and the signed challenge is bound to the site's origin. That removes credential stuffing, password reuse and phishing of the login secret; it does not remove every attack on the account (for example session hijacking after login).


3. Security Automation and Orchestration

Automation reduces response time and human error:

  • SOAR (Security Orchestration, Automation, and Response) — automates incident response workflows.
  • Playbooks — predefined response procedures triggered by specific events.
  • Scripting — automating repetitive security tasks (log analysis, user provisioning).
  • API integration — connecting security tools for coordinated response.

Automation handles volume and speed. Human judgment handles complexity and context.
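The SIEM-to-SOAR flow described in this section (and in Question 6 below), as an added Python example that is not code from the review page: a sliding-window detection over constructed syslog-style authentication lines raises one alert when a user exceeds 50 failures in 60 seconds, and a playbook acts on it through injected connectors. The log format, hostnames, IP addresses (documentation ranges), the threshold and the list of privileged accounts are constructed; the two connector functions stand in for identity-provider and ticketing API integrations, which are not shown.

```python
"""Added example (not code from the review page): brute-force detection over
constructed auth log lines feeding a SOAR-style playbook. Automation disables
ordinary accounts; privileged accounts are escalated to an analyst instead."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO time>Z auth host=<h> user=<u> result=<fail|success> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth host=(?P<host>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\w+) src=(?P<src>\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # unparseable lines are skipped, not trusted
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev

def detect_bruteforce(lines, threshold=50, window=timedelta(seconds=60)):
    """Per-user sliding window of failure timestamps; one alert per user the first
    time the threshold is crossed, so a long attack does not create an alert storm."""
    windows, alerted, alerts = defaultdict(deque), set(), []
    for line in lines:
        ev = parse(line)
        if not ev or ev["result"] != "fail":
            continue
        q = windows[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "count": len(q),
                           "src": ev["src"], "at": ev["ts"]})
    return alerts

# Constructed: auto-disabling these would risk an outage, so a human decides
PRIVILEGED = {"svc-backup", "admin-dba"}

def run_playbook(alert, disable_account, open_ticket):
    """SOAR playbook: automation for the routine case, escalation for the judgment call.
    `disable_account` and `open_ticket` are injected connectors (constructed stand-ins
    for the identity-provider and ticketing API integrations)."""
    if alert["user"] in PRIVILEGED:
        return open_ticket(f"Brute force against privileged account {alert['user']} "
                           f"from {alert['src']}: analyst decision required")
    disable_account(alert["user"])
    return open_ticket(f"Auto-disabled {alert['user']} after {alert['count']} "
                       f"failures from {alert['src']}")

def build_sample_log():
    """Constructed log: jsmith fails once per second for 55 s, svc-backup twice per
    second for 30 s, bob a slow trickle that never crosses the threshold."""
    base = datetime(2024, 3, 4, 10, 0, 0)
    lines = []
    for i in range(55):
        t = (base + timedelta(seconds=i)).strftime(TS_FMT)
        lines.append(f"{t} auth host=vpn1 user=jsmith result=fail src=203.0.113.7")
    for i in range(60):
        t = (base + timedelta(minutes=5, seconds=i // 2)).strftime(TS_FMT)
        lines.append(f"{t} auth host=db1 user=svc-backup result=fail src=198.51.100.9")
    for i in range(10):
        t = (base + timedelta(minutes=10 + i)).strftime(TS_FMT)
        lines.append(f"{t} auth host=vpn1 user=bob result=fail src=192.0.2.44")
    t = (base + timedelta(minutes=21)).strftime(TS_FMT)
    lines.append(f"{t} auth host=vpn1 user=bob result=success src=192.0.2.44")
    return lines

def demo():
    disabled, tickets = [], []
    def disable_account(user):
        disabled.append(user)
    def open_ticket(summary):
        tickets.append(summary)
        return summary
    alerts = detect_bruteforce(build_sample_log())
    for alert in alerts:
        run_playbook(alert, disable_account, open_ticket)
    return [a["user"] for a in alerts], disabled, tickets

if __name__ == "__main__":
    print(demo())
```

The split in `run_playbook` is the point of the closing sentence above: the playbook takes the fast, repeatable action for ordinary accounts within seconds, and routes the case that needs context (a service account that a script may be misconfiguring rather than an attacker) to a person.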


4. Incident Response and Forensics

Incident response follows a structured lifecycle:

  1. Preparation — plans, tools, training, and communication channels.
  2. Detection and Analysis — identifying and confirming the incident.
  3. Containment — limiting the scope and preventing further damage.
  4. Eradication — removing the threat from the environment.
  5. Recovery — restoring systems to normal operations.
  6. Lessons Learned — documenting findings and improving processes.
Containment before eradication. Evidence before cleanup.
Chain of custody preserves evidence admissibility.

Digital forensics requires preserving evidence integrity: capture volatile data (memory, network connections, running processes) first if the system is still running, image storage bit-for-bit through a write blocker, hash both the source and the image so they can be shown to match, work only on the copy, and document every hand-off in the chain of custody.
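Imaging, hashing and chain of custody from this section (the same steps Questions 4 and 10 below turn on), as an added Python example that is not code from the review page. A bytes buffer stands in for a seized disk, the image is copied block by block from a read-only view, the source and image hashes are compared before and after analysis, and the custody log is a hash chain: every entry includes the hash of the previous entry, so an entry edited without a new record, or a missing record, breaks the chain. The evidence contents, handler names, timestamps and the ransom-note string are constructed.

```python
"""Added example (not code from the review page): image a constructed evidence
'device', prove integrity by hashing, and keep a tamper-evident chain-of-custody
log. Evidence bytes, names and times are constructed."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def acquire_image(device: bytes, block_size: int = 512) -> bytes:
    """Bit-for-bit copy made block by block, as an imaging tool would, from a
    read-only view of the source (the software equivalent of a write blocker)."""
    src = memoryview(device).toreadonly()
    image = bytearray()
    for off in range(0, len(src), block_size):
        image += src[off:off + block_size]
    return bytes(image)

class CustodyLog:
    """Who handled the evidence, when, what they did, the evidence hash at that
    moment, and the hash of the previous entry (a hash chain)."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def record(self, handler: str, action: str, evidence_hash: str, when: datetime):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {"handler": handler, "action": action, "evidence_hash": evidence_hash,
                 "when": when.isoformat(), "prev_hash": prev}
        entry["entry_hash"] = sha256(json.dumps(entry, sort_keys=True).encode())
        self.entries.append(entry)

    def verify(self):
        """Index of the first entry whose link or contents do not check out, else None."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or sha256(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        return None

def demo():
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    # Constructed evidence: filler blocks with a planted ransom note in the middle
    device = b"\x00" * 4096 + b"ATTENTION: your files are encrypted. Pay to recover." + b"\xff" * 2048
    source_hash = sha256(device)
    log = CustodyLog()
    log.record("j.doe (responder)", "seized disk, hashed source", source_hash, t0)
    image = acquire_image(device)
    image_hash = sha256(image)
    log.record("j.doe (responder)", "acquired image, hashed image", image_hash, t0 + timedelta(minutes=20))
    # Analysis happens on the copy and only reads it
    found_note = image.find(b"your files are encrypted") != -1
    log.record("a.lee (analyst)", "keyword search on image", sha256(image), t0 + timedelta(hours=2))
    image_intact = sha256(image) == source_hash
    # What an analyst who writes to the evidence looks like: the hash no longer matches
    altered = bytearray(image); altered[0] = 0x01
    modification_detected = sha256(bytes(altered)) != source_hash
    # Undocumented handling: an entry is reworded after the fact with no new record
    tampered = CustodyLog()
    tampered.entries = [dict(e) for e in log.entries]
    tampered.entries[1]["action"] = "acquired image"
    return (image_hash == source_hash, found_note, image_intact,
            modification_detected, log.verify(), tampered.verify())

if __name__ == "__main__":
    print(demo())
```

The matching hashes are what the responder can present later: the image examined is demonstrably the same bits as the seized disk, and the log shows an unbroken, signed-off sequence of handlers. Real evidence storage also needs the log kept where the handlers cannot rewrite it; the hash chain only makes rewriting detectable.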


Section C Decision Pattern

When unsure in Domain 4 Section C:

  1. True MFA requires different factor types, not multiple instances of the same type.
  2. Follow the incident response lifecycle in order — do not skip containment.
  3. Preserve evidence before remediation in forensic scenarios.
  4. Use RBAC for role-based permission questions; ABAC for conditional/contextual access.
  5. Automation handles speed; humans handle judgment calls.

Section C – Practice Questions


Question 1

A user logs into a corporate portal and can access email, file sharing, and the HR system without re-authenticating. What technology enables this?

A. SSO
B. MFA
C. RBAC
D. Federation

Answer & reasoning

Correct: A

Single Sign-On (SSO) allows a user to authenticate once and access multiple applications without re-entering credentials. SSO improves user experience and reduces password fatigue while centralizing authentication management.


Question 2

An organization requires employees to use a password and a fingerprint scan to access the data center. What type of authentication is this?

A. Single-factor authentication
B. Two-step verification
C. Multi-factor authentication
D. Biometric authentication only

Answer & reasoning

Correct: C

This is multi-factor authentication because it combines something you know (password) with something you are (fingerprint). Two different factor categories are required, which is the definition of MFA.


Question 3

During a ransomware incident, the security team identifies the infected systems. What is the NEXT step in the incident response process?

A. Eradicate the malware
B. Conduct lessons learned
C. Restore from backups
D. Contain the infected systems

Answer & reasoning

Correct: D

After detection and analysis (identifying the infected systems), the next step is containment. Isolating infected systems prevents the ransomware from spreading further. Eradication and recovery come after containment. Lessons learned is the final phase.


Question 4

A forensic investigator needs to examine a compromised server's hard drive. What should be done FIRST?

A. Create a forensic image and hash it for integrity verification
B. Run antivirus to clean the drive
C. Boot the server and check the logs
D. Reformat the drive and restore from backup

Answer & reasoning

Correct: A

The first step in digital forensics is creating a forensic image (a bit-for-bit copy, acquired through a write blocker) and generating a hash of both the source and the image to verify integrity. Working on the original evidence risks modifying it; booting the server (option C) alone changes timestamps and log files. All analysis should be performed on the forensic copy, and the chain of custody must be documented from the moment of seizure. (If the server were still running, volatile data such as memory would be captured before the disk is imaged.)


Question 5

An organization uses RBAC. When an employee transfers from the finance department to marketing, what should happen to their access?

A. Add marketing permissions while keeping finance permissions
B. Disable the account until the transfer is complete
C. Remove finance permissions and assign marketing permissions
D. Keep all existing permissions and add a note in the file

Answer & reasoning

Correct: C

When a role changes, the previous role's permissions must be removed and new role permissions assigned. Keeping old permissions creates privilege accumulation (permission creep), violating the principle of least privilege. Access should always match the current role.


Question 6

A SOAR platform automatically disables a user account when the SIEM detects 50 failed login attempts in one minute. What benefit does this provide?

A. Eliminates the need for an incident response team
B. Prevents all brute force attacks permanently
C. Replaces the need for MFA
D. Reduces response time from minutes to seconds

Answer & reasoning

Correct: D

SOAR automation reduces the time between detection and response from minutes (or hours with manual processes) to seconds. It does not eliminate the need for human teams, replace other controls like MFA, or permanently prevent all attacks. It accelerates the response to known attack patterns.


Question 7

An employee uses a password and a PIN to access a system. Is this multi-factor authentication?

A. Yes — two credentials were provided
B. No — both are something you know
C. Yes — the PIN is something you have
D. No — PINs are not authentication factors

Answer & reasoning

Correct: B

Both a password and a PIN are something you know. Multi-factor authentication requires factors from different categories (know, have, are). Two credentials from the same category is multi-step authentication, not multi-factor authentication, and an attacker who phishes one can usually phish the other.


Question 8

After containing and eradicating a malware infection, the security team restores affected systems from clean backups. What incident response phase are they in?

A. Preparation
B. Containment
C. Recovery
D. Lessons learned

Answer & reasoning

Correct: C

Recovery involves restoring systems to normal operations after the threat has been contained and eradicated. This includes restoring from backups, rebuilding systems, verifying functionality, and monitoring for re-infection.


Question 9

A contractor needs temporary access to a specific project folder. The access should automatically expire in 30 days. What IAM concept supports this?

A. Time-based access policies
B. Role-based access control
C. Mandatory access control
D. Discretionary access control

Answer & reasoning

Correct: A

Time-based access policies automatically expire access after a defined period. This is essential for temporary workers, contractors, and project-based access. It prevents lingering permissions that could be exploited after the business need ends.


Question 10

During a forensic investigation, an analyst discovers that a key piece of evidence was handled without documentation. What forensic principle was violated?

A. Data classification
B. Chain of custody
C. Non-repudiation
D. Least privilege

Answer & reasoning

Correct: B

Chain of custody documents every person who handled evidence, when they handled it, and what they did with it. Without proper chain of custody documentation, evidence may be inadmissible in legal proceedings because its integrity cannot be verified.
