4.0 Identity and Access Management

Question 1

Standards, best practices, and guidelines for effective security risk management. Some frameworks are general in nature, while others are specific to industry or technology types.

Answer 1

cybersecurity frameworks (CSF)

Question 2

Develops computer security standards used by US federal agencies and publishes cybersecurity best practice guides and research.

Answer 2

National Institute of Standards and Technology (NIST)

Question 3

A technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.

Answer 3

security controls

Question 4

An analysis that measures the difference between the current and desired states in order to help assess the scope of work included in a project.

Answer 4

Gap analysis

Question 5

The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.

Answer 5

Identification

Question 6

A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.

Answer 6

identity and access management (IAM)

Question 7

A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.

Answer 7

authentication, authorization, and accounting (AAA)

Question 8

In zero trust architecture, functions that define policy and determine access decisions.

Answer 8

control plane

Question 9

Security settings that control access to objects including file system items and network resources.

Answer 9

permissions

Question 10

An access control model where each resource is protected by an access control list (ACL) managed by the resource’s owner (or owners).

Answer 10

Discretionary access control (DAC)

Question 11

An access control model where resources are protected by inflexible, system-defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).

Answer 11

Mandatory access control (MAC)

Question 12

An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.

Answer 12

Role-based access control (RBAC)

Question 13

A group account is a collection of user accounts that is useful when establishing file permissions and user rights because when many individuals need the same level of access, a group could be established containing all the relevant users.

Answer 13

group account

Question 14

An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.

Answer 14

Attribute-based access control (ABAC)

Question 15

A nondiscretionary access control technique that is based on a set of operational rules or restrictions to enforce a least privileges permissions policy.

Answer 15

Rule-based access control

Question 16

A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

Answer 16

Least privilege

Question 17

The process of deploying an account, host, or application to a target production environment. This involves proving the identity or integrity of the resource, and issuing it with credentials and access permissions.

Answer 17

Provisioning

Question 18

The process of removing an account, host, or application from the production environment. This requires revoking any privileged access that had been assigned to the object.

Answer 18

Deprovisioning

Question 19

The value assigned to an account by Windows and that is used by the operating system to identify that account.

Answer 19

security identifier (SID)

Question 20

On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.

Answer 20

group policy objects (GPOs)

Question 21

The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.

Answer 21

geolocation

Question 22

Policies or configuration settings that limit a user’s access to resources.

Answer 22

time-of-day restrictions policy

Question 23

Authentication token generated by a cryptoprocessor on a dedicated hardware device. As the token is never transmitted directly, this implements an ownership factor within a multi-factor authentication scheme.

Answer 23

Hard authentication token

Question 24

A security device similar to a credit card that can store authentication information, such as a user’s private key, on an embedded cryptoprocessor.

Answer 24

Smart cards

Question 25

Portable HSM with a computer interface, such as USB or NFC, used for multi-factor authentication.

Answer 25

Security key

Question 26

OTP sent to a registered number or email account or generated by an authenticator app as a means of two-step verification when authenticating account access.

Answer 26

Soft authentication token

Question 27

Multi- factor authentication scheme that uses ownership and biometric factors, but not knowledge factors.

Answer 27

Passwordless

Question 28

A challenge-response authentication protocol created by Microsoft for use in its products.

Answer 28

NT LAN Manager (NTLM) authentication

Question 29

Capability of an authenticator or other cryptographic module to prove that it is a root of trust and can provide reliable reporting to prove that a device or computer is a trustworthy platform.

Answer 29

Attestation

Question 30

A framework for implementing authentication providers in Linux.

Answer 30

Pluggable authentication module (PAM)

Question 31

A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.

Answer 31

Directory service

Question 32

Protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.

Answer 32

Lightweight Directory Access Protocol (LDAP)

Question 33

A collection of attributes that define a unique identifier for any given resource within an X.500-like directory.

Answer 33

Distinguished name (DN)

Question 34

Authentication technology that enables a user to authenticate once and receive authorizations for multiple services.

Answer 34

Single sign-on (SSO)

Question 35

A single sign-on authentication and authorization service that is based on a time-sensitive, ticket-granting system.

Answer 35

Kerberos

Question 36

A component of Kerberos that authenticates users and issues tickets (tokens).

Answer 36

Key distribution center (KDC)

Question 37

In Kerberos, a token issued to an authenticated account to allow access to authorized application servers.

Answer 37

Ticket Granting Ticket (TGT)

Question 38

A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.

Answer 38

Federation

Question 39

In a federated network, the service that holds the user account and performs authentication.

Answer 39

Identity provider (IdP)

Question 40

An XML-based data format used to exchange authentication information between a client and a service.

Answer 40

Security Assertion Markup Language (SAML)

Question 41

An XML-based web services protocol that is used to exchange messages.

Answer 41

Simple Object Access Protocol (SOAP)

Question 42

A standardized, stateless architectural style used by web applications for communication and integration.

Answer 42

Representational State Transfer (REST)

Question 43

A standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.

Answer 43

Open Authorization (OAuth)

Question 44

A file format that uses attribute-value pairs to define configurations in a structure that is easy for both humans and machines to read and consume.

Answer 44

JavaScript Object Notation (JSON)

Question 45

An authentication mechanism that allows a user to perform a biometric scan to operate an entry or access system. Physical characteristics stored as a digital data template can be used to authenticate a user. Typical features used include facial pattern, iris, retina, fingerprint pattern, and signature recognition.

Answer 45

Biometric authentication

Question 46

A biometric assessment metric that measures the number of valid subjects who are denied access.

Answer 46

False Rejection Rate (FRR)

Question 47

A biometric assessment metric that measures the number of unauthorized users who are mistakenly allowed access.

Answer 47

False Acceptance Rate (FAR)

Question 48

A biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance.

Answer 48

Crossover Error Rate (CER)

Question 48

Granting a user on the computer system the right to use a resource.

Answer 48

Authorization

Question 49

A collection of access control entries that determines which users are allowed or denied access to an object and the privileges given to that user.

Answer 49

Access control list (ACL)

Question 50

Access rights are cumulative, giving the user combined permissions from multiple groups.

Answer 50

Effective permissions

Question 51

Always override Allow permissions.

Answer 51

Deny permissions

Question 52

A domain is an administratively defined collection of network resources that share a common directory database and security policies. The domain is the basic administrative unit of an Active Directory structure.

Answer 52

Domain

Question 53

A tree is a group of related domains that share the same contiguous DNS namespace.

Answer 53

Tree

Question 54

A forest is a collection of related domain trees. The forest establishes the relationship between trees that have different DNS namespaces.

Answer 54

Forest

Question 55

An organizational unit is similar to a folder. It subdivides and organizes network resources within a domain.

Answer 55

Organizational unit (OU)

Question 56

Each resource within Active Directory is identified as an object.

Answer 56

Object

Question 57

A domain controller is a server that holds a copy of the Active Directory database. It is also the copy of the Active Directory database on a domain controller that can be written to.

Answer 57

Domain controller

Question 58

Replication is the process of copying changes to Active Directory on the domain controllers.

Answer 58

Replication

Question 59

Member servers are servers in the domain that do not have the Active Directory database.

Answer 59

Member servers

Question 60

A policy is a set of configuration settings applied to users or computers.

Answer 60

Policy

Question 61

The process of accessing a smart card’s chip surface directly to observe, manipulate, and interfere with the circuit.

Answer 61

Microprobing

Question 62

The wireless, non-contact use of radio frequency waves to transfer data.

Answer 62

Radio frequency identification (RFID)

Question 63

AAA protocol used to manage remote and wireless authentication infrastructures.

Answer 63

Remote Authentication Dial-in User Service (RADIUS)

Question 64

a network security protocol that provides centralized authentication, authorization, and accounting (AAA) services for users attempting to access network resources.

Answer 64

Terminal Access Controller Access-Control System Plus (TACACS+)