4.6

Question 1

IAM stands for

Answer 1

Identity and Access Management

Question 2

Giving the right permissions to the right people at the right time is known as

Answer 2

IAM

Question 3

Software that is used for:

Access control

Authentication and authorization

Identity governance (provisioning/deprovisioning user accounts)

Answer 3

IAM

Question 4

IAM utilizes ____ access control. That means if a user creates a file, that file is private to that user, even if another user logs into that same device.

Answer 4

Mandatory

Question 5

The formal process of verifying that a user really is who they say they are. Used by IAM solutions.

Answer 5

Identity proofing

Question 6

An identity proofing process where the user verifies their identity via government documents, answering questions about previous addresses or purchases, or an in-person meeting.

Answer 6

Verification/attestation

Question 7

An identity proofing process where the user verifies their identity by sending credentials (username/password) and may answer security questions. This is an information gathering process.

Answer 7

Validation

Question 8

An identity proofing process where the IAM system gathers information about a user to verify that the user is who they say they are.

Answer 8

Resolution

Question 9

SSO stands for

Answer 9

Single Sign-On

Question 10

An authentication solution where the user has to validate their identity only once to access all of the resources in a network.

This is usually limited by time. Ex. You will only be authenticated for 24 hours, after which you will have to authenticate again.

Answer 10

SSO

Question 11

LDAP stands for

Answer 11

Lightweight Directory Access Protocol

Question 12

The protocol used to query and update an X.500 directory.

It is also often used for authentication/authorization, typically SSO.

Answer 12

LDAP

Question 13

A global directory service that organizes components to manage information.

It follows the format of:
attribute=value

Answer 13

X.500

Question 14

SAML stands for

Answer 14

Security Assertion Markup Language

Question 15

An open-source standard protocol for authentication and authorization with which you can authenticate through a third-party database.

That way, instead of creating/managing your own identity management database for your organization, you can use one that exists elsewhere.

However, this protocol was not created to work with mobile devices, so its use is limited in modern day.

Answer 15

SAML

Question 16

An authentication protocol that can authenticate users through a third-party authentication database

Answer 16

SAML

Question 17

Describe how SAML authentication works

Answer 17

User attempts to access Resource Server

Resource Server redirects user to third-party Authorization Server through an encrypted SAML request

User logs in

Authorization Server redirects the user back to the Resource Server with a SAML token

Resource Server verifies the SAML token and grants access to the user

Question 18

An authorization framework that allows applications to access resources on a user’s behalf

Answer 18

OAUTH

Question 19

When you see a message such as:

“[3rd Party App] wants to access your Google Account
This will allow [3rd Party App] to:
See, edit, create, and delete all of your Google Drive files”

What authorization protocol is being used?

Answer 19

OAUTH

Question 19

When you see a message such as:

“Sign in through Facebook
Sign in through Twitter
Sign in through Instagram”

What authentication method is being used?

Answer 19

Federation / federation authentication

Question 20

Because OAUTH is an authorization protocol and NOT an authentication protocol, what service is used in conjunction with it? This service provides SSO authentication.

Answer 20

OpenID

Question 21

An authentication method that allows network access without using a local authentication database.

It allows you login to a resource without having to create a new account specifically for that resource.

It can allow you to sign in through an existing trusted third-party organization with which the two organizations have a trust relationship.

Answer 21

Federation

Question 22

What is the main thing to consider when determining which type of IAM services to use

Answer 22

Interoperability

Some apps may be compatible with the method you choose; others will need to implement some kind of API or other interoperability measures to make it work.

Question 23

The process of enforcing policies that would allow/disallow users/devices access to resources

Answer 23

Access control

Question 24

An access control model that allows users/devices the bare minimum of access to perform their job.

Answer 24

Least privilege

Question 25

An access control model that is based on security clearance levels. Every file or object gets a label with the security clearance required to access it.

The administrator of the system defines the security clearance that a user/device has.

Answer 25

Mandatory Access Control

Question 26

An access control model that allows the user who created the data to determine who else can access the data, and what they can do to modify it.

Very flexible, but very weak security.

Answer 26

DAC

Question 27

An access control model that is based on account roles (manager, director, team lead, project manager, etc.).

Administrators provide access based on the role of the user. Rights are gained implicitly instead of explicitly.

Answer 27

RBAC

Question 28

RBAC stands for

Answer 28

Role-Based Access Control

Question 29

What does it mean when rights/permissions are gained implicitly instead of explicitly?

Answer 29

It means that the rights are assigned due to a user’s role or attribute rather than assigned individually to that user.

Question 30

An access control model that grants rights and permissions according to system-enforced rules. The administrator configures these rules, and attaches them to files. These rules are then enforced once a user attempts to access the resource.

Ex:
Lab network access is only available between 9am-5pm
Only Chrome browsers can complete this web form

Answer 30

RuBAC

Question 31

ABAC stands for

Answer 31

Attribute-Based Access Control

Question 32

An access control model that develops a complex ruleset to determine whether someone has or doesn’t have access to a resource.

It can examine attributes that are be unique to the user. Seniority, current projects, security clearance level, work status, attempted action to take, etc.
It will also consider external factors like time of day and browser type.

It considers many different parameters, including context. It can evaluate the source IP address, time of day, desired action, and relationship the user has to the data.
All of these criteria are combined to determine whether to grant access.

It is a “next generation” authorization model.

Answer 32

ABAC

Question 33

Difference between RuBAC and ABAC

Answer 33

RuBAC focuses on rules, related to external factors. Time of day, working hours, schedules, specific devices.

ABAC focuses on attributes that can rely on personal information like active projects, work status, security clearance, seniority, attempted action, etc.

Question 34

RuBAC stands for

Answer 34

Rule-Based Access Control

Question 35

An access control model that restricts access during certain times or days of the week.

This model is typically not used on its own.

Answer 35

Time-of-day restrictions

Question 36

4 factors used in MFA

Answer 36

Something you know
Something you have
Something you are
Somewhere you are

Question 37

3 examples of “something you know”

Answer 37

Password
PIN
Pattern

Question 38

4 examples of “something you have”

Answer 38

Smart card

USB security key (contains certificate specific to you)

Hardware/software token (RNG)

Your phone (SMS code)

Question 39

1 example of “something you are”

Answer 39

Biometric authentication

Fingerprint, iris scan, voice print

Question 40

2 examples of “somewhere you are”

Answer 40

IP address
Mobile device location services (GPS)

Question 41

What is password entropy?

Answer 41

Unpredictability

Question 42

Software that can remember all of your different passwords for you. It stores your password in one database that has been encrypted.

To use this service, you may need to provide multifactor tokens.

Answer 42

Password manager

Question 43

A method of authentication that uses facial recognition, security keys, or PINs instead of using passwords.

This is often used in conjunction with (NOT instead of) passwords or other authentication measures.

Answer 43

Password authentication

Question 44

An authentication/authorization measure that gives a technician a temporary set of credentials. These credentials give administrator access for a limited amount of time - just enough time to solve a problem or adjust a configuration.

This prevents attackers from gaining elevated account rights.

Answer 44

Just-in-time permissions

Question 45

The entity responsible for allowing or disallowing access based upon a predetermined set of security policies. Used for giving just-in-time permissions to users.

Answer 45

Central clearinghouse

AKA password vault

Question 46

Central clearinghouse is AKA

Answer 46

Password vault

Question 47

Explain the process of gaining and using just-in-time permissions

Answer 47

User requests access from a central clearinghouse/password vault

The central clearinghouse/password vault contains primary credentials. It creates ephemeral credentials based on those primary credentials and supplies them to the user. The primary credentials are never released.

The ephemeral credentials are used for one session and then deleted.