Brainscape's Knowledge GenomeTM


Top Flashcards (Certified)
All Flashcards

2_Security+ Study Guide book > 8: Identity and Access Management > Flashcards

8: Identity and Access Management Flashcards

1
Q
A
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

What does AAA stand for in security concepts?

A

Authentication, Authorization, and Accounting

AAA is a framework for controlling access to computer resources, enforcing policies, and auditing usage.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

What is the purpose of mitigation techniques in security?

A

To secure the enterprise

Mitigation techniques help reduce vulnerabilities and protect against potential threats.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

What is an Access Control List (ACL)?

A

A list that defines permissions for users and groups regarding resources

ACLs specify which users or systems have access to specific resources and what actions they can perform.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

What is provisioning in the context of identity management?

A

The process of creating user accounts and granting access rights

Provisioning ensures that users have the necessary access to perform their job functions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What does identity proofing entail?

A

Verifying the identity of a user before granting access

Identity proofing is crucial for ensuring that the user is who they claim to be.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What is Single Sign-On (SSO)?

A

A user authentication process that allows a user to access multiple applications with one set of login credentials

SSO improves user experience and reduces password fatigue.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

What are the factors involved in multifactor authentication?

A
  • Something you know
  • Something you have
  • Something you are
  • Somewhere you are

Multifactor authentication enhances security by requiring multiple forms of verification.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

What are the types of access controls?

A
  • Mandatory
  • Discretionary
  • Role-based
  • Rule-based
  • Attribute-based
  • Time-of-day restrictions
  • Least privilege

Different models of access control can be applied based on organizational needs.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is the significance of privileged access management tools?

A

They ensure proper controls and monitoring for superusers and privileged accounts

Tools like just-in-time permissions and password vaulting help manage high-level access.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What are password best practices?

A
  • Length
  • Complexity
  • Reuse
  • Expiration
  • Age

Following these practices can significantly enhance password security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What is the concept of interoperability in identity management?

A

The ability of different authentication and authorization services to work together

Interoperability ensures seamless access across systems and applications.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Fill in the blank: Identities are one of the most important _______ in modern organizations.

A

security layers

Managing identities effectively is critical for organizational security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

What is the role of accounting in AAA?

A

Tracking user actions and resource usage

Accounting provides a record of who accessed what resources and when.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What does the term ‘authentication’ refer to?

A

The process of verifying the identity of a user or system

Authentication ensures that users are who they claim to be.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is the purpose of implementing identity and access management?

A

To control access to systems and services, and manage user rights

Effective identity and access management is vital for organizational security.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What are identities?

A

Sets of claims made about a subject

Subjects can include people, applications, devices, systems, or organizations, with the most common application being individuals.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

What type of information is typically linked to identities?

A

Attributes or information about the subject

This includes details important for the use of their identity.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What is the difference between attributes and traits?

A

Attributes are changeable; traits are inherent

Examples: attributes can include title or address; traits include height or eye color.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What is the most commonly used means of claiming an identity?

A

Usernames

Usernames are associated with an identity but are not authentication factors themselves.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What are certificates in the context of identity?

A

Stored on a system or paired with a device to identify systems or individuals

Certificates can be used for both devices and individual identities.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What are tokens?

A

Physical devices that present a certificate or information

Tokens may generate a code or connect via USB/Bluetooth.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What are SSH keys?

A

Cryptographic representations of identity replacing a username and password

SSH keys enhance security by eliminating the need for traditional credentials.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What do smartcards use for identity verification?

A

An embedded chip

Smartcards can be contactless or require a physical chip reader and often generate key pairs on the card.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
What is a common issue with key pairs?
Exposed or lost key pairs can create security hassles ## Footnote Common problems include uploading private keys to public repositories.
26
What is a common poor practice related to key pairs?
Poor passphrase management or using a blank passphrase ## Footnote This is particularly concerning for SSH keys.
27
How do cloud service providers handle key pair security?
They monitor for uploads to third-party services and subsequent exploits ## Footnote Training developers and administrators on proper handling is crucial.
28
What is critical for the security of smartcards?
The security of the card and its key generation/storage ## Footnote Well-designed smartcards generate key pairs on the card to prevent unauthorized copies.
29
What is the purpose of authentication?
To prove that a subject's identity is theirs.
30
What does authorization verify?
What you have access to.
31
What are the two main functions of authentication and authorization combined?
* Verify who you are * Allow access to resources based on authorization
32
What does SSO stand for?
Single Sign-On
33
List three authentication protocols mentioned in the text.
* EAP * CHAP * RADIUS
34
What is the Extensible Authentication Protocol (EAP) commonly used for?
Wireless network authentication.
35
What is the Challenge Handshake Authentication Protocol (CHAP) designed to provide?
More security than earlier protocols like PAP.
36
What standard does 802.1X represent?
Network access control (NAC).
37
What is RADIUS used for?
Authentication, authorization, and accounting (AAA) for network devices.
38
True or False: RADIUS operates in a client-server model.
True.
39
What does TACACS+ provide in addition to authentication?
Authorization and accounting services.
40
What are the three main elements of Kerberos users?
* Primary * Instance * Realms
41
Fill in the blank: Single sign-on systems allow a user to log in with a single identity and then use multiple systems or services without _______.
reauthenticating
42
What is the Lightweight Directory Access Protocol (LDAP) commonly used for?
Identity management infrastructure and organizational directory.
43
What is the Security Assertion Markup Language (SAML)?
An XML-based open standard for exchanging authentication and authorization information.
44
What is OpenID used for?
Decentralized authentication.
45
What does OAuth allow users to do?
Determine what information to provide to third-party applications without sharing credentials.
46
What is the role of an identity provider (IdP) in federated identity deployments?
Manage the life cycle of digital identities and provide authentication services.
47
What is attestation?
A formal verification that something is true.
48
What is a relying party (RP)?
A party that requires authentication and identity claims from an IdP.
49
What is interoperability in the context of identity management?
The ability to connect different organizations together using standards-based technologies.
50
List two technologies used for federated authentication.
* OpenID Connect * SAML
51
What is a common use case for cloud service providers regarding identity management?
Support some form of identity federation.
52
What is the purpose of authentication?
To prove that a subject's identity is theirs.
53
What does authorization verify?
What you have access to.
54
What are the two main functions of authentication and authorization combined?
* Verify who you are * Allow access to resources based on authorization
55
What does SSO stand for?
Single Sign-On
56
List three authentication protocols mentioned in the text.
* EAP * CHAP * RADIUS
57
What is the Extensible Authentication Protocol (EAP) commonly used for?
Wireless network authentication.
58
What is the Challenge Handshake Authentication Protocol (CHAP) designed to provide?
More security than earlier protocols like PAP.
59
What standard does 802.1X represent?
Network access control (NAC).
60
What is RADIUS used for?
Authentication, authorization, and accounting (AAA) for network devices.
61
True or False: RADIUS operates in a client-server model.
True.
62
What does TACACS+ provide in addition to authentication?
Authorization and accounting services.
63
What are the three main elements of Kerberos users?
* Primary * Instance * Realms
64
Fill in the blank: Single sign-on systems allow a user to log in with a single identity and then use multiple systems or services without _______.
reauthenticating
65
What is the Lightweight Directory Access Protocol (LDAP) commonly used for?
Identity management infrastructure and organizational directory.
66
What is the Security Assertion Markup Language (SAML)?
An XML-based open standard for exchanging authentication and authorization information.
67
What is OpenID used for?
Decentralized authentication.
68
What does OAuth allow users to do?
Determine what information to provide to third-party applications without sharing credentials.
69
What is the role of an identity provider (IdP) in federated identity deployments?
Manage the life cycle of digital identities and provide authentication services.
70
What is attestation?
A formal verification that something is true.
71
What is a relying party (RP)?
A party that requires authentication and identity claims from an IdP.
72
What is interoperability in the context of identity management?
The ability to connect different organizations together using standards-based technologies.
73
List two technologies used for federated authentication.
* OpenID Connect * SAML
74
What is a common use case for cloud service providers regarding identity management?
Support some form of identity federation.
75
What is the core of the authentication process?
Proving that the claimed identity belongs to the user.
76
What is the most common means of authentication?
Using a password.
77
What are two major flaws of passwords?
* Can be stolen and used by third parties * Susceptible to brute-force attacks.
78
What is multifactor authentication (MFA)?
A security process that requires multiple forms of verification.
79
What are the password best practices recommended by NIST?
* Use Show Password to prevent typos * Use password managers * Store secrets securely using salting and secure hashing * Lock accounts after multiple attempts * Employ multifactor authentication.
80
Fill in the blank: Passwords should be stored securely using _______.
salting and secure hashing methods.
81
What does NIST recommend regarding password complexity?
Reduce complexity requirements and emphasize length.
82
What is one of the primary benefits of using a password manager?
Reduction in password reuse.
83
What happens when a password manager is breached?
User secrets, such as master passwords and MFA seeds, may be exposed.
84
What is passwordless authentication?
Authentication relying on something you have or are, rather than a password.
85
What are some factors that can be used in passwordless authentication?
* Security tokens * One-time password applications * Biometric factors.
86
True or False: Multifactor authentication can help reduce risks associated with compromised passwords.
True.
87
What are the four factors defined by the Security+ exam outline for MFA?
* Something you know * Something you have * Something you are * Somewhere you are.
88
What is a one-time password (OTP)?
A password that is usable only once.
89
What are the two primary models for generating one-time passwords?
* Time-based one-time passwords (TOTP) * HMAC-based one-time passwords (HOTP).
90
How can TOTP passwords be generated?
Using an algorithm that derives a one-time password based on the current time.
91
What is a common attack against one-time passwords?
Tricking users into providing their OTP.
92
What does the acronym HMAC stand for?
Hash-based Message Authentication Codes.
93
What are some common biometric technologies?
* Fingerprints * Retina scans * Voice prints.
94
Fill in the blank: The FIDO2 standard supports both the W3C Web Authentication specification and the _______.
Client to Authenticator Protocol (CTAP).
95
What are the risks associated with using SMS for OTP?
Can be redirected using a cloned SIM or compromised VoIP systems.
96
What is the purpose of password expiration dates?
To ensure passwords are not used for extended periods of time.
97
True or False: Password managers are only available as third-party applications.
False.
98
What are static codes in the context of one-time passwords?
Pre-generated codes that do not require a device or connectivity.
99
What are biometric factors?
They rely on the unique physiology of the user to validate their identity. ## Footnote Examples include voice prints and gait.
100
Name three common biometric technologies.
* Fingerprints * Retina scanning * Iris recognition
101
What is the purpose of fingerprint scanning?
To check the unique patterns of ridges and valleys on fingertips using scanners. ## Footnote Used in devices like Windows laptops and mobile devices.
102
How does retina scanning identify users?
It uses the unique patterns of blood vessels in the retina. ## Footnote This method is distinct from iris recognition.
103
What is the difference between iris recognition and retina scanning?
Iris recognition uses pattern recognition and infrared imaging, while retina scanning uses blood vessel patterns. ## Footnote Iris recognition can be performed from a greater distance.
104
What technology is used for facial recognition?
It matches specific features to an original image in a database. ## Footnote Widely used in Apple iPhone for Face ID.
105
Describe voice recognition systems.
They rely on patterns, rhythms, and sounds of a user's voice to recognize the user.
106
What is vein recognition?
It uses scanners to see the pattern of veins in a user's finger or arm. ## Footnote Unlike fingerprint scanners, vein scanners do not require contact.
107
What does gait analysis measure?
It measures how a person walks to identify them.
108
Define Type I errors in biometric systems.
False rejection rate (FRR), where a legitimate biometric measure is presented but rejected.
109
What are Type II errors in biometric systems?
False acceptance errors, measured as the false acceptance rate (FAR), where an unauthorized biometric factor is accepted.
110
What does the receiver operating characteristic (ROC) compare?
It compares the FRR against the FAR of a system.
111
What is the FIDO Alliance's FRR threshold for certification?
3 percent of attempts for FRR and .01 percent for FAR for their basic BioLevel1 requirement.
112
What is the Imposter Attack Presentation Match Rate (IAPMR)?
It measures how often an attack will succeed against a biometric system.
113
Why did retina scanners fail to gain popularity?
Most people do not want to bend over and peer into a retina scanner.
114
What challenges have early fingerprint scanners faced?
They struggled to scan many fingerprints, especially from users with worn fingerprints. ## Footnote This can be due to manual labor or chemical exposure.
115
What is a consideration when deploying biometric systems?
User acceptance must be assessed, and backup methods should be available for some users.
116
True or False: Biometric systems are always easy to deploy.
False
117
What shows the successful implementation of biometric factors?
The broad usage of Apple's Face ID and Touch ID, along with Android's fingerprint readers.
118
What is required to claim an identity and access a system or service?
An account ## Footnote Accounts contain information about a user, including rights and permissions.
119
What are the basic account types?
* User accounts * Privileged or administrative accounts * Shared and generic accounts * Guest accounts * Service accounts ## Footnote These account types vary in their permissions and intended use.
120
What is a user account?
An account that ranges from basic access to systems to power users with broad rights ## Footnote Example: Windows Standard User account.
121
What defines privileged or administrative accounts?
Accounts like the root account on Linux, Unix systems, and the Windows Administrator account ## Footnote These accounts have elevated permissions.
122
What are shared and generic accounts?
Accounts often prohibited by security policies, useful but problematic for tracking actions ## Footnote Organizations may use delegation to avoid shared account issues.
123
What are guest accounts?
Accounts for temporary users with limited privileges and minimal user information ## Footnote They typically have very restricted access.
124
What are service accounts?
Accounts associated with applications and services, not for interactive logins ## Footnote Organizations enforce security policies for service accounts.
125
What are the two most important phases in the user account life cycle?
* Provisioning (creation) * Deprovisioning (termination) ## Footnote These phases are critical for account management.
126
What occurs during account provisioning?
Creation of the account and setting of resources, permissions, and attributes ## Footnote May involve identity proofing.
127
What is identity proofing?
The process of verifying the identity of the person claiming the account ## Footnote Commonly involves government IDs and personal information.
128
What is the concept of least privilege?
The practice of granting users only the minimum permissions necessary for their roles ## Footnote A key aspect of permission management.
129
What is permission creep?
The accumulation of excessive permissions by users over time ## Footnote Often occurs when users take on new roles without proper permission review.
130
What is the preferred method of account termination?
Complete removal of the account ## Footnote This reduces the risk of dormant accounts being compromised.
131
What is privileged access management (PAM)?
Tools used to manage administrative and privileged accounts ## Footnote Focus on maintaining least privilege and providing granular controls.
132
What are just-in-time (JIT) permissions?
Permissions granted and revoked only when needed ## Footnote Helps prevent ongoing access when not necessary.
133
What is password vaulting?
A method to access privileged accounts without knowing the password ## Footnote Allows for logged, auditable events related to credential use.
134
What are ephemeral accounts?
Temporary accounts with limited lifespans ## Footnote Used for specific purposes or guests, requiring proper deprovisioning.
135
What is the purpose of access control schemes?
To determine which users, services, and programs can access various files or other objects.
136
What does Mandatory Access Control (MAC) rely on?
The operating system to enforce control as set by a security policy administrator.
137
True or False: In a MAC implementation, users can change the security policies set centrally.
False.
138
Where are MAC implementations commonly found?
In high-security systems like SELinux and Windows as Mandatory Integrity Control (MIC).
139
What is Discretionary Access Control (DAC)?
An access control scheme that allows owners to delegate rights and permissions to objects.
140
Fill in the blank: The owner of a file in DAC can set permissions for the ______, group, or world.
[owner]
141
What is the main principle behind Role-Based Access Control (RBAC)?
Roles are matched with privileges assigned to those roles.
142
List the three primary rules of RBAC.
* Role assignment * Role authorization * Permission authorization
143
True or False: RBAC systems allow subjects to have multiple roles.
True.
144
What is Rule-Based Access Control (RuBAC)?
An access control method applied using a set of rules or access control lists (ACLs).
145
What is an example of Rule-Based Access Control?
A firewall ruleset.
146
What does Attribute-Based Access Control (ABAC) rely on?
Policies driven by attributes of the users.
147
What is a key advantage of ABAC systems?
Flexibility due to complex rulesets based on combinations of attributes.
148
What is a downside of ABAC policies?
They can be complex to manage well.
149
What do time-of-day restrictions limit?
When activities can occur.
150
Fill in the blank: The concept of _______ states that accounts should only be given the minimum permissions necessary.
[least privilege]
151
What do filesystem controls determine?
Which accounts, users, groups, or services can perform actions like reading, writing, and executing files.
152
What does the Linux permission string 'drwxrwxrwx' indicate?
It shows the type of file and user, group, and world permissions.
153
How can Windows file permissions be set?
Using the command line or the GUI.
154
What does the 'Modify' permission in Windows allow?
Viewing as well as changing files or folders.
155
What is a common attack that exploits weak filesystem permissions?
Directory traversal attacks.
156
What is the purpose of access control schemes?
To determine which users, services, and programs can access various files or other objects.
157
What does Mandatory Access Control (MAC) rely on?
The operating system to enforce control as set by a security policy administrator.
158
True or False: In a MAC implementation, users can change the security policies set centrally.
False.
159
Where are MAC implementations commonly found?
In high-security systems like SELinux and Windows as Mandatory Integrity Control (MIC).
160
What is Discretionary Access Control (DAC)?
An access control scheme that allows owners to delegate rights and permissions to objects.
161
Fill in the blank: The owner of a file in DAC can set permissions for the ______, group, or world.
[owner]
162
What is the main principle behind Role-Based Access Control (RBAC)?
Roles are matched with privileges assigned to those roles.
163
List the three primary rules of RBAC.
* Role assignment * Role authorization * Permission authorization
164
True or False: RBAC systems allow subjects to have multiple roles.
True.
165
What is Rule-Based Access Control (RuBAC)?
An access control method applied using a set of rules or access control lists (ACLs).
166
What is an example of Rule-Based Access Control?
A firewall ruleset.
167
What does Attribute-Based Access Control (ABAC) rely on?
Policies driven by attributes of the users.
168
What is a key advantage of ABAC systems?
Flexibility due to complex rulesets based on combinations of attributes.
169
What is a downside of ABAC policies?
They can be complex to manage well.
170
What do time-of-day restrictions limit?
When activities can occur.
171
Fill in the blank: The concept of _______ states that accounts should only be given the minimum permissions necessary.
[least privilege]
172
What do filesystem controls determine?
Which accounts, users, groups, or services can perform actions like reading, writing, and executing files.
173
What does the Linux permission string 'drwxrwxrwx' indicate?
It shows the type of file and user, group, and world permissions.
174
How can Windows file permissions be set?
Using the command line or the GUI.
175
What does the 'Modify' permission in Windows allow?
Viewing as well as changing files or folders.
176
What is a common attack that exploits weak filesystem permissions?
Directory traversal attacks.
177
What is identity and access management?
A key element in organizational security.
178
What is authentication?
The process of proving your claim to an identity by providing one or more factors.
179
What are the factors involved in authentication?
They include: * Something you know * Something you have * Something you are * Somewhere you are
180
What does authorization provide to authenticated users?
Privileges and rights needed to accomplish their roles.
181
What types of user accounts exist?
They range from: * Guest users * Normal users * Service accounts * Privileged administrative accounts
182
What do account policies shape?
Details and requirements for each account, including when accounts should be locked out or disabled.
183
Name some common authentication methods and technologies.
Examples include: * RADIUS * LDAP * EAP * CHAP * OAuth * OpenID * SAML
184
What is the purpose of single sign-on (SSO)?
Allows users to log in once and use their identities throughout many systems.
185
What is federation in identity management?
Uses identity providers to authenticate users for various service providers without needing a distinct identity.
186
What enables interoperability between identity and authorization systems?
Standards and shared protocols.
187
What is attestation in the context of identity management?
Validation that a user or identity belongs to the user claiming it.
188
How has multifactor authentication impacted password security?
It has limited problems such as password theft, reuse, and brute-force attacks.
189
What is biometric authentication?
Uses physical traits such as fingerprint, retina print, or facial recognition.
190
What is critical to know about biometric authentication?
How often it incorrectly allows the wrong person in or rejects a legitimate user.
191
What types of authentication tokens are commonly used?
Both hardware- and software-based authentication tokens.
192
What are hardware security keys?
Increasingly common authentication tokens.
193
What do password vaults provide?
Cryptographically secured storage to keep passwords secure.
194
What has changed regarding password best practices?
Focus has shifted to length as the primary control to avoid brute forcing.
195
What is passwordless authentication?
Replacing passwords with secure tokens or applications.
196
Name some access control schemes.
They include: * Attribute-based access control * Discretionary access control * Mandatory access control * Role-based access control
197
What does privileged access management ensure?
That administrative users are well managed.
198
What are just-in-time permissions?
A technique used in privileged access management systems.
199
What are ephemeral accounts?
Temporary accounts used in privileged access management.
200
Linux file permissions
A. Linux file permissions are read left to right, with the first three characters indicating read, write, and execute permissions (rwx) for the owner of the file, the second three apply to the group, and the last three to all other users. Any indicated with a – are not allowed for that set.
201
Windows

2_Security+ Study Guide book (17 decks)

Brainscape helps you reach your goals faster, through stronger study habits.
© 2025 Bold Learning Solutions. Terms and Conditions