Access Control & Identity Management Flashcards
What is the main drawback of most physical intrusion detection systems?
A large number of false alarms, caused by abnormal weather conditions, animals, or improper calibration.
Name the five intrusion detection system technologies
- Proximity detector – senses changes in the electromagnetic field that surrounds a small area or object.
- Motion detector – detects motion in a certain area.
- Photoelectric detector – senses changes in light patterns that indicate someone is in the area.
- Infrared detector – senses changes in the heat patterns of an area that indicate the presence of an intruder.
- Sound detector – senses sound and vibration and can detect changes in the noise level in an area.
What is the read permission?
You can read the contents of a file or directory.
What is the view permission?
View the contents of a directory; users can see that a file exists, but they won't necessarily have permission to read the contents of that file.
Write permissions?
Create and save a new file or write to an existing file.
Print permissions?
Print a file.
Copy permissions?
Copy a file from one location to another. The write permission would also be required in the destination directory.
Delete permissions?
Delete a file or directory.
Execute permissions?
Execute a program file or script.
Modify permissions?
Modify the attributes of a file or directory.
Move permissions?
Move a file from one location to another. The write permission would be required in the destination directory. The delete permission would be required to remove the file after the move is completed.
Name the three different security roles?
- Group
- User
- Role
What is a man-trap?
A man-trap is a two-tier physical access control method with two physical barriers, such as doors, between the person and the resource they are trying to access.
What is the difference between a smart card reader and a proximity reader?
A smart card must be swiped or inserted into a card reader; a proximity card is simply held near or passed in front of the reader.
What type of smartcard does DoD use?
DoD uses the Common Access Card (CAC).
What is a mandatory access control model?
MAC is where the operating system (the system's security policy, not the data owner) controls access to data, using security labels on resources and clearance levels for users.
What is a discretionary access control model?
DAC allows data owners to specify which users can access their data.
What is role-based access control?
RBAC allows access to be based on the role the user holds within an organization.
What is Rule-based access control based on?
Rule-based access control is based on access control lists (ACLs) and is not necessarily tied to the identity of a user; it provides access rules that are applied to all users in the organization.
Your organization has implemented a self-service password reset system. What does this provide?
(A) Password policy
(B) Certificate reset
(C) Password recovery
C - A self-service password reset system allows users to recover passwords without administrative intervention.
You are defining your overall access control model for the new network. To provide a strong default access policy, you want to make sure that users are given the absolute minimum access rights they need to perform their job function. Which access control principle does this follow? A. Implicit deny. B. Separation of duties C. Least privilege D. Role-based access control
C - The least privilege principle ensures that a user has only the access rights they need to perform their job functions.
You are creating access control model that will allow you to base specific access policies depending on which network a user is on, and not necessarily the actual identity of the specific user. Which privilege management access control model would you use? A. Rule-based access control B. discretionary access control C. Role-based access control D. Mandatory access control
A - Rule-based access control is defined with an access control list (ACL), which specifies a set of rules that must be satisfied before access is granted.
You must create an access control mechanism for your server and network room, which houses all your organization's servers and primary networking equipment. Which methods would be most secure? A. access list B. smart card access C. ID badge D. video surveillance
B - Smart card access would provide the most security: the server room door will not unlock unless a user inserts a smart card and has the proper authorization to enter the room.
You are designing file security for a new file server for your sales department. Each user will have his own private and secure directory, and a shared group directory. Which of the following should be the initial default access level? A. Full access B. Read and write access C. No access D. Only read access
C - No access: start from implicit deny and then grant only what each user needs.
You have recently had several laptops stolen after hours, when employees left them unattended on their desks after leaving work. Which of the following policies should you implement?
A. Enforce the use of cable locks
B. Make sure users are logged out of laptops before they leave
C. Set a hardware password
D. Lock all unattended laptops in a cabinet after hours
D - Lock all unattended laptops in a cabinet after hours if employees are not taking them home.
Which of the following best practices discourages corruption by ensuring that users do not keep the same access and privileges for too long? A. least privilege B. separation of duties C. job rotation D. implicit deny
C - Job rotation improves security because no single employee retains the same access to a particular area for an extended period.
Your company has defined working hours for a call center department. There have been several instances of employees using company resources for downloading Internet content after hours. Which of the following can you implement to improve security?
A. Use MAC address filtering
B. set access time restrictions
C. shut down all computers after work hours
D. Implement job rotation
B - Set access time restrictions; this prevents employees from logging in and accessing the network outside working hours.
You have had a rash of incidents in which weak employee passwords are cracked by brute-force methods and unauthorized users gain access to the network. Which security policy should be implemented?
A. password rotation
B. password length and complexity restrictions
C. password expiration
D. Limiting logon attempts
D - Brute-force attacks are most efficiently stopped by limiting the number of logon attempts (account lockout); longer, more complex passwords only slow the attack down.
You have already implemented a password expiration and rotation policy that forces your users to change their password every 60 days. However, you find that many users simply use the same password again. What should you implement? A. password history B. password complexity C. limiting logon attempts D. password expiry
A - Password history: the system remembers a user's former passwords, and when the current password expires it forces the user to choose a new password that is not the same as any of the previous ones.
A military building uses strict access control: a user must use a smart card to enter the main door of the facility, then meet a security guard at a second door, present an ID badge, and enter a PIN. What security feature is used in this access mechanism? A. mandatory access control B. implicit deny C. three-tier access control D. man trap
D - Mantrap: a user must be authenticated to enter the first door of a facility. Once through, the first door closes and the user is physically held between the first and second doors. The user must pass an additional round of authentication to get through the second door.
What protocol (hash) stores passwords of fewer than 15 characters as two 7-character strings after converting all characters to upper case?
LANMAN (the LM hash)
What can an organization issue to employees that uses a rolling password for authentication?
RSA token (a hardware token that displays a one-time code that changes periodically)
United States federal agency employees use a specialized type of smart card that includes photo identification and provides confidentiality, integrity, and authentication. What is this?
A personal identity verification (PIV) card.
What is a central authentication system that uses a federated user database?
Single sign-on (SSO)
Where do you implement Group Policy for multiple users in a domain?
Domain controller
What remote access protocol is used to authenticate Microsoft clients and includes mutual authentication?
MS-CHAPv2
Compare TACACS+ and RADIUS. Which protocol encrypts the entire authentication process and uses multiple challenges and responses?
TACACS+
Compare TACACS+ and RADIUS. Which protocol uses UDP?
RADIUS
Which access control model uses group based privileges?
Role-based access control (RBAC)
Which access control model is used by Microsoft’s NTFS?
Discretionary access control (DAC)
Which access control model is used by trusted operating systems (such as SELinux) to prevent malware from executing?
Mandatory access control (MAC)
What should door access systems using cipher locks or proximity cards do in the case of fire?
Fail open so people can leave without identification
A user creates a file and the operating system grants only the user full access to the file. What principle is the operating system enforcing?
Principle of least privilege
Of the following protocols, which one does not encrypt the entire authentication process, but instead, only encrypts the password in traffic between the client and server? (A) RADIUS (B) TACACS+ (C) XTACACS (D) Token
A - Remote Authentication Dial-In User Service (RADIUS) encrypts only the password in the packets between client and server; it does not encrypt the entire authentication process.
What is used for authentication in a Microsoft Active Directory domain?
(A) RADIUS
(B) TACACS+
(C) Kerberos
(D) NID
C - Kerberos is the network authentication protocol used in Microsoft Active Directory domains and in UNIX realms. It uses tickets issued by a Key Distribution Center (KDC) and provides mutual authentication, which helps prevent man-in-the-middle attacks.
Which one of the following AAA protocols uses multiple challenges and responses? (A) CHAP (B) RADIUS (C) TACACS (D) TACACS+
D - TACACS+ uses multiple challenges and responses and is an authentication, authorization, and accounting (AAA) protocol.
What is completed when a user's password has been verified? (A) Identification (B) Authentication (C) Authorization (D) Access verification
B - Authentication
An administrator is assigning access to users in different departments based on their job functions. What access control model is the administrator using? (A) DAC (B) MAC (C) RBAC (D) CAC
C - In a role-based access control (RBAC) model, roles are used to define rights and permissions for users.
You manage user accounts for a sales department. You have created a sales user account template to comply with the principle of least privilege. What access control model are you following? (A) DAC (B) MAC (C) RBAC (D) DACL
C - The role-based access control (RBAC) model can use groups as roles, with a user account template assigned to a group, so that new users are granted only the access they need and no more.
Windows systems protect files and folders with New Technology File System (NTFS). What access control model does NTFS use? (A) Mandatory Access Control (MAC) (B) Discretionary Access Control (DAC) (C) Rule-based Access Control (RBAC) (D) Implicit allow
B - Discretionary Access Control (DAC): the file's owner sets its permissions.
Which of the following formulas represent the complexity of a password policy that requires users to use only upper and lower case letters with a length of eight characters? (A) 52^8 (B) 26^8 (C) 8^52 (D) 8^26
A - 52^8: each of the 8 positions can hold one of 52 characters (26 upper-case plus 26 lower-case letters).
Your password policy includes a password history. What else should be configured to ensure that users aren't able to easily reuse the same password? (A) Maximum age (B) Minimum age (C) Password masking (D) Password complexity
B - The minimum password age prevents users from changing the password again until some time has passed, such as one day, so they cannot cycle through the history in one sitting to get back to the old password.
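The following added example (not part of the flashcards) enforces the policies from the preceding cards in one place: a complexity check, password history with salted PBKDF2 hashes, a minimum age so the history cannot be cycled through, a 60-day expiry, and lockout after a fixed number of failed logons. It also includes the 52^8 keyspace formula and the LANMAN upper-case/split pre-processing described earlier. Every policy value other than the 60-day expiry, the account name and the sample passwords is an assumption.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy parameters (assumed values; only the 60-day expiry comes from the cards).
MIN_LENGTH = 8
HISTORY_DEPTH = 5                 # remember this many previous passwords
MIN_AGE = timedelta(days=1)       # must wait this long between changes
MAX_AGE = timedelta(days=60)      # expiry
MAX_ATTEMPTS = 5                  # failed logons before lockout
LOCKOUT = timedelta(minutes=15)   # lockout expires on its own
PBKDF2_ITERATIONS = 50_000        # low for a demo; use far more in production

T0 = datetime(2024, 1, 1, 9, 0)   # constructed reference clock


def at(**delta):
    return T0 + timedelta(**delta)


def keyspace(alphabet_size, length):
    """Candidate passwords an exhaustive search must try: alphabet^length."""
    return alphabet_size ** length


def lm_halves(password):
    """LANMAN pre-processing: upper-case, pad to 14 bytes, split into two 7-byte
    halves that are hashed independently, so case is lost and an attacker
    cracks two short pieces instead of one long password."""
    padded = password.upper().ljust(14, "\0")[:14]
    return padded[:7], padded[7:]


def complex_enough(password):
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    return len(password) >= MIN_LENGTH and sum(classes) >= 3


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class Account:
    def __init__(self, name, password, now):
        self.name = name
        self.history = []          # (salt, derived_key) pairs, newest last
        self.changed_at = now
        self.failed = 0
        self.locked_until = None
        self._store(password, now)

    def _store(self, password, now):
        salt = os.urandom(16)      # fresh salt per password, never reused
        self.history.append((salt, _derive(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]
        self.changed_at = now

    def _matches(self, password, entry):
        salt, key = entry
        return hmac.compare_digest(_derive(password, salt), key)

    def change_password(self, old, new, now):
        """Return None on success, otherwise the reason the change was refused."""
        if not self._matches(old, self.history[-1]):
            return "current password incorrect"
        if now - self.changed_at < MIN_AGE:
            return "minimum age not reached"
        if not complex_enough(new):
            return "complexity requirement not met"
        if any(self._matches(new, e) for e in self.history):
            return "reuse blocked by password history"
        self._store(new, now)
        return None

    def login(self, password, now):
        if self.locked_until and now < self.locked_until:
            return "locked out"
        if self._matches(password, self.history[-1]):
            self.failed = 0
            if now - self.changed_at > MAX_AGE:
                return "ok, password expired: change required"
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self.failed = 0
            self.locked_until = now + LOCKOUT
            return "locked out"
        return "invalid"


if __name__ == "__main__":
    acct = Account("jdoe", "Winter-2024x", T0)
    for _ in range(MAX_ATTEMPTS):
        print(acct.login("guess", T0))                       # invalid x4, then locked out
    print(acct.login("Winter-2024x", at(minutes=1)))         # still locked out
    print(acct.change_password("Winter-2024x", "Spring-2024y", at(hours=1)))
    print(acct.change_password("Winter-2024x", "Spring-2024y", at(days=2)))
    print(acct.change_password("Spring-2024y", "Winter-2024x", at(days=4)))
    print(keyspace(52, 8), lm_halves("Password123"))
```

Lockout is the most direct answer to online brute force, but it also hands anyone who knows valid usernames a way to lock people out; a short lockout that expires on its own, as above, limits that side effect compared with one that needs an administrator to clear.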
You want to ensure that data is only viewed by authorized users. What security principle are you trying to enforce? A confidentiality B integrity C availability D authentication
A - Confidentiality ensures that data is viewable only by authorized users; it is enforced with access controls and encryption.
How can integrity be enforced?
Integrity can be enforced with hashing.
How can availability be ensured?
Power Systems
cooling systems
Various fault tolerance techniques
Redundancy techniques
Does authentication provide confidentiality?
No. Authentication proves a person's identity and is the first step in access control, but by itself it does not provide confidentiality.
What is the best way to protect the confidentiality of data? A authentication B encryption C hashing D PaaS
B - Encryption protects the confidentiality of data. You can encrypt any type of data, including sensitive data stored on a server, a desktop, a mobile device, or within a database.
You want to ensure that the data has not been changed between the time when it was sent and the time it arrived at its destination. What provides this assurance? A confidentiality B integrity C availability D authentication
B - Integrity provides assurance that the data has not been modified and is enforced with hashing.
A database administrator is tasked with increasing the retail prices of all products in a database by 10 percent. The administrator writes a script that performs a bulk update on the database and executes it. However, all retail prices double (a 100% increase instead of 10%). What has been lost? A confidentiality B integrity C hashing D authentication
B - The database lost integrity through an unintended change.
Your organization is addressing single points of failure as a potential risk to security. What are they addressing? A confidentiality B integrity C availability D authentication
C - Availability
An organization hosts a data center full of servers used to support a large online e-commerce business. Which one of the following choices would increase the availability of the data center? A encryption B hashing C generators D integrity
C - Generators
You are planning to host a free online forum for users to share IT security-related information with each other. Any user can anonymously view data. Users can post messages after logging in, but you do not want users to be able to modify other users posts. What levels of confidentiality integrity and availability should you seek?
A. low confidentiality, low integrity, and low availability
B. medium confidentiality, low integrity, and high availability
C. high confidentiality, low integrity, and low availability
D. no confidentiality, medium integrity, and medium availability
D - Data can be viewed anonymously, so no confidentiality is needed. You do not want users to modify other users' posts, so integrity is medium. The site is free, but you do want users to be able to access it when needed, so availability is medium.
What is the purpose of risk mitigation?
A reduce the chances that a threat will exploit a vulnerability
B reduce the chances that a vulnerability will exploit a threat
C eliminate risk
D eliminate threats
A - risk mitigation reduces the chances that a threat will exploit a vulnerability. Risk is the likelihood that a threat such as the attacker, will exploit a vulnerability.
What security methods does confidentiality use?
It uses authentication combined with access controls and cryptography.
What are the two key concepts related to confidentiality?
1. Confidentiality ensures that data is only viewed by authorized users. Unauthorized personnel are not able to access this information.
2. Encryption also enforces confidentiality. You can use various encryption algorithms to encrypt (cipher) the data to make it unreadable.
Name two key concepts relating to integrity.
1. Integrity provides assurance that the data has not been modified, tampered with, or corrupted. Loss of integrity means the data is different from what it should be. Unauthorized users can change data, or changes can occur through system or human error.
2. Hashing verifies integrity. A hash is a fixed-size numeric value created by executing a hashing algorithm against a message or a file; if the data changes, the hash changes.
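A worked integrity check, added here and not taken from the flashcards: a manifest of SHA-256 digests is built over a set of files (constructed in-memory contents standing in for files on disk), and re-verification reports what was modified, removed or added, using the doubled-prices mistake from an earlier card as the sample change. It also shows the caveat the cards leave out: a plain hash only catches changes made by someone who cannot also rewrite the manifest, so a keyed tag (HMAC, which the flashcards do not cover) is included for comparison. File names, contents and the key are assumptions.

```python
import hashlib
import hmac

# Constructed sample "files": name -> contents (stands in for a directory on disk).
ORIGINAL = {
    "prices.csv": b"sku,price\n1001,10.00\n1002,25.50\n",
    "readme.txt": b"Nightly export, do not edit by hand.\n",
}


def digest(data, key=None):
    """SHA-256 of the data; with a key, an HMAC-SHA256 tag instead."""
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_manifest(files, key=None):
    """Record one digest per file; this is what gets stored alongside the data."""
    return {name: digest(data, key) for name, data in files.items()}


def verify_manifest(files, manifest, key=None):
    """Map each name to 'ok', 'modified', 'missing' or 'unexpected'."""
    report = {}
    for name, expected in manifest.items():
        if name not in files:
            report[name] = "missing"
        elif hmac.compare_digest(digest(files[name], key), expected):
            report[name] = "ok"
        else:
            report[name] = "modified"
    for name in files:
        if name not in manifest:
            report[name] = "unexpected"
    return report


def tampered_copy(files):
    """Simulate the bulk-update mistake plus an attacker's edits: prices doubled,
    the readme removed, and an extra file dropped in."""
    copy = dict(files)
    copy["prices.csv"] = b"sku,price\n1001,20.00\n1002,51.00\n"
    del copy["readme.txt"]
    copy["backdoor.sh"] = b"#!/bin/sh\n"
    return copy


if __name__ == "__main__":
    manifest = build_manifest(ORIGINAL)
    changed = tampered_copy(ORIGINAL)
    print(verify_manifest(changed, manifest))
    # A plain hash only detects changes by someone who cannot also republish
    # the manifest: an attacker who rewrites both passes verification.
    print(verify_manifest(changed, build_manifest(changed)))
    # A keyed tag binds the manifest to a secret the attacker does not hold
    # (assumed key; keep it away from the file store).
    key = b"manifest-signing-key"
    print(verify_manifest(changed, build_manifest(changed, b"attacker-guess"), key))
```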
Which of the following options makes use of a token? A. Smart card B. Mantrap C. DNA scanner D. Retinal scanner
A. Smart card
Which device is a smart card deployed by the DoD? A. Mantrap B.CCTV C. CAC D. Bollard
C. CAC (Common Access Card)
Which examples implement the principles of the AIC triad?
A. Data classification to ensure information is available on a need-to-know basis
B. Unencrypted data that can be accessed by the general public
C. Secure update programs that limit access of information to specific authorized users
D. An active malicious code system that protects organizations from DoS attacks.
E. Data that is transferred by word of mouth to ensure integrity.
A, C, D
Stored and transferred information should be secured according to the three principles of the AIC triad.
What do access control systems implement?
Identification, authentication, authorization and accounting processes
What does AIC Triad stand for?
Availability
Integrity
Confidentiality
Name the 4 main processes that make up an Access Control System
Identification - unique identifier for a person
Authentication - proving you are who your identifier says you are
Authorization - you have permissions
Accounting - monitoring the resource and who accesses it
List the 4 types of authorization models
- Discretionary access control (DAC) - the owner decides who gets access
- Role-based access control (RBAC) - the user holds a role that carries the permissions
- Mandatory access control (MAC) - clearance levels and labels, enforced by system rules
- Rule-based access control - e.g., RBAC and MAC, where the rules belong to the system
Rule-based access control
is any sort of access control whose rules are governed by the system rather than by the owner; RBAC and MAC fall into this category.
It is referred to as non-discretionary because, no matter who the user may be, their access is restricted by the system's rules, which helps protect the system from configuration errors.
List the principles that govern RBAC and MAC
Implicit deny - when a subject requests access to a resource, the request is denied unless a rule specifically allows it.
Least privilege - give subjects access only to the resources they need to perform their job.
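A small policy engine, added as an example (not from the flashcards), that puts the four models and the two principles above side by side: a rule-based layer that looks only at the request (source network and time of day, as in the call-center and network-based questions earlier), a MAC layer that compares an administrator-set label with the subject's clearance, then a DAC grant (owner, or an entry the owner wrote into the ACL) or an RBAC grant (role-to-permission table), and implicit deny when nothing matches. The user names, the file, the label ordering, the network range and the working hours are all constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

# Ordered sensitivity labels: a higher index means more sensitive (assumption).
LEVELS = ["public", "confidential", "secret", "top-secret"]

# RBAC: permissions hang off roles, never off individual users.
ROLE_PERMS = {"sales": {"read", "write"}, "auditor": {"read"}}

# Rule-based: conditions on the request itself, applied to everyone alike.
ALLOWED_NET = ip_network("10.0.0.0/8")          # assumed internal network
WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumed working hours


@dataclass
class Subject:
    name: str
    clearance: str = "public"
    roles: set = field(default_factory=set)


@dataclass
class Resource:
    name: str
    owner: str
    label: str = "public"                        # MAC label, set by administrators
    acl: dict = field(default_factory=dict)      # DAC: {user: {perms}}, set by owner


def rule_check(src_ip, now):
    """Identity plays no part here: only where and when the request comes from."""
    if ip_address(src_ip) not in ALLOWED_NET:
        return "rule: source %s is outside %s" % (src_ip, ALLOWED_NET)
    if not WORK_START <= now <= WORK_END:
        return "rule: %s is outside working hours" % now.strftime("%H:%M")
    return None


def mac_check(subject, resource):
    """A subject needs clearance at least as high as the object's label."""
    if LEVELS.index(subject.clearance) < LEVELS.index(resource.label):
        return "mac: clearance %s is below label %s" % (subject.clearance, resource.label)
    return None


def dac_grants(subject, resource, perm):
    if subject.name == resource.owner:
        return True
    return perm in resource.acl.get(subject.name, set())


def rbac_grants(subject, perm):
    return any(perm in ROLE_PERMS.get(role, set()) for role in subject.roles)


def authorize(subject, resource, perm, src_ip, now):
    """Return (allowed, reason). Any layer may deny; only an explicit grant allows."""
    for denial in (rule_check(src_ip, now), mac_check(subject, resource)):
        if denial:
            return False, denial
    if dac_grants(subject, resource, perm):
        return True, "dac: owner or ACL entry"
    if rbac_grants(subject, perm):
        return True, "rbac: role grants %s" % perm
    return False, "implicit deny: no rule grants %s" % perm


# Constructed sample data for the demonstration.
FORECAST = Resource("forecast.xlsx", owner="alice", label="confidential",
                    acl={"carol": {"read"}})
USERS = {
    "alice": Subject("alice", "confidential", {"sales"}),
    "bob":   Subject("bob", "public", {"auditor"}),
    "carol": Subject("carol", "confidential"),
    "dave":  Subject("dave", "confidential", {"sales"}),
}


def demo(user, perm, src_ip="10.1.2.3", hour=10):
    return authorize(USERS[user], FORECAST, perm, src_ip, time(hour, 0))


if __name__ == "__main__":
    for user, perm in [("alice", "write"), ("bob", "read"), ("carol", "read"),
                       ("carol", "write"), ("dave", "write")]:
        print(user, perm, demo(user, perm))
    print("alice from outside at night", demo("alice", "read", "203.0.113.7", hour=22))
```

Real systems normally pick one model (NTFS uses DAC; SELinux adds MAC on top of it); stacking them here only makes visible that every layer can deny but nothing short of a DAC or RBAC entry can grant, which is what implicit deny means in practice.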
What is Kerberos?
Kerberos is a network authentication protocol used within a Microsoft Active Directory domain or a UNIX realm. It uses a database of objects (e.g., AD) and a Key Distribution Center (KDC) to issue time-stamped tickets that expire after a set period. It requires time synchronization between hosts and uses port 88.
How does Kerberos help prevent replay attacks?
In a replay attack, a third party intercepts a ticket and tries to reuse it to impersonate the client; the timestamp limits how long an intercepted ticket can be used.
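The ticket, timestamp and replay checks described in the two Kerberos cards above, as an added toy example that is not Kerberos itself and not from the flashcards: a KDC shares a long-term symmetric key with each service and issues a ticket carrying a fresh session key plus issue and expiry times; the client proves possession of the session key with a freshly timestamped authenticator; the service rejects expired tickets, authenticators outside the allowed clock skew, and any authenticator it has already accepted. Because the Python standard library has no AES, ticket and authenticator are protected with HMAC-SHA256 tags instead of the symmetric encryption real Kerberos uses, so this toy shows the time-based checks but does not keep the session key confidential on the wire. Key sizes, skew, lifetime and all names are assumptions.

```python
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta

SKEW = timedelta(minutes=5)            # tolerated clock difference (assumed)
TICKET_LIFETIME = timedelta(hours=8)   # assumed ticket validity period
T0 = datetime(2024, 1, 1, 9, 0, 0)     # constructed reference clock


def at(**delta):
    return T0 + timedelta(**delta)


def _tag(key, fields):
    """Authenticity tag standing in for Kerberos's symmetric encryption."""
    payload = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class KDC:
    def __init__(self):
        self.service_keys = {}     # long-term symmetric keys shared with services

    def register_service(self, name):
        self.service_keys[name] = os.urandom(32)
        return self.service_keys[name]

    def issue_ticket(self, client, service, now):
        session_key = os.urandom(32)
        body = {"client": client, "service": service,
                "issued": now.isoformat(),
                "expires": (now + TICKET_LIFETIME).isoformat(),
                "session_key": session_key.hex()}
        ticket = {"body": body, "tag": _tag(self.service_keys[service], body)}
        return ticket, session_key       # session key is also given to the client


def make_authenticator(client, session_key, now):
    """Client side: a fresh timestamp bound to the session key."""
    body = {"client": client, "timestamp": now.isoformat()}
    return {"body": body, "tag": _tag(session_key, body)}


class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.replay_cache = set()   # (client, timestamp) pairs already accepted

    def accept(self, ticket, authenticator, now):
        body = ticket["body"]
        if not hmac.compare_digest(ticket["tag"], _tag(self.key, body)):
            return "reject: ticket was not issued under this service's key"
        if body["service"] != self.name:
            return "reject: ticket is for another service"
        if now > datetime.fromisoformat(body["expires"]):
            return "reject: ticket expired"
        auth = authenticator["body"]
        session_key = bytes.fromhex(body["session_key"])
        if not hmac.compare_digest(authenticator["tag"], _tag(session_key, auth)):
            return "reject: authenticator not made with the session key"
        if auth["client"] != body["client"]:
            return "reject: authenticator does not match ticket client"
        stamp = datetime.fromisoformat(auth["timestamp"])
        if abs(now - stamp) > SKEW:
            return "reject: authenticator timestamp outside allowed skew"
        seen = (auth["client"], auth["timestamp"])
        if seen in self.replay_cache:
            return "reject: replayed authenticator"
        self.replay_cache.add(seen)
        return "accept: " + auth["client"]


if __name__ == "__main__":
    kdc = KDC()
    fileserver = Service("fileserver", kdc.register_service("fileserver"))
    ticket, session_key = kdc.issue_ticket("alice", "fileserver", T0)
    auth = make_authenticator("alice", session_key, at(seconds=1))
    print(fileserver.accept(ticket, auth, at(seconds=2)))   # accepted
    print(fileserver.accept(ticket, auth, at(seconds=3)))   # same authenticator: replay
    print(fileserver.accept(ticket, auth, at(hours=9)))     # ticket expired
```

The skew check is why the card says Kerberos needs time synchronization: a client whose clock is more than SKEW off produces authenticators that the service rejects as stale even when the ticket itself is valid.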
Which type of cryptography does Kerberos use?
A. Asymmetric
B. Symmetric
B - Symmetric
Explain mutual authentication
When both parties in a session (client and server) authenticate to each other before exchanging data.
MS-CHAPv2 uses mutual authentication (MS-CHAP v1 authenticates only the client).
Which access control model uses security labels for each resource?
Mandatory Access Control (MAC)
If the user is NOT prompted for credentials when connected to a Network Access Control (NAC) server, what is the user’s computer missing?
Authentication agent
Which type of access control associates roles with each user?
Role-Based Access Control (RBAC)
Which type of access control was originally developed for military use?
Mandatory Access Control (MAC)
What is the purpose of Remote Authentication Dial-In User Service (RADIUS)?
It enables remote access users to log on to a network through a shared authentication database.
Which access control model requires assigning security clearance levels to users, such as secret, top-secret, and confidential?
Mandatory Access Control (MAC)
What is the purpose of technical controls?
Restrict access to objects and protect availability, confidentiality, and integrity
What is the term for a device that acts as a concentrator for a wireless LAN?
Wireless Access Point (WAP)
What is the purpose of Network Access Control (NAC)?
It ensures that the computer on the network meets an organization’s security policies.
What is the purpose of a sandbox in a Java applet?
It prevents Java applets from accessing unauthorized areas on a user’s computer.
Which IEEE standard uses a wireless access point with a Remote Authentication Dial-In User Service (RADIUS) server to authenticate wireless users?
802.1X (port-based network access control)
Which type of controls includes controlling access to different parts of a building, implementing locking systems, installing fencing, implementing environmental controls, and protecting the facility perimeter?
Physical Controls
Who can change a resource’s category in a mandatory access control environment?
Administrators only
Which function does a single sign-on (SSO) system provide?
It allows a user to present authentication credentials once and gain access to all computers within the SSO system.
Which access control model has the lowest cost?
Role-Based Access Control (RBAC)
Which audit category tracks access to all objects outside Active Directory?
Audit Object Access
What does the acronym DAC stand for?
Discretionary Access Control
What is the purpose of physical controls?
Work with administrative and technical controls to enforce physical access control
What is the purpose of MAC filtering?
Restrict the clients that can access a wireless network
Is the Triple-DES algorithm symmetric or asymmetric?
Symmetric