Chap 3 - Identity Access Mgmt

Question 1

what is access control

Answer 1

means to ensure that access to assets is authorized and restricted based on business and security requirements

Question 2

what is a subject

Answer 2

any person, process, device or entity that wants to access and object (data)

Question 3

what is an object

Answer 3

information assets or systems resources

Question 4

what is Identity lifecycle (IAM)

Answer 4

1. new ID request
2. ID provisioning - establishing access
3. authentication (per attempt)
4. authorization
5. accounting (track during access/after)
6. User behavior review
7. disable and deprovision OR job/duty change review

Question 5

who grant access to data

Answer 5

DATA OWNER, asset owner reviews the request and provides access approval or rejection to the data custodian that implements it

Question 6

what is authentication

Answer 6

the verification of a claim of identity by a user, process, device

Question 7

what is authorization

Answer 7

a. initial decision to grant access/ permission to an ID

b. real-time confirmation that a request to perform an action by a subject towards a given object

Question 8

what is accounting/accountability

Answer 8

ID mgmt function that tracks every action involving every identity defined in the system

in form form of logs, these are store/analized using tech e.g., SIEM

Question 9

what is user behavior review

Answer 9

organization should define sets or patterns of user behaviors that are acceptable and expected in most circumstance to detect extra-ordinary activities

Question 10

what is “privilege creep”

Answer 10

do not relinquish permissions that are not needed

Question 11

ID access disable and deprovision

Answer 11

deactivation of permissions throughout the systems.

Accounts are not deleted but disabled.

the data custodian or other IAM administrators perform these tasks

Question 12

common issue identifiable when conducting account access review

Answer 12

1. inactive accounts not revoked
2. user accounts with excessive permissions
3. user accounts without permissions

Question 13

Security identifiers defaults accounts in Microsoft windows

Answer 13

1. Administrator
2. default account
3. guest
4. domain administrator

Question 14

how to reduce risk of credential misuse

Answer 14

Multi-factor authentication (MFA)

Question 15

types of privilege escalation attacks

Answer 15

1. vertical privilege escalation
2. horizontal privilege escalation

Question 16

what is IAAA

Answer 16

Identification
Authentication
Authorization
Accountability

Question 17

what is CIANA+PS

Answer 17

Confidentiality
Integrity
Availability
Non-repudiation
Accountability
Privacy
Safety

Question 18

Bell-LaPadula security model

Answer 18

1. Subject cannot read/access object of higher classification
2. subject can only save an object at same or higher classification (no write down)
3. Subject can on write/edit at same classification level

Question 19

Biba security model

Answer 19

1. subject cannot read/observe an object of lower integrity (no read down)
2. subject cannot modify an object of higher integrity (no write up)
3. subject can only request access to same or lower integrity level

Question 20

which security model is known for preventing conflict or interest (Ethical Waals)

Answer 20

Brewer and Nash

Question 21

which security model improved Biba by addressing the integrity at the transaction level

Answer 21

Clark-Wilson

Question 22

Graham-Denning security model

Answer 22

Focus on HOW subject and objects are created

Question 23

2 key modern security model - access control models (AC)

Answer 23

1. Discretionary access control (DAC)
2. Mandatory access control (MAC)

Question 24

types of access control models (AC)

Answer 24

1. Discretionary access control (DAC)
2. Mandatory access control (MAC)
3. Non-discretionary access control (NDAC) -> most common (central authority making policies)
4. Role-based access control (RBAC)
5. Rule-based access control (RuBAC)
6. Attribute-based access control (ABAC)

Question 25

Common type of privileged accounts mgmt

Answer 25

1. system admin
2. Help desk or IT support
3. security analyst
4. others

Question 26

type of IAM administration choices/implementation

Answer 26

1. CENTRALIZED: one function is responsible for configurating the ACs
2. DECENTRALIZED or DISTRIBUTED: ACs are controlled by owners or creators of the files
3. HYBRID: Centralized control exercised for some information and decentralized control allowed for other information (less sensitive)

Question 27

what are logical access control systems

Answer 27

Logical access control systems as automated systems that
- authorize or deny use to user
- authorize or permit user
- identity registered and approved in system

Question 28

what is a credential management system

Answer 28

software that issue and manage credentials

CMS software can be used as part of public key infrastructure (PKI) systems, as well as issuing 2-factor-authentication (2FA)

Question 29

what are the key identity credential access mgmt rules for building a sound credential architecture in Fed ageny

Answer 29

1. sponsorship
2. enrollment
3. credential production
4. issuance
5. credential lifecycle mgmt

Question 30

authentication: what are the standard evidence for being allowed access -> 3 types of primary factors/evidence

Answer 30

1. Something you know -> e.g., password
2. Something you have -> e.g., token, smart card
3. something you are/do -> e.g., biometric or fingerprint

Question 31

Single-Factor VS. Multi-Factor authentication

Answer 31

1. Single: only 1x type of authentication evidence required (eg password)
2. Multi: more than 1x factor to authenticate (eg. password & SMS token/RSA token)

Question 32

what are the two type of access control tokens

Answer 32

1. Physical security token: address the “something you have” part of MFA challenge
2. logical access token: data package generated by AC system for authentication of user that contain info about ID, privilege granted and other

Question 33

what is an identity assurance level (IAL)

Answer 33

refers to the identity proofing process –> convey the degree of confidence that the applicant claim ID is real

Question 34

what are the 3 identity insurance levels (IAL)

Answer 34

IAL1 - attributes are self-asserted
IAL2 - verified in person or remotely (min SP 800-63A)
IAL3 - in person ID proofing required (physical docs)

AAL - authenticator assurance level
FAL - Federation assurance level

Question 35

what is a single sign-on (SSO)

Answer 35

centralized repository of user credentials, such as user IDs and password, associated with a suite of application

Question 36

what are key SSO imitations, risks and challenges

Answer 36

1. Legacy systems
2. single point of failure
3. password synchronization

Question 37

type of errors in access control

Answer 37

Type 1 or FRR -> False rejection rate

Type 2 or FAR -> False acceptance rate (most DANGEROUS)

the optimal point where they crossover is –> Crossover error rate (CER)

Question 38

what is Just-In-Time identity (JIT)

Answer 38

provides on-demand real-time creation and provisioning user ID, privileges escalation and de-escalation, -> full ID lifecycle (incl. deprovision and termination)

Question 39

what are some key use case of Just-In-Time identity (JIT)

Answer 39

1. PAM -> privilege account mgmt
2. privilege session mgmt
3. endpoint privilege mgmt
4. remote help desk

Question 40

what is Kerberos and essential goal

Answer 40

kerberos is based on symmetric encryption and a secret key shared among the participants (key are on the network)

primary goal of kerberos is to ensure private communications between systems over a network

Question 41

What is the Kerberos ticket exchange process

Answer 41

1. user ping kerberos -> request for ticket
2. kerberos provide authentication ticket (TGT)
3. user send TGT to kerberos to get service ticket
4. kerberos provide service ticket
5. user share service ticket to server to authenticate

Question 42

issues with Kerberos

Answer 42

1. single point of failure
2. length of key

Question 43

what is security assertion markup language (SAML)

Answer 43

tip: same as telecommunication authentication

3 roles: IdP / SP/RP / user agent

Question 44

SAML 4 primary components

Answer 44

1. assertion
2. binding
3. protocols –> SOAP and HTTP
4. profiles

Question 45

what is Open Authorization (OAuth)

Answer 45

Tip: think about OKTA

enables 3rd party application to obtain limited access to an HTTP service on behalf of a resource

Question 46

what are the 4 roles of OAuth standard

Answer 46

1. resource owner
2. resource server
3. client application
4. authorization server

Question 47

The Acme Widgets Company is putting new controls in place for its accounting department. Management is concerned that a rogue accountant may be able to create a new false vendor and then issue checks to that vendor as payment for services that were never rendered. What security control can best help prevent this situation?

Answer 47

Separation of duties

Question 48

An accounting employee at Doolitte Industries was recently arrested for participation in an embezzlement scheme. The employee transferred money to a personal account and then shifted funds around between other accounts every day to disguise the fraud for months. Which one of the following controls might have best allowed the earlier detection of this fraud?

Answer 48

Mandatory vacation

Question 49

Sally is blocked from reading the file due to the Biba integrity model. Sally has a Secret security clearance and the file has a Confidential classification. What principle of the Biba model is being enforced?

Answer 49

Simple Integrity Property

The Simple Integrity Property states that an individual may not read a file classified at a lower security level than the individual’s security clearance

Question 50

Harry’s request to write to the data file is blocked. Harry has a Secret security clearance and the data file has a Confidential classification. What principle of the Bell-LaPadula model blocked this request?

Answer 50

*-Security Property

The *-Security Property states that an individual may not write to a file at a lower classification level than that of the individual. This is also known as the confinement property.

Question 51

Sally is blocked from writing to the data file by the Biba integrity model. Sally has a Secret security clearance and the file is classified Top Secret. What principle is preventing her from writing to the file?

Answer 51

*-Integrity Property

The *-Integrity Property states that a subject cannot modify an object at a higher security level than that possessed by the subject

Question 52

The Bell-LaPadula and Biba models implement state machines in a fashion that uses what specific state machine model?

Answer 52

Information flow

Question 53

what type of threats does the Biba model of access control address

Answer 53

It focuses on protecting objects from external threats.

Question 54

Which of the following is best described as an access control model that focuses on subjects and identifies the objects that each subject can access?

Answer 54

A. An access control list
B. An implicit denial list
C. A capability table –> correct answer
D. A rights management matrix

Question 55

Jim’s organization-wide implementation of IDaaS offers broad support for cloudbased applications. The existing infrastructure for Jim’s company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company’s onsite identity needs?

Answer 55

Use an on-premise third-party identity service.

Question 56

what are the type of authentication factor?

Answer 56

Type 1 factors are “something you know,”

Type 2 factors are “something you have.”

type 3 factors are “something you are,”

Question 57

What type of attack can be prevented by using a trusted path?

Answer 57

Login spoofing

Question 58

Callback to a home phone number is an example of what type of factor?

Answer 58

Somewhere you are

Question 59

Which of the following AAA protocols is the most commonly used?

Answer 59

TACACS+

Question 60

what protocol use single sign-on implementation?

Answer 60

Kerberos,

Active Directory Federation Services (ADFS),

Central Authentication Services (CAS)

Question 61

What type of access controls allow the owner of a file to grant other users access to it using an access control list?

Answer 61

Discretionary

Note: Non-discretionary access controls apply a fixed set of rules to an environment to manage access

Question 62

Jacob is planning his organization’s biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?

Answer 62

Retina scans can reveal information about medical conditions.

HIPPA compliance

Question 63

Mandatory access control is based on what type of model?

Answer 63

Lattice based

Question 64

what is RADIUS

Answer 64

an authentication protocol commonly used for backend services

Question 65

what is TACACS+

Answer 65

Is an AAA protocol
only TACAC protocol used today

Question 66

what is implicit denial

Answer 66

all action that is not explicitly authorized for a subject should be denied

Question 67

what is Access Control List (ACLs)

Answer 67

listing of subjects and their permissions on objects and group of objects

Question 68

what is Discretionary Access Control (DAC)

Answer 68

systems allow the owners of objects to modify the permissions that other users have on those objects

Question 69

what is a Mandatory Access Control (MAC)

Answer 69

systems enforce predefined policies that users may not modify

Question 70

what is role-based access control

Answer 70

assign permissions to individuals users based on their role in the organization

Question 71

what is a rainbow table attack

Answer 71

precompute hash values for use in comparison