Chapter 13- Managing Identity and Authentication (IAM)

Question 1

1. What is a subject?

Answer 1

Subject is an active entity that accesses a passive object to receive information from or data about an object.

Question 2

2. Subject can be:

Answer 2

users, programs, processes, services, computers or anything that can access a resource

Question 3

3. List company assets:

Answer 3

information (data), systems (IT e.g. fileserver), devices (servers, laptops), facilities (building) and personnel (staff)

Question 4

4. What is an object?

Answer 4

Object is a passive entity that provides information to active subjects.

Question 5

5. Examples of objects are:

Answer 5

files databases, computers, programs, processes, services, printers and storage media.

Question 6

6. What is the primary reason why organizations implement access control mechanisms?

Answer 6

to prevent losses.

Question 7

7. There are 3 categories of IT losses:

Answer 7

Loss of confidentiality, Integrity and Availability

Question 8

8. List security Triad (aka AIC triad, CIA Triad):

Answer 8

Confidentiality, Integrity and Availability.

Question 9

9. What is confidentiality?

Answer 9

Access Controls help ensure that only authorised subjects can access objects.

Question 10

10. What is integrity?

Answer 10

Integrity ensures that data or system configurations are not modified without authorization or that is authorized changes occur security controls detect the changes.

Question 11

11. What is availability?

Answer 11

Availability means that authorised requests for objects must be granted to subjects within a reasonable amount of time.

Question 12

12. Types of access control:

Answer 12

corrective, preventive and detective.

Question 13

13. What is Access Control?

Answer 13

Access Control is any hardware, software, administrative policy or procedure that controls access to resources.

Question 14

a

Answer 14

a

Question 15

15. List 4 other types of control

Answer 15

a

Question 16

16. What is Preventive Control:

Answer 16

Preventive Control attempts to thwart or stop unwanted or unauthorised activity from occurring

Question 17

17. What is Detective Access Control?

Answer 17

Detective attempts to discover or detect unwanted or unauthorised activity.

Question 18

18. What is Corrective Access Control:

Answer 18

Corrective Control modifies the environment to return the systems to normal after an unwanted or unauthorised activity has occurred.

Question 19

19. What are Deterrent Control?

Answer 19

Deterrent Access Control attempts to discourage security policy violations. it is very similar to preventive controls but depends on individuals deciding not to take unwanted action.

Question 20

20. What is Recovery Access Control?

Answer 20

Recovery Access Control attempts to repair or restore resources, functions and capabilities after a security policy violation.

Question 21

21. What is Directive Access Control?

Answer 21

Directive Access Control attempts to direct, confine or control the actions of subjects to force or encourage compliance with security policies.

Question 22

22. What are Compensating Access Control

Answer 22

A compensating Access Control provides an alternative when it is not possible to use a primary control. or when necessary to increase the effectiveness of a primary control.

Question 23

23. List access control types based on implementations:

Answer 23

physical, technical and administrative

Question 24

24. What are Administrative Access Controls?

Answer 24

Administrative Access controls are policies and procedures defined by an organisation’s security policy and other regulations or requirements. They are sometimes referred to as management controls.

Question 25

25. What is Logical or Technical Access Control?

Answer 25

Logical Access Control are the hardware or software mechanisms used to manage access and to provide protection for resources and systems. e.g. authentication methods, encryption, access control lists

Question 26

26. What is Physical Control?

Answer 26

Physical Access Control are item that you physically touch. They include physical mechanisms deployed to prevent, monitor or detect direct contact with systems or areas within a facility. e.g. mantraps, motion detectors, badges etc.

Question 27

27. What is Identification?

Answer 27

Identification is the process of a subject claiming or professing an identity. e.g. typing a user name, swiping a smartcard

Question 28

28. What is Authentication?

Answer 28

1. Authentication verifies the identity of the subject by comparing one or more factors against a database of valid identities.

Question 29

29. What is a single two step process?

Answer 29

A single two-step process occurs when identification and authentication occur together. Without both, a subject cannot gain access to a system.

Question 30

30. What is Authorization?

Answer 30

Authorization is a process where subjects are granted access to objects based on proven identities

Question 31

What is accountability?

Answer 31

Accountability means that Users and other data subjects can be held accountable for their actions when auditing is implemented.

Question 32

32. Audit logs provide________:

Answer 32

Non Repudiation

Question 33

33. List all or nothing aspects of access control:

Answer 33

identification and authentication because you either pass or fail with this.

Question 34

34. Auditing, logging and monitoring provide ________:

Answer 34

Accountability.

Question 35

35. List 3 authentication factors:

Answer 35

• Type 1 (weak): Something you know e.g. pin
• Type 2: Something you have e.g. smartcard, token
• Type 3 (stronger): Something you are or do e.g. fingerprints, keystroke dynamics i.e. behavioural biometrics.
• *Somewhere you are- identifies subject’s location.

Question 36

36. Describe Context-Aware Authentication.

Answer 36

. Mobile Device Management (MDM) systems use context-aware authentication to identify mobile device users. It can identify multiple elements such as the location of the user, the time of day, and the mobile device. If the user meets all the requirements (location, time, and type of device in this example), it allows the user to log on using the other methods such as with a username and password.

Question 37

37. What is Cognitive Password?

Answer 37

Cognitive Password is a series of challenge questions about facts or predefined responses that only the subject should know. e.g. What is your mother’s maiden name?

Question 38

38. Describe smartcards:

Answer 38

Smartcards is a credit-card sized ID or badge and has integrated circuit chip embedded in it. It is used for identification and authentication purposes.
• Most current smartcards include a microprocessor and one or more certificates.

Question 39

39. What are hardware tokens?

Answer 39

Hardware tokens are password generating devices that users carry with them.

Question 40

40. List 2 types of tokens:

Answer 40

Hardware tokens are password generating devices that users carry with them.

Question 41

41. What are Synchronous Dynamic Password Tokens?

Answer 41

Synchronous Dynamic passwords are time based and synchronized with an authentication server

Question 42

42. What are Asynchronous Dynamic Password Token?

Answer 42

Asynchronous Dynamic Password Tokens generates passwords based on an algorithm and an incrementing counter.

Question 43

43. What are hardware token problems:

Answer 43

if the token or hardware breaks users will not be able to gain access.

Question 44

44. List the standards that 2 step authorization use:

Answer 44

Hash Message Authentication Code (HMAC) One-Time Password (HOTP)
• Time-based One Time Passwords (TOTP)

Question 45

45. What is Hashed Message Authentication Code One-Time Passwords (HOTP)?

Answer 45

Hashed Message Authentication Code (HMAC) use HMAC-One Time Passwords to create onetime passwords. HOTP remains valid until used.

Question 46

46. What are Time One Time Passwords (TOTP)?

Answer 46

Timed One Time Passwords are valid for a certain timeframe and expires if not used.

Question 47

47. What is the difference between Retina Scans and Iris scans?

Answer 47

Retina scans focus on the pattern of blood vessels at the back of the eyes while IRIS scans focus on the coloured area of the eyes.

Question 48

48. What is False rejection?

Answer 48

False Rejection occurs when a valid user is not authenticated. This also called False Negative.

Question 49

49. What is False Acceptance Rate?

Answer 49

False Acceptance occurs when an invalid subject is authenticated. This also known as false positive or Type II error.

Question 50

50. What is False Rejection Rate (FRR):

Answer 50

False Rejection Rate (FRR) is the ratio of false rejections to valid authentications.

Question 51

51. What is False Acceptance Rate?

Answer 51

False Acceptance Rate (FAR) is the ratio of false positives to valid authentications.

Question 52

52. What is Enrolment (Registration) of biometrics?

Answer 52

Enrolment or Registration allows a biometric device to work as an identification and authentication mechanism

Question 53

53. What is Reference Profile?

Answer 53

Reference Profile or Template is the stored sample of a biometric factor.

Question 54

54. What is the throughput rate for biometrics?

Answer 54

The throughput rate is the amount of time the system requires to scan a subject and approve or deny access.

Question 55

55. What is multi-factor authentication?

Answer 55

this is any authentication using 2 or more factors

Question 56

56. What is Centralised Access Control?

Answer 56

Centralised Access Control implies that all authorisation verification is performed by a single entity within the system.

Question 57

57. What is decentralised Access Control

Answer 57

Decentralised Access control implies that various entities throughout a system perform authorization verification. (Distributed Access Control).

Question 58

58. What is Single Sign On (SSO)?

Answer 58

Single Sign On is a centralised access control technique that allows a subject to be authenticated once on a system and to access multiple systems without authenticating again

Question 59

59. Disadvantage of Single Sign On (SSO)?

Answer 59

Once an account is compromised an attacker gains unrestricted access to all other authorised resources

Question 60

60. Public-Key Infrastructure (PKI) uses ______ when integrating digital certificates into transmission.

Answer 60

Lightweight Directory Access Protocol (LDAP)

Question 61

61. What is Public Key Infrastructure?

Answer 61

This is a group of technologies used to manage digital certificates during a certificate lifecycle

Question 62

62. ________ and __________ can be used to support single sign on capabilities:

Answer 62

Lightweight Directory Access Control (LDAP) and Centralised access control systems.

Question 63

63. what is ticket Authentication?

Answer 63

Ticket Authentication is a mechanism that employs third party entity to prove identification and provide authentication. the most common ticket system is Kerberos.

Question 64

64. What is Kerberos?

Answer 64

Kerberos is a single sign on solution for users and provides protection for log on credentials.
• Kerberos provides confidentiality and integrity for authentication traffic.
• it helps protect against eavesdropping and replay attacks.

Question 65

65. List 5 key elements of Kerberos:

Answer 65

Key Distribution Center
•	Kerberos Distribution Center (KDC)
•	Kerberos Authentication Server
•	Ticket-Granting Ticket (TGT)
•	Ticket

Question 66

66. What is Key Distribution Center (KDC)?

Answer 66

Key Distribution Center is a trusted third party that provide authentication services. Uses symmetric cryptography.

Question 67

67. What is Kerberos Authentication Server?

Answer 67

Kerberos Authentication Server hosts the function of the key Distribution Center (KDC): a Ticket Granting Service (TGS) and Authentication Service (AS)

Question 68

68. What is Ticket Granting Ticket (TGT):

Answer 68

a Ticket Granting Ticket (TGT) provides proof that a subject has authenticated through a Key Distribution Center (KDC) and is authorised o request tickets to access other objects.

Question 69

69. What is a ticket?

Answer 69

A ticket is an encrypted message that provides proof that a subject is authorised to access an object.

Question 70

70. Disadvantage of using Kerberos?

Answer 70

Single Line of Failure if it stops working.

Question 71

71. What is Security Assertion Markup Language (SAML)?

Answer 71

Security Assertion Markup Language (SAML) is an XML based language that is used to exchange authentication and authorisation between federated organisations. it is used to provide SSO for browser access.

Question 72

72. What are Credential Management Systems?

Answer 72

Credential Management System provides a storage space for users to keep their credentials when Single Sign On is not available.

Question 73

73. What is Identity as a Service (IDaaS)?

Answer 73

Identity as a Service or Identity and access as a service (IDaaS) is a third party service that provides identity and access management.
• IDaaS effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based software as a service (SaaS) applications. e.g. google, Office 365

Question 74

74. What are AAA Protocols?

Answer 74

Protocols that provide Authentication, Authorisation and Accounting are referred to as AAA Protocols.
• These provide centralized access control with remote access systems such as virtual private networks (VPNs) and other types of network access servers.

Question 75

75. What is Remote Authentication Dial-in User Service (RADIUS)?

Answer 75

Remote Authentication Dial-in User Service centralizes authentication for remote connections. Many internet service providers (ISPs) use RADIUS for authentication.
• RADIUS uses the User Datagram Protocol (UDP).

Question 76

76. What is Terminal Access Controller Access Control Systems (TACACS+)?

Answer 76

Terminal Access Controller Access Control Systems was introduced as an alternative to RADIUS.
• It separates authentication, authorization, and accounting into separate processes, which can be hosted on three separate servers if desired.
• TACACS+ encrypts all of the authentication information.
• TACACS and XTACACS use UDP port 49
• TACACS+ uses Transmission Control Protocol (TCP) port 49.

Question 77

77. What is Diameter?

Answer 77

It supports a wide range of protocols, including traditional IP, Mobile IP, and Voice over IP (VoIP).
• Diameter uses TCP port 3868 or Stream Control Transmission Protocol (SCTP) port 3868
• It also supports Internet Protocol security (IPsec) and Transport Layer Security (TLS) for encryption.

Question 78

78. What is excessive privilege?

Answer 78

excessive privilege occurs when users have more privileges than their work tasks dictate. Unnecessary privileges should be revoked.

Question 79

79. What are creeping privileges?

Answer 79

Creeping privileges (privilege creep involves a user account accumulating privileges over time as job roles and assigned tasks change but unnecessary privileges are never removed.

Question 80

80. What is the principle of Least Privilege?

Answer 80

The principle of least privilege ensure that subjects are granted only the privileges that they need to perform their wok tasks and job functions but no more.

Question 81

a

Answer 81

a

Question 82

a

Answer 82

a

Question 83

a

Answer 83

a

Question 84

a

Answer 84

a

Question 85

a

Answer 85

a