CISSP ch 13

Question 1

IAM

Answer 1

Identity and Access Management

Question 2

Identification

Answer 2

the process of a subject claiming or professing an identity

Question 3

Authentication

Answer 3

verifying a subject’s identity by comparing one or more factors against a database of valid identities, such as user accounts

Question 4

KBA

Answer 4

Knowledge based authentication

Question 5

Cognitive password

Answer 5

security questions

Question 6

authorization

Answer 6

indicates who is trusted to perform specific operations = subjects are granted access to objects based on proven identities, for example, administrators grant users access to files based on the user’s proven identity

Question 7

accountability

Answer 7

users and other subjects can be held accountable for their actions when auditing is implemented; auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs

Question 8

Synchronous Dynamic Password Tokens

Answer 8

time based and synchronized with an authentication server

Question 9

Asynchronous Dynamic Password Tokens

Answer 9

does not use a clock, instead, PIN is generated based on an algorithm and an incrementing counter – typically, authentication server will send user a nonce which the user will enter into their hardware token

Question 10

FRR / Type I error

Answer 10

False rejection rate = Type I error = false negative

When an authentication system does not authenticate a valid user

Question 11

FAR / Type II error

Answer 11

False acceptance rate = Type II error = false positive

When an authentication system authenticates someone incorrectly

Question 12

CER / ERR

Answer 12

Crossover error rate = Equal error rate (ERR)

Point in authentication sensitivity where the FRR and FAR percentages are equal

Devices with lower CERs are more accurate than devices with higher CERs

Question 13

Reference profile / reference template

Answer 13

store sample of a biometric factor upon registration

Question 14

Throughput rate

Answer 14

amount of time the system requires to scan a subject and approve or deny access

Question 15

HOTP (two step authentication standards)

Answer 15

HMAC-based One-Time Password

HMAC = hash message authentication code

Hash function used to create values of six to eight number

Question 16

TOTP (two step authentication standards)

Answer 16

Time-based One-Time Password

Uses a timestamp and remains valid for a certain time frame

Question 17

IdM

Answer 17

Identity management

Question 18

Centralized Access control (identity management)

Answer 18

a single entity within a system performs all authorization verification

Question 19

Decentralized/distributed Access control (identity management)

Answer 19

various entities located throughout a system perform authorization verification

Question 20

SSO

Answer 20

Single sign-on

A centralized access control technique that allows a subject to be authenticated once on a system and access multiple resources without authenticating again

SSO is a benefit of identity management, not a type of identity management

Question 21

Directory service

Answer 21

a centralized database that includes information about subjects and objects, including authentication data

Question 22

LDAP

Answer 22

Lightweight Directory Access Protocol = used by many directory services

Question 23

AD DS

Answer 23

Microsoft Active Directory Domain Services = LDAP based directory service

Question 24

Security domain

Answer 24

a collection of subjects and objects that share a common security policy, and individual domains can operate separately from other domains

Question 25

Trusts

Answer 25

established between the domains to create a security bridge and allow users from one domain to access another domain’s resources; can be one way or two way

Question 26

FIM

Answer 26

Federated identity management = a form of SSO that extends beyond a single organization

Question 27

JIT provisioning

Answer 27

just-in-time provisioning = solutions that automatically create the relationship between two entities so that new users can access resources without any administrator intervention

Question 28

IDaaS

Answer 28

Identity as a service

Question 29

scripted Access / logon scripts

Answer 29

establish communication links by providing an automated process to transmit login credentials at the start of a login session

Question 30

OWASP

Answer 30

Open Web Application Security Project = publishes many different cheat sheets that provide application developers specific recommendations