CISSP ch 13 Flashcards
IAM
Identity and Access Management
Identification
the process of a subject claiming or professing an identity
Authentication
verifying a subject’s identity by comparing one or more factors against a database of valid identities, such as user accounts
KBA
Knowledge based authentication
Cognitive password = security questions (e.g. mother's maiden name, first pet)
Weak as a sole factor because the answers are often guessable or discoverable from public records and social media
authorization
indicates who is trusted to perform specific operations = subjects are granted access to objects based on proven identities, for example, administrators grant users access to files based on the user’s proven identity
accountability
users and other subjects can be held accountable for their actions when auditing is implemented; auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs
Synchronous Dynamic Password Tokens
time based and synchronized with an authentication server
Asynchronous Dynamic Password Tokens
does not use a clock; the one-time password is derived from an algorithm plus an incrementing counter (as in HOTP) and stays valid until it is used, or, in challenge-response mode, the authentication server sends the user a nonce which the user enters into the hardware token to produce the response
FRR / Type I error
False rejection rate = Type I error = false negative
When an authentication system does not authenticate a valid user
FAR / Type II error
False acceptance rate = Type II error = false positive
When an authentication system authenticates an invalid subject (an impostor) as a valid one
CER / EER
Crossover error rate = Equal error rate (EER)
Point in authentication sensitivity where the FRR and FAR percentages are equal
Devices with lower CERs are more accurate than devices with higher CERs
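The FRR, FAR and CER cards above define the three rates but not how they come out of a biometric system's tuning. The following is an added example (not from the flashcards or the CISSP text): it sweeps a decision threshold over constructed match scores, computes FAR and FRR at each threshold, and locates the crossover. The score lists are made up for illustration and are not output from any real sensor.

```python
"""Added example: sweep a biometric decision threshold and locate the
crossover error rate (CER/EER). Scores are constructed match scores in the
range 0-100, not output from any real sensor."""

# Constructed data: similarity scores produced when legitimate users ("genuine")
# and other people ("impostor") are compared against the same reference template.
GENUINE_SCORES = [95, 90, 85, 80, 75, 70, 60, 50, 40, 30]
IMPOSTOR_SCORES = [10, 20, 30, 35, 40, 45, 55, 60, 70, 80]


def error_rates(genuine, impostor, threshold):
    """Accept a match when score >= threshold. Returns (FAR, FRR).

    FAR (Type II error): fraction of impostor attempts that are accepted.
    FRR (Type I error): fraction of genuine attempts that are rejected.
    Raising the threshold lowers FAR and raises FRR; lowering it does the reverse.
    """
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor):
    """Sweep every observed score as a candidate threshold and return
    (threshold, FAR, FRR) where |FAR - FRR| is smallest. At the true
    crossover the two rates are equal and that shared value is the CER;
    a lower CER means the genuine and impostor score populations overlap
    less, i.e. a more accurate device."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


if __name__ == "__main__":
    for t in (40, 55, 60, 70):
        far, frr = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:>3}: FAR={far:.2f} FRR={frr:.2f}")
    t, far, frr = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER at threshold {t}: {far:.2f}")
```

With the constructed scores the sweep shows FAR falling and FRR rising as the threshold increases, and the two meet at threshold 60 with a CER of 0.30. A site that cares more about keeping impostors out (a data centre door) would deliberately run above the crossover and accept the higher FRR; a convenience-oriented deployment would run below it.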
Reference profile / reference template
stored sample of a biometric factor captured when the subject enrolls (registers); every later scan is compared against it
Throughput rate
amount of time the system requires to scan a subject and approve or deny access
HOTP (two step authentication standards)
HMAC-based One-Time Password
HMAC = hash message authentication code
HMAC (typically HMAC-SHA-1) of a shared secret and an incrementing counter, truncated to a six- to eight-digit value that stays valid until it is used
TOTP (two step authentication standards)
Time-based One-Time Password
Uses a timestamp (the current time divided into fixed steps, commonly 30 seconds) as the HOTP counter, so each value remains valid only for that time step
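The synchronous/asynchronous token cards and the HOTP/TOTP cards above describe the same two mechanisms from the user's and the standard's side. The following is an added example, not code from the flashcards or from any token vendor: HOTP (RFC 4226) and TOTP (RFC 6238) implemented with only the Python standard library, plus the two server-side checks a practitioner actually needs (a counter look-ahead window for asynchronous tokens and a clock-skew window for synchronous ones). The secret is the published RFC test key, used so the outputs can be compared against the RFC test vectors; it is not a real credential.

```python
"""Added example: HOTP (RFC 4226) and TOTP (RFC 6238) with the standard library,
plus verification routines for counter-based and time-based tokens."""
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (constructed input,
# not a real credential).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                    # low nibble picks 4 bytes
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)            # keep leading zeros


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """TOTP is HOTP with the counter replaced by the number of time steps since t0."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, (for_time - t0) // step, digits, algorithm)


def verify_hotp(secret: bytes, submitted: str, stored_counter: int,
                look_ahead: int = 5, digits: int = 6):
    """Asynchronous (counter) token check. Returns the next counter to store,
    or None on failure. The look-ahead window resynchronises a token whose
    button was pressed without completing a login; a code at or below the
    stored counter is never accepted again, which blocks replay."""
    for candidate in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate + 1
    return None


def verify_totp(secret: bytes, submitted: str, for_time=None, step: int = 30,
                digits: int = 6, skew_steps: int = 1) -> bool:
    """Synchronous (clock) token check tolerating +/- skew_steps of clock drift.
    Production code must also remember the last accepted step per user so a
    captured code cannot be replayed inside the same window."""
    if for_time is None:
        for_time = int(time.time())
    for drift in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, for_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


if __name__ == "__main__":
    for c in range(3):
        print(f"HOTP counter {c}: {hotp(RFC_SECRET, c)}")
    print("TOTP at T=59 (8 digits):", totp(RFC_SECRET, 59, digits=8))
    print("Current TOTP:", totp(RFC_SECRET))
```

Both comparisons use hmac.compare_digest rather than == so that the string comparison does not leak, through timing, how many leading digits an attacker guessed correctly. The look-ahead and skew windows are the two places where a server trades security for usability: a larger window means fewer failed logins after a desynchronised token or a drifting clock, but more candidate codes an attacker can hit per attempt, so they should be paired with rate limiting on failed OTP submissions.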
IdM
Identity management
Centralized Access control (identity management)
a single entity within a system performs all authorization verification
Decentralized/distributed Access control (identity management)
various entities located throughout a system perform authorization verification
SSO
Single sign-on
A centralized access control technique that allows a subject to be authenticated once on a system and access multiple resources without authenticating again
SSO is a benefit of identity management, not a type of identity management
Directory service
a centralized database that includes information about subjects and objects, including authentication data
LDAP
Lightweight Directory Access Protocol = used by many directory services
AD DS
Microsoft Active Directory Domain Services = LDAP-based directory service
Security domain
a collection of subjects and objects that share a common security policy, and individual domains can operate separately from other domains
Trusts
established between the domains to create a security bridge and allow users from one domain to access another domain’s resources; can be one way or two way
FIM
Federated identity management = a form of SSO that extends beyond a single organization
JIT provisioning
just-in-time provisioning = the account or relationship between the identity provider and the service provider is created automatically at the user's first login (from the identity attributes the provider asserts), so new users can access resources without any administrator intervention
IDaaS
Identity as a service = a third-party (typically cloud-hosted) service that provides identity and access management, usually including SSO to cloud applications
scripted Access / logon scripts
establish communication links by providing an automated process to transmit login credentials at the start of a login session; the scripts contain the credentials, so they must be stored and protected as secrets
OWASP
Open Web Application Security Project = publishes many different cheat sheets that provide application developers specific recommendations