Domain 5: Access Control Technologies

Question 1

Concentrates access control in one logical point for a system or organization

Answer 1

Centralized Access Control

Question 2

• Access control where local sites support and maintain independent systems, access control databases and data
• Each sites may have different models, policies and level of security

Answer 2

Decentralized Access Control

Question 3

Allows users to authenticate once and have access to multiple different systems

Answer 3

Single sign-on (SSO)

Question 4

Occurs when individual users gain more access to more systems

Answer 4

Access Aggregation

Question 5

Participating organizations share identity attributes allowing for a user to authenticate with one member then having access to all other members

Answer 5

Federated system

Question 6

• XML-based language used to send authentication and authorization data between identity providers and service providers
• Frequently used to enable single sign-on for web applications and services

Answer 6

SAML

Question 7

• Relies on access tokens which are issued by an authorization server and then presented to resource servers like third-party web applications
• Used by Google, Microsoft, Facebook and other sites to allow users to share elements of their identity or account information while authenticating via the original identity provider

Answer 7

OAuth

Question 8

• An open-source standard for decentralized authentication

- Users create credentials with an identity provider like Google then sites (relying parties) use that identity

Answer 8

OpenID

Question 9

Combines the OpenID authentication and OAuth authorization into a single protocol

Answer 9

OpenID Connect

Question 10

• OAuth Component

- The user authenticating

Answer 10

Resource Owner

Question 11

• OAuth Component

- Applications that users want to use

Answer 11

Client

Question 12

• OAuth Component
• Servers owned by the identity provider
• Authenticates the resource owner

Answer 12

Authorization Server

Question 13

• OAuth Component

- The server the client wants to access in behalf of the resource owner

Answer 13

Resource Server

Question 14

Allows an organization to leverage a cloud service for identity management

Answer 14

Identity as a service (IDaaS)

Question 15

• Protocol used for interfacing and querying directory service information
• Uses TCP/UDP port 389
• Queries transmitted in cleartext

Answer 15

Lightweight directory access protocol (LDAP)

Question 16

• Third party authentication service
• Uses AES symmetric encryption and mutual authentication of both clients and servers
• Protects against network sniffing and replay attacks
• Most common single sign-on method used in organizations

Answer 16

Kerberos

Question 17

• Kerberos term
• A unique identity
• i.e. user and/or service

Answer 17

Principal

Question 18

• Kerberos term

- The group of systems (domain) Kerberos has authority over

Answer 18

Realm

Question 19

• Kerberos term
• Encrypted message that provides proof that a subject is authorized to access an object
• Contains client identity, service ID and etc.

Answer 19

Ticket

Question 20

• Kerberos term

- The heart of Kerberos where tickets and access is granted

Answer 20

Key Distribution Center (KDC)

Question 21

The Key Distribution Center (KDC) consists of what two servers?

Answer 21

Authentication Server (AS) and Ticket Granting Server (TGS)

Question 22

• Kerberos term

- Confirms that a known user is making access request to a known service and issues a service ticket

Answer 22

Ticket Granting Server (TGS)

Question 23

• Kerberos term

- Confirms that the user is making the access request and issues out a Ticket Granting Ticket (TGT)

Answer 23

Authentication Server (AS)

Question 24

• Kerberos term
• Provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects

Answer 24

Ticket Granting Ticket (TGT)

Question 25

• Kerberos Process Step

- The client sends its TGT back to the KDC with a request for access to the resource.

Answer 25

Kerberos Process Step 1

Question 26

• Kerberos Process Step
• The KDC verifies that the TGT is valid and checks its access control matrix to verify that the user has sufficient privileges to access the requested resource.

Answer 26

Kerberos Process Step 2

Question 27

• Kerberos Process Step

- The KDC generates a service ticket and sends it to the client.

Answer 27

Kerberos Process Step 3

Question 28

• Kerberos Process Step

- The client sends the ticket to the server or service hosting the resource.

Answer 28

Kerberos Process Step 4

Question 29

• Kerberos Process Step

- The server or service hosting the resource verifies the validity of the ticket with the KDC.

Answer 29

Kerberos Process Step 5

Question 30

• Kerberos Process Step
• Once identity and authorization is verified, Kerberos activity is complete. The server or service host then opens a session with the client and begins communications or data transmission.

Answer 30

Kerberos Process Step 6

Question 31

• Sequel to Kerberos
• Asymmetric encryption
• Uses privilege attribute certificates (PACs)

Answer 31

SESAME (secure European system for applications in a multivendor environment)

Question 32

• Authentication system
• Uses UDP ports 1812 (authentication) and 1813 (accounting)
• Authorizes users by allowing specific users to access specific data objects

Answer 32

RADIUS

Question 33

• Authentication system

- Designed to be RADIUS successor

Answer 33

Diameter

Question 34

• Authentication system
• Centralized access control system that requires users to send an ID and static (reusable) password for authentication.
• Uses UDP port 49

Answer 34

TACACS

Question 35

• Authentication system
• Provides better password protection by allowing two-factor authentication
• Uses TCP port 49

Answer 35

TACACS+

Question 36

• Used in WAN authentication

- Password is sent across the network in cleartext

Answer 36

Password Authentication Protocol (PAP)

Question 37

• Used in WAN authentication

- Depends upon a ‘secret’ known only to the authenticator and the peer. The secret is not sent over the link.

Answer 37

Challenge-handshake Authentication Protocol (CHAP)

Question 38

• Subjects are given full control of objects they have created or have been given access to, including sharing the objects with other subjects.
• All objects have owners, and access is based on the discretion or decision of the owner.

Answer 38

Discretionary Access Control (DAC)

Question 39

• System-enforced access control based on subject’s clearance and object’s labels
• Subject may access an object only if the subject’s clearance is equal to or greater than the object’s label

Answer 39

Mandatory Access Control (MAC)

Question 40

• Subjects are grouped into roles, and each defined role has permissions based upon the group, not the individual
• Non Discretionary access control

Answer 40

Role-based access control (RBAC)

Question 41

• Access control based on the responsibilities each subject must perform
• i.e. writing prescriptions, restoring data from a backup tape etc.
• Non Discretionary access control

Answer 41

Task-based access control

Question 42

• Access control that system uses a series of defined rules, restrictions, and filters for accessing objects within a system
• i.e. rules are “if/then” statements

Answer 42

Rule-based access control

Question 43

• Access control restricts access to data based on the content within an object
• i.e. all employees have access to the HR database but cannot view the CIO HR record (database view)

Answer 43

Content-dependent access control

Question 44

• Access control that provides access based on a certain parameter i.e. location, time, sequence of responses, access history etc..
• i.e. employee has network access from 9 - 5pm but denied access on Sunday at 1am

Answer 44

Context-dependent access control

Question 45

Admins centrally administer access and can make changes that affect the whole environment

Answer 45

Nondiscretionary Access Controls

Question 46

• Access control that uses policy rules that include multiple attributes (i.e. characteristics of users, the network, and devices on the network)
• i.e. SDN “Allow Managers to access the WAN using tablets or smartphones.”

Answer 46

Attribute Based Access Control (ABAC)

Question 47

• Classification within the Mandatory Access Control (MAC) model
• Relates various classification labels in an ordered structure from low security to medium security to high security
• i.e. Confidential, Secret, and Top Secret, respectively

Answer 47

Hierarchical Environment

Question 48

• Classification within the Mandatory Access Control (MAC) model
• There is no relationship between one security domain and another

Answer 48

Compartmentalized Environment

Question 49

• Classification within the Mandatory Access Control (MAC) model
• Combination of other two environments
• i.e. Hierarchical level may contain numerous subdivisions that are isolated from the rest of the security domain

Answer 49

Hybrid Environment