Domain 5: Identification and Authentication

Question 1

Subject

Answer 1

Active Entity

Question 2

Object

Answer 2

Passive Entity

Question 3

Three Primary Control Types of Access Controls

Answer 3

Preventative, Detective, and Corrective

Question 4

4 “Other” Control Types of Access Controls

Answer 4

Deterrent, Recovery, Directive, Compensating

Question 5

Preventative Controls

Answer 5

attempts to stop and unwanted activity

Question 6

Detective Controls

Answer 6

discover activity after the fact

Question 7

Corrective Controls

Answer 7

modify environment to return to normal

Question 8

Deterrent Controls

Answer 8

discourage unwanted activity

Question 9

Recovery Controls

Answer 9

repair or restore resources, more complex than corrective

Question 10

Directive Controls

Answer 10

direct the actions of subjects to force compliance

Question 11

Compensating Controls

Answer 11

alternative when the primary control doesn’t work

Question 12

Three Types Of Controls (based on how they are implemented)

Answer 12

Administrative, Logical/Technical, Physical

Question 13

Identification

Answer 13

process of a subject claiming an identitiy

Question 14

Authentication

Answer 14

verifies the identity of the sybject

Question 15

Authorization

Answer 15

Subjects are granted access to objects based on idenitity

Question 16

Accountability

Answer 16

provided through auditing

Question 17

Type 1 Authentication Factor

Answer 17

Something you know

Question 18

Type 2 Authentication Factor

Answer 18

Something you have

Question 19

Type 3 Authentication Factor

Answer 19

Something you are or do

Question 20

Cognitive Password

Answer 20

Series of questions

Question 21

Synchronous vs Asynchronous Dynamic Password

Answer 21

Synchronous is time based (changes every 60 seconds(, Asynchronous changes after it is used

Question 22

Type 1 Error

Answer 22

valid subject is not authenticated, false rejection

Question 23

Type 2 Error

Answer 23

invalid subject is authenticated, false acceptance

Question 24

Centralized Access Control

Answer 24

all authorization verification is performed by a single entity within a system

Question 25

Decentralized Access Control

Answer 25

various entities perform authentication verification

Question 26

SSO

Answer 26

a centralized access control technique that allows a subject to be authenticated only once on a system and access multiple resources

Question 27

LDAP

Answer 27

centralized access control system, directory service for network services and assets

Question 28

Most commons and well-known ticket system

Answer 28

Kerberos

Question 29

Kerberos Architecture

Answer 29

Key Distribution Center, Kerberos Authentication Server, Ticket-Granting Ticket.

Question 30

Permissions

Answer 30

access granted for an object and determines what you can do with it

Question 31

Rights

Answer 31

the ability to take an action on an object

Question 32

Privileges

Answer 32

combination of rights and permissions

Question 33

Implicit Deny

Answer 33

access to an object is denied unless explicitly granted

Question 34

Access Control Matrix

Answer 34

table that includes subjects, objects, and assigned privileges

Question 35

Capability Tables

Answer 35

identify privileges assigned to subjects

Question 36

Constrained Interface

Answer 36

restricts what users can do or see based on privileges (disabled capabilities may be grayed out)

Question 37

Context-Dependent Control

Answer 37

requires specific activities before granting user access - ex: data flow for online transactions

Question 38

Content-Dependent Control

Answer 38

restrict access based on the content within an object (database view)

Question 39

DAC

Answer 39

allows data owner, creator, or custodian of an object to control access to it

Question 40

RBAC

Answer 40

define a subject’s ability to access an object based on their role

Question 41

TBAC

Answer 41

each user is assigned an array of tasks

Question 42

RuBAC

Answer 42

uses a set of rules to determine access (global rules)

Question 43

ABAC

Answer 43

Attribute based, uses multiple attributes for rules

Question 44

MAC

Answer 44

relies on classification lables

Question 45

Hierarchical Environment

Answer 45

ordered structure of classifications: TS, S, UC

Question 46

Compartmentalized Environment

Answer 46

no relationship between domains

Question 47

Hybrid Environment

Answer 47

Clearance + need to know

Question 48

What are the key steps in a risk management process?

Answer 48

Identifying assets, threats, and vulnerabilities

Question 49

Threat Modeling

Answer 49

identifying, understanding, and categorizing threats

Question 50

Three Threat Modeling Approaches

Answer 50

Focus on Assets, Focus on Attackers, Focus on Software

Question 51

Advanced Persistent Threat

Answer 51

group of attackers working together, advanced skills and motivation

Question 52

Access-Aggregation

Answer 52

collecting multiple pieces of nonsensitive information and combining to learn sensitive info

Question 53

Dictionary Attack

Answer 53

use every possible password in a predefined database

Question 54

Birthday Attack

Answer 54

focuses on finding collusion

Question 55

Rainbow Table Attack

Answer 55

uses large databases of precomputed hashes

Question 56

Sniffing

Answer 56

captures packets sent over a network

Question 57

Spoofing

Answer 57

pretending to be something else