Domain 5: Identity and Access Management Flashcards

1
Q

Authentication Methods

A

Type 1- Something you know (password, PIN, passphrase)

Type 2- Something you have (token, smart card, phone)

Type 3- Something you are (biometrics: fingerprint, iris, retina, voice)

Type 4- Somewhere you are (location, e.g. GPS position or network address)

2
Q

Credential Set

A

Term used for the combination of a user's identification (the claimed identity, e.g. a username) and authentication (the proof of that claim, e.g. a password)

3
Q

Type 1 Authentication

A

.Dynamic passwords change at regular intervals (one-time passwords), so a captured value is useless after its interval

.Strong authentication = multifactor: two or more different types (e.g. password plus token), not two factors of the same type

4
Q

Dictionary attack

A

.Uses a word list: a predefined list of likely passwords, each hashed and compared to the target

.Fast but least effective: only finds passwords that appear in the list verbatim

5
Q

Rainbow Table

A

.Acts as a database of precomputed hash output for most or all words, so cracking becomes a lookup instead of hashing each candidate

.Defeated by per-password salts: a different table would be needed for every salt value

6
Q

Hybrid attack

A

Appends, prepends or substitutes characters in dictionary words before hashing, to attempt the fastest crack of "complex" passwords derived from common words (e.g. Dragon123, P@ssw0rd!)
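The three cracking techniques on cards 4 to 6, as an added example that is not part of the original flashcards: a plain dictionary attack, a hybrid attack that mutates each word, and a precomputed hash-to-plaintext table, followed by the salted hash that defeats the table. The wordlist, mutation rules, target passwords and salt values are all constructed for this demo.

```python
"""Added example (not from the flashcards): dictionary, hybrid and
precomputed-table attacks against unsalted SHA-1 hashes, and why a salt
defeats the precomputed table. The wordlist, mutation rules and target
passwords are all constructed for this demo."""
import hashlib
import itertools

# Constructed wordlist standing in for a real dictionary file.
WORDLIST = ["password", "welcome", "dragon", "summer", "letmein"]

# Hybrid rules: leet substitutions and common suffixes appended to each base word.
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "s": "$", "i": "1"})
SUFFIXES = ["", "1", "123", "!", "2024", "!1"]


def sha1_hex(data: str) -> str:
    return hashlib.sha1(data.encode()).hexdigest()


def hybrid_candidates(word: str):
    """Yield the word itself plus the case/leet/suffix mutations a hybrid attack tries."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET),
             word.capitalize().translate(LEET)}
    for base, suffix in itertools.product(sorted(bases), SUFFIXES):
        yield base + suffix


def dictionary_attack(target_hash: str, words=WORDLIST):
    """Plain dictionary attack: hash each word exactly as listed and compare."""
    for word in words:
        if sha1_hex(word) == target_hash:
            return word
    return None


def hybrid_attack(target_hash: str, words=WORDLIST):
    """Hybrid attack: mutate each dictionary word before hashing it."""
    for word in words:
        for candidate in hybrid_candidates(word):
            if sha1_hex(candidate) == target_hash:
                return candidate
    return None


def build_table(words=WORDLIST):
    """Precompute hash -> plaintext once; cracking then costs one lookup per hash.
    (A real rainbow table stores hash chains to save space; the lookup idea is the same.)"""
    return {sha1_hex(c): c for w in words for c in hybrid_candidates(w)}


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt: the same password hashes differently for every user, so a
    table built for unsalted hashes (or for another salt) no longer matches."""
    return hashlib.sha1(salt + password.encode()).hexdigest()


if __name__ == "__main__":
    table = build_table()
    print(len(table), "precomputed entries")
    print(dictionary_attack(sha1_hex("Dragon123")))           # None: not in the list verbatim
    print(hybrid_attack(sha1_hex("Dragon123")))               # Dragon123
    print(table.get(sha1_hex("Summer2024")))                  # Summer2024
    print(table.get(salted_hash("Summer2024", b"\x8f\x11")))  # None: the salt defeats the table
```

The table is built once and reused against every hash, which is the trade the precomputation makes; the salted variant forces the attacker back to hashing each candidate per user, which is why salting matters even when the hash function itself is fast.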

7
Q

Type 2 Authentication

A

.Requires the user to possess something

.Token, smart card, phone, etc.

8
Q

Synchronous Dynamic Token

A

.Synchronized with a central server by time or by an event counter; no challenge is exchanged

.Time-based (TOTP) and counter-based (HOTP) tokens are the common forms; challenge-response is the asynchronous type

9
Q

False Reject Rate (FRR)

A

.When an authorized subject is rejected by the biometric system

.Type I error

10
Q

False Accept Rate (FAR)

A

.When an unauthorized subject is accepted as valid by the biometric system

.Type II error

.Worse of the two: an impostor gets in, so tuning normally biases the threshold toward a lower FAR at the cost of a higher FRR

11
Q

Asynchronous Dynamic Tokens

A

.Not synchronized with a central server

.Challenge-response most common: the server sends a fresh challenge (nonce), the token computes the response from the challenge and its secret

12
Q

Crossover Error Rate (CER)

A

.Describes the threshold setting at which the FRR and the FAR are equal

.Also known as the Equal Error Rate (EER); a lower CER means a more accurate biometric system

13
Q

Retina Scans

A

.Seen as intrusive (a light is shone into the eye) and raises privacy concerns

.The retinal blood-vessel pattern can reveal health conditions (e.g. diabetes, high blood pressure), which is the source of the privacy objection

14
Q

Centralized Access Control

A

One logical point of administration and decision for all access requests

.Can be used for Single Sign-On (SSO)

.Consistent policy, but a single point of failure and compromise: must be highly available and well protected

15
Q

Decentralized Access Control

A

Allows IT administration to occur closer to the mission and operation of the organization

.Provides more local power

.Each site has control over its own data, at the cost of inconsistent policy and harder auditing across sites

16
Q

Single Sign On (SSO)

A

.Allows multiple systems to use a centralized authentication server

.Users authenticate once and then access multiple systems without re-entering credentials

.Improves user productivity

.Improves developer productivity (no per-application authentication code)

.Simplifies administration (one place to provision and revoke)

.A compromised SSO credential exposes every connected system, so SSO is normally paired with multifactor authentication

17
Q

Federated Identity Management (FIdM)

A

.SSO across organizations

.A trusted authority (identity provider) vouches for digital identities to service providers across multiple organizations

.Standards: SAML, OAuth, OpenID Connect

18
Q

LDAP

A

Lightweight Directory Access Protocol

.TCP/UDP port 389 (plaintext unless StartTLS is negotiated)

.LDAPS (LDAP over TLS): TCP 636; Active Directory also exposes the Global Catalog on 3268 (LDAP) and 3269 (LDAPS)

19
Q

Kerberos

A

.Network authentication system designed for use on physically insecure networks

.Allows entities communicating over the network to prove their identity to each other while preventing eavesdropping

.Provides data stream integrity and confidentiality using cryptographic systems

.Uses secret key (symmetric) encryption

.Provides mutual authentication of both clients and servers

.Mitigates replay attacks via timestamps (default clock-skew tolerance is 5 minutes)

.KDC stores the plaintext keys of all principals, so it is the single point of compromise for the realm

20
Q

Kerberos Components

A
  1. Principal: Any server or client (user, host or service) that can be assigned a ticket.
  2. Authentication Server (AS): Authenticates the principal (proof is possession of its long-term key) and issues the Ticket Granting Ticket.
  3. Ticket Granting Server (TGS): Issues service tickets in exchange for a valid TGT.
  4. Key Distribution Center (KDC): The AS and TGS together with the key database; provides the initial ticket and handles TGS requests.
  5. Realm: A boundary within an organization. Each realm has its own AS and TGS.
  6. Ticket Granting Ticket (TGT): Ticket granted during the initial authentication; presented to the TGS to obtain service tickets. Encrypted with the TGS's key.
  7. Ticket: Used to authenticate to a service. Contains the identity of the client, the session key, the timestamp, and the checksum. Encrypted with the target server's key, so the client cannot read or alter it.
  8. Session Key: Temporary symmetric key shared by client and server for the ticket's lifetime.
21
Q

SESAME

A

.Addresses Kerberos's plaintext storage of symmetric keys by adding public key cryptography

.Uses Privilege Attribute Certificates (PACs) in place of Kerberos tickets

22
Q

RADIUS

A

RFC 2865 (authentication and authorization) and RFC 2866 (accounting)

UDP ports:

1812 (authentication); legacy 1645 still seen

1813 (accounting); legacy 1646 still seen

.Only the User-Password attribute is obfuscated (MD5-based); the rest of the packet is cleartext, so protect the transport (e.g. RadSec, RADIUS over TLS)
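The RADIUS packet described on card 22, as an added example that is not part of the original flashcards: building an Access-Request with the RFC 2865 User-Password hiding, parsing its attributes, and verifying the Response Authenticator on an Access-Accept. It makes the card's point concrete: the password is the only attribute RADIUS protects, and that protection is MD5 keyed with the shared secret. The shared secret, user credentials, NAS address and Request Authenticator are constructed for this demo.

```python
"""Added example (not from the flashcards): building and parsing a RADIUS
Access-Request and verifying an Access-Accept, following RFC 2865. It shows
the one part of the packet RADIUS protects, the User-Password attribute
(MD5-based hiding), and the Response Authenticator. The shared secret,
user credentials and NAS address are constructed for this demo."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                 # packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types
HEADER = struct.Struct(">BBH")  # code, identifier, length; a 16-byte authenticator follows


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad with NULs to a 16-byte multiple, then XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length counts the two header bytes."""
    return bytes([attr_type, len(value) + 2]) + value


def access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                   nas_ip: str, request_authenticator: bytes = None) -> bytes:
    ra = request_authenticator or os.urandom(16)  # must be unpredictable (RFC 2865 section 3)
    attrs = (attribute(USER_NAME, username)       # User-Name travels in cleartext
             + attribute(USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return HEADER.pack(ACCESS_REQUEST, identifier, HEADER.size + 16 + len(attrs)) + ra + attrs


def parse_attributes(data: bytes):
    """Walk the TLVs; a Length under 2 or one running past the packet is malformed."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def response_authenticator(code, identifier, attrs, request_authenticator, secret):
    """MD5(Code || ID || Length || RequestAuth || Attributes || Secret): the only
    integrity check on a reply, and bound to the request it answers."""
    header = HEADER.pack(code, identifier, HEADER.size + 16 + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def access_accept(identifier, request_authenticator, secret, attrs=b""):
    auth = response_authenticator(ACCESS_ACCEPT, identifier, attrs, request_authenticator, secret)
    return HEADER.pack(ACCESS_ACCEPT, identifier, HEADER.size + 16 + len(attrs)) + auth + attrs


def verify_response(packet, request_authenticator, secret) -> bool:
    """Client (NAS) side: reject forged replies and replies for a different request."""
    code, identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:], request_authenticator, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

Everything except the User-Password value, including the user name and NAS address, is visible to anyone on the path, and the hiding itself is only as strong as the shared secret fed to MD5; that is the reason for the card's advice to put RADIUS inside TLS or a protected network.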

23
Q

Diameter

A

.RADIUS successor (RFC 6733)

.Designed to improve the AAA framework

.Uses a single server to manage the policies for many servers

.Runs over TCP or SCTP, which makes it more reliable than RADIUS over UDP; transport security via TLS/DTLS or IPsec

24
Q

TACACS+

A

TACACS (original): UDP port 49

TACACS+: TCP port 49; encrypts the whole packet body (RADIUS hides only the password) and separates authentication, authorization and accounting

25
Q

Discretionary Access Control (DAC)

A

Access to an object is granted at the discretion of the object's owner (e.g. file permissions, ACLs); the owner can pass rights on to other subjects

.Flexible and common, but weak: any user, or malware running as that user, can share access further

.Contrast with Mandatory Access Control (MAC): system-enforced access control based on the subject's clearance and the object's labels; expensive and difficult to implement

26
Q

SPML

A

Service Provisioning Markup Language

.XML-based; allows the exchange of user, resource and service provisioning data between applications

.The cooperating applications could reside in one organization or many

27
Q

SAML

A

Security Assertion Markup Language

.XML-based; provides the authentication piece of federated identity management by carrying signed assertions (authentication, attributes, authorization decisions) from an identity provider to a service provider

28
Q

XACML

A

eXtensible Access Control Markup Language

.XML-based; used to express access control policies and access rights to assets provided through web services and other enterprise applications, and to carry the resulting access decisions between policy decision and enforcement points

29
Q

Risk-based access control

A

Risk-based access control is relatively new, and the implementation can be quite complex. The model evaluates the risk of each access request by considering several elements, such as:

.The environment (device, network, location)

.The situation (time of access, sensitivity of the resource, unusual behavior)

.Security policies

Example policy outcomes:

.Multifactor authentication: the system denies access to users logging on with only one factor of authentication

.Compliant mobile devices: the policy may require that smartphones and tablets meet specific security requirements, such as an up-to-date operating system and device encryption