Domain 5: Identity and Access Management

Question 1

Authentication Methods

Answer 1

Type 1- Something you know (Password, Pin)

Type 2- Something you have (Token, phone)

Type 3- Something you are

Type 4- Some place you are

Question 2

Credential Set

Answer 2

Term used for the combination of both the identification and authentication of a user

Question 3

Type 1 Authentication

Answer 3

.Dynamic Passwords change at regular intervals

.Strong authentication = multifactor

Question 4

Dictionary attack

Answer 4

.Uses a word list: a predefined list of words

.Fast but least effective

Question 5

Rainbow Table

Answer 5

.Acts as a database that contains the precomputed hashed output for most or all words

Question 6

Hybrid attack

Answer 6

Appends or prepends or changes the characters in words in a dictionary before hashing to attempt the fasted crack of complex words

Question 7

Type 2 Authentication

Answer 7

. Requires the user to possess something

.Token, card, phone, etc

Question 8

Synchronous Dynamic Token

Answer 8

synchronized with a central server

.Challenge-response token most common

Question 9

False Reject Rate (FRR)

Answer 9

.When authorized subject is rejected by the biometric system.

Type 1 error

Question 10

False Accept Rate (FAR)

Answer 10

.When an unauthorized subjects is accepted as valid by a biometric system

.Type 2 error

.Worse

Question 11

Asynchronous Dynamic Tokens

Answer 11

.Not synchronized with a central server

.Challenge-response token most common

Question 12

Crossover Error Rate (CER)

Answer 12

.Describes the point where the FRR and the FAR are equal

.Also know as the Equal Error Rate (ERR)

Question 13

Retina Scans

Answer 13

.Can seem intrusive due to privacy concerns

.Can identify health condition

Question 14

Centralized Access Control

Answer 14

One logical point

.Can be used for Single Sign On (SSO)

Question 15

Decentralized Access Control

Answer 15

Allow IT administration to occur closer to the mission and operation of the organization

.Provides more local power.

.Each site has control over its data

Question 16

Single Sign On (SSO)

Answer 16

.Allows multiple systems to use a centralize authentication server.

Users authenticate once and then access multiple systems

.Improves user productivity

.Improves developer productivity

.Simplifies administration

Question 17

Federated Identity Access (FIdM)

Answer 17

.SSO across organizations

.Trusted authority for digital identities across multiple organizations

.SAML Oauth, OpenID

Question 18

LDAP

Answer 18

Lightweight Directory Access Protocol

.TCP/UPD Port 389

.LDAPS (LDAP over TLS) TCP 636 and 3269

Question 19

Kerberos

Answer 19

.network authentication systems for use on physically insecure networks

.allows entities to communicating over networks to prove their identity to each other while preventing eavesdropping

.proved data stream integrity and secrecy use cryptographic systems

.Uses secret key encryption

.Provides mutual authentication of both clients and servers

.mitigates replay attacks via the use of timestamps

.KDC stores plaintext keys of all principals

Question 20

Kerberos Components

Answer 20

1. Principal: Any server or client that can be assigned a ticket.
2. Authentication Server (AS): Server that authorizes the principal and connects them to the ticket granting server.
3. Ticket Granting Server (TGS): Issues tickets.
4. Key Distribution Center (KDC): Server that provides the initial ticket and handles TGS requests.
5. Realm: A boundary within an organization. Each realm has its own AS and TGS.
6. Ticket Granting Ticket (TGT): Ticket that is granted during the authentication process.
7. Ticket: Used to authenticate. Contains the identity of the client, the session key, the timestamp, and the checksum. Encrypted with the servers key.
8. Session Key: Temporary encryption key.

Question 21

SESAME

Answer 21

.addresses Kerberos plaintext storage of symmetric key

.Uses Privilege Attribute Certificates (PAC) in place of Kerberos tickets

Question 22

Radius

Answer 22

FRC 2865 and 2866

UDP ports:

1812 (authentication)

1813 (accounting)

Question 23

Diameter

Answer 23

.Radius successor

.Designed to improve AAA framework

Uses single serve to manage the policies for many servers

TCP protocol makes more reliable

Question 24

TACACS+

Answer 24

TACACS: UDP Port 49

TACACS+: TCP Port 49

Question 25

Discretionary Access Control (DAC)

Answer 25

System-enforced access control based on subject’s clearance and objects labels

.Expensive and difficult to implement

Question 26

SPML

Answer 26

Service Provisioning Markup Language

.allows the exchange of provisioning data between applications.

.could reside in one organization or many

Question 27

SAML

Answer 27

Security Assertions Markup Language

.Provides the authentication pieces to federated identity management systems.

Question 28

XACML

Answer 28

eXtensible Access Control Markup Language

.used to express security policies and access rights to assets provided through web services and other enterprise applications

Question 29

Risk-based access control

Answer 29

Risk-based access control is relatively new, and the implementation can be quite complex. The model attempts to evaluate risk by considering several different elements, such as:

The environment

The situation

Security policies

.Multifactor Authentication The system will deny access to users logging on with just one factor of authentication.

.Compliant Mobile Devices The policy may require that smartphones and tablets meet specific security requirements, such as an up-to-date operating system and device encryption.