Domain 5: Identity and Access Management Flashcards

1
Q

Identity and Access Management

A

Discipline focused on harmonizing how users are provisioned and how their access is managed across multiple systems, each with its own native access control mechanism

2
Q

Identity Management

A

Controls the life cycle of all accounts in a system

Verifies someone is who they say they are

3
Q

Access Management

A

Controls the assignment of rights/privileges to those accounts
Verifies someone has the right accesses to do what is requested

4
Q

Identity Proofing

A

Precedes creation of a user account
Not the same as authentication
Requires the prospective employee to prove their identity to the employer

5
Q

Provisioning/Deprovisioning Identities

A

Traditionally each cloud vendor exposed its own non-standard provisioning API
Enterprises had to develop and maintain proprietary connectors to integrate with every SaaS provider
Standards-based provisioning (SPML, and now SCIM) removes the need for one-off connectors

6
Q

Type 1 Authentication

A

Something you know

7
Q

Type 2 Authentication

A

Something you have

8
Q

Type 3 Authentication

A

Something you are

9
Q

Multifactor

A

Uses two or more of the three types (factors) together; two instances of the same type, such as a password plus a PIN, are not multifactor

10
Q

Mutual Authentication

A

Both parties authenticate to each other

11
Q

Token

A

A device (or app) that generates one-time passcodes: synchronous tokens are counter-based or time-based and stay in step with the authentication server; asynchronous tokens compute a response to a challenge the server sends

12
Q

Physiological traits for Authentication

A

Fingerprint, hand geometry, iris, retina

13
Q

Behavior based traits for authentication

A

voice, gait, signature, keyboard cadence

14
Q

Type I Error

A

False Rejection - a legitimate user is barred from access. Caused by a matching threshold set too strictly (the system demands too close a match to the enrolled template). A usability and availability problem rather than a security breach

15
Q

Type II Error

A

False Acceptance - an impostor is allowed access. A security threat; caused by a matching threshold set too loosely (the system accepts too little matching information)

16
Q

CER Crossover Error Rate

A

The point where the False Rejection Rate (Type I) and False Acceptance Rate (Type II) curves intersect as the matching threshold is varied. The single number used to compare biometric systems; lower is better
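Cards 14 to 16 as a worked calculation, added here and not part of the original deck: constructed matcher scores for genuine and impostor attempts, FRR and FAR swept across every threshold, and the threshold at which they cross. The scores, the 0..100 scale and the threshold grid are assumptions.

```python
# Constructed similarity scores (0..100) from a hypothetical biometric matcher.
# Genuine attempts should score high, impostor attempts low; the overlap
# between the two populations is what produces Type I and Type II errors.
GENUINE_SCORES = [62, 68, 71, 74, 75, 77, 79, 80, 82, 84, 86, 88, 90, 93, 96]
IMPOSTOR_SCORES = [20, 28, 33, 41, 45, 50, 54, 58, 61, 64, 67, 70, 73, 76, 81]


def frr(threshold, genuine=GENUINE_SCORES):
    """Type I / False Rejection Rate: genuine users scoring below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR_SCORES):
    """Type II / False Acceptance Rate: impostors scoring at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(thresholds=range(0, 101)):
    """(threshold, FRR, FAR) for every candidate threshold; raising the
    threshold pushes FRR up and FAR down, lowering it does the reverse."""
    return [(t, frr(t), far(t)) for t in thresholds]


def crossover_error_rate(thresholds=range(0, 101)):
    """Threshold where FRR and FAR are closest, and the error rate there (CER).
    A lower CER means the matcher separates genuine from impostor better."""
    best = min(error_curve(thresholds), key=lambda row: abs(row[1] - row[2]))
    t, f_rej, f_acc = best
    return t, (f_rej + f_acc) / 2


if __name__ == "__main__":
    for t in (30, 60, 72, 90):
        print(f"threshold {t:3d}: FRR={frr(t):.2f} FAR={far(t):.2f}")
    print("CER at threshold %d = %.2f" % crossover_error_rate())
```

Operationally the CER is a comparison number, not the threshold you deploy: a door to a server room is tuned to the right of the crossover (fewer false acceptances, more false rejections), a consumer phone unlock to the left.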

17
Q

Biometrics concerns

A
User acceptance
Intrusive (Retina scans can reveal health information)
Time for enrollment and verification
Cost/benefit
Cannot revoke biometrics
18
Q

Single Sign-on (SSO)

A

Allows a user to provide credentials once to an authentication server and receive access to interconnected or disparate systems without re-authenticating to each one

19
Q

Kerberos

A

Network authentication protocol that came out of MIT's Project Athena. Provides authentication over an insecure network using symmetric-key cryptography and a trusted third party (the KDC)

20
Q

Kerberos password Transmission

A

The password never crosses the network; the client derives the user's key from it locally and uses that key to decrypt the AS reply

21
Q

Kerberos Authentication Server (AS)

A

Authenticates the user and issues a Ticket Granting Ticket (TGT)

22
Q

Kerberos Ticket Granting Service (TGS)

A

After receiving the TGT from the user, the TGS issues a ticket for a particular user to access a particular service

23
Q

Kerberos Key Distribution Center (KDC)

A

system which runs the Ticket Granting Service (TGS) and Authentication Service (AS)

24
Q

Kerberos Ticket

A

Means of distributing session keys

25
Q

Kerberos Carnival comparison

A

Receive wrist band entering carnival at admissions - receive the encrypted TGT from the AS
Wrist band needed to buy ride tickets - present the TGT to the TGS, which hands out service tickets and session keys
Tickets get you onto the rides - present the service ticket to the target service to gain access

26
Q

Kerberos Ticket Granting Ticket (TGT)

A

Ticket issued by the AS that the client later presents to the TGS, similar to the wrist band. The TGT itself is encrypted with the TGS's key, so the client cannot read or alter it; the session key that accompanies it is encrypted with a key derived from the user's password, so only someone who knows the password can use the TGT

27
Q

Kerberos synchronization

A

Clocks of the client, KDC and services must be synchronized; tickets and authenticators carry timestamps, and by default a skew of more than 5 minutes causes authentication to fail (this also limits replay of a captured authenticator)
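Cards 19 through 27 describe one exchange. The following is an added example, not part of the original deck, that runs it end to end: AS exchange (password-derived key, TGT sealed under the TGS key), TGS exchange (TGT plus timestamped authenticator, service ticket sealed under the service's key) and the final presentation to the service, with the 5-minute skew check applied. The realm, principal names, ticket lifetimes and the `seal`/`open_sealed` toy cipher (SHA-256 keystream plus HMAC, standing in for Kerberos' real AES encryption types) are assumptions for illustration.

```python
import hashlib
import hmac
import json
import os
import secrets
import time

MAX_SKEW = 300  # seconds: Kerberos' default 5-minute clock-skew tolerance


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption (assumption: stands in for a real Kerberos
    etype such as aes256-cts-hmac-sha1-96; do not reuse in production)."""
    plaintext = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def user_key(password: str, realm: str, principal: str) -> bytes:
    """Long-term key derived from the password; the password never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096)


def check_skew(ts: int, now: int):
    if abs(now - ts) > MAX_SKEW:
        raise PermissionError("clock skew too great")


class KDC:
    """Runs both the AS and the TGS; knows every principal's long-term key."""

    def __init__(self, keys: dict):
        self.keys = keys            # principal -> long-term key
        self.tgs_key = os.urandom(32)

    def as_exchange(self, principal: str, now: int):
        """AS-REQ/AS-REP: session key sealed under the user's key, TGT sealed under the TGS key."""
        session = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": principal, "key": session.hex(), "expires": now + 8 * 3600})
        reply = seal(self.keys[principal], {"tgs_key": session.hex()})
        return reply, tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket."""
        t = open_sealed(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        auth = open_sealed(bytes.fromhex(t["key"]), authenticator)
        check_skew(auth["timestamp"], now)
        if auth["client"] != t["client"]:
            raise PermissionError("authenticator/TGT mismatch")
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session.hex(), "expires": now + 3600})
        reply = seal(bytes.fromhex(t["key"]), {"svc_key": svc_session.hex()})
        return reply, ticket


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """AP-REQ: the service decrypts the ticket with its own key and checks the authenticator."""
    t = open_sealed(service_key, ticket)
    auth = open_sealed(bytes.fromhex(t["key"]), authenticator)
    check_skew(auth["timestamp"], now)
    if auth["client"] != t["client"]:
        raise PermissionError("authenticator/ticket mismatch")
    return t["client"]


def full_login(password: str, client_clock_offset: int = 0) -> str:
    """AS -> TGS -> AP for 'alice' in a constructed realm; returns the principal
    the service authenticated. client_clock_offset models a drifting client clock."""
    realm = "EXAMPLE.COM"
    keys = {"alice": user_key("correct horse", realm, "alice"), "http/web": os.urandom(32)}
    kdc = KDC(keys)
    now = int(time.time())

    k = user_key(password, realm, "alice")        # client derives its key locally
    as_rep, tgt = kdc.as_exchange("alice", now)
    tgs_session = bytes.fromhex(open_sealed(k, as_rep)["tgs_key"])  # wrong password fails here

    auth = seal(tgs_session, {"client": "alice", "timestamp": now + client_clock_offset})
    tgs_rep, ticket = kdc.tgs_exchange(tgt, auth, "http/web", now)
    svc_session = bytes.fromhex(open_sealed(tgs_session, tgs_rep)["svc_key"])

    auth2 = seal(svc_session, {"client": "alice", "timestamp": now + client_clock_offset})
    return service_accepts(keys["http/web"], ticket, auth2, now)
```

Two things to notice when reading it against the cards: the client never sends the password or its key anywhere (a wrong password simply fails to decrypt the AS reply), and the service never talks to the KDC at all, since its own long-term key is enough to validate the ticket.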

28
Q

Service Provisioning Markup Language (SPML)

A

OASIS XML-based standard for exchanging user account information between systems so that account provisioning and deprovisioning can be automated between an identity provider and its service providers; largely superseded by SCIM

29
Q

System for Cross-domain Identity Management (SCIM)

A

REST/JSON standard serving the same purpose as SPML: exchanging user account information between systems to automate provisioning and deprovisioning (for example from a corporate directory to SaaS applications); the current choice of cloud providers

30
Q

Security Assertion Markup Language (SAML)

A

XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider; the basis for enterprise SSO and federated accounts

31
Q

OpenID Connect

A

Identity (authentication) layer built on top of OAuth 2.0 using JSON/REST; an alternative to SAML for SSO and federation, common for consumer, web and mobile applications

32
Q

OAuth 2.0

A

Authorization framework, not designed for authentication or SSO - lets a user grant one application limited access to their account at another (linking Spotify to Facebook, etc.) through an access token, so the application can do a job on the user's behalf without ever receiving their password

33
Q

Role Based Access Control (RBAC)

A

Permissions are assigned to roles and users are assigned to roles, rather than granting permissions to individuals
Good solution to mitigate privilege creep: a user who changes job is moved to a new role and automatically loses the old role's permissions
Well suited for environments with high turnover

34
Q

Discretionary Access Control (DAC)

A

Security of an object is at the owners discretion
Access is granted through an ACL
Identity based

35
Q

Mandatory Access Control (MAC)

A

Used where classification and confidentiality is of utmost importance
Enforced by the operating system, which has to be built for it (SELinux, Trusted Solaris); neither owners nor users can override the labels
All objects have a security label

36
Q

Attribute Based Access Control (ABAC)

A

Permissions granted by evaluating policy rules against attributes of the subject, the object and the environment (location, role, tenure, time of day, any other attribute)
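Cards 33 to 36 side by side as a small policy engine, added here and not part of the original deck: the same question ("may this user do this to this object?") answered under DAC, MAC, RBAC and ABAC, so the structural differences (who can change the policy, where the decision data lives) are visible in code. The users, objects, labels, roles and ABAC rules are constructed assumptions.

```python
# --- DAC: each object's owner maintains its ACL (identity based) ---
ACLS = {"budget.xlsx": {"owner": "bob", "read": {"bob", "alice"}, "write": {"bob"}}}


def dac_allowed(user, obj, action):
    return user in ACLS[obj].get(action, set())


def dac_grant(owner, obj, user, action):
    """Only the owner may change the ACL; that discretion is what defines DAC."""
    if ACLS[obj]["owner"] != owner:
        raise PermissionError("only the owner can change the ACL")
    ACLS[obj].setdefault(action, set()).add(user)


# --- MAC: every subject and object carries a label the system enforces ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}
CLEARANCE = {"alice": "secret", "bob": "confidential"}
LABEL = {"budget.xlsx": "confidential", "plan.docx": "top_secret"}


def mac_allowed(user, obj, action):
    """Bell-LaPadula confidentiality rules: no read up, no write down.
    Nobody, including the object's creator, can relax this."""
    s, o = LEVELS[CLEARANCE[user]], LEVELS[LABEL[obj]]
    return s >= o if action == "read" else s <= o


# --- RBAC: permissions attach to roles, users to roles ---
ROLE_PERMS = {
    "analyst": {("report", "read")},
    "manager": {("report", "read"), ("report", "approve")},
}
USER_ROLES = {"alice": {"analyst"}, "bob": {"manager"}}


def rbac_allowed(user, obj, action):
    return any((obj, action) in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))


def rbac_change_job(user, new_roles):
    """Turnover or a job change replaces the role set wholesale, so the old
    role's permissions go away with it (no privilege creep)."""
    USER_ROLES[user] = set(new_roles)


# --- ABAC: policy rules over subject, object and environment attributes ---
ABAC_RULES = [
    lambda s, o, a, e: a == "read" and s["department"] == o["department"],
    lambda s, o, a, e: a == "approve" and s["tenure_years"] >= 2 and e["location"] == "office",
]


def abac_allowed(subject, obj, action, env):
    return any(rule(subject, obj, action, env) for rule in ABAC_RULES)
```

Note where each decision comes from: DAC consults a list the owner edits, MAC consults labels only an administrator sets, RBAC consults a role table that HR-style processes drive, and ABAC evaluates rules at request time against whatever attributes are presented, which is why the same user can be allowed in the office and denied from home.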

37
Q

Audits

A

Ensure compliance with policy and standards

38
Q

Service Organizational Control (SOC) Report 1

A

Pertains to financial controls

39
Q

Service Organizational Control (SOC) Report 2

A

Pertains to the trust services criteria (Security, Availability, Confidentiality, Processing Integrity and Privacy)
Detailed, restricted-use report including test results, intended for existing customers and their auditors

40
Q

Service Organizational Control (SOC) Report 3

A

Also pertains to the trust services criteria (Security, Availability, Confidentiality, Processing Integrity and Privacy)
General-use summary report without the detailed test results, suitable for prospective customers and public distribution

41
Q

Personnel Vulnerability Testing

A

Includes reviewing employee tasks and identifying vulnerabilities in the standard practices and procedures

42
Q

Physical Vulnerability Testing

A

Includes reviewing the facility and perimeter protection mechanisms

43
Q

System and Network Vulnerability Testing

A

Automated scanning product identifies known system vulnerabilities

44
Q

Vulnerability Scans

A

Probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker

45
Q

Network Discovery Scanning

A

Scan a range of IP addresses, searching for systems with open network ports

46
Q

TCP SYN Scanning

A

Sends a single packet to each scanned port with the SYN flag set and never completes the handshake (half-open scan); a SYN/ACK reply means open, an RST means closed, and the target application never sees a connection

47
Q

TCP Connect Scanning

A

Opens a full connection to the remote system on the specified port

48
Q

TCP ACK Scanning

A

Sends a packet with the ACK flag set, as if it were part of an already open connection; used to map firewall rules (an RST comes back from unfiltered ports, nothing from filtered ones) rather than to determine whether ports are open
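Of the three scan types on cards 46 to 48, only the connect scan can be written with ordinary sockets; SYN and ACK scans craft raw packets and need privileges, which is why they are normally run through Nmap. The following added example, not part of the original deck, performs a connect scan against a constructed loopback listener and classifies each port the way a scanner does (open, closed, filtered). The port range and timeout are assumptions.

```python
import socket
import threading
from contextlib import contextmanager


@contextmanager
def local_listener():
    """Constructed target: a TCP server on a kernel-chosen loopback port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop():
        srv.settimeout(0.2)
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()          # the full handshake completed; the app saw us
            except socket.timeout:
                continue

    t = threading.Thread(target=accept_loop, daemon=True)
    t.start()
    try:
        yield port
    finally:
        stop.set()
        t.join()
        srv.close()


def connect_scan(host: str, ports, timeout: float = 0.5) -> dict:
    """TCP connect scan: a full three-way handshake per port, so the target's
    application sees (and may log) every probe, unlike a half-open SYN scan.
    'open' = handshake completed, 'closed' = RST (connection refused),
    'filtered' = no answer before the timeout (typically a dropping firewall)."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                results[port] = "open"
            except ConnectionRefusedError:
                results[port] = "closed"
            except (socket.timeout, OSError):
                results[port] = "filtered"
    return results


def demo():
    """Scan a small range around the listener; returns (listener_port, results)."""
    with local_listener() as open_port:
        return open_port, connect_scan("127.0.0.1", range(open_port - 2, open_port + 3))


if __name__ == "__main__":
    port, res = demo()
    for p, state in sorted(res.items()):
        print(f"{p}/tcp {state}{'  <- our listener' if p == port else ''}")
```

The defender's view of the difference: every "open" result here leaves an accept() and a close in the target's logs, whereas Nmap's default SYN scan would not.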

49
Q

Nmap

A

Open-source tool used for network discovery and port scanning; supports the SYN (-sS), connect (-sT) and ACK (-sA) scan types above

50
Q

Penetration Testing Steps

A

Discovery - Footprinting and gathering information about the target
Enumeration - Performing port scans and resource identification methods
Vulnerability Mapping - Identifying vulnerabilities in identified systems and resources
Exploitation - Attempting to gain unauthorized access by exploiting vulnerabilities
Report to Management - Deliver management documentation of findings and suggested countermeasures

51
Q

Remote Logging

A

Putting the log files on a separate box will require the attackers to target that box too, which at the very least buys you time to notice the intrusion

52
Q

Simplex Communication

A

Use one way communication between the reporting devices and the central log repository

53
Q

Replication

A

Making multiple copies and keeping them in different locations

54
Q

Write-once media

A

Create a back up of log files that can be written to only once, preventing tampering

55
Q

Cryptographic hash chaining

A

Each log record (or log file) stores the hash of the previous one, so any record that is modified, deleted or reordered breaks every hash after it and the tampering can be detected
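The chaining on this card, as an added example that is not part of the original deck: each entry's hash covers its sequence number, the previous hash and the record, and verification is anchored to the last hash kept off-box (which is where the remote logging and write-once cards come in), so truncating the tail is caught as well as editing the middle. The log lines are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64


def chain_logs(records):
    """Return a list of {seq, record, prev, hash} entries where each hash covers
    the sequence number, the previous hash and the record, so any edit, deletion
    or reordering changes every hash after it."""
    chain = []
    prev = GENESIS
    for seq, rec in enumerate(records):
        h = hashlib.sha256(f"{seq}|{prev}|{rec}".encode()).hexdigest()
        chain.append({"seq": seq, "record": rec, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain, anchor=None):
    """Return (ok, first_bad_seq). `anchor` is the last hash as stored off-box
    (on write-once media or at the remote log host); checking against it also
    catches silent truncation of the tail."""
    prev = GENESIS
    for expected_seq, entry in enumerate(chain):
        expected = hashlib.sha256(f"{expected_seq}|{prev}|{entry['record']}".encode()).hexdigest()
        if entry["seq"] != expected_seq or entry["prev"] != prev or entry["hash"] != expected:
            return False, expected_seq
        prev = expected
    if anchor is not None and prev != anchor:
        return False, len(chain)
    return True, None


# Constructed sample log lines
SAMPLE = [
    "2024-05-01T10:00:01Z sshd[412]: Accepted publickey for alice from 10.0.0.5",
    "2024-05-01T10:02:13Z sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/apt update",
    "2024-05-01T10:05:44Z sshd[498]: Failed password for root from 203.0.113.9",
    "2024-05-01T10:05:45Z sshd[498]: Failed password for root from 203.0.113.9",
]


def tamper_demo():
    """Verify the intact chain, an edited copy and a truncated copy."""
    chain = chain_logs(SAMPLE)
    anchor = chain[-1]["hash"]             # what the remote log host holds
    # An intruder with write access rewrites the failed-login record...
    edited = json.loads(json.dumps(chain))
    edited[2]["record"] = edited[2]["record"].replace("Failed", "Accepted")
    # ...and another simply deletes the last two lines.
    truncated = chain[:2]
    return (verify_chain(chain, anchor),
            verify_chain(edited, anchor),
            verify_chain(truncated, anchor))
```

Without the anchor the truncated copy verifies clean, which is the practical reason the last hash (or a periodic signed checkpoint) has to live somewhere the log host's attacker cannot reach.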

56
Q

Signature Based Analysis Engine

A

Network attacks have distinct signatures: characteristic data passed between attacker and victim. These signatures are stored in a database and network traffic is compared against it. Few false positives, but it cannot detect an attack that has no signature yet

57
Q

Profile Matching Analysis Engine

A

Anomaly based. Builds a baseline of normal behavior and looks for network behavior outside the accepted norms, so it can detect novel attacks but is prone to false positives.
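Both engine types (cards 56 and 57) run here over constructed web-server log lines, as an added example that is not part of the original deck: the signature engine catches the two known-bad requests but not the scanner, and the anomaly engine catches the scanner (40 requests against a baseline of one or two per client) but not the single injection attempt. The log lines, signatures, baseline client list and z-score threshold are all assumptions.

```python
import re
import statistics
from collections import Counter

# Constructed access-log records: (client, method, path, status)
LOG = [
    ("10.0.0.5", "GET", "/index.html", 200),
    ("10.0.0.5", "GET", "/about.html", 200),
    ("10.0.0.7", "GET", "/login", 200),
    ("10.0.0.7", "POST", "/login", 302),
    ("10.0.0.9", "GET", "/search?q=shoes", 200),
    ("203.0.113.9", "GET", "/search?q=' OR 1=1--", 500),
    ("203.0.113.9", "GET", "/../../etc/passwd", 404),
] + [("198.51.100.4", "GET", f"/page{i}", 404) for i in range(40)]

# Clients known to be ordinary users, used to build the behavioural baseline
BASELINE_CLIENTS = ["10.0.0.5", "10.0.0.7", "10.0.0.9"]

# --- Signature engine: known-bad patterns; precise, but blind to anything new ---
SIGNATURES = {
    "sqli_tautology": re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE),
    "path_traversal": re.compile(r"\.\./"),
}


def signature_matches(log):
    """(client, signature name, path) for every request matching a signature."""
    hits = []
    for client, method, path, status in log:
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((client, name, path))
    return hits


# --- Profile/anomaly engine: baseline of normal behaviour, flags outliers ---
def anomalous_clients(log, baseline_clients=BASELINE_CLIENTS, z_threshold=3.0):
    """Map client -> z-score for clients whose request count sits more than
    z_threshold standard deviations above the baseline mean. Finds the
    unknown (a scraper or scanner) but will also flag a legitimately busy
    client, which is the false-positive cost of this approach."""
    counts = Counter(client for client, *_ in log)
    baseline = [counts.get(c, 0) for c in baseline_clients]
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0
    return {c: round((n - mean) / sd, 1) for c, n in counts.items()
            if (n - mean) / sd > z_threshold}


if __name__ == "__main__":
    for hit in signature_matches(LOG):
        print("signature:", hit)
    for client, z in anomalous_clients(LOG).items():
        print(f"anomaly: {client} z={z}")
```

Each engine misses what the other finds, which is why production NIDS deployments run both and why the anomaly side needs a baseline collected from traffic you have already confirmed is clean.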