Domain 5 - Identity and Access Management (IAM) Flashcards

1
Q
For our new startup, we are looking at different types of identity and access management. Which of these are COMMON types of access control? (Select all that apply).
A: TRAC (trust access control)
B: RUBAC (rule based access control)
C: MAC (mandatory access control)
D: RBAC (role based access control)
E: DAC (discretionary access control)
A

C, D and E

In Identity and Access Management we can use:
DAC (Discretionary Access Control): often used when availability is most important. Access to an object is assigned at the discretion of the object owner.
MAC (Mandatory Access Control): often used when confidentiality is most important. Access to an object is determined by labels and clearances; this is often used in the military or in organizations where confidentiality is very important.
RBAC (Role Based Access Control): often used when integrity is most important. A policy-neutral access control mechanism defined around roles and privileges. A role is assigned permissions, and subjects in that role are added to the group; if they move to another position they are moved to the permissions group for that position.
RUBAC (Rule Based Access Control) is based on IF/THEN statements (think older firewalls), and is not a type of Identity and Access Management. TRAC is... well, nothing, I made it up 0_o

2
Q

In Identity and Access Management you would primarily use MAC (Mandatory Access Control) for?
A: availability
B: integrity
C: confidentiality

A

C: confidentiality

4
Q

In Identity and Access Management you would primarily use RBAC (Role Based Access Control) for?
A: availability
B: integrity
C: confidentiality

A

B: Integrity

5
Q

is RUBAC Identity and access management

A

No. Rule based access control (RUBAC) is based on IF/THEN statements (think older firewalls).

6
Q

what is HMAC

A

HMAC (Hash-based Message Authentication Code) is a type of message authentication code (MAC) computed by running a cryptographic hash function over the data to be authenticated together with a shared secret key. Like any MAC, it provides both data integrity and authentication of the data's origin.

7
Q
A HMAC-based one-time password (HOTP) is an example of which type of authentication method?
A: something you know
B: something you are
C: somewhere you are
D: something you have
A

D: something you have

Explanation
Something you have - Type 2 Authentication: HOTP (HMAC-based one-time password): a shared secret and an incrementing counter; the token generates a code when asked, and the code is valid until used.

8
Q
Which of these countermeasures would be the LEAST effective against brute force attacks?
A: strong password requirements
B: salting
C: Key stretching
D: limited number of wrong logins
A

B: salting
Explanation
Salting is adding random data to a password before hashing. It defeats precomputed (rainbow) tables and stops identical passwords from producing identical hashes, but it does nothing to slow a brute force attack against a single hash. Key stretching and limited login attempts are good countermeasures; complex passwords help, but will eventually be broken.

9
Q

Which security issue in Kerberos was addressed in SESAME with Public Key Infrastructure (PKI)?
A: symmetric plain text key storage
B: never sending the password over the internet
C: PKI
D: asymmetric plaintext key storage

A
A: symmetric plaintext key storage
Explanation
SESAME (Secure European System for Applications in a Multi-vendor Environment) uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute Certificates) instead of Kerberos' tickets. It uses PKI (asymmetric) encryption, which fixed Kerberos' plaintext storage of symmetric keys.
10
Q

We are adding random data to our password hashes, to prevent attackers from successfully using rainbow table and dictionary attacks. What are we adding to the hash function?

A

salting
Explanation
Salting is random data that is used as an additional input to a one-way function that hashes a password or passphrase.
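Worked example for the two cards above (added here, not the deck's own material): an unsalted hash that a precomputed table recovers instantly, beside a salted and key-stretched PBKDF2 hash where the table is useless but a per-hash dictionary attack still works, only slower. The wordlist, the "rainbow table" and the 100,000-iteration work factor are constructed for the demonstration.

```python
import hashlib
import os
import secrets
from typing import Optional, Tuple

ITERATIONS = 100_000   # assumption: PBKDF2 work factor; raise it as hardware gets faster

# Constructed wordlist; the "rainbow table" below is its precomputed unsalted SHA-256 hashes.
WORDLIST = ["password", "letmein", "Winter2024!", "hunter2"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: the same password always gives the same hash, so precomputation works."""
    return hashlib.sha256(password.encode()).hexdigest()


RAINBOW = {unsalted_hash(w): w for w in WORDLIST}


def rainbow_lookup(stored: str) -> Optional[str]:
    """One dictionary lookup recovers any unsalted hash whose password is in the table."""
    return RAINBOW.get(stored)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[bytes, int, bytes]:
    """Salted and stretched: PBKDF2-HMAC-SHA256 with a fresh random 16-byte salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return secrets.compare_digest(candidate, digest)


def dictionary_attack(salt: bytes, iterations: int, digest: bytes,
                      wordlist=WORDLIST) -> Optional[str]:
    """What the attacker is left with once the salt kills the table: one guess at a time,
    each costing a full PBKDF2 run. Salting does not stop this; key stretching slows it."""
    for word in wordlist:
        if verify_password(word, salt, iterations, digest):
            return word
    return None
```

Storing (salt, iterations, digest) together, as `hash_password` returns them, is what lets the work factor be raised later without a migration for every account at once.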

11
Q
Which of these is the WEAKEST form of authentication we can implement?
A: something you know
B: biometrics
C: something you have 
D: something you are
A

A: something you know
Explanation
Something you know - Type 1 Authentication: Passwords, pass phrase, PIN etc., also called Knowledge factors. It is the weakest form of authentication, and can easily be compromised.

12
Q
When we look at using type 3 authentication, we would talk about all these terms EXCEPT which?
A: FAR
B: CER
C: FRR
D: CRR
A

D: CRR
Explanation
Something you are - Type 3 Authentication (Biometrics), uses Errors for Biometric Authentication: FRR (False rejection rate), FAR (False accept rate) and CER (Crossover Error Rate).

13
Q

We have found some older systems on our network using CHAP. What could be a reason we would want to migrate away from using CHAP?
A: it uses PPP
B: it uses SSL
C: it stores client passwords on the server, they are never sent over the internet
D: credentials are sent plaintext over the network

A

C: it stores client passwords on the server, they are never sent over the internet
Explanation
The CHAP server must store each client's shared secret (password) in plaintext so it can recompute the expected response, so an attacker who gains access to the server can steal every client's password stored on it.

14
Q
Jane is looking at the Kerberos implementation we have in place and is working on the Key Distribution Center (KDC). Which of these is part of the KDC?
A: TGT
B: SWG
C: BGP
D: TGS
A

D: TGS
Explanation
The KDC (Key Distribution Center) consists of the AS (Authentication Server) and the TGS (Ticket Granting Server). The TGT is a ticket the KDC issues, not a component of it.

15
Q

An administrator notices a user’s account is being used from across the world and at 0300 in the morning. They know the employee is not out of the country. What is the FIRST thing they should do?

A

Explanation
The administrator should lock the account, then, if deemed appropriate, call the user. We would assume the credentials are compromised and we don't want the attacker to stay on our network.

16
Q
We have been using Kerberos for some years. Bob is explaining the traffic flow to a new colleague. What does the client send to the TGS?
A: session key
B: authenticator
C: user ID
D: plaintext password
A

B: authenticator
Explanation
When requesting services, the client sends the following messages to the TGS: #1 The TGT and the ID of the requested service. #2 Authenticator (which is composed of the client ID and the timestamp), encrypted using the Client/TGS Session Key

17
Q
what is kerberos 
A. authentication
B. encryption
C. one way hash
D. data security
A

answer: A. Authentication

18
Q

what is PKI

A

answer:
Public key infrastructure (PKI) is a catch-all term for everything used to establish and manage public key encryption, one of the most common forms of internet encryption

19
Q

what does kerberos try to solve

A

It is primarily focused on verifying the identity of users over an insecure network connection. It is built on symmetric-key cryptography, with the KDC acting as the trusted third party.

20
Q

what service does kerberos use to verify the identity of users

A
  • Kerberos uses the KDC (Key Distribution Center) to verify the identity of a user over an insecure network.
21
Q

3 basic steps a client takes during authentication with kerberos

A
  1. A client (generally either a user or a service) sends a request for a ticket-granting ticket to the Key Distribution Center (KDC), including its user ID in plaintext.
  2. The KDC (its Authentication Server) looks the user up, creates a ticket-granting ticket (TGT) and a client/TGS session key; the session key is encrypted with a key derived from the client's password (the TGT itself is encrypted with the TGS's key).
  3. The KDC sends the TGT and the encrypted session key back to the client; only a client that knows the password can decrypt the session key and use the TGT.
22
Q

the 3 primary pieces (functions) of kerberos are

A
  1. A ticket-granting server (TGS) that connects the user with the service server (SS)
  2. A Kerberos database that stores the password and identification of all verified users
  3. An authentication server (AS) that performs the initial authentication
23
Q

What did Microsoft use prior to Kerberos?

A

NTLM (NT Lan Manager)

24
Q

Which Kerberos encryption types does Microsoft AD support?

A

Microsoft Active Directory supports these Kerberos encryption types:
.. Rivest Cipher 4 (RC4)
.. Advanced Encryption Standard 128-bit (AES-128)
.. Advanced Encryption Standard 256-bit (AES-256)
.. Data Encryption Standard (DES), disabled by default since Windows 7 / Server 2008 R2

25
Q

what is a cipher

A

a cipher is an algorithm for encrypting and decrypting data

26
Q

is LDAP encrypted

A

by default LDAP communications between client and server applications are not encrypted

27
Q

LDAPS is what

A

Lightweight Directory Access Protocol over TLS/SSL (LDAP over SSL, TCP port 636)

28
Q

Which of the following has the correct term-to-definition mapping?

i. Brute-force attacks: Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.
ii. Dictionary attacks: Files of thousands of words are compared to the user’s password until a match is found.
iii. Social engineering: An attacker falsely convinces an individual that she has the necessary authorization to access specific resources.
iv. Rainbow table: An attacker uses a table that contains all possible passwords already in a hash format.

A. i, ii
B. i, ii, iv
C. i, ii, iii, iv
D. i, ii, iii

A

answer is C:

The list has all the correct term-to-definition mappings.

29
Q

what are the 7 security controls - not security categories

A
  1. Preventive
  2. Compensating
  3. Corrective
  4. Deterrent
  5. Detective
  6. Directive
  7. Recovery
30
Q

There are 7 security control types. What are the 3 primary ones?

(This is not a question about the 3 security control categories.)

A
  • preventive
  • detective
  • corrective
31
Q

what are TTPs

A
  • Tactics
  • Techniques
  • Procedures

** describe the behaviors, processes, actions, and strategies used by a threat actor to develop threats and engage in cyberattacks **

32
Q

Microsoft AD uses both Kerberos and LDAP. What is the authorization and what is the Authentication

A

Kerberos is the Authentication
LDAP is the authorization

33
Q

kerberos attributes snippet

A
  • uses port 88 (UDP and TCP)
  • uses symmetric keys and requires a trusted third party (the KDC)
  • Kerberos v5 uses symmetric encryption such as AES-256
  • provides confidentiality and integrity
  • provides end-to-end security
  • CAN use PKI during CERTAIN phases of the authentication (PKINIT, public/private keys)
  • if a bad actor gets access to the KDC they have access to everything, since the KDC holds every principal's key
34
Q

What is constrained interface

A

• It's basically restricting what the user can do.
• You give them a restricted version of the interface so they do not have advanced capabilities that could, for example, break your application.

35
Q

Radius attributes

A
  • uses UDP, compared to TACACS+ which uses TCP
  • only the password is encrypted; most of the other information is unencrypted
  • UDP ports 1812 (authentication) and 1813 (accounting)
  • can be set to use TCP, and then TLS for security (RadSec)
  • central authentication service
  • used with the 802.1X standard
  • open standard
  • weaker protection of the initial handshake compared to TACACS+
36
Q

OAuth 2.0 attributes

A
  • RFC 6749 describes OAuth 2.0
  • OAuth lets a user grant a third-party application delegated access to their resources without sharing their password with it
  • exchanges information using APIs
  • the app obtains an access token from an authorization server
  • later, the app includes the access token in its API requests for authorization
  • often used in web applications
    • OpenID Connect adds authentication functions to OAuth, which only does authorization
  • in OIDC the user is presented with a choice of identity providers (IdPs)
  • OIDC adds SSO-type functionality to OAuth
37
Q

A software developer created an application and wants to protect it with DRM technologies. Which of the following is she most likely to include? (Choose three.)

  1. virtual licensing
  2. persistent online authentication
  3. automatic expiration
  4. continuous audit trail
A

2,3,4
Answer: Persistent online authentication, automatic expiration, and a continuous audit trail are all methods used with digital rights management (DRM) technologies. Virtual licensing isn’t a valid term within DRM.

38
Q

A company maintains an e-commerce server used to sell digital products via the internet. When a customer makes a purchase, the server stores the following information on the buyer: name, physical address, email address, and credit card data. You’re hired as an outside consultant and advise them to change their practices. Which of the following can the company implement to avoid an apparent vulnerability?

A. Anonymization
B. Pseudonymization
C. Move the company location
D. Collection limitation

A

D. Collection limitation

Answer: The company can implement a data collection policy of minimization to minimize the amount of data they collect and store. If they are selling digital products, they don’t need the physical address. If they are reselling products to the same customers, they can use tokenization to save tokens that match the credit card data, instead of saving and storing credit card data. Anonymization techniques remove all personal data and make the data unusable for reuse on the website. Pseudonymization replaces data with pseudonyms. Although the process can be reversed, it is not necessary.

39
Q

Pseudonymization
1. what is it
2. is it reversible

A
  1. Pseudonymization replaces data with pseudonyms
  2. the process can be reversed
40
Q

An administrator is planning to deploy a database server and wants to ensure it is secure. She reviews a list of baseline security controls and identifies the security controls that apply to this database server. What is this called?
A. Tokenization
B. Scoping
C. Standards selection
D. Imaging

A

B. Scoping

41
Q

A cloud-based provider has implemented an SSO technology using JSON Web Tokens. The tokens provide authentication information and include user profiles. Which of the following best identifies this technology?
A. OIDC
B. OAuth
C. SAML
D. OpenID

A

A. OIDC

Explanation: OpenID Connect (OIDC) uses a JavaScript Object Notation (JSON) Web Token (JWT) that provides both authentication and profile information for internet-based single sign-on (SSO). None of the other answers use JWTs carrying user profile claims: SAML uses XML assertions, and OAuth access tokens are for authorization. OIDC is built on the OAuth 2.0 framework. OpenID provides authentication but doesn't include profile information.

42
Q

Which of the following best expresses the primary goal when controlling access to assets?
A. Preserve confidentiality, integrity, and availability of systems and data.
B. Ensure that only valid objects can authenticate on a system.
C. Prevent unauthorized access to subjects.
D. Ensure that all subjects are authenticated.

A

A. Preserve confidentiality, integrity, and availability of systems and data.

Explanation: A primary goal when controlling access to assets is to protect against losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system, but objects do not authenticate. Subjects access objects, but objects do not access subjects. Identification and authentication are important as the first step in access control, but much more is needed to protect assets.

43
Q

sesame attributes

A
  • called the successor to Kerberos
  • uses PKI/asymmetric encryption (public/private keys)
  • no plaintext key storage
  • not widely used, since Kerberos is native in most OSes
44
Q

TACACS

A
  • this is no longer used
  • only encrypted password
  • used tcp/udp port 49
  • used reusable passwords
  • replaced with TACACS+ or radius
45
Q

TACACS+ attributes

A
  • developed by Cisco (proprietary)
  • uses TCP, not UDP
  • supports multi-factor authentication
  • TCP port 49 for authentication with the TACACS+ server
  • encrypts the entire packet body, not just the password
46
Q

chap (challenge handshake authentication protocol)

A
  • requires the client and server to both know the plaintext shared secret, but it is never sent over the network
  • better security than PAP (PAP did not encrypt the username or password)
  • the password is hashed via the challenge process
  • still considered an acceptable technology for use in modern applications (not MS-CHAP or MS-CHAPv2, which are both broken)
47
Q

what access controls are used when integrity is important

A
  • role based
  • attribute base
48
Q

what access controls are used when availability is important

A

DAC (discretionary access control)

49
Q

what access controls are used when confidentiality is important

A

MAC (mandatory access control)

50
Q

mandatory access attributes

A
  • objects have labels
  • subjects have clearances
  • the clearance must dominate the object's label (higher than or equal to it)
  • it is possible to have subjects using labels too, but that is not the normal implementation
51
Q

chap steps

A
  • once the client and server establish a link,
  • the server sends a random value (the challenge) to the client
  • the client combines the value with the shared secret, hashes it, and sends the hash to the server (the response)
  • the server computes its own hash over the same challenge with the shared secret they both know, using the same hash function
  • if the hash values match, the server knows the client knows the correct shared secret and authenticates the client, without the secret ever crossing the network
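Worked example of the CHAP exchange above, serving the CHAP cards in this deck (added here, not part of the original deck): both sides of RFC 1994 CHAP with MD5, where the response is MD5(Identifier || secret || Challenge). The secret database, peer names and wordlist are constructed. It shows the secret never crossing the wire, the server holding it in plaintext, a replayed response failing because each challenge is single-use, and the practitioner's caveat that a captured challenge/response pair lets an eavesdropper guess a weak secret offline.

```python
import hashlib
import os
import secrets
from typing import Dict, Optional, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapServer:
    """The authenticator. It must keep every peer's shared secret in plaintext,
    because it needs the secret itself to recompute the expected response."""

    def __init__(self, secrets_db: Dict[str, bytes]) -> None:
        self.secrets_db = secrets_db                      # name -> plaintext shared secret
        self.identifier = 0
        self.pending: Dict[str, Tuple[int, bytes]] = {}   # name -> (identifier, challenge)

    def challenge(self, name: str) -> Tuple[int, bytes]:
        self.identifier = (self.identifier + 1) & 0xFF
        chal = os.urandom(16)                             # fresh random value every time
        self.pending[name] = (self.identifier, chal)
        return self.identifier, chal

    def check(self, name: str, identifier: int, response: bytes) -> bool:
        pending = self.pending.pop(name, None)            # a challenge is good for one response
        secret = self.secrets_db.get(name)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return secrets.compare_digest(expected, response)


class ChapClient:
    def __init__(self, name: str, secret: bytes) -> None:
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, int, bytes]:
        # Only the name, identifier and hash go on the wire; the secret never does.
        return self.name, identifier, chap_response(identifier, self.secret, challenge)


def run_chap(server: ChapServer, client: ChapClient) -> Tuple[bool, Tuple[int, bytes, bytes]]:
    """One authentication round; also returns what an eavesdropper on the link would see."""
    ident, chal = server.challenge(client.name)
    name, ident, resp = client.respond(ident, chal)
    return server.check(name, ident, resp), (ident, chal, resp)


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  wordlist) -> Optional[bytes]:
    """Caveat: challenge and response cross the network in the clear, so a weak
    secret can still be guessed offline from a single captured exchange."""
    for guess in wordlist:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None
```

The single-use `pending` entry is what stops replay; the `offline_guess` function is why CHAP still needs long, random shared secrets even though they are never transmitted.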
52
Q

kerberos ldap ports

A
  • Kerberos: TCP and UDP 88
  • LDAP: TCP 389
  • secure LDAP (LDAPS): TCP 636
53
Q

OpenID Connect (OIDC)

related protocols that provide different sevices

A
  • is an authentication layer on top of OAuth 2.0
  • it builds on the OpenID authentication standard
  • it provides both authentication and authorization
  • it builds on OpenID but uses JSON Web Tokens (JWT)
  • it federates identity management to provide users with an authentication experience similar to SSO
  • the identity provider authenticates users and helps them prove their identity to other services
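Worked example for the OIDC/JWT cards (added here, not the deck's own material): minting and verifying an OIDC-style ID token in Python with nothing beyond the standard library. The key, issuer URL, client_id and claims are constructed. Real identity providers normally sign ID tokens with RS256 and publish the public keys at a JWKS endpoint; HS256 with a shared key is used here only so the example runs offline. The relying-party check pins the algorithm (rejecting "none"), then checks signature, issuer, audience and expiry in that order.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, List, Optional

# Constructed values: a shared HS256 key, the issuer and the client_id used as audience.
KEY = b"constructed-shared-secret-do-not-reuse"
ISSUER = "https://idp.example"
AUDIENCE = "my-client-id"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj: Any) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def mint_id_token(claims: Dict[str, Any], key: bytes) -> str:
    """IdP side: header.payload.signature, signed with HMAC-SHA256."""
    signing_input = _b64url(_json({"alg": "HS256", "typ": "JWT"})) + "." + _b64url(_json(claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_id_token(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Relying-party side: return the claims only if alg, signature, iss, aud and exp all pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":               # pin the algorithm; never trust "none"
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):     # tamper with any byte and this fails
        return None
    if claims.get("iss") != issuer:                # token from the IdP we trust
        return None
    aud = claims.get("aud")
    aud_list: List[str] = aud if isinstance(aud, list) else [aud]
    if audience not in aud_list:                   # token minted for us, not another client
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims
```

The profile information the card mentions (`email`, `name`) travels as ordinary claims in the payload; it is only trustworthy because the signature and issuer checks passed first.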
54
Q

accountability has 2 prerequisits

A
  1. identification - must have unique identifiers, like usernames, and must not allow shared, departmental or generic accounts
  2. authentication - must be protected by strong authentication to prevent unauthorized users from gaining access

Tracking (logging, auditing) must be done to enforce accountability: a locked-down, centralized log server where even admins are not able to purge logs, to prevent unauthorized changes to them.

55
Q

capabilites access control

A

Lists the access controls and privileges assigned to a subject.
* ACLs focus on objects whereas capability lists focus on subjects.

56
Q

TCB access, capabilites table, ACL, Mandatory, Discretionary

A

image below

57
Q

reference monitor concept

A

image below

58
Q

access control matrix, capabilities, ACL diagram

A

image below

59
Q

Capability Tables

A
  • Each row of an access control matrix is a capability list. A capability list is tied to the subject; it lists valid actions that can be taken on each object.
  • List access controls and privileges assigned to a subject.
  • ACLs focus on objects whereas capability lists focus on subjects.
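Worked example for the capability, ACL and reference monitor cards above (added here, not part of the original deck): a small access control matrix in Python, with the row view (capability list, tied to the subject) and column view (ACL, tied to the object) derived from the same matrix, a default-deny reference monitor that mediates every access, and the revocation asymmetry that makes ACLs easier to administer per object. The subjects, objects and rights are constructed.

```python
from typing import Dict, List, Set

# Constructed access control matrix: rows are subjects, columns are objects,
# each cell is the set of actions that subject may perform on that object.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.db": {"read", "write"}, "report.doc": {"read"}},
    "bob":   {"report.doc": {"read", "write"}},
    "carol": {},
}


def capability_list(matrix: Dict[str, Dict[str, Set[str]]], subject: str) -> Dict[str, Set[str]]:
    """Row view, tied to the subject: every object it may touch and how."""
    return {obj: set(perms) for obj, perms in matrix.get(subject, {}).items() if perms}


def acl(matrix: Dict[str, Dict[str, Set[str]]], obj: str) -> Dict[str, Set[str]]:
    """Column view, tied to the object: every subject allowed in and with what rights."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if row.get(obj)}


def reference_monitor(matrix: Dict[str, Dict[str, Set[str]]],
                      subject: str, obj: str, action: str) -> bool:
    """Complete mediation with default deny: no cell, no access."""
    return action in matrix.get(subject, {}).get(obj, set())


def revoke_object(matrix: Dict[str, Dict[str, Set[str]]], obj: str) -> List[str]:
    """Removing all access to an object is one column in ACL terms, but with capability
    lists it means visiting every subject's row. Returns the rows that changed."""
    changed = []
    for subj, row in matrix.items():
        if row.pop(obj, None) is not None:
            changed.append(subj)
    return changed


if __name__ == "__main__":
    print(capability_list(MATRIX, "alice"))
    print(acl(MATRIX, "report.doc"))
    print(reference_monitor(MATRIX, "bob", "payroll.db", "read"))   # False: default deny
```

Unknown subjects, unknown objects and empty cells all fall through to `False`; that is the property a reference monitor has to guarantee, not just the happy path.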
60
Q

TCB access control

A
61
Q

MAC (mandatory access control) attributes

A
  • most stringent access control
  • static and hierarchical approach to control
  • the operating system itself restricts permissions for subjects
  • users are not able to modify permissions
  • security labels on subjects and objects
  • normally implemented as a rule-based access control system
  • users and resources have labels; the OS makes access control decisions by comparing the labels
  • SELinux is an OS mechanism that implements this
62
Q

pharming

A
  • often begins with phishing messages
  • the attackers create a fake website that looks legitimate and send users a link to it. They might use typosquatting to make the fake site's address look similar to the real one, and copy the look and feel of the real site (also part of credential harvesting)
  • it could also use DNS poisoning to redirect the user to the fake site, so even a correctly typed address lands on the attacker's server
63
Q

smishing

A
  • sms
  • IM
64
Q

what is session sidejacking

A

sniffing the same network the victim is on and stealing the session cookies to then impersonate the victim

65
Q

what is cms (credential management system)

A
  1. provides tools to provision, manage, audit, and deprovision credentials.
    * password managers are a common example
    * RAs and CAs are examples
    * RA - performs identity proofing
    * CA - verifies authenticity and issues certificates
66
Q

what federated solutions can IDaas use

A
  • SAML
  • OAuth
67
Q

LDAP is considered an on-prem what?

A

Identity and access manager (IAM)

68
Q

Why is OpenID Connect important?

A
  • Identity is the key to any cloud strategy. At the core of modern authorization is OAuth 2.0, but OAuth 2.0 lacks an authentication component. Implementing OpenID Connect on top of OAuth 2.0 completes an IAM strategy. As more and more companies need to interoperate and more identities are being populated on the internet the demand to be able to re-use these identities will also increase thus, to serve the demand of digital customers it is crucial that identity and authentication be a part of your strategy not only authorization.
69
Q

oauth 4 roles

A
  1. resource owner - (you)
  2. client - (the application that wants to access data or perform an action on your behalf, i.e. on behalf of the resource owner)
  3. authorization server - (the one that knows the resource owner: Google, Facebook, wherever you already have an account)
  4. resource server - any server hosting the protected resources, which accepts and responds to access requests

The authorization server and resource server might be the same server; sometimes they are not even part of the same organization, and the resource server simply trusts the authorization server.

70
Q

SAML process example

A
  1. The user opens their browser and navigates to the service provider’s web application, which uses an identity provider for authentication.
  2. The web application responds with a SAML request.
  3. The browser passes SAML request to the identity provider.
  4. The identity provider parses the SAML request.
  5. The identity provider authenticates the user by prompting for a username and password or some other authentication factor. NOTE: The identity provider will skip this step if the user is already authenticated.
  6. The identity provider generates the SAML response and returns it to the user’s browser.
  7. The browser sends the generated SAML response to the service provider’s web application which verifies it.
  8. If the verification succeeds, the web application grants the user access.
71
Q

SAML attributes and roles

A
  • an OASIS standard (SAML 2.0, 2005)
  • XML based
  • provides authentication, authorization and attribute information about a principal
72
Q

kerberos attributes

A
  • one of the earliest models of SSO
  • provides authentication
  • its database stores the password and identification of all verified users
  • Kerberos realm (principals, KDC, Authentication Server (AS), Ticket Granting Server (TGS))
73
Q

3 (MAC) mandatory access control models/environments

A
  1. hierarchical environment - relates the various classification labels in an ordered structure from low to medium to high, such as confidential, secret and top secret.
  2. compartmentalized environment - no relationship between one security domain and another; each domain represents a separate, isolated compartment. The subject must have the specific clearance to gain access to an object.
  3. hybrid environment - each hierarchical level may contain numerous subdivisions that are isolated from the rest of the security domain. A subject must have the correct clearance and a need to know the data within a specific compartment to gain access to the compartmentalized object.
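Worked example for the MAC cards (added here, not the deck's own material): the dominance check behind "clearance must dominate the object's label", written in Python with labels that carry a hierarchical level plus a set of compartments, so the same function covers all three environments above. The level names follow the card's example; `can_write` is an addition beyond what the deck states, implementing the Bell-LaPadula no-write-down rule that MAC systems usually pair with the read rule.

```python
from typing import FrozenSet, NamedTuple

# Hierarchical levels in dominance order (constructed, mirroring the card's example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


class Label(NamedTuple):
    """A security label: a hierarchical level plus zero or more compartments.
    The same type serves as an object's label and as a subject's clearance."""
    level: str
    compartments: FrozenSet[str] = frozenset()


def label(level: str, *compartments: str) -> Label:
    return Label(level, frozenset(compartments))


def dominates(a: Label, b: Label) -> bool:
    """a dominates b when its level is at least b's AND it holds every compartment b has.
    Hierarchical environment: compartments empty, only the level matters.
    Compartmentalized environment: same level, disjoint compartments, no dominance.
    Hybrid environment: both conditions must hold."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments


def can_read(clearance: Label, obj: Label) -> bool:
    """MAC read rule from the card: the subject's clearance must dominate the object's label."""
    return dominates(clearance, obj)


def can_write(clearance: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property (assumption: beyond what the deck states): no write down,
    so the object's label must dominate the subject's clearance."""
    return dominates(obj, clearance)


if __name__ == "__main__":
    analyst = label("secret", "crypto")
    print(can_read(analyst, label("confidential")))          # True: level dominates
    print(can_read(analyst, label("secret", "nuclear")))     # False: missing compartment
    print(can_write(analyst, label("confidential")))         # False: write down refused
```

A subject with top secret clearance but no compartments still cannot read a secret document in the "crypto" compartment; that is the need-to-know part of the hybrid environment, and it is what a pure level comparison gets wrong.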
74
Q

OpenID

A
  • authentication standard
  • maintained by OpenID foundation
  • an OpenID provider provides decentralized authentication
  • user enter their Open ID identifier (such as bobsmith1234.myopenid.com) on a site and the OpenID provider verifies the identifier
75
Q

pass the hash is an attack on what

A
  • While pass-the-hash attacks can occur on Linux, Unix, and other platforms, they are most prevalent on Windows systems. In Windows, PtH exploits single sign-on (SSO) through NT LAN Manager (NTLM), Kerberos, and other authentication protocols.
  • When a password is created in Windows, it is hashed and stored in the Security Accounts Manager (SAM), the Local Security Authority Subsystem (LSASS) process memory, the Credential Manager (CredMan) store, the ntds.dit database in Active Directory, or elsewhere. When a user logs onto a Windows workstation or server, they essentially leave their password credentials behind on it.
76
Q

what can enabling kerberos preauthentication help to prevent

A
  • password guessing attacks (offline cracking of the AS-REP)
  • ASREPRoast identifies and targets users that do not have it enabled
77
Q

kerberoasting is what

A
  • the attacker requests and collects encrypted ticket-granting service (TGS) tickets for service accounts (user accounts with SPNs); each ticket is encrypted with that service account's key
  • attempts to crack the collected tickets offline to recover the service account's password
78
Q

HOTP

A
  • The "H" in HOTP stands for Hash-based Message Authentication Code (HMAC)
  • includes a hash function
  • 6 to 8 digits
  • valid until used