Domain 5: Identity and Access Management Flashcards

1
Q

What binds a public key to an identity, is usually issued (signed) by a CA in a PKI, and has a corresponding private key that only the holder keeps (the certificate itself never contains the private key)?

A

Digital Certificates

2
Q

What device acts as a client to a RADIUS server, forwarding user credentials so that the RADIUS server can provide AAA services?

A

Network Access Server

3
Q

What AAA protocol uses UDP, obfuscates only the User-Password attribute (the rest of the packet, including the username, is sent in cleartext), and is common in remote access systems?

A

RADIUS

4
Q

What AAA protocol uses TCP, encrypts the entire packet body, and is common for administrative access to network devices?

A

TACACS+

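The "encrypts the password only" point on the RADIUS card and the contrast with TACACS+ on the card above are easiest to see on the wire. The following is an added example, not part of the flashcard deck: it implements the RFC 2865 section 5.2 User-Password hiding scheme and builds a minimal Access-Request, so you can check that the User-Name travels in cleartext while only the User-Password attribute is obfuscated. The shared secret, username, password and fixed Request Authenticator are constructed for the demo.

```python
# Added example (not part of the flashcard deck): RFC 2865 User-Password hiding,
# showing why RADIUS is said to "encrypt only the password". The shared secret,
# authenticator and credential values below are constructed for the demo.
import hashlib
import os
import struct
from typing import Optional

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets, then XOR each
    block with MD5(secret + previous ciphertext block); the first block is keyed with
    the 16-octet Request Authenticator instead of a previous block."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: the same key stream, so anyone holding the shared secret and the
    cleartext Request Authenticator (it is in the packet) can recover the password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        cipher_block = hidden[i:i + 16]
        out += _xor(cipher_block, hashlib.md5(secret + prev).digest())
        prev = cipher_block
    # Strip the zero padding. Caveat: a password that itself ends in NUL bytes is truncated.
    return out.rstrip(b"\x00")


def _attribute(attr_type: int, value: bytes) -> bytes:
    # RADIUS attribute: Type (1 octet), Length (1 octet, includes this 2-byte header), Value.
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, secret: bytes, username: bytes, password: bytes,
                         request_authenticator: Optional[bytes] = None) -> bytes:
    """Minimal Access-Request: 20-byte header (Code, Identifier, Length, Request
    Authenticator) followed by User-Name (cleartext) and the hidden User-Password."""
    ra = request_authenticator or os.urandom(16)
    attrs = _attribute(ATTR_USER_NAME, username)
    attrs += _attribute(ATTR_USER_PASSWORD, hide_user_password(password, secret, ra))
    header = struct.pack("!BBH", CODE_ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra
    return header + attrs


def demo() -> dict:
    secret = b"shared-secret-demo"   # constructed shared secret between NAS and server
    ra = bytes(range(16))            # fixed authenticator so the demo repeats; a real NAS uses random bytes
    username, password = b"alice", b"Correct-Horse-9"
    pkt = build_access_request(7, secret, username, password, ra)
    # Offset of the hidden password: header (20) + User-Name attribute (2 + 5) + User-Password header (2).
    hidden = pkt[20 + 2 + len(username) + 2:]
    return {
        "length": len(pkt),
        "username_in_clear": username in pkt,   # True: everything except the password is readable on the wire
        "password_in_clear": password in pkt,   # False: only the User-Password attribute is obfuscated
        "recovered": reveal_user_password(hidden, secret, ra),
    }


if __name__ == "__main__":
    print(demo())
```

The hiding is an MD5 key stream derived from the shared secret, not an authenticated cipher: a sniffer who captures the request gets the Request Authenticator for free and can guess the shared secret offline, and every other attribute is already plaintext. This is why the practical fix is to wrap RADIUS in RadSec (RADIUS over TLS) or IPsec rather than to rely on the User-Password hiding, and why TACACS+ obfuscating the whole body is the better fit for device administration.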
5
Q

What AAA protocol is based on RADIUS and addresses many of its weaknesses, but is not backward compatible with RADIUS?

A

Diameter

6
Q

What authentication protocol provides authentication, confidentiality, and integrity using symmetric-key cryptography, but does not itself provide accounting or logging?

A

Kerberos

7
Q

What are some common Kerberos attacks?

A

Replay
Pass-the-ticket
Golden ticket
Kerberoasting

8
Q

What is a more granular approach to least privilege that allows temporary elevation of privilege, sometimes implemented through ephemeral accounts or a "broker and remove access" strategy?

A

Just-in-Time
JIT

9
Q

What does FAR stand for?

A

False acceptance rate

10
Q

What does FRR stand for?

A

False rejection rate

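FAR and FRR are only meaningful at a chosen decision threshold, and the point where they cross (the crossover error rate, CER, also called EER) is how biometric systems are compared. The following is an added example, not part of the flashcard deck, that computes both rates over a threshold sweep, finds the crossover, and picks a high-security operating point. The genuine and impostor match scores are constructed sample data (higher score means a closer match).

```python
# Added example (not from the deck): FAR, FRR and crossover error rate (CER/EER)
# computed from constructed biometric match scores. Higher score = closer match.
import math

# Constructed sample data: match scores for legitimate users (genuine) and for
# people presenting against someone else's template (impostor).
GENUINE_SCORES = [0.91, 0.85, 0.78, 0.70, 0.62, 0.55]
IMPOSTOR_SCORES = [0.20, 0.30, 0.41, 0.52, 0.58, 0.66]


def false_acceptance_rate(impostor_scores, threshold):
    """FAR (Type II error): fraction of impostor attempts the system accepts."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def false_rejection_rate(genuine_scores, threshold):
    """FRR (Type I error): fraction of legitimate attempts the system rejects."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_rates(genuine_scores, impostor_scores):
    """Sweep every observed score as a candidate threshold; returns [(threshold, FAR, FRR)]
    sorted by threshold. Raising the threshold lowers FAR and raises FRR."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, false_acceptance_rate(impostor_scores, t), false_rejection_rate(genuine_scores, t))
            for t in thresholds]


def crossover_error_rate(genuine_scores, impostor_scores):
    """CER/EER: the threshold where FAR and FRR are closest (ties: lowest threshold)
    and the error rate there. A lower CER means a more accurate system."""
    t, far, frr = min(error_rates(genuine_scores, impostor_scores),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (far + frr) / 2


def threshold_for_max_far(genuine_scores, impostor_scores, max_far):
    """High-security operating point: the lowest threshold whose FAR does not exceed
    max_far, returned together with the FRR (user friction) paid for it."""
    for t, far, frr in error_rates(genuine_scores, impostor_scores):
        if far <= max_far:
            return t, frr
    return None


if __name__ == "__main__":
    for t, far, frr in error_rates(GENUINE_SCORES, IMPOSTOR_SCORES):
        print(f"threshold={t:.2f}  FAR={far:.3f}  FRR={frr:.3f}")
    print("crossover:", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("zero-FAR operating point:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

With this data the crossover sits at a threshold of 0.62 with FAR = FRR = 1/6; demanding zero false acceptances pushes the threshold to 0.70 and rejects a third of legitimate attempts, which is the trade-off the two flashcards are describing.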
11
Q

What are some common single sign on methods/standards?

A

SAML
SESAME
KryptoKnight
OAuth
OpenID

12
Q

What is an XML-based open-standard data format for exchanging authentication and authorization data between an identity provider and a service provider?

A

Security Assertion Markup Language
SAML

13
Q

What open standard for delegated authorization lets users grant a third-party application limited access to their account on sites like Google or Facebook without sharing their password?

A

OAuth 2.0 (authorization only; "log in with Google" style authentication is layered on top of it by OpenID Connect)

14
Q

What open standard provides decentralized authentication, allowing users to log in to multiple unrelated sites with one set of credentials maintained by a third-party identity provider?

A

OpenID

15
Q

What access control model works where every object has an owner, and the owner can grant or deny access to any other subject?

A

Discretionary Access Control
DAC

16
Q

What access control model uses roles or groups to assign permissions to multiple users at once, with roles usually mapped to job functions?

A

Role Based Access Control
RBAC

17
Q

What access control model applies global rules that apply to all subjects and rules within the model are sometimes referred to as restrictions or filters?

A

Rule-based Access Control

18
Q

What access control model uses rules that can combine multiple attributes of the subject, object, and environment, making it much more flexible than a rule-based access control model?

A

Attribute Based Access Control

19
Q

What access control model uses labels applied to both subjects and objects and is referred to as a lattice-based model?

A

Mandatory Access Control

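"Lattice-based" on the MAC card means that labels are partially ordered: a label dominates another only if its classification level is at least as high and its category set is a superset, so some pairs of labels are incomparable, and any two labels have a least upper bound. The following is an added example, not part of the flashcard deck, that implements that dominance relation with the Bell-LaPadula read and write checks on top of it. The level names and categories are constructed for the demo.

```python
# Added example (not from the deck): MAC labels as a lattice, with the Bell-LaPadula
# simple security property (no read up) and *-property (no write down).
from dataclasses import dataclass, field
from typing import FrozenSet

# Constructed classification hierarchy; categories (compartments) are free-form strings.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """Partial order of the lattice: higher-or-equal level AND superset of categories."""
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories

    def comparable(self, other: "Label") -> bool:
        return self.dominates(other) or other.dominates(self)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label that dominates both (e.g. the label a
    document combining two inputs must carry)."""
    return Label(max(a.level, b.level, key=LEVELS.__getitem__), a.categories | b.categories)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label both inputs dominate."""
    return Label(min(a.level, b.level, key=LEVELS.__getitem__), a.categories & b.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: a subject may read an object only if it dominates it (no read up)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: a subject may write an object only if the object dominates the subject (no write down)."""
    return obj.dominates(subject)


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"NUCLEAR"}))
    memo = Label("CONFIDENTIAL")
    crypto_report = Label("SECRET", frozenset({"CRYPTO"}))
    print("analyst reads memo:", can_read(analyst, memo))                     # True
    print("analyst writes memo:", can_write(analyst, memo))                   # False (write down)
    print("analyst vs crypto report comparable:", analyst.comparable(crypto_report))  # False
    print("combined label:", join(analyst, crypto_report))
```

The incomparable pair is the practical point: a SECRET/NUCLEAR subject cannot read a SECRET/CRYPTO object even though the levels match, because the category sets do not nest, and the join shows why aggregating compartmented material raises the label rather than keeping it at the higher input.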
20
Q

What are some examples of preventative controls?

A

Job rotation, data classification, penetration testing, and access control methods

21
Q

What are some examples of detective controls?

A

Job rotation, mandatory vacations, audit trails, violation reports, honey pots, and incident investigations

22
Q

What are some examples of corrective controls?

A

Intrusion detection systems that respond by changing the environment, antivirus solutions that quarantine or remove malware, alarms, business continuity planning, security policies

23
Q

What type of access control attack tries every word from a predefined word list as the password?

A

Dictionary Attack

24
Q

What type of attack attempts to break a password by trying every possible combination of characters?

A

Brute Force Attack

25
Q

What attack presents a fake logon screen, so that when a user attempts to log in, the screen sends the username and password to the attacker?

A

Spoofed logon Screen

26
Q

What type of attack is where an attacker uses a packet-capturing tool to capture, analyze, and read data sent over a network?

A

Sniffer Attacks

27
Q

What defeats sniffer attacks?

A

Encrypting data in transit (the traffic can still be captured, but the captured data cannot be read)

28
Q

What attack is pretending to be something or someone else, and it is used in many types of attacks?

A

Spoofing Attacks

29
Q

What is the best defense against social engineering?

A

Security Awareness Training

30
Q

What phishing attack targets specific individuals or groups of users?

A

Spear Phishing

31
Q

What techniques can prevent access control attacks?

A

Strong password policy: passwords that are long, complex, and changed periodically
Account lockout after a set number of failed logon attempts

32
Q

How can spoofed logon screen attacks be prevented?

A

Secure endpoints

33
Q

What attack reads, from a distance, the electromagnetic emanations that every monitor produces, and is especially effective against CRT monitors?

A

Tempest (van Eck phreaking; strictly, TEMPEST names the countermeasure standard for shielding against such emanation attacks)

34
Q

What emanation countermeasure broadcasts false signals at all times to mask and hide the presence of real emanations?

A

White Noise