Domain 5: Identity and Access Management Flashcards
MAC
Mandatory Access Control
Uses classifications and labels to define user access.
Used in very strict environments.
The Operating System enforces MAC (when used in a digital format).
DAC
Discretionary Access Control
Discretionary Access Control (DAC) allows the Data Owner to control and define access to objects.
ABAC
Attribute-Based Access Control
Attribute-Based Access Control (ABAC) makes decisions based on attributes of the subject, the object, or the requested action.
RBAC
Role-based Access Control
Role-Based Access Control (RBAC) maps a subject’s role with their needed operations and tasks.
Type 1 authentication factor
Something you know: password, PIN
Type 2 Authentication factor
Something you have: Smartcard, MFA app on phone
Type 3 Authentication factor
Something you are: Fingerprint, voice id, face id
CER
Crossover Error Rate: Defines the point where the false rejection rate equals the false acceptance rate.
Type 1 Error
Falsely rejected Authentication (user should have access but is denied)
Type 2 Error
False acceptance (User should NOT have access but is granted access.)
Registration (biometrics)
Registration is the capturing of an individual's biometric data.
(is this capturing of any type of identifiable data?)
Hybrid Federation
Related to a type of authentication infrastructure:
Authentication occurs on-premises, not in the cloud, but grants access to resources beyond just the on-premises environment.
Cloud based federation
Uses a third party for shared federated identities, e.g., Okta or Duo.
On-premise federation
Federation is hosted on premises for access to on-premises resources.
Relationship of federated identities and SSO
SSO provides single sign-on within one organization.
Multiple SSO systems that agree to share information and access create a FEDERATION.
Two basic components of PKI
CA and RA - certificate authority and registration authority.
Public Key Infrastructure (PKI) uses a central authority to store encryption keys or certificates in order to establish the identity or digital signature of a user. PKI systems use certificate authorities (CAs) and registration authorities (RAs).
OAuth pairs with _____ to perform identity verification and obtain user profile information
OpenID Connect
Audit Trail
Log that provides a play-by-play record of actions.
The audit trail allows an administrator to review events and users linked to those events. It can be used to review employee misconduct or provide a log of events leading to system failure. An audit trail is required for some security standards, including the Health Insurance Portability and Accountability Act (HIPAA).
Smart Card
Smart cards are credit card-sized devices that contain a microprocessor. A smart card typically contains an encrypted private key issued through a public key infrastructure (PKI) system that the authenticating environment trusts. When the smart card is inserted into a reader, the user must enter a PIN before the smart card releases the private key. Smart cards can be programmed to wipe themselves if a PIN is entered incorrectly too many times.
Identification device with the best tamper resistance
Smart Card
Access Control Matrix
Table that lists objects, subjects, and their privileges.
SPML
Service Provisioning Markup Language
Used to provision users, resources, and services.
Is Non-Discretionary Access Model a thing?
Yes
The Non-Discretionary Access Control model uses a central administration element to govern access. Mandatory Access Control models employ data classification labels to control access.
CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 681-690.
OpenID Provider
The OpenID Provider (also called the Identity Provider or IdP) performs user authentication, user consent, and token issuance.
OpenID Relying Party
The resource or server the end-user is trying to access. This resource relays the authentication request to the OpenID Provider.
OpenID End-User
The user attempting to log in
asynchronous token device
An asynchronous token device generates a one-time password using a challenge/response mechanism. For example, a workstation might display a numerical challenge value.
Data Owner
Typically C-Suite.
In smaller orgs, may also be a System Owner
The entity that collects/creates the PII and is legally responsible and accountable for protecting it and for educating others about how to protect the data through dissemination of intellectual property rights documentation, policies and regulatory requirements, specific protective measures expected of custodians, and compliance requirements.
System Owner
System owner could also be a SME/Program Manager for a particular application/service
Sometimes also the Data Owner.
Sometimes also the Custodian.
Data Custodian
Person actually doing the day-to-day work of handling the data.
Synchronous Token
e.g., Microsoft Authenticator, Google Authenticator, Okta authenticator
Asynchronous Token
Out-of-band, one-time token.
Mutual Authentication
A means of also verifying the server or service you're connecting to: they authenticate you, and you authenticate them.
e.g., the SSL certificate on the VPN server you remote into for work.
What is required for Accountability to work?
Identification and Authentication:
Accountability relies on the effectiveness of identification and authentication, but it does not require effective authorization.
OAuth provides ___ NOT ___
Authorization, NOT Authentication.
Diameter
Diameter was developed after and inspired by RADIUS to overcome the limitations associated with compatibility among other authentication mechanisms. Additionally, Diameter is able to separate authentication, authorization, and accounting services.
Rainbow Table
A rainbow table is usually a large file with a list of pre-computed hashes and corresponding passwords.
NOTE - the password hashes are precomputed, saving time in a brute-force attack.
Are Smart Cards a combination of Type 1 and Type 2 access controls?
YES!
Smart cards prompt the user for a PIN or password after the card is scanned.
Compartmentalized Environment
Type of MAC control.
In a compartmentalized environment, there is no relationship between one security domain and another. Each domain represents a separate isolated compartment. To gain access to an object, the subject must have specific clearance for each security domain. For example, a general may have access to Top Secret information about troop movements but not Top Secret information about nuclear missile construction.
Iris Scan
Scan of the colored part of the eye. Iris scanning is the best choice when an individual's health conditions must be considered.
Retinal Scan
Retinal scanning is considered the most invasive type of biometric scanning, and, unlike the iris, the blood vessels in the retina can be affected by health conditions. Retinal scans may also conflict with privacy laws because they can reveal aspects of an individual's health, such as diabetes or high blood pressure.
In a MAC environment, labels or classification assignment can only be performed by _________.
System Admins
The modification of the label or classification of a resource in Mandatory Access Control (MAC) can only be performed by system administrators. Strict auditing should be implemented to ensure that system administrators do not modify resources that should not be modified.
Workflow-based account provisioning
Provisioning that occurs through an established workflow
Automated Provisioning of accounts
Central, software-driven process
Discretionary Account Provisioning
When a manager sets up each employee's account.
SPML
Used in identity federations: initiates XML-based provisioning/de-provisioning processes from the identity provider to its target service providers. SPML allows users to bypass out-of-band account creation requirements using provisioning/synchronization mechanisms from LDAP, database
Constrained User Interface
There are three major types of restricted interfaces:
Menus and Shells
Database Views
Physically Constrained Interfaces