Domain 5: Identity and Access Management

Question 1

MAC

Answer 1

Mandatory Access Control

Uses classifications and labels to define user access.

Used in very strict environments.

The Operating System enforces MAC (when used in a digital format).

Question 2

DAC

Answer 2

Discretionary Access Control

Discretionary Access Control (DAC) allows the Data Owner to control and define access to objects.

Question 3

ABAC

Answer 3

Attribute Access Control

Attribute-Based Access Control (ABAC) makes decisions based on attributes for either the subject, object, or actions.

Question 4

RBAC

Answer 4

Role-based Access Control

Role-Based Access Control (RBAC) maps a subject’s role with their needed operations and tasks.

Question 5

Type 1 authentication factor

Answer 5

Something you know: password, PIN

Question 6

Type 2 Authentication factor

Answer 6

Something you have: Smartcard, MFA app on phone

Question 7

Type 3 Authentication factor

Answer 7

Something you are: Fingerprint, voice id, face id

Question 8

CER

Answer 8

Cross-over Error Rate: Defines the point where false rejection rates are equal to false acceptance rates.

Question 9

Type 1 Error

Answer 9

Falsely rejected Authentication (user should have access but is denied)

Question 10

Type 2 Error

Answer 10

False acceptance (User should NOT have access but is granted access.)

Question 11

Registration (biometrics)

Answer 11

Registration is the capturing of an individuals biometric data.

(is this capturing of any type of identifiable data?)

Question 12

Hybrid Federation

Answer 12

Related to a type of authentication infrastructure:

Authentication occurs on-premise, not in the cloud. Grants access to resources outside of just on-premise.

Question 13

Cloud based federation

Answer 13

Uses a third party for shared federated identities. i.e. okta or duo

Question 14

On-premise federation

Answer 14

Federation is hosted on premises for access to on-premises resources.

Question 15

Relationship of federated identities and SSO

Answer 15

SSO provides single sign on to one organization.

Multiple SSO systems that agree to share information and access create a FEDERATION.

Question 16

Two basic components of PKI

Answer 16

CA and RA - certificate authority and registration authority.

Public Key Infrastructure (PKI) uses a central authority to store encryption keys or certificates in order to establish the identity or digital signature of a user. PKI systems use certificate authorities (CAs) and registration authorities (RAs).

Question 17

OAuth Connect pairs with _____ to perform identity verification, and obtain user profile information

Answer 17

Open ID Connect

Question 18

Audit Trail

Answer 18

Log that provides play by play record of actions.

The audit trail allows an administrator to review events and users linked to those events. It can be used to review employee misconduct or provide a log of events leading to system failure. An audit trail is required for some security standards, including the Health Insurance Portability and Accountability Act (HIPAA).

Question 19

Smart Card

Answer 19

Smart cards are credit card-sized devices that contain a microprocessor. A smart card typically contains an encrypted private key issued through a public key infrastructure (PKI) system that the authenticating environment trusts. When the smart card is inserted into a reader, the user must enter a PIN before the smart card releases the private key. Smart cards can be programmed to wipe themselves if a PIN is entered incorrectly too many times.

Question 20

Identification device with the best tamper resistance

Answer 20

Smart Card

Question 21

Access Control Matrix

Answer 21

Table that list objects, subjects, and their privileges.

Question 22

SPML

Answer 22

Service Provisioning Markup Language

Used to provision users, resources, and services.

Question 23

Is Non-Discretionary Access Model a thing?

Answer 23

Yes

The Non-Discretionary Access Control model uses a central administration element to govern access. Mandatory Access Control models employ data classification labels to control access.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 681-690.

Question 24

OpenID Provider

Answer 24

OpenID Provider or Identity Provider or IdP) performs user authentication, user consent, and token issuance

Question 25

OpenID Relying Party

Answer 25

The resource or server the end-user is trying to access. This resource will relay authentication request to the open id provider

Question 26

OpenID End-User

Answer 26

The user attempting to log in

Question 27

asynchronous token device

Answer 27

An asynchronous token device generates a one-time password using a challenge/response mechanism. An example of this could be if a workstation displayed a numerical challenge value.

Question 28

Data Owner

Answer 28

Typically C-Suite.

In smaller orgs, may also be a System Owner

the entity that collects/creates the PII and is legally responsible and accountable for protecting it and educating others about how to protect the data through dissemination of intellectual property rights documentation, policies and regulatory requirements, specific protective measures that are expected of custodians, and compliance requirements.

Question 29

System Owner

Answer 29

System owner could also be a SME/Program Manager for a particular application/service

Sometimes also the Data Owner.

Sometimes also the Custodian.

Question 30

Data Custodian

Answer 30

Person actually doing the day to day things.

Question 31

Synchronous Token

Answer 31

i.e. microsoft authenticator, google authenticator, okta authenticator

Question 32

Asynchronous Token

Answer 32

Out of band, one time token.

Question 33

Mutual Authentication

Answer 33

Form of identifying the server or service you’re connecting to. They authenticate you, you authenticate them.

i.e. SSL cert on the VPN server you remote into for work.

Question 34

What is required for Accountability to work?

Answer 34

Identification and Authentication:

Accountability relies on the effectiveness of identification and authentication, but it does not require effective authorization.

Question 35

Oauth provides ___ NOT ___

Answer 35

Authorization, NOT Authentication.

Question 36

Diameter

Answer 36

Diameter was developed after and inspired by RADIUS to overcome the limitations associated with compatibility among other authentication mechanisms. Additionally, Diameter is able to separate authentication, authorization, and accounting services.

Question 37

Rainbow Table

Answer 37

A rainbow table is usually a large file with a list of pre-computed hashes and corresponding passwords.

NOTE - passwords are pre-hashed, saving time in a brute force attack.

Question 38

Are Smart Cards a combination of Type 1 and Type 2 access controls?

Answer 38

YES!

Smart Cards will prompt a user for a PIN or password after scanned.

Question 39

Compartmentalized Environment

Answer 39

Type of MAC control.

In a compartmentalized environment, there is no relationship between one security domain and another. Each domain represents a separate isolated compartment. To gain access to an object, the subject must have specific clearance for each security domain. For example, a general may have access to Top Secret information about troop movements but not Top Secret information about nuclear missile construction.

Question 40

Iris Scan

Answer 40

Scan of colored part of eye. Iris scanning would be the best choice when considering an individual’s health conditions.

Question 41

Retinal Scan

Answer 41

However, retinal is also considered to be the most invasive type of biometric scanning and, unlike tLhe iris, the blood vessels in the retina can be affected by health conditions. Retinal scans may also conflict with privacy laws because they can contain certain aspects of an individual’s health, such as diabetes or high blood pressure.

Question 42

In a MAC environment, labels or classification assignment can only be performed by _________.

Answer 42

System Admins

The modification of the label or classification of a resource in Mandatory Access Control (MAC) can only be performed by system administrators. Strict auditing should be implemented to ensure that system administrators do not modify resources that should not be modified.

Question 43

Workflow-based account provisioning

Answer 43

Provisioning that occurs through an established workflow

Question 44

Automated Provisioning of accounts

Answer 44

Central software driven process

Question 45

Discretionary Account Provisioning

Answer 45

When manager sets up each employees acct.

Question 46

SPML

Answer 46

Used in identity federations: is used to initiate XML-based provisioning/de-provisioning processes from the identity provider to its target service providers. SPML allow users to bypass out-of-band account creation requirements using provisioning/synchronization mechanisms from LDAP, database

Question 47

Constrained User Interface

Answer 47

There are three major types of restricted interfaces:
Menus and Shells:
Database Views
Physically Constrained Interfaces