Domain 5 - Identity and Access Management

Question 1

Information

Answer 1

Includes all of the organizations data. Needs to be protected

Question 2

Systems

Answer 2

Includes any and all IT systems that provide a service (File, Web)

Question 3

Facilities

Answer 3

Any Physical location that an org rents/owns. Physical security protects the building

Question 4

Subject

Answer 4

A subject is an active entity that accesses a passive object to receive information from an object. When authorized, subjects can modify objects.

Question 5

Object

Answer 5

An object is a passive entity that provides information to active subjects. Includes files, DB’s, computers, programs, processes etc

Question 6

Access Control

Answer 6

Access Control is any hardware, software or administrative policy that controls access to the resources. The goal is to prevent unauthorized access and provide authorized access

Question 7

Access Control Steps

Answer 7

1. ) Identify and authenticate users
2. ) Determine if access is authorized
3. ) Grant or restrict access based on the subject’s identity
4. ) Monitor and record access attempts

Question 8

Preventive Access Control

Answer 8

A preventive control attempts to stop unwanted or unauthorized activity from occurring.

Question 9

Detective Access Control

Answer 9

A detective control attempts to discover or detect unwanted or unauthorized activity. Detective controls operate after the fact and can discover the activity only after it has occurred

Question 10

Corrective Access Control

Answer 10

A corrective control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred.

Question 11

Deterrent Access Control

Answer 11

A deterrent control attempts to discourage security policy violations. Depends on People

Question 12

Directive Access Control

Answer 12

A directive control attempts to direct, confine, or control the actions of subjects to force or encourage compliance with security policies

Question 13

Compensation Access Control

Answer 13

A compensation control provides an alternative when
it isn’t possible to use a primary control, or when necessary to increase the effectiveness
of a primary control

Question 14

Administrative Access Control

Answer 14

Administrative access controls are the policies and
procedures defined by an organization’s security policy and other regulations or
requirements.

Question 15

Logical/Technical Access Control

Answer 15

Logical access controls (also known as technical access controls) are the hardware or software mechanisms used to manage access and to provide
protection for resources and systems.

Question 16

Physical Controls

Answer 16

Physical access controls are items you can physically touch. They include physical mechanisms deployed to prevent, monitor, or detect direct contact with
systems or areas within a facility

Question 17

Confidentiality

Answer 17

Access controls help ensure that only authorized subjects can access objects.

Question 18

Integrity

Answer 18

Integrity ensures that data or system configurations are not modified without authorization, or if unauthorized changes occur, security controls detect the changes.

Question 19

Availability

Answer 19

Authorized requests for objects must be granted to subjects within a reasonable amount of time.

Question 20

Identification

Answer 20

The process of a subject claiming or professing an identity. A subject must provide an identity to a system to start the AAA process

Question 21

Authentication

Answer 21

Verifies the identity of the account by comparing it against a DB of valid identities. Authentication Info needs to be protected

Question 22

Authorization

Answer 22

Subjects are granted access to objects based on proven identities. Authorization indicates who is trusted to perform specific operations.

Question 23

Accountability

Answer 23

Users and other subjects can be held accountable for their actions when auditing is implemented. Auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs

Question 24

Auditing

Answer 24

Auditing is the process of tracking and recording

subject activities within logs.

Question 25

Type 1

Answer 25

Something you know

Question 26

Type 2

Answer 26

Something you have

Question 27

Type3

Answer 27

Something you are

Question 28

Tokens

Answer 28

Password generating device.

1. ) Synchronous Dynamic Password Tokens
2. )Asynchronous Dynamic Password Tokens

Question 29

Biometric Type 1 Error

Answer 29

When a valid subject is not authenticated. False negative Authentication. False Rejection rate (FRR)

Question 30

Biometric Type 2 Error

Answer 30

When an valid subject is authenticated. False Positive Authentication. False Acceptance Rate (FAR)

Question 31

Crossover Error Rate (CER)

Answer 31

The point where FAR and FRR % are equal

Question 32

Identity Management Types

Answer 32

1. ) Centralized - Single entity

2. ) Decentralized - Various entities through out the system

Question 33

Single Sign-On (SSO)

Answer 33

Is a centralized access control technique that enables a subject to authenticated once on a system and access multiple resources without authenticating again

Question 34

Ticket Authentication

Answer 34

A mechanism that employs a third party entity to prove identification and provide authentication. Example: Kerberos

Question 35

Key Distribution Center (KDC)

Answer 35

The key distribution center (KDC) is the trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with the KDC, and it maintains the secret keys for all network members.

Question 36

Kerberos Authentication Server

Answer 36

The authentication server hosts the functions of
the KDC: a ticket-granting service (TGS), and an authentication service. The authentication service verifies or rejects the authenticity and timeliness of tickets. This server is often called the KDC.

Question 37

Ticket-Granting Ticket

Answer 37

ticket-granting ticket (TGT) provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other
objects.

A TGT is encrypted and includes a symmetric key, an expiration time, and the user’s IP address. Subjects present the TGT when requesting tickets to access objects.

Question 38

Ticket

Answer 38

A ticket is an encrypted message that provides proof that a subject is authorized to access an object. It is sometimes called a service ticket (ST).

Question 39

Identity Management

Answer 39

Is the management of user identities and their credentials

Question 40

SAML

Answer 40

Security Assertion Markup Language. An XML based language that is used to exchange AA info between federated organizations

Question 41

SPML

Answer 41

Security Provisioning Markup Language. Newer version of XML. Specifically designed for exchanging user information for federated SSO. Based on DSML

Question 42

Scripted Access

Answer 42

Establish Communication links by providing an automated process to transmit logon credentials at the start of a logon session

Question 43

SESAME

Answer 43

To address weaknesses in KERBEROS

Question 44

KryptoKnight

Answer 44

Ticket-based - IBM. User P2P instead of third party

Question 45

Newer SSO models

Answer 45

OAuth and OpenID. OAuth 2.0 is not backwards compatible. OpenID foundation looks after OpenID not IETF

Question 46

RADIUS

Answer 46

Centralizes authentication for remote connections. Typically used when the org has more than one network access server. Provides AAA. UDP. RFC2865

Question 47

Identity and Access Provisioning Life Cycle

Answer 47

1. ) Provisioning - Enrollment
2. ) Account Review - Excessive and Creeping Privileges
3. ) Account Termination - ASAP

Question 48

Permissions

Answer 48

Access granted for an object and determine what you can do with it

Question 49

Rights

Answer 49

Refer to the ability to take action on an object

Question 50

Privileges

Answer 50

Combination of Rights and Permissions

Question 51

Authorization Mechanisms

Answer 51

1. ) implicit Deny
2. ) Access Control Matrix
3. ) Capability Matrix
4. ) Constrained Interface
5. ) Content Dependent Control
6. ) Context Dependent Control
7. ) Need to Know
8. ) Lease Privilege

Question 52

Constrained Interface

Answer 52

Application use these to restrict what the user can see or do based on their privileges

Question 53

Context-Dependent Control

Answer 53

Require a specific activity before granting a user access. E-Commerce apps. Pay before you download

Question 54

Need to Know

Answer 54

Subjects are granted access only to what they need to know for their tasks. Subjects may have clearence but are not granted authorization to data unless they need to perform an action

Question 55

Least Privilege

Answer 55

Similar to Need to Know but it also includes rights to take action on an system

Question 56

Security Policy

Answer 56

A document that defines the security requirements of the organization. It identifies the assets that need protection and the extent to which it needs to be protected by the Security Solution.

Question 57

Discretionary Access Control (DAC)

Answer 57

Allows the owner, creator, or data custodian of an object to control and define access to that object. All objects have owners, and access control is based on the discretion or decision of the owner.

Implemented using ACL’s

Question 58

Role Based Access Control (RBAC)

Answer 58

Defines the subject’s ability to access an object based on the subject’s role or assigned tasks.

Implemented using Groups

Question 59

Privilege Creep

Answer 59

Is the tendency for the privileges to accrue for the users over time as their roles and access needs change.

Question 60

Rule Based Access Control (RuBAC)

Answer 60

Uses a set of rules, restriction or filters to determine what can and/or cannot occur on a system. Includes Granting the subject access to an object or granting the subject the ability to perform an action

Question 61

Mandatory Access Control (MAC)

Answer 61

relies on the use of classification labels. Each
classification label represents a security domain, or a realm of security. A security domain is a collection of subjects and objects that share a common security policy.

Question 62

MAC Features

Answer 62

1. ) Compartmentalization
2. ) Need to Know
3. ) Better security than DAC

Question 63

Compartmentalization

Answer 63

No relation between one security domain and another. Each domain represents and isolated compartment

Question 64

Steps for Risk Management

Answer 64

1. ) Identifying Assets
2. ) Identifying Threats
3. ) Identifying Vulnerabilities

Question 65

Asset Valuation

Answer 65

Refers to identifying the actual value of assets with the goal of prioritizing them.

Question 66

Threat modelling

Answer 66

Refers to the process of identifying, understanding and categorizing potential threats. The goal is to identify a potential list of threats to systems and analyze the risk

Question 67

SD3+C

Answer 67

Secure By design, Secure by default, Secure in Deployment and Communication

Question 68

Threat modelling Approaches

Answer 68

1. ) Asset focused
2. ) Attacker focused
3. ) Software focused

Question 69

Vulnerability Analysis

Answer 69

Attempts to discover weaknesses in these systems against potential threats

Question 70

Protection Methods

Answer 70

1. ) Control Physical Access to systems
2. ) Control Electronic access to files
3. ) Encrypt password files
4. ) MFA
5. ) Account Lockout Control
6. ) Password Masking
7. ) Use last logon message