Domain 5 - Identity and Access Management

Question 1

These access controls include policies or procedures to implement and enforce overall access control.

Answer 1

Administrative

Question 2

These access controls include hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems.

Answer 2

Logical/technical

Question 3

These access controls include physical barriers deployed to prevent direct contact and access with systems or areas within a facility.

Answer 3

Physical

Question 4

What are the 3 authentication factors?

Answer 4

something you know (such as a password or PIN), something you have (such as a smartcard or token), and something you are (based on biometrics).

Question 5

What identifies the accuracy of a biometric method

Answer 5

the crossover rate

Question 6

a mechanism that allows subjects to authenticate once on a system and access multiple objects without authenticating again.

Answer 6

Single sign-on (SSO)

Question 7

An active entity that accesses a passive object to receive information from, or data about, an object. They can be users, programs, processes, computers, or anything else that can access a resource.

Answer 7

Subjects

Question 8

A passive entity that provides information to active subjects. Some examples include files, databases, computers, programs, processes, printers, and storage media.

Answer 8

objects

Question 9

An access control is any hardware, software, or administrative policy or procedure that controls access to resources. The goal is to provide access to authorized subjects and prevent unauthorized access attempts. Name the 3 primary control types.

Answer 9

preventive, detective, and corrective.

Question 10

This access control attempts to thwart or stop unwanted or unauthorized activity from occurring. Examples of these access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties policies, job rotation policies, data classification, penetration testing, access control methods, encryption, auditing, the presence of security cameras or closed circuit television (CCTV),
smartcards, callback procedures, security policies, security awareness training, antivirus software, firewalls, and intrusion prevention systems.

Answer 10

preventive control

Question 11

There are 7 access controls: 3 main ones and 4 others. What are the four other types of access controls?

Answer 11

deterrent, recovery, directive, and compensation access controls.

Question 12

This access control attempts to discover or detect unwanted or unauthorized activity. These controls operate after the fact and can discover the activity
only after it has occurred. Examples include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection
systems, violation reports, supervision and reviews of users, and incident investigations.

Answer 12

A detective control

Question 13

This access control modifies the environment to return
systems to normal after an unwanted or unauthorized activity has occurred. They attempt to correct any problems that occurred as a result of a security incident. They can be simple, such as terminating malicious activity or rebooting a system. They also include antivirus solutions that can remove or quarantine a virus, backup and restore plans to ensure that lost data can be restored, and active intrusion detection systems that can modify the environment to stop an attack in progress.

Answer 13

A corrective control

Question 14

This access control attempts to discourage security policy violations. They are similar to preventive controls but these often depend on individuals deciding not to take an unwanted action. In contrast, a preventive control actually blocks the action. Some examples include policies, security awareness training, locks, fences, security badges, guards, mantraps, and security cameras.

Answer 14

A deterrent control

Question 15

This access control attempts l to repair or restore resources, functions, and capabilities after a security policy violation. They are an extension of corrective controls but have more advanced or complex abilities. Examples include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.

Answer 15

A recovery control

Question 16

This access control attempts to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.

Answer 16

A directive control

Question 17

This access control provides an alternative when it
isn’t possible to use a primary control, or when necessary to increase the effectiveness of a primary control. As an example, a security policy might dictate the use of smartcards by all employees but it takes a long time for new employees to get a smartcard. The organization could issue hardware tokens to employees as a compensating control. These tokens provide stronger authentication than just a username and password.

Answer 17

A compensation control

Question 18

the process of a subject claiming, or professing, an identity.

Answer 18

Identification

Question 19

This verifies the identity of the subject by comparing one or more factors against a database of valid identities, such as user accounts.

Answer 19

Authentication

Question 20

Subjects are granted access to objects based on proven identities. For example, administrators grant users access to files based on the user’s proven identity.

Answer 20

Authorization

Question 21

Users and other subjects can be held accountable for their actions when auditing is implemented. Auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs. For example, auditing can record when a user reads, modifies, or deletes a file. Auditing provides this.

Answer 21

Accountability

Question 22

What is Type 1 authentication factor

Answer 22

something you know

Question 23

What is Type 2 authentication factor

Answer 23

something you have

Question 24

What is Type 3 authentication factor

Answer 24

something you are or something you do

Question 25

A series of questions about facts or predefined responses that only the subject should know.

Answer 25

cognitive password

Question 26

Hardware tokens that are time-based and synchronized with an authentication server

Answer 26

Synchronous Dynamic Password Tokens

Question 27

Hardware token that generates passwords based on an algorithm and an incrementing counter.

Answer 27

Asynchronous Dynamic Password Tokens

Question 28

In biometrics this error occurs when a valid subject is not authenticated. This is also known as a false negative authentication.

Answer 28

A Type 1 error

Question 29

In biometrics this occurs when an invalid subject is authenticated. This is also known as a false positive authentication.

Answer 29

A Type 2 error

Question 30

The ratio of Type 1 errors to valid authentications is known as

Answer 30

false rejection rate (FRR)

Question 31

The ratio of Type 2 errors to valid authentications is called

Answer 31

false acceptance rate (FAR)

Question 32

centralized access control technique that allows a subject to be authenticated only once on a system and to access multiple resources without authenticating
again.

Answer 32

Single sign-on (SSO)

Question 33

Ticket authentication is a mechanism that employs a third-party entity to prove identification and provide authentication. The most common and well-known ticket system is

Answer 33

Kerberos

Question 34

the trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with the this, and it maintains the
secret keys for all network members.

Answer 34

key distribution center (KDC)

Question 35

This hosts the functions of the KDC: a ticket-granting service (TGS), and an authentication service (AS). However, it is possible to host the ticket-granting service on another server. One of it’s services verifies or rejects the authenticity and timeliness of tickets. This server is often called the KDC.

Answer 35

Kerberos Authentication Server

Question 36

This part of Kerberos provides proof that a subject has
authenticated through a KDC and is authorized to request tickets to access other objects. It is encrypted and includes a symmetric key, an expiration time, and the user’s IP address. Subjects present this when requesting tickets to access objects.

Answer 36

Ticket-Granting Ticket

Question 37

In Kerberos this is an encrypted message that provides proof that a subject is authorized to access an object.

Answer 37

ticket

Question 38

With this access control all objects have owners and the owners can modify permissions.

Answer 38

discretionary access control

Question 39

the possibility or likelihood that a threat can exploit a vulnerability and cause damage to assets.

Answer 39

risk

Question 40

These are granted to a subject and refer to the access granted for an object and determine what you can do with it.

Answer 40

permissions

Question 41

This primarily refers to the ability to take an action on an object.

Answer 41

A right

Question 42

the combination of rights and permissions.

Answer 42

privileges

Question 43

This principle ensures that access to an object is denied unless access has been explicitly granted to a subject.

Answer 43

Implicit Deny

Question 44

a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks this to determine if the subject has the appropriate privileges to perform the action.

Answer 44

Access Control Matrix

Question 45

These are another way to identify privileges assigned to subjects. They are different from ACLs in that it is focused on subjects (such as users, groups, or roles).

Answer 45

Capability Tables

Question 46

Applications use these to restrict what users can do or see based on their privileges. An ATM screen is a good example. The Clark Wilson security model uses these.

Answer 46

Constrained User Interface

Question 47

These restrict access to data based on the content within an object. A database view is a good example.

Answer 47

Content-dependent access controls

Question 48

These require specific activity before granting users access. As an example, consider the data flow for a transaction selling digital products online. Users add products to a shopping cart and begin the checkout process. The first page in the checkout flow shows the products in the shopping cart, the next page collects credit card data, and the last page confirms the purchase and provides instructions for downloading the digital products. The system denies access to the download page if users don’t go through the purchase process first.

Answer 48

Context-dependent access controls

Question 49

This principle ensures that subjects are granted access only to what they need to know for their work tasks and job functions.

Answer 49

Need to Know

Question 50

This principle ensures that subjects are granted only
the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that this will also include rights to take action on a system.

Answer 50

Least Privilege

Question 51

This principle ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.

Answer 51

Separation of Duties and Responsibilities

Question 52

A document that defines the security requirements for an organization. It identifies assets that need protection and the extent to which security solutions should go to protect them. Some organizations create this as a single document, and other organizations create multiples, with each one focused on a separate area.

Answer 52

security policy

Question 53

This uses multiple layers or levels of access controls to provide layered security.

Answer 53

defense-in-depth strategy.

Question 54

This allows the owner, creator, or data custodian of an object to control and define access to that object. It is implemented using access control lists (ACLs) on objects.

Answer 54

discretionary access controls (DACs)

Question 55

In this access control Administrators administer control and can make changes that affect the entire environment.

Answer 55

nondiscretionary access controls

Question 56

Systems that employ this type of access controls define a subject’s ability to access an object based on the subject’s role or assigned tasks. It is often implemented using groups.

Answer 56

Role-based access control

Question 57

the tendency for privileges to accrue to users over time as their roles and access needs change.

Answer 57

Privilege creep

Question 58

This type of access control uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. It includes granting a subject access to an object, or granting the subject the ability to perform an action. A distinctive characteristic about these models is that they have global rules that apply to all subjects. One common example is a firewall.

Answer 58

rule-based access control (rule-BAC)

Question 59

This model relies on the use of classifi l cation labels. Each classification label represents a security domain , or a realm of security. A security domain is a collection of subjects and objects that share a common security policy. For example, a security domain could have the label Secret.

Answer 59

mandatory access control (MAC)

Question 60

the possibility or likelihood that a threat will exploit

a vulnerability resulting in a loss such as harm to an asset.

Answer 60

risk

Question 61

a potential occurrence that can result in an undesirable outcome. This includes potential attacks by criminals or other attackers. It also includes natural occurrences such as floods or earthquakes, and accidental acts by employees.

Answer 61

threat

Question 62

any type of weakness. The weakness can be due to a flaw or limitation in hardware or software, or the absence of a security control such as the absence of antivirus software on a computer.

Answer 62

vulnerability

Question 63

This attempts to reduce or eliminate vulnerabilities, or reduce the impact of potential threats by implementing controls or countermeasures.

Answer 63

Risk management

Question 64

This refers to identifying the actual value of assets with the goal of prioritizing them. Risk management focuses on assets with the highest value and identifies controls to
mitigate risks to these assets.

Answer 64

Asset valuation

Question 65

This refers to the process of identifying, understanding,
and categorizing potential threats. A goal is to identify a potential list of threats to these systems and to analyze the threats.

Answer 65

Threat modeling

Question 66

This refers to a group of attackers who are working together and are highly motivated, skilled, and patient. They have advanced knowledge and a wide variety of skills to detect and exploit vulnerabilities. They are persistent and focus on exploiting one or more specific targets rather than just any target of opportunity.

Answer 66

advanced persistent threat (APT)

Question 67

This refers to collecting multiple pieces of nonsensitive information and combining (i.e., aggregating) them to learn sensitive information.

Answer 67

Access aggregation

Question 68

an attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords.

Answer 68

dictionary attack

Question 69

an attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols.

Answer 69

brute-force attack

Question 70

This access attack focuses on finding collisions.

Answer 70

birthday attack

Question 71

It takes a long time to find a password by guessing it, hashing it, and then comparing it with a valid password hash. These reduce this time by using large databases of precomputed hashes.

Answer 71

rainbow table

Question 72

a group of random bits, added to a password before hashing it.

Answer 72

salt

Question 73

Capturing packets sent over a network with the intent of analyzing the packets.

Answer 73

sniffing

Question 74

This is pretending to be something, or someone, else. A lot of attacks are based on this.

Answer 74

Spoofing

Question 75

This is a form of social engineering that attempts to trick users into giving up sensitive information, opening an attachment, or clicking a link.

Answer 75

Phishing

Question 76

This is a form of phishing targeted to a specific group of users, such as employees within a specific organization.

Answer 76

Spear phishing

Question 77

a variant of phishing that targets senior or high-level executives such as CEOs and presidents within a company.

Answer 77

Whaling

Question 78

Phishing attacks launched via IM and VOIP

Answer 78

Vishing

Question 79

attack prevents a system from processing or responding to legitimate traffic or requests for resources.

Answer 79

denial-of-service (DoS)

Question 80

Which part of Kerberos provides the Ticket Granting Tickets that allows access to the realm or domain

Answer 80

Authentication Service

Question 81

Which part of Kerberos provides tickets that allow access to objects within the realm or domain

Answer 81

Ticket Granting Service

Question 82

Which protocol does RADIUS use, TCP or UDP?

Answer 82

UDP

Question 83

Which protocol does TACACS and Diameter use, TCP or UDP?

Answer 83

TCP