Domain 5 - Identity and Access Management Flashcards

1
Q

ACCESS

A

the flow of information between a subject and an object

2
Q

CONTROL

A

security features that control how users and systems communicate and interact with other systems and resources

3
Q

Subject

A

active entity that requests access to an object or data within the object (user, program)

4
Q

Object

A

a passive entity that contains information (computer, database, file, program). Access control techniques support the access control models.

5
Q

Approaches to Administration

A

Centralized administration
Decentralized administration
Hybrid

6
Q

Centralized administration

A

one element is responsible for configuring access controls; access controls are modified only through central administration, giving very strict control

7
Q

Decentralized administration

A

access to information is controlled by the owners or creators of the information; procedures may not be consistent, and it is difficult to form a system-wide view of all user access at any given time

8
Q

Hybrid

A

centralized control is exercised for some information and decentralized for other information

9
Q

Identity Management: What 4 key principles does access control rely on?

A
IAAA
Identification
Authentication
Authorization
Accountability
10
Q

Identification/Assertion

A
  • Registration – verifies an individual’s identity and adds a unique identifier to an identity system
  • ensuring that a subject is who he says he is
  • binds a user to the appropriate controls based on the unique user instance
  • Unique user name, account number, etc., OR an issuance (keycard)
11
Q

Authentication

A
  • Process of verifying the user
  • User provides private data
  • Establish trust between the user and the system for the allocation of privileges
12
Q

Authorization

A
  • the resources a user is allowed to access must be defined and monitored
  • First piece of credentials Authorization
13
Q

Accountability

A

who was responsible for an action?

  • Logging – the best way to provide accountability; a change log for approved changes and a change management process
14
Q

What is the Relationship between Identity, Authentication, and Authorization?

A
  • Identification provides uniqueness
  • Authentication provides validity
  • Authorization provides control
15
Q

Logical Access Controls: tools used for IAAA

A

MAC address – a 48-bit number, supposed to be globally unique, but it can now be changed by software; not a strong identification or authentication tool

16
Q

Single Sign On (SSO)

A

SSO is also referred to as reduced sign-on or federated ID management

Advantage - ability to use stronger passwords, easier administration, less time to access resources.

Disadvantage - once a key is compromised, all resources can be accessed; if the DB is compromised, all passwords are compromised. Thin client is also a single sign-on approach.

17
Q

What areas of access control does KERBEROS address?

A

Kerberos addresses confidentiality, integrity and authentication, not availability. It can be combined with other SSO solutions. Kerberos is based on symmetric key cryptography (and is not a proprietary control).

18
Q

What type of cryptography is KERBEROS based on?

A

symmetric key cryptography

19
Q

What are some benefits of KERBEROS?

A

inexpensive, available on many OSs, mature protocol

20
Q

What are some disadvantages of KERBEROS?

A

takes time to administer; can be a bottleneck or single point of failure

21
Q

In KERBEROS, what is a Realm?

A

Indicates an authentication administrative domain. Its intention is to establish the boundaries within which an authentication server has the authority to authenticate a user, host or service.

22
Q

KDC

A

Key Distribution Center; grants tickets to clients for specific servers. Knows the secret keys of all clients and servers on the network; comprises the TGS and AS; single point of failure

23
Q

AS

A

Authentication server

24
Q

TGS

A

Ticket granting server

25
Q

Discuss the Kerberos logon process.

A
  • The user types a username and password into the client.
  • The client encrypts the username with AES for transmission to the KDC.
  • The KDC verifies the username against a database of known credentials.
  • The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user’s password. The KDC also generates an encrypted, time-stamped TGT. The KDC then transmits the encrypted symmetric key and the encrypted, time-stamped TGT to the client.
  • The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user’s password. The user can then use this ticket to obtain access to an application service.
26
Q

SESAME

A
  • Public key cryptography
  • European
  • Needham-Schroeder protocol
  • Two tickets: one for authentication, like Kerberos; the other defines the access privileges a user has
  • Works with PACs (Privileged Attribute Certificates)
  • SESAME uses both symmetric and asymmetric encryption (thus an improvement upon Kerberos)
27
Q

What is a weakness with SESAME?

A

only authenticates the first block and not the complete message

28
Q

KRYPTOKNIGHT

A

IBM – thus RACF

29
Q

SCRIPTING

A

scripts contain logon information that authenticates users

30
Q

DIRECTORY SERVICE

A

a centralized database that includes information about subjects and objects.

Hierarchical naming schema; Active Directory has sophisticated security resources (group policy, user rights, accounts, DNS services)

31
Q

Categories of authentication factors: Type 1

A

authentication factor is something you know. Examples include a password, PIN, or passphrase.

32
Q

Categories of authentication factors: Type 2

A

authentication factor is something you have. Physical devices that a user possesses can help them provide authentication. Examples include a smartcard (CAC), hardware token, memory card, or USB drive.

33
Q

Categories of authentication factors: Type 3

A

authentication factor is something you are or something you do. It is a physical characteristic of a person identified with different types of biometrics.

34
Q

Something a user knows TYPE 1

A

PASSWORDS – cheap and commonly used. Password generators, or the user chooses their own (do triviality and policy checking).

A longer password is more effective than anything else. Passwords are never stored for web applications in a well-designed environment.

Salted hashes are stored and compared. With 62 choices per character (upper, lower, 10 numbers), adding a single character to a password increases the complexity 62X.

35
Q

One-time password aka dynamic password

A

used only once

36
Q

Static password

A

Same for each logon

37
Q

Passphrase

A

easiest to remember. Converted to a virtual password by the system.

38
Q

Cognitive password

A

easy to remember like your mother’s maiden name

39
Q

brute force attack

A

tries many different character combinations, aka exhaustive search

40
Q

dictionary attack

A

tries many different words

41
Q

Social engineering

A

convince an individual to give access

42
Q

Rainbow Tables

A

tables of passwords that are already in hash format: pre-hashed passwords paired with high-speed lookup functions

43
Q

Implementation Attack

A

This is a type of attack that exploits weaknesses in the implementation of a cryptography system. It focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system.

44
Q

Statistical Attack

A

exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the hardware or operating system hosting the cryptography application.

45
Q

Seed SALT

A

Nonce: random values added to the encryption process to add more complexity

46
Q

HAVAL

A

Hash of Variable Length (HAVAL) is a modification of MD5. HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, 224, and 256 bits. Not an encryption algorithm.

47
Q

Something a user has TYPE 2

A

Key, swipe card, access card, badge, tokens

48
Q

What are the 4 types of Tokens?

A

Static password token
Synchronous (time-based) dynamic token
Asynchronous (not time-based) token
Challenge/response token

49
Q

Synchronous (TIME BASED) dynamic

A

uses time or a counter synchronized between the token and the authentication server; SecurID is an example

50
Q

Asynchronous (NOT TIME BASED)

A

the server sends a nonce (random value). This goes into the token device, which encrypts it and delivers a one-time password; with an added PIN it is strong authentication

51
Q

Challenge/response token

A

generates a response to a challenge provided by the system/workstation; synchronous – timing, asynchronous – challenge

52
Q

Something a user is TYPE 3

A

What you do: behavioral
What you are: physical

53
Q

BIOMETRICS: TYPE 1 error

A

False rejection rate (FRR)

54
Q

BIOMETRICS: TYPE 2 error

A

False acceptance rate (FAR)

55
Q

CER Crossover Error Rate or EER Equal Error rate

A

where FRR = FAR.

The lower the CER/EER, the more accurate the system.

56
Q

zephyr chart

A

iris scans

57
Q

Finger print

A

stores the full fingerprint (one-to-many identification)

58
Q

finger scan

A

stores only the features (one-to-one identification)

59
Q

Fingerprints

A

are made up of ridge endings and bifurcations exhibited by the friction ridges, and other detailed characteristics, that are called minutiae

60
Q

Retina Scans

A

Scans the blood-vessel pattern of the retina on the backside of the eyeball. Can show medical conditions. MOST ACCURATE

61
Q

Iris Scans

A

Scan the colored portion of the eye that surrounds the pupil.

62
Q

Facial Scans

A

Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.

63
Q

Palm Scans

A

The palm has creases, ridges and grooves throughout it that are unique to a specific person. Appropriate by itself as a Type 3 authenticator

64
Q

Hand Geometry

A

Measures the shape of a person’s hand (the length and width of the hand and fingers).

65
Q

Voice Print

A

Distinguishing differences in people’s speech sounds and patterns.

66
Q

Signature Dynamics

A

Electrical signals of speed and time that can be captured when a person writes a signature.

67
Q

Keyboard Dynamics

A

Captures the electrical signals when a person types a certain phrase.

68
Q

Hand Topology

A

Looks at the size and width of an individual’s hand and fingers.

69
Q

SAML

A

Used to exchange authentication and authorization data between security domains.

SAML 2.0 enables web-based SSO.

70
Q

What are the Roles in SAML?

A
  • Principal (user)
  • Identity provider (IdP)
  • Service provider (SP)
71
Q

XML Signature

A

Uses digital signatures for authentication and message integrity, based on the XML Signature standard.

Relies on XML Schema

72
Q

Identity as a Service (IDaaS)

A

Identity as a Service, or Identity and Access as a Service, is a third-party service that provides identity and access management. It effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based Software as a Service (SaaS) applications.

  • Ability to provision identities held by the service to target applications
  • Access includes user authentication, SSO, authorization enforcement
  • Log events, auditing
  • Federation - sharing identity and authentication behind the scenes (like booking a flight -> booking a hotel without re-authenticating) by using a federated identity, so it can be used across business boundaries -> SSO
  • Access Management enforces RULES!

73
Q

Cloud Identity

A

users are created and managed in Office 365

74
Q

Directory Synchronization

A

users are created and managed in an on-premises identity provider

75
Q

Federated Identity

A

an on-premises identity provider handles the login request. Usually used to implement SSO:

  • MS AD using MS AD Federation Services
  • Third-party based identity
  • Shibboleth (SAML 2.0)
76
Q

Authorization Mechanisms / Access Control

A

DAC - Discretionary Access Control

MAC - Mandatory Access Control

role-BAC - role-based access control

rule-BAC - rule-based access control

77
Q

What authentication mechanism does Windows use?

A

Kerberos

78
Q

What Authentication mechanism do wireless networks, modems, and network devices use?

A

RADIUS

79
Q

What Authentication mechanism do web applications use?

A

OAuth

80
Q

What Authentication mechanism do network devices use?

A

TACACS+

81
Q

Role-BAC (RBAC)

A

role-based or task-based access controls define a subject’s ability to access an object based on the subject’s role or assigned tasks; often implemented using groups; a form of nondiscretionary access control. Modeled off the business design.

Hybrid RBAC

Limited RBAC

Can model all groups off the organization. #1 used.

82
Q

Rule-BAC

A

based on rules within an ACL, uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system.

It includes granting a subject access to an object, or granting the subject the ability to perform an action.

A distinctive characteristic about rule-BAC models is that they have global rules that apply to all subjects.

One common example of a rule-BAC model is a firewall.

Firewalls include a set of rules or filters within an ACL, defined by an administrator.

The firewall examines all the traffic going through it and only allows traffic that meets one of the rules.

Government #1

83
Q

Mandatory Access Control

A

BELL Model!

84
Q

Lattice based

A

Label – all objects and subjects have a label. Authorization depends on security labels, which indicate clearance and classification (Military).

Restriction: need to know can apply. Lattice based is part of it! (A as in mAndatory!).

85
Q

Non-discretionary access control / Mandatory

A

A central authority determines which subjects have access, based on policies. Role-based/task-based. Lattice-based control can also be applied (greatest lower bound and least upper bound apply).

86
Q

Discretionary Access Control

A

Graham Denning

Access through ACLs. Discretionary can also mean controlled access protection (object reuse, protected audit trail). User-directed.

Performs all of IAAA; identity-based access control model.

  • hierarchical X.500 standard protocol, like LDAP, for allowing subjects to interact with the directory
  • Organized through namespaces (through distinguished names)
  • Needs client software to interact
  • META directory gathers information from multiple sources, stores it in one central directory and synchronizes
  • VIRTUAL directory only points to where the data resides

DAC allows the owner, creator, or data custodian of an object to control and define access to that object. All objects have owners, and access control is based on the discretion or decision of the owner. As the owner, the user can modify the permissions of the file to grant or deny access to other users. Identity-based access control is a subset of DAC because systems identify users based on their identity and assign resource ownership to identities. A DAC model is implemented using access control lists (ACLs) on objects. Each ACL defines the types of access granted or denied to subjects. It does not offer a centrally controlled management system because owners can alter the ACLs on their objects at will. Access to objects is easy to change, especially when compared to the static nature of mandatory access controls.

87
Q

Access Control Models

A

Access control models use many different types of authorization mechanisms, or methods, to control who can access specific objects.

88
Q

Implicit Deny

A

a basic principle that most authorization mechanisms use. The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.

89
Q

Access Control Matrix

A

An access control matrix is a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action.

90
Q

Capability Tables

A

They are different from ACLs in that a capability table is focused on subjects (such as users, groups, or roles). For example, a capability table created for the accounting role will include a list of all objects that the accounting role can access and will include the specific privileges assigned to the accounting role for these objects. The difference between an ACL and a capability table is the focus. ACLs are object focused and identify access granted to subjects for any specific object. Capability tables are subject focused and identify the objects that subjects can access.

Comparing Permissions, Rights, and Privileges

When studying access control topics, you’ll often come across the terms permissions, rights, and privileges. Some people use these terms interchangeably, but they don’t always mean the same thing.

91
Q

Permissions

A

refer to the access granted for an object and determine what you can do with it. If you have read permission for a file, you’ll be able to open it and read it. You can grant user permissions to create, read, edit, or delete a file on a file server. Similarly, you can grant user access rights to a file, so in this context, access rights and permissions are synonymous.

92
Q

Rights

A

refers to the ability to take an action on an object. For example, a user might have the right to modify the system time on a computer or the right to restore backed-up data. This is a subtle distinction and not always stressed. You’ll rarely see the right to take action on a system referred to as a permission.

93
Q

Privileges

A

are the combination of rights and permissions. For example, an administrator for a computer will have full privileges, granting the administrator full rights and permissions on the computer. The administrator will be able to perform any actions and access any data on the computer.

94
Q

Constrained Interface Applications

A

(restricted interfaces) restrict what users can do or see based on their privileges. Applications constrain the interface using different methods. A common method is to hide the capability if the user doesn’t have permissions to use it. Other times, the application displays the menu item but shows it dimmed or disabled.

95
Q

Content-Dependent

A

based on the internal data of each field (the data stored by a field); restricts access to data based on the content within an object. A database view is a content-dependent control. A view retrieves specific columns from one or more tables, creating a virtual table.

96
Q

Context-Dependent

A

require specific activity before granting users access. For example, it’s possible to restrict access to computers and applications based on the current day and/or time. If users attempt to access the resource outside of the allowed time, the system denies them access.

97
Q

Work Hours

A

context-dependent control

98
Q

Need to Know

A

ensures that subjects are granted access only to what they need to know for their work tasks and job functions. Subjects may have clearance to access classified or restricted data but are not granted authorization to the data unless they actually need it to perform a job.

99
Q

Least Privilege

A

ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that least privilege will also include rights to take action on a system.

100
Q

Separation of Duties and Responsibilities

A

ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.

101
Q

SPML

A

Service Provisioning Markup Language

an XML-based language designed to allow platforms to generate and respond to provisioning requests.

102
Q

SAML

A

used to exchange authorization and authentication data

103
Q

XACML

A

used to describe access controls

104
Q

SOAP

A

Simple Object Access Protocol, is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.

Reconnaissance

105
Q

What is Reconnaissance?

A

While malicious code often relies on tricking users into opening or accessing malware, other attacks directly target machines. Performing reconnaissance can allow an attacker to find weak points to target directly with their attack code. To assist with this targeting, attacker-tool developers have created a number of automated tools that perform network reconnaissance.

106
Q

IP Probes

A

(also called IP sweeps or ping sweeps) are often the first type of network reconnaissance carried out against a targeted network. With this technique, automated tools simply attempt to ping each address in a range. Systems that respond to the ping request are logged for further analysis. Addresses that do not produce a response are assumed to be unused and are ignored.

107
Q

Nmap tool

A

one of the most common tools used to perform both IP probes and port scans. IP probes are extremely prevalent on the Internet today. Indeed, if you configure a system with a public IP address and connect it to the Internet, you’ll probably receive at least one IP probe within hours of booting up. The widespread use of this technique makes a strong case for disabling ping functionality, at least for users external to a network. Default settings miss ~64K ports. When nmap scans a system, it identifies the current state of each network port on the system. For ports where nmap detects a result, it provides the current status of that port:

Open - The port is open on the remote system and there is an application that is actively accepting connections on that port.

Closed - The port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.

108
Q

Filtered Nmap

A

is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt

109
Q

Port Scans

A

After an attacker performs an IP probe, they are left with a list of active systems on a given network. The next task is to select one or more systems to target with additional attacks. Often, attackers have a type of target in mind; web servers, file servers, and other servers supporting critical operations are prime targets. To narrow down their search, attackers use port scan software to probe all the active systems on a network and determine what public services are running on each machine. For example, if the attacker wants to target a web server, they might run a port scan to locate any systems with a service running on port 80, the default port for HTTP services.

110
Q

Vulnerability Scans

A

The third technique is the vulnerability scan. Once the attacker determines a specific system to target, they need to discover a specific vulnerability in that system that can be exploited to gain the desired access permissions. A variety of tools available on the Internet assist with this task. Some of the more popular tools for this purpose include Nessus, OpenVAS, Qualys, Core Impact, and Nexpose. These packages contain a database of known vulnerabilities and probe targeted systems to locate security flaws. They then produce very attractive reports that detail every vulnerability detected. From that point, it’s simply a matter of locating a script that exploits a specific vulnerability and launching an attack against the victim.