Domain 5 - Identity and Access Management Flashcards

1
Q

These access controls include policies or procedures to implement and enforce overall access control.

A

Administrative

2
Q

These access controls include hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems.

A

Logical/technical

3
Q

These access controls include physical barriers deployed to prevent direct contact and access with systems or areas within a facility.

A

Physical

4
Q

What are the 3 authentication factors?

A

something you know (such as a password or PIN), something you have (such as a smartcard or token), and something you are (based on biometrics).

5
Q

What identifies the accuracy of a biometric method

A

the crossover error rate (CER): the point at which the false rejection rate and the false acceptance rate are equal. A lower CER indicates a more accurate biometric method.

6
Q

a mechanism that allows subjects to authenticate once on a system and access multiple objects without authenticating again.

A

Single sign-on (SSO)

7
Q

An active entity that accesses a passive object to receive information from, or data about, an object. They can be users, programs, processes, computers, or anything else that can access a resource.

A

Subjects

8
Q

A passive entity that provides information to active subjects. Some examples include files, databases, computers, programs, processes, printers, and storage media.

A

objects

9
Q

An access control is any hardware, software, or administrative policy or procedure that controls access to resources. The goal is to provide access to authorized subjects and prevent unauthorized access attempts. Name the 3 primary control types.

A

preventive, detective, and corrective.

10
Q

This access control attempts to thwart or stop unwanted or unauthorized activity from occurring. Examples of these access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties policies, job rotation policies, data classification, penetration testing, access control methods, encryption, auditing, the presence of security cameras or closed circuit television (CCTV), smartcards, callback procedures, security policies, security awareness training, antivirus software, firewalls, and intrusion prevention systems.

A

preventive control

11
Q

There are 7 access controls: 3 main ones and 4 others. What are the four other types of access controls?

A

deterrent, recovery, directive, and compensation access controls.

12
Q

This access control attempts to discover or detect unwanted or unauthorized activity. These controls operate after the fact and can discover the activity only after it has occurred. Examples include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection systems, violation reports, supervision and reviews of users, and incident investigations.

A

A detective control

13
Q

This access control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. They attempt to correct any problems that occurred as a result of a security incident. They can be simple, such as terminating malicious activity or rebooting a system. They also include antivirus solutions that can remove or quarantine a virus, backup and restore plans to ensure that lost data can be restored, and active intrusion detection systems that can modify the environment to stop an attack in progress.

A

A corrective control

14
Q

This access control attempts to discourage security policy violations. They are similar to preventive controls but these often depend on individuals deciding not to take an unwanted action. In contrast, a preventive control actually blocks the action. Some examples include policies, security awareness training, locks, fences, security badges, guards, mantraps, and security cameras.

A

A deterrent control

15
Q

This access control attempts to repair or restore resources, functions, and capabilities after a security policy violation. They are an extension of corrective controls but have more advanced or complex abilities. Examples include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.

A

A recovery control

16
Q

This access control attempts to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.

A

A directive control

17
Q

This access control provides an alternative when it isn’t possible to use a primary control, or when necessary to increase the effectiveness of a primary control. As an example, a security policy might dictate the use of smartcards by all employees but it takes a long time for new employees to get a smartcard. The organization could issue hardware tokens to employees as a compensating control. These tokens provide stronger authentication than just a username and password.

A

A compensation control

18
Q

the process of a subject claiming, or professing, an identity.

A

Identification

19
Q

This verifies the identity of the subject by comparing one or more factors against a database of valid identities, such as user accounts.

A

Authentication

20
Q

Subjects are granted access to objects based on proven identities. For example, administrators grant users access to files based on the user’s proven identity.

A

Authorization

21
Q

Users and other subjects can be held accountable for their actions when auditing is implemented. Auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs. For example, auditing can record when a user reads, modifies, or deletes a file. Auditing provides this.

A

Accountability

22
Q

What is Type 1 authentication factor

A

something you know

23
Q

What is Type 2 authentication factor

A

something you have

24
Q

What is Type 3 authentication factor

A

something you are or something you do

25
Q

A series of questions about facts or predefined responses that only the subject should know.

A

cognitive password

26
Q

Hardware tokens that are time-based and synchronized with an authentication server

A

Synchronous Dynamic Password Tokens

27
Q

Hardware token that generates passwords based on an algorithm and an incrementing counter.

A

Asynchronous Dynamic Password Tokens

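The synchronous (time-based) and asynchronous (counter-based) tokens in cards 26 and 27 are two ways of driving the same one-time-password construction. The following is an added example, not part of the original flashcards: a Python implementation of HOTP (RFC 4226) and TOTP (RFC 6238) with the server-side checks a practitioner needs, namely clock-drift tolerance for the time-based form, and counter resynchronisation plus replay protection for the counter-based form. The demo secret is the RFC test-vector key; the window sizes and function names are choices made for this illustration.

```python
import hashlib
import hmac
import struct
import time

# Demo key from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# A real deployment generates a random per-token secret and stores it server-side.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (synchronous token): HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: float, step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current time step or up to `skew` steps either side,
    which absorbs small clock drift between token and server."""
    for offset in range(-skew, skew + 1):
        candidate = totp(secret, unix_time + offset * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def verify_hotp(secret: bytes, code: str, last_counter: int, look_ahead: int = 10):
    """Counter-based (asynchronous) token verification with resynchronisation.
    Tries the next `look_ahead` counters after the last accepted one. Returns the
    counter to persist on success, or None. Storing the returned counter is what
    prevents a captured code from being replayed."""
    for counter in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


if __name__ == "__main__":
    print("HOTP for counter 0:", hotp(DEMO_SECRET, 0))
    print("TOTP for the current 30 s step:", totp(DEMO_SECRET, time.time()))
```

Both verifiers compare with `hmac.compare_digest` so the match does not leak timing information, and both return the same shape regardless of which counter matched, so the caller learns only success or failure.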
28
Q

In biometrics this error occurs when a valid subject is not authenticated. This is also known as a false negative authentication.

A

A Type 1 error

29
Q

In biometrics this occurs when an invalid subject is authenticated. This is also known as a false positive authentication.

A

A Type 2 error

30
Q

The ratio of Type 1 errors to valid authentications is known as

A

false rejection rate (FRR)

31
Q

The ratio of Type 2 errors to valid authentications is called

A

false acceptance rate (FAR)

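Cards 5 and 28 through 31 define Type 1 and Type 2 errors, FRR, FAR and the crossover rate in words. As an added example that is not part of the original flashcards, the Python below computes FRR and FAR from a constructed set of matcher scores, sweeps the decision threshold to locate the crossover error rate, and then shows what the trade-off costs when the threshold is tuned for a maximum acceptable FAR instead. The score lists and the matcher behind them are hypothetical.

```python
# Constructed similarity scores from a hypothetical biometric matcher (1.0 = perfect match).
# "Genuine" scores come from comparing an enrolled user against themselves; "impostor"
# scores come from comparing against other people. Real evaluations use thousands of each.
GENUINE_SCORES = [0.92, 0.88, 0.85, 0.80, 0.78, 0.75, 0.70, 0.66, 0.60, 0.55]
IMPOSTOR_SCORES = [0.20, 0.28, 0.33, 0.40, 0.45, 0.50, 0.58, 0.62, 0.68, 0.72]


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) for a matcher that accepts when score >= threshold.
    FRR (Type 1 error) = share of genuine attempts rejected.
    FAR (Type 2 error) = share of impostor attempts accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover_error_rate(genuine, impostor, steps=100):
    """Sweep the threshold and return (threshold, CER) where FRR and FAR are closest.
    Ties resolve to the lowest threshold. A lower CER means a more accurate method."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    _, threshold, cer = best
    return threshold, cer


def threshold_for_max_far(genuine, impostor, max_far, steps=100):
    """Security-first tuning: the lowest threshold whose FAR does not exceed max_far,
    returned together with the FRR that choice imposes on legitimate users."""
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return 1.0, 1.0


if __name__ == "__main__":
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"CER {cer:.2f} at threshold {t:.2f}")
    t, frr = threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, max_far=0.0)
    print(f"Zero FAR needs threshold {t:.2f}, costing FRR {frr:.2f}")
```

Raising the threshold drives FAR toward zero but pushes FRR up; the CER is the single-number summary used to compare methods, while the second function is what an operator actually uses when the policy fixes the acceptable FAR.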
32
Q

centralized access control technique that allows a subject to be authenticated only once on a system and to access multiple resources without authenticating again.

A

Single sign-on (SSO)

33
Q

Ticket authentication is a mechanism that employs a third-party entity to prove identification and provide authentication. The most common and well-known ticket system is

A

Kerberos

34
Q

the trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with this entity, and it maintains the secret keys for all network members.

A

key distribution center (KDC)

35
Q

This hosts the functions of the KDC: a ticket-granting service (TGS) and an authentication service (AS). However, it is possible to host the ticket-granting service on another server. One of its services verifies or rejects the authenticity and timeliness of tickets. This server is often called the KDC.

A

Kerberos Authentication Server

36
Q

This part of Kerberos provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects. It is encrypted and includes a symmetric key, an expiration time, and the user’s IP address. Subjects present this when requesting tickets to access objects.

A

Ticket-Granting Ticket

37
Q

In Kerberos this is an encrypted message that provides proof that a subject is authorized to access an object.

A

ticket

38
Q

With this access control all objects have owners and the owners can modify permissions.

A

discretionary access control

39
Q

the possibility or likelihood that a threat can exploit a vulnerability and cause damage to assets.

A

risk

40
Q

These are granted to a subject and refer to the access granted for an object and determine what you can do with it.

A

permissions

41
Q

This primarily refers to the ability to take an action on an object.

A

A right

42
Q

the combination of rights and permissions.

A

privileges

43
Q

This principle ensures that access to an object is denied unless access has been explicitly granted to a subject.

A

Implicit Deny

44
Q

a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks this to determine if the subject has the appropriate privileges to perform the action.

A

Access Control Matrix

45
Q

These are another way to identify privileges assigned to subjects. They are different from ACLs in that it is focused on subjects (such as users, groups, or roles).

A

Capability Tables
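Cards 38, 43, 44 and 45 describe discretionary access control, implicit deny, the access control matrix, and capability tables in prose. The Python below is an added example, not taken from the original flashcards: one matrix class that enforces implicit deny, applies the DAC rule that only an object's owner may change its permissions, and exposes the same data as an ACL (one column, per object) and as a capability table (one row, per subject). The users, objects and privilege names are made up for the demonstration.

```python
class AccessControlMatrix:
    """Rows are subjects, columns are objects, cells hold granted privileges.
    An ACL is one column of this matrix (object-centred); a capability table is
    one row (subject-centred). Both are views over the same grants."""

    def __init__(self):
        self._grants = {}   # (subject, object) -> set of privileges
        self._owners = {}   # object -> owning subject (DAC: the owner controls access)

    def create_object(self, owner, obj):
        """Creating an object makes the creator its owner with full privileges."""
        self._owners[obj] = owner
        self._grants[(owner, obj)] = {"read", "write", "delete"}

    def owner_of(self, obj):
        return self._owners.get(obj)

    def grant(self, actor, subject, obj, *privs):
        """DAC rule: only the object's owner may extend its ACL."""
        if self._owners.get(obj) != actor:
            raise PermissionError(f"{actor} is not the owner of {obj}")
        self._grants.setdefault((subject, obj), set()).update(privs)

    def revoke(self, actor, subject, obj, *privs):
        """DAC rule again: only the owner may take privileges away."""
        if self._owners.get(obj) != actor:
            raise PermissionError(f"{actor} is not the owner of {obj}")
        self._grants.get((subject, obj), set()).difference_update(privs)

    def is_allowed(self, subject, obj, priv):
        """Implicit deny: the request passes only if the cell explicitly lists priv."""
        return priv in self._grants.get((subject, obj), set())

    def acl(self, obj):
        """The object's ACL: every subject holding at least one privilege on it."""
        return {s: sorted(p) for (s, o), p in self._grants.items() if o == obj and p}

    def capabilities(self, subject):
        """The subject's capability table: every object it holds a privilege on."""
        return {o: sorted(p) for (s, o), p in self._grants.items() if s == subject and p}


def build_demo_matrix():
    """Constructed sample environment (hypothetical users and objects)."""
    m = AccessControlMatrix()
    m.create_object("alice", "payroll.xlsx")          # alice owns the spreadsheet
    m.grant("alice", "bob", "payroll.xlsx", "read")   # owner shares read-only
    m.create_object("admin", "printer1")
    m.grant("admin", "bob", "printer1", "print")
    m.grant("admin", "alice", "printer1", "print")
    return m


if __name__ == "__main__":
    m = build_demo_matrix()
    print("ACL for payroll.xlsx:", m.acl("payroll.xlsx"))
    print("Capabilities of bob:", m.capabilities("bob"))
    print("dave may read payroll.xlsx:", m.is_allowed("dave", "payroll.xlsx", "read"))
```

Note that `dave` never appears in any grant, so every check for him fails without any explicit deny entry; that is implicit deny in practice. Revoking all of a subject's privileges makes it disappear from both views because empty cells are filtered out.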

46
Q

Applications use these to restrict what users can do or see based on their privileges. An ATM screen is a good example. The Clark-Wilson security model uses these.

A

Constrained User Interface

47
Q

These restrict access to data based on the content within an object. A database view is a good example.

A

Content-dependent access controls

48
Q

These require specific activity before granting users access. As an example, consider the data flow for a transaction selling digital products online. Users add products to a shopping cart and begin the checkout process. The first page in the checkout flow shows the products in the shopping cart, the next page collects credit card data, and the last page confirms the purchase and provides instructions for downloading the digital products. The system denies access to the download page if users don’t go through the purchase process first.

A

Context-dependent access controls

49
Q

This principle ensures that subjects are granted access only to what they need to know for their work tasks and job functions.

A

Need to Know

50
Q

This principle ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that this will also include rights to take action on a system.

A

Least Privilege

51
Q

This principle ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.

A

Separation of Duties and Responsibilities

52
Q

A document that defines the security requirements for an organization. It identifies assets that need protection and the extent to which security solutions should go to protect them. Some organizations create this as a single document, and other organizations create multiples, with each one focused on a separate area.

A

security policy

53
Q

This uses multiple layers or levels of access controls to provide layered security.

A

defense-in-depth strategy.

54
Q

This allows the owner, creator, or data custodian of an object to control and define access to that object. It is implemented using access control lists (ACLs) on objects.

A

discretionary access controls (DACs)

55
Q

In this access control, administrators centrally manage access and can make changes that affect the entire environment.

A

nondiscretionary access controls

56
Q

Systems that employ this type of access controls define a subject’s ability to access an object based on the subject’s role or assigned tasks. It is often implemented using groups.

A

Role-based access control

57
Q

the tendency for privileges to accrue to users over time as their roles and access needs change.

A

Privilege creep
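Cards 50, 56 and 57 cover least privilege, role-based access control implemented with groups, and privilege creep. The Python below is an added example, not from the original flashcards: a small RBAC directory where permissions attach only to roles, users gain access through group membership, and a job change that forgets to remove the old role produces exactly the accumulated excess the card describes. The `privilege_creep` and `recertify` functions show how an access review measures and removes that excess. Roles, permission names and users are hypothetical.

```python
# Permissions attach to roles, never directly to users (RBAC via groups).
ROLE_PERMISSIONS = {
    "helpdesk": {"reset_password", "read_tickets"},
    "sysadmin": {"reset_password", "read_tickets", "ssh_prod", "manage_backups"},
    "finance":  {"read_ledger", "approve_payment"},
}


class RbacDirectory:
    def __init__(self):
        self.members = {role: set() for role in ROLE_PERMISSIONS}  # role group -> users
        self.job_role = {}  # user -> the one role the current job actually requires

    def add_to_role(self, user, role):
        self.members[role].add(user)

    def remove_from_role(self, user, role):
        self.members[role].discard(user)

    def change_job(self, user, new_role):
        """Records the new requirement and adds the new role. It deliberately does
        not remove old roles: that omission is how privilege creep starts."""
        self.job_role[user] = new_role
        self.add_to_role(user, new_role)

    def roles_of(self, user):
        return {role for role, users in self.members.items() if user in users}

    def effective_permissions(self, user):
        perms = set()
        for role in self.roles_of(user):
            perms |= ROLE_PERMISSIONS[role]
        return perms

    def is_allowed(self, user, permission):
        """Implicit deny: only permissions reachable through a role membership pass."""
        return permission in self.effective_permissions(user)

    def privilege_creep(self, user):
        """Permissions held beyond what the current job role needs: the least-privilege gap."""
        required = ROLE_PERMISSIONS.get(self.job_role.get(user), set())
        return self.effective_permissions(user) - required

    def stale_roles(self, user):
        """Role memberships other than the current job role."""
        return self.roles_of(user) - {self.job_role.get(user)}

    def recertify(self, user):
        """Access-review remediation: drop every role the current job does not require
        and return whatever creep remains (should be empty)."""
        for role in self.stale_roles(user):
            self.remove_from_role(user, role)
        return self.privilege_creep(user)


def build_demo_directory():
    """Constructed scenario: carol joins on the helpdesk and later moves to finance."""
    d = RbacDirectory()
    d.change_job("carol", "helpdesk")
    d.change_job("carol", "finance")   # the helpdesk membership is never cleaned up
    d.change_job("erin", "sysadmin")
    return d


if __name__ == "__main__":
    d = build_demo_directory()
    print("carol's roles before review:", sorted(d.roles_of("carol")))
    print("excess permissions:", sorted(d.privilege_creep("carol")))
    d.recertify("carol")
    print("carol's roles after review:", sorted(d.roles_of("carol")))
```

Running the review periodically (or on every job change) is the control that keeps RBAC honest; without it the role model still works, but the principle of least privilege quietly erodes.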

58
Q

This type of access control uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. It includes granting a subject access to an object, or granting the subject the ability to perform an action. A distinctive characteristic about these models is that they have global rules that apply to all subjects. One common example is a firewall.

A

rule-based access control (rule-BAC)

59
Q

This model relies on the use of classification labels. Each classification label represents a security domain, or a realm of security. A security domain is a collection of subjects and objects that share a common security policy. For example, a security domain could have the label Secret.

A

mandatory access control (MAC)

60
Q

the possibility or likelihood that a threat will exploit a vulnerability resulting in a loss such as harm to an asset.

A

risk

61
Q

a potential occurrence that can result in an undesirable outcome. This includes potential attacks by criminals or other attackers. It also includes natural occurrences such as floods or earthquakes, and accidental acts by employees.

A

threat

62
Q

any type of weakness. The weakness can be due to a flaw or limitation in hardware or software, or the absence of a security control such as the absence of antivirus software on a computer.

A

vulnerability

63
Q

This attempts to reduce or eliminate vulnerabilities, or reduce the impact of potential threats by implementing controls or countermeasures.

A

Risk management

64
Q

This refers to identifying the actual value of assets with the goal of prioritizing them. Risk management focuses on assets with the highest value and identifies controls to mitigate risks to these assets.

A

Asset valuation

65
Q

This refers to the process of identifying, understanding, and categorizing potential threats. A goal is to identify a potential list of threats to these systems and to analyze the threats.

A

Threat modeling

66
Q

This refers to a group of attackers who are working together and are highly motivated, skilled, and patient. They have advanced knowledge and a wide variety of skills to detect and exploit vulnerabilities. They are persistent and focus on exploiting one or more specific targets rather than just any target of opportunity.

A

advanced persistent threat (APT)

67
Q

This refers to collecting multiple pieces of nonsensitive information and combining (i.e., aggregating) them to learn sensitive information.

A

Access aggregation

68
Q

an attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords.

A

dictionary attack

69
Q

an attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols.

A

brute-force attack

70
Q

This access attack focuses on finding collisions.

A

birthday attack

71
Q

It takes a long time to find a password by guessing it, hashing it, and then comparing it with a valid password hash. These reduce this time by using large databases of precomputed hashes.

A

rainbow table

72
Q

a group of random bits, added to a password before hashing it.

A

salt
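Cards 68, 69, 71 and 72 describe dictionary and brute-force attacks, rainbow tables, and the salt that defeats precomputation. The Python below is an added example that is not part of the original flashcards: a salted, iterated password hash using PBKDF2-HMAC-SHA256 from the standard library, a constant-time verifier, and a constructed stand-in for a rainbow table that recovers an unsalted SHA-256 hash in one lookup but gets nothing from the salted form. The work factor, storage format and password list are choices made for this illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Raise it as hardware improves; a memory-hard
# KDF (scrypt, Argon2) is the better choice where the platform provides one.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a random per-user salt. Returns a self-describing
    string so the salt and work factor travel with the hash."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, dk_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password: str) -> str:
    """The weak scheme a rainbow table targets: one fast, unsalted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a rainbow table: precomputed unsalted hashes of a few
# common passwords (a real table covers billions of candidates).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(digest_hex: str) -> Optional[str]:
    """Attack on the weak scheme: a single table lookup recovers the password."""
    return PRECOMPUTED.get(digest_hex)


def lookup_salted(stored: str) -> Optional[str]:
    """The same table against a salted hash: the salt changed the hashed input, so
    the precomputed digests never match. The attacker would need a table per salt,
    and the iteration count makes even that table expensive to build."""
    _, _, _, dk_b64 = stored.split("$")
    return PRECOMPUTED.get(base64.b64decode(dk_b64).hex())


if __name__ == "__main__":
    stored = hash_password("letmein")
    print("stored record:", stored)
    print("unsalted lookup:", lookup_unsalted(unsalted_sha256("letmein")))
    print("salted lookup:", lookup_salted(stored))
```

The same password hashed with two different salts yields two unrelated records, which is why one precomputed table cannot serve every account; the iteration count then slows the per-account dictionary or brute-force attack that remains.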

73
Q

Capturing packets sent over a network with the intent of analyzing the packets.

A

sniffing

74
Q

This is pretending to be something, or someone, else. A lot of attacks are based on this.

A

Spoofing

75
Q

This is a form of social engineering that attempts to trick users into giving up sensitive information, opening an attachment, or clicking a link.

A

Phishing

76
Q

This is a form of phishing targeted to a specific group of users, such as employees within a specific organization.

A

Spear phishing

77
Q

a variant of phishing that targets senior or high-level executives such as CEOs and presidents within a company.

A

Whaling

78
Q

Phishing attacks launched over the telephone, including VoIP calls (voice phishing)

A

Vishing

79
Q

This attack prevents a system from processing or responding to legitimate traffic or requests for resources.

A

denial-of-service (DoS)

80
Q

Which part of Kerberos provides the Ticket Granting Tickets that allows access to the realm or domain

A

Authentication Service

81
Q

Which part of Kerberos provides tickets that allow access to objects within the realm or domain

A

Ticket Granting Service

82
Q

Which protocol does RADIUS use, TCP or UDP?

A

UDP (authentication on port 1812, accounting on port 1813)

83
Q

Which protocol do TACACS+ and Diameter use, TCP or UDP?

A

TCP (TACACS+ uses TCP port 49; Diameter runs over TCP or SCTP)