Domain 5 Identity and Access Management Flashcards
Which type of password provides MAXIMUM security because a new password is required for each new log-on?
One-time or dynamic password
What can be defined as a table of subjects and objects indicating what actions individual subjects can take upon individual objects?
An access control matrix
How are memory cards and smart cards different?
Memory cards have no processing power
Which of the following access control models introduces user security clearance and data classification?
Mandatory access control
Most access violations are:
Accidental
Which biometric method analyzes the speed of signing (stroke), and the pressure the signer exerts to generate a signature?
Signature Dynamics
A system in which a central authority determines what subjects can have access to certain objects, based on the organizational structure, is called:
Non-Discretionary Access Control
A central authority determines what subjects can have access to certain objects based on the organizational security policy.
The key focal point of this question is the ‘central authority’ that determines access rights.
What is the term for verification that the user’s claimed identity is valid, usually implemented through a user password at log-on time?
Authentication
Authentication is verification that the user’s claimed identity is valid and is usually implemented through a user password at log-on time.
Which of the following is the LEAST user accepted biometric device?
Retina scan
Which access control model is best suited in an environment where a high security level is required and where it is desired that only the administrator grants access control?
MAC
MAC provides high security by regulating access based on the clearance of individual users and sensitivity labels for each object. Clearance levels and sensitivity levels cannot be modified by individual users – for example, user Joe (SECRET clearance) cannot reclassify the “Presidential Doughnut Recipe” from “SECRET” to “CONFIDENTIAL” so that his friend Jane (CONFIDENTIAL clearance) can read it. The administrator is ultimately responsible for configuring this protection in accordance with security policy and directives from the Data Owner.
DAC is incorrect. In DAC, the data owner is responsible for controlling access to the object.
Which of the following access control models requires defining classification for objects?
Mandatory Access Control
With mandatory access control (MAC), the authorization of a subject’s access to an object is dependent upon labels, which indicate the subject’s clearance and the classification of objects.
Which type of security control is also known as “Logical” control?
Technical
Technical security controls are also called Logical Controls.
Which access control method allows the data owner (the person who created the file) to control access to the information they own?
DAC - Discretionary Access Control
DAC - Discretionary Access Control is where the user controls access to the data they create or manage.
It is the least secure method of access control because of a few factors:
- Employee changeover can lead to confusion of data ownership or abandoned data.
- Employees are not traditionally experienced enough to manage data permissions and maintain them in a reliable fashion.
- People in general are the least reliable component of any organization.
Which of the following pairings uses technology to enforce access control policies within systems?
Preventive/Technical
Which of the following access control models is based on sensitivity labels?
Mandatory access control
Smart cards are an example of which type of control?
Technical control
Logical or technical controls involve the restriction of access to systems and the protection of information. Smart cards and encryption are examples of these types of control.
Controls are put into place to reduce the risk an organization faces, and they come in three main flavors: administrative, technical, and physical. Administrative controls are commonly referred to as “soft controls” because they are more management-oriented. Examples of administrative controls are security documentation, risk management, personnel security, and training. Technical controls (also called logical controls) are software or hardware components, as in firewalls, IDS, encryption, identification and authentication mechanisms. And physical controls are items put into place to protect facility, personnel, and resources. Examples of physical controls are security guards, locks, fencing, and lighting.
Many types of technical controls enable a user to access a system and the resources within that system. A technical control may be a username and password combination, a Kerberos implementation, biometrics, public key infrastructure (PKI), RADIUS, TACACS+, or authentication using a smart card through a reader connected to a system. These technologies verify the user is who he says he is by using different types of authentication methods. Once a user is properly authenticated, he can be authorized and allowed access to network resources.
Which of the following would be used to compare accuracy of biometric devices?
CER
equal error rate or crossover error rate (EER or CER): the rate at which both accept and reject errors are equal. The value of the EER can be easily obtained from the ROC curve. The EER is a quick way to compare the accuracy of devices with different ROC curves. In general, the device with the lowest EER is most accurate.
The following are used as performance metrics for biometric systems:
false accept rate or false match rate (FAR or FMR): the probability that the system incorrectly matches the input pattern to a non-matching template in the database. It measures the percent of invalid inputs which are incorrectly accepted. On a similarity scale, if the person is actually an impostor but the matching score is higher than the threshold, they are treated as genuine, which increases the FAR; performance therefore also depends upon the selection of the threshold value.
false reject rate or false non-match rate (FRR or FNMR): the probability that the system fails to detect a match between the input pattern and a matching template in the database. It measures the percent of valid inputs which are incorrectly rejected.
failure to enroll rate (FTE or FER): the rate at which attempts to create a template from an input are unsuccessful. This is most commonly caused by low quality inputs.
failure to capture rate (FTC): Within automatic systems, the probability that the system fails to detect a biometric input when presented correctly.
template capacity: the maximum number of sets of data which can be stored in the system.
Which of the following terms BEST describes linking of a person’s electronic identity and attributes for use across identity management systems and uses SAML to exchange authentication and authorization data?
Federated ID
The term Federated ID describes a common set of standards, policies and protocols to coordinate access between separate domains while avoiding making users authenticate to that other domain.
SAML - Security Assertion Markup Language is an XML standard for exchanging authentication and authorization data. It supports the Federated ID concept and addresses most importantly web browser single sign-on or SSO.
Crossover Error Rate (CER) –
describes the point where the False Reject Rate (FRR) and False Accept Rate (FAR) are equal.
CER is also known as the Equal Error Rate (EER). The Crossover Error Rate describes the overall accuracy of a biometric system.
Discretionary Access Control (DAC) –
gives subjects full control of objects they have created or been given access to, including sharing the objects with other subjects
False Accept Rate (FAR) –
occurs when an unauthorized subject is accepted by the biometric system as valid. Also called a Type II error.
False Reject Rate (FRR) –
occurs when an authorized subject is rejected by the biometric system as unauthorized. Also called a Type I error.
Mandatory Access Control (MAC) –
system-enforced access control based on subjects’ clearances and objects’ labels
Role-Based Access Controls (RBAC) –
subjects are grouped into roles and each defined role has access permissions based upon the role, not the individual
Rainbow table
acts as a database that contains the pre-computed hashed output for most or all possible passwords. Rainbow tables take a considerable amount of time to generate and are not always complete: they may not include all possible password/hash combinations.
A hybrid attack
appends, prepends, or changes characters in words from a dictionary before hashing, to attempt the fastest crack of complex passwords. For example, an attacker may have a dictionary of potential system administrator passwords but also replaces each letter “o” with the number “0”.
Minimum password management security features include the following:
• Password history = set to remember 24 passwords
• Maximum password age = 90 days
• Minimum password age = 2 days (this prevents users from cycling through 24 passwords to return immediately to their favorite)
• Minimum password length = 8 characters
• Passwords must meet complexity requirements = true
• Store password using reversible encryption = false
Synchronous dynamic tokens
Synchronous dynamic tokens use time or counters to synchronize a displayed token code with the code expected by the authentication server: the codes are synchronized.
Asynchronous Dynamic Token
The most common variety is challenge-response tokens. Challenge-response token authentication systems produce a challenge, or input for the token device. Then the user manually enters the information into the device along with their PIN, and the device produces an output. This output is then sent to the system.