Domain 5: Identity and Access Management Flashcards

1
Q

Access

A

Access is a flow of information between a subject and an object.

2
Q

Subject

A

A subject is an active entity that requests access to an object, which is a passive entity.

A subject can be a user, program, or process.

3
Q

Security mechanisms that provide confidentiality

A
  • Encryption
  • Logical and physical access control
  • Transmission protocols
  • Database views
  • Controlled traffic flow
4
Q

IdM examples

A
  • Directories
  • Web access management
  • Password management
  • Legacy single sign-on
  • Account management
  • Profile update
5
Q

Password synchronization

A

Password synchronization reduces the complexity of keeping up with different passwords for different systems.

6
Q

Self-service password reset

A

Self-service password reset reduces help-desk call volumes by allowing users to reset their own passwords.

7
Q

Assisted password reset

A

Assisted password reset shortens the help desk's resolution process for password issues: the help-desk operator verifies the user's identity and then triggers the reset on the user's behalf.

8
Q

What do IdM directories contain?

A
  • All resource information
  • Users’ attributes
  • Authorization profiles
  • Roles
  • Access control policies

They are the one centralized resource from which IdM applications gather this information.

9
Q

User provisioning

A

User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories, or applications.

10
Q

User access reviews

A

User access reviews ensure there are no active accounts that are no longer needed.

11
Q

What is the authoritative source for user identities?

A

The HR database is usually considered the authoritative source for user identities because that is where each user’s identity is first developed and properly maintained.

12
Q

Access control models (list 5)

A
  • Discretionary
  • Mandatory
  • Role based
  • Rule based
  • Attribute based
13
Q

DAC

A

Discretionary access control (DAC) enables data owners to dictate what subjects have access to the files and resources they own.

14
Q

MAC

A

The mandatory access control (MAC) model uses a security label system. Users have clearances, and resources have security labels that contain data classifications.

MAC systems compare these two attributes to determine access control capabilities.

15
Q

RBAC

A

Role-based access control (RBAC) is based on the user’s role and responsibilities (tasks) within the company.

16
Q

RB-RBAC

A

Rule-based RBAC (RB-RBAC) builds on RBAC by adding Boolean logic in the form of rules or policies that further restrict access.

17
Q

ABAC

A

Attribute-based access control (ABAC) is based on attributes of any component of the system. It is the most granular of the access control models.
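The three models above evaluate the same request in different ways. The following is an added example for this deck, not code from the original cards: a constructed role table, two Boolean business rules layered on top of it (rule-based RBAC), and an attribute policy (ABAC). All user names, roles, departments and limits are assumed for illustration.

```python
"""RBAC, rule-based RBAC and ABAC decisions over one request (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed role model: roles carry permissions, users carry roles.
ROLE_PERMS: Dict[str, Set[str]] = {
    "clerk":   {"invoice:read"},
    "manager": {"invoice:read", "invoice:approve"},
}
USER_ROLES: Dict[str, Set[str]] = {"dana": {"clerk"}, "eve": {"manager"}}


@dataclass
class Request:
    user: str
    action: str
    hour: int                     # local hour 0-23 (environment attribute)
    device_managed: bool          # environment attribute
    resource_amount: int = 0      # invoice value (resource attribute)
    user_attrs: Dict[str, object] = field(default_factory=dict)  # subject attributes


def rbac(req: Request) -> bool:
    """Plain RBAC: permission comes only from the roles assigned to the user."""
    perms = set().union(*(ROLE_PERMS.get(r, set()) for r in USER_ROLES.get(req.user, set())))
    return req.action in perms


# Rule-based RBAC adds Boolean rules that must ALL hold in addition to the role check.
BUSINESS_RULES = [
    lambda r: 8 <= r.hour < 18,   # only during business hours
    lambda r: r.device_managed,   # only from a managed device
]


def rb_rbac(req: Request) -> bool:
    """Rule-based RBAC: the role decision AND every rule must be true."""
    return rbac(req) and all(rule(req) for rule in BUSINESS_RULES)


def abac(req: Request) -> bool:
    """ABAC: a policy over subject, action, resource and environment attributes;
    no role table is consulted at all."""
    dept = req.user_attrs.get("department")
    limit = int(req.user_attrs.get("approval_limit", 0))
    if req.action == "invoice:approve":
        return dept == "finance" and req.resource_amount <= limit and req.device_managed
    if req.action == "invoice:read":
        return dept in {"finance", "audit"}
    return False
```

The same approval request by the same manager passes plain RBAC at any hour, fails rule-based RBAC outside business hours, and under ABAC succeeds or fails on the invoice amount versus the user's approval limit, which is the granularity the ABAC card refers to.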

18
Q

Constrained user interface mechanisms (list 3)

A
  • Menus and shells
  • Database views
  • Physically constrained interfaces
19
Q

How is an access control list used?

A

Access control lists are bound to objects and indicate what subjects can use them.

20
Q

Capability table

A

A capability table is bound to a subject and lists what objects it can access.

21
Q

Remote access control technology examples (list 3)

A
  • RADIUS
  • TACACS+
  • Diameter
22
Q

Administrative control examples (list 5)

A
  • Security policy
  • Personnel controls
  • Supervisory structure
  • Security awareness training
  • Testing
23
Q

Physical control examples (list 5)

A
  • Network segregation
  • Perimeter security
  • Computer controls
  • Work area separation
  • Cabling
24
Q

Technical control examples (list 6)

A
  • System access
  • Network architecture
  • Network access
  • Encryption
  • Protocols
  • Auditing
25
Q

What does it take for a subject to be able to access a resource?

A

For a subject to be able to access a resource, it must be:

  • Identified
  • Authenticated
  • Authorized
  • Held accountable for its actions
26
Q

How can authentication be accomplished? (list 6)

A
  • Biometrics
  • Password
  • Passphrase
  • Cognitive password
  • One-time password
  • Token
27
Q

Type I and Type II biometric errors

A
  • Type I error means the system rejected an authorized individual (false rejection)
  • Type II error means an impostor was authenticated (false acceptance)
28
Q

Memory card vs. Smart card

A

A memory card cannot process information, but a smart card can through the use of integrated circuits and processors.

29
Q

Least-privilege and need-to-know

A

Least-privilege and need-to-know principles limit users’ rights to only what is needed to perform tasks of their job.

30
Q

Single sign-on (list 3 ways to accomplish)

A
  • Kerberos
  • Domains
  • Thin clients
31
Q

How does Kerberos work?

A
  • The Kerberos user authenticates to the KDC's authentication service and receives a ticket granting ticket (TGT)
  • The TGT allows the user to request access to resources through the ticket granting service (TGS)
  • The TGS generates a service ticket for the requested resource together with a new session key
32
Q

Keystroke monitoring

A

Keystroke monitoring is a type of auditing that tracks each keystroke made by a user.

33
Q

Object reuse

A

Object reuse can unintentionally disclose information by assigning media to a subject before it is properly erased.

34
Q

When is deleting not enough?

A

Just removing pointers to files (deleting file, formatting hard drive) is not always enough protection for proper object reuse.

35
Q

How to prevent data leakage via electrical signals in airwaves

A
  • TEMPEST
  • White noise
  • Control zones
36
Q

How is user authentication accomplished?

A
  • By what someone knows
  • By what someone is
  • By what someone has
37
Q

Password-generating token methods

A
  • Synchronous (time, event)
  • Asynchronous (challenge-based)
38
Q

What makes strong authentication?

A

Strong authentication requires two of the three user authentication attributes:

  • What someone knows
  • What someone is
  • What someone has
39
Q

Kerberos weaknesses

A
  • The KDC is a single point of failure
  • It is susceptible to password guessing
  • Session and secret keys are locally stored
  • KDC needs to always be available
  • There must be management of secret keys
40
Q

Phishing

A

Phishing is a type of social engineering with the goal of obtaining personal information, credentials, credit card numbers, or financial data.

41
Q

Race condition

A

A race condition is possible when two or more processes use a shared resource and the access steps could take place out of sequence.

42
Q

Mutual authentication

A

Mutual authentication is when two entities must authenticate to each other before sending data back and forth. Also referred to as two-way authentication.

43
Q

Directory service

A

A directory service is a software component that stores, organizes, and provides access to resources, which are listed in a directory (listing) of resources.

Individual resources are assigned names within a namespace.

44
Q

Cookie

A

A cookie is data stored persistently on disk as a text file or held temporarily in memory.

It can be used to store browsing habits, authentication data, or protocol state information.

45
Q

Federated identity

A

A federated identity is a portable identity, and its associated entitlements, that can be used across business boundaries without the need to synchronize or consolidate directory information.

46
Q

XML

A

Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form to allow for interoperability between various web-based technologies.

47
Q

SPML

A

Service Provisioning Markup Language (SPML) is an OASIS XML-based framework for exchanging user, resource, and service provisioning information between cooperating organizations.

48
Q

XACML

A

Extensible Access Control Markup Language (XACML), which is both a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies.

49
Q

Replay attack

A

Replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated with the goal of obtaining unauthorized access.

50
Q

Clipping level

A

Clipping level is a threshold value.

Once a threshold value is passed, the activity is considered to be an event that is logged, investigated, or both.

51
Q

Rainbow table

A

A rainbow table is a set of precomputed hash values that represents password combinations.

Rainbow tables are used in password attack processes and usually produce results more quickly than dictionary or brute-force attacks.

52
Q

Cognitive passwords

A

Cognitive passwords are fact- or opinion-based information used to verify an individual's identity.

53
Q

Smart card types (List 2)

A

Smart cards can:

  • Require physical interaction with a reader (contact)
  • Require no physical interaction with the reader (contactless)

Two dual-interface architectures that support both contact and contactless readers are:

  • Combi (one chip serving both interfaces)
  • Hybrid (two chips, one per interface)
54
Q

Side channel attack

A

A side channel attack is carried out by:

  • Gathering data pertaining to how something works
  • Using that data to attack it or crack it

Examples:

  • Differential power analysis
  • Electromagnetic analysis
55
Q

Authorization creep

A

Authorization creep takes place when a user accumulates more access rights and permissions than the current job requires, typically because rights are added as the user changes roles but the old ones are never revoked.

56
Q

SIEM

A

Security information and event management (SIEM) implements data mining and analysis functionality to be carried out on centralized logs for situational awareness capabilities.

57
Q

Intrusion detection

A

Intrusion detection systems are either:

  • Host based
  • Network based

They provide either:

  • Behavioral (statistical) functionality
  • Signature (knowledge) functionality
58
Q

Phishing variants

A
  • Spear-phishing:
    • Crafted for a specific individual
  • Pharming:
    • DNS server is poisoned and points users to a malicious website
59
Q

Web portal

A

A web portal is commonly made up of portlets, which are pluggable user interface software components that present information and services from other systems.

60
Q

SPML

A

The Service Provisioning Markup Language (SPML) allows for:

  • Automation of user management
    • Account creation
    • Amendments
    • Revocation
  • Access entitlement configuration
    • Related to electronically published services across multiple provisioning systems.
61
Q

SAML

A

The Security Assertion Markup Language (SAML) allows authentication and authorization data to be exchanged between security domains.

62
Q

OpenID

A

OpenID is an open standard and protocol that allows third-party authentication of a user.

63
Q

OAuth

A

OAuth is an open standard that lets a user grant a third-party application limited access to a web resource, such as a contacts database, without handing that application the user's credentials.

64
Q

OpenID Connect

A

OpenID Connect is an identity layer built on the OAuth 2.0 protocol: it adds authentication (an ID token that describes the user) to OAuth's authorization of client resource requests.

65
Q

SOAP

A

The Simple Object Access Protocol (SOAP) is a protocol specification for exchanging structured information in the implementation of web services and networked environments.

66
Q

SOA

A

Service-oriented architecture (SOA) environments allow for a suite of interoperable services to be used within multiple, separate systems from several business domains.

67
Q

RFID

A

Radio-frequency identification (RFID) is a technology that provides data communication through the use of radio waves.

68
Q

What is a dictionary attack against passwords and how does it work?

A

A dictionary attack is fed lists, or dictionaries, of commonly used words or combinations of characters, which it then compares against the unknown credentials to identify any matches and guess the passwords.

69
Q

What is a rainbow table and how does it work?

A

Dictionary and brute force password attacks are only marginally successful in breaking passwords, and both pay the full hashing cost at attack time. A rainbow table mitigates this by precomputing the hashes of candidate passwords over a character set and a range of lengths ahead of time and storing them in indexed chains. These tables can be quite large, but they reduce password cracking time by a considerable amount and, in some cases, recover passwords where other methods have failed. They only work against unsalted hashes: a per-user salt forces the table to be rebuilt for every salt value.

70
Q

What model implements access control matrices to control how subjects interact with objects when comparing the available models?

A

The discretionary access control (DAC) model is implemented and enforced through access control lists (ACLs). The ACLs are the columns of an access control matrix whose rows are subjects and whose cells hold the permitted operations.

MAC is implemented and enforced through the use of security labels.
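Cards 19, 20 and 70 describe the same structure from three angles: the access control matrix, its columns (ACLs bound to objects) and its rows (capability tables bound to subjects). The block below is an added example for this deck, not code from the original cards; the subjects, objects and rights are constructed, and `dac_grant` shows the discretionary part, where only the owner may change an object's ACL.

```python
"""Access control matrix, ACLs and capability tables (constructed example)."""
from typing import Dict, FrozenSet, Set

# Constructed matrix: rows are subjects, columns are objects, cells are rights.
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"payroll.xlsx": {"read", "write", "own"}, "memo.txt": {"read"}},
    "bob":   {"memo.txt": {"read", "write", "own"}},
    "carol": {"payroll.xlsx": {"read"}},
}


def acl_for(obj: str) -> Dict[str, FrozenSet[str]]:
    """One column of the matrix: the ACL bound to an object (subject -> rights)."""
    return {s: frozenset(objs[obj]) for s, objs in MATRIX.items() if obj in objs}


def capabilities_for(subject: str) -> Dict[str, FrozenSet[str]]:
    """One row of the matrix: the capability table bound to a subject (object -> rights)."""
    return {o: frozenset(r) for o, r in MATRIX.get(subject, {}).items()}


def allowed_via_acl(subject: str, obj: str, right: str) -> bool:
    """Reference-monitor check the way an ACL-based system does it: look at the object."""
    return right in acl_for(obj).get(subject, frozenset())


def allowed_via_capability(subject: str, obj: str, right: str) -> bool:
    """The same decision the way a capability-based system does it: look at the subject."""
    return right in capabilities_for(subject).get(obj, frozenset())


def dac_grant(owner: str, subject: str, obj: str, right: str) -> None:
    """DAC: only the object's owner may change its ACL entry; anyone else is refused."""
    if "own" not in MATRIX.get(owner, {}).get(obj, set()):
        raise PermissionError(f"{owner} does not own {obj}")
    MATRIX.setdefault(subject, {}).setdefault(obj, set()).add(right)


def revoke_subject(subject: str) -> int:
    """Why ACL systems favour object-centric review and capability systems subject-centric:
    removing a departed user means touching every column. Returns entries removed."""
    removed = len(MATRIX.pop(subject, {}))
    return removed
```

Both checks always agree because they read the same cell; the difference is which side holds the data, which is why "what can this subject reach?" is a cheap question in a capability system and an expensive one in an ACL system (and the reverse for "who can reach this object?").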

71
Q

What are two potential attacks that can be conducted against a Kerberos authentication scheme?

A
  • Confidentiality
  • Availability

In confidentiality attacks, the tickets used by Kerberos, which are authentication tokens, can be sniffed and potentially cracked.

In availability attacks, if an attacker targets the Kerberos KDC server, it can prevent anyone in the realm from logging in. If the KDC is brought down, no principal can obtain new tickets, so no new authenticated sessions can be established; sessions whose tickets were already issued keep working until those tickets expire.

72
Q

What are two common methods used to crack passwords?

A
  • Dictionary
  • Brute force attacks

A dictionary attack runs through a predefined database of passwords, or possibly an actual dictionary, to determine if any of the words from the database are the correct password.

Brute force attacks run through literally every possible character combination one at a time until the password is successfully guessed. Dictionary and brute force attacks can be combined into a hybrid attack.
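Cards 51, 68, 69 and 72 describe four attacks on stored password hashes. The block below is an added example for this deck, not code from the original cards: a dictionary attack, a hybrid attack with a few constructed mangling rules, an exhaustive brute force, and a real rainbow table (endpoint-only storage with a column-dependent reduction function) over the toy space of four-digit PINs. MD5 without salt is used as the target hash precisely because it is fast and unsalted; the chain length, the PIN space and the mangling suffixes are illustrative choices.

```python
"""Dictionary, hybrid, brute-force and rainbow-table attacks on unsalted hashes (constructed example)."""
import hashlib
import itertools
from typing import Dict, Iterable, List, Optional


def h(pw: str) -> str:
    """Fast, unsalted hash: exactly what makes precomputation worthwhile."""
    return hashlib.md5(pw.encode()).hexdigest()


def dictionary_attack(target: str, words: Iterable[str]) -> Optional[str]:
    """Hash each candidate from the word list and compare."""
    return next((w for w in words if h(w) == target), None)


def hybrid_attack(target: str, words: Iterable[str],
                  suffixes=("", "1", "123", "!", "2024")) -> Optional[str]:
    """Dictionary words with simple mangling rules (capitalise, append a suffix)."""
    words = list(words)
    cands = (v for w in words for s in suffixes for v in (w + s, w.capitalize() + s))
    return dictionary_attack(target, cands)


def brute_force(target: str, alphabet: str, max_len: int) -> Optional[str]:
    """Every combination, shortest first; cost grows as |alphabet| ** length."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if h(cand) == target:
                return cand
    return None


# Rainbow table over 4-digit PINs with chains of length T (toy parameters).
SPACE = 10_000
T = 50


def reduce_(digest: str, i: int) -> str:
    """Reduction function: maps a hash back into the PIN space; the column index i
    makes each column's reduction different, which limits chain merges."""
    return f"{(int(digest[:12], 16) + i) % SPACE:04d}"


def build_table(starts: Iterable[str]) -> Dict[str, List[str]]:
    """Walk each chain and keep only (end -> starts): the storage/time trade-off."""
    table: Dict[str, List[str]] = {}
    for s in starts:
        x = s
        for i in range(T):
            x = reduce_(h(x), i)
        table.setdefault(x, []).append(s)   # merged chains share an endpoint
    return table


def rainbow_lookup(target: str, table: Dict[str, List[str]]) -> Optional[str]:
    """Assume the target sits in column j, finish the chain from there and look for its end;
    then re-walk the stored chain to column j and verify (this rejects false alarms)."""
    for j in range(T - 1, -1, -1):
        y = reduce_(target, j)
        for i in range(j + 1, T):
            y = reduce_(h(y), i)
        for start in table.get(y, ()):
            x = start
            for i in range(j):
                x = reduce_(h(x), i)
            if h(x) == target:
                return x
    return None
```

With a handful of chains the table covers only a fraction of the PIN space, which is the point: coverage is bought with more or longer chains, and a per-user salt makes the whole table useless because every salt value would need its own table.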

73
Q

Authentication can be based on three factors, or a combination of two or more of the three. What are the authentication factors?

A
  • Something you know
  • Something you have
  • Something you are

Something you know includes passwords and PINs. Both of these are susceptible to loss and social engineering.

Something you have includes tokens or smartcards. These can be duplicated or the user can be social engineered to give an attacker the object.

Something you are includes any form of biometrics. Common examples include fingerprint, iris print, and voice print. These items are susceptible to failure and, in some cases, duplication.

74
Q

Describe issues network IDSs have in switched environments.

A

NIDSs have a harder time on a switched network than in traditional non-switched (hub) environments, because the switch forwards each frame only to its destination port over an independent virtual circuit instead of broadcasting it to every port.

The IDS sensor acts as a sniffer, so it does not see the traffic in these individual circuits. The fix is to copy all the data on each virtual circuit and put the copies on one port (a spanning or mirror port) where the sensor is located. This gives the sensor access to all the data going back and forth on the switched network, with the caveat that a spanning port can be oversubscribed when the aggregate traffic exceeds its capacity, in which case the sensor drops frames.

75
Q

What are the two components of the KDC?

A
  • Authentication service
  • Ticket-granting service

The authentication service (AS) issues ticket-granting tickets (TGTs) that are good for admission to the ticket-granting service (TGS).

Before network clients can get tickets for services, they must obtain a TGT from the authentication service. With the ticket-granting service, clients receive tickets to specific target services; these service tickets are what the client presents to authenticate to the server.

76
Q

What are intrusion detection system (IDS) host-based versus network-based approaches?

A

A network-based IDS (NIDS) monitors network communications. It cannot "see" activity going on inside a computer itself.

A host-based IDS (HIDS) is installed on individual workstations and/or servers and monitors activity within that particular system, watching for inappropriate or anomalous activity such as users deleting system files, reconfiguring important settings, or putting the system at risk in any other way.

So, whereas the NIDS understands and monitors network traffic, a HIDS's universe is limited to the computer itself. A HIDS does not understand or review network traffic, and a NIDS does not "look in" and monitor a system's activity.

77
Q

How is an intrusion prevention system (IPS) different from an intrusion detection system (IDS)?

A

An IDS only detects that something suspicious may be taking place and issues an alert to notify administrators or IT personnel.

An intrusion prevention system (IPS) detects the same activity but is also capable of taking preventive or proactive action to halt it: its goal is to keep the traffic from reaching the target in the first place.

78
Q

A common method to provide centralized access control is RADIUS. What are the five RADIUS steps?

A
  • The user connects to the RADIUS client (the network access server).
  • The RADIUS client requests credentials from the user.
  • The user enters credentials.
  • The RADIUS client hides the password using the shared secret and passes the credentials to the RADIUS server in an Access-Request.
  • The RADIUS server accepts, rejects, or challenges the credentials (Access-Accept, Access-Reject, or Access-Challenge).
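The "encryption" in step four is the User-Password hiding of RFC 2865 section 5.2: the password is padded to 16-byte blocks and each block is XORed with MD5(shared secret || previous block), seeded by the 16-byte Request Authenticator. The block below is an added example for this deck, not code from the original cards or from any RADIUS implementation; the hiding and revealing functions follow the RFC, while the server, user table and NAS helper are constructed to show the five-step exchange end to end. A practitioner should note what this implies: anyone who captures an Access-Request and knows (or guesses) the shared secret recovers the password offline, so the shared secret must be long and random and the RADIUS path should itself be protected.

```python
"""RADIUS User-Password hiding (RFC 2865 section 5.2) and an Access-Request round trip."""
import hashlib
import secrets
from typing import Dict


def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """NAS side: pad to 16-byte blocks, XOR each block with MD5(secret || previous block)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded or len(padded) > 128:
        raise ValueError("password must be 1..128 bytes")
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += block
        prev = block                      # chaining: next block keyed on this ciphertext
    return out


def reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Server side: regenerate the same MD5 stream, XOR again, strip the null padding
    (so trailing null bytes in a password are lost, as the RFC accepts)."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


class RadiusServer:
    """Constructed stand-in for the RADIUS server: one shared secret, one user table."""
    def __init__(self, shared_secret: bytes, users: Dict[str, bytes]):
        self.secret, self.users = shared_secret, users

    def access_request(self, user: str, hidden_pw: bytes, authenticator: bytes) -> str:
        pw = reveal_password(hidden_pw, self.secret, authenticator)
        return "Access-Accept" if self.users.get(user) == pw else "Access-Reject"


def nas_login(server: RadiusServer, shared_secret: bytes, user: str, password: bytes) -> str:
    """The RADIUS client (NAS): fresh Request Authenticator, hide the password, send."""
    ra = secrets.token_bytes(16)
    return server.access_request(user, hide_password(password, shared_secret, ra), ra)
```

A NAS configured with the wrong shared secret produces garbage on the server side and gets an Access-Reject, which is also the most common symptom seen when troubleshooting a RADIUS deployment.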
79
Q

What is SESAME?

A

The Secure European System for Applications in a Multi-vendor Environment (SESAME) project is a single sign-on technology developed to extend Kerberos functionality and improve upon its weaknesses.

SESAME uses both symmetric and asymmetric cryptographic techniques to authenticate subjects to network resources, and it issues two kinds of token: one provides authentication, as in Kerberos, and the second, the Privileged Attribute Certificate (PAC), carries the access privileges assigned to the client.

80
Q

What is an access control?

A

An access control is a security feature that controls how users and systems communicate and interact with other systems and resources.

Access controls protect the systems and resources from unauthorized access and can be components that can help determine the level of authorization after authentication has been successfully completed.

81
Q

What is emanation security and what is the threat that is involved?

A

Electrical devices emit emanations (signals) that if captured and interpreted properly can result in confidential data being disclosed.

There are two types of emanations:

  • Radiated (through the air)
  • Conducted (through wires)

TEMPEST started out as a study carried out by the DoD and then turned into a standard that outlines how to develop countermeasures that control spurious electrical signals emitted by electrical equipment.

82
Q

What are characteristics of a decentralized or distributed access control methodology?

A
  • Gives control to individuals closer to the resources, such as department managers and occasionally users.
  • Does not use one centralized entity to process access requests.
  • Peer-to-peer in design; it lacks standardization, can produce overlapping rights, and might leave security holes because of that lack of standardization.
83
Q

What are some typical biometric types that uniquely authenticate an individual’s identity?

A
  • Fingerprints
  • Retina patterns
  • Iris patterns
  • Facial characteristics
  • Palm patterns
  • Hand geometry
  • Voice print
  • Signature dynamics
84
Q

What are two basic access control models used in organizational access control methodologies?

A
  • Centralized access control
  • Decentralized access control

Centralized access control has one entity or department that is responsible for overseeing access to all corporate resources.

Decentralized access control shares or delegates responsibility for overseeing access to different departments, sites, or entities within the organization.

85
Q

List three types of anomaly-based IDS approaches.

A
  • Statistical anomaly–based
  • Protocol anomaly–based
  • Traffic anomaly–based

The statistical anomaly–based approach creates a profile of “normal” and compares activities to this profile.

The protocol anomaly–based approach identifies protocols used outside of their common bounds.

The traffic anomaly–based approach identifies unusual activity in network traffic.

Anomaly-based IDS is also called behavior or heuristic-based.

86
Q

The process of mutual authentication involves what main steps?

A

A user authenticates to a system and the system authenticates to the user.

Mutual authentication means it is happening in both directions.

87
Q

What are the three control categories, which also encompass access controls?

A
  • Administrative controls
  • Physical controls
  • Technical controls

Administrative controls include things such as policies and procedures and training.

Physical controls are things such as doors, locks, or surveillance cameras.

Technical controls are things such as software tools used to restrict access to objects.

88
Q

What are the methods to defend against emanation leakage?

A
  • TEMPEST
  • White noise
  • Control zones

TEMPEST is special shielding used on equipment to suppress the signals as they emanate from devices. TEMPEST equipment is implemented to prevent intruders from picking up information through the airwaves or cables with listening devices.

White noise uses special devices that send out a stream of frequencies that make it impossible for an attacker to distinguish the real information.

Control zones are the practice of designing facilities, walls, floors, ceilings and transmission/power wires to block or filter emanated signals from leaving the zone.

89
Q

What are the three models for access controls?

A

Mandatory

Discretionary

Nondiscretionary

In the mandatory model, the authorization of an entity’s access to an object is dependent upon labels, which indicate the subject’s clearance, and the classification or sensitivity of the object.

In the discretionary model, the entity has authority, within certain limitations, to specify what objects can be accessible to subjects.

In the nondiscretionary model, a central authority determines what entities can have access to certain objects based on the organizational security policy. The access controls might be based on the individual’s role in the organization (role-based) or the subject’s responsibilities and duties (task-based).

90
Q

Provide characteristics of a rule-based IDS.

A
  • Use of if/then rule-based programming within expert systems
  • Use of an expert system allows for artificial intelligence characteristics
  • The more complex the rules, the more demands on software and hardware processing requirements
  • Cannot detect new attacks
91
Q

What is RADIUS?

A

Remote Authentication Dial-In User Service (RADIUS) provides three services (AAA):

  • Authentication
  • Authorization
  • Accounting (auditing)

It facilitates centralized user administration and keeps all user profiles in one location that all remote services share.

92
Q

Using a passphrase is a more secure method of authentication than a password. What is a passphrase?

A

A passphrase is a sequence of characters that is longer than a password.

A passphrase is generally a sentence, or phrase, as opposed to a single word.

For example, rather than using a password such as "country," you could use a passphrase such as "asknotwhatyourcountrycandoforyou." Combined with substitution of alternate and special characters (for example, "askn0twhatyourcountryc@ndo4U"), the passphrase can be significantly more secure than a password.

You can also use the passphrase to generate a more complex password that is easier to remember. By taking just the first letter of each word from the passphrase, you can create "anwyccdfy," which is harder to guess than a dictionary word. Note that a nine-character, all-lowercase password is still within reach of offline brute force against a fast, unsalted hash, so the length and character set of the derived password matter more than how it was generated.

93
Q

What are the three main performance measures in biometrics?

A
  • False Rejection Rate (FRR)
    • Type I error
  • False Acceptance Rate (FAR)
    • Type II error
  • Crossover Error Rate (CER)

The false rejection rate (FRR) or Type I error is the percentage of valid subjects that are falsely rejected.

The false acceptance rate (FAR) or Type II error is the percentage of invalid subjects that are falsely accepted.

The crossover error rate (CER) is a measure of the overall accuracy of a biometric system. CER is the point at which the FRR is equal to the FAR. The lower the CER, the more accurate the biometric system is.
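Worked calculation of the three measures, added for this deck rather than taken from the original cards: the genuine and impostor matcher scores are constructed (higher means a closer match), the decision rule is "accept if score >= threshold", and the crossover is found by sweeping every observed score as a candidate threshold and picking the one where FRR and FAR meet.

```python
"""FRR, FAR and crossover error rate from matcher scores (constructed sample scores)."""
from typing import List, Sequence, Tuple

# Constructed similarity scores (1.0 = perfect match). Genuine = the enrolled user,
# impostor = someone else presenting against that template.
GENUINE:  Sequence[float] = (0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.60, 0.55, 0.50, 0.45)
IMPOSTOR: Sequence[float] = (0.10, 0.20, 0.30, 0.35, 0.40, 0.45, 0.50, 0.60, 0.65, 0.70)


def frr(threshold: float, genuine: Sequence[float] = GENUINE) -> float:
    """Type I error: fraction of valid users rejected (score below the threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: float, impostor: Sequence[float] = IMPOSTOR) -> float:
    """Type II error: fraction of impostors accepted (score at or above the threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_rate_table(genuine: Sequence[float] = GENUINE,
                     impostor: Sequence[float] = IMPOSTOR) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) for every candidate threshold; raising the threshold moves
    errors from Type II to Type I, which is the trade-off an operator tunes."""
    return [(t, frr(t, genuine), far(t, impostor)) for t in sorted(set(genuine) | set(impostor))]


def crossover(genuine: Sequence[float] = GENUINE,
              impostor: Sequence[float] = IMPOSTOR) -> Tuple[float, float]:
    """Threshold where FRR == FAR (closest point on a discrete sweep) and the CER there."""
    best = min(error_rate_table(genuine, impostor), key=lambda row: (abs(row[1] - row[2]), row[0]))
    return best[0], (best[1] + best[2]) / 2
```

On the constructed scores the curves cross at a threshold of 0.6 with a CER of 30 percent: three of ten genuine users are turned away and three of ten impostors get in, which is a poor sensor; a better one pushes that crossover point down, not the threshold.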

94
Q

What is user provisioning when dealing with access control in an organization?

A

User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes, as they exist in one or more systems, directories, or applications.

95
Q

One approach to minimize the complexity of authentication is single sign-on (SSO). What is single sign-on?

A

A single sign-on (SSO) system enables a user to authenticate one time and then access resources in the environment without needing to reauthenticate each time.

SSO alleviates the problem of users having to remember multiple username and password credentials and having to repeatedly authenticate.

Authentication server systems with operational modes that can implement single sign-on include:

  • Kerberos
  • SESAME
  • KryptoKnight (by IBM)
  • NetSP (a KryptoKnight derivative)

96
Q

One method to control access is to implement a clipping level. What is a clipping level as it relates to access control?

A

A clipping level is when an administrator establishes a threshold that allows a certain number of failed login attempts before an account is simply locked out.

This type of access control prevents an attacker from continuing to attempt different combinations of credentials to gain unauthorized access.
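Cards 50 and 96 describe the clipping level as a threshold on failed logons. The block below is an added example for this deck, not code from the original cards: a sliding-window detector run over constructed sshd-style log lines. The log lines, the five-failure threshold, the ten-minute window and the rule that a successful logon resets the counter are all illustrative choices; keying on account plus source address is what keeps one attacker from locking out everyone by spraying a single account from many places.

```python
"""Clipping level on failed logons, applied to constructed auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample lines in sshd style (not captured from a real host).
LOG = """\
2024-05-01T09:00:01 sshd[812]: Failed password for bob from 203.0.113.7 port 50122 ssh2
2024-05-01T09:00:03 sshd[812]: Failed password for bob from 203.0.113.7 port 50123 ssh2
2024-05-01T09:00:04 sshd[812]: Failed password for bob from 203.0.113.7 port 50124 ssh2
2024-05-01T09:00:06 sshd[812]: Failed password for bob from 203.0.113.7 port 50125 ssh2
2024-05-01T09:00:07 sshd[812]: Failed password for bob from 203.0.113.7 port 50126 ssh2
2024-05-01T09:00:09 sshd[812]: Failed password for bob from 203.0.113.7 port 50127 ssh2
2024-05-01T09:05:00 sshd[813]: Failed password for alice from 198.51.100.4 port 40001 ssh2
2024-05-01T09:30:00 sshd[814]: Failed password for alice from 198.51.100.4 port 40002 ssh2
2024-05-01T09:31:00 sshd[815]: Accepted password for alice from 198.51.100.4 port 40003 ssh2
2024-05-01T09:32:00 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                  r"for (?P<user>\S+) from (?P<ip>\S+)")


def apply_clipping_level(log: str, threshold: int = 5,
                         window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Raise one event per account@source the first time failures inside `window`
    reach `threshold`. A successful logon resets that key. Returns {key: timestamps}."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    events: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # unrelated line: skip, never crash the detector
        ts = datetime.fromisoformat(m["ts"])
        key = f"{m['user']}@{m['ip']}"
        if m["result"] == "Accepted":
            recent[key].clear()
            continue
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()                   # slide the window: old failures no longer count
        if len(q) >= threshold and key not in events:
            events[key] = [t.isoformat() for t in q]
    return events
```

Run as-is, only `bob@203.0.113.7` crosses the clipping level (five failures in eight seconds); alice's two failures sit twenty-five minutes apart, below the threshold, and the detector stays quiet, which is the "normal user mistakes do not trip the alarm" property the threshold exists for. Lowering the threshold or widening the window raises the Type I side of that trade-off.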

97
Q

What are two basic types of IDS/IPS?

A
  • Signature-based systems
  • Anomaly-based systems

Signature-based systems compare monitored network traffic against a database of known threats or suspicious behaviors to look for pattern or signature matches that indicate a potential attack.

Anomaly-based systems compare current monitored network traffic against a baseline or known-good network traffic pattern and identify anomalous patterns that might indicate suspicious activity.