Domain 5: Identity and Access Management Flashcards

Question

What does it take for a subject to be able to access a resource?

Answer 1

For a subject to be able to access a resource, it must be: * Identified * Authenticated * Authorized * Held accountable for its actions

Answer 2

* Biometrics * Password * Passphrase * Cognitive password * One-time password * Token

Answer 3

* Type I error means the system rejected an authorized individual * Type II error means an imposter was authenticated

Answer 4

A memory card cannot process information, but a smart card can through the use of integrated circuits and processors.

Answer 5

Least-privilege and need-to-know principles limit users’ rights to only what is needed to perform tasks of their job.

Answer 6

* Kerberos * Domains * Thin clients

Answer 7

* The Kerberos user receives a ticket granting ticket (TGT) * The TGT allows him to request access to resources through the ticket granting service (TGS) * The TGS generates a new ticket with the session keys

Answer 8

Keystroke monitoring is a type of auditing that tracks each keystroke made by a user.

Answer 9

Object reuse can unintentionally disclose information by assigning media to a subject before it is properly erased.

Answer 10

Just removing pointers to files (deleting file, formatting hard drive) is not always enough protection for proper object reuse.

Answer 11

* TEMPEST * White noise * Control zones

Answer 12

* By what someone knows * By what someone is * By what someone has

Answer 13

* Synchronous (time, event) * Asynchronous (challenge-based)

Answer 14

Strong authentication requires two of the three user authentication attributes: * What someone knows * What someone is * What someone has

Answer 15

* The KDC is a single point of failure * It is susceptible to password guessing * Session and secret keys are locally stored * KDC needs to always be available * There must be management of secret keys

Answer 16

Phishing is a type of social engineering with the goal of obtaining personal information, credentials, credit card numbers, or financial data.

Answer 17

A race condition is possible when two or more processes use a shared resource and the access steps could take place out of sequence.

Answer 18

Mutual authentication is when two entities must authenticate to each other before sending data back and forth. Also referred to as two-way authentication.

Answer 19

A directory service is a software component that stores, organizes, and provides access to resources, which are listed in a directory (listing) of resources. Individual resources are assigned names within a namespace.

Answer 20

A cookie is data that is held permanently on a hard drive in the format of a text file or held temporarily in memory. It can be used to store browsing habits, authentication data, or protocol state information.

Answer 21

A federated identity is a portable identity, and its associated entitlements, that can be used across business boundaries without the need to synchronize or consolidate directory information.

Answer 22

Extensible Markup Language (XML) is a set of rules for encoding documents in machine-readable form to allow for interoperability between various web-based technologies.

Answer 23

Service Provisioning Markup Language (SPML) is an XML-based framework being developed by OASIS for exchanging user, resource, and service provisioning information between cooperating organizations.

Answer 24

Extensible Access Control Markup Language (XACML), which is both a declarative access control policy language implemented in XML and a processing model, describes how to interpret security policies.

Answer 25

Replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated with the goal of obtaining unauthorized access.

Answer 26

Clipping level is a threshold value. Once a threshold value is passed, the activity is considered to be an event that is logged, investigated, or both.

Answer 27

A rainbow table is a set of precomputed hash values that represents password combinations. Rainbow tables are used in password attack processes and usually produce results more quickly than dictionary or brute-force attacks.

Answer 28

Cognitive passwords are fact-or opinion-based information used to verify an individual’s identity.

Answer 29

Smart cards can: * Require physical interaction with a reader (contact) * Require no physical interaction with the reader (contactless architectures) Two contactless architectures are: * Combi (one chip) * Hybrid (two chips)

Answer 30

A side channel attack is carried out by: * Gathering data pertaining to how something works * Using that data to attack it or crack it Examples: * Differential power analysis * Electromagnetic analysis

Answer 31

Authorization creep takes place when a user gains too much access rights and permissions over time.

Answer 32

**Security information and event management (SIEM)** implements data mining and analysis functionality to be carried out on centralized logs for situational awareness capabilities.

Answer 33

Intrusion detection systems are either: * Host based * Network based They provide either: * Behavioral (statistical) functionality * Signature (knowledge) functionality

Answer 34

* Spear-phishing: * Crafted for a specific individual * Pharming: * DNS server is poisoned and points users to a malicious website

Answer 35

A web portal is commonly made up of portlets, which are pluggable user interface software components that present information and services from other systems.

Answer 36

The Service Provisioning Markup Language (SPML) allows for: * Automation of user management * Account creation * Amendments * Revocation * Access entitlement configuration * Related to electronically published services across multiple provisioning systems.

Answer 37

The Security Assertion Markup Language (SAML) allows for the exchange of authentication and authorization data to be shared between security domains.

Answer 38

OpenID is an open standard and protocol that allows third-party authentication of a user.

Answer 39

OAuth is an open standard that allows a user to grant authority to some web resource, like a contacts database, to a third party.

Answer 40

OpenID Connect is an authentication layer built on the OAuth 2.0 protocol that allows transparent authentication and authorization of client resource requests.

Answer 41

The Simple Object Access Protocol (SOAP) is a protocol specification for exchanging structured information in the implementation of web services and networked environments.

Answer 42

Service-oriented architecture (SOA) environments allow for a suite of interoperable services to be used within multiple, separate systems from several business domains.

Answer 43

Radio-frequency identification (RFID) is a technology that provides data communication through the use of radio waves.

Answer 44

A dictionary attack is fed lists, or dictionaries, of commonly used words or combinations of characters, which it then compares against the unknown credentials to identify any matches and guess the passwords.

Answer 45

A rainbow table seeks to mitigate the limitations of dictionary or brute force attacks by precomputing every possible combination of characters in varying password lengths, and storing the hash in an indexed table. Dictionary and brute force password attacks are only marginally successful in breaking passwords. A rainbow table seeks to mitigate this by precomputing every possible combination of characters in varying password lengths and storing the hash in an indexed table. These rainbow tables can be quite large, but they reduce password cracking time by a considerable amount and, in some cases, crack passwords where other methods have failed.

Answer 46

Discretionary access control (DAC) model is implemented and enforced through the use of access control lists (ACLs), which are held in a matrix. MAC is implemented and enforced through the use of security labels.

Answer 47

* Confidentiality * Availability In confidentiality attacks, the tickets used by Kerberos, which are authentication tokens, can be sniffed and potentially cracked. In availability attacks, if an attacker targets the Kerberos KDC server, it can prevent anyone in the realm from logging in. If the KDC is brought down, no entities could communicate to each other through networking methods.

Answer 48

* Dictionary * Brute force attacks A dictionary attack runs through a predefined database of passwords, or possibly an actual dictionary, to determine if any of the words from the database are the correct password. Brute force attacks run through literally every possible character combination one at a time until the password is successfully guessed. Dictionary and brute force attacks can be combined into a hybrid attack.

Answer 49

* Something you know * Something you have * Something you are Something you know includes passwords and PINs. Both of these are susceptible to loss and social engineering. Something you have includes tokens or smartcards. These can be duplicated or the user can be social engineered to give an attacker the object. Something you are includes any form of biometrics. Common examples include fingerprint, iris print, and voice print. These items are susceptible to failure and, in some cases, duplication.

Answer 50

NIDSs have a harder time working on a switched network, compared to traditional nonswitched environments, because data is transferred through independent virtual circuits and not broadcasted, as in nonswitched environments. The IDS sensor acts as a sniffer and does not have access to all the traffic in these individual circuits. So we have to take all the data on each individual virtual private connection, make a copy of it, and put the copies of the data on one port (spanning port) where the sensor is located. This allows the sensor to have access to all the data going back and forth on a switched network.

Answer 51

* Authentication service * Ticket-granting service Authentication service issues ticket-granting tickets (TGT) that are good for admission to the ticket-granting service (TGS). Before network clients can get tickets for services, they must obtain a TGT from the authentication service.With ticket-granting service, clients receive tickets to specific target services. These tickets are used to authenticate to server services.

Answer 52

A network-based IDS monitors network communications. It cannot “see” activity going on inside the computer itself. A host-based IDS monitors activity within a particular computer system. It is installed on individual workstations and/or servers and watches for anomalous activity. An intrusion detection system (IDS) is a system or device designed to detect a security breach. IDSs come in two main types: network-based, which monitor network communications, and host-based, which can analyze the activity within a particular computer system. A network IDS (NIDS) monitors network traffic and cannot “see” the activity going on inside a computer itself. To monitor the activities within a computer system, a company would need to implement a host-based IDS. A host-based IDS (HIDS) can be installed on individual workstations and/or servers and watch for inappropriate or anomalous activity. HIDSs are usually used to make sure users do not delete system files, reconfigure important settings, or put the system at risk in any other way. So, whereas the NIDS understands and monitors the network traffic, a HIDS’s universe is limited to the computer itself. A HIDS does not understand or review network traffic, and a NIDS does not “look in” and monitor a system’s activity.

Answer 53

Only the intrusion prevention system (IPS) is capable of taking preventive or proactive action to halt suspicious activity. Whereas an intrusion prevention system (IPS) is capable of taking preventive or proactive action to halt suspicious activity, an IDS simply identifies suspicious activity and issues an alert to notify administrators or IT personnel. The traditional IDS only detects that something bad may be taking place and sends an alert. The goal of an IPS is to detect this activity and not allow the traffic to gain access to the target in the first place.

Answer 54

* The user connects to the RADIUS client. * The RADIUS client requests credentials from the user. * The user enters credentials. * The RADIUS client encrypts the credentials and passes them to the RADIUS server. * The RADIUS server accepts, rejects, or challenges the credentials.

Answer 55

The Secure European System for Applications in a Multi-vendor Environment (SESAME) project is a single sign-on technology developed to extend Kerberos functionality and improve upon its weaknesses. SESAME uses symmetric and asymmetric cryptographic techniques to authenticate subjects to network resources. One of these certificates provides authentication, as in Kerberos, and the second certificate controls the access privileges assigned to a client.

Answer 56

An access control is a security feature that controls how users and systems communicate and interact with other systems and resources. Access controls protect the systems and resources from unauthorized access and can be components that can help determine the level of authorization after authentication has been successfully completed.

Answer 57

Electrical devices emit emanations (signals) that if captured and interpreted properly can result in confidential data being disclosed. There are two types of emanations: * Radiated (through the air) * Conducted (through wires) TEMPEST started out as a study carried out by the DoD and then turned into a standard that outlines how to develop countermeasures that control spurious electrical signals emitted by electrical equipment.

Answer 58

* Gives control to individuals closer to resources, such as department managers and occasionally users. * Does not use one centralized entity to process access requests. * Peer-to-peer in design lacks standardization and overlapping rights, and might include security holes because of this lack of standardization

Answer 59

* Fingerprints * Retina patterns * Iris patterns * Facial characteristics * Palm patterns * Hand geometry * Voice print * Signature dynamics

Answer 60

* Centralized access control * Decentralized access control Centralized access control has one entity or department that is responsible for overseeing access to all corporate resources. Decentralized access control shares or delegates responsibility for overseeing access to different departments, sites, or entities within the organization.

Answer 61

* Statistical anomaly–based * Protocol anomaly–based * Traffic anomaly–based The statistical anomaly–based approach creates a profile of “normal” and compares activities to this profile. The protocol anomaly–based approach identifies protocols used outside of their common bounds. The traffic anomaly–based approach identifies unusual activity in network traffic. Anomaly-based IDS is also called behavior or heuristic-based.

Answer 62

A user authenticates to a system and the system authenticates to the user. Mutual authentication means it is happening in both directions.

Answer 63

* Administrative controls * Physical controls * Technical controls Administrative controls include things such as policies and procedures and training. Physical controls are things such as doors, locks, or surveillance cameras. Technical controls are things such as software tools used to restrict access to objects.

Answer 64

* TEMPEST * White noise * Control zones TEMPEST is special shielding used on equipment to suppress the signals as they emanate from devices. TEMPEST equipment is implemented to prevent intruders from picking up information through the airwaves or cables with listening devices. White noise uses special devices that send out a stream of frequencies that make it impossible for an attacker to distinguish the real information. Control zones are the practice of designing facilities, walls, floors, ceilings and transmission/power wires to block or filter emanated signals from leaving the zone.

Answer 65

Mandatory Discretionary Nondiscretionary In the mandatory model, the authorization of an entity’s access to an object is dependent upon labels, which indicate the subject’s clearance, and the classification or sensitivity of the object. In the discretionary model, the entity has authority, within certain limitations, to specify what objects can be accessible to subjects. In the nondiscretionary model, a central authority determines what entities can have access to certain objects based on the organizational security policy. The access controls might be based on the individual’s role in the organization (role-based) or the subject’s responsibilities and duties (task-based).

Answer 66

* Use of if/then rule-based programming within expert systems * Use of an expert system allows for artificial intelligence characteristics * The more complex the rules, the more demands on software and hardware processing requirements * Cannot detect new attacks

Answer 67

Remote Authentication and Dial-In User Service (RADIUS) * RADIUS provides three services: * Authentication * Authorization * Accounting (Auditing) It facilitates centralized user administration and keeps all user profiles in one location that all remote services share.

Answer 68

A passphrase is a sequence of characters that is longer than a password. A passphrase is generally a sentence, or phrase, as opposed to a single word. For example, rather than using a password such as “country,” you could use a passphrase such as “asknotwhatyourcountrycandoforyou.” Combined with transposition of alternate and special characters (for example, “askn0twhatyourcountryc@ndo4U”), the passphrase can be significantly more secure than a password. You can also use the passphrase to generate a more complex password that is easier to remember. By taking just the first letter of each word from the passphrase, you can create “anwyccdfy,” which would be difficult to guess or crack.

Answer 69

* False Rejection Rate (FRR) * Type I error * False Acceptance Rate (FAR) * Type II error * Crossover Error Rate (CER) The false rejection rate (FRR) or Type I error is the percentage of valid subjects that are falsely rejected. The false acceptance rate (FAR) or Type II error is the percentage of invalid subjects that are falsely accepted. The crossover error rate (CER) is a measure of the overall accuracy of a biometric system. CER is the point at which the FRR is equal to the FAR. The lower the CER, the more accurate the biometric system is.

Answer 70

User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes, as they exist in one or more systems, directories, or applications.

Answer 71

A single sign-on (SSO) system enables a user to authenticate one time and then access resources in the environment without needing to reauthenticate each time. SSO alleviates the problem of users having to remember multiple usernames and password credentials and having to repeatedly authenticate. * Kerberos * SESAME * KryptoKnight (by IBM) * NetSP (a KryptoKnight derivative) are authentication server systems with operational modes that can implement single sign-on.

Answer 72

A clipping level is when an administrator establishes a threshold that allows a certain number of failed login attempts before an account is simply locked out. This type of access control prevents an attacker from continuing to attempt different combinations of credentials to gain unauthorized access.

Answer 73

* Signature-based systems * Anomaly-based systems Signature-based systems compare monitored network traffic against a database of known threats or suspicious behaviors to look for pattern or signature matches that indicate a potential attack. Anomaly-based systems compare current monitored network traffic against a baseline or known-good network traffic pattern and identify anomalous patterns that might indicate suspicious activity.