Domain 5: Identity and Access Management (Controlling Access and Managing Identity)

Question 1

Password cracking

Answer 1

refers to an offline technique in which the attacker has gained access to the password hashes or database

Question 2

Clipping levels

Answer 2

Clipping levels can help to differentiate the attacks from noise, however they can also cause false negatives if the attackers can glean the threshold beneath which they must operate.

Question 3

A hybrid attack

Answer 3

prepends, or changes characters in words from a dictionary before hashing, to attempt the fastest crack of complex passwords

Question 4

Synchronous dynamic tokens

Answer 4

use time or counters to synchronize a displayed token code with the code expected by the authentication server: the codes are synchronized.

Question 5

False Reject Rate (FRR)

Answer 5

A false rejection occurs when an authorized subject is rejected by the biometric system as unauthorized. False rejections are also called a Type I error

Question 6

False Accept Rate (FAR)

Answer 6

A false acceptance occurs when an unauthorized subject is accepted as valid.Type II error

Question 7

SAML

Answer 7

SAML is an XML-based framework for exchanging security information, including authentication data.

Question 8

he primary weakness of Kerberos is that..

Answer 8

the KDC stores the keys of all principals

Question 9

The KDC and TGS are also

Answer 9

single points of failure:

Question 10

SESAME stands for Secure European System for Applications in a Multi-vendor Environment, a single sign-on system that supports heterogeneous environments

Answer 10

It addresses one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys.

Question 11

The Password Authentication Protocol (PAP)

Answer 11

and is referred to as being, “not a strong authentication method.

Question 12

The advantage of using CHAP over PAP

Answer 12

he additional security provided by the shared secret used during the challenge and response: a sniffer that views the entire challenge/response process will not be able to determine the shared secret.

Question 13

Discretionary Access Control (DAC)

Answer 13

gives subjects full control of objects they have created or been given access to, including sharing the objects with other subjects

Question 14

Mandatory Access Control (MAC)

Answer 14

is system-enforced access control based on a subject’s clearance and an object’s labels. Subjects and Objects have clearances and labels, respectively, such as confidential, secret, and top secret.

Question 15

Role-Based Access Control (RBAC)

Answer 15

defines how information is accessed on a system based on the role of the subject

Question 16

Task-based access control

Answer 16

non-discretionary access control model, related to RBAC. Task-based access control is based on the tasks each subject must perform, such as writing prescriptions, or restoring data from a backup tape, or opening a help desk ticket. It attempts to solve the same problem that RBAC solves, focusing on specific tasks, instead of roles.

Question 17

Content-dependent access control

Answer 17

adds additional criteria beyond identification and authentication:

Question 18

Context-dependent access control

Answer 18

applies additional context before granting access. A commonly used context is time. After identification and authentication, a help desk worker who works Monday–Friday from 9 AM to 5 PM will be granted access at noon on a Tuesday