Domain 5 - Identity and Access Management

Question 1

Centralized administration

Answer 1

one element responsible for configuring access controls. Only modified
through central administration, very strict control,

Question 2

Decentralized administration

Answer 2

access to information is controlled by owners or creators of
information, may not be consistency with regards to procedures, difficult to form system wide view of
all user access at any given time

Question 3

SSO Advantage

Answer 3

Ability to use stronger passwords, easier administration, less time to access resources.

Question 4

SSO Disadvantage

Answer 4

once a key is compromised all resources can be accessed, if Db compromised all PWs
compromised

Question 5

KERBEROS Key Type

Answer 5

Guards a network with three elements: authentication, authorization, & auditing. SYMMETRIC
KEYS
Kerberos addresses Confidentiality and integrity and authentication, not availability, can be combined
with other SSO solutions
Kerberos Is based on symmetric key cryptology (and is not a propriety control)
Time synchronization is critical, 5 minutes is bad

Question 6

Kerboros Advantages

Answer 6

Benefits: inexpensive, loads of OS’s, mature protocol. Passwords are never exchanged only hashes of passwords

Question 7

Kerboros Disadvantages

Answer 7

Disadvantage: takes time to administer, can be bottleneck or single point of failure

Question 8

The Kerberos logon process

Answer 8

• The user types a username and password into the client.
• The client encrypts the username with AES for trans. to the KDC.
• The KDC verifies the username against a database of known credentials.
• The KDC generates a symmetric key that will be used by the client and the Kerberos server. It
encrypts this with a hash of the user’s password. The KDC also generates an encrypted timestamped TGT. The KDC then ransmits the encrypted symmetric key and the encrypted timestamped TGT to the client.
• The client installs the TGT for use until it expires. The client also decrypts the symmetric key
using a hash of the user’s password.
• Then the user can use this ticket to service to use the service as
an application service

Question 9

SESAME

Answer 9

• Public Key Cryptology
• European
• Needham-Schroeder protocol

Question 10

SESAME weakness

Answer 10

only authenticates the first block and not the complete message

Question 11

Rainbow Tables

Answer 11

(tables with passwords that are already in hash format, pre-hashed PW paired with
high-speed look up functions

Question 12

Implementation Attack

Answer 12

This is a type of attack that exploits weaknesses in the Implementation of a
cryptography system. It focuses on exploiting the software code, not just errors and flaws but the
methodology employed to program the encryption system

Question 13

Statistical Attack

Answer 13

Exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the
hardware or operating system hosting the cryptography application.

Question 14

HAVAL

Answer 14

Hash of Variable Length (HAVAL) is a modification of MD5. HAVAL uses 1,024-bit
blocks and produces hash values of 128, 160, 192, 224, and 256 bits. Not a encryption
algorithm

Question 15

Synchronous (TIME BASED) dynamic

Answer 15

Uses time or a counter between the token and the

authentication server, secure-ID is an example

Question 16

Asynchronous (NOT TIME BASED)

Answer 16

Server sends a nonce (random value) This goes into token device, encrypts and delivers a one-time password, with an added PIN its strong authentication

Question 17

Challenge/response token

Answer 17

Generates response on a system/workstation provided challenge; synchronous – timing, asynchronous - challenge

Question 18

SAML (SOAP)

Answer 18

To exchange authentication and authorization data between security domains.
SAML 2.0 enables web-based to include SSO.
Most used federated SSO
XML Signature – use digital signatures for authentication and message integrity based on XML
signature standard.
Relies on XML Schema

Question 19

SAML Roles

Answer 19

Principal (user)
• Identity provider (IdP)
• Service provider (SP)

Question 20

Identity as a Service

Answer 20

Is a third-party service that provides
identity and access management, Effectively provides SSO for the cloud and is especially useful when
internal clients access cloud-based Software as a Service (SaaS) applications.
• Ability to provision identities held by the service to target applications
• Access includes user authentication, SSO, authorization enforcement
• Log events , auditing
• Federation - sharing identity and authentication behind the scenes (like booking flight →
booking hotel without re authenticating) by using a federate identity so used across business
boundaries
• SSO
• Access Management enforces RULES!

Question 21

Access Control Matrix

Answer 21

An access control matrix is a table that includes subjects, objects, and
assigned privileges. When a subject attempts an action, the system checks the access control matrix to
determine if the subject has the appropriate privileges to perform the action

Question 22

Capability Tables

Answer 22

They are different from ACLs in that a capability table is focused on subjects
(such as users, groups, or roles). For example, a capability table created for the accounting role will
include a list of all objects that the accounting role can access and will include the specific privileges
assigned to the accounting role for these objects

Question 23

ACL focus

Answer 23

ACLs are object focused and identify access granted to subjects for any specific object.

Question 24

Capability table focus

Answer 24

Capability tables are subject focused and identify the objects that subjects can access.

Question 25

Permissions

Answer 25

Refer to the access granted for an object and determine what you can do with it. If you
have read permission for a file, you’ll be able to open it and read it. You can grant user permissions to
create, read, edit, or delete a file on a file server. Similarly, you can grant user access rights to a file, so
in this context, access rights and permissions are synonymous

Question 26

Rights

Answer 26

Refers to the ability to take an action on an object. For example, a user might have the right to
modify the system time on a computer or the right to restore backed-up data. This is a subtle distinction
and not always stressed. You’ll rarely see the right to take action on a system referred to as a
permission.

Question 27

Privileges

Answer 27

Are the combination of rights and permissions. For example, an administrator for a
computer will have full privileges, granting the administrator full rights and permissions on the
computer. The administrator will be able to perform any actions and access any data on the computer.

Question 28

Constrained Interface Applications

Answer 28

(restricted interfaces) to restrict what users can do or see based on their privileges. Applications constrain the interface using different methods. A common method is
to hide the capability if the user doesn’t have permissions to use it. Other times, the application
displays the menu item but shows it dimmed or disabled.

Question 29

Content-Dependent

Answer 29

Internal data of each field, data stored by a field, restrict access to data based
on the content within an object. A database view is a content-dependent control. A view retrieves
specific columns from one or more tables, creating a virtual table.

Question 30

Context-Dependent

Answer 30

Require specific activity before granting users access. For example, it’s possible
to restrict access to computers and applications based on the current day and/or time. If users attempt
to access the resource outside of the allowed time, the system denies them access.

Question 31

Service Provisioning Markup Language, or SPML

Answer 31

An XML-based language designed to allow

platforms to generate and respond to provisioning requests

Question 32

Nmap tool

Answer 32

One of the most common tools used to perform both IP probes and port scans. IP probes
are extremely prevalent on the Internet today. Indeed, if you configure a system with a public IP
address and connect it to the Internet, you’ll probably receive at least one IP probe within hours of
booting up. The widespread use of this technique makes a strong case for disabling ping functionality,
at least for users external to a network. Default settings miss @64 K ports
When nmap scans a system, it identifies the current state of each network port on the system. For ports
where nmap detects a result, it provides the current status of that port:

Question 33

Nmap Open

Answer 33

The port is open on the remote system and there is an application that is actively
accepting connections on that port.

Question 34

Nmap Closed

Answer 34

The port is accessible on the remote system, meaning that the firewall is allowing
access, but there is no application accepting connections on that port.

Question 35

Filtered Nmap

Answer 35

Is unable to determine whether a port is open or closed because a firewall is
interfering with the connection attempt