Domain 5 - Identity and Access Management Flashcards

1
Q

Centralized administration

A

A single administrative element is responsible for configuring access controls. Access is modified only through that central authority, which gives very strict and consistent control but makes that authority a bottleneck and a single point of administrative failure.

2
Q

Decentralized administration

A

Access to information is controlled by the owners or creators of that information. Procedures may not be consistent across the organization, and it is difficult to form a system-wide view of all user access at any given time.

3
Q

SSO Advantage

A

Users remember only one credential, so stronger passwords become practical; administration is easier (one account to provision and revoke); users spend less time authenticating to reach resources.

4
Q

SSO Disadvantage

A

Once the single credential is compromised, every resource it unlocks can be accessed (the "keys to the kingdom" problem); if the central credential database is compromised, all passwords are exposed at once.

5
Q

KERBEROS Key Type

A

Named after Cerberus, the three-headed dog: three parties take part in every logon, the client, the Key Distribution Center (KDC, which runs the Authentication Service and the Ticket-Granting Service), and the application server. Kerberos is an authentication protocol; authorization and auditing are still performed by the service and the operating system. SYMMETRIC KEYS.
Kerberos addresses confidentiality, integrity, and authentication, not availability (the KDC is a single point of failure); it can be combined with other SSO solutions.
Kerberos is based on symmetric-key cryptography and is an open standard (RFC 4120), not a proprietary control.
Time synchronization is critical: tickets and authenticators carry timestamps, and the default tolerance for clock skew is 5 minutes, so a clock that is off by more than that causes logons to fail.

6
Q

Kerberos Advantages

A

Benefits: inexpensive (open standard with free implementations), supported by many operating systems, mature protocol. The password itself is never sent across the network: the client proves knowledge of it by decrypting material that the KDC encrypted with a key derived from the password.

7
Q

Kerberos Disadvantages

A

Disadvantages: takes time to administer; the KDC can be a bottleneck or a single point of failure; all participants need synchronized clocks.

8
Q

The Kerberos logon process

A

• The user types a username and password into the client.
• The client sends the username to the KDC's Authentication Service (AS-REQ). The username travels in the clear; with pre-authentication (the default in modern KDCs) the request also carries a timestamp encrypted with a key derived from the user's password.
• The KDC verifies the principal against its database of known credentials and, with pre-authentication, checks that the timestamp decrypts correctly and falls within the allowed clock skew.
• The KDC generates a session key for use between the client and the Ticket-Granting Service (TGS) and encrypts it with the key derived from the user's password. It also generates a timestamped Ticket-Granting Ticket (TGT), encrypted with the TGS's own key so the client can carry it but not read or alter it. The KDC transmits both to the client (AS-REP).
• The client caches the TGT for use until it expires and decrypts the session key with the key derived from the user's password. The password never leaves the client.
• To use a service, the client presents the TGT (with an authenticator encrypted under the session key) to the TGS and receives a service ticket, then presents that service ticket to the application server, which validates it with its own key.
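
The first half of that exchange (AS-REQ with pre-authentication, AS-REP with the sealed session key and TGT), as an added toy model written for this page; it is not Kerberos code and not from any KDC implementation. The principal names, realm, password and clock values are constructed, the encryption routine is a stand-in (HMAC-SHA256 keystream plus tag) for a real Kerberos enctype, and the use of SHA-256 inside the string-to-key derivation is an assumption; what it does show faithfully is that the password never crosses the wire, that a wrong password fails at pre-authentication, and that a clock more than 5 minutes out is rejected.

```python
import hashlib
import hmac
import os
import time

MAX_CLOCK_SKEW = 300  # seconds: the 5-minute default tolerance that makes clock sync critical


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    # Kerberos AES enctypes derive the long-term key from the password with PBKDF2,
    # salted with realm + principal (RFC 3962). 4096 iterations is the RFC default;
    # SHA-256 as the PRF is an assumption of this toy model.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Constructed encrypt-then-MAC stand-in for a Kerberos enctype (NOT AES-CTS)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Authentication Service side of the AS exchange. Error names mirror RFC 4120."""

    def __init__(self, realm: str):
        self.realm = realm
        self.db = {}                   # principal -> long-term key; no passwords stored
        self.tgs_key = os.urandom(32)  # key of the Ticket-Granting Service

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = string_to_key(password, self.realm, name)

    def as_exchange(self, principal: str, preauth: bytes, now: float):
        user_key = self.db.get(principal)
        if user_key is None:
            raise PermissionError("KDC_ERR_C_PRINCIPAL_UNKNOWN")
        try:  # PA-ENC-TIMESTAMP: only the key derived from the right password opens it
            client_time = int(toy_decrypt(user_key, preauth).decode())
        except ValueError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        if abs(now - client_time) > MAX_CLOCK_SKEW:
            raise PermissionError("KRB_AP_ERR_SKEW")
        session_key = os.urandom(32)
        # TGT is sealed under the TGS key: the client carries it but cannot read it
        tgt = toy_encrypt(self.tgs_key, f"{principal}|{int(now)}|".encode() + session_key)
        # Session key sealed under the user's key: knowing the password is what
        # lets the client recover it, and the password itself never went anywhere
        return toy_encrypt(user_key, session_key), tgt


def client_logon(kdc: KDC, principal: str, password: str,
                 client_now: float = None, kdc_now: float = None):
    """Client side: build AS-REQ with pre-authentication, then open the AS-REP.
    kdc_now stands in for the KDC's own clock so that skew can be demonstrated."""
    client_now = time.time() if client_now is None else client_now
    kdc_now = time.time() if kdc_now is None else kdc_now
    user_key = string_to_key(password, kdc.realm, principal)
    preauth = toy_encrypt(user_key, str(int(client_now)).encode())
    enc_part, tgt = kdc.as_exchange(principal, preauth, now=kdc_now)
    session_key = toy_decrypt(user_key, enc_part)  # cached with the TGT until expiry
    return session_key, tgt


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")                                   # constructed realm
    kdc.add_principal("alice", "correct horse battery staple")  # constructed principal
    sk, tgt = client_logon(kdc, "alice", "correct horse battery staple")
    print("session key obtained; TGT is", len(tgt), "bytes the client cannot read")
```

The two failure paths are the ones worth remembering for the exam and for troubleshooting: a bad password surfaces as a pre-authentication failure, and a skewed clock surfaces as a skew error even though the password is right.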

9
Q

SESAME

A
  • Secure European System for Applications in a Multi-vendor Environment; an extension of Kerberos
  • Public-key cryptography (adds asymmetric keys and Privileged Attribute Certificates to the symmetric Kerberos model)
  • European
  • Needham-Schroeder protocol

10
Q

SESAME weakness

A

Only authenticates the first block of a message, not the complete message, so later blocks are not protected against tampering.

11
Q

Rainbow Tables

A

Tables of precomputed password hashes (passwords and their hashes organized into hash chains) paired with high-speed lookup, so an attacker who obtains a hash can reverse it without computing hashes at crack time. Defeated by per-user salts, which make the precomputation useless, and by slow, memory-hard password hashing.
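
A miniature rainbow table, added here as an illustration written for this page (not any cracking tool's format): 4-digit PINs hashed with unsalted SHA-256, chains of ten hash/reduce steps, a lookup that walks a captured hash to a chain endpoint and regenerates the chain, and then the same lookup failing against a salted hash. The reduction function and chain parameters are constructed choices.

```python
import hashlib

KEYSPACE = 10_000     # PINs 0000-9999
CHAIN_LEN = 10        # hash -> reduce steps per chain
NUM_CHAINS = 2_000    # start points; the table stores only endpoint -> start points


def h(pin: str) -> str:
    """The unsalted hash the table is built for."""
    return hashlib.sha256(pin.encode()).hexdigest()


def reduce_(digest: str, step: int) -> str:
    """Map a hash back into the PIN keyspace. Using a different function per
    step is what makes this a rainbow table: chains that collide at one
    position no longer merge for the rest of their length."""
    return "%04d" % ((int(digest[:12], 16) + step) % KEYSPACE)


def build_table() -> dict:
    """Precomputation: only (endpoint, start) pairs are kept, not every hash."""
    table = {}
    for i in range(NUM_CHAINS):
        start = "%04d" % ((i * 5) % KEYSPACE)
        x = start
        for step in range(CHAIN_LEN):
            x = reduce_(h(x), step)
        table.setdefault(x, []).append(start)  # keep every start that ends here
    return table


def lookup(table: dict, target: str):
    """Crack time: recover the PIN whose unsalted hash is `target`, if any chain
    covers it. Coverage is probabilistic; uncovered hashes return None."""
    for pos in range(CHAIN_LEN):           # guess which chain position held target
        x = reduce_(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            x = reduce_(h(x), step)        # walk the rest of the way to an endpoint
        for start in table.get(x, []):
            y = start                      # regenerate the chain and confirm
            for step in range(CHAIN_LEN):
                if h(y) == target:
                    return y
                y = reduce_(h(y), step)
    return None


def salted(pin: str, salt: str) -> str:
    """A per-user salt changes the function, so the precomputed table is useless."""
    return hashlib.sha256((salt + pin).encode()).hexdigest()


if __name__ == "__main__":
    table = build_table()
    print("chains stored:", len(table), "; cracked 0005 ->", lookup(table, h("0005")))
    print("salted lookup ->", lookup(table, salted("0005", "per-user-salt")))  # constructed salt
```

The table holds at most 2,000 entries for a 10,000-PIN keyspace, which is the time/memory trade-off the attack is built on; a real table does the same over a far larger keyspace with much longer chains.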

12
Q

Implementation Attack

A

An attack that exploits weaknesses in the implementation of a cryptographic system rather than in the algorithm. It targets the software: not only coding errors and flaws but also the methodology used to program the encryption system (key handling, padding, error messages, timing).

13
Q

Statistical Attack

A

Exploits statistical weaknesses in a cryptosystem, such as floating-point errors or an inability to produce truly random numbers. Statistical attacks look for a vulnerability in the hardware or operating system hosting the cryptographic application, for example a weak random number generator.

14
Q

HAVAL

A

Hash of Variable Length (HAVAL) is an MD5-style hash function. HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, 224, or 256 bits. It is a hash, not an encryption algorithm.

15
Q

Synchronous (TIME BASED) dynamic

A

Uses time or a counter shared between the token and the authentication server; both sides compute the same one-time value independently, so the two must stay synchronized. RSA SecurID is an example (time-based TOTP and counter-based HOTP are the open-standard forms).

16
Q

Asynchronous (NOT TIME BASED)

A

The server sends a nonce (random challenge). The user enters it into the token device, which encrypts or hashes it with its secret and displays the result as a one-time password. With an added PIN (something you know plus something you have) this is strong, two-factor authentication.

17
Q

Challenge/response token

A

Generates a response to a challenge provided by the system or workstation. Synchronous tokens are driven by timing (or a counter); asynchronous tokens are driven by the challenge.
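
The three token types above in working code, added for this page (not vendor or SecurID code). HOTP (RFC 4226, counter-synchronous) and TOTP (RFC 6238, time-synchronous) are implemented as the RFCs specify and are checked against the RFCs' published test vectors; the challenge/response variant reuses the same HMAC truncation on a server nonce and is a constructed illustration rather than any vendor's protocol. The verification window shows why clock drift matters for synchronous tokens.

```python
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # shared secret from the RFC 4226 / 6238 test vectors


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at an offset chosen by the last nibble."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based (event-synchronous) token value."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based token value: the moving factor is the 30-second step number."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float, window: int = 1, step: int = 30) -> bool:
    """Server-side check. Accepting `window` adjacent steps tolerates small clock
    drift between token and server; larger drift still fails, which is why
    synchronous tokens need resynchronisation. Widening the window weakens the control."""
    t = int(at // step)
    return any(hmac.compare_digest(hotp(secret, t + d, len(code)), code)
               for d in range(-window, window + 1))


def challenge_response(secret: bytes, nonce: bytes, digits: int = 6) -> str:
    """Asynchronous token: the server-supplied nonce, not a clock or counter, is
    the moving factor. Constructed illustration using the same truncation."""
    return _truncate(hmac.new(secret, nonce, hashlib.sha1).digest(), digits)


def verify_challenge(secret: bytes, nonce: bytes, response: str, pin_ok: bool) -> bool:
    """Token response plus a PIN check: something you have and something you know."""
    return pin_ok and hmac.compare_digest(challenge_response(secret, nonce), response)


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))       # 755224 per RFC 4226
    print("TOTP now:      ", totp(RFC_TEST_SECRET, time.time()))
```

The 6-digit TOTP at 59 seconds equals the 6-digit HOTP for counter 1 because TOTP is HOTP with the step number as the counter; that identity is useful when debugging a token that "never matches".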

18
Q

SAML (SOAP)

A

An XML-based standard for exchanging authentication and authorization data (assertions) between security domains.
SAML 2.0 enables web-based, cross-domain SSO.
The most widely used federated SSO standard.
XML Signature: uses digital signatures for authentication and message integrity based on the XML Signature standard.
Relies on XML Schema. Messages are carried over bindings such as SOAP and HTTP Redirect/POST.

19
Q

SAML Roles

A

• Principal (user)
• Identity provider (IdP)
• Service provider (SP)

20
Q

Identity as a Service

A

A third-party service that provides identity and access management. It effectively provides SSO for the cloud and is especially useful when
internal clients access cloud-based Software as a Service (SaaS) applications.
• Ability to provision identities held by the service to target applications
• Access includes user authentication, SSO, and authorization enforcement
• Logging of events and auditing
• Federation: sharing identity and authentication behind the scenes (like booking a flight and then
booking a hotel without re-authenticating) by using a federated identity that works across business
boundaries
• SSO
• Access Management enforces RULES!

21
Q

Access Control Matrix

A

An access control matrix is a table that includes subjects, objects, and
assigned privileges. When a subject attempts an action, the system checks the access control matrix to
determine if the subject has the appropriate privileges to perform the action

22
Q

Capability Tables

A

They are different from ACLs in that a capability table is focused on subjects
(such as users, groups, or roles). For example, a capability table created for the accounting role will
include a list of all objects that the accounting role can access and will include the specific privileges
assigned to the accounting role for these objects

23
Q

ACL focus

A

ACLs are object focused and identify access granted to subjects for any specific object.

24
Q

Capability table focus

A

Capability tables are subject focused and identify the objects that subjects can access.

25
Q

Permissions

A

Refer to the access granted for an object and determine what you can do with it. If you
have read permission for a file, you’ll be able to open it and read it. You can grant user permissions to
create, read, edit, or delete a file on a file server. Similarly, you can grant user access rights to a file, so
in this context, access rights and permissions are synonymous

26
Q

Rights

A

Refers to the ability to take an action on an object. For example, a user might have the right to
modify the system time on a computer or the right to restore backed-up data. This is a subtle distinction
and not always stressed. You’ll rarely see the right to take action on a system referred to as a
permission.

27
Q

Privileges

A

Are the combination of rights and permissions. For example, an administrator for a
computer will have full privileges, granting the administrator full rights and permissions on the
computer. The administrator will be able to perform any actions and access any data on the computer.

28
Q

Constrained Interface Applications

A

Applications use constrained (restricted) interfaces to limit what users can do or see based on their privileges. Applications constrain the interface in different ways. A common method is
to hide the capability if the user doesn't have permission to use it. Other times, the application
displays the menu item but shows it dimmed or disabled.

29
Q

Content-Dependent

A

Based on the internal data of each field (the data stored by a field): restricts access to data based
on the content within an object. A database view is a content-dependent control. A view retrieves
specific columns from one or more tables, creating a virtual table, so users granted the view never see the columns it omits.

30
Q

Context-Dependent

A

Requires a specific condition or activity before granting users access. For example, it is possible
to restrict access to computers and applications based on the current day and/or time. If users attempt
to access the resource outside of the allowed time, the system denies them access.
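
Both controls side by side, as an added example written for this page using an in-memory SQLite database (constructed table, rows, roles and hours; not from any product): a view that strips the salary column is the content-dependent control, and an hours-of-day check on the same request is the context-dependent one.

```python
import sqlite3
from datetime import datetime


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: an employee table and a view over part of it."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE employees(id INTEGER PRIMARY KEY, name TEXT, phone TEXT, salary INTEGER);
        INSERT INTO employees(name, phone, salary)
            VALUES ('Ada', '555-0100', 120000), ('Grace', '555-0101', 135000);
        -- Content-dependent control: the view is a virtual table built from
        -- selected columns, so salary is not reachable through it at all.
        CREATE VIEW directory AS SELECT name, phone FROM employees;
    """)
    return con


# Constructed policy: which objects each role may read ...
ALLOWED_OBJECTS = {"directory_user": {"directory"}, "hr": {"employees", "directory"}}
# ... and (context-dependent control) during which hours of the day.
ALLOWED_HOURS = {"directory_user": range(8, 18), "hr": range(0, 24)}


def query(con: sqlite3.Connection, role: str, obj: str, hour: int):
    """Return (column names, rows) if `role` may read `obj` at the given hour.
    `hour` would normally come from the clock; it is a parameter so the
    out-of-hours denial can be exercised deterministically."""
    if hour not in ALLOWED_HOURS[role]:
        raise PermissionError(f"{role} may not access data at {hour:02d}:00")
    if obj not in ALLOWED_OBJECTS[role]:
        raise PermissionError(f"{role} may not read {obj}")
    # obj has just been validated against the allowlist, so interpolating it is safe here
    cur = con.execute(f"SELECT * FROM {obj}")
    return [d[0] for d in cur.description], cur.fetchall()


if __name__ == "__main__":
    con = setup_db()
    print(query(con, "directory_user", "directory", datetime.now().hour))
```

Note the order of the checks: the time-of-day rule is evaluated before the object rule, so an out-of-hours request is refused without revealing whether the object even exists.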

31
Q

Service Provisioning Markup Language, or SPML

A

An XML-based language designed to allow platforms to generate and respond to provisioning requests.

32
Q

Nmap tool

A

One of the most common tools used to perform both IP probes and port scans. IP probes
are extremely prevalent on the Internet today. Indeed, if you configure a system with a public IP
address and connect it to the Internet, you'll probably receive at least one IP probe within hours of
booting up. The widespread use of this technique makes a strong case for disabling ping responses,
at least for users external to a network. By default nmap scans only the 1,000 most common TCP ports, so most of the 65,535 ports are not checked unless you ask for them (for example with -p-).
When nmap scans a system, it identifies the current state of each network port on the system. For ports
where nmap detects a result, it reports one of the following states:

33
Q

Nmap Open

A

The port is open on the remote system and there is an application that is actively
accepting connections on that port.

34
Q

Nmap Closed

A

The port is accessible on the remote system, meaning that the firewall is allowing
access, but there is no application accepting connections on that port.

35
Q

Nmap Filtered

A

Nmap is unable to determine whether the port is open or closed because a firewall or other packet filter is
interfering with the connection attempt: either the probe gets no reply at all or an ICMP unreachable error comes back.
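
How a connect() scan arrives at those three verdicts, as an added example written for this page (it is not nmap's code): a full handshake means open, a TCP reset means closed, and silence or an ICMP unreachable error means filtered. The listener and the unused port are constructed on the loopback interface so the open and closed cases can be exercised offline; the filtered case needs a real packet filter in the path and is only classified here.

```python
import errno
import socket


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way a connect() scan does."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"          # handshake completed: a listener accepted the SYN
    except ConnectionRefusedError:
        return "closed"        # RST came back: host reachable, nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"      # no reply within the timeout: something dropped the probe
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"  # ICMP unreachable: nmap reports this as filtered too
        raise
    finally:
        s.close()


def scan(host: str, ports) -> dict:
    """Probe several ports and return {port: state}."""
    return {p: probe(host, p) for p in ports}


def open_listener():
    """Constructed target: a listening socket on an ephemeral loopback port.
    The kernel completes handshakes into the backlog, so no accept() is needed."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def unused_port() -> int:
    """Constructed target: a port nothing listens on (bind, read it back, release)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, listening = open_listener()
    print(scan("127.0.0.1", [listening, unused_port()]))
    srv.close()
```

The timeout is what separates closed from filtered in practice: a host that answers with RST is classified instantly, while a dropped probe costs the full timeout, which is why scans through a firewall that silently drops traffic run so much slower.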