Domain 5 -- Identity and Access Management Flashcards

1
Q

What is a subject?

A
  • A subject is an active entity that requests access to an object or the data within an object
  • Can be user, program or process that accesses an object to accomplish a task
2
Q

What is an object?

A
  • An object is a passive entity that contains information or needed functionality
  • Can be a computer, database, file, computer program, directory or a field contained in a table in a database
3
Q

What is Identification?

A

Identification describes a method by which a subject (user, program or process) claims to have a specific identity (user name, account number or email address)

4
Q

What is authentication?

A

Authentication is the process by which a system verifies the identity of the subject, usually by requiring a piece of information that only the claimed identity should have

5
Q

A user identification and authentication information together combine to create ________________.

A

credentials

6
Q

What is meant by a race condition with respect to Identity and Access Management?

A

If authentication and authorization are split into 2 functions, it’s possible that the authorization will occur before the user is authenticated.

7
Q

What are the three “somethings” (authentication factor types)?

A
  1. Type 1: Something a person knows
  2. Type 2: Something a person has
  3. Type 3: Something a person is
8
Q

Creating or issuing secure identities should include which 3 aspects?

A
  • Uniqueness
    • must uniquely identify a person
  • Non-descriptive
    • Don’t use IDs like Administrator or backup_operator
  • Issuance
    • Provided by another authority
      • Example is an ID card
9
Q

It is important to authenticate not only users, but also __________.

A

systems

10
Q

What are 4 Identification Component Requirements?

A
  • Each value should be unique
  • A standard naming scheme should be followed
  • The value should be nondescriptive of the user’s position or tasks
  • The value should not be shared between users
11
Q

What are the 3 things that MAC can stand for in the CISSP exam?

A
  1. Media Access Control (MAC Address)
  2. Mandatory Access Control
  3. Message Authentication Code
12
Q

What are the rules for a database directory based on the X.500 standard?

A
  • The directory has a tree structure to organize entries using parent-child configuration
  • Each entry has a unique name made up of attributes of a specific object
  • The attributes used in the directory are dictated by the defined schema
  • The unique identifiers are called distinguished names
13
Q

Are cookies always stored on disk?

A

No.

Some cookies are permanent and remain on the user’s hard disk

Other cookies, such as those issued by a bank to allow a user to perform online banking, should only be held in memory

14
Q

Web Access Management Products are typically used for ___________ users and Credential Management products are typically used for __________ users

A

external

internal

15
Q

What’s the difference between password synchronization and SSO?

A
  • With password synchronization, the tool takes the user’s password and then updates all the applications he uses with this password. The user must still log in separately to each application
  • SSO means that the SSO software intercepts the user ID/password dialog and fills it in for the user. The user only needs to log in once.
16
Q

What are the downsides of SSO?

A
  • It’s expensive
  • It can take a long time to implement
  • All user credentials are stored in one place. If an attacker broke in, then they would have everything.
17
Q

What are the two categories of biometrics?

A
  1. Physiological - what you are
    • fingerprints
    • retina scans
  2. Behavioral - what you do
    • signature dynamics
18
Q

What is the Crossover Error Rate (CER) as it relates to biometric authentication systems?

A

It’s the point at which the percentage of false positives and false negatives are equal.

19
Q

What are some of the biometrics that can be used to identify a user?

A
  • Fingerprint
  • Palm scan
  • Hand geometry
  • Retina scan
  • Iris scan
  • Signature dynamics
  • Keystroke dynamics
  • Voice print
  • Facial scan
  • Hand topography
20
Q

What are six ways an attacker can try to steal passwords?

A
  1. electronic monitoring
  2. access password file
  3. brute force attacks
  4. dictionary attacks
  5. social engineering
  6. rainbow table
21
Q

What are some of the common methods of authentication via “something you know?”

A
  • PIN
  • Password
  • Passphrase
  • Cognitive password (favorite color)
  • personal history info
  • CAPTCHA
22
Q

What’s the key difference between synchronous and asynchronous token devices?

A

Synchronous tokens depend on using time or a counter as a core piece of the authentication process

Asynchronous tokens depend on a nonce – a random value sent by the authentication server. The user enters the nonce into the token device, which encrypts it and gives the user an OTP, which the user sends to the auth server along with userid/pw.
If the auth server can decrypt the value and it matches what was sent earlier, the user is authenticated.

23
Q

What are some of the cryptographic methods that are used in authenticating a user?

A
  • Digital Signature (private key that is used to encrypt a hash value)
  • Passphrase – StickWithMeKidAndYouWillWearDiamonds
    • The application converts the passphrase into a virtual passphrase that might be 128 bytes long.
    • The virtual password is what is actually used for authentication on the wire
24
Q

What’s the difference between a memory card and a smart card?

A
  • A memory card can only hold information, but not process information
  • A smart card can both hold and process information
25
Q

If an attacker steals someone’s smart card, can they do a lot of damage with it?

A

Not really, because the attacker would need the user’s PIN before the smart card would work.

26
Q

What are the two types of smart cards?

A
  1. contact – which require physical contact with the reader to work
  2. contactless – which use an antenna on the chip to receive power from the reader to work.
27
Q

What’s the difference between a fault generation attack and a side channel attack on a smart card?

A

Fault generation is where you attempt to introduce an error in the smart card, using higher voltages or some other means to intentionally cause a fault, and then look for clues to reverse engineer the device

Side channel attacks observe how the card works under various circumstances to find clues to use in reverse engineering (e.g. differential power analysis).

28
Q

What is authorization creep?

A

Over time employees move from one department to another and accumulate more access rights than they actually need any more.

29
Q

What are the main components of Kerberos?

A
  • Key Distribution Center (KDC)
    • holds all users’ and services’ secret keys
    • provides authentication and key distribution service
    • Principals are users and services
  • Kerberos authentication process
30
Q

What is the difference between a secret key and a session key in Kerberos?

A
  • Secret key is shared between the Key Distribution Center (KDC) and the principal and is static in nature
  • A session key is shared between two principals and is generated when needed and destroyed when the session has completed
31
Q

Kerberos is an example of a ____________ technology.

A

Single Sign On (SSO)

32
Q

What are the weaknesses of Kerberos?

A
  • The Key Distribution Center (KDC) can be a SPOF (redundancy needed)
  • KDC must be scalable
  • Secret Keys are stored on user workstations, which means that it’s possible for users to obtain the cryptographic keys
  • Session keys are decrypted and reside on user workstations (either in cache or in a session key table). They can be captured by attackers
  • KDC is susceptible to password guessing. The KDC does not know if a dictionary attack is taking place
  • Network traffic is not protected by Kerberos if encryption is not enabled
  • If keys are too short, they are vulnerable to brute force attacks
  • Kerberos requires client and server clocks to be synchronized
33
Q

What is a countermeasure to Kerberos’ lack of protection against dictionary attacks?

A

The operating system can limit the number of password attempts a user can make.

34
Q

What are 4 single sign-on technologies?

A
  • Kerberos
  • Security Domains
  • Directory Services
  • Thin Clients
35
Q

What are system-level events that can be audited and logged?

A
  • System performance
  • Logon attempts (successful and unsuccessful)
  • Logon ID
  • Date and time of each logon attempt
  • Lockouts of users and terminals
  • Use of admin utilities
  • Devices used
  • Functions performed
  • Requests to alter config files
36
Q

What are Application-level events that can be audited and logged?

A
  • Error messages
  • Files opened and closed
  • Modification of files
  • Security violations within applications
37
Q

What are user-level events that can be audited and logged?

A
  • Identification and authentication attempts
  • Files, services, and resources used
  • Commands initiated
  • Security violations
38
Q

What is a Security Information and Event Management (SIEM) system?

A
  • Products that gather logs from various devices
    • servers
    • firewalls
    • routers
    • etc.
  • They attempt to analyze and correlate data
39
Q

What are three common triggers for session termination?

A
  1. Timeout
  2. Inactivity
  3. Anomaly
40
Q

What is a federated identity?

A

A federated identity is a portable identity that can be used across business boundaries

41
Q

What is Service Provisioning Markup Language (SPML)?

A
  • It’s based on XML
  • It is used for the exchange of provisioning data between applications, which could reside in one organization or many
  • It allows for the automation of user management
  • Allows for integration and interoperation of service provisioning requests across various platforms
42
Q

What does the Security Assertion Markup Language (SAML) do?

A

SAML is used to allow a user to log in one time and gain access to different and separate web-based applications.

SAML is an XML standard

43
Q

Transmission of SAML data frequently takes place using this protocol.

A

SOAP – Simple Object Access Protocol

44
Q

What does XACML stand for and what does it do?

A

XACML - stands for eXtensible Access Control Markup Language

It is used to express security policies and access rights to assets provided through web services and other enterprise applications

45
Q

What is OpenID? and what are the 3 roles it defines?

A

It is an open standard for user authentication by third parties

The three roles are:

  • End user
  • Relying party – the server that owns the resource that the end user is trying to access
  • OpenID provider (e.g. Google)
46
Q

What is OAuth and what does it do?

A
  • OAuth is an open standard for authorization (not authentication) to third parties
  • It gives the user the ability to allow a website to access a third party
    • For example, a user could give LinkedIn the ability to access Google to get all of his contacts, to see who he knows and can connect with on LinkedIn
47
Q

What is OpenID Connect?

A
  • OpenID Connect is an authentication layer built on the OAuth 2.0 protocol
  • It allows transparent authentication and authorization of client resource requests
  • Usually used to allow a web app to authenticate an end user using a third-party IdP
48
Q

What are the five main types of access control models?

A
  1. Discretionary
  2. Mandatory
  3. Role Based
  4. Rule based
  5. Attribute based
49
Q

How does Discretionary Access Control work?

A
  • Discretionary access control enables a user (the object’s owner) to decide which subjects will have access to the object.
    • If a user creates a file, for example, he can decide who else can have access to it
  • Windows, Linux and macOS are DAC-based
  • DACs can be implemented at the file or directory tree level
50
Q

How does Mandatory Access Control work?

A
  • A user basically has no rights
  • Most users have never used such a system
  • Used to protect top-secret information
  • Security labels are attached to all objects
  • Exam tip – MAC systems are considered non-discretionary
  • MAC systems enforce Need to Know rules
51
Q

How does a MAC-based system decide whether a subject can access an object?

A
  • The system compares the subject’s clearance and need-to-know level with the object’s security label
52
Q

What’s the main idea of Role-Based Access Control?

A
  • A Role-based access control (RBAC) model uses a centrally administered set of controls to determine how subjects and objects interact
53
Q

What is Core RBAC?

A

Core RBAC

  • Has many to many relationships among individual users and privileges
  • Uses a session as a mapping between a user and a subset of assigned roles
  • Accommodates traditional but robust group-based access control
54
Q

What is Hierarchical RBAC?

A

Hierarchical RBAC:

  • Uses role relations in defining user membership and privilege inheritance
    • Example: nurse can access a set of files
    • Technician can access another set of files
    • Doctor role can inherit the access rights of the Nurse and technician roles
  • Reflects organizational structures and functional delineations
  • Supports two types of hierarchies:
    • Limited hierarchies (Role 1 inherits from Role 2 and no other role)
    • General hierarchies (allows many levels of hierarchies)
55
Q

What is rule-based access control?

A

Rule-based access control uses specific rules that indicate what can and cannot happen between a subject and an object

  • Usually built on top of Role Based Access Control (RBAC)
  • Commonly called RB-RBAC (Rule based RBAC)
  • Provides a way to define specific and detailed situations in which a subject can or cannot access an object
56
Q

How does an Attribute-Based Access Control system work and what are some examples:

A

ABAC uses attributes of any part of a system to define allowable access. It gives the most granularity: Examples:

  • Subjects: Clearance, position title, department, years with company, training certification, member of project team, location
  • Objects: Classification, files related to a particular project, HR records, location, security system component
  • Actions - Review, Approve, comment, archive, configure, restart
  • Context - Time of Day, Project status (opened/closed), fiscal year, ongoing audit
57
Q

What are the 3 main types of constrained user interfaces?

A
  1. Menus and shells
    • Limited menu options
    • restricted shells in UNIX
  2. Database Views
    • different views of the data presented according to the user’s privileges
  3. Physically constrained interfaces
    • The only buttons that work for you are things like:
      • Withdraw
      • View balance
      • Deposit
58
Q

What does RADIUS mean and what does it provide?

A
  • RADIUS stands for Remote Authentication Dial-In User Service
    • Network protocol based on client server model
    • provides for authentication, authorization and audits
    • Most ISPs use RADIUS
    • Open Protocol
59
Q

What does TACACS mean and what does it do?

A
  • TACACS stands for Terminal Access Controller Access Control System
  • Very similar to RADIUS
  • It improves upon RADIUS by encrypting username, accounting and authorized services between client and server
  • Where RADIUS uses UDP, TACACS uses TCP
60
Q

What is Diameter and how does it work?

A
  • DIAMETER is an improvement upon RADIUS
  • Whereas RADIUS and TACACS+ are client/server, DIAMETER is peer-based
  • DIAMETER provides AAA functionality
61
Q

What is an Access Control Matrix?

A

An Access Control Matrix is a table of subjects and objects indicating what actions individual subjects can take upon individual objects

62
Q

What is a Capability table and how is it different from an Access Control table?

A

A Capability Table specifies the access rights a certain subject possesses pertaining to specific objects

It’s different from an ACL (a column in the matrix) because the subject is bound to the capability table, whereas the object is bound to the ACL

See Figure 5-23.

63
Q

What is an Access Control List (ACL)?

A

An ACL is a list of subjects that are authorized to access a specific object, and it defines what level of authorization is granted.

A capability corresponds to a row in the access control matrix

An ACL corresponds to a column in the access control matrix

64
Q

What is Content-Dependent Access Control?

A

The access to an object is determined by the contents of that object

Example: email filters that look for terms like “Confidential”, social security numbers, or “Top Secret”

It’s also done to control web surfing

65
Q

What is Context dependent Access Control and how is it different from Content Dependent Access Control?

A
  • Context Dependent Access Control makes access decisions based on the context of a collection of information, rather than on the sensitivity of the data.
  • Example is a Stateful firewall.
    • TCP requires SYN, then SYN/ACK, then ACK
    • It won’t allow packets through that are not following the sequence
  • Another example is the sequence of the data that is being accessed.
    • The military mission
    • The location
    • Then stop the information about weapons shipments, because the combined information revealed in context would require a higher level of security clearance
  • Idea is to keep track of the context of what the user is doing in order to not allow them to piece together the bigger picture
66
Q

What are some of the scenarios that should be reviewed for user access?

A
  • Extended vacation or sabbatical
  • Hospitalization
  • Long-term disability
  • Investigation for possible wrong-doing
  • Unexpected disappearance
67
Q

Give examples of Administrative Access Controls.

A
  • Policy and procedures
  • Personnel controls
  • Supervisory structure
  • Security-awareness training
  • Testing
68
Q

Give examples of Physical Access Controls.

A
  • Network segregation
  • Perimeter security - physical access to facilities
  • Computer controls
  • Work area separation
  • data backups
  • Cabling
  • Control Zone – different zones of a building for different purposes
69
Q

Give examples of Technical Access Controls.

A
  • System access
  • Network architecture
  • Network Access
  • Encryption and protocols
  • Auditing
70
Q

What’s the danger with object reuse?

A
  • Object Reuse – where a hard drive has residual data and it is not wiped clean before reuse. Likewise with software objects
71
Q

What is Emanation Security? How is it related to TEMPEST? And what are the countermeasures to ensure emanation security

A
  • Emanation Security is about electrical devices emanating signals which could hold important information
  • TEMPEST was a study by the DoD which then turned into a standard outlining countermeasures to control spurious electrical signals emanating from electrical equipment
    • e.g. a Faraday cage made of metal to limit the amount of radiation released
    • Mostly for military equipment
  • Countermeasures
    • White noise - makes it hard to distinguish the important stuff
    • Control Zone - e.g. put materials in the walls to contain electrical signals
72
Q

What is an Intrusion Detection System (IDS) and what are the two main types?

A
  • Intrusion Detection is the process of detecting an unauthorized use of, or attack upon, a computer, network or telecommunication infrastructure.
  • Three main components – sensors, analyzers, admin interfaces
  • Two types:
    • Network based (NIDS) - Monitor network communications
      • looks at all network traffic (not only for itself) and sends it for analysis
    • Host based (HIDS) - monitor activity within an individual system
      • Usually only installed on critical servers
73
Q

What are the 3 different types of IDS’s and what are their key characteristics?

A
  • Signature-based
    • Pattern matching like antivirus software
    • signatures must be continuously updated
    • Cannot identify new attacks
    • Two types – Pattern Matching and Stateful Matching
  • Anomaly based
    • Behavioral-based system that learns the “normal” activities of an environment
    • Can detect new attacks
    • Three types – Statistical anomaly based, protocol anomaly based, traffic anomaly based
  • Rule-based
    • If/Then rules
    • Use of expert systems for artificial intelligence characteristics
    • Cannot detect new attacks
74
Q

What’s the difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System?

A
  • An IDS only detects something bad may be taking place and sends an alert
  • An IPS has the goal of not only detecting that something is going wrong, but also doing something about it, like killing a connection
  • An IDS is detective, after-the-fact technology
  • An IPS is preventive, proactive technology
75
Q

What’s a honeypot and why would you use one?

A
  • It’s a sacrificial lamb on the network.
  • Not locked down
  • ports are opened and services are enabled
  • Contains no real data
  • Must ride the line between enticement – Leaving ports open to entice a bad guy
  • Vs. Entrapment – having a web page that allows for downloading files and then charging them with trespassing. Entrapment is illegal
  • Always check with legal counsel before setting up a honeypot.
76
Q

What is a network sniffer and what’s another name for one?

A
  • A sniffer is a tool that can capture network traffic. It must have access to a NIC in promiscuous mode
  • Another name for a sniffer is protocol analyzer
77
Q

What is the proper sequence of the basic components and activities in a web access control process?

A
  1. User sends in credentials to web server
  2. Web server validates user’s credentials
  3. User requests access to object
  4. Web server verifies the request with security policy to determine if user is allowed to do it.
78
Q

What are the four steps of a buffer overflow attack?

A
  1. Remote user connects to system
  2. User sends data to application (data exceeds the buffer allocated for the empty variable)
  3. Data is executed and overwrites the buffer and possibly other memory segments
  4. Malicious code of the attacker’s choosing executes
79
Q

What are the four main steps of authentication using OpenID?

A
  1. The user’s agent (usually a web browser) requests the protected resource from the relying party
  2. The relying party connects to the OpenID provider and creates a shared secret for the transaction
  3. The server then redirects the user agent to the OpenID provider for authentication
  4. Upon authentication by the provider, the user agent receives a redirect (containing an authentication token, also known as an OpenID) to the relying party. The token contains a field signed with the shared secret, so the relying party is assured that the user is authenticated.
80
Q

What are the 5 steps of the OpenID Connect (OIDC) model?

A
  1. User Request
  2. Relying party redirect to OpenID provider
  3. User authenticates
  4. User is granted consent
  5. OpenID provider redirects to Relying party with user info
81
Q

How does Kerberos work?

A
82
Q

What is SESAME?

A

Secure European System for Applications in a Multivendor Environment (SESAME) is actually a technology built upon the Kerberos foundation. However, SESAME provides different capabilities and uses public key cryptography. SESAME differs from Kerberos in that it uses PACs for authentication instead of the Kerberos ticket exchange methodology.

83
Q

Intrusion detection systems (IDSs) are complex tools with many components. Each component serves a specific purpose. Which component actually initiates an alarm or activity when the system detects a violation?

A

Response box

84
Q

How does a virtual directory play a role within an identity management system?

A

It has the same role and can be used instead of a meta-directory.

85
Q

Which model implements access control matrices to control how subjects interact with objects?

A

Discretionary Access Control (DAC)

DAC is implemented and enforced through the use of access control lists (ACLs), which are held in a matrix. MAC is implemented and enforced through the use of security labels.

86
Q

What is the best reason to select a rule-based access control system?

A

It allows for access decisions to be based on complex situations

87
Q

Is there any interoperability between TACACS/XTACACS and TACACS+ ?

A

There is no interoperability between them. They are two totally different protocols.

88
Q

What is an AAA Protocol?

A

An AAA protocol supports:

  • Authentication
  • Authorization
  • Auditing.

Examples are Diameter, RADIUS, TACACS+

89
Q

Know how to answer LDAP questions such as this:

A

Each distinguished name (DN) in an LDAP directory represents a collection of attributes about a specific object, and is stored in the directory as an entry. DNs are composed of Common Name (CN) components which describe the object, and Domain Components (DC) which describe the domain in which the object resides. Which of the following makes the most sense when constructing a DN?

A. dc=Shon Harris,cn=LogicalSecurity,dc=com.

B. cn=Shon Harris,dc=LogicalSecurity,cn=com.

C. cn=Shon Harris,cn=LogicalSecurity,dc=com.

D. cn=Shon Harris,dc=LogicalSecurity,dc=com

90
Q

What’s the main reason for using Role Based Access Control (RBAC)?

A

It is difficult to assign each and every user the exact level of access

91
Q

Most Kerberos implementations use an authenticator. What is an authenticator and what is its purpose?

A

Principal identification and a time stamp encrypted with a shared session key. It is used to authenticate the requesting principal and is a countermeasure against replay attacks.

92
Q

Is a Token device a form of identification?

A

No

Token devices are authenticating devices that are used in combination with an identification component, such as a user name.

93
Q

Know:

  • False Acceptance Rate
  • False Rejection Rate
  • Type I Error
  • Type II Error
A

The False Rejection Rate is the proportion of authorized users who were improperly rejected, and the False Acceptance Rate is a Type II error.

94
Q

What is a key benefit of the DIAMETER protocol?

A

Up until the conception of Diameter, the IETF had individual working groups that defined how Voice over IP (VoIP), Fax over IP (FoIP), Mobile IP, and remote authentication protocols work. Defining and implementing them individually in any network can easily end up in too much confusion and interoperability trouble. It requires customers to roll out and configure several different policy servers and increases the cost with each new added service. With Diameter all of these services can be authenticated over the same authentication architecture.

95
Q

Describe the high-level flow with RADIUS.

A

User is a client to the access server and the access server is a client to the RADIUS server. Communication cannot go directly from the user to the RADIUS server.

96
Q

What are Type 1 and Type 2 errors when it comes to biometric systems?

A

A Type 1 Error is a FRR (False Rejection Rate)

A Type 2 Error is related to FAR (False Acceptance Rate)

97
Q

What is Web Access Management?

A

Web access management (WAM) software controls what users can access when using a web browser to interact with web-based enterprise assets. This type of technology is continually becoming more robust and experiencing increased deployment. This is because of the increased use of e-commerce, online banking, content providing, web services, and more.

98
Q

What is the difference between the two?

A
99
Q

A digital identity is made up of attributes, entitlements, and traits. Which of the following has the incorrect mapping when considering these identity characteristics?

A

Attributes = department, role in company, shift time, clearance, etc.

Entitlements = resources available to user, authoritative rights in the company

Traits = biometric information, height, sex

100
Q

With respect to a NIDS, what is one type of traffic that it CANNOT monitor?

A

Encrypted traffic

101
Q
A