Domain 5: Identity and Access Management

Question 1

What is Access?

Answer 1

Flow of information between a subject and an object

Question 2

What is an Access Control?

Answer 2

It is a security feature that controls how subjects and objects communicate and interact with other systems and resources.

Question 3

What is Object?

Answer 3

Passive entity that contains information (computer, database, file, program) that is accessed by a subject.

Question 4

Centralised administration: Approaches to Administration

Answer 4

One element responsible for configuring access controls. Only modified through central administration, very strict control.

Question 5

Decentralised administration: Approaches to Administration

Answer 5

Access to information is controlled by owners or creators of information. There may be a lack of consistency with regards to procedures, as it is difficult to form a system wide view of all user access at any given time

Question 6

Hybrid: Approaches to Administration

Answer 6

Centralised control is exercised for some infomation and decentralised for other information

Question 7

IAAA

Answer 7

Four key principles upon which access control relies:

1. Identification
2. Authentication
3. Authorisation
4. Accountability

Question 8

Explain the principle of Identification/Assertion

Answer 8

This is about ensuring a subject is who he says he is. It binds a user to the appropriate controls based on the unique user instance. This may also include Registration which is about verifying an individual’s identity and adds a unique idenfier to an identity system.

Question 9

Explain the principle of Authentication

Answer 9

Process of verifying the user where the user provides private data and establishes trust between the user and the system for the allocation of privileges.

Question 10

Explain the principle of Authorisation

Answer 10

Checks the resources user is allowed to access. These resources must be defined and monitored.

Question 11

Explain the principle of Accountability

Answer 11

Who was responsible for an action? Logging is the best way to provide accountability, where change log for approved changes and change management process is captured.

Question 12

Relationship between Identity, Authentication, and Authorisation

Answer 12

• Identification provides uniquness
• Authentication provides validity
• Authorsiation provides control

Question 13

Logical Access Controls

Answer 13

Tools used to administer IAAA

Question 14

MAC Address

Answer 14

48 bit number, supposed to be globally unique, however, can be spoofed by software and no longer acts as a strong ID or authentication.

Question 15

SSO

Answer 15

Single Sign On. It is also referred to as Reduced Sign On or federated ID management.

Question 16

SSO Advantages

Answer 16

Ability to use stronger passwords, easier administration, and less time to access resources

Question 17

SSO Disadvantages

Answer 17

Once a key is compromised, all resources can be accessed. Similarly, if DB is compromised all PWs are compromised. A thin client is also a SSO approach.

Question 18

Kerberos

Answer 18

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using symmetric keys. Additionally, it addresses confidentiality, integrity, and authentication.

Question 19

Benefits of Kerberos

Answer 19

Inexpensive, supported by a number of OS’s and is a mature protocol

Question 20

Disadvantages of Kerberos

Answer 20

Takes time to administer, can be bottleneck or single point of failure

Question 21

What is ‘Realm’?

Answer 21

Indicates an authentication administrative domain. Its intention is to establish the boundaries within which an authentication server has the authority to authenticate a user, host, or service. Uses symmetric Key cryptography.

Question 22

KDC

Answer 22

The Key Distribution Centre grants tickets to client for specific servers. It knows all secret keys of all clients and servers from the network, TGS and AS. However, acts as a single point of failure.

Question 23

AS

Answer 23

Authentication Server

Question 24

TGS

Answer 24

Ticket Granting Server

Question 25

Explain the Kerberos logon process

Answer 25

1. The user types a username and password into the client
2. The client encrypts the username with AES for transfer to the KDC.
3. The KDC verifies the username against a database of known credentials.
4. The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user’s password. The KDC also generates an encrypted time stamped TGT to the client.
5. The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user’s password.
6. Finally, the user can use this ticket to access to the desired service.

Question 26

SESAME

Answer 26

Is a public key cryptology based authentication protocol. Its weakness is that it only authenticates first block and not the complete message. SESAME uses one ticket for authentication, while the other ticket is used for access privileges. This works with Privileged Attribute Certificates (PACS) and can use both symmetric and asymmetric encryption.

Question 27

Logon scripting

Answer 27

Uses scripts to authenticate users

Question 28

Directory service

Answer 28

A centralised database that includes information about subjects and objects. Hierarchical naming scheme, active directory has sophisticated security resources (group policy, user rights accounts, DNS services.

Question 29

Type 1: Single Factor Authentication

Answer 29

Authentication factor is something you know, for example, password, PIN or passphrase

Question 30

Type 2: Multi Factor Authentication

Answer 30

Something you have, such as physical devices that a user can use to provide authentication. Examples include smartcard, hardware token, smartcard, memory card, or USB drive.

Question 31

Type 3: Multi Factor Authentication

Answer 31

Something you are, or something you do. It is a physical characteristic of a person identified with different types of biometrics, such as fingerprint or iris scans.

Question 32

Type 1: Single Factor Authentication Examples

Answer 32

Passwords. A user can chose their own password, however, generally a longer password is a safer one.

Question 33

Salting

Answer 33

A unique value is added to the end of the password to create a different hash value. This adds a layer of security to the hashing process, specifically against brute force attacks.

Question 34

One Time Passwords

Answer 34

Can be one solution to increase security for type 1

Question 35

Passphrase

Answer 35

Easiest to remember. This is converted to a virtual password by the system.

Question 36

Cognitive password

Answer 36

Easy to remember like your mother’s maiden name

Question 37

Hacking

Answer 37

Unauthorised access to password file

Question 38

Brute force attack

Answer 38

Trying many different characters. This is an exhaustive attack

Question 39

Dictionary attack

Answer 39

Trying common words in the dictionary

Question 40

Social Engineering

Answer 40

Spoofing your identity to someone

Question 41

Rainbow tables

Answer 41

Tables with passwords that are already in has formt, pre-hashed PW’s paired with high-speed look up functions

Question 42

Implementation attack

Answer 42

This is a type of attack that exploits weaknesses in the implementation of a cryptography system. It focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system.

Question 43

Statistical Attack

Answer 43

Exploits statistical weaknesses in a cryptosystem, such as floating point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the hardware or OS hosting the cryptography application.

Question 44

Password checker and password hacker

Answer 44

Both programs that can find passwords (checker to see if its compliant, hackers to use it by the hacker).

Question 45

Nonce

Answer 45

A number or bit string used only once, in security engineering

Question 46

Type 2: Authentication Examples

Answer 46

Such as key, swipe card, access card, badge, and tokens

Question 47

Static Password Token

Answer 47

Owner authenticates to token, token authenticates to the information system

Question 48

Synchronous (Time Based) Dynamic

Answer 48

Uses time or a counter between the token and the authentication server. Secure ID RSA keys are an example.

Question 49

Asynchronous (Not Time Based) OTP Generation

Answer 49

Server sends a nonce (random value). This goes into the token device, encrypts and delivers a OTP, with an added PIN.

Question 50

Challange/response token

Answer 50

Generates response on a system/workstation provided challenge; synchronous - timing, asynchronous - challenge.

Question 51

Type 3: Authentication Examples

Answer 51

Biometrics, such as fingerprints.

Question 52

Type 1: Biometric Errors

Answer 52

False Rejection Rate (FRR)

Question 53

Type 2: Biometric Error

Answer 53

False Acceptance Rate (FAR)

Question 54

Crossover Error Rate (CER)

Answer 54

Where FRR = FAR. The lower the CER, the more accurate the system.

Question 55

Fingerprint biometric

Answer 55

Made up of ridge engings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae.

Question 56

Retina Scans

Answer 56

Scans the blood-vesel pattern of the retina on the backside of the eyeball. Can show medical conditions, however, is the most accurate

Question 57

Iris Scans

Answer 57

Scans the coloured portion of the eye that surrounds the pupil

Question 58

Facial Scans

Answer 58

Takes attributes and characteristics like bone structure, nose ridges, eye widths, forehead sies, and chin shapes into account.

Question 59

Palm Scans

Answer 59

The palm has creases, ridges and grooves throughout it that are unique to a specific person. Appropriate by itself as a Type 3 authenicator.

Question 60

Hand Geometry

Answer 60

The shape of a person’s hand (the length and width of the hand and fingers) measures hand geometry.

Question 61

Voice Print

Answer 61

Distinguishing the differences in people’s speech sounds and patterns.

Question 62

Signature Dynamics

Answer 62

Electrical signals of speed and time that can be captured when a person writes a signature

Question 63

Keyboard Dynamics

Answer 63

Captures the electrical signals when a person types a certain phrase

Question 64

Hand Topology

Answer 64

Looks at size and width of an individual’s hand and fingers

Question 65

SAML

Answer 65

Security Assertion Markup Language is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider.

Question 66

SAML 2 and its roles

Answer 66

SAML 2 enables web based applications to include SSO. Roles include:

• Principal (user)
• Identity Provider (IdP)
• Service Provider (SP)

Question 67

XML Signature

Answer 67

Uses digital signature for authentication and message integrity based on XML signature standard.

Question 68

IDaaS

Answer 68

Identity as a Service, is a third party service that provides identity and access managment. Effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based Software as a Service (SaaS) applications. Allows provision of identities held by the service to target applications

Question 69

Cloud Identity

Answer 69

Users are created and managed by an online system, such as Office 365

Question 70

Directory Synchronisation

Answer 70

Users are created and managed in an on premises identity provider

Question 71

Federated Identity

Answer 71

An arrangement that can be made between multiple enterprises to let subscribers use the same identification data to obtain access to the networks of all the enterprises in the group. The use of such a system is sometimes called identity federation.

Question 72

What is an Object

Answer 72

Passive entity that provides information to active subjects.

Question 73

What is a Subject

Answer 73

Active entity that accesses a passive object

Question 74

Four Main types of access control techniques

Answer 74

1. Discretionary Access Control (DAC)
2. Mandatory Access Control (MAC)
3. Role Based Access Control (role BAC)
4. Rule Based Access Control (rule-BAC)

Question 75

RADIUS

Answer 75

Typically used for wireless networks, modems, and network devices.

Question 76

OAuth

Answer 76

An open standard for access delegation, commonly used as a way for Internet users to grant websites or applications access to their information on other websites but without giving them the passwords.

Question 77

Role BAC

Answer 77

Task based access controls define a subject’s ability to access an object based on the subject’s role or assigned tasks, is often implemented using groups, form of nondiscretionary. Types of RBAC include, Hybrid RBAC, and Limited RBAC.

Question 78

Rule BAC

Answer 78

Based on rules within an ACL, uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. It includes granting a subject access to an object, or granting the subject the ability to perform an action. A distinctive characteristic about rule BAC models is that they have global rules that apply to all subjects.

Question 79

Rule BAC Example

Answer 79

A firewall, which includes a set of rules or filters within an ACL, defined by an administrator. The firewall examines all the traffic going through it and only allows traffic that meets one of the rules.

Question 80

Mandatory Access Control (BELL Model)

Answer 80

Latice based. Label all objects and subjects. Authorisation depends on security labels which indicate clearance and classification of objects. Access provided on a needs to know basis.

Question 81

Non-discretionary access control / Mandatory

Answer 81

A central authority determines what subjects have access based on policies. Role based / task based. Also lattice base can be applied

Question 82

Discretionary Access Control - Graham Denning

Answer 82

Allows the owner, creator, or data custodian of an object to control and define access to that object. DAC is implemented using ACLS on objects. Identity based access control is a subset of DAC. DAC is not centrally managed as the permissions of a file can be changed at the object level.

Question 83

Implicit Deny

Answer 83

Basic principle that most authorisation mechanisms use it. The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.

Question 84

Access Control Matrix

Answer 84

A table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action.

Question 85

Capability Tables

Answer 85

They are different from ACLs in that a capability table is focused on subjects (such as users, groups, or roles). For example, a capability table created for the accounting role will include a list of all objects that the accounting role can access and will include the specific privileges assigned to the role for these objects.

Question 86

Difference between ACL and Capability Table

Answer 86

Difference is in focus. ACL are object focused and identify access granted to subjects for any specific object. While capability tables are subject focused and identify the objects that subjects can access.

Question 87

Permissions

Answer 87

Refer to the access granted for an object and determine what you can do with it. If you have read permission for a file, you’ll be able to open it and read it. You can grant user permissions to create, read, edit, or delete a file on a file server. Similarly, you can grant user access rights to a file, so in this context, access rights and permissions are synonymous.

Question 88

Rights

Answer 88

Refers to the ability to take an action on an object. For example, a user might have the right to modify the system time on a computer or the right to restore backed-up data. This is a subtle distintion and not always stressed. You’ll rarely see the right to take action on a system referred to as a permission.

Question 89

Privileges

Answer 89

Are the combination of rights and permissions. For example, an administrator for a computer will have full privileges, granting the administrator full rights and permissions on the computer. The administrator will be able to perform any actions and access any data on the computer.

Question 90

Constrained Interface Applications

Answer 90

This restricts what users can do or see based on their privileges. Applications constrain the interface using different methods. A common method is to hide the capability if the user doesn’t have permissions to use it. Other times, the application displays the menu item but shows it dimmed or disabled.

Question 91

Content-Dependent

Answer 91

Internal data of each field, data stored by a field, restrict access to data based on the content within an object. A database view is a content-dependent control. A view retrieves specific columns from one or more tables, creating a virtual table.

Question 92

Work Hours

Answer 92

Context-dependent control (such as 9-5)

Question 93

Need to Know

Answer 93

Ensures that subjects are granted access only to what they need to know for their work tasks and job functions. Subjects may have clearance to access classified or restricted data but are not granted authorisation to the data unless they actually need it to perform a job.

Question 94

Least Privilege

Answer 94

Ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that least privilege will also include rights to take action on a system.

Question 95

Seperation of Duties and Responsibilities

Answer 95

Ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and blanaces.

Question 96

Reconnaissance

Answer 96

Allows an attacker to find weak points to target directly with their attack code. Automated tools are used to assist in this process.

Question 97

IP Probes

Answer 97

First type of network reconnaissance carried out against a targeted network. Each address in a range is pinged with all responses logged. Addresses that do not produce a response are assumed to be unused and are ignored.

Question 98

Nmap Tool

Answer 98

One of the most common tools used to perform both IP probes and port scans.

Question 99

Three states of network ports

Answer 99

1. Open: Port is open on system and application is actively receiving connections.
2. Closed. The port is accessible, meaning firewall is allowing access, but there is no application accepting connections on that port.
3. Filtered Nmap: Unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt.

Question 100

Port Scans Results

Answer 100

Once identifying open ports, they identify public services running on each machine, for example, port 80 is used for web servers.

Question 101

Vulnerability Scans

Answer 101

Probe targeted systems to locate security flaws

Question 102

Service Provisioning Markup Language (SPML)

Answer 102

XML based language designed to allow platforms to generate and respond to provisioning requests.

Question 103

SOAP

Answer 103

Simple Object Access Protocol is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.