Domain 5: Identity and Access Management 13%

Question 1

Access Control

Answer 1

who do we give access and what do we give them access to. Spans all layers of our def DID model

Question 2

IAAA (ID, Authn, Auth, Acct)

Answer 2

Access Management

Question 3

Identification

Answer 3

your username, ID #, Employee #, SSN

Question 4

Authentication

Answer 4

Should always be with MFA (multi-fac authen)

Question 5

Type 1 Authentication

Answer 5

Something you know- pwd, pass phrase, PIN etc, also called Knowledge factors.

Question 6

Type 2 Authentication

Answer 6

Something you have- ID, Passport, Smart Card, Token, cookie on PC

Question 7

Type 3 Authentication

Answer 7

Something you are- Biometrics: fingerprint, Iris scan, facial geometry etc

Question 8

Type 4 Authentication

Answer 8

Somewhere you are- IP/MAC address

Question 9

Type 5 Authentication

Answer 9

Something you do- signature, pattern unlock

Question 10

MFA (multi-fac authen)

Answer 10

requires authn from 2 or more categories (Types)

Question 11

Type 1 Brute Force attacks

Answer 11

Uses the entire key space (every possible key), with enough time any plaintext can be decrypted.

Question 12

Type 1 Dictionary attacks

Answer 12

based on a pre-arranged listing, often dictionary words.

Question 13

Type 1 Rainbow tables attacks

Answer 13

Pre-made list of plaintext and matching ciphertext.

Question 14

Type 1 Salt (salting)

Answer 14

random data that is used as an additional input to a one-way function that hashes a password or passphrase.

Question 15

Type 1 Nonce

Answer 15

arbitary # that may only be used once.

Question 16

Type 1 Clipping levels

Answer 16

are in place to prevent administrative overhead.

Question 17

Type 2 Single-use pwd

Answer 17

Something you have.

Question 18

Type 2 Smart Cards

Answer 18

They contain a compu circuit using an integrated circuit chip. Some are contact cards others are contactless cards.

Question 19

Type 2 Token HOTP

Answer 19

(HMAC-based 1-time pwd) shared secret and incremental counter, generate code when asked, valid till used.

Question 20

Type 2 TOTP

Answer 20

(Time-based 1-time pwd) Time based shared secret, often gener every 30/60sec

Question 21

Type 3

Answer 21

False accept means allowing unauth people to access a resource. Falso reject means denying a ligitamit user access to a resource.

Question 22

Type 3 FRR (False rejection rate) Type 1 error

Answer 22

authorized users are rejected

Question 23

Type 3 FAR (False accept rate) Type 2 error

Answer 23

Unauthorized user is granted access.

Question 24

Type 3 CER (Crossover Error Rate)

Answer 24

Where FRR and FAR meet on the graph. We want this.

Question 25

If it is Confidentiality we are concerned with

Answer 25

we would most likey go with Mandatory Access Ctrl

Question 26

If it is Availability we are concerned with

Answer 26

Discretionary Access Ctrl

Question 27

If it is Interity we are concerned with

Answer 27

Role based Access Ctrl or Attribute Based Access Ctrl

Question 28

DAC (Discretionary Acc Ctrl)

Answer 28

access to an object is assigned at the discretion of the object owner. Commonly used by OS’. Uses DACL’s (Discretionary ACL) based on user id.

Question 29

MAC (Mandatory Acc Ctrl)

Answer 29

Acc to an obj is determined by labels and clearance, this is often used in the milit or in orgs where confidentiality is very important. Labels: Objects have labels assigned to them Clearance: Subjects have Clearance assigned to them.

Question 30

RBAC (Role Based Acc Ctrl)

Answer 30

Policy neutral access cntrl mechanism defined around roles and privileges. The most common used form of acc control.

Question 31

ABAC (Attribute Based Acc Ctrl)

Answer 31

Acc to objects is granted based on subjects, objects AND enviro conditions.

Question 32

Context-based acc ctrl

Answer 32

acc to an obj is ctrld based on certain contextual parameters, such as location, time, sequence of responses, access history.

Question 33

Content-based acc ctrl

Answer 33

acc is provided based on the att or content of an obj, . EG hiding or showing menus in an app depending on user.

Question 34

Accountability (often referred to as auditing)

Answer 34

trace an action to a subjects id. Proves who performed given action, it provides non-repudiation. Uses audit trails and logs, to associate a subject with its actions.

Question 35

Hybrid Acc Cntrl Sys

Answer 35

Controlled centralized, but the access lists for that location are pushed daily/hourly to a local server, local admins have no access.

Question 36

Identity and access provisioning

Answer 36

We can have multiple identities per entity and each identitiy can have multiple attributes.

Question 37

FIDM (Federated Identity Management)

Answer 37

having a common set of policies, practices and protocols in place to manage the id and trust into IT users and devices across organizations.

Question 38

FIDM technologies

Answer 38

SAML, OAuth, OpenID, Security Tokens, Microsoft Azure Cloud Services, Windows ID Foundation

Question 39

SSO (single sign-on) is a subset of FIDM

Answer 39

it only uses authentication and tech interoperability. Users use single sign-on for multiple systems. Often deployed in orgs where users have access to 10+ systems, and they think its too burdensome to remember all those passwords.

Question 40

SAML (Security Assertion Markup Language)

Answer 40

An XML-based, open stndard data format for exchanging authn and aurthorization data between parties. **The single most important req that SAML addresses is web browser SSO.

Question 41

Super sign-on

Answer 41

One login can allow you to access many sys and sites. If an account is compromised an attacker can often access multiple other sites or sys.

Question 42

IDaaS (Identity as a Service)

Answer 42

Identity and access management that is built, hosted and managed by a third-party service provider. Native cloud-based IDaaS solu can provide SSO func through the Cloud, Fed ID Management for Access Governance, Pwd Management. Hybrid IAM sol from vendors like MS and Amazon provide cld-based directories that link with on-premises IAM systems.

Question 43

Authentication protocols

Answer 43

it is the most important layer of protection needed for secure communication btw networks.

Question 44

Kerberos

Answer 44

works on basis of tickets to allow nodes comm over a non-secure network to prove their Id to each other. Named after 3 headed guard dog of Hades. Based on client-svr mdl and provides mutual authn. Messages are protected agnst eavesdropping and replay attacks. Builds on symmetric keys and requires a trusted third party, can optionally use PKI. Uses UDP 88 by default, used in AD from Win 100 and onwards, many Unix OS’. Pros: Easy for end users, centrailized ctrl and easy to admin. Cons: Single pof, access to everything with single pwd.

Question 45

SESAME (Secure Euro Sys for App in a Multivendor Enviroment)

Answer 45

often called the successor to KERBEROS. It uses PKI encryp(asymmetric). Not widely used, because Kerberos is already included in most OS’.

Question 46

RADIUS (Remote Authn Dial-in User Service)

Answer 46

provides centralized Authn, Author, and Accounting management for users who cxn and use a ntwk srvc. Widely used by ISP’s and large orgs to manage acc to IP ntwks, AP’s, VPN’s, servers, 802.1x. Runs in App layer, can use TCP or UDP as transport. Network access servers, the gateways to control access to a network, usually contain a RADIUS client component that communicates with the RADIUS server. Use UDP ports 1812 for authn and 1813 for acct can use TCP as the transport layer with TLS for security.

Question 47

Diameter

Answer 47

was intended to replace RADIUS, not never really happened because it is not backwards compt with RADIUS. Switches and AP’s implement RADIUS, but not Diameter. Uses SCTP/TCP.

Question 48

TACACS

Answer 48

Centralized acc cntrl sys requiring users to send an ID and reusable (vulnerable pwd for authn. Uses TCP/UDP port 49. It has been replaced by TACACS+ and RADIUS

Question 49

TACACS+

Answer 49

Provides better pwd protection by using 2 factor authn. Not backwards compat w/TACACS. Uses TCp 49 for authn with srvr. Simliar to RADIUS, but RADIUS only encrypts the pwd. TACACS+ encrypts the entire data package.

Question 50

PAP (Password Authn Protocol)

Answer 50

No longer used because not secure. Credentials are sent over the network in plain text.

Question 51

CHAP (Challenge-Handshake Authn Protocol)

Answer 51

Provides protect against reply attacks by the peer through the use of an incrementally changing identifier and of a variable challenge-value. Requires the client and server know the plaintext of a shared secret, but it is never sent over the network. Used by PPP srvrs to validate the remote clients. Periodically verifies the id of the client by using a 3-way handshake. Vul because it stores plaintext passwords of each client, if an attacker gains access to the srvr they can steall all the pwds on it.

Question 52

AD (Active Directory)

Answer 52

broad range of directory-based identity-related services. Uses LDAP v2/3, Microsoft’s v of Kerberos, and DNS. Uses groups to control access by users to data objects, often used as a RBAC where roles are assigned to groups.

Question 53

AD can use Trust domains

Answer 53

which allow users in one domain to access resources in another.

Question 54

1-way trust

Answer 54

One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.

Question 55

2-way trust

Answer 55

2 domains allow access to users on both domains.

Question 56

Trusted domain

Answer 56

the domain that is trusted/ whose users have access to the trusting domain

Question 57

Transitive trust

Answer 57

a trust that can extend beyon two domains to to other trusted domains in the forest.

Question 58

Intransitivie (non-transitive) trust

Answer 58

a 1-way trust that does not extend beyond 2 domains.