Domain 5 - Identity And Access Management

Question 1

Low security cost because security is configured based on roles.

Answer 1

Role-based access control (RBAC)

Question 2

Easier to implement than other access control models.

Answer 2

RBAC

Question 3

Is not user friendly.

Answer 3

RBAC

Question 4

More user friendly than other access control models.

Answer 4

Discretionary Access Control (DAC)

Question 5

Allow the data owner to determine user access rights.

Answer 5

DAC

Question 6

If a user needs access to a file, he only needs to contact the file owner.

Answer 6

DAC

Question 7

Is not discretionary in nature.

Answer 7

RBAC

Question 8

is discretionary in nature.

Answer 8

DAC

Question 9

Is not used in a highly secure environment.

Answer 9

RBAC

Question 10

Use in a highly secure environment.

Answer 10

Mandatory Access Control (MAC)

Question 11

Every subject and object is assigned a security label.

Answer 11

MAC

Question 12

Is easy to enforce minimum privilege for general users.

Answer 12

RBAC

Question 13

Users are assigned into roles based on the structure of the organization, which is usually hierarchical.

Answer 13

RBAC

Question 14

A popular access control model used in commercial applications, especially large network applications.

Answer 14

RBAC

Question 15

Access Control models considered non-discretionary in nature.

Answer 15

RBAC, MAC, and context-based access control (CBAC)

Question 16

This method type relies on security policies and security labels to determine an object’s access to resources.

Answer 16

Non-discretionary access control method

Question 17

This type of access control allows the resource owner to determine the level of resource access given to a user.

Answer 17

Discretionary Access Control (DAC)

Question 18

These type of method of access control is usually managed by a central administrator who determines that the subject’s access rights are based on security policy and the user’s roles and responsibilities related to his duties in the organization.

Answer 18

Non-discretionary access control method

Question 19

Benefits of Role-based access control.

Answer 19

Easy to implement and manage; cost effective

Question 20

Drawbacks of Role-based access control.

Answer 20

Not user friendly, not discretionary, not good for highly secure environments.

Question 21

Popular access control model used for commercial applications.

Answer 21

Role-based access control

Question 22

User name + password

Answer 22

one-factor authentication (something you know)

Question 23

User name + password + smart card

Answer 23

two-factor authentication (something you know and something you have)

Question 24

User name + password + smart card + fingerprint

Answer 24

three-factor authentication (something you know, something you have, something you are)

Question 25

Allows access based on a user’s or a group’s identity.

Answer 25

DAC

Question 26

What is a Preventative Access Control?

Answer 26

A Preventitive Control attempts to stop unwated access

Question 27

What is a Dectective Access Control?

Answer 27

A Detective Control attempts to discover or detect unwanted or unauthorized activity

Question 28

What is a Corrective Access Control?

Answer 28

A Corrective Access Control modifies the enviroment to return systems to a normal after an unwanted or unauthorized activity has occurred

Question 29

What is a Detettent Access Control?

Answer 29

A Deterrent Access Control attempts to discourage security policy violations

Question 30

What is a Recovery Access Control?

Answer 30

A Recovery Access Control attempts to repair or restore resources, functions, and capabilities after a security policy violation.

Question 31

What is a Directive Access Control?

Answer 31

A Directive Access Control attempts to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

Question 32

What is a Compensating Access Control?

Answer 32

A Compensating Access Control provides an alternative when it isn’t possible to use a primary control, or when necessary to increase the effectiveness of a primary control.

Question 33

What is an Administrative Access Control?

Answer 33

An Administrative Access Control are the policies and procedures defined by an organizations security policy , regulations or requirements.

Question 34

What is a Logical/Technical Access Control?

Answer 34

Logical Access Controls (also known as technical access controls) are the hardware or software mechanisms used to manage access and to provide protection for resources and systems.

Question 35

What is a Physical Access Control?

Answer 35

Physical Access Controls are items that you can physically touch (doors, gates etc).

Question 36

What Identification as it relates to Authentication?

Answer 36

Identifiction is how you claim your identity to a system such as a username. Identification and Authentication always occur together as a single two-step process.

Question 37

What is Authentication as it relates to Identification?

Answer 37

If Identification is the username that you provide and Authentication would be a password. Identification and Authentication always occur together as a single two-step process.

Question 38

What is Authotization as it relates to IAAA?

Answer 38

Subjects are granted access to objects based on proven identies. For example, administrators grant users access to files based on the users proven identity.

Question 39

What does IAAA stand for?

Answer 39

Identify, Authentication, Authorization and Accountability

Question 40

What is a Type 1 Authentication Factor?

Answer 40

Type 1 authentication is something that you know

Question 41

What is a Type 2 Authentication Factor?

Answer 41

Type 2 authentication factor is something you have.

Question 42

What is a Type 3 Authentication Factor?

Answer 42

Type 3 authentication factor is something you are

Question 43

What is context aware authnetication?

Answer 43

Location of the user, time of day, mobile device etc

Question 44

What is a cognitive password?

Answer 44

A cognative password is a series of challenge questions about facts or predefined responses that only the subject should know

Question 45

What type of certificate does a Smartcard use?

Answer 45

Asymmetric

Question 46

What is a Common Access Card or a Personal Identity Vertification Card?

Answer 46

It’s a smart card with the employees photo on it which they wear as they walk around the building. This is used in government buildings.

Question 47

What is a Token Device?

Answer 47

OTP tokens like RSA tags

Question 48

What is a Synchronous Dynamic Password Token?

Answer 48

Hardware tokens that create synchronous dynamic passwords are time-based and synchronized with an authentication server. Usually every 60 seconds.

Question 49

What is an Asynchronous Dynamic Password Token?

Answer 49

Does not use a clock, instead it generates the password based on an algorithm and an incrementing counter. Each time you log in it will create a new password token.