Domain 5 - Identity and Access Management

Question 1

Information that is created, consumed or modified by an organization. Could be labeled as a ______?

Answer 1

Asset

Question 2

All about the relationship between users and data.

Answer 2

Access Control

Question 3

What control type is defined by the following:

a. Fences
b. locks
c. bio metrics
d. mantraps
e. lighting
f. separation of duties
g. job rotation
h. data classification
i. CCTV

Answer 3

Preventative

Question 4

What control type is defined by the following:

a. security guards
b. motion sensors
c. audit trails
d. review of CCTV footage
e. honeypots | honeynets
f. IDS
g. incident response

Answer 4

Detective

Question 5

What control type is defined by the following:

a. rebooting a system
b. terminating a system
c. A/V software quarantine
d. data restoration
e. IPS

Answer 5

Corrective

Question 6

What control type is defined by the following:

a. policies
b. awareness training
c. locks
d. fences
e. warning signs
f. guards
g. mantraps
h. CCTV

Answer 6

Deterrent

Question 7

What control type is defined by the following:

a. fault tolerant systems
b. system clusters
c. imaging
d. mirroring

Answer 7

Recovery

Question 8

What control type is defined by the following:

a. procedures
b. exit signage
c. announced commands

Answer 8

Directive

Question 9

What control type is defined by the following:

a. When guard is not present to sign in, use badge to swipe
b. when badge swipe does not work, use intercom and CCTV system to request access.

Answer 9

Compensating

Question 10

Provides AAA services between network access servers and an authentication server. The network access server is the client of the ______ server.

Answer 10

RADIUS (PROTOCOL for AAA)

RADIUS only encrypts the password exchange, not the rest of the authentication traffic. Uses UDP.

Question 11

Open source solution for TACACS and XTACACS. Separates AAA processes, allowing them to be hosted separately if necessary.

Answer 11

TACACS+ (PROTOCOL for AAA)

Encrypts ALL authentication information and uses TCP 49

Question 12

Uses TCP port 3368 or Stream Control Protocol (SCTP) port 3668. Supports IPSEC and TLS

Answer 12

Diameter

Question 13

What process defines the following:

a. Identification
b. Authentication
c. Authorization
d. Access / Auditing

Answer 13

IAAA

Access Control Life cycle

Question 14

“subject claiming an identity”

Answer 14

Identification

Question 15

“Verifies / validates identity of subject through comparison of factors provided (provides validity) “

Answer 15

Authentication

Question 16

“Subject is granted access to object based on validated identity”

Answer 16

Authorization

Question 17

“Subject interacts with object”

Answer 17

Access

Tracked through auditing

Question 18

Something you have …

Answer 18

Smartcard or Token

Question 19

Something you know …

Answer 19

Pin or password

Question 20

Something you are …

Answer 20

Biometric

Question 21

3 categories of control are ______

Answer 21

Administrative, Technical and Physical

Question 22

2 types of bio-metrics are ?

Answer 22

Physiological (Fingerprints …etc)

and

Behavioral (Signature and Keystrikes)

Question 23

All users authenticate back to a central authentication server from remote offices.

Answer 23

Centralized Access Control

Question 24

Authenticate once to centralized access control

Answer 24

Single sign On

Question 25

x.500 standard

Answer 25

LDAP

Question 26

x.400 Standard

Answer 26

Email

Question 27

Ticket bases authentication solution relying on symmetric encryption using AES. . Provides confidentiality and integrity for authentication traffic end to end

Answer 27

Kerberos

Question 28

Kerberos:

Verifies and accepts/rejects tickets based on authenticity and timeliness

Answer 28

Authentication Server

Question 29

Kerberos:

Issues tickets to authorized users

Answer 29

Ticket Granting Server

Question 30

Kerberos:

An encrypted message that provides some form or type of proff depending on what type of ticket it is. 2 Types of tickets.

Ticket Granting Ticket
Service ticket

Answer 30

Ticket

Question 31

Kerberos:
Proof that subject has authenticated through a KDC successfully and is authorized to request additional service ticket to access objects

Answer 31

Ticket Granting Ticket (TGT)

Question 32

Kerberos:

Proof that a subject is authorized to access an object

Answer 32

Service Ticket (ST)

Question 33

A third party solution that provides identity and access management. These are clod based servies that broker identifity nad access mgmt functions to target systems on customers’ premises and/or in the cloud.

Answer 33

Identity as a Service (IDaaS)

Question 34

Access to an object is denied unless access has been explicitly granted

Answer 34

Implicit Deny

Question 35

Table that is made up of subjects, objects and assigned privileges. System checks the matrix to see whether a subject has appropriate privileges to carry out an activity.

Answer 35

Access Control Matrix

Question 36

Sub focused, as opposed to an ACL which is object focused.

Answer 36

Capability Table

Question 37

A view that only allows access to features/abilities granted to the subject

Database Views!!!

Answer 37

Constrained Interface

Database Views!!!

(Limited menus inside of an application. Not being able to see admin interface but only what you are entitled to)

Question 38

Bases access control authorization on roles or functions, that are assigned to a user within an organization.

Answer 38

Role Based Access Control (RBAC)

Question 39

grants use access to data or an application using ACLS

Answer 39

NON-RBAC

Question 40

Users are mapped to roles within a single application rather than through an organization wide role structure

Answer 40

Limited RBAC

Question 41

Applies a role to multiple applications or systems based on a users specific role within the organization.

Answer 41

Hybrid RBAC

Question 42

Roles are defined organizations policy and access control infrastructure and then applied to applications and systems across the enterprise

Answer 42

FULL RBAC

Question 43

access is based on list of predefined rules that determine what access should be granted.

Most commonly a form of DAC.

Answer 43

Rule based access control

Example: Firewalls

Question 44

Lattice-based - requires the system to manage access controls in accordance with the organizations security policies and where system owners do not want to allow users to potentially contradict or bypass organizationally mandated access.

Answer 44

Mandatory Access Control

Question 45

Restrict access to data based on the content of the object.

VIEWS IN A DATABASE

Answer 45

Content-Dependent Access Control

Question 46

Based on the context or specific actions that are happening (or not)

Answer 46

Context-Dependent Access Control

Question 47

Use of rules defining one or more attributes

Answer 47

Attribute Based Access Control

Question 48

Bad actor looking to do harm

Answer 48

Cracker

Question 49

Attempt to bypass or circumvent access control methods

Answer 49

Access Control Attacks

Question 50

Collecting multiple pieces of nonsensitive information that are combined to understand sensitive information

Answer 50

Access aggregation Attacks

Counter measures: Defense in depth with least privilege can be effective counter measure.

Question 51

Attempt to discover passwords by using all possible passwords in a predefined list

Answer 51

Dictionary Attack

Counter measures: Complex changing passwords, every 30 days

Question 52

Combination of dictionary and brute force attacks

Answer 52

Hybrid Attack

Counter measures:Complex changing passwords, every 30 days

Question 53

All about collisions!! 2 things to keep in mind:

1. small is bad
2. same hash - different password = SUCCESS

Answer 53

Birthday Attack

Counter measures: Large work factor

Question 54

Attempt to shortcut using tables of pre-computed hash values

Answer 54

Rainbow table attack

Counter measures:

a. Salt
b. Pepper

Question 55

Attacking specfic group of users

Answer 55

Spear Phisihing

Question 56

Phishing attack targeting senior executives

Answer 56

Whaling

Question 57

Pretending to be someone else in hope of assuming their identify

Answer 57

Spoofing

Countermeasure: MFA

Question 58

An attempt to gain trust of targeted individual in hopes of getting them to reveal useful information.

Answer 58

Social Engineering Attack

Question 59

Phishing attack using VOIP or IM

Answer 59

Vishing

Question 60

Side channel
differential power analysis
timing

Answer 60

Smart Card Attacks

Question 61

1. Control Physical Access to System
2. Control electronic access to system
3. create and enforce a strong password policy
4. hash, salt & pepper password
5. employ password masking, obfuscation and tokenization
6. MFA
7. Account lock controls
8. last logon notification
9. Awareness Training

Answer 61

Protection Methods