Domain 5: Identity and Access Management Flashcards

1
Q

What is a credential set?

A

A credential set is the combination of a user's identification (the claimed identity, such as a username) and authentication (the proof of that claim, such as a password, token or biometric).

2
Q

What are static passwords?

A

Static passwords are reusable passwords that may or may not expire. They are typically user-generated and work best when combined with another authentication type, such as a smart card or biometric control

3
Q

What are passphrases?

A

Passphrases are long static passwords, comprised of words in a phrase or sentence

4
Q

What are one time passwords?

A

One-time passwords are valid for a single authentication: once used (or expired) the value cannot be replayed, so a captured password is worthless to an attacker. They are very secure but harder to manage (generation, distribution and synchronization of the values).

5
Q

What are dynamic passwords?

A

Dynamic passwords change at regular intervals. RSA Security makes a synchronous token device called SecurID that generates a new token code every 60 seconds. The user combines a static PIN with the current token code to form one dynamic password that is different every time it is used.

6
Q

What is a rainbow table?

A

A rainbow table is a precomputed lookup structure (chains of hash and reduction functions, trading storage for computation) that maps password hashes back to the passwords for most or all candidates in a given character set and length. It only works against unsalted hashes, because the precomputation must match exactly how the target system hashed the password.

7
Q

What is the purpose of a salt?

A

A salt is a random value combined with the password before hashing, so one password can hash many different ways. Some systems (such as modern UNIX/Linux systems) generate a salt per user and store it alongside the hash in the password database.

8
Q

What is the purpose of a salt value?

A

A salt value ensures that the same password hashes differently for different users. An attacker must therefore hash each candidate word once per salt (that is, once per user) to mount a password-guessing attack, instead of once for everyone. As a result, precomputed rainbow tables are far less effective, if not completely ineffective, against systems that use salts.
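Added worked example (not part of the original deck): the precomputation attack in code. A precomputed lookup table stands in for the rainbow table, and the user names, passwords and wordlist are constructed sample data.

```python
import hashlib
import os

# Constructed sample data: two users who happened to choose the same weak password.
USERS = {"alice": "Summer2023", "bob": "Summer2023"}
# Constructed stand-in for a rainbow table: precomputed unsalted SHA-256 digests
# of a small wordlist. (A real rainbow table stores hash chains to save space,
# but the attack still ends in a lookup keyed by the unsalted hash.)
WORDLIST = ["password", "letmein", "Summer2023", "qwerty"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unsalted_store(users: dict) -> dict:
    """Naive scheme: store hash(password). Identical passwords give identical hashes."""
    return {user: sha256_hex(pw.encode()) for user, pw in users.items()}


def salted_store(users: dict, salt_len: int = 16) -> dict:
    """Store (salt, hash(salt || password)) with a fresh random salt per user."""
    store = {}
    for user, pw in users.items():
        salt = os.urandom(salt_len)
        store[user] = (salt, sha256_hex(salt + pw.encode()))
    return store


def build_lookup(wordlist: list) -> dict:
    """The attacker's precomputation: done once, reused against every unsalted store."""
    return {sha256_hex(w.encode()): w for w in wordlist}


def crack_unsalted(store: dict, lookup: dict) -> dict:
    """One table lookup per account recovers every matching password at once."""
    return {user: lookup.get(h) for user, h in store.items()}


def crack_salted(store: dict, lookup: dict) -> dict:
    """The same table is useless: nothing in it was hashed with these salts."""
    return {user: lookup.get(h) for user, (_salt, h) in store.items()}


def crack_salted_online(store: dict, wordlist: list):
    """A salt does not stop guessing; it forces the attacker to redo the work per user.
    Returns (recovered passwords, number of hash computations spent)."""
    found, work = {}, 0
    for user, (salt, h) in store.items():
        for guess in wordlist:
            work += 1
            if sha256_hex(salt + guess.encode()) == h:
                found[user] = guess
                break
    return found, work
```

Note that the salted store still falls to an online dictionary attack; the salt only removes the one-time precomputation advantage. Slowing each guess down is the job of key stretching, covered later in the deck.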

9
Q

What are synchronous dynamic tokens?

A

Synchronous dynamic tokens use time or counters to synchronize a displayed token code with the code expected by the authentication server (AS).

10
Q

What are asynchronous dynamic tokens?

A

Asynchronous dynamic tokens are not synchronized with a central server. The most common variety is challenge-response tokens

11
Q

What are the three metrics used to judge biometric accuracy?

A

Three metrics are used to judge biometric accuracy: the false reject rate (FRR), the false accept rate (FAR), and the crossover error rate (CER)

12
Q

When does a false rejection occur?

A

A false rejection occurs when an authorized subject is rejected by the biometric system as unauthorized. False rejections are also called a Type I error

13
Q

When does a false acceptance occur?

A

A false acceptance occurs when an unauthorized subject is accepted as valid. This type of error is also called a Type II error.

14
Q

What does the CER describe?

A

The CER is the point where the FRR and FAR are equal. CER is also known as the equal error rate (EER). The CER summarizes the overall accuracy of a biometric system: the lower the CER, the more accurate the system.
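Added worked example (not part of the original deck) for cards 11 to 14: computing FRR, FAR and the CER from matcher scores. The genuine and impostor score lists are constructed sample data; real systems produce thousands of such scores per evaluation.

```python
# Constructed matcher scores in [0, 1]: higher means "closer to the enrolled template".
# GENUINE are scores from the legitimate user, IMPOSTOR from other people.
GENUINE = [0.95, 0.91, 0.88, 0.85, 0.80, 0.74, 0.70, 0.62, 0.55, 0.50]
IMPOSTOR = [0.10, 0.20, 0.28, 0.35, 0.41, 0.48, 0.52, 0.60, 0.66, 0.72]


def rates(threshold: float, genuine=GENUINE, impostor=IMPOSTOR):
    """Accept a sample when score >= threshold.
    FRR (Type I) = fraction of genuine samples rejected.
    FAR (Type II) = fraction of impostor samples accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE, impostor=IMPOSTOR, steps: int = 1000):
    """Sweep thresholds and return (threshold, CER): the point where FRR and FAR
    are (closest to) equal. Lower CER means a more accurate system."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[2]:
            best = (t, (frr + far) / 2, gap)
    return best[0], best[1]


def operating_point(max_far: float, genuine=GENUINE, impostor=IMPOSTOR, steps: int = 1000):
    """Deployment tuning: the loosest threshold whose FAR does not exceed max_far,
    and the FRR you pay for it. Returns (threshold, frr)."""
    for i in range(steps + 1):
        t = i / steps
        frr, far = rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr
    return 1.0, 1.0
```

Raising the threshold drives FAR down and FRR up; the CER is the single number used to compare two systems, while `operating_point` shows the trade-off an organization actually deploys (for example, demanding zero false accepts on this sample costs a 40% false reject rate).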

15
Q

What is a retina scan?

A

A retina scan is a laser scan of the capillaries that feed the retina of the back of the eye. This can seem personally intrusive because the light beam must directly enter the pupil, and the user usually needs to press their eye up to a laser scanner eyecup.

16
Q

What is an iris scan?

A

An iris scan is a passive biometric control. A camera takes a picture of the iris, the colored portion of the eye, and then compares photos within the authentication database

17
Q

What are keyboard dynamics?

A

Keyboard dynamics refer to how hard a person presses each key and the rhythm in which the keys are pressed. Surprisingly, this type of access control is cheap to implement and can be effective

18
Q

What do dynamic signatures measure?

A

Dynamic signatures measure the process by which someone signs his/her name. This process is similar to keyboard dynamics, except that this method measures the handwriting of the subjects while they sign their name

19
Q

What is the purpose of centralized access control?

A

Centralized access control concentrates access control in one logical point for a system or organization. Instead of using local access control databases, systems authenticate via third-party ASs. Centralized access control can be used to provide single sign-on (SSO), where a subject may authenticate once, then access multiple systems.

20
Q

What does centralized access control provide?

A

Centralized access control centrally provides the three As of access control: authentication, authorization, and accountability.
• Authentication: proving an identity claim.
• Authorization: the actions authenticated subjects are allowed to perform on a system.
• Accountability: the ability to audit a system and demonstrate the actions of subjects.

21
Q

What is the purpose of decentralized access control

A

Decentralized access control allows IT administration to occur closer to the mission and operations of the organization. In decentralized access control, an organization spans multiple locations, and the local sites support and maintain independent systems, access control databases, and data. Decentralized access control is also called distributed access control.

22
Q

What does SSO allow for?

A

Single sign-on (SSO) allows multiple systems to use a central AS. This allows users to authenticate once and have access to multiple different systems. It also allows security administrators to add, change, or revoke user privileges on one central system.

23
Q

When does access aggregation occur? When does this happen?

A

Access aggregation occurs as individual users gain more access to more systems. This can happen intentionally, as a function of SSO. It can also happen unintentionally, because users often gain new entitlements, also called access rights, as they take on new roles or duties. This can result in authorization creep, in which users gain more entitlements without shedding the old ones.

24
Q

What does FIdM do?

A

Federated identity management (FIdM) applies SSO at a much wider scale: ranging from cross-organization to Internet scale. It is sometimes simply called identity management (IdM).

25
Q

What does FIdM use to exchange security information?

A

FIdM may use OpenID or SAML (Security Assertion Markup Language). SAML is an XML-based framework for exchanging security information, including authentication data (assertions), between an identity provider and a service provider.

26
Q

What are the 8 components of Kerberos?

A

Kerberos has the following components:
• Principal: Client (user) or service.
• Realm: A logical Kerberos network.
• Ticket: Data that authenticates a principal’s identity.
• Credentials: A ticket and a session key.
• KDC: Key Distribution Center, which authenticates principals. (consists of TGS and AS)
• TGS: Ticket Granting Service.
• AS: Authentication server
• C/S: Client Server, regarding communications between the two

27
Q

What are the 6 steps in the Kerberos authentication process?

A

Kerberos authentication process:

  1. Client → AS: requests a TGT, sending only the plaintext user ID (the password never crosses the network).
  2. AS → Client: the client/TGS session key encrypted with the user's secret key (derived from the password) + the TGT encrypted with the TGS's secret key.
  3. Client → TGS: the TGT + the service request + an authenticator (client ID and timestamp) encrypted with the client/TGS session key.
  4. TGS → Client: the client-to-server ticket encrypted with the server's secret key + the client/server session key encrypted with the client/TGS session key.
  5. Client → Server: the client-to-server ticket + a new authenticator encrypted with the client/server session key.
  6. Server → Client: the authenticator's timestamp (incremented) encrypted with the client/server session key, which proves the server holds its key (mutual authentication).
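Added worked example (not part of the original deck, nor real Kerberos code): the six steps above as a message exchange between client, KDC and service. The hash-based "encryption" is a toy stand-in for the AES-based encryption types Kerberos actually uses, and the user, password, service name and keys are constructed.

```python
import hashlib
import hmac
import json
import os
import time


# Toy authenticated encryption (hash keystream + HMAC). Illustrative only; it stands
# in for the real Kerberos encryption types so the exchange can run stand-alone.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    pt = json.dumps(obj).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def user_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()   # stand-in for string-to-key

# Constructed KDC database: long-term keys of the user, the TGS (krbtgt) and a service.
# The service's entry also plays the part of the service's own keytab.
KDC_DB = {"alice": user_key("correct horse"), "krbtgt": os.urandom(32), "fileserver": os.urandom(32)}
MAX_SKEW = 300   # seconds; authenticators older than this are rejected


# Steps 1-2: AS exchange. The request carries only the plaintext user ID.
def as_exchange(user_id: str):
    tgs_session_key = os.urandom(32)
    tgt = encrypt(KDC_DB["krbtgt"], {"client": user_id, "key": tgs_session_key.hex(),
                                      "expires": time.time() + 8 * 3600})
    return encrypt(KDC_DB[user_id], {"tgs_key": tgs_session_key.hex()}), tgt

def client_login(user_id: str, password: str) -> dict:
    enc_part, tgt = as_exchange(user_id)
    # Only the holder of the password-derived key can open this; a wrong password raises.
    tgs_key = bytes.fromhex(decrypt(user_key(password), enc_part)["tgs_key"])
    return {"id": user_id, "tgs_key": tgs_key, "tgt": tgt}


# Steps 3-4: TGS exchange. Client presents TGT + authenticator, receives a service ticket.
def tgs_exchange(tgt: bytes, authenticator: bytes, service: str):
    t = decrypt(KDC_DB["krbtgt"], tgt)              # only the KDC can open the TGT
    if time.time() > t["expires"]:
        raise ValueError("TGT expired")
    sk = bytes.fromhex(t["key"])
    auth = decrypt(sk, authenticator)                # proves the client knows the session key
    if auth["client"] != t["client"] or abs(time.time() - auth["ts"]) > MAX_SKEW:
        raise ValueError("bad authenticator")
    svc_key = os.urandom(32)
    ticket = encrypt(KDC_DB[service], {"client": t["client"], "key": svc_key.hex()})
    return ticket, encrypt(sk, {"svc_key": svc_key.hex()})

def client_get_service_ticket(sess: dict, service: str):
    authenticator = encrypt(sess["tgs_key"], {"client": sess["id"], "ts": time.time()})
    ticket, enc = tgs_exchange(sess["tgt"], authenticator, service)
    return ticket, bytes.fromhex(decrypt(sess["tgs_key"], enc)["svc_key"])


# Steps 5-6: AP exchange with the service. The service never contacts the KDC.
def service_ap_exchange(service: str, ticket: bytes, authenticator: bytes, seen: set) -> bytes:
    t = decrypt(KDC_DB[service], ticket)             # opened with the service's own key
    k = bytes.fromhex(t["key"])
    auth = decrypt(k, authenticator)
    if abs(time.time() - auth["ts"]) > MAX_SKEW:
        raise ValueError("stale authenticator")
    if (auth["client"], auth["ts"]) in seen:         # replay cache
        raise ValueError("replayed authenticator")
    seen.add((auth["client"], auth["ts"]))
    return encrypt(k, {"ts": auth["ts"] + 1})        # step 6: proves the service holds the key

def client_access(sess: dict, service: str, seen: set) -> bool:
    ticket, k = client_get_service_ticket(sess, service)
    ts = time.time()
    authenticator = encrypt(k, {"client": sess["id"], "ts": ts})
    reply = service_ap_exchange(service, ticket, authenticator, seen)
    return decrypt(k, reply)["ts"] == ts + 1         # mutual authentication check

def replay_is_rejected(sess: dict, service: str, seen: set) -> bool:
    """Capture one authenticator and present it twice: the second must be refused."""
    ticket, k = client_get_service_ticket(sess, service)
    authenticator = encrypt(k, {"client": sess["id"], "ts": time.time()})
    service_ap_exchange(service, ticket, authenticator, seen)
    try:
        service_ap_exchange(service, ticket, authenticator, seen)
    except ValueError:
        return True
    return False
```

Two properties to notice: the password is only ever used locally to open the AS reply, so an eavesdropper sees nothing password-derived; and the timestamp authenticator plus the service's replay cache is what stops a captured ticket/authenticator pair from being reused, which is why Kerberos depends on synchronized clocks.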
28
Q

What is SESAME?

A

SESAME stands for secure European system for applications in a multivendor environment, an SSO system that supports heterogeneous environments. SESAME can be thought of as a sequel of sorts to Kerberos: "SESAME adds to Kerberos: heterogeneity, sophisticated access control features, scalability of public key systems, better manageability, audit and delegation."

29
Q

What does SESAME use in place of Kerberos tickets?

A

SESAME uses privilege attribute certificates (PACs) in place of Kerberos’ tickets

30
Q

What is RADIUS?

A

The remote authentication dial in user service (RADIUS) protocol is a third-party authentication system. RADIUS is described in RFCs 2865 and 2866, and it uses the UDP ports 1812 (authentication) and 1813 (accounting)

31
Q

What is TACACS+

A

The terminal access controller access control system (TACACS) is a centralized access control system that requires users to send an ID and a static (reusable) password for authentication. The original TACACS uses UDP port 49 (TCP is also permitted). Reusable passwords are a vulnerability; the improved TACACS+ (a separate, incompatible protocol that uses TCP port 49) encrypts the packet body, separates authentication, authorization and accounting, and supports two-factor strong authentication.

32
Q

Why is the password authentication protocol (PAP) insecure?

A

A user enters a password and it is sent across the network in clear text

33
Q

What does CHAP provide?

A

The challenge-handshake authentication protocol (CHAP) provides protection against replay (playback) attacks. A central authenticator sends a fresh random challenge to the remote user, who returns a hash of the challenge combined with the shared secret; the password itself never crosses the network, and a captured response is useless against the next challenge.

34
Q

What is DAC?

A

DAC - (Discretionary Access Control) gives subjects full control of objects they have created or been given access to. Used when availability is most important.

35
Q

What is MAC?

A

MAC - (Mandatory Access Control) is system-enforced access control based on a subject’s clearance and an object’s labels. Used when confidentiality is most important.

36
Q

What is RBAC?

A

RBAC - (Role Based Access Control) is where access to objects is granted based on the role of the subject.

37
Q

What is ABAC?

A

ABAC - (Attribute Based Access Control) is where access to objects is granted based on subjects, objects AND environmental conditions.

38
Q

What are the three types of attributes in ABAC?

A

• Subject (user): name, role, ID, clearance, etc.
• Object (resource): name, owner, date of creation, etc.
• Environment: location and/or time of access, threat level, etc.
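Added worked example (not part of the original deck) for cards 36 to 39: a small policy engine that combines a role check (RBAC) with IF/THEN rules over subject, object and environment attributes (ABAC / rule-based). All subjects, objects, rules and environments are constructed for the illustration.

```python
from datetime import datetime

# Constructed attribute stores and role-permission map.
SUBJECTS = {
    "alice": {"role": "analyst", "clearance": 3, "dept": "soc"},
    "bob": {"role": "contractor", "clearance": 1, "dept": "it"},
}
OBJECTS = {
    "incident-report-42": {"owner": "alice", "label": 3, "dept": "soc"},
    "cafeteria-menu": {"owner": "hr", "label": 0, "dept": "hr"},
}
ROLE_PERMISSIONS = {"analyst": {"read", "write"}, "contractor": {"read"}}

# Constructed environment attributes for three access attempts.
ENV_OFFICE = {"time": datetime(2024, 1, 15, 10, 0), "network": "corp"}
ENV_NIGHT = {"time": datetime(2024, 1, 15, 22, 30), "network": "corp"}
ENV_HOTEL = {"time": datetime(2024, 1, 15, 10, 0), "network": "hotel-wifi"}


def rbac_allows(subject: str, action: str) -> bool:
    """RBAC: permissions hang off the role, not the individual."""
    return action in ROLE_PERMISSIONS.get(SUBJECTS[subject]["role"], set())


# ABAC / rule-based layer: each rule is an IF/THEN predicate over subject attributes,
# object attributes and the environment. It returns a deny reason or None.
def rule_clearance(s, o, env):
    return None if s["clearance"] >= o["label"] else "clearance below object label"

def rule_business_hours(s, o, env):
    if o["label"] >= 3 and not 8 <= env["time"].hour < 18:
        return "sensitive object outside business hours"
    return None

def rule_trusted_network(s, o, env):
    if o["label"] >= 2 and env["network"] != "corp":
        return "sensitive object from untrusted network"
    return None

RULES = [rule_clearance, rule_business_hours, rule_trusted_network]


def decide(subject: str, obj: str, action: str, env: dict):
    """Combined decision: the role must grant the action, then every attribute rule
    must pass (deny wins). Returns (permit: bool, reason: str)."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if not rbac_allows(subject, action):
        return False, "role does not grant action"
    for rule in RULES:
        reason = rule(s, o, env)
        if reason:
            return False, reason
    return True, "permit"
```

The role check alone would let the analyst read the incident report from a hotel network at night; the environment attributes are what make the decision context-aware, and returning the reason makes the denial auditable (the accountability "A").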

39
Q

What is RUBAC?

A

RUBAC - (Rule Based Access Control) is access that’s granted based on IF/THEN statements.

40
Q

When is DAC most often used?

A

DAC (Discretionary Access Control): Often used when Availability is most important.

  • Access to an object is assigned at the discretion of the object owner.
  • The owner can add or remove rights; this is the model used by most operating systems.
  • Uses DACLs (discretionary ACLs), based on user identity.
41
Q

When is RBAC used?

A

RBAC (Role Based Access Control): Often used when Integrity is most important

42
Q

What is context based access control?

A

Context-based access control:
- Access to an object is controlled based on certain contextual parameters, such as location, time, sequence of responses, access history.

43
Q

What is content based access control?

A

Content-based access control:

  • When access is granted based on the attributes or content of an object, it is known as content-dependent access control.
  • In this type of control, the value and attributes of the content being accessed determine the control requirements.
  • Hiding or showing menus in an application, views in databases, and access to confidential information are all content-dependent.
44
Q

What is task based access control?

A

Task-based access control is another nondiscretionary access control model related to RBAC. Task-based access control is based on the tasks each subject must perform, such as writing prescriptions, restoring data from a backup tape, or opening a help desk ticket

45
Q

What is a nonce?

A

Nonce: (arbitrary number that may only be used once).

  • It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.
  • They can also be useful as initialization vectors and in cryptographic hash function.
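Added worked example (not part of the original deck) for cards 33, 45 and 54: a CHAP exchange in which the challenge is the nonce. The peer name and secret are constructed; the response computation follows RFC 1994 (MD5 over identifier, secret and challenge).

```python
import hashlib
import hmac
import os

# Constructed peer secret. CHAP forces the authenticator to keep it in plaintext
# (or reversible form), because it must recompute MD5(id || secret || challenge).
SECRETS = {"alice": b"s3cret-ppp"}


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class ChapAuthenticator:
    """The central location that challenges peers. One outstanding challenge per peer."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.pending = {}     # peer name -> (identifier, challenge nonce)
        self.ident = 0

    def challenge(self, name: str):
        self.ident = (self.ident + 1) % 256
        nonce = os.urandom(16)     # fresh, unpredictable, used exactly once
        self.pending[name] = (self.ident, nonce)
        return self.ident, nonce

    def verify(self, name: str, ident: int, response: bytes) -> bool:
        entry = self.pending.pop(name, None)   # consumed whether the check passes or not
        if entry is None or entry[0] != ident or name not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[name], entry[1])
        return hmac.compare_digest(expected, response)


def peer_authenticate(auth: ChapAuthenticator, name: str, secret: bytes):
    """Full exchange from the peer's side. Returns (success, ident, response)."""
    ident, nonce = auth.challenge(name)
    response = chap_response(ident, secret, nonce)
    return auth.verify(name, ident, response), ident, response


def replay_captured_response(auth: ChapAuthenticator, name: str, captured: bytes) -> bool:
    """Eavesdropper who recorded an earlier response answers a new challenge with it."""
    ident, _nonce = auth.challenge(name)
    return auth.verify(name, ident, captured)
```

The nonce is what defeats the replay: every challenge is new, so the captured response never matches again. The cost is visible in `SECRETS`: the authenticator needs the plaintext secret to recompute the response, which is the weakness card 54 describes, and an offline attacker who captures a challenge/response pair can still brute-force the secret.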
46
Q

What is the purpose of clipping levels?

A

Clipping levels: A clipping level is a threshold below which an event (such as a failed login) is tolerated as ordinary user error and not treated as a violation. It exists to limit administrative overhead.

  • It allows authorized users who forget or mistype their password to have a few extra tries.
  • Once the level is exceeded it prevents password guessing by locking the user account for a certain timeframe (for example an hour), or until unlocked by an administrator.
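Added worked example (not part of the original deck) for cards 46 and 57: an account lockout policy built on a clipping level. Threshold, window and lockout duration are constructed values; the clock is injectable so the behaviour can be checked without waiting.

```python
import time


class ClippingLevel:
    """Tolerate up to `threshold - 1` failed logins per account inside `window` seconds;
    the failure that reaches the threshold locks the account for `lockout` seconds
    (or until an administrator unlocks it)."""

    def __init__(self, threshold=5, window=15 * 60, lockout=60 * 60, clock=time.time):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.clock = clock                  # injectable so the policy is testable
        self.failures = {}                  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> unlock time

    def is_locked(self, account: str) -> bool:
        return self.clock() < self.locked_until.get(account, 0)

    def record_failure(self, account: str) -> str:
        now = self.clock()
        # Sliding window: failures older than the window no longer count.
        recent = [t for t in self.failures.get(account, []) if now - t <= self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.threshold:   # clipping level exceeded: now it is a violation
            self.locked_until[account] = now + self.lockout
            self.failures[account] = []
            return "locked"
        return "failed"

    def record_success(self, account: str) -> None:
        self.failures.pop(account, None)

    def admin_unlock(self, account: str) -> None:
        self.locked_until.pop(account, None)


def attempt_login(policy: ClippingLevel, account: str, password_ok: bool) -> str:
    """Returns 'locked', 'ok' or 'failed'. A locked account is refused even with
    the right password, which is what stops the guessing."""
    if policy.is_locked(account):
        return "locked"
    if password_ok:
        policy.record_success(account)
        return "ok"
    return policy.record_failure(account)
```

The window matters as much as the threshold: without it, three typos spread over a year would lock the account, and with a too-short window an attacker can pace guesses to stay under the level indefinitely. A lockout that any remote party can trigger is also a denial-of-service lever, so the lock duration is a trade-off, not a free security win.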
47
Q

What is IDaaS?

A

IDaaS (Identity as a Service):
- Identity and access management that is built, hosted and managed by a third-party service provider.
- Native cloud-based IDaaS solutions can provide SSO functionality through the cloud, federated identity management for access governance, password management, and more.
- Hybrid IAM solutions from vendors like Microsoft and Amazon provide cloud-based directories that link with on-premises IAM systems.

48
Q

What are the AD trust models?

A

AD Trust models:

  • One-way trust: One domain allows access to users on another domain, but the other domain does not allow access to users on the first domain.
  • Two-way trust: Two domains allow access to users on both domains.
  • Trusted domain: The domain that is trusted; whose users have access to the trusting domain.
  • Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.
  • Intransitive (non-transitive) trust: A one way trust that does not extend beyond two domains
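Added worked example (not part of the original deck) for cards 48 and 58: which domains a user can reach through a set of trusts, showing why a transitive trust extends across the forest and a non-transitive one stops after a single hop. The domain names and trust list are constructed.

```python
# Constructed forest plus one external partner domain. Each entry is
# (trusting_domain, trusted_domain, transitive): the trusting domain accepts
# authentication from the trusted domain, so the trusted domain's users can be
# granted access to the trusting domain's resources.
TRUSTS = [
    ("corp.example", "eu.corp.example", True),       # two-way, transitive (parent/child)
    ("eu.corp.example", "corp.example", True),
    ("eu.corp.example", "lab.eu.corp.example", True),
    ("lab.eu.corp.example", "eu.corp.example", True),
    ("corp.example", "partner.example", False),      # two-way external trust, non-transitive
    ("partner.example", "corp.example", False),
]


def accessible_domains(user_domain: str, trusts=TRUSTS) -> set:
    """Domains that can grant access to a user whose account lives in user_domain.
    Transitive trusts are followed hop by hop; a non-transitive trust is honoured
    only as the first hop from the user's own domain and is never extended."""
    reachable, frontier = {user_domain}, [user_domain]
    while frontier:
        d = frontier.pop()
        for trusting, trusted, transitive in trusts:
            if trusted != d or trusting in reachable:
                continue
            if transitive:
                reachable.add(trusting)
                frontier.append(trusting)     # keep walking through transitive links
            elif d == user_domain:
                reachable.add(trusting)       # direct hop only; do not walk further
    return reachable - {user_domain}


def trust_kind(a: str, b: str, trusts=TRUSTS) -> str:
    """Classify the relationship between two domains in the terms the cards use."""
    ab = [t for t in trusts if t[0] == a and t[1] == b]
    ba = [t for t in trusts if t[0] == b and t[1] == a]
    if not ab and not ba:
        return "none"
    direction = "two-way" if ab and ba else "one-way"
    transitive = all(t[2] for t in ab + ba)
    return f"{direction} {'transitive' if transitive else 'non-transitive'}"
```

The security point is the partner: its users can reach `corp.example` but not the child domains behind it, because the external trust is not transitive. Making such a trust transitive would silently expose the whole forest to the partner's identity store.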
49
Q

When is MAC used?

A

MAC (Mandatory Access Control): Often used when Confidentiality is most important.
- Access to an object is determined by labels and clearance, this is often used in the military or in organizations where confidentiality is very important

50
Q

Diameter was designed to replace Radius, but the change never happened. Where is Diameter COMMONLY used now?

A

Diameter is used mainly in the 3G/4G mobile network core, while RADIUS is used elsewhere. Diameter was intended as a replacement for RADIUS, but the use cases diverged and the two protocols now coexist with different roles. Both provide centralized AAA (authentication, authorization, and accounting) for users who connect to and use a network service.

51
Q

If we were to implement SESAME instead of KERBEROS, what would it uses instead of tickets?

A

SESAME (Secure European System for Applications in a Multi-vendor Environment): Uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute Certificates) instead of Kerberos tickets. It uses public key (asymmetric) cryptography, which addresses Kerberos's reliance on symmetric keys stored in plaintext on the KDC.

52
Q

The TACACS+ protocol as default uses which TCP port?

A

49

53
Q

Which security issue in Kerberos was addressed in SESAME with Public Key Infrastructure (PKI)?

A

SESAME (Secure European System for Applications in a Multi-vendor Environment): Uses a PAS (Privilege Attribute Server), which issues PACs (Privilege Attribute Certificates) instead of Kerberos tickets. It uses public key (asymmetric) cryptography, which addresses Kerberos's reliance on symmetric keys stored in plaintext on the KDC.

54
Q

What is a WEAKNESS of the Challenge Handshake Authentication Protocol (CHAP)?

A

CHAP (Challenge-Handshake Authentication Protocol): The CHAP server stores plaintext passwords of each client, an attacker gaining access to the server can steal all the client passwords stored on it.

55
Q

As part of our authentication process, we have issued our staff TOTP tokens. How do they work?

A

Something you have - Type 2 Authentication: TOTP (Time-based One-Time Password): Time based with shared secret, often generated every 30 or 60 seconds, synchronized clocks are critical.

56
Q

We have, after a long project, implemented biometrics in our organization. What do we want for our biometrics?

A

We want both FRR and FAR to be low. Plotted against the matching threshold they form two curves; the point where they cross is the CER (crossover error rate), the usual single number for comparing biometric systems, and a lower CER is better. The deployed threshold is then tuned from there: toward a lower FAR where unauthorized access is the greater risk, or toward a lower FRR where usability matters more.

57
Q

What is the PRIMARY reason we would implement clipping levels?

A

Clipping levels exist to limit administrative overhead: a threshold below which failed logins are tolerated as ordinary user error rather than treated as a violation. They allow authorized users who forget or mistype their password a few extra tries, and once exceeded they prevent password guessing by locking the user account for a certain time frame (for example an hour), or until unlocked by an administrator.

58
Q

Jane is implementing active directory throughout our organization. She wants all the domains to trust each other, which type of trust domain should she implement?

A

Transitive trust: A trust that can extend beyond two domains to other trusted domains in the forest.

59
Q

What is key stretching?

A

Key stretching deliberately slows password hashing (for example PBKDF2, bcrypt, scrypt or Argon2 with a high work factor) so that each verification costs a noticeable but acceptable delay for a legitimate user, up to a second or two. An attacker who must make millions of guesses pays that cost on every guess, which makes a brute-force attack infeasible.
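Added worked example (not part of the original deck): key stretching with PBKDF2-HMAC-SHA256 from the standard library, storing the iteration count beside the salt and measuring what the stretching costs an attacker per guess. Passwords and iteration counts are constructed; the single known-answer value is the published PBKDF2 test vector.

```python
import hashlib
import hmac
import os
import time


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the iteration count is the stretching factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def make_record(password: str, iterations: int = 600_000) -> dict:
    """Store salt, iteration count and derived key. Storing the count lets it be
    raised later (re-hash on next successful login) as hardware gets faster."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "hash": derive(password, salt, iterations)}


def verify(record: dict, password: str) -> bool:
    candidate = derive(password, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure how long one guess costs on this machine at a given iteration count."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        derive("benchmark-password", salt, iterations)
    return (time.perf_counter() - start) / samples


def attack_cost_seconds(guesses: int, iterations: int) -> float:
    """Projected time for a single-threaded attacker to try `guesses` candidates."""
    return guesses * seconds_per_guess(iterations)
```

Compare `attack_cost_seconds(10_000_000, 1)` with `attack_cost_seconds(10_000_000, 600_000)`: the legitimate user notices a fraction of a second per login, the attacker's dictionary run grows by the same factor on every guess. The salt from the earlier card is still required; stretching without a salt just produces a slower rainbow table.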

60
Q

What is transparency?

A

A characteristic of a service, security control, or access mechanism that ensures it is unseen by users.

61
Q

How are domains related to decentralized access control?

A

A domain is a realm of trust that shares a common security policy. This is a form of decentralized access control.

62
Q

What is masquerading?

A

Using another person’s secure ID to gain unauthorized entry into a facility.

63
Q

What is a cognitive password?

A

A series of questions about facts or predefined responses that only the subject should know.

64
Q

What is OAuth?

A

OAuth is an open authorization (delegation) framework designed to work over HTTP: it lets a user grant a third-party application limited access to their resources at another service without sharing their password. It is commonly used alongside SSO, but user authentication on top of OAuth is provided by OpenID Connect, not by OAuth itself.

65
Q

What can a user entitlement review detect?

A

Violations of the principle of least privilege, such as privilege creep (entitlements retained from previous roles or duties).

66
Q

What is the difference between HOTP and TOTP?

A

HOTP (HMAC-based One-Time Password): shared secret and an incrementing counter; a code is generated when asked for and stays valid until used.
TOTP (Time-based One-Time Password): shared secret and the current time; a new code is generated every 30 or 60 seconds, so synchronized clocks are critical.
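Added worked example (not part of the original deck) for cards 55 and 66: HOTP and TOTP as specified in RFC 4226 and RFC 6238, with both the token side (code generation) and the server side (verification with a counter look-ahead for HOTP and a clock-skew window for TOTP). The shared secret is the RFC test-vector secret, chosen so the outputs can be checked against the published values.

```python
import hashlib
import hmac
import struct
import time

# Constructed shared secret: the RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC(secret, 8-byte counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP where the counter is the number of `step`-second intervals since the epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits, algo)


def verify_hotp(secret: bytes, code: str, last_counter: int, look_ahead: int = 10):
    """Server side for HOTP: a code stays valid until used, so try the counters after the
    last accepted one (resynchronisation window). Returns the matched counter or None;
    the caller must persist the returned value so the same code cannot be replayed."""
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


def verify_totp(secret: bytes, code: str, now: float, step: int = 30, skew: int = 1) -> bool:
    """Server side for TOTP: accept the current interval plus or minus `skew` intervals
    to absorb clock drift; anything further away is rejected."""
    t = int(now // step)
    return any(hmac.compare_digest(hotp(secret, t + d), code) for d in range(-skew, skew + 1))
```

The difference between the two is entirely in where the counter comes from. For HOTP the server must advance its stored counter past every accepted value (otherwise the "valid till used" property is lost); for TOTP a production verifier should additionally remember the last accepted interval so that a code observed over the shoulder cannot be submitted a second time within the skew window.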

67
Q

What access control models would we prefer if confidentiality is the highest priority? Availability? Integrity?

A

If it is Confidentiality we would most likely go with Mandatory Access Control.
If it is Availability we would most likely go with Discretionary Access Control.
If it is Integrity we would most likely go with Role Based Access Control or Attribute Based Access Control.