Domain Four: Identity and Access Management Flashcards

1
Q

What is the notion of accountability in IAM?

A

The ability to report on and understand who changed what, and when.

2
Q

What is authentication?

A

This is the process that verifies an identity.

3
Q

What is authorisation?

A

Determines what can be done through a process of allowing and denying access to resources.

4
Q

What is federation?

A

Similar to SSO, but it spans multiple enterprises rather than just systems within a single enterprise.

5
Q

Why is identification important?

A

We need to be able to identify resources; this includes things such as hardware, software, people and processes.

6
Q

What is multi-factor authentication?

A

It is a combination of two or more types of authentication.

There are five different types:

What you are (biometric)
What you have (token)
What you know (passwords)
Where you are (location)
What you do

7
Q

What is single sign-on?

A

This is the transfer of credentials between systems: the ability to have a single login for multiple systems.

8
Q

What is transitive trust?

A

Transitive trust is the concept that if one domain trusts another, then the trusted domain is also trusted by any domain that trusts the initial domain.

If A trusts B and B trusts C, then A trusts C.

9
Q

In IAM, what is the notion of account maintenance?

A

Account maintenance refers to all the processes that are run to make sure that the account is valid and appropriate for its needs.

10
Q

Define guest accounts.

A

Limited access accounts for guest users.

11
Q

Define privileged accounts.

A

They often have higher permissions than general user accounts and are only assumed by certain users who need to perform higher-order tasks outside their day-to-day activity. They should be closely monitored.

12
Q

What is a service account?

A

Service accounts are similar to shared accounts in that they are also tied to a job function, but unlike shared accounts they do not need human interaction to achieve the task at hand.

13
Q

What is a shared account?

A

These are accounts used by multiple people to achieve a job function, such as backup administrator. They should be monitored regularly, and some organisations only allow them to be assumed rather than logged into directly.

14
Q

Define a user account.

A

These are accounts attributed to individual users; they may have a friendly name and also a unique ID. Often it is the unique ID that is logged.

You should not immediately delete an account when a user leaves, because you get tombstoning: the user has left, so there is nothing to tie the logged user ID back to. Most organisations recommend a 90-day account disablement period before deletion.

15
Q

What is group-based access control?

A

This refers to assigning users to groups that have permissions rather than handling individual users. This is done to ease the admin overhead and complexity.

16
Q

Why do we need a secure JML process?

A

We should have a rigorous JML (joiners, movers, leavers) process to stop people retaining access after they leave the organisation or accumulating access as they move from position to position.

17
Q

What is the concept of least privilege?

A

Only assign the minimum permissions required to achieve the job function.

18
Q

What is the process of recertification?

A

It is the process of verifying that an account is still required; it can be done via reports looking at when the account was last accessed.

At HMRC there is a process that flags all AWS user accounts that have not been logged into for 30 days.

19
Q

Why should we have a standard naming convention for accounts?

A

Accounts should be named with a standard naming convention that can accommodate growth but does not display information that would be useful to an attacker.

mark.teasdale@acme.co.uk is a good example.

20
Q

What is the concept of time-managed accounts?

A

Only allow access for a specified time period; this could be normal working hours or, for highly dangerous accounts, a window measured in hours.

21
Q

What is credential management?

A

Refers to the policies, procedures and techniques used to manage credentials.

22
Q

What is account lockout?

A

Used when suspected nefarious activity is seen or rules are violated, such as more than three attempts to log in.

23
Q

What are Group Policy Objects?

A

A Microsoft technology that can be controlled centrally from the enterprise and applied on the local machine to control credential settings and password complexity rules.

24
Q

What is password history?

A

We should limit the reuse of passwords by having a policy on historical passwords.

25
Q

What are some of the elements contained in a password policy?

A

An enforceable policy that sets out the rules on what constitutes an acceptable password:

Password length
Renewal
Symbols allowed
Case
Numbers
Expiry rules

26
Q

What is attribute access control?

A

Grants access if the attributes of both the resource and the user are sufficient. It uses Boolean logic (IF this user has this attribute, THEN this user has this access to the resource).

27
Q

What is FAR in biometrics?

A

FAR (False Acceptance Rate): the rate at which people are incorrectly granted access.

28
Q

What is FRR in biometrics?

A

FRR (False Rejection Rate): the rate at which people are incorrectly refused access.

29
Q

What is CER in biometrics?

A

Crossover Rate: when tuning a device, this is the rate at which FRR = FAR, which is the ideal operating point.

30
Q

What is discretionary access control?

A

This is where resource owners or administrators determine the permissions of other users over those resources.

31
Q

What is mandatory access control?

A

Used primarily in government and military settings. In MAC subjects (users) and objects (resources) are assigned classification levels. Rules enforce whether a user has access to a resource or not based on those classification levels.

32
Q

What is role-based access control?

A

Roles are matched to job functions, and each role has a set of permissions that grant access to resources. Users are then assigned to the relevant role.

33
Q

What is rule-based access control?

A

Access is granted based on a set of rules; this can quickly become cumbersome because of the maintenance required.

34
Q

What are the two types of tokens in IAM?

A

Hardware tokens (e.g. RSA)
Software tokens (e.g. Google Authenticator)

35
Q

What is the Challenge Handshake Authentication Protocol?

A

Challenge Handshake Authentication Protocol (CHAP) is used to provide authentication over a point-to-point protocol.

Authentication is continuously verified through a challenge/response system in which the server periodically challenges the client. The server sends the challenge, the client uses a one-way hashing function to calculate the response and sends it back to the server. The server compares the response with the expected response and, if they match, the communication continues.

MS-CHAP is a Microsoft version introduced with Windows 2000.

36
Q

What is Kerberos?

A

It is an SSO solution where, once authenticated, users receive a ticket that can be used to access other resources.

37
Q

What is LDAP?

A

LDAP is a lightweight implementation of the Directory Access Protocol and is a way of governing resources, especially credentials, across the enterprise. It implements the X.500 standard.

38
Q

What are the two governing bodies of DAP?

A

There are two governing bodies:

International Telecommunication Union (ITU) for the X.500 standard
Internet Engineering Task Force (IETF) for its internet usage

39
Q

Why has the Microsoft product NTLM been deprecated?

A

A Microsoft product, mainly replaced by Kerberos because of its use of the weak MD4 algorithm.

40
Q

What is OAuth?

A

A token exchange pattern that grants authorisation and access to resources remotely over the internet for web, mobile and desktop applications; used by Google, among others.

41
Q

What is OpenID?

A

Used in conjunction with OAuth, but provides more information about the user stored in the IdP. It is often an additional call to the IdP over and above the authentication calls, which are handled by OAuth.

Used mainly in federated situations with web applications and APIs.

42
Q

What is the Password Authentication Protocol?

A

Password Authentication Protocol (PAP) is the predecessor to CHAP and is deprecated because both the username and password were sent in clear text.

43
Q

What is RADIUS?

A

Remote Authentication Dial-In User Service is a very common authentication protocol in use today.

44
Q

What ports does RADIUS use?

A

It uses UDP port 1812 for authentication and authorisation and UDP port 1813 for accounting.

45
Q

What is SAML?

A

An XML-based open standard for exchanging authentication and authorisation information between an identity provider and a service provider. Used primarily for SSO in web-based applications.

SAML issues information about a user's successful authentication and authorisation.

46
Q

What is Shibboleth?

A

Used where organisations need SSO but have incompatible authentication and authorisation mechanisms. Started in 2000 but still not widely adopted. Based on SAML; it uses HTTP POST to push profiles from the identity provider to the service provider.

47
Q

What is TACACS?

A

Terminal Access Controller Access Control System is another client-server authentication protocol. Unlike RADIUS, it uses only one port, TCP 49, for both authentication and authorisation.

Cisco created a proprietary version, XTACACS, which is the basis of the version used today, TACACS+.

TACACS+ has additional support for accounting.

48
Q

What port does TACACS use?

A

TCP port 49.

49
Q

What are the five common ways to assert identity?

A

Usernames
Certificates
Tokens
SSH Keys
Smartcards

50
Q

What is the most common authentication mechanism for wireless networks?

A

EAP

51
Q

What is the main characteristic of Kerberos?

A

Authentication via a ticketing system over an untrusted network.

52
Q

What is the main weakness of RADIUS?

A

The main weakness of RADIUS is that it sends passwords obfuscated only by a shared secret and an MD5 hash, so to add extra protection it is often used in conjunction with IPsec tunnels.

53
Q

How does RADIUS work?

A

A RADIUS client (or Network Access Server) is a networking device (such as a VPN concentrator, router or switch) that is used to authenticate users.

A RADIUS Server is a background process that runs on a UNIX or Windows server. It lets you maintain user profiles in a central database. Hence, if you have a RADIUS Server, you have control over who can connect with your network.

When a user tries to connect to a RADIUS Client, the Client sends requests to the RADIUS Server. The user can connect to the RADIUS Client only if the RADIUS Server authenticates and authorizes the user.

54
Q

Do RADIUS servers offer accounting functionality?

A

RADIUS Servers are also used for accounting purposes. RADIUS accounting collects data for network monitoring, billing, or statistical purposes. The accounting process typically starts when the user is granted access to the RADIUS Server. However, RADIUS accounting can also be used independently of RADIUS authentication and authorization.

55
Q

What are the differences between TACACS and RADIUS?

A

Because TCP is a connection-oriented protocol, TACACS+ has to implement transmission control. RADIUS, however, is not required to detect and correct transmission errors such as packet loss or timeouts, as it makes use of UDP, which is connectionless. RADIUS encrypts only the user's password as it travels from the RADIUS client to the RADIUS server. All other information, such as the username, authorisation and accounting, is transmitted in clear text. Therefore, it is vulnerable to different types of attacks. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.

56
Q

What's the difference between federation and SSO?

A

Federation is similar to SSO, but it spans multiple enterprises rather than just systems within a single enterprise.

57
Q

In federation terminology, what does the principal refer to?

A

The principal normally refers to the user.

58
Q

In federation terminology, what is the role of the IdP?

A

Provision of identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be.

59
Q

In federation terminology, what is a service provider?

A

Provides services to users whose identities have been attested to by an IdP; also known as a relying party.

60
Q

What are the additional recommendations from NIST around passwords?

A

Allow pasting into password fields
Eliminate password hints
Reduce password complexity in favour of increasing length
Do not require special characters
Monitor new passwords

61
Q

What's the most common way to undermine MFA OTP?

A

Phishing

62
Q

What are the two most common OTP protocols?

A

Time-based OTP (TOTP) and HMAC-based OTP (HOTP)

63
Q

What is the False Rejection Rate (Type I error) in biometrics?

A

The rate of incorrect rejections, where the biometric was valid.

64
Q

What is the False Acceptance Rate in biometrics?

A

The rate of incorrect acceptances, where the biometric was invalid.

65
Q

What measure compares FAR and FRR?

A

Receiver Operating Characteristic (ROC)

66
Q

In PAM, what are JIT permissions?

A

Permissions that are removed after time expiration or a task has been completed.

67
Q

In PAM, what is password vaulting?

A

Allows users to access privileged accounts without handling the passwords themselves.

68
Q

In PAM, what are ephemeral accounts?

A

Accounts with a limited lifespan, such as guest accounts.

69
Q

What is the least secure MFA technique?

A

SMS replies, which can be intercepted with cloned SIMs.

70
Q

What is an example of something you can do?

A

Windows Picture Password

71
Q

Does attribute access control include time of access as an attribute?

A

Yes.

72
Q

What is access federation?

A

Federation allows different organisations to share digital identities, enabling single sign-on across them. While centralised access management manages access centrally, it does not necessarily mean sharing digital identities across different organisations.

73
Q

What type of backup copies every transaction?

A

Journaling is a form of backup that involves recording all transactions in a system, which can be used to restore the system to a previous state.

74
Q

What is a statement of work?

A

It provides detailed instructions and requirements for specific tasks or projects to be carried out by a vendor, making it suitable for a software development project.

75
Q

In incident response, what is acquisition?

A

Acquisition involves identifying and gathering evidence related to the security incident. This may include collecting logs from affected systems, taking disk images, or other procedures to catalogue everything that may be used as evidence in a court proceeding.

76
Q

Why does NIST not recommend password complexity enforcement?

A

Complexity can lead to more employees writing down their passwords. A better option is encouraging employees to keep their passwords confidential and use strong, unique passwords for each account, which is a crucial aspect of password management best practice.

77
Q

What is the execution phase of security awareness practices?

A

The Execution phase is where security awareness policies and procedures are put into operation, encompassing actions like user training, dissemination of awareness resources, and monitoring the efficacy of the awareness initiative.

78
Q

Does a SIEM require agent-based software?

A

No.

79
Q

What is the difference between end-of-life and legacy?

A

End-of-life refers to hardware that is no longer supported by the manufacturer, often leading to unpatched and exploitable vulnerabilities. Legacy hardware denotes older systems or components still in use, which can be vulnerable, but doesn’t necessarily mean they are unsupported or at their end-of-life.

80
Q

What is e-discovery?

A

E-discovery is an essential component of incident response and primarily relates to the collection and handling of electronic data. It is designed to be used as evidence in legal cases and includes in its scope anything that is stored electronically: emails, documents, databases, presentation files, voicemails, video/audio files, social media posts, and more.

81
Q

What is the recommended encryption protocol for wireless today?

A

AES is currently the most secure and widely adopted encryption protocol for wireless networks. Its strong encryption algorithms and extensive testing demonstrate its effectiveness against various attacks. AES is the recommended choice for ensuring robust security in wireless communication. It is not deprecated. While TKIP was an improvement over an older encryption protocol, it is still considered weak and has known vulnerabilities.

82
Q

What is the workforce multiplier?

A

The workforce multiplier refers to the ability to scale and amplify the effectiveness of the security team by combining the efforts of human professionals with automation and orchestration.
