IAM

Question 1

ability to make use of any information system resources

Answer 1

access

Question 2

entity responsible for monitoring and granting access privileges for other authorized entities

Answer 2

access authority

Question 3

mediation of subject and object interactions

Answer 3

access control

Question 4

object based description of a single resource and the permission of each subject

Answer 4

access control list

Question 5

object based description of a system or multiple resources

Answer 5

access control matrix

Question 6

type of access control specification in which a user, program, and data items are listed for each allowed operation

Answer 6

access control triple

Question 7

hierarchical portion of the security level used to identify data sensitivity and user clearance or authorization. Note: The access level and the non-hierarchical categories form the sensitivity label of an object.

Answer 7

access level

Question 8

segment of time, generally expressed on a daily or weekly basis, during which access rights prevail

Answer 8

access period

Question 9

risk-reducing principle that attempts to avoid prolonging access time to specific data or to the system beyond what is needed to carry out requisite functionality

Answer 9

access time minimization

Question 10

nature of an access right to a particular device, program, or file (read, write, execute, append, modify, delete, or create)

Answer 10

access type

Question 11

ability to obtain the use of a computer system or a resource or the ability and means necessary to store data, retrieve data, or communicate with a system

Answer 11

accessibility

Question 12

responsibility of a user for the actions taken by their account which requires unique identification

Answer 12

accountability

Question 13

process of requesting, establishing, issuing, and closing user accounts

Answer 13

account management

Question 14

that is communication based, typically written or oral. Paperwork, cannot hurt adversary.

Answer 14

Administrative - control type

Question 15

Policy a function of a subject’s characteristics

Answer 15

Attribute -based Access Control (ABAC)

Question 16

binary decision by a system of permitting or denying access to the entire system

Answer 16

Authentication

Question 17

granular decision by a system of permitting or denying access to a particular resource on the system

Answer 17

Authorization

Question 18

evaluation of a system without prior knowledge by the tester

Answer 18

Blind testing

Question 19

subject based description of a system or a collection of resources

Answer 19

Capability Tables

Question 20

to segregate for the purposes of labeling

Answer 20

Compartmentalize

Question 21

more than one control on a single asset

Answer 21

Compensating - control category

Question 22

system mediation of access with the focus on the context of the request

Answer 22

Content Dependent Access Control

Question 23

tool which mediates access

Answer 23

Control

Question 24

most granular organization of controls

Answer 24

Control category

Question 25

less granular organization of controls

Answer 25

Control type

Question 26

to restore to a previous state by removing the adversary and or the results of their actions

Answer 26

Corrective - control category

Question 27

consume resources to a point of exhaustion, loss of availability

Answer 27

Denial of Service

Question 28

to record an adversary’s actions

Answer 28

Detective - control category

Question 29

to discourage an adversary from attempting to access

Answer 29

Deterrent - control category

Question 30

to give instructions or inform

Answer 30

Directive- control category

Question 31

owner directed mediation of access

Answer 31

Discretionary

Question 32

sphere of influence

Answer 32

Domain

Question 33

of a system without prior knowledge by the tester or the tested

Answer 33

Double blind testing

Question 34

a client/server protocol developed in 1990 by Cisco. Separates authentication, authorization, and accounting.

Answer 34

Extended TACACS (XTACACS) - Terminal Access Controller Access Control System

Question 35

to assert or claim credentialing to an authentication system

Answer 35

Identification

Question 36

controls for logging and alerting

Answer 36

Intrusion Detection Systems

Question 37

controls for termination of attempt to access object

Answer 37

Intrusion Prevention Systems

Question 38

authentication protocol which only uses symmetric session keys between principals distributed by a 3rd party using different preshared symmetric keys

Answer 38

Kerberos

Question 39

recording activities at the keyboard level

Answer 39

Keystoke Logging. Threat adversarial

Question 40

to set the clearance of a subject or the classification of an object

Answer 40

Labeling

Question 41

just enough access to do the job

Answer 41

Least privilege

Question 42

system directed mediation of access with labels

Answer 42

Mandatory

Question 43

physical description on the exterior of an object that communicates the existence of a label

Answer 43

Marking

Question 44

claiming another’s identity at a physical level

Answer 44

Masquerading. Threat adversarial

Question 45

requirement of access to data for a clearly defined purpose

Answer 45

Need-to-know

Question 46

system directed mediation of access without labels and not reprogrammable at run time, typically referring to physical devices, not technical systems.

Answer 46

Non-discretionary

Question 47

passive system resource

Answer 47

Object

Question 48

to reveal authentication credentials

Answer 48

Password cracking. Threat adversarial

Question 49

authorized security personnel using the tools and techniques of attackers to determine vulnerabilities of systems for the purpose of remediation planning

Answer 49

Penetration testing

Question 50

authorization for a subject to interact with an object

Answer 50

Permission

Question 51

tangible barrier to entry. Will hurt adversary.

Answer 51

Physical - control type

Question 52

to stop the adversary before system access

Answer 52

Preventive - control category

Question 53

system mediation of access with the focus on the object’s privacy

Answer 53

Privacy-Aware Role Based Access Control

Question 54

a client/server protocol that provides authentication and authorization for remote users. Provides accounting capabilities. Transport uses UDP. Encryption for Password only. Authentication and authorization is combined.

Answer 54

RADIUS - Remote Authentication Dial in User Service

Question 55

to restore to a previous state with some data loss

Answer 55

Recovery - control category

Question 56

Policy changes dynamically based on the risk environment

Answer 56

Risk-adaptive access control (RAdAC)

Question 57

system mediation of access with the focus on the function or role of the subject

Answer 57

Role Based Access Control

Question 58

system mediation of access with the focus on the function either group concept or source & destination

Answer 58

Rule Based Access Control

Question 59

authentication protocol which uses both asymmetric and symmetric keys

Answer 59

SESAME

Question 60

to physically view another’s keyboard and monitor activities

Answer 60

Shoulder Surfing. Threat adversarial

Question 61

one account is used for many resources

Answer 61

Single Sign-On

Question 62

to convince another to take an inappropriate action through manipulation

Answer 62

Social Engineering. Threat adversarial

Question 63

claiming another’s identity at a technical level

Answer 63

Spoofing. Threat adversarial

Question 64

active system entity

Answer 64

Subject

Question 65

a client/server protocol that was developed to control who could use dial-up lines.

Answer 65

TACACS - Terminal Access Controller Access Control System

Question 66

a Cisco-proprietary protocol developed to provide access control for routers, network access servers, and other network devices via one or more centralized servers. Transport uses TCP. Encryption for entire body of packet. Authentication and authorization is separated.

Answer 66

TACACS+ - Terminal Access Controller Access Control System Plus

Question 67

narrow scope examination of a system

Answer 67

Targeted testing

Question 68

hardware and or software mechanisms which require system interaction to gain access. Adversary must choose to interact.

Answer 68

Technical (Logical) - control type

Question 69

system mediation of access with the focus on the time of day

Answer 69

Temporal Isolation

Question 70

an application with a secondary purpose or execution unknown to the user, which uses the account of the user to gain access or control of a system

Answer 70

Trojan Horse

Question 71

Authentication Services (Controls)

Answer 71

Proper registration/enrollment
Protect databases
2FA
Account expirations
Password manager/vault

Question 72

Authentication Services (Threats)

Answer 72

User Password Management
Adversarial
Single Sign On