IAM Flashcards

1
Q

ability to make use of any information system resources

A

access

2
Q

entity responsible for monitoring and granting access privileges for other authorized entities

A

access authority

3
Q

mediation of subject and object interactions

A

access control

4
Q

object based description of a single resource and the permission of each subject

A

access control list

5
Q

object based description of a system or multiple resources

A

access control matrix

6
Q

type of access control specification in which a user, program, and data items are listed for each allowed operation

A

access control triple

7
Q

hierarchical portion of the security level used to identify data sensitivity and user clearance or authorization. Note: The access level and the non-hierarchical categories form the sensitivity label of an object.

A

access level

8
Q

segment of time, generally expressed on a daily or weekly basis, during which access rights prevail

A

access period

9
Q

risk-reducing principle that attempts to avoid prolonging access time to specific data or to the system beyond what is needed to carry out requisite functionality

A

access time minimization

10
Q

nature of an access right to a particular device, program, or file (read, write, execute, append, modify, delete, or create)

A

access type

11
Q

ability to obtain the use of a computer system or a resource or the ability and means necessary to store data, retrieve data, or communicate with a system

A

accessibility

12
Q

responsibility of a user for the actions taken by their account, which requires unique identification

A

accountability

13
Q

process of requesting, establishing, issuing, and closing user accounts

A

account management

14
Q

communication based, typically written or oral. Paperwork; cannot hurt an adversary.

A

Administrative - control type

15
Q

policy is a function of a subject's characteristics

A

Attribute-based Access Control (ABAC)

16
Q

binary decision by a system of permitting or denying access to the entire system

A

Authentication

17
Q

granular decision by a system of permitting or denying access to a particular resource on the system

A

Authorization

18
Q

evaluation of a system without prior knowledge by the tester

A

Blind testing

19
Q

subject based description of a system or a collection of resources

A

Capability Tables

20
Q

to segregate for the purposes of labeling

A

Compartmentalize

21
Q

more than one control on a single asset

A

Compensating - control category

22
Q

system mediation of access with the focus on the context of the request

A

Content Dependent Access Control

23
Q

tool which mediates access

A

Control

24
Q

most granular organization of controls

A

Control category

25
Q

less granular organization of controls

A

Control type

26
Q

to restore to a previous state by removing the adversary and/or the results of their actions

A

Corrective - control category

27
Q

consume resources to a point of exhaustion, loss of availability

A

Denial of Service

28
Q

to record an adversary’s actions

A

Detective - control category

29
Q

to discourage an adversary from attempting to access

A

Deterrent - control category

30
Q

to give instructions or inform

A

Directive - control category

31
Q

owner directed mediation of access

A

Discretionary

32
Q

sphere of influence

A

Domain

33
Q

evaluation of a system without prior knowledge by the tester or the tested

A

Double blind testing

34
Q

a client/server protocol developed in 1990 by Cisco. Separates authentication, authorization, and accounting.

A

Extended TACACS (XTACACS) - Terminal Access Controller Access Control System

35
Q

to assert or claim credentialing to an authentication system

A

Identification

36
Q

controls for logging and alerting

A

Intrusion Detection Systems

37
Q

controls for termination of attempt to access object

A

Intrusion Prevention Systems

38
Q

authentication protocol which only uses symmetric session keys between principals, distributed by a third party using different preshared symmetric keys

A

Kerberos

39
Q

recording activities at the keyboard level

A

Keystroke Logging. Threat adversarial

40
Q

to set the clearance of a subject or the classification of an object

A

Labeling

41
Q

just enough access to do the job

A

Least privilege

42
Q

system directed mediation of access with labels

A

Mandatory

43
Q

physical description on the exterior of an object that communicates the existence of a label

A

Marking

44
Q

claiming another’s identity at a physical level

A

Masquerading. Threat adversarial

45
Q

requirement of access to data for a clearly defined purpose

A

Need-to-know

46
Q

system directed mediation of access without labels and not reprogrammable at run time, typically referring to physical devices, not technical systems.

A

Non-discretionary

47
Q

passive system resource

A

Object

48
Q

to reveal authentication credentials

A

Password cracking. Threat adversarial

49
Q

authorized security personnel using the tools and techniques of attackers to determine vulnerabilities of systems for the purpose of remediation planning

A

Penetration testing

50
Q

authorization for a subject to interact with an object

A

Permission

51
Q

tangible barrier to entry. Will hurt adversary.

A

Physical - control type

52
Q

to stop the adversary before system access

A

Preventive - control category

53
Q

system mediation of access with the focus on the object’s privacy

A

Privacy-Aware Role Based Access Control

54
Q

a client/server protocol that provides authentication and authorization for remote users. Provides accounting capabilities. Transport uses UDP. Encryption for password only. Authentication and authorization are combined.

A

RADIUS - Remote Authentication Dial in User Service

55
Q

to restore to a previous state with some data loss

A

Recovery - control category

56
Q

Policy changes dynamically based on the risk environment

A

Risk-adaptive access control (RAdAC)

57
Q

system mediation of access with the focus on the function or role of the subject

A

Role Based Access Control

58
Q

system mediation of access with the focus on the function, either a group concept or source & destination

A

Rule Based Access Control

59
Q

authentication protocol which uses both asymmetric and symmetric keys

A

SESAME

60
Q

to physically view another’s keyboard and monitor activities

A

Shoulder Surfing. Threat adversarial

61
Q

one account is used for many resources

A

Single Sign-On

62
Q

to convince another to take an inappropriate action through manipulation

A

Social Engineering. Threat adversarial

63
Q

claiming another’s identity at a technical level

A

Spoofing. Threat adversarial

64
Q

active system entity

A

Subject

65
Q

a client/server protocol that was developed to control who could use dial-up lines.

A

TACACS - Terminal Access Controller Access Control System

66
Q

a Cisco-proprietary protocol developed to provide access control for routers, network access servers, and other network devices via one or more centralized servers. Transport uses TCP. Encryption for the entire body of the packet. Authentication and authorization are separated.

A

TACACS+ - Terminal Access Controller Access Control System Plus

67
Q

narrow scope examination of a system

A

Targeted testing

68
Q

hardware and/or software mechanisms which require system interaction to gain access. Adversary must choose to interact.

A

Technical (Logical) - control type

69
Q

system mediation of access with the focus on the time of day

A

Temporal Isolation

70
Q

an application with a secondary purpose or execution unknown to the user, which uses the account of the user to gain access or control of a system

A

Trojan Horse

71
Q

Authentication Services (Controls)

A

Proper registration/enrollment
Protect databases
2FA
Account expirations
Password manager/vault

72
Q

Authentication Services (Threats)

A

User Password Management
Adversarial
Single Sign On