Identify & Access Management .

Question 1

What are the core activities of identity and access management?

Answer 1

• Identification
• Authentication
• Authorization

Question 2

In an access control system, we seek to limit the access that _____ have to _____.

Answer 2

• Subjects

- Objects

Question 3

Access Controls work in three different fashions, what are they?

Answer 3

• Technical (or logical) Controls
• Physical Controls
• Administrative Controls

Question 4

This type of access control…

Uses hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.

Answer 4

Technical (logical) Controls

Question 5

This type of access control…

Such as locks and keys, limit physical access to controlled spaces.

Answer 5

Physical Controls

Question 6

This type of access control…

Such as account reviews, provide management of personnel and business practices.

Answer 6

Administrative Controls

Question 7

Multifactor authentication systems combine authentication technologies from two or more of the following categories: Something you know, Something you have, Something you are (T/F)?

Answer 7

True!

Question 8

What type of factor is…

• Something you know?
• Something you have?
• Something you are?

Answer 8

• Something you know (Type 1 factors)
• Something you have (Type 2 factors)
• Something you are (Type 3 factors)

Question 9

This type of authentication system…

Relies upon secret information, such as a password.

Answer 9

Something you know

Question 10

This type of authentication system…

Relies upon physical possession of an object, such as a smartphone.

Answer 10

Something you have

Question 11

This type of authentication system…

Relies on biometric characteristics of a person, such as a face scan or fingerprint.

Answer 11

Something you are

Question 12

Authentication technologies may experience two types of errors, what are they?

Answer 12

• False Positive

- False Negative

Question 13

How does a False Positive error occur?

Answer 13

Errors occur when a system accepts an invalid user as correct.

Question 14

How does a False Negative error occur?

Answer 14

Errors occur when a system rejects a valid user, measured using the false rejection rate (FRR).

Question 15

The effectiveness of an authentication technology uses what?

Answer 15

Crossover Error Rate (CER)

- This is where False Acceptance Rate (FAR) and False Rejection Rate (FRR) equal each other.

Question 16

Organizations often use centralized access control systems to streamline authentication and authorization and to provide users with a single sign on (SSO) experience (T/F)?

Answer 16

True!

Question 17

SSO/ Single Sign On, works with what kind of authentication method?

Answer 17

Kerberos

Question 18

______ is an authentication protocol commonly used for backend services.

Answer 18

RADIUS

Remote Authentication Dial-In User Service

Question 19

TACACS+ is the only protocol from the TACACS family that is still commonly used (T/F)?

Answer 19

True!

Question 20

What is the strongest AAA support for remote users?

Answer 20

TACACS+

Question 21

TACACS+ uses UDP and encrypts the entire body for the access request packet, making it more secure than RADIUS (T/F)?

Answer 21

True!

Question 22

RADIUS uses UDP and encrypts the entire body for the access request packet (T/F)?

Answer 22

False!

• RADIUS uses UDP, but encrypts only the password for the access request packet.

Question 23

The _____ _____ principle says that any action that is not explicitly authorized for a subject should be denied.

Answer 23

implicit deny

Question 24

What forms the basis of many access management systems and provides a listing of subjects and their permissions on objects and groups of objects?

Answer 24

Access Control Lists (ACLs)

Question 25

_______ access control systems allow the owners of objects to modify the permissions that other users have on those objects.

Answer 25

Discretionary

DAC

Question 26

_______ access control systems enforce predefined policies that users may not modify.

Answer 26

Mandatory

MAC

Question 27

______-______ access control assigns permissions to individual users based upon their assigned role(s) in the organization.

Answer 27

Role-based

RBAC

Question 28

What is the goal of a Brute Force Attack against passwords?

Answer 28

Brute Force Attacks against password systems try to guess all possible passwords.

Question 29

This type of attack refines a Brute Force Attack approach by testing combinations and permutations of dictionary words.

Answer 29

Dictionary Attacks

Question 30

This type of attack precomputes hash values for use in comparison.

Answer 30

Rainbow Table Attacks

Question 31

_____ passwords with a random value prior to hashing them reduces the effectiveness of rainbow table attacks.

Answer 31

Salting

Question 32

This type of attack intercepts a client’s initial request for a connection to a server and proxy that connection to the real service.

• The client is unaware that they are communicating through a proxy and the attacker can eavesdrop on the communication and inject commands.

Answer 32

Man-in-the-middle attack

Question 33

The Least Privilege principle says that users should be provided with the minimum set of privileges necessary to complete their job function (T/F)?

Answer 33

True!

Question 34

What does Separation of Duties do?

Answer 34

It ensures that a single user does not have the ability to perform two actions that, when combined, allow an undesirable result.

Question 35

Two-person control does not require the approval of two different individuals to take a sensitive action (T/F)?

Answer 35

False!

• Two-person control DOES require the approval of two different individuals to take a sensitive action.