Identity & Access Management Flashcards

1
Q

What are the core activities of identity and access management?

A
  • Identification
  • Authentication
  • Authorization

2
Q

In an access control system, we seek to limit the access that _____ have to _____.

A
  • Subjects
  • Objects

3
Q

Access Controls work in three different fashions, what are they?

A
  • Technical (or logical) Controls
  • Physical Controls
  • Administrative Controls

4
Q

This type of access control…

Uses hardware and software mechanisms, such as firewalls and intrusion prevention systems, to limit access.

A

Technical (logical) Controls

5
Q

This type of access control…

Uses mechanisms such as locks and keys to limit physical access to controlled spaces.

A

Physical Controls

6
Q

This type of access control…

Uses measures such as account reviews to provide management of personnel and business practices.

A

Administrative Controls

7
Q

Multifactor authentication systems combine authentication technologies from two or more of the following categories: Something you know, Something you have, Something you are (T/F)?

A

True!

8
Q

What type of factor is…

  • Something you know?
  • Something you have?
  • Something you are?
A
  • Something you know (Type 1 factors)
  • Something you have (Type 2 factors)
  • Something you are (Type 3 factors)

9
Q

This type of authentication system…

Relies upon secret information, such as a password.

A

Something you know

10
Q

This type of authentication system…

Relies upon physical possession of an object, such as a smartphone.

A

Something you have

11
Q

This type of authentication system…

Relies on biometric characteristics of a person, such as a face scan or fingerprint.

A

Something you are

12
Q

Authentication technologies may experience two types of errors, what are they?

A
  • False Positive
  • False Negative

13
Q

How does a False Positive error occur?

A

Errors occur when a system accepts an invalid user as correct.

14
Q

How does a False Negative error occur?

A

Errors occur when a system rejects a valid user, measured using the false rejection rate (FRR).

15
Q

The effectiveness of an authentication technology uses what?

A

Crossover Error Rate (CER)

  • This is where the False Acceptance Rate (FAR) and False Rejection Rate (FRR) equal each other.

16
Q

Organizations often use centralized access control systems to streamline authentication and authorization and to provide users with a single sign on (SSO) experience (T/F)?

A

True!

17
Q

SSO (single sign-on) works with what kind of authentication method?

A

Kerberos

18
Q

______ is an authentication protocol commonly used for backend services.

A

RADIUS

Remote Authentication Dial-In User Service

19
Q

TACACS+ is the only protocol from the TACACS family that is still commonly used (T/F)?

A

True!

20
Q

What is the strongest AAA support for remote users?

A

TACACS+

21
Q

TACACS+ uses UDP and encrypts the entire body for the access request packet, making it more secure than RADIUS (T/F)?

A

True!

22
Q

RADIUS uses UDP and encrypts the entire body for the access request packet (T/F)?

A

False!

  • RADIUS uses UDP, but encrypts only the password for the access request packet.
23
Q

The _____ _____ principle says that any action that is not explicitly authorized for a subject should be denied.

A

implicit deny

24
Q

What forms the basis of many access management systems and provides a listing of subjects and their permissions on objects and groups of objects?

A

Access Control Lists (ACLs)

25
Q

_______ access control systems allow the owners of objects to modify the permissions that other users have on those objects.

A

Discretionary

DAC

26
Q

_______ access control systems enforce predefined policies that users may not modify.

A

Mandatory

MAC

27
Q

______-______ access control assigns permissions to individual users based upon their assigned role(s) in the organization.

A

Role-based

RBAC

28
Q

What is the goal of a Brute Force Attack against passwords?

A

Brute Force Attacks against password systems try to guess all possible passwords.

29
Q

This type of attack refines a Brute Force Attack approach by testing combinations and permutations of dictionary words.

A

Dictionary Attacks

30
Q

This type of attack precomputes hash values for use in comparison.

A

Rainbow Table Attacks

31
Q

_____ passwords with a random value prior to hashing them reduces the effectiveness of rainbow table attacks.

A

Salting

32
Q

This type of attack intercepts a client's initial request for a connection to a server and proxies that connection to the real service.

  • The client is unaware that they are communicating through a proxy and the attacker can eavesdrop on the communication and inject commands.
A

Man-in-the-middle attack

33
Q

The Least Privilege principle says that users should be provided with the minimum set of privileges necessary to complete their job function (T/F)?

A

True!

34
Q

What does Separation of Duties do?

A

It ensures that a single user does not have the ability to perform two actions that, when combined, allow an undesirable result.

35
Q

Two-person control does not require the approval of two different individuals to take a sensitive action (T/F)?

A

False!

  • Two-person control DOES require the approval of two different individuals to take a sensitive action.