Identity and Access Management Flashcards
What method of access control is best suited for environments with a high rate of employee turnover?
MAC
DAC
RBAC
RBAC
Role-based access control (RBAC) is best suited for environments with a high rate of employee turnover, because access is defined against static job descriptions rather than transitive user accounts (DAC and ACL) or assigned clearances (MAC).
What mechanism is used to support the exchange of authentication and authorization details between systems, services, and devices?
Biometric
Two-factor authentication
SAML
SAML
SAML is an open standard data format based on XML for the purpose of supporting the exchange of authentication and authorization details between systems, services, and devices. A biometric is an authentication factor, not a means of exchanging authentication information. Two-factor authentication is the use of two authentication factors. LDAP is a protocol used by directory services and is not directly related to authentication.
Which is the strongest form of password?
More than eight characters
One-time use
Static
One-time use
A one-time password is always the strongest form of password. A static password is always the weakest form of password. Passwords with more than eight characters and those that use different types of keyboard characters are usually strong, but these factors alone are unable to indicate their strength.
Which of the following technologies can be used to add an additional layer of protection between a directory services–based network and remote clients?
SMTP
RADIUS
PGP
RADIUS
RADIUS is a centralized authentication solution that adds an additional layer of security between a network and remote clients. SMTP is the email-forwarding protocol used on the Internet and intranets. PGP is a security solution for email. VLANs are created by switches to logically divide a network into subnets.
Which of the following is not a benefit of single sign-on?
The ability to browse multiple systems
Fewer usernames and passwords to memorize
More granular access control
More granular access control
Single sign-on doesn’t address access control and therefore doesn’t provide granular or nongranular access control. Single sign-on provides the benefits of the ability to browse multiple systems, fewer credentials to memorize, and the use of stronger passwords.
Federation is a means to accomplish ________.
Accountability logging
ACL verification
Single sign-on
Single sign-on
Federation or federated identity is a means of linking a subject’s accounts from several sites, services, or entities in a single account. Thus it is a means to accomplish single sign-on. Accountability logging is used to relate digital activities to humans. ACL verification is a means to verify that correct permissions are assigned to subjects. Trusted OS hardening is the removal of unneeded components and securing the remaining elements.
You have been tasked with installing new kiosk systems for use in the retail area of your company’s store. The company elected to use standard equipment and an open-source Linux operating system. You are concerned that everyone will know the default password for the root account. What aspect of the kiosk should be adjusted to prevent unauthorized entities from being able to make system changes?
Authorization
Accounting
Authentication
Authentication
Since the open-source Linux system likely has a default root password, changing the default password to something unique will have the effect of preventing unauthorized entities from making system changes. Passwords are part of the authentication system. Authorization is access control or the ability to interact with resource objects.
Your company has several shifts of workers. Overtime and changing shifts are prohibited due to the nature of the data and the requirements of the contract. To ensure that workers are able to log into the IT system only during their assigned shifts, you should implement what type of control?
Multifactor authentication
Time-of-day restrictions
Location restrictions
Time-of-day restrictions
Time-of-day restrictions are used to limit or restrict what time of day, and often what day of the week, a specific user account can log on to the network or a specific system can be accessed by users.
Your company has recently purchased Cisco networking equipment. When you are setting up to allow remote access, what means of AAA service is now available to your organization?
RADIUS
X.500
TACACS+
TACACS+
TACACS+ is a Cisco proprietary AAA service that is available only when using Cisco hardware.
Your organization has recently decided to allow some employees to work from home two days a week. While configuring the network to allow for remote access, you realize the risk this poses to the organization’s infrastructure. What mechanism can be implemented to provide an additional barrier against remote access abuse?
Kerberos
Single sign-on
RADIUS
RADIUS
RADIUS is an AAA server that can be used as an additional security barrier between external connections and the private network. A remote access–focused AAA service protects the internal domain controllers from abuse caused by remote connections.
You are developing a smart app that will control a new IoT device that automates blinking light fixtures in time with the beat of music. You want to make using the device as simple as possible, so you want to adopt an authentication technique that is seamless for the user. Which technology should you integrate into your app and device?
OpenID Connect
Shibboleth
A secure token
OpenID Connect
OpenID Connect is an Internet-based single sign-on solution. It operates over the OAuth protocol (OAuth is an open standard for authentication and access delegation [federation]) and can be used in relation to web services as well as smart-device apps. The purpose or goal of OpenID Connect is to simplify the process by which applications are able to identify and verify users. Shibboleth is optimized for websites, not for devices and apps.
How are effective permissions calculated?
Count the number of allows, subtract the number of denials
Accumulate allows, remove denials
Look at the user’s clearance level
Accumulate allows, remove denials
Effective permissions are calculated by accumulating all allows or grants of access to a resource, and then subtracting or removing any denials to that resource.
What form of authorization is based on a scheme of characteristics related to the user, the object, the system, the application, the network, the service, time of day, or even other subjective environmental concerns?
RBAC
DAC
ABAC
ABAC
Attribute-based access control (ABAC) is a mechanism for assigning access and privileges to resources through a scheme of attributes or characteristics. The attributes can be related to the user, the object, the system, the application, the network, the service, the time of day, or even other subjective environmental concerns.
Your organization wants to integrate a biometric factor into the existing multifactor authentication system. To ensure alignment with company priorities, what tool should be used in selecting which type or form of biometric to use?
CER comparison
OAuth verifier
Zephyr analysis chart
Zephyr analysis chart
When an organization decides to implement a biometric factor, it is important to evaluate the available options in order to select a biometric solution that is most in line with the organization’s security priorities. One method to accomplish this is to consult a Zephyr analysis chart. This type of chart presents the relative strengths and weaknesses of various characteristics of biometric factor options.
What type of biometric error increases as the sensitivity of the device increases?
FAR
FRR
CER
FRR
FRR (false rejection rate) errors increase with sensitivity, whereas FAR (false acceptance rate) errors decrease with an increase in sensitivity.