Identity and access management Flashcards
What provides a near real-time account creation and provisioning process?
JIT
What error type presents an organization with higher risk impacts?
Type 2 - granting access when it should be denied
Is the physiological characteristic being measured, such as a retina scan, correctly referred to as a security token?
No
The point of equilibrium between false acceptance and false rejection in any authentication or authorization process
The cross-over error rate
Where there are more false acceptances than rejections is known as a
False Acceptance Rate (FAR) or Type II error
Where there are more false rejections than acceptances is a
False Rejection Rate (FRR) or Type I error and measures the rate at which the system fails to recognize a legitimate identity and denies access, again, as a fraction of the total number of attempts.
What are the three A’s of access management?
Authentication
Authorisation
Accounting
There are two primary access control systems
logical and physical
This form of access control allows for the greatest flexibility in controls along with the greatest vulnerabilities.
Discretionary Access Control (DAC)
This facilitates the setting of stricter permissions for access, based on risk. For this reason, it is often called risk-intelligent access control.
Attribute-based access control
When considering modern implementations of access control, which model maps users to applications and then roles?
Limited RBAC - In a limited RBAC (Role-Based Access Control) model, the user is first assigned access permission to an application and to a given role within that application; so, a user might have access to a financial application but only as a user, not a developer.
Authorization can have two meanings:
- The initial decision to grant certain permissions to an identity, with respect to actions they can take in the future regarding particular objects.
- The real-time confirmation that a request to perform an action, by a subject, toward a given object is allowed by the privileges that have been defined for that subject, object, and other criteria that may apply.
Is Kerberos an example of an identity store?
Yes
Is X.500 an identity store?
Yes
This is a lightweight version of X.500
LDAP
The Achilles’ heel of Kerberos
Encryption processes are ultimately based on passwords. Therefore, it can fall victim to traditional password-guessing attacks.
Where is a potential single point of failure for Kerberos?
KDC - it is therefore not unusual to see many of them on a network
What are the three roles within Security Assertion Markup Language (SAML)?
Identity provider, relying party, user
Which component in Security Assertion Markup Language (SAML) defines how attributes, authentication and authorization are exchanged?
Assertions
What do bindings do in SAML?
Bindings define how SAML assertions and protocol message exchanges are conducted with response/request pairs.
What function does a credential management system perform?
It is the binding between an authenticator and an identifier.
Which fundamental security model is composed of a set of generic rights and a finite set of commands?
Harrison, Ruzzo, Ullman
This model is very similar to the Graham–Denning model, as it is also concerned with situations in which a subject should be restricted from gaining particular privileges.
Harrison, Ruzzo, Ullman
The labels and data constructs that all subjects and objects must have are considered to be what?
Identities
____________ can take the form of many things from a Media Access Control (MAC) address to a username.
Identities
Devices, human or non-human users (with usernames or user IDs or not) and software tasks initiated on behalf of users, are known as?
Entities
Devices, human or non-human users (with usernames or user IDs or not) and software tasks initiated on behalf of users, are known as entities within an organisation. These entities have unique characteristics. The amalgamation of these elements is referred to as
Identities
With OAuth 2.0 we see several changes, the most noteworthy of which are:
- V2.0 is transport-dependent (version 1.0 was not) and requires the use of HTTPS over TLS (Transport Layer Security).
- Access tokens are encrypted in transit
Is OAuth 2.0 transport-dependent?
Yes, it requires the use of HTTPS over TLS (Transport Layer Security).
This protocol, which runs on top of OAuth 2.0, provides authentication carried out by the authorization server and is the identity layer that verifies the identity of the user.
OpenID Connect
OpenID Connect
- runs on top of OAuth 2.0
- is the identity layer that verifies the identity of the user
Why are SAML and OAuth different to Kerberos?
Kerberos is similar and provides a three-step process for identification and authorization but is generally used more within the organization and not between organizations.
SP 800-63-3
The digital identity management guidelines
What are the three digital identity assurance levels outlined in SP 800-63-3?
IAL1 - self-asserted
IAL2 - identifying attributes supplied remotely
IAL3 - in person identifying attributes + identifying attributes verified by authorised credential provider
At which Identity Assurance Level (IAL) do organizations like Facebook, LinkedIn or Gmail function when allowing users to create accounts with their services?
IAL1
What component, found in Kerberos, is responsible for creating and issuing access tokens to authenticated users?
The Ticket Granting Service (TGS) creates and issues service tickets (tokens) based on successfully receiving a valid Ticket Granting Ticket (TGT).
The Ticket Granting Service (TGS) creates and issues service tickets (tokens) based on successfully receiving a valid
Ticket Granting Ticket (TGT).
The TGT is produced by the ______________________ after a successful logon.
Authentication Server (AS)
The TGS and AS are components found within the ________________________
Key Distribution Center (KDC)
OpenID Connect is an implementation of the authorisation framework?
OAuth 2.0
Tickets are stored in the ___________ on computers, which are non-pageable areas of memory?
Kerb Tray
When the user is authenticated to the AS, it receives a TGT. Does this permit access?
The TGT only allows the user to request access; it does not automatically mean the user receives access.
In Kerberos, what is an attractive vector for DoS attacks?
Kerberos’s processes are extremely time sensitive and often require the use of Network Time Protocol (NTP) to ensure times are synchronized.
In almost all cases, organizations and their security teams should be able to define sets or patterns of user activities that are acceptable and expected, in most, if not all circumstances.
User behavior review
Sometimes called proactive monitoring, this involves having external agents run scripted transactions against a web application
Synthetic performance monitoring
A variety of different systems and processes can benefit from synthetic performance monitoring. These include:
- Website monitoring
- Database monitoring
- TCP port monitoring
- Service-level agreement validation