Identity and access management

Question 1

What provides a near real-time account creation and provisioning process?

Answer 1

JIT

Question 2

What error type presents an organization with higher risk impacts?

Answer 2

Type 2 - granting access when it should be denied

Question 3

Is the physiological characteristic being
measured – such as a retina scan – correctly referred to as a security
token

Answer 3

No

Question 4

the point of equilibrium between false acceptance and false rejection in any authentication or authorization process

Answer 4

The cross-over error rate

Question 5

Where there are more false acceptances than rejections’ is known as a

Answer 5

FAR False acceptance rate or type 2 error

Question 6

where there are more false rejections than acceptances’ is a

Answer 6

False Rejection Rate (FRR) or Type I error and measures the rate at which the system fails to recognize a legitimate identity and denies access, again, as a fraction of the total number of attempts.

Question 7

What are the three A’s of access management

Answer 7

Authentication
Authorisation
Accounting

Question 8

There are two primary access control systems,

Answer 8

logical and physical

Question 9

This form of access control allows for
the greatest flexibility in controls along
with the greatest vulnerabilities.

Answer 9

DAC Discretionary Access Control

Question 10

This facilitates the setting of stricter
permissions for access, based on risk. For
this reason, it is often called risk-intelligent
access control.

Answer 10

Attribute based access control

Question 11

When considering modern implementations of access control, which model maps users to applications and then roles?

Answer 11

Limited RBAC - In a limited RBAC (Role-Based Access Control) model, the user is first assigned access permission to an application and to a given role within that application; so, a user might have access to a financial application but only as a user, not a developer.

Question 12

Authorization can have two meanings

Answer 12

1. The initial decision to grant certain permissions to an identity, with respect to actions they can take in the future regarding particular objects.
2. The real-time confirmation that a request to perform an action, by a subject, toward a given object is allowed by the privileges that have been defined for that subject, object, and other criteria that may apply.

Question 13

Is kerberos an example of an identity store

Answer 13

yes

Question 14

Is x.500 an identity store

Answer 14

yes

Question 15

This is a lightweight version of x.500

Answer 15

LDAP

Question 16

the Achilles’ heel of Kerberos

Answer 16

encryption processes are ultimately based on passwords. Therefore, it can fall victim to traditional password- guessing attacks.

Question 17

Where is a potential single point of failure for kerberos

Answer 17

KDC - it is therefore not unusual to see many of them on a network

Question 18

What are the three roles within Security Assertion Markup Language (SAML)?

Answer 18

Identity provider, relying party, user

Question 19

Which component in Security Assertion Markup Language (SAML) defines how attributes, authentication and authorization are exchanged?

Answer 19

Assertions

Question 20

What do bindings do in SAML

Answer 20

Bindings define how SAML assertions and protocol message exchanges are conducted with response/request pairs.

Question 21

What function does a credential management system perform?

Answer 21

It is the binding between an authenticator and an identifier.

Question 22

Which fundamental security model is composed of a set of generic rights and a finite set of commands?

Answer 22

Harrison, Ruzzo, Ullman

Question 23

This model is very similar to the Graham–Denning model, as it is also concerned with situations in which a subject should be restricted from gaining particular privileges.

Answer 23

Harrison, Ruzzo, Ullman

Question 24

The labels and data constructs that all subjects and objects must have are considered to be what?

Answer 24

Identities

Question 25

____________ can take the form of many things from a Media Access Control (MAC) address to a username.

Answer 25

Identities

Question 26

Devices, human or non-human users (with usernames or user IDs or not) and software tasks initiated on behalf of users, are known as

Answer 26

Entities

Question 27

Devices, human or non-human users (with usernames or user IDs or not) and software tasks initiated on behalf of users, are known as entities within an organisation. These entities have unique characteristics. The amalgamation of these elements is referred to

Answer 27

Identities

Question 28

With version OAuth 2.0 we see several changes the most noteworthy of which are

Answer 28

1. V2.0 is transport-dependent (version 1.0 was not) and requires the use of HTTPS over TLS
   (Transport Layer Security).
2. Access tokens are encrypted in transit

Question 29

Is OAuth 2.0 transport dependent

Answer 29

Yes, it requires the use of HTTPS over TLS (Transport Layer Security).

Question 30

This protocol, which runs on top of OAuth 2.0, provides authentication carried out by
the authorization server and is the identity layer that verifies the identity of the user.

Answer 30

OpenID connect

Question 31

OpenID Connect

Answer 31

• runs on top of OAuth 2.0
• is the identity layer that verifies the identity of the user

Question 32

Why are SAML and Oauth different to Kerberos

Answer 32

Kerberos is similar and provides a three-step process for identification and authorization but is generally used more within the organization and not between organizations.

Question 33

SP 800-63-3

Answer 33

The digital identity management guidelines

Question 34

What are the three digital identity assurance levels outlined in SP 800-63-3

Answer 34

IAL1 - self asserted
IAL2 - identifying attributes supplied remotely
IAL3 - in person identifying attributes + identifying attributes verified by authorised credential provider

Question 35

At which Identity Assurance Level (IAL) do organizations like Facebook, LinkedIn or Gmail function when allowing users to create accounts with their services?

Answer 35

IAL1

Question 36

What component, found in Kerberos, is responsible for creating and issuing access tokens to authenticated users

Answer 36

The Ticket Granting Service (TGS) creates and issues service tickets (tokens) based on successfully receiving a valid Ticket Granting Ticket (TGT).

Question 37

The Ticket Granting Service (TGS) creates and issues service tickets (tokens) based on successfully receiving a valid

Answer 37

Ticket Granting Ticket (TGT).

Question 38

The TGT is produced by the ______________________ after a successful logon.

Answer 38

Authentication Server (AS)

Question 39

The TGS and AS are components found within the ________________________

Answer 39

Key Distribution Center (KDS)

Question 40

OpenID Connect is an implementation of the authorisation framework

Answer 40

Oauth2

Question 41

Tickets are stored in the ___________ on computers, which are non-pageable areas of memory

Answer 41

Kerb Tray

Question 42

When the user is authenticated to the AS, it receives a TGT. Does this permit access?

Answer 42

The TGT only allows the user to request access, it does not automatically mean the
user receives access

Question 43

In Kerberos what is an attractive vector for DoS attacks.

Answer 43

Kerberos’s processes are extremely time sensitive and often require the use of Network Time Protocol (NTP) to ensure times are synchronized.

Question 44

In almost all cases, organizations and their security teams should be able to define sets or patterns of user activities that are acceptable and expected, in most, if not all circumstances.

Answer 44

User behavior review

Question 45

sometimes called proactive monitoring, this involves having external agents
run scripted transactions against a web application

Answer 45

Synthetic performance monitoring,

Question 46

A variety of different systems and processes can benefit
from synthetic performance monitoring. These include

Answer 46

• Website monitoring
• Database monitoring
• TCP port monitoring
• Service-level agreement validation