Identity and Access Management

Question 1

Access Provision Lifecycle

Answer 1

only setup account for those who require them
review account data for error/inconsistencies
audit access authorization/failures
remove access when necessary

Question 2

Identification

Answer 2

Positive/Negative Identification

Question 3

Authentication

Answer 3

Requires a key piece of information that only the users knows - aka password

Question 4

Authorization

Answer 4

tied closely to principle of least privileges

Question 5

Types of Authentication

Answer 5

Know, Have, Are, Somplace(GPS/Geo Location)

Question 6

Passphrases

Answer 6

compared to strong password - less entropy per character but more over entropy due to length

Question 7

Password guessing

Answer 7

guessing password

Question 8

Password cracking

Answer 8

determine cleartext password based on stole password hashes

Question 9

Dictionary attack

Answer 9

word list, hash to see if matches

Question 10

Hybrid

Answer 10

begin with word list and adds/changes characters

Question 11

Brute force

Answer 11

attempts every possible password

All combinations

Question 12

Rainbow tables

Answer 12

calculate hash for every password

Salt makes rainbow ineffective

Question 13

Salt

Answer 13

random number that is hashed along with the salt

Question 14

Tokens

Answer 14

Counter Based - asynchronous dynamic password token

Time-Based - Synchronous dynamic password token

Question 15

Synchronous dynamic password token

Answer 15

same time (RSA token)

Question 16

Asynchronous dynamic password token

Answer 16

Password available, no time limit

Question 17

Biometrics Identifiers

Answer 17

Fingerprints
Palm scan
Hand geometry
Voice print
Retina pattern
Iris scan
Facial recognition

Question 18

False Reject Rate (FRR)

Answer 18

Type I Error

It’s me but rejects me

Question 19

False Accept Rate (FAR)

Answer 19

Type II Error
It’s not me but accepts it - intruder
Remember Type II is worst than Type I

Question 20

Crossover Error Rate (CER)

Answer 20

Point where False Reject Rate and False Accept Rate are equal
Equal Error Rate

Question 21

Enrollment (Biometrics)

Answer 21

Needs to enroll in 2 minutes

Question 22

Throughput (Biometrics)

Answer 22

10 subjects/min - once ever 6 seconds

Question 23

Key Distribution Center (KDC)

Answer 23

Vuln - contains all users password in plaintext
access to all keys
issues TGT

Question 24

Kerberos

Answer 24

symmetric encryption

***Mutual authentication is best part about it

Question 25

SESAME

Answer 25

European equivalent to Kerberos

Question 26

Directory Services

Answer 26

TCP: 389

LDAP

Question 27

Screensaves & timeout

Answer 27

Screensavers - 5 minutes

Automatic logoff after 10 minutes

Question 28

Federated Identity Management

Answer 28

users across different organization can authenticated

Question 29

Security Asssertions Markup Language (SAML)

Answer 29

standard-based means of allowing for communication of identity and authentication information.

Question 30

Service Provider (SP) (SAML)

Answer 30

application that can lever identity/auth assertion

Think of an application that is used google gmail to authenticate

Question 31

Identity Provider (IdP) (SAML)

Answer 31

This would be google gmail authenticator

Question 32

Assertions Consumer Services

Answer 32

host by the Service Provider and is the IdP sends the assertions

Question 33

Identity Provider (IDP) (OpenID)

Answer 33

sites that the sources of identify information

Question 34

Replaying Parties (RP) (OpenID)

Answer 34

sites that can use identity information from IdP

Question 35

RedirectURL (OpenID)

Answer 35

redirect URL information RP that the subject has been successfully authenticated

Question 36

RedirectURL (OpenID)

Answer 36

redirect URL information RP that the subject has been successfully authenticated

Question 37

Identity As A Service (IDaaS)

Answer 37

Single Sign-On for cloud

Dual Factor authentication and encryption critical components

Question 38

Subject: Active

Answer 38

user, process, device

Active entity

Question 39

Subject: Passive

Answer 39

files, directories, pipes

passive entity that contains or receives information

Question 40

Rules

Answer 40

Filters

Question 41

Labels

Answer 41

Sensitivity

Question 42

Mandatory Access Control Strengths

Answer 42

Controlled by systems, can’t be overridden

strict control/cannot share

Question 43

Mandatory Access Control (MAC) Weakness

Answer 43

Protects information in digital form
Assumes:
trust users/admin
levels have been applies by individual
User do not share account or access
Proper physical security in place

Question 44

Discretionary Access Control (DAC)

Answer 44

owner can change security attributes - think Windows file that can be changed by user
tabular listing (think how unix displays files across with the permission listed

Question 45

Discretionary Access Control (DAC) Strengths

Answer 45

fast and can modify their own files

Question 46

Discretionary Access Control (DAC) Weakness

Answer 46

intentionally/unintentionally grant access when they shouldn’t
Simple error cause unauthorized disclosure
DAC depends on users acting in trustworthy manner

Question 47

Non-Discretionary Access Control

Answer 47

central authority determines which object a subject can access
Rule-based: Firewall
Role-Based: 
Task-Based: focus on task vs roles
Attribute-Based:

Question 48

Non-RBAC Role-Based Access Control (RBAC)

Answer 48

user granted access via Access Control List

Question 49

Limited RBAC Role-Based Access Control (RBAC)

Answer 49

users mapped to applications

Local system account

Question 50

Hybrid RBAC Role-Based Access Control (RBAC)

Answer 50

users assigned roles that is assigned access to systems

Question 51

Full RBAC Role-Based Access Control (RBAC)

Answer 51

access is controlled by roles and applied to applications and systems.
think Active Directory

Question 52

Attribute-Based Access Control (ABAC)

Answer 52

access decisions based on subject/object attributes, environmental conditions
Complex - e.g. based on time, where you logged in from, etc..

Question 53

Content Dependent

Answer 53

access based on data content

Think of browsing the web at work

Question 54

Context Dependent

Answer 54

Account locked out after x number of attempts

think of incrementing counter

Question 55

Captcha

Answer 55

mechanism for enforcing a context-dependent access control

Question 56

Constrained User Interface

Answer 56

Limited menu options within an application

Question 57

Temporal (Time-Based) Isolation

Answer 57

during week accept time cards, then blocks, before opening again.