Identity and Access Management Controls Flashcards
During a visit to a hosting center where your organization keeps some offsite servers, you see a door with an odd-looking panel next to it. You see people approaching the panel and placing their eyes into a hooded viewer. A few seconds after they’ve done this, the door unlocks. What type of biometric scanner might this be?
Voice recognition scanner
Retinal scanner
Fingerprint scanner
Retinal scanner
This is most likely a retinal scanner. Retinal scanners examine blood vessel patterns in the back of the eye. Retinal scanning must be done at short distances; the user has to be right at the device for it to work.
You’ve spent the last week tweaking a fingerprint scanning solution for your organization. Despite your best efforts, roughly 1 in 50 attempts will fail even if the user is using the correct finger and their fingerprint is in the system. Your supervisor says 1 in 50 is “good enough” and tells you to move on to the next project. Your supervisor just defined which of the following for your fingerprint scanning system?
False rejection rate
False acceptance rate
Critical threshold
False rejection rate
Your supervisor just defined the false rejection rate (FRR) for your system. The FRR is the level of false negatives, or rejections, that are going to be allowed in the system. In this case your supervisor is willing to accept 1 false rejection for every 50 attempts.
Which of the following algorithms uses a secret key with a current timestamp to generate a one-time password?
Date-hashed Message Authorization Password
Time-based One-Time Password
Single sign-on
Time-based One-Time Password
The Time-based One-Time Password (TOTP) algorithm is a specific implementation of an HOTP that uses a secret key with a current timestamp to generate a one-time password.
Your organization needs a system for restricting access to files based on the sensitivity of the information in those files. You might suggest which of the following access control systems?
Discretionary access control
Mandatory access control
Confidential access control
Mandatory access control
Mandatory access control (MAC) is a system used in environments with different levels of security classifications. Access to objects (like files) is based on the sensitivity of the information contained in those objects and the authorization of the user to access information with that level of sensitivity.
Which of the following describes a major difference between NTFS and FAT32 file systems?
NTFS supports user-level access differentiation.
FAT32 supports group-level access differentiation.
NTFS logs all file access using secure tokens.
NTFS supports user-level access differentiation.
NTFS supports user-level access differentiation and allows you to assign user permissions to files and directories.
Your organization has grown too large to support assigning permissions to users individually. Within your organization, you have large groups of users who perform the same duties and need the same type and level of access to the same files. Rather than assigning individual permissions, your organization may wish to consider using which of the following access control methods?
Group-based access control
Shift-based access control
Role-based access control
Role-based access control
Your organization could consider role-based access control. In role-based access control, instead of each user being assigned specific access permissions for the objects associated with the computer system or network, each user is assigned a set of roles that he or she may perform. The roles are in turn assigned the access permissions necessary to perform the tasks associated with the role. Users will thus be granted permissions to objects in terms of the specific duties they must perform—not according to a security classification associated with individual objects.
With regard to authentication, an access token falls into which factor category?
Something you are
Something you have
Something you know
Something you have
An access token is a physical object that identifies specific access rights, and in authentication falls into the “something you have” factor category.
Which of the following is NOT a common form of hardware token?
Proximity card
USB token
Iris scan
Iris scan
An iris scan would be considered a biometric technique and is not a hardware token. A hardware token is a physical item the user must be in possession of to access their account or certain resources.
A client of yours wants a system that will allow them to verify that messages came from specific individuals. In other words, they want to make sure that if a message purports to come from Sally, it really came from Sally. What method of establishing authenticity might you suggest they use?
Digital certificates
One-time passwords
Software tokens
Digital certificates
You might suggest they consider digital certificates. A digital certificate is a digital file that is sent as an attachment to a message and is used to verify that the message did indeed come from the entity it claims to have come from.
The hospital client you are working with needs to do a better job restricting access to patient records. They want doctors to have access only to records for their patients and only when the doctors are in the hospital. What type of access control method might work well in this situation?
Role-based access control
Mandatory access control
Attribute-based access control
Attribute-based access control
The hospital should consider using attribute-based access control (ABAC), a form of access control based on attributes. These attributes can be in a wide variety of forms, such as user attributes, resource or object attributes, and environmental attributes. For instance, a doctor can access medical records, but only for patients to whom he is assigned, or only when he is on shift. The major difference between ABAC and role-based access control is the ability to include Boolean logic in the access control decision.
While depositing cash from a charity fundraiser at a local bank, you notice bank employees are holding up cards next to a panel near a door. A light on the panel turns green and the employees are able to open the door. The light on the panel is normally red. What type of electronic door control is this bank using?
Iris scanner
Hardware tokens
Proximity cards
Proximity cards
The bank employees are using proximity cards, contactless access cards that provide information to the electronic door control system. Proximity cards just need to be close enough to the scanner to work—they do not need to actually touch the scanner.
Your colleague is telling you a story she heard about a way to trick fingerprint scanners using gummy bears. She heard that if you press a gummy bear against an authorized user’s finger, you can then use that gummy bear as their fingerprint to fool a fingerprint scanner. If this works, the result is an example of which of the following?
False negative
False positive
Crossover positive
False positive
This is an example of a false positive. A false positive occurs when a biometric is scanned and allows access to someone who is not authorized.
The HR department in your organization wants to restrict access to the payroll file such that no one can access the payroll file outside of normal business hours (M–F, 7 A.M. to 6 P.M.). What type of access control method are they asking for?
Rule-based access control
Mandatory access control
Physical access control
Rule-based access control
The HR department is looking for rule-based access control, which uses objects such as ACLs to help determine whether access should be granted or not. In this case, a series of rules is contained in the ACL, and the determination of whether to grant access will be made based on these rules.
When designing and tweaking biometric systems, the point where both the accept and reject error rates are equal is known as which of the following?
Crossover acceptance rate
Accept-reject overlap rate
Crossover error rate
Crossover error rate
The crossover error rate (CER) is the rate where both accept and reject error rates are equal. This is the desired state for most efficient operation of a biometric system, and it can be managed by manipulating the threshold value used for matching.
Which of the following is a smart card identification typically used by the U.S. Department of Defense?
Personal Identity Verification card
Common Access Card
Symmetric Token Card
Common Access Card
The Common Access Card (CAC) is a smart card identification used by the U.S. Department of Defense (DoD) for active-duty military, Selected Reserve members, DoD civilians, and eligible contractors.