Identity and Access Management (IAM)

Question 1

access

Answer 1

ability to make use of any information system resources

Question 2

access authority

Answer 2

entity responsible for monitoring and granting access privileges for other authorized entities

Question 3

access control

Answer 3

mediation of subject and object interactions

Question 4

access control list

Answer 4

object based description of a single resource and the permission of each subject

Question 5

access control matrix

Answer 5

object based description of a system or multiple resources

Question 6

access control triple

Answer 6

type of access control specification in which a user, program, and data items are listed for each allowed operation

Question 7

access level

Answer 7

hierarchical portion of the security level used to identify data sensitivity and user clearance or authorization. Note: The access level and the non-hierarchical categories form the sensitivity label of an object.

Question 8

access period

Answer 8

segment of time, generally expressed on a daily or weekly basis, during which access rights prevail

Question 9

access time minimization

Answer 9

risk-reducing principle that attempts to avoid prolonging access time to specific data or to the system beyond what is needed to carry out requisite functionality

Question 10

access type

Answer 10

nature of an access right to a particular device, program, or file (read, write, execute, append, modify, delete, or create)

Question 11

accessibility

Answer 11

ability to obtain the use of a computer system or a resource or the ability and means necessary to store data, retrieve data, or communicate with a system

Question 12

accountability

Answer 12

responsibility of a user for the actions taken by their account which requires unique identification

Question 13

account management

Answer 13

process of requesting, establishing, issuing, and closing user accounts

Question 14

Administrative

Answer 14

control type- that is communication based, typically written or oral. Paperwork, cannot hurt adversary.

Question 15

Attribute -based Access Control (ABAC)

Answer 15

Policy a function of a subject’s characteristics

Question 16

Authentication

Answer 16

binary decision by a system of permitting or denying access to the entire system

Question 17

Authorization

Answer 17

granular decision by a system of permitting or denying access to a particular resource on the system

Question 18

Blind testing

Answer 18

evaluation of a system without prior knowledge by the tester

Question 19

Capability Tables

Answer 19

subject based description of a system or a collection of resources

Question 20

Compartmentalize

Answer 20

to segregate for the purposes of labeling

Question 21

Compensating

Answer 21

control category - more than one control on a single asset

Question 22

Content Dependent Access Control

Answer 22

system mediation of access with the focus on the context of the request

Question 23

Control

Answer 23

tool which mediates access

Question 24

Control category

Answer 24

most granular organization of controls

Question 25

Control type

Answer 25

less granular organization of controls

Question 26

Corrective

Answer 26

control category- to restore to a previous state by removing the adversary and or the results of their actions

Question 27

Denial of Service

Answer 27

consume resources to a point of exhaustion, loss of availability

Question 28

Detective

Answer 28

control category- to record an adversary’s actions

Question 29

Deterrent

Answer 29

control category- to discourage an adversary from attempting to access

Question 30

Directive

Answer 30

control category- to give instructions or inform

Question 31

Discretionary

Answer 31

owner directed mediation of access

Question 32

Domain

Answer 32

sphere of influence

Question 33

Double blind testing

Answer 33

of a system without prior knowledge by the tester or the tested

Question 34

Extended TACACS (XTACACS)

Answer 34

a client/server protocol developed in 1990 by Cisco. Separates authentication, authorization, and accounting.

Question 35

Identification

Answer 35

to assert or claim credentialing to an authentication system

Question 36

Intrusion Detection Systems

Answer 36

controls for logging and alerting

Question 37

Intrusion Prevention Systems

Answer 37

controls for termination of attempt to access object

Question 38

Kerberos

Answer 38

authentication protocol which only uses symmetric session keys between principals distributed by a 3rd party using different preshared symmetric keys

Question 39

Keystroke Logging

Answer 39

recording activities at the keyboard level. Threat adversarial.

Question 40

Labeling

Answer 40

to set the clearance of a subject or the classification of an object

Question 41

Least privilege

Answer 41

just enough access to do the job

Question 42

Mandatory

Answer 42

system directed mediation of access with labels

Question 43

Marking

Answer 43

physical description on the exterior of an object that communicates the existence of a label

Question 44

Masquerading

Answer 44

claiming another’s identity at a physical level. Threat adversarial

Question 45

Need-to-know

Answer 45

requirement of access to data for a clearly defined purpose

Question 46

Non-discretionary

Answer 46

system directed mediation of access without labels and not reprogrammable at run time, typically refering to physical devices, not technical systems.

Question 47

Object

Answer 47

passive system resource

Question 48

Password cracking

Answer 48

to reveal authentication credentials. Threat adversarial

Question 49

Penetration testing

Answer 49

authorized security personnel using the tools and techniques of attackers to determine vulnerabilities of systems for the purpose of remediation planning

Question 50

Permission

Answer 50

authorization for a subject to interact with an object

Question 51

Physical

Answer 51

control type- tangible barrier to entry. Will hurt adversary.

Question 52

Preventive

Answer 52

control category- to stop the adversary before system access

Question 53

Privacy-Aware Role Based Access Control

Answer 53

system mediation of access with the focus on the object’s privacy

Question 54

RADIUS

Answer 54

Remote Authentication Dial in User Service - a client/server protocol that provides authentication and authorization for remote users. Provides accounting capabilities. Transport uses UDP. Encryption for Password only. Authentication and authorization is combined.

Question 55

Recovery

Answer 55

control category- to restore to a previous state with some data loss

Question 56

Risk-adaptive access control (RAdAC)

Answer 56

Policy changes dynamically based on the risk environment

Question 57

Role Based Access Control

Answer 57

system mediation of access with the focus on the function or role of the subject

Question 58

Rule Based Access Control

Answer 58

system mediation of access with the focus on the function either group concept or source & destination

Question 59

SESAME

Answer 59

authentication protocol which uses both asymmetric and symmetric keys

Question 60

Shoulder Surfing

Answer 60

to physically view another’s keyboard and monitor activities. Threat adversarial

Question 61

Single Sign-On

Answer 61

one account is used for many resources. Authentication services threat.

Question 62

Social Engineering

Answer 62

to convince another to take an inappropriate action through manipulation. Threat adversarial

Question 63

Spoofing

Answer 63

claiming another’s identity at a technical level. Threat adversarial

Question 64

Subject

Answer 64

active system entity

Question 65

TACACS

Answer 65

Terminal Access Controller Access Control System - a client/server protocol that was developed to control who could use dial-up lines.

Question 66

TACACS+

Answer 66

Terminal Access Controller Access Control System Plus - a Cisco-proprietary protocol developed to provide access control for routers, network access servers, and other network devices via one or more centralized servers. Transport uses TCP. Encryption for entire body of packet. Authentication and authorization is separated.

Question 67

Targeted testing

Answer 67

narrow scope examination of a system

Question 68

Technical (Logical)

Answer 68

control type - hardware and or software mechanisms which require system interaction to gain access. Adversary must choose to interact.

Question 69

Temporal Isolation

Answer 69

system mediation of access with the focus on the time of day

Question 70

Trojan Horse

Answer 70

an application with a secondary purpose or execution unknown to the user, which uses the account of the user to gain access or control of a system

Question 71

Authentication Services (Controls)

Answer 71

Proper registration/enrollment
Protect databases
2FA
Account expirations
Password manager/vault

Question 72

Authentication Services (Threats)

Answer 72

User Password Management
Adversarial
Single Sign On