Identity and Access Management (IAM) Flashcards

1
Q

access

A

ability to make use of any information system resources

2
Q

access authority

A

entity responsible for monitoring and granting access privileges for other authorized entities

3
Q

access control

A

mediation of subject and object interactions

4
Q

access control list

A

object based description of a single resource and the permission of each subject

5
Q

access control matrix

A

object based description of a system or multiple resources

6
Q

access control triple

A

type of access control specification in which a user, program, and data items are listed for each allowed operation

7
Q

access level

A

hierarchical portion of the security level used to identify data sensitivity and user clearance or authorization. Note: The access level and the non-hierarchical categories form the sensitivity label of an object.

8
Q

access period

A

segment of time, generally expressed on a daily or weekly basis, during which access rights prevail

9
Q

access time minimization

A

risk-reducing principle that attempts to avoid prolonging access time to specific data or to the system beyond what is needed to carry out requisite functionality

10
Q

access type

A

nature of an access right to a particular device, program, or file (read, write, execute, append, modify, delete, or create)

11
Q

accessibility

A

ability to obtain the use of a computer system or a resource or the ability and means necessary to store data, retrieve data, or communicate with a system

12
Q

accountability

A

responsibility of a user for the actions taken by their account which requires unique identification

13
Q

account management

A

process of requesting, establishing, issuing, and closing user accounts

14
Q

Administrative

A

control type - communication based, typically written or oral. Paperwork; cannot hurt the adversary.

15
Q

Attribute-based Access Control (ABAC)

A

policy is a function of a subject’s characteristics

16
Q

Authentication

A

binary decision by a system of permitting or denying access to the entire system

17
Q

Authorization

A

granular decision by a system of permitting or denying access to a particular resource on the system

18
Q

Blind testing

A

evaluation of a system without prior knowledge by the tester

19
Q

Capability Tables

A

subject based description of a system or a collection of resources

20
Q

Compartmentalize

A

to segregate for the purposes of labeling

21
Q

Compensating

A

control category - more than one control on a single asset

22
Q

Content Dependent Access Control

A

system mediation of access with the focus on the context of the request

23
Q

Control

A

tool which mediates access

24
Q

Control category

A

most granular organization of controls

25
Q

Control type

A

less granular organization of controls

26
Q

Corrective

A

control category - to restore to a previous state by removing the adversary and/or the results of their actions

27
Q

Denial of Service

A

consume resources to a point of exhaustion, loss of availability

28
Q

Detective

A

control category - to record an adversary’s actions

29
Q

Deterrent

A

control category - to discourage an adversary from attempting to access

30
Q

Directive

A

control category - to give instructions or inform

31
Q

Discretionary

A

owner directed mediation of access

32
Q

Domain

A

sphere of influence

33
Q

Double blind testing

A

evaluation of a system without prior knowledge by the tester or the tested

34
Q

Extended TACACS (XTACACS)

A

a client/server protocol developed in 1990 by Cisco. Separates authentication, authorization, and accounting.

35
Q

Identification

A

to assert or claim credentialing to an authentication system

36
Q

Intrusion Detection Systems

A

controls for logging and alerting

37
Q

Intrusion Prevention Systems

A

controls for termination of attempt to access object

38
Q

Kerberos

A

authentication protocol which only uses symmetric session keys between principals distributed by a 3rd party using different preshared symmetric keys

39
Q

Keystroke Logging

A

recording activities at the keyboard level. Threat adversarial.

40
Q

Labeling

A

to set the clearance of a subject or the classification of an object

41
Q

Least privilege

A

just enough access to do the job

42
Q

Mandatory

A

system directed mediation of access with labels

43
Q

Marking

A

physical description on the exterior of an object that communicates the existence of a label

44
Q

Masquerading

A

claiming another’s identity at a physical level. Threat adversarial

45
Q

Need-to-know

A

requirement of access to data for a clearly defined purpose

46
Q

Non-discretionary

A

system directed mediation of access without labels and not reprogrammable at run time, typically referring to physical devices, not technical systems.

47
Q

Object

A

passive system resource

48
Q

Password cracking

A

to reveal authentication credentials. Threat adversarial

49
Q

Penetration testing

A

authorized security personnel using the tools and techniques of attackers to determine vulnerabilities of systems for the purpose of remediation planning

50
Q

Permission

A

authorization for a subject to interact with an object

51
Q

Physical

A

control type - tangible barrier to entry. Will hurt the adversary.

52
Q

Preventive

A

control category - to stop the adversary before system access

53
Q

Privacy-Aware Role Based Access Control

A

system mediation of access with the focus on the object’s privacy

54
Q

RADIUS

A

Remote Authentication Dial-In User Service - a client/server protocol that provides authentication and authorization for remote users. Provides accounting capabilities. Transport uses UDP. Encryption for the password only. Authentication and authorization are combined.

55
Q

Recovery

A

control category - to restore to a previous state with some data loss

56
Q

Risk-adaptive access control (RAdAC)

A

Policy changes dynamically based on the risk environment

57
Q

Role Based Access Control

A

system mediation of access with the focus on the function or role of the subject

58
Q

Rule Based Access Control

A

system mediation of access with the focus on a function, either a group concept or source & destination

59
Q

SESAME

A

authentication protocol which uses both asymmetric and symmetric keys

60
Q

Shoulder Surfing

A

to physically view another’s keyboard and monitor activities. Threat adversarial

61
Q

Single Sign-On

A

one account is used for many resources. Authentication services threat.

62
Q

Social Engineering

A

to convince another to take an inappropriate action through manipulation. Threat adversarial

63
Q

Spoofing

A

claiming another’s identity at a technical level. Threat adversarial

64
Q

Subject

A

active system entity

65
Q

TACACS

A

Terminal Access Controller Access Control System - a client/server protocol that was developed to control who could use dial-up lines.

66
Q

TACACS+

A

Terminal Access Controller Access Control System Plus - a Cisco-proprietary protocol developed to provide access control for routers, network access servers, and other network devices via one or more centralized servers. Transport uses TCP. Encryption for the entire body of the packet. Authentication and authorization are separated.

67
Q

Targeted testing

A

narrow scope examination of a system

68
Q

Technical (Logical)

A

control type - hardware and/or software mechanisms which require system interaction to gain access. The adversary must choose to interact.

69
Q

Temporal Isolation

A

system mediation of access with the focus on the time of day

70
Q

Trojan Horse

A

an application with a secondary purpose or execution unknown to the user, which uses the account of the user to gain access or control of a system

71
Q

Authentication Services (Controls)

A

Proper registration/enrollment
Protect databases
2FA
Account expirations
Password manager/vault

72
Q

Authentication Services (Threats)

A

User Password Management
Adversarial
Single Sign On