Identity and Access Management Security Flashcards
Gabby is designing a multifactor authentication system for her company. She has decided to use a passphrase, a time-based code generator, and a PIN to provide additional security. How many distinct factors will she have implemented when she is done?
A. One
B. Two
C. Three
D. Four
Answer:
B. While it may seem like Gabby has implemented three different factors, both a PIN and a passphrase are knowledge-based factors (something you know) and cannot be considered distinct; the time-based code generator is a possession factor (something you have). She has implemented two distinct factors with her design. If she wanted a third factor, she could replace either the passphrase or the PIN with a fingerprint scan or other biometric factor (something you are).
Susan wants to manage access based on the job titles of members of her organization’s staff. What kind of access control is best suited to this requirement?
A. Role-based access control
B. Attribute-based access control
C. Mandatory access control
D. Discretionary access control
Answer:
B. An individual’s job title is an attribute, which means that attribute-based access control is the appropriate answer. Titles may be used to help identify a role, but they do not necessarily match roles directly, meaning that role-based access control is not the right choice. Discretionary access control empowers users to make decisions about rights, and mandatory access control enforces access control at the system level.
During an incident response process, Michelle discovers that the administrative credentials for her organization’s Kerberos server have been compromised and that attackers have issued themselves a TGT without an expiration date. What is this type of ticket called?
A. A master ticket
B. A golden ticket
C. A KDC
D. A MGT
Answer:
B. The nightmare scenario of a compromised Kerberos server that allows attackers to forge their own ticket-granting tickets (TGTs), known as golden tickets, results in attackers being able to create new tickets, perform account changes, and even create new accounts and services. In Active Directory the forgery is done with the krbtgt account's key, so the ticket's lifetime is whatever the forger chooses rather than what domain policy allows, and recovery requires resetting the krbtgt password twice, because Kerberos keeps the previous key usable for tickets already issued. A KDC is a Kerberos key distribution center; MGT and master tickets were both made up for this question.
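Two checks an incident responder would run for the scenario above, as an added example that is not part of the original flashcards: a ticket whose lifetime or encryption type does not fit domain policy, and a domain controller that logs service-ticket requests (event 4769) for an account with no TGT request (event 4768) on record, which is what a TGT forged offline looks like. The ticket records, the events and the policy limits are all constructed for the example; the 10-hour and 7-day values are the Windows defaults and should be replaced with the domain's actual Kerberos policy.

```python
from datetime import datetime, timedelta

# Assumed domain policy values (the Windows defaults are 10 hours for a TGT and
# 7 days for renewal); replace with the values from the domain's Kerberos policy.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_RENEW_LIFETIME = timedelta(days=7)

# Constructed ticket-cache records in the shape a parsed 'klist' dump would give.
# The second record is what a forged TGT typically looks like: a multi-year lifetime
# (forging tools default to 10 years) and RC4, even though the domain uses AES.
SAMPLE_TICKETS = [
    {"client": "jsmith@CORP.EXAMPLE", "start": "2024-03-01 08:00:00",
     "end": "2024-03-01 18:00:00", "renew_until": "2024-03-08 08:00:00",
     "enctype": "AES-256-CTS-HMAC-SHA1-96"},
    {"client": "jsmith@CORP.EXAMPLE", "start": "2024-03-01 08:05:00",
     "end": "2034-02-27 08:05:00", "renew_until": "2034-02-27 08:05:00",
     "enctype": "RC4-HMAC"},
]

# Constructed domain-controller security events: 4768 = TGT issued (AS exchange),
# 4769 = service ticket requested (TGS exchange).
SAMPLE_EVENTS = [
    {"id": 4768, "account": "jsmith", "client_ip": "10.0.0.15"},
    {"id": 4769, "account": "jsmith", "client_ip": "10.0.0.15", "service": "cifs/fs01"},
    {"id": 4769, "account": "svc_backup", "client_ip": "10.0.0.99", "service": "ldap/dc01"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def ticket_findings(ticket, max_lifetime=MAX_TGT_LIFETIME, max_renew=MAX_RENEW_LIFETIME):
    """Return the reasons a cached TGT looks forged; an empty list means it fits policy."""
    start, end, renew = _ts(ticket["start"]), _ts(ticket["end"]), _ts(ticket["renew_until"])
    findings = []
    if end - start > max_lifetime:
        findings.append(f"lifetime {end - start} exceeds policy maximum {max_lifetime}")
    if renew - start > max_renew:
        findings.append(f"renewal window {renew - start} exceeds policy maximum {max_renew}")
    if ticket["enctype"].upper().startswith("RC4"):
        findings.append("RC4 ticket in an AES domain (typical of older forging tools)")
    return findings


def tgs_without_as(events):
    """Accounts that requested service tickets (4769) with no TGT request (4768) on record.

    A forged TGT is built offline from the krbtgt key and never passes through the KDC's
    AS exchange, so the first thing the DC sees for it is a TGS request. Caveat: a real
    TGT obtained before the log window opened produces the same pattern, so treat hits
    as leads to correlate with ticket lifetimes and logon events, not as proof.
    """
    had_as_exchange = {e["account"] for e in events if e["id"] == 4768}
    return sorted({e["account"] for e in events
                   if e["id"] == 4769 and e["account"] not in had_as_exchange})


if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        print(t["client"], t["enctype"], ticket_findings(t) or "ok")
    print("TGS without AS exchange:", tgs_without_as(SAMPLE_EVENTS))
```

The lifetime check is the cheap one and catches default forgeries; an attacker who forges a ticket with a policy-compliant lifetime is only visible through the event correlation, which is why both are worth running together.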
Which of the following technologies is NTLM associated with?
A. SAML
B. Active Directory
C. OAuth
D. RADIUS
Answer:
B. The NT LAN Manager (NTLM) challenge-response protocols are associated with Active Directory, where Windows still falls back to them when Kerberos is unavailable. SAML, OAuth, and RADIUS do not use NTLM.
Jim was originally hired into the helpdesk at his current employer but has since then moved into finance. During a rights audit, it is discovered that he still has the ability to change passwords for other staff members. What is this issue called?
A. Rights mismanagement
B. Least privilege
C. Permission misalignment
D. Privilege creep
Answer:
D. Privilege creep occurs as staff members change roles but their rights and permissions are not updated to match their new responsibilities. This violates the concept of least privilege. Rights mismanagement and permission misalignment are both terms made up for this question.
What type of attack occurs when an attacker takes advantage of OAuth open redirects to take on the identity of a legitimate user?
A. Impersonation
B. Session hijacking
C. MitM
D. Protocol analysis
Answer:
A. OAuth open redirect exploits are a form of impersonation attack: if the authorization server can be made to redirect to an attacker-controlled URL, the authorization code or token issued for the victim is delivered to the attacker, who can then act as that legitimate user. Session hijacking takes over an existing session, whereas man-in-the-middle (MitM) attacks take advantage of being in the path of communications. Protocol analysis is a networking term used when reviewing packet contents.
The 2013 Yahoo breach resulted in almost 1 billion MD5 hashed passwords being exposed. What user behavior creates the most danger when this type of breach occurs?
A. Insecure password reset questions
B. Use of federated credentials
C. Password reuse
D. Unencrypted password storage
Answer:
C. Breaches of passwords stored in easily recoverable or reversible formats, paired with user IDs or other identifying information, create significant threats if users reuse passwords: attackers can test the recovered passwords against other sites and services. Poor password reset questions are a threat even without a breach, and unencrypted or weakly hashed storage (unsalted MD5 is recoverable by lookup in practice) is the site's failing that makes the dump usable, not a user behavior. Use of federated credentials is not a critical concern in cases like this.
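An added example, not part of the original flashcards, showing why the answer above is password reuse: an unsalted MD5 dump falls to a single precomputed table, and the recovered passwords then log in at a second site even though that site hashes correctly. The wordlist, both account stores and the e-mail addresses are constructed for the example, and the PBKDF2 iteration count is deliberately low so the code runs quickly.

```python
import hashlib
import hmac
import os

# Constructed wordlist; a real attack uses tens of millions of entries from prior leaks.
WORDLIST = ["password", "123456", "letmein", "Summer2013!", "qwerty"]


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


# Constructed breach dump in the weak form the question describes: an identity next to
# an unsalted MD5 of the password.
LEAKED_DUMP = {
    "alice@example.com": md5_hex("Summer2013!"),
    "bob@example.com": md5_hex("letmein"),
    "carol@example.com": md5_hex("correct horse battery staple"),
}


def crack_unsalted_md5(dump, wordlist):
    """Dictionary attack: hash each candidate once, then look every user up against it.

    With no salt, one table of len(wordlist) MD5 computations covers the whole dump,
    which is why a billion hashes can be recovered in bulk rather than one user at a time.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[digest] for user, digest in dump.items() if digest in table}


# A correctly built store at a different site: per-user random salt plus a slow KDF.
# The iteration count is lowered so the example runs fast; production values are far higher.
PBKDF2_ITERATIONS = 100_000


def make_record(password, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_record(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# Constructed accounts at the second site. Alice reused her password; Bob did not.
OTHER_SITE = {
    "alice@example.com": make_record("Summer2013!"),
    "bob@example.com": make_record("B0b-unique-pw-2024"),
}


def credential_stuffing_hits(cracked, other_site):
    """Replay recovered credentials against the second site; reuse is what makes this land.

    The second site's salted, slow hashing does nothing here: the attacker is not cracking
    its hashes, merely logging in with a password the user chose to share across sites.
    """
    return sorted(user for user, password in cracked.items()
                  if user in other_site and verify_record(other_site[user], password))


if __name__ == "__main__":
    cracked = crack_unsalted_md5(LEAKED_DUMP, WORDLIST)
    print("recovered from MD5 dump:", cracked)
    print("valid at the second site:", credential_stuffing_hits(cracked, OTHER_SITE))
```

Carol's passphrase survives only because it is not in the wordlist, not because of anything the breached site did; the salted store, by contrast, would force the same wordlist to be re-hashed per user at PBKDF2 cost, which is the property the breached site lacked.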
Authentication that uses the IP address, geographic location, and time of day to help validate the user is known as what type of authentication?
A. Token-based
B. Context-based
C. NAC
D. System-data contextual
Answer:
B. Context-based authentication allows authentication decisions to be made based on information about the user, the system they are using, or other data like their geographic location, behavior, or even the time of day. Token-based authentication uses a security token to generate a one-time password or value, and NAC (network access control) is a means of validating systems and users that connect to a network. System-data contextual is a made-up answer for this question.
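An added example of the context-based decision described above, not part of the original flashcards: given a login whose password already checked out, the evaluator uses source IP, geographic location and time of day to allow, require a second factor, or deny. The login history, the attempts, the business-hours window, the 900 km/h travel threshold and the treatment of timestamps as the user's local time are all assumptions made for the example; the IP addresses are from the documentation ranges.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Policy knobs; these are assumptions for the example, not values from the question.
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 counts as normal working time
IMPOSSIBLE_SPEED_KMH = 900           # faster than an airliner between two logins
EARTH_RADIUS_KM = 6371.0

# Constructed login history: the user's last accepted login, with a geolocated IP.
# Timestamps are treated as the user's local time (an assumption that simplifies the example).
HISTORY = {
    "alice": {"time": "2024-03-01 09:00:00", "ip": "203.0.113.10", "lat": 52.52, "lon": 13.405},
}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, used for the impossible-travel check."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def evaluate_context(user, attempt, history=HISTORY):
    """Return ('allow' | 'step_up' | 'deny', reasons) for a login whose password already passed.

    Weak signals (unknown IP, odd hour, no history) ask for a second factor; travel that is
    physically impossible since the last login denies outright.
    """
    reasons = []
    now = _ts(attempt["time"])
    last = history.get(user)

    if last is not None:
        if attempt["ip"] != last["ip"]:
            reasons.append(f"new source IP {attempt['ip']}")
        hours = (now - _ts(last["time"])).total_seconds() / 3600
        distance = haversine_km(last["lat"], last["lon"], attempt["lat"], attempt["lon"])
        if hours > 0 and distance / hours > IMPOSSIBLE_SPEED_KMH:
            reasons.append(f"impossible travel: {distance:.0f} km in {hours:.1f} h")
            return "deny", reasons
    else:
        reasons.append("no login history for user")

    if now.hour not in BUSINESS_HOURS:
        reasons.append(f"outside business hours ({now:%H:%M})")

    return ("step_up" if reasons else "allow"), reasons


# Constructed attempts against alice's history above (Berlin, then Munich, then Sydney).
ATTEMPTS = {
    "same_ip_morning": {"time": "2024-03-01 10:30:00", "ip": "203.0.113.10", "lat": 52.52, "lon": 13.405},
    "new_ip_nearby":   {"time": "2024-03-01 12:00:00", "ip": "198.51.100.7", "lat": 48.137, "lon": 11.575},
    "same_ip_night":   {"time": "2024-03-02 02:00:00", "ip": "203.0.113.10", "lat": 52.52, "lon": 13.405},
    "other_continent": {"time": "2024-03-01 12:30:00", "ip": "192.0.2.44", "lat": -33.87, "lon": 151.21},
}


if __name__ == "__main__":
    for name, attempt in ATTEMPTS.items():
        print(f"{name:16s} -> {evaluate_context('alice', attempt)}")
```

The Munich attempt is roughly 500 km in three hours, so it only costs a second factor for the unfamiliar IP; the Sydney attempt is about 16,000 km in three and a half hours and is denied regardless of the password being right.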
Which of the following is not a common attack against Kerberos?
A. Administrator account attacks
B. Ticket reuse attacks
C. Open redirect-based attacks
D. TGT-focused attacks
Answer:
C. Common attacks against Kerberos include attacks aimed at administrative accounts, particularly those that attempt to create a ticket-granting ticket (TGT). Ticket reuse attacks are also common. Open redirect-based attacks are associated with OAuth rather than Kerberos.
Which of the following technologies is not a shared authentication technology?
A. OpenID Connect
B. LDAP
C. OAuth
D. Facebook Connect
Answer:
B. LDAP is sometimes used for single sign-on (SSO) but is not a shared authentication technology. OpenID Connect, OAuth, and Facebook Connect are all examples of shared authentication technologies.
Angela is concerned about attackers enumerating her organization’s LDAP directory. What LDAP control should she recommend to help limit the impact of this type of data gathering?
A. LDAP replication
B. ACLs
C. Enable TLS
D. Use MD5 for storage of secrets
Answer:
B. LDAP access control lists (ACLs) limit which accounts or users can read which objects and attributes in the directory, so an anonymous or low-privilege bind cannot walk the whole tree. LDAP replication may help with load or denial-of-service issues, TLS protects data in transit but does nothing to stop an authenticated client from enumerating entries, and storing secrets such as passwords as MD5 is simply a bad idea.
What security design is best suited to protect authentication and authorization for a network that uses TACACS+?
A. Use TACACS+ built-in encryption to protect traffic
B. Implement TACACS++
C. Enable accounting services to detect issues
D. Route management traffic over a dedicated network
Answer:
D. TACACS+ should be run on an isolated management network to protect it from attackers. The protocol's built-in body obfuscation is a keyed MD5 scheme that RFC 8907 does not consider adequate protection, so it cannot be relied on as encryption; TACACS++ does not exist; and while enabling accounting is a good idea, it records attacks rather than stopping them.
Jason has user rights on his Linux workstation, but he wants to read his department’s financial reports, which he knows are stored in a directory that only administrators can access. He executes a local exploit, which gives him the ability to act as root. What type of attack is this?
A. Privilege escalation
B. Zero-day
C. Rootkit
D. Session hijacking
Answer:
A. Jason's exploit is a form of privilege escalation, which uses a flaw to gain elevated privileges. Local users have a far greater ability to attempt these attacks in most organizations, since flaws that are only exploitable locally often get less attention from administrators than those that can be exploited remotely. A zero-day attack would use previously unknown flaws to exploit a system, rootkits are aimed at acquiring and maintaining long-term access to systems, and session hijacking focuses on taking over existing sessions.
Which of the following methods is not an effective method for preventing brute-force password guessing attacks via login portals?
A. CAPTCHAs
B. Returning an HTTP error
C. Login throttling
D. Failed login account lockout
Answer:
B. CAPTCHAs, login throttling, and locking out accounts after a set number of failed logins are all useful techniques to stop or delay brute-force password guessing attacks. Some sites also use unique login URLs, or limit the IP ranges from which systems can authenticate. Returning a distinctive HTTP error actually works in the attacker's favor: a status code or message that differs between "no such user", "wrong password" and "account locked" is an oracle that attack tooling keys off to confirm valid usernames and move straight to the next guess. Every failed login should produce the same response.
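The defenses named above, as an added example that is not part of the original flashcards: a login guard with per-account lockout, per-IP throttling, and one identical failure response for unknown users, wrong passwords, locked accounts and throttled clients, with the password KDF run in every case so response timing does not leak whether the username exists. The user store, the limits and the clock value passed in by the caller are constructed for the example, and the PBKDF2 iteration count is lowered so it runs quickly.

```python
import hashlib
import hmac
import os

# Lowered so the example runs fast; production PBKDF2-HMAC-SHA256 counts are far higher.
ITERATIONS = 50_000


def make_record(password, iterations=ITERATIONS):
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)}


def verify_record(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


class LoginGuard:
    """Per-account lockout plus per-IP throttling, with one response for every failure."""

    GENERIC_FAILURE = "Invalid username or password."

    def __init__(self, users, max_failures=5, lockout_seconds=900, ip_limit=20, ip_window=60):
        self.users = users                      # username -> password record
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.ip_limit = ip_limit                # attempts allowed per IP inside ip_window
        self.ip_window = ip_window
        self.failures = {}                      # username -> consecutive failed attempts
        self.locked_until = {}                  # username -> time the lockout ends
        self.ip_attempts = {}                   # ip -> timestamps of recent attempts
        self._decoy = make_record(os.urandom(16).hex())   # verified against for unknown users

    def attempt(self, username, password, ip, now):
        """Return (success, message). `now` is injected so callers and tests drive the clock."""
        recent = [t for t in self.ip_attempts.get(ip, []) if now - t < self.ip_window]
        recent.append(now)
        self.ip_attempts[ip] = recent
        if len(recent) > self.ip_limit:
            # Throttled: same body as any other failure, nothing that says "slow down".
            return False, self.GENERIC_FAILURE

        # Always run the KDF, even for unknown or locked accounts, so the response time
        # does not reveal whether the username exists or is locked.
        record = self.users.get(username, self._decoy)
        password_ok = verify_record(record, password) and username in self.users

        if self.locked_until.get(username, 0) > now:
            return False, self.GENERIC_FAILURE   # a correct password does not bypass lockout

        if password_ok:
            self.failures.pop(username, None)
            return True, "ok"

        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        if count >= self.max_failures:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
        return False, self.GENERIC_FAILURE


if __name__ == "__main__":
    guard = LoginGuard({"alice": make_record("correct horse battery staple")},
                       max_failures=3, lockout_seconds=60)
    for t, (user, pw) in enumerate([("mallory", "x"), ("alice", "x"), ("alice", "x"),
                                    ("alice", "x"), ("alice", "correct horse battery staple")]):
        print(t, user, guard.attempt(user, pw, "198.51.100.9", now=float(t)))
    print(70, "alice", guard.attempt("alice", "correct horse battery staple", "198.51.100.9", now=70.0))
```

Lockout notifications belong on a side channel (e-mail to the account owner, an alert to the SOC), never in the login response, and the lockout counter is keyed on the account while the throttle is keyed on the source, so a distributed attack that spreads guesses over many IPs still trips the per-account limit.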
Which party in a federated identity service model makes assertions about identities to service providers?
A. RPs
B. CDUs
C. IDPs
D. APs
Answer:
C. Identity providers (IDPs) make assertions about identities to the relying parties (RPs) or service providers in a federation, which consume those assertions to decide whether to grant access. CDUs and APs are not terms used in federated identity designs.