Lesson 8 - Implementing Identity and Account Management Controls

Question 1

The process of bringing in a new employee, contractor, or supplier.

Answer 1

Onboarding

Question 2

An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.

Answer 2

nondisclosure agreement (NDA)

Question 3

A concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

Answer 3

Separation of Duties

Question 4

A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

Answer 4

Least Privilege

Question 5

The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person’s duties.

Answer 5

Job Rotation

Question 6

The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.

Answer 6

Mandatory Vacation

Question 7

The process of ensuring that all HR and other requirements are covered when an employee leaves an organization.

Answer 7

An exit interview (or offboarding

Question 8

A collection of user accounts that are useful when establishing file permissions and user rights because when many individuals need the same level of access.

Answer 8

a security group account
a group could be established containing all the relevant users

Question 9

Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access.

Answer 9

default account

Question 10

A host or network account that is designed to run a background service, rather than to log on interactively.

Answer 10

Service accounts

Question 11

The value assigned to an account by Windows and that is used by the operating system to identify that account.

Answer 11

Security Identifier (SID)

Question 12

On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.

Answer 12

Group Policy Objects (GPOs)

Question 13

A set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.

Answer 13

Account policies

Question 14

The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.

Answer 14

Geolocation

Question 15

The practice of creating a virtual boundary based on real-world geography.

Answer 15

Geofencing

Question 16

The addition of location metadata to files or devices.

Answer 16

Geotagging

Question 17

Policies or configuration settings that limit a user’s access to resources.

Answer 17

Time of day policy

Question 18

An employee who gains more and more access privileges the longer they remain with the organization.

Answer 18

Authorization Creep

Question 19

If a user has moved to a new job, old privileges may need to be revoked and new ones granted.

Answer 19

Recertification

Question 20

Security settings that control access to objects including file system items and network resources.

Answer 20

Permissions

Question 21

Access control model where each resource is protected by an Access Control List (ACL) managed by the resource’s owner (or owners).

Answer 21

Discretionary Access Control (DAC)

Question 22

An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.

Answer 22

Role-Based Access Control (RBAC)

Question 23

Each record in the ACL is called an access control

Answer 23

ACE
ACLs can be enforced by a file system that supports permissions, such as NTFS, ext3/ext4, or ZFS.

Question 24

Linux command for managing file permissions.

Answer 24

chmod

Question 25

Access control model where resources are protected by inflexible, system defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).

Answer 25

Mandatory Access Control (MAC)

Question 26

An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.

Answer 26

Attribute-Based Access Control (ABAC)

Question 27

A non-discretionary access control technique that is based on a set of operational rules or restrictions to enforce a least privileges permissions policy.

Answer 27

Rule-Based Access Control (RBAC)
As such, RBAC, ABAC, and MAC are all examples of rule-based (or non-discretionary) access control.

Question 28

Policies, procedures, and support software for managing accounts and credentials with administrative permissions.

Answer 28

Privileged access management (PAM)

Question 29

A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.

Answer 29

Directory Services
The Lightweight Directory Access Protocol (LDAP) is a protocol widely used to query and update X.500 format directories.

Question 30

A unique identifier for any given resource within an X.500-like directory.

Answer 30

Distinguished Name

Question 31

A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.

Answer 31

Federation

Question 32

In a federated network, the service that holds the user account and performs authentication.

Answer 32

Identity Provider (IdP)

Question 33

An XML-based data format used to exchange authentication information between a client and a service.

Answer 33

Security Assertions Markup Language (SAML)

Question 34

An XML-based web services protocol that is used to exchange messages.

Answer 34

Simple Object Access Protocol (SOAP)

Question 35

Standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.

Answer 35

OAuth

Question 36

An authentication layer that sits on top of the OAuth 2.0 authorization protocol.

Answer 36

OpenID Connect (OIDC)
OAuth is explicitly designed to authorize claims and not to authenticate users.
OpenID uses XML-format messaging and supports only web applications and not mobile apps.

Question 37

A policy that governs employees’ use of company equipment and Internet services. ISPs may also apply AUPs to their customers.

Answer 37

Acceptable Use Policy

Question 38

Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values it expects its employees to practice.

Answer 38

Code of Conduct

Question 39

An organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.

Answer 39

Clean Desk Policy

Question 40

Training event where learners must identify a token within a live network environment.

Answer 40

Capture the Flag (CTF)

Answer 41

Computer-Based Training (CBT)