Managing Identity and Authentication Flashcards

1
Q

Know how physical access controls protect assets

A

Physical access controls are those you can touch, and they directly protect systems, devices, and facilities by controlling access and controlling the environment. Indirectly, they also protect information and applications by limiting physical access.

2
Q

Know how logical access controls protect assets

A

Logical access controls include authentication, authorization, and permissions. They limit who can access information stored on systems and devices. They also limit access to configuration settings on systems and devices.

3
Q

Know the difference between subjects and objects

A

You’ll find that CISSP questions and security documentation commonly use the terms subject and object, so it’s important to know the difference between them. Subjects are active entities (such as users) that access passive objects (such as files). A user is a subject who accesses objects while performing some action or accomplishing a work task.

4
Q

Know the difference between identification and authentication

A

Access controls depend on effective identification and authentication. A subject first claims an identity; for a user, identification can be as simple as presenting a username. The subject then proves that claim by presenting authentication credentials, such as the password that matches the username. People, devices, and services all prove their identity by presenting valid credentials, and a system should never grant access on the claimed identity alone.

5
Q

Understand the establishment of identity, registration, and proofing

A

New employees establish their identity with official documentation such as a passport, driver’s license, or birth certificate. HR personnel then begin the registration process, which includes creating an account for the new employee; when biometric authentication is used, registration also enrolls the employee’s biometric data. Identity proofing can also use knowledge-based authentication (KBA) and cognitive passwords, which ask users a series of questions that only the genuine user should be able to answer.

6
Q

Understand the difference between authorization and accountability

A

After authenticating subjects, systems authorize access to objects based on the subject’s proven identity (authorization). Audit logs and audit trails record events, including the identity of the subject that performed each action. Accountability is the result of combining effective identification, authentication, and auditing: every action can be traced back to a specific, proven identity, which is only meaningful if the authentication was strong enough that nobody else could easily have claimed that identity.
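The cards above describe a chain of four steps: a subject claims an identity, proves it, is authorized against an object, and leaves an audit record. The block below is an added example (not from the original flashcards) that runs that chain end to end; the usernames, passwords, ACL, PBKDF2 iteration count and object names are all constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Added example, not from the original page. PBKDF2 parameters and all names are
# hypothetical; the directory, ACL and audit log are constructed in memory.
PBKDF2_ITERATIONS = 100_000


def make_record(password):
    """Store a salted PBKDF2-HMAC-SHA256 hash, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


# Subjects (active entities) and their authentication credentials.
SUBJECTS = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("hunter2"),
}

# Objects (passive entities) and the permissions each subject holds on them.
ACL = {
    "/payroll.xlsx": {"alice": {"read", "write"}},
    "/handbook.pdf": {"alice": {"read"}, "bob": {"read"}},
}

# Audit trail: every decision records who did what to which object, and the outcome.
AUDIT_LOG = []

# A dummy record so an unknown username costs the same PBKDF2 work as a real one;
# otherwise response timing would reveal which identities exist.
_DUMMY = make_record(os.urandom(8).hex())


def audit(action, subject, obj, outcome):
    AUDIT_LOG.append({
        "ts": time.time(), "subject": subject, "action": action,
        "object": obj, "outcome": "success" if outcome else "denied",
    })


def authenticate(claimed_identity, password):
    """Identification is the claim (the username); authentication is the proof
    (a password whose PBKDF2 hash matches the stored one)."""
    record = SUBJECTS.get(claimed_identity, _DUMMY)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ITERATIONS)
    # compare_digest is constant-time; the membership test rejects a dummy-record match.
    ok = hmac.compare_digest(digest, record["hash"]) and claimed_identity in SUBJECTS
    audit("authenticate", claimed_identity, None, ok)
    return ok


def authorize(subject, obj, action):
    """Authorization: may this proven subject perform the action on the object?"""
    allowed = action in ACL.get(obj, {}).get(subject, set())
    audit(action, subject, obj, allowed)
    return allowed


def access(identity, password, obj, action):
    """Full chain: identify, authenticate, authorize; every step leaves an audit record."""
    if not authenticate(identity, password):
        return False
    return authorize(identity, obj, action)


if __name__ == "__main__":
    print(access("alice", "correct horse battery staple", "/payroll.xlsx", "write"))
    print(access("bob", "hunter2", "/payroll.xlsx", "read"))
    for entry in AUDIT_LOG:
        print(entry)
```

Note the two distinct failure modes in the audit log: bob with a wrong password fails at authentication, while bob with the right password fails at authorization on the payroll file. Both are recorded against a named subject, which is what makes the log useful for accountability.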

7
Q

Understand the details of the primary authentication factors

A

The three primary factors of authentication are something you know (such as a password or PIN), something you have (such as a smartcard or token), and something you are (a biometric characteristic). Multifactor authentication (MFA) combines two or more different factors and is more secure than any single factor because an attacker must defeat each factor separately; two methods from the same factor (two passwords, for example) do not count as MFA. Passwords are the weakest form of authentication, but password policies help increase their security by enforcing complexity and history requirements. Smartcards contain a microprocessor and a cryptographic certificate, and tokens generate one-time passwords. Biometric methods authenticate users based on physical characteristics such as fingerprints. Biometric accuracy is expressed by the crossover error rate (CER), the point where the false rejection rate (FRR, Type I error, rejecting a genuine user) equals the false acceptance rate (FAR, Type II error, accepting an impostor); a lower CER indicates a more accurate system.

8
Q

Understand single sign-on

A

Single sign-on (SSO) is a mechanism that allows subjects to authenticate once and access multiple objects without authenticating again. The user proves their identity to a central authority a single time, and that proof is reused across systems for the rest of the session. The trade-off is that one compromised set of credentials opens every system the user can reach, which is why SSO is normally paired with MFA.

9
Q

Describe how federated identity systems are implemented

A

Federated identity management (FIM) systems are implemented on-premises (which gives the organization the most control), through a third-party cloud service, or as a hybrid of the two.

10
Q

Describe just-in-time (JIT) provisioning

A

JIT provisioning creates a user’s account on a third-party site automatically the first time the user logs on, using the attributes supplied by the identity provider, so administrators do not have to create accounts in advance. JIT reduces the administrative workload.
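The three preceding cards (SSO, federated identity, JIT provisioning) describe one flow: the user authenticates once at an identity provider (IdP), the IdP issues a signed assertion for each service provider (SP) the user visits, and an SP that has never seen the user creates the account from the asserted attributes. The following added example (not from the original flashcards) simulates that flow in memory. The signing key, the 300 second assertion lifetime, the user "alice" and the two SPs are assumptions; an HMAC over a JSON body stands in for a real SAML or OIDC signature, but the checks an SP must perform (signature, audience, validity window) are the same.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Added example, not from the original page. The key, the 300 s lifetime and all
# names are assumptions. An HMAC over a JSON body stands in for a real SAML or OIDC
# signature; the validation steps (signature, audience, time window) are the same.
IDP_KEY = b"demo-idp-signing-key-not-for-production"
ASSERTION_TTL = 300


def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_user(password, email, groups):
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)
    return {"salt": salt, "pw_hash": pw_hash, "email": email, "groups": groups}


class IdentityProvider:
    """The user authenticates here once; afterwards the IdP issues a signed assertion
    for each service provider (SP) the user visits, without asking for the password again."""

    def __init__(self, key, users):
        self.key, self.users, self.sessions = key, users, {}

    def login(self, username, password):
        user = self.users.get(username)
        if user is None:
            return None
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 50_000)
        if not hmac.compare_digest(digest, user["pw_hash"]):
            return None
        sid = secrets.token_urlsafe(32)          # the single sign-on session
        self.sessions[sid] = username
        return sid

    def issue(self, sid, audience, now=None):
        now = time.time() if now is None else now
        username = self.sessions.get(sid)
        if username is None:
            return None
        user = self.users[username]
        body = {"sub": username, "aud": audience, "iat": now, "exp": now + ASSERTION_TTL,
                "email": user["email"], "groups": user["groups"]}
        payload = b64(json.dumps(body, sort_keys=True).encode())
        sig = b64(hmac.new(self.key, payload.encode(), hashlib.sha256).digest())
        return payload + "." + sig


class ServiceProvider:
    """Trusts assertions from the IdP and provisions local accounts just in time."""

    def __init__(self, name, idp_key):
        self.name, self.idp_key, self.accounts = name, idp_key, {}

    def consume(self, assertion, now=None):
        now = time.time() if now is None else now
        try:
            payload, sig = assertion.split(".")
        except ValueError:
            return None
        expected = b64(hmac.new(self.idp_key, payload.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None            # forged or tampered assertion
        body = json.loads(unb64(payload))
        if body["aud"] != self.name:
            return None            # issued for a different SP: refuse cross-site replay
        if not body["iat"] <= now < body["exp"]:
            return None            # outside the validity window
        account = self.accounts.get(body["sub"])
        if account is None:
            # JIT provisioning: the first login creates the account from asserted attributes.
            self.accounts[body["sub"]] = {"email": body["email"], "groups": list(body["groups"]),
                                          "created": now, "jit": True}
        else:
            account["groups"] = list(body["groups"])   # later logins only refresh attributes
        return body["sub"]


# Constructed federation: one IdP, two SPs that share the IdP's verification key.
IDP = IdentityProvider(IDP_KEY, {"alice": make_user("correct horse", "alice@example.com", ["staff"])})
WIKI = ServiceProvider("wiki", IDP_KEY)
TICKETS = ServiceProvider("tickets", IDP_KEY)
```

The audience check is the step most often skipped in home-grown SSO: without it, an assertion captured from the wiki could be replayed against the ticketing system. The `created` timestamp on the JIT-provisioned account is also what a later access review would use to spot accounts that were created automatically and never used again.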

11
Q

Know about credential management systems

A

Credential management systems store users’ credentials (usernames and passwords) and supply them again when a user returns to a website. The W3C published the Credential Management API as a working draft in 2019, and developers commonly use it as a credential management system: it gives a website a standard browser interface for asking the browser to store a credential after a successful login and to return it on the next visit, so the user can log on without entering the credentials again.

12
Q

Explain session management

A

Session management processes help prevent unauthorized access by closing unattended sessions. Developers commonly use web frameworks to implement session management; these frameworks let developers ensure that a session is terminated after a set period of inactivity, such as 2 minutes, so that a session left open on an unattended device cannot be reused by someone else.

13
Q

Understand the identity and access provisioning lifecycle

A

The identity and access provisioning lifecycle refers to the creation, management, and deletion of accounts. Provisioning ensures that accounts have appropriate privileges based on task requirements and employees receive any needed hardware. Onboarding processes inform employees of organizational processes. Deprovisioning processes disable or delete an account when employees leave, and offboarding processes ensure that employees return all the hardware an organization issued to them.

14
Q

Explain the importance of role definition

A

When an organization creates new job roles, it’s important to identify privileges needed by anyone in these new roles. Doing so ensures that employees in these new roles do not have excessive privileges.

15
Q

Describe the purpose of account access reviews

A

Account access reviews are performed on user accounts, system accounts, and service accounts. They verify that each account holds only the privileges its role requires, detecting privilege creep, and they identify accounts that should already have been disabled or deleted, such as unused accounts or accounts belonging to people who have left the organization.
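The last three cards (the provisioning lifecycle, role definition and access reviews) fit together: role definitions state what privileges a role needs, provisioning grants them, and the review compares what each account actually holds against that definition and its activity. The following added example (not from the original flashcards) runs such a review over a constructed account inventory. The roles, privilege names, the 90-day dormancy threshold, the review date and every account are invented for the demo.

```python
from datetime import datetime, timedelta

# Added example, not from the original page. Role definitions, the 90-day dormancy
# threshold, dates and every account below are constructed for the demo.
ROLE_PRIVILEGES = {
    "helpdesk": {"reset_password", "read_tickets"},
    "dba": {"read_tickets", "db_admin"},
    "backup_service": {"read_all_files"},
}
DORMANT_DAYS = 90
AS_OF = datetime(2024, 6, 1)


def account(name, kind, role, privileges, last_logon, enabled=True, owner_active=True):
    return {"name": name, "kind": kind, "role": role, "privileges": set(privileges),
            "last_logon": datetime.strptime(last_logon, "%Y-%m-%d"),
            "enabled": enabled, "owner_active": owner_active}


# Inventory as an access review would export it: user, system and service accounts.
ACCOUNTS = [
    account("alice", "user", "helpdesk", ["reset_password", "read_tickets"], "2024-05-20"),
    # bob kept db_admin after a temporary project: privilege creep
    account("bob", "user", "helpdesk", ["reset_password", "read_tickets", "db_admin"], "2024-05-21"),
    # carol left the organisation but was never deprovisioned
    account("carol", "user", "dba", ["read_tickets", "db_admin"], "2024-01-03", owner_active=False),
    # service account granted more than its role needs
    account("svc-backup", "service", "backup_service", ["read_all_files", "db_admin"], "2024-05-22"),
    # dave is still employed but has not logged on for months
    account("dave", "user", "helpdesk", ["reset_password", "read_tickets"], "2023-11-01"),
]


def review(accounts, role_privileges, as_of, dormant_days=DORMANT_DAYS):
    """Compare each account with its role definition and activity; return (name, finding, detail)."""
    findings = []
    cutoff = as_of - timedelta(days=dormant_days)
    for a in accounts:
        excess = a["privileges"] - role_privileges.get(a["role"], set())
        if excess:
            findings.append((a["name"], "excessive_privileges", sorted(excess)))
        if a["enabled"] and not a["owner_active"]:
            findings.append((a["name"], "not_deprovisioned", None))
        if a["enabled"] and a["last_logon"] < cutoff:
            findings.append((a["name"], "dormant", a["last_logon"].strftime("%Y-%m-%d")))
    return findings


def deprovision(account_record):
    """Disable rather than delete, so audit trails still resolve the account name; strip privileges."""
    account_record["enabled"] = False
    account_record["privileges"] = set()


def right_size(account_record, role_privileges):
    """Reduce an account to exactly what its role definition allows; return what was removed."""
    allowed = role_privileges.get(account_record["role"], set())
    removed = account_record["privileges"] - allowed
    account_record["privileges"] &= allowed
    return sorted(removed)


if __name__ == "__main__":
    for name, finding, detail in review(ACCOUNTS, ROLE_PRIVILEGES, AS_OF):
        print(f"{name:12} {finding:22} {detail if detail is not None else ''}")
```

The review only works because the role definitions exist as data the check can compare against; without them "excessive" has no meaning, which is the point of the role-definition card. Disabling rather than deleting during deprovisioning keeps the account name resolvable in old audit logs, which matters if the departed user's activity ever needs to be investigated.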
