Chapter 6 ■ Identity and Access Control ExamQ
Which form of access control is probably best for zero trust architectures to use? A. Role-based B. Subject-based C. Object-based D. Attribute-based
D. Option D, attribute-based, can use complex Boolean logic statements to conditionally evaluate almost any criteria, environmental or situational conditions, and so forth, to authorize an access request. Each of the others provides limited capabilities by comparison; zero trust typically requires the most rigorous access control possible.
What is the role of third parties in identity management and access control? (Choose all that apply.) A. Third parties are those who have access to your systems via federated access, and as such, are part of your trust architectures. B. Credential service can be provided by third parties or by internal services as part of your systems. C. Identity proofing can be provided by external third parties. D. Identity as a service, usually via a cloud or Web-based service, is provided by numerous third parties.
B, C, D. Option A confuses the roles of third-party service providers with those of organizations and individuals that collaborate with you via federated access and is not correct. The others are legitimate examples of third-party roles; note that Option D is still a relatively immature market, and if you're tempted to use IDaaS, choose your vendor with care!
Which of the following are allowed under mandatory access control policies? A. Passing information about the object to another subject B. Changing or creating new security attributes for an object or another subject C. Granting privileges to another subject D. None of these are allowed under mandatory access control policies.
D. Each of the options (A, B, C) is allowing a subject to modify the security enforcements in the system, either for an object it has been granted access to or for some other part of the system. Mandatory access control does not permit this. Thus Option D is correct.
Which form of access control depends on well-defined and up-to-date job descriptions? A. Role-based B. Subject-based C. Object-based D. Attribute-based
A. Option B looks at specific aspects of the subject, which might include duties and tasks in their job description, but Option A is more correct in that role-based access control can apply to subjects and objects both. Option D can contain role-based criteria, but normally this looks at many more conditions and criteria. Option C focuses more on the nature of the object—which may be used by more than one role.
Which statement about subjects and objects is not correct? A. Subjects are what users or processes require access to in order to accomplish their assigned duties. B. Objects can be people, information (stored in any fashion), devices, processes, or servers. C. Objects are the data that subjects want to access in order to read it, write to it, or otherwise use it. D. Subjects are people, devices, or processes.
A. Subjects, by definition, want to do something that involves an object. Thus, Option A has these roles reversed. Subjects can be any kind of entity that can take action. Objects contain information, but also can provide requested services (that is, take action upon request), so Options B and C are correct.
Your IT director has asked you for a recommendation about which access control standard your team should be looking to implement. He's suggested either Diameter or XTACACS, as they used those in his last job. Which of the following gives you the best information to use in replying to your boss? A. The standard is IEEE 802.1X; Diameter and XTACACS are implementations of the standard. B. Diameter is an enhanced RADIUS and has been quite successful. C. XTACACS replaced TACACS+, which could be a good solution for you. D. RADIUS is the standard to work with.
A. Option B is partly correct, but Diameter never caught on in the market for a variety of reasons and is probably out of date by now. Option C is also incorrect—first came TACACS, which gave rise to both XTACACS, a proprietary product, and TACAC+, not the other way around. Option D is incorrect, since systems may be de facto "standards" (because a lot of companies use them), but they are not published standards by appropriate standards agencies.
Which statements about AAA in access control are correct? (Choose all that apply.) A. Accounting provides the authorization to access resources as part of chargeback systems. B. Analysis, auditing, and accounting are the services provided by an access control system's server. C. Authorization checks to see if an identity has the right(s) to access a resource, while authentication validates that the identity is what it claims to be. Accounting tracks everything that is requested, approved, or denied. D. Authentication checks to see if an identity has been granted access privileges, using the access control tables in the central repository; authorization validates the identity is allowed to access the system. Accounting keeps track of all requests, approvals, and denials.
B, C. Access control is not involved with resource chargeback, that is, billing; thus Option A is not correct. Option D has confused the roles of authorization and authentication, which Option C states correctly. Option B is correct—this is the "triple A" of access control.
Multifactor authentication means that our systems validate claims to subject identity based on: A. Third-party trusted identity proofing services B. Digital identity platforms C. Some aspect of what the subject is, knows, or has D. Two different biometric measurements
C. Option A is incorrect; proofing establishes the truthfulness of documents or other information that attest to a person's claim to be that person and is used during the identity provisioning process. Option B can be used as single-factor or as part of a multifactor system, for example, by using a Microsoft account to sign on to a Web service. Option D is incorrect; while this is two different measurements, they both attest to what the subject is (the physical body), and multifactor would require us to look at what the subject has or knows as well.
What kinds of privileges should not be part of what your mandatory access control policies can grant or deny to a requesting subject? (Choose all that apply.) A. Any privilege relating to reading from, writing to, modifying, or deleting the object in question, if it was created or is owned by the requesting subject B. Reading or writing/modifying the metadata associated with an object C. Modifying access control system constraints, rules, or policies D. Reading, writing, deleting, or asking the system to load the object as an executable task or thread and run it
A, C. Be careful of the negative in the question! Mandatory access control policies do not allow subjects or objects to modify the security-related aspects of the systems, its subjects, and its objects; thus, granting the privileges in Option A or C cannot be allowed. Options B and D reflect reasonable and prudent access control checks that all systems should perform before granting access.
John has talked with his IT director about getting an upgrade to their network access control tools that will allow them to implement remediation and quarantine measures. His director thinks this is unnecessary because their enterprise antimalware system provides for quarantine. Is John's director correct? Which of the following should John share with his director? A. No, because malware quarantine moves infected files into safe storage where they cannot be executed or copied by users; network access control quarantine prevents devices that are not up-to-date with software updates or other features from connecting to the Internet without performing required updates. B. Yes, because both kinds of technologies can support quarantine of suspect or questionable systems. C. No, because network access quarantine prevents HTTP or HTTPS connection attempts from systems that do not meet policy requirements by restricting them to webpages with update instructions; malware quarantine puts infected or suspected files out of reach of users to prevent inadvertent or deliberate execution or read attempts on them. D. Yes, because the antimalware system will prevent devices that are infected from accessing any systems resources, whether files, other CPUs, or other nodes on the network.
A. Option A correctly describes malware quarantine, and remediation by quarantine networks for systems not meeting requirements. Option B is incorrect, since antimalware systems do not quarantine systems but only files they encounter during scanning. Option C correctly describes captive portal quarantine by network access control systems, which differs from antimalware file-based quarantine. Option D misstates the capabilities of antimalware systems (unless they fully incorporate access control and identity management functions, of course).
Which statements about a reference monitor in an identity management and access control system are correct? A. It should be tamper-resistant. B. Its design and implementation should be complex so as to defeat reverse engineering attacks. C. It's an abstract design concept, which is not actually built into real hardware, operating systems, or access control implementations. D. It is part of the secure kernel in the accounting server or services provided by strong access control systems.
A. The reference monitor is the functionality that checks every access attempt to see if it should be authorized or denied. As a result, Option D is false (accounting is a recordkeeping function, necessary to access control but done after the access request is granted or denied). Option C is false, as the reference monitor is in fact implemented in operating systems (typically in their security kernel), or as part of a trusted computing base (TCB) module on a motherboard. Option B is the reverse of what's required; we need to be able to inspect, analyze, and verify that the logic and code of the reference monitor does its job completely and correctly and that it does nothing else if we are to consider it highly trustworthy.
In access control authentication systems, which is riskier, false positive or false negative errors? A. False negatives, because they lead to a threat actor being granted access B. False positives, because they lead to a threat actor being granted access C. False negatives, because they lead to legitimate subjects being denied access, which impacts business processes D. False positives, because they lead to legitimate subjects being denied access, which impacts business processes
B. A positive result of an authentication test means that the claimant is who (or what) they claim to be. Thus a false positive is allowing an incorrect identity to access the system, which probably is a threat actor. A negative result denies an identity's claim to be who (or what) they claim to be. Thus a false negative denies a legitimate identity from system access. Thus, Options A and D incorrectly use the concept of negative and positive authentication results (correct and false). While Option C is true, Option B indicates the situation of greatest risk—a threat actor has been legitimized and granted access.
Which statement about single-factor vs. multifactor authentication is most correct? A. Single-factor is easiest to implement but with strong authentication is the hardest to attack. B. Multifactor requires greater implementation, maintenance, and management, but it can be extremely hard to spoof as a result. C. Multifactor authentication requires additional hardware devices to make properly secure. D. Multifactor authentication should be reserved for those high-risk functions that require extra security
B. Option A is false; each additional factor checked increases the challenge an attacker has to overcome to spoof an identity claim. Option C is false; hardware is only needed for factors involving what the subject has, such as a keyfob code generator, or biometric factors. Option D is tempting, and high-risk functions might be best protected with additional security measures, but compared to Option B, it is not as compellingly correct.
Which statement about federated access systems is most correct? A. SSO and federated access provide comparable capabilities and security. B. By making identity more portable, federated access allows multiple organizations to collaborate, but it does require greater attention to access control for each organization and its systems. C. Once you've established the proper trust architecture, federated access systems are simple to implement and keep secure. D. Most federated access systems need to use a digital identity platform or IDaaS to provide proper authentication.
B. Option A is incorrect; SSO is a subset of both the capabilities and security (issues and security solutions) that federated access can support. Option C correctly raises the issue of the trust architecture, but going from there to a full federated access control system, and keeping that secure, can be challenging. Keeping it secure will always require monitoring, analysis, and testing. Option D is incorrect; federated access, like SSO, can use any means of identity authentication that meets the organization's CIANA needs.
Your IT department head wants to implement SSO, but some of the other division heads think it adds too much risk. She asks for your advice. Which statement best helps her address other managers' concerns? A. They're right; by bridging multiple systems together with one common access credential, you risk opening everything to an attacker. B. Yes and no; single sign-on by itself would be risky, but thorough and rigorous access control at the system, application, and data level, tied to job functions or other attributes, should provide one-stop login but good protection. C. Single sign-off involves very little risk; you do, however, need to ensure that all apps and services that users could connect to have timeout provisions that result in clean closing of files and task terminations. D. Since support for single sign-on is built into the protocols and operating systems you use, there's very little risk involved in implementation or managing its use.
B. Option B is correct, as it emphasizes the need to have a rigorous threat modeling or vulnerability assessment drive the way you design and use access control at a very fine-grain level. Option A is only partially correct, because it considers SSO as if it's a one-ingredient answer to a complex situation. Option C confuses single sign-OFF with single sign-ON; it's correct in what it says, but single sign-off is relatively minor issue of little security risk. Option D is incorrect, as it exaggerates basic OS and network capabilities into a "support" that isn't really there. It also misinterprets managements' concern about security risk and addresses implementation risk instead.
Which set of steps correctly shows the process of identity management? 1. Proofing 2. Provisioning 3. Review 4. Revocation 5. Deletion A. 1, 2, 3, 4, and then 5 B. 2, 3, 4 C. 1, 2, 4, 5 D. 2, 3, 5
B. Step 1, Proofing, is part of provisioning, and thus Options A and C are incorrect. Step 5, Deletion, happens after revocation, but it is a cleanup of files, assets, and records, and it is more properly part of a records retention and housekeeping process. It is not part of identity management. Thus, Option D is incorrect. Option B correctly reflects that we start by provisioning an identity, we continually review the privileges assigned to it versus the needs of the job and the organization, and then we revoke it.
What's the most secure way to authenticate device identity prior to authorizing it to connect to the network? A. MAC address whitelisting B. Multifactor authentication that considers device identification, physical location, and other attributes C. Verifying that the device meets system policy constraints as to software and malware updates D. Devices don't authenticate, but the people using them do.
B. Option D is high risk, and therefore incorrect; plugging a device into an empty network connection should start a connection handshake that is an opportunity to block an unknown or unauthorized device from joining the network. Options A and C are parts of how Option B performs such an authentication, and therefore B is the most correct answer and the most secure approach of the three.
Which of the following statements are true about discretionary access control policies? (Choose all that apply.) A. Subjects cannot be allowed to pass information about the object to another subject. B. Changing or creating new security attributes for an object or another subject can only be done by the access control system. C. Subjects can change rules pertaining to access control but only if this is uniformly permitted across the system for all subjects. D. Subjects can be permitted to pass on or grant their own privileges to other subjects.
C, D. Discretionary access control policies allow the systems administrators to grant capabilities (permissions) to subjects to modify aspects of access control restraints, but these must be uniformly defined for all subjects. Thus, Option C is correct, as is Option D. Options A and B apply to mandatory or nondiscretionary access control policies.
What role should zero trust architectures play in your organization's information security strategy, plans, and programs? A. None just yet; this is a theoretical concept that is still being developed by the IETF and government-industry working groups. B. If you've done your threat modeling and vulnerability assessment correctly, you don't need the added complexity of a zero trust architecture. C. By guiding you to micro-segment your networks and systems into smaller, finer-grain zones of trust, you focus your attention on ensuring that any attempts to cross a connection between such zones has to meet proper authentication standards. D. Since the protocols you need to support zero trust do not work on IPv4, you need to wait to include zero trust architectures until you've transitioned your systems to IPv6.
C. Option A is false; zero trust architectures have been used since 2007, and many systems vendors are actively supporting them with additional protocols and capabilities. Option B is only the first step in the process; risk mitigation is where implementation of network designs, including zero trust features, takes place. Option D is false; as an architecture, first you plan how to segment, secure, and "never trust, always verify." Then you build that design, and existing IPv4 commodity products are more than adequate to support such architectures.
Which statement about trust relationships and access control is most correct? A. One-way trust relationships provide the infrastructure for SSO architectures. B. Transitive trust relationships are similar to trust chains but for individual users rather than digital certificates. C. Trust relationships describe the way different organizations are willing to trust each other's domain of users when developing federated access arrangements. D. Transitive trust relationships cannot be supported by federated access technologies.
C. Option A is incorrect; single sign on (SSO) provides sign-on capabilities for an organization's domain of users, while trust relationships refers to interorganizational trust of each other's users as domains or sets. Option B is correct as far as it goes, but it does not relate this to access control; Option C does this correctly. Option D is incorrect; federated access control deals with this in almost all cases.
Why do we need IPSec? A. Now that IPv6 is here, we don't, since its built-in functions replace IPsec, which was for IPv4. B. Since more and more apps are moving to PKI for encryption of data on the move, we no longer need IPSec. C. IPSec provides key protocols and services that use encryption to provide confidentiality, authentication, integrity, and nonrepudiation at the packet level; without it, many of the Layer 2, 3, and 4 protocols are still unprotected from attack. D. Since IPv6 encrypts all traffic at all layers, once you've transitioned your systems to IPv6, you won't need IPSec, except for those legacy IPv4 systems you communicate with.
C. Option A is false; not only does IPv6 contain and support IPSec, it also makes it mandatory. Option B is false; app-level encryption does not protect lower-layer traffic from being snooped or spoofed. Thus Option C is correct. Option D is false; IPv6 doesn't do this encryption, but it builds the features into the protocol stack so that user organizations can choose to implement it. IPv6 and IPv4 are not compatible, so a gateway of some kind will be required anyway, and the issue of security through the gateway will still need to be addressed.
Which statement about extranets and trust architectures is most correct? A. Proper implementation of federated access provides safe and secure ways to bring an extranet into an organization's overall network system; thus an internetwork trust architecture is not needed. B. Extranets present high-risk ways for those outside of an organization to collaborate with the organization and thus need to be kept separate from the trust architecture used for other internetwork activities. C. Extranets provide extensions to an organization's intranet and thus need to use the same trust architecture as implemented in the main organizational network. D. Trust architectures are the integrated set of capabilities, connections, systems, and devices that provide different organizations safe, contained, and secure ways to collaborate together by sharing networks, platforms, and data as required; thus, extranets are an example of a trust architecture.
D. Option A demonstrates misunderstanding of the concept of a trust architecture, which Option D clarifies. Option B also misstates the purpose and intent of trust architectures and their role in reducing the risk of an unconstrained (or totally trusted) extranet. Option C does not correctly state what an extranet is (it allows those external to the organization to share in using the sponsoring organization's internal systems and data); it also is mistaken in saying that the same systems, technologies, connections, etc., that are the internal trust architecture would therefore be appropriate to secure and protect the extranet.
A key employee seems to have gone missing while on an overseas holiday trip. What would you recommend that management do immediately, with respect to identity management and access control, for your federated access systems? Choose the most appropriate statement. A. Deprovision the employee's identity. B. Suspend all access privileges for the employee's identity, except for email, in case the employee tries to use it to contact the company for help. C. Suspend all access privileges for the employee's identity, and notify all federated systems partners to ensure that they take similar steps. D. Suspend all access privileges for devices normally used by the employee, such as their laptop, phablet, or phone (employee-owned, company-provided, or both). If possible, quickly establish a captive portal or quarantine subnet to route access attempts from these devices to.
D. Option A unnecessarily removes the identity from your systems and those of other systems in your federated access system; this would not be called for until the fate of the employee is known to warrant a permanent removal of access privileges. Options B and C still allow devices that the employee had been known to use to access your systems; if the employee, these devices, or both are in hostile hands, this places your systems at risk. Option D is the most secure response.