CISSP Domain 5: Identity and Access Management

Need to Know

ensures that subjects are granted access only to what they need to know for their work tasks and job functions. Subjects may have clearance to access classified or restricted data but are not granted authorization to the data unless they actually need it to perform a job.

Least Privilege

ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that least privilege will also include rights to take action on a system.

Statistical Attack

exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the hardware or operating system hosting the cryptography application.

PASSWORDS

Cheap and commonly used. Passwords come from password generators or are chosen by the user (apply triviality and policy checking); a longer password is more effective than anything else.

Which of the following is not a valid LDAP DN (distinguished name)?

cn=ben,ou=example;

Work Hours

context-dependent control

Social engineering

convince an individual to give access

Passphrase

easiest to remember. Converted to a virtual password by the system.

Cognitive password

easy to remember like your mother's maiden name

Separation of Duties and Responsibilities

ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.

Which of the following is a ticket based authentication protocol designed to provide secure communication?

Kerberos

What authentication protocol does Windows use by default for AD systems?

Kerberos (AD authentication)

Performing reconnaissance

allows an attacker to find weak points to target directly with their attack code. To assist with this targeting, attacker-tool developers have created a number of automated tools that perform network reconnaissance.

Discretionary Access Control (DAC)

allows the owner, creator, or data custodian of an object to control and define access to that object.

Service Provisioning Markup Language, or SPML

an XML-based language designed to allow platforms to generate and respond to provisioning requests.

Privileges

are the combination of rights and permissions. For example, an administrator for a computer will have full privileges, granting the administrator full rights and permissions on the computer. The administrator will be able to perform any actions and access any data on the computer.

Rule-BAC

based on rules within an ACL, uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. It includes granting a subject access to an object, or granting the subject the ability to perform an action.

Implicit Deny

A basic principle that most authorization mechanisms use. The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.

What you do

behavioral

Logging

The best way to provide accountability; a change log records approved changes and the change management process.

password checker and password hacker

Both are programs that can find passwords (the checker verifies whether a password is compliant; the hacker tool is used by the hacker to obtain it).

Hybrid

centralized control is exercised for some information and decentralized for other information

What type of attack can be prevented by using a trusted path?

Login spoofing. (Trusted paths are ways to protect data between users and the security component.)

Hand Topology

Looks at the size and width of an individual's hand and fingers.

Biba is what type of access control model?

MAC (Mandatory Access Control model)

What type of access control scheme is shown in the following table?

MAC (Mandatory Access Control)

Access Control System

Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.

Which of the following is not a common threat to access control mechanisms?

Phishing

Dog, guards, and fences are all common examples of what type of control?

Physical controls

Access Control Systems

Physical or electronic systems designed to control who, or what, has access to a network

Which of the following is not an access control layer?

Policy

SAML Specification 2.0 defined Roles

Principal (user), Identity provider (IdP), Service provider (SP), Most used federated SSO

Authentication

Process of Verifying the user, User provides private data, Establish trust between the user and the system for the allocation of privileges

Logical access controls

Protection mechanisms that limit users' access to information and restrict their forms of access on the system to only what is appropriate for them

Facility access control

Protects enterprise assets and provides a history of who gained access and when the access was granted

User ID

Provides the system with a way of uniquely identifying a particular user amongst all the users of that system

Secure European System for Application in a Multi-Vendor Environment (SESAME)

Public Key Cryptology, European Standard similar to Kerberos, Needham-Schroeder protocol

Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?

RADIUS

Some OSs use a seed, salt, or nonce

Random values added to the encryption process to add more complexity.

Subject

active entity that requests access to an object or data within the object (user, program)

Kerberos

addresses Confidentiality and integrity and authentication, not availability, can be combined with other SSO solutions

Lattice based, Label

all objects and subjects have a label

A distinctive characteristic about rule-BAC models is that

they have global rules that apply to all subjects. One common example of a rule-BAC model is a firewall.

The US government CAC is an example of what form of Type 2 authentication factor?

A smart card

Role-based access control (RBAC)

An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization.

Rule-based access control (RBAC)

An access control model that is based on a list of predefined rules that determine what accesses should be granted.

Palm Scans

The palm has creases, ridges and grooves throughout it that are unique to a specific person. Appropriate by itself as a Type 3 authenticator

Callback to a home phone number is an example of what type of factor?

"somewhere you are" factor

Kerberos is included in Windows now

(replaced NTLM=NT-LAN Manager)

Rainbow Tables

Tables with passwords that are already in hash format: pre-hashed passwords paired with high-speed lookup functions.

brute force attack

Tries many different character combinations; also known as an exhaustive attack.

dictionary attack

Tries many different words.

During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?

A rainbow table attack

Kathleen needs to set up an AD trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?

A realm trust. This is the appropriate way to set up an AD environment that needs to connect to a K5 domain.

What is the stored sample of a biometric factor called?

A reference template/profile

The Kerberos logon process

1. The user types a username and password into the client.
2. The client encrypts the username with AES for transmission to the KDC.
3. The KDC verifies the username against a database of known credentials.
4. The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user's password. The KDC also generates an encrypted time-stamped TGT. The KDC then transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
5. The client installs the TGT for use until it expires.
6. The client also decrypts the symmetric key using a hash of the user's password.
7. The user can then use this ticket to access the application service.

MAC Address

A 48-bit number that is supposed to be globally unique, but it can now be changed by software, so it is not a strong identification or authentication tool.

Susan is working to improve the strength of her organization's passwords by changing the password policy. The password system that she is using allows upper- and lowercase letters as well as numbers but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create?

62 times more complex

MAC address

A 48-bit number (typically represented in hexadecimal format) that is supposed to be globally unique

In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS?

A TGT is sent

Kerberos

Developing standard for authenticating network users. Kerberos offers two key benefits: it functions in a multi-vendor network, and it does not transmit passwords over the network.

Which of the following is best described as an access control model that focuses on subjects and identifies the object that each subject can access?

A capability table. It lists the privileges assigned to subjects and identifies the objects that subjects can access.

Non-discretionary access control / Mandatory

A central authority determines what subjects have access based on policies. Role based/task based. Also lattice based can be applied (greatest lower, least upper bounds apply)

As seen in the following image, a user on a Windows system is not able to use the "Send Message" functionality. What access control model best describes this type of limitation?

A constrained interface

Cryptographic Device

A hardware device that contains non-programmable logic and non-volatile storage dedicated to all cryptographic operations and protection of private keys.

Trusted Platform Modules (TPM)

A local hardware encryption engine and secured storage for encryption keys

Radio Frequency Identification (RFID)

A non-contact, automatic identification technology that uses radio signals to identify, track, sort and detect a variety of objects including people, vehicles, goods and assets without the need for direct contact

Identity-based access control

A subset of DAC because systems identify users based on their identity and assign resource ownership to identities.

Password Management System

A system that manages passwords consistently across the enterprise

Single Sign-On (SSO)

A unified login experience (from the viewpoint of the end user) when accessing one or more systems

Security Assertion Markup Language 2.0 (SAML 2.0)

A version of the SAML OASIS standard for exchanging authentication and authorization data between security domains.

The difference between an ACL and a capability table is:

ACLs are object focused and identify access granted to subjects for any specific object. Capability tables are subject focused and identify the objects that subjects can access.

MIT project Athena

AES from the user to the KDC; encrypted key and time-stamped TGT protected with a hash of the password; the client installs the TGT and decrypts the key.

Issues regarding the usage of Biometrics

Acceptability Issues: privacy, physical, psychological

Mandatory Access Controls (MACs)

Access control that requires the system itself to manage access controls in accordance with the organization's security policies

Discretionary Access Control - Graham Denning

Access through ACLs. Discretionary can also mean controlled access protection (object reuse, protected audit trail). User directed, performs all of IAAA, identity-based access control model.

Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?

Account review

Accountability

Accountability ensures that account management has assurance that only authorized users are accessing the system and using it properly.

Port Scans

After an attacker performs an IP probe, they are left with a list of active systems on a given network. The next task is to select one or more systems to target with additional attacks.

Physical Access Control Systems (PACS)

Allows authorized security personnel to simultaneously manage and monitor multiple entry points from a single, centralized location

Access Control Matrix

An access control matrix is a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action

Rule-Based Access Control

An access control model that is based on a list of predefined rules that determine what accesses should be granted.

Role-Based Access Control (RBAC)

An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization

Physical access control system

An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules.

Fingerprints

Are made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae.

What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token?

Asynchronous

Which of the following is not a weakness in Kerberos?

Authentication info is not encrypted

Lattice based or Label access control

Authorization depends on security labels which indicate the clearance of subjects and the classification of objects (military). Restriction: need to know can apply. Lattice based is part of it! (A as in mAndatory!)

When an application or system allows a logged-in user to perform specific actions, it is an example of what?

Authorization. Provides user with capabilities or rights

A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer's account. What type of biometric factor error occurred?

Type 2 error

When Lauren uses a fingerprint scanner to access her bank account. What type of authentication factor is she using?

Type 3 "something you are"

Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice. What type of attack is the creation and exchange of state tokens intended to prevent?

CSRF

Keyboard Dynamics

Captures the electrical signals when a person types a certain phrase.

Identity as a Service (IDaaS)

Cloud-based services that broker identity and access management functions to target systems on customers' premises and/or in the cloud

Susan has been asked to recommend whether her organization should use a mandatory access control scheme or a discretionary access control scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?

DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility

Voice Print

Distinguishing differences in people's speech sounds and patterns.

Benefits of IDaaS

Effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based Software as a Service (SaaS) applications. Ability to provision identities held by the service to target applications

Signature Dynamics

Electrical signals of speed and time that can be captured when a person writes a signature.

Multi-factor Authentication

Ensures that a user is who they claim to be. The more factors used to determine a person's identity, the greater the trust of authenticity.

Biometric TYPE 2 error

False Acceptance rate FAR

Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart, at point B, what problem is likely to occur?

False acceptance will be very high.

Biometric TYPE 1 error

False rejection rate FRR

Google's identity integration with a variety of organizations and applications across domains is an example of which of the following?

Federation

Identification, Authentication, Authorization and Accountability (IAAA)

Four key principles upon which access control relies

Thin client is also a single sign-on approach

Guards a network with three elements: authentication, authorization, & auditing.

Voice pattern recognition is what type of authentication factor?

Type 3 "something you are" (Type 1 "something you know"[pwd], Type 2 "something you have"[CAC])

KRYPTOKNIGHT

IBM - thus RACF, Peer-to-peer relationship between KDC and parties

When a subject claims an identity, what process is occurring?

Identification

Relationship between Identity, Authentication, and Authorization

Identification provides uniqueness, authentication provides validity, and authorization provides control.

Jim is implementing a cloud identity solution for his organization. What type of technology is he putting in place?

Identity as a Service (IDaaS)

The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as "Which of the following streets did you live on in 2007?" What process is Susan's organization using?

Identity proofing

Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integration and security architecture design: if Alex's organization is one that is primarily made up of offsite, traveling users, what availability risk does integration of critical business applications with onsite authentication create, and how could he solve it?

If the home organization is offline, traveling users won't be able to access third-party applications; implement a hybrid cloud/local authentication system.

By default, in what format does OpenLDAP store the value of the userPassword attribute?

In the clear

Susan's organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute force attacks?

Increase the minimum password length from 8 to 16 characters

Single factor authentication

Involves the use of simply one of the three available factors solely in order to carry out the authentication process being requested.

What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider?

It creates the possibility of a phishing attack by sending data to a fake OpenID provider.

Using your knowledge of the Kerberos logon process and the following diagram, what tasks must the client perform before it can use the TGT?

It must install the TGT and decrypt the symmetric key

Physical devices for Type 2 authentication

Key, swipe card, access card, badge, tokens

Which of the following items are not commonly associated with restricted interfaces?

Keyboards (Menus, shells, DB views are constrained interfaces)

Questions like "What's your pet's name?" are examples of what type of identity proofing?

Knowledge-based authentication

Microsoft's AD Domain Services is based on which of the following technologies?

LDAP

BIOMETRICS

Most expensive. Acceptable enrollment time is 2 minutes per person; acceptable throughput is 10 people per minute.

Alex's job requires him to see personal health information to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?

Need to know

Logical access control system

Non-physical system that allows access based upon pre-determined policies.

Rule based access control

Objects are files, directories, and devices.

What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API?

OpenID Connect

Which of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors?

Palm scans

During a review of support incidents, Ben's organization discovered that password changes accounted for more than a quarter of its help desk's cases. Which of the following options would be most likely to decrease that number significantly?

Self service password reset tools

When Cris verifies an individual's identity and adds a UID like a user ID to an identity system, what process has occurred?

Registration

Jacob is planning his organization's biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?

Retina scans can reveal information about medical conditions

What type of access control is typically used by firewalls?

Rule-BAC (Based Access Control)

On a Windows system, with this utility

SYSKEY. The hashed passwords (LM hash and NT hash) will be encrypted in their store.

Static password

Same for each logon

Iris Scans

Scan the colored portion of the eye that surrounds the pupil.

Retina Scans

Scans the blood-vessel pattern of the retina on the back of the eyeball. Can show medical conditions. MOST ACCURATE.

Kerberos, KryptoKnight, and SESAME are all examples of what type of system?

Single Sign On (SSO) systems

Ben uses a software based token which changes its code every minute. What type of token is he using?

Synchronous

Account management systems

Systems that attempt to streamline the administration of user identity across multiple systems

Which of the following AAA protocols is the most commonly used?

TACACS+

Which of the following is not part of a Kerberos authentication system?

TS

Facial Scans

Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.

Which of the following is not a type of attack used against access controls?

Teardrop

Open Authorization (OAuth)

The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.

CER (Crossover Error Rate) or EER (Equal Error Rate): the point where FRR = FAR

The lower the CER/EER, the more accurate the system. No sunlight in iris scanner; Zephyr chart = iris scans.

Closed

The port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.

Open

The port is open on the remote system and there is an application that is actively accepting connections on that port.

Identity proofing

The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, a credential, or other special privilege is indeed who he or she claims to be, and establishing a reliable relationsh

Authorization

The process of defining the specific resources a user needs and determining the type of access to those resources the user may have

Electronic authentication (e-authentication)

The process of establishing confidence in user identities electronically presented to an information system

Authentication

The process of verifying the identity of the user

Hand Geometry

The shape of a person's hand (the length and width of the hand and fingers) measures hand geometry.

Access control tokens

The system decides if access is to be granted or denied based upon the validity of the token for the point where it is read based on time, date, day, holiday, or other condition used for controlling validation.

Discretionary access control (DAC)

The system owner decides who gets access.

Vulnerability Scans

The third technique is the vulnerability scan. Once the attacker determines a specific system to target, they need to discover a specific vulnerability in that system that can be exploited to gain the desired access permissions. (ex., Nessus, OpenVAS, Qualys, Core Impact, and Nexpose)

Which pair of the following factors are key for user acceptance of biometric identification systems?

The throughput rate and the time required to enroll

Capability Tables

They are different from ACLs in that a capability table is focused on subjects (such as users, groups, or roles). ex., a capability table created for the accounting role will include a list of all objects that the accounting role can access and will include the specific privileges assigned to the accounting role for these objects.

Implementation Attack

This is a type of attack that exploits weaknesses in the implementation of a cryptography system. It focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system

Crossover Error Rate (CER)

This is achieved when the type I and type II

Attribute-based access control (ABAC)

This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.

False Acceptance Rate (Type II)

This is erroneous recognition either by confusing one user with another, or by accepting an imposter as a legitimate user.

False Rejection Rate (Type I)

This is failure to recognize a legitimate user.

SAML 2.0

Used to exchange authentication and authorization data between security domains; enables web-based applications to include SSO.

SESAME process

Two tickets: One authentication, like Kerberos, Other defines the access privileges a user has, Works with PACS (Privileged Attribute Certificates)

If Susan's organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct types of factor has she used?

Two types of factors

Access badges

Used to enter secured areas of a facility and are used in conjunction with a badge reader to read information stored on the badge

When you input a user id and password, you are performing what important identity and access management activity?

Validation

When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?

When security is more important than usability

DIRECTORY SERVICE

A centralized database that includes information about subjects and objects, with a hierarchical naming schema. Active Directory has sophisticated security resources (group policy, user rights, accounts, DNS services).

HAVAL - Hash of Variable Length (HAVAL)

A modification of MD5. HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, 224, and 256 bits. Not an encryption algorithm.

Advantage of SSO options

ability to use stronger passwords, easier administration, less time to access resources.

Hacking

access password file

Decentralized administration

Access to information is controlled by the owners or creators of the information; there may be no consistency with regard to procedures, and it is difficult to form a system-wide view of all user access at any given time.

SSO referred to as reduced sign-on

federated ID management

META directory

Gathers information from multiple sources, stores it in one central directory, and synchronizes it.

Challenge/response token

generates response on a system/workstation provided challenge; synchronous - timing, asynchronous - challenge

KDC - Key Distribution Center

grants tickets to client for specific servers. Knows all secret keys of all clients and servers from the network, TGS (Ticket granting server) & AS (Authentication server), single point of failure

When nmap scans a system

identifies the current state of each network port on the system. For ports where nmap detects a result, it provides the current status of that port

(Identity and) Access as a Service

includes user authentication, SSO, authorization (rule) enforcement, Log events , auditing

Realm

indicates an authentication administrative domain. Its intention is to establish the boundaries within which an authentication server has the authority to authenticate a user, host or service.

Benefits of Kerberos

Inexpensive, supported by many OSs, mature protocol.

Content-Dependent

internal data of each field, data stored by a field, restrict access to data based on the content within an object. A database view is a content-dependent control. A view retrieves specific columns from one or more tables, creating a virtual table.

SOAP, or Simple Object Access Protocol

is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.

Object

is a passive entity that contains information (computer, database, file, program). Access control techniques support the access control models.

IDaaS - Identity as a Service, or Identity and Access as a Service

is a third-party service that provides identity and access management.

ACCESS

is flow of information between a subject and an object

A type of Biometric IRIS

is the same as long as you live

A common method of Constrained Interface Applications - (restricted interfaces)

is to hide the capability if the user doesn't have permissions to use it. Other times, the application displays the menu item but shows it dimmed or disabled.

Filtered Nmap

is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt

SAML is used to exchange authorization and authentication data, while XACML

is used to describe access controls.

If the attacker wants to target a web server, they

might run a port scan to locate any systems with a service running on port 80, the default port for HTTP services.

Fingerprint scanning

most widely used today

PWs (Passwords)

never stored for web applications in a well-designed environment. Salted hashes are stored and compared

IP Probes - (also called IP sweeps or ping sweeps)

often the first type of network reconnaissance carried out against a targeted network. With this technique, automated tools simply attempt to ping each address in a range. Systems that respond to the ping request are logged for further analysis. Addresses that do not produce a response are assumed to be unused and are ignored.

All objects have owners, and access control is based

on the discretion or decision of the owner.

Federated Identity

on-premises identity provider handles login request. Usually used to implement SSO, MS AD using MS AD Federation Services, Third Party based identity, Shibboleth SAML 2.0

Disadvantage of SSO options

Once a key is compromised, all resources can be accessed; if the database is compromised, all passwords are compromised.

Centralized administration

One element is responsible for configuring access controls. Only modified through central administration; very strict control.

Nmap tool

One of the most common tools used to perform both IP probes and port scans. IP probes are extremely prevalent on the Internet today. Indeed, if you configure a system with a public IP address and connect it to the Internet, you'll probably receive at least one IP probe within hours of booting up. The widespread use of this technique makes a strong case for disabling ping functionality, at least for users external to a network. With default settings, nmap does not scan all of the roughly 64K ports.

Weakness of SESAME

only authenticates the first block and not the complete message

VIRTUAL directory

only points where the data resides

Static password token -

owner authenticates to token, token authenticates to the information system

What you are

physical

OAuth

primarily used for web applications.

Permissions

refer to the access granted for an object and determine what you can do with it. If you have read permission for a file, you'll be able to open it and read it. You can grant user permissions to create, read, edit, or delete a file on a file server. Similarly, you can grant user access rights to a file, so in this context, access rights and permissions are synonymous.

Rights

refers to the ability to take an action on an object. For example, a user might have the right to modify the system time on a computer or the right to restore backed-up data. This is a subtle distinction and not always stressed. You'll rarely see the right to take action on a system referred to as a permission.

Context-Dependent

require specific activity before granting users access. For example, it's possible to restrict access to computers and applications based on the current day and/or time. If users attempt to access the resource outside of the allowed time, the system denies them access.

Authorization

the resources a user is allowed to access must be defined and monitored; first piece of credentials: authorization

Hybrid RBAC

role applied to multiple apps, based on user's specific role within the organization

SCRIPTING

scripts contain logon information that authenticates users

CONTROL

security features that control how users and systems communicate and interact with other systems and resources

Asynchronous (NOT TIME BASED)

the server sends a nonce (random value); this goes into the token device, which encrypts it and delivers a one-time password. With an added PIN, this is strong authentication.

Federation

sharing identity and authentication behind the scenes (like booking a flight and then booking a hotel without re-authenticating) by using a federated identity, so it can be used across business boundaries; a form of SSO

Type 3 authentication factor

something you are or something you do. It is a physical characteristic of a person identified with different types of biometrics

Type 2 authentication factor

something you have. Physical devices that a user possesses can help them provide authentication. Examples include a smartcard (CAC), hardware token, smartcard, memory card, or USB drive.

Type 1 authentication factor

something you know. Examples include a password, PIN, or passphrase.

Fingerprinting

stores the full fingerprint (one-to-many identification); a finger scan stores only the features (one-to-one identification).

SESAME uses both

symmetric and asymmetric encryption (thus an improvement upon Kerberos)

Kerberos Is based on

symmetric key cryptography (and is not a proprietary control). Time synchronization is critical; a 5-minute clock skew is bad.

Disadvantages of Kerberos

takes time to administer, can be bottleneck or single point of failure

Role-BAC (RBAC) -

task-based access controls define a subject's ability to access an object based on the subject's role or assigned tasks; often implemented using groups; a form of non-discretionary control. Based off business design.

Constrained Interface Applications - (restricted interfaces)

to restrict what users can do or see based on their privileges. Applications constrain the interface using different methods.

RADIUS

typically used for wireless networks, modems, and network devices

LDAP distinguished names are made up of comma-separated components called relative distinguished names that have an attribute name and a value. DNs become less specific as they progress from left to right. Which of the following LDAP DNs best fits this rule?

uid=ben,ou=sales,dc=example,dc=com

XML Signature

use digital signatures for authentication and message integrity based on XML signature standard. Relies on XML Schema

TACACS+

used for network devices.

One-time password aka dynamic password

used only once

Cloud Identity

users are created and managed in Office 365

Directory Synchronization

users are created and managed in an on-premises identity provider

Limited RBAC

users are mapped to roles within a single application, not organization-wide

Windows

uses Kerberos for authentication.

Synchronous (TIME BASED) dynamic -

uses time or a counter shared between the token and the authentication server; SecurID is an example

Identification/Assertion (Registration)

verifies an individual's identity and adds a unique identifier to an identity system, ensuring that a subject is who they say they are; binds a user to the appropriate controls based on the unique user instance (unique user name, account number, etc.) or an issuance (keycard)

Often, attackers have a type of target in mind

web servers, file servers, and other servers supporting critical operations are prime targets. To narrow down their search, attackers use port scan software to probe all the active systems on a network and determine what public services are running on each machine.

Accountability

who was responsible for an action?

When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?

Discretionary Access Control (permissions setting)

What LDAP authentication mode can provide secure authentication?

SASL (Simple Authentication and Security Layer)

Lauren needs to send information about services she is provisioning to a 3rd party organization. What standards-based markup language should she choose to build the interface?

SPML (Service Provisioning Markup Language)

Jim has Secret clearance and is accessing files that use a mandatory access control scheme to apply the TS, Secret, Confidential and UNCLAS label scheme. If his rights include the ability to access all data of his clearance level or lower, what classification levels of data can he access?

Secret, Confidential and UNCLASS

Alex configures his LDAP server to provide services on 636 and 3269. What type of LDAP services has he configured based on LDAP's default ports?

Secure LDAP and secure global directory

Ben's organization has had an issue with unauthorized access to applications and workstations during the lunch hours when employees aren't at their desks. What is the best type of session management solution for Ben to recommend to help prevent this type of access?

Set session timeouts for applications and use password protected screensavers with inactivity timeouts on workstations.

Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization's security policy is being followed?

Signature-based detection

What type of access control is being used in the following permission listing?

Storage Device X
User1: Can read, write, list
User2: Can read, list
User3: Can read, write, list, delete
User4: Can list

rBAC (resource-based access control) model; deals with volume storage, especially in IaaS environments

Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart, what should Ben do if the FAR and FRR shown in this diagram don't provide an acceptable performance level for his organization's needs?

Assess other biometric systems to compare them

Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where the servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen's best option to make sure that the users of the passcards are who they are supposed to be?

Add a biometric factor

What type of access control is composed of policies and procedures that support regulations, requirements, and the organization's own policies?

Administrative

Which objects and subjects have a label in a MAC model?

All objects and subjects have a label

Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the systems check the table to ensure that the subject has the appropriate rights to the objects. What type of access control system is Lauren using?

An access control matrix

Alex is in charge of SAML integration with a major 3rd party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integration and security architecture design, what solution can best help address concerns about third parties that control SSO redirects as shown in step 2 in the diagram?

An awareness campaign about trusted 3rd parties

Using your knowledge of the Kerberos logon process and the following diagram, at point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid?

An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user's password.

What major issue often results from decentralized access control?

Control is not consistent; loose interpretation of policies, requirements, and roles.

The security administrators at the company that Susan works for have configured the workstation she uses to allow her to log in only during her work hours. What type of access control best describes this limitation?

Context dependent control. (Time)

What open protocol was designed to replace RADIUS, including support for additional commands and protocols, replacing UDP traffic with TCP, and providing for extensible commands, but doesn't preserve backward compatibility with RADIUS?

Diameter

During a log review, Saria discovers a series of logs that show login failures as shown here:

Jan 31 11:39:12 ip 10-0-0-2 sshd[29092]: Invalid user admin from remote host passwd=orange
Jan 31 11:39:20 ip 10-0-0-2 sshd[29092]: Invalid user admin from remote host passwd=orang3
Jan 31 11:39:23 ip 10-0-0-2 sshd[29092]: Invalid user admin from remote host passwd=Orange93
Jan 31 11:39:31 ip 10-0-0-2 sshd[29092]: Invalid user admin from remote host passwd=Orangutan1

What type of attack has Saria discovered?

Dictionary attack. Uses a list of common passwords or dictionary words.

Which of the following types of access controls do not describe a lock?

Directive

The X.500 standards cover what type of important identity systems?

Directory services

What type of access controls allow the owner of a file to grant other users access to it using an access control list?

Discretionary Access Control

Lauren starts her new job and finds that she has access to a variety of systems that she does not need access to in order to accomplish her job. What problem has she encountered?

Excessive privileges

Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account via OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice. Which system or systems is/are responsible for user authentication for Google+ users?

Google's servers

Brian's large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS?

Implement RADIUS over TCP using TLS for protection.

RAID-5 is an example of what type of control?

Recovery

Alex is in charge of SAML integration with a major 3rd party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integration and security architecture design, Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks?

Implement TLS using a strong cipher suite and use digital signatures

Jim configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636. What does this indicate to Jim about the configuration of the LDAP server?

It requires connections over SSL/TLS

Mandatory access control is based on what type of model?

Lattice-based; uses a matrix of classification labels to compartmentalize data

What is the best way to provide accountability for the use of identities?

Logging

Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?

OAuth

Alex has been employed by his company for over a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications due to his former roles. What issue has Alex's company encountered?

Privilege creep. Accumulating rights from previous jobs held that do not pertain to the current position.

Which of the following is not a single sign on implementation?

RADIUS (ADFS, Kerberos, CAS are SSO implementations)

Lauren is an information security analyst tasked with deploying technical access controls for her organization. Which of the following is not a logical or technical access control?

RAID Arrays

What term properly describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order for normal function?

Race conditions; two or more processes need access to the same resource

Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart, Ben's company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity?

The CER (crossover error rate): the point where the false acceptance rate (FAR) and the false rejection rate (FRR) cross over. It is a standard assessment used to compare the accuracy of biometric devices.

Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue?

The Kerberos server and the local client's time clocks are not synchronized

Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account via OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice. When the e-commerce application creates an account for a Google+ user, where should that user's password be stored?

The password is never stored; a salted hash is stored in Google's account mgmt system

Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor and what traffic will she be able to read?

UDP; all traffic but the passwords, which are encrypted

Jim's organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim's company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company's onsite identity needs?

Use an on-premises 3rd party identity service

Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?

Use information that both the bank and the user have, such as questions pulled from their credit report

Using your knowledge of the Kerberos logon process and the following diagram, at point A in the diagram, the client sends the username and password to the KDC. How are the username and password protected?

Use of AES to encrypt username and password
