CISSP Domain 5: Identity and Access Management
Need to Know
ensures that subjects are granted access only to what they need to know for their work tasks and job functions. Subjects may have clearance to access classified or restricted data but are not granted authorization to the data unless they actually need it to perform a job.
Least Privilege
ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that least privilege will also include rights to take action on a system.
Statistical Attack
exploits statistical weaknesses in a cryptosystem, such as floating-point errors and inability to produce truly random numbers. Statistical attacks attempt to find a vulnerability in the hardware or operating system hosting the cryptography application.
PASSWORDS
Cheap and commonly used. Generated by password generators or chosen by the user (with triviality and policy checking). A longer password is more effective than anything else.
Which of the following is not a valid LDAP DN (distinguished name)?
cn=ben,ou=example;
Work Hours
context-dependent control
Social engineering
convince an individual to give access
Passphrase
easiest to remember. Converted to a virtual password by the system.
Cognitive password
easy to remember like your mother's maiden name
Separation of Duties and Responsibilities
ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.
Which of the following is a ticket based authentication protocol designed to provide secure communication?
Kerberos
What authentication protocol does Windows use by default for AD systems?
Kerberos (AD authentication)
Performing reconnaissance
allows an attacker to find weak points to target directly with their attack code. To assist with this targeting, attacker-tool developers have created a number of automated tools that perform network reconnaissance.
Discretionary Access Control (DAC)
allows the owner, creator, or data custodian of an object to control and define access to that object.
Service Provisioning Markup Language, or SPML
an XML-based language designed to allow platforms to generate and respond to provisioning requests.
Privileges
are the combination of rights and permissions. For example, an administrator for a computer will have full privileges, granting the administrator full rights and permissions on the computer. The administrator will be able to perform any actions and access any data on the computer.
Rule-BAC
based on rules within an ACL, uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. It includes granting a subject access to an object, or granting the subject the ability to perform an action.
Implicit Deny
A basic principle that most authorization mechanisms use. The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.
What you do
behavioral
Logging
The best way to provide accountability; a change log records approved changes and the change management process.
password checker and password hacker
Both are programs that can find passwords (a checker is used to see if a password is compliant; a hacker tool is used by the attacker to obtain it).
Hybrid
centralized control is exercised for some information and decentralized for other information
What type of attack can be prevented by using a trusted path?
Login spoofing. (Trusted paths are ways to protect data between users and the security component.)
Hand Topology
Looks at the size and width of an individual's hand and fingers.
Biba is what type of access control model?
MAC (Mandatory Access Control model)
What type of access control scheme is shown in the following table?
MAC (Mandatory Access Control)
Access Control System
Means to ensure that access to assets is authorized and restricted based on business and security requirements related to logical and physical systems.
Which of the following is not a common threat to access control mechanisms?
Phishing
Dog, guards, and fences are all common examples of what type of control?
Physical controls
Access Control Systems
Physical or electronic systems designed to control who, or what, has access to a network
Which of the following is not an access control layer?
Policy
SAML Specification 2.0 defined Roles
Principal (user), Identity provider (IdP), Service provider (SP). The most used federated SSO.
Authentication
The process of verifying the user. The user provides private data, which establishes trust between the user and the system for the allocation of privileges.
Logical access controls
Protection mechanisms that limit users' access to information and restrict their forms of access on the system to only what is appropriate for them
Facility access control
Protects enterprise assets and provides a history of who gained access and when the access was granted
User ID
Provides the system with a way of uniquely identifying a particular user amongst all the users of that system
Secure European System for Application in a Multi-Vendor Environment (SESAME)
Public key cryptography; a European standard similar to Kerberos; uses the Needham-Schroeder protocol.
Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request messages to a central server?
RADIUS
Some OSs use
A seed, salt, or nonce: random values added to the encryption process to add more complexity.
Subject
active entity that requests access to an object or data within the object (user, program)
Kerberos
Addresses confidentiality, integrity, and authentication, but not availability; can be combined with other SSO solutions.
Lattice based, Label
all objects and subjects have a label
A distinctive characteristic about rule-BAC models is that
they have global rules that apply to all subjects. One common example of a rule-BAC model is a firewall.
The US government CAC is an example of what form of Type 2 authentication factor?
A smart card
Role-based access control (RBAC)
An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization.
Rule-based access control (RBAC)
An access control model that is based on a list of predefined rules that determine what accesses should be granted.
Palm Scans
The palm has creases, ridges and grooves throughout it that are unique to a specific person. Appropriate by itself as a Type 3 authenticator
Callback to a home phone number is an example of what type of factor?
"somewhere you are" factor
Kerberos is included in Windows now
(replaced NTLM, NT LAN Manager)
Rainbow Tables
Tables of passwords that are already in hashed format; pre-hashed passwords paired with high-speed lookup functions.
brute force attack
Tries many different character combinations; also known as an exhaustive attack.
dictionary attack
Tries many different words.
During a penetration test, Chris recovers a file containing hashed passwords for the system he is attempting to access. What type of attack is most likely to succeed against the hashed passwords?
A rainbow table attack
Kathleen needs to set up an AD trust to allow authentication with an existing Kerberos K5 domain. What type of trust does she need to create?
A realm trust. This is the appropriate way to set up an AD environment that needs to connect to a K5 domain.
What is the stored sample of a biometric factor called?
A reference template/profile
The Kerberos logon process
1. The user types a username and password into the client.
2. The client encrypts the username with AES for transmission to the KDC.
3. The KDC verifies the username against a database of known credentials.
4. The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user's password. The KDC also generates an encrypted time-stamped TGT. The KDC then transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
5. The client installs the TGT for use until it expires.
6. The client also decrypts the symmetric key using a hash of the user's password.
7. The user can then present this ticket to an application service in order to use that service.
MAC Address
A 48-bit number that is supposed to be globally unique, but it can now be changed by software, so it is not a strong identification or authentication tool.
Susan is working to improve the strength of her organization's passwords by changing the password policy. The password system that she is using allows upper- and lowercase letters as well as numbers but no other characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create?
62 times more complex
MAC address
A 48-bit number (typically represented in hexadecimal format) that is supposed to be globally unique
In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS?
A TGT is sent
Kerberos
A developing standard for authenticating network users. Kerberos offers two key benefits: it functions in a multi-vendor network, and it does not transmit passwords over the network.
Which of the following is best described as an access control model that focuses on subjects and identifies the object that each subject can access?
A capability table. It lists the privileges assigned to a subject and identifies the objects that the subject can access.
Non-discretionary access control / Mandatory
A central authority determines what subjects have access based on policies. Role-based/task-based. Lattice-based control can also be applied (greatest lower bound and least upper bound apply).
As seen in the following image, a user on a Windows system is not able to use the "Send Message" functionality. What access control model best describes this type of limitation?
A constrained interface
Cryptographic Device
A hardware device that contains non-programmable logic and non-volatile storage dedicated to all cryptographic operations and protection of private keys.
Trusted Platform Modules (TPM)
A local hardware encryption engine and secured storage for encryption keys
Radio Frequency Identification (RFID)
A non-contact, automatic identification technology that uses radio signals to identify, track, sort and detect a variety of objects including people, vehicles, goods and assets without the need for direct contact
Identity-based access control
A subset of DAC because systems identify users based on their identity and assign resource ownership to identities.
Password Management System
A system that manages passwords consistently across the enterprise
Single Sign-On (SSO)
A unified login experience (from the viewpoint of the end user) when accessing one or more systems
Security Assertion Markup Language 2.0 (SAML 2.0)
A version of the SAML OASIS standard for exchanging authentication and authorization data between security domains.
The difference between an ACL and a capability table is:
ACLs are object focused and identify access granted to subjects for any specific object. Capability tables are subject focused and identify the objects that subjects can access.
MIT project Athena
AES from user to KDC; encrypted key; time-stamped TGT and hash of password; install TGT and decrypt key.
Issues regarding the usage of Biometrics
Acceptability Issues: privacy, physical, psychological
Mandatory Access Controls (MACs)
Access control that requires the system itself to manage access controls in accordance with the organization's security policies
Discretionary Access Control - Graham Denning
Access through ACLs. Discretionary can also mean controlled access protection (object reuse, protected audit trail). User directed; performs all of IAAA; an identity-based access control model.
Jim has worked in human relations, payroll, and customer service roles in his company over the past few years. What type of process should his company perform to ensure that he has appropriate rights?
Account review
Accountability
Accountability ensures that account management has assurance that only authorized users are accessing the system and using it properly.
Port Scans
After an attacker performs an IP probe, they are left with a list of active systems on a given network. The next task is to select one or more systems to target with additional attacks.
Physical Access Control Systems (PACS)
Allows authorized security personnel to simultaneously manage and monitor multiple entry points from a single, centralized location
Access Control Matrix
An access control matrix is a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action
Rule-Based Access Control
An access control model that is based on a list of predefined rules that determine what accesses should be granted.
Role-Based Access Control (RBAC)
An access control model that bases the access control authorizations on the roles (or functions) that the user is assigned within an organization
Physical access control system
An automated system that manages the passage of people or assets through an opening(s) in a secure perimeter(s) based on a set of authorization rules.
Fingerprints
Are made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae.
What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token?
Asynchronous
Which of the following is not a weakness in Kerberos?
Authentication info is not encrypted
Lattice based or Label access control
Authorization depends on security labels, which indicate the clearance of subjects and the classification of objects (military). Restriction: need to know can apply. Lattice-based control is part of it! (A as in mAndatory!)
When an application or system allows a logged-in user to perform specific actions, it is an example of what?
Authorization. Provides user with capabilities or rights
A new customer at a bank that uses fingerprint scanners to authenticate its users is surprised when he scans his fingerprint and is logged in to another customer's account. What type of biometric factor error occurred?
Type 2 error
When Lauren uses a fingerprint scanner to access her bank account. What type of authentication factor is she using?
Type 3 "something you are"
Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account via OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice. What type of attack is the creation and exchange of state tokens intended to prevent?
CSRF
Keyboard Dynamics
Captures the electrical signals when a person types a certain phrase.
Identity as a Service (IDaaS)
Cloud-based services that broker identity and access management functions to target systems on customers' premises and/or in the cloud
Susan has been asked to recommend whether her organization should use a mandatory access control scheme or a discretionary access control scheme. If flexibility and scalability are important requirements for implementing access controls, which scheme should she recommend and why?
DAC, because allowing individual administrators to make choices about the objects they control provides scalability and flexibility
Voice Print
Distinguishing differences in people's speech sounds and patterns.
Benefits of IDaaS
Effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based Software as a Service (SaaS) applications. Ability to provision identities held by the service to target applications
Signature Dynamics
Electrical signals of speed and time that can be captured when a person writes a signature.
Multi-factor Authentication
Ensures that a user is who they claim to be. The more factors used to determine a person's identity, the greater the trust of authenticity.
Biometric TYPE 2 error
False acceptance rate (FAR)
Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart, at point B, what problem is likely to occur?
False acceptance will be very high.
Biometric TYPE 1 error
False rejection rate (FRR)
Google's identity integration with a variety of organizations and applications across domains is an example of which of the following?
Federation
Identification, Authentication, Authorization and Accountability (IAAA)
Four key principles upon which access control relies
Thin client is also a single sign-on approach
Guards a network with three elements: authentication, authorization, & auditing.
Voice pattern recognition is what type of authentication factor?
Type 3 "something you are" (Type 1 "something you know"[pwd], Type 2 "something you have"[CAC])
KRYPTOKNIGHT
IBM (thus RACF); a peer-to-peer relationship between the KDC and the parties.
When a subject claims an identity, what process is occurring?
Identification
Relationship between Identity, Authentication, and Authorization
Identification provides uniqueness, authentication provides validity, and authorization provides control.
Jim is implementing a cloud identity solution for his organization. What type of technology is he putting in place?
Identity as a Service (IDaaS)
The financial services company that Susan works for provides a web portal for its users. When users need to verify their identity, the company uses information from third-party sources to ask questions based on their past credit reports, such as "Which of the following streets did you live on in 2007?" What process is Susan's organization using?
Identity proofing
Alex is in charge of SAML integration with a major third-party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integration and security architecture design, if Alex's organization is one that is primarily made up of offsite, traveling users, what availability risk does integration of critical business applications to onsite authentication create, and how could he solve it?
If the home organization is offline, traveling users won't be able to access third-party applications; implement a hybrid cloud/local authentication system.
By default, in what format does OpenLDAP store the value of the userPassword attribute?
In the clear
Susan's organization is updating its password policy and wants to use the strongest possible passwords. What password requirement will have the highest impact in preventing brute force attacks?
Increase the minimum password length from 8 to 16 characters
Single factor authentication
Involves the use of only one of the three available factors to carry out the requested authentication process.
What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider?
It creates the possibility of a phishing attack by sending data to a fake OpenID provider.
Using your knowledge of the Kerberos logon process and the following diagram, what tasks must the client perform before it can use the TGT?
It must install the TGT and decrypt the symmetric key
Physical devices for Type 2 authentication
Key, swipe card, access card, badge, tokens
Which of the following items are not commonly associated with restricted interfaces?
Keyboards (Menus, shells, DB views are constrained interfaces)
Questions like "What's your pet's name?" are examples of what type of identity proofing?
Knowledge-based authentication
Microsoft's AD Domain Services is based on which of the following technologies?
LDAP
BIOMETRICS
Most expensive. An acceptable enrollment time is 2 minutes per person; an acceptable throughput time is 10 people per minute.
Alex's job requires him to see personal health information to ensure proper treatment of patients. His access to their medical records does not provide access to patient addresses or billing information. What access control concept best describes this control?
Need to know
Logical access control system
Non-physical system that allows access based upon pre-determined policies.
Rule based access control
Objects are files, directories, and devices.
What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using a RESTful API?
OpenID Connect
Which of the following Type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors?
Palm scans
During a review of support incidents, Ben's organization discovered that password changes accounted for more than a quarter of its help desk's cases. Which of the following options would be most likely to decrease that number significantly?
Self service password reset tools
When Chris verifies an individual's identity and adds a UID like a user ID to an identity system, what process has occurred?
Registration
Jacob is planning his organization's biometric authentication system and is considering retina scans. What concern may be raised about retina scans by others in his organization?
Retina scans can reveal information about medical conditions
What type of access control is typically used by firewalls?
Rule-BAC (Based Access Control)
On a Windows system, with the utility
SYSKEY, the hashed passwords (LM hash and NT hash) are encrypted in their store.
Static password
Same for each logon
Iris Scans
Scan the colored portion of the eye that surrounds the pupil.
Retina Scans
Scans the blood-vessel pattern of the retina on the back of the eyeball. Can reveal medical conditions. The most accurate biometric.
Kerberos, KryptoKnight, and SESAME are all examples of what type of system?
Single Sign On (SSO) systems
Ben uses a software based token which changes its code every minute. What type of token is he using?
Synchronous
Account management systems
Systems that attempt to streamline the administration of user identity across multiple systems
Which of the following AAA protocols is the most commonly used?
TACACS+
Which of the following is not part of a Kerberos authentication system?
TS
Facial Scans
Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account.
Which of the following is not a type of attack used against access controls?
Teardrop
Open Authorization (OAuth)
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
CER (Crossover Error Rate) or EER (Equal Error Rate): the point where FRR = FAR
The lower the CER/EER, the more accurate the system. No sunlight for iris scanners; on the Zephyr chart, iris scans.
Closed
The port is accessible on the remote system, meaning that the firewall is allowing access, but there is no application accepting connections on that port.
Open
The port is open on the remote system and there is an application that is actively accepting connections on that port.
Identity proofing
The process of collecting and verifying information about a person for the purpose of proving that a person who has requested an account, a credential, or other special privilege is indeed who he or she claims to be, and establishing a reliable relationsh
Authorization
The process of defining the specific resources a user needs and determining the type of access to those resources the user may have
Electronic authentication (e-authentication)
The process of establishing confidence in user identities electronically presented to an information system
Authentication
The process of verifying the identity of the user
Hand Geometry
Measures the shape of a person's hand (the length and width of the hand and fingers).
Access control tokens
The system decides if access is to be granted or denied based upon the validity of the token for the point where it is read based on time, date, day, holiday, or other condition used for controlling validation.
Discretionary access control (DAC)
The system owner decides who gets access.
Vulnerability Scans
The third technique is the vulnerability scan. Once the attacker determines a specific system to target, they need to discover a specific vulnerability in that system that can be exploited to gain the desired access permissions. (ex., Nessus, OpenVAS, Qualys, Core Impact, and Nexpose)
Which pair of the following factors are key for user acceptance of biometric identification systems?
The throughput rate and the time required to enroll
Capability Tables
They are different from ACLs in that a capability table is focused on subjects (such as users, groups, or roles). For example, a capability table created for the accounting role will include a list of all objects that the accounting role can access and will include the specific privileges assigned to the accounting role for these objects.
Implementation Attack
This is a type of attack that exploits weaknesses in the implementation of a cryptography system. It focuses on exploiting the software code, not just errors and flaws but the methodology employed to program the encryption system.
Crossover Error Rate (CER)
This is achieved when the type I and type II
Attribute-based access control (ABAC)
This is an access control paradigm whereby access rights are granted to users with policies that combine attributes together.
False Acceptance Rate (Type II)
This is erroneous recognition either by confusing one user with another, or by accepting an imposter as a legitimate user.
False Rejection Rate (Type I)
This is failure to recognize a legitimate user.
SAML 2.0
Used to exchange authentication and authorization data between security domains; enables web-based applications to include SSO.
SESAME process
Two tickets: One authentication, like Kerberos, Other defines the access privileges a user has, Works with PACS (Privileged Attribute Certificates)
If Susan's organization requires her to log in with her username, a PIN, a password, and a retina scan, how many distinct types of factor has she used?
Two types of factors
Access badges
Used to enter secured areas of a facility and are used in conjunction with a badge reader to read information stored on the badge
When you input a user id and password, you are performing what important identity and access management activity?
Validation
When might an organization using biometrics choose to allow a higher FRR instead of a higher FAR?
When security is more important than usability
DIRECTORY SERVICE
A centralized database that includes information about subjects and objects, with a hierarchical naming schema. Active Directory has sophisticated security resources (group policy, user rights, accounts, DNS services).
HAVAL (Hash of Variable Length)
A modification of MD5. HAVAL uses 1,024-bit blocks and produces hash values of 128, 160, 192, 224, and 256 bits. Not an encryption algorithm.
Advantage of SSO options
ability to use stronger passwords, easier administration, less time to access resources.
Hacking
access password file
Decentralized administration
Access to information is controlled by the owners or creators of the information; there may not be consistency with regard to procedures, and it is difficult to form a system-wide view of all user access at any given time.
SSO referred to as reduced sign-on
federated ID management
META directory
Gathers information from multiple sources, stores it in one central directory, and synchronizes it.
Challenge/response token
Generates a response to a challenge provided by a system/workstation; synchronous is timing-based, asynchronous is challenge-based.
KDC - Key Distribution Center
Grants tickets to clients for specific servers. Knows the secret keys of all clients and servers on the network. Consists of the TGS (ticket-granting server) and the AS (authentication server). A single point of failure.
When nmap scans a system
identifies the current state of each network port on the system. For ports where nmap detects a result, it provides the current status of that port
(Identity and) Access as a Service
Includes user authentication, SSO, authorization (rule) enforcement, event logging, and auditing.
Realm
indicates an authentication administrative domain. Its intention is to establish the boundaries within which an authentication server has the authority to authenticate a user, host or service.
Benefits of Kerberos
Inexpensive, supported by many OSs, a mature protocol.
Content-Dependent
Based on the internal data of each field (the data stored by a field); restricts access to data based on the content within an object. A database view is a content-dependent control: a view retrieves specific columns from one or more tables, creating a virtual table.
SOAP, or Simple Object Access Protocol
is a messaging protocol and could be used for any XML messaging, but is not a markup language itself.
Object
is a passive entity that contains information (computer, database, file, program). Access control techniques support the access control models.
IDaaS - Identity as a Service, or Identity and Access as a Service
is a third-party service that provides identity and access management.
ACCESS
is flow of information between a subject and an object
Biometric: the iris
is the same for as long as you live.
A common method of Constrained Interface Applications - (restricted interfaces)
is to hide the capability if the user doesn't have permissions to use it. Other times, the application displays the menu item but shows it dimmed or disabled.
Filtered Nmap
is unable to determine whether a port is open or closed because a firewall is interfering with the connection attempt
SAML is used to exchange authorization and authentication data, while XACML
is used to describe access controls.
If the attacker wants to target a web server, they
might run a port scan to locate any systems with a service running on port 80, the default port for HTTP services.
Fingerprint scanning
most widely used today
PWs (Passwords)
never stored for web applications in a well-designed environment. Salted hashes are stored and compared
IP Probes - (also called IP sweeps or ping sweeps)
often the first type of network reconnaissance carried out against a targeted network. With this technique, automated tools simply attempt to ping each address in a range. Systems that respond to the ping request are logged for further analysis. Addresses that do not produce a response are assumed to be unused and are ignored.
All objects have owners, and access control is based
on the discretion or decision of the owner.
Federated Identity
An on-premises identity provider handles the login request. Usually used to implement SSO; for example, MS AD using MS AD Federation Services, third-party based identity, or Shibboleth (SAML 2.0).
Disadvantage of SSO options
Once a key is compromised, all resources can be accessed; if the database is compromised, all passwords are compromised.
Centralized administration
One element is responsible for configuring access controls. Controls are only modified through central administration, giving very strict control.
Nmap tool
One of the most common tools used to perform both IP probes and port scans. IP probes are extremely prevalent on the Internet today. Indeed, if you configure a system with a public IP address and connect it to the Internet, you'll probably receive at least one IP probe within hours of booting up. The widespread use of this technique makes a strong case for disabling ping functionality, at least for users external to a network. Default settings do not cover all of the roughly 64K ports.
Weakness of SESAME
only authenticates the first block and not the complete message
VIRTUAL directory
only points to where the data resides
Static password token
the owner authenticates to the token, and the token authenticates to the information system
What you are
physical
OAuth
primarily used for web applications.
Permissions
refer to the access granted for an object and determine what you can do with it. If you have read permission for a file, you'll be able to open it and read it. You can grant user permissions to create, read, edit, or delete a file on a file server. Similarly, you can grant user access rights to a file, so in this context, access rights and permissions are synonymous.
Rights
refer to the ability to take an action on an object. For example, a user might have the right to modify the system time on a computer or the right to restore backed-up data. This is a subtle distinction and not always stressed. You'll rarely see the right to take action on a system referred to as a permission.
Context-Dependent
requires specific activity before granting users access. For example, it's possible to restrict access to computers and applications based on the current day and/or time. If users attempt to access the resource outside of the allowed time, the system denies them access.
Authorization
the resources a user is allowed to access must be defined and monitored. First piece of credentials: Authorization
Hybrid RBAC
a role is applied to multiple apps, based on the user's specific role within the organization
SCRIPTING
scripts contain logon information that authenticates users
CONTROL
security features that control how users and systems communicate and interact with other systems and resources
Asynchronous (NOT TIME BASED)
the server sends a nonce (random value); this goes into the token device, which encrypts it and delivers a one-time password. With an added PIN, it is strong authentication.
Federation
sharing identity and authentication behind the scenes (like booking a flight --> booking a hotel without re-authenticating) by using a federated identity, so it can be used across business boundaries; a form of SSO
Type 3 authentication factor
something you are or something you do. It is a physical characteristic of a person identified with different types of biometrics
Type 2 authentication factor
something you have. Physical devices that a user possesses can help them provide authentication. Examples include a smartcard (CAC), hardware token, memory card, or USB drive.
Type 1 authentication factor
something you know. Examples include a password, PIN, or passphrase.
Fingerprinting
stores the full fingerprint (one-to-many identification); finger scan stores only the features (one-to-one identification).
SESAME uses both
symmetric and asymmetric encryption (thus an improvement upon Kerberos)
Kerberos Is based on
symmetric key cryptography (and is not a proprietary control). Time synchronization is critical; a clock skew of 5 minutes is a problem.
Disadvantages of Kerberos
takes time to administer, can be a bottleneck or single point of failure
Role-BAC (RBAC)
task-based access controls define a subject's ability to access an object based on the subject's role or assigned tasks; often implemented using groups; a form of non-discretionary access control. OFF BUSINESS DESIGN
Constrained Interface Applications (restricted interfaces)
to restrict what users can do or see based on their privileges. Applications constrain the interface using different methods.
RADIUS
typically used for wireless networks, modems, and network devices
LDAP distinguished names are made up of comma-separated components called relative distinguished names that have an attribute name and a value. DNs become less specific as they progress from left to right. Which of the following LDAP DNs best fits this rule?
uid=ben,ou=sales,dc=example,dc=com
XML Signature
uses digital signatures for authentication and message integrity based on the XML Signature standard. Relies on XML Schema.
TACACS+
used for network devices.
One-time password aka dynamic password
used only once
Cloud Identity
users are created and managed in Office 365
Directory Synchronization
users are created and managed in an on-premises identity provider
Limited RBAC
users are mapped to roles within a single application, not organization-wide
Windows
uses Kerberos for authentication.
Synchronous (TIME BASED) dynamic
uses time or a counter shared between the token and the authentication server; SecurID is an example
Identification/Assertion (Registration)
verifies an individual's identity and adds a unique identifier to an identity system, ensuring that a subject is who they say they are; binds a user to the appropriate controls based on the unique user instance (unique user name, account number, etc.) or an issuance (keycard)
Often, attackers have a type of target in mind
web servers, file servers, and other servers supporting critical operations are prime targets. To narrow down their search, attackers use port scan software to probe all the active systems on a network and determine what public services are running on each machine.
Accountability
who was responsible for an action?
When Alex sets the permissions shown in the following image as one of many users on a Linux server, what type of access control model is he leveraging?
Discretionary Access Control (permissions setting)
What LDAP authentication mode can provide secure authentication?
SASL (Simple Authentication and Security Layer)
Lauren needs to send information about services she is provisioning to a 3rd party organization. What standards based markup language should she choose to build the interface?
SPML (Service Provisioning Markup Language)
Jim has Secret clearance and is accessing files that use a mandatory access control scheme to apply the TS, Secret, Confidential and UNCLAS label scheme. If his rights include the ability to access all data of his clearance level or lower, what classification levels of data can he access?
Secret, Confidential and UNCLASS
Alex configures his LDAP server to provide services on 636 and 3269. What type of LDAP services has he configured based on LDAP's default ports?
Secure LDAP and secure global directory
Ben's organization has had an issue with unauthorized access to applications and workstations during the lunch hours when employees aren't at their desks. What is the best type of session management solution for Ben to recommend to help prevent this type of access?
Set session timeouts for applications and use password protected screensavers with inactivity timeouts on workstations.
Which of the following tools is not typically used to verify that a provisioning process was followed in a way that ensures that the organization's security policy is being followed?
Signature-based detection
What type of access control is being used in the following permission listing: Storage Device X. User1: Can read, write, list. User2: Can read, list. User3: Can read, write, list, delete. User4: Can list.
rBAC (resource based access control) model, deals with volume storage, esp in IaaS environments
Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart, what should Ben do if the FAR and FRR shown in this diagram don't provide an acceptable performance level for his organization's needs?
Assess other biometric systems to compare them
Kathleen works for a data center hosting facility that provides physical data center space for individuals and organizations. Until recently, each client was given a magnetic-strip-based keycard to access the section of the facility where their servers are located, and they were also given a key to access the cage or rack where the servers reside. In the past month, a number of servers have been stolen, but the logs for the passcards show only valid IDs. What is Kathleen's best option to make sure that the users of the passcards are who they are supposed to be?
Add a biometric factor
What type of access control is composed of policies and procedures that support regulations, requirements, and the organization's own policies?
Administrative
Which objects and subjects have a label in a MAC model?
All objects and subjects have a label
Lauren builds a table that includes assigned privileges, objects, and subjects to manage access control for the systems she is responsible for. Each time a subject attempts to access an object, the system checks the table to ensure that the subject has the appropriate rights to the object. What type of access control system is Lauren using?
An access control matrix
Alex is in charge of SAML integration with a major 3rd party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integration and security architecture design, what solution can best help address concerns about 3rd parties that control SSO redirects as shown in step 2 in the diagram?
An awareness campaign about trusted 3rd parties
Using your knowledge of the Kerberos logon process and the following diagram, at point B in the diagram, what two important elements does the KDC send to the client after verifying that the username is valid?
An encrypted, time-stamped TGT and a symmetric key encrypted with a hash of the user's password.
What major issue often results from decentralized access control?
Control is not consistent; loose interpretation of policies, requirements, and roles.
The security administrators at the company that Susan works for have configured the workstation she uses to allow her to log in only during her work hours. What type of access control best describes this limitation?
Context dependent control. (Time)
What open protocol was designed to replace RADIUS, including support for additional commands and protocols, replacing UDP traffic with TCP, and providing for extensible commands, but doesn't preserve backward compatibility with RADIUS?
Diameter
During a log review, Saria discovers a series of logs that show login failures as shown here:
Jan 31 11:39:12 ip 10-0-0-2 sshd[29092]: Invalid user admin from remote host passwd=orange
Jan 31 11:39:20 ip 10-0-0-2 sshd[29092]: Invalid user admin from remote host passwd=orang3
Jan 31 11:39:23 ip 10-0-0-2 sshd[29092]: Invalid user admin from remote host passwd=Orange93
Jan 31 11:39:31 ip 10-0-0-2 sshd[29092]: Invalid user admin from remote host passwd=Orangutan1
What type of attack has Saria discovered?
Dictionary attack. Uses a list of common passwords or dictionary words.
Which of the following types of access controls does not describe a lock?
Directive
The X.500 standards cover what type of important identity systems?
Directory services
What type of access controls allow the owner of a file to grant other users access to it using an access control list?
Discretionary Access Control
Lauren starts her new job and finds that she has access to a variety of systems that she does not need access to in order to accomplish her job. What problem has she encountered?
Excessive privileges
Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice. Which system or systems is/are responsible for user authentication for Google+ users?
Google's servers
Brian's large organization has used RADIUS for AAA services for its network devices for years and has recently become aware of security issues with the unencrypted information transferred during authentication. How should Brian implement encryption for RADIUS?
Implement RADIUS over TCP using TLS for protection.
RAID-5 is an example of what type of control?
Recovery
Alex is in charge of SAML integration with a major 3rd party partner that provides a variety of business productivity services for his organization. Using the following diagram and your knowledge of SAML integration and security architecture design, Alex is concerned about eavesdropping on the SAML traffic and also wants to ensure that forged assertions will not be successful. What should he do to prevent these potential attacks?
Implement TLS using a strong cipher suite and use digital signatures
Jim configures his LDAP client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636. What does this indicate to Jim about the configuration of the LDAP server?
It requires connections over SSL/TLS
Mandatory access control is based on what type of model?
Lattice-based; uses a matrix of classification labels to compartmentalize data
What is the best way to provide accountability for the use of identities?
Logging
Jim wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that?
OAuth
Alex has been employed by his company for over a decade and has held a number of positions in the company. During an audit, it is discovered that he has access to shared folders and applications due to his former roles. What issue has Alex's company encountered?
Privilege creep. Accumulating rights from previous jobs held that do not pertain to the current position.
Which of the following is not a single sign on implementation?
RADIUS (ADFS, Kerberos, CAS are SSO implementations)
Lauren is an information security analyst tasked with deploying technical access controls for her organization. Which of the following is not a logical or technical access control?
RAID Arrays
What term properly describes what occurs when two or more processes require access to the same resource and must complete their tasks in the proper order for normal function?
Race conditions: two or more processes need access to the same resource
Ben's organization is adopting biometric authentication for its high-security building's access control system. Using the following chart, Ben's company is considering configuring its systems to work at the level shown by point A on the diagram. To what level is it setting the sensitivity?
The CER (crossover error rate): the point where the false acceptance rate (FAR) and the false rejection rate (FRR) cross over. It is a standard assessment used to compare the accuracy of biometric devices.
Susan is troubleshooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most likely issue?
The Kerberos server and the local client's time clocks are not synchronized
Chris is the identity architect for a growing e-commerce website that wants to leverage social identity. To do this, he and his team intend to allow users to use their existing Google accounts as their primary accounts when using the e-commerce site. This means that when a new user initially connects to the e-commerce platform, they are given the choice between using their Google+ account using OAuth 2.0, or creating a new account on the platform using their own email address and a password of their choice. When the e-commerce application creates an account for a Google+ user, where should that user's password be stored?
The password is never stored; a salted hash is stored in Google's account mgmt system
Angela uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should she monitor and what traffic will she be able to read?
UDP; all traffic but the passwords, which are encrypted
Jim's organization-wide implementation of IDaaS offers broad support for cloud-based applications. The existing infrastructure for Jim's company does not use centralized identity services but uses Active Directory for AAA services. Which of the following choices is the best option to recommend to handle the company's onsite identity needs?
Use an on-premises 3rd-party identity service
Lauren is responsible for building a banking website. She needs proof of the identity of the users who register for the site. How should she validate user identities?
Use information that both the bank and the user have, such as questions pulled from their credit report
Using your knowledge of the Kerberos logon process and the following diagram, at point A in the diagram, the client sends the username and password to the KDC. How are the username and password protected?
Use of AES to encrypt username and password