Chapter 5 Identity and Access Management Flashcards by Scott Weisman

What is a capabilities table?

Capabilities tables list the privileges assigned to subjects and identify the objects that subjects can access.

How well did you know this?

Not at all

Perfectly

Which of the following is NOT a weakness in Kerberos?

a) The KDC is a single Point of failure
b) Compromise of the KDC would allow attackers to impersonate any user
c) Authentication information is not encrypted
d) Susceptible to password guessing

C) Kerberos encrypts messages using secret keys providing protection for authentication traffic.

How well did you know this?

Not at all

Perfectly

Place the following in order for Kerberos authentication process

a) Client/server ticket generated
b) TGT generated
c) Client/TGS key generated
d) User accesses service
e) User provides authentication credentials

1) User provides authentication credentials
2) Client/TGS key is generated
3) TGT generated
4) Client/server ticket generated
5) User accesses service

How well did you know this?

Not at all

Perfectly

Callback to a landline phone number is an example of what type of a factor?

a) Something you know
b) Somewhere you are
c) Something you have
d) Something you are

b) A callback to a landline phone number is an example of a “somewhere you are” factor because the fixed physical location of a wird phone. A callback to a mobile phone would be “something you have”

How well did you know this?

Not at all

Perfectly

Scott needs to set up an AD trust to allow authentication with an existing Kerberos K5 domain. What type of trust does he need to create?

a) Shortcut trust
b) Forest trust
c) External turst
d) Realm trust

D) Kerberos uses realms, and the proper type of trust to set up for an AD environment that needs to connect to a K5 domain is a realm trust.

How well did you know this?

Not at all

Perfectly

When a client sends a username and password to the KDC, how is the username and password protected?

a) 3DES encryption
b) TLS encryption
c) SSL encryption
d) AES encryption

D) The client in Kerberos uses AES to encrypt the username and password prior to sending it to the KDC

How well did you know this?

Not at all

Perfectly

What two important elements does the KDC send to the client after verifing the username is valid?

a) An encrypted TGT and a public key
b) An access ticket and a public key
c) An encrypted, time stamped TGT and a symmetric key encrypted with a hash of the user’s password
d) An encypted, time stamped TGT and an access token

C) The KDC uses the user’s password to generate a hash and then uses that hash to encrypt a symmetric key and an encrypted time-stamped TGT to the client

How well did you know this?

Not at all

Perfectly

What tasks must the client perform before it can use the TGT?

It must accept te TGT and decrypt the symmetric key

How well did you know this?

Not at all

Perfectly

Biba is what type of access control model?

a) MAC
b) DAC
c) Role BAC
d) ABAC

A) Biba uses a lattice to control access and is a form of the MAC model. IT does not use rules, roles, or attributes, nor does it allow user discretion

How well did you know this?

Not at all

Perfectly

Which of the following is a client/server protocol designed to allow network access servers to authenticate remote users by sending access request message to a central server?

a) Kerberos
b) EAP
c) RADIUS
d) Oauth

c) Radius is an AAA protocol used to provide authentication and authorization; it is often used for modems, wireless networks, and network devices. IT uses netwrok access servers to send access requests to central Radius Servers

How well did you know this?

Not at all

Perfectly

What is a resource-based access control?

Resource-based access controls match permissions to resources like a storage volume. Resource-based access controls are becoming increasingly common in cloud-based infrastructure as a service environments.

How well did you know this?

Not at all

Perfectly

Scott uses a sniffer to monitor traffic from a RADIUS server configured with default settings. What protocol should he monitor and what traffic will he be able to read?

a) UDP, none. All Radius traffic is encrypte
b) TCP, all traffic but the passwords, which are encrypted
c) UDP, all traffic but the passwords, which are encrypted
d) TCP, none. All RADIUS traffic is encrypted

C) By default, RADIUS uses UDP and only encrypts passwords. RADIUS supports TCP and TLS, but this is not a default setting

How well did you know this?

Not at all

Perfectly

Which of the following is not part of Kerberos authentication system?

a) KDC
b) TGT
c) AS
4) TS

D) A Key Distribution Center (KDC) provides authentication services, and ticket-granting tickets (TGTs) provide proof that a subject has authenticated and can request tickets to access objects. Authentiction services (ASs) are part of the KDC. There is no TS in a Kerberos infrastructure.

How well did you know this?

Not at all

Perfectly

What is race conditions?

Race conditions occur when two or more processes need to access the same resource in the right order

How well did you know this?

Not at all

Perfectly

Which of the following is not a valid LDAP DN (distinguished name)

a) cn-ben+out-sales
b) ou=example
c) cn=ben,out=example;
d) ou=example, dc=example, dc=com+dc=org

C) LDAP distinguished names are made up of zero or more comma-separated components known as relative distinguished names. CN=ben,ou=example; ends with a semicolon and is not a valid DN

How well did you know this?

Not at all

Perfectly

What is the stored sample of a biometric factor called? 
A) Reference Template
b) Token store
c) Biometric password
d) Enrollment artfifact

A) The stored sample of a biometric factor is called a reference profile or a reference template.

How well did you know this?

Not at all

Perfectly

Scott is working to imrpvoe the strength of his organization’s passwords by changing the password policy. The password system that he is using allows for uppercase and lower case letters as well as numbers, but no characters. How much additional complexity does adding a single character to the minimum length of passwords for her organization create?

a) 26 times more complex
b) 62 times more complex
c) 36 times more complex
d) 2 to the 62 power more complex

b) The complexity of brute-forcing a password increases based on both the number of potential characters and the number of letters added. In this case, there are 26 lowercase letters, 26 uppercase letters, and 10 possible digits. That creates 62 possibilities. Since we added only a single letter of length, we get 62 to the power of 1, or 62 possibilities, and thus the new passwords would be 62 times harder to brute-force on average

How well did you know this?

Not at all

Perfectly

Which pair of the following factors is key for user acceptance of biometric identification identification systems?

a) The FAR
b) The throughput rate and the time required to enroll
c) The CER and the EER
d) How often users must re enroll and the reference profile requirements

B) Biometric systems can face major usability challenges if the time to enroll is long (over a couple of minutes) and if the speed at which the biometric system is able to scan and accept or reject the user is too slow.

How well did you know this?

Not at all

Perfectly

What solution can best help address concerns about 3rd parties that control SSO redirects?

a) An awareness campaign about trusted third parties
b) Handling redirects at the local site
d) Implementing an IPS to capture SSO rediret attacks

a) While many solutions are technical, if a trusted 3rd party redirects to an unexpected authentication site, awareness is often the best defense.

Scott needs to send information about services he is providing to a 3rd party organization, What standards based markup language should he choose to build the interface

a) SAML
b) SOAP
c) SPML
d) XACML

c) Service provisioning Markup Language, or SPML, is an XML-based language designed to allow platforms to generate and respond to provisioning requests. SAML is used to make authorization and authentication data, while XACML is used to describe access controls. SOAP, or simple object access protocol, is a messaging protocol and could be used for any XML messaging but is not a markup language itself.

Scott configures his LDPAt client to connect to an LDAP directory server. According to the configuration guide, his client should connect to the server on port 636. What does this indicate to Jim about the configuration of the LDAP server?
A) It requires connections over SedSL/TLS
B) It supports only unencrypted connections
C) It provides global catalog services
D) It does not provide global catalog services

A )Port 636 is the default port for LDAP-S, which provides LDAP over SSL or TLS, thus indicating that the server supports encrypted connections. Since neither port 3268, or 3269 are mentioned, we do not know if the server provides support for a global catalog.

By default, in what format does open LDAP store the value of the user Password attribute

a) In the clar
b) Salted and Hashed
c) MD5 hasehd
d) Ecnrypted using AES256 encryption

By default, Open LDAP stores the userPassword attribute in the clear. This means that ensuring that the password is provided to OpenLDAP in a secure format is te responsibility of the administration or programmer who builds its provisioning system

Which of the following is a ticket-based authentication protocol designed to provide secure communications? 
A) RADIUS
B) OAuth 
C) SAML 
D) Kerberos

D) Kerberos is an authentication protocol that uses tickets nd provides secure communications between the client, key distribution center(KDC), Ticket granting service (TGS), authentication server (AS), and endpoint services.

In a Kerberos environment, when a user needs to access a network resource, what is sent to the TGS? 
A) A TGT
B) An AS
C) The SS
D) A session key

A) When clients perform a client service authorization, they send a TGT and the ID of the requested service to the TGS, and the TGS responds with a client-to-server ticket and session key back to the client if the request is validated. An AS is an authentication server, and the SS is a service server, neither of which can be sent.

``` What type of attack is the creation and exchange of state tokens intended to prevent? A) XSS B) CSRF C) SQL injection D) XACML ```

B) The anti-forgery state token exchanged during Oauth sessions is intended to prevent cross-site request forgery. Tihs males sure hat the unique session token with the authentication response from google's OAuth service is available to verfy that the user, not an attacker, is making a request.

``` During a review of support incidents, Scott's organization discovered that password changes accounted for more than a quarter of its help desk's cases. Which of the following options would most likely drecrease that number significantly? A) MFA B) Biometric authentication C) Self-service password reset D) passphrases ```

C) Self-service password reset tools typically have a significant impact on the number of password reset contacts that a help desk has.

``` Scott wants to allow cloud-based applications to act on his behalf to access information from other sites. Which of the following tools can allow that? A) Kerberos B) OAuth C) OpenID D) LDAP ```

B) OAuth provides the ability to access resources from another service and would meet Scotts needs. Open ID would allow him to to use an acount from another service with his application, and Kerberos and LDAP are used more frequently for in-house services.

``` What authentication technology can be paired with OAuth to perform identity verification and obtain user profile information using RESTful API? A) SAML B) Shibboleth C) OpeID Connect D) Higgins ```

C) Open ID Connect is a RESTful, JSON-based authentication protocol that, when paired with OAuth, can provide identiy verification and basic profile information.

Scott has a seret clearance and is accessin fies that use a MAC scheme to apply the top secret, secret, confidential, and unclassified scheme. What classification levels of data can he access provided tat he has a valid need-to-know-? A) Top secret and Secret B) Secret, confidential , and unclassified C) Secret data only D) Secret and unclassified

C) In a MAC system, classifications do not have to include rights to lower levels. This means tat the only label we can be sure Scott has rights to is secret.

``` Scott uses a software-based token that changes its code every minute. What type of token is he using? A) Asynchronous B) Smart Card C) Synchronous D) Static ```

C) Synchronous soft tokens, such as good Authentication, use a time-based algorithm that generates constantly changing series of codes. Asynchronous tokens typically require a challenge to be entered on the token to allow it to calculate a response, which the server compares to the expected response.

``` What type of token-based authentication system uses a challenge/response process in which the challenge has to be entered on the token A) Asynchronous B) Smart Card C) Synchronous D) RFID ```

A) Asynchronous tokens use a challenge/response process in which the system sends a challenge and the user responds with a PIN and a calculated response to the challenge. The server performs the same calculations, and if both match, it authenticates the user.

``` What LDAP authentication mode can provide secure authentication? A) Anonymous B) SASL C) Simple D) S-LDAP ```

B) The simple authentication and security layer (SASL) or LDAP provides support for a range of autnetication types, including secure methods.

``` Which of the following type 3 authenticators is appropriate to use by itself rather than in combination with other biometric factors? A) Voice pattern recognition B) Hand Geometry C) Palm Scans D) Heart/Pulse patterns ```

C) Palm scans compare the vein patterns in the palm to a databae to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than the others listed.

What danger is created by allowing the OpenID relying party to control the connection to the OpenID provider? A) It may cause incorrect selection of the proper Open ID provider B) Creates the possibility of a phishing attack by sending data to a fake open ID provider C) Relying party may be able to steal the client's username and password D) relying party may not send a signed assertion

B) Allowing the relying party to provide the redirect to the OpenID provider could allow a phishing attack by directing clients to a fake OpenID provider that can capture valid credentials

``` RAID-5 is a example of what type of control? A) Administrative B) Recovery C) Compensation D) Logical ```

B) Drives in RAID-5 array are intended to handle failure of a drive. This is an example of a recovery control, which is used to return operations to normal after a failure

``` What open protocol was designed to replace RADIUS inclduing support for additional commands and protocols , replacing UDP traffic with TCP, and providing for extensible commands- but does not preserve backward compatibility with RADIUS? A) TACACS B)RADIUS-NG C) Kerberos D) Diameter ```

D) Diameter was designed to provide enchaced modern features to replace RADIUS. Diameter provides better reliability and a broad range of improved functionality.

Susan is troublesooting Kerberos authentication problems with symptoms including TGTs that are not accepted as valid and an inability to receive new tickets. If the system she is troubleshooting is properly configured for Kerberos authentication, her username and password are correct, and her network connection is functioning, what is the most-likely issue A) The Kerberos Server is offline B)There is a protocol mismatch C) The client's TGT have been marked as compromised and de-authorized D) The Kerberos Server and the local client's time clocks are not synchronized

D) Kerberos relies on properly synchronized time on each end of a connection to function. If the local time is more than 5 minutes out of sync, valid TGT will be invalid and the system won't recieve any new tickets.

``` What authentication protocol does Windows use by default for Active Directory systems? A) RADIUS B) Kerberos C) OAuth D) TACACS+ ```

B) Windows uses Kerberos for authentication. RADIUS is typically ued for wireless networks, modems, and network devices, while OAuth is primarily used for web applications. TACACS+ is used for network devices.

Scott configure LDAP server to provide services on 636 and 3269. What type of LDAP services has he configured based on LDAP's default ports? A) Unsecure LDAP and unsecure global directory B) Unsecure LDAP and secre global directory C) Secure LDAP and secure global directory D) Secure LDAP and unsecure global directory

C) Default ports for SSL/TLS LDAP directory information and global catalog services are 636 and 3269, respectively. Unsecure LDAP uses 389 and unsecure global directory services use 3268

What is a dictionary attack?

An attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords.

What is a birthday attack?

A birthday attack is an attack that focuses on finding collisions for passwords that have the same hash.

What is a Rainbow Table Attack?

An attack that uses a large database of precomputed hashes to crack the hash value of a stored password.

What is a side-channel attack on smartcards?

A passive, noninvasive attack intended to observe the operation of a device. When the attack is successful, the attacker can learn valuable information contained within the card, such as an encryption key. Side-channel attacks analyze the information sent to the reader.

``` Who or what grants permissions to users in a DAC model? A) Admins B) Access Control Lists C) Assigned labels D) Data Custodian ```

D) The data custodian (or owner) grants permissions to users in a discretionary access control model.

``` Which of the following best describes a characteristic of the MAC model? A) Employs explicit-deny philosophy B) Permissive C) Rule-based D) Prohibitive ```

D) MAC prohibitive, and it uses implicit deny (not explicit deny).