Domain 5 - Identity and Access Management

Question 1

Crossover Error rate

Answer 1

point where false reject rate and false accept rate equal

Represents the overall accuracy of system.

Question 2

False accept rate

Answer 2

occurs when unauth subject is accepted by a biometric system as valid. AKA Type 2 error

Question 3

False reject rate

Answer 3

when an authorized subject is falseley rejected. Type 1 error

Question 4

Type 1 authentication

Answer 4

something you know

password

Question 5

type 2 auth

Answer 5

something you have (key, keycard)

Question 6

Type 3

Answer 6

something you are (biometric)

Question 7

Credential set

Answer 7

term used for combination of identification and authentication.

Question 8

Passphrase

Answer 8

long password in the form of a sentance. Usually less random.

Question 9

One time passwords

Answer 9

used for single auth. Very secure but difficult to manage.

Question 10

NIST 800-63B guideline

Answer 10

guidelines for password complexity

Question 11

Dynamic Passwords

Answer 11

change at regular intervals. RSA Security makes a synchronous token every 60 seconds.

Expensive

Question 12

Strong authentication

Answer 12

AKA Multifactor authentication

Question 13

Password hashes and pass cracking

Answer 13

password is run through a hash and the hash is stored in DB

Question 14

Linux password hashes

Answer 14

stored in etc/shadow. Only readable by root

Question 15

Windows password hash

Answer 15

stored locally and on domain controller in SAM File/security management file.

Question 16

Dictionary attack

Answer 16

run large list of words through hash algs to try and find collision.

Question 17

Brute force attack

Answer 17

Go through the entire key space. All combos

Question 18

Hybrid attack

Answer 18

appends, prepends, or changes characters in words from a dictionary before hashing. Attempts fastest crack of complex passwords.

Question 19

Rainbow table

Answer 19

large dictionary of HASHED passwords. Trandes off lower CPU resources required, for more storage required.

Question 20

Salts

Answer 20

random value added to pre-hash value. Ensures the same password doesn’t have the same hash twice.

Question 21

Password MGMT: Pasword history

Answer 21

remember the last 24 passwords

Question 22

Password MGMT: Max password age

Answer 22

90

Question 23

Password MGMT: Min password age

Answer 23

2 days

Question 24

Password MGMT: Min password length

Answer 24

8 char

Question 25

Password MGMT: Storage

Answer 25

use non-reversible encryption. i.e. hashing

Question 26

Password MGMT: Storage

Answer 26

use non-reversible encryption. i.e. hashing

Question 27

Synchronous Dynamic Token

Answer 27

Time or Counters are synced with an auth server.

Google authenticator, RSA Secureid

Question 28

Asynchronous Dynamic Token

Answer 28

Not synced with a central server. Most common variet are challenge response tokens (CHAP)

Question 29

Biometrics - accuracy

Answer 29

high accuracy needed

Question 30

Biometrics - data storage

Answer 30

should be less than 1000 bytes

Question 31

Enrollment

Answer 31

How long it takes to get biormetrics initially entered into a system for a user

Question 32

Throughput

Answer 32

How long it takes to be authenticated w/biometric system

Question 33

Throughput

Answer 33

How long it takes to be authenticated w/biometric system

Question 34

Retina scan

Answer 34

scans back of eye

Question 35

iris scan

Answer 35

picture of front of eye.

Question 36

Hand geometry scan

Answer 36

measures specific points of hand. Can store data in as little as 9 bytes.

Question 37

Keyboard dynamics

Answer 37

measures how you type. Not super accurate.

Question 38

Dynamic signature

Answer 38

measures how someone signs their name.

Question 39

voice print

Answer 39

vulnerable to replay attacks. Measures subjects tone of voice while stating a specific phrase.

Question 40

Facial scan/recognition

Answer 40

really accurate.

Question 41

centralized access control

Answer 41

centralized system to provide AAA services

Question 42

Decentralized access control

Answer 42

AC is pushed to perimeter. Branch offices. Provides more local power. Each site has control over data.

Question 43

DAC vs DAC

Answer 43

Decentralized access control or Discretionary access control.

Question 44

SSO

Answer 44

Single sign on

Question 45

SSO

Answer 45

Allows multiple systems to use a central auth server.

Question 46

Allows sec admins to add, change, or revoke permissions on one central system

Answer 46

SSO

Question 47

Disadvantages of SSO

Answer 47

difficult to retrofit
Unattendand desktop is a juicier target. Gives access to more.
Single point of attack.

Question 48

Access provisioning lifecycle

Answer 48

lifecycle of an identity in an AAA system. Accounts for everything from onboarding through to leaving the organization.

Question 49

IBM identity lifecycle rules

Answer 49

1. password policy compliance checking
2. notify users to change passwords before they expire.
3. Identify l8ifecycle changes such as accounts that haven’t been used for 30 days.
4. Identify new accounts that have not been used for 10 days.
5. Identify candidates for deletion because they’ve been suspended for 30 days.
6. when a contract expires, identifying all accts belonging to a business partner and revoke access.

Question 50

Authorization creep/Access Aggregation

Answer 50

subjects maintain old authorization while gaining new.

Question 51

Federated identiy management

Answer 51

Applies SSO at a wider scale. cross organization to internet.

microsoft acct, google acct, github and others.

Question 52

SAML

Answer 52

XML based framework for exchanging sec info, including auth.

Question 53

IDaaS

Answer 53

Identity as a services.

Question 54

LDAP

Answer 54

lightweight directory access protocol. Common, open protocol for interfacing and querying directory service info. TCP/UDP 389

Question 55

LDAPS

Answer 55

LDAP over TLS

Question 56

Kerberos

Answer 56

third party auth service that is used for SSO

AAA

Question 57

Kerberos key distrib model

Answer 57

needham and Schroeder

Question 58

needham and Schroeder key protocol

Answer 58

symmetric encryption alg. base of Kerberos protocol. Aims to establish secure seesion key over insecure network.

Question 59

Kerberos SSO

Answer 59

secret key encryption.

Question 60

Kerberos authentication

Answer 60

Mutual authentication.

Question 61

Current kerberos version

Answer 61

5

Question 62

Kerberos principal

Answer 62

client/user

Question 63

Kerberos realm

Answer 63

logical kerberos network

Question 64

Kerberos ticket

Answer 64

data that authenticates the principals identity

Question 65

Kerberos creds

Answer 65

ticket + service key

Question 66

Kerberos KDC

Answer 66

Key distribution center, authenticates principals

Question 67

Kerberos TGS

Answer 67

ticket granting service

Question 68

Kerberos TGT

Answer 68

ticket granting ticket

Question 69

Kerberos C/S

Answer 69

client server. Regarding comms between the two.

Question 70

Kerberos weaknesses

Answer 70

KDC Stores plaintext keys
Compromise of KDC can be a compromise of every key
KDC and TGS are single points of failure
Replay attacks are possible for the lifetime of the authenticator.

Question 71

SESAME

Answer 71

secure european system for applications in a multi vendor environment

Fixes kerberos weakness of plaintext keys, by using asymmetric encryption.

Question 72

SESAME PACs

Answer 72

private attribute certificate - in place of Kerberos tickets.

Question 73

RADIUS

Answer 73

remote user dial in user servers

Question 74

RADIUS RFCs

Answer 74

2865 and 2866

Question 75

RADIUS Ports

Answer 75

1812 (auth) and 1813 (accounting) both UDP

Question 76

RADIUS old ports

Answer 76

1645 1646 UDP

Question 77

RADIUS AVP

Answer 77

attribute value pairs

Question 78

Diameter

Answer 78

RADIUS successor

Question 79

Diameter

Answer 79

32 bit AVP instead of 8 bit

Question 80

Diameter port

Answer 80

TCP instead of UDP 1812, 1813

Question 81

Diameter RFC

Answer 81

3588 draft, 6733 official

Question 82

TACACS and TACACS+

Answer 82

UDP 49 Not backwards compatible.

Question 83

TACACS

Answer 83

auth is similar to RADIUS

Question 84

AD One way trust

Answer 84

active directory, trust that provides access from trusted domain to resources in teh trustnig domain

Question 85

AD two way trust

Answer 85

both domains trust each other uflly

Question 86

AD Nontransitive

Answer 86

Only the explicitly trusted domains have a trust relationship

If I trust Domain A, and Domain A trusts Domain B. I do not trust Domain B.

Question 87

AD Transitive

Answer 87

If I trust Domain A, and Domain A trusts Domain B. I also trust domain B.

Question 88

Non discretionary Access Control

Answer 88

NDAC - Major difference is that NDACs are centrally administrated, and can make changes that affect the entire environment.

Question 89

DAC -

Answer 89

Discretionary Access Control:

Subjects may have full control of objects. i.e. I have permission to edit certain work documents. Windows, Linux and Unix use DAC

Question 90

MAC

Answer 90

Mandatory Access Controls subjects and objects have clearances and labels.
subject may access only objects of their clearance or lower

Question 91

Password guessing

Answer 91

Online attampt to authenticate with guessed password

Question 92

PAP

Answer 92

Insecure auth AAA Protocol. Cleartext

Question 93

CHAP

Answer 93

Challenge Handshake Auth Protocol. More secure than PAP

Question 94

RBAC

Answer 94

Role Based Access Control

Users are grouped by roles (i.e. doctors, nurses). Permissions/access is granted per role, not per individual.

RBAC is a Type of Nondiscretionary Access control NAC

Question 95

Task-based Access Control

Answer 95

Similar to RBAC, but refined down to giving access based on the tasks/actions and end user would take.

i.e. not all nurses would have the same access. Family practice nurses would not need or want the same access as a surgical nurse.

Question 96

rule-based access control

Answer 96

fairly self-explanatory. Uses if/then statements to code rules.

Question 97

Content dependent AC

Answer 97

Defense in depth additional layer.

Takes into account the nature of the content a user is accessing. I.e. a user has access to HR records, but only their HR records

Question 98

Context Dependent AC

Answer 98

Brings into consideration additional context. I.e. time or location. .