Domain 5 - Identity and Access Management Flashcards

Question

Password MGMT: Storage

Answer 1

use non-reversible encryption. i.e. hashing

Answer 2

use non-reversible encryption. i.e. hashing

Answer 3

Time or Counters are synced with an auth server. Google authenticator, RSA Secureid

Answer 4

Not synced with a central server. Most common variet are challenge response tokens (CHAP)

Answer 5

high accuracy needed

Answer 6

should be less than 1000 bytes

Answer 7

How long it takes to get biormetrics initially entered into a system for a user

Answer 8

How long it takes to be authenticated w/biometric system

Answer 9

How long it takes to be authenticated w/biometric system

Answer 10

scans back of eye

Answer 11

picture of front of eye.

Answer 12

measures specific points of hand. Can store data in as little as 9 bytes.

Answer 13

measures how you type. Not super accurate.

Answer 14

measures how someone signs their name.

Answer 15

vulnerable to replay attacks. Measures subjects tone of voice while stating a specific phrase.

Answer 16

really accurate.

Answer 17

centralized system to provide AAA services

Answer 18

AC is pushed to perimeter. Branch offices. Provides more local power. Each site has control over data.

Answer 19

Decentralized access control or Discretionary access control.

Answer 20

Single sign on

Answer 21

Allows multiple systems to use a central auth server.

Answer 22

difficult to retrofit Unattendand desktop is a juicier target. Gives access to more. Single point of attack.

Answer 23

lifecycle of an identity in an AAA system. Accounts for everything from onboarding through to leaving the organization.

Answer 24

1. password policy compliance checking 2. notify users to change passwords before they expire. 3. Identify l8ifecycle changes such as accounts that haven't been used for 30 days. 4. Identify new accounts that have not been used for 10 days. 5. Identify candidates for deletion because they've been suspended for 30 days. 6. when a contract expires, identifying all accts belonging to a business partner and revoke access.

Answer 25

subjects maintain old authorization while gaining new.

Answer 26

Applies SSO at a wider scale. cross organization to internet. microsoft acct, google acct, github and others.

Answer 27

XML based framework for exchanging sec info, including auth.

Answer 28

Identity as a services.

Answer 29

lightweight directory access protocol. Common, open protocol for interfacing and querying directory service info. TCP/UDP 389

Answer 30

LDAP over TLS

Answer 31

third party auth service that is used for SSO AAA

Answer 32

needham and Schroeder

Answer 33

symmetric encryption alg. base of Kerberos protocol. Aims to establish secure seesion key over insecure network.

Answer 34

secret key encryption.

Answer 35

Mutual authentication.

Answer 36

client/user

Answer 37

logical kerberos network

Answer 38

data that authenticates the principals identity

Answer 39

ticket + service key

Answer 40

Key distribution center, authenticates principals

Answer 41

ticket granting service

Answer 42

ticket granting ticket

Answer 43

client server. Regarding comms between the two.

Answer 44

KDC Stores plaintext keys Compromise of KDC can be a compromise of every key KDC and TGS are single points of failure Replay attacks are possible for the lifetime of the authenticator.

Answer 45

secure european system for applications in a multi vendor environment Fixes kerberos weakness of plaintext keys, by using asymmetric encryption.

Answer 46

private attribute certificate - in place of Kerberos tickets.

Answer 47

remote user dial in user servers

Answer 48

2865 and 2866

Answer 49

1812 (auth) and 1813 (accounting) both UDP

Answer 50

1645 1646 UDP

Answer 51

attribute value pairs

Answer 52

RADIUS successor

Answer 53

32 bit AVP instead of 8 bit

Answer 54

TCP instead of UDP 1812, 1813

Answer 55

3588 draft, 6733 official

Answer 56

UDP 49 Not backwards compatible.

Answer 57

auth is similar to RADIUS

Answer 58

active directory, trust that provides access from trusted domain to resources in teh trustnig domain

Answer 59

both domains trust each other uflly

Answer 60

Only the explicitly trusted domains have a trust relationship If I trust Domain A, and Domain A trusts Domain B. I do not trust Domain B.

Answer 61

If I trust Domain A, and Domain A trusts Domain B. I also trust domain B.

Answer 62

NDAC - Major difference is that NDACs are centrally administrated, and can make changes that affect the entire environment.

Answer 63

Discretionary Access Control: Subjects may have full control of objects. i.e. I have permission to edit certain work documents. Windows, Linux and Unix use DAC

Answer 64

Mandatory Access Controls subjects and objects have clearances and labels. subject may access only objects of their clearance or lower

Answer 65

Online attampt to authenticate with guessed password

Answer 66

Insecure auth AAA Protocol. Cleartext

Answer 67

Challenge Handshake Auth Protocol. More secure than PAP

Answer 68

Role Based Access Control Users are grouped by roles (i.e. doctors, nurses). Permissions/access is granted per role, not per individual. RBAC is a Type of Nondiscretionary Access control NAC

Answer 69

Similar to RBAC, but refined down to giving access based on the tasks/actions and end user would take. i.e. not all nurses would have the same access. Family practice nurses would not need or want the same access as a surgical nurse.

Answer 70

fairly self-explanatory. Uses if/then statements to code rules.

Answer 71

Defense in depth additional layer. Takes into account the nature of the content a user is accessing. I.e. a user has access to HR records, but only their HR records

Answer 72

Brings into consideration additional context. I.e. time or location. .

Domain 5 - Identity and Access Management Flashcards

(98 cards)