Domain 5: Identity and Access Management

Question 1

Identity and Access Management

Answer 1

Focus on harmonizing the provisioning of users and managing their access across multiple systems with different native access control systems

Question 2

Identity Management

Answer 2

Controls the life cycle of all accounts in a system

Verifies someone is who they say they are

Question 3

Access Management

Answer 3

Controls the assignment of rights/privileges to those accounts
Verifies someone has the right accesses to do what is requested

Question 4

Identity Proofing

Answer 4

Precedes creation of a user account
Not the same as authentication
Requires the prospective employee to prove their identity to the employer

Question 5

Provisioning/Deprovisioning Identities

Answer 5

Traditionally different cloud vendors used non-standard provisioning APIs
Enterprises to develop and maintain proprietary connectors to integrate with multiple SaaS providers
Alternatively can be made easier, cloud, etc.

Question 6

Type 1 Authentication

Answer 6

Something you know

Question 7

Type 2 Authentication

Answer 7

Something you have

Question 8

Type 3 Authentication

Answer 8

Something you are

Question 9

Multifactor

Answer 9

combination of the 3 types of authentication

Question 10

Mutual Authentication

Answer 10

Both parties authenticate to each other

Question 11

Token

Answer 11

A one time use passcode from device that synchs with authentication server, or time based

Question 12

Physiological traits for Authentication

Answer 12

Fingerprint, hand geometry, iris, retina

Question 13

Behavior based traits for authentication

Answer 13

voice, gait, signature, keyboard cadence

Question 14

Type I Error

Answer 14

False Rejection - legitimate user is barred from access. caused by identifying too much information

Question 15

Type II Error

Answer 15

False Acceptance - an impostor is allowed access. Security threat and a system that doesn’t have enough info

Question 16

CER Crossover Error Rate

Answer 16

Where Type I and Type II errors intersect on a graph. Goal is to have a low number

Question 17

Biometrics concerns

Answer 17

User acceptance
Intrusive (Retina scans can reveal health information)
Time for enrollment and verification
Cost/benefit
Cannot revoke biometrics

Question 18

Single Sign-on (SSO)

Answer 18

Allows a user to provide credentials to an authentication server and receive accessed to interconnected or disparate systems

Question 19

Kerberos

Answer 19

Network authentication protocol designed from MITs project Athena. Tries to ensure authentication security in an insecure environment

Question 20

Kerberos password Transmission

Answer 20

Does not transmit password over the network

Question 21

Kerberos Authentication Server (AS)

Answer 21

Allows authentication of the user and issues to a Ticket Granting Ticket (TGT)

Question 22

Kerberos Ticket Granting Service (TGS)

Answer 22

After receiving the TGT from the user, the TGS issues a ticket for a particular user to access a particular service

Question 23

Kerberos Key Distribution Center (KDC)

Answer 23

system which runs the Ticket Granting Service (TGS) and Authentication Service (AS)

Question 24

Kerberos Ticket

Answer 24

Means of distributing session keys

Question 25

Kerberos Carnival comparison

Answer 25

Receive wrist band entering carnival at admissions - Receive encrypted TGT From AS Wrist band needed for tickets - TGT ticket goes to TGS to distribute keys Tickets get you access to rides -

Question 26

Kerberos Ticket Granting Ticket (TGT)

Answer 26

Ticket that gives access that is encrypted with your password, similar to wrist band

Question 27

Kerberos synchronization

Answer 27

must be within 5 minutes of each other

Question 28

Service Provisioning Markup Language (SPML)

Answer 28

Used to exchange account info between systems for federated SSO and account provisioning

Question 29

System Cross-Domain Identity Management (SCIM)

Answer 29

Used to exchange account info between systems for federated SSO and account provisioning

Question 30

Security Assertion Markup Language (SAML)

Answer 30

Another markup language utilized for SSO and Federated accounts

Question 31

OpenID Connect

Answer 31

Alternative to SAML

Question 32

OAuth 2.0

Answer 32

Not designed for SSO - links accounts (Spotify to Facebook, etc) and does a job on your behalf.

Question 33

Role Based Access Control (RBAC)

Answer 33

Good solution to mitigate privilege creep and provides strongest constraint of user access Well suited for environments with high turnover Groups of users are assigned roles to have different permissions

Question 34

Discretionary Access Control (DAC)

Answer 34

Security of an object is at the owners discretion Access is granted through an ACL Identity based

Question 35

Mandatory Access Control (MAC)

Answer 35

Used where classification and confidentiality is of utmost importance Generally you have to buy a specific MAC system (SELinux, Trusted Solaris) All objects have a security label

Question 36

Attribute Based Access Control (ABAC)

Answer 36

Permissions or privilege granted based on attributes of object (location, role, tenure, any other attribute)

Question 37

Audits

Answer 37

Ensure compliance with policy and standards

Question 38

Service Organizational Control (SOC) Report 1

Answer 38

Pertains to financial controls

Question 39

Service Organizational Control (SOC) Report 2

Answer 39

Pertains to trust services (Security, Availability, Confidentiality, Process Integrity and Privacy) For existing customers

Question 40

Service Organizational Control (SOC) Report 3

Answer 40

Also pertains to trust services (Security, Availability, Confidentiality, Process Integrity and Privacy) For new customers, Publicly Available Information

Question 41

Personnel Vulnerability Testing

Answer 41

Includes reviewing employee tasks and identifying vulnerabilities in the standard practices and procedures

Question 42

Physical Vulnerability Testing

Answer 42

Includes reviewing the facility and perimeter protection mechanisms

Question 43

System and Network Vulnerability Testing

Answer 43

Automated scanning product identifies known system vulnerabilities

Question 44

Vulnerability Scans

Answer 44

Probe systems, applications, and networks, looking for weaknesses that may be exploited by an attacker

Question 45

Network Discovery SCanning

Answer 45

Scan a range of IP addresses, searching for systems with open network ports

Question 46

TCP SYN Scanning

Answer 46

Sends a single packet to each scanned port with the SYN flag set

Question 47

TCP Connect Scanning

Answer 47

Opens a full connection to the remote system on the specified port

Question 48

TCP ACK Scanning

Answer 48

Sends a packet with the ACK flag set, indicating that it is part of an open connection

Question 49

NMAP

Answer 49

tool used for network discovery

Question 50

Penetration Testing Steps

Answer 50

Discovery - Footprinting and gathering information about the target Enumeration - Performing port scans and resource identification methods Vulnerability Mapping - Identifying vulnerabilities in identified systems and resources Exploitation - Attempting to gain unauthorized access by exploiting vulnerabilities Report to Management - Deliver management documentation of findings and suggested countermeasures

Question 51

Remote Logging

Answer 51

Putting the log files on a separate box will require the attackers to target that box too, which at the very least buys you time to notice the intrusion

Question 52

Simplex Communication

Answer 52

Use one way communication between the reporting devices and the central log repository

Question 53

Replication

Answer 53

Making multiple copies and keeping them in different locations

Question 54

Write-once media

Answer 54

Create a back up of log files that can be written to only once, preventing tampering

Question 55

Cryptographic hash chaining

Answer 55

Let you know if files have changed

Question 56

Signature Based Analysis Engine

Answer 56

Network attacks have distinct signatures that is data that is passed between attacker and victim. These signatures are stored in a database and network traffic is compared to this database.

Question 57

Profile Matching Analysis Engine

Answer 57

Anomaly based. Works off a baseline of normal behavior and looks for anomalous network behavior outside of accepted norms. Prone to false positives.