Domain 5: Identity and Access Management Flashcards

1
Q

MAC

A

Mandatory Access Control

Uses classifications and labels to define user access.

Used in very strict environments.

The Operating System enforces MAC (when used in a digital format).

2
Q

DAC

A

Discretionary Access Control

Discretionary Access Control (DAC) allows the Data Owner to control and define access to objects.

3
Q

ABAC

A

Attribute-Based Access Control

Attribute-Based Access Control (ABAC) makes decisions based on attributes for either the subject, object, or actions.

4
Q

RBAC

A

Role-based Access Control

Role-Based Access Control (RBAC) maps a subject’s role with their needed operations and tasks.

5
Q

Type 1 authentication factor

A

Something you know: password, PIN

6
Q

Type 2 Authentication factor

A

Something you have: Smartcard, MFA app on phone

7
Q

Type 3 Authentication factor

A

Something you are: fingerprint, voice ID, face ID

8
Q

CER

A

Cross-over Error Rate: defines the point where the false rejection rate equals the false acceptance rate.

9
Q

Type 1 Error

A

Falsely rejected Authentication (user should have access but is denied)

10
Q

Type 2 Error

A

False acceptance (User should NOT have access but is granted access.)

11
Q

Registration (biometrics)

A

Registration is the capturing of an individual's biometric data.

(Is this the capturing of any type of identifiable data?)

12
Q

Hybrid Federation

A

Related to a type of authentication infrastructure:

Authentication occurs on-premises, not in the cloud, and grants access to resources beyond just the on-premises environment.

13
Q

Cloud based federation

A

Uses a third party for shared federated identities, e.g., Okta or Duo.

14
Q

On-premise federation

A

Federation is hosted on premises for access to on-premises resources.

15
Q

Relationship of federated identities and SSO

A

SSO provides single sign-on within one organization.

Multiple SSO systems that agree to share information and access create a FEDERATION.

16
Q

Two basic components of PKI

A

CA and RA: certificate authority and registration authority.

Public Key Infrastructure (PKI) uses a central authority to store encryption keys or certificates in order to establish the identity or digital signature of a user. PKI systems use certificate authorities (CAs) and registration authorities (RAs).

17
Q

OAuth Connect pairs with _____ to perform identity verification and obtain user profile information.

A

OpenID Connect

18
Q

Audit Trail

A

Log that provides a play-by-play record of actions.

The audit trail allows an administrator to review events and users linked to those events. It can be used to review employee misconduct or provide a log of events leading to system failure. An audit trail is required for some security standards, including the Health Insurance Portability and Accountability Act (HIPAA).

19
Q

Smart Card

A

Smart cards are credit card-sized devices that contain a microprocessor. A smart card typically contains an encrypted private key issued through a public key infrastructure (PKI) system that the authenticating environment trusts. When the smart card is inserted into a reader, the user must enter a PIN before the smart card releases the private key. Smart cards can be programmed to wipe themselves if a PIN is entered incorrectly too many times.

20
Q

Identification device with the best tamper resistance

A

Smart Card

21
Q

Access Control Matrix

A

Table that lists objects, subjects, and their privileges.

22
Q

SPML

A

Service Provisioning Markup Language

Used to provision users, resources, and services.

23
Q

Is the Non-Discretionary Access Model a thing?

A

Yes

The Non-Discretionary Access Control model uses a central administration element to govern access. Mandatory Access Control models employ data classification labels to control access.

CISSP Certified Information Systems Security Professional Official Study Guide, 9th Edition. Pg 681-690.

24
Q

OpenID Provider

A

The OpenID Provider (or Identity Provider, IdP) performs user authentication, user consent, and token issuance.

25
Q

OpenID Relying Party

A

The resource or server the end-user is trying to access. This resource relays the authentication request to the OpenID Provider.

26
Q

OpenID End-User

A

The user attempting to log in.

27
Q

asynchronous token device

A

An asynchronous token device generates a one-time password using a challenge/response mechanism. An example of this could be if a workstation displayed a numerical challenge value.

28
Q

Data Owner

A

Typically C-Suite.

In smaller orgs, may also be a System Owner.

The entity that collects/creates the PII and is legally responsible and accountable for protecting it and educating others about how to protect the data through dissemination of intellectual property rights documentation, policies and regulatory requirements, specific protective measures that are expected of custodians, and compliance requirements.

29
Q

System Owner

A

The System Owner could also be a SME/Program Manager for a particular application/service.

Sometimes also the Data Owner.

Sometimes also the Custodian.

30
Q

Data Custodian

A

Person actually doing the day-to-day things.

31
Q

Synchronous Token

A

e.g., Microsoft Authenticator, Google Authenticator, Okta Authenticator

32
Q

Asynchronous Token

A

Out-of-band, one-time token.

33
Q

Mutual Authentication

A

A form of authentication in which you also identify the server or service you're connecting to: they authenticate you, and you authenticate them.

e.g., the SSL certificate on the VPN server you remote into for work.

34
Q

What is required for Accountability to work?

A

Identification and Authentication:

Accountability relies on the effectiveness of identification and authentication, but it does not require effective authorization.

35
Q

OAuth provides ___, NOT ___

A

Authorization, NOT Authentication.

36
Q

Diameter

A

Diameter was developed after and inspired by RADIUS to overcome the limitations associated with compatibility among other authentication mechanisms. Additionally, Diameter is able to separate authentication, authorization, and accounting services.

37
Q

Rainbow Table

A

A rainbow table is usually a large file with a list of pre-computed hashes and corresponding passwords.

NOTE: the passwords are pre-hashed, saving time in a brute-force attack.

38
Q

Are Smart Cards a combination of Type 1 and Type 2 access controls?

A

YES!

Smart Cards will prompt a user for a PIN or password after being scanned.

39
Q

Compartmentalized Environment

A

Type of MAC control.

In a compartmentalized environment, there is no relationship between one security domain and another. Each domain represents a separate isolated compartment. To gain access to an object, the subject must have specific clearance for each security domain. For example, a general may have access to Top Secret information about troop movements but not Top Secret information about nuclear missile construction.

40
Q

Iris Scan

A

Scan of colored part of eye. Iris scanning would be the best choice when considering an individual’s health conditions.

41
Q

Retinal Scan

A

Retinal scanning is also considered to be the most invasive type of biometric scanning and, unlike the iris, the blood vessels in the retina can be affected by health conditions. Retinal scans may also conflict with privacy laws because they can reveal certain aspects of an individual's health, such as diabetes or high blood pressure.

42
Q

In a MAC environment, labels or classification assignment can only be performed by _________.

A

System Admins

The modification of the label or classification of a resource in Mandatory Access Control (MAC) can only be performed by system administrators. Strict auditing should be implemented to ensure that system administrators do not modify resources that should not be modified.

43
Q

Workflow-based account provisioning

A

Provisioning that occurs through an established workflow.

44
Q

Automated Provisioning of accounts

A

Central, software-driven process.

45
Q

Discretionary Account Provisioning

A

When a manager sets up each employee's account.

46
Q

SPML

A

Used in identity federations to initiate XML-based provisioning/de-provisioning processes from the identity provider to its target service providers. SPML allows users to bypass out-of-band account creation requirements using provisioning/synchronization mechanisms from LDAP, database

47
Q

Constrained User Interface

A

There are three major types of restricted interfaces:
Menus and Shells
Database Views
Physically Constrained Interfaces