Domain 5 - Identity and Access Management Flashcards

Flashcards in Domain 5 - Identity and Access Management Deck (83):
1

These access controls include policies or procedures to implement and enforce overall access control.

Administrative

2

These access controls include hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems.

Logical/technical

3

These access controls include physical barriers deployed to prevent direct contact and access with systems or areas within a facility.

Physical

4

What are the 3 authentication factors?

something you know (such as a password or PIN), something you have (such as a smartcard or token), and something you are (based on biometrics).

5

What identifies the accuracy of a biometric method?

the crossover rate

6

a mechanism that allows subjects to authenticate once on a system and access multiple objects without authenticating again.

Single sign-on (SSO)

7

An active entity that accesses a passive object to receive information from, or data about, an object. They can be users, programs, processes, computers, or anything else that can access a resource.

Subjects

8

A passive entity that provides information to active subjects. Some examples include files, databases, computers, programs, processes, printers, and storage media.

objects

9

An access control is any hardware, software, or administrative policy or procedure that controls access to resources. The goal is to provide access to authorized subjects and prevent unauthorized access attempts. Name the 3 primary control types.

preventive, detective, and corrective.

10

This access control attempts to thwart or stop unwanted or unauthorized activity from occurring. Examples of these access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties policies, job rotation policies, data classification, penetration testing, access control methods, encryption, auditing, the presence of security cameras or closed circuit television (CCTV), smartcards, callback procedures, security policies, security awareness training, antivirus software, firewalls, and intrusion prevention systems.

preventive control

11

There are 7 access controls: 3 main ones and 4 others. What are the four other types of access controls?

deterrent, recovery, directive, and compensation access controls.

12

This access control attempts to discover or detect unwanted or unauthorized activity. These controls operate after the fact and can discover the activity only after it has occurred. Examples include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection systems, violation reports, supervision and reviews of users, and incident investigations.

A detective control

13

This access control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. They attempt to correct any problems that occurred as a result of a security incident. They can be simple, such as terminating malicious activity or rebooting a system. They also include antivirus solutions that can remove or quarantine a virus, backup and restore plans to ensure that lost data can be restored, and active intrusion detection systems that can modify the environment to stop an attack in progress.

A corrective control

14

This access control attempts to discourage security policy violations. They are similar to preventive controls, but they often depend on individuals deciding not to take an unwanted action. In contrast, a preventive control actually blocks the action. Some examples include policies, security awareness training, locks, fences, security badges, guards, mantraps, and security cameras.

A deterrent control

15

This access control attempts to repair or restore resources, functions, and capabilities after a security policy violation. They are an extension of corrective controls but have more advanced or complex abilities. Examples include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.

A recovery control

16

This access control attempts to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.

A directive control

17

This access control provides an alternative when it isn't possible to use a primary control, or when necessary to increase the effectiveness of a primary control. As an example, a security policy might dictate the use of smartcards by all employees, but it takes a long time for new employees to get a smartcard. The organization could issue hardware tokens to employees as a compensating control. These tokens provide stronger authentication than just a username and password.

A compensation control

18

the process of a subject claiming, or professing, an identity.

Identification

19

This verifies the identity of the subject by comparing one or more factors against a database of valid identities, such as user accounts.

Authentication

20

Subjects are granted access to objects based on proven identities. For example, administrators grant users access to files based on the user’s proven identity.

Authorization

21

Users and other subjects can be held accountable for their actions when auditing is implemented. Auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs. For example, auditing can record when a user reads, modifies, or deletes a file. Auditing provides this.

Accountability

22

What is a Type 1 authentication factor?

something you know

23

What is a Type 2 authentication factor?

something you have

24

What is a Type 3 authentication factor?

something you are or something you do

25

A series of questions about facts or predefined responses that only the subject should know.

cognitive password

26

Hardware tokens that are time-based and synchronized with an authentication server.

Synchronous Dynamic Password Tokens

27

Hardware token that generates passwords based on an algorithm and an incrementing counter.

Asynchronous Dynamic Password Tokens

28

In biometrics this error occurs when a valid subject is not authenticated. This is also known as a false negative authentication.

A Type 1 error

29

In biometrics this occurs when an invalid subject is authenticated. This is also known as a false positive authentication.

A Type 2 error

30

The ratio of Type 1 errors to valid authentications is known as what?

false rejection rate (FRR)

31

The ratio of Type 2 errors to valid authentications is called what?

false acceptance rate (FAR)

32

A centralized access control technique that allows a subject to be authenticated only once on a system and to access multiple resources without authenticating again.

Single sign-on (SSO)

33

Ticket authentication is a mechanism that employs a third-party entity to prove identification and provide authentication. What is the most common and well-known ticket system?

Kerberos

34

The trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with this, and it maintains the secret keys for all network members.

key distribution center (KDC)

35

This hosts the functions of the KDC: a ticket-granting service (TGS) and an authentication service (AS). However, it is possible to host the ticket-granting service on another server. One of its services verifies or rejects the authenticity and timeliness of tickets. This server is often called the KDC.

Kerberos Authentication Server

36

This part of Kerberos provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects. It is encrypted and includes a symmetric key, an expiration time, and the user's IP address. Subjects present this when requesting tickets to access objects.

Ticket-Granting Ticket

37

In Kerberos this is an encrypted message that provides proof that a subject is authorized to access an object.

ticket

38

With this access control, all objects have owners and the owners can modify permissions.

discretionary access control

39

the possibility or likelihood that a threat can exploit a vulnerability and cause damage to assets.

risk

40

These are granted to a subject and refer to the access granted for an object and determine what you can do with it.

permissions

41

This primarily refers to the ability to take an action on an object.

A right

42

the combination of rights and permissions.

privileges

43

This principle ensures that access to an object is denied unless access has been explicitly granted to a subject.

Implicit Deny

44

a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks this to determine if the subject has the appropriate privileges to perform the action.

Access Control Matrix

45

These are another way to identify privileges assigned to subjects. They are different from ACLs in that they are focused on subjects (such as users, groups, or roles).

Capability Tables

46

Applications use these to restrict what users can do or see based on their privileges. An ATM screen is a good example. The Clark-Wilson security model uses these.

Constrained User Interface

47

These restrict access to data based on the content within an object. A database view is a good example.

Content-dependent access controls

48

These require specific activity before granting users access. As an example, consider the data flow for a transaction selling digital products online. Users add products to a shopping cart and begin the checkout process. The first page in the checkout flow shows the products in the shopping cart, the next page collects credit card data, and the last page confirms the purchase and provides instructions for downloading the digital products. The system denies access to the download page if users don’t go through the purchase process first.

Context-dependent access controls

49

This principle ensures that subjects are granted access only to what they need to know for their work tasks and job functions.

Need to Know

50

This principle ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that this will also include rights to take action on a system.

Least Privilege

51

This principle ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.

Separation of Duties and Responsibilities

52

A document that defines the security requirements for an organization. It identifies assets that need protection and the extent to which security solutions should go to protect them. Some organizations create this as a single document, and other organizations create multiples, with each one focused on a separate area.

security policy

53

This uses multiple layers or levels of access controls to provide layered security.

defense-in-depth strategy.

54

This allows the owner, creator, or data custodian of an object to control and define access to that object. It is implemented using access control lists (ACLs) on objects.

discretionary access controls (DACs)

55

In this access control, administrators administer control and can make changes that affect the entire environment.

nondiscretionary access controls

56

Systems that employ this type of access controls define a subject’s ability to access an object based on the subject’s role or assigned tasks. It is often implemented using groups.

Role-based access control

57

the tendency for privileges to accrue to users over time as their roles and access needs change.

Privilege creep

58

This type of access control uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. It includes granting a subject access to an object, or granting the subject the ability to perform an action. A distinctive characteristic about these models is that they have global rules that apply to all subjects. One common example is a firewall.

rule-based access control (rule-BAC)

59

This model relies on the use of classification labels. Each classification label represents a security domain, or a realm of security. A security domain is a collection of subjects and objects that share a common security policy. For example, a security domain could have the label Secret.

mandatory access control (MAC)

60

The possibility or likelihood that a threat will exploit a vulnerability resulting in a loss such as harm to an asset.

risk

61

a potential occurrence that can result in an undesirable outcome. This includes potential attacks by criminals or other attackers. It also includes natural occurrences such as floods or earthquakes, and accidental acts by employees.

threat

62

any type of weakness. The weakness can be due to a flaw or limitation in hardware or software, or the absence of a security control such as the absence of antivirus software on a computer.

vulnerability

63

This attempts to reduce or eliminate vulnerabilities, or reduce the impact of potential threats by implementing controls or countermeasures.

Risk management

64

This refers to identifying the actual value of assets with the goal of prioritizing them. Risk management focuses on assets with the highest value and identifies controls to mitigate risks to these assets.

Asset valuation

65

This refers to the process of identifying, understanding, and categorizing potential threats. A goal is to identify a potential list of threats to these systems and to analyze the threats.

Threat modeling

66

This refers to a group of attackers who are working together and are highly motivated, skilled, and patient. They have advanced knowledge and a wide variety of skills to detect and exploit vulnerabilities. They are persistent and focus on exploiting one or more specific targets rather than just any target of opportunity.

advanced persistent threat (APT)

67

This refers to collecting multiple pieces of nonsensitive information and combining (i.e., aggregating) them to learn sensitive information.

Access aggregation

68

an attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords.

dictionary attack

69

an attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols.

brute-force attack

70

This access attack focuses on finding collisions.

birthday attack

71

It takes a long time to find a password by guessing it, hashing it, and then comparing it with a valid password hash. These reduce this time by using large databases of precomputed hashes.

rainbow table

72

a group of random bits, added to a password before hashing it.

salt

73

Capturing packets sent over a network with the intent of analyzing the packets.

sniffing

74

This is pretending to be something, or someone, else. A lot of attacks are based on this.

Spoofing

75

This is a form of social engineering that attempts to trick users into giving up sensitive information, opening an attachment, or clicking a link.

Phishing

76

This is a form of phishing targeted to a specific group of users, such as employees within a specific organization.

Spear phishing

77

a variant of phishing that targets senior or high-level executives such as CEOs and presidents within a company.

Whaling

78

Phishing attacks launched via IM and VoIP.

Vishing

79

This attack prevents a system from processing or responding to legitimate traffic or requests for resources.

denial-of-service (DoS)

80

Which part of Kerberos provides the Ticket Granting Tickets that allow access to the realm or domain?

Authentication Service

81

Which part of Kerberos provides tickets that allow access to objects within the realm or domain?

Ticket Granting Service

82

Which protocol does RADIUS use, TCP or UDP?

UDP

83

Which protocol do TACACS and Diameter use, TCP or UDP?

TCP