Domain 5 - Identity and Access Management Flashcards Preview


Flashcards in Domain 5 - Identity and Access Management Deck (83):

These access controls include policies or procedures to implement and enforce overall access control.



These access controls include hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems.



These access controls include physical barriers deployed to prevent direct contact and access with systems or areas within a facility.



What are the 3 authentication factors?

something you know (such as a password or PIN), something you have (such as a smartcard or token), and something you are (based on biometrics).


What identifies the accuracy of a biometric method?

the crossover rate


a mechanism that allows subjects to authenticate once on a system and access multiple objects without authenticating again.

Single sign-on (SSO)


An active entity that accesses a passive object to receive information from, or data about, an object. They can be users, programs, processes, computers, or anything else that can access a resource.



A passive entity that provides information to active subjects. Some examples include files, databases, computers, programs, processes, printers, and storage media.



An access control is any hardware, software, or administrative policy or procedure that controls access to resources. The goal is to provide access to authorized subjects and prevent unauthorized access attempts. Name the 3 primary control types.

preventive, detective, and corrective.


This access control attempts to thwart or stop unwanted or unauthorized activity from occurring. Examples of these access controls include fences, locks, biometrics, mantraps, lighting, alarm systems, separation of duties policies, job rotation policies, data classification, penetration testing, access control methods, encryption, auditing, the presence of security cameras or closed circuit television (CCTV), smartcards, callback procedures, security policies, security awareness training, antivirus software, firewalls, and intrusion prevention systems.

preventive control


There are 7 access controls: 3 main ones and 4 others. What are the four other types of access controls?

deterrent, recovery, directive, and compensation access controls.


This access control attempts to discover or detect unwanted or unauthorized activity. These controls operate after the fact and can discover the activity only after it has occurred. Examples include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation policies, mandatory vacation policies, audit trails, honeypots or honeynets, intrusion detection systems, violation reports, supervision and reviews of users, and incident investigations.

A detective control


This access control modifies the environment to return systems to normal after an unwanted or unauthorized activity has occurred. They attempt to correct any problems that occurred as a result of a security incident. They can be simple, such as terminating malicious activity or rebooting a system. They also include antivirus solutions that can remove or quarantine a virus, backup and restore plans to ensure that lost data can be restored, and active intrusion detection systems that can modify the environment to stop an attack in progress.

A corrective control


This access control attempts to discourage security policy violations. They are similar to preventive controls but these often depend on individuals deciding not to take an unwanted action. In contrast, a preventive control actually blocks the action. Some examples include policies, security awareness training, locks, fences, security badges, guards, mantraps, and security cameras.

A deterrent control


This access control attempts to repair or restore resources, functions, and capabilities after a security policy violation. They are an extension of corrective controls but have more advanced or complex abilities. Examples include backups and restores, fault-tolerant drive systems, system imaging, server clustering, antivirus software, and database or virtual machine shadowing.

A recovery control


This access control attempts to direct, confine, or control the actions of subjects to force or encourage compliance with security policies. Examples include security policy requirements or criteria, posted notifications, escape route exit signs, monitoring, supervision, and procedures.

A directive control


This access control provides an alternative when it isn’t possible to use a primary control, or when necessary to increase the effectiveness of a primary control. As an example, a security policy might dictate the use of smartcards by all employees but it takes a long time for new employees to get a smartcard. The organization could issue hardware tokens to employees as a compensating control. These tokens provide stronger authentication than just a username and password.

A compensation control


the process of a subject claiming, or professing, an identity.



This verifies the identity of the subject by comparing one or more factors against a database of valid identities, such as user accounts.



Subjects are granted access to objects based on proven identities. For example, administrators grant users access to files based on the user’s proven identity.



Users and other subjects can be held accountable for their actions when auditing is implemented. Auditing tracks subjects and records when they access objects, creating an audit trail in one or more audit logs. For example, auditing can record when a user reads, modifies, or deletes a file. Auditing provides this.



What is a Type 1 authentication factor?

something you know


What is a Type 2 authentication factor?

something you have


What is a Type 3 authentication factor?

something you are or something you do


A series of questions about facts or predefined responses that only the subject should know.

cognitive password


Hardware tokens that are time-based and synchronized with an authentication server

Synchronous Dynamic Password Tokens


Hardware token that generates passwords based on an algorithm and an incrementing counter.

Asynchronous Dynamic Password Tokens


In biometrics this error occurs when a valid subject is not authenticated. This is also known as a false negative authentication.

A Type 1 error


In biometrics this occurs when an invalid subject is authenticated. This is also known as a false positive authentication.

A Type 2 error


The ratio of Type 1 errors to valid authentications is known as

false rejection rate (FRR)


The ratio of Type 2 errors to valid authentications is called

false acceptance rate (FAR)


centralized access control technique that allows a subject to be authenticated only once on a system and to access multiple resources without authenticating

Single sign-on (SSO)


Ticket authentication is a mechanism that employs a third-party entity to prove identification and provide authentication. The most common and well-known ticket system is



the trusted third party that provides authentication services. Kerberos uses symmetric-key cryptography to authenticate clients to servers. All clients and servers are registered with this, and it maintains the secret keys for all network members.

key distribution center (KDC)


This hosts the functions of the KDC: a ticket-granting service (TGS) and an authentication service (AS). However, it is possible to host the ticket-granting service on another server. One of its services verifies or rejects the authenticity and timeliness of tickets. This server is often called the KDC.

Kerberos Authentication Server


This part of Kerberos provides proof that a subject has authenticated through a KDC and is authorized to request tickets to access other objects. It is encrypted and includes a symmetric key, an expiration time, and the user’s IP address. Subjects present this when requesting tickets to access objects.

Ticket-Granting Ticket


In Kerberos this is an encrypted message that provides proof that a subject is authorized to access an object.



With this access control all objects have owners and the owners can modify permissions.

discretionary access control


the possibility or likelihood that a threat can exploit a vulnerability and cause damage to assets.



These are granted to a subject and refer to the access granted for an object and determine what you can do with it.



This primarily refers to the ability to take an action on an object.

A right


the combination of rights and permissions.



This principle ensures that access to an object is denied unless access has been explicitly granted to a subject.

Implicit Deny


a table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks this to determine if the subject has the appropriate privileges to perform the action.

Access Control Matrix


These are another way to identify privileges assigned to subjects. They are different from ACLs in that they are focused on subjects (such as users, groups, or roles).

Capability Tables


Applications use these to restrict what users can do or see based on their privileges. An ATM screen is a good example. The Clark-Wilson security model uses these.

Constrained User Interface


These restrict access to data based on the content within an object. A database view is a good example.

Content-dependent access controls


These require specific activity before granting users access. As an example, consider the data flow for a transaction selling digital products online. Users add products to a shopping cart and begin the checkout process. The first page in the checkout flow shows the products in the shopping cart, the next page collects credit card data, and the last page confirms the purchase and provides instructions for downloading the digital products. The system denies access to the download page if users don’t go through the purchase process first.

Context-dependent access controls


This principle ensures that subjects are granted access only to what they need to know for their work tasks and job functions.

Need to Know


This principle ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. This is sometimes lumped together with need to know. The only difference is that this will also include rights to take action on a system.

Least Privilege


This principle ensures that sensitive functions are split into tasks performed by two or more employees. It helps to prevent fraud and errors by creating a system of checks and balances.

Separation of Duties and Responsibilities


A document that defines the security requirements for an organization. It identifies assets that need protection and the extent to which security solutions should go to protect them. Some organizations create this as a single document, and other organizations create multiples, with each one focused on a separate area.

security policy


This uses multiple layers or levels of access controls to provide layered security.

defense-in-depth strategy.


This allows the owner, creator, or data custodian of an object to control and define access to that object. It is implemented using access control lists (ACLs) on objects.

discretionary access controls (DACs)


In this access control, administrators centrally administer control and can make changes that affect the entire environment.

nondiscretionary access controls


Systems that employ this type of access controls define a subject’s ability to access an object based on the subject’s role or assigned tasks. It is often implemented using groups.

Role-based access control


the tendency for privileges to accrue to users over time as their roles and access needs change.

Privilege creep


This type of access control uses a set of rules, restrictions, or filters to determine what can and cannot occur on a system. It includes granting a subject access to an object, or granting the subject the ability to perform an action. A distinctive characteristic about these models is that they have global rules that apply to all subjects. One common example is a firewall.

rule-based access control (rule-BAC)


This model relies on the use of classification labels. Each classification label represents a security domain, or a realm of security. A security domain is a collection of subjects and objects that share a common security policy. For example, a security domain could have the label Secret.

mandatory access control (MAC)


the possibility or likelihood that a threat will exploit a vulnerability resulting in a loss such as harm to an asset.



a potential occurrence that can result in an undesirable outcome. This includes potential attacks by criminals or other attackers. It also includes natural occurrences such as floods or earthquakes, and accidental acts by employees.



any type of weakness. The weakness can be due to a flaw or limitation in hardware or software, or the absence of a security control such as the absence of antivirus software on a computer.



This attempts to reduce or eliminate vulnerabilities, or reduce the impact of potential threats by implementing controls or countermeasures.

Risk management


This refers to identifying the actual value of assets with the goal of prioritizing them. Risk management focuses on assets with the highest value and identifies controls to mitigate risks to these assets.

Asset valuation


This refers to the process of identifying, understanding, and categorizing potential threats. A goal is to identify a potential list of threats to these systems and to analyze the threats.

Threat modeling


This refers to a group of attackers who are working together and are highly motivated, skilled, and patient. They have advanced knowledge and a wide variety of skills to detect and exploit vulnerabilities. They are persistent and focus on exploiting one or more specific targets rather than just any target of opportunity.

advanced persistent threat (APT)


This refers to collecting multiple pieces of nonsensitive information and combining (i.e., aggregating) them to learn sensitive information.

Access aggregation


an attempt to discover passwords by using every possible password in a predefined database or list of common or expected passwords.

dictionary attack


an attempt to discover passwords for user accounts by systematically attempting all possible combinations of letters, numbers, and symbols.

brute-force attack


This access attack focuses on finding collisions.

birthday attack


It takes a long time to find a password by guessing it, hashing it, and then comparing it with a valid password hash. These reduce this time by using large databases of precomputed hashes.

rainbow table


a group of random bits, added to a password before hashing it.



Capturing packets sent over a network with the intent of analyzing the packets.



This is pretending to be something, or someone, else. A lot of attacks are based on this.



This is a form of social engineering that attempts to trick users into giving up sensitive information, opening an attachment, or clicking a link.



This is a form of phishing targeted to a specific group of users, such as employees within a specific organization.

Spear phishing


a variant of phishing that targets senior or high-level executives such as CEOs and presidents within a company.



Phishing attacks launched via IM and VOIP



This attack prevents a system from processing or responding to legitimate traffic or requests for resources.

denial-of-service (DoS)


Which part of Kerberos provides the Ticket Granting Tickets that allow access to the realm or domain?

Authentication Service


Which part of Kerberos provides tickets that allow access to objects within the realm or domain?

Ticket Granting Service


Which protocol does RADIUS use, TCP or UDP?



Which protocol do TACACS and Diameter use, TCP or UDP?