Domain 5 -- Identity and Access Management Flashcards
(101 cards)
1
Q
What is a subject?
A
- A subject is an active entity that requests access to an object or the data within an object
- Can be user, program or process that accesses an object to accomplish a task
2
Q
What is an object?
A
- An object is a passive entity that contains information or needed functionality
- Can be a computer, database, file, computer program, directory or field contained in a table in a tableBASE
3
Q
What is Identification?
A
Identification describes a method by which a subject (user, program or process) claims to have a specific identity (user name, account number or email address)
4
Q
What is authentication?
A
Authentication is the process by which a system verifies the identity of the subject, usually by requireing a piece of information that only the claimed identity should havew
5
Q
A user identification and authentication information together combine to create ________________.
A
credentials
6
Q
What is meant by a race condition with respect to Identity and Access Management?
A
If authentication and authorization are split into 2 functions, it’s possible that the authorization will occur before the user is authenticated.
7
Q
What are three somethings for authentication?
A
- Type 1 Something a person knows
- Type 2 Something a person has
- Type 3 Something a person is
8
Q
Creating or issuing secure identitites should include which 3 aspects?
A
- Uniqueness
- must uniquely identify a person
- Non-descriptive
- Don’t use ID’s like Administrator or backup_operator
- Issuance
- Provided by another authority
- Example is an ID card
- Provided by another authority
9
Q
it is important to authenticate not only users, but also __________.
A
systems
10
Q
What are 4 Identification Component Requirements?
A
- Each value should be unique
- A standard naming scheme should be followed
- The value should be nondescriptive of the user’s position or tasks
- The value should not be shared between users
11
Q
What are the 3 things that MAC can stand for in the CISSP exam?
A
- Media Access Control (MAC Address)
- Mandatory Access Control
- Message Authentication Code
12
Q
What are the rules for a database directory based on the X.500 standard?
A
- The directory has a tree structure to organize entries using parent-child configuration
- Each entry has a unique name made up of attributes of a specific object
- The attributes used in the directory are dictated by the defined schema
- The unique identifiers are called distinguished names
13
Q
Are cookies always stored on disk?
A
No.
Some cookies are permanent and remain on the user’s hard disk
Other cookies – such as cookies issued by a bank to allow a user to perform online banking should only be held in memory
14
Q
Web Access Management Products are typically used for ___________ users and Credential Management products are typically used for __________ users
A
external
internal
15
Q
What’s the difference between password synchronization and SSO
A
- With password synchronization, the tool takes the user’s password and then updates all the applications he uses with this password. The user must still log in separately to each application
- SSO means that the SSO software intercepts the user ID/password dialog and fills it in for the user. The user only needs to log in once.
16
Q
What are the downsides of SSO?
A
- It’s expensive
- It can take a long time to implement
- All user credentials are stored in one place. If an attacker broke in, then they would have everything.
17
Q
What are the two categories of biomentrics?
A
- Physiological - what you are
- fingerprints
- retina scans
- Behavioral - what you do
- signature dynamics
18
Q
What is the Crossover Error Rate (CER) as it relates to biometric authentication systems
A
It’s the point at which the percentage of false positives and false negatives are equal.
19
Q
What are some of the biometrics that can be used to identify a user?
A
- Fingerprint
- Palm scan
- Hand geometry
- Retina scan
- Iris scan
- Signature dynamics
- Keystroke dynamics
- voice print
- facial scan
- Hand topogragy
20
Q
What are six ways an attacker can try to steal passwords?
A
- electronic monitoring
- access password file
- brute force attacks
- dictionary attacks
- social engineering
- rainbow table
21
Q
What are some of the common methods of authentication via “something you know?”
A
- PIN
- Password
- Passphrase
- Cognitive password (favorite color)
- personal history info
- CAPTCHA
22
Q
What’s the key difference between synchronous and asynchronous token devices?
A
Synchronous tokens depend on using time or a counter as a core piece of the authentication process
Asynchronous tokens depend on a nonce – a random value sent by the authentication server. User enters the nonce into the token device, which encrypts it and gives the user a OTP, which the users sends to the auth server along with userid/pw.
If the auth server can decrypt the value and it matches what was sent earlier, the user is authenticated.
23
Q
What are some of the cryptographic methods that are used in authenticating a user?
A
- Digital Signature (private key that is used to encrypt a hash value)
- Passphrase -StickWithMeKidAndYouWillWearDiamonds
- application converst passphrase into a virtual passphrase that might be 128 bytes long.
- The virtual password is what is actually used for authentication on the wire
24
Q
What’s the difference between a memory card and a smart card?
A
- A memory card can only hold information, but not process information
- A smart card can both hold and process information
25
If an attacker steals someone's smart card, can they do a lot of damage with it?
Not really because the attacker would need the user's pin before the smart card would work.
26
What are the two types of smart cards?
1. contact -- which require physical contact with the reader to work
2. contactless -- which use an antenna on the chip to receive power from the reader to work.
27
What's the difference between a fault generation attack and a side channel attack on a smart card?
fault generation is where you attempt to introduce an error in the smart card by using higher voltages or some other means to intentionally introduce an error and find clues to reverse engineer the device
Side channel attacks observe how they work under various circumstances to find clues to use in reverse engineering. (eg. differential power analysis).
28
What is authorization creep?
Over time employees move from one dept to another and they get more and more access rights than they really need any more.
29
What are the main components of Kerberos?
* Key Distribution Center (KDC)
* holds all users and services secret keys
* provides authentication and key distribution service
* Principals are users and services
* Kerberos authentication process
30
What is the difference between a secret key and a session key in Kerberos
* Secret key is shared between the Key Distribution Center (KDC) and the principal and is static in nature
* A session key is shared between two principals and is generated when needed and destroyed with the session has completed
31
Kerberos is an example of a ____________ technology.
Single Sign On (SSO)
32
What are the weaknesses of Kerberos?
* The Key Distribution Center (KDC) can be a SPOF (redundancy needed)
* KDC must be scalable
* Secret Keys are stored on user workstations, which means that it's possible for users to obtain the cryptographic keys
* Session keys are decrypted and reside on user workstations (either in cache or a session key table. They can be captured by attackers
* KDC is susceptible to password guessing. The KDC does not know if a dictionary attack is taking place
* Network traffic is not protected by Kerberos if encryption is not enabled
* If keys are too short, they are vulnerable to brute force attacks
* Kerberos requires client and server clocks to be synchronized
33
* What is a counter measure to Kerberos lack of functionality against dictionary attacks?
The operating system can limit the number of password attempts a user can make.
34
What are 4 single sign-on technologies?
* Kerberos
* Security Domains
* Directory Services
* Thin Clients
35
What are system-level events that can be audited and logged?
* System performance
* Logon attempts (successful and unsuccessful)
* Logon ID
* Date and time of each logon attempt
* Lockouts of users and terminals
* Use of admin utilities
* Devices used
* Functions performed
* Requests to alter config files
36
What are Application-level events that can be audited and logged?
* Error messages
* Files opened and closed
* Modification of files
* Security violations within applications
37
What are user-level events that can be audited and logged?
* Identification and authentication attempts
* Files, services, and resources used
* commands initiated
* Security violations
38
What is a Security Information and Event Management (SIEM) system?
* Products that gather logs from various devices
* servers
* firewalls
* routers
* etc.
* They attempt to analyze and correlate data
39
What are three common triggers for session termination?
1. Timeout
2. Inactivity
3. Anomoly
40
What is a federated identity?
A federated identity is a portable identity that can be used across business boundaries
41
What is Service Provisioning Markup Language (SPML)?
* It's based on XML
* It is used for the exchange of provisioning data between applications, which could reside in one organization or many
* It allows for the automation of user management
* Allows for integration and interoperation of service provisioning requests across various platforms
42
What does the Security Assertion Markup Language (SAML) do?
SAML is used to allow a user to log in one time and gain access to different and separat web-based applications.
SAML is an XML standard
43
Transmission of SAML data frequently takes place using this protocol.
SOAP -- Simple Object Access Protocol
44
What does XACML stand for and what does it do?
XACML - stands for eXtensible Access Control Markup Language
It is used to express security policies and access rights to assets provided through web services and other enterprise applications
45
What is OpenID? and what are the 3 roles it defines?
It is an open standard for user authentication by third parties
The three roles are:
* End user
* Relying party -- the server that owns the resource that the end user is trying to access
* OpenID provider (e.g. Google)
46
What is Oauth and what does it do?
* Oath is an open standard for authorization (not authentication) to third parties
* It gives the user the ability to allow a website to access a third party
* For example a user could give linked in the ability to allow Linked in to access Google to get all of his contacts to see who he knows and can connect with on Linked IN
47
What is OpenID Connect?
* OpenID Connect is an authentication layer built on the OAuth 2.0 protocol
* It allows transparent authentication and authorization of client resource requests
* Usually used to allow a web app to authenticate an end user using a third-party IdP
48
What are the five main types of access control models?
1. Discretionary
2. Mandatory
3. Role Based
4. Rule based
5. Attribute based
49
How does Discretinary Access Control Work?
* Discretionary access control enables a user to decide which subjects will have access to it.
* if a user creates a file, for example, he can decide who else can have access to it
* Windows, Linux, MacOS are DAC-based
* DAC's can be implemented at the file or directory tree level
50
How does Mandatory Access Control work?
* A user basically has no rights
* Most users have never used such a system
* Used to protect top-secret information
* Security labels are attached to all objects
* EXam Tip -- MAC systems are considered non-discretionary
* MAC systems enforce Need to Know rules
51
How does a MAC-based system decide whether a subject can access an object?
* The system compares the subject's clearance and need to know level with the objects security label
52
What's the main idea of Role-Based Access Control?
* A Role-based access control (RBAC) model uses centrally administered set of controls to determine how subjects and objects interact
53
What is Core RBAC?
Core RBAC
* Has many to many relationships among individual users and privileges
* Uses a session as a mapping between a user and a subset of assigned roles
* Accommodates traditional but robust group-based access control
54
What is Hierarchical RBAC?
Hierarchical RBAC:
* Uses role relations in defining user membership and privilege inheritance
* Example: nurse can access a set of files
* Technician can access another set of files
* Doctor role can inherit the access rights of the Nurse and technician roles
* Reflects organizational structures and functional deliniations
* Supports two types of hierarchies:
* Limited hierarchies (Role 1 inherits from Role 2 and no other role)
* General hierarchites (allows many levels of hierarchies)
55
What is rule-based access control?
Rule-based access control uses specific rules that indicate what can and cannot happen between a subject and an object
* Usually built on top of Role Based Access Control (RBAC)
* Commonly called RB-RBAC (Rule based RBAC)
* Provide a way to define specific and detailed situation in which a subject can or cannot access an object
56
How does an Attribute-Based Access Control system work and what are some examples:
ABAC uses attributes of any part of a system to define allowable access. It gives the most granularity: Examples:
* **Subjects**: Clearance, position title, department, years with company, training certification, member of project team, location
* **Objects**: Classification, files related to a particular project, HR records, location, security system component
* **Actions** - Review, Approve, comment, archive, configure, restart
* **Context** - Time of Day, Project status (opened/closed), fiscal year, ongoing audit
57
What are the 3 main types of contrained user interfaces?
1. Menus and shells
* Limited menu options
* restricted shells in UNIX
2. Database Views
* different views of the data presented according to the user's privileges
3. Physically contrained interfaces
* The only buttons that work for you are things like:
* Withdraw
* View balance
* Deposit
58
What does RADIUS mean and what does it provide?
* RADIUS stands for Remote Authentication Dial-In User Service
* Network protocol based on client server model
* provides for authentication, authorization and audits
* Most ISP's use RADIUS
* Open Protocol
59
What does TACACS mean and what does it do?
* TACACS stands for Terminal Access controller Access Control System
* Very similar to RADIUS
* It improves upon RADIUS by encrypting username, accounting and authorized services between client and server
* Where RADIUS uses UDP, TACACS uses TCP
60
What is Diameter and how does it work?
* DIAMETER is an improvement upon RADIUS
* Where as RADIUS and TACACS+ are client/server, DIAMETER is peer-based
* DIAMETER provides AAA functionality
61
What is an Access Control Matrix?
an Access Control Matrix is a table of subjects and objects indicating what actioins individual subjects can take upon individual objects
62
What is a Capability table and how is it different from an Access Control table?
A Capability Table specified the access rights a certainsubject possesses pertaining to specific objects
It's different from An ACL (colulmn in matrix) because the subject is bound to the capability table, whereas the object is bound to to the ACL
See Figure 5-23.
63
What is an Access Control List (ACL)?
And ACL is a list of subjets that are authorized to access a specific object and they define what level of authorization is granted.
A capability corresponds to a row in a in the access control matrix
A ACL corresponds to the column in the access control matrix
64
What is Content-Dependent Access Control?
The access to an object is determined by the contents of that object
Example -- example is when email filters look for terms like "Confidential", social security number, "Top Secret"
It's also done to control web surfing
65
What is Context dependent Access Control and how is it different from Content Dependent Access Control?
* Context Dependent Access Control makes access decisions based on the context of a collection of information, rather than on the sensitivity of the data.
* Example is a Stateful firewall.
* TCP requires SYN, then SYN/ACK, then ACK
* It won't allow packets throught that are not following the sequence
* Another example is the sequence of the data that is being accessed.
* The military mission
* The location
* Then stop the info about weapons shipments, because the combined information revealed in context would be at a higher level of security clearance
* Idea is to keep track of the context of what the user is doing in order to not allow them to piece together the bigger picture
66
What are some of the scenarios that should be reviewed for user access?
* Extended vacation or sabbatical
* Hospitalization
* Long-term disability
* Investigation for possible wrong-doing
* Unexpected disappearance
67
Give examples of Administrative Access Controls.
* Policy and procedures
* Personnel controls
* Supervisory structure
* Security-awareness training
* Testing
68
Give examples of Physical Access Controls.
* Network segregation
* Perimeter security - physical access to facilities
* Computer controls
* Work area separation
* data backups
* Cabling
* Control Zone -- different zones of a building for different purposes
69
Give examples of Technical Access Controls.
* System access
* Network architecture
* Network Access
* Encryption and protocols
* Auditing
70
What's the danger with object reuse?
* Object Reuse -- where a hard drive has residual data and it is not wiped clean before reuse. Likewise with software objects
71
What is Emanation Security? How is it related to TEMPEST? And what are the countermeasures to ensure emanation security
* Emanation Security is about electrical devices emanating signals which could hold important information
* TEMPEST was a study by the DoD when then turned into a standard to outline countermeasures to control spurious electrical signals emanating from electrical equipment
* eg - Faraday cage made of metal to limit amount of radiation released
* Mostly for military equipment
* Countermeasures
* White noise - makes it hard to distinguish the important stuff
* Control Zone - e.g. put materials in the walls to contain electrical signals
72
What is an Intrusion Detection System (IDS) and what are the two main types?
* Intrusion Detection is the process of detecting an unauthorized use of, or attack upon a computer, network or teleconnunication infrastructure.
* Three main components -- sensors, analyzers, admin interfaces
* Two types:
* Network based (NIDS) - Monitor network communications
* looks at all network traffic (not only for itself) and sends it for analysis
* Host based (HIDS) - monitor activity within an individual system
* Usually only installed on critical servers
73
What are the 3 different types of IDS's and what are their key characteristics?
* Signature-based
* Pattern matching like antivirus software
* signatures must be continuously updated
* Cannot identify new attacks
* Two types -- Pattern Matching and Stateful Matching
* Anomaly based
* Behavioral-based system that learns the "normal" activities of an environment
* Can detect new attacks
* Three types --- Statistical anomoly based, protocol anomolly based, traffic anomaly based
* Rule-based
* If/Then rules
* use of expert systmes for artificial intelligence characteristics
* Cannot detect new attacks
74
What's the difference between an Intrusion Detection System (IDS) and an Intrusion Prevention System?
* An IDS only detects something bad may be taking place and sends an alert
* An IPS has the goal of not only decting that something is going wrong, but also to do something about it, like kill a connection
* An IDS is detective, after-the-fact technology
* An IPS is preventive, proactive technology
75
What's a honeypot and why would you use one?
* It's a sacrificial lamb on the network.
* Not locked down
* ports are opened and services are enabled
* Contains no real data
* Must ride the line between enticement -- Leaving ports open to entice a bad guy
* Vs. Entrapment -- having a web page that allows for downloading files and then charging them with tresspassing. Entrapment is illegal
* Always check with legal counsel before setting up a honeypot.
76
What is a network sniffer and what's another name for one?
* A sniffer is a tool that can capture network traffic. It must have access to a NIC in promiscuous mode
* Another name for a sniffer is protocol analyzer
77
What is the proper sequence of the basic components and activities ina web access control process?
1. User sends in credentials to web server
2. Web server validates user's credentials
3. User requests access to object
4. Web server verifies the request with security policy to determine if user is allowed to do it.
78
What are the four steps of a buffer overflow attack?
1. Remote user connects to system
2. User sends data to application (data exceeds allocated buffer for empty variable
3. Data is executed and overwrites the buffer and possibly other memory segments
4. Malicious code of the attacker's choosing executes
79
What are the four main steps of authentication using OpenID
1. The user's agent (usually a web browser) requests the protected resource from the relying party
2. The relying party connects to the OpenID provider and creates a shared secret for the transaction
3. The server then redirects the user agent to the OpenID provider for authentication
4. Upon authentication by the provider, the user agent receives a redirect (containing an authentication token, also known as an OpenID) to the relying party. The token contains a field signed with the shared secret, so the relying party is assurece that the user is authenticated.
80
What are the 5 steps of the OpenID Connect (OIDC) model?
1. User Request
2. Relying party redirect to OpenID provider
3. User authenticates
4. User is granted consent
5. OpenID provider redirects to Relying party with user info
81
How does Kerberos work?
82
What is SESAME?
Secure European System for Applications in a Multivendor Environment (SESAME) is actually a technology built upon the Kerberos foundation. However, SESAME provides different capabilities and uses public key cryptography. SESAME differs from Kerberos in that it uses PACs for authentication instead of the Kerberos ticket exchange methodology.
83
Intrusion detection systems (IDSs) are complex tools with many components. Each component serves a specific purpose. Which component actually initiates an alarm or activity when the system detects a violation?
Response box
84
How does a virtual directory play a role within an identity management system?
It has the same role and can be used instead of a meta-directory.
85
Which model implements access control matrices to control how subjects interact with objects?
Discretionary Access Control (DAC)
DAC is implemented and enforced through the use of access control lists (ACLs), which are held in a matrix. MAC is implemented and enforced through the use of security labels.
86
What is the best reason to select a rule-based access control system?
It allows for access decisions to be based on complex situations
87
Is there any interoperability between TACACS/XTACACS and TACACS+ ?
There is no interoperability between them. They are two totally different protocols.
88
What is a AAA Protol
A AAA protocol supports:
* Authentication
* Authorization
* Auditing.
Examples are Diameter, RADIUS, TACACS+
89
Know how to answer LDAP questions such as this:
Each distinguished name (DN) in an LDAP directory represents a collection of attributes about a specific object, and is stored in the directory as an entry. DNs are composed of Common Name (CN) components which describe the object, and Domain Components (DC) which describe the domain in which the object resides. Which of the following makes the most sense when constructing a DN?
A. dc=Shon Harris,cn=LogicalSecurity,dc=com.
B. cn=Shon Harris,dc=LogicalSecurity,cn=com.
C. cn=Shon Harris,cn=LogicalSecurity,dc=com.
D. cn=Shon Harris,dc=LogicalSecurity,dc=com
90
What's the main reason for using Role Based Access Control (RBAC)?
It is difficult to assign each and every user the exact level of access
91
Most Kerberos implementations use an authenticator. What is an authenticator and what is its purpose?
Principal identification and a time stamp encrypted with a shared **session** key. It is used to authenticate the requesting principal and is a countermeasure against replay attacks.
92
Is a Token device a form of identification?
No
Token devices are authenticating devices that are used in combination with an identification component, such as a user name.
93
Know:
* False Acceptance Rate
* False Rejection Rate
* Type I Error
* Type II Error
False Rejection Rate is the amount of authorized users who were improperly rejected and the False Acceptance Rate is a Type II error.
94
What is a key benefit of the DIAMETER protocol?
Up until the conception of Diameter, IETF had individual working groups who define how Voice over IP (VoIP), Fax over IP (FoIP), Mobile IP, and remote authentication protocols work. Defining and implementing them individually in any network can easily end up in too much confusion and interoperability. It requires customers to roll out and configure several different policy servers and increases the cost with each new added service. With Diameter all of these services can be authenticated over the same authentication architecture.
95
Describe the high level flow with Radius?
User is a client to the access server and the access server is a client to the RADIUS server. Communication cannot go directly from the user to the RADIUS server.
96
What are Type 1 and Type 2 errors when it comes to biometric systems?
A Type 1 Error is a FRR (False Rejection Rate)
A Type 2 Error is related to FAR (False Acceptance Rate)
97
What is Web Access Management
Web access management (WAM) software controls what users can access when using a web browser to interact with web-based enterprise assets. This type of technology is continually becoming more robust and experiencing increased deployment. This is because of the increased use of e-commerce, online banking, content providing, web services, and more.
98
What is the difference between the two?
99
A digital identity is made up of attributes, entitlements, and traits. Which of the following has the incorrect mapping when considering these identity characteristics?
**Attributes** = department, role in company, shift time, clearance, etc.
**Entitlements** = resources available to user, authoritative rights in the company
**Traits** = biometric information, height, sex
100
With respect to a NIDS, what is one type of traffic that it CANNOT monitor?
encrypted trafficc
101
