Domain Four: Identity and Access Management

Question 1

What is the notion of accountability in IAM ?

Answer 1

The ability to report and understand who, what and when things change

Question 2

What is authentication ?

Answer 2

This is the process that verifies the identity

Question 3

What is authorisation ?

Answer 3

Determines what can be done through a process of allowing and denying access to resources.

Question 4

What is federation ?

Answer 4

Similar to SSO but this covers across enterprises rather than just systems within an enterprise.

Question 5

Why is identification important ?

Answer 5

We need to be able to identify resources this includes thing such as hardware, software, people and processes.

Question 6

What is multi factor authentication ?

Answer 6

Is a combination of two or more types of authentication

There are five different types

What you are (biometric)
What you have (token)
What you know (passwords)
Where you are (location)
What you do

Question 7

What is single sign on ?

Answer 7

This is the transferring of credentials between systems. It is the ability to have a single login for multiple systems

Question 8

What is transitive trust ?

Answer 8

Transitive trust is the concept that if one domain trust another then the trusted domain can also be trusted by another domain that trusts the initial domain.

If A trust B and B trusts C then A trusts C

Question 9

What in IAM is the notion of Account Maintenance ?

Answer 9

Account maintenance refers to all the processes that are run to make sure that the account is valid, and appropriated for its needs

Question 10

Define Guest Accounts ?

Answer 10

Limited access accounts for guest users.

Question 11

Define privileged accounts ?

Answer 11

They often have higher permissions than general user accounts and are only assumed by certain users needing to do higher order tasks not in their day to day activity. Should be closely monitored.

Question 12

What is a service account ?

Answer 12

Service accounts are similar to shared account they also are tied to a job function but unlike shared accounts they do not need human interaction to achieve the task at hand.

Question 13

What is a shared account ?

Answer 13

These are accounts used by multiple people to achieve a job function such as backup administrator. They should be monitored regularly and some organisations only allow them to be assumed rather than log in directly.

Question 14

Define a user account ?

Answer 14

These are accounts that are attributed to individual users and may have a friendly name and also a unique id. Often it is the unique id that is logged.

You should not immediately delete an account when a user leaves because you get tombstoning. This is where because the user has left there is nothing to tie the log user id back to. Most organisations recommend a 90 day account disablement before deletion.

Question 15

What is Group based access control ?

Answer 15

This refers to assigning users to groups that have permissions rather than handling individual users. This is done to ease the admin overhead and complexity.

Question 16

Why do we need a secure JML process ?

Answer 16

We should have a rigorous JML process to stop people having access after they leave the organisation or accumulating access as they move from position to position

Question 17

What is the concept of least privilege ?

Answer 17

Only assign the minimum required permissions to achieve job function

Question 18

What is the process of recertification ?

Answer 18

Is the process of verifying that the account is still required and can be done via reports looking when the account was last accessed.

At HMRC there is a process that flags all AWS user accounts that have not been logged into for 30 days.

Question 19

Why should we have a standard naming convention for accounts ?

Answer 19

Accounts should be named with a standard naming convention that can accommodate growth but not display information that would be useful to an attacker.

mark.teasdale@acme.co.uk is a good example

Question 20

What is the concept of time managed accounts ?

Answer 20

Only allow access for a specified time period this could be normal working hours or for highly dangerous accounts measured in hours.

Question 21

What is credential management ?

Answer 21

Refers to the policies, procedures and techniques to manage credentials

Question 22

What is account lockout ?

Answer 22

Used when suspected nefarious activity is seen or rules are violated such as more than three attempts to login.

Question 23

What are Group Policy objects ?

Answer 23

Microsoft technology which can be controlled from the enterprise and installed on the local machine to control credential settings and password complexity rules.

Question 24

What is password history ?

Answer 24

We should also limit the re-using of passwords by having a policy on historical passwords.

Question 25

What are some of the elements contained in a password policy ?

Answer 25

An enforceable policy that sets out the rules on what constitutes an acceptable password

Password Length
Renewal
Symbols allowed
Case
Numbers

Expiry rules

Question 26

What is attribute access control ?

Answer 26

Grants access if the attributes of both the resource and the user are sufficient to grant access. Uses boolean logic (IF this user has this attribute, THEN this user has this access to the resource)

Question 27

What is FAR in biometrics ?

Answer 27

FAR - False Acceptance Rate - Rate at which people incorrectly get access

Question 28

What is FRR in biometrics ?

Answer 28

False Rejection Rate - Rate at which people incorrectly get refused access

Question 29

What is CER in biometrics ?

Answer 29

Cross Over Rate - This is the rate when tuning a device where ideal is FRR = FAR

Question 30

What is Discretionary access control ?

Answer 30

This is where resource owners or administrators determine the permissions of other users over those resources.

Question 31

What is Mandatory access control ?

Answer 31

Used primarily in government and military settings. In MAC subjects (users) and objects (resources) are assigned classification levels. Rules enforce whether a user has access to a resource or not based on those classification levels.

Question 32

What is Role based access control ?

Answer 32

Roles and job functions are matched and each role has a set of permissions that grant access to that resource. Users are then assigned to the relevant role.

Question 33

What is Rule based access control ?

Answer 33

Access is granted based on a set of rules can become cumbersome quickly because maintenance.

Question 34

What are the two types of tokens in IAM ?

Answer 34

Hardware Tokens - RSA
Software Tokens - Google Authenticator

Question 35

What is the challenge handshake authentication protocol ?

Answer 35

Challenge Handshake Authentication Protocol (CHAP) is used to provide authentication via a point to point protocol.

Authentication is continuously verified through a challenge/response system where the server periodically challenges the client. The server sends the challenge, the client uses a one way hashing function to calculate the response and sends it back to the server. The server compares the response vs the expected response and if they match the communication continues.

MSCHAP is a microsoft version brought in under Windows 2000

Question 36

What is Kerberos ?

Answer 36

It is a SSO solution where once authenticated they receive a ticket that can be used to access other resources.

Question 37

What is LDAP ?

Answer 37

LDAP is a lightweight implementation of the directory access protocol and its a way of governing resources especially credentials across the enterprise. It implements the X.500 standard.

Question 38

What are the two governing bodies of DAP ?

Answer 38

There are two governing bodies

Iternational Telecommunication Union (ITU) for the X.500 standard
Internet Engineering Task Force (IETF) for its internet usage

Question 39

Why has the Microsoft product NTLM been deprecated ?

Answer 39

Microsoft product mainly replace by Kerberos because of its use of the weak MD4 encryption algorithm.

Question 40

What is OAUTH ?

Answer 40

Token exchange pattern that gives authorisation and access to resources remotely on internet for web, mobile and desktop used by Google etc

Question 41

What is OPENID ?

Answer 41

Used in conjunction with OAUTH but provides more information about the user stored in the IdP. It is often another call to the IdP over and above authentication calls which are handled by OAUTH.

Used mainly in federated situations with web and apis

Question 42

What is the Password Authentication Protocol ?

Answer 42

Password Authentication Protocol is the predecessor to CHAP and is deprecated due to the fact the both the username and password were sent in clear text.

Question 43

What is RADIUS ?

Answer 43

Remote Authentication Dial-In User Service is a very common authentication protocol in use today.

Question 44

What ports does RADIUS use ?

Answer 44

It uses UDP ports 1812 for authentication and authorisation and 1813 for accountability.

Question 45

What is SAML ?

Answer 45

XML based open standard for exchanging authentication and authorization information between identity and service provider. Used primarily for SSO in web based applications.

SAML issues information on successful authentication and authorisation on a user.

Question 46

What is Shibboleth ?

Answer 46

Used where Orgs need SSO but have incompatible authentication and authorisation mechanisms. Started in 2000 but not widely adopted still. Based on SAML uses HTTP/POST to push those profiles from the identity provider to the service provider.

Question 47

What is TACACS ?

Answer 47

Terminal Access Controller Access Control System is another client server authentication protocol. It only uses one port TCP 49 for both authentication and authorisation unlike RADIUS.

Cisco created a propriety version XTacacs that is the basis of the version used today TACACS+

TACACS+ has additional support for accounting.

Question 48

What port does TACACS use ?

Answer 48

TCP port 49

Question 49

What are the five common ways to assert identity ?

Answer 49

Usernames
Certificates
Tokens
SSH Keys
Smartcards

Question 50

What is the most common authentication mechanism for wireless networks ?

Answer 50

EAP

Question 51

What is the main characteristic of Kerberos ?

Answer 51

Authentication via a ticketing system over an untrusted network.

Question 52

What is the main weakness of RADIUS ?

Answer 52

The main weakness of radius is that it sends its passwords obfuscated by a shared secret and a MD5 hash so to add extra protection it is often used in conjunction with IPSec Tunnels.

Question 53

How does RADIUS work ?

Answer 53

A RADIUS Client (or Network Access Server) is a networking device (like a VPN concentrator, router, switch) that is used to authenticate users.

A RADIUS Server is a background process that runs on a UNIX or Windows server. It lets you maintain user profiles in a central database. Hence, if you have a RADIUS Server, you have control over who can connect with your network.

When a user tries to connect to a RADIUS Client, the Client sends requests to the RADIUS Server. The user can connect to the RADIUS Client only if the RADIUS Server authenticates and authorizes the user.

Question 54

Do Radius servers offer accounting functionality ?

Answer 54

RADIUS Servers are also used for accounting purposes. RADIUS accounting collects data for network monitoring, billing, or statistical purposes. The accounting process typically starts when the user is granted access to the RADIUS Server. However, RADIUS accounting can also be used independently of RADIUS authentication and authorization.

Question 55

What is the differences between TACACS and RADIUS ?

Answer 55

Because TCP is a connection-oriented protocol, TACACS+ has to implement transmission control. RADIUS, however, is not required to detect and correct transmission errors such as packet loss or timeouts, etc., as it makes use of UDP which is connectionless. RADIUS encrypts only the users’ password as it travels from the RADIUS client to RADIUS server. All other information such as the username, authorization, accounting are transmitted in clear text. Therefore, it is vulnerable to different types of attacks. TACACS+ encrypts all the information mentioned above and therefore does not have the vulnerabilities present in the RADIUS protocol.

Question 56

Whats the difference between Federation and SSO ?

Answer 56

Similar to SSO but this covers across enterprises rather than just systems within an enterprise.

Question 57

In federation terminology what does the principal refer to ?

Answer 57

The principal normally refers to the user

Question 58

In federation terminology what is the role of the IdP ?

Answer 58

Provision of identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be.

Question 59

In federation terminology what is a service provider ?

Answer 59

Provide services to users whose identities have been attested to by an IdP aka Relying party

Question 60

What are the additional recommendations from NIST around passwords ?

Answer 60

Allow Pasting into Password Fields,
Eliminate password hints
Reduce password complexity in favour of increasing length
Not requiring special characters
Monitoring New Passwords

Question 61

Whats the most common way to undermine MFA OTP ?

Answer 61

Phising

Question 62

What are the two most common OTP protocols ?

Answer 62

Time OTP and HMAC

Question 63

What is the False Rejection Rate type 1 error in biometrics ?

Answer 63

incorrect rejection rate because biometric was valid

Question 64

What is the Fals Acceptance Rate in biometrics ?

Answer 64

Rate of acceptance incorrectly with invalid biometric

Question 65

What measure compares FAR and FRR ?

Answer 65

Reciever Operating Characteristic (ROC)

Question 66

In PAM what is JIT permissions ?

Answer 66

Permissions that are removed after time expiration or a task has been completed.

Question 67

In PAM what is password vaulting ?

Answer 67

Allows users to access privileged accounts without passwords

Question 68

In PAM what are ephemeral accounts ?

Answer 68

Accounts with a limited lifespan such as guest accounts

Question 69

What is the least secure MA technique ?

Answer 69

SMS replies which can be intercepted with clone sims

Question 70

What is an example of something you can do ?

Answer 70

Windows Picture Password

Question 71

Does attribute access include time of access as an attribute ?

Answer 71

Yes

Question 72

What is access federation ?

Answer 72

Federation allows different organizations to share digital identities, enabling single sign-on across them. While centralized access management manages access centrally, it doesn’t necessarily mean sharing digital identities across different organizations

Question 73

What type of backup copies every transaction ?

Answer 73

Journaling is a form of backup that involves recording all transactions in a system which can be used to restore the system to a previous state

Question 74

What is a statement of work?

Answer 74

It provides detailed instructions and requirements for specific tasks or projects to be carried out by a vendor, making it suitable for the software development project

Question 75

In incident response what is acquisition ?

Answer 75

Acquisition involves identifying and gathering evidence related to the security incident. This may include collecting logs from affected systems, taking disk images, or other procedures to catalogue everything that may be used as evidence in a court proceeding

Question 76

Why does NIST not recommend password complexity enforcement ?

Answer 76

Complexity can increase employess writing down their passwords it is better option Encouraging employees to keep their passwords confidential and use strong, unique passwords for each account is a crucial aspect of password management best practices

Question 77

What is the execution phase of security awareness practices ?

Answer 77

The Execution phase is where security awareness policies and procedures are put into operation, encompassing actions like user training, dissemination of awareness resources, and monitoring the efficacy of the awareness initiative.

Question 78

Does a SIEM require agent based software ?

Answer 78

no

Question 79

What is the difference between End of life and legacy ?

Answer 79

End-of-life refers to hardware that is no longer supported by the manufacturer, often leading to unpatched and exploitable vulnerabilities. Legacy hardware denotes older systems or components still in use, which can be vulnerable, but doesn’t necessarily mean they are unsupported or at their end-of-life.

Question 80

What is E-Discovery ?

Answer 80

E-discovery is an essential component of incident response and primarily relates to the collection and handling of electronic data. It is designed to be used as evidence in legal cases and includes in its scope anything that is stored electronically - emails, documents, databases, presentation files, voicemails, video/audio files, social media posts, and more

Question 81

What is the recommended encryption protocol for wireless today ?

Answer 81

AES is currently the most secure and widely adopted encryption protocol for wireless networks. Its strong encryption algorithms and extensive testing demonstrate its effectiveness against various attacks. AES is the recommended choice for ensuring robust security in wireless communication. It is not deprecated. While TKIP was an improvement over an older encryption protocol, it is still considered weak and has known vulnerabilities.

Question 82

What is the workforce multiplier?

Answer 82

The workforce multiplier refers to the ability to scale and amplify the effectiveness of the security team by combining the efforts of human professionals with automation and orchestration