4.0 Identity and Access Management
SAML is the link between the authentication of a user’s identity and the
authorization to use a service.
Threats (1), (4), (5), (6), (7), and (8) are active attacks. Threats
(2) and (3) are passive attacks.
Session key, expiration date, and the user's IP address, which protects the user from
man-in-the-middle attacks. The TGT is used to obtain a service ticket from the Ticket
Granting Service (TGS). The user is granted access to network services only after this
service ticket is provided.
Kerberos provides mutual authentication for domain networks.
Kerberos uses the concept of single sign-on to aid accessibility to domain resources
once a user is authenticated.
The server and client authenticate to each other with Kerberos through shared
knowledge of a secret key.
Unless specified, Challenge Handshake Authentication Protocol (CHAP) typically only provides
one-way authentication. CHAP can provide two-way authentication when two Cisco routers are
used to authenticate to one another.
NT LAN Manager (NTLM) is currently the only choice for non-domain networks
(workgroups), and
NTLMv2 should be used exclusively, disabling backward compatibility with LM due to
LM’s vulnerability to password cracking attacks, which NTLMv2 compensates for. NTLM
only provides for client authentication, not mutual authentication.
Local Area Network Manager (LM) is more vulnerable to password cracking attempts. If the
compatibility feature is not disabled, the client sends both LM and New Technology LAN
Manager (NTLM) responses that can be captured by a network sniffer.
Local Area Network Manager (LM) compatibility would not make New Technology LAN
Manager version 2 (NTLMv2) inoperable. However, it would reduce effectiveness in
providing secure authentication, as compatibility could store and send the LM version of the
password hash.
Currently, New Technology Local Area Network Manager (NTLM) is the only choice for
workgroups, which are non-domain networks. LAN Manager version 2 (NTLMv2) is
preferable and should be used over NTLM.
Both New Technology Local Area Network Manager (NTLM) and LAN Manager (LM) are
vulnerable to pass-the-hash attacks. A more robust authentication protocol, such as
Kerberos, can help defend against such an attack.
In the Server Manager tool menu, the person installing the RADIUS client
chooses and
confirms the shared secret for the RADIUS client.
The RADIUS client does not generate its own randomly-assigned passwords. Passwords
are designated by the individual installing the RADIUS client.
The authentication server does not derive the RADIUS password from a network domain
administrative password. This would constitute a security risk, as the compromise of one
password could potentially reveal information about the other.
The RADIUS client password can be set up and reset any time an administrator accesses
the Network Policy Server manager tool. It is typically established when the RADIUS client is
configured.
TACACS+ is similar to RADIUS, but Cisco designed it with flexibility in mind.
Its connection-oriented delivery method increases reliability and flexibility. It is
supported by third parties and by open-source RADIUS implementations.
TACACS+ is more often used for device management than for authenticating end user
devices. It allows centralized control of accounts set up to manage routers, switches, and
firewall appliances, and detailed management of privileges assigned to those accounts.
This order is correct: Common Name, Organizational Unit, Organization, Country, Domain
Component. In the X.500 naming convention, the most specific attribute goes first, and
definitions become broader further down the list.
In the X.500 naming convention, the most specific attribute goes first, and definitions
become broader further down the list. This option begins with the broadest definition.
In the X.500 naming convention, the most specific attribute goes first, and definitions become
broader further down the list. This option does not follow a logical order, jumping from a
narrow definition to a broad definition, and only then following the narrow-to-broad rule.
In the X.500 naming convention, the most specific attribute goes first, and definitions become
broader further down the list. This option begins with broader definitions and does not
follow a logical order down to the narrowest definition.
A distinguished name in an X.500 directory, or similar directory, identifies a resource by
attribute=value pairs, separated by commas. The attributes are listed in order from most
specific to broadest term.
A schema is the organizational plan the directory follows. Attributes within the directory are
defined by the overall schema. For example, an X.500 directory may contain attribute=value
pairs such as Common Name (CN)=Samuel, and Organizational Unit (OU)= Sales.
Distinguished name, not directory name, is the term for the attribute=value pairs that define a
resource in an X.500 directory. These answers appear similar.
Unique name is not a term used in an X.500 directory. Instead, the term distinguished name
identifies a resource by attribute=value pairs, separated by commas. The attributes are
listed in order from most specific to broadest term.
Compare features of Shibboleth and Security Association Markup Language (SAML) and
determine what Shibboleth provides that SAML does not. (Select two)
Shibboleth allows the user to choose a preferred identity provider
SAML is an identity provider, while Shibboleth is both an identity provider and service
provider????
One of Shibboleth’s main components, the Embedded Discovery Service, allows the user to
choose a preferred identity provider. The user does not choose the identity provider in
Security Association Markup Language (SAML).
NT LAN Manager (NTLM) authentication is not the strongest protocol available, but it
is a challenge/response protocol, which requires the password to be encrypted, rather
than sent via plaintext, so it is stronger than Password Authentication Protocol (PAP).
Mutual authentication assures that the client and the server are authenticated to one another, and
an attacker cannot intercept the communications exchanged between the two.
Credential dumping makes Kerberos more susceptible to a pass-the-hash or ticket forging
attack, known as a “golden ticket” if an attacker is able to gain access this way.
A service request is just the first part of the Kerberos authentication process; this alone is
insufficient to protect against such an attack until the principal and application server are
authenticated to one another.
Timestamping prevents tickets from being used again, thus preventing a replay attack.
Pattern matching from templates is an issue with current biometric technologies. Standard
encryption technologies cannot be used to store biometric data, and a biometric scan must be
able to produce the same key each time it is scanned, presenting challenges concerning
credential access and data recovery.
Biometric extraction techniques may improve in the future, but feature extraction models are not
a main point of concern for contemporary biometric technology security.
Reader deployment depends on the type of biometric authentication used; this is not a major
issue, though some methods are easier to deploy than others.
A large, metropolitan airport employs hundreds of workers daily. The facility managers have
been tasked with increasing security checks for employees entering airport terminals, while
maintaining a quick processing time of employee credentials. Analyze the scenario and
determine which biometric scanning procedure best meets the airport’s needs.
Iris scanners
Iris scanners best meet the airport's needs. Iris scanning can be implemented in higher-traffic
areas, where throughput is a concern. At the same time, accuracy is high, while ease of
spoofing is fairly low. The enrollment process for employees is less intrusive than retinal scans.
Retinal scanners are intrusive, complex and expensive. They are not the best option for high-
traffic areas, such as airports.
Voice recognition would be too difficult to implement in this situation, given high levels of
ambient noise in a busy place like an airport.
Fingerprint scanners offer ease of enrollment, but in this high traffic area, it would be difficult to
ensure the scanner remains clean and dry for hundreds of employees.
A new sign-on system for employees requires a token for credential storage. Which sign-
on system does NOT satisfy this requirement?
A Quick Response (QR) code
A Quick Response (QR) code is not a token and does not store credentials. A QR code can
act as a shared secret for authentication, but it is not the token itself.
A USB device can act as a token for credential storage. USB devices typically come in the form
of peripherals, such as smart card readers.
Key fob devices can store credentials and act as a portable token. This type of device usually
produces tokens that expire to protect against the threat of physical interception.
Mobile device applications can store credentials, and these applications often serve as tokens.
An executive user is supposed to have permissions to a given resource; however, when the
user tries to access the resource, access is denied and the user receives an error message.
Analyze the situation to troubleshoot the problem and select which of the following scenarios
provide a plausible explanation for the user’s thwarted access. (Select two)
Access Control Entries (ACEs) are out of order in the Access Control List (ACL)
The system is using Mandatory Access Control (MAC), and the user does not
occupy the correct role
The user has not been granted permissions to the resource they are trying to access
Troubleshooting the order of the Access Control List (ACL) to see if the Access Control Entries
(ACEs) are in order if a user is supposed to have access, and permissions were delegated
appropriately. ACEs must be in a certain order to enforce the ACL properly.
The user may not have been granted access to the resource they are trying to access. If they
are supposed to have access, adding them to the Access Control List (ACL) can remedy this
problem.
Mandatory access control (MAC) bases access on security clearance and need to know, not
strictly on a user’s role.
Attribute-Based Access Control (ABAC) is the ideal choice for assigning
An organization might use RBAC for projects like this because with RBAC, the
policies don’t need to be changed every time a person leaves the organization or
changes jobs: they can simply be removed from the role group or allocated to a
new role. This also means new employees can be granted access relatively
quickly, depending on the organizational role they fulfill.
What Is ABAC?
Attribute-based access control draws on a set of characteristics called
“attributes.” This includes user attributes, environmental attributes, and resource
attributes.
User attributes include things like the user’s name, role, organization, ID,
and security clearance.
Environmental attributes include the time of access, location of the data,
and current organizational threat levels.
Resource attributes include things like creation date, resource owner, file
name, and data sensitivity.
Essentially, ABAC has a much greater number of possible control variables
than RBAC. ABAC is implemented to reduce risks due to unauthorized access, as
it can control security and access on a more fine-grained basis. For example,
instead of people in the HR role always being able to access employee and
payroll information, ABAC can place further limits on their access, such as only
allowing it during certain times or for certain branch offices relevant to the
employee in question. This can reduce security issues and can also help with
auditing processes later.
RBAC vs. ABAC
Generally, if RBAC will suffice, you should use it before setting up ABAC access
control. Both these access control processes are filters with ABAC being the
more complex of the two, requiring more processing power and time.
There’s no point in using this more powerful filter—and incurring the
accompanying resource cost—if you don’t need it.
Either way, it’s important to use the minimum number of RBAC and ABAC filters
to structure your access and security landscape. It can help to carefully plan out
your directory data and access approaches to make sure you aren’t using
unnecessary filters or making things overly complex. In many cases, RBAC and
ABAC can be used together hierarchically, with broad access enforced by
RBAC protocols and more complex access managed by ABAC. This means the
system would first use RBAC to determine who has access to a resource, followed
by ABAC to determine what they can do with the resource and when they can
access it.
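The RBAC-then-ABAC layering described above, as an added example (not code from the page or any product): the roles, branch names, business hours and threat levels are constructed assumptions. RBAC answers whether any of the user's roles covers the resource type at all; only then does the ABAC step evaluate user, resource and environmental attributes, and it returns a reason so that denials can be audited.

```python
"""Hierarchical RBAC-then-ABAC authorization check (added illustration).

RBAC is the cheap, coarse filter ("may this role touch payroll at all?");
ABAC is the expensive, fine-grained filter ("only this branch, only in
business hours, only at normal threat level"). Evaluating ABAC only after
RBAC passes is the hierarchical arrangement the text describes.
All roles, branches and limits below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Set, Tuple

# RBAC layer: role -> resource types that role may access (constructed)
ROLE_PERMISSIONS = {
    "hr": {"employee_record", "payroll"},
    "engineer": {"source_repo"},
}


@dataclass
class User:
    name: str
    roles: Set[str]
    branch: str          # user attribute
    clearance: int       # user attribute


@dataclass
class Resource:
    kind: str
    branch: str          # resource attribute: office the record belongs to
    sensitivity: int     # resource attribute: clearance required


@dataclass
class Environment:
    now: datetime        # environmental attribute: time of access
    threat_level: str    # environmental attribute: "normal" or "elevated"


def rbac_allows(user: User, resource: Resource) -> bool:
    """Coarse filter: does any of the user's roles cover this resource type?"""
    return any(resource.kind in ROLE_PERMISSIONS.get(role, set())
               for role in user.roles)


def abac_allows(user: User, resource: Resource, env: Environment) -> Tuple[bool, str]:
    """Fine-grained filter, applied only after RBAC has passed.
    Returns (decision, reason) so every denial is explainable in an audit."""
    if user.clearance < resource.sensitivity:
        return False, "clearance below resource sensitivity"
    if user.branch != resource.branch:
        return False, "resource belongs to a different branch office"
    if not 8 <= env.now.hour < 18:
        return False, "outside business hours"
    if env.threat_level == "elevated" and resource.kind == "payroll":
        return False, "payroll access suspended during elevated threat level"
    return True, "all attribute conditions satisfied"


def authorize(user: User, resource: Resource, env: Environment) -> Tuple[bool, str]:
    """RBAC first; ABAC is evaluated only when the role check succeeds."""
    if not rbac_allows(user, resource):
        return False, "no role grants access to this resource type"
    return abac_allows(user, resource, env)


if __name__ == "__main__":
    alice = User("alice", {"hr"}, "london", clearance=2)
    payroll = Resource("payroll", "london", sensitivity=2)
    print(authorize(alice, payroll, Environment(datetime(2024, 3, 4, 10, 0), "normal")))
    print(authorize(alice, payroll, Environment(datetime(2024, 3, 4, 23, 0), "normal")))
```

Because the RBAC check short-circuits, a user with no qualifying role never reaches the attribute evaluation, which is the resource-cost argument the text makes for putting RBAC in front.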
Role-Based Access Control (RBAC) allocates user permissions based on roles, or group
memberships.
This company requires more fine-grained access controls that also take other factors into
account.
Discretionary Access Control (DAC) gives access based on a content’s creator or owner, who
grants permissions. This type of control is flexible, yet vulnerable to insider attack, and is task-
heavy for the content creator.
Mandatory Access Control (MAC) enforces rules based on security clearances and labels of
resources, to which a user is granted “need to know” or not. This form is ideal for military units
and highly secure information, but is cumbersome for normal use.
The process of fine-tuning a biometric system involves adjusting the Crossover Error Rate
(CER), the point at which the false rejection rate and false acceptance rate meet.
The False Rejection Rate (FRR) is also known as a type I error, which rejects authorized
templates. FRR most commonly produces frustration, and can impede traffic flow if not properly
tuned.
The False Acceptance Rate (FAR) is the rate at which the system lets in unauthorized users,
which constitutes a security breach. Fine-tuning a system to minimize the FAR is imperative.
A type II error is also known as a false positive, measured by the False Acceptance Rate (FAR).
This is the rate at which unauthorized personnel gain access to the secure facility. This number
must be minimized.
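Added example, not from the page, showing the FAR/FRR trade-off and the crossover point in code. A matcher returns a similarity score and the system accepts when the score reaches a threshold; sweeping that threshold shows FAR (type II) falling while FRR (type I) rises, and where the two meet is the CER. The genuine and impostor score lists are constructed sample values, and `far_frr`, `crossover` and `threshold_for_max_far` are hypothetical helper names.

```python
"""Biometric threshold tuning: FAR, FRR and the crossover error rate (CER).

Added illustration. Scores are constructed sample data in [0, 1] where a
higher score means a closer match to the enrolled template; they are not
measurements from any real sensor.
"""
from typing import List, Optional, Tuple

GENUINE_SCORES: List[float] = [0.9, 0.85, 0.8, 0.75, 0.7, 0.65, 0.6, 0.55]   # enrolled users
IMPOSTOR_SCORES: List[float] = [0.2, 0.3, 0.4, 0.5, 0.55, 0.6, 0.65, 0.7]    # unauthorised attempts


def far_frr(genuine: List[float], impostor: List[float], threshold: float) -> Tuple[float, float]:
    """False acceptance rate (impostors at or above the threshold) and
    false rejection rate (genuine users below it) at one threshold."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover(genuine: List[float], impostor: List[float], steps: int = 20) -> Tuple[float, float, float]:
    """Sweep thresholds 0, 1/steps, ..., 1 and return (threshold, far, frr)
    where FAR and FRR are closest to equal: the CER used as the tuning point."""
    best: Optional[Tuple[float, float, float]] = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(genuine, impostor, t)
        if best is None or abs(far - frr) < abs(best[1] - best[2]):
            best = (t, far, frr)
    return best


def threshold_for_max_far(genuine: List[float], impostor: List[float],
                          max_far: float, steps: int = 20) -> Optional[Tuple[float, float, float]]:
    """Security-first tuning: the lowest threshold whose FAR does not exceed
    max_far, together with the FRR (user friction) that choice costs."""
    for i in range(steps + 1):
        t = i / steps
        far, frr = far_frr(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None


if __name__ == "__main__":
    print("CER point:", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("FAR = 0 costs:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.0))
```

On the constructed data the crossover sits at a 0.65 threshold with FAR and FRR both at 25%; forcing FAR to zero pushes the threshold to 0.75 and rejects half of the genuine attempts, which is the throughput cost the airport scenario above has to weigh.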
Susceptibility to interception
The password encryption method used by both one-time password algorithms is secure,
using a random number generator to produce the 8-byte key value.
Device synchronization errors can result in key expiration or key error. Although
HMAC-Based One-time Password Algorithm (HOTP) does not use a timestamp, the
device and server may still be synchronized with a counter to invalidate the key should
they go out of sync.
The CEO of a large company calls the help desk and reports issues with access to an
important folder. The CEO is supposed to have access to this folder based on his role.
What can the helpdesk technician identify as possible causes of the problem? (Select
two)
The system is using Attribute-Based Access Control (ABAC), and the
user does not have the proper clearance
Access Control Entries (ACEs) are out of order in the Access Control
List (ACL)
The system is using Mandatory Access Control (MAC), and the user
does not occupy the correct role
The user has not been granted permissions to the resource they are
trying to access
The user may not have been granted access to the resource they are trying to access. If
they are supposed to have access, adding them to the Access Control List (ACL) can
remedy this problem.
Mandatory access control (MAC) bases access on security clearance and need to know,
not strictly on a user’s role.
THE CORRECT ANSWER
TOTP adds an expiration time to the token
An organization's security policy requires employees to authenticate to the network
using a two-factor authentication and behavioral recognition. Evaluate which of the
following methods utilizes both behavioral recognition and two-factor authentication.
THE CORRECT ANSWER
Saying a passphrase and entering a passcode at a user terminal
User-generated passwords
Susceptibility to interception
Something you know: This is the most common kind of authentication used for humans. We use
passwords every day to access our systems. Unfortunately, something that you know can become
something you just forgot. And if you write it
1. Password
2. PIN
Something you have (e.g. a smart card): This form of human authentication removes the problem
of forgetting something you know, but some object now must be with you any time you want to be
authenticated. And such an object might be stolen and then becomes something the attacker has.
Something you are (e.g. a fingerprint): Base authentication on something intrinsic to the
principal being authenticated. It's much harder to lose a fingerprint than a wallet.
Unfortunately, biometric sensors are fairly expensive and (at present) not very accurate.
hash-based message authentication codes (HMAC)
HOTP and TOTP are the two main standards for One-Time Password, but what do they mean from a
security perspective, and why would you choose one over the other?
In both HOTP and TOTP the token (i.e., the OTP generator) generates a numeric code, usually 6 or
8 digits. The security of OTP is based on the fact that the codes are constantly changing and
that they are single-use, hence the name.
Choice
Choosing between HOTP and TOTP purely from a security perspective clearly favours TOTP.
Importantly, the validating server must be able to cope with the potential for time-drift with
TOTP tokens in order to minimize any impact on users.
There is also more choice of form-factor with TOTP tokens. Traditional key fob OTP tokens are
getting smaller and Microcosm has now introduced the OTP Card - a credit card sized OTP token
with EPD display. Cards can be a more convenient option as they can be stored with other cards
in a wallet or purse, or in the back of a mobile phone case.
Local groups are not an active directory scope. Domain local is an active
directory scope, but local groups, when configured on a workstation, only
apply to that particular workstation. Domain local groups assign rights to
resources in their same domain.
Global groups are essentially the opposite in scope from domain local groups.
Global groups can contain only accounts from the same domain, but can
access resources and assign rights within any trusted domain.
Universal groups can contain accounts from any trusted domain and access
resources and grant permissions to any object in any trusted domain.
Domain local groups can assign rights to resources within the same domain
only, but accounts from any trusted domain can be a member of domain local
groups. Global groups can only contain accounts from the same domain, but
can assign rights to resources in any domain. These two groups have
essentially opposite scopes.
Organization size does not define the scope of domain local or global groups.
Smaller organizations may only need to employ global groups because they
operate on only one domain, but this decision is up to the organization.
Domain local and global groups assign rights in different domains. Domain
local groups can assign rights within the same domain only, while global
groups can assign rights in any trusted domain.
Domain local and global groups are different both in the accounts they contain
and in the permissions they grant. They serve essentially opposite functions.
Domain local groups assign rights in the same domain and trust accounts
from any domain. Global groups contain accounts from only one domain but
assign rights to resources in any trusted domain.
Microsoft’s rule, “Accounts go into Global groups, which go into Domain Local
groups, which get Permissions” (AGDLP) applies. This system provides a
framework for placing users into Global groups based on their roles, then
those groups are assigned to domain local groups (which have local resource
permissions). This model is scalable and secure.
Only assigning domain local groups is not a very specific method of grouping
individual users, and in a large organization, finer tuning is required.
A system administrator conducts an audit and notices several anomalous log entries.
The audit seems to indicate an anonymous user making changes to host processes.
Analyze the audit findings and determine the probable cause of these anomalous
entries.
A system account made unscheduled changes to the operating system
A system account has the most privileges; it creates the host processes the computer
runs and is authorized to make changes to the operating system. This is not likely the
cause of the log anomaly.
Local system accounts can access the network as anonymous users. In isolation, the fact
that these accounts have such access is not reason for concern.
System accounts possess the highest existing privileges of any account, and therefore
cannot gain escalated privileges.
Verify authentication servers are connected to and communicating with the
network
Verifying date/time settings are synchronized between servers and clients
Verify the user’s credentials are valid and readable by authentication
mechanism
THE CORRECT ANSWER
Verifying a user is who they say they are and have authorization to
use the resource
Verifying the date and time setting is a valid troubleshooting task for an
authentication issue. If servers and clients are too far out of sync, credentials
offered will not be considered valid.
To ensure all systems are online and able to communicate, verifying the
authentication server’s connection and communication with the network is a
pertinent troubleshooting task.
Users will be locked out after two incorrect password entries
A password cannot match any of the past 100 passwords used
Passwords must be changed every 30 days
THE CORRECT ANSWER
Passwords cannot contain the username in any configuration
Password lockout requires balancing the need for security and the need for
access. A standard lockout number is three attempts. Any fewer than three
may lead to an increased workload of unlocking accounts.
UAC helps prevent mundane use of administrative accounts by requiring
specific authorization. It does not necessarily prevent escalation of privileges.
This is not a true statement; it is wise to change the name of a default account
and create misleading “dummy accounts” to make it more difficult to find the
true admin account.
It is best practice to use the default administrator accounts only to install the
operating system (OS). Then they should be disabled. This makes it harder for
attackers to find and compromise an admin account. This is called generic
account prohibition.
THE CORRECT ANSWER
General account prohibition makes it harder to identify and
compromise an administrative account
Default administrator accounts should be disabled after being used to install
the Operating System (OS). Systems administrators should have separate
accounts for conducting administrative actions. This system helps protect
against compromise of administrative accounts.
General account prohibition makes admin accounts harder to find and attack.
Administrative accounts may be disguised under an ordinary user account
name, but this does not protect against privilege escalation.