• A subject is an active entity that requests access to an object, which is a passive entity.
A subject can be a user, program, or process.
• Self-service password reset reduces help-desk call volumes by allowing users to reset their
own passwords.
• Assisted password reset reduces the resolution process for password issues for the helpdesk
department.
• IdM directories contain all resource information, users’ attributes, authorization profiles,
roles, and possibly access control policies so other IdM applications have one centralized
resource from which to gather this information.
• User provisioning refers to the creation, maintenance, and deactivation of user objects and
attributes as they exist in one or more systems, directories, or applications.
• User access reviews ensure there are no active accounts that are no longer needed.
• The HR database is usually considered the authoritative source for user identities because
that is where each user’s identity is first developed and properly maintained.
• Access control lists are bound to objects and indicate what subjects can use them.
• A capability table is bound to a subject and lists what objects it can access.
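The two bullets above describe the same access control matrix read in two directions: an ACL is one column (bound to an object, listing subjects), a capability table is one row (bound to a subject, listing objects). The following added example, which is not from the original study notes, builds both views from one constructed matrix, answers access checks from either side, and shows the practical difference in how much work a revocation takes. The subjects, objects and rights are hypothetical sample data.

```python
"""ACLs versus capability tables built from one access control matrix.
Added example with constructed data; subject and object names are hypothetical."""

from collections import defaultdict

# One access control matrix: (subject, object) -> set of rights (constructed).
MATRIX = {
    ("alice", "payroll.db"): {"read", "write"},
    ("bob", "payroll.db"): {"read"},
    ("bob", "reports.doc"): {"read", "write"},
    ("backup_svc", "payroll.db"): {"read"},
    ("backup_svc", "reports.doc"): {"read"},
}


def build_acls(matrix):
    """Column view: one ACL per object, listing which subjects may use it and how."""
    acls = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        acls[obj][subject] = set(rights)
    return dict(acls)


def build_capabilities(matrix):
    """Row view: one capability table per subject, listing objects it can access."""
    caps = defaultdict(dict)
    for (subject, obj), rights in matrix.items():
        caps[subject][obj] = set(rights)
    return dict(caps)


def check_via_acl(acls, subject, obj, right):
    """Reference-monitor decision starting from the object's ACL."""
    return right in acls.get(obj, {}).get(subject, set())


def check_via_capability(caps, subject, obj, right):
    """The same decision, starting from the subject's capability table."""
    return right in caps.get(subject, {}).get(obj, set())


def revoke_object(acls, caps, obj):
    """Remove all access to one object from both views.

    With ACLs this is a single entry; with capability tables every subject's
    row has to be visited. Returns how many capability rows were touched, which
    makes that asymmetry visible."""
    acls.pop(obj, None)
    touched = 0
    for subject_caps in caps.values():
        if subject_caps.pop(obj, None) is not None:
            touched += 1
    return touched


def consistent(acls, caps):
    """Both views must grant exactly the same (subject, object, right) triples."""
    from_acl = {(s, o, r) for o, entries in acls.items()
                for s, rights in entries.items() for r in rights}
    from_cap = {(s, o, r) for s, entries in caps.items()
                for o, rights in entries.items() for r in rights}
    return from_acl == from_cap


if __name__ == "__main__":
    acls = build_acls(MATRIX)
    caps = build_capabilities(MATRIX)
    print("bob may write payroll.db (ACL view):",
          check_via_acl(acls, "bob", "payroll.db", "write"))
    print("alice may write payroll.db (capability view):",
          check_via_capability(caps, "alice", "payroll.db", "write"))
    print("views agree:", consistent(acls, caps))
    print("rows touched to revoke payroll.db:", revoke_object(acls, caps, "payroll.db"))
```

Every decision is answered identically from either structure; what differs is which operations are cheap. Asking "who can touch this object?" or revoking an object is a single ACL lookup, whereas asking "what can this subject reach?" is a single capability-table lookup, which is why real systems keep whichever view matches the questions they must answer most often.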
• Some examples of remote access control technologies are RADIUS, TACACS+, and
Diameter.
• A Type I error in biometrics means the system rejected an authorized individual, and a
Type II error means an imposter was authenticated.
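A biometric system turns a matching score into an accept/reject decision by comparing it against a threshold, and that threshold is what trades Type I errors against Type II errors. The added example below (not part of the original notes) computes both error rates from constructed genuine and impostor score sets, and goes one step beyond the bullet by locating the threshold at which the two rates meet, commonly called the crossover error rate; the score values are made up for illustration.

```python
"""Type I (false rejection) and Type II (false acceptance) rates for a
biometric threshold. Added example; all scores below are constructed."""

# Matching scores in [0, 1]: higher means the sample looks more like the template.
GENUINE_SCORES = [0.91, 0.88, 0.72, 0.95, 0.60, 0.83, 0.79, 0.90]    # enrolled users
IMPOSTOR_SCORES = [0.20, 0.35, 0.68, 0.41, 0.15, 0.74, 0.30, 0.52]   # non-enrolled people


def decide(score, threshold):
    """Accept the sample when its score reaches the threshold."""
    return score >= threshold


def error_rates(genuine, impostor, threshold):
    """Return (FRR, FAR) for a threshold.

    FRR (Type I): fraction of authorized users wrongly rejected.
    FAR (Type II): fraction of impostors wrongly accepted."""
    false_rejects = sum(1 for s in genuine if not decide(s, threshold))
    false_accepts = sum(1 for s in impostor if decide(s, threshold))
    return false_rejects / len(genuine), false_accepts / len(impostor)


def crossover_threshold(genuine, impostor):
    """Threshold (to two decimals) at which FRR and FAR are closest.

    Sweeping i/100 avoids accumulating floating-point error in the step."""
    best_t, best_gap = None, None
    for i in range(101):
        t = i / 100
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_t, best_gap = t, gap
    return best_t


if __name__ == "__main__":
    for t in (0.65, 0.70, 0.75):
        frr, far = error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:.2f}: Type I (FRR) = {frr:.3f}, Type II (FAR) = {far:.3f}")
    cer_t = crossover_threshold(GENUINE_SCORES, IMPOSTOR_SCORES)
    print("crossover threshold:", cer_t, error_rates(GENUINE_SCORES, IMPOSTOR_SCORES, cer_t))
```

Raising the threshold drives the Type II rate toward zero while the Type I rate climbs, and lowering it does the reverse; a system protecting a data centre door is tuned toward the first outcome, one guarding a consumer phone toward the second.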
• A memory card cannot process information, but a smart card can through the use of
integrated circuits and processors.
• Least-privilege and need-to-know principles limit users’ rights to only what is needed to
perform tasks of their job.
• Single sign-on capabilities can be accomplished through Kerberos, domains, and thin
clients.
• The Kerberos user receives a ticket granting ticket (TGT), which allows the user to
request access to resources through the ticket granting service (TGS). The TGS generates a
new ticket with the session keys.
• Keystroke monitoring is a type of auditing that tracks each keystroke made by a user.
• Just removing pointers to files (deleting a file, formatting a hard drive) is not always
enough protection for proper object reuse.
• Information can be obtained via electrical signals in airwaves. The ways to combat this
type of intrusion are TEMPEST, white noise, and control zones.
• Strong authentication requires two of the three user authentication attributes (what someone
knows, is, or has).
• The following are weaknesses of Kerberos: the KDC is a single point of failure; it is
susceptible to password guessing; session and secret keys are locally stored; KDC needs to
always be available; and there must be management of secret keys.
• Phishing is a type of social engineering with the goal of obtaining personal information,
credentials, credit card numbers, or financial data.
• A race condition is possible when two or more processes use a shared resource and the
access steps could take place out of sequence.
• Mutual authentication requires two entities to authenticate to each other before sending
data back and forth. It is also referred to as two-way authentication.
• A directory service is a software component that stores, organizes, and provides access to
resources, which are listed in a directory (listing) of resources. Individual resources are
assigned names within a namespace.
• A cookie is data that is held permanently on a hard drive in the format of a text file or held
temporarily in memory. It can be used to store browsing habits, authentication data, or
protocol state information.
• A federated identity is a portable identity, and its associated entitlements, that can be used
across business boundaries without the need to synchronize or consolidate directory
information.
• A replay attack is a form of network attack in which a valid data transmission is
maliciously or fraudulently repeated with the goal of obtaining unauthorized access.
• A clipping level is a threshold value. Once the threshold is passed, the activity is
considered to be an event that is logged, investigated, or both.
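A clipping level is usually applied per subject over a time window, so that a couple of mistyped passwords are ignored while a burst of failures becomes an event. The added example below (not from the original notes) parses a handful of constructed sshd-style log lines, counts failed logons per user inside a sliding window, and reports the users whose count reached the clipping level; the usernames, hosts and timestamps are made up.

```python
"""Applying a clipping level to failed-logon log lines.
Added example; the log lines, users and hosts below are constructed."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-like, ISO timestamps). Names are hypothetical.
LOG_LINES = """\
2024-03-01T08:00:01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:04 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:09 sshd: Accepted password for alice from 10.0.0.5
2024-03-01T08:01:00 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:01:02 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:01:05 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:01:07 sshd: Failed password for bob from 10.0.0.9
2024-03-01T08:01:11 sshd: Failed password for bob from 10.0.0.9
2024-03-01T09:30:00 sshd: Failed password for carol from 10.0.0.7
2024-03-01T09:40:00 sshd: Failed password for carol from 10.0.0.7
2024-03-01T09:50:00 sshd: Failed password for carol from 10.0.0.7
2024-03-01T10:00:00 sshd: Failed password for carol from 10.0.0.7
2024-03-01T10:10:00 sshd: Failed password for carol from 10.0.0.7
""".splitlines()

FAILURE_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def parse_failures(lines):
    """Extract (timestamp, user, source) for each failed-logon line; ignore the rest."""
    events = []
    for line in lines:
        m = FAILURE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def exceeds_clipping_level(events, threshold=5, window_seconds=300):
    """Return {user: timestamp at which failures inside the window reached threshold}.

    Counts below the clipping level are treated as ordinary typos and never
    surface; reaching it turns the activity into an event worth logging."""
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for ts, user, _src in sorted(events):
        by_user[user].append(ts)
    flagged = {}
    for user, stamps in by_user.items():
        start = 0
        for i, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if i - start + 1 >= threshold:
                flagged[user] = ts
                break
    return flagged


if __name__ == "__main__":
    failures = parse_failures(LOG_LINES)
    for user, when in exceeds_clipping_level(failures).items():
        print(f"clipping level reached: user={user} at {when.isoformat()}")
```

With the default of five failures in five minutes only the rapid burst is reported; the slow, spaced-out failures stay under the level until the window is widened, which is exactly the tuning decision a clipping level forces you to make.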
• Smart cards can require physical interaction with a reader (contact) or no physical
interaction with the reader (contactless architectures). Two contactless architectures are
combi (one chip) and hybrid (two chips).
• A side channel attack is carried out by gathering data pertaining to how something works
and using that data to attack it or crack it, as in differential power analysis or
electromagnetic analysis.
• Authorization creep takes place when a user accumulates more access rights and
permissions over time than the job requires.
• Security information and event management (SIEM) implements data mining and analysis
functionality to be carried out on centralized logs for situational awareness capabilities.
• Intrusion detection systems are either host or network based and provide behavioral
(statistical) or signature (knowledge) types of functionality.
• A web portal is commonly made up of portlets, which are pluggable user interface software
components that present information and services from other systems.
• The Service Provisioning Markup Language (SPML) allows for the automation of user
management (account creation, amendments, revocation) and access entitlement
configuration related to electronically published services across multiple provisioning
systems.
• The Security Assertion Markup Language (SAML) allows authentication and authorization
data to be exchanged between security domains.
• OpenID is an open standard and protocol that allows third-party authentication of a user.
• OAuth is an open standard that allows a user to grant authority to some web resource, like a
contacts database, to a third party.
• OpenID Connect is an authentication layer built on the OAuth 2.0 protocol that allows
transparent authentication and authorization of client resource requests.
• The Simple Object Access Protocol (SOAP) is a protocol specification for exchanging
structured information in the implementation of web services and networked environments.