Identity and Access Provisioning Lifecycle

Organizations must adopt formal policies and procedures to address account provisioning, review, and revocation.

When new or temporary employees, contractors, partners, auditors, and other third parties require access to an organization’s systems and networks, the organization must have a formal methodology for assessing risk and assigning appropriate access rights. New accounts must be provisioned correctly and in a timely manner so that access is ready when the user needs it, but not so early that an account sits unused and exposed to compromise before its owner begins using it.

User and system accounts, along with their assigned privileges, should be reviewed on a regular basis to ensure that they are still appropriate. For example, an employee may no longer require the same privilege levels due to rotation of duties (see Chapter 6) or a transfer or promotion.

Finally, when access is no longer required, accounts must be promptly disabled.
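As an added illustration (not part of the book), the following Python audit checks a constructed set of account records against the three lifecycle stages described above: provisioned too early, privileges beyond the current role or review overdue, and not disabled after the end date. The record fields, role baseline and 180-day review cycle are assumptions for the example.

```python
from datetime import date, timedelta

# Constructed sample records (not from the original text), shaped like an
# identity-governance export: one dict per account.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "start": date(2024, 1, 8), "end": None,
     "role": "developer", "entitlements": {"git", "ci"}, "last_review": date(2024, 9, 1)},
    {"user": "bob", "enabled": True, "start": date(2024, 11, 4), "end": None,
     "role": "auditor", "entitlements": {"reports"}, "last_review": None},
    {"user": "carol", "enabled": True, "start": date(2023, 3, 1), "end": date(2024, 9, 30),
     "role": "contractor", "entitlements": {"vpn"}, "last_review": date(2024, 1, 5)},
    {"user": "dave", "enabled": True, "start": date(2022, 6, 1), "end": None,
     "role": "analyst", "entitlements": {"reports", "admin"}, "last_review": date(2023, 12, 1)},
]

# Assumed entitlements each role should hold; anything beyond this needs review.
ROLE_BASELINE = {"developer": {"git", "ci"}, "auditor": {"reports"},
                 "contractor": {"vpn"}, "analyst": {"reports"}}

AS_OF = date(2024, 10, 15)  # assumed audit date for the sample data


def audit_lifecycle(accounts, today, review_every=timedelta(days=180)):
    """Return (user, finding) pairs, one per lifecycle-stage violation."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        # Provisioning: an enabled account before its start date sits idle and exposed.
        if acct["enabled"] and acct["start"] > today:
            findings.append((user, "enabled before start date"))
        # Revocation: an enabled account past its end date is a termination gap.
        if acct["enabled"] and acct["end"] is not None and acct["end"] < today:
            findings.append((user, "still enabled after end date"))
        # Review: privileges beyond the role baseline, or no review within the cycle.
        extra = acct["entitlements"] - ROLE_BASELINE.get(acct["role"], set())
        if extra:
            findings.append((user, "entitlements beyond role: " + ", ".join(sorted(extra))))
        if acct["start"] <= today and (acct["last_review"] is None
                                       or today - acct["last_review"] > review_every):
            findings.append((user, "access review overdue"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_lifecycle(ACCOUNTS, AS_OF):
        print(f"{user}: {finding}")
```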

Prep Test

1 General-purpose control types include all the following except
A. Detective
B. Mandatory
C. Preventive
D. Compensating

2 Violation reports and audit trails are examples of what type of control?
A. Detective technical
B. Preventive technical
C. Detective administrative
D. Preventive administrative

3 “A user cannot deny an action” describes the concept of
A. Authentication
B. Accountability
C. Non-repudiation
D. Plausible deniability

4 Authentication can be based on any combination of the following factors except
A. Something you know
B. Something you have
C. Something you need
D. Something you are

5 Unauthorized users that are incorrectly granted access in biometric systems are described as the
A. False Reject Rate (Type II error)
B. False Accept Rate (Type II error)
C. False Reject Rate (Type I error)
D. False Accept Rate (Type I error)

6 All the following devices and protocols can be used to implement one-time passwords except
A. Tokens
B. S/Key
C. Diameter
D. Kerberos

7 Which of the following PPP authentication protocols transmits passwords in clear text?
A. PAP
B. CHAP
C. MS-CHAP
D. FTP

8 Which of the following is not considered a method of attack against access control systems?
A. Brute force
B. Dictionary
C. Denial of Service
D. Buffer overflow

9 Sensitivity labels are a fundamental component in which type of access control systems?
A. Mandatory access control
B. Discretionary access control
C. Access control lists
D. Role-based access control

10 Which of the following access control models addresses availability issues?
A. Bell-La Padula
B. Biba
C. Clark-Wilson
D. None of the above

Answers

1 B. Mandatory. Control types identified by purpose include preventive, detective, corrective, deterrent, recovery, and compensating controls. Review “Control types.”

2 A. Detective technical. Preventive technical controls include access control mechanisms and protocols. Review of audit trails is a detective administrative control, but the actual generating of audit trails is a technical function (control). Review “Technical controls.”

3 C. Non-repudiation. Authentication and accountability are related to but aren’t the same as non-repudiation. Plausible deniability is a bogus answer. Review “Accountability.”

4 C. Something you need. The three factors of authentication are something you know, something you have, and something you are. Review “System access controls.”

5 B. False Accept Rate (Type II error). You should know the biometric error types by both the name (False Accept Rate) and the classification (Type II). The False Reject Rate is a Type I error and describes the percentage of authorized users that are incorrectly denied access. Review “Biometrics and behavior.”

6 D. Kerberos. Kerberos is a ticket-based authentication protocol. Although the tickets that are generated are unique for every log-on, Kerberos relies on shared secrets that are static. Therefore, Kerberos isn’t considered a one-time password protocol. Review these three sections: “One-time passwords,” “Tokens,” and “Single sign-on (SSO).”

7 A. PAP. The Password Authentication Protocol (PAP) transmits passwords in clear text. CHAP and MS-CHAP authenticate by using challenges and responses that are calculated, using a one-way hash function. FTP transmits passwords in clear text but isn’t a PPP authentication protocol. Review “Centralized access controls.”

8 C. Denial of Service. The purpose of an attack against access controls is to gain access to a system. Brute-force and dictionary attacks are both password-cracking methods. Although commonly used in Denial of Service attacks, a buffer overflow attack can exploit vulnerabilities or flaws in certain applications and protocols that will allow unauthorized access. Review “Methods of attack.”

9 A. Mandatory access control. The fundamental components in discretionary access controls are file (and data) ownership and access rights and permissions. Access control lists and role-based access control are types of discretionary access control systems. Review “Access control techniques.”

10 D. None of the above. Bell-La Padula addresses confidentiality issues. Biba and Clark-Wilson address integrity issues. Review “Access control models.”
