CISSP Study Notes-13 (Managing Identity and Authentication)
This is a mind map about CISSP study notes-13 (Managing Identity and Authentication). The main content includes: review questions, exam key points, and knowledge points.
Edited at 2024-03-06 17:44:38
CISSP Study Notes-13 (Managing Identity and Authentication)
Knowledge points
  Control access to assets
    Control physical and logical access
    The CIA triad and access control
  Manage identification and authentication
    Identification
      Must be unique
    Authentication
      Occurs together with identification; the two are steps of one process
    Comparing subject and object
      Subject
      Object
    Identity registration, proofing and creation
      Cognitive password
        Security questions, such as "What is your birthday?"
    Authorization and accountability
      Authorization
      Accountability
        Relies on identification and authentication; does not require authorization
  Overview of authentication factors
    Something you know
      Password
      PIN (personal identification number)
      Password policy components
        Maximum age
          e.g. must be changed within 45 days
        Password complexity
        Password length
        Minimum age, no less than 1 day
        Password history, to prevent password reuse
      Authoritative password recommendations
        NIST SP 800-63B
          Hash passwords: never store or transmit them in clear text
          Should not expire: forced rotation leads users to make only small changes
          Composition rules (such as requiring special characters) should not be imposed
          Passwords can be copied and pasted
          All characters can be used
          Minimum length 8, maximum 64 characters
          Filter passwords against a blocklist to reject simple ones
        PCI DSS
          Expires every 90 days
          At least 7 characters
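As an added example (not from the notes), the password-policy rules listed above expressed as a checker: the NIST SP 800-63B length and blocklist rules beside the PCI DSS 7-character/90-day rules, with a hashed password history that defeats the two-password rotation trick from review question 5. The history depth, minimum-age values and blocklist are assumptions constructed for the example.

```python
"""Password-policy checks in the spirit of the NIST SP 800-63B and PCI DSS
rules above. Policy dicts and the blocklist are constructed for this example."""
import hashlib
import hmac
import os

# Constructed blocklist; a real verifier filters against a large corpus of
# breached and commonly used passwords.
BLOCKLIST = {"password", "password1", "12345678", "qwertyuiop", "letmein!"}

# NIST: 8..64 characters, no composition rules, no forced expiry.
# PCI DSS: at least 7 characters, expires every 90 days.
# history_depth and min_age_days are assumed values, not from the standards.
NIST_800_63B = {"min_len": 8, "max_len": 64, "max_age_days": None,
                "min_age_days": 0, "history_depth": 5}
PCI_DSS = {"min_len": 7, "max_len": 64, "max_age_days": 90,
           "min_age_days": 1, "history_depth": 4}


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def reused(password, history, depth):
    """True if the candidate matches one of the last `depth` stored hashes.
    This is what stops the two-password rotation trick."""
    recent = history[-depth:] if depth else []
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in recent)


def check_new_password(password, policy, history=(), age_days=None):
    """Return the list of violations; an empty list means the password is accepted."""
    problems = []
    if not policy["min_len"] <= len(password) <= policy["max_len"]:
        problems.append("length must be %d..%d" % (policy["min_len"], policy["max_len"]))
    if password.lower() in BLOCKLIST:
        problems.append("password is on the blocklist")
    if reused(password, list(history), policy["history_depth"]):
        problems.append("password was used recently")
    if age_days is not None and age_days < policy["min_age_days"]:
        problems.append("minimum age not reached")
    return problems


def must_change(age_days, policy):
    """Expiry check: NIST sets no maximum age, PCI DSS expires at 90 days."""
    return policy["max_age_days"] is not None and age_days > policy["max_age_days"]
```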
    Something you have
      Smart card
        Tamper-proof
      Token
        Synchronous
        Asynchronous
    Something you are
      Biometric factors
      Biometric factor error ratings
        False Rejection Rate (FRR), Type I error
          False negative: the correct user is rejected
        False Acceptance Rate (FAR), Type II error
          False positive: the wrong user is allowed in
        Crossover Error Rate (CER, also called EER): the point where FAR and FRR cross
      Biometric enrollment
      Throughput
        The more complex the method, the slower it is; around 6 s
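As an added example (not from the notes), how FRR, FAR and the CER above are actually computed: sweep the match threshold over constructed genuine and impostor match scores and find where the two error rates cross.

```python
"""FRR, FAR and the crossover error rate (CER) computed from match scores.
Added example; the score samples are constructed, not real sensor data."""

# Constructed match scores on a 0..100 scale: attempts by the enrolled user
# (genuine) and by other people (impostor). Higher means a stronger match.
GENUINE = [82, 88, 91, 75, 95, 70, 85, 90, 65, 93]
IMPOSTOR = [30, 45, 52, 61, 38, 72, 48, 55, 66, 41]


def frr(threshold, genuine):
    """Type I error: a legitimate user is rejected (score below threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold, impostor):
    """Type II error: an impostor is accepted (score at or above threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def crossover(genuine, impostor):
    """Sweep the threshold and return (threshold, CER): the point where FRR
    and FAR are closest to equal. Raising the threshold lowers FAR but raises
    FRR, so a lower CER means a more accurate device."""
    best = None
    for t in range(0, 101):
        r, a = frr(t, genuine), far(t, impostor)
        if best is None or abs(r - a) < best[0]:
            best = (abs(r - a), t, (r + a) / 2)
    return best[1], best[2]
```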
    Multi-factor authentication (MFA)
      Two-factor authentication using an authenticator app
        HOTP
          Counter-based; a code is valid until it is used
        TOTP
          Time-based one-time password with an expiry time
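As an added example (not from the notes), the HOTP and TOTP algorithms behind authenticator apps and synchronous tokens (RFC 4226 and RFC 6238), including the server-side counter handling that makes a HOTP code valid only until it is used.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238), the algorithms behind authenticator
apps and synchronous tokens. Added example, not from the notes."""
import hmac
import struct


def hotp(secret, counter, digits=6, algo="sha1"):
    """Counter-based OTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo="sha1"):
    """Time-based OTP: HOTP with the counter set to floor(time / step), so the
    code expires when the time step ends."""
    return hotp(secret, unix_time // step, digits, algo)


def verify_totp(secret, code, unix_time, step=30, window=1, digits=6):
    """Accept the current step plus `window` steps either side to absorb clock
    drift; compare in constant time."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + k, digits), code)
               for k in range(-window, window + 1))


class HotpServer:
    """Server side of a HOTP token: the counter only moves forward, so a code
    is valid until used (or until a later code is used) and never again."""

    def __init__(self, secret, look_ahead=5):
        self.secret, self.counter, self.look_ahead = secret, 0, look_ahead

    def verify(self, code):
        for k in range(self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, self.counter + k), code):
                self.counter += k + 1  # burn this and any skipped counters
                return True
        return False
```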
    Passwordless authentication
    Device authentication
    Service authentication
    Mutual (two-way) authentication
  Implement identity management
    Single sign-on (SSO)
    LDAP and centralized access control
      Security domain
      Directory lookup service, used after authentication
    LDAP and PKI
      The client queries the CA for certificate information using the LDAP protocol
    SSO and federated identities
      Cloud-based services use SSO solutions such as FIM (federated identity management)
      Multiple organizations can form a federation and share identity information; a user logs in within their own organization to access another organization's resources
      Cloud-based federation
      On-premises federation
      Hybrid federation
      Just-in-time (JIT) provisioning
        Automatically creates an account for a user in another organization
    Credential management systems
      Credential manager applications
      Script access
    Session management
      Session persistence
  Manage the identity and access provisioning lifecycle
    Provisioning and onboarding
    Deprovisioning and offboarding
    Defining new roles
    Account maintenance
    Account access review
Exam points
Learn how physical access controls protect assets. Physical access control is visible and tangible, directly protecting systems, equipment and facilities by controlling access and controlling the environment, and indirectly protecting information and applications by restricting physical access.
Learn how logical access control protects assets. Logical access controls include authentication, authorization, and permissions that limit who can access information stored on systems and devices, as well as restrict access to system and device settings.
Understand the difference between subject and object. You'll find that CISSP exam questions and security documents often use the terms "subject" and "object," so it's important to understand the difference between the two. A subject is an active entity (such as a user) that accesses a passive object (such as a file). Users are the subjects who access objects when performing certain operations or completing work tasks.
Learn the difference between identification and authentication. Access control relies on valid identification and authentication, so it's important to understand the difference between the two. The subject declares an identity, which can be as simple as a username. The subject then proves its identity by providing authentication credentials (such as a password that matches the username).
Learn about identity creation, registration, and proofing. New employees have their identity established through official documentation such as a passport, driver's license or birth certificate. An HR representative then begins the registration process, which includes creating an account for the new employee. When biometric authentication is used, the registration process also collects biometric data. Identity proofing includes knowledge-based authentication and cognitive passwords. Cognitive passwords ask the user a series of questions that only the user knows.
Understand the difference between authorization and accountability. After the subject is authenticated, the system grants the subject access rights to objects based on the proven identity. Audit logs and audit trails record events, including the identity of the subject who performed the action. Accountability requires a combination of effective identification, authentication and auditing.
Learn more about key authentication factors. The three main factors of authentication are "what you know" (such as a password or PIN), "what you have" (such as a smart card or token), and "what you are" (based on biometrics). Multi-factor authentication combines two or more authentication factors and is more secure than using a single factor. Passwords are the weakest form of authentication, but password policies help improve security by enforcing password complexity and history requirements. Smart cards contain a microprocessor and a cryptographic certificate, while a token generates a one-time password. Biometric methods identify users based on characteristics such as fingerprints. The Crossover Error Rate (CER) reflects the accuracy of a biometric method and is the point where the False Rejection Rate (FRR) equals the False Acceptance Rate (FAR).
Learn about single sign-on. The mechanism of single sign-on allows a subject to authenticate once on the system and access multiple resources without having to authenticate again.
Describe how to implement a federated identity management system. FIM systems can be hosted on-premises (providing maximum control), implemented via a third-party cloud service, or the two can be combined into a hybrid system.
Describe just-in-time (JIT) provisioning. JIT provisioning creates a user account when the user logs in to a third-party site for the first time. JIT reduces administrative burden.
Learn about credential management systems. Credential management systems help developers easily store usernames and passwords and retrieve them when users revisit the website. The Credential Management API was published as a working draft by the W3C in 2019 and is commonly used by developers as a credential management system. Credential management systems allow users to log into websites automatically without having to enter their credentials again.
Explain session management. The session management process prevents unauthorized access by closing idle sessions. Developers often use web frameworks to implement session management. These frameworks allow developers to ensure that sessions are closed after being idle for a certain amount of time, such as 2 minutes.
Understand the identity and access configuration lifecycle. The identity and access provisioning lifecycle refers to the creation, management, and deletion of accounts.
The provisioning process ensures that accounts are assigned the appropriate permissions based on task requirements and that employees have access to the required hardware devices.
The onboarding process informs employees about organizational processes. When an employee leaves, the deprovisioning process disables or deletes the account, and the offboarding process ensures that employees return all hardware issued to them by the organization.
Explain the importance of role definition. When an organization creates new job roles, it is important to determine the permissions these new roles require. Doing this ensures that employees in these new roles do not have excessive permissions.
Describe the purpose of account access review. Conduct account access reviews of user accounts, system accounts, and service accounts. These reviews ensure that accounts do not have excessive permissions. Account access audits can often detect when accounts have too many permissions and when unused accounts have not been disabled or removed.
Review questions
1. An organization is creating a cloud-based federation and using a third-party service to share federated identities. Once created, what will people use as their login ID? A. Their normal account B. An account assigned by the cloud-based federation C. Hybrid identity management D. Single sign-on
A
2. Which of the following best expresses the primary goal of asset access control? A. Protect the confidentiality, integrity, and availability of systems and data. B. Ensure that only valid principals can authenticate on the system. C. Prevent unauthorized access to objects. D. Ensure that all subjects are authenticated.
A
3. Which of the following is a correct description of a subject? A. The subject is the user account. B. The subject is always the entity that provides or hosts the information or data. C. A subject is always an entity that obtains information or data from an object. D. An entity can never switch roles between subject and object.
C
4. According to the recommendations of the National Institute of Standards and Technology (NIST), when do ordinary users need to change their passwords? A. Every 30 days B. Every 60 days C. Every 90 days D. Only when the password is leaked
D
5. The security administrator learns that the user is rotating between two passwords. When the system prompts the user to change their password, the user uses the second password. When the system prompts the user to change the password again, the user uses the first password. What measures can be taken to prevent users from rotating between two passwords? A. Password complexity B. Password History C. Password length D. Password validity period
B
6. Which of the following best illustrates the benefit of passphrases? A. Short in length. B. Easy to remember. C. Contains a set of characters. D. Easy to crack.
B
7. Your organization issues devices to employees. These devices generate a password every 60 seconds. The device's password is always known to servers hosted within the organization. What type of device is this? A. Synchronous token B. Asynchronous token C. Smart card D. Ordinary access card
A
8. What does the CER of a biometric device mean? A. Indicates the sensitivity is too high. B. Indicates the sensitivity is too low. C. Indicates the point where the false rejection rate equals the false acceptance rate. D. When it is high enough, it means that the accuracy of the biometric device is high.
C
9. Sally has a user account and has previously logged in using the biometric system. The biometric system now fails to recognize Sally, preventing her from logging in. What does this situation indicate? A. False rejection B. False acceptance C. Crossover error D. Equal error
A
10. Users log in with their username when accessing the company network from home. Management wants to implement a second authentication factor for these users. Management wants a secure solution but also wants to limit costs. Which of the following meets these requirements? A. Text message (SMS) B. Fingerprint scan C. Authenticator app D. Personal identification number (PIN)
C. SMS is not recommended for multi-factor authentication; a PIN is the same kind of factor as a password, so it does not provide a second factor.
11. Which of the following provides authentication based on the physical characteristics of a subject? A. Account ID B. Biometrics C. Token D. PIN
B
12. A fingerprint reader matches details in the fingerprint against data in a database. Which of the following accurately identify fingerprint details? (Choose three.) A. Vein pattern B. Ridge C. Bifurcation D. Whorl
BCD
13. The organization wants to use biometrics for authentication, but management doesn't want to use fingerprints. Which of the following is the most likely reason why management would not want to use fingerprints? A. Fingerprints can be forged. B. Fingerprints can be modified. C. Fingerprints are not always available. D. Registration takes too long.
A Fingerprints can be forged or copied
14. Which of the following ensure log accuracy and support accountability? (Choose two.) A. Identification B. Authorization C. Audit D. Authentication
AD. The original wording from the book; memorize it.
15. Management expects the IT network to support accountability. Which of the following is necessary to meet this requirement? A. Identification B. Integrity C. Authentication D. Confidentiality
C. Authentication is necessary for the network to support accountability. Note that authentication means that a user declares an identity (for example, a username) and proves it (for example, with a password). In other words, effective authentication includes identification, but identification does not include authentication. If a user can claim an identity without proving it, the system cannot support accountability. As long as users are authenticated, the audit trail (not offered as an answer) helps maintain the integrity of the system. Integrity ensures that unauthorized entities cannot modify data or system settings. Confidentiality ensures that sensitive data cannot be accessed by unauthorized entities and is not relevant to this question.
16. Company security policy states that user accounts of employees who are leaving the company should be disabled during the exit interview. Which of the following is the most likely reason for implementing this strategy? A. Delete the account. B. Remove the privileges assigned to the account. C. Prevent damage. D. Encrypt user data.
C The most likely reason of all options is to prevent damage. If the user's account remains enabled, the user can log in later and cause damage. Disabling an account does not delete the account or remove the privileges the account has. Disabling an account does not encrypt any data but retains encryption keys that administrators can use to decrypt any data encrypted by the user.
17. Administrators can delete or disable accounts when employees leave the organization. In which of the following situations would an administrator be most likely to delete an account? A. Administrators who run services under their own accounts leave the organization. B. Disgruntled employees encrypt files using their own accounts and leave the organization. C. The employee has left the organization and will start a new job tomorrow. D. Temporary employees using shared accounts will not return to the organization.
C The most likely reason for account deletion out of all options is that the employee has left the organization and will start a new job tomorrow. Other options are not suitable for deleting accounts. If an administrator is running a service under their own account, deleting their account will prevent the service from running. Accounts of disgruntled employees should be disabled. If the employee used their account to encrypt data, deleting the account will prevent the administrator from accessing the encrypted data. Passwords for shared accounts used by temporary employees should be changed.
18. Karen is on maternity leave and will be away from work for at least 12 weeks. Which of the following actions should we take while Karen is on leave? A. Delete the account B. Reset the account password C. Do nothing D. Disable the account
D
19. Security investigators discovered that after exploiting the database server, the attacker obtained the password for the sa account and then used the sa account to access other servers on the network. What step can be taken to prevent this type of incident in the future? A. Account deprovisioning B. Disable account C. Account access review D. Account revocation
C. Account access review can detect security issues with service accounts, such as the sa (system administrator) account in a Microsoft SQL Server system. Reviews ensure that service account passwords are strong and changed frequently. The other options remove, disable, or revoke the sa account, which may affect the operation of the database server. Account deprovisioning ensures that an account is deleted when it is no longer needed. Disabling an account makes the account unavailable, while account revocation deletes the account.
20. Fred is an administrator who has worked within the organization for more than ten years. Fred previously maintained database servers while working in another department. Fred now works in the programming department but retains access to the database server. Fred recently modified the configuration on the database server so that a script he wrote would run. Unfortunately, Fred's modification disabled the database server for several hours before the database administrator discovered the modification and reverted it. Which of the following would prevent this disruption? A. A security policy requiring strong authentication B. Multi-factor authentication C. Logging D. Account access review
D