Wondershare EdrawMind
MindMap Gallery CISSP Study Notes-13 (Managing Identity and Authentication)
- 33
CISSP Study Notes-13 (Managing Identity and Authentication)
This is a mind map about CISSP study notes-13 (Managing Identity and Certification). The main content includes: review questions, exam key points, and knowledge points.
Edited at 2024-03-06 17:44:38
- bacteria
This is a mind map about bacteria, and its main contents include: overview, morphology, types, structure, reproduction, distribution, application, and expansion. The summary is comprehensive and meticulous, suitable as review materials.
- Plant asexual reproduction
This is a mind map about plant asexual reproduction, and its main contents include: concept, spore reproduction, vegetative reproduction, tissue culture, and buds. The summary is comprehensive and meticulous, suitable as review materials.
- Reproductive development of animals
This is a mind map about the reproductive development of animals, and its main contents include: insects, frogs, birds, sexual reproduction, and asexual reproduction. The summary is comprehensive and meticulous, suitable as review materials.
CISSP Study Notes-13 (Managing Identity and Authentication)
- bacteria
This is a mind map about bacteria, and its main contents include: overview, morphology, types, structure, reproduction, distribution, application, and expansion. The summary is comprehensive and meticulous, suitable as review materials.
- Plant asexual reproduction
This is a mind map about plant asexual reproduction, and its main contents include: concept, spore reproduction, vegetative reproduction, tissue culture, and buds. The summary is comprehensive and meticulous, suitable as review materials.
- Reproductive development of animals
This is a mind map about the reproductive development of animals, and its main contents include: insects, frogs, birds, sexual reproduction, and asexual reproduction. The summary is comprehensive and meticulous, suitable as review materials.
- Recommended to you
- Outline
CISSP Study Notes-13 (Managing Identity and Authentication)
Knowledge points
Control access to assets
Control physical and logical access
CIA Three Characters and Access Control
Manage identities and authentication
Identity mark
uniqueness
Authentication
occurs simultaneously with identification, two steps of a process
Compare subject and object
main body
object
Identity registration, proof and creation
cognitive password
Security questions, such as when is your birthday
empowerment and accountability
Authorize
Accountability
Relies on identity and authentication, does not require authorization
Overview of authentication factors
what do you know
Password
PIN personal identification number
Password Policy Component
maximum period
If modified within 45 days
Password complexity
Password length
Minimum period, no less than 1 day
Password history to prevent password reuse
Authoritative password suggestions
NIST SP 800-63B
Hash: cannot be stored and transmitted in clear text
Should not expire: Prevent only small changes in passwords
Special characters should not be used
Passwords can be copied and pasted
All characters can be used
Length minimum 8 and maximum 64 characters
Filter passwords to prevent simple passwords
PCI DSS
Expires once every 90 days
At least 7 characters
what do you have
smart card
Tamper proof
token
Synchronize
asynchronous
what do you
biometric factors
Biometric factor error rating
False Rejection Rate FRR Type I Error
False negative, rejecting the correct user
False Acceptance Rate FAR Type II Error
False positive, wrong user allowed
Crossover Error Rate CER or ERR Crossover point of FAR and FRR
Biometric registration
Throughput
The more complex it is, the slower it is, 6s.
Multi-factor authentication MFA
Two-factor authentication using an authentication app
HOTP
Valid until use
TOTP
Time-based one-time password with expiration date
Passwordless authentication
Device authentication
Service identity authentication
Two-way authentication
Implement identity management
Single sign-on SSO
LDAP and centralized access control
security domain
Retrieval service, through identity authentication
LDAP and PKI
The client queries the CA to obtain information about the certificate using the LDAP protocol
SSO and federated identities
Cloud-based services use SSO solutions such as FIM
Multiple organizations can form a federation, share identity information, and log in within the organization to access other organization resources.
Cloud-based federation
local joint
mixed union
Just-in-time
Automatically create an identity to another organization
Credential management system
Credential manager application
script access
Session management
Session persistence
Manage identity and access configuration lifecycle
Configuration and onboarding
Deprovisioning and offboarding
Define new roles
Account maintenance
Account access review
Exam points
Learn how physical access controls protect assets. Physical access control is visible and tangible, directly protecting systems, equipment and facilities by controlling access and controlling the environment, and indirectly protecting information and applications by restricting physical access.
Learn how logical access control protects assets. Logical access controls include authentication, authorization, and permissions that limit who can access information stored on systems and devices, as well as restrict access to system and device settings.
Understand the difference between subject and object. You'll find that CISSP exam questions and security documents often use the terms "subject" and "object," so it's important to understand the difference between the two. A principal is an active entity (such as a user) that accesses a passive object (such as a file). Users are the subjects who access objects when performing certain operations or completing work tasks.
Learn the difference between identity and authentication. Access control relies on valid identification and authentication, so it's important to understand the difference between the two. The subject declares an identity, which can be as simple as a username. A principal proves its identity by providing authentication credentials (such as a password that matches a username).
Learn about identity creation, registration, and proof. New employees have their identity established through official documentation such as a passport, driver's license or birth certificate. The HR colleague then begins the registration process, which includes creating an account for the new employee. When biometric authentication is used, the registration process also collects biometric data. Identity proof includes knowledge-based authentication and cognitive passwords. Cognitive passwords ask the user a series of questions that only the user knows.
Understand the difference between delegation and accountability. After the subject is authenticated, the system will grant the sub-subject access rights to the object based on the proven identity. Audit logs and audit trails record events, including the identity of the principal who performed the action. Accountability requires a combination of effective identification, authentication and auditing.
Learn more about key authentication factors. The three main factors of authentication are "what you know" (such as a password or PIN), "what you have" (such as a smart card or token), and "what you are" (based on biometrics). Multi-factor authentication consists of two or multiple authentication factors, is more secure than using a single authentication factor. Passwords are the weakest form of authentication, but password policies help improve security by enforcing password complexity and history requirements. Smart cards include micro-cards. Processor and encryption certificate, while the token generates a one-time password. Biometric methods identify users based on characteristics such as fingerprints. The Cross Error Rate (CER) reflects the accuracy of the biometric method and is the False Rejection Rate (FRR) equal to the False Acceptance. rate (FAR) position.
Learn about single sign-on. The mechanism of single sign-on allows a subject to authenticate once on the system and access multiple resources without having to authenticate again.
Describe how to implement a federated identity management system. FIM systems can be hosted on-premises (providing maximum control), implemented via a third-party cloud service, or the two can be combined into a hybrid system.
Describe just-in-time (JIT) supply. The 1T configuration creates a user account when the user logs in to a third-party site for the first time. JIT reduces administrative burden.
Learn about proband management systems. Credential management systems help developers easily store usernames and passwords and retrieve them when users revisit the website. The Credential Management API was published as a working draft by the W3C in 2019 and is commonly used by developers as a credential management system. Credential management systems allow users to automatically log into websites without having to enter their credentials again.
Explain session management. The session management process prevents unauthorized access by closing idle sessions. Developers often use web frameworks to implement session management. These frameworks allow developers to ensure that sessions are closed after being idle for a certain amount of time, such as 2 minutes.
Understand the identity and access configuration lifecycle. The identity and access provisioning lifecycle refers to the creation, management, and deletion of accounts.
The provisioning process ensures that accounts are assigned the appropriate permissions based on task requirements and that employees have access to the required hardware devices.
People processes inform employees about organizational processes. When an employee leaves, the deprovisioning process disables or deletes the account, and the offboarding process ensures that employees return all hardware issued to them by the organization.
Explain the importance of role definition. When an organization creates new job roles, it is important to determine the permissions these new roles require. Doing this ensures that employees in these new roles do not have excessive permissions.
Describe the purpose of account access review. Conduct account access reviews of user accounts, system accounts, and service accounts. These reviews ensure that accounts do not have excessive permissions. Account access audits can often detect when accounts have too many permissions and when unused accounts have not been disabled or removed.
Review questions
1 Organization is creating a cloud-based federation and using a third-party service to share the federation identity. Once created, what will people use as their login ID? A. Ordinary account B. Cloud-Based Federated Assigned Accounts C. Hybrid identity management D. Single sign-on
A
2.Which of the following best expresses the primary goal of asset access control? A. Protect the confidentiality, integrity, and availability of systems and data. B. Ensure that only valid principals can authenticate on the system. C. Prevent unauthorized access to objects. D. Ensure that all subjects are authenticated.
A
3. Which of the following is a correct description of the subject? A. The subject is the user account. B. The principal is always the entity that provides or hosts the information or data. C A subject is always an entity that obtains information or data from an object. D. An entity can never switch roles between subject and object.
C
4. According to the recommendations of the National Institute of Standards and Technology (NIST), when do ordinary users need to change their passwords? A. Every 30 days B. Every 60 days C. Every 90 days D. Only when the password is leaked
D
5. The security administrator learns that the user is rotating between two passwords. When the system prompts the user to change their password, the user uses the second password. When the system prompts the user to change the password again, the user uses the first password. What measures can be taken to prevent users from rotating between two passwords? A. Password complexity B. Password History C. Password length D. Password validity period
B
6.Which of the following best illustrates the benefits of passphrases? A. Short in length. B. Easy to remember. C. Contains a set of characters. D. Easy to crack.
B
7. Your organization issues devices to employees. These devices generate passwords every 60 seconds. The device's password is always known to servers hosted within the organization. What type of equipment is this? A. Sync token B. Asynchronous token C.Smart card D. Ordinary access card
A
8. What does the CER of a biometric device mean? A. Indicates the sensitivity is too high. B. Indicates the sensitivity is too low. C. Indicates the point where the false rejection rate equals the false acceptance rate. D. When it is high enough, it means that the accuracy of the biometric device is high.
C
9.Sally has a user account and has previously logged in using the biometric system. The biometric system now fails to recognize Sally, preventing her from logging in. What does this situation indicate? A. False rejection B. Error accepted C. Crossover error D and other errors
A
10 Users use their username to log in when accessing the company network from home. Management wants to implement a second authentication factor for these users. Management wanted a secure solution but also wanted to limit costs. Which of the following meets these requirements? A. Text message (SMS) B. Fingerprint scanning C. Authenticator App D.Personal Identification Number (PIN)
C SMS SMS is not recommended for multi-factor authentication PIN is the same as password, not dual identity authentication
11.Which of the following provides authentication based on the physical characteristics of a subject? A. Account ID B. Biometrics C. Token D.PIN
B
12. The fingerprint reader matches the details in the fingerprint with the data in the database. Which of the following options can accurately identify Fingerprint details? (Please select three.) A. Vein pattern B. Ridge C bifurcation D.Thread
BCD
13. The organization wants to use biometrics for identity authentication, but management doesn’t want to use fingerprints. Which of the following is the most likely reason why management would not want to use fingerprints? A. Fingerprints can be forged. B. Fingerprints can be modified. C. Fingerprints are not always available. D. Registration took too long.
A Fingerprints can be forged or copied
14. Which of the following items ensure log accuracy and support accountability? (Please select two.) A. Identification B. Authorization C. Audit D. Identity authentication
AD The original words in the book, remember
15. Management expects IT networks to support accountability. Which of the following is necessary to meet this requirement? A identity mark B. Completeness C. Identity authentication D.Confidentiality
C Authentication is necessary to ensure that the network supports accountability. Note that authentication means that a user declares their identity (for example, using a username) and proves their identity (for example, using a password). In other words, effective identity authentication includes identification. However, identification does not include authentication. If a user can claim their identity without proving their identity, the system does not support asking for tribute. As long as the user is authenticated, the audit trail (not as a possible answer) helps maintain the integrity of the system. Integrity ensures that unauthorized entities cannot modify data or system settings. Confidentiality ensures that sensitive data cannot be accessed by unauthorized entities and is not relevant to this question.
16. Company security policy states that user accounts of employees who are leaving the company should be disabled during the exit interview. Which of the following is the most likely reason for implementing this strategy? A. Delete the account. B. Remove the privileges assigned to the account. C. Prevent damage. D. Encrypt user data.
C The most likely reason of all options is to prevent damage. If the user's account remains enabled, the user can log in later and cause damage. Disabling an account does not delete the account or remove the privileges the account has. Disabling an account does not encrypt any data but retains encryption keys that administrators can use to decrypt any data encrypted by the user.
17. Administrators can delete or disable accounts when employees leave the organization. In which of the following situations would an administrator be most likely to delete an account? A. Administrators who run services under their own accounts leave the organization. B. Disgruntled employees encrypt files using their own accounts and leave the organization. C. The employee has left the organization and will start a new job tomorrow. D. Temporary employees using shared accounts will not return to the organization.
C The most likely reason for account deletion out of all options is that the employee has left the organization and will start a new job tomorrow. Other options are not suitable for deleting accounts. If an administrator is running a service under their own account, deleting their account will prevent the service from running. Accounts of disgruntled employees should be disabled. If the employee used their account to encrypt data, deleting the account will prevent the administrator from accessing the encrypted data. Passwords for shared accounts used by temporary employees should be changed.
18. Karen is on maternity leave and will be away from work for at least 12 weeks. Which of the following actions should we take while Karen is on vacation? A. Delete account B. Reset account password C. Do nothing D. Disable account
D
19. Security investigators discovered that after exploiting the database server, the attacker obtained the password for the sa account and then used the sa account to access other servers on the network. What steps can be taken to prevent this type of incident from happening in the future? A. Account Deprovisioning B. Disable Account C.Account Access Review D.Account cancellation
C Account access auditing can detect security issues with service accounts, such as the sa (short for system administrator) account in a Microsoft SOL Server system. Reviewing ensures that service account passwords are strong and changed frequently. Other options suggest removing, disabling, or revoking the sa account, but doing so may affect the operation of the database server. Account deprovisioning ensures that an account is deleted when it is no longer needed. Disabling an account ensures that the account is unavailable, while account revocation deletes the account
20. Fred is an administrator who has worked within the organization for more than ten years. Fred previously maintained database servers while working in another department. Fred now works in the programming department but retains access to the database server. Fred recently modified the configuration on the database server so that a script he wrote will run. Unfortunately, Fred's modification disabled the database server for several hours before the database administrator discovered the modification and disposed of it. Which of the following would prevent this disruption? A. Security strategy for strong identity authentication B. Multi-factor authentication C.Log D.Account Access Review
D