Chapter 5: Identity and Access Management (Domain 5) 363
organization is online. Using encrypted and signed communication does not address
availability, redirects are a configuration issue with the third party, and a local gateway
won’t handle remote users. Also, host files don’t help with availability issues with services
other than DNS.
- A. While many solutions are technical, if a trusted third party redirects to an unexpected
authentication site, awareness is often the best defense. Using TLS would keep the
transaction confidential but would not prevent the redirect. Handling redirects locally only
works for locally hosted sites, and using a third-party service requires offsite redirects. An
IPS might detect an attacker’s redirect, but tracking the multitude of load-balanced servers
most large providers use can be challenging, if not impossible. In addition, an IPS relies on
visibility into the traffic, and SAML integrations should be encrypted for security, which
would require a man-in-the-middle type of IPS to be configured.
- B. Discretionary access control (DAC) can provide greater scalability by leveraging many
administrators, and those administrators can add flexibility by making decisions about
access to their objects without fitting into an inflexible mandatory access control system
(MAC). MAC is more secure due to the strong set of controls it provides, but it does not
scale as well as DAC and is relatively inflexible in comparison.
- C. While signature-based detection is used to detect attacks, review of provisioning
processes typically involves checking logs, reviewing the audit trail, or performing a
manual review of permissions granted during the provisioning process.
- C. Service Provisioning Markup Language, or SPML, is an XML-based language
designed to allow platforms to generate and respond to provisioning requests. SAML is
used to make authorization and authentication data, while XACML is used to describe
access controls. SOAP, or Simple Object Access Protocol, is a messaging protocol and
could be used for any XML messaging but is not a markup language itself.
- C. Rainbow tables are databases of prehashed passwords paired with high-speed lookup
functions. Since they can quickly compare known hashes against those in a file, using
rainbow tables is the fastest way to quickly determine passwords from hashes. A brute-
force attack may eventually succeed but will be very slow against most hashes. Pass-the-
hash attacks rely on sniffed or otherwise acquired NTLM or LanMan hashes being sent
to a system to avoid the need to know a user’s password. Salts are data added to a hash
to avoid the use of tools like rainbow tables. A salt added to a password means the hash
won’t match a rainbow table generated without the same salt.
- B. Google’s federation with other applications and organizations allows single sign-on as
well as management of their electronic identity and its related attributes. While this is an
example of SSO, it goes beyond simple single sign-on. Provisioning provides accounts and
rights, and a public key infrastructure is used for certificate management. - D. When users have more rights than they need to accomplish their job, they have
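The rainbow-table answer above states that a salt makes a stolen hash useless against a table built without that salt. The following added example (not from the book) makes that concrete with a direct precomputed hash-to-password lookup, which is the same instant probe a rainbow table enables (real tables compress the mapping with hash/reduce chains and cover billions of candidates; the five-word list here is constructed). The salted form assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt, a common way to store salted password hashes; the book's text only says "salt added to a password".

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary an attacker precomputes.
WORDLIST = ["password", "letmein", "Summer2024", "qwerty", "hunter2"]


def hash_unsalted(password: str) -> str:
    """Unsalted SHA-256: identical passwords always yield identical digests,
    so a table built once can be reused against every leaked database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext. A rainbow table stores this mapping more
    compactly, but the attack it supports is the same constant-time lookup."""
    return {hash_unsalted(w): w for w in words}


def lookup(table, digest: str):
    """Return the recovered password, or None if the digest is not in the table."""
    return table.get(digest)


def hash_salted(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256, assumed scheme). The per-user
    random salt means a precomputed table would have to be rebuilt per salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def verify_salted(password: str, salt: bytes, stored_digest: str) -> bool:
    """Legitimate verification: recompute with the stored salt and compare in
    constant time so the comparison itself leaks no timing information."""
    return hmac.compare_digest(hash_salted(password, salt), stored_digest)


def demo():
    table = build_lookup_table(WORDLIST)
    secret = "Summer2024"  # constructed user password

    # Scenario 1: database stored unsalted hashes; the lookup succeeds at once.
    leaked_unsalted = hash_unsalted(secret)

    # Scenario 2: database stored salted hashes; the same table finds nothing.
    salt = os.urandom(16)
    leaked_salted = hash_salted(secret, salt)

    return {
        "unsalted_recovered": lookup(table, leaked_unsalted),  # 'Summer2024'
        "salted_recovered": lookup(table, leaked_salted),      # None
        "salted_verifies": verify_salted(secret, salt, leaked_salted),  # True
    }


if __name__ == "__main__":
    print(demo())
```

The defender's takeaway matches the answer: the salt does not have to be secret, it only has to be unique, because its job is to force the attacker to redo the precomputation for every stored hash rather than once for all of them.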
excessive privileges. This is a violation of the concept of least privilege. Unlike creeping
privileges, this is a provisioning or rights management issue rather than a problem of
retention of rights the user needed but no longer requires. Rights collision is a made-up
term and thus is not an issue here.
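Two of the answers above fit together: reviewing provisioning means reading the audit trail of permissions granted, and excessive privileges (granted beyond the job's needs) are distinct from creeping privileges (rights kept after they are no longer required). The added example below (not from the book) runs that review over a constructed provisioning audit trail against an assumed role baseline, and reports the two findings separately; the record format, role names and entitlement names are all assumptions for illustration.

```python
# Assumed role baseline: the entitlements each role legitimately needs.
ROLE_BASELINE = {
    "helpdesk": {"ticket.read", "ticket.write", "user.password_reset"},
    "finance_analyst": {"ledger.read", "report.run"},
}

# Constructed provisioning audit trail in chronological order:
# (user, event, role at the time, entitlement). Events: assign_role, grant, revoke.
AUDIT_TRAIL = [
    ("alice", "assign_role", "helpdesk", None),
    ("alice", "grant", "helpdesk", "ticket.read"),
    ("alice", "grant", "helpdesk", "ticket.write"),
    ("alice", "grant", "helpdesk", "user.password_reset"),
    ("alice", "grant", "helpdesk", "ledger.write"),      # not in baseline: excessive
    ("bob", "assign_role", "finance_analyst", None),
    ("bob", "grant", "finance_analyst", "ledger.read"),
    ("bob", "grant", "finance_analyst", "report.run"),
    ("bob", "assign_role", "helpdesk", None),             # transfer; old rights never revoked
    ("bob", "grant", "helpdesk", "ticket.read"),
]


def replay_trail(trail):
    """Replay the audit trail to reconstruct each user's current role and the
    entitlements they still hold, remembering which role each grant was made under."""
    current_role = {}
    held = {}  # user -> {entitlement: role under which it was granted}
    for user, event, role, entitlement in trail:
        held.setdefault(user, {})
        if event == "assign_role":
            current_role[user] = role
        elif event == "grant":
            held[user][entitlement] = role
        elif event == "revoke":
            held[user].pop(entitlement, None)
        else:
            raise ValueError(f"unknown audit event: {event}")
    return current_role, held


def review(trail, baseline):
    """Flag rights outside the user's current role baseline. Rights granted under the
    current role are a provisioning error (excessive privilege); rights granted under
    an earlier role and never revoked are creeping privileges."""
    current_role, held = replay_trail(trail)
    findings = {}
    for user, entitlements in held.items():
        role = current_role.get(user)
        allowed = baseline.get(role, set())
        outside = {e: r for e, r in entitlements.items() if e not in allowed}
        findings[user] = {
            "role": role,
            "excessive": sorted(e for e, r in outside.items() if r == role),
            "creeping": sorted(e for e, r in outside.items() if r != role),
        }
    return findings


if __name__ == "__main__":
    for user, finding in review(AUDIT_TRAIL, ROLE_BASELINE).items():
        print(user, finding)
```

Only alice shows an excessive privilege (`ledger.write` was granted under her current helpdesk role), while bob's finance rights are flagged as creeping because they were granted under a role he no longer holds; a user is fixed by correcting provisioning, the other by adding revocation to the transfer process.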