364 Appendix ■ Answers
2. B. Registration is the process of adding a user to an identity management system. This includes creating their unique identifier and adding any attribute information that is associated with their identity. Proofing occurs when the user provides information to prove who they are. Directories are managed to maintain lists of users, services, and other items. Session management tracks application and user sessions.
- A. Port 636 is the default port for LDAP-S, which provides LDAP over SSL or TLS, thus indicating that the server supports encrypted connections. Since neither port 3268 nor 3269 is mentioned, we do not know if the server provides support for a global catalog.
- D. The X.500 series of standards covers directory services. Kerberos is described in RFCs; biometric systems are covered by a variety of standards, including ISO standards; and provisioning standards include SCIM, SPML, and others.
- B. Active Directory Domain Services is based on LDAP, the Lightweight Directory Access Protocol. Active Directory also uses Kerberos for authentication.
- C. Identity proofing can be done by comparing user information that the organization already has, like account numbers or personal information. Requiring users to create unique questions can help with future support by providing a way for them to do password resets. Using a phone call only verifies that the individual who created the account has the phone that they registered and won’t prove their identity. In-person verification would not fit the business needs of most websites.
- A. By default, OpenLDAP stores the userPassword attribute in the clear. This means that ensuring that the password is provided to OpenLDAP in a secure format is the responsibility of the administrator or programmer who builds its provisioning system.
- C. Type 2 errors occur in biometric systems when an invalid subject is incorrectly authenticated as a valid user. In this case, nobody except the actual customer should be validated when fingerprints are scanned. Type 1 errors occur when a valid subject is not authenticated; if the existing customer was rejected, it would be a Type 1 error. Registration is the process of adding users, but registration errors and time of use, method of use errors are not specific biometric authentication terms.
- B. Firewalls use rule-based access control, or Rule-BAC, in their access control lists and apply rules created by administrators to all traffic that passes through them. DAC, or discretionary access control, allows owners to determine who can access objects they control, while task-based access control lists tasks for users. MAC, or mandatory access control, uses classifications to determine access.
- C. When you input a username and password, you are authenticating yourself by providing a unique identifier and a verification that you are the person who should have that identifier (the password). Authorization is the process of determining what a user is allowed to do. Validation and login both describe elements of what is happening in the process; however, they aren’t the most important identity and access management activity.
- C. Kathleen should implement a biometric factor. The cards and keys are an example of a Type 2 factor, or “something you have.” Using a smart card replaces this with another Type 2 factor, but the cards could still be loaned out or stolen. Adding a PIN suffers from the same problem: a PIN can be stolen. Adding cameras doesn’t prevent access to the facility and thus doesn’t solve the immediate problem (but it is a good idea!).
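The OpenLDAP answer above says the provisioning system, not the directory, is responsible for storing userPassword in a secure form. The following added example (written for this page, not code from the book or the OpenLDAP project) shows both halves of that responsibility as a defender would check them: it audits a directory export for userPassword values that carry no hashing scheme prefix, and it produces and verifies an RFC 2307-style {SSHA} value of the kind a provisioning script should write. The LDIF entries, the DNs under dc=example,dc=com and every password in them are constructed sample data; the list of scheme prefixes is the conventional OpenLDAP set, and directory exports commonly base64-encode this attribute (the `::` form), so the audit decodes before inspecting the prefix.

```python
import base64
import hashlib
import hmac
import os
import re

# Scheme prefixes OpenLDAP can store in userPassword. {CLEARTEXT} is an explicit
# unhashed scheme, so it is deliberately absent and gets flagged like a bare value.
HASHED_SCHEMES = {"SSHA", "SHA", "SMD5", "MD5", "CRYPT", "PBKDF2", "ARGON2"}
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")
# attribute name, ":" (plain value) or "::" (base64 value), optional space, value
LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")


def ssha_hash(password, salt=None):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt), RFC 2307 style."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored, password):
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes, salt follows
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space), decodes
    '::' base64 values, and returns one {attr: [values]} dict per entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]           # continuation of the previous line
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", errors="replace")
        current.setdefault(attr, []).append(value)
    return entries


def audit_userpassword(text):
    """Return [(dn, status)]: 'hashed:<SCHEME>', 'cleartext', or 'none' when the
    entry has no userPassword attribute at all."""
    report = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["?"])[0]
        values = entry.get("userpassword")
        if not values:
            report.append((dn, "none"))
            continue
        for value in values:
            m = SCHEME_RE.match(value)
            scheme = m.group(1).upper() if m else None
            status = "hashed:" + scheme if scheme in HASHED_SCHEMES else "cleartext"
            report.append((dn, status))
    return report


# Constructed sample export (hypothetical entries, not from the page).
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "uid: alice",
    "userPassword: " + ssha_hash("alice-pw", salt=b"\x01\x02\x03\x04"),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "uid: bob",
    # base64 in the export, but the decoded value has no scheme prefix
    "userPassword:: " + base64.b64encode(b"hunter2").decode("ascii"),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "uid: carol",
    "userPassword: {CLEARTEXT}letmein",
    "",
    "dn: uid=svc-backup,ou=services,dc=example,dc=com",
    "uid: svc-backup",
    "userPassword: {CRYPT}$6$saltsalt$constructedhash",   # folded over two lines
    " value",
])

if __name__ == "__main__":
    for dn, status in audit_userpassword(SAMPLE_LDIF):
        print(f"{'FLAG' if status == 'cleartext' else ' ok '}  {dn}: {status}")
```

Running the block flags bob and carol: bob's value was only base64-encoded by the export, and carol's carries an explicit {CLEARTEXT} scheme, so neither is protected at rest. On a real system the same audit would be run against the output of a directory export rather than the embedded sample, and remediation is to have the provisioning code write a hashed value (as `ssha_hash` does) rather than the raw password.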
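The biometric answer above distinguishes Type 1 errors (a valid subject rejected) from Type 2 errors (an invalid subject accepted). The added example below is not from the book; it applies that classification to a set of constructed fingerprint match scores and shows how moving the acceptance threshold trades one error type for the other, which is the point behind choosing a threshold that favours Type 1 errors when, as in the question, no one but the real customer should ever be accepted. The score values, the threshold values and the function names are assumptions made for illustration.

```python
def classify_attempt(is_genuine, accepted):
    """Name the outcome of one biometric decision using the page's Type 1 / Type 2 terms."""
    if is_genuine and accepted:
        return "true accept"
    if is_genuine and not accepted:
        return "Type 1 error (false rejection)"
    if not is_genuine and accepted:
        return "Type 2 error (false acceptance)"
    return "true reject"


def error_rates(genuine_scores, impostor_scores, threshold):
    """Accept any attempt whose match score is >= threshold and return
    (type1_rate, type2_rate): the fraction of genuine attempts rejected and
    the fraction of impostor attempts accepted."""
    type1 = sum(1 for s in genuine_scores if s < threshold)
    type2 = sum(1 for s in impostor_scores if s >= threshold)
    return type1 / len(genuine_scores), type2 / len(impostor_scores)


def sweep(genuine_scores, impostor_scores, thresholds):
    """Evaluate several thresholds; returns {threshold: (type1_rate, type2_rate)}."""
    return {t: error_rates(genuine_scores, impostor_scores, t) for t in thresholds}


# Constructed sample: match scores in [0, 1] for the real customer's fingerprint
# (genuine) and for other people's fingerprints (impostors). Not real data.
GENUINE = [0.92, 0.88, 0.75, 0.95, 0.60]
IMPOSTOR = [0.30, 0.55, 0.72, 0.40, 0.20]

if __name__ == "__main__":
    print(classify_attempt(is_genuine=False, accepted=True))
    for t, (t1, t2) in sweep(GENUINE, IMPOSTOR, [0.5, 0.7, 0.8]).items():
        print(f"threshold {t:.2f}: Type 1 rate {t1:.2f}, Type 2 rate {t2:.2f}")
```

With the sample scores, a threshold of 0.5 accepts two impostors (Type 2 rate 0.40) while rejecting no genuine attempt, and a threshold of 0.8 accepts no impostor but rejects two genuine attempts (Type 1 rate 0.40); the fingerprint scenario in the question calls for a setting at the stricter end of that range.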