Chapter 5: Identity and Access Management (Domain 5)
- D. Kerberos is a ticket-based authentication protocol that secures the exchanges between the client, the key distribution center (KDC) with its authentication server (AS) and ticket-granting service (TGS), and the endpoint services. RADIUS does not provide the same level of protection by default (it obfuscates only the password attribute of its packets, not the whole exchange), SAML is an XML-based markup language for exchanging authentication and authorization assertions, and OAuth is an authorization framework that lets third-party websites obtain delegated access to resources held by providers such as Google or Microsoft; none of them is a ticket-based authentication protocol.

- D. Administrative access controls are procedures and the policies from which they
derive. They are based on regulations, requirements, and the organization’s own policies.
Corrective access controls return an environment to its original status after an issue, while
logical controls are technical access controls that rely on hardware or software to protect
systems and data. Compensating controls are used in addition to or as an alternative to
other controls.

- A. When a client requests access to a service (the client-to-service authorization exchange), it sends its TGT and the identifier of the requested service to the TGS, and if the TGT and the accompanying authenticator validate, the TGS responds with a client-to-server ticket and a client/server session key. The AS (authentication server) and the SS (service server) are parties in the protocol, not messages, so neither can be "sent."

- C. In a mandatory access control system, all subjects and objects have a label.
Compartments may or may not be used, but there is not a specific requirement for either
subjects or objects to be compartmentalized. The specific labels of Confidential, Secret,
and Top Secret are not required by MAC.

- D. A well-designed web application never stores the passwords themselves. Instead, it stores a per-user random salt together with the salted hash produced by a slow, purpose-built password-hashing function; at login the submitted password is salted and hashed the same way and the result is compared (in constant time) with the stored hash. If the hashes match, the user is authenticated.
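The client-to-service authorization exchange described in the Kerberos answer above, as an added example that is not part of the book's answer key: a toy realm in which the AS issues a TGT, the client presents the TGT plus an authenticator to the TGS, and the TGS returns a client-to-server ticket and a fresh session key. Real Kerberos encrypts tickets and authenticators; here they are bound to the relevant key with an HMAC tag instead, which is enough to show that each party can only validate what is keyed for it. The realm name, principal names and key values are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed long-term keys for the toy realm (not real Kerberos keys).
KDC_KEY = b"kdc-long-term-key"                              # shared by AS and TGS; protects TGTs
SERVICE_KEYS = {"http/shop.example": b"shop-service-key"}   # known to the TGS and to the service


def seal(key: bytes, payload: dict) -> dict:
    """Serialize a ticket or authenticator and bind it to `key` with an HMAC tag.
    (Stand-in for Kerberos encryption; only integrity/authenticity is modeled.)"""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def open_sealed(key: bytes, sealed: dict):
    """Return the payload if the tag verifies under `key`, otherwise None."""
    body = sealed["body"].encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(sealed["tag"]).encode()):
        return None
    return json.loads(body)


def as_issue_tgt(client: str):
    """AS exchange (already complete when the question's step begins): the AS
    issues a TGT sealed under the KDC key plus the TGT session key."""
    tgt_session_key = secrets.token_hex(16)
    tgt = seal(KDC_KEY, {"client": client, "session_key": tgt_session_key,
                         "expires": time.time() + 600})
    return tgt, tgt_session_key


def client_build_tgs_request(client: str, tgt: dict, tgt_session_key: str, service: str) -> dict:
    """The client sends its TGT, the requested service ID, and an authenticator
    sealed with the TGT session key (proving it knows that key)."""
    authenticator = seal(tgt_session_key.encode(), {"client": client, "timestamp": time.time()})
    return {"tgt": tgt, "service": service, "authenticator": authenticator}


def tgs_handle_request(req: dict, now: float = None):
    """TGS exchange: validate the TGT and authenticator; on success return a
    client-to-server ticket (sealed under the service's key) and a fresh
    client/server session key sealed under the TGT session key so only the
    client can read it. Any failure returns None."""
    now = time.time() if now is None else now
    tgt = open_sealed(KDC_KEY, req["tgt"])
    if tgt is None or tgt["expires"] < now:
        return None
    auth = open_sealed(tgt["session_key"].encode(), req["authenticator"])
    if auth is None or auth["client"] != tgt["client"] or abs(now - auth["timestamp"]) > 300:
        return None
    service_key = SERVICE_KEYS.get(req["service"])
    if service_key is None:
        return None
    cs_session_key = secrets.token_hex(16)
    service_ticket = seal(service_key, {"client": tgt["client"], "service": req["service"],
                                        "session_key": cs_session_key, "expires": now + 600})
    for_client = seal(tgt["session_key"].encode(), {"service": req["service"],
                                                     "session_key": cs_session_key})
    return {"ticket": service_ticket, "enc_part": for_client}


def service_accept(service: str, reply: dict):
    """The endpoint service validates the client-to-server ticket with its own key."""
    ticket = open_sealed(SERVICE_KEYS[service], reply["ticket"])
    return ticket["client"] if ticket and ticket["service"] == service else None


def run_exchange(client: str = "alice", service: str = "http/shop.example", tamper: bool = False):
    """Drive the whole exchange; with tamper=True the client substitutes a forged TGT."""
    tgt, tgt_key = as_issue_tgt(client)
    req = client_build_tgs_request(client, tgt, tgt_key, service)
    if tamper:  # forged TGT under an unknown key, claiming another principal
        req["tgt"] = seal(b"wrong-key", {"client": "mallory", "session_key": tgt_key,
                                         "expires": time.time() + 600})
    reply = tgs_handle_request(req)
    if reply is None:
        return None
    client_view = open_sealed(tgt_key.encode(), reply["enc_part"])
    ticket_view = open_sealed(SERVICE_KEYS[service], reply["ticket"])
    return {"principal": service_accept(service, reply),
            "client_session_key": client_view["session_key"],
            "ticket_session_key": ticket_view["session_key"]}


if __name__ == "__main__":
    print(run_exchange())
```

The point the question tests is visible in `tgs_handle_request`: the TGS never sees the client's long-term key, only the TGT (which it can check because it shares the KDC key with the AS) and the authenticator (which it can check with the session key carried inside the TGT); what it hands back is a ticket only the service can validate, plus the same session key delivered separately to the client.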
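The MAC answer above says only that every subject and object carries a label, with compartments optional and no particular level names required. As an added example (not from the book), the following label model makes that concrete using Bell-LaPadula style read/write rules on a hypothetical three-level ordering; the level names and compartment names are assumptions for the example.

```python
from dataclasses import dataclass, field

# Hypothetical ordering for this example; MAC only requires that labels be
# comparable, not that they be named Confidential/Secret/Top Secret.
LEVELS = {"public": 0, "internal": 1, "restricted": 2}


@dataclass(frozen=True)
class Label:
    level: str
    # Compartments are optional: an empty set is a complete, valid label.
    compartments: frozenset = field(default_factory=frozenset)


def dominates(a: Label, b: Label) -> bool:
    """`a` dominates `b` when a's level is at least b's and a holds every
    compartment that b has. Unlabeled (unknown-level) entities are rejected,
    since MAC requires every subject and object to carry a label."""
    if a.level not in LEVELS or b.level not in LEVELS:
        raise ValueError("every subject and object must carry a known level")
    return LEVELS[a.level] >= LEVELS[b.level] and b.compartments <= a.compartments


def decide(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula rules: read requires the subject to dominate the object
    (no read up); write requires the object to dominate the subject (no write down)."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError("unknown operation: %r" % op)
```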
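The salted-hash storage and verification described in the password answer above, as an added example that is not the book's code: PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt and a constant-time comparison, beside the unsalted single hash that a well-designed application must not use. The record format and the iteration count are choices made for this example (the count follows current OWASP guidance for PBKDF2-SHA256); a memory-hard function such as scrypt or Argon2 is preferable where available.

```python
import base64
import hashlib
import hmac
import os

# Work factor chosen for the example; raise it as hardware allows.
ITERATIONS = 600_000


def hash_password(password: str) -> str:
    """Return a self-describing record (algorithm, work factor, per-user salt, hash).
    The plaintext password itself is never stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and work factor, then compare in constant time.
    Malformed or unknown records fail closed."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    if algo != "pbkdf2_sha256" or iterations <= 0:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def unsalted_sha256(password: str) -> str:
    """What NOT to do: with no salt, identical passwords collide, so one precomputed
    table or one cracked hash exposes every user with that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()
```

Because the salt is random per record, two users with the same password get different stored values, while `unsalted_sha256` gives the same value for both.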
7. C. When a third-party site integrates sign-in via OAuth 2.0 (in practice, OpenID Connect layered on it), authentication is handled by the identity provider's servers. In this case, Google is acting as the identity provider for user authentication. Authentication for local users who create their own accounts would occur in the e-commerce application (or a related server), but that is not what the question asks.
- B. The anti-forgery state token exchanged during an OAuth authorization flow is intended to prevent cross-site request forgery (CSRF). The client generates an unguessable state value, binds it to the user's session, sends it on the authorization request, and checks that the value returned with the authentication response from Google's OAuth service matches the one stored for that session; this verifies that the user, not an attacker, initiated the request. An XSS attack would involve injected script (script tags, for example), a SQL injection attack would carry SQL syntax, and XACML is the eXtensible Access Control Markup Language, a policy language, not a type of attack.

- A. Knowledge-based authentication relies on preset questions such as “What is your pet’s
name?” and the answers. It can be susceptible to attacks because of the availability of the
answers on social media or other sites. Dynamic knowledge-based authentication relies
on facts or data that the user already knows that can be used to create questions they can
answer on an as-needed basis (for example, a previous address, or a school they attended).
Out-of-band identity proofing relies on an alternate channel like a phone call or text
message. Finally, Type 3 authentication factors are biometric, or “something you are,”
rather than knowledge based.
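The state-token check from the OAuth answers above (question 7 and the anti-forgery answer that follows it), as an added example that is not the book's code and not Google's client library: the relying party mints a random state, stores it in the browser session, sends it on the authorization request, and on the callback accepts the authorization code only if the echoed state matches. Google's authorization endpoint URL is real; the client ID, redirect URI, session dictionary and the stand-in for Google's redirect are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Google's authorization endpoint; client ID and redirect URI are hypothetical.
AUTHORIZE_URL = "https://accounts.google.com/o/oauth2/v2/auth"
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
REDIRECT_URI = "https://shop.example/oauth2/callback"


def begin_login(session: dict) -> str:
    """Start the flow: mint an unguessable state, bind it to this browser session,
    and build the URL the user is redirected to at Google."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({"client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                       "response_type": "code", "scope": "openid email", "state": state})
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session: dict, callback_url: str):
    """Finish the flow: accept the authorization code only if the state echoed back
    matches the one stored in this session. Returns the code, or None to reject."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)      # one-time use: a replay finds nothing
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        return None
    if not hmac.compare_digest(expected.encode("utf-8"), received.encode("utf-8")):
        return None
    if "error" in params:
        return None
    return params.get("code", [None])[0]


def simulated_google_redirect(authorize_url: str, code: str) -> str:
    """Stand-in for Google's redirect back to the client: the provider echoes the
    state it was given alongside the authorization code."""
    state = parse_qs(urlparse(authorize_url).query)["state"][0]
    return f"{REDIRECT_URI}?{urlencode({'code': code, 'state': state})}"


def login_csrf_attempt(victim_session: dict):
    """The attack the state parameter stops: the attacker runs a flow in their own
    browser, obtains a callback URL carrying a code for the attacker's Google account,
    and tricks the victim's browser into loading it. Without the check, the victim's
    shop session would be linked to the attacker's identity; with it, the victim's
    session holds no matching state and the callback is rejected."""
    attacker_session = {}
    attacker_callback = simulated_google_redirect(begin_login(attacker_session), "attacker-code")
    return handle_callback(victim_session, attacker_callback)
```

The comparison uses `hmac.compare_digest` so that a wrong state cannot be distinguished from a right one by timing, and the stored state is popped rather than read so that a captured callback URL cannot be replayed into the same session.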