
CISA-Testing Concept-Single Sign On (SSO) (Domain-5)

 

Domain-5

Testing Concept-Single Sign-On (SSO)

Hemang Doshi

CISA, ACA, DISA, FIII

Details about this E-Book:

The objective of this e-book is to ensure that CISA candidates gain adequate knowledge of the concept of ‘Single Sign-On (SSO)’. The concepts have been simplified for easy reference by CISA candidates.

Questions, Answers and Explanations (QAE) on the concept are designed in accordance with the CISA exam pattern.

What is single sign-on?

Single sign-on (SSO) is a user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications.

Advantages of Single Sign-On:

(1) Multiple passwords are not required. This encourages the user to select a stronger password.

(2) Improves the administrator’s ability to manage user accounts.

(3) Reduces the administrative overhead cost of resetting passwords, because there are fewer IT help desk calls about passwords.

(4) Reduces the time taken by users to log into multiple applications.

 

Disadvantages of Single Sign-On:

(1) SSO acts as a single authentication point for multiple applications, which constitutes a risk of a single point of failure.

(2) Support for all major operating system environments is difficult.

 

Single Sign-On vis-à-vis Reduced Sign-On:

In SSO, the user needs to log in just one time for all the applications. In RSO, users need to sign in individually for each application (with the same user ID and password).

In layman’s terms: unlike SSO, where a user logs on just one time, RSO challenges the user again for higher-risk applications while keeping the overall frequency of authentication low.
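The difference in how often the user is challenged can be made concrete with a small simulation. This is an added example, not code from the e-book: the application names, their risk tiers, the access sequence and the time thresholds are all constructed for illustration. It compares three policies over the same working day: a separate login per application, SSO (one login), and RSO (one login plus a step-up check for high-risk applications when the last credential check is too old).

```python
"""Counting credential prompts under per-application login, SSO and RSO.

Added example; every application, risk tier, timestamp and threshold below is constructed.
"""

# Constructed application catalogue with a risk tier per application.
APP_RISK = {
    "wiki": "low",
    "timesheet": "low",
    "email": "low",
    "payroll": "high",
    "admin-console": "high",
}

SESSION_LIFETIME = 8 * 3600  # one successful login covers the working day
STEP_UP_WINDOW = 15 * 60     # RSO: high-risk apps want a credential check this recent

# Constructed access log for one user: (seconds since start of day, application opened).
ACCESS_LOG = [
    (0, "email"), (600, "wiki"), (1200, "payroll"), (1500, "payroll"),
    (3000, "timesheet"), (7200, "admin-console"), (7500, "email"),
    (7800, "payroll"), (14400, "wiki"), (15000, "admin-console"),
]


def needs_prompt(policy, app, t, last_auth):
    """Return True when the user must present credentials at time t.

    policy: "per-app" (sign in to every application separately),
            "sso"     (one login for everything),
            "rso"     (one login, re-challenged for high-risk apps when stale).
    last_auth: under "per-app" keyed by application; otherwise the single key
               "sso" records the time of the most recent credential check.
    """
    if policy == "per-app":
        return app not in last_auth
    if "sso" not in last_auth:
        return True
    age = t - last_auth["sso"]
    if age > SESSION_LIFETIME:
        return True  # session expired under both SSO and RSO
    # RSO alone adds a step-up check for high-risk applications.
    return policy == "rso" and APP_RISK[app] == "high" and age > STEP_UP_WINDOW


def count_prompts(policy, log=ACCESS_LOG):
    """Replay the access log under one policy and count credential prompts."""
    last_auth = {}
    prompts = 0
    for t, app in log:
        if needs_prompt(policy, app, t, last_auth):
            prompts += 1
            last_auth[app if policy == "per-app" else "sso"] = t
    return prompts


def compare(log=ACCESS_LOG):
    """Prompt counts for all three policies over the same day."""
    return {policy: count_prompts(policy, log) for policy in ("per-app", "sso", "rso")}


if __name__ == "__main__":
    for policy, prompts in compare().items():
        print(f"{policy:8s} -> {prompts} credential prompt(s)")
```

On the constructed log, per-application login prompts five times (once per distinct application), SSO prompts once, and RSO prompts four times: the initial login plus a step-up each time a high-risk application is opened more than fifteen minutes after the last credential check. RSO therefore sits between the two, which is the trade-off the paragraph above describes.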

 

Kerberos

- One example of SSO is Kerberos.

- Kerberos is an authentication service used to validate services and users in a distributed computing environment (DCE).

- In a client-server environment, only users are authenticated; in a distributed computing environment (DCE), both users and servers authenticate themselves.

- At initial logon time, the Kerberos server acts as a trusted third party that verifies the identity of the client.
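The three-party shape described above can be sketched in code. This is an added example, not the e-book’s material and not an implementation of the real Kerberos protocol: the trusted third party (the KDC) shares a long-term key with the user and with the service, issues a ticket that only the service can open together with a session key wrapped for the user, and the service answers the user’s authenticator so that both sides end up authenticated. The principal names, secrets, lifetimes and the HMAC-based ‘seal’ routine standing in for Kerberos encryption are all constructed assumptions.

```python
"""Toy three-party (Kerberos-style) ticket exchange with mutual authentication.

Added example. Principals, secrets, lifetimes and the seal/unseal cipher are constructed;
only the protocol shape (trusted third party, ticket, authenticator, reply) is the point.
"""
import hashlib
import hmac
import json
import os

TICKET_LIFETIME = 8 * 3600  # seconds a ticket stays valid
CLOCK_SKEW = 300            # tolerated clock difference between client and service

# Constructed long-term secrets the KDC shares with each principal.
# A user's key is derived from the password; a service's key is provisioned.
LONG_TERM_KEYS = {
    "alice": hashlib.sha256(b"alice-password").digest(),
    "payroll-svc": hashlib.sha256(b"payroll-service-provisioned-secret").digest(),
}


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Toy authenticated encryption: HMAC-SHA256 keystream, then an HMAC tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce = os.urandom(16)
    plaintext = json.dumps(obj).encode()
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Reverse of seal(); raises ValueError when the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkey(key, b"enc"), _subkey(key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ s for c, s in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))))


def kdc_issue(user, service, now):
    """Trusted third party: a ticket only the service can open, plus the session key
    wrapped for the user (readable only with the password-derived key)."""
    session_key = os.urandom(16).hex()
    expires = now + TICKET_LIFETIME
    ticket = seal(LONG_TERM_KEYS[service],
                  {"user": user, "service": service, "key": session_key, "expires": expires})
    reply = seal(LONG_TERM_KEYS[user], {"key": session_key, "service": service, "expires": expires})
    return ticket, reply


def client_authenticator(user, password, reply, now):
    """Client proves knowledge of the password by unwrapping the session key, then
    builds a fresh authenticator (name + timestamp) under that session key."""
    creds = unseal(hashlib.sha256(password.encode()).digest(), reply)
    session_key = bytes.fromhex(creds["key"])
    return session_key, seal(session_key, {"user": user, "ts": now})


def service_verify(service, ticket, authenticator, now):
    """Service checks the ticket with its own key, then the authenticator with the
    session key, and answers with ts+1 so the client can verify the service in turn."""
    t = unseal(LONG_TERM_KEYS[service], ticket)
    if t["service"] != service or now > t["expires"]:
        raise PermissionError("ticket not for this service or expired")
    session_key = bytes.fromhex(t["key"])
    a = unseal(session_key, authenticator)
    if a["user"] != t["user"] or abs(now - a["ts"]) > CLOCK_SKEW:
        raise PermissionError("authenticator does not match ticket or is stale")
    return seal(session_key, {"ts": a["ts"] + 1})


def run_exchange(password="alice-password", issued_at=1_700_000_000, verify_at=None, tamper=False):
    """Drive one full exchange and report which side accepted the other."""
    verify_at = issued_at if verify_at is None else verify_at
    try:
        ticket, reply = kdc_issue("alice", "payroll-svc", issued_at)
        session_key, authenticator = client_authenticator("alice", password, reply, verify_at)
        if tamper:  # a modified ticket must fail the service's integrity check
            ticket = ticket[:-1] + bytes([ticket[-1] ^ 0x01])
        server_reply = service_verify("payroll-svc", ticket, authenticator, verify_at)
        mutual = unseal(session_key, server_reply)["ts"] == verify_at + 1
        return {"service_accepted": True, "client_verified_service": mutual}
    except (ValueError, PermissionError):
        return {"service_accepted": False, "client_verified_service": False}


if __name__ == "__main__":
    print("normal:", run_exchange())
    print("wrong password:", run_exchange(password="guess"))
    print("tampered ticket:", run_exchange(tamper=True))
    print("expired ticket:", run_exchange(verify_at=1_700_000_000 + TICKET_LIFETIME + 1))
```

The four runs at the bottom show the properties the bullet points claim: the user is authenticated because only the correct password unwraps the session key, the service is authenticated because only it can open the ticket and only a holder of the session key can answer with ts+1, and a tampered or expired ticket is rejected before any access is granted.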

 

Points to remember for the CISA Exam:

(1) When a CISA question is about the major risk of SSO, our answer should be:

- SSO acts as a single authentication point for multiple applications.

- SSO acts as a single point of failure.

If both options are present, please select ‘SSO acts as a single authentication point for multiple applications’. This is the more specific answer compared to ‘SSO acts as a single point of failure’.

(2) When a CISA question is about the most important control for SSO, our answer should be implementation of a strong password policy.

 

Question, Answer & Explanation on Single Sign-On:

The QAE below are solely on the concept of Single Sign-On. Candidates are advised to attempt the questions below multiple times. More emphasis should be given to the explanation part for better understanding.

(1) An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. A major risk of using single sign-on (SSO) is that it:

A. acts as a single authentication point for multiple applications.

B. acts as a single point of failure.

C. acts as a bottleneck for smooth administration.

D. leads to a lockout of valid users in case of authentication failure.

Answer: A. acts as a single authentication point for multiple applications.

Explanation:

SSO acts as a single authentication point for multiple applications, which constitutes a risk of a single point of failure. The primary risk associated with single sign-on is the single authentication point. ‘Single point of failure’ describes much the same exposure as the single authentication point, but a failure can also be due to other reasons. So the more specific answer to this question is option A.

 

(2) An organization is introducing a single sign-on (SSO) system. In SSO, unauthorized access:

A. will have minor impact.

B. will have major impact.

C. is not possible.

D. is highly possible.

Answer: B. will have major impact.

Explanation:

Single sign-on (SSO) is a user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. This constitutes a risk of a single point of failure. The impact will be greater since the hacker needs to know only one password to gain access to all the related applications, and this therefore causes greater concern than if only the password to one of the systems were known. Introduction of SSO has no bearing on the possibility (higher or lower) of unauthorized access.

 

 

(3) An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. A major risk of using single sign-on (SSO) is that:

A. It increases the security administrator’s workload.

B. It reduces the administrator’s ability to manage user accounts.

C. It increases the time taken by users to log into multiple applications.

D. Unauthorized password disclosure can have a greater impact.

Answer: D. Unauthorized password disclosure can have a greater impact.

Explanation:

Single sign-on (SSO) is a user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications. This constitutes a risk of a single point of failure. The impact will be greater since the hacker needs to know only one password to gain access to all the related applications, and this therefore causes greater concern than if only the password to one of the systems were known. SSO improves the administrator’s ability to manage user accounts. SSO reduces the time taken by users to log into multiple applications and the workload of security administration.

 

 

(4) An organization is introducing a single sign-on (SSO) system. Under the SSO system, users will be required to enter only one user ID and password for access to all application systems. To prevent unauthorized access, the MOST important action is to:

A. monitor all failed attempts.

B. regularly review log files.

C. implement a strong password policy.

D. deactivate all unused accounts.

Answer: C. implement a strong password policy.

Explanation:

A strong password policy is the better preventive control. The other options are good practice but may not be able to address the risk of unauthorized access once a password is compromised.

 

 

(5) Which of the following is the MOST important benefit of Single Sign-On?

A. Easier administration of password management.

B. It can avoid a potential single point of failure issue.

C. Maintaining SSO is easy as it is not prone to human errors.

D. It protects network traffic.

Answer: A. Easier administration of password management.

Explanation:

Easier administration of changing or deleting passwords is the major advantage of implementing SSO. The advantages of SSO include having the ability to use stronger passwords, easier administration of changing or deleting passwords, and requiring less time to access resources.

 

 

(6) The risk of unauthorized access can BEST be controlled by:

A. Before-image/after-image logging

B. Vitality detection

C. Multimodal biometrics

D. Kerberos

Answer: D. Kerberos

Explanation:

Kerberos is a network authentication protocol for client-server applications that can be used to restrict access to the database to authorized users. Vitality detection and multimodal biometrics are controls against spoofing and mimicry attacks. Before-image/after-image logging of database transactions is a detective control, as opposed to Kerberos, which is a preventive control.

 

 

 

Mock Test

To attempt the mock test on single sign-on, please visit the link below:

http://datainfosec.blogspot.in/2017/02/mock-test-single-sign-on-sso-cisa.html?m=1

 

Other CISA Exam Study Material

Domain 1

Steps of Risk Assessment
https://www.youtube.com/watch?v=F2j8xhPaFTg
https://www.Shakespir.com/books/view/622303

Types of Risk
https://www.youtube.com/watch?v=FvuvARXcjss

Compliance & Substantive Testing
https://youtu.be/3-u2mpIZzW8
https://www.Shakespir.com/books/view/625599

Difference between Inherent Risk & Residual Risk
https://www.youtube.com/watch?v=72kv6yOpXEI

Difference between Vulnerability & Threat
https://www.youtube.com/watch?v=6KxEbth2Ziw

Audit Charter
https://www.youtube.com/watch?v=rbCJ3ceDuso
https://www.Shakespir.com/books/view/633923

COBIT-5
https://youtu.be/WfwjpDdBqr4

Internal Controls
https://youtu.be/RuX2hLnm3vY

Control Self Assessment (CSA)
https://youtu.be/cGcMmt-03as
https://www.Shakespir.com/books/view/658967

Sampling
https://youtu.be/Ynif7SqvkvM
https://www.Shakespir.com/books/view/661847

Domain 2

Outsourcing Functions
https://youtu.be/vQsX6ZQSDXk

IT Strategy Committee & IT Steering Committee
https://youtu.be/Za9VMrSe094

IT Alignment with Business Objectives
https://www.youtube.com/watch?v=FEsP2LXSF9U
https://www.Shakespir.com/books/view/633047

IT Balanced Score Card
https://youtu.be/tvNAvAL9ZIg
https://www.Shakespir.com/books/view/639816

Roles of various functions of IT
https://youtu.be/UMDZrfp1W2Q
https://www.Shakespir.com/books/view/645822

Domain 3

Online Auditing Techniques
https://www.youtube.com/watch?v=HmGFIJlLu-4
https://www.Shakespir.com/books/view/637926

Parity-Checksum-CRC
https://youtu.be/Y14jVvOKqaU
https://www.Shakespir.com/books/view/656262

Check Digit
https://youtu.be/VH2yd3A6bMc
https://www.Shakespir.com/books/view/656262

PERT-CPM-Gantt Chart-FPA-EVA-Timebox
https://youtu.be/zYZYvcr_-3M
https://www.Shakespir.com/books/view/666753

Testing in SDLC
https://www.youtube.com/watch?v=43nFUFzTbBU
https://www.Shakespir.com/books/view/687052

Domain 4

Recovery Time Objective (RTO) and Recovery Point Objective (RPO)
https://youtu.be/2rDusGnW9qw
https://www.Shakespir.com/books/view/646456

Alternate Recovery Site
https://youtu.be/jCpcqaazkY4
https://www.Shakespir.com/books/view/647476

Domain 5

Digital Signature
https://youtu.be/_N3jisd1Vis
https://www.Shakespir.com/books/view/648923

Wireless (Wi-Fi) Security
https://youtu.be/csbd_V9PknI
https://www.Shakespir.com/books/view/651918

Firewall Types
https://youtu.be/x650kcv6Mfk
https://www.Shakespir.com/books/view/654726

Firewall Implementation
https://youtu.be/lltKNTdjg4Y
https://www.Shakespir.com/books/view/654726

Logical Access
https://www.Shakespir.com/books/view/630325

Classification of Information Assets
https://youtu.be/z7MwD8_ayCs
https://www.Shakespir.com/books/view/669437

Asymmetric Encryption
https://www.Shakespir.com/books/view/674900
https://youtu.be/mCM6dyQ_KmQ

Elements of Public Key Infrastructure
https://www.Shakespir.com/books/view/679445
https://youtu.be/ZqVciCzS3ng

Biometrics
https://www.Shakespir.com/books/view/685250
https://youtu.be/EmTOytQv4yM

IDS & IPS
https://youtu.be/0J49Ij_l8VU
https://www.Shakespir.com/books/view/692601

OSI Architecture
https://youtu.be/vkjBo2_9aDE
https://www.Shakespir.com/books/view/703536



  • ISBN: 9781370888764
  • Author: Hemang Doshi
  • Published: 2017-02-28 09:20:16
  • Words: 1366