13 - Managing Identity and Authentication Flashcards

1
Q

What different parts of an org are considered an asset?

A
  • Information: All the data of an org.
  • Systems: Any IT systems that provide a service.
  • Devices: Any computing system including servers, laptops, phones, and printers.
  • Facilities: Any physical location the org owns or rents.
  • Personnel: Any people working for an organization.
2
Q

What is an Access Control?

A

Any hardware, software, or administrative policy or procedure that controls access to resources.

  1. Identify and Authenticate
  2. Authorize permissions
  3. Grant or restrict access
  4. Audit activity
3
Q

What are the different types of access controls?

A
  • Preventive: Attempts to thwart or stop unwanted activity from happening.
  • Detective: Attempts to discover or detect unwanted activity.
  • Corrective: Modifies the environment to return systems to normal after an unwanted activity has occurred.
  • Deterrent: Attempts to discourage security policy violations.
  • Recovery: Attempts to repair or restore resources/functions after a security policy violation.
  • Directive: Attempts to direct subjects to comply with security policies.
  • Compensating: Attempts to provide an alternative or enhancement to existing security control.
  • Administrative: Policies and procedures defined by an org.
  • Logical/Technical: Hardware/software mechanisms used to manage access and provide protection.
  • Physical: physical mechanisms that are meant to prevent direct contact with systems or areas within a facility.
4
Q

What is the difference between Identification and Authentication?

A
  • Identification: The process of a subject claiming an identity.
  • Authentication: Verifies the identity of the subject by cross-checking several factors related to the account.

**Identification and Authentication always occur together in a 2-step process**

5
Q

What is Registration/Proofing?

A
  • Registration: When a user is first given an identity, proper documentation is necessary in order to prove their identity.
  • Proofing: Extra steps taken to prove the identity someone is claiming, such as providing an SSN or other personal information.
6
Q

What is the difference between Authorization and Accountability?

A
  • Authorization: Determines who is trusted to perform specific actions.
  • Accountability: Subjects are responsible for their actions. Usually done with auditing.
7
Q

What are the different types of Authentication Factors?

A
  1. Type 1: Something you know (PW, PIN)
  2. Type 2: Something you have (smartcards, USB)
  3. Type 3: Something you are (biometric)

**Type 3 is the strongest**

Additional factors:

  • Somewhere you are
  • Context-Aware: Using a mobile device to confirm certain details of a user.
8
Q

What are Passwords?

A

A password is a string of characters that a user inputs for authentication (Type 1). Passwords are generally static, meaning they are not changed for a period of time.

Passwords are generally the weakest form of authentication because users tend to choose easy-to-remember ones, reuse the same one in multiple places, store them improperly, etc.

9
Q

What are some common characteristics enforced on Password policies?

A
  • Maximum Age: Maximum days a password can be used until it needs to be changed.
  • Complexity: How many character types it uses.
  • Length: The number of characters in a password.
  • History: Keeps track of a certain number of previously used passwords so they won’t be re-used.
10
Q

What is a Passphrase?

A

A string of words that is generally easy for the user to remember but longer than a normal password, which makes it harder to crack.

11
Q

What are Cognitive Passwords?

A

A series of challenge questions about facts or predefined responses that only the subject should know, which are later used for authentication.

**The flaw is that this information can often be found about people on social media sites.**

12
Q

What are Smartcards and Tokens?

A
  • Smartcards: An ID or badge with an embedded integrated circuit chip that contains info about the user. Most current cards also include a microprocessor and a certificate for encryption.
  • Tokens: A password-generating device that users can carry with them. An authentication server knows what number the token is displaying at any given time. Tokens are generally used with another authentication mechanism. Tokens use dynamic one-time passwords that are used only once and are no longer valid after use.
    • Synchronous Dynamic Password Tokens: Time-based and synchronized with an authentication server.
    • Asynchronous Dynamic Password Tokens: The password does not depend on a clock; it is generated by an algorithm and a counter, and stays the same until used. The authentication server sends a challenge number, the user enters it into the token, and the token generates the OTP.
13
Q

What is Two-Step Authentication?

A

Adding an additional authentication method in addition to a username/password such as a text message.

  • HMAC-based One-Time Password (HOTP): Uses an HMAC hash function to generate a one-time password. Stays valid until used.
  • Time-based One-Time Password (TOTP): Similar to HOTP but has a time limit on how long the password stays valid.
14
Q

What are Biometrics?

A

Physiological or behavioral characteristics used for authentication: fingerprints, retina scans, palm scans, keystroke patterns, etc.

  • Fingerprints: Visible patterns on the fingers and thumbs of people.
  • Face Scans: Geometric patterns of faces for detection and recognition.
  • Retina Scans: The pattern of blood vessels in the back of the eye. Most accurate form of biometric authentication.
  • Iris Scan: The colored area around the pupil. The 2nd most accurate form.
  • Palm Scans: Measures the vein patterns in the palm, which are as unique as fingerprints.
  • Hand Geometry: Physical dimensions of the hand.
  • Heart/Pulse Patterns: Measuring the heartbeat or pulse of a person to ensure a real person is providing the biometric factor.
  • Voice Pattern Recognition: The characteristics of a person’s speaking voice, known as a voiceprint.
  • Signature Dynamics: Examines both how a subject performs the act of writing and features in a written sample.
  • Keystroke Patterns: Measures how a subject uses a keyboard by analyzing flight time and dwell time.
    • Flight Time: How long it takes between key presses.
    • Dwell Time: How long a key is pressed.
15
Q

What are Biometric Error Ratings?

A
  • False Rejection Rate (Type I Error): When a valid subject is not authenticated.
  • False Acceptance Rate (Type II Error): When an invalid subject is authenticated.
16
Q

What is Multifactor Authentication?

A

Any authentication using two or more factors.

17
Q

What is Device Authentication?

A

The method of verifying the health of a device and confirming it is associated with a known user.

18
Q

What are the 2 different categories of Identity Management?

A
  • Centralized Access Control: All verifications are done by a single entity.
  • Decentralized Access Control: Verifications are done by various entities located throughout a system.
19
Q

What are the different Identity Verification Methods/Protocols?

A
  • Single Sign-On: Centralized access control that allows a subject to be authenticated once on a system and then access multiple resources without authenticating again.
  • LDAP and Centralized Access Control: The use of a directory service (centralized database) to manage permissions and authenticate subjects.
  • LDAP and PKIs: The use of digital certificates in transmissions and the use of LDAP to query a CA for certificate functions.
  • Kerberos: Ticket-based authentication.
    • Key Distribution Center (KDC): Maintains the secret keys for all network members.
    • Kerberos Authentication Server: Hosts the functions of the KDC. The Authentication Service (AS) verifies or rejects the authenticity and timeliness of tickets. Also hosts the Ticket Granting Service (TGS).
    • Ticket-Granting Ticket (TGT): provides proof that a subject has authenticated and can request access to other objects.
    • Ticket: An encrypted message that provides proof that a subject is authorized to access an object.
  • Federated Identity Management and SSO: SSO used across many different organizations.
  • Scripted Access: Establish communication links by providing an automated process to transmit login credentials at the start of a logon session.
20
Q

What is the Kerberos Logon Process?

A
  1. User types a username and password.
  2. Client encrypts the username with AES for transmission to the KDC.
  3. KDC verifies the username against a database of known creds.
  4. KDC generates a symmetric key that will be used by the client.
  5. KDC sends over the key and a TGT.
  6. Client installs the TGT for use until it expires.
21
Q

What type of languages can be used in a Federated Identity environment?

A
  • HTML (Hypertext Markup Language): Used to describe how data is displayed by using tags for aspects such as size and color.
  • XML (Extensible Markup Language): Actually describes the data being displayed. A common way for different systems to import and export data.
  • SAML (Security Assertion Markup Language): An XML-based language that is used to exchange authentication and authorization info between orgs.
  • SPML (Service Provisioning Markup Language): XML-based language that can display LDAP-based info.
  • XACML (Extensible Access Control Markup Language): XML-based language that describes access control policies.
  • OAuth 2.0 (Open Authorization): Open standard used for access delegation. Allowing an app access to your Twitter account by being redirected to Twitter to log in directly. Your Twitter creds are not exposed and access is limited.
  • OpenID: Decentralized authentication, allowing users to log in to unrelated websites by using the OpenID provider.
    • A user goes to a website, the website redirects the user to the OpenID provider, where the user authenticates; the provider then redirects the user back to the website with permission.
  • OpenID Connect: Authentication layer that uses the OAuth 2.0 framework. Utilizes REST web services to obtain a JSON Web Token (JWT).
22
Q

What is scripted access?

A

When logon scripts establish communication links by providing an automated process to transmit credentials at the start of a session. Can mimic SSO.

23
Q

What is a Credential Management System?

A

Provides secure storage space for credentials when SSO isn’t available. Uses encryption to prevent unauthorized access.

24
Q

What are Identity Services?

A
25
Q

What are some techniques to protect/manage user sessions?

A
  • Screen Savers: Screen savers can be used to have users reauthenticate after a specified idle time.
  • Time Limit: Having secured online sessions automatically terminate after a set period of time.
26
Q

What are some protocols used for AAA (Authentication, Authorization, and Accounting)?

A
  • RADIUS (Remote Authentication Dial-in User Service): Uses a centralized server for authenticating remote users. The user connects to a network access server which then forwards creds to RADIUS for authentication. RADIUS uses UDP and encrypts only the password.
  • TACACS+ (Terminal Access Controller Access-Control System): Separates authentication, authorization, and accounting into separate processes. Encrypts all info and uses TCP port 49.
  • Diameter: Enhanced version of RADIUS and supports a wide range of protocols, such as IP and VoIP. Uses Stream Control Transmission Protocol (SCTP) port 3868. Supports IPsec and TLS.
27
Q

What are the main responsibilities of the Identity and Access Provisioning Lifecycle?

A
  • Provisioning: The creation and enrollment of a user account. Verifies the identity of the user, provides the credentials, and adds the account to the appropriate groups.
  • Account Review: The periodic audit of accounts to ensure inactive accounts are disabled and employees do not have excessive privileges.
    • Privilege Creep: A user accumulates privileges over time because old privileges are never removed as they change roles.
  • Account Revocation: The timely disablement of accounts when necessary (job termination and leave of absence).