13 - Managing Identity and Authentication Flashcards
What different parts of an org are considered an asset?
- Information: All the data of an org.
- Systems: Any IT systems that provide a service.
- Devices: Any computing system including servers, laptops, phones, and printers.
- Facilities: Any physical location the org owns or rents.
- Personnel: Any people working for an organization.
What is an Access Control?
Any hardware, software, or administrative policy or procedure that controls access to resources.
- Identify and Authenticate
- Authorize permissions
- Grant or restrict access
- Audit activity
What are the different types of access controls?
- Preventive: Attempts to thwart or stop unwanted activity from happening.
- Detective: Attempts to discover or detect unwanted activity.
- Corrective: Modifies the environment to return systems to normal after an unwanted activity has occurred.
- Deterrent: Attempts to discourage security policy violations.
- Recovery: Attempts to repair or restore resources/functions after a security policy violation.
- Directive: Attempts to direct subjects to comply with security policies.
- Compensating: Attempts to provide an alternative or enhancement to an existing security control.
By implementation (any of the above can be implemented in these ways):
- Administrative: Policies and procedures defined by an org.
- Logical/Technical: Hardware/software mechanisms used to manage access and provide protection.
- Physical: Physical mechanisms meant to prevent direct contact with systems or areas within a facility.
What is the difference between Identification and Authentication?
- Identification: The process of a subject claiming an identity.
- Authentication: Verifies the claimed identity by checking one or more authentication factors (a password, a token code, a biometric) against what the system has on record for that account.
**Identification and Authentication always occur together in a 2-step process**
What is Registration/Proofing?
- Registration: When a user is first given an identity; proper documentation is required to prove who they are before the account is created.
- Proofing: Extra steps taken to prove that someone is who they claim to be, e.g., SSN or other personal details only the real person should know.
What is the difference between Authorization and Accountability?
- Authorization: Determines what an authenticated subject is trusted to do (which actions on which resources).
- Accountability: Subjects are held responsible for their actions. Usually achieved through auditing (logging) tied to the authenticated identity.
What are the different types of Authentication Factors?
- Type 1: Something you know (PW, PIN)
- Type 2: Something you have (smartcards, USB tokens)
- Type 3: Something you are (biometric)
**Type 3 is the strongest single factor**; combining factors of different types (multifactor authentication) is stronger than any one factor on its own.
Additionals:
- Somewhere you are (location, e.g., from IP address or GPS)
- Context-Aware: Using context such as the device, location, and time of day to decide whether to allow the authentication (common with mobile device management).
What are Passwords?
A password is a string of characters that a user inputs for authentication (Type 1). Passwords are generally static, meaning they are not changed for a period of time.
Passwords are generally the weakest form of authentication because users pick easy-to-remember ones, reuse the same one in multiple places, and systems often store them improperly (in clear text or as unsalted hashes).
What are some common characteristics enforced on Password policies?
- Maximum Age: Maximum number of days a password can be used before it must be changed.
- Complexity: How many different character types (upper, lower, digits, symbols) it must contain.
- Length: The minimum number of characters in a password.
- History: Keeps track of a certain number of previously used passwords so they can't be reused.
**History only works together with a minimum age; without one, a user can cycle through the history in a minute and land back on the old password.**
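The policy characteristics above as working checks, written as an added example (not code from the flashcards). The thresholds (12 characters, 3 character classes, 90-day maximum age), the PBKDF2 parameters and the sample passwords are this example's own assumptions; the point it adds is that the history check runs against salted hashes, so the previous passwords never need to be kept in clear text.

```python
"""Password policy checks with a hashed password history.

Added example; not code from the flashcards. Thresholds (12 characters,
3 character classes, 90-day maximum age), PBKDF2 parameters and the sample
passwords are assumptions made for this demo.
"""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune for your hardware)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest). A fresh random salt per password means identical
    passwords do not produce identical stored values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def complexity(password: str) -> int:
    """Number of character classes present: lower, upper, digit, symbol."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(ch in cls for ch in password) for cls in classes)


def check_new_password(candidate: str, history, min_length: int = 12,
                       min_classes: int = 3) -> list:
    """Apply length, complexity and history rules; return the list of violations.
    `history` holds (salt, digest) pairs of the last N passwords, so the
    reuse check never needs the old passwords in clear text."""
    problems = []
    if len(candidate) < min_length:
        problems.append("too short")
    if complexity(candidate) < min_classes:
        problems.append("not complex enough")
    if any(matches(candidate, salt, digest) for salt, digest in history):
        problems.append("reused")
    return problems


def password_expired(set_on: str, today: str, max_age_days: int = 90) -> bool:
    """Maximum age: the password must be changed once it is older than
    max_age_days. Dates are ISO strings, e.g. '2024-01-01'."""
    age = date.fromisoformat(today) - date.fromisoformat(set_on)
    return age > timedelta(days=max_age_days)


if __name__ == "__main__":
    history = [hash_password("Correct-Horse-42"), hash_password("Old-Passw0rd!")]
    print(check_new_password("Correct-Horse-42", history))     # ['reused']
    print(check_new_password("Ab1!", history))                 # ['too short']
    print(password_expired("2024-01-01", "2024-04-01"))        # True
```

Each check returns every violation rather than stopping at the first, which is what a user-facing change-password form needs; the hashing cost of the history check is deliberate, since the same work factor protects the stored history if it leaks.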
What is a Passphrase?
A string of words that is easy for the user to remember but longer than a normal password, which makes it harder to brute-force.
What are Cognitive Passwords?
A series of challenge questions about facts or predefined responses that only the subject should know, which are later used for authentication (e.g., "What was your first pet's name?").
**The flaw is that the answers can often be found on people's social media profiles or guessed.**
What are Smartcards and Tokens?
- Smartcards: An ID or badge with an embedded integrated circuit chip that contains info about the user. Most current cards also include a microprocessor and a certificate (private key) used for encryption and authentication.
- Tokens: A password-generating device that users carry with them. The authentication server either knows what number the token is showing at any given time (synchronous) or can compute it from a counter or challenge (asynchronous). Tokens are generally used with another authentication mechanism. Tokens produce dynamic one-time passwords (OTPs) that are used only once and are no longer valid after use.
- Synchronous Dynamic Password Tokens: Time-based; the token and the authentication server share a clock and the OTP changes at fixed intervals.
- Asynchronous Dynamic Password Tokens: No clock; the OTP is generated by an algorithm from a counter (or, in challenge-response variants, from a challenge number the server sends and the user types into the token). The password stays the same until it is used.
What is Two-Step Authentication?
Adding a second authentication step on top of a username/password, such as a code sent by text message or generated by an authenticator app. (Of these, SMS codes are the weakest: they can be intercepted or redirected by SIM swapping.)
- HMAC-based One-Time Password (HOTP, RFC 4226): Computes an HMAC over a shared secret and a counter, then truncates it to a short numeric code. The code stays valid until used (the counter advances on use).
- Time-based One-Time Password (TOTP, RFC 6238): Same as HOTP but the counter is the current time divided into fixed steps (commonly 30 seconds), so each code expires when the step ends.
What are Biometrics?
Characteristics that are either physiological or behavioral and are used for authentication: fingerprints, retina scans, palm scans, keystroke patterns, etc.
- Fingerprints: Visible patterns on the fingers and thumbs of people.
- Face Scans: Geometric patterns of faces for detection and recognition.
- Retina Scans: The pattern of blood vessels at the back of the eye. The most accurate form of biometric authentication, but intrusive (and it can reveal medical conditions).
- Iris Scan: The colored area around the pupil. The 2nd most accurate form, and less intrusive than a retina scan.
- Palm Scans: Measures the vein patterns in the palm, which are as unique as fingerprints.
- Hand Geometry: Physical dimensions of the hand.
- Heart/Pulse Patterns: Measuring the heartbeat or pulse of a person to ensure a real person is providing the biometric factor.
- Voice Pattern Recognition: The characteristics of a person's speaking voice, known as a voiceprint.
- Signature Dynamics: Examines both how a subject performs the act of writing and features in a written sample.
- Keystroke Patterns: Measures how a subject uses a keyboard by analyzing flight time and dwell time.
- Flight Time: The interval between key presses (typically measured from releasing one key to pressing the next).
- Dwell Time: How long a key is held down.
What are Biometric Error Ratings?
- False Rejection Rate (FRR, Type I Error): A valid subject is not authenticated.
- False Acceptance Rate (FAR, Type II Error): An invalid subject is authenticated.
**Both rates depend on the matching threshold: loosening it lowers FRR but raises FAR, and vice versa. The Crossover Error Rate (CER), where FRR = FAR, is the standard figure for comparing biometric systems (lower is better).**
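The keystroke-dynamics factor and the error rates above, worked through end to end as an added example (not code from the flashcards): dwell and flight times are extracted from key-down/key-up events, a candidate sample is scored against the enrolled template, and the threshold is swept to find where FRR and FAR cross. All timestamps are constructed millisecond values for the password "pass" typed by the enrolled user (one enrolment plus three later attempts) and by three impostors; the L1 distance score and the sweep are illustrative choices, not a standard.

```python
"""Keystroke-dynamics matching and biometric error rates.

Added example (not from the flashcards). All timestamps are constructed
millisecond values; the distance metric and threshold sweep are illustrative.
"""

# Each event is (key, key_down_ms, key_up_ms) in typing order.
TEMPLATE = [("p", 0, 100), ("a", 180, 270), ("s", 340, 430), ("s", 500, 600)]

GENUINE = [  # the enrolled user typing again, with small timing variation
    [("p", 0, 105), ("a", 185, 280), ("s", 350, 445), ("s", 515, 620)],
    [("p", 0, 95), ("a", 170, 255), ("s", 330, 415), ("s", 480, 575)],
    [("p", 0, 100), ("a", 190, 280), ("s", 345, 435), ("s", 515, 615)],
]

IMPOSTORS = [  # other people who know the password
    [("p", 0, 140), ("a", 260, 390), ("s", 500, 640), ("s", 740, 880)],
    [("p", 0, 110), ("a", 195, 290), ("s", 360, 455), ("s", 525, 625)],
    [("p", 0, 80), ("a", 130, 200), ("s", 260, 330), ("s", 390, 470)],
]


def timings(events):
    """Dwell time = key_up - key_down for each key.
    Flight time = next key_down - this key_up (gap between keys)."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell, flight


def feature_vector(events):
    dwell, flight = timings(events)
    return dwell + flight


def distance(template, sample):
    """L1 distance in ms between two feature vectors; lower is a closer match."""
    return sum(abs(t - s) for t, s in zip(template, sample))


def error_rates(threshold, genuine_scores, impostor_scores):
    """Accept a sample when its distance <= threshold.
    FRR (Type I): genuine samples rejected. FAR (Type II): impostors accepted."""
    frr = sum(1 for s in genuine_scores if s > threshold) / len(genuine_scores)
    far = sum(1 for s in impostor_scores if s <= threshold) / len(impostor_scores)
    return frr, far


def crossover(genuine_scores, impostor_scores):
    """Sweep every observed score as a threshold and return (threshold, frr, far)
    where FRR and FAR are closest: the crossover error rate (CER)."""
    best = None
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        frr, far = error_rates(t, genuine_scores, impostor_scores)
        if best is None or abs(frr - far) < abs(best[1] - best[2]):
            best = (t, frr, far)
    return best


def evaluate():
    """Score all samples against the enrolled template and locate the CER."""
    template = feature_vector(TEMPLATE)
    genuine = [distance(template, feature_vector(e)) for e in GENUINE]
    impostors = [distance(template, feature_vector(e)) for e in IMPOSTORS]
    return genuine, impostors, crossover(genuine, impostors)


if __name__ == "__main__":
    g, i, (t, frr, far) = evaluate()
    print("genuine distances:", g)     # [20, 35, 25]
    print("impostor distances:", i)    # [280, 25, 130]
    print(f"CER at threshold {t} ms: FRR={frr:.2f} FAR={far:.2f}")
```

With this data one impostor types almost exactly like the enrolled user (distance 25), so no threshold separates the two populations cleanly: at 20 ms the system rejects two of three genuine attempts, at 35 ms it admits that impostor, and the CER sits at 25 ms with both rates at one in three. Real deployments measure these rates on far larger samples, but the trade-off is the same.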