3.7 Flashcards

1
Q

Identity

A

Each person needs some form of identification so that they can prove who they are; this could be a username, smart card, or some sort of biometric control. It needs to be unique to the person using that form of identity.

2
Q

Identity provider

A

An identity provider (IdP) is an entity that can validate the credentials that are presented. The identification could be a certificate, a token, or details such as a username and password. An IdP is used by cloud providers that use federation services to validate the identity of a user. An example of this is using SAML to pass credentials to the IdP so that it can validate the user's identity.

3
Q

Attributes

A

This is a unique variable that the user has in their account details, for example, an employee ID.

4
Q

Certificates

A

This is a digital certificate where two keys are generated, a public key and a private key. The private key is used for identity.

5
Q

Tokens

A

This is a digital token that can either be a SAML token used for federation services or a token used by Open Authentication (OAuth).

6
Q

SSH keys

A

These are typically used by an administrator for secure authentication to a remote Linux server, instead of using username and password. First, a key pair (private and public key) is generated. The public key is stored on the server, with the private key remaining on the administrator’s desktop.

7
Q

Smart Cards

A

A credit-card-sized token with a certificate embedded on a chip; it is used in conjunction with a PIN.

8
Q

User Account

A

A user account, also known as a standard user account, has no real access. Such users cannot install software – the account gives them limited access to the computer system. There are two types of user accounts – those that are local to the machine, and those that access a domain. A domain is another name for a large group of users.

9
Q

Shared and generic accounts/credentials

A

Shared Account: When a group of people performs the same duties, such as members of customer services, they can use a shared account. If you need to set up monitoring or auditing of individual employees, you must eliminate the practice of using shared accounts.

Generic accounts are default administrative accounts created by manufacturers for devices ranging from baby alarms to smart ovens and smart TVs. They all have default usernames and passwords. We should rename the default account name and change the password.

10
Q

Guest Accounts

A

A guest account is a legacy account that was designed to give limited access to a single computer without the need to create a user account. It is normally disabled as it is no longer useful, and some administrators see it as a security risk.

11
Q

Service Accounts

A

When software is installed on a computer or server, it needs a higher level of privilege to run, but at the same time we want an administrative account with less privilege than a full administrator; the service account fits the bill. An example of this is an account used to run an anti-virus application.

TIP
A service account is a type of administrator account used to run an application.

12
Q

Account Policies

A

An account policy can act to ensure that the necessary steps are taken to enact a secure password solution, both by users and by the password infrastructure system.

13
Q

Password Complexity

A

Complex passwords (sometimes known as strong passwords) are formatted by choosing three of the following four groups:

a. Lowercase: For example, a, b, and c
b. Uppercase: For example, A, B, and C
c. Numbers: For example, 1, 2, and 3
d. Special Characters Not Used in Programming: For example, $ and @

If I choose the password P@$$w0rd, it contains characters from all four groups, but it would be cracked very quickly, as most password crackers replace the letter o with a zero and the letter a with the @ sign.

14
Q

Password History

A

This prevents someone from simply reusing the same password. The maximum number that can be remembered is 24 passwords, as set in the screenshot. This means that, after I set my first password, I would need to use another 24 passwords before I could use it again.

15
Q

Password reuse

A

Password reuse is a term used in the exam that means the same as password history. Both prevent someone from reusing the same password. Password history is the term used for a Windows operating system, and password reuse for any other product. An example of this could be a smartphone or an email application.

16
Q

Network Location

A

Having restrictions for accounts based on the network location can be a very powerful tool in limiting attack surfaces against privileged accounts.

17
Q

Time-Based logins

A

Time-Based One-Time Password (TOTP): A TOTP requires time synchronization because the password needs to be used in a very short period, normally between 30 and 60 seconds. In the following diagram, we can see the TOTP that has come to a phone.

18
Q

Access Policies

A

Access policies are a set of policies to assist in the management of the access control system. From simple policies covering password use, password length, expiration, and lockout, to more complex issues such as account expiration, recovery, and disablement, these directives provide the guidance for security personnel to manage access systems.

19
Q

Account Permissions

A

Developing a policy for account permissions provides just that guidance to those who are implementing the access control schemes. Data owners may wish to determine who has what rights to their data, but trying to keep up with the details, on an account-by-account basis, is a pathway to failure. This has led to groups, roles, and rules being used to manage the details, but these are guided by policies.

20
Q

Account Audits

A

Account audits are like all other audits—they are an independent verification that the policies associated with the accounts are being followed. An independent auditor can check all of the elements of policies.

21
Q

Impossible Travel time/risky login

A

Correct logins to an account can record many elements of information, including where the login came from. This “where” can be a machine in a network, or even a geographic location. Using this metadata, some interesting items can be calculated. Should a login occur from a separate location where the user is already logged in, is it possible for the user to be in two locations at the same time?

22
Q

Lockout

A

Account lockout is akin to disablement, although lockout typically refers to temporarily blocking the user’s ability to log in to a system.

23
Q

Disablement

A

Account disablement is a step between the account having access and the account being removed from the system. Whenever an employee leaves a firm, all associated accounts should be disabled to prevent further access by the ex-employee. Disabling is preferable to removal, as removal may result in permission and ownership problems.