3.7 Given a Scenario, Implement Identity and Account Management Controls Flashcards

1
Q

Identity

A

Identity and access management includes many important concepts that are tested on the CompTIA Security+ exam. Users claim an identity with a username and prove their identity by authenticating (such as with a password). They are then granted access to resources based on their proven identity.

2
Q

Identity providers (IdP)

A

An identity provider (IdP) is a service that stores and manages digital identities. Companies use these services to allow their employees or users to connect with the resources they need. They provide a way to manage access, adding or removing privileges, while security remains tight.

3
Q

Attributes

A

Authentication attributes help identify a user or a device based on characteristics or traits. These are rarely used on their own but instead are used with one or more authentication factors.

4
Q

Certificates

A

Certificates are digital files that support cryptography for increased security. The embedded certificate allows the use of a complex encryption key and provides much more secure authentication than is possible with a simple password. Additionally, the certificate can be used with digital signatures and data encryption.

5
Q

Tokens

A

A token key (sometimes called a key fob or just a token) is an electronic device about the size of a remote key for a car. You can easily carry token keys in a pocket or purse or connect them to a key chain. They include a liquid crystal display (LCD) that displays a number, and this number changes periodically, such as every 60 seconds. They are sometimes called hardware tokens to differentiate them from logical or software tokens.

6
Q

SSH keys

A

An SSH key is a secure access credential used in the Secure Shell (SSH) protocol. SSH keys use key pairs based on public key infrastructure (PKI) technology, the gold standard for digital identity authentication and encryption, to provide a secure and scalable method of authentication.

7
Q

Smart cards

A

Smart cards are credit card-sized cards that have an embedded microchip and a certificate. Users insert the smart card into a smart card reader, similar to how someone would insert a credit card into a credit card reader. The smart card reader reads the card’s information, including the details from the certificate, which provides certificate-based authentication.

8
Q

Account types

A

Credential policies define login policies for different personnel, devices, and accounts. This includes items in the something you know factor (such as passwords) or any other factor or combination of factors. It’s common for an organization to apply credential policies differently to different types of accounts.

9
Q

User account

A

Most accounts are for regular users or the personnel working in the organizations. Administrators create these accounts and then assign appropriate privileges based on the user’s job responsibilities. It’s common to assign a basic credential policy that applies to all personnel. This could be a password policy defining things like the minimum password length, password history, and account lockout policies.

10
Q

Shared and generic

A

An organization can create a regular user account that temporary workers will share. Shared accounts are discouraged for normal work. However, if a temp agency is sending someone different every day, a shared account may provide a better solution than a guest account because access can be tailored for the shared account. Basic credential policies apply to shared and generic accounts.

11
Q

Guest accounts

A

Windows operating systems include a Guest account. These are useful if you want to grant someone limited access to a computer or network without creating a new account. For example, imagine an organization contracts with a temp agency to have someone do data entry. The agency may send a different person every day. Enabling the Guest account for this person would be simpler than creating a new account every day. Administrators commonly disable the Guest account and only enable it in special situations.

12
Q

Service accounts

A

Some applications and services need to run under the context of an account, and a service account fills this need. As an example, SQL Server is a database application that runs on a server, and it needs access to resources on the server and the network.

13
Q

Password Complexity

A

One method used to make passwords more secure is to require them to be complex and strong. A strong password is of sufficient length, doesn’t include words found in a dictionary or any part of a user’s name, and combines at least three of the four following character types:

Uppercase characters (26 letters A–Z)
Lowercase characters (26 letters a–z)
Numbers (10 numbers 0–9)
Special characters (such as !, $, and *)

14
Q

Password history

A

A password history system remembers past passwords and prevents users from reusing them. It’s common for password policy settings to remember the last 24 passwords and prevent users from reusing them until they’ve used 24 new passwords.

When using password history, it’s common to use the minimum password age setting. Imagine this is set to 1 day, and the password history is set to 24. After users change their password, they can’t change it again until a day has passed. It’ll take them 24 days of changing their password every day before they can reuse the original password.

15
Q

Password reuse

A

Many users would prefer to use the same password forever simply because it’s easier to remember. Even when technical password policies force users to change their passwords, many users simply change them back to the original password. Unfortunately, this significantly weakens password security.

16
Q

Network location

A

A network location is a profile that includes a collection of network and sharing settings applied to the network you are connected to.

17
Q

Geofencing

A

The use of GPS or RFID technology to create a virtual geographic boundary, enabling software to trigger a response when a mobile device enters or leaves a particular area.

18
Q

Geotagging

A

Assigning a geotag or geotags to a digital photograph or video, a posting on social media, etc.

19
Q

Geolocation

A

Geolocation is a group of technologies used to identify a user’s location and is the most common method used in this factor. Many authentication systems use the Internet Protocol (IP) address for geolocation. The IP address provides information on the country, region, state, city, and sometimes even the zip code.

20
Q

Time-based logins

A

Time-based logins (sometimes referred to as time-of-day restrictions) ensure that users can only log on to computers during specific times. If a user tries to log on to a system outside the restricted time, the system denies access to the user.

As an example, imagine a company operates between 8:00 a.m. and 5:00 p.m. on a daily basis. Managers decide they don’t want regular users logging on to the network except between 6:00 a.m. and 8:00 p.m., Monday through Friday. You could set time-of-day restrictions for user accounts to enforce this. If a user tries to log on outside the restricted time (such as during the weekend), the system prevents the user from logging on.

21
Q

Access policy

A

High-level requirements that specify how access is managed and who may access information under what circumstances.

22
Q

Account permissions

A

Permission auditing reviews help ensure that users have only the access they need and no more and can detect privilege creep issues.

23
Q

Account audits

A

An account audit looks at the rights and permissions assigned to users and helps enforce the least privilege principle. The audit identifies the privileges (rights and permissions) granted to users and compares them against what the users need. It can detect privilege creep, a common problem that violates the principle of least privilege.

24
Q

Impossible travel time/risky login

A
25
Q

Lockouts

A

Permission auditing reviews help ensure that users have only the access they need and no more and can detect privilege creep issues.

26
Q

Disablement

A

Many organizations have a disablement policy that specifies how to manage accounts in different situations. For example, most organizations require administrators to disable user accounts as soon as possible when employees leave the organization. Additionally, it’s common to disable default accounts (such as the Guest account mentioned previously) to prevent them from being used.