3.8

Question 1

Password keys

Answer 1

This looks like a USB device and works in conjunction with your password to provide multifactor authentication. An example of this is YubiKey. YubiKey is a Federal Information Processing Standards (FIPS) 140-2 validation that provides the highest-level Authenticator Assurance Level 3 (AAL3) used for storing passwords.

Question 2

password vaults

Answer 2

Password vaults are stored locally on the device and store all of your passwords so that you don’t need to remember them. The password vault uses AES-256 encryption, so it makes storage secure. A vault is only as secure as the master password that is used to protect the vault itself and normally employs multi-factor authentication.

Question 3

TPM

Answer 3

TPM chips are normally built into the motherboard of a computer, and they are used when you are using Full Disk Encryption (FDE). An example of FDE would be Bitlocker.

Question 4

HSM

Answer 4

An HSM can be a removable device that can be attached to a computer or server via a USB connection. They are also used to store encryption keys, a key escrow that holds the private keys for third parties and stores them in an HSM.

Question 5

Knowledge-based authentication

Answer 5

This is normally used by banks, financial institutions, or email providers to identify someone when they want a password reset. There are two different types of KBA, dynamic and static, and they have their strengths and weaknesses:
– Static KBA: These are questions that are common to the user. For example, “What is the name of your first school?” and these are deemed pretty weak.
– Dynamic KBA: These are deemed to be more secure because they do not consist of questions provided beforehand.

Question 6

EAP

Answer 6

Extensible Authentication Protocol (EAP) is an authentication framework allowing point-to-point connections. These are commonly used with wireless communication.

Question 7

Challenge-Handshake Authentication Protocol(CHAP)

Answer 7

Challenge-Handshake Authentication Protocol (CHAP) is used to provide authentication across a point-to-point link using PPP. In this protocol, authentication after the link has been established is not mandatory. CHAP is designed to provide authentication periodically through the use of a challenge/response system sometimes described as a three-way handshake.

CHAP uses PPP, which supports three functions:
—Encapsulate datagrams across serial links
—Establish, configure, and test links using LCP (Link Control Protocol)
—Establish and configure different network protocols using NCP (Network Control Protocol)

PPP supports two authentication protocols:
—Password Authentication Protocol (PAP)
—Challenge-Handshake Authentication Protocol (CHAP)

Question 8

Password Authentication Protocol

Answer 8

Password Authentication Protocol (PAP) authentication involves a two-way handshake in which the username and password are sent across the link in clear text.
PAP should be avoided at all costs as the passwords are transmitted as clear text and can be easily captured.

Question 9

802.1X

Answer 9

802.1X is an authentication standard that supports port-based authentication services between a user and an authorization device, such as an edge router. 802.1X is commonly used on wireless access points as a port-based authentication service prior to admission to the wireless network. 802.1X over wireless uses either 802.11i or an EAP-based protocol, such as EAP-TLS or PEAP-TLS.

Question 10

RADIUS

Answer 10

Remote Authentication Dial-In User Service (RADIUS) is a protocol that was developed as an AAA protocol.
RADIUS is designed as a connectionless protocol utilizing User Datagram Protocol (UDP) as its transport-level protocol. Connection-type issues, such as timeouts, are handled by the RADIUS application instead of the transport layer. RADIUS utilizes UDP ports 1812 for authentication and authorization and 1813 for accounting functions.

Question 11

Single sign-on(SSO)

Answer 11

Single sign-on (SSO) is a form of authentication that involves the transferring of credentials between systems. As more and more systems are combined in daily use, users are forced to have multiple sets of credentials. A user may have to log in to three, four, five, or even more systems every day just to do her job.
Single sign-on allows a user to transfer her credentials so that logging in to one system acts to log her in to all of them.
This has the advantage of reducing login hassles for the user. It also has the disadvantage of combining the authentication systems in such a way that if one login is compromised, then all of the user’s logins are compromised.

Question 12

Security Assertion Markup Language(SAML)

Answer 12

Security Assertion Markup Language (SAML) is a single sign-on capability used for web applications to ensure user identities can be shared and are protected. It defines standards for exchanging authentication and authorization data between security domains. It is becoming increasingly important with cloud-based solutions and with Software as a Service (SaaS) applications, as it ensures interoperability across identity providers.

SAML is an XML-based protocol that uses security tokens and assertions to pass information about a “principal” (typically an end user) to a SAML authority (an “identity provider” or IdP) and the service provider (SP).

Question 13

Terminal Access Controller Access Control System Plus (TACACS+)

Answer 13

TACACS+ uses TCP as its transport protocol, typically operating over TCP port 49. This port is used for the login process. Both UDP and TCP port 49 are reserved for the TACACS+ login host protocol.

TACACS+ is a protocol that takes a client/server model approach and handles authentication, authorization, and accounting (AAA) services.

Question 14

OAuth

Answer 14

OAuth (Open Authorization) is an open protocol that allows secure, token-based authorization on the Internet from web, mobile, and desktop applications via a simple and standard method.

OAuth was created to remove the need for users to share their passwords with third-party applications, instead substituting a token. OAuth 2.0 expanded this into also providing authentication services, so it can eliminate the need for OpenID.

Question 15

OpenID

Answer 15

OpenID allows clients of all types, including mobile, JavaScript, and web-based clients, to request and receive information about authenticated sessions and end users. OpenID is intended to make the process of proving who you are easier, the first step in the authentication–authorization ladder.
OpenID and OAuth are typically used together, yet have different purposes. OpenID is used for authentication, whereas OAuth is used for authorization.

Question 16

Kerberos

Answer 16

Kerberos securely passes a symmetric key over an insecure network using the Needham-Schroeder symmetric key protocol. Kerberos is built around the idea of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an authentication server (AS) and a ticket-granting server (TGS). Kerberos communicates via “tickets” that serve to prove the identity of users.

Question 17

Attribute-based Access Control(ABAC)

Answer 17

In Attribute-Based Access Control (ABAC), access is restricted based on an attribute in the account. John could be an executive and some data could be restricted to only those with the executive attribute. This is a user attribute from the directory services, such as a department or a location. You may wish to give different levels of control to differentdepartments

Question 18

Role-based access Control

Answer 18

This is a subset of duties within a department. An example would be two people within the finance department who only handle the petty cash. In IT terms, it could be that only two of the IT team administer the email server.

Question 19

Rule-Based access Control

Answer 19

In Rule-Based Access Control (RBAC), a rule is applied to all of the people within a department, for example, contractors will only have access between 8 a.m. and 5 p.m., and the help desk people will only be able to access Building 1, where their place of work is. It can be time-based or have some sort of restriction, but it applies to the whole department.

Question 20

MAC

Answer 20

a mandatory access control is “a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity.” In this case, the owner or subject can’t determine whether access is to be granted to another subject; it is the job of the operating system to decide.

Question 21

Discretionary access control(DAC)

Answer 21

DACs are “a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject.”

Question 22

Conditional Access

Answer 22

Conditional access is an access control scheme where specific conditions are examined before access is given. A condition could be the user location when accessing resources: if local, then grant access; if remote, then deny access.

Question 23

Privileged Access Management

Answer 23

Privileged access management is a combination of the policies, procedures, and technologies for controlling access to and use of elevated or privileged accounts. This enables the organization to log and control privileged access across the entire environment. The primary purpose is to limit the attack surface that these accounts have, and to minimize exposure based on current operational needs and conditions.

Question 24

Filesystem permissions

Answer 24

Permissions control what a user is allowed to do with objects on a system, and rights define the actions a user can perform on the system itself.

Permissions can be applied to a specific user or group to control that user or group’s ability to view, modify, access, use, or delete resources such as folders and files.