3.8 Flashcards

1
Q

Password keys

A

This looks like a USB device (some models also work over NFC) and is used together with your password to provide multifactor authentication. An example is the YubiKey. The YubiKey FIPS series is validated to Federal Information Processing Standards (FIPS) 140-2, and a hardware authenticator of this kind can satisfy Authenticator Assurance Level 3 (AAL3), the highest level defined in NIST SP 800-63B. The key stores cryptographic credentials (private keys and one-time-password secrets) rather than your passwords themselves, and the private keys cannot be exported from it.

2
Q

password vaults

A

Password vaults (password managers) store all of your passwords in an encrypted database, either locally on the device or synchronised through a provider, so that you only need to remember one master password. The database is typically encrypted with AES-256, with the encryption key derived from the master password by a deliberately slow key-derivation function (PBKDF2, scrypt or Argon2). A vault is therefore only as secure as the master password used to protect it, because anyone who obtains a copy of the vault file can guess master passwords offline; most vaults also support multi-factor authentication to unlock.
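The unlock path of such a vault, as an added example that is not code from the page or from any password-manager product: the master password is stretched with PBKDF2 (Python's standard library; real products prefer scrypt or Argon2 and far higher work factors) into the key that would encrypt the entries, and a keyed verifier lets the vault detect a wrong master password. The `offline_guess` function plays the attacker who has stolen the vault file. The iteration count, the verifier label and the word list are constructed for the example; the AES-256 encryption of the entries themselves is not shown because it needs a third-party library.

```python
"""Password-vault unlock: master password -> KDF -> vault key, plus an offline guess.
Added example; constants and the word list are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

KDF_ITERATIONS = 100_000           # assumption: illustrative; production vaults use more, or scrypt/Argon2
VERIFIER_LABEL = b"vault-verifier"  # fixed label MAC'd under the derived key (constructed name)


def derive_vault_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 256-bit key; the salt stops precomputed tables."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def create_vault(master_password: str) -> dict:
    """Create an empty vault record. The key itself is never stored, only a verifier
    (HMAC of a fixed label under the key) so the vault can say 'wrong master password'."""
    salt = os.urandom(16)
    key = derive_vault_key(master_password, salt)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": KDF_ITERATIONS, "verifier": verifier}


def unlock_vault(vault: dict, master_password: str) -> Optional[bytes]:
    """Return the vault key if the master password is right, else None.
    The comparison is constant-time so timing does not leak how close a guess was."""
    key = derive_vault_key(master_password, vault["salt"], vault["iterations"])
    candidate = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return key if hmac.compare_digest(candidate, vault["verifier"]) else None


def offline_guess(vault: dict, wordlist: Iterable[str]) -> Optional[str]:
    """An attacker holding a copy of the vault file needs no online service at all:
    each guess costs one KDF run, so the cost is set by the KDF and the password quality."""
    for candidate in wordlist:
        if unlock_vault(vault, candidate) is not None:
            return candidate
    return None


# Constructed mini word list standing in for a real cracking dictionary.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome1", "Summer2023!", "admin"]
```

The master password is the only secret the attacker lacks; salt, iteration count and verifier are all in the stolen file. A weak master password therefore falls on the first pass through a dictionary, while a long passphrase survives only because it is not in the list, which is the property the card's "only as secure as the master password" refers to.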

3
Q

TPM

A

TPM (Trusted Platform Module) chips are normally built into the motherboard of a computer. They are used with Full Disk Encryption (FDE): the TPM holds the disk-encryption key and releases it only if the measured boot components (firmware, boot loader, and so on) match the state recorded when the disk was encrypted, so the disk cannot be unlocked by booting another operating system or by moving it to another machine. An example of FDE that uses the TPM is BitLocker.

4
Q

HSM

A

An HSM (Hardware Security Module) is a tamper-resistant device for generating, storing and using cryptographic keys. It can be a removable device attached to a computer or server via a USB connection, a PCIe card, or a network appliance shared by many servers. Private keys are generated inside the HSM and never leave it in plaintext; signing and decryption happen on the device. HSMs are also used for key escrow, where private keys held on behalf of third parties are stored in the HSM rather than on general-purpose servers.

5
Q

Knowledge-based authentication

A

This is normally used by banks, financial institutions and email providers to verify someone's identity when they ask for a password reset. There are two types of KBA, static and dynamic, each with strengths and weaknesses:
– Static KBA: questions and answers the user set up beforehand, for example, "What is the name of your first school?" These are deemed weak because the answers are often guessable or discoverable from social media and data breaches.
– Dynamic KBA: deemed more secure because the questions are not provided beforehand; they are generated at the time of the request from records about the person (credit-history or account data, for example) that the person, but not a casual attacker, should know.

6
Q

EAP

A

Extensible Authentication Protocol (EAP) is an authentication framework rather than a single method: it defines the message format over which an authentication method (such as EAP-TLS, PEAP or EAP-TTLS) is negotiated and carried. It was originally designed for point-to-point (PPP) connections and is now most commonly used with 802.1X on wired and wireless networks.

7
Q

Challenge-Handshake Authentication Protocol(CHAP)

A

Challenge-Handshake Authentication Protocol (CHAP) is used to authenticate a peer across a point-to-point link using PPP. Authentication is performed when the link is established and may optionally be repeated at any time afterwards, so that a peer swapped in mid-session can be detected. It uses a challenge/response system described as a three-way handshake:
—The authenticator sends a random challenge tagged with an identifier.
—The peer replies with a one-way hash (MD5) of the identifier, its secret and the challenge.
—The authenticator computes the same hash from its own copy of the secret and replies Success or Failure.
The secret is never sent over the link, and a fresh challenge each time means a captured response cannot be replayed; the trade-off is that the authenticator must store the secret itself rather than a salted hash of it.

CHAP uses PPP, which provides three functions:
—Encapsulate datagrams across serial links
—Establish, configure, and test links using LCP (Link Control Protocol)
—Establish and configure different network protocols using NCP (Network Control Protocol)

PPP supports two authentication protocols:
—Password Authentication Protocol (PAP)
—Challenge-Handshake Authentication Protocol (CHAP)
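The three-way handshake above, simulated in-process as an added example (not code from the page or from any PPP implementation). The response is computed as RFC 1994 specifies, MD5 over the identifier, the secret and the challenge; the peer name, secrets and identifiers are constructed. `replay_captured` plays an eavesdropper who recorded one exchange and tries to reuse it against a later challenge.

```python
"""CHAP three-way handshake (RFC 1994) between a peer and an authenticator.
Added example; names, secrets and identifiers are constructed for illustration."""
import hashlib
import hmac
import os
from typing import Dict, Tuple


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The end that issues challenges. It must hold each peer's secret in usable form,
    which is why this table is as sensitive as a password file in clear text."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.outstanding: Dict[int, bytes] = {}  # identifier -> challenge awaiting a response

    def challenge(self, identifier: int) -> bytes:
        """Step 1: a fresh, unpredictable challenge tagged with an identifier."""
        value = os.urandom(16)
        self.outstanding[identifier] = value
        return value

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Step 3: recompute the hash from the stored secret; Success only if it matches.
        The challenge is consumed here, so one challenge can be answered only once."""
        challenge = self.outstanding.pop(identifier, None)
        secret = self.secrets.get(name)
        if challenge is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


class Peer:
    """The end being authenticated."""

    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes) -> Tuple[str, bytes]:
        """Step 2: answer with the hash; the secret itself never crosses the link."""
        return self.name, chap_response(identifier, self.secret, challenge)


def run_handshake(auth: Authenticator, peer: Peer, identifier: int) -> Tuple[bool, Tuple[int, str, bytes]]:
    """Run one handshake; also return what a passive eavesdropper on the link sees."""
    challenge = auth.challenge(identifier)
    name, response = peer.respond(identifier, challenge)
    captured = (identifier, name, response)
    return auth.verify(identifier, name, response), captured


def replay_captured(auth: Authenticator, captured: Tuple[int, str, bytes]) -> bool:
    """Attacker replays a recorded response against a new challenge; it must fail."""
    identifier, name, response = captured
    auth.challenge(identifier)  # the authenticator issues a fresh challenge first
    return auth.verify(identifier, name, response)


# Constructed link secret shared out of band between the two ends.
AUTH = Authenticator({"branch-router": b"constructed-link-secret"})
GOOD_PEER = Peer("branch-router", b"constructed-link-secret")
BAD_PEER = Peer("branch-router", b"wrong-secret")
```

Because the challenge changes every time, a recorded response is useless later, which is the advantage over PAP; what a captured challenge/response pair does give an attacker is an offline guessing target for the secret, so CHAP secrets need the same strength as any other password.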

8
Q

Password Authentication Protocol

A

Password Authentication Protocol (PAP) authentication uses a two-way handshake: the peer sends its username and password across the link in clear text, and the authenticator replies with an acknowledgement or a negative acknowledgement.
PAP should be avoided wherever possible, as the password can be captured by anyone able to observe the link traffic and replayed at will; CHAP or an EAP method should be used instead.

9
Q

802.1X

A

802.1X is a port-based network access control standard. A supplicant (the client device) authenticates to an authenticator (a switch port or wireless access point), which keeps the port closed to everything except authentication traffic and relays EAP messages to an authentication server, typically RADIUS. 802.1X is commonly used on wireless access points as a port-based authentication service prior to admission to the wireless network: WPA2-Enterprise and WPA3-Enterprise (IEEE 802.11i) run 802.1X with an EAP method such as EAP-TLS or PEAP before the client is given a network key.

10
Q

RADIUS

A

Remote Authentication Dial-In User Service (RADIUS) is a protocol that was developed as an AAA (authentication, authorization and accounting) protocol between a network access server (NAS) and a central server.
RADIUS is designed as a connectionless protocol utilizing User Datagram Protocol (UDP) as its transport-level protocol. Connection-type issues, such as timeouts and retransmission, are handled by the RADIUS application instead of the transport layer. RADIUS utilizes UDP ports 1812 for authentication and authorization and 1813 for accounting functions (older deployments use 1645 and 1646). Client and server share a secret that is never sent on the wire; it is used to hide the User-Password attribute in requests and to authenticate replies, so the shared secret is the only thing protecting RADIUS traffic that is not otherwise tunnelled (for example inside IPsec or RadSec).
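An Access-Request/Access-Accept exchange built and checked in memory, as an added example (not code from the page or from any RADIUS implementation). It follows RFC 2865: the client picks a random Request Authenticator, hides User-Password with MD5 keystream blocks derived from the shared secret, and the server's reply carries a Response Authenticator that the client checks before trusting the answer. No sockets are used, so the packets are built and parsed directly; the shared secret, user database and Identifier value are constructed.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), simulated in memory.
Added example: the shared secret, user database and Identifier are constructed."""
import hashlib
import hmac
import os
import struct
from typing import Dict

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; then a 16-byte Authenticator


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block);
    the 'previous block' for the first block is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server-side inverse of hide_password; trailing NUL padding is stripped."""
    if len(hidden) % 16:
        raise ValueError("User-Password must be a multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """TLV attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attributes(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def response_authenticator(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret).digest()


def build_access_request(secret: bytes, ident: int, username: bytes, password: bytes) -> bytes:
    """NAS (client) side: random Request Authenticator and hidden password."""
    request_auth = os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(secret, request_auth, password))
    return HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(secret: bytes, users: Dict[bytes, bytes], packet: bytes) -> bytes:
    """Server side: reveal the password, check it, answer Accept or Reject."""
    _code, ident, length = HEADER.unpack(packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attributes(packet[20:length])
    password = reveal_password(secret, request_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    code = ACCESS_ACCEPT if users.get(attrs.get(ATTR_USER_NAME)) == password else ACCESS_REJECT
    return HEADER.pack(code, ident, 20) + response_authenticator(code, ident, request_auth, b"", secret)


def client_verify(secret: bytes, request: bytes, response: bytes) -> int:
    """NAS side: trust a reply only if its Response Authenticator matches the
    Request Authenticator we sent under the shared secret."""
    code, ident, length = HEADER.unpack(response[:4])
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    if not hmac.compare_digest(response[4:20], expected):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return code


def demo(attempt: bytes, secret: bytes = b"constructed-shared-secret") -> int:
    """One full exchange for user alice; returns the reply Code."""
    users = {b"alice": b"correct horse battery staple"}  # constructed user store
    request = build_access_request(secret, 7, b"alice", attempt)
    return client_verify(secret, request, server_handle(secret, users, request))
```

Two things worth noticing in the code: the password hiding is a stream of MD5 outputs, not an authenticated cipher, so its strength rests entirely on the secret being long and random; and a server configured with a different secret produces a reply the client rejects, which is how a secret mismatch shows up in practice (as "bad authenticator" errors rather than a clean failure).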

11
Q

Single sign-on(SSO)

A

Single sign-on (SSO) is a form of authentication in which a user authenticates once and that authenticated session is then trusted by other systems, typically because an identity provider passes each application a signed assertion or token about the user rather than the user's credentials. As more and more systems are combined in daily use, users would otherwise need multiple sets of credentials; a user may have to log in to three, four, five, or even more systems every day just to do her job.
With single sign-on, logging in to one system acts to log her in to all of them.
This has the advantage of reducing login hassles for the user. It also has the disadvantage of combining the authentication systems in such a way that if the single login is compromised, then all of the user's access is compromised, which is why the SSO login itself should be protected with multifactor authentication.

12
Q

Security Assertion Markup Language(SAML)

A

Security Assertion Markup Language (SAML) is a single sign-on standard for web applications that lets user identities be shared between organisations while remaining protected. It defines standards for exchanging authentication and authorization data between security domains. It is increasingly important with cloud-based solutions and Software as a Service (SaaS) applications, as it provides interoperability across identity providers.

SAML is an XML-based protocol. A "principal" (typically an end user) authenticates to a SAML authority, the identity provider (IdP), which issues a digitally signed assertion about the principal; the service provider (SP), the application the user wants to reach, verifies the signature, checks the assertion's audience and validity window, and then grants access.

13
Q

Terminal Access Controller Access Control System Plus (TACACS+)

A

TACACS+ uses TCP as its transport protocol, typically operating over TCP port 49. This port is used for the login process. Both UDP and TCP port 49 are reserved for the TACACS+ login host protocol.

TACACS+ is a protocol that takes a client/server model approach and handles authentication, authorization, and accounting (AAA) services as three separate functions, which allows per-command authorization on network devices. Unlike RADIUS, which hides only the password, TACACS+ obfuscates the entire packet body using the shared secret.

14
Q

OAuth

A

OAuth (Open Authorization) is an open protocol that allows secure, token-based authorization on the Internet from web, mobile, and desktop applications via a simple and standard method.

OAuth was created to remove the need for users to share their passwords with third-party applications, instead substituting an access token that is limited in scope. OAuth 2.0 is an authorization framework, not an authentication protocol; authentication is provided by OpenID Connect, an identity layer built on top of OAuth 2.0, which replaced the older OpenID 2.0.

15
Q

OpenID

A

OpenID, in its current form OpenID Connect (built on OAuth 2.0), allows clients of all types, including mobile, JavaScript, and web-based clients, to request and receive information about authenticated sessions and end users in the form of a signed ID token. OpenID is intended to make the process of proving who you are easier, the first step in the authentication–authorization ladder.
OpenID and OAuth are typically used together, yet have different purposes. OpenID is used for authentication, whereas OAuth is used for authorization.

16
Q

Kerberos

A

Kerberos securely passes a symmetric key over an insecure network using the Needham-Schroeder symmetric key protocol. Kerberos is built around the idea of a trusted third party, termed a key distribution center (KDC), which consists of two logically separate parts: an authentication server (AS) and a ticket-granting server (TGS). Kerberos communicates via “tickets” that serve to prove the identity of users.

17
Q

Attribute-based Access Control(ABAC)

A

In Attribute-Based Access Control (ABAC), access is restricted based on attributes of the subject, the object and the environment rather than on identity alone. John could be an executive, and some data could be restricted to only those with the executive attribute. Subject attributes usually come from directory services, such as a department, a job title or a location, so you can give different levels of control to different departments without maintaining per-user permissions.

18
Q

Role-based access Control

A

In Role-Based Access Control (RBAC), permissions are assigned to roles and users are assigned to roles, so access follows the job rather than the individual. A role is usually a subset of duties within a department. An example would be two people within the finance department who alone handle the petty cash. In IT terms, it could be that only two of the IT team administer the email server.

19
Q

Rule-Based access Control

A

In Rule-Based Access Control (sometimes written RuBAC to avoid confusion with role-based RBAC), a rule is applied to all of the people within a department. For example, contractors will only have access between 8 a.m. and 5 p.m., and the help desk people will only be able to access Building 1, where their place of work is. The rule can be time-based or some other restriction, but it applies to the whole department rather than to individuals.

20
Q

MAC

A

Mandatory access control (MAC) is "a means of restricting access to objects based on the sensitivity (as represented by a label) of the information contained in the objects and the formal authorization (i.e., clearance) of subjects to access information of such sensitivity." In this case, the owner or subject can't determine whether access is to be granted to another subject; it is the job of the operating system to decide by comparing the object's label with the subject's clearance.

21
Q

Discretionary access control(DAC)

A

Discretionary access control (DAC) is "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject." In practice this is the owner of a file or folder setting its access control list (ACL).

22
Q

Conditional Access

A

Conditional access is an access control scheme where specific conditions are examined before access is given. A condition could be the user location when accessing resources: if local, then grant access; if remote, then deny access.
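The five models on the ABAC, rule-based, MAC, DAC and conditional-access cards combined into one decision function, as an added example (not code from the page or from any product). Each model is a small check over constructed subject, resource and context records; `authorize` runs them in order and names the first one that denies. MAC is evaluated first because it is non-discretionary: an owner's ACL entry must never let a subject read above its clearance. The users, labels, ACLs and working-hours rule are all constructed for the example.

```python
"""Composite access decision covering MAC, DAC, ABAC, rule-based and conditional access.
Added example; subjects, resources, labels and rules are constructed for illustration."""
from datetime import datetime, time
from typing import Dict, Tuple

# Ordered sensitivity labels used by the MAC check (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# Rule-based: a time window applied to everyone in a department (constructed).
WORKING_HOURS = {"contractors": (time(8, 0), time(17, 0))}


def mac_allows(subject: Dict, resource: Dict) -> bool:
    """Mandatory: the system compares the subject's clearance with the object's label.
    No read-up, and neither the owner nor the subject can override the result."""
    return LEVELS[subject["clearance"]] >= LEVELS[resource["classification"]]


def dac_allows(subject: Dict, resource: Dict, action: str) -> bool:
    """Discretionary: the owner has full rights and grants others via an ACL
    keyed by user name or group name."""
    if resource["owner"] == subject["user"]:
        return True
    grantees = {subject["user"], *subject.get("groups", [])}
    return any(action in resource["acl"].get(g, set()) for g in grantees)


def abac_allows(subject: Dict, resource: Dict) -> bool:
    """Attribute-based: every attribute the resource requires (e.g. title == executive)
    must match the subject's directory attributes."""
    required = resource.get("required_attributes", {})
    return all(subject.get(k) == v for k, v in required.items())


def rule_allows(subject: Dict, now: datetime) -> bool:
    """Rule-based: one department-wide rule, here 'contractors only 08:00-17:00'."""
    window = WORKING_HOURS.get(subject["department"])
    return window is None or window[0] <= now.time() < window[1]


def conditional_allows(context: Dict) -> bool:
    """Conditional: inspect the request context; this policy allows local access only."""
    return context.get("location") == "local"


def authorize(subject: Dict, resource: Dict, action: str, context: Dict, now: datetime) -> Tuple[bool, str]:
    """Evaluate the models in order and report the first one that denies."""
    checks = [
        ("MAC", mac_allows(subject, resource)),
        ("DAC", dac_allows(subject, resource, action)),
        ("ABAC", abac_allows(subject, resource)),
        ("rule", rule_allows(subject, now)),
        ("conditional", conditional_allows(context)),
    ]
    for name, ok in checks:
        if not ok:
            return False, f"denied by {name}"
    return True, "allowed"


# Constructed directory entries and resources.
JOHN = {"user": "john", "title": "executive", "department": "finance",
        "clearance": "confidential", "groups": ["finance"]}
DAVE = {"user": "dave", "title": "contractor", "department": "contractors",
        "clearance": "confidential", "groups": ["contractors"]}
BOARD_PACK = {"owner": "cfo", "classification": "confidential",
              "acl": {"john": {"read"}, "contractors": {"read"}},
              "required_attributes": {"title": "executive"}}
TIMESHEET = {"owner": "dave", "classification": "internal", "acl": {}, "required_attributes": {}}
```

Running `authorize(JOHN, BOARD_PACK, "read", {"location": "remote"}, ...)` shows why the ordering matters for troubleshooting: John passes the label, ACL and attribute checks and is stopped only by the conditional rule, so the reason string points at the location policy rather than at a permissions problem. Classifying Dave's own timesheet "secret" while his clearance is "confidential" produces "denied by MAC" even though he owns the file, which is the defining difference between MAC and DAC.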

23
Q

Privileged Access Management

A

Privileged access management is a combination of the policies, procedures, and technologies for controlling access to and use of elevated or privileged accounts. This enables the organization to log and control privileged access across the entire environment. The primary purpose is to limit the attack surface that these accounts have, and to minimize exposure based on current operational needs and conditions.

24
Q

Filesystem permissions

A

Permissions control what a user is allowed to do with objects on a system, and rights define the actions a user can perform on the system itself.

Permissions can be applied to a specific user or group to control that user or group’s ability to view, modify, access, use, or delete resources such as folders and files.