3.8 Authentication & Authorization

Question 1

Define password key

Answer 1

A physical device that must be plugged into a USB port to authenticate

Question 2

Advantages of using a password vault (3)

Answer 2

1. More secure to have multiple passwords to access different services than a single password SSO
2. Vault is encrypted to harden access in case it is compromised
3. Portable - users can access it from nearly any location

Question 3

How is HSM implemented for enterprise security?

Answer 3

Hardware-based device that provides centralized storage and management of all the keys used by an enterprise, can be used for encryption and to generate secrets or private keys

Question 4

Define Knowledge based authentication (KBA)

Answer 4

Asks predefined question that only the true person would know or looks up data to ask a person

Question 5

2 Types of KBA

Answer 5

1. Static - a preconfigured question/answer
2. Asks questions based on public or private information, such as what was the street number of house you lived in previously

Question 6

Define PAP authentication (2)

Answer 6

1. Password authentication protocol
2. No encryption - plaintext

Question 7

Define CHAP (2)

Answer 7

1. Challenge Handshake Authentication Protocol
2. Encrypted authentication

Question 8

Define MS-CHAP (2)

Answer 8

1. Microsoft’s CHAP implementation
2. MS-CHAP & MS-CHAP V2 should not be used due to weak encryption

Question 9

Name 3 secure authentication protocols used with PPTP

Answer 9

1. L2TP
2. IPsec
3. 802.1X

Question 10

Define TACACS+ (2)

Answer 10

1. Terminal Controller Access-Control System
2. AAA alternative to RADIUS

Question 11

Define Kerberos (3)

Answer 11

1. Most complex and robust AAA
2. Provides SSO capabilities
3. Uses mutual authentication between client & server

Question 12

Define Security Assertion Markup Language (SAML) (2)

Answer 12

1. Provides both authentication and authorization
2. Third-party (Federated) authentication & authorization

Question 13

Define 802.1X (3)

Answer 13

1. Network Access Control - authenticates access to use network
2. Commonly integrated with EAP
3. Commonly used for wireless networks, but can be used for wired as well

Question 14

Define OAuth and OpenID

Answer 14

1. Typically used in conjunction
2. OpenID provides authentication and OAuth provides authorization

Question 15

Define MAC model for access control (4)

Answer 15

1. Mandatory Access Control
2. Separate security levels are configured and then all objects are assigned a security level
3. Users are all assigned a security level and can access objects at or below their security level
4. Common in highly secured organizations or government

Question 16

Define DAC model for access control (2)

Answer 16

1. Discretionary access control
2. The user who creates an object is the owner of that object and assigns rights and permissions to it

Question 17

Define Role-based model for access control (2)

Answer 17

1. Commonly used in large organizations
2. Admins assign users to roles and roles are assigned permissions

Question 18

Define ABAC model for access control (2)

Answer 18

1. Attribute-based Access Control
2. Various attributes are used to determine access to resources, such as time of day, source IP address, etc

Question 19

Define Rule-based Access Control

Answer 19

A generic term for access control where an administrator defines the rules for access to objects

Question 20

Define conditional access model for access control (2)

Answer 20

1. Used in cloud-based systems
2. Evaluates a variety of conditions to determine if access to services is allowed

Question 21

Define Privileged access management (PAM) model for access control

Answer 21

A centralized digital vault is used and users checkout privileged access to systems/resources that is valid for a limited time