3.8 Given a Scenario, Implement Authentication and Authorization Solutions Flashcards

1
Q

Authentication management

A

Authentication proves an identity with some type of credentials, such as a username and password. For example, identification occurs when users claim (or profess) their identity with identifiers such as usernames or email addresses. Users then prove their identity with authentication, such as with a password. In this context, a user’s credentials refer to both a claimed identity and an authentication mechanism.

2
Q

Password keys

A

Password keys are used to reset passwords on systems. They are commonly a bootable optical disc or bootable USB flash drive. After rebooting the system to the device, they allow you to recover or reset all user and administrator passwords. These are useful to users who have forgotten their passwords. They are also helpful to forensic experts who need to access computers without knowing the passwords. Of course, they are also valuable for attackers who have stolen computers, such as laptops.

3
Q

Password vaults

A

A password vault (or password manager) is a single source designed to keep most of your passwords. Instead of requiring you to memorize many different passwords, you only need to remember the password to open the vault. It keeps these passwords in an encrypted format, preventing unauthorized users from seeing them.

4
Q

Trusted platform module (TPM)

A

The Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations.

5
Q

Hardware Security Module (HSM)

A

A physical computing device that safeguards and manages cryptographic keys and provides cryptographic processing. An HSM is or contains a cryptographic module.

6
Q

Knowledge-based authentication

A

Some organizations use knowledge-based authentication (KBA) to prove the identity of individuals. There are two types: static KBA and dynamic KBA. Static KBA is typically used to verify your identity when you’ve forgotten your password. After creating your account (or when you create your account), you’re prompted to answer questions about yourself, such as your first dog’s name or your mother’s maiden name. Later, when you try to retrieve a forgotten password, you’re first prompted to answer the same questions. Dynamic KBA identifies individuals without an account. Organizations use this for high-risk transactions, such as with a financial institution or a health care company. The site queries public and private data sources, such as credit reports or third-party organizations. It then crafts multiple-choice questions that only the user would know and often includes an answer similar to “none of these apply.”

7
Q

Authentication/Authorisation

A

If you understand identification (claiming an identity, such as with a username) and authentication (proving the identity, such as with a password), it’s easier to add in the other two elements of AAA—authorization and accounting.

If users can prove their identity, that doesn’t mean that they are automatically granted access to all resources within a system. Instead, users are granted authorization to access resources based on their proven identity. This can be as simple as granting a user permission to read data in a shared folder.

8
Q

Extensible authentication protocol (EAP)

A

The Extensible Authentication Protocol (EAP) is a protocol for wireless networks that expands the authentication methods used by the Point-to-Point Protocol (PPP), a protocol often used when connecting a computer to the internet. EAP is used on encrypted networks to provide a secure way to send identifying information to provide network authentication.

9
Q

Challenge-Handshake Authentication Protocol (CHAP)

A

CHAP (Challenge-Handshake Authentication Protocol) is a challenge-and-response authentication method that Point-to-Point Protocol (PPP) servers use to verify the identity of a remote user.

10
Q

Password authentication protocol (PAP)

A

PAP, or password authentication protocol, is a point-to-point protocol (PPP) authentication method that uses passwords to validate users. It is an internet standard (RFC 1334), password-based authentication protocol. Using PAP, data is not encrypted. It is sent to the authentication server as plain text.

11
Q

802.1x

A

802.1X defines a port-based network access control and authentication protocol that prevents unauthorized clients from connecting to a LAN through publicly accessible ports unless they are properly authenticated.

12
Q

RADIUS

A

Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that authorizes and authenticates users who access a remote network. A protocol is a collection of rules that control how something communicates or operates.

13
Q

Single sign on (SSO)

A

Single sign-on (SSO) refers to a user’s ability to log on once and access multiple systems without logging on again. SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down. It’s also much more convenient for users to access network resources if they only have to log on one time.

14
Q

Security Assertion markup language (SAML)

A

Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)–based data format used for SSO on web browsers. Imagine two websites hosted by two different organizations. Normally, a user would have to provide different credentials to access either website. However, if the organizations trust each other, they can use SAML as a federated identity management system. Users authenticate with one website and are not required to authenticate again when accessing the second website.

15
Q

Terminal access controller access control system plus (TACACS+)

A

Terminal Access Controller Access Control System Plus (TACACS+) is an access control protocol used to authenticate a user logging into the network. The original TACACS is a simple username/password system.

16
Q

OAUTH

A

OAuth is an open standard for authorization many companies use to provide secure access to protected resources. Instead of creating a different account for each website you access, you can often use the same account you’ve created with Google, Facebook, PayPal, Microsoft, or Twitter. You can think of OAuth as open authorization.

17
Q

OpenID

A

OpenID is an authentication standard maintained by the OpenID Foundation. An OpenID provider holds the user’s credentials, and websites that support OpenID prompt users to enter their OpenID. Imagine Homer created an OpenID identifier on the myopenid.com website as homer.myopenid.com. When prompted, he would enter his identifier and then click Sign in. He’ll then be redirected to the provider’s website (myopenid.com in this example). Homer enters his password to authenticate. In some cases, the OpenID provider prompts you to give the website other information, and Homer can allow or deny the release of this additional information. This page shows how the process works: http://openidexplained.com/use.

18
Q

Kerberos

A

Kerberos is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms. It was originally developed at MIT (the Massachusetts Institute of Technology) for Unix systems and later released as a request for comments (RFC). Kerberos provides mutual authentication that can help prevent on-path attacks (also known as man-in-the-middle attacks) and uses tickets to help prevent replay attacks.

Kerberos uses symmetric-key cryptography to prevent unauthorized disclosure and to ensure confidentiality.

19
Q

Attribute-based access control (ABAC)

A

Attribute-based access control (ABAC) evaluates attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses policies to evaluate attributes and grants access when the system detects a match in the policy. As a simple example, Homer is a Nuclear Safety Inspector at the Springfield Nuclear Power Plant. His user account may be defined with the following attributes: employee, inspector, and nuclear aware. A file server at the plant includes a share called Inspector, and it holds documents commonly used by nuclear safety inspectors. An ABAC policy for the share might grant access to the share for any subjects that have the attributes of employee, inspector, and nuclear aware.

20
Q

Rule-based access control

A

Rule-based access control (rule-BAC) uses rules. The most common example is with rules in routers or firewalls. However, more advanced implementations cause rules to trigger within applications, too. Routers and firewalls use rules within access control lists (ACLs). These rules define the traffic that the devices allow into the network, such as allowing Hypertext Transfer Protocol (HTTP) traffic for web browsers. These rules are typically static. In other words, administrators create the rules, and the rules stay the same unless an administrator changes them again.

21
Q

Mandatory access control

A

The mandatory access control (MAC) scheme uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access scheme blocks access.

22
Q

Discretionary access control

A

In the discretionary access control (DAC) scheme, objects (such as files and folders) have an owner, and the owner establishes access for the objects. Many operating systems, such as Windows and most Unix-based systems, use the DAC scheme. A common example of the DAC scheme is the New Technology File System (NTFS) used in Windows. NTFS provides security by allowing users and administrators to restrict access to files and folders with permissions. NTFS is based on the DAC scheme, and the following section explains how it uses the DAC scheme.

23
Q

Conditional access

A

Microsoft has implemented Conditional Access within Azure Active Directory environments. It can be used with traditional access control schemes but adds additional capabilities to enforce organizational policies. Conditional Access uses policies, which are if-then statements. As a simple example, imagine several shares on a server hold sensitive documents related to the nuclear power plant. In addition to protecting these shares with traditional permissions, administrators create a Conditional Access policy that requires users to log on with multifactor authentication (MFA) to access them. Homer has permission to access these shares, and when he tries to access one of them, the policy checks to see if he used MFA. If so, he’s granted access, but if not, the policy blocks his access. Conditional Access policies use signals, which are similar to attributes in an ABAC scheme.

24
Q

Privileged access management (PAM)

A

Privileged access management (PAM, sometimes called privileged account management) allows an organization to apply more stringent security controls over accounts with elevated privileges, such as administrator or root-level accounts. PAM implements the concept of just-in-time administration. In other words, administrators don’t have administrative privileges until they need them.

25
Q

File system Permissions

A

Linux uses filesystem permissions, consisting of read, write, and execute permissions. Microsoft systems also use filesystem permissions with NTFS. The following bullets describe basic NTFS permissions.