4.0 - Identity and Access Management Flashcards

1
Q

How often does Identification happen?

A

Identification is the process of ascribing a computer ID to a specific user, computer, network device, or computer process. It tends to happen only once, as that entity is brought into the network.

2
Q

What is AAA?

A

AAA stands for:

  • Authentication - verifying identity (login)
  • Authorization - permitting or denying access (rights and permissions)
  • Accounting - tracking resource usage (log files?)
3
Q

What are the five broad categories of multi-factor authentication?

A

Multi-factor authentication can include:

  • What you are (biometrics)
  • What you have (token)
  • What you know (password)
  • Somewhere you are (geolocation)
  • Something you do (physical performance)
4
Q

What is Identity Federation?

A

Federation, or Identity Federation, defines the policies, protocols and practices used to manage identities across systems and organizations.

5
Q

What are the advantages of SSO?

A

For the user, SSO reduces how often they will have to authenticate.

For the organization, SSO can lock a user out of all systems if one is compromised.

6
Q

What is a Transitive Trust relationship?

A

In a Transitive Trust Relationship, System A enters into a trust relationship with System B. Because System B already trusted System C, System A now also trusts System C. This is inherited trust.

7
Q

What are the types of accounts?

A

Accounts:

  • Shared / Generic
  • Guest
  • Service
  • Privileged
8
Q

What auditing method is good at finding compromises and attacks?

A

Audits of failed login attempts.

9
Q

What drives the application of account management?

A

Policies, defined by the business side of the house, should be the driving force behind account management decisions.

10
Q

What is Account Maintenance?

A

Account Maintenance is the routine screening of all attributes of an account. It asks whether the account is still valid and whether its access rights are still correct.

11
Q

When might Location Based Policies be useful?

A

Location Based Policies may be a good idea for remote access, or organizations with many locations.

12
Q

What is Credential Management?

A

Credential Management is a process, service or software used to store and manage user credentials.

13
Q

What pros and cons does NIST indicate about password rules?

A

In June 2017, a NIST report stated that complexity rules designed to force entropy into passwords do so at the risk of user behavior such as writing passwords down or versioning them.

Nonetheless, the standard is to enforce minimum length, and three of the four: upper case, lower case, numbers and special characters.

14
Q

Who should inform the security team about employee departures?

A

First-line management should inform security when an employee leaves the organization. HR should be a back-stop, not the primary source.

15
Q

Why does a system need a minimum password age?

A

Minimum password age keeps a user from cycling through a number of passwords so that their preferred password is no longer in the password history.

16
Q

What is Recertification?

A

Recertification is the process of verifying that all users are still employed and still require accounts.

17
Q

An employee has left the organization. What should be done?

A

Their account should be disabled (not deleted).

18
Q

How does LDAP connect?

A

LDAP connects to a Directory System Agent (DSA) on TCP/UDP 389.

LDAPS (LDAP over SSL) connects on port 636.

19
Q

How does Kerberos authentication work?

A
  1. The user presents credentials and gets a TGT (Ticket-Granting Ticket) from the KDS (Key Distribution Server).
  2. The user presents the TGT and a request for services to the KDS.
  3. The KDS verifies the request and issues a Client-to-Server ticket.
  4. The user presents the Client-to-Server ticket to the requested service.

All transactions are encrypted, making the system safe.

20
Q

What is TACACS+ used for?

A

Typically TACACS+ is used for admin access to routers and firewalls.

It typically runs on TCP port 49.

TACACS+ is not backwards compatible with TACACS. It has good separation of authentication, authorization and accounting functions.

Communications are encrypted with a shared secret that is manually set on devices and never transmitted over a connection.

21
Q

How does TACACS+ authentication work?

A

TACACS+ can use many types of authentication. Typically, a remote connection is made to a NAS (Network Access Server) on the remote network. The NAS authenticates the user, then sends a START message to the requested device. Communication between the user and the requested device then begins.

Commands used are START, REPLY and CONTINUE.

23
Q

Describe TACACS+ Authorization.

A

TACACS+ Authorization can occur before authentication, in which case “unknown user” is used. Once authenticated, credentials are passed to authorization.

A REQUEST is made for a service; the RESPONSE may include time and IP restrictions.

24
Q

Describe TACACS+ Accounting.

A

Like Authentication and Authorization, Accounting is optional in TACACS+.

It uses three record types (not message types): START, STOP and UPDATE. The time, user and process are noted for each. UPDATE records note that a task is still being performed.

25
Q

What authentication methods does PPP support?

A

PPP supports these types of authentication:

  • PAP (uses cleartext)
  • CHAP (is secure)
26
Q

What features does PPP have that makes CHAP authentication possible?

A

PPP supports these functions for CHAP:

  • Encapsulated datagrams
  • Establish test links using Link Control Protocol
  • Establish different network protocols using NCP (Network Control Protocol)
27
Q

PAP vs. CHAP

A

PAP uses cleartext and is now deprecated. CHAP is secure.

28
Q

Describe MSCHAP.

A

MSCHAP is the Microsoft version of CHAP. Version 1 is deprecated. MSCHAPv2 offers mutual authentication.

29
Q

Is RADIUS traffic secure?

A

Traffic between RADIUS servers (typically a NAS) is secured with a manually-entered key.

Traffic from the PC to the RADIUS server is typically not encrypted.

30
Q

What is RADIUS accounting designed for?

A

RADIUS was designed during the dialup era. As a result, its accounting functions are designed primarily to collect data for user billing.

31
Q

What is SAML?

A

SAML (Security Assertion Markup Language) is an SSO standard for web applications. It defines methods to share credentials between security domains.

SAML is popular with SaaS applications.

32
Q

What does OAuth do?

A

OAuth (Open Authentication) allows companies such as Google, Facebook and Twitter to permit users to share account information with third-parties.

Did you log in to a website using your FB credentials? That used OAuth.

33
Q

How does OpenID work with OAuth?

A

OpenID allows systems to request information about authenticated sessions and end users. This begins the authentication step for OAuth 2.0.

34
Q

What is Shibboleth?

A

Shibboleth is a federated SSO service, based around SAML, which has not gained much acceptance.

35
Q

How do Secure Tokens work?

A

Secure token process:

  1. User requests access with credentials
  2. Secure token service validates
  3. Secure token is provided to user
  4. Client stores the token and includes it with all requests.
  5. Server verifies the token on each request.

This system is highly scalable. Tokens can be shared and transported.

36
Q

What is NTLM?

A

NTLM (NT LAN Manager) is a suite of Microsoft security protocols. Both NTLM and LANMAN have been widely replaced by Kerberos. It uses MD4, which is now deprecated.

37
Q

Describe MAC access control.

A

MAC (Mandatory Access Control) puts a label on each object and gives the user a similar label. If the item is “Top Secret” the user must have “Top Secret” access to view it.

A user cannot change the security level of an item that is at their level.

This is referred to as Multilevel Security.

38
Q

Describe DAC access control.

A

In DAC (Discretionary Access Control) objects have an owner who can decide which users have access to that object. Users can be assigned access individually or through group memberships.

It is up to the object owner’s “discretion” who they will grant access to.

Unlike MAC access control, DAC uses ACLs to track access.

39
Q

Describe ABAC access control.

A

Under ABAC (Attribute-Based Access Control), an attribute of the object can determine the access for a user.

For instance, a doctor may have access to medical records, but only for the patients tagged as enrolled at her clinic.

40
Q

Describe Role-based RBAC.

A

RBAC (Role Based Access Control) grants users membership in groups based on their job role. Groups (not users) are then granted rights to the network objects.

41
Q

Describe Rule-based RBAC.

A

RBAC (Rule Based Access Control) uses a set of rules in the ACL.

For instance: No user may have access to payroll after 5 p.m. As with MAC, only admins can change the rules.

Rule Based RBAC is usually used along with another access control method.

42
Q

What is the difference between Proximity Cards and Smart Cards?

A

Prox cards are read-only and have no security.

Smart cards use encryption and can pass more data than a prox card.

43
Q

What is a biometric template?

A

A biometric template is a numeric value created by the biometric device that describes the analog data received by the device. This value is compared to the value in the database to determine if the user should be authenticated.

44
Q

Retinal scanner vs. Iris Scanner?

A

Retinal Scanner:

  • Scans with a laser, very close up
  • Low user acceptance

Iris Scanner:

  • Further away, photo not laser
  • Photos can be taken without user knowledge and then a custom contact lens created to spoof the system.
  • Some medical conditions can be detected, creating privacy issues.
45
Q

Describe false-positives and false-negatives with biometrics.

A

False-positive - an unauthorized user is granted access.

False-negative - the correct user is denied access

46
Q

What are the false acceptance and rejection rates in biometrics?

A

These occur when the match and nonmatch probability curves overlap. A threshold between the two needs to be set, creating two possible issues:

  • FAR (False Acceptance Rate) is the rate of false-positives. Non-authenticated users who are still able to gain access.
  • FRR (False Rejection Rate) is the rate of false-negatives. Authenticated users who are unable to access the system.
47
Q

What is the CER in biometrics?

A

CER (Crossover Error Rate) is the rate where both the accept and reject error rates are the same. The approve/reject threshold is usually set at or near the CER.

48
Q

How do you calculate FAR and FRR?

A

Do FRR first.

FRR (False Rejection Rate) = Percent of users who cannot enroll (FER) or get false-negatives after enrollment. Out of 1000 users, 5 could not enroll, and 50 of the remaining 995 got false-negatives. FRR = 5.02 percent.

FAR (False Acceptance Rate) = Percent of users who are accepted by the system even though they should not have been. 25 of 995 users matched another user’s biometric. FAR = 2.51 percent.

Lower FRR and FAR are good. Similar numbers are preferable.

49
Q

How do tokens work in access management?

A

Tokens represent:

  • Something you have
  • A device that can store more info than the user can memorize

They can be:

  • Hardware - SecurID, etc.
  • Software - a symmetric key stored on the client, or public key crypto using a PIN
50
Q

Which protocols are used to create one-time passwords?

A

HOTP (HMAC-based One-Time Password)

TOTP (Time-based One-Time Password)

51
Q

What is a PIV card?

A

A PIV (Personal Identity Verification) card is a US government-issued smart card for access to federal facilities and information systems. It carries a certificate along with the user’s credentials.

52
Q

What is a CAC card?

A

A CAC (Common Access Card) card is a US DoD-issued smart card given to active duty, Select Reserve members, DoD civilians and select contractors.

It carries a certificate along with the user’s credentials.

53
Q

What is IEEE 802.1x?

A

IEEE 802.1x is the standard for port-based authentication on edge routers. It describes authentication methods such as RADIUS.

54
Q

What security issue does IEEE 802.1x contain?

A

802.1x authentication occurs only upon initial connection. This allows a user to insert themselves into the connection by changing packets and using a hub.

Solution: Pair 802.1x with a VPN or IPsec, which provides persistent security.

55
Q

How is database security typically handled?

A

Most database systems have built-in security, including encryption. Security issues and access levels should be addressed as the system is designed. Security overhead is typically negligible.