4.0 - Identity and Access Management Flashcards

1
Q

Identification

A
  • Identification occurs when users claim or profess their identity with an identifier such as a username or email address
2
Q

Authentication

A
  • Authentication occurs when a user proves their claimed identity (username, email address) with some type of credential such as a password, PIN, etc. (something you know)
  • When a person’s identity is established with proof and confirmed by a system
3
Q

Authorization

A
  • Authorization occurs when a verified user is given access to resources based on the level of their proven identity
  • (granting a user permission to read data in a shared folder)
  • (granting a user access to certain parts of the building)
4
Q

Accounting

A
  • Accounting is used to track user activity and record the activity in logs
  • log and track user activity, which data is being accessed, log in/log out times, computer usage
5
Q

Federation

A
  • requires a federated identity management system that all members of the federation use
  • Members of the federation agree on a standard for federated identities and then exchange the information based on the standard
  • a federated identity links a user’s credentials from different networks or operating systems, but the federation treats it as one identity
6
Q

Single sign-on

A
  • allows users to log on or access multiple systems by providing credentials once
  • SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down
7
Q

Transitive Trust

A
  • creates an indirect trust relationship between different parties
  • within an LDAP-based network, domains use transitive trusts for single sign-on
8
Q

LDAP

A
  • Lightweight Directory Access Protocol specifies formats and methods to query directories such as Active Directory
  • Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings
  • LDAP is an extension of the X.500 standard that Novell and Microsoft Exchange Server used
  • Windows Active Directory uses LDAP to query its directory of objects (users, computers, and groups)
  • uses TCP port 389
9
Q

Kerberos

A
  • network authentication protocol within a MS Windows AD domain or a Unix realm
  • It uses a database of objects such as Active Directory and a Key Distribution Center (KDC), also called a Ticket-Granting Ticket (TGT) server, to issue timestamped tickets that expire after a certain time period
  • Tickets provide authentication for users when they access resources such as files on a file server
  • Uses symmetric-key cryptography to prevent unauthorized disclosure and to ensure confidentiality
  • Symmetric-key cryptography uses a single key for both encryption and decryption of the same data
  • uses UDP port 88
10
Q

TACACS+

A
  • terminal access controller access-control system plus (TACACS+) is the Cisco alternative to RADIUS
  • Provides two security benefits over RADIUS
  • encrypts the entire authentication process and uses multiple challenges and responses between the client and the server
  • can interact with Kerberos
  • considered an AAA protocol since it provides all 3 services
11
Q

CHAP

A
  • challenge handshake authentication protocol also uses point-to-point protocol (PPP) and authenticates remote users
  • client and server both know a shared secret (similar to a password) but the secret isn’t sent in plaintext
  • secret is hashed by the client after combining it with a nonce (number used once) provided by the server
12
Q

PAP

A
  • password authentication protocol is used with point-to-point protocol (PPP) to authenticate clients
  • PAP sends passwords over a network in cleartext
13
Q

MSCHAP

A
  • Microsoft challenge handshake authentication protocol (MSCHAP) was supported up to Windows 95 and was improved to MS-CHAPv2
  • MS-CHAPv2 requires mutual authentication between the client and the server
14
Q

RADIUS

A
  • remote authentication dial-in user service (radius) is a centralized authentication service
  • can also be used as an 802.1x server
  • uses the user datagram protocol (UDP) which is best-effort delivery instead of TCP which is guaranteed delivery
  • only encrypts the password, not the entire authentication process
  • considered an AAA protocol since it provides all 3 services
15
Q

OpenID Connect

A
  • OpenID Connect works with OAuth 2.0 and it allows clients to verify the identity of end users without managing their credentials
  • used to authenticate users in a federated identity management system
  • is easier to implement than SAML but SAML is more efficient
16
Q

OAUTH

A
  • OAuth is an open standard for authorization many companies use to provide secure access to protected resources
17
Q

Shibboleth

A
  • Shibboleth is an open source federated identity solution that includes Open SAML libraries
18
Q

IEEE 802.1X

A
  • port based authentication protocol
  • it requires users or devices to authenticate when they connect to a specific wireless access point, or a specific physical port, and it can be implemented in both wireless and wired networks
  • an 802.1x server provides port-based authentication, ensuring that only authorized clients can connect to a network
  • it prevents rogue devices from connecting
19
Q

MAC

A
  • mandatory access control uses sensitivity labels for users and data
  • it is commonly used when access needs to be restricted based on a need to know
  • sensitivity labels often reflect classification levels of data and clearances granted to individuals
20
Q

MAC

A
  • mandatory access control uses sensitivity labels or security labels for users and data
  • it is commonly used when access needs to be restricted based on a need to know
  • sensitivity labels often reflect classification levels of data and clearances granted to individuals
21
Q

MAC

A
  • mandatory access control uses sensitivity labels or security labels for users and data
  • it is commonly used when access needs to be restricted based on a need to know
  • administrators assign labels to both users and objects and when the labels match the system can grant access to an object
  • sensitivity labels often reflect classification levels of data and clearances granted to individuals
22
Q

DAC

A
  • discretionary access control specifies that every object has an owner and the owner has full, explicit control of the object
23
Q

DAC

A
  • discretionary access control specifies that every object has an owner and the owner has full, explicit control of the object
  • new technology file system (NTFS) in Windows uses discretionary access control
24
Q

ABAC

A
  • attribute-based access control evaluates attributes and grants access based on the value of these attributes
25
Q

ABAC

A
  • attribute-based access control evaluates attributes and grants access based on the value of these attributes
  • attributes like employee, inspector, and nuclear aware
  • uses attributes that identify both subjects and objects, and grants access when a policy identifies a match
26
Q

RoBAC

A
  • role-based access control uses roles to manage rights and permissions for users
  • uses roles based on jobs and functions
  • useful for users within a specific department who perform the same job functions
  • administrator creates the roles and then assigns specific rights and permissions to the roles (instead of to the users)
27
Q

RuBAC

A
  • rule-based access control uses rules like on a firewall to grant permissions
28
Q

GBAC

A
  • group-based access control provides access based on roles or groups
  • administrators put user accounts into security groups, and assign privileges to the groups
  • users within a group automatically inherit the privileges assigned to the group