4.6 Flashcards

Identity and access management, access controls, multifactor authentication, password security

1
Q

IAM stands for

A

Identity and Access Management

2
Q

Giving the right permissions to the right people at the right time is known as

A

IAM

3
Q

Software that is used for:

Access control

Authentication and authorization

Identity governance (provisioning/deprovisioning user accounts)

A

IAM

4
Q

IAM utilizes ____ access control. That means if a user creates a file, that file is private to that user, even if another user logs into that same device.

A

Mandatory

5
Q

The formal process of verifying that a user really is who they say they are. Used by IAM solutions.

A

Identity proofing

6
Q

An identity proofing process where the user verifies their identity via government documents, answering questions about previous addresses or purchases, or an in-person meeting.

A

Verification/attestation

7
Q

An identity proofing process where the user verifies their identity by sending credentials (username/password) and may answer security questions. This is an information gathering process.

A

Validation

8
Q

An identity proofing process where the IAM system gathers information about a user to verify that the user is who they say they are.

A

Resolution

9
Q

SSO stands for

A

Single Sign-On

10
Q

An authentication solution where the user has to validate their identity only once to access all of the resources in a network.

This is usually limited by time. Ex. You will only be authenticated for 24 hours, after which you will have to authenticate again.

A

SSO

11
Q

LDAP stands for

A

Lightweight Directory Access Protocol

12
Q

The protocol used to query and update an X.500 directory.

It is also often used for authentication/authorization, typically SSO.

A

LDAP

13
Q

A global directory service that organizes components to manage information.

It follows the format of:
attribute=value

A

X.500

14
Q

SAML stands for

A

Security Assertion Markup Language

15
Q

An open-source standard protocol for authentication and authorization with which you can authenticate through a third-party database.

That way, instead of creating/managing your own identity management database for your organization, you can use one that exists elsewhere.

However, this protocol was not created to work with mobile devices, so its use is limited in modern day.

A

SAML

16
Q

An authentication protocol that can authenticate users through a third-party authentication database

A

SAML

17
Q

Describe how SAML authentication works

A

User attempts to access Resource Server

Resource Server redirects user to third-party Authorization Server through an encrypted SAML request

User logs in

Authorization Server redirects the user back to the Resource Server with a SAML token

Resource Server verifies the SAML token and grants access to the user

18
Q

An authorization framework that allows applications to access resources on a user’s behalf

A

OAUTH

19
Q

When you see a message such as:

“[3rd Party App] wants to access your Google Account
This will allow [3rd Party App] to:
See, edit, create, and delete all of your Google Drive files”

What authorization protocol is being used?

A

OAUTH

19
Q

When you see a message such as:

“Sign in through Facebook
Sign in through Twitter
Sign in through Instagram”

What authentication method is being used?

A

Federation / federation authentication

20
Q

Because OAUTH is an authorization protocol and NOT an authentication protocol, what service is used in conjunction with it? This service provides SSO authentication.

A

OpenID

21
Q

An authentication method that allows network access without using a local authentication database.

It allows you to log in to a resource without having to create a new account specifically for that resource.

It can allow you to sign in through an existing trusted third-party organization with which the two organizations have a trust relationship.

A

Federation

22
Q

What is the main thing to consider when determining which type of IAM services to use?

A

Interoperability

Some apps may be compatible with the method you choose; others will need to implement some kind of API or other interoperability measures to make it work.

23
Q

The process of enforcing policies that would allow/disallow users/devices access to resources

A

Access control

24
Q

An access control model that allows users/devices the bare minimum of access to perform their job.

A

Least privilege

25
Q

An access control model that is based on security clearance levels. Every file or object gets a label with the security clearance required to access it.

The administrator of the system defines the security clearance that a user/device has.

A

Mandatory Access Control

26
Q

An access control model that allows the user who created the data to determine who else can access the data, and what they can do to modify it.

Very flexible, but very weak security.

A

DAC

27
Q

An access control model that is based on account roles (manager, director, team lead, project manager, etc.).

Administrators provide access based on the role of the user. Rights are gained implicitly instead of explicitly.

A

RBAC

28
Q

RBAC stands for

A

Role-Based Access Control

29
Q

What does it mean when rights/permissions are gained implicitly instead of explicitly?

A

It means that the rights are assigned due to a user’s role or attribute rather than assigned individually to that user.

30
Q

An access control model that grants rights and permissions according to system-enforced rules. The administrator configures these rules, and attaches them to files. These rules are then enforced once a user attempts to access the resource.

Ex:
Lab network access is only available between 9am-5pm
Only Chrome browsers can complete this web form

A

RuBAC

31
Q

ABAC stands for

A

Attribute-Based Access Control

32
Q

An access control model that develops a complex ruleset to determine whether someone has or doesn’t have access to a resource.

It can examine attributes that are unique to the user: seniority, current projects, security clearance level, work status, attempted action to take, etc.
It will also consider external factors like time of day and browser type.

It considers many different parameters, including context. It can evaluate the source IP address, time of day, desired action, and relationship the user has to the data.
All of these criteria are combined to determine whether to grant access.

It is a “next generation” authorization model.

A

ABAC

33
Q

Difference between RuBAC and ABAC

A

RuBAC focuses on rules related to external factors: time of day, working hours, schedules, specific devices.

ABAC focuses on attributes that can rely on personal information like active projects, work status, security clearance, seniority, attempted action, etc.

34
Q

RuBAC stands for

A

Rule-Based Access Control

35
Q

An access control model that restricts access during certain times or days of the week.

This model is typically not used on its own.

A

Time-of-day restrictions

36
Q

4 factors used in MFA

A

Something you know
Something you have
Something you are
Somewhere you are

37
Q

3 examples of “something you know”

A

Password
PIN
Pattern

38
Q

4 examples of “something you have”

A

Smart card

USB security key (contains certificate specific to you)

Hardware/software token (RNG)

Your phone (SMS code)

39
Q

1 example of “something you are”

A

Biometric authentication

Fingerprint, iris scan, voice print

40
Q

2 examples of “somewhere you are”

A

IP address
Mobile device location services (GPS)

41
Q

What is password entropy?

A

Unpredictability

42
Q

Software that can remember all of your different passwords for you. It stores your password in one database that has been encrypted.

To use this service, you may need to provide multifactor tokens.

A

Password manager

43
Q

A method of authentication that uses facial recognition, security keys, or PINs instead of using passwords.

This is often used in conjunction with (NOT instead of) passwords or other authentication measures.

A

Password authentication

44
Q

An authentication/authorization measure that gives a technician a temporary set of credentials. These credentials give administrator access for a limited amount of time - just enough time to solve a problem or adjust a configuration.

This prevents attackers from gaining elevated account rights.

A

Just-in-time permissions

45
Q

The entity responsible for allowing or disallowing access based upon a predetermined set of security policies. Used for giving just-in-time permissions to users.

A

Central clearinghouse

AKA password vault

46
Q

Central clearinghouse is AKA

A

Password vault

47
Q

Explain the process of gaining and using just-in-time permissions

A

User requests access from a central clearinghouse/password vault

The central clearinghouse/password vault contains primary credentials. It creates ephemeral credentials based on those primary credentials and supplies them to the user. The primary credentials are never released.

The ephemeral credentials are used for one session and then deleted.