701 - Chapter 2 Flashcards
Within the access control process, what is the process of tracking user activity and recording the activity in the logs? This activity along with related others creates what?
Accounting, audit trail
What are the three main authentication factors, and what is the fourth?
Something you know, something you have, something you are… Somewhere you are
Something you know typically refers to what?
A shared secret… such as a password or a PIN
What are the current password recommendations per Microsoft, NIST, and the US DHS?
Hash all passwords, require MFA, don’t require mandatory password resets, require passwords to be at least eight characters, check for common passwords and prevent their use, tell users not to use the same password on more than one site, allow all special characters, including spaces, but don’t require them
What are the four common character types included in passwords?
Uppercase, lowercase, numbers, special characters
True or false: the best practice for password security is to have password expiration policies.
False… Allowing users to keep their passwords for as long as they like is considered best practice because the thinking is they will use a very strong password when they only have to do it one time
True or false: a password is considered complex if it uses at least three of the four character types.
False, complex passwords will use a mix of all four character types
What is the minimum number of days before a password can be changed called?
Password age
What remembers past passwords for users and prevents them from reusing them?
A password history system
What is a single source designed to keep most of your passwords?
Password manager or password vault
What is KBA and what are the two types?
Knowledge-based authentication… static and dynamic
How is static KBA used?
For users with an account, it’s the security questions and answers
How is dynamic KBA mostly used?
For users without an account, the site will query public and private data sources like credit reports, vehicle registrations, and taxes to craft multiple-choice questions that only the user would know. In addition, there is a limited amount of time to answer these questions.
What is the use of dynamic KBA to verify a new user’s identity when they are creating an account for the first time? And what is this an important step for?
Identity proofing…the provisioning process
The maximum number of times a user can enter the wrong password, and how long an account then remains locked, are called what?
Account lockout threshold and account lockout duration
Account lockout policies are meant to thwart what type of attacks?
Brute force and dictionary attacks
What are the four things that a smart card provides?
Confidentiality, integrity, authentication, non-repudiation
True or false: smart cards provide two-factor authentication.
True… Something you have and something you know
A random number that is provided to you and that you then provide to an authentication server is called what?
One-time password, OTP
Hard tokens and soft tokens both use what?
One-time passwords, OTP
What are the two different ways that tokens remain in sync with authentication servers regarding generating OTPs?
HMAC-based one-time password, HOTP, and time-based one-time password, TOTP
When does a HOTP password expire? And when does a TOTP expire?
Does not expire until it is used; expires after 30 to 60 seconds
True or false: SMS for two-step authentication is very secure.
False, its use is discouraged.
What is the notification called that, instead of using a code, asks the user to acknowledge the request on their phone?
Push notification
Smart cards, security keys, hard tokens, soft tokens, SMS and push notifications are all examples of what with regards to two-factor authentication?
Something you have
What measures some physical characteristic of the user to confirm their identity?
Biometrics
True or false: biometrics are the strongest form of authentication because they are the most difficult for an attacker to falsify.
True
Name the seven biometric methods…
Fingerprints, vein matching, retina imaging, iris scanners, facial recognition, voice recognition, gait analysis
Which of the biometric methods is used at many passport free border crossings around the world?
Iris scanners
What uses the facial recognition system?
iPhones
What two methods of biometrics are the strongest?
Iris and retina scans
What two biometric methods are passive and can even bypass the enrollment process when used for identification instead of authorization?
Facial recognition and gait analysis
What are the four possible results for a biometric system when attempting to authenticate the user?
False acceptance (FAR), false rejection (FRR), true acceptance, true rejection
What is the metric that refers to the performance of a biometric system under ideal conditions called?
Efficacy rate
Increasing the sensitivity of a biometric system does what to the FAR and what to the FRR?
Decreases and increases
What is the point where the FAR and the FRR cross?
The crossover error rate, CER