701 - Chapter 2 Flashcards

1
Q

Within the access control process, what is the process of tracking user activity and recording that activity in logs called? Together with related activities, what does this create?

A

Accounting; an audit trail

2
Q

What are the three main authentication factors, and what is the fourth?

A

Something you know, something you have, something you are… Somewhere you are

3
Q

Something you know typically refers to what?

A

A shared secret… such as a password or a PIN

4
Q

What are the current password recommendations per Microsoft, NIST, and the US DHS?

A

Hash all passwords, require MFA, don't require mandatory password resets, require passwords to be at least eight characters, check for common passwords and prevent their use, tell users not to use the same password on more than one site, and allow all special characters, including spaces, but don't require them

5
Q

What are the four common character types included in passwords?

A

Uppercase, lowercase, numbers, special characters

6
Q

True or false: the best practice for password security is to have password expiration policies.

A

False… Allowing users to keep their passwords for as long as they like is considered best practice, because the thinking is that they will use a very strong password when they only have to choose it one time

7
Q

True or false: a password is considered complex if it uses at least three of the four character types.

A

False, complex passwords will use a mix of all four character types

8
Q

What is the minimum number of days before a password can be changed called?

A

Password age

9
Q

What remembers past passwords for users and prevents them from reusing them?

A

A password history system

10
Q

What is a single source designed to keep most of your passwords?

A

Password manager or password vault

11
Q

What is KBA and what are the two types?

A

Knowledge-based authentication… static and dynamic

12
Q

How is static KBA used?

A

For users with an account, it’s the security questions and answers

13
Q

How is dynamic KBA mostly used?

A

For users without an account, the site queries public and private data sources, such as credit reports, vehicle registrations, and tax records, to craft multiple-choice questions that only the user would know the answers to. In addition, there is a limited amount of time in which to answer these questions.

14
Q

What is the use of dynamic KBA to verify a new user's identity when they are creating an account for the first time called? And what process is this an important step of?

A

Identity proofing…the provisioning process

15
Q

The maximum number of times a user can enter the wrong password, and how long an account then remains locked, are called what?

A

Account lockout threshold and account lockout duration

16
Q

Account lockout policies are meant to thwart what type of attacks?

A

Brute force and dictionary attacks

17
Q

What are the four things that a smart card provides?

A

Confidentiality, integrity, authentication, non-repudiation

18
Q

True or false: smart cards provide two-factor authentication.

A

True… Something you have and something you know

19
Q

A random number that is provided to you and that you then provide to an authentication server is called what?

A

One-time password (OTP)

20
Q

Hard tokens and soft tokens both use what?

A

One-time passwords (OTP)

21
Q

What are the two different ways that tokens remain in sync with authentication servers regarding generating OTPs?

A

HMAC-based one-time password (HOTP) and time-based one-time password (TOTP)

22
Q

When does a HOTP password expire? And when does a TOTP expire?

A

A HOTP does not expire until it is used; a TOTP expires after 30 to 60 seconds

23
Q

True or false: SMS for two-step authentication is very secure.

A

False; its use is discouraged.

24
Q

What is the notification called that, instead of using a code, asks the user to acknowledge the request on their phone?

A

Push notification

25
Q

Smart cards, security keys, hard tokens, soft tokens, SMS, and push notifications are all examples of what with regard to two-factor authentication?

A

Something you have

26
Q

What measures some physical characteristic of the user to confirm their identity?

A

Biometrics

27
Q

True or false: biometrics are the strongest form of authentication because they are the most difficult for an attacker to falsify.

A

True

28
Q

Name the seven biometric methods…

A

Fingerprints, vein matching, retina imaging, iris scanners, facial recognition, voice recognition, gait analysis

29
Q

Which of the biometric methods is used at many passport-free border crossings around the world?

A

Iris scanners

30
Q

What uses the facial recognition system?

A

iPhones

31
Q

Which two biometric methods are the strongest?

A

Iris and retina scans

32
Q

What two biometric methods are passive and can even bypass the enrollment process when used for identification instead of authorization?

A

Facial recognition and gait analysis

33
Q

What are the four possible results for a biometric system when attempting to authenticate the user?

A

False acceptance (FAR), false rejection (FRR), true acceptance, true rejection

34
Q

What is the metric that refers to the performance of a biometric system under ideal conditions called?

A

Efficacy rate

35
Q

Increasing the sensitivity of a biometric system does what to the FAR and what to the FRR?

A

Decreases and increases

36
Q

What is the point where the FAR and the FRR cross?

A

The crossover error rate (CER)

37
Q

What do many authentication systems use for geolocation with the somewhere-you-are factor?

A

The IP address

38
Q

True or false: using two methods from the same authentication factor (for example, something you know) is still two-factor authentication.

A

False… Two-factor authentication uses two different authentication factors, for example something you have and something you know

39
Q

True or false: passwordless authentication is not necessarily multifactor authentication.

A

True; it can still be a single factor, either something you have or something you are

40
Q

What is usually logged in the authentication log for a user login attempt?

A

What happened (success or failure), when it happened, where it happened (typically an IP address or computer name), and who, which refers to the user account

41
Q

This type of account is for regular users or for the personnel working in that organization?

A

Personnel or end user accounts

42
Q

This account type is a privileged account that has additional rights and privileges beyond what a regular user has? For Linux systems, what is this account called?

A

Administrator and root accounts

43
Q

This account type allows an application to run under its context?

A

Service account

44
Q

This account type is for computers and other devices?

A

Device account

45
Q

This account type is for external entities that have access to your network?

A

Third-party accounts

46
Q

This account type is included with Windows by default and allows limited access to a computer or network?

A

Guest account

47
Q

This account type can be used by temporary workers and is shared; these accounts are discouraged for normal work?

A

Shared and generic account/credentials

48
Q

This type of system implements stringent security controls over accounts with elevated privileges, such as administrator or root level accounts?

A

Privileged access management (PAM) systems

49
Q

What is the concept of granting permissions at time of need? And what systems tend to use this concept?

A

Just-in-time permissions… PAM systems

50
Q

What is a temporary account that is issued for a limited period of time and then destroyed when the user is finished with their work called?

A

Temporal accounts

51
Q

What are the five capabilities of a PAM system?

A

Allow users to access the privileged account without knowing the password, automatically change privileged account passwords, limit the time users can use the privileged account, allow users to check out credentials, and log all access to credentials

52
Q

PAM systems are a protection against what type of attack?

A

Where an attacker gets access to an administrative account and its password

53
Q

What is common for administrators to have with regards to accounts?

A

To have two accounts, one as a regular day-to-day user and the other as the administrator account

54
Q

An administrator having two accounts minimizes what risk by using their normal day-to-day account?

A

Privilege escalation, where malware can assume the privileges of the logged-in account

55
Q

What is the process used to disable a user's account when they leave the organization?

A

Deprovisioning

56
Q

Why is an account initially disabled rather than deleted?

A

Disabling the account ensures that the data associated with it remains available. One example is the security keys associated with that account that are used for encryption.

57
Q

What is it called when a user can only log onto computers during specific times?

A

Time-based logins or time-of-day restrictions

58
Q

What is the process an organization performs that looks at the rights and permissions assigned to users and helps enforce the least privilege principle?

A

An account audit or permission auditing review

59
Q

What is a common problem that violates the principle of least privilege and occurs when a user is granted more and more privileges due to changing job requirements, but the unneeded privileges are never removed?

A

Privilege creep

60
Q

What is the formal process for reviewing user permissions called?

A

Attestation

61
Q

This review looks at the logs to see what users are doing, and it can be used to re-create an audit trail?

A

A usage audit review

62
Q

What refers to a user's ability to log on once and access multiple systems without logging on again?

A

Single sign-on

63
Q

What does SSO use for additional logins after the first sign on?

A

A secure token for authentication

64
Q

What is the power behind SSO systems?

A

Their interoperability with the many operating systems, devices, applications, and services used in an organization

65
Q

What is a core component of many single sign-on systems?

A

LDAP, or Lightweight Directory Access Protocol

66
Q

What is it called when two or more separate organizations want to utilize SSO? And what do they need for it to work?

A

Federation… a federated identity management system

67
Q

What can be used for SSO on web browsers and can act as a federated identity management system for them?

A

Security Assertion Markup Language (SAML)

68
Q

What standard is SAML based on?

A

XML

69
Q

What are the three objects defined by SAML?

A

The principal (typically a user), an identity provider, and a service provider

70
Q

In SAML, this role creates, maintains, and manages identity information, authentication, and authorization for principals?

A

Identity provider

71
Q

In SAML, this is the entity that provides services to the principals?

A

Service provider

72
Q

This is an open standard for authorization that many companies use to provide secure access to protected resources?

A

OAuth

73
Q

This authorization model uses roles based on jobs and functions?

A

Role based access control (role-BAC)

74
Q

What are two other names used for role-BAC?

A

Hierarchy-based and job/task/function-based

75
Q

What is a planning document that matches roles with the required privileges in role-BAC?

A

A roles and permissions matrix

76
Q

An implementation of role-BAC based on organizational groups is called what?

A

Group-based privileges

77
Q

What is a benefit of group-based privileges?

A

They reduce the administrative workload of access management, as users assigned to a group automatically inherit the privileges assigned to that group

78
Q

This authorization model uses a set of approved instructions such as an ACL?

A

Rule-based access control or rule-BAC

79
Q

What is a common example where rule-BAC is used?

A

Routers and firewalls

80
Q

How can an IPS extend rule-BAC?

A

By using rules that can trigger a response to an event, such as modifying an ACL after detecting an attack or granting additional permissions to a user in certain situations

81
Q

What is the access control where objects have an owner and the owner establishes access to those objects? What is a common example?

A

Discretionary access control (DAC)… Windows NTFS

82
Q

What is a deny by default policy? And what is another name for that?

A

If access is not explicitly granted, the system denies access by default… an implicit deny

83
Q

This form of access control uses labels assigned to both subjects and objects, which must match for access to be granted?

A

Mandatory access control (MAC)

84
Q

This version of Linux uses MAC?

A

Security-Enhanced Linux (SELinux)

85
Q

What does a MAC scheme use to define and illustrate different levels and labels of security to classify both users and data?

A

A lattice

86
Q

One other restriction that a MAC scheme provides is what?

A

A restriction based on a need to know

87
Q

This form of access control evaluates attributes and grants access based on the values of those attributes?

A

Attribute-based access control (ABAC)

88
Q

What commonly uses ABAC?

A

Software-defined networks (SDN)

89
Q

With ABAC, what are the rules called?

A

Policy statements

90
Q

What are the four elements in an ABAC policy statement?

A

Subject, object, action, environment

91
Q

When reviewing authentication logs, what are some of the key things that you should be looking out for?

A

Account lockouts, concurrent session usage, impossible travel time, blocked content, resource consumption, resource inaccessibility, log anomalies