701 - Chapter 2 Flashcards
Within the access control process, what is the process of tracking user activity and recording the activity in the logs? This activity along with related others creates what?
Accounting, audit trail
What are the three main authentication factors, and what is the fourth?
Something you know, something you have, something you are... Somewhere you are
Something you know typically refers to what?
A shared secret... Such as a password or a PIN
What are the current password recommendations per Microsoft, NIST, and the US DHS?
Hash all passwords, require MFA, don't require mandatory password resets, require passwords to be at least eight characters, check for common passwords and prevent their use, tell users not to use the same password on more than one site, allow all special characters, including spaces, but don't require them
What are the four common character types included in passwords?
Uppercase, lowercase, numbers, special characters
True or false: the best practice for password security is to have password expiration policies
False... Allowing users to keep their passwords for as long as they like is considered best practice, because the thinking is that they will use a very strong password when they only have to set it one time
True or false: a password is considered complex if it uses at least three of the four character types
False, complex passwords will use a mix of all four character types
What is the minimum number in days before a password can be changed called?
Password age
What remembers past passwords for users and prevents them from reusing them?
A password history system
What is a single source designed to keep most of your passwords?
Password manager or password vault
What is KBA and what are the two types?
Knowledge based authentication…static and dynamic
How is static KBA used?
For users with an account, it’s the security questions and answers
How is dynamic KBA mostly used?
For users without an account, the site will query public and private data sources like credit reports, vehicle registrations, taxes to craft multiple-choice questions that only the user would know. In addition, there is a limited amount of time in order to answer these questions.
What is the use of dynamic KBA to verify a new user's identity when they are creating an account for the first time called? And what is this an important step for?
Identity proofing... the provisioning process
What is the maximum number of times a user can enter the wrong password called, and what is the length of time an account remains locked called?
Account lockout threshold and account lockout duration
Account lockout policies are meant to thwart what type of attacks?
Brute force and dictionary attacks
What are the four things that a smart card provides?
Confidentiality, integrity, authentication, non-repudiation
True or false: smart cards provide two-factor authentication?
True... Something you have and something you know
A random number that is provided to you and that you in turn provide to an authentication server is called what?
One-time password (OTP)
Hard tokens and soft tokens, both use what?
One-time passwords (OTP)
What are the two different ways that tokens remain in sync with authentication servers regarding generating OTPs?
HMAC-based one-time password (HOTP) and time-based one-time password (TOTP)
When does a HOTP password expire? And when does a TOTP expire?
Does not expire until it is used, expires after 30 to 60 seconds
True or false: SMS for two-step authentication is very secure
False, its use is discouraged.
What is the notification called that, instead of using a code, asks the user to acknowledge the request on their phone?
Push notification
Smart cards, security keys, hard tokens, soft tokens, SMS, and push notifications are all examples of what with regard to two-factor authentication?
Something you have
What measures some physical characteristic of the user to confirm their identity?
Biometrics
True or false: biometrics are the strongest form of authentication because they are the most difficult for an attacker to falsify?
True
Name the seven biometric methods…
Fingerprints, vein matching, retina imaging, iris scanners, facial recognition, voice recognition, gait analysis
Which of the biometric methods is used at many passport free border crossings around the world?
Iris scanners
What uses the facial recognition system?
iPhones
What two methods of biometrics are the strongest?
Iris and retina scans
What two biometric methods are passive and can even bypass the enrollment process when used for identification instead of authorization?
Facial recognition and gait analysis
What are the four possible results for a biometric system when attempting to authenticate the user?
False acceptance (FAR), false rejection (FRR), true acceptance, true rejection
What is the metric that refers to the performance of the biometric system under ideal conditions called?
Efficacy rate
Increasing the sensitivity of a biometric system does what to the FAR and what to the FRR?
Decreases and increases
What is the point where the FAR and the FRR cross?
The crossover error rate (CER)
What do many authentication systems use for geolocation with "somewhere you are"?
The IP address
True or false: using two methods in the same factor of authentication, for example, something you know, is still two-factor authentication
False... Two-factor authentication uses two different authentication factors, for example, something you have and something you know
True or false: passwordless authentication is not necessarily multifactor authentication?
True, it can still be a single "something you have" or "something you are" factor
What is usually logged in the authentication log for a user login attempt?
What happened (success or failure), when it happened, where it happened (typically an IP address or computer name), and who, which refers to the user account
This type of account is for regular users or for the personnel working in that organization?
Personnel or end user accounts
This account type is a privileged account that has additional rights and privileges beyond what a regular user has? For Linux systems, what is this account called?
Administrator and root accounts
This account type allows an application to run under its context?
Service account
This account type is for computers and other devices?
Device account
This account type is for external entities that have access to your network?
Third-party accounts
This account type is included with Windows by default and allows limited access to a computer or network?
Guest account
This account type can be used by temporary workers and will be shared; these accounts are also discouraged for normal work?
Shared and generic account/credentials
This type of system implements stringent security controls over accounts with elevated privileges, such as administrator or root level accounts?
Privileged access management (PAM) systems
What is the concept of granting permissions at time of need? And what systems tend to use this concept?
Just-in-time permissions... PAM systems
What is a temporary account that is issued for a limited period of time and then destroyed when the user is finished with their work?
Temporal accounts
What are the five capabilities of a PAM system?
Allow users to access the privileged account without knowing the password, automatically change privileged account passwords, limit the time users can use the privileged account, allow users to check out credentials, log all access of credentials
PAM systems protect against what types of attacks?
Those where an attacker gets access to an administrative account and password
What is common for administrators to have with regards to accounts?
To have two accounts, one as a regular day-to-day user and the other as the administrator account
An administrator having two accounts minimizes what risk by using their normal day-to-day account?
Privilege escalation, where malware can assume the privileges of the logged-in account
What is the process used to disable a user's account when they leave the organization?
Deprovisioning
Why is an account initially disabled rather than deleted?
Disabling the account ensures that the data associated with it remains available. One example is the security keys associated with that account that are used for encryption.
What is it called when a user can only log onto computers during specific times?
Time-based logins or time-of-day restrictions
What is the process an organization will perform that looks at the rights and permissions assigned to users and helps enforce the least privilege principle?
An account audit or permission auditing review
What is a common problem that violates the principle of least privilege and occurs when a user is granted more and more privileges due to changing job requirements, but the unneeded privileges are never removed?
Privilege creep
What is the formal process for reviewing user permissions called?
Attestation
This review looks at the logs to see what users are doing, and it can be used to re-create an audit trail?
A usage audit review
What refers to a user's ability to log on once and access multiple systems without logging on again?
Single sign-on (SSO)
What does SSO use for additional logins after the first sign on?
A secure token for authentication
What is the power behind SSO systems?
Their interoperability with the many operating systems, devices, applications, and services used in an organization
What is a core component of many single sign-on systems?
LDAP, or Lightweight Directory Access Protocol
What is it called when two or more separate organizations want to utilize SSO? And what do they need for it to work?
Federation... a federated identity management system
What can be used for SSO on web browsers and can act as a federated identity management system for them?
Security Assertion Markup Language (SAML)
What standard is SAML based on?
XML
What are the three objects defined by SAML?
The principal, which is typically a user; an identity provider; a service provider
In SAML, this role creates, maintains, and manages identity information, authentication, and authorization for principals?
Identity provider
In SAML, this is the entity that provides services to the principals?
Service provider
This is an open standard for authorization that many companies use to provide secure access to protected resources?
OAuth
This authorization model uses roles based on jobs and functions?
Role-based access control (role-BAC)
What are two other names used for role-BAC?
Hierarchy-based and job/task/function-based
What is a planning document that matches roles with the required privileges in role-BAC?
A roles and permissions matrix
An implementation of role-BAC based on organizational groups is called what?
Group-based privileges
What is a benefit of group-based privileges?
They reduce the administrative workload of access management, as users assigned to a group automatically inherit the privileges assigned to that group
This authorization model uses a set of approved instructions, such as an ACL?
Rule-based access control (rule-BAC)
What is a common example where rule-BAC is used?
Routers and firewalls
How can an IPS extend rule-BAC?
By using rules that can trigger a response to an event, such as modifying an ACL after detecting an attack or granting additional permissions to a user in certain situations
What is the access control where objects have an owner and the owner establishes access to those objects? What is a common example?
Discretionary access control (DAC)... Windows NTFS
What is a deny by default policy? And what is another name for that?
If allow access is not granted, the system denies access by default... An implicit deny
This form of access control uses labels that are assigned to both subjects and objects and requires a match between the two for access to be granted?
Mandatory access control (MAC)
This version of Linux uses MAC?
Security-Enhanced Linux (SELinux)
What does a MAC scheme use to define and illustrate different levels and labels of security to classify both users and data?
A lattice
One other restriction that a MAC scheme provides is what?
A restriction based on need to know
This form of access control evaluates attributes and grants access based on the value of those attributes?
Attribute-based access control (ABAC)
What commonly uses ABAC?
Software-defined networks (SDN)
With ABAC, what are the rules called?
Policy statements
What are the four elements in an ABAC policy statement?
Subject, object, action, environment
When reviewing authentication logs, what are some of the key things that you should be looking out for?
Account lockouts, concurrent session usage, impossible travel time, blocked content, resource consumption, resource inaccessibility, log anomalies