8: Identity and Access Management Flashcards
What does AAA stand for in security concepts?
Authentication, Authorization, and Accounting
AAA is a framework for controlling access to computer resources, enforcing policies, and auditing usage.
What is the purpose of mitigation techniques in security?
To secure the enterprise
Mitigation techniques help reduce vulnerabilities and protect against potential threats.
What is an Access Control List (ACL)?
A list that defines permissions for users and groups regarding resources
ACLs specify which users or systems have access to specific resources and what actions they can perform.
What is provisioning in the context of identity management?
The process of creating user accounts and granting access rights
Provisioning ensures that users have the necessary access to perform their job functions.
What does identity proofing entail?
Verifying the identity of a user before granting access
Identity proofing is crucial for ensuring that the user is who they claim to be.
What is Single Sign-On (SSO)?
A user authentication process that allows a user to access multiple applications with one set of login credentials
SSO improves user experience and reduces password fatigue.
What are the factors involved in multifactor authentication?
- Something you know
- Something you have
- Something you are
- Somewhere you are
Multifactor authentication enhances security by requiring multiple forms of verification.
What are the types of access controls?
- Mandatory
- Discretionary
- Role-based
- Rule-based
- Attribute-based
- Time-of-day restrictions
- Least privilege
Different models of access control can be applied based on organizational needs.
What is the significance of privileged access management tools?
They ensure proper controls and monitoring for superusers and privileged accounts
Tools like just-in-time permissions and password vaulting help manage high-level access.
What are password best practices?
- Length
- Complexity
- Reuse
- Expiration
- Age
Following these practices can significantly enhance password security.
What is the concept of interoperability in identity management?
The ability of different authentication and authorization services to work together
Interoperability ensures seamless access across systems and applications.
Fill in the blank: Identities are one of the most important _______ in modern organizations.
security layers
Managing identities effectively is critical for organizational security.
What is the role of accounting in AAA?
Tracking user actions and resource usage
Accounting provides a record of who accessed what resources and when.
What does the term ‘authentication’ refer to?
The process of verifying the identity of a user or system
Authentication ensures that users are who they claim to be.
What is the purpose of implementing identity and access management?
To control access to systems and services, and manage user rights
Effective identity and access management is vital for organizational security.
What are identities?
Sets of claims made about a subject
Subjects can include people, applications, devices, systems, or organizations, with the most common application being individuals.
What type of information is typically linked to identities?
Attributes or information about the subject
This includes details important for the use of their identity.
What is the difference between attributes and traits?
Attributes are changeable; traits are inherent
Examples: attributes can include title or address; traits include height or eye color.
What is the most commonly used means of claiming an identity?
Usernames
Usernames are associated with an identity but are not authentication factors themselves.
What are certificates in the context of identity?
Stored on a system or paired with a device to identify systems or individuals
Certificates can be used for both devices and individual identities.
What are tokens?
Physical devices that present a certificate or information
Tokens may generate a code or connect via USB/Bluetooth.
What are SSH keys?
Cryptographic representations of identity replacing a username and password
SSH keys enhance security by eliminating the need for traditional credentials.
What do smartcards use for identity verification?
An embedded chip
Smartcards can be contactless or require a physical chip reader and often generate key pairs on the card.
What is a common issue with key pairs?
Exposed or lost key pairs can create security hassles
Common problems include uploading private keys to public repositories.
What is a common poor practice related to key pairs?
Poor passphrase management or using a blank passphrase
This is particularly concerning for SSH keys.
How do cloud service providers handle key pair security?
They monitor for uploads to third-party services and subsequent exploits
Training developers and administrators on proper handling is crucial.
What is critical for the security of smartcards?
The security of the card and its key generation/storage
Well-designed smartcards generate key pairs on the card to prevent unauthorized copies.
What is the purpose of authentication?
To prove that a subject’s identity is theirs.
What does authorization verify?
What you have access to.
What are the two main functions of authentication and authorization combined?
- Verify who you are
- Allow access to resources based on authorization
What does SSO stand for?
Single Sign-On
List three authentication protocols mentioned in the text.
- EAP
- CHAP
- RADIUS
What is the Extensible Authentication Protocol (EAP) commonly used for?
Wireless network authentication.
What is the Challenge Handshake Authentication Protocol (CHAP) designed to provide?
More security than earlier protocols like PAP.
What standard does 802.1X represent?
Network access control (NAC).
What is RADIUS used for?
Authentication, authorization, and accounting (AAA) for network devices.
True or False: RADIUS operates in a client-server model.
True.
What does TACACS+ provide in addition to authentication?
Authorization and accounting services.
What are the three main elements of Kerberos users?
- Primary
- Instance
- Realms
Fill in the blank: Single sign-on systems allow a user to log in with a single identity and then use multiple systems or services without _______.
reauthenticating
What is the Lightweight Directory Access Protocol (LDAP) commonly used for?
Identity management infrastructure and organizational directory.
What is the Security Assertion Markup Language (SAML)?
An XML-based open standard for exchanging authentication and authorization information.
What is OpenID used for?
Decentralized authentication.
What does OAuth allow users to do?
Determine what information to provide to third-party applications without sharing credentials.
What is the role of an identity provider (IdP) in federated identity deployments?
Manage the life cycle of digital identities and provide authentication services.
What is attestation?
A formal verification that something is true.
What is a relying party (RP)?
A party that requires authentication and identity claims from an IdP.
What is interoperability in the context of identity management?
The ability to connect different organizations together using standards-based technologies.
List two technologies used for federated authentication.
- OpenID Connect
- SAML
What is a common use case for cloud service providers regarding identity management?
Support some form of identity federation.
What is the core of the authentication process?
Proving that the claimed identity belongs to the user.
What is the most common means of authentication?
Using a password.
What are two major flaws of passwords?
- Can be stolen and used by third parties
- Susceptible to brute-force attacks.
What is multifactor authentication (MFA)?
A security process that requires multiple forms of verification.
What are the password best practices recommended by NIST?
- Use Show Password to prevent typos
- Use password managers
- Store secrets securely using salting and secure hashing
- Lock accounts after multiple attempts
- Employ multifactor authentication.
Fill in the blank: Passwords should be stored securely using _______.
salting and secure hashing methods.
What does NIST recommend regarding password complexity?
Reduce complexity requirements and emphasize length.
What is one of the primary benefits of using a password manager?
Reduction in password reuse.
What happens when a password manager is breached?
User secrets, such as master passwords and MFA seeds, may be exposed.
What is passwordless authentication?
Authentication relying on something you have or are, rather than a password.
What are some factors that can be used in passwordless authentication?
- Security tokens
- One-time password applications
- Biometric factors.
True or False: Multifactor authentication can help reduce risks associated with compromised passwords.
True.
What are the four factors defined by the Security+ exam outline for MFA?
- Something you know
- Something you have
- Something you are
- Somewhere you are.
What is a one-time password (OTP)?
A password that is usable only once.
What are the two primary models for generating one-time passwords?
- Time-based one-time passwords (TOTP)
- HMAC-based one-time passwords (HOTP).
How can TOTP passwords be generated?
Using an algorithm that derives a one-time password based on the current time.
What is a common attack against one-time passwords?
Tricking users into providing their OTP.
What does the acronym HMAC stand for?
Hash-based Message Authentication Codes.
What are some common biometric technologies?
- Fingerprints
- Retina scans
- Voice prints.
Fill in the blank: The FIDO2 standard supports both the W3C Web Authentication specification and the _______.
Client to Authenticator Protocol (CTAP).
What are the risks associated with using SMS for OTP?
Can be redirected using a cloned SIM or compromised VoIP systems.
What is the purpose of password expiration dates?
To ensure passwords are not used for extended periods of time.
True or False: Password managers are only available as third-party applications.
False.
What are static codes in the context of one-time passwords?
Pre-generated codes that do not require a device or connectivity.
What are biometric factors?
They rely on the unique physiology of the user to validate their identity.
Examples include voice prints and gait.
Name three common biometric technologies.
- Fingerprints
- Retina scanning
- Iris recognition
What is the purpose of fingerprint scanning?
To check the unique patterns of ridges and valleys on fingertips using scanners.
Used in devices like Windows laptops and mobile devices.
How does retina scanning identify users?
It uses the unique patterns of blood vessels in the retina.
This method is distinct from iris recognition.
What is the difference between iris recognition and retina scanning?
Iris recognition uses pattern recognition and infrared imaging, while retina scanning uses blood vessel patterns.
Iris recognition can be performed from a greater distance.
What technology is used for facial recognition?
It matches specific features to an original image in a database.
Widely used in Apple iPhone for Face ID.
Describe voice recognition systems.
They rely on patterns, rhythms, and sounds of a user’s voice to recognize the user.
What is vein recognition?
It uses scanners to see the pattern of veins in a user’s finger or arm.
Unlike fingerprint scanners, vein scanners do not require contact.
What does gait analysis measure?
It measures how a person walks to identify them.
Define Type I errors in biometric systems.
False rejection rate (FRR), where a legitimate biometric measure is presented but rejected.
What are Type II errors in biometric systems?
False acceptance errors, measured as the false acceptance rate (FAR), where an unauthorized biometric factor is accepted.
What does the receiver operating characteristic (ROC) compare?
It compares the FRR against the FAR of a system.
What is the FIDO Alliance’s FRR threshold for certification?
3 percent of attempts for FRR and 0.01 percent for FAR for their basic BioLevel1 requirement.
What is the Imposter Attack Presentation Match Rate (IAPMR)?
It measures how often an attack will succeed against a biometric system.
Why did retina scanners fail to gain popularity?
Most people do not want to bend over and peer into a retina scanner.
What challenges have early fingerprint scanners faced?
They struggled to scan many fingerprints, especially from users with worn fingerprints.
This can be due to manual labor or chemical exposure.
What is a consideration when deploying biometric systems?
User acceptance must be assessed, and backup methods should be available for some users.
True or False: Biometric systems are always easy to deploy.
False
What shows the successful implementation of biometric factors?
The broad usage of Apple’s Face ID and Touch ID, along with Android’s fingerprint readers.
What is required to claim an identity and access a system or service?
An account
Accounts contain information about a user, including rights and permissions.
What are the basic account types?
- User accounts
- Privileged or administrative accounts
- Shared and generic accounts
- Guest accounts
- Service accounts
These account types vary in their permissions and intended use.
What is a user account?
Accounts that range from basic access to systems up to power users with broad rights
Example: Windows Standard User account.
What defines privileged or administrative accounts?
Accounts like the root account on Linux, Unix systems, and the Windows Administrator account
These accounts have elevated permissions.
What are shared and generic accounts?
Accounts often prohibited by security policies, useful but problematic for tracking actions
Organizations may use delegation to avoid shared account issues.
What are guest accounts?
Accounts for temporary users with limited privileges and minimal user information
They typically have very restricted access.
What are service accounts?
Accounts associated with applications and services, not for interactive logins
Organizations enforce security policies for service accounts.
What are the two most important phases in the user account life cycle?
- Provisioning (creation)
- Deprovisioning (termination)
These phases are critical for account management.
What occurs during account provisioning?
Creation of the account and setting of resources, permissions, and attributes
May involve identity proofing.
What is identity proofing?
The process of verifying the identity of the person claiming the account
Commonly involves government IDs and personal information.
What is the concept of least privilege?
The practice of granting users only the minimum permissions necessary for their roles
A key aspect of permission management.
What is permission creep?
The accumulation of excessive permissions by users over time
Often occurs when users take on new roles without proper permission review.
What is the preferred method of account termination?
Complete removal of the account
This reduces the risk of dormant accounts being compromised.
What is privileged access management (PAM)?
Tools used to manage administrative and privileged accounts
Focus on maintaining least privilege and providing granular controls.
What are just-in-time (JIT) permissions?
Permissions granted and revoked only when needed
Helps prevent ongoing access when not necessary.
What is password vaulting?
A method to access privileged accounts without knowing the password
Allows for logged, auditable events related to credential use.
What are ephemeral accounts?
Temporary accounts with limited lifespans
Used for specific purposes or guests, requiring proper deprovisioning.
What is the purpose of access control schemes?
To determine which users, services, and programs can access various files or other objects.
What does Mandatory Access Control (MAC) rely on?
The operating system to enforce control as set by a security policy administrator.
True or False: In a MAC implementation, users can change the security policies set centrally.
False.
Where are MAC implementations commonly found?
In high-security systems like SELinux and Windows as Mandatory Integrity Control (MIC).
What is Discretionary Access Control (DAC)?
An access control scheme that allows owners to delegate rights and permissions to objects.
Fill in the blank: The owner of a file in DAC can set permissions for the ______, group, or world.
[owner]
What is the main principle behind Role-Based Access Control (RBAC)?
Roles are matched with privileges assigned to those roles.
List the three primary rules of RBAC.
- Role assignment
- Role authorization
- Permission authorization
True or False: RBAC systems allow subjects to have multiple roles.
True.
What is Rule-Based Access Control (RuBAC)?
An access control method applied using a set of rules or access control lists (ACLs).
What is an example of Rule-Based Access Control?
A firewall ruleset.
What does Attribute-Based Access Control (ABAC) rely on?
Policies driven by attributes of the users.
What is a key advantage of ABAC systems?
Flexibility due to complex rulesets based on combinations of attributes.
What is a downside of ABAC policies?
They can be complex to manage well.
What do time-of-day restrictions limit?
When activities can occur.
Fill in the blank: The concept of _______ states that accounts should only be given the minimum permissions necessary.
[least privilege]
What do filesystem controls determine?
Which accounts, users, groups, or services can perform actions like reading, writing, and executing files.
What does the Linux permission string ‘drwxrwxrwx’ indicate?
It shows the type of file and user, group, and world permissions.
How can Windows file permissions be set?
Using the command line or the GUI.
What does the ‘Modify’ permission in Windows allow?
Viewing as well as changing files or folders.
What is a common attack that exploits weak filesystem permissions?
Directory traversal attacks.
What is identity and access management?
A key element in organizational security.
What is authentication?
The process of proving your claim to an identity by providing one or more factors.
What are the factors involved in authentication?
They include:
* Something you know
* Something you have
* Something you are
* Somewhere you are
What does authorization provide to authenticated users?
Privileges and rights needed to accomplish their roles.
What types of user accounts exist?
They range from:
* Guest users
* Normal users
* Service accounts
* Privileged administrative accounts
What do account policies shape?
Details and requirements for each account, including when accounts should be locked out or disabled.
Name some common authentication methods and technologies.
Examples include:
* RADIUS
* LDAP
* EAP
* CHAP
* OAuth
* OpenID
* SAML
What is the purpose of single sign-on (SSO)?
Allows users to log in once and use their identities throughout many systems.
What is federation in identity management?
Uses identity providers to authenticate users for various service providers without needing a distinct identity.
What enables interoperability between identity and authorization systems?
Standards and shared protocols.
What is attestation in the context of identity management?
Validation that a user or identity belongs to the user claiming it.
How has multifactor authentication impacted password security?
It has limited problems such as password theft, reuse, and brute-force attacks.
What is biometric authentication?
Uses physical traits such as fingerprint, retina print, or facial recognition.
What is critical to know about biometric authentication?
How often it incorrectly allows the wrong person in or rejects a legitimate user.
What types of authentication tokens are commonly used?
Both hardware- and software-based authentication tokens.
What are hardware security keys?
Increasingly common authentication tokens.
What do password vaults provide?
Cryptographically secured storage to keep passwords secure.
What has changed regarding password best practices?
Focus has shifted to length as the primary control to avoid brute forcing.
What is passwordless authentication?
Replacing passwords with secure tokens or applications.
Name some access control schemes.
They include:
* Attribute-based access control
* Discretionary access control
* Mandatory access control
* Role-based access control
What does privileged access management ensure?
That administrative users are well managed.
What are just-in-time permissions?
A technique used in privileged access management systems.
What are ephemeral accounts?
Temporary accounts used in privileged access management.
Linux file permissions
A. Linux file permissions are read left to right: the first three characters indicate read, write, and execute permissions (rwx) for the owner of the file, the second three apply to the group, and the last three to all other users. Any permission shown as a - is not allowed for that set.
Windows