Access Control and Identity Management Flashcards

1
Q

AAA Model

A

Authentication
Authorization
Accounting

2
Q

POLA/POLP

A

Principles of Least Access

Principles of Least Privilege

3
Q

Identification

A

Process of identifying an entity prior to authentication
User ID guidelines:
* Uniqueness
* Non-descriptive (does not reveal the job role)
* Secure issuance (the process of obtaining an ID)
Most common forms:
* User Name, User ID, Account Number

4
Q

Authentication

A
Verifies the user's ID
One or more of three factors:
* Something you know
** Passwords/PINs
* Something you have
** ATM Card, CAC, Tokens
* Something you are
** Biometrics
5
Q

Authentication Tokens Types

A
Passive or Stored Value
* Storage device that stores some kind of key
* Magnetic stripe or bar code
* Static password
Active
* Processor that computes a one-time password
* Synchronous Dynamic Token
* Asynchronous Dynamic Token
6
Q

Type 1 Authentication Methods

A

Something you know

Passwords/PINs

7
Q

Type 2 Authentication Methods

A

Something you have

ATM card, CAC, Tokens

8
Q

Type 3 Authentication Methods

A

Something you are

Biometrics

9
Q

CER

A

Crossover Error Rate

Least amount of both False Reject Rate and False Accept Rate

10
Q

Strong Authentication

A

Multiple types of the same factor

E.g. two "something you have" factors

11
Q

SSO

A

Single Sign On

Authenticate only once

E.g. systems using SSO: Kerberos, SESAME, directory services

12
Q

Kerberos

A
Principal - device on network
Realm - like a domain
KDC (Key Distribution Center)
* AS (Authentication Server)
* TGS (Ticket-Granting Server)
* TGT (Ticket-Granting Ticket)
* RTGS (Remote Ticket-Granting Service)
13
Q

X.500 Standard

A

For Directory Services

14
Q

Directory Services

A

Logical means of organizing resources

ACLs to control access to resources

15
Q

LDAP

A

Lightweight Directory Access Protocol

Standardized directory access protocol
Allows queries to be made of directories
Based on the X.500 Standard
Port 389
Port 636 for LDAP over TLS/SSL
16
Q

Types of LDAP Authentication

A
Anonymous:
* Username only
Simple:
* Name/password sent in the clear
* Uses port 389; port 636 over SSL
SASL for secure authentication
17
Q

SASL

A

Simple Authentication and Security Layer

Can utilize Kerberos, MD5, S/Key, IPSec, TLS

18
Q

DIT

A

Directory Information Tree

19
Q

Microsoft’s Active Directory

A

Directory Services

Backbone for all security, access, and network implementations.
Managed by one or more servers
Tree structure

20
Q

RADIUS

A

Remote Authentication Dial-In User Service

Centralized system for AAA
Supports PAP, CHAP and EAP
Only password is encrypted
UDP 1812 (Authentication), 1813 (Accounting)

Client = network access server
Server = stores all authentication and network access information

Ability to audit and account

21
Q

Diameter

A

AAA protocol suite designed to handle broadband and other connections

End-to-end encryption through IPSec, TLS or both

Mutual authentication

TCP port 3868

22
Q

TACACS+

A

Terminal Access Controller Access Control System

Alternative to RADIUS
Cisco product
AAA functions performed separately
Supports PAP, CHAP and EAP
Multi-factor authentication
Encrypts entire body of authentication packet

TCP port 49

23
Q

Implicit/Explicit Deny

A

Implicit: access is denied by not being specifically allowed.
Explicit: access is specifically denied.

24
Q

Least Privilege

A

Just what they NEED to do their job, not what they WANT.

25
Q

Need-to-know

A

You don’t need to know everything

26
Q

Separation of Duties

A

Prevents fraud by requiring more than one person to complete a critical process

27
Q

Job Rotation

A

Rotate critical jobs so all data is not in the hands of one person.

28
Q

Mandatory Vacation

A

Used by a company to check for fraudulent workers

29
Q

Non-Discretionary Access Controls

A

MAC - Mandatory Access Control
RBAC - Role-Based Access Control
Rule-Based Access Control

30
Q

DAC

A

Discretionary Access Control

Each object has an owner
Owner establishes privileges
Allows info to be shared easily
Access granted/denied based on ACL

31
Q

MAC

A

Mandatory Access Control

* Security clearance sensitivity levels
* Access based on clearance and need to know
32
Q

RBAC

A

Role-Based Access Control

* Based on responsibilities that come with your role
* Review frequently to prevent privilege creep
33
Q

Rule-Based Access Control

A

Form of ACL that examines every request and compares it against a set of rules
Access granted depending on the result
Used by firewalls and routers

34
Q

ACL

A

Access Control List

Hold permissions for users/groups
Each entry can specify type of access

Eg. Read-only, Change, Full control

35
Q

Privileges

A

Given because of where they work or the group they belong to

36
Q

Rights

A

Assigned to an individual based upon need to know

37
Q

Permissions

A
Based upon need to know
File controls (read, write, modify, etc.)
38
Q

Privilege Creep

A

Individuals gain a higher level of access than they normally need

Usually because of temporary access, accidental grants, or transfers between departments.

39
Q

Privilege Escalation

A

Vertical
* Lower-privilege users access functions or content reserved for higher-privilege users
Horizontal
* Normal user accesses functions/content reserved for other users.