Access Control and Identity Management Flashcards

1
Q

AAA Model

A

Authentication
Authorization
Accounting

2
Q

POLA/POLP

A

Principle of Least Access

Principle of Least Privilege

3
Q

Identification

A

Process of identifying an entity for authentication
User ID guidelines:
* Uniqueness
* Non-descriptive (doesn't reveal the job)
* Secure issuance (the process of obtaining an ID)
Most common forms:
* User name, user ID, account number

4
Q

Authentication

A
Verifies a user's ID
One or more of three factors:
* Something you know
** Passwords/PINs
* Something you have
** ATM card, CAC, tokens
* Something you are
** Biometrics
5
Q

Authentication Tokens Types

A
Passive or Stored Value
* Storage device that stores some kind of key
* Magnetic stripe or bar code
* Static password
Active
* Processor that computes a one-time password
* Synchronous dynamic token
* Asynchronous dynamic token
6
Q

Type 1 Authentication Methods

A

Something you know

Passwords/PINs

7
Q

Type 2 Authentication Methods

A

Something you have

ATM card, CAC, Tokens

8
Q

Type 3 Authentication Methods

A

Something you are

Biometrics

9
Q

CER

A

Crossover Error Rate

Point at which the False Reject Rate and the False Accept Rate are equal

10
Q

Strong Authentication

A

Multiple types of the same factor

E.g. two "something you have" methods

11
Q

SSO

A

Single Sign On

Authenticate only once

Examples that use SSO: Kerberos, SESAME, directory services

12
Q

Kerberos

A
Principal - device on network
Realm - like a domain
KDC (Key Distribution Center)
* AS (Authentication Server)
* TGS (Ticket-Granting Server)
* TGT (Ticket-Granting Ticket)
* RTGS (Remote Ticket-Granting Service)
13
Q

X.500 Standard

A

For Directory Services

14
Q

Directory Services

A

Logical means of organizing resources

ACLs to control access to resources

15
Q

LDAP

A

Lightweight Directory Access Protocol

Standardized directory access protocol
Allows queries to be made of directories
X.500 Standard
Port 389
Port 636 for LDAP over TLS/SSL
16
Q

Types of LDAP Authentication

A
Anonymous:
* Username only
Simple:
* Name/password sent in the clear
* Uses port 389; port 636 over SSL
SASL:
* For secure authentication
17
Q

SASL

A

Simple Authentication and Security Layer

Can utilize Kerberos, MD5, S/Key, IPSec, TLS

18
Q

DIT

A

Directory Information Tree

19
Q

Microsoft’s Active Directory

A

Directory Services

Backbone for all security, access, and network implementations
Managed by one or more servers
Tree structure

20
Q

RADIUS

A

Remote Authentication Dial-In User Service

Centralized system for AAA
Supports PAP, CHAP and EAP
Only the password is encrypted
UDP 1812 (authentication), 1813 (accounting)

Client = network access server
Server = stores all authentication and network access information

Ability to audit and account

21
Q

Diameter

A

AAA protocol suite designed to handle broadband and other connections

End-to-end encryption through IPSec, TLS or both

Mutual authentication

TCP port 3868

22
Q

TACACS+

A

Terminal Access Controller Access Control System

Alternative to RADIUS
Cisco product
AAA functions performed separately
Supports PAP, CHAP and EAP
Multi-factor authentication
Encrypts the entire body of the authentication packet

TCP port 49

23
Q

Implicit/Explicit Deny

A

Implicit: access is denied by not specifically allowing it
Explicit: access is specifically denied

24
Q

Least Privilege

A

Just what they NEED to do their job, not what they WANT.

25
Q

Need-to-know

A

You don't need to know everything

26
Q

Separation of Duties

A

Prevents fraud by requiring more than one person to complete a critical process

27
Q

Job Rotation

A

Rotate critical jobs so that all data is not in the hands of one person.

28
Q

Mandatory Vacation

A

Used by a company to check for fraudulent workers

29
Q

Non-Discretionary Access Controls

A

* MAC - Mandatory Access Control
* RBAC - Role-Based Access Control
* Rule-Based Access Control

30
Q

DAC

A

Discretionary Access Control
* Each object has an owner
* Owner establishes privileges
* Allows info to be shared easily
* Access granted/denied based on ACL

31
Q

MAC

A

Mandatory Access Control
* Security clearance sensitivity levels
* Access based on clearance and need to know

32
Q

RBAC

A

Role-Based Access Control
* Based on responsibilities that come with your role
* Review frequently to prevent privilege creep

33
Q

Rule-Based Access Control

A

Form of ACL that looks at every request and compares it against the rules
Access granted or denied depending on the result
Used by firewalls and routers

34
Q

ACL

A

Access Control List
Holds permissions for users/groups
Each entry can specify the type of access
E.g. Read-only, Change, Full control

35
Q

Privileges

A

Given because of where they work or the group they belong to

36
Q

Rights

A

Assigned to an individual based upon need to know

37
Q

Permissions

A

Based upon need to know
File controls (read, write, modify, etc.)

38
Q

Privilege Creep

A

Individuals gain a higher level of access than they normally need
Usually because of temporary access, accidental grants, or transferring departments

39
Q

Privilege Escalation

A

Vertical
* Lower-privilege users access functions or content reserved for higher-privilege users
Horizontal
* Normal user accesses functions/content reserved for other users