Access Control and Identity Management

Question 1

AAA Model

Answer 1

Authentication
Authorization
Accounting

Question 2

POLA/POLP

Answer 2

Principles of Least Access

Principles of Least Privilege

Question 3

Identification

Answer 3

Process of IDing an entity for authentication
User ID guidelines:
* Uniqueness
* Non-descriptive (doesn’t say job)
* Issuance secure (process of getting ID)
Most common forms:
* User Name, User ID, Acct Number

Question 4

Authentication

Answer 4

Verifies users ID
One or more of three factors:
* Something you know
** Passwords/PINs
* Something you have
** ATM Card, CAC, Tokens
* Something you are

Question 5

Authentication Tokens Types

Answer 5

Passive or Stored Value
* Storage device that store some kind of key
* Magnetic strip or bar code
* Static password
Active
* Processor that computes one-time password
* Synchronous Dynamic Token
* Asynchronous Dynamic Token

Question 6

Type 1 Authentication Methods

Answer 6

Something you know

Passwords/PINs

Question 7

Type 2 Authentication Methods

Answer 7

Something you have

ATM card, CAC, Tokens

Question 8

Type 3 Authentication Methods

Answer 8

Something you are

Biometrics

Question 9

CER

Answer 9

Crossover Error Rate

Least amount of both False Reject Rate and False Accept Rate

Question 10

Strong Authentication

Answer 10

Multiple types of the same factor

Eg. Two “somethings you have”

Question 11

SSO

Answer 11

Single Sign On

Authenticate only once

Eg uses SSO: Kerberos, SESAME, directory services

Question 12

Kerberos

Answer 12

Principal - device on network
Realm - like a domain
KDC (Key Distribution Center)
* AS (Authentication Server)
* TGS (Ticket-Granting Server)
* TGT (Ticket-Granting Ticket)
* RTGS (Remote Ticket-Granting Service)

Question 13

X.500 Standard

Answer 13

For Directory Services

Question 14

Directory Services

Answer 14

Logical means of organizing resources

ACLs to control access to resources

Question 15

LDAP

Answer 15

Lightweight Directory Access Protocol

Standardized directory access protocol
Allows queries to be made of directories
X.500 Standard
Port 389
Port 636 for LDAP over TLS/SSL

Question 16

Types of LDAP Authentication

Answer 16

Anonymous:
* Username only
Simple:
Name/Password in clear
Uses Port 389; port 636 over SSL
SASL for secure

Question 17

SASL

Answer 17

Simple Authentication and Security Layer

Can utilize Kerberos, MD5, S/Key, IPSec, TLS

Question 18

DIT

Answer 18

Directory Information Tree

Question 19

Microsoft’s Active Directory

Answer 19

Directory Services

Backbone for all security, access, and network implementations.
One or more servers manage
Tree structure

Question 20

RADIUS

Answer 20

Remote Authentication Dial-In User Service

Centralized system for AAA
Supports PAP, CHAP and EAP
Only password is encrypted
UDP 1812 (Authentication), 1813 (Accounting)

Client = network access server
Server = stores all authentication and network access information

Ability to audit and account

Question 21

Diameter

Answer 21

AAA protocol suite designed to handle broadband and other connections

End-to-end encryption through IPSec, TLS or both

Mutual authentication

TCP port 3868

Question 22

TACACS+

Answer 22

Terminal Access Controller Access Control System

Alternative to RADIUS
Cisco product
AAA performed separately
Supports PAP, CHAP and EAP
Multi-factor authentication
Encrypts entire body of authentication packet

TCP port 49

Question 23

Implicit/Explicit Deny

Answer 23

Implicit: By not specifically allowing access.
Explicit: By specifically denying

Question 24

Least Privilege

Answer 24

Just what they NEED to do their job not what they WANT.

Question 25

Need-to-know

Answer 25

You don’t need to know everything

Question 26

Separation of Duties

Answer 26

Prevents fraud by requiring more than one person complete a critical process

Question 27

Job Rotation

Answer 27

Rotate critical jobs so all data is not in the hands of one person.

Question 28

Mandatory Vacation

Answer 28

Used by co to check for fraudulent workers

Question 29

Non-Discretionary Access Controls

Answer 29

MAC - Mandatory Access Control
RBAC - Role-Based Access Control
- Rule based Access Control

Question 30

DAC

Answer 30

Discretionary Access Control

Each object has an owner
Owner establishes privileges
Allows info to be shared easily
Access granted/denied based on ACL

Question 31

MAC

Answer 31

Mandatory Access Control

• Security clearance sensitivity levels
• Access based on clearance and need to know

Question 32

RBAC

Answer 32

Role-Based Access Control

• Based on responsibilities that come with your role
• Review frequently to prevent privilege creep

Question 33

Rule-Based Access Control

Answer 33

Form of ACL that looks at every request and compares them
Access granted depending on result
Firewalls and Routers

Question 34

ACL

Answer 34

Access Control List

Hold permissions for users/groups
Each entry can specify type of access

Eg. Read-only, Change, Full control

Question 35

Privileges

Answer 35

Given because of where they work or the group they belong to

Question 36

Rights

Answer 36

Assigned to an individual based upon need to know

Question 37

Permissions

Answer 37

Based upon need to know
File controls (read, write, modify, etc.)

Question 38

Privilege Creep

Answer 38

Individuals gain a higher level of access than they normally need

Usually because of temporary access, accidentally, transferring depts.

Question 39

Privilege Escalation

Answer 39

Vertical
* Lower privilege users access functions or content reserved for higher privilege users
Horizontal
* Normal user accesses functions/content reserved for other users.