Ch2: Identity and Access Management Flashcards
Identification
User claims an identity using an identifier such as a username or email address
Authentication
User proves the claimed identity using an authentication mechanism such as a password, and the credentials are verified
Access control systems provide…
Authentication, authorization, and accounting (AAA)
Authorization
Granting access to resources based on permissions granted to the proven identity
Accounting methods…
Track user activity and record the activity in logs (logging) in order to enable creation of an audit trail
Complex vs. Strong passwords
Complex passwords use a mix of character types. Strong passwords use a mix of character types AND have a minimum length of 14
Before resetting passwords, it’s important to verify…
The user’s identity
Best way to manually reset passwords is to…
Create a temporary password that expires after first use
Group policy is implemented on…
A domain controller within a domain
Group policy is used by administrators to…
Create password policies, implement security settings, configure host-based firewalls, and more
GPO
Group Policy Object
Elements of password policies include
Password history, min password age, max password age, min password length, and password complexity
First factor of authentication
Something you know (like a password or PIN). The weakest factor.
Smart cards are used with WHAT factors of authentication?
Two-factor: something you know and something you have
Smart cards work by using…
Embedded certificates used with digital signatures and encryption
HOTP
HMAC-based One-Time Password is an open standard for creating one-time passwords that do not expire
TOTP
Time-based One-Time Password is an open standard for creating one-time passwords that expire after 30 seconds
Third factor of authentication
Something you are (biometrics). The strongest factor since it is the most difficult for an attacker to falsify.
Biometric methods include
Fingerprints, retina scans, iris scans, voice recognition, facial recognition (iris and retina are strongest)
The measure of a biometric system’s accuracy is called
Crossover Error Rate (CER); a lower CER indicates higher accuracy
What is Kerberos?
Kerberos is a network authentication protocol within a Microsoft Windows Active Directory domain or Unix realm. It issues timestamped tickets from a KDC (or TGT server) that expire after a certain time period.
LDAP
Lightweight Directory Access Protocol specifies formats and methods to query directories. It is based on an earlier version of X.500. Active Directory domains use LDAP to identify objects in query strings. LDAPS encrypts transmissions with TLS.
SSO
Single Sign-On enhances security by requiring users to use and remember only one password (no written-down passwords!)
SAML
Security Assertion Markup Language is an XML-based standard used to exchange authentication and authorization information between different parties. Provides SSO for web-based apps.
Least privilege is a _ control
Technical
Least privilege
Specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks
Requiring administrators to use 2 accounts helps…
prevent privilege escalation attacks
Account disablement policy
Identifies what to do with accounts for employees who leave
Disabling vs. deleting accounts
Disabled accounts allow the user's data and security keys to remain available. Deleted accounts do not.
Time-of-day restrictions
Prevents users from logging on during restricted times, and logged-on users from accessing resources during certain times
Location-based restrictions
Restrict user access based on the location of the user (similar to time-of-day restrictions)
Account expiration dates are useful for
Temporary accounts such as temporary contractors
RBAC model (role-based)
Access control model that uses roles based on jobs and functions to control access
RBAC matrix (role-based)
Planning document that matches roles with the required privileges
Group-based privileges
Users are added to groups and inherit the privileges assigned to the group. Admins have a reduced workload since they simply create groups with defined privileges, then add users as needed.
RBAC model (rule-based)
Rule-based access control is based on a set of approved instructions, such as an ACL (access control list). Some rule-based systems use rules that trigger in response to an event (e.g. modifying ACLs after an attack)
DAC model
The discretionary access control model specifies that every object has an owner, and the owner has full, explicit control of the object. (NTFS uses the DAC model)
MAC model
The mandatory access control model uses sensitivity labels for users and data (think classifications). Commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect the classification levels of data and the clearances granted to individuals.
ABAC model
The attribute-based access control model uses attributes defined in policies to grant access to resources (commonly used in SDNs)