Ch2: Identity and Access Management

Question 1

Identification

Answer 1

User claims an identity using an identifier such as a username or email address

Question 2

Authentication

Answer 2

User proves the claimed identity using an authentication mechanism such as a password, and the credentials are verified

Question 3

Access control systems provide…

Answer 3

Authentication, authorization, and accounting (AAA)

Question 4

Authorization

Answer 4

Granting access to resources based on permissions granted to the proven identity

Question 5

Accounting methods…

Answer 5

Track user activity and record the activity in logs (logging) in order to enable creation of an audit trail

Question 6

Complex vs. Strong passwords

Answer 6

Complex passwords use a mix of character types. Strong passwords use a mix of character types AND have a minimum length of 14

Question 7

Before resetting passwords, it’s important to verify…

Answer 7

The user’s identity

Question 8

Best way to manually reset passwords is to…

Answer 8

Create a temporary password that expires after first use

Question 9

Group policy is implemented on…

Answer 9

A domain controller within a domain

Question 10

Group policy is used by administrators to…

Answer 10

Create password policies, implement security settings, configure host-based firewalls, and more

Question 11

GPO

Answer 11

Group Policy Object

Question 12

Elements of password policies include

Answer 12

Password history, min password age, max password age, min password length, and password complexity

Question 13

First factor of authentication

Answer 13

Something you know (like a password or PIN). The weakest factor.

Question 14

Smart cards are used with WHAT factors of authentication?

Answer 14

Two-factor: something you know and something you have

Question 15

Smart cards work by using…

Answer 15

embedded certificates used with digital signatures and encryption

Question 16

HOTP

Answer 16

HMAC-based One-Time Password is an open source standard to create one-time use passwords that do not expire

Question 17

TOTP

Answer 17

Time-based One-Time Password is an open source standard to create one-time use passwords that expire after 30 seconds

Question 18

Third factor of authentication

Answer 18

Something you are (biometrics). The strongest factor since it is the most difficult for an attacker to falsify.

Question 19

Biometric methods include

Answer 19

Fingerprints, retina scans, iris scans, voice recognition, facial recognition (iris and retina are strongest)

Question 20

The measure of a biometric system’s accuracy is called

Answer 20

Crossover Error Rate (CER), and lower CER indicates more accuracy

Question 21

What is Kerberos?

Answer 21

Kerberos is a network authentication protocol within a Microsoft Windows Active Directory domain or Unix realm. It issues timestamped tickets from a KDC (or TGT server) that expire after a certain time period.

Question 22

LDAP

Answer 22

Lightweight Directory Access Protocol specifies formats and methods to query directories. It is based on an earlier version of X.500. Active Directory domains use LDAP to identify objects in query strings. LDAPS encrypts transmissions with TLS.

Question 23

SSO

Answer 23

Single Sign-On enhances security by requiring users to use and remember only one password (no written-down passwords!)

Question 24

SAML

Answer 24

Security Assertion Markup Language is an XML-based standard used to exchange authentication and authorization information between different parties. Provides SSO for web-based apps.

Question 25

Least privilege is a _ control

Answer 25

Technical

Question 26

Least privilege

Answer 26

Specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks

Question 27

Requiring administrators to use 2 accounts helps…

Answer 27

prevent privilege escalation attacks

Question 28

Account disablement policy

Answer 28

Identifies what to do with accounts for employees who leave

Question 29

Disabling vs. deleting accounts

Answer 29

Disabled accounts allow data and security keys to remain available. Deleted accounts do not

Question 30

Time-of-day restrictions

Answer 30

Prevents users from logging on during restricted times, and logged-on users from accessing resources during certain times

Question 31

Location-based restrictions

Answer 31

Restrict user access based on the location of the user (similar to time-of-day restrictions)

Question 32

Account expiration dates are useful for

Answer 32

Temporary accounts such as temporary contractors

Question 33

RBAC model (role-based)

Answer 33

Access control model that uses roles based on jobs and functions to control access

Question 34

RBAC matrix (role-based)

Answer 34

Planning document that matches roles with the required privileges

Question 35

Group-based privileges

Answer 35

Users are added to groups and inherit the privileges assigned to the group. Admins have a reduced workload since they simply create groups with defined privileges, then add users as needed.

Question 36

RBAC model (rule-based)

Answer 36

RBAC is based on a set of approved instructions, such as an ACL (access control list). Some RBAC systems use rules that trigger in response to an event (e.g. modifying ACLs after an attack)

Question 37

DAC model

Answer 37

The discretionary access control model specifies that every object has an owner, and the owner has full, explicit control of the object. (NTFS uses DAC model)

Question 38

MAC model

Answer 38

The mandatory access control model uses sensitivity labels for users and data (think classifications). Commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect classification levels of data and clearances granted to individuals

Question 39

ABAC model

Answer 39

The attribute-based access control model uses attributes defined in policies to grant access to resources (commonly used in SDNs)