Ch2: Identity and Access Management Flashcards

1
Q

Identification

A

User claims an identity using an identifier such as a username or email address

2
Q

Authentication

A

User proves the claimed identity using an authentication mechanism such as a password, and the credentials are verified

3
Q

Access control systems provide…

A

Authentication, authorization, and accounting (AAA)

4
Q

Authorization

A

Granting access to resources based on permissions granted to the proven identity

5
Q

Accounting methods…

A

Track user activity and record the activity in logs (logging) in order to enable creation of an audit trail

6
Q

Complex vs. Strong passwords

A

Complex passwords use a mix of character types. Strong passwords use a mix of character types AND have a minimum length of 14

7
Q

Before resetting passwords, it’s important to verify…

A

The user’s identity

8
Q

Best way to manually reset passwords is to…

A

Create a temporary password that expires after first use

9
Q

Group policy is implemented on…

A

A domain controller within a domain

10
Q

Group policy is used by administrators to…

A

Create password policies, implement security settings, configure host-based firewalls, and more

11
Q

GPO

A

Group Policy Object

12
Q

Elements of password policies include

A

Password history, min password age, max password age, min password length, and password complexity

13
Q

First factor of authentication

A

Something you know (like a password or PIN). The weakest factor.

14
Q

Smart cards are used with WHAT factors of authentication?

A

Two-factor: something you know and something you have

15
Q

Smart cards work by using…

A

embedded certificates used with digital signatures and encryption

16
Q

HOTP

A

HMAC-based One-Time Password is an open source standard to create one-time use passwords that do not expire

17
Q

TOTP

A

Time-based One-Time Password is an open source standard to create one-time use passwords that expire after 30 seconds

18
Q

Third factor of authentication

A

Something you are (biometrics). The strongest factor since it is the most difficult for an attacker to falsify.

19
Q

Biometric methods include

A

Fingerprints, retina scans, iris scans, voice recognition, facial recognition (iris and retina are strongest)

20
Q

The measure of a biometric system’s accuracy is called

A

Crossover Error Rate (CER), and lower CER indicates more accuracy

21
Q

What is Kerberos?

A

Kerberos is a network authentication protocol within a Microsoft Windows Active Directory domain or Unix realm. It issues timestamped tickets from a KDC (or TGT server) that expire after a certain time period.

22
Q

LDAP

A

Lightweight Directory Access Protocol specifies formats and methods to query directories. It is based on an earlier version of X.500. Active Directory domains use LDAP to identify objects in query strings. LDAPS encrypts transmissions with TLS.

23
Q

SSO

A

Single Sign-On enhances security by requiring users to use and remember only one password (no written-down passwords!)

24
Q

SAML

A

Security Assertion Markup Language is an XML-based standard used to exchange authentication and authorization information between different parties. Provides SSO for web-based apps.

25
Q

Least privilege is a _ control

A

Technical

26
Q

Least privilege

A

Specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks

27
Q

Requiring administrators to use 2 accounts helps…

A

prevent privilege escalation attacks

28
Q

Account disablement policy

A

Identifies what to do with accounts for employees who leave

29
Q

Disabling vs. deleting accounts

A

Disabled accounts allow data and security keys to remain available. Deleted accounts do not

30
Q

Time-of-day restrictions

A

Prevents users from logging on during restricted times, and logged-on users from accessing resources during certain times

31
Q

Location-based restrictions

A

Restrict user access based on the location of the user (similar to time-of-day restrictions)

32
Q

Account expiration dates are useful for

A

Temporary accounts such as temporary contractors

33
Q

RBAC model (role-based)

A

Access control model that uses roles based on jobs and functions to control access

34
Q

RBAC matrix (role-based)

A

Planning document that matches roles with the required privileges

35
Q

Group-based privileges

A

Users are added to groups and inherit the privileges assigned to the group. Admins have a reduced workload since they simply create groups with defined privileges, then add users as needed.

36
Q

RBAC model (rule-based)

A

RBAC is based on a set of approved instructions, such as an ACL (access control list). Some RBAC systems use rules that trigger in response to an event (e.g. modifying ACLs after an attack)

37
Q

DAC model

A

The discretionary access control model specifies that every object has an owner, and the owner has full, explicit control of the object. (NTFS uses the DAC model)

38
Q

MAC model

A

The mandatory access control model uses sensitivity labels for users and data (think classifications). Commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect classification levels of data and clearances granted to individuals

39
Q

ABAC model

A

The attribute-based access control model uses attributes defined in policies to grant access to resources (commonly used in SDNs)