Chapter 2 Flashcards

1
Q

AAA

A

Authentication, authorization, and accounting

2
Q

Authorization

A

Authentication occurs when the user proves the claimed identity (such as with a password) and the credentials are verified. Users are granted authorization to access resources based on their proven identity. This can be as simple as granting a user permission to read data in a shared folder. Access control systems include multiple security controls to ensure that users can access the resources they’re authorized to use, but no more.

3
Q

Accounting

A

Accounting methods track user activity and record the activity in logs. For example, audit logs track activity, and administrators use these to create an audit trail. An audit trail allows security professionals to re-create the events that preceded a security incident.

4
Q

audit trail

A

Audit logs track user activity and record that activity, and administrators use these logs to create an audit trail. An audit trail allows security professionals to re-create the events that preceded a security incident.

5
Q

Identification

A

Identification occurs when a user claims an identity, such as with a username or email address.

6
Q

The four authentication factors

A

Something you know, such as a password or personal identification number (PIN)

Something you have, such as a smart card, a phone, or a USB token

Something you are, such as a fingerprint or other biometric identification

Somewhere you are, such as your home or office

7
Q

somewhere you are

A

The reason is that location is not really a strong authentication factor by itself. For example, would you trust the fact that someone is located in your home as proof that they are you? Of course not! Location-based authentication is not normally used by itself and is instead treated as an added assurance when combined with one or more of the other three factors.

8
Q

Something You Know

A

The something you know authentication factor typically refers to a shared secret, such as a password or a PIN. This factor is the least secure form of authentication because knowledge can be stolen. If I can find out someone’s password, I can use it to impersonate them.

9
Q

Complex passwords

A

Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum password length of at least eight characters. A password expiration identifies when a password must be changed.

10
Q

password history

A

A password history system remembers past passwords and prevents users from reusing them. It’s common for password policy settings to remember the last 24 passwords and prevent users from reusing them until they’ve used 24 new passwords.

When using password history, it’s common to also use the minimum password age setting. Imagine this is set to 1 day, and the password history is set to 24. After users change their password, they can’t change it again until a day has passed. It’ll take them 24 days of changing their password every day before they can reuse the original password. Otherwise, a crafty user who was determined to keep the same password could just immediately change their password 24 times and then return it to the original password once that password is cleared out of the history!

11
Q

Password Managers

A

A password manager (or password vault) is a single source designed to keep most of your passwords. Instead of requiring you to memorize many different passwords, you only need to remember the password to open the vault. It keeps these passwords in an encrypted format, preventing unauthorized users from seeing them.

For example, Google Chrome includes a password manager built into the browser. Once you log in to Google and enter a username and password at another site, Chrome will ask if you want to save it. Click Save, and Chrome will store your credentials for you. The next time you go to the same site, Chrome will automatically fill in the credentials. Chrome allows you to sync your passwords across multiple devices, too. When you enable this option, your passwords are stored with your Google account. After launching Chrome and logging onto Google, you’ll have access to all your passwords stored with your account.

12
Q

Knowledge-Based Authentication

A

There are two types: static KBA and dynamic KBA.

Static KBA is typically used to verify your identity when you’ve forgotten your password. After creating your account (or when you create your account), you’re prompted to answer questions about yourself, such as your first dog’s name or your mother’s maiden name. Later, when you try to retrieve a forgotten password, you’re first prompted to answer the same questions.

Dynamic KBA identifies individuals without an account. Organizations use this for high-risk transactions, such as with a financial institution or a healthcare company. The site queries public and private data sources like credit reports, vehicle registrations, and property records. It then crafts multiple-choice questions that only the user would know and often includes an answer similar to “none of these apply.” Some examples are: At which of the following addresses have you lived? Which of the following amounts is closest to your mortgage payment? When was your home built?

Users typically have a limited amount of time to answer these questions. This limits the amount of time an attacker can do searches on the Internet to identify accurate answers.

13
Q

KBA

A

Knowledge-based authentication

14
Q

identity proofing

A

Knowledge-based authentication may also be used to help confirm a new user’s identity when they are creating an account for the first time. This process is known as identity proofing. Identity proofing is an important step in the provisioning process that creates accounts for new users as they join the organization.

15
Q

Implementing Account Lockout Policies

A

Accounts will typically have lockout policies preventing users from guessing the password. If a user enters the wrong password too many times (such as three or five times), the system locks the user’s account. Two key phrases associated with account lockout policies on Microsoft systems are:

Account lockout threshold. This is the maximum number of times a user can enter the wrong password. When the user exceeds the threshold, the system locks the account.

Account lockout duration. This indicates how long an account remains locked. It could be set to 30, indicating that the system will lock the account for 30 minutes. After 30 minutes, the system automatically unlocks the account. If the duration is set to 0, the account remains locked until an administrator unlocks it.

Account lockout policies thwart some password attacks, such as brute force attacks and dictionary attacks.

16
Q

default passwords

A

These should be changed before putting the application or device into service. Changing defaults also includes changing the default name of the Administrator account, if possible.

17
Q

something you have

A

The something you have authentication factor refers to something you can physically hold. This section covers many of the common items in this factor, including smart cards, security keys, software tokens, and hardware tokens. It also covers two open-source protocols used with both hardware and software tokens.

18
Q

Smart Card Authentication

A

Smart cards are credit card-sized cards that have an embedded microchip and a certificate. Users insert the smart card into a smart card reader, similar to how someone would insert a credit card into a credit card reader. The smart card reader reads the card’s information, including the details from the embedded digital certificate, which provides certificate-based authentication.

Embedded certificate. The embedded certificate holds a user’s private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others). The private key is used each time the user logs on to a network.

Public Key Infrastructure (PKI). The PKI supports issuing and managing certificates.

Smart cards are often used with two-factor authentication where users have something (the smart card) and know something (such as a password or PIN). Smart cards include embedded certificates used with digital signatures and encryption. They are used to gain access to secure locations and to log on to computer systems.

19
Q

PKI

A

Public Key Infrastructure. The PKI supports issuing and managing certificates. Part of smart card authentication.

20
Q

Embedded certificate

A

Smart card component. The embedded certificate holds a user’s private key (which is only accessible to the user) and is matched with a public key (that is publicly available to others). The private key is used each time the user logs on to a network.

21
Q

security key

A

A security key is an electronic device about the size of a remote key for a car. You can easily carry one in your pocket or purse or connect it to your key chain. The security key is used to authenticate to systems.

The security key contains cryptographic information that completes the authentication process. In this case, the token has a USB connector or wireless interface to connect to your computer or phone.

22
Q

Hard Tokens

A

A hard token (or hardware token) is an electronic device about the size of a remote key for a car. You can easily carry one in your pocket or purse or connect it to your key chain. The token is used to authenticate to systems. The token includes a liquid crystal display (LCD) that displays a number on the screen, such as the one shown in Figure 2.3. This number is known as a one-time password (OTP) and the user provides it to the authentication server to prove that they currently have possession of the token.

23
Q

OTP

A

One-time password

24
Q

Soft Tokens

A

A soft token (or software token) is an application that runs on a user’s smartphone and generates one-time passwords in the same way that hardware tokens display them on their LCD screen.

25
HOTP
Tokens using the HMAC-based One-Time Password (HOTP) algorithm change their code based upon a moving counter. Each time the code is used, both the authentication server and the token use the algorithm with a shared secret key to generate the next code. Since they have the same shared secret, they both generate the same code. You can often identify HOTP tokens by the fact that the user presses a button to generate the next password. HOTP creates a one-time-use password that does not expire until it is used,
26
TOTP
Tokens using the Time-based One-Time Password (TOTP) algorithm change their code based upon the current time. You can recognize TOTP tokens by the fact that their code changes automatically, often every 30-60 seconds. TOTP creates a one-time password that expires after 30-60 seconds.
27
SMS/Push Notifications
Some authentication systems use Short Message Service (SMS) to send one-time passwords to users’ phones. As an example, after you enter your credentials, the system may challenge you by sending a code to your phone and asking you to enter the code on the system. This proves that you have access to the phone. Be careful, though! NIST SP 800-63B (mentioned earlier) points out several vulnerabilities with SMS for two-step authentication and discourages its use. Normally, mobile devices display SMS text on the screen when it arrives. It may also be possible for an attacker to hijack your phone number and reroute the text message to their own device.
28
Push notifications
Push notifications send messages to users on another device, but instead of including a code, they ask the user to acknowledge the request on their phone. Imagine Lisa registered her smartphone with a website. Later, when she accesses the website and enters her username, the site sends a push notification to her phone. She can then approve or decline the access by pressing a button on her smartphone.
29
something you are authentication
Uses biometrics for authentication. Biometrics measure some physical characteristic of the user to confirm their identity. In most cases, biometrics are the strongest form of authentication because they are the most difficult for an attacker to falsify. While you might be able to easily steal someone’s password, it’s much harder to steal their retina!
30
Biometric Methods
The third factor of authentication (something you are, defined with biometrics) is the strongest individual authentication factor. Biometric methods include fingerprint recognition, vein pattern matching, retinal and iris scans, facial recognition, voice recognition, and gait analysis. Iris and retina scans are the strongest biometric methods mentioned in this section. Iris scans are commonly preferred over retinal scans because retinal scans are intrusive and may reveal private medical concerns. Facial recognition and gait analysis can bypass the enrollment process when used for identification instead of authorization.
31
Biometric Efficacy rates
The biometric efficacy rate refers to the performance of the system under ideal conditions. If the system is implemented correctly, it can be very exact. However, if it isn’t implemented correctly, its real-world effectiveness may not match the efficacy rate.

False acceptance. This is when a biometric system incorrectly identifies an unknown user as a registered user. The false acceptance rate (FAR) identifies the percentage of times false acceptance occurs.

False rejection. This is when a biometric system incorrectly rejects a registered user. The false rejection rate (FRR) identifies the percentage of times false rejections occur.

True acceptance. This indicates that the biometric system correctly identified a registered user.

True rejection. This indicates that the biometric system correctly rejected an unknown user.
32
CER
Crossover error rate. Related to biometric efficacy rates. By plotting the FAR and FRR using different sensitivities, you can determine a biometric system’s efficacy. The CER is the point where the FAR crosses over with the FRR. A lower CER indicates that the biometric system is more accurate. In the plot, the system represented with the solid lines is more accurate than the system represented by the dashed lines.
33
Somewhere You Are
The somewhere you are authentication attribute identifies a user’s location. Geolocation is a group of technologies used to identify a user’s location and is the most common method used in this factor. Many authentication systems use the Internet Protocol (IP) address for geolocation. The IP address provides information on the country, region, state, city, and sometimes even the zip code.
34
impossible travel time
The somewhere you are authentication attribute can also be used to identify impossible travel time or risky login situations. As an example, imagine Lisa logs in to her account from her home in Springfield, and then a moment later, someone else logs in to the same account from the Bahamas.
35
Two-Factor and Multifactor Authentication
Two-factor authentication (sometimes called dual-factor authentication) uses two different authentication factors: something you have and something you know, or something you know and something you are. Some examples of two-factor authentication include:

A soft token (something you have) and a password (something you know)

A fingerprint scan (something you are) and a PIN (something you know)

A security key (something you have) and a retinal scan (something you are)

It’s worth noting that using two methods of authentication in the same factor is not two-factor authentication. For example, requiring users to enter a password and a reusable PIN (both in the something you know factor) is single-factor authentication, not two-factor authentication. In this case, the reusable PIN isn’t sent to users via a smartphone. Instead, the user enters a PIN value known only to them, just as if it were a password. Similarly, using a thumbprint and a retina scan is not two-factor authentication because both methods are in the something you are factor.
36
Passwordless Authentication
Remember This! Passwordless authentication is not necessarily multifactor authentication. A single something you have or something you are factor can be used for passwordless authentication.
37
Authentication Log Files
Authentication log files (often collected in a SIEM) record:

What happened: either a login success or failure

When it happened: determined by the time and date stamps

Where it happened: typically an IP address or computer name

Who or what did it: the user account
38
Managing Accounts
Account management is concerned with creating, managing, disabling, and terminating accounts. When the account is active, access control methods are used to control what the user can do. Additionally, administrators use access controls to control when, where, and how users can log on.
39
Credential Policies and Account Types
Credential policies define login policies for different personnel, devices, and accounts. This includes items in the something you know factor (such as passwords) or any other factor or combination of factors. It’s common for an organization to apply credential policies differently to different types of accounts. The following list identifies different account types and the credential policies associated with each:

Personnel or end-user accounts. Most accounts are for regular users or the personnel working in the organization. Administrators create these accounts and then assign appropriate privileges based on the user’s job responsibilities. It’s common to assign a basic credential policy that applies to all personnel. This could be a password policy defining things like the minimum password length, password history, and account lockout policies, as defined earlier in this chapter.

Administrator and root accounts. Administrator and root accounts are privileged accounts that have additional rights and privileges beyond what a regular user has. As an example, someone with administrator privileges on a Windows computer has full control over the Windows computer. Linux systems have a root account, which grants additional privileges, similar to an administrator account on Windows systems. Credential policies require stronger authentication methods for these privileged accounts, such as multifactor authentication. Additionally, privileged access management techniques (described in the next section) apply additional controls to protect these accounts.

Service accounts. Some applications and services need to run under the context of an account, and a service account fills this need. As an example, SQL Server is a database application that runs on a server, and it needs access to resources on the server and the network. Administrators create a regular user account, name it something like sqlservice, assign it appropriate privileges, and configure SQL Server to use this account. Note that this is like a regular end-user account. The only difference is that it’s used by the service or application, not an end user. Credential policies may require long, complex passwords for these accounts, but they should not expire. If the password expires, the account can no longer log on, and the service or application will stop.

Device accounts. Computers and other devices also have accounts, though it isn’t always apparent. As an example, Microsoft Active Directory only allows users to log on to computers joined to the domain. These computers have computer accounts, and Active Directory manages their passwords.

Third-party accounts. Third-party accounts are accounts from external entities that have access to a network. As an example, many organizations use security applications that have administrative access to a network. These should have strong credential policies in place, with strong password policies enforced at a minimum.

Guest accounts. Windows operating systems include a Guest account. These are useful if you want to grant someone limited access to a computer or network without creating a new account. For example, imagine an organization contracts with a temp agency to have someone do data entry. The agency may send a different person every day. Enabling the Guest account for this person would be simpler than creating a new account every day. Administrators commonly disable the Guest account and only enable it in special situations.

Shared and generic accounts/credentials. An organization can create a regular user account that temporary workers will share. Shared accounts are discouraged for normal work. However, if a temp agency is sending someone different every day, a shared account may provide a better solution than a guest account because access can be tailored for the shared account. Basic credential policies apply to shared and generic accounts.
40
PAM
Remember This! Privileged access management (PAM) systems implement stringent security controls over accounts with elevated privileges, such as administrator or root-level accounts. Some capabilities include allowing authorized users to access the administrator account without knowing the password, logging all elevated privilege usage, and automatically changing the administrator account password.

Privileged access management (PAM) allows an organization to apply more stringent security controls over accounts with elevated privileges, such as administrator or root-level accounts. PAM implements the concept of **just-in-time permissions.** In other words, administrators don’t have administrative privileges until they need them. When they need them, their account sends a request for the elevated privileges. The underlying PAM system grants the request, typically by adding the account to a group with elevated privileges. After a pre-set time (such as 15 minutes), their account is automatically removed from the group, revoking the elevated privileges.

PAM systems also safeguard administrative accounts by storing their passwords in a password vault. In many cases, they are set up so that no human ever sees or accesses the password for an administrative account. Instead, the PAM system uses that password on their behalf.
41
temporal accounts
A privileged access management (PAM) feature. These are temporary accounts with administrative privileges that are issued for a limited period of time (such as a few hours) and then are destroyed when the user is finished with their work. Some capabilities of PAM are:

Allow users to access the privileged account without knowing the password

Automatically change privileged account passwords periodically

Limit the time users can use the privileged account

Allow users to check out credentials

Log all access of credentials

PAM protects against password attacks. It reduces the opportunities for attackers to use administrative privileges. PAM systems use logging and monitoring to show when these accounts are used and what users did with them.
42
just-in-time permissions
A privileged access management (PAM) feature. Administrators don’t have administrative privileges until they need them. When they need them, their account sends a request for the elevated privileges. The underlying PAM system grants the request, typically by adding the account to a group with elevated privileges. After a pre-set time (such as 15 minutes), their account is automatically removed from the group, revoking the elevated privileges.
43
Requiring Administrators to Use Two Accounts
It’s common to require administrators to have two accounts. They use one for regular day-to-day work. It has the same limited privileges as a regular end user. The other account has elevated privileges required to perform administrative work, and they use this only when performing administrative work. The benefit of this practice is that it reduces the exposure of the administrative account to an attack.
44
Prohibiting Shared and Generic Accounts
Account management policies often dictate that personnel should not use shared or generic accounts. Instead, each user has at least one account, which is only accessible to that user. If multiple users share a single account, you cannot implement basic authorization controls. As a reminder, four key concepts are:

Identification. Users claim an identity with an identifier such as a username.

Authentication. Users prove their identity using an authentication method such as a password.

Authorization. Users are authorized access to resources, based on their proven identity.

Accounting. Logs record activity using the users’ claimed identity.
45
Deprovisioning
Deprovisioning is the process used to disable a user’s account when they leave the organization. Most organizations require administrators to disable user accounts as soon as possible when employees leave the organization. This process is often automated, disabling a user’s account as soon as they are inactivated in the human resources system. Disabling is preferred over deleting the account, at least initially. If administrators delete the account, they also delete any encryption and security keys associated with the account. However, these keys are retained when the account is disabled.

Terminated employee. An account disablement policy specifies that accounts for ex-employees are disabled as soon as possible. This ensures a terminated employee doesn’t become a disgruntled ex-employee who wreaks havoc on the network. Note that “terminated” refers to both employees who resign and employees who are fired.

Leave of absence. If an employee will be absent for an extended period, the account should be disabled while the employee is away. Organizations define extended periods differently, with some organizations defining it as only two weeks, whereas other organizations extend it out to as long as two months.

Account deletion. When the organization determines the account is no longer needed, administrators delete it. For example, the policy may direct administrators to delete accounts that have been inactive for 60 or 90 days.

Remember This! An account disablement policy identifies what to do with accounts for employees who leave permanently or are on a leave of absence. Most policies require administrators to disable the account as soon as possible so that ex-employees cannot use the account. Disabling the account ensures that data associated with it remains available. Security keys associated with an account remain available when the account is disabled, but the security keys (and the data they encrypted) are no longer accessible if it is deleted.
46
Time-Based Logins
Time-based logins (sometimes referred to as time-of-day restrictions) ensure that users can only log on to computers during specific times. If a user tries to log on to a system outside the restricted time, the system denies access to the user.
47
privilege creep
An account audit can detect privilege creep, a common problem that violates the principle of least privilege. Privilege creep (or permission bloat) occurs when a user is granted more and more privileges due to changing job requirements.
48
account audit
An account audit looks at the rights and permissions assigned to users and helps enforce the least privilege principle. The audit identifies the privileges (rights and permissions) granted to users and compares them against what the users need. It can detect privilege creep, a common problem that violates the principle of least privilege. Privilege creep (or permission bloat) occurs when a user is granted more and more privileges due to changing job requirements.

Remember This! Usage auditing records user activity in logs. A usage auditing review looks at the logs to see what users are doing, and it can be used to re-create an audit trail. Permission auditing reviews help ensure that users have only the access they need and no more, and can detect privilege creep issues.
49
Attestation
Attestation is a formal process for reviewing user permissions. In an attestation process, managers formally review each user’s permissions and certify that those permissions are necessary to carry out the user’s job responsibilities.
50
SSO
Single sign-on (SSO) refers to a user’s ability to log on once and access multiple systems without logging on again. SSO increases security because the user only needs to remember one set of credentials and is less likely to write them down. It’s also much more convenient for users to access network resources if they only have to log on one time.
51
LDAP
The Lightweight Directory Access Protocol (LDAP) is a core component of many single-sign-on systems. LDAP allows users and applications to retrieve information about users from the organization’s directory – a centralized repository of information about user accounts, devices, and other objects. Windows domains use LDAP to handle queries for information from Active Directory.
52
federation
A federation requires a federated identity management system that all members of the federation use. In the previous example, the members of the federation are the power plant and the school system. Members of the federation agree on a standard for federated identities and then exchange the information based on the standard. A federated identity links a user’s credentials from different networks or operating systems, but the federation treats it as one identity.
53
SAML
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)–based data format used for SSO on web browsers. Imagine two websites hosted by two different organizations. Normally, a user would have to provide different credentials to access either website. However, if the organizations trust each other, they can use SAML as a federated identity management system. Users authenticate with one website and are not required to authenticate again when accessing the second website.

Many web-based portals use SAML for SSO. The user logs on to the portal once, and the portal then passes proof of the user’s authentication to back-end systems. As long as one organization has authenticated users, they are not required to authenticate again to access other sites within the portal.

Remember This! SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.

SAML defines three roles.

Principal. This is typically a user, such as Homer. The user logs on once. If necessary, the principal requests an identity from the identity provider.

Service provider. A service provider is an entity that provides services to principals. In this example, the Springfield school system is the service provider for Homer. It hosts one or more websites accessible through a web-based portal. When Homer accesses a school system website, the service provider queries the IdP to verify that he has valid credentials before granting access. This process sends several XML-based messages between the systems. However, it is usually transparent to the user.
54
XML
Extensible Markup Language. Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)–based data format used for SSO on web browsers. Imagine two websites hosted by two different organizations. Normally, a user would have to provide different credentials to access either website.
55
OAuth
OAuth is an open standard for authorization that many companies use to provide secure access to protected resources. It allows users to grant one service access to information in another service without disclosing their login credentials. For example, Google services support OAuth. Imagine that you are signing up for a new scheduling service called Doodle and you would like to allow that service to view and edit entries on your Google Calendar. You don’t want to give Doodle the password to your Google account because that would allow them to access your email and anything else. Instead, Doodle asks for authorization to access information in your Google account using the OAuth popup shown in the figure.

Remember This! It’s easy to get confused about what OAuth does because the name is ambiguous! Remember that the “Auth” in OAuth stands for authorization, not authentication!
56
Subjects
Subjects are typically users or groups that access an object. Occasionally, the subject may be a service that is using a service account to access an object. Authorization models describe access in terms of subjects and objects.
57
Objects
Objects are items such as files, folders, shares, and printers that subjects access. Access controls restrict how subjects can interact with objects. Authorization models describe access in terms of subjects and objects.
58
role-BAC
Role-based access control (role-BAC) uses roles to manage rights and permissions for users. This is useful for users within a specific department who perform the same job functions. An administrator creates the roles and then assigns specific rights and permissions to the roles (instead of to the users). When an administrator adds a user to a role, the user has all the rights and permissions of that role.

Remember This! A role-based access control scheme uses roles based on jobs and functions. A roles and permissions matrix is a planning document that matches the roles with the required privileges.
59
rule-BAC
Rule-based access control (rule-BAC) uses rules to determine access. The most common example is with rules in routers and firewalls. However, more advanced implementations cause rules to trigger within applications, too.

Remember This! Rule-based access control is based on a set of approved instructions, such as an access control list. Some rule-BAC systems use rules that trigger in response to an event, such as modifying ACLs after detecting an attack or granting additional permissions to a user in certain situations.
60
ACLs
Access control lists. Routers and firewalls use rules within access control lists (ACLs). These rules define the traffic that the devices allow into the network, such as allowing Hypertext Transfer Protocol (HTTP) traffic for web browsers. These rules are typically static. In other words, administrators create the rules, and the rules stay the same unless an administrator changes them again.
61
HTTP
Hypertext Transfer Protocol. ACL rules in routers and firewalls commonly allow Hypertext Transfer Protocol (HTTP) traffic for web browsers. These rules are typically static. In other words, administrators create the rules, and the rules stay the same unless an administrator changes them again.
62
DAC
In the discretionary access control (DAC) scheme, objects (such as files and folders) have an owner, and the owner establishes access for the objects. Many operating systems, such as Windows and most Unix-based systems, use the DAC scheme.

Remember This! The DAC scheme specifies that every object has an owner, and the owner has full, explicit control of the object. Microsoft NTFS uses the DAC scheme.

The DAC scheme is significantly more flexible than the MAC scheme described in the next section. MAC has predefined access privileges, and the administrator is required to make the changes. With DAC, if you want to grant another user access to a file you own, you simply make the change, and that user has access.
63
NTFS
New Technology File System. A common example of the DAC scheme is the New Technology File System (NTFS) used in Windows. NTFS provides security by allowing users and administrators to restrict access to files and folders with permissions. The following NTFS permissions show how it uses the DAC scheme:

Write. Users can change the contents of a file, such as changing words in a text file. This doesn’t give them the ability to delete a file, but they can delete the contents.

Read. Read permission allows a user to open and view the contents of a file.

Read & execute. This gives a user permission to run any executable files, including scripts.

Modify. Modify allows users to view and change files, including deleting files and folders or adding files to a folder.

Full control. Users can do anything with a file or folder and modify its permissions.

It’s possible to assign either Allow or Deny access to any file or folder. However, the filesystem uses a deny by default policy. If allow access is not granted, the system denies access by default. Firewalls often refer to this as implicit deny.
64
SIDs
Security identifiers. Microsoft systems identify users with security identifiers (SIDs), though you will rarely see a SID. A SID is a long string of numbers beginning with the letter S and separated by a series of dashes. For example, a SID might look like this: S-1-5-21-3991871189-223218. Instead of the system displaying the SID, it looks up the name associated with the SID and displays that name. Similarly, Microsoft systems identify groups with a SID.
65
DACL
Discretionary access control list. Every object (such as a file or folder) includes a discretionary access control list (DACL) that identifies who can access it in a system using the DAC scheme. The DACL is a list of Access Control Entries (ACEs). Each ACE is composed of a SID and the permission(s) granted to the SID. As an example, a folder named Study Notes might have the following permissions assigned:
66
ACE
Access Control Entries. Every object (such as a file or folder) includes a discretionary access control list (DACL) that identifies who can access it in a system using the DAC scheme. The DACL is a list of Access Control Entries (ACEs). Each ACE is composed of a SID and the permission(s) granted to the SID. As an example, a folder named Study Notes might have the following permissions assigned:
67
MAC
The mandatory access control (MAC) scheme uses labels (sometimes referred to as sensitivity labels or security labels) to determine access. Security administrators assign labels to both subjects (users) and objects (files or folders). When the labels match, the system can grant a subject access to an object. When the labels don’t match, the access scheme blocks access. Military units make wide use of this scheme to protect data.
68
SELinux
Security-enhanced Linux (SELinux) is one of the few operating systems using the mandatory access control scheme. It was created to demonstrate how the MAC scheme can be added to an operating system. In contrast, Windows operating systems use the discretionary access control scheme. An SELinux policy is a set of rules that override standard Linux permissions. However, even if an SELinux policy is in place, it isn’t necessarily enforced. SELinux has three modes:

Enforcing mode will enforce the SELinux policy and ignore permissions. In other words, even if the permissions allow access to a file or directory, users will be denied access unless they meet the relevant SELinux policy rules.

Permissive mode does not enforce the SELinux policy but instead uses the permissions. However, the system logs any access that would normally be blocked. This is useful when testing a policy.

Disabled mode does not enforce the SELinux policy and does not log anything related to the policy.
69
MAC
MAC has many meanings. Here, the mandatory access control (MAC) scheme is one of several access control schemes discussed later in this chapter.

Remember This! The MAC scheme uses sensitivity labels for users and data. It is commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect classification levels of data and clearances granted to individuals.
70
Labels and Lattice
The MAC scheme uses different levels of security to classify both the users and the data. These levels are contained in a lattice, which defines the levels of security that are possible for an object and the security levels that a user is cleared to access. Users are only allowed to access an object if their security clearance is equal to or higher than the level of the object.

Remember This! The MAC scheme uses sensitivity labels for users and data. It is commonly used when access needs to be restricted based on a need to know. Sensitivity labels often reflect classification levels of data and clearances granted to individuals.
71
ABAC
An attribute-based access control (ABAC) system evaluates attributes and grants access based on the value of these attributes. Attributes can be almost any characteristic of a user, the environment, or the resource. ABAC uses policies to evaluate attributes and grant access when the system detects a match in the policy.
72
SDNs
Software-defined networks. ABAC policies evaluate the following attributes:

Subject. This is typically a user. You can use any user property as an attribute, such as employment status, group memberships, job roles, logged-on status, and more. In the example, the subject is identified as being logged on and a member of the researchers group.

Object. This is the resource (such as a file, database, or application) that the user is trying to access. In the example, the object is research sites. The research sites object would include Internet access via a proxy server along with a specific list of URLs of research sites.

Action. The action is what the user is attempting to do, such as reading or modifying a file, accessing specific websites, and accessing website applications. The example allows access to specific websites.

Environment. The environment includes everything outside of the subject and object attributes. This is often referred to as the context of the access request. It can include the time, location, protocols, encryption, devices, and communication method. In the example, it specifies the main network as an environmental attribute.

Remember This! The ABAC scheme uses attributes defined in policies to grant access to resources. It’s commonly used in software-defined networks (SDNs).
73
Analyzing Authentication Indicators
Account lockouts. Watch for user accounts that have been locked out due to repeated failed login attempts, as those failed logins may be a sign of malicious activity.

Concurrent session usage. If the same user is logged in to the same (or different) systems from different locations at the same time, that may indicate that more than one person is using the account.

Impossible travel time. If a user completes a login from one location and then logs in from another geographic location without having spent enough time to travel between those locations, that may also indicate two users sharing the same account.

Blocked content. If content filters are screening out unusual levels of malicious code, that’s worthy of further investigation.

Resource consumption. If processor time, memory, storage, or other resources are being used excessively without explanation, that may indicate that malicious code is running on the system.

Resource inaccessibility. If services suddenly become unavailable, malicious activity may be interfering with them. For example, a website may go down because of malicious code running on the web server.
74
Kerberos
Uses tickets instead of passwords
75
SAML
SSO for web browsers and the web