Chapter 2 Flashcards
Authentication proves:
an identity with some type of credentials such as a username and password
What works together with identification to provide a comprehensive access management system?
Authentication
Authorization
Accounting
(AAA)
Define authorization:
granting access to resources based on a proven identity (authentication proves who you are; authorization decides what you may do)
Accounting methods:
track user activity and record the activity in logs
An audit trail allows:
security professionals to re-create the events that preceded a security incident
Implement one factor of authentication for:
basic authentication
Implement two factors of authentication for:
secure authentication
Implement three factors of authentication for:
higher security
Some factors of authentication are:
something you know
something you have
something you are
somewhere you are
something you do
Something you know authentication factor refers to:
a shared secret, such as a password or even a PIN
A strong password is:
of sufficient length, doesn’t include words found in a dictionary or any part of a user’s name, and combines at least three of the four following character types:
Uppercase characters (26 letters A-Z)
Lowercase characters (26 letters a-z)
Numbers (10 numbers 0-9)
Special characters (32 printable characters, such as !, $, and *)
Microsoft began recommending a best practice of setting the minimum password length to at least:
14 characters
You can calculate the key space with the following formula:
key space = C^n, where C is the number of possible characters (94 when all four character types above are used) and n is the password length
Security experts often mention that if you make a password too complex you make it:
less secure, because users are more likely to write it down
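The password cards above can be turned into a small checker. This is an added example, not from the original flashcards or any Microsoft tool: it applies the "strong password" rules as the cards state them (length, three of four character types, no dictionary word, no part of the user name), and computes the C^n key space so that length can be compared against complexity. The word list is a constructed stand-in, the 14-character minimum is the Microsoft figure quoted above, the "part of the name" rule is modelled on the Windows complexity check (three or more consecutive characters of the user name, an assumed cutoff since the cards state none), and the guess rate is an assumption, not a measurement.

```python
import math
import re

# Character classes and their sizes as counted on the flashcards (26 + 26 + 10 + 32 = 94).
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}
CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed stand-in for a real word list; a production check would load one from disk.
DICTIONARY = {"password", "welcome", "summer", "letmein", "dragon", "monkey"}


def classes_used(password):
    """Names of the character types that appear in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(password)}


def check_password(password, username, min_length=14):
    """Return the list of policy violations; an empty list means the password passes.

    Rules follow the flashcards' definition of a strong password. "Part of the user's
    name" is modelled on the Windows complexity rule: any run of three or more
    consecutive characters of the user name (assumed cutoff; the cards state none).
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(classes_used(password)) < 3:
        problems.append("uses fewer than three of the four character types")
    lowered = password.lower()
    for word in sorted(DICTIONARY):
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    uname = username.lower()
    if any(uname[i:i + 3] in lowered for i in range(len(uname) - 2)):
        problems.append("contains part of the user name")
    return problems


def key_space(password):
    """C^n from the flashcards: C is the combined size of the character classes the
    password actually draws from, n is its length."""
    c = sum(CLASS_SIZES[name] for name in classes_used(password))
    return c ** len(password)


def entropy_bits(password):
    """log2 of the key space: the number of bits an attacker must brute-force."""
    return math.log2(key_space(password))


def seconds_to_exhaust(password, guesses_per_second=10**10):
    """Worst-case time for an offline attacker at an assumed guess rate (1e10/s is a
    constructed figure standing in for a fast hash on GPU hardware, not a measurement)."""
    return key_space(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ["Ab1!Ab1!", "abcdefghijklmnop", "Tr0ub4dor&3xyz!"]:
        print(f"{pw:20} problems={check_password(pw, 'alice')} bits={entropy_bits(pw):.1f}"
              f" years={seconds_to_exhaust(pw) / 31_557_600:.2e}")
```

Running the demo shows why the cards put length first: sixteen lowercase letters (26^16) give a larger key space than eight characters drawn from all four classes (94^8), and they are easier to remember than the eight-character string.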
Windows domains use Group Policy to:
manage multiple users and computers in a domain.
Group Policy allows an administrator to configure a setting once in a:
Group Policy Object (GPO) and apply this setting to many users and computers within the domain
Active Directory Domain Services (AD DS) is a:
directory service Microsoft developed for Windows domain networks
The great strength of Group Policy comes when you implement it in a:
Microsoft domain
Organizational units (OUs) are used when:
administrators want to group users or computers so that Group Policy can target specific groups of users or computers
Password policies typically start as:
a written document that identifies the organization’s security goals related to passwords
Password policy definitions:
Enforce password history
remembers past passwords and prevents the user from reusing previously used passwords
Password policy definitions:
Maximum password age
defines when users must change their password
Password policy definitions:
Minimum password age
defines how long users must wait before changing their password again
Password policy definitions:
Minimum password length
enforces a minimum number of characters in the password
Password policy definitions:
Password must meet complexity requirements
require users to have complex passwords that include at least three of the four character types (uppercase letters, lowercase letters, numbers, and special characters)
Password policy definitions:
Store passwords using reversible encryption
stores the password in such a way that the original password can be recovered, which is effectively cleartext storage; leave it disabled unless a specific application requires it
What is included in the Password Policy in Windows?
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
Accounts will typically have lockout policies to:
prevent users from guessing the password
Two key phrases associated with account lockout policies are:
Account lockout threshold
Account lockout duration
Account lockout threshold is:
the maximum number of times a user can enter the wrong password. When the user exceeds the threshold, the system locks the account
Account lockout duration indicates:
how long an account remains locked. If the duration is set to 0, the account remains locked until an administrator unlocks it
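The password and lockout settings on the cards above are what `secedit /export /cfg <file>` writes into the [System Access] section of its INF export on a Windows machine. The following is an added example, not from the flashcards or from Microsoft: it parses such an export and flags settings that fall short of the cards' guidance. The sample export is constructed (a real one is UTF-16 and contains more sections), the 14-character minimum and the complexity/reversible-encryption rules come from the cards, and the history depth of 24 and the lockout threshold range of 1 to 10 are assumed baselines, not values the cards state.

```python
import configparser

# Constructed sample in the format written by `secedit /export /cfg policy.inf`
# (the real file is UTF-16 and has more sections; only [System Access] matters here).
# The values are deliberately weak so the audit has something to report.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 0
PasswordHistorySize = 5
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Expected values. The 14-character minimum, complexity and reversible-encryption
# rules are from the flashcards; history depth 24 and the lockout range are assumed.
CHECKS = [
    ("MinimumPasswordLength", lambda v: v >= 14, "Minimum password length below 14"),
    ("PasswordComplexity", lambda v: v == 1, "Password must meet complexity requirements is disabled"),
    ("PasswordHistorySize", lambda v: v >= 24, "Enforce password history remembers fewer than 24 passwords (assumed baseline)"),
    ("MinimumPasswordAge", lambda v: v >= 1, "Minimum password age is 0, so users can cycle through the history at once"),
    ("LockoutBadCount", lambda v: 1 <= v <= 10, "Account lockout threshold is 0 (never locks) or above 10 (assumed ceiling)"),
    ("ClearTextPassword", lambda v: v == 0, "Store passwords using reversible encryption is enabled"),
]


def parse_system_access(inf_text):
    """Return the [System Access] settings as a dict of ints."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # keep the Windows key names' case
    cp.read_string(inf_text)
    return {key: int(value) for key, value in cp["System Access"].items()}


def audit(settings):
    """Return (setting, value, finding) for every check that fails."""
    findings = []
    for name, ok, message in CHECKS:
        if name not in settings:
            findings.append((name, None, "setting missing from export"))
        elif not ok(settings[name]):
            findings.append((name, settings[name], message))
    return findings


def load_and_audit(path):
    """Audit a real export; secedit writes UTF-16, hence the encoding."""
    with open(path, encoding="utf-16") as fh:
        return audit(parse_system_access(fh.read()))


if __name__ == "__main__":
    for name, value, message in audit(parse_system_access(SAMPLE_INF)):
        print(f"{name} = {value}: {message}")
```

LockoutDuration is parsed but not judged: as the card says, 0 means the account stays locked until an administrator unlocks it, which is a policy choice rather than a weakness.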
Something you have authentication factor refers to:
something you can physically hold
Smart cards are:
credit card-sized cards that have an embedded microchip and a certificate.
How do you use a smart card?
Users insert the smart card into a smart card reader, which reads the details from the embedded certificate and provides certificate-based authentication. Users typically also enter a PIN, so the card (something you have) and the PIN (something you know) together give two-factor authentication.
Smart card provides:
confidentiality, integrity, authentication, and non-repudiation
Requirements for a smart card are:
Embedded certificate
Public Key Infrastructure (PKI)
An Embedded certificate holds:
the user’s public key (which is publicly available to others); the card’s chip holds the matching private key, which never leaves the card and is only usable by the cardholder
Public Key Infrastructure (PKI) supports:
issuing and managing certificates
A Common Access Card (CAC) is:
a specialized type of smart card used by the U.S. Department of Defense.
A Personal Identity Verification (PIV) card is:
a specialized type of smart card used by
A token or key fob is:
an electronic device about the size of a remote key for a car. They include an LCD that displays a number, and this number changes periodically, such as every 60 seconds
A Hash-based Message Authentication Code (HMAC) uses:
a hash function (such as SHA-1 or SHA-256) combined with a secret key to produce a fixed-length code that proves a message’s integrity and authenticity; the same construction is the building block for other functions such as one-time passwords
A HMAC-based One-Time Password (HOTP) is:
an open standard used for creating one-time passwords, similar to those used in tokens or key fobs
A Time-based One-Time Password (TOTP) is:
similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP typically expire after 30 seconds
Something you are authentication factor uses:
biometrics for authentication
Biometric methods are:
the strongest form of authentication because they are the most difficult for an attacker to falsify. A biometric is not a secret, however, and unlike a password it cannot be changed if it is compromised, so it is normally combined with another factor
Some examples of biometrics are:
fingerprint scanners
retina scanners
iris scanners
voice recognition
facial recognition
Retina scanners:
scan the retina of one or both eyes and use the pattern of blood vessels at the back of the eye for recognition
Iris scanners:
use camera technologies to capture the patterns of the iris around the pupil for recognition
Voice recognition methods:
identify who is speaking using speech recognition methods to identify different acoustic features
Facial recognition systems:
identify people based on facial features
Two biometric false readings are:
False acceptance
False rejection
False acceptance happens when:
a biometric system incorrectly identifies an unauthorized user as an authorized user
The false acceptance rate (FAR) identifies:
the percentage of times false acceptance occurs
False rejection happens when:
a biometric system incorrectly rejects an authorized user
The false rejection rate (FRR) identifies:
the percentage of times false rejections occur
Increasing the sensitivity of a biometric system:
decreases the number of false matches and increases the number of false rejections
Decreasing the sensitivity of a biometric system:
increases the number of false matches and decreases the number of false rejections
The Crossover error rate (CER) is:
the point where the FAR crosses over the FRR. When comparing two biometric systems, the one with the lower CER is more accurate
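The FAR, FRR, sensitivity and CER cards describe one curve: as the acceptance threshold rises, false acceptances fall and false rejections climb, and the CER is where the two rates meet. The following is an added example, not from the flashcards or from any biometric vendor: it computes FAR and FRR from constructed match scores (0 to 100, higher means a closer match to the enrolled template) at every integer threshold and locates the crossover, for two constructed systems so the "lower CER is more accurate" comparison can be seen.

```python
# Constructed comparison scores on a 0-100 scale. "Genuine" scores are authorized
# users matched against their own template; "impostor" scores are other people
# matched against that template. System A has overlap, system B is better separated.
GENUINE_A = [62, 70, 74, 78, 81, 84, 88, 90, 93, 97]
IMPOSTOR_A = [12, 20, 28, 35, 41, 48, 55, 60, 66, 72]
GENUINE_B = [75, 80, 83, 86, 88, 90, 92, 94, 96, 98]
IMPOSTOR_B = [10, 15, 20, 25, 30, 35, 40, 45, 50, 55]


def far(impostor_scores, threshold):
    """False acceptance rate: fraction of impostor attempts the system accepts."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: fraction of authorized attempts the system rejects."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores, thresholds=range(0, 101)):
    """(threshold, FAR, FRR) for each candidate sensitivity setting."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def crossover(genuine_scores, impostor_scores):
    """Threshold at which FAR and FRR are closest, and the error rate there (the CER).
    Among equally close thresholds the lowest one is reported."""
    t, a, r = min(error_curve(genuine_scores, impostor_scores),
                  key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


if __name__ == "__main__":
    for label, genuine, impostor in [("A", GENUINE_A, IMPOSTOR_A), ("B", GENUINE_B, IMPOSTOR_B)]:
        print(f"system {label}:")
        for t in (50, 60, 70, 80):
            print(f"  threshold {t}: FAR={far(impostor, t):.1f} FRR={frr(genuine, t):.1f}")
        print("  crossover (threshold, CER):", crossover(genuine, impostor))
```

For system A the threshold 50 accepts four of ten impostors and rejects no genuine user; raising it to 80 accepts no impostors but rejects four genuine users, which is the sensitivity trade-off on the cards. Its CER is 0.1 (at threshold 67); system B's scores do not overlap, so its CER is 0, and it is the more accurate system.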
Somewhere you are authentication factor identifies:
a user’s location
Geolocation is:
a group of technologies used to identify a user’s location and is the most common method used for the somewhere you are authentication factor
Many authentication systems use the:
Internet Protocol (IP) address for geolocation
The something you do authentication factor refers to:
actions you take, such as gestures on a touch screen or the way you write or type
Dual-factor authentication uses:
two different factors of authentication
Multifactor authentication uses:
two or more factors of authentication
Kerberos is:
a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms
Kerberos provides:
mutual authentication that can help prevent man-in-the-middle attacks and uses tickets to help prevent replay attacks
Kerberos includes several requirements for it to work properly. They are:
A method of issuing tickets used for authentication (the Key Distribution Center, KDC, which issues ticket-granting tickets and service tickets)
Time synchronization (clocks within five minutes of each other by default; tickets and authenticators carry timestamps, and a service rejects ones outside that window, which is how tickets help prevent replay)
A database of subjects or users (in a Windows domain, Active Directory)
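The Kerberos cards list three requirements and two properties (mutual authentication, replay protection). The following is an added example, not from the flashcards and not the real Kerberos protocol: it is a deliberately simplified model that collapses the AS/TGS exchanges into one ticket request and stands in for Kerberos' encryption with a toy encrypt-then-MAC seal built from HMAC-SHA256 (a real implementation uses AES-based Kerberos encryption types). What it does show faithfully is the division of roles: the KDC holds the database of principals and their keys, a ticket is readable only by the service it names, the client proves possession of the session key with a timestamped authenticator, the service enforces the five-minute clock skew and a replay cache, and the AP-REP it returns is what gives the client mutual authentication. Principal names, keys and times are constructed.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300   # seconds; Kerberos rejects authenticators more than 5 minutes from its own clock


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; only used so the toy seal() hides its contents."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key, fields):
    """Encrypt-then-MAC a dict: toy stand-in for Kerberos' encrypted ticket/authenticator parts."""
    nonce = os.urandom(16)
    plain = json.dumps(fields).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + cipher + hmac.new(key, nonce + cipher, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + cipher, hashlib.sha256).digest(), tag):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher)))))


class KDC:
    """Key Distribution Center; `principals` is the database of subjects: name -> long-term key."""

    def __init__(self, principals):
        self.principals = principals

    def issue_ticket(self, client, service, now, lifetime=8 * 3600):
        """AS/TGS collapsed into one step: a service ticket only the service can read, plus
        a reply carrying the same session key that only the client can read."""
        session_key = os.urandom(32).hex()
        ticket = seal(self.principals[service], {"client": client, "service": service,
                      "key": session_key, "start": now, "end": now + lifetime})
        reply = seal(self.principals[client], {"service": service, "key": session_key})
        return ticket, reply


def build_ap_req(client, client_key, reply, ticket, now):
    """Client side of AP-REQ: recover the session key, make a fresh timestamped authenticator."""
    session_key = bytes.fromhex(unseal(client_key, reply)["key"])
    return ticket, seal(session_key, {"client": client, "time": now}), session_key


class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key
        self.replay_cache = set()   # (client, authenticator time) already accepted

    def accept(self, ticket, authenticator, now):
        """Return ("ok", AP-REP) or (reason, None). AP-REP echoes the authenticator time
        under the session key: only the real service could build it (mutual authentication)."""
        try:
            t = unseal(self.key, ticket)
        except ValueError:
            return "ticket not issued for this service", None
        if not t["start"] <= now <= t["end"]:
            return "ticket expired", None
        session_key = bytes.fromhex(t["key"])
        try:
            a = unseal(session_key, authenticator)
        except ValueError:
            return "authenticator not made with the ticket's session key", None
        if a["client"] != t["client"]:
            return "authenticator does not match ticket", None
        if abs(now - a["time"]) > MAX_SKEW:
            return "clock skew too large", None
        if (a["client"], a["time"]) in self.replay_cache:
            return "replay detected", None
        self.replay_cache.add((a["client"], a["time"]))
        return "ok", seal(session_key, {"time": a["time"], "service": self.name})


def client_verify_ap_rep(session_key, ap_rep, sent_time):
    """Client side of mutual authentication."""
    try:
        return unseal(session_key, ap_rep)["time"] == sent_time
    except ValueError:
        return False


def demo(now=1_700_000_000):
    keys = {"alice": os.urandom(32), "cifs/fileserver": os.urandom(32)}   # constructed principals
    kdc, fs = KDC(keys), Service("cifs/fileserver", keys["cifs/fileserver"])
    ticket, reply = kdc.issue_ticket("alice", "cifs/fileserver", now)
    ticket, auth, sk = build_ap_req("alice", keys["alice"], reply, ticket, now)
    status, ap_rep = fs.accept(ticket, auth, now + 2)
    return {
        "first": status,
        "mutual": client_verify_ap_rep(sk, ap_rep, now),
        "replayed": fs.accept(ticket, auth, now + 30)[0],        # captured AP-REQ resent
        "skewed": fs.accept(ticket, auth, now + 3600)[0],        # resent an hour later
        "expired": fs.accept(ticket, auth, now + 9 * 3600)[0],   # past the ticket lifetime
        "wrong_service": Service("http/web", os.urandom(32)).accept(ticket, auth, now)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The replay cache and the skew check work together: a captured AP-REQ replayed within five minutes is caught by the cache, and one replayed later is rejected for skew even on a service that has since restarted and lost its cache, which is why the cards list time synchronization as a requirement.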