Chapter 2 - Access Management Flashcards

1
Q

What is:

  1. ) Identity
  2. ) Authentication
  3. ) Authorization
A
  1. ) Identity - who you claim to be, e.g. a username
  2. ) Authentication - proof of that claim, e.g. a password
  3. ) Authorization - the accesses or permissions granted once the identity is authenticated
2
Q

3 Types of Authentication

A
  1. ) Type 1 - Something you know. PINs, passwords, personal facts.
  2. ) Type 2 - Something you have. Smart card, hardware token.
  3. ) Type 3 - Something you are. Biometrics.
3
Q

Password Types

A
  1. ) Static - fixed, reused until changed
  2. ) Dynamic or one-time password (OTP) - changes every use or every time interval
  3. ) Cognitive - a Type 1 (something you know) factor based on personal facts, e.g. favourite colour. Weak: the answers are guessable or discoverable from social media
  4. ) Passphrase - like a static password but longer, typically several words
4
Q

Password Policies

A
  1. ) History - number of previous passwords that cannot be reused
  2. ) Max Age - how long before a password must be changed
  3. ) Min Age - how soon it may be changed again (stops users cycling straight back to an old one)
  4. ) Min Length
  5. ) Complexity - required character classes
  6. ) Store passwords using reversible encryption - not recommended; anyone who can read the store can recover every password, so it is equivalent to clear text
5
Q

Tool to Assist with Password Management

A

KeePassXC (an open-source offline password manager)

6
Q

Strong Password - Complexity

A

12-15 chars
Upper and Lowercase
Numbers and Symbols

7
Q

NIST Password Recommendations - 800-63B

A
  1. ) Encourage long passphrases
  2. ) 8 character minimum for user-chosen secrets
  3. ) No clear text storage - keep only a salted hash produced by a suitable key derivation function (e.g. PBKDF2)
  4. ) Allow at least 64 characters
  5. ) Screen new passwords against a list of commonly used, expected or compromised passwords
  6. ) No composition (complexity) rules; length and the compromised-password screen do that work instead
  7. ) No routine expiry - force a change only on evidence of compromise
8
Q

What does Salting do?

A

A salt is a random value generated for each password and stored next to the hash. It is combined with the password before hashing, so two users with the same password get different hashes and a precomputed (rainbow) table is useless against the store. The hash itself is raw bytes; the hexadecimal string is just how it is usually displayed. SHA3-256, for example, produces a 256-bit (32-byte) digest, shown as 64 hex characters. For password storage use a slow, iterated key derivation function (PBKDF2, bcrypt, scrypt or Argon2) rather than a single fast hash.
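
The two cards above (the NIST 800-63B checklist and salting) in working code. This is an added example, not from the flashcard set: the iteration count, salt size, blocklist and the `pbkdf2_sha256$...` record layout are assumptions chosen here, and the blocklist is a constructed stand-in for a real compromised-password list.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters chosen for this example (assumptions, not taken from the page):
# PBKDF2-HMAC-SHA256, 600,000 iterations, 16-byte random salt, 32-byte output.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32
MIN_LENGTH = 8      # 800-63B: at least 8 chars for user-chosen secrets
MAX_LENGTH = 128    # 800-63B: must allow at least 64; longer is fine

# Constructed stand-in for 800-63B's "commonly used, expected or compromised" list.
BLOCKLIST = {"password", "password1", "123456", "12345678", "qwerty", "letmein"}


def plain_sha3(password: str) -> str:
    """Unsalted SHA3-256, for comparison only: a 256-bit (32-byte) digest,
    printed as 64 hex characters. The same password always gives the same
    digest, so one precomputed table cracks every user who chose it."""
    return hashlib.sha3_256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash for storage, as 'pbkdf2_sha256$iters$salt$hash'.
    A fresh random salt per password means equal passwords hash differently."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             ITERATIONS, dklen=KEY_BYTES)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=KEY_BYTES)
    return hmac.compare_digest(dk.hex(), hash_hex)


def acceptable_memorized_secret(password: str) -> bool:
    """800-63B style acceptance: length bounds plus a compromised-password screen,
    and no composition rules (no 'must contain a digit and a symbol')."""
    if not MIN_LENGTH <= len(password) <= MAX_LENGTH:
        return False
    return password.lower() not in BLOCKLIST


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("unsalted sha3-256 :", plain_sha3(pw))
    print("salted record #1  :", hash_password(pw))
    print("salted record #2  :", hash_password(pw))   # different salt, different hash
```

Run it twice for the same password and the two salted records differ while both verify; the unsalted SHA3 digest is identical every time, which is exactly why it must not be used on its own for password storage.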

9
Q

What is a smart card?

What is it an example of?

A

A card with an embedded chip holding a private key and the certificate that identifies the holder; the card proves possession by signing a challenge with the key, which never leaves the chip. Normally used with a PIN or password, so it combines something you have with something you know. This is an example of two-factor authentication (2FA).

10
Q

What is a Hardware token?

A

A device that displays a number that changes every X seconds (or on each button press). The number is a dynamic or one-time password. Used together with a username and password it gives 2FA: something you have plus something you know.

11
Q

What are the two types of Hardware tokens?

A
  1. ) Synchronous dynamic password - token and server share a secret plus a clock or counter, so the code changes every X seconds (or per use) and the two sides must stay in sync.
  2. ) Asynchronous dynamic password - challenge-response: the server presents a challenge, the user keys it (often together with a PIN) into the token, and the token returns the OTP.
12
Q

Examples of Software Tokens and One Time Passwords (OTP).

A
  1. ) HOTP - HMAC-based One-Time Password (RFC 4226). HMAC of a shared secret over an incrementing counter, truncated to 6-8 digits. Counter-based (event-synchronized): no clock is involved, which is why some courses class it as asynchronous, but the server still has to keep its counter in step and allow a small look-ahead window when the token drifts ahead.
  2. ) OPIE - One-time Passwords In Everything, an S/KEY-style scheme for Unix logins. The server sends a challenge (sequence number and seed); the client hashes its passphrase with them to produce the OTP. Asynchronous (challenge-response).
  3. ) TOTP - Time-based One-Time Password (RFC 6238). HOTP with the counter replaced by the current time divided by a step (usually 30 seconds). Time-synchronized.
13
Q

What is a proximity card?

A

A card carrying a chip and an antenna coil with embedded data (typically a card ID). The reader's radio-frequency field induces a current in the coil, which powers the chip, and the chip transmits its data back to the reader when the card is brought within range. Many older proximity cards transmit a fixed, unencrypted ID, so they can be cloned with a cheap reader.

14
Q

Examples of Biometrics

A
  1. ) Finger and thumb prints - can be defeated with lifted prints and moulded gelatin ("gummy") fingers; liveness detection helps.
  2. ) Palm - reads the vein pattern with an infrared scanner; the hand hovers over the scanner, no contact.
  3. ) Retina - reads the blood-vessel pattern at the back of the eye with an infrared scanner; the user must look into an eyepiece at close range, which many find intrusive. Can reveal medical conditions, which is personal/private information.
  4. ) Iris - cameras match the iris pattern; can be tricked with high-resolution images and can fail under poor lighting.
15
Q

Biometric Error Types

A
  1. ) False Rejection Rate (FRR) - Type I error: a legitimate user is rejected.
  2. ) False Acceptance Rate (FAR) - Type II error: an impostor is accepted (the security-relevant failure).
  3. ) Crossover Error Rate (CER) - the sensitivity setting at which FRR and FAR are equal. A lower CER indicates a better performing system. In practice the threshold is then tuned away from the crossover: toward lower FAR where security matters more than convenience.
16
Q

Example of 2 Step Verification

A

Corporate Google accounts often require a username and password followed by a 6-digit code sent to the user's phone by SMS or voice call, or generated by the Google Authenticator app. SMS and voice codes are the weakest option (SIM swapping, interception); an authenticator app or hardware key is preferable.

17
Q

What is SSO

A

Single sign-on (SSO) is a session and user authentication service that lets a user authenticate once with one set of credentials (e.g. username and password) and then access multiple applications without signing in again. Convenient, but that one credential and its session token now unlock everything, so protect them with MFA and short session lifetimes.

18
Q

What is Kerberos SSO and how does it work?

A
  • Windows (Active Directory) and many Linux environments use Kerberos to issue tickets. The server that issues them is the Key Distribution Center (KDC), made up of an Authentication Service (AS) and a Ticket Granting Service (TGS).
  • The client sends an authentication request to the KDC. The KDC looks up the user, generates a random session key and returns two things: the session key encrypted under a key derived from the user's password, and a time-stamped ticket-granting ticket (TGT) encrypted under the KDC's own key. The client derives the key from the password it has and decrypts the session key; with the wrong password the decryption fails, so the password itself is never sent over the network. To reach a specific server the client presents the TGT (plus an authenticator encrypted with the session key) to the TGS, which returns a service ticket and a new session key for that server. The client sends the service ticket to the target server, which decrypts it with its own key and verifies the client; the server's reply under the session key proves its own identity to the client, giving mutual authentication. Tickets carry timestamps, so client, KDC and server clocks must be kept in sync.
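
The exchange described above as a runnable simulation, with a KDC object playing both AS and TGS, a client and a service. This is an added example, not from the flashcard set or any real Kerberos implementation: the "encryption" is an HMAC-SHA256 keystream plus tag standing in for Kerberos' real AES enctypes, `string_to_key` is a PBKDF2 stand-in for the real string-to-key function, and the ticket lifetime and 5-minute clock skew are assumed values. What it does show faithfully is that the KDC never checks the password directly, a wrong password simply cannot open the AS reply, and the service's AP-REP gives the client mutual authentication.

```python
import hashlib
import hmac
import json
import os

# Toy Kerberos. Assumptions: one KDC object plays AS and TGS; "encryption" is an
# HMAC-SHA256 keystream plus tag standing in for Kerberos' real AES enctypes;
# the ticket lifetime and clock skew are chosen here, not taken from the page.
TICKET_LIFETIME = 8 * 3600
MAX_SKEW = 300


def string_to_key(password: str, salt: str) -> bytes:
    """Client long-term key derived from the password (stand-in for string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object: nonce || ciphertext || tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Raises ValueError unless the tag verifies, i.e. unless the key is right."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {}                    # principal name -> long-term key
        self.tgs_key = os.urandom(32)     # krbtgt key, never leaves the KDC

    def register_user(self, name: str, password: str):
        self.keys[name] = string_to_key(password, self.realm + name)

    def register_service(self, name: str) -> bytes:
        self.keys[name] = os.urandom(32)  # shared with the service (its keytab)
        return self.keys[name]

    def as_exchange(self, client: str, now: int):
        """AS-REQ -> AS-REP. The password is never sent: the KDC wraps a fresh session
        key under the client's long-term key, and only the right password opens it."""
        session_key = os.urandom(32).hex()
        expires = now + TICKET_LIFETIME
        tgt = seal(self.tgs_key, {"client": client, "key": session_key, "expires": expires})
        return seal(self.keys[client], {"key": session_key, "expires": expires}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ -> TGS-REP: check TGT and authenticator, issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if now > t["expires"] or a["client"] != t["client"] or abs(now - a["time"]) > MAX_SKEW:
            raise PermissionError("TGT expired or authenticator invalid")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key,
                                           "expires": now + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["key"]), {"key": svc_key, "service": service}), ticket


def client_login(kdc: KDC, user: str, password: str, now: int):
    enc_part, tgt = kdc.as_exchange(user, now)
    k_user = string_to_key(password, kdc.realm + user)
    session_key = bytes.fromhex(unseal(k_user, enc_part)["key"])   # ValueError if wrong password
    return session_key, tgt


def client_service_ticket(kdc: KDC, user: str, session_key: bytes, tgt: bytes,
                          service: str, now: int):
    authenticator = seal(session_key, {"client": user, "time": now})
    enc_part, ticket = kdc.tgs_exchange(tgt, authenticator, service, now)
    return bytes.fromhex(unseal(session_key, enc_part)["key"]), ticket


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int):
    """AP-REQ at the target server: open the ticket with the service's own key, check
    the authenticator, and answer (AP-REP) under the session key so the client also
    learns it is talking to the genuine service: mutual authentication."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
    except ValueError:
        return None
    if now > t["expires"] or a["client"] != t["client"] or abs(now - a["time"]) > MAX_SKEW:
        return None
    return seal(bytes.fromhex(t["key"]), {"time": a["time"]})
```

Try `client_login` with a wrong password: the KDC happily returns an AS-REP (it cannot tell), but `unseal` fails on the client side. That property is also why an offline guessing attack against captured AS-REPs (AS-REP roasting) works when pre-authentication is disabled; real Kerberos adds a timestamp pre-authentication step that this toy omits.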
19
Q

What is Federated Access?

A

Different organizations agree to trust each other's identity providers: a user authenticates at their home organization and presents an assertion to the partner, so the partner never holds a copy of the user's credentials.

20
Q

What is SAML?

A

Security Assertion Markup Language.
A Federated Identity Management system for web based app servers to provide SSO.

Made up of 3 key roles:

  1. ) Principal - the User
  2. ) Identity Provider - the trusted system that creates and maintains the identity info of the Principal.
  3. ) Service Provider - the entity that provides the services (websites) the Principal wants to use; it consumes the Identity Provider's signed assertion instead of holding the user's credentials.
21
Q

How is offline authentication achieved?

A

Locally cached credentials, e.g. a domain-joined workstation keeps a hash of the last successful domain logon so the user can still sign in when the domain controller is unreachable.

22
Q

What are the methods for device authentication?

A
  1. ) MAC Filtering - allow-list of hardware addresses; weak, since a MAC address is trivially spoofed
  2. ) Device Fingerprinting - identifying a device by its observable characteristics (OS, browser, hardware)
  3. ) Mobile Device Management - the MDM enrolls the device and typically installs a device certificate, the strongest of the three
23
Q

In the context of access controls, what are subjects and objects?

A

Subjects - The person, bot, system or device requesting the access.
Objects - The data, file, server, facility or component the subject wants access to

24
Q

What are 4 attributes that can control the access of a subject?

A
  1. ) Time (e.g. business hours only)
  2. ) Location
  3. ) Remote access attribute (whether the request comes from inside the network or over VPN/internet)
  4. ) Role or group membership (RBAC)
25
Q

What is the Principle of Least Privilege Access?

A

Giving a subject only those permissions required to do their job.

26
Q

What is a security Kernel?

A

The central part of an OS (the core of the trusted computing base) that mediates every access to system resources; it implements the reference monitor, which must be tamper-proof, always invoked and small enough to verify.

27
Q

What is discretionary access control (DAC)?

A

DAC is a granular, identity-based model in which the owner of an object decides who may access it and assigns permissions to other users via an access control list (ACL). Each entry in the ACL, a user or group plus the permissions it is allowed or denied, is an Access Control Entry (ACE).

28
Q

What is non-discretionary access control?

A

A model in which a central authority (security administrators or the system itself) decides what access users get; individual users cannot hand out access to the data they use. Role based, rule based, attribute based and mandatory access control are all non-discretionary models.

29
Q

What is RBAC?

A

Role based access control. Permissions are attached to roles or groups and users get access through membership; adding or removing a user from a role replaces editing per-user permissions.

30
Q

What is Rule-BAC

A

Rule based access control. Administrators define rules or logic that apply to every subject regardless of identity, e.g. a firewall rule allowing TCP/443 from one subnet.

31
Q

What is ABAC

A

Attribute based access control. Access decisions evaluate attributes of the subject, the object, the action and the environment, giving finer control than RBAC or Rule-BAC (a rule can compare the subject's department with the object's, for instance). Administrators build policies out of these attributes.

32
Q

What four elements do policies contain?

A
  1. ) Subjects
  2. ) Objects
  3. ) Action
  4. ) Environment - anything other than those above. I.e. device type, channel, etc.
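
An ABAC policy built from exactly those four elements, with the time, location and remote-access attributes from the earlier card appearing as environment attributes. This is an added example, not from the flashcard set: the document store, its classifications, the three rules and the deny-overrides combining order are assumptions chosen to illustrate the model.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Request:
    """The four elements a policy evaluates: who, what, which action, in what context."""
    subject: Dict[str, object]
    object: Dict[str, object]
    action: str
    environment: Dict[str, object]


Rule = Tuple[str, str, Callable[[Request], bool]]   # (name, effect, condition)

# Constructed policy for a hypothetical document store (assumption, not from the page).
# Rules compare attributes across elements (subject.department == object.department),
# which is what RBAC alone cannot express.
POLICY: List[Rule] = [
    ("block-restricted-off-network", "deny",
     lambda r: r.object.get("classification") == "restricted"
               and r.environment.get("network") != "corp"),
    ("own-department-business-hours", "permit",
     lambda r: r.action in {"read", "write"}
               and r.subject.get("department") == r.object.get("department")
               and r.environment.get("device_managed") is True
               and 9 <= r.environment.get("hour", -1) < 18),
    ("finance-role-reads-internal", "permit",
     lambda r: r.action == "read"
               and "finance" in r.subject.get("roles", ())
               and r.object.get("classification") in {"public", "internal"}),
]


def evaluate(request: Request, policy: List[Rule] = POLICY) -> Tuple[str, List[str]]:
    """Deny-overrides combining: any matching deny wins, otherwise any matching
    permit, otherwise deny by default. Returns the decision and the names of the
    rules that fired so the decision can be logged and audited."""
    matched_deny: List[str] = []
    matched_permit: List[str] = []
    for name, effect, cond in policy:
        try:
            hit = bool(cond(request))
        except (TypeError, KeyError):
            hit = False          # a malformed or missing attribute never grants access
        if hit:
            (matched_deny if effect == "deny" else matched_permit).append(name)
    if matched_deny:
        return "deny", matched_deny
    if matched_permit:
        return "permit", matched_permit
    return "deny", []


if __name__ == "__main__":
    alice = {"department": "finance", "roles": ["finance"]}
    doc = {"department": "finance", "classification": "internal"}
    office = {"network": "corp", "device_managed": True, "hour": 10}
    home = {"network": "vpn", "device_managed": True, "hour": 22}
    print(evaluate(Request(alice, doc, "write", office)))
    print(evaluate(Request(alice, doc, "write", home)))
```

The same subject gets write access at the office and is refused the same write from home after hours, without any change to her role; only the environment attributes changed. Returning the matched rule names matters in practice: a decision you cannot explain is one you cannot audit.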
33
Q

What is Mandatory Access Control (MAC)?

A

Highest level of security among the non-DAC models. Subjects and objects are both tagged with labels (e.g. top secret, secret, confidential, unclassified, public) and the system, not the owner, decides access by comparing the labels.

34
Q

What are the 2 principles of the Bell-LaPadula MAC model?

What does it enforce?

A
  1. ) No read up (simple security property) - a subject cannot read objects with a security level above its own
  2. ) No write down (*-property) - a subject cannot write to objects with a security level below its own

Enforces confidentiality

35
Q

What are the 2 principles of the Biba MAC model?

What does in enforce?

A
  1. ) No read down (simple integrity property) - a subject cannot read objects at a lower integrity level
  2. ) No write up (*-integrity property) - a subject cannot write to objects at a higher integrity level

Enforces integrity
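
Both label models in code, with a check of the property the rules exist to guarantee: under Bell-LaPadula no subject can move data from a higher to a lower level by reading then writing, and under Biba none can move it upward. This is an added example, not from the flashcard set; the five-level label set is an assumption.

```python
from enum import IntEnum
from typing import Callable, Set, Tuple


class Level(IntEnum):
    """Ordered labels (assumed set). Higher value = more sensitive under BLP,
    more trustworthy under Biba."""
    PUBLIC = 0
    UNCLASSIFIED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


def bell_lapadula(subject: Level, obj: Level, op: str) -> bool:
    """Confidentiality. Simple security property: no read up. *-property: no write down."""
    if op == "read":
        return subject >= obj
    if op == "write":
        return subject <= obj
    raise ValueError(f"unknown operation {op!r}")


def biba(subject: Level, obj: Level, op: str) -> bool:
    """Integrity. Simple integrity property: no read down. *-integrity: no write up."""
    if op == "read":
        return subject <= obj
    if op == "write":
        return subject >= obj
    raise ValueError(f"unknown operation {op!r}")


Model = Callable[[Level, Level, str], bool]


def reachable_flows(model: Model) -> Set[Tuple[Level, Level]]:
    """Every (source, destination) pair of object levels between which *some*
    subject could move data by reading the source and then writing the destination.
    BLP should only allow upward flows, Biba only downward ones."""
    levels = list(Level)
    return {(src, dst) for s in levels for src in levels for dst in levels
            if model(s, src, "read") and model(s, dst, "write")}


def access_matrix(model: Model) -> str:
    """Render subject level x object level as text: 'r', 'w', 'rw' or '-'."""
    names = [lvl.name[:4] for lvl in Level]
    rows = ["subj\\obj " + " ".join(f"{n:>4}" for n in names)]
    for s in Level:
        cells = []
        for o in Level:
            r = "r" if model(s, o, "read") else ""
            w = "w" if model(s, o, "write") else ""
            cells.append(f"{(r + w) or '-':>4}")
        rows.append(f"{s.name[:4]:>9} " + " ".join(cells))
    return "\n".join(rows)


if __name__ == "__main__":
    print("Bell-LaPadula\n" + access_matrix(bell_lapadula))
    print("\nBiba\n" + access_matrix(biba))
```

Composing the two models (a request must satisfy both) leaves only same-level access, which is why real systems that want both confidentiality and integrity label them separately rather than reusing one lattice for both.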

36
Q

What is the Clark-Wilson MAC model?

What does it enforce?

A

An integrity model rather than a simple label-comparison model: subjects may change constrained data items only through well-formed transactions (trusted programs), with access expressed as subject/program/object triples. It is specified as 5 certification rules and 4 enforcement rules.

Enforces integrity through well-formed transactions and separation of duties (SOD).

37
Q

What is the Brewer-Nash (aka Chinese Wall) MAC model?

What does it prevent and enforce?

A

A model that groups data into conflict-of-interest classes (e.g. competing banks). Access is dynamic: once a subject has accessed one company's data in a class, it is barred from the competing companies' data in that same class.

Prevents conflict of interest and enforces SOD.

38
Q

Describe Access Control Matrix.

A

A table with subjects as rows and objects as columns; each cell holds the rights that subject has on that object. Reading one column gives the object's ACL; reading one row gives the subject's capability list.

39
Q

Describe a Capability Table.

A

A list of subjects (or groups) mapped to their rights and permissions: one row of the access control matrix, attached to the subject rather than to the object.

40
Q

What is an ACL?

A

Access control list - a list of permissions attached to an object, stating which subjects may do what to it: one column of the access control matrix.
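
The matrix, ACL and capability-table cards above, plus the DAC card's owner-managed ACEs, in one small implementation. This is an added example, not from the flashcard set: the file names, the "own/read/write" right set and the Windows-style rule that an explicit deny ACE is evaluated before allow ACEs are assumptions made for the illustration.

```python
from typing import Dict, List, Set, Tuple


class AccessControlMatrix:
    """Subjects x objects -> rights, stored sparsely. DAC on top: the object's
    owner (and only the owner) edits its column. An ACE here is one
    (trustee, allow-or-deny, rights) entry in an object's ACL; deny entries
    are evaluated first, as Windows does with explicit deny ACEs."""

    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}
        self.allow: Dict[Tuple[str, str], Set[str]] = {}
        self.deny: Dict[Tuple[str, str], Set[str]] = {}

    def create(self, owner: str, obj: str) -> None:
        """A new object: the creator owns it and gets full rights (DAC)."""
        self.owner[obj] = owner
        self.allow[(owner, obj)] = {"read", "write", "own"}

    def grant(self, actor: str, subject: str, obj: str, rights: Set[str],
              deny: bool = False) -> None:
        """Add an allow or deny ACE; only the object's owner may do this."""
        if self.owner.get(obj) != actor:
            raise PermissionError(f"{actor} is not the owner of {obj}")
        table = self.deny if deny else self.allow
        table.setdefault((subject, obj), set()).update(rights)

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Deny ACEs win over allow ACEs; anything not listed is denied."""
        if right in self.deny.get((subject, obj), set()):
            return False
        return right in self.allow.get((subject, obj), set())

    def acl(self, obj: str) -> List[Tuple[str, str, List[str]]]:
        """Column view: the ACL attached to one object, as ACEs, deny entries first."""
        entries = [(s, "deny", sorted(r)) for (s, o), r in self.deny.items() if o == obj]
        entries += [(s, "allow", sorted(r)) for (s, o), r in self.allow.items() if o == obj]
        return entries

    def capabilities(self, subject: str) -> Dict[str, List[str]]:
        """Row view: the capability list of one subject (effective rights only)."""
        objs = {o for (s, o) in self.allow if s == subject}
        return {o: sorted(r for r in self.allow[(subject, o)] if self.check(subject, o, r))
                for o in sorted(objs)}


if __name__ == "__main__":
    m = AccessControlMatrix()
    m.create("alice", "/finance/q3.xlsx")           # constructed sample objects
    m.grant("alice", "bob", "/finance/q3.xlsx", {"read"})
    print("ACL of /finance/q3.xlsx:", m.acl("/finance/q3.xlsx"))
    print("capabilities of bob   :", m.capabilities("bob"))
```

The same data answers two different questions: `acl()` is what you consult to audit an object ("who can touch this file?"), `capabilities()` is what you consult to audit a subject ("what can this user reach?"); keeping only one of the two views makes the other question expensive, which is why real systems cache or index both.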

41
Q

What is identity proofing?

A

Establishing, usually at enrollment, that a claimed identity really belongs to the person claiming it (the subject of NIST SP 800-63A). Knowledge-based checks such as giving the CVV for a credit card purchase or answering cognitive passwords are weak examples, since the answers can be stolen or looked up.

42
Q

What is an example of an account lockout policy?

A

X failed login attempts locks the account for Y minutes (e.g. 5 attempts, 15 minutes). A temporary lockout slows online guessing; a permanent lockout until an administrator intervenes lets an attacker lock legitimate users out on purpose.

43
Q

What is entitlement?

A

The privileges granted to users.

44
Q

What does Identity and Access Management (IAM) include?

A
  1. ) Provisioning
  2. ) Maintenance
  3. ) Entitlement
  4. ) De-provisioning.