Chapter 2 - Access Management Flashcards

1
Q

What is:

  1. ) Identity
  2. ) Authentication
  3. ) Authorization
A
  1. ) Who you claim to be: Username
  2. ) Verification of Identity: Password
  3. ) Granted Accesses or Permissions
2
Q

3 Types of Authentication

A
  1. ) Type 1 - Something you know. Pins, passwords, personal info
  2. ) Type 2 - Something you have. Smart card, token.
  3. ) Type 3 - Something you are. Biometrics.
3
Q

Password Types

A
  1. ) Static
  2. ) Dynamic or OTP
  3. ) Cognitive - Type 1 - e.g. favorite color
  4. ) Passphrase - similar to Static, just longer and more complex
4
Q

Password Policies

A
  1. ) History
  2. ) Max Age
  3. ) Min Age
  4. ) Min Length
  5. ) Complexity
  6. ) Reversible Encryption - not recommended
5
Q

Tool to Assist with Password Management

A

KeePassXC

6
Q

Strong Password - Complexity

A

12-15 chars
Upper and Lowercase
Numbers and Symbols

7
Q

NIST Password Recommendations - SP 800-63B

A
  1. ) Encourage passphrases
  2. ) 8 char minimum
  3. ) No clear text - salt and hash passwords for storage
  4. ) Up to 64 chars
  5. ) Password blacklist
  6. ) Salted hash takes care of complexity
  7. ) Passwords should NOT expire unless there is evidence of compromise.
8
Q

What does Salting do?

A

Adds random bits to a value (password) and creates a hexadecimal representation. SHA-3 (256) will create a 256-bit hex hash.

9
Q

What is a smart card?

What is it an example of?

A

Card with an embedded certificate that identifies the individual. Usually used with a PIN or password. This is an example of 2FA.

10
Q

What is a Hardware token?

A

Device that displays a number which changes every X seconds. Considered a dynamic or one time password. Used with Username and Password for 2FA.

11
Q

What are the two types of Hardware tokens?

A
  1. ) Synchronous dynamic password - changes every X seconds. Must be synced with the server.
  2. ) Asynchronous dynamic password - enter PIN into device and get OTP.
12
Q

Examples of Software Tokens and One Time Passwords (OTP).

A
  1. ) HOTP - HMAC (Hash Method Auth Code) - incrementing counter plus secret key, reduced in size by HMAC. Is Async.
  2. ) OPIE - OTP In Everything - used in networks. Password + other data hashed to create OTP. Is Async.
  3. ) TOTP - Time Based - Is Sync.
13
Q

What is a proximity card?

A

A card that has electronically embedded data that will be transmitted to a reader when the card passes through a magnetic field which excites the inductor in the card.

14
Q

Examples of Biometrics

A
  1. ) Finger and Thumb prints - can be tricked with images and gummy bears
  2. ) Palm - reads vein pattern using infrared scanner. Hand hovers over scanner.
  3. ) Retina - reads blood vessel pattern with infrared scanner. Physical contact required. Can reveal medical conditions, which is personal/private information.
  4. ) Iris - cameras are used to match Iris patterns. Can be tricked with images. Can fail due to lighting.
15
Q

Biometric Error Types

A
  1. ) False Rejection Rate (FRR)
  2. ) False Acceptance Rate (FAR)
  3. ) Crossover Error Rate (CER) - Point where FRR and FAR are equal. Low CER indicates a better performing system.
16
Q

Example of 2 Step Verification

A

Corporate Google Accounts often use Username and Password followed by a 6-digit code sent to a user's cell phone via SMS, voice call or the Google mobile app.

17
Q

What is SSO

A

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., name and password) to access multiple applications.

18
Q

What is Kerberos SSO and how does it work?

A
  • Windows and Linux use this protocol to issue tickets. Also referred to as a Key Distribution Center (KDC).
  • Auth request goes to the Kerberos server. Kerberos validates the ID. Creates a symmetric key that is hashed with the password. Creates a time-stamped ticket-granting ticket (TGT). Sends both to the client. The client decrypts the key with the hash of the password, gets the key and can then encrypt and decrypt traffic. With the wrong password, it cannot get the key. To access a specific server, the client sends the TGT. The server sends back a ticket and the key needed. The client sends this to the target server, which verifies the ticket. Effectively mutual certification.
19
Q

What is Federated Access?

A

Where different organizations use trusted identity providers rather than sharing credentials of their users.

20
Q

What is SAML?

A

Security Assertion Markup Language.
A Federated Identity Management system for web based app servers to provide SSO.

Made up of 3 key roles:

  1. ) Principal - the User
  2. ) Identity Provider - the trusted system that creates and maintains the identity info of the Principal.
  3. ) Service Provider - the entity that provides the services (websites) for the Principal.
21
Q

How is offline authentication achieved?

A

Locally cached credentials.

22
Q

What are the methods for device authentication?

A
  1. ) MAC Filtering
  2. ) Device Fingerprinting
  3. ) Mobile Device Management
23
Q

In the context of access controls, what are subjects and objects?

A

Subjects - the person, bot, system or device requesting the access.
Objects - the data, file, server, facility or component the subject wants access to.

24
Q

What are 4 attributes that can control the access of a subject?

A
  1. ) Time
  2. ) Location
  3. ) Remote access attribute
  4. ) Role or group membership (RBAC)
25
Q

What is the Principle of Least Privilege Access?

A

Giving a subject only those permissions required to do their job.

26
Q

What is a security kernel?

A

A central part of an OS that controls access to system resources.

27
Q

What is discretionary access control (DAC)?

A

DAC is a granular level of subject-based access control where users have ownership over the data and can assign permissions to the data for other users via ACLs. Each User / ACL combination is called an Access Control Entry (ACE).

28
Q

What is non-discretionary access control?

A

Non-granular model where Security Administrators (or others) control the access that is granted to users. Role based, rule based, attribute based and mandatory access control models are types of non-DAC models.

29
Q

What is RBAC?

A

Role based access control. Use of roles and groups to determine access.

30
Q

What is Rule-BAC?

A

Rule based access control. Rules or logic are implemented by Administrators to determine access.

31
Q

What is ABAC?

A

Attribute based access control. More granular levels of control than RBAC or Rule-BAC. Allows administrators to build policies.

32
Q

What four elements do policies contain?

A
  1. ) Subjects
  2. ) Objects
  3. ) Action
  4. ) Environment - anything other than those above, e.g. device type, channel, etc.
33
Q

What is Mandatory Access Control (MAC)?

A

Highest level of security for non-DAC models. Classifies/tags both subjects and objects with labels (i.e. top secret, unclassified, public).

34
Q

What are the 2 principles of the Bell-LaPadula MAC model? What does it enforce?

A
  1. ) No read up - subject cannot read objects with a security level above their own
  2. ) No write down - subjects cannot write to objects with a security level below their own

Enforces confidentiality.

35
Q

What are the 2 principles of the Biba MAC model? What does it enforce?

A
  1. ) No read down
  2. ) No write up

Enforces integrity.

36
Q

What is the Clark-Wilson MAC model? What does it enforce?

A

A MAC model that implements 5 certification rules and 4 enforcement rules. Enforces SOD.

37
Q

What is the Brewer-Nash (aka Chinese Wall) MAC model? What does it prevent and enforce?

A

A MAC model that classifies data and then ensures subjects cannot access other types. Prevents conflict of interest and enforces SOD.

38
Q

Describe an Access Control Matrix.

A

A list of objects mapped to ACLs.

39
Q

Describe a Capability Table.

A

A list of subjects/groups mapped to rights and permissions.

40
Q

What is an ACL?

A

Access control list - a list of permissions attached to an object.

41
Q

What is identity proofing?

A

Verification of identity. Providing CVV for credit card purchases or cognitive passwords.

42
Q

What is an example of an account lockout policy?

A

X failed login attempts locks the account for Y minutes.

43
Q

What is entitlement?

A

The privileges granted to users.

44
Q

What does Identity and Access Management (IAM) include?

A
  1. ) Provisioning
  2. ) Maintenance
  3. ) Entitlement
  4. ) De-provisioning