Chapter 2 Identity and Access Management Flashcards
Who uses a service account, and what is its password policy?
A service or application, not an end user. The password does not expire (otherwise the service would shut down), but it should be complex.
What is a third-party account for, and what is an example?
For external parties that require access to the network. This may include security software that requires administrator privileges.
What is PAM, and what are its benefits?
Privileged access management, used to increase security: privileges are only granted when required. It limits the time of access, changes passwords periodically, means the user does not need to know the password (access is granted to them at the time), and logs all usage.
Is there a situation where users should share accounts?
A. Yes
B. No - a security risk, as users can't be tracked.
C. It depends
C. Personnel should not, but companies that come in to do a specific type of work can share one account between their employees to do so.
What should be done with default accounts (guest accounts) when not being used?
A. Restricted access
B. Disabled
B
Why are accounts disabled as opposed to wiped/deleted/removed?
In case they hold private keys that are still required.
In these situations, what happens to their accounts?
1. Employee is terminated
2. Leave of absence
3. Account is deleted
- The account is disabled immediately once it is no longer in use.
- The account is disabled while they are away.
- Account policy dictates that after X days the account is deleted.
What are the different SSO methods?
Kerberos, Federation, SAML, OAuth, OpenID
What is Kerberos, what are its uses and benefits, and briefly how does it work?
SSO for networks, both Windows and Unix. Requires strong mutual authentication: the KDC gives the user a ticket, the ticket is accepted across the network, and a time limit is set (it works for 10 hours). Prevents on-path attacks.
What unites different operating systems and networks for SSO, and how are they united?
Federation; the two parties to be 'united' agree on and exchange a federated identity management database.
What is SAML used for?
Web browsers and web portals, allowing a login in one place that also lets the user onto another. Organizations must trust each other to allow this authentication across different websites.
What is OAuth used for?
Connecting multiple accounts, e.g. using Amazon and then using PayPal to pay for the purchase; it connects these accounts together.
What is the difference, briefly, between 1) role-based, 2) rule-based, 3) discretionary access control (DAC), 4) MAC and 5) ABAC?
Role - based on the user's role.
Rule - based on approved lists (like ACLs in routers/firewalls), or rules such as "if Bart is absent, Marge can access".
DAC - at MY discretion, as it is MY folder (every object has an owner): I will allow XYZ to read/write/copy, or just read, etc.
MAC - based on security clearance: is it public, secret, top secret, etc. Military style.
ABAC - based on attributes; typically includes four things: a subject, an object, an action, and the environment. Allow X to work on Y by doing Z in environment R.
Conditional access vs ABAC?
Conditional access uses If-Then statements based on policies, e.g. multifactor authentication is required to log in: if it is satisfied, then allow. Is the device on the home IP, a desktop? If yes, then don't allow.