Chapter 2: Understanding Identity and Access Management Flashcards

1
Q

What does AAA stand for?

A

Authentication - Proving an identity (for example, with a password or token)
Authorization - Access granted based on the proven identity
Accounting - Tracking users' activity and logging it to create an audit trail

See page 36 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

2
Q

What are the authentication factors?

A

Something you know - Password or PIN
Something you have - Smart card (such as a CAC, Common Access Card) or RSA key fob
Something you are - Biometric (fingerprint, retina, and so on)

See page 37 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

3
Q

What is the difference between password expiration and password history?

A

Password expiration sets the maximum time a password may be used before it must be changed. This is also known as the maximum password age.

Password history keeps track of a set number of previously used passwords and prohibits users from reusing them. It is usually paired with a separate setting, the minimum password age (the shortest time a user must wait before changing the password again), which stops users from changing the password several times in a row to cycle through the history and get back to an old favourite. Password history and minimum password age are distinct settings that work together.

See page 38 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
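
Added example (Python, not from the book): the three settings in action on one account record. The policy values, the PBKDF2 round count and the sample passwords are assumptions chosen for the example; history entries are stored as salted hashes so old passwords are never kept in clear.

```python
import hashlib
import hmac
import os

# Policy values are assumptions for this example, not figures from the book.
DAY = 86_400
MAX_PASSWORD_AGE = 90 * DAY   # password expiration (maximum password age), in seconds
MIN_PASSWORD_AGE = 1 * DAY    # minimum password age: wait this long between changes
HISTORY_SIZE = 3              # how many previous passwords are remembered
PBKDF2_ROUNDS = 10_000        # kept low so the example runs quickly; use far more in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so history entries never hold plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt), digest)


class PasswordRecord:
    """Per-account password state: current hash, when it was set, and recent history.
    Times are Unix seconds so the example needs nothing beyond the standard library."""

    def __init__(self, password: str, changed_at: int):
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.changed_at = changed_at
        self.history = []   # (salt, digest) of previous passwords, most recent first

    def is_expired(self, now: int) -> bool:
        """Password expiration: the password must be changed once it is MAX_PASSWORD_AGE old."""
        return now - self.changed_at >= MAX_PASSWORD_AGE

    def change(self, new_password: str, now: int) -> str:
        """Return 'ok' after a successful change, or the reason the change was refused."""
        if now - self.changed_at < MIN_PASSWORD_AGE:
            return "too-soon"          # minimum password age blocks rapid cycling
        if _matches(new_password, self.salt, self.digest):
            return "reused"            # same as the current password
        if any(_matches(new_password, s, d) for s, d in self.history):
            return "reused"            # password history blocks an old password
        self.history.insert(0, (self.salt, self.digest))
        del self.history[HISTORY_SIZE:]   # forget anything older than HISTORY_SIZE changes
        self.salt = os.urandom(16)
        self.digest = hash_password(new_password, self.salt)
        self.changed_at = now
        return "ok"
```

With a history of 3 the fourth change frees the original password again; without the minimum-age check a user could make those four changes in a minute, which is exactly the loophole the minimum password age closes.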

4
Q

What are Password Keys?

A

Password keys are tools used to reset or recover passwords on a system, commonly distributed as bootable optical discs or bootable USB flash drives. Because they work by booting around the installed operating system, they are also a reminder that physical access to a machine must be controlled.

See page 39 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

5
Q

What does KBA stand for and what are the 2 types? What’s the difference between the two KBAs?

A

Knowledge-Based Authentication (KBA) can be either static or dynamic.

Static KBA - verifies your identity when you have forgotten your password, using answers such as your first pet's name. Users provide the answers to these static questions when creating the account. The answers are a weak secret, since they are often discoverable from public profiles.

Dynamic KBA - identifies individuals who do not already have an account. Users are asked questions built from public records and private data sources, such as which of the listed addresses they have lived at or what their monthly car payment is.

See page 39 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

6
Q

What is the fundamental difference between HOTP and TOTP?

A

Both are open standards (HOTP is RFC 4226, TOTP is RFC 6238) that generate a one-time password from a shared secret. HOTP derives each password from a counter, so a password stays valid until it is used (if never used, it never expires). TOTP derives the password from the current time, so each password expires after a predefined time step (usually 30 seconds) whether or not it was used.

See page 42 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

7
Q

What is the CER and what does a low CER indicate about a Biometric system?

A

The Crossover Error Rate (CER) is the point at which the False Acceptance Rate (FAR, impostors wrongly accepted) and the False Rejection Rate (FRR, legitimate users wrongly rejected) are equal as the system's matching threshold is varied.

The lower the CER, the more accurate the biometric system is. Raising the threshold trades a lower FAR for a higher FRR, so the CER summarises that trade-off in a single number that can be compared between systems.

See page 42 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
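
Added example (Python, not from the book): sweeping the matching threshold over two constructed score sets to find where FAR and FRR cross. The score lists are made up for the example; with only eight samples each the curves are coarse steps, so the function reports the threshold where the two rates are closest.

```python
# Constructed match scores in [0, 1]; higher means "more like the enrolled user".
# System A separates genuine users from impostors cleanly, system B overlaps.
GENUINE_A = [0.90, 0.85, 0.95, 0.80, 0.88, 0.92, 0.78, 0.90]
IMPOSTOR_A = [0.10, 0.20, 0.15, 0.30, 0.25, 0.05, 0.35, 0.20]
GENUINE_B = [0.60, 0.70, 0.55, 0.80, 0.65, 0.45, 0.75, 0.50]
IMPOSTOR_B = [0.40, 0.50, 0.35, 0.60, 0.45, 0.55, 0.30, 0.65]


def error_rates(genuine, impostor, threshold):
    """FAR: share of impostor scores accepted (score >= threshold).
    FRR: share of genuine scores rejected (score < threshold)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor, steps=100):
    """Sweep the threshold over [0, 1] and report the point where FAR and FRR are closest
    (equal, given a large enough sample). Returns (threshold, CER)."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, cer = best
    return threshold, cer
```

System A reaches a CER of 0 (some threshold rejects every impostor and every genuine user is still accepted), while system B cannot do better than about 31%, which is the "lower CER is more accurate" point of the card in numbers.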

8
Q

What are the authentication attributes and how are they used in general?

A
  • Someone you know (A friend or boss who vouches for you)
  • Somewhere you are (Location-based services, such as a geofence or the source IP address)
  • Something you can do (A gesture on a screen)
  • Something you exhibit (A behavioral trait, such as typing rhythm or gait)

Authentication attributes help identify a user based on characteristics and traits. They are used in conjunction with one or more authentication factors and are rarely used on their own for authentication, because most of them are easy to observe or spoof.

See pages 46 & 47 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

9
Q

What are PAM systems and what are some of their capabilities listed in the text?

A

Privileged Access Management (PAM) systems implement stringent security controls over accounts with elevated privileges (think root or Administrator accounts).

Capabilities:

  • Allow users to access privileged accounts without knowing the password
  • Automatically change privileged account passwords periodically
  • Limit the time a user can use a privileged account
  • Allow users to check out credentials (and check them back in when done)
  • Log all access to credentials, giving an audit trail of who used a privileged account and when

See pages 49 & 50 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

10
Q

A policy that restricts users from logging on to a system outside of a predefined time window (e.g., 9 am - 5 pm) is referred to as what?

A

Time-Based Logins or Time-of-Day Restrictions

See pages 51 & 52 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

11
Q

An audit that examines the privileges (rights and permissions) assigned to a user's account and helps enforce the principle of least privilege is referred to as what?

A

Account Audit

See page 42 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

12
Q

A network authentication protocol that uses a Key Distribution Center (KDC) to issue time-stamped tickets, so that a user authenticates once and then presents tickets to access resources on the network, is referred to as what?

A

Kerberos - because the tickets are time-stamped, Kerberos requires the clocks of clients and servers to be closely synchronised; tickets outside the allowed skew are rejected.

See page 53 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study and or https://www.youtube.com/watch?v=VpBCJ8vS7T0&t=319s

13
Q

An identity management system that holds users’ identities and authenticates users in a non-homogeneous environment is referred to as what?

A

Federated identity management system - used in a federation (a group of organizations or domains that agree to trust each other's identity assertions) to support SSO across those boundaries.

See page 54 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

14
Q

A federated identity management standard used for SSO in web browsers, which can also carry authorization information, is referred to as what?

A

Security Assertion Markup Language (SAML) - an Extensible Markup Language (XML)-based data format used for SSO with web-based applications and browsers. The identity provider (IdP) authenticates the user and sends a signed assertion to the service provider (SP), which trusts the assertion instead of checking credentials itself. Assertions can carry authorization information (roles, attributes) as well as the authentication statement, so the SP must verify the signature before acting on either.

See page 54 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

15
Q

An open standard protocol that allows users to use a single authenticated account to access one or more secure website services, rather than users creating individual accounts for each site to access these services is referred to as what?

A

OAuth - Open Authorization. Strictly, OAuth 2.0 is an authorization framework: the user grants a third-party application limited, scoped access to resources held by another service without handing over their password. It does not by itself tell the application who the user is; that is what OpenID Connect adds on top of it.

See page 55 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

16
Q

What is OpenID?

A

OpenID is an open standard authentication service that allows users to use an existing account to sign in to multiple websites, without needing to create new passwords.

You may choose to associate information with your OpenID that can be shared with the websites you visit, such as a name or email address. With OpenID, you control how much of that information is shared with the websites you visit.

With OpenID, your password is only given to your identity provider, and that provider then confirms your identity to the websites you visit.

See page 56 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study and or https://openid.net/what-is-openid/

17
Q

What is OIDC?

A

OpenID Connect (OIDC) is an identity (authentication) layer built on top of OAuth 2.0. The OpenID Provider returns a signed JSON Web Token (JWT) called the ID Token, whose claims (issuer, subject, audience, expiry, nonce) tell the relying party who authenticated and when; the relying party must validate the signature and those claims before trusting the token.

See page 56 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study and or https://www.youtube.com/watch?v=6DxRTJN1Ffo

18
Q

An access control scheme that uses job roles or functions to determine a user's level of access is referred to as what?

A

Role-Based Access Control (Role-BAC, also written RBAC)

See pages 56 - 58 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

19
Q

A planning document that matches roles with the required level of privileges is referred to as what?

A

Role-BAC Matrix

See page 57 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

20
Q

A more efficient method of implementing Role-BAC, which assigns privileges to a group of users who share the same function rather than to each user individually, is referred to as what?

A

Group-based privilege or Group-based access control

See page 58 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

21
Q

Access control that is based on a hierarchy, where higher-level roles inherit the access of the roles beneath them, is referred to as what?

A

Role-BAC

See page 58 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

22
Q

Access control that is generally implemented on network devices, which use ACLs (rules that allow or deny traffic based on criteria such as IP address, protocol or port) to determine access, is referred to as what?

A

Rule-BAC (rule-based access control). Note that some Rule-BAC systems (including applications) use rules that trigger in response to an event, such as modifying ACLs after detecting an attack or granting additional permissions to a user in certain situations.

See page 59 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

23
Q

Which access control scheme acknowledges that owners create objects (folders, files, etc…) over which they establish the permission to access the object for other users?

A

Discretionary Access Control (DAC) - the owner of an object sets the permissions other users have on it. DAC is implemented with discretionary access control lists (DACLs), in which access control entries (ACEs, each naming a user or group and its assigned permission) are combined to form the DACL. Because owners set the permissions themselves, DAC lets users grant access the organization would rather they did not.

See pages 60 & 61 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

24
Q

An access control scheme that uses labels (aka sensitivity labels or security labels) for both subject and object and the “need to know” principle is referred to as what?

A

Mandatory Access Control (MAC) - the subject's label is compared with the object's label: when the subject's label matches (or is high enough to cover) the object's label, access to the object is granted; when it does not, access is blocked. Labels are assigned by an administrator rather than the object's owner, and the compartment part of a label is what enforces need to know.

See pages 61 - 63 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
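
Added example (Python, not from the book): label comparison with a sensitivity level and a set of compartments, using the Bell-LaPadula read and write rules, which the card does not name. The level names and compartments are assumptions.

```python
# Sensitivity levels in increasing order; compartments carry the need-to-know part of a label.
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


class Label:
    """A security label: one sensitivity level plus zero or more compartments."""

    def __init__(self, level: str, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other: "Label") -> bool:
        """True when this label's level is at least as high AND it holds every compartment
        of the other. Equal level with a missing compartment still fails: no need to know."""
        return self.level >= other.level and self.compartments >= other.compartments


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only what your clearance dominates (no read up)."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only to objects that dominate your clearance (no write down),
    so Secret data cannot be copied into a Confidential file."""
    return obj.dominates(subject)
```

The compartment check is the part that plain "level matching" misses: two Secret-cleared users on different projects are both Secret, yet neither can read the other's compartmented material.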

25
Q

An access control scheme that uses attributes defined in policies to grant access to resources and is commonly used in software-defined networks (SDNs) is referred to as what?

A

Attribute-Based Access Control (ABAC)

See pages 63 & 64 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study

26
Q

An access control that uses policies consisting of “if-then” statements that can be added to other access control schemes to enforce organization policies is referred to as what?

A

Conditional Access - for example, if a sign-in comes from an unmanaged device, then require MFA or block it. The conditions are evaluated at each sign-in, so the rules respond to context rather than only to a fixed role.

See page 64 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
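
Added example (Python, not from the book), serving this card and the ABAC and time-of-day cards above: a small policy evaluator where conditional-access "if-then" rules run first and attribute rules follow, with default deny. The attribute names, rules and sample requests are all constructed for the example; times are "HH:MM" strings so they compare as text.

```python
# Constructed policy: each rule is (predicate over subject/action/resource/environment, decision).
# Rules are checked in order, the first match wins, and anything unmatched is denied.
# Times are zero-padded "HH:MM" strings, which compare correctly as text.

CONDITIONAL_RULES = [
    # if the device is not compliant, then deny, whatever else is true
    (lambda s, a, r, e: not e["device_compliant"], "deny"),
    # if the resource is confidential and the session has no MFA, then step up
    (lambda s, a, r, e: r["classification"] == "confidential" and not e["mfa"], "require-mfa"),
]

ABAC_RULES = [
    # finance staff may work on the ledger during business hours (a time-of-day restriction)
    (lambda s, a, r, e: s["department"] == "finance" and r["type"] == "ledger"
                        and "09:00" <= e["time"] <= "17:00", "permit"),
    # auditors may read the ledger at any hour but never change it
    (lambda s, a, r, e: s["role"] == "auditor" and r["type"] == "ledger" and a == "read", "permit"),
]

POLICY = CONDITIONAL_RULES + ABAC_RULES


def evaluate(subject: dict, action: str, resource: dict, env: dict, policy=POLICY) -> str:
    """Return the decision of the first matching rule, or 'deny' if no rule matches."""
    for predicate, decision in policy:
        if predicate(subject, action, resource, env):
            return decision
    return "deny"


# Constructed sample subjects, resource and environment used by the checks below.
FINANCE_ANALYST = {"department": "finance", "role": "analyst"}
AUDITOR = {"department": "internal-audit", "role": "auditor"}
LEDGER = {"type": "ledger", "classification": "confidential"}
OFFICE_HOURS_ENV = {"device_compliant": True, "mfa": True, "time": "10:30"}
```

Putting the conditional rules first means a non-compliant device is refused before any role or attribute is consulted, which is how conditional access layers on top of an existing scheme rather than replacing it.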