Chapter 2: Understanding Identity and Access Management Flashcards
What does AAA stand for?
Authentication - Proven identity
Authorization - Access granted based on proven identity
Accounting - Tracking users' activity and logging it to create an audit trail
See page 36 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
What are the authentication factors?
Something you know - Password or PIN
Something you have - CAC card or RSA key fob
Something you are - Biometric
See page 37 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
What is the difference between password expiration and password history?
Password expiration sets the length of time after which a password must be changed. This is also known as the maximum password age.
Password history keeps track of a set number of previously used passwords and prohibits users from reusing old passwords too frequently. This is also known as the minimum password age.
See page 38 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
What are Password Keys?
Password keys are used to reset passwords on systems. They are commonly bootable optical discs or bootable USB flash drives.
See page 39 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
What does KBA stand for and what are the 2 types? What’s the difference between the two KBAs?
Knowledge Base Authentication (KBA) can either be Static or Dynamic.
Static KBA - used to verify your identity when you have forgotten your password, such as your first pet's name. While creating an account, users are prompted to provide answers to these static questions.
Dynamic KBA - identifies individuals without an account. Users are prompted to identify themselves by answering questions based on data sourced from public records and private data sources, for example: which of the following addresses have you lived at? What is your car payment?
See page 39 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
What is the fundamental difference between HOTP and TOTP?
Both of these open standards create a one-time-use password. Where they differ is that an HOTP one-time-use password only expires after it is used (if never used, it never expires), whereas TOTP one-time-use passwords are timestamped, meaning they expire after a predefined amount of time (usually 30 seconds).
See page 42 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
What is the CER and what does a low CER indicate about a Biometric system?
The Crossover Error Rate (CER) is the point where the False Acceptance Rate (FAR) and the False Rejection Rate (FRR) cross over.
The lower the CER the more accurate a biometric system is.
See page 42 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
What are the authentication attributes and how are they used in general?
- Someone you know (A friend, or boss)
- Somewhere you are (Location-based services)
- Something you can do (A gesture on a screen)
- Something you exhibit (A badge)
Authentication attributes are used to help identify a user based on characteristics and traits. They are used in conjunction with one or more authentication factors and are rarely used on their own for authentication.
See pages 46 & 47 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
What are PAM systems and what are some of their capabilities listed in the text?
Privileged Access Management (PAM) systems implement stringent security controls over accounts with elevated privileges (think root or Administrator accounts).
Capabilities:
- Allow users to access privileged accounts without a password
- Automatically change privileged account passwords periodically
- Limit the time a user can use a privileged account
- Allow users to check out credentials
- Log all access of credentials
See pages 49 & 50 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
A policy that restricts users from logging on to a system outside of a predefined time window (e.g., 9am - 5pm) is referred to as what?
Time-Based Logins or Time-of-Day Restrictions
See pages 51 & 52 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
An audit that examines the privileges (rights and permissions) assigned to a user's digital profile and helps enforce the principle of least privilege is referred to as what?
Account Audit
See page 42 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
A network authentication protocol that uses a KDC to issue timestamped tickets, which authenticate users on a network and grant them access to network resources, is referred to as what?
Kerberos
See page 53 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study and/or https://www.youtube.com/watch?v=VpBCJ8vS7T0&t=319s
An identity management system that holds users’ identities and authenticates users in a non-homogeneous environment is referred to as what?
Federated identity management system - These are used in a Federation to support SSO.
See page 54 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
A federated identity management system that is used for SSO in web browsers and can also be used for authorization is referred to as what?
Security Assertion Markup Language (SAML) - this is an Extensible Markup Language (XML) based data format used for SSO for web-based applications and browsers.
See page 54 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study
An open standard protocol that allows users to use a single authenticated account to access one or more secure website services, rather than creating an individual account for each site, is referred to as what?
OAuth - Open Authorization
See page 55 of CompTIA Security+ SY0-601: Get Certified Get Ahead by Darril Gibson for an in-depth study