Chapter 2: Understanding Identity and Access Management

Question 1

Authentication

Answer 1

allows entities to prove their identity by using credentials known to another entity.

Question 2

Identification

Answer 2

occurs when a user claims or professes an identity, such as with a username, an email address, a PIV card, or by using biometrics.

Question 3

Authentication

Answer 3

occurs when an entity provides proof of an identity (such as a password). A second identity is the authenticator and it verifies the authentication.

Question 4

Authorization

Answer 4

provides access to resources based on a proven identity.

Question 5

Accounting

Answer 5

methods track user activity and record the activity in logs.

Question 6

Five factors of authentication are:

Answer 6

Something you know, such as a username and password

Something you have, such as a smart card, CAC, PIV, or token

Something you are, using biometrics, such as fingerprints or retina scans

Somewhere you are, using geolocation, a computer name, or a MAC address

Something you do, such as gestures on a touch screen

Question 7

The something you know factor typically refers to

Answer 7

a shared secret, such as a password or a PIN. This is the least secure form of authentication.

Question 8

Passwords should be

Answer 8

strong and changed often. Complex passwords include multiple character types. Strong passwords are complex and at least 14 characters long.

Question 9

Administrators should verify

Answer 9

a user’s identity before resetting the user’s password. When resetting passwords manually, administrators should configure them as temporary passwords that expire after the first use, requiring users to create a new password the first time they log on. Self-service password systems automate password recovery.

Question 10

Password policies provide

Answer 10

a technical means to ensure users employ secure password practices.

Question 11

Password length specifies

Answer 11

the minimum number of characters in the password.

Question 12

Password complexity

Answer 12

ensures passwords are complex and include at least three of the four character types, such as special characters.

Question 13

Password history

Answer 13

remembers past passwords and prevents users from reusing passwords.

Question 14

Minimum password age is used with password history to prevent

Answer 14

users from changing their password repeatedly to get back to the original password.

Question 15

Maximum password age or password expiration forces users to

Answer 15

change their password periodically. When administrators reset user passwords, the password should expire upon first use.

Question 16

Password policies should apply to

Answer 16

any entity using a password. This includes user accounts and accounts used by services and applications. Applications with internally created passwords should still adhere to the organization’s password policy.

Question 17

Account lockout policies

Answer 17

lock out an account after a user enters an incorrect password too many times.

Question 18

Smart cards are

Answer 18

credit card-sized cards that have embedded certificates used for authentication. They require a PKI to issue certificates.

Question 19

Common Access Cards (CACs) and Personal Identity Verification (PIV) cards can be used as

Answer 19

photo IDs and as smart cards (both identification and authentication).

Question 20

Tokens (or key fobs)

Answer 20

display numbers in an LCD. These numbers provide rolling, one-time use passwords and are synchronized with a server. USB tokens include an embedded chip and a USB connection. Generically, these are called hardware tokens.

Question 21

HOTP and TOTP are

Answer 21

open source standards used to create one- time-use passwords.

Question 22

HOTP creates a one-time-use password

Answer 22

that does not expire

Question 23

TOTP creates a one- time password

Answer 23

that expires after 30 seconds.

Question 24

Biometric authentication methods

Answer 24

are the most difficult to falsify. Physical methods include voice and facial recognition, fingerprints, retina scans, iris scans, and palm scans. Biometric methods can also be used for identification.

Question 25

The false acceptance rate (FAR), or false match rate, identifies

Answer 25

the percentage of times false acceptance occurs.

Question 26

The false rejection rate (FRR), or false nonmatch rate, identifies

Answer 26

the percentage of times false rejections occur.

Question 27

The crossover error rate (CER) indicates

Answer 27

the quality of the biometric system. Lower CERs are better.

Question 28

Single-factor authentication includes

Answer 28

one or more authentication methods in the same factor, such as a PIN and a password.

Question 29

Dual-factor (or two-factor) authentication

Answer 29

uses two factors of authentication, such as a USB token and a PIN.

Question 30

Multifactor authentication

Answer 30

uses two or more factors. Multifactor authentication is stronger than any form of single- factor authentication.

Question 31

Authentication methods using two or more methods in the same factor are

Answer 31

single- factor authentication. For example, a password and a PIN are both in the something you know factor, so they only provide single-factor authentication.

Question 32

Kerberos is

Answer 32

a network authentication protocol using tickets issued by a KDC or TGT server. If a ticket-granting ticket expires, the user might not be able to access resources. Microsoft Active Directory domains and Unix realms use Kerberos for authentication.

Question 33

LDAP

Answer 33

specifies formats and methods to query directories. It provides a single point of management for objects, such as users and computers, in an Active Directory domain or Unix realm. The following is an example of an LDAP string: LDAP:// CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com

Question 34

LDAP Secure (LDAPS)

Answer 34

encrypts transmissions with SSL or TLS.

Question 35

Single sign-on (SSO)

Answer 35

allows users to authenticate with a single user account and access multiple resources on a network without authenticating again.

Question 36

SSO can be used to

Answer 36

provide central authentication with a federated database and use this authentication in an environment with different operating systems (nonhomogeneous environment).

Question 37

SAML is

Answer 37

an XML-based standard used to exchange authentication and authorization information between different parties. SAML is used with web-based applications.

Question 38

A federated identity

Answer 38

links a user’s credentials from different networks or operating systems, but the federation treats it as one identity.

Question 39

Shibboleth is

Answer 39

an open source federated identity solution that includes Open SAML libraries.

Question 40

OAuth and OpenID Connect are

Answer 40

used by many web sites to streamline the authentication process for users. They allow users to log on to many web sites with another account, such as one they’ve created with Google, Facebook, PayPal, Microsoft, or Twitter.

Question 41

The principle of least privilege is

Answer 41

a technical control that uses access controls. It specifies that individuals or processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.

Question 42

Users should not

Answer 42

share accounts. It prevents effective identification, authentication, authorization, and accounting. Most organizations ensure the Guest account is disabled.

Question 43

Account policies often require administrators to

Answer 43

have two accounts (an administrator account and a standard user account) to prevent privilege escalation and other attacks.

Question 44

An account disablement policy ensures

Answer 44

that inactive accounts are disabled. Accounts for employees who either resign or are terminated should be disabled as soon as possible. Configuring expiration dates on temporary accounts ensures they are disabled automatically.

Question 45

Time restrictions can prevent users from

Answer 45

logging on or accessing network resources during specific hours.

Question 46

Location-based policies prevent users from

Answer 46

logging on from certain locations.

Question 47

Accounts should be recertified to

Answer 47

verify they are still required. For example, if the organization extends a contract, it’s a simple matter to recertify the account. Administrators verify that the contract has been extended, change the expiration date,
and enable the account.

Question 48

Administrators routinely perform account maintenance. This is often done with

Answer 48

scripts to automate the processes and includes deleting accounts that are no longer needed.

Question 49

Credential management systems

Answer 49

store and simplify the use of credentials for users. When users access web sites needing credentials, the system automatically retrieves the stored credentials and submits them to the web site.

Question 50

The role-based access control (role-BAC) model uses

Answer 50

roles to grant access by placing users into roles based on their assigned jobs, functions, or tasks.

Question 51

A matrix matching job titles with required privileges is useful as a planning document when using

Answer 51

role-BAC

Question 52

Group-based privileges are a form of

Answer 52

role-BAC. Administrators create groups, add users to the groups, and then assign permissions to the groups. This simplifies administration because administrators do not have to assign permissions to users individually.

Question 53

The rule-based access control (rule-BAC) model is based on

Answer 53

set of approved instructions, such as ACL rules in a firewall. Some rule- BAC implementations use rules that trigger in response to an event, such as modifying ACLs after detecting an attack.

Question 54

In the discretionary access control (DAC) model,

Answer 54

every object has an owner. The owner has explicit access and establishes access for any other user.

Question 55

Microsoft NTFS uses the

Answer 55

DAC model, with every object having a discretionary access control list (DACL).

Question 56

The DACL identifies who has

Answer 56

access and what access they are granted.

Question 57

A major flaw of the DAC model is its susceptibility to

Answer 57

Trojan horses.

Question 58

Mandatory access control (MAC) uses

Answer 58

security or sensitivity labels to identify objects (what you’ll secure) and subjects (users). It is often used when access needs to be restricted based on a need to know. The administrator establishes access based on predefined security labels. These labels are often defined with a lattice to specify the upper and lower security boundaries.

Question 59

An attribute-based access control (ABAC)

Answer 59

evaluates attributes and

grants access based on the value of these attributes. It is used in many software defined networks (SDNs).