Chapter 2: Understanding Identity and Access Management Flashcards

1
Q

Authentication

A

allows entities to prove their identity by using credentials known to another entity.

2
Q

Identification

A

occurs when a user claims or professes an identity, such as with a username, an email address, a PIV card, or by using biometrics.

3
Q

Authentication

A

occurs when an entity provides proof of an identity (such as a password). A second identity is the authenticator and it verifies the authentication.

4
Q

Authorization

A

provides access to resources based on a proven identity.

5
Q

Accounting

A

methods track user activity and record the activity in logs.

6
Q

Five factors of authentication are:

A

Something you know, such as a username and password

Something you have, such as a smart card, CAC, PIV, or token

Something you are, using biometrics, such as fingerprints or retina scans

Somewhere you are, using geolocation, a computer name, or a MAC address

Something you do, such as gestures on a touch screen

7
Q

The something you know factor typically refers to

A

a shared secret, such as a password or a PIN. This is the least secure form of authentication.

8
Q

Passwords should be

A

strong and changed often. Complex passwords include multiple character types. Strong passwords are complex and at least 14 characters long.

9
Q

Administrators should verify

A

a user’s identity before resetting the user’s password. When resetting passwords manually, administrators should configure them as temporary passwords that expire after the first use, requiring users to create a new password the first time they log on. Self-service password systems automate password recovery.

10
Q

Password policies provide

A

a technical means to ensure users employ secure password practices.

11
Q

Password length specifies

A

the minimum number of characters in the password.

12
Q

Password complexity

A

ensures passwords are complex and include at least three of the four character types, such as special characters.

13
Q

Password history

A

remembers past passwords and prevents users from reusing passwords.

14
Q

Minimum password age is used with password history to prevent

A

users from changing their password repeatedly to get back to the original password.

15
Q

Maximum password age or password expiration forces users to

A

change their password periodically. When administrators reset user passwords, the password should expire upon first use.

16
Q

Password policies should apply to

A

any entity using a password. This includes user accounts and accounts used by services and applications. Applications with internally created passwords should still adhere to the organization’s password policy.

17
Q

Account lockout policies

A

lock out an account after a user enters an incorrect password too many times.

18
Q

Smart cards are

A

credit card-sized cards that have embedded certificates used for authentication. They require a PKI to issue certificates.

19
Q

Common Access Cards (CACs) and Personal Identity Verification (PIV) cards can be used as

A

photo IDs and as smart cards (both identification and authentication).

20
Q

Tokens (or key fobs)

A

display numbers in an LCD. These numbers provide rolling, one-time use passwords and are synchronized with a server. USB tokens include an embedded chip and a USB connection. Generically, these are called hardware tokens.

21
Q

HOTP and TOTP are

A

open source standards used to create one-time-use passwords.

22
Q

HOTP creates a one-time-use password

A

that does not expire

23
Q

TOTP creates a one-time password

A

that expires after 30 seconds.

24
Q

Biometric authentication methods

A

are the most difficult to falsify. Physical methods include voice and facial recognition, fingerprints, retina scans, iris scans, and palm scans. Biometric methods can also be used for identification.

25
Q

The false acceptance rate (FAR), or false match rate, identifies

A

the percentage of times false acceptance occurs.

26
Q

The false rejection rate (FRR), or false nonmatch rate, identifies

A

the percentage of times false rejections occur.

27
Q

The crossover error rate (CER) indicates

A

the quality of the biometric system. Lower CERs are better.

28
Q

Single-factor authentication includes

A

one or more authentication methods in the same factor, such as a PIN and a password.

29
Q

Dual-factor (or two-factor) authentication

A

uses two factors of authentication, such as a USB token and a PIN.

30
Q

Multifactor authentication

A

uses two or more factors. Multifactor authentication is stronger than any form of single-factor authentication.

31
Q

Authentication methods using two or more methods in the same factor are

A

single-factor authentication. For example, a password and a PIN are both in the something you know factor, so they only provide single-factor authentication.

32
Q

Kerberos is

A

a network authentication protocol using tickets issued by a KDC or TGT server. If a ticket-granting ticket expires, the user might not be able to access resources. Microsoft Active Directory domains and Unix realms use Kerberos for authentication.

33
Q

LDAP

A

specifies formats and methods to query directories. It provides a single point of management for objects, such as users and computers, in an Active Directory domain or Unix realm. The following is an example of an LDAP string: LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com

34
Q

LDAP Secure (LDAPS)

A

encrypts transmissions with SSL or TLS.

35
Q

Single sign-on (SSO)

A

allows users to authenticate with a single user account and access multiple resources on a network without authenticating again.

36
Q

SSO can be used to

A

provide central authentication with a federated database and use this authentication in an environment with different operating systems (nonhomogeneous environment).

37
Q

SAML is

A

an XML-based standard used to exchange authentication and authorization information between different parties. SAML is used with web-based applications.

38
Q

A federated identity

A

links a user’s credentials from different networks or operating systems, but the federation treats it as one identity.

39
Q

Shibboleth is

A

an open source federated identity solution that includes Open SAML libraries.

40
Q

OAuth and OpenID Connect are

A

used by many web sites to streamline the authentication process for users. They allow users to log on to many web sites with another account, such as one they’ve created with Google, Facebook, PayPal, Microsoft, or Twitter.

41
Q

The principle of least privilege is

A

a technical control that uses access controls. It specifies that individuals or processes are granted only the rights and permissions needed to perform assigned tasks or functions, but no more.

42
Q

Users should not

A

share accounts. It prevents effective identification, authentication, authorization, and accounting. Most organizations ensure the Guest account is disabled.

43
Q

Account policies often require administrators to

A

have two accounts (an administrator account and a standard user account) to prevent privilege escalation and other attacks.

44
Q

An account disablement policy ensures

A

that inactive accounts are disabled. Accounts for employees who either resign or are terminated should be disabled as soon as possible. Configuring expiration dates on temporary accounts ensures they are disabled automatically.

45
Q

Time restrictions can prevent users from

A

logging on or accessing network resources during specific hours.

46
Q

Location-based policies prevent users from

A

logging on from certain locations.

47
Q

Accounts should be recertified to

A

verify they are still required. For example, if the organization extends a contract, it’s a simple matter to recertify the account. Administrators verify that the contract has been extended, change the expiration date, and enable the account.

48
Q

Administrators routinely perform account maintenance. This is often done with

A

scripts to automate the processes and includes deleting accounts that are no longer needed.

49
Q

Credential management systems

A

store and simplify the use of credentials for users. When users access web sites needing credentials, the system automatically retrieves the stored credentials and submits them to the web site.

50
Q

The role-based access control (role-BAC) model uses

A

roles to grant access by placing users into roles based on their assigned jobs, functions, or tasks.

51
Q

A matrix matching job titles with required privileges is useful as a planning document when using

A

role-BAC

52
Q

Group-based privileges are a form of

A

role-BAC. Administrators create groups, add users to the groups, and then assign permissions to the groups. This simplifies administration because administrators do not have to assign permissions to users individually.

53
Q

The rule-based access control (rule-BAC) model is based on

A

a set of approved instructions, such as ACL rules in a firewall. Some rule-BAC implementations use rules that trigger in response to an event, such as modifying ACLs after detecting an attack.

54
Q

In the discretionary access control (DAC) model,

A

every object has an owner. The owner has explicit access and establishes access for any other user.

55
Q

Microsoft NTFS uses the

A

DAC model, with every object having a discretionary access control list (DACL).

56
Q

The DACL identifies who has

A

access and what access they are granted.

57
Q

A major flaw of the DAC model is its susceptibility to

A

Trojan horses.

58
Q

Mandatory access control (MAC) uses

A

security or sensitivity labels to identify objects (what you’ll secure) and subjects (users). It is often used when access needs to be restricted based on a need to know. The administrator establishes access based on predefined security labels. These labels are often defined with a lattice to specify the upper and lower security boundaries.

59
Q

An attribute-based access control (ABAC)

A

evaluates attributes and grants access based on the value of these attributes. It is used in many software defined networks (SDNs).