Chapter 3 Identity and Access Management Flashcards
What is the most common form of authentication, and why is it so often entered incorrectly?
A password. It is the form of authentication most likely to be entered incorrectly: the user may forget it, mistype it, or have the Caps Lock key on by accident.
When you purchase a new wireless access point, what should you do first?
Change the default username and password before putting the device on the network. Default credentials for most devices are published on the internet, so anyone who finds the device could use them to access it.
What is password history?
Password history is the number of previous passwords the system remembers for each account. A user must cycle through that many new passwords before an old one can be reused. Some third-party applications or systems call this a password reuse list.
How can you prevent someone from reusing the same password?
Password history on its own can be defeated by changing the password many times in quick succession until the old one drops out of the list. Combining it with a minimum password age closes that gap: with a minimum age of 1 day, a user can change their password at most once per day, so cycling back to the old password takes as many days as there are entries in the history.
Explain what a complex password requires.
A complex password uses at least three of the four character classes: uppercase letters, lowercase letters, digits, and non-alphanumeric characters (symbols such as ! or #).
How can you stop an attacker from guessing a password by submitting many different passwords in succession?
Set an account lockout threshold with a low value, such as 3. The attacker then has only three attempts before the account is locked, either for the configured lockout duration or until an administrator unlocks it. A locked account is not disabled; it simply refuses logins until it is unlocked.
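The history, minimum-age, complexity and lockout rules from the last four cards, modelled together in Python. This is an added example, not code from the flashcards or from any operating system; the policy values (three of four character classes, 24 remembered passwords, one-day minimum age, lockout after three failures, 30-minute lockout duration, 8-character minimum length), the Account class and the sample account in demo() are all assumptions chosen to match the cards.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Policy values are assumptions chosen to match the cards; the 30-minute
# lockout duration and 8-character minimum are additional assumptions.
POLICY = {
    "min_length": 8,
    "classes_required": 3,         # three of the four character classes
    "history_size": 24,            # previous passwords remembered
    "min_age": timedelta(days=1),  # at most one change per day
    "lockout_threshold": 3,        # failures before the account locks
    "lockout_duration": timedelta(minutes=30),
}

# Upper, lower, digit, non-alphanumeric: the four complexity classes.
CLASSES = [re.compile(p) for p in (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")]


def is_complex(password: str) -> bool:
    """Minimum length plus at least POLICY['classes_required'] character classes."""
    if len(password) < POLICY["min_length"]:
        return False
    return sum(1 for c in CLASSES if c.search(password)) >= POLICY["classes_required"]


def _hash(password: str, salt: bytes) -> bytes:
    # One salt per account lets old and new passwords be compared without
    # keeping any of them in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Account:
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current: bytes = b""
    history: list = field(default_factory=list)  # older hashes, newest first
    last_change: datetime = datetime.min
    failures: int = 0
    locked_until: datetime = datetime.min

    def set_password(self, new: str, now: datetime) -> str:
        """Enforce minimum age, complexity and history; return 'ok' or the reason for refusal."""
        if now - self.last_change < POLICY["min_age"]:
            return "too soon: minimum password age not met"
        if not is_complex(new):
            return "not complex enough"
        h = _hash(new, self.salt)
        if h == self.current or h in self.history:
            return "reused: password is in history"
        if self.current:
            self.history.insert(0, self.current)
            del self.history[POLICY["history_size"]:]  # forget the oldest entry
        self.current, self.last_change = h, now
        return "ok"

    def login(self, password: str, now: datetime) -> str:
        """Count failures and lock (not disable) the account at the threshold."""
        if now < self.locked_until:
            return "locked"
        if self.current and hmac.compare_digest(_hash(password, self.salt), self.current):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= POLICY["lockout_threshold"]:
            self.locked_until = now + POLICY["lockout_duration"]
            self.failures = 0
            return "locked"
        return "bad password"


def demo() -> list:
    """Walk one constructed account through the rules; returns the decisions in order."""
    acct, t0, out = Account(), datetime(2024, 1, 1, 9, 0), []
    out.append(acct.set_password("Winter2024!", t0))                           # ok
    out.append(acct.set_password("Spring2024!", t0 + timedelta(hours=2)))      # too soon
    out.append(acct.set_password("Spring2024!", t0 + timedelta(days=1)))       # ok
    out.append(acct.set_password("Winter2024!", t0 + timedelta(days=2)))       # reused
    out.append(acct.set_password("password", t0 + timedelta(days=2)))          # not complex
    for guess in ("x", "y", "z"):                                              # attacker guessing
        out.append(acct.login(guess, t0 + timedelta(days=3)))
    out.append(acct.login("Spring2024!", t0 + timedelta(days=3, minutes=1)))   # still locked
    out.append(acct.login("Spring2024!", t0 + timedelta(days=3, minutes=31)))  # lockout expired
    return out
```

The minimum-age check is what makes the history effective: without it, the fourth call in demo() could be preceded by 24 rapid changes that flush the old hash out of the list. The lockout resets the failure counter when it fires so that a single stray failure after the lockout expires does not lock the account again immediately.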
What type of factor authentication is a smart card?
A smart card with a PIN is multi-factor (two-factor) authentication: the card is something you have and the PIN is something you know. Inserting the card into the reader is simply how the card is presented; it is not a separate factor.
How many factors is it if you have a password, PIN, and date of birth?
A password, PIN, and date of birth are all factors that you know; therefore, it is single-factor.
What is biometric authentication?
Biometric authentication uses a physical characteristic of the user's body, or a behavioural trait such as their voice, to authenticate them; examples are the iris, retina, palm, and fingerprint.
What authentication method can be used by two separate organizations that participate in a joint venture?
Federated identity (federation services). Each organization keeps its own identity provider and trusts the assertions issued by the other, so users sign in with their home credentials. It commonly uses SAML, and the assertion carries attributes such as an employee's ID or email address.
Name an XML-based authentication protocol.
Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization assertions between an identity provider and a service provider; it is used with federated services.
What is Shibboleth?
Shibboleth is an open-source federated identity implementation built on SAML; it provides the identity provider and service provider software rather than defining a protocol of its own.
What protocol is used to query and modify Active Directory objects?
Lightweight Directory Access Protocol (LDAP). Active Directory stores its objects (users, printers, groups, computers) in an X.500-style hierarchical directory, and LDAP is the protocol used to search, read, and modify them. LDAP uses TCP port 389; LDAPS (LDAP over TLS) uses TCP port 636.
What is the format of a distinguished name for a user called Fred who works in the IT department for a company with a domain called Company A that is a dotcom?
A distinguished name in X.500 format lists the object's relative distinguished names from the most specific to the root, separated by commas: cn=Fred,ou=IT,dc=CompanyA,dc=com.
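Building and parsing a distinguished name like the one above, and building an LDAP search filter for the same user, with the escaping that both need. This is an added example written from RFC 4514 (DN syntax) and RFC 4515 (search filters), not code from the flashcards or from any LDAP library; the function names, the CompanyA.com domain and the sample values are assumptions. The filter escaping is the security-relevant part: a logon name taken from user input and pasted into a filter unescaped can rewrite the query (LDAP injection).

```python
# RFC 4514 (distinguished names) and RFC 4515 (search filters) escaping,
# written here from the RFCs as an illustration; not taken from any LDAP library.

DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)          # backslash-escape the special character
        elif ch == "\x00":
            out.append("\\00")             # NUL must use the hex form
        else:
            out.append(ch)
    return "".join(out)


def build_dn(cn: str, ou: str, domain: str) -> str:
    """Most specific RDN first, one dc= component per DNS label."""
    parts = [f"cn={escape_rdn_value(cn)}", f"ou={escape_rdn_value(ou)}"]
    parts += [f"dc={escape_rdn_value(label)}" for label in domain.split(".")]
    return ",".join(parts)


def parse_dn(dn: str) -> list:
    """Split a DN into (type, value) pairs, honouring backslash-char escapes.
    Simplified: the \\XX hex form of RFC 4514 is not decoded."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped character, taken literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))      # unescaped comma ends the RDN
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return [tuple(r.split("=", 1)) for r in rdns]


# Characters that change the meaning of a search filter (RFC 4515 section 3).
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(sam_account_name: str) -> str:
    """Look up one user by logon name without letting the name rewrite the filter."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"
```

With a hostile logon name such as fred)(objectClass=* the unescaped filter would become (&(objectClass=user)(sAMAccountName=fred)(objectClass=*)), which matches every object; user_filter() turns the parentheses and asterisk into \29, \28 and \2a so they are matched as literal characters instead. A common name containing a comma, such as Smith, Fred, is written cn=Smith\, Fred in the DN so the parser does not split it into two RDNs.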
What authentication protocol uses tickets, timestamps, and sequence numbers to prevent replay attacks?
Kerberos. It issues tickets that carry timestamps and lifetimes, and each request to a service includes an authenticator with a fresh timestamp (and optionally a sequence number); the service rejects an authenticator whose timestamp is outside the allowed clock skew or that it has already seen. Because Kerberos never sends the NTLM password hash during authentication, it also reduces exposure to pass-the-hash attacks, although the KDC still holds keys derived from each account's password in its database.
What is a Ticket Granting Ticket (TGT) session?
A Ticket-Granting Ticket (TGT) is what a user receives from the Key Distribution Center (KDC) after logging in to an Active Directory domain with Kerberos. The client then presents the TGT to the KDC's Ticket-Granting Service to obtain a service ticket for each resource it wants to use, so the password is not re-entered for every resource.
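A simplified model of the replay checks a Kerberized service applies when it receives an authenticator, as described in the two cards above. This is an added example, not MIT Kerberos or Windows code: real authenticators are encrypted under the ticket's session key and carry microsecond timestamps, and only the freshness, uniqueness and ordering checks are modelled here. The ReplayCache class, the five-minute skew (Kerberos's default maximum) and the constructed sequence in demo() are assumptions.

```python
from datetime import datetime, timedelta

CLOCK_SKEW = timedelta(minutes=5)  # Kerberos's default maximum clock skew


class ReplayCache:
    """Simplified model of a service's replay checks on an AP-REQ authenticator
    (added example, not MIT or Windows Kerberos code). Real authenticators are
    encrypted under the session key from the ticket; only the freshness,
    uniqueness and sequence-ordering checks are modelled here."""

    def __init__(self):
        self.seen = {}      # (client, timestamp) -> time the entry may be dropped
        self.last_seq = {}  # session -> last accepted sequence number

    def accept(self, client: str, session: str, ts: datetime, seq: int, now: datetime) -> str:
        # Expire entries older than the skew window: an authenticator that old would
        # fail the timestamp check anyway, so the cache stays bounded.
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        if abs(now - ts) > CLOCK_SKEW:
            return "rejected: clock skew too large"
        if (client, ts) in self.seen:
            return "rejected: replay"
        if seq <= self.last_seq.get(session, -1):
            return "rejected: sequence number not increasing"
        self.seen[(client, ts)] = now + CLOCK_SKEW
        self.last_seq[session] = seq
        return "accepted"


def demo() -> list:
    """Constructed sequence: a fresh authenticator, the same one replayed,
    a reused sequence number, a valid follow-up, and a stale timestamp."""
    cache = ReplayCache()
    now = datetime(2024, 1, 1, 12, 0, 0)
    ts = now - timedelta(seconds=10)  # client clock 10 s behind the server: within skew
    return [
        cache.accept("fred", "sess1", ts, 100, now),
        cache.accept("fred", "sess1", ts, 100, now + timedelta(seconds=30)),
        cache.accept("fred", "sess1", ts + timedelta(seconds=1), 100, now + timedelta(seconds=31)),
        cache.accept("fred", "sess1", ts + timedelta(seconds=2), 101, now + timedelta(seconds=32)),
        cache.accept("fred", "sess1", ts, 102, now + timedelta(minutes=6)),
    ]
```

The two checks work together: the skew window limits how long a captured authenticator stays usable, and the replay cache only has to remember entries for that window. An attacker who captures the first request and resends it 30 seconds later is caught by the cache; one who waits past the window is caught by the timestamp check instead.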
What is single sign-on? Give two examples.
Single sign-on is an authentication scheme in which a user enters their credentials once and then accesses different resources, such as email and files, without re-entering them. Examples are Kerberos and federation services.
How can you prevent a pass-the-hash attack?
Pass-the-hash attacks abuse NT LAN Manager (NTLM) authentication, where the password hash is all an attacker needs to authenticate as the user. The attack dates from older systems such as Windows NT 4.0, but it still works anywhere NTLM is still accepted. Prevent it by using Kerberos and disabling or restricting NTLM, and by keeping privileged credentials off machines where their hashes could be dumped.
Give an example of when you would use OpenID Connect.
You would use OpenID Connect to sign in to a device or portal with an existing account from an identity provider such as Facebook, Twitter, Google, or Microsoft (Hotmail/Outlook.com). The portal itself never sees or stores the password; the identity provider authenticates the user and returns an ID token the portal can verify.
Name two AAA servers and the ports associated with them.
RADIUS, an open standard, uses UDP port 1812 for authentication and authorization (older implementations use 1645). TACACS+, originally Cisco proprietary, uses TCP port 49 and separates authentication, authorization, and accounting. Diameter is the successor to RADIUS: it runs over TCP or SCTP on port 3868 and supports EAP.
What is used for accounting in an AAA server?
Accounting records when someone logs in and out and for how long, which can be used for billing. Accounting information is normally written to a SQL database. RADIUS accounting uses a separate UDP port, 1813 (older implementations use 1646).
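What a RADIUS accounting record on UDP 1813 actually looks like, and how the server checks that it came from a NAS holding the shared secret before writing it to the database. This is an added example built from RFC 2866 (the Request Authenticator is MD5 over the header, 16 zero octets, the attributes and the secret); it is not code from the flashcards or from any RADIUS server. The attribute subset, the helper names, the shared secret and the constructed Stop record in demo() are assumptions, and the record is sample data, not a real capture.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST = 4  # RFC 2866 Accounting-Request (UDP 1813)
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 40: "Acct-Status-Type",
              44: "Acct-Session-Id", 46: "Acct-Session-Time"}
STATUS_TYPES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def tlv(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including these two octets), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_acct_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """NAS side. Request Authenticator = MD5(Code | ID | Length | 16 zero octets | attrs | secret)."""
    head = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(head + bytes(16) + attrs + secret).digest()
    return head + authenticator + attrs


def parse_attrs(raw: bytes) -> dict:
    out, i = {}, 0
    while i < len(raw):
        if i + 2 > len(raw):
            raise ValueError("truncated attribute header")
        t, length = raw[i], raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("malformed attribute length")
        value = raw[i + 2:i + length]
        if t in (40, 46):                      # 32-bit integers
            value = struct.unpack("!I", value)[0]
            if t == 40:
                value = STATUS_TYPES.get(value, value)
        elif t == 4:                           # IPv4 address
            value = ".".join(str(b) for b in value)
        else:                                  # text
            value = value.decode("utf-8", "replace")
        out[ATTR_NAMES.get(t, f"Attr-{t}")] = value
        i += length
    return out


def verify_acct_request(pkt: bytes, secret: bytes) -> dict:
    """Server side: parse an Accounting-Request only after its authenticator checks out."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Accounting-Request")
    expected = hashlib.md5(pkt[:4] + bytes(16) + pkt[20:] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("bad Request Authenticator: wrong secret or tampered packet")
    return parse_attrs(pkt[20:])


def demo() -> dict:
    """Constructed Stop record for a one-hour session (sample data, not a real capture)."""
    secret = b"s3cret"
    attrs = (tlv(1, b"fred") + tlv(4, bytes([10, 0, 0, 1])) + tlv(40, struct.pack("!I", 2))
             + tlv(44, b"0001") + tlv(46, struct.pack("!I", 3600)))
    pkt = build_acct_request(7, attrs, secret)
    result = {"verified": verify_acct_request(pkt, secret)}
    try:
        verify_acct_request(pkt, b"wrong")
        result["wrong_secret_rejected"] = False
    except ValueError:
        result["wrong_secret_rejected"] = True
    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01                       # change Acct-Session-Time by one second
    try:
        verify_acct_request(bytes(tampered), secret)
        result["tamper_rejected"] = False
    except ValueError:
        result["tamper_rejected"] = True
    return result
```

The authenticator is what stops anyone on the network from injecting or editing billing records: changing a single byte of Acct-Session-Time, or sending from a NAS that does not know the secret, fails the check before the record is parsed. It is an MD5 construction from the 1990s, so the secret should be long and random and accounting traffic should still be carried over a protected network.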
What is the purpose of a VPN solution?
A VPN creates an encrypted tunnel between a remote user or site and the corporate network (or vice versa) across an untrusted network such as the internet. L2TP provides the tunnel but no encryption of its own, so it is paired with IPsec (L2TP/IPsec) to protect the traffic.
Why should you never use PAP authentication?
PAP sends the password in clear text, so anyone capturing the traffic with a packet sniffer can read it directly.
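The card above made concrete: the PPP PAP Authenticate-Request (RFC 1334) and, for contrast, the CHAP challenge/response exchange (RFC 1994), both encoded as they appear on the wire, with a check of what a passive sniffer can recover from each. This is an added example, not code from the flashcards or from any PPP implementation; the function names, the peer name, the secret and the fixed challenge bytes are constructed for the demo (real CHAP uses a random challenge).

```python
import hashlib
import hmac
import struct


# PPP PAP (RFC 1334) Authenticate-Request: Code 1, ID, Length, Peer-ID-Length,
# Peer-ID, Passwd-Length, Password. The password travels exactly as typed.
def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    body = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


# PPP CHAP (RFC 1994): the authenticator sends a random Challenge (Code 1) and the
# peer answers with a Response (Code 2) carrying MD5(ID | secret | challenge).
def chap_challenge(ident: int, challenge: bytes, name: bytes) -> bytes:
    body = bytes([len(challenge)]) + challenge + name
    return struct.pack("!BBH", 1, ident, 4 + len(body)) + body


def chap_response(ident: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    digest = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    body = bytes([len(digest)]) + digest + name
    return struct.pack("!BBH", 2, ident, 4 + len(body)) + body


def chap_verify(response: bytes, secret: bytes, challenge: bytes) -> bool:
    """Authenticator side: recompute the digest from the ID in the packet and compare."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != 2 or length != len(response):
        return False
    value_len = response[4]
    got = response[5:5 + value_len]
    want = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    return hmac.compare_digest(got, want)


def sniffer_sees_secret(packet: bytes, secret: bytes) -> bool:
    """What a passive capture on the link learns: is the secret literally in the frame?"""
    return secret in packet


def demo() -> dict:
    secret = b"Winter2024!"
    pap = pap_authenticate_request(1, b"fred", secret)
    challenge = b"\x1a\x2b\x3c\x4d\x5e\x6f\x70\x81"  # constructed; real CHAP uses random bytes
    chap_c = chap_challenge(9, challenge, b"vpn-gw")
    chap_r = chap_response(9, secret, challenge, b"fred")
    return {
        "pap_leaks_secret": sniffer_sees_secret(pap, secret),
        "chap_leaks_secret": sniffer_sees_secret(chap_c + chap_r, secret),
        "chap_verifies": chap_verify(chap_r, secret, challenge),
        "chap_rejects_wrong_secret": chap_verify(chap_r, b"Spring2024!", challenge),
    }
```

CHAP keeps the secret off the wire, but a captured challenge and response still let an attacker test password guesses offline against the MD5 digest, so it is an improvement over PAP rather than a strong method.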