Chapter 3: Identity and Access Management

Question 1

-identify: each person needs some form of identification so they can prove who they are.

-authentication: the second part after proving identity is to provide authentication for that identity. Example—smart card—PIN

-authorization: once the individual has been authenticated they are given access level based on their job.

-accounting: RADIUS/DIAMETER/TACACS+

Answer 1

Identity and Access Management (IAM)

Question 2

Username/Attribute/Smart Card/Certificates/Token/SSH Keys

Answer 2

Identity Types

Question 3

a credit card token with a certificate embedded on a chip; it is used in conjunction with a PIN

Answer 3

Smart Card

Question 4

this is a digital token that can either be a SAML token for federation services or a token used by Open Authentication (OAuth)

Answer 4

Token

Question 5

requires time synchronization because the password needs to be used in a very short period, normally between 30 and 60 seconds.
Example—gives you a code to use within 30 seconds
-type of authentication
-It is commonly used by online services, banks, and websites that need to protect sensitive user accounts from unauthorized access.

Answer 5

Time-Based One-Time Password (TOTP)

Question 6

is similar to TOTP in that a one time password is issued. The main distinguishing factor is that there is no restriction in terms of time, but you can only use this password once.
-type of authentication
–It is commonly used in hardware tokens or offline authentication methods where devices cannot synchronize with a time server.

Answer 6

HMAC-Based One Time Password (HOTP)

Question 7

are used by the government and military personnel. They are similar to smart cards. On the front side, a CAC is a picture of the user with their service, and the reverse shows their blood group and their Geneva Convention Category.

Answer 7

Common Access Card (CAC)

Question 8

this is very similar to the CAC but is used by federal agencies rather than the military.

Answer 8

Personal Identify Verification (PIV)

Question 9

uses Ticket Granting Ticket (TGT) session that results in a service ticket that can be exchanged for a session ticket to give access to servers such as an Exchange Server.

Answer 9

Kerberos

Question 10

can be a removable device that can be attached to a computer or server via a USB connection. They are used to store encryption keys, a key escrow that holds the private keys for third parties and stores them in an HSM.

Answer 10

Hardware Security Module (HSM)

Question 11

this is normally used by banks, financial institutions, or email providers to identify someone when they want a password reset. There are two types of KBA, dynamic and static, and they have their strengths and weaknesses.

Answer 11

Knowledge Based Authentication (KBA)

Question 12

these are questions that are common to the user. For example “what is the name of your first school”

Answer 12

Static KBA

Question 13

these are deemed to be more secure because they do not consist of questions provided beforehand. Example—a bank wants to confirm the identity of a customer and they ask the customer to name three direct debit mandates, the date, and amount paid.

Answer 13

Dynamic KBA

Question 14

authentication framework allowing point to point connections. These are commonly used with wireless connection.

Answer 14

Extensible Authentication Protocol (EAP)

Question 15

is a version of EAP that encapsulates data I the TLS tunnel, ensuring it is secure for WLANS. PEAP only needs a certificate installed on the server.

Answer 15

Protected Extensible Authentication Protocol (PEAP)

Question 16

Flexible Authentication Secure Tunneling, developed by CISCO, does not use certificates but protected access credentials instead. It is used in wireless networks.

Answer 16

EAP-FAST

Question 17

need X509 certificates installed on endpoints for authentication

Answer 17

EAP TLS

Question 18

needs the certificates installed on the server. It creates a tunnel for the users credentials to travel through

Answer 18

EAP TTLS

Question 19

where you have a parent domain and maybe one or more child domains, called trees.

Answer 19

Transitive Trust

Question 20

Third Party to Third Party Authentication; can use cookies for authentication

Answer 20

Federation Services

Question 21

are extended attributes used by their directory services.
–authentication using extended attributes can only be federation services—cookies used for authentication would also be federation services

Answer 21

User Extended Attributes

Question 22

open source federation service product that uses SAML authentication; it would be used in a small federation services environment; can use cookies.

Answer 22

Shibboleth

Question 23

when an IdP provides a mechanism that can prove the identity of a user.
-when using Oauth a token is provided
-when using Kerberos a ticket is provided
-when using federation services provides a cookie
-certifciate based provides a key

Answer 23

Attestation

Question 24

is used in a domain environment; this is where someone logs in to the domain and then can access several resources such as the file or email server, without needing to input their credentials again.
-Federation services and Kerberos are both good examples of SSO

Answer 24

Single Sign On (SSO)

Question 25

provides authorization to enable third party applications to obtain limited access to a web service

Answer 25

OAuth 2.0

Question 26

uses OAuth to allow users to log in to a web application without needing to manage the users account; it allows users to authenticate using their facebook, google, or twitter accounts

Answer 26

OpenID Connect

Question 27

uses individual’s characteristics, for example, using a fingerprint.
-Fingerprint scanner
-Retina Scanner
-Iris Scanner
-Voice Recognition
-Facial Regonition
-Vein
-Gait analysis

Answer 27

Biometrics

Question 28

accepts unauthorized users and allows them to gain access (type2 error)

Answer 28

False Acceptance Rate (FAR)

Question 29

when legitimate users who should gain access are rejected and cannot get in (type 1 error)

Answer 29

False Rejection Rate (FRR)

Question 30

This is where FRR and FAR are equal. You need a system with a low CER

Answer 30

Crossover Error Rate (CER)

Question 31

smart card with pin

Answer 31

Multi-Factor Authentication

Question 32

This would be a username, password, PIN, or date of birth;

Answer 32

Something You Know

Question 33

secure token, key fob, or card; hardware token is tamper-proof and sends a different Pin every 60 seconds

Answer 33

Something You Have

Question 34

biometric authentication; trait of an individual that is used for authentication; iris or retina, palm, vein, fingerprint reader or voice

Answer 34

Something You Are

Question 35

swiping a card, inserting your signature, or maybe the way you walk; dwell time, the speed that you type and how far in you press the keys

Answer 35

Something You Do

Question 36

Location you are in (authentication factor)

Answer 36

Somewhere You Are

Question 37

If I have a username, password, and PIN, then it is _____

Answer 37

single factor (came from all the same group–something you know)

Question 38

If you have a token and a password

Answer 38

Two-Factor

Question 39

This is where more than one factor; smart card (something you have)/inserting it into the reader(something you do)/then inserting the PIN (something you know)

Answer 39

Multifactor

Question 40

have a central database of devices that a person uses to login. If the system deems that the device cannot be approved, it will notify the user of the risky login. If it is not approved, then the user access will be blocked.
-when employee leaves the company the account should be disabled and password should be reset

Answer 40

Cloud Service Provider

Question 41

system is used for real-time monitoring and can be used to aggregate, decipher, and normalize non-standard log formats; it can also filter out false positives.

Answer 41

Security Information and Event Management (SIEM)