Chapter 3: Investigating Identity and Access Management

Question 1

This is the process of maintaining the log files that monitor when users login and log out.

Answer 1

Accounting

Question 2

This is an entity that can validate that the credentials that are present are valid. This identity could be a certificate, token, or details such as a username or password.

Answer 2

Identity Provider

Question 3

Username
Attribute
Smart Card
Certification
Token
SSH Keys

Answer 3

The following can be used when accessing a person’s identity as it needs to be unique to them:

Question 4

This can be digital that can either be a SAML used for federation services or a token used by Open Authentication (OAuth).

Answer 4

Token

Question 5

These are used by an administrator using a secure connection to the server. First of all, the public and private key pair is made. The public key is stored on a server, and the private key is stored on the admin’s desktop.

Answer 5

SSH Keys

Question 6

This identifier is linked to the account to grant access to the network in a Microsoft Active Directory environment. Once the account with this identifier is deleted, the identifier can never be used again and a new one will need to be created.

Answer 6

Security Identifier

Question 7

This type of account has no real access. This type of account cannot install software – they give users limited access to the computer systems. There are two type of this account– one for the local machine and one for the domain.

Answer 7

User Account

Question 8

This type of account is a legacy account that was designed to give limited access to a single computer without the need to create a user account. It is normally disabled because it can be seen as a security threat.

Answer 8

Guest Account

Question 9

This type of account is given to external speakers who need access to the internet while delivering their presentation.

Answer 9

Sponsored Guest Account

Question 10

TIP

A guest speaker should be allocated a sponsored guest account.

Answer 10

TIP

Question 11

This type of account has a much higher access to the system and tend to be used by members of the IT team. Administrators are an example of this type of account.

Answer 11

Privilege Account

Question 12

This type of account can install and manage the configuration of a server or a computer. This type of account has the privilege to create, delete, and manage user accounts. An Administrator should have two type of accounts – a user account for routine tasks, and then an admin account to carry out their admin duties.

Answer 12

Administrative Account

Question 13

When software is installed on a privilege computer or server, it will need a higher level of privilege to run the software, but at the same time, we need a lower-level admin account so this type of account fits the bill.

Answer 13

Service Account

Question 14

TIP

A service account is a type of administrator account used to run an application.

Answer 14

TIP

Question 15

This type of account is for when a group of people perform the same duties, such as members of customer services, they can use this type of account. If you are trying to monitor or audit individual employees, then you cannot use this type of account.

Answer 15

Shared Account

Question 16

This type of account are default admin accounts created by manufacturers for devices ranging from baby alarms to smart ovens and smart TVs. They all have default usernames and passwords. This becomes a problem for cybercrime because account credentials can be searched online easily, so it is advised to change the username and password associated with those default accounts.

Answer 16

Generic Accounts

Question 17

TIP

If you do not change the password and username for household devices, known as IOT, it is possible for a cybercriminal to hack your home.

Answer 17

TIP

Question 18

This type of token requires time synchronization, because the password needs to be used in a very short period of time, normally between 30 and 60 seconds. It could be used when you want to access secure cloud storage or your online bank account:

Answer 18

Time-Based One-Time Password (TOTP)

Question 19

This type of token is a one-time password. The main distinguishing factor is that there is no time limit.

Answer 19

HMAC-Based One-Time Password (HOTP)

Question 20

This is similar to a CAC, but it is used by federal agencies rather than the military.

Answer 20

Personal Identity Verification (PIV)

Question 21

This is a port-based authentication protocol that is used when a device is connected to a switch or when a user authenticates to a wireless access point. Authentication is normally done by a certificate.

Answer 21

1EEE 802.1x

Question 22

This location-based authentication can be used to block any attempt to login outside of the locations that have been determined as allowed regions. Geolocation can track your location by your IP address and the ISP that you are using.

Answer 22

Context-Aware Location

Question 23

This location-based authentication can be used to identify where your phone is located by using Global Positioning System (GPS).

Answer 23

Smart Phone Location Services

Question 24

This location-based authentication is a security feature used by cloud providers such as Microsoft with their Office 365 package to prevent fraud. If someone logs in from Toronto and thirty minutes later log into the service from Las Vegas, their login attempt will be blocked.

Answer 24

Impossible Travel Time

Question 25

This location-based authentication is also used by cloud providers where they have a database of the devices used by each user. An email will be sent when the system cannot identify the device used to log in.

Answer 25

Risky Login

Question 26

This is an additional layer of security where the user is authenticated and a SMS message is sent to the user’s phone. They then insert the code that was sent via message and are authenticated; this is has a time limit.

Answer 26

SMS Authentication

Question 27

This technology authentication method can vary from a hardware that has received a one-time password to the fob or card used to gain access to a building via a card reader.

Answer 27

Token Key

Question 28

An email is sent to the user when access to their systems has been received by an unusual device; for example, if I access Dropbox from a friend’s laptop.

Answer 28

Push Notification

Question 29

This authentication technology method will trigger a phone when someone has accessed a system.

Answer 29

Phone Call

Question 30

This authentication technology method is an internet standard where the server signs a token with its private key and sends it to a user to prove who they are. It can also be used to digitally sign documents and email. It is used by Open Authentication (OAuth).

Answer 30

JavaScript Object Notation Web Token (JWT)

Question 31

These codes change after a period of time, like a PIN for a smart card. These are commonly used by broadband engineers.

Answer 31

Static Codes

Question 32

This could be using Kerberos, who completes a Ticket Granting Ticket session that results in a ticket that can be exchanged to give access to applications. It could also be used for certificate-based authentication or, in the case of the cloud, use conditional access to gain access to applications.

Answer 32

Authentication Applications

Question 33

This looks like a USB device and works in conjunction with your password to provide multifactor authentication. An example would be YubiKey.

Answer 33

Password Keys

Question 34

These chips are normally built into motherboards of a computer and they become useful when you are using Full Disk Encryption (FDE).

Answer 34

Trusted Platform Module (TPM)

Question 35

This is normally used by financial institutions, banks, or email providers to identify someone when they want a password reset.

Two different type of this authentication management:

• Static KBA
• Dynamic KBA

Answer 35

Knowledge-Based Authentication (KBA)

Question 36

These are questions that are common to the user. For example: “ What is the name of your first school?” These are pretty weak.

Answer 36

Static KBA

Question 37

These are deemed to be more secure because they do not consist of questions provided beforehand.

Answer 37

Dynamic KBA

Question 38

This is an authentication framework allowing point-to-point connections. These are commonly used with wireless communication.

Answer 38

Extensible Authentication Protocol (EAP)

Question 39

This is a version of EAP that encapsulated the EAP data and made it more secure for WLANS.

Answer 39

Protected Extensible Authentication Protocol (PEAP)

Question 40

This form of EAP was developed by Cisco. It does not use certificates, but protected access credentials instead. It is used in wireless networks.

Answer 40

EAP-FAST (Flexible Authentication via Secure Tunneling)

Question 41

This form of EAP needs X509 certificates installed on endpoints for authentication.

Answer 41

EAP-TLS

Question 42

This form of EAP needs the certificates to be installed on the server. It creates a tunnel for the users’ credentials to travel through.

Answer 42

EAP-TTLS

Question 43

This server is UDP-based and it authenticates servers such as VPN servers, Remote Access Servers (RAS) servers, and 802.1x authenticating switch. This server could be used to check any remote access policies and verify that authentication was allowed by contacting the domain controller.

Answer 43

RADIUS Server

Question 44

These clients could be VPN servers, RAS servers, and the 802.1x authentication switch. Each of these clients needs a private key that is sometimes known as the session key or shared secret to join the RADIUS environment.

RADIUS authentication uses UDP port 1812

RADIUS accounting uses UDP port 1813

Answer 44

RADIUS Clients

Question 45

This is a more modern version of RADIUS that works on TCP.

Diameter is the AAA server that uses EAP.

Answer 45

Diameter

Question 46

This is the Cisco AAA server that uses TCP, and uses TCP port 49 for authentication.

Answer 46

TACACS+

Question 47

Allows someone working remotely, either from a hotel room or home, to connect securely through the internet to the corporate network.

Answer 47

Virtual Private Network (VPN)

Question 48

This is a legacy protocol that pre-dated the VPN. This client used modems and a dial-up network using telephone lines. It was very restricted in speed.

Answer 48

Remote Access Services (RAS)

Question 49

There are numerous methods of authentication used by VPN or RAS:

• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
• MS CHAP/MSCHAP version 2

Answer 49

Authentication for VPN/RAS

Question 50

This authentication method for a VPN or RAS should be avoided at all costs as the passwords are transmitted as clear text and can easily captured.

Answer 50

Password Authentication Protocol (PAP)

Question 51

This authentication method for a RAS server is done with a four-stage process:

1. Client makes connection request to RAS
2. RAS replies with challenge that is a random string.
3. Client uses password as encryption key to encrypt challenge.
4. RAS encrypts the original challenge with a password stored for the user. If both values match, the client logs in.

Answer 51

Challenge Handshake Authentication Protocol (CHAP)

Question 52

This is Microsoft’s version of MS CHAP. This is the newer version of MS CHAP and can be sued by both VPN and RAS.

Answer 52

MS CHAP/MSCHAP version 2

Question 53

This is a solution that helps protect the privilege accounts within a domain, preventing attacks such as pass the hash, pass the ticket, and privilege escalation. This gives visibility in terms of who is using privilege accounts and what tasks they are being used for.

Answer 53

Privilege Access Management (PAM)

Question 54

This is a remote forest that has a very high level of security.

Answer 54

bastion forest

Question 55

Gives the admin just enough privileges to carry out a certain task.

Answer 55

Just Enough Administration (JEA)

Question 56

Manages the users in groups. These store objects such as users and computers as x500 objects. These objects form what is called a distinguished name and are organized and stored by the _____. It is comprised of three different objects, DC (Domain), Organization Unit (OU), and CN(anything else). ____ is the active directory storeman responsible for storing the X500 objects.

Answer 56

Lightweight Directory Access Protocol(LDAP)

Question 57

This is the Microsoft authentication protocol introduced with the release of Windows Server 2000. It is the only authentication protocol that uses tickets, Updated Sequence Numbers, and is time stamped. If ____ authentication fails, this is normally down to the user’s computer or device clock being out of sync with the domain controller by 5 minutes or more.

Answer 57

Kerberos

Question 58

This is the process for Kerberos for obtaining your service tickets. This is where the user sends their credentials to a domain controller that starts the authentication process and, when it has been confirmed, it will send back a service ticket that has a 10 hour lifespan.

Answer 58

Ticket Granting Ticket (TGT)

Question 59

This can be placed on your LAN to keep the domain computers and servers in sync with each other.

Answer 59

Network Time Protocol (NTP)

Question 60

This is used to prove who the user is. It exchanges their service ticket for a session ticket. The server then allows them access to the resources.

Answer 60

Service Ticket

Question 61

This provides a single sign-on as the user needs to log in only once. It then uses the service ticket to prove who they are, and a session ticket is returned

Answer 61

Single Sign-On/Mutual Authentication

Question 62

This is a legacy authentication protocol that stores passwords using the MD4 hash that is very easy to crack. It is susceptible to the pass-the-hash attack. Kerberos prevents the pass-the-hash attack as it uses an encrypted database.

Answer 62

NT Lan Manager (NTLM)

Question 63

This is where you have a parent domain and maybe one or more child domains that trust one another so long as the conditions allow it: these are called trees. For example, between the parent domain and each child domain is a two-way transitive trust, where resources can be shared two ways. Since the parent domain trusts both child A and Child B, it can be said that Child A and Child B transitively trust each other as long as admin for each allow it.

Answer 63

Transitive trust

Question 64

A term used for a domain; it could be a parent or a child domain.

Answer 64

trees

Question 65

TIP

You need to remember that Kerberos is the only authentication protocol that uses tickets. It also prevents replay attacks as it uses USN numbers and timestamps. It can also prevent pass-the-hash attacks.

Answer 65

TIP

Question 66

TIP

When the exam mentions a third-party authentication, this can only mean federation services. Federation services require cookies to be enabled.

Answer 66

TIP

Question 67

This kind of service is used when two different companies want to authenticate between each other when they participate in a joint venture. The companies don’t want to merge but rather keep their identity and have their own management in place. These are known as third-parties. Each company has their own directory database and normally only has access to their respective domain, but with this type of trust, they can use each others’ domains as long as they have alternative credentials.

Answer 67

Federation Services

Question 68

These are extended attributes used by their directory services. They are, in addition to the basic attributes, comprising of the following:

Employee ID
Email Address

Answer 68

User-Extended Attributes

Question 69

it is a XML-based authentication, which is used to pass the extended attribute credentials between company A and Company B in a federation service setup.

Answer 69

Security Assertion Mark-up Language (SAML)

Question 70

Mr. Red from Company A wants access to limited resources from Company B so he contacts them through a web browser and Company B asks him for his Employee ID and password.

Company B now uses the SAML to pass authentication details of Mr. Red to Company A. Mr. Red’s domain controller confirms that they are correct then Company B sends out a certificate to Mr. Red’s laptop. This certificate is used next time for authentication. They could alternatively use cookies.

Answer 70

Federation Services - Authentication and Federation Services - Exchange of Extended Attributes

Question 71

TIP

When the exams mentions authentication using extended attributes, this can only mean federation services. Cookies used for authentication would also be federation services.

Answer 71

TIP

Question 72

This is an open source federation service product that uses SAML authentication. It would be used for small federation service environment. This can also use cookies alternatively.

Answer 72

Shibboleth

Question 73

This is used in a domain environment. This is where someone logs into the domain and then can access several resources. such as the file or email server, without needing to input their credentials again. Federation services and Kerberos is a good example of ____.

Answer 73

Single Sign-on (SSO)

Question 74

Provides authorization to enable third-party applications to obtain limited access to a web service.

Answer 74

OAuth 2.0

Question 75

This open authentication method uses OAuth to allow users to log in to a web application without needing to manage the user’s account. It allows users to authenticate by using their google, Facebook, or Twitter account.

Answer 75

Open ID Connect

Question 76

• Fingerprint Scanner
• Retina Scanner
• Iris Scanner
• Voice Recognition
• Facial Recognition
• Vein
• Gait Analysis

Answer 76

Authorization via Biometrics

Question 77

Released with Windows 10, it uses an infrared camera making it better than regular cameras as they can have trouble with lighting.

Answer 77

Windows Hello

Question 78

It accepts unauthorized users and allows them to gain access. This is known as a Type ll error. Unauthorized users are allowed; look for the middle letter as an A.

Answer 78

False Acceptance Rate (FAR)

Question 79

It is where legitimate users who should gain access are rejected and cannot get in. This is known as a Type l error. Authorized users are rejected; look for the middle letter as an R.

Answer 79

False Rejection Rate (FRR)

Question 80

TIP

When looking at FAR or FRR, remember to look at the middle letter. Authorized users are rejected, the middle letter in FRR is R for reject. Unauthorized users are allowed so we look for the middle letter being A therefore we get FAR. Remember Authorized that starts with A does not belong to FAR that has an A as the middle letter. A does not select A.

Answer 80

Tip

Question 81

This is where the FAR and FRR are equal. If you are going to purchase a biometric system, you need a system that has a low CER.

Answer 81

Crossover Error Rate (CER)

Question 82

With a biometric system, you would want one with a low efficacy rate. This can be measured by looking at the CER point. You need a device with a low efficacy rate and a CER of less than 5%.

Answer 82

Efficacy Rates

Question 83

Could be more than two different factors; it just means multiple factors.

Answer 83

Multi-Factor Authentication

Question 84

This would be username, PIN, or your dare of birth;

Answer 84

Something You Know

Question 85

Biometric authentication

Answer 85

Something You Are

Question 86

Things like swiping a card, inserting your signature, or your gait.

Answer 86

Something You Do

Question 87

The location you are in.

Answer 87

Somewhere You Are

Question 88

Security Token, key fob, Date of birth.

Answer 88

Something You Have

Question 89

This is made easy by the use of proximity cards, while guards on reception can also control access to the company. We can apply multi-factor authentication by using smart card authentication.

Answer 89

On-Premises Authentication

Question 90

This method should adopt a zero-trust model, where every connection is deemed to be a hacker as we cannot see who is logging. We could then use conditional statements to prove who is the person logging in, by using if-then statements. The three areas of conditional access are Signal, Decision, and Enforcement.

Answer 90

In The Cloud Authentication

Question 91

This could be user or group, location, device, calculated risk, and the application that needs to be accessed.

Answer 91

Signal

Question 92

This could range from allow to block, or require multifactor authentication (MFA).

Answer 92

Decision

Question 93

Access to the application that has been approved.

Answer 93

Enforcement

Question 94

These providers have a central database of the devices that a person uses to log in. If the system deems that the device cannot be approved, it will notify user of a risky login. If that is not approved, the user will be denied.

Answer 94

Cloud Service Providers (CSPs)

Question 95

TIP

In the Sec+ exam, when people move department, they are given new accounts and the old account remains active until it has been disabled.

Answer 95

TIP

Question 96

Employing Leaving

Extended Absence Period

Guest Account

Answer 96

Reasons for Disabling an Account

Question 97

Process where an auditor will review all the user accounts. If auditor finds anything wrong, they will report their findings to management. They are the snitch.

Answer 97

Account Recertification

Question 98

Ensuring that account are created in accordance with the standard naming convention, disabled when the employee initially leaves, and then deleted after a certain time period has been reached.

Answer 98

Account Maintenance

Question 99

If you want to know immediately when there is a change to a user account, such as it being given higher privileges, then you need active account monitoring or you need to set up a SIEM system.

Answer 99

TIP

Question 100

This system is used for real-time monitoring and can be used to aggregate, decipher, and normalize non-standard log formats; The only time this system will not provide the correct information is when the wrong filters are used or where we scan the wrong host

Answer 100

Security Information and Event Management

Question 101

• Account Management
• Account Expiry
• Time and Day Restriction
• Account Lockout

Answer 101

SEIM Filters

Question 102

TIP

If a time restriction is to be placed on a group of contractors, RBAC will be used. Time and day restrictions can only be used for individuals.

Answer 102

TIP

Question 103

TIP

If group-based access is used in the exam question, then the solution will be a group-based access solution.

Answer 103

TIP

Question 104

Enforce Password History

Password Reuse

Maximum Password Age

Minimum Password Age

Complex Passwords

Store Passwords Using Reversible Encryption (Disable when you can)

Account Lockout - Threshold

Account lockout - Duration

Answer 104

Passwords - Group Policy Configurations