Chapter 3: Investigating Identity and Access Management Flashcards
This is the process of maintaining the log files that monitor when users log in and log out.
Accounting
This is an entity that can validate that the credentials presented to it are valid. The identity could be a certificate, a token, or details such as a username and password.
Identity Provider
The following can be used when assessing a person’s identity, as each needs to be unique to them:
Username, Attribute, Smart Card, Certification, Token, SSH Keys
This can be a digital credential: either a SAML token used for federation services or a token used by Open Authentication (OAuth).
Token
These are used by an administrator to make a secure connection to a server. First, the public and private key pair is generated. The public key is stored on the server, and the private key is stored on the admin’s desktop.
SSH Keys
This identifier is linked to the account to grant access to the network in a Microsoft Active Directory environment. Once the account with this identifier is deleted, the identifier can never be used again and a new one will need to be created.
Security Identifier
This type of account has no real access. It cannot install software; it gives users limited access to the computer systems. There are two types of this account: one for the local machine and one for the domain.
User Account
This type of account is a legacy account that was designed to give limited access to a single computer without the need to create a user account. It is normally disabled because it can be seen as a security threat.
Guest Account
This type of account is given to external speakers who need access to the internet while delivering their presentation.
Sponsored Guest Account
TIP: A guest speaker should be allocated a sponsored guest account.
This type of account has much higher access to the system and tends to be used by members of the IT team. Administrators are an example of this type of account.
Privilege Account
This type of account can install and manage the configuration of a server or a computer. It has the privilege to create, delete, and manage user accounts. An administrator should have two types of account: a user account for routine tasks and an admin account to carry out their admin duties.
Administrative Account
When software is installed on a privileged computer or server, it needs a higher level of privilege to run, but at the same time we want a lower-level admin account rather than a full administrator account, so this type of account fits the bill.
Service Account
TIP: A service account is a type of administrator account used to run an application.
This type of account is used when a group of people perform the same duties, such as members of customer services. If you are trying to monitor or audit individual employees, then you cannot use this type of account.
Shared Account
These are the default admin accounts created by manufacturers for devices ranging from baby alarms to smart ovens and smart TVs. They all have default usernames and passwords. This is a problem because the default credentials can easily be found online, so it is advised to change the username and password of those default accounts.
Generic Accounts
TIP: If you do not change the password and username for household devices, known as IoT devices, it is possible for a cybercriminal to hack your home.
This type of token requires time synchronization, because the password must be used within a very short period, normally between 30 and 60 seconds. It could be used when you want to access secure cloud storage or your online bank account.
Time-Based One-Time Password (TOTP)
This type of token is a one-time password. The main distinguishing factor is that there is no time limit.
HMAC-Based One-Time Password (HOTP)
This is similar to a CAC, but it is used by federal agencies rather than the military.
Personal Identity Verification (PIV)
This is a port-based authentication protocol that is used when a device is connected to a switch or when a user authenticates to a wireless access point. Authentication is normally done by a certificate.
IEEE 802.1x
This location-based authentication can be used to block any attempt to log in from outside the locations that have been defined as allowed regions. Geolocation can track your location by your IP address and the ISP that you are using.
Context-Aware Location
This location-based authentication can be used to identify where your phone is located by using Global Positioning System (GPS).
Smart Phone Location Services
This location-based authentication is a security feature used by cloud providers such as Microsoft with their Office 365 package to prevent fraud. If someone logs in from Toronto and thirty minutes later logs into the service from Las Vegas, their login attempt will be blocked.
Impossible Travel Time
This location-based authentication is also used by cloud providers where they have a database of the devices used by each user. An email will be sent when the system cannot identify the device used to log in.
Risky Login
This is an additional layer of security where the user is authenticated and an SMS message is sent to the user’s phone. They then enter the code that was sent in the message and are authenticated; the code has a time limit.
SMS Authentication
This authentication technology method can vary from a hardware device that receives a one-time password to the fob or card used to gain access to a building via a card reader.
Token Key
An email is sent to the user when their system has been accessed from an unusual device; for example, if I access Dropbox from a friend’s laptop.
Push Notification
This authentication technology method will trigger a call to the user’s phone when someone has accessed a system.
Phone Call
This authentication technology method is an internet standard where the server signs a token with its private key and sends it to a user to prove who they are. It can also be used to digitally sign documents and email. It is used by Open Authentication (OAuth).
JavaScript Object Notation Web Token (JWT)
These codes change after a period of time, like a PIN for a smart card. These are commonly used by broadband engineers.
Static Codes
This could be Kerberos, which completes a Ticket Granting Ticket session that results in a ticket that can be exchanged for access to applications. It could also use certificate-based authentication or, in the case of the cloud, conditional access to gain access to applications.
Authentication Applications
This looks like a USB device and works in conjunction with your password to provide multifactor authentication. An example would be YubiKey.
Password Keys
These chips are normally built into the motherboards of computers, and they become useful when you are using Full Disk Encryption (FDE).
Trusted Platform Module (TPM)
This is normally used by financial institutions, banks, or email providers to identify someone when they want a password reset.
There are two different types of this authentication method:
- Static KBA
- Dynamic KBA
Knowledge-Based Authentication (KBA)
These are questions that are common to the user. For example: “What is the name of your first school?” These are pretty weak.
Static KBA
These are deemed to be more secure because they do not consist of questions provided beforehand.
Dynamic KBA
This is an authentication framework used over point-to-point connections. It is commonly used with wireless communication.
Extensible Authentication Protocol (EAP)
This is a version of EAP that encapsulates the EAP data and makes it more secure for WLANs.
Protected Extensible Authentication Protocol (PEAP)
This form of EAP was developed by Cisco. It does not use certificates, but protected access credentials instead. It is used in wireless networks.
EAP-FAST (Flexible Authentication via Secure Tunneling)
This form of EAP needs X.509 certificates installed on endpoints for authentication.
EAP-TLS