Chapter 4 Flashcards
Identification
the process of verifying a user’s identity before they can access a system or network.
Authentication
The process of verifying a user’s identity before granting them access to a system or network.
Authorization
The process of determining whether a verified user has the necessary permissions to assess a specific resource or perform an action within a system.
Multifactor Authentication (MFA)
Using more than one factor of authentication
Factors
-Something you do - your signature
- Something you exhibit - typing speed
- Someone you know - certificate that’s coming from a server like VeriSign
- Somewhere you are - Physical location thing.
Identification and AAA
- Identification
- Authentication
- Authorization
- Accounting - auditing
Authorization
- Based on permissions granted
- Determines resource permissions
- targets that have permissions applied to them
- example: files, database rows, web app
- Can only occur after authentication
Accounting/auditing
Track permissions usage for accountability purposes.
Who or what accessed which resource, how long, on what date?
Accounting
often called auditing, tracking activity, must have separate user accounts for each user.
types of accounting
- Resource access
- Failed logon attempts
- Changes to files/database records
Authentication Methods
Password vaults
- Also called “password managers”
- Examples: LastPass, cloud-based vaults to store password keys
- A master key protects the vault - don’t forget it!
One-Time Password (OTP)
Unique password (code) generated for single us
- static code sent via e-mail or SMS text
Software notification methods (push notification)
- Phone call
- Short message service (SMS) text.
HMAC-based one-time password (HOTP)
HMAC encrypts a hash to ensure authenticity
Time-based OTP (TOTP)
- code is only valid for a short period of time.
Certificate-based Authentication
PKI certificates are issued by a trusted authority to an individual entity
- Device, VPN, app access
- Can be stored on a smart card
- Called a Personal Identity Verification (PIV) card
- Common access card (CAC) can authenticate to everything
SSH Public Key Authentication
Sign in with username and password (passphrase) as well as a private key.
Public key stored on server.
Private key stored on admin device
Biometrics
- Fingerprints
- Retina
- Iris
- Facial
- Voice
- Vein
- Gait analysis
Efficacy rates
- False acceptance
- False rejection
- Crossover error rate
Access Control Schemes
Credential Policies - Defines who gets access.
- Employees
- Contractors
- Devices
- Service accounts
- Administrator/root accounts
- Privileged Access Management (PAM)
Attribute-Based Access Control (ABAC)
uses attributes to determine permissions
- Example: date of birth or device type
