Chapter 4 Access Control, Authentication, Authorization

Question 1

What is Access Control?

131

Answer 1

the act of allowing only authorized users into a system, and keeping people you don’t want in out.

Question 2

Identification vs. Authentication

131

Answer 2

Identification is finding out who someone is. Authentication is proving it.

Question 3

5 different forms of authentication

131

Answer 3

Something you know: password or PIN
something you have: smart card or token
Something you are: biometrics
Something you do: an action you take to complete authentication
Somewhere you are: geolocation (not so likely anymore)

Question 4

Single-Factor Authentication

132

Answer 4

Just one form of authentication. Usually like a username and password.

Question 5

Multifactor Authentication

133

Answer 5

Whenever you use more than one method of authentication

Question 6

Layered Security and Defense In Depth

133

Answer 6

it essentially just means you should have more than one type of security present.

Question 7

Tokens

135

Answer 7

Authenticate the user. Essentially just a sliver of information that tells the computer who you are.

Question 8

Federations

135

Answer 8

A collection of networked computers that agree on communication standards
IM programs are an example of this

Question 9

Transitive Access

136

Answer 9

When A trusts B and B trusts C, A and C might implicitly trust each other. This is taken care of with transitive trusts.

Question 10

PAP

139

Answer 10

Password Authentication Protocol

-Legacy system that sends username and password to an authentication server in plain text.

Question 11

SPAP

139

Answer 11

Shiva PAP

• Main difference between this and PAP is that the username and password are encrypted
• It is less secure than CHAP and is susceptible to replay attacks.

Question 12

CHAP (139)

Answer 12

Challenge Handshake Authentication Protocol

• The connecting machine needs to generate a random number (usually a hash) and sends it to the server.
• The server will periodically ask for that number again, which prevents man-in-the-middle attacks.

Question 13

TOTP

139

Answer 13

Time-Based One Time Password

• Uses a time-based factor to create unique passwords.
• Google Authenticator is a good example

Question 14

HOTP

139

Answer 14

HMAC-Based OTP

-Uses Hash Message Authentication Code to authenticate

Question 15

Password Length and Complexity

account policy enforcement, page 139

Answer 15

On Windows, enabling password complexity requires:

• Cannot contain parts of username over 3 consecutive characters
• Must be at least eight characters long
• Must contain an element from 3 of the following
  
  • A-Z
  • a-z
  • 0-9
  • !$%

Question 16

Password Expiration

account policy enforcement, page 140

Answer 16

90 days is about standard, but Microsoft recommends 42 days. You should enable password history so they can’t just use the same password every time.

Question 17

RADIUS

145

Answer 17

Remote Authentication Dial-In User Service
-Allows authentication of remote and other network connections. It was originally intended for use with Dial-Up, but it is still being kept state-of-the-art
-If there’s only one RADIUS server on a network, if it goes down the whole network will.
More RADIUS servers means more stability

Question 18

TACACS

146

Answer 18

A good competitor for RADIUS. Cisco uses it as standard now. Unlike RADIUS, it combines Authentication and Authorization rather than separating them.

Question 19

SAML

147

Answer 19

an XML based authentication, generally used by service providers authenticating those who are accessing their information.

Question 20

Kerberos

148

Answer 20

Uses a Key Distribution Center (KDC) to authenticate the “principal” (user) and provides them with a ticket

• this ticket provides authentication.
• The weakness is the KDC going down

Question 21

Single Sign-On

149

Answer 21

Gives the authenticated user instant access to everything they need. Passwords are generally stored on a server, which poses a significant security risk.

Question 22

Mandatory Access Control (MAC)

151

Answer 22

High security and inflexible

Rights and privileges must be defined and, if need be, changed by the admin

Question 23

Discretionary Access Control (DAC)

151

Answer 23

A little more flexible

Allows users to share information with each other dynamically.

Question 24

Role-Based Access Control (RBAC)

152

Answer 24

Essentially just establishing group policy.

Question 25

Role-Based Access Control

152

Answer 25

You use the settings of the preconfigured security policy

Question 26

User Access Review

154

Answer 26

Periodically review your employees’ permissions to make sure they’re not getting too powerful

Question 27

Common Access Card (CAC)

155

Answer 27

Cards used by the DOD
-You have your picture, beneath which is a chip and a barcode, and on the back there’s a magnetic strip with another barcode

Question 28

Personal Identification Verification Card (PIV)

156

Answer 28

Will soon be the standard for all government workers and contractors