Chapter 4 Access Control, Authentication, Authorization Flashcards

1
Q

What is Access Control?

131

A

Allowing only authorized users (and processes) to reach a system or resource, and keeping everyone else out. It rests on three steps: identification, authentication and authorization.

2
Q

Identification vs. Authentication

131

A

Identification is claiming who you are (a username, an ID badge). Authentication is proving that claim (a password, token or biometric). Authorization, the third step, is what the proven identity is then allowed to do.

3
Q

5 different forms of authentication

131

A

Something you know: password or PIN
Something you have: smart card, hardware token or authenticator app
Something you are: biometrics (fingerprint, iris, face)
Something you do: behavioural traits such as typing rhythm or signature dynamics
Somewhere you are: location, e.g. IP geolocation or GPS; usually used as a supporting signal in risk-based or conditional access rather than as a factor on its own

4
Q

Single-Factor Authentication

132

A

Just one method from one category, usually a password. The username identifies you; it is not a factor.

5
Q

Multifactor Authentication

133

A

Using two or more methods from different categories, e.g. a password plus a hardware token. Two methods from the same category (a password and a PIN, or two passwords) is still single-factor.

6
Q

Layered Security and Defense In Depth

133

A

Having more than one independent control in place, so that an attacker who defeats one (the firewall, say) still has to get past the others (authentication, host hardening, monitoring). No single control is trusted to hold on its own.

7
Q

Tokens

135

A

Authenticate the user (something you have). A token is either a physical device or app that generates one-time codes, or a piece of data (a session cookie, a Kerberos ticket, a SAML assertion) that a system issues after a successful login and checks on later requests instead of asking for the password again.

8
Q

Federations

135

A

A group of organizations or networks that agree on common standards (security, identity, communication) so that a user authenticated by one member can be trusted by the others (federated identity).
The textbook's example is IM programs that interoperate across providers.

9
Q

Transitive Access

136

A

When A trusts B and B trusts C, A may end up trusting C without anyone configuring it; that is a transitive trust. The risk (transitive access) is that a user in C reaches A's resources by way of B, so trust relationships should be audited and made non-transitive wherever that path is not wanted.
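The audit described above, as an added example that is not part of the flashcards: given the trusts an administrator configured directly, compute the ones that exist only through transitivity and the set of domains a user from any one domain can actually reach. The domain names are constructed, and the direction assumed is the Windows one (if A trusts B, principals from B can access resources in A).

```python
# Added example, not from the flashcards: enumerating trusts that exist only through
# transitivity so they can be reviewed. Domain names are constructed; the assumed
# semantics are "A trusts B" = users from B may access resources in A.


def transitive_trusts(direct):
    """For each domain, every domain it ends up trusting (transitive closure of the graph).
    `direct` maps a trusting domain to the set of domains it trusts directly."""
    closure = {}
    for domain in direct:
        seen, stack = set(), list(direct[domain])
        while stack:
            other = stack.pop()
            if other in seen:
                continue
            seen.add(other)
            stack.extend(direct.get(other, ()))
        closure[domain] = seen
    return closure


def implicit_trusts(direct):
    """Trusts nobody configured explicitly: the ones transitive access creates."""
    closure = transitive_trusts(direct)
    return {d: closure[d] - direct[d] for d in direct}


def domains_reachable_by(direct, user_domain):
    """Every domain whose resources a user from `user_domain` can reach, i.e. every domain
    that trusts `user_domain` directly or through a chain."""
    closure = transitive_trusts(direct)
    return {d for d, trusted in closure.items() if user_domain in trusted}


# Constructed trust graph: A trusts B, B trusts C, D trusts A. Nobody wrote "A trusts C".
DIRECT = {"A": {"B"}, "B": {"C"}, "C": set(), "D": {"A"}}

if __name__ == "__main__":
    for domain, extra in implicit_trusts(DIRECT).items():
        if extra:
            print(domain, "implicitly trusts", sorted(extra))
    print("a user from C can reach:", sorted(domains_reachable_by(DIRECT, "C")))
```

In Active Directory the trusts inside a forest (parent-child, tree-root, forest trusts) are transitive by default, while external trusts are not, so the implicit set is where the surprises live.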

10
Q

PAP

139

A

Password Authentication Protocol

-Legacy protocol that sends the username and password to the authentication server in plaintext, so anyone on the path can read and reuse them.

11
Q

SPAP

139

A

Shiva Password Authentication Protocol

  • Main difference from PAP is that the password is encrypted (reversibly) before it is sent.
  • Still less secure than CHAP and susceptible to replay attacks: the encrypted value is the same every login, so an attacker who captures it can simply resend it.
12
Q

CHAP (139)

A

Challenge Handshake Authentication Protocol

  • The server sends the client a random challenge. The client hashes (MD5) the challenge together with the shared secret and returns the hash; the server recomputes it and compares. The password itself is never sent.
  • The server repeats the challenge periodically during the session. Because every challenge is new, a captured response cannot be replayed. This does not by itself stop a man-in-the-middle, and a sniffed challenge/response pair can be attacked offline by guessing weak secrets.
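The exchange above, as an added example that is not code from the flashcards: both sides of a CHAP/MD5 handshake (RFC 1994), a legitimate client, a client with the wrong secret, and an attacker replaying a sniffed response. The shared secret is a constructed demo value; `ChapServer`, `run_exchange` and `replay_attack` are names chosen here.

```python
import hashlib
import hmac
import os

# Added example, not the flashcards' own code: a CHAP (RFC 1994, MD5 variant) exchange
# between a client and an authentication server. The secret is a constructed demo value.
SHARED_SECRET = b"constructed-demo-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge). The secret never leaves either host."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = None   # (identifier, challenge) waiting for a response

    def new_challenge(self):
        """Step 1: server sends a fresh random challenge. It calls this again
        periodically during the session to re-authenticate the peer."""
        self.identifier = (self.identifier + 1) % 256
        challenge = os.urandom(16)
        self.outstanding = (self.identifier, challenge)
        return self.identifier, challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        """Step 3: recompute the expected hash from the stored challenge and compare.
        The challenge is single-use, so an old response can never match again."""
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False
        expected = chap_response(identifier, self.secret, self.outstanding[1])
        self.outstanding = None
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChapServer, client_secret: bytes):
    """Client side (step 2): hash the challenge with its own copy of the secret and send it back.
    Returns (accepted, response_bytes) so the response can be 'sniffed' by replay_attack()."""
    identifier, challenge = server.new_challenge()
    response = chap_response(identifier, client_secret, challenge)
    return server.verify(identifier, response), response


def replay_attack(server: ChapServer, sniffed_response: bytes) -> bool:
    """An attacker who captured an earlier response resends it against a new challenge."""
    identifier, _ = server.new_challenge()
    return server.verify(identifier, sniffed_response)


if __name__ == "__main__":
    srv = ChapServer(SHARED_SECRET)
    ok, captured = run_exchange(srv, SHARED_SECRET)
    print("legitimate client:", ok)                            # True
    print("replayed response:", replay_attack(srv, captured))  # False: the challenge changed
    print("wrong secret:", run_exchange(srv, b"guess")[0])     # False
```

What the code does not protect against is also worth seeing: an attacker holding the sniffed `(identifier, challenge, response)` triple can run `chap_response` over a wordlist offline, which is why CHAP secrets need to be long and random, not user-chosen passwords.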
13
Q

TOTP

139

A

Time-Based One-Time Password

  • HOTP with the counter replaced by the current time step (normally 30 seconds), so each code is only valid briefly; client and server clocks must be roughly in sync.
  • Google Authenticator and similar apps are common implementations.
14
Q

HOTP

139

A

HMAC-Based One-Time Password

-Computes HMAC(shared secret, counter) and truncates it to a 6-8 digit code (RFC 4226). The counter increments on every use, so a code stays valid until it is used rather than until a timer expires, and the server must refuse any counter it has already accepted.

15
Q

Password Length and Complexity

account policy enforcement, page 139

A

On Windows, enabling "Password must meet complexity requirements" enforces:

  • Cannot contain the account name, or any part of the user's full name longer than two consecutive characters
  • Must be at least six characters long (the separate minimum-length policy is what raises this to eight or more)
  • Must contain characters from 3 of the following categories (non-Latin alphabetic characters count as a further category)
    • A-Z
    • a-z
    • 0-9
    • Non-alphanumeric, e.g. !$%
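Those rules as a checker, as an added example that is not from the flashcards. `meets_windows_complexity` follows Microsoft's published policy text (account name skipped when shorter than three characters, full name split on the same delimiters Windows uses, three of four categories). `check_password` goes one step past the page and adds a denylist screen in the NIST SP 800-63B style, because a password like `Password1!` satisfies every Windows rule; the denylist itself is a constructed three-entry stand-in for a real breached-password list.

```python
import re

# Added example, not from the flashcards: a checker for the Windows complexity policy,
# plus an extra denylist check (constructed list) that the Windows policy does not do.

DELIMITERS = re.compile(r"[,.\-_ #\t]+")   # Windows splits the display name on these

COMMON_PASSWORDS = {"password1!", "welcome1!", "summer2024!"}   # constructed stand-in list


def meets_windows_complexity(password: str, account_name: str = "", full_name: str = "",
                             min_length: int = 6):
    """Returns (ok, reason). Mirrors 'Password must meet complexity requirements':
    no account name (if it is 3+ chars), no display-name token of 3+ chars, at least six
    characters (the minimum-length policy is separate), and 3 of the 4 character categories."""
    pw = password.lower()
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    if len(account_name) >= 3 and account_name.lower() in pw:
        return False, "contains the account name"
    for token in DELIMITERS.split(full_name):
        if len(token) >= 3 and token.lower() in pw:
            return False, "contains part of the full name: " + token
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(categories) < 3:
        return False, "fewer than 3 of the 4 character categories"
    return True, "ok"


def check_password(password: str, account_name: str = "", full_name: str = ""):
    """Complexity is necessary but not sufficient: 'Password1!' passes every Windows rule.
    NIST SP 800-63B recommends screening against known-bad lists instead, so do both."""
    ok, reason = meets_windows_complexity(password, account_name, full_name)
    if not ok:
        return False, reason
    if password.lower() in COMMON_PASSWORDS:
        return False, "on the common-password denylist"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1!", "Smith2024!", "jsmith#2024", "abcdefgh", "Tr0ub4dor&3"):
        print(candidate, "->", check_password(candidate, "jsmith", "John Smith"))
```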
16
Q

Password Expiration

account policy enforcement, page 140

A

90 days is a common maximum age; 42 days was the default maximum in older Windows domain policy. Enable password history (and a minimum age) so users cannot cycle straight back to the same password. Current NIST SP 800-63B guidance is not to force periodic changes at all unless there is evidence of compromise, since forced rotation pushes users toward predictable variations.

17
Q

RADIUS

145

A

Remote Authentication Dial-In User Service
-A client/server protocol (UDP, ports 1812 for authentication and 1813 for accounting) that lets a network access server hand authentication, authorization and accounting off to a central server. Originally built for dial-up, it is still the standard for VPN, wireless (802.1X / WPA-Enterprise) and switch-port authentication.
-If there is only one RADIUS server and it goes down, nobody can authenticate to any device that relies on it; the network keeps running, but new logins fail.
More RADIUS servers (with clients configured to fail over to a secondary) means more resilience.

18
Q

TACACS

146

A

Terminal Access Controller Access-Control System. Cisco's TACACS+ is the version in use now and the main alternative to RADIUS. Unlike RADIUS, which bundles authentication and authorization into one exchange, TACACS+ separates authentication, authorization and accounting, which makes per-command authorization on network devices possible. It also runs over TCP (port 49) and encrypts the whole packet body, whereas RADIUS uses UDP and obscures only the password.

19
Q

SAML

147

A

Security Assertion Markup Language: an XML-based standard for passing authentication and authorization assertions between an identity provider (which authenticates the user) and a service provider (which grants access based on the assertion). It is the basis of most web single sign-on between organizations.

20
Q

Kerberos

148

A

Uses a Key Distribution Center (KDC) to authenticate the principal (a user or a service) and issue tickets: first a ticket-granting ticket (TGT), then a service ticket for each service the principal contacts.

  • The ticket proves authentication to the service without the password ever being sent to it.
  • Weaknesses: the KDC is a single point of failure, and clocks must be synchronised, because tickets carry timestamps and expire.
21
Q

Single Sign-On

149

A

One authentication grants access to every system the user is allowed to use, instead of a separate login for each. The trade-off: a compromised credential, or the central server that holds the credentials, unlocks everything at once, so the SSO server is a high-value target that must be hardened and should enforce MFA.

22
Q

Mandatory Access Control (MAC)

151

A

High security and inflexible.

Every object carries a classification label and every subject a clearance; the system enforces access from the labels. Rights and privileges are defined, and if need be changed, only by the admin, never by the owner of the data.

23
Q

Discretionary Access Control (DAC)

151

A

More flexible.

The owner of an object decides who can access it (file permissions and ACLs are the usual form), so users can share information with each other dynamically. The downside is that owners can grant more than they should, and malware running as the owner inherits that power.

24
Q

Role-Based Access Control (RBAC)

152

A

Permissions are attached to roles (helpdesk, DBA, auditor) and users are assigned roles rather than individual permissions; in Windows this is done with groups. Changing a role's permissions changes them for every user holding that role, which keeps least privilege manageable.

25
Q

Rule-Based Access Control

152

A

Also abbreviated RBAC, which is why it gets confused with role-based. Access is decided by a preconfigured set of rules in the security policy, applied the same way to everyone regardless of identity; firewall ACLs are the classic example (allow 443 from anywhere, allow 22 only from the admin subnet, deny the rest).

26
Q

User Access Review

154

A

Periodically review each employee's permissions and remove whatever the job no longer needs. Rights accumulate as people move between roles (privilege creep), so reviews matter most after transfers and for accounts with admin rights.

27
Q

Common Access Card (CAC)

155

A

Smart card used by the US Department of Defense for both physical and logical access; the chip holds PKI certificates for login, signing and encryption.
-The front has your picture, beneath which are the chip and a barcode; the back has a magnetic stripe and a second barcode.

28
Q

Personal Identification Verification Card (PIV)

156

A

Defined by FIPS 201 under HSPD-12; the standard smart card for federal employees and contractors, carrying PKI certificates, a photo and fingerprint biometrics on the chip. The DoD's CAC is its implementation of PIV.