Chapter 8 Identity and Password Management

Question 1

Identities

Answer 1

Set of claims made about a subject. Subject can be a person, application, device, organization, etc. Identities are linked to information about the subject. This info includes ATTRIBUTES, or information about the subject.

Question 2

Attributes vs. Traits

Answer 2

Attributes are changeable things like title or address. Traits are inherent, like place of birth.

Question 3

SSH Keys

Answer 3

Cryptographic representations of Identity that replace username and password.

Question 4

EAP (Extensible Authentication Protocol)

Answer 4

Authentication framework for wireless networks. Integrates with 802.1X

Question 5

PAP (Password Authentication Protocol)

Answer 5

Password centric authentication protocol. More modern solutions such as CHAP and EAP have replaced it.

Question 6

CHAP (Challenge Handshake Authentication Protocol)

Answer 6

Uses an encrypted challenge and a three-way handshake to send credentials. More secure than protocols like PAP.

Question 7

RADIUS

Answer 7

AAA system for network devices. Passwords are obfuscated by a shared secret and MD5 hash, meaning password security isn’t strong.

Question 8

TACACS+

Answer 8

Cisco proprietary protocol that uses TCP traffic to provide AAA services. Provides full packet encryption as well as granular command controls.

Question 9

Kerberos

Answer 9

Network authentication protocol that allows communication over a non-secure network.

• Works on the basis of tickets to allow nodes communicating over a non-secure network to provide their identity to one another in a secure manner. Comprised of 3 elements, the primary, the instance, and realms. Can use SSO.

Question 10

Kerberos Tickets

Answer 10

When a client wants to access a network service they request an authentication ticket, or ticket granting ticket (TGT). An authentication server checks the clients credentials and responds with the ticket, which is encrypted using the ticket granting service’s (TGS) key.

Question 11

SAML (Security Assertion Markup Language) “Internet systems often rely on a number of core technologies to accomplish Authentication and Authorization”

Answer 11

XML based open standard for exchanging authentication and authorization information. Common solution for federated environments because it can accept SAML assertions from a range of identify providers.

Question 12

OpenID open identity provider (IdP)

Answer 12

Open standard for decentralized authentication, can be leveraged for third party sites. (think Log In with Google). Relying Parties (RPs) direct authentication to the IdP and receive a response back.

Question 13

OAuth

Answer 13

Open standard for authorization. OAuth provides a method for users to determine what information to provide to third-party applications and sites without sharing credentials.

Question 14

SSO (Single Sign On)

Answer 14

SSO allows user to log in with single identity and use multiple systems/services without re-authenticating. *Additional authentication may be required for privileged accounts.

Question 15

Federation

Answer 15

A federated environment allows different organizational units to work together through a defined contract.

Question 16

IdP (Identity Provider)

Answer 16

Provides identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be.

Question 17

SP (Service Providers)

Answer 17

Provide services to users whose identities have been attested to by an IdP.

Question 18

RP (Relying Party)

Answer 18

Similar meaning to service party, the RP will require authentication and identity claims from an IdP.

Question 19

LDAP (Lightweight Directory Access Protocol)

Answer 19

Used to manage and communicate with directories.

Protocol for enabling anyone to locate data about organizations, individuals, and other resources such as files and devices in a network. Often broken into OU (organizational units) and CN (Common Names).

Question 20

MFA (multi-factor authentication) 3 factors

Answer 20

Something you know- passwords, PINs, answer to security question.
Something you have- smartcard, token, security key.
Something you are- fingerprint, retina scan, even typing speed.

Question 21

MFA attributes

Answer 21

Somewhere you are- physical location (location factor)
Something you can do- picture password, (I am not a robot)
Something you can exhibit- behavior pattern
Someone you know- trusted relationships

Question 22

TOTP (Time-based One Time Password)

Answer 22

Uses algorithm to derive a one-time password using the current time as part of the code-generation process (Google Authenticator). Codes valid for a set period of time.

Question 23

HOTP (HMAC-based One-Time Password)

Answer 23

HMAC Based One Time Password, HMAC stands for Hash-based Message Authentication Code. HOTP uses a seed value that both the token or HOTP app and validation server use, as well as a moving factor. You typically press a button, moving factor is a counter, which is stored on the token and server. The codes are iterative so they can be checked for last known use of the token.

Question 24

SMS One Time Password

Answer 24

SMS sent to phone with authentication code. Less secure than both TOTP and HOTP.

Question 25

Push Notification Authentication

Answer 25

Sometimes used when hardware, software tokens and SMS aren't suitable. Not as secure as other methods of authentication.

Question 26

Static Codes

Answer 26

At times there is a need for a one time password that doesn't require connectivity. Static codes are algorithmically pre-generated and printed or stored in a secure location (creating new risk).

Question 27

Biometrics - FRR and FAR

Answer 27

False Rejection Rate is when legitimate biometric measures are presented and the system rejects it. False Acceptance Rate is when illegitimate biometric measures are presented and the system accepts it.

Question 28

Biometrics - ROC and CRR

Answer 28

Relative Operating Characteristic compares FRR and FAR, typically a graph. As you decrease FAR, you increase FRR. System should balance both. CRR is the point on the graph where the two lines intersect.

Question 29

Knowledge Based Authentication

Answer 29

KBA is frequently used for password resets in the form of security questions. Also used to validate users creating accounts. Generated from things the account requestor should know, such as last years tax return amount, or previous home address street number. NOT likely to be your pet name or first car since these things are easily discoverable.

Question 30

Managing Passwords

Answer 30

Password Vaults are software solutions that manage store and secure passwords.

Question 31

TPM (Trusted Platform Module) Standard

Answer 31

TPM Modules have crypto-processors that store RSA key pairs protected by a password set by the user. International Standard.

Question 32

HSM (Hardware Security Module)

Answer 32

Physical security device that manages and secures digital keys, performs encryption/decryption for digital signatures and strong authentication. Traditionally in the form of a plug in card, cloud providers now provide HSMs as a service, allowing secure HSMs to cloud infrastructure.

Question 33

Privileged Access Management

Answer 33

PA tools can be used to ensure the concept of least privilege, allowing only minimum privileges needed for a role/task.

Question 34

Access Control: ABAC

Answer 34

Attribute Based Access Control relies on attributes of the user., allowing rulesets based on attributes that provide the user with specific rights based on the attributes they have. Can be very flexible, but ABAC policies can be complex to manage as a result of that flexibility.

Question 35

Access Control: RBAC

Answer 35

Role Based Access Control systems rely on roles that are matched with the privileges that are assigned to those roles. 3 Rules: Role Assignment - subject can only use permissions matching role they've been assigned. Role Authorization - subjects active role must be authorized for the subject. (prevents subjects from taking on roles not assigned to them.) Permission Authorization - subjects can use only permissions that their active role is allowed to use.

Question 36

Access Control: RuBAC

Answer 36

Rule Based Access Control is applied using set of rules, or access control lists (ACLs) that apply to various objects/resources. When an attempt is made to access an object, the rule is checked to see if the access is allowed.

Question 37

Access Control: MAC

Answer 37

Mandatory Access Control systems rely on the operating system to enforce control as set by a security policy administrator. Relatively rare compared to DAC.

Question 38

Access Control: DAC

Answer 38

Discretionary Access Control is access control in which the owner delegates rights and permissions to those objects they desire. This is how most people run home PCs. Linux Default setup.

Question 39

Security+ Specific Access Controls

Answer 39

Privileged Access Management is the set of controls, tools, and processes used to handle privileges for elevated accounts and rights. Conditional Access describes the process of testing security state of devices and users before allowing access to data, networks and other resources.

Question 40

Filesystem Controls

Answer 40

Filesystem controls determine which accounts, users, groups, or services can perform actions like reading, writing, and executing files.

Question 41

What is DHCP?

Answer 41

Dynamic Host Configuration Protocol is a network management protocol used to assign local IP addresses to devices on a network.

Question 42

What is TLS

Answer 42

Transport Layer Security is an encryption protocol that replaced SSL.

Question 43

What is TCP and UDP

Answer 43

Transmission Control Protocol is a connection oriented protocol whereas UDP is a connectionless protocol. Key difference is speed, UDP is much faster.

Question 44

When is it appropriate to use either TCP or UDP?

Answer 44

TCP should be used when security is more important than speed, such as in file transfers. TCP can retransmit lost packets of data. UDP should be used when speed is more important than security, such as live streaming or video gaming.

Question 45

What is AAA refer to?

Answer 45

Authentication, Authorization, and Accounting.