Domain Four: Identity and Access Management Flashcards
What is the notion of accountability in IAM ?
The ability to trace every action back to the identity that performed it, so logs show who changed what and when.
What is authentication ?
The process of verifying a claimed identity (proving you are who you say you are).
What is authorisation ?
Determines what can be done through a process of allowing and denying access to resources.
What is federation ?
Similar to SSO, but it extends trust across organisations rather than just between systems within one enterprise.
Why is identification important ?
We need to uniquely identify every entity that accesses resources; this includes hardware, software, people and processes.
What is multi factor authentication ?
A combination of two or more different types (factors) of authentication.
There are five different types
What you are (biometric)
What you have (token)
What you know (passwords)
Where you are (location)
What you do (behavioural, such as a gesture or typing pattern)
What is single sign on ?
The transfer of an authenticated session or credentials between systems, so that a single login grants access to multiple systems.
What is transitive trust ?
Transitive trust is the concept that trust passes along a chain of trusting domains: if one domain trusts another, then any domain the trusted domain in turn trusts is also trusted by the first.
If A trusts B and B trusts C then A trusts C
What in IAM is the notion of Account Maintenance ?
Account maintenance refers to all the processes that are run to make sure that an account is still valid and appropriate for its current needs.
Define Guest Accounts ?
Limited access accounts for guest users.
Define privileged accounts ?
They have higher permissions than general user accounts and are assumed only by certain users for higher-order tasks that are not part of their day-to-day activity. They should be closely monitored.
What is a service account ?
Service accounts are similar to shared accounts in that they are tied to a job function, but unlike shared accounts they need no human interaction to achieve the task at hand.
What is a shared account ?
These are accounts used by multiple people to achieve a job function such as backup administrator. They should be monitored regularly and some organisations only allow them to be assumed rather than log in directly.
Define a user account ?
These are accounts attributed to individual users; they have a friendly name and a unique ID (such as a SID or UID), and it is usually the unique ID that is logged.
You should not immediately delete an account when a user leaves: disable it first. Once the account is deleted there is nothing to tie the unique ID in logs and ACLs back to a person (it shows as an orphaned, unresolvable ID), and in Active Directory the deleted object survives only as a tombstone for a limited time. Common practice is to keep the account disabled for a retention period, often 90 days, before deletion.
What is Group based access control ?
This refers to assigning users to groups that have permissions rather than handling individual users. This is done to ease the admin overhead and complexity.
Why do we need a secure JML process ?
We should have a rigorous JML (joiners, movers, leavers) process to stop people retaining access after they leave the organisation, or accumulating access as they move from position to position.
What is the concept of least privilege ?
Only assign the minimum required permissions to achieve job function
What is the process of recertification ?
The process of verifying that an account is still required; it can be driven by reports showing when the account was last used.
At HMRC there is a process that flags all AWS user accounts that have not been logged into for 30 days.
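As an added example (not part of the original flashcards), the kind of check described above can be run over a last-login report. The CSV below is constructed in the style of a cloud IAM credential report; its column names are an assumption. Accounts that have never been used, and accounts whose most recent password or access-key use is older than the cut-off, are both flagged.

```python
"""Flag accounts not used within N days, from a last-login report (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report; the column names are an assumption, not a real export.
REPORT = """user,password_enabled,password_last_used,access_key_last_used
alice,true,2024-05-28T09:12:00+00:00,2024-05-29T10:00:00+00:00
bob,true,2024-03-01T08:00:00+00:00,N/A
svc-backup,false,N/A,2024-05-30T02:00:00+00:00
carol,true,N/A,N/A
"""


def parse_ts(value):
    """Return an aware datetime, or None when the report has no usage data."""
    if value in ("N/A", "", "no_information"):
        return None
    return datetime.fromisoformat(value)


def stale_accounts(report_csv, now, max_idle_days=30):
    """Return [(user, last_used_date_or_'never')] for accounts idle longer than the limit.

    An account counts as active if *either* its password or its access key was
    used after the cut-off; an account with no usage at all is always stale.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        used = [t for t in (parse_ts(row["password_last_used"]),
                            parse_ts(row["access_key_last_used"])) if t]
        latest = max(used) if used else None
        if latest is None or latest < cutoff:
            stale.append((row["user"], latest.date().isoformat() if latest else "never"))
    return stale


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for user, last in stale_accounts(REPORT, now):
        print(f"recertify: {user} (last used {last})")
```

The never-used case matters: a freshly created but unused account is a common finding in recertification, and a naive "last login older than 30 days" query silently skips it.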
Why should we have a standard naming convention for accounts ?
Accounts should be named with a standard naming convention that can accommodate growth but not display information that would be useful to an attacker.
mark.teasdale@acme.co.uk is a good example
What is the concept of time managed accounts ?
Only allow access for a specified time period; this could be normal working hours or, for highly privileged accounts, a window measured in hours.
What is credential management ?
Refers to the policies, procedures and techniques to manage credentials
What is account lockout ?
Disabling an account when suspected malicious activity is seen or a rule is violated, such as more than three failed login attempts.
What are Group Policy objects ?
Microsoft Active Directory technology: settings are defined centrally and applied to domain-joined machines, including credential settings such as password complexity, history and lockout rules.
What is password history ?
Limit the re-use of passwords by having a policy that remembers a user's previous passwords and rejects them.
What are some of the elements contained in a password policy ?
An enforceable policy that sets out the rules on what constitutes an acceptable password
Password Length
Renewal
Symbols allowed
Case
Numbers
Expiry rules
What is attribute access control ?
Grants access if the attributes of the user, the resource and the environment (such as the time of access) satisfy a policy. Uses boolean logic (IF this user has this attribute, THEN this user has this access to the resource).
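As an added example (not from the flashcards), here is a small ABAC evaluator: each rule is an IF condition over subject, resource and environment attributes, and a THEN set of permitted actions. The attribute names, the rules and the users are all constructed for illustration. The evaluator is default-deny, treats a missing attribute as "rule does not match", and includes a time-of-access attribute, which is the point made later on this page about time being a valid ABAC attribute.

```python
"""Attribute-based access control (ABAC) evaluation. Added example, constructed policy."""
from dataclasses import dataclass
from datetime import time
from typing import Any, Callable, Dict, List, Optional, Set

Attrs = Dict[str, Any]


@dataclass
class Rule:
    """IF condition(subject, resource, env) THEN these actions are permitted."""
    name: str
    condition: Callable[[Attrs, Attrs, Attrs], bool]
    actions: Set[str]


def in_business_hours(env: Attrs) -> bool:
    return time(8, 0) <= env["time"] <= time(18, 0)


# Constructed policy (attribute names are an assumption for this example).
POLICY: List[Rule] = [
    Rule("owner-full",
         lambda s, r, e: s["id"] == r["owner"],
         {"read", "write", "delete"}),
    Rule("same-dept-read-in-hours",
         lambda s, r, e: s["department"] == r["department"] and in_business_hours(e),
         {"read"}),
    Rule("clearance-read",
         lambda s, r, e: s["clearance"] >= r["classification"],
         {"read"}),
]


def decide(subject: Attrs, resource: Attrs, env: Attrs, action: str,
           policy: List[Rule] = POLICY) -> Optional[str]:
    """Return the name of the first rule granting the action, or None (default deny).

    Returning the rule name gives the audit log something to record (accountability).
    """
    for rule in policy:
        try:
            if rule.condition(subject, resource, env) and action in rule.actions:
                return rule.name
        except KeyError:
            continue  # an attribute the rule needs is absent: that rule cannot match
    return None


def is_permitted(subject: Attrs, resource: Attrs, env: Attrs, action: str) -> bool:
    return decide(subject, resource, env, action) is not None


if __name__ == "__main__":
    alice = {"id": "alice", "department": "finance", "clearance": 2}
    doc = {"owner": "alice", "department": "finance", "classification": 2}
    print(decide(alice, doc, {"time": time(23, 0)}, "delete"))  # owner-full
```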
What is FAR in biometrics ?
FAR - False Acceptance Rate - the rate at which impostors are incorrectly granted access
What is FRR in biometrics ?
FRR - False Rejection Rate - the rate at which legitimate users are incorrectly refused access
What is CER in biometrics ?
CER - Crossover Error Rate - the point, when tuning a device's decision threshold, at which FRR = FAR; a lower CER means a more accurate system
What is Discretionary access control ?
This is where resource owners or administrators determine the permissions of other users over those resources.
What is Mandatory access control ?
Used primarily in government and military settings. In MAC subjects (users) and objects (resources) are assigned classification levels. Rules enforce whether a user has access to a resource or not based on those classification levels.
What is Role based access control ?
Roles and job functions are matched and each role has a set of permissions that grant access to that resource. Users are then assigned to the relevant role.
What is Rule based access control ?
Access is granted based on a set of rules (for example firewall-style allow/deny lists); this can quickly become cumbersome because of the maintenance the rule set requires.
What are the two types of tokens in IAM ?
Hardware Tokens - e.g. RSA SecurID
Software Tokens - e.g. Google Authenticator
What is the challenge handshake authentication protocol ?
Challenge Handshake Authentication Protocol (CHAP) is used to provide authentication over a point-to-point protocol (PPP) link.
Authentication is verified at link establishment and then periodically re-verified through a challenge/response system. The server sends a random challenge; the client computes a one-way hash (MD5) over the identifier, the shared secret and the challenge and sends the result back; the server computes the same value and, if the two match, the communication continues. The secret itself is never transmitted.
MS-CHAP is Microsoft's variant; version 2 (MS-CHAPv2) shipped with Windows 2000. Both MS-CHAP versions are now considered weak.
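As an added example (not part of the original flashcards), the CHAP exchange described above simulated in one process: the server issues a random challenge with a fresh identifier, the client answers with MD5(identifier || secret || challenge) as in RFC 1994, and the server compares. The shared secret is constructed for the example. Note the two caveats the code makes visible: a captured response cannot be replayed because the challenge is single-use, but the server must hold the secret in the clear to compute the expected response.

```python
"""CHAP (RFC 1994) challenge/response, both sides simulated. Added example."""
import hashlib
import hmac
import os

SECRET = b"correct horse battery staple"  # constructed shared secret


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side: holds the secret in the clear, issues one-shot challenges."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.ident = 0
        self.challenge = None

    def issue_challenge(self, size: int = 16):
        self.ident = (self.ident + 1) & 0xFF      # identifier changes every round
        self.challenge = os.urandom(size)         # unpredictable, never reused
        return self.ident, self.challenge

    def verify(self, identifier: int, response: bytes) -> bool:
        if self.challenge is None or identifier != self.ident:
            return False                          # stale or replayed response
        expected = chap_response(identifier, self.secret, self.challenge)
        self.challenge = None                     # consume the challenge
        return hmac.compare_digest(expected, response)


def run_round(server: ChapServer, client_secret: bytes) -> bool:
    """One authentication round as the peer would perform it."""
    ident, challenge = server.issue_challenge()
    return server.verify(ident, chap_response(ident, client_secret, challenge))


if __name__ == "__main__":
    print(run_round(ChapServer(SECRET), SECRET), run_round(ChapServer(SECRET), b"wrong"))
```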
What is Kerberos ?
It is a SSO solution where once authenticated they receive a ticket that can be used to access other resources.
What is LDAP ?
LDAP (Lightweight Directory Access Protocol) is a lightweight, TCP/IP-based alternative to the X.500 Directory Access Protocol (DAP). It is the standard way of querying and managing directory objects, especially user accounts and credentials, across the enterprise; its directory model (objects, attributes, distinguished names) comes from the X.500 standard.
What are the two governing bodies of DAP ?
There are two governing bodies:
International Telecommunication Union (ITU-T) for the X.500 standard
Internet Engineering Task Force (IETF) for LDAP, its internet usage
Why has the Microsoft product NTLM been deprecated ?
NTLM has mainly been replaced by Kerberos because its challenge/response relies on the weak, unsalted MD4 hash of the password (the NT hash), so captured hashes are easy to crack or to reuse directly (pass-the-hash).
What is OAUTH ?
OAuth (2.0) is a token-based authorisation framework: it lets a user grant an application limited access to their resources on another service, over the internet, without handing over their password. Used for web, mobile and desktop apps by Google and many others.
What is OPENID ?
OpenID Connect (OIDC) is an authentication layer built on top of OAuth 2.0. OAuth on its own only authorises access to resources; OIDC adds an ID token and a UserInfo endpoint that returns information about the user held by the IdP, which is usually an additional call to the IdP beyond the OAuth token exchange.
Used mainly in federated situations with web applications and APIs.
What is the Password Authentication Protocol ?
Password Authentication Protocol (PAP) is the predecessor to CHAP and is deprecated because both the username and the password are sent in clear text.
What is RADIUS ?
Remote Authentication Dial-In User Service is a very common authentication protocol in use today.
What ports does RADIUS use ?
It uses UDP port 1812 for authentication and authorisation and 1813 for accounting (older deployments used 1645 and 1646).
What is SAML ?
XML based open standard for exchanging authentication and authorization information between identity and service provider. Used primarily for SSO in web based applications.
SAML issues information on successful authentication and authorisation on a user.
What is Shibboleth ?
Used where organisations need SSO but have incompatible authentication and authorisation mechanisms. The project started in 2000 and is used mainly in higher education and research; adoption elsewhere remains limited. It is based on SAML and uses HTTP POST to push assertions (attribute profiles) from the identity provider to the service provider.
What is TACACS ?
Terminal Access Controller Access Control System is another client/server AAA protocol. Unlike RADIUS it uses a single port, TCP 49, for authentication, authorisation and accounting.
Cisco created a proprietary extension, XTACACS, and the version in use today, TACACS+, was derived from it (TACACS+ is a separate protocol and is not backward compatible with either).
TACACS+ adds full support for accounting and separates the three AAA functions so each can be used independently.
What port does TACACS use ?
TCP port 49
What are the five common ways to assert identity ?
Usernames
Certificates
Tokens
SSH Keys
Smartcards
What is the most common authentication mechanism for wireless networks ?
EAP (Extensible Authentication Protocol), carried over 802.1X in WPA2/WPA3-Enterprise; the EAP method in use (for example EAP-TLS or PEAP) determines how the client and the RADIUS server actually authenticate.
What is the main characteristic of Kerberos ?
Authentication via a ticketing system over an untrusted network.
What is the main weakness of RADIUS ?
RADIUS hides only the user's password, by XORing it with an MD5 hash of the shared secret and the request authenticator; everything else is sent in clear text, and the shared secret can be brute-forced offline from a captured packet. To add protection it is often run inside an IPsec tunnel.
How does RADIUS work ?
A RADIUS Client (or Network Access Server) is a networking device (like a VPN concentrator, router, switch) that is used to authenticate users.
A RADIUS Server is a background process that runs on a UNIX or Windows server. It lets you maintain user profiles in a central database. Hence, if you have a RADIUS Server, you have control over who can connect with your network.
When a user tries to connect to a RADIUS Client, the Client sends requests to the RADIUS Server. The user can connect to the RADIUS Client only if the RADIUS Server authenticates and authorizes the user.
Do Radius servers offer accounting functionality ?
RADIUS servers are also used for accounting purposes. RADIUS accounting collects data for network monitoring, billing, or statistical purposes. The accounting process typically starts once the user has been authenticated and granted network access (the NAS sends an Accounting-Start, and an Accounting-Stop when the session ends). RADIUS accounting can also be used independently of RADIUS authentication and authorisation.
What is the differences between TACACS and RADIUS ?
Because TACACS+ runs over TCP, a connection-oriented protocol, reliable delivery is handled by the transport. RADIUS uses connectionless UDP, so the RADIUS client itself must handle retransmission on packet loss or timeout. RADIUS obscures only the user's password as it travels from the RADIUS client to the RADIUS server; all other information (username, authorisation attributes, accounting records) is transmitted in clear text, so it is vulnerable to eavesdropping and tampering. TACACS+ obscures the entire packet body (only the header is in the clear), which avoids those particular weaknesses. Note that both schemes are MD5-based obfuscation rather than modern encryption, so in practice either protocol should be carried over a protected transport such as IPsec or TLS.
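As an added example (not from the flashcards), this implements the User-Password hiding that RFC 2865 section 5.2 defines, which both the "main weakness of RADIUS" card and the comparison above refer to: the password is padded to a multiple of 16 bytes and each block is XORed with MD5(secret || previous block), seeded with the 16-byte Request Authenticator. The secret, password and authenticator are constructed. The final function shows why this is a weakness rather than encryption: anyone who captures a packet whose password they know (for example their own) can test candidate shared secrets offline.

```python
"""RADIUS User-Password hiding (RFC 2865 5.2) and offline secret recovery. Added example."""
import hashlib
from typing import Iterable, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: b1 = MD5(S + RA), c1 = p1 ^ b1; b2 = MD5(S + c1), c2 = p2 ^ b2; ..."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                       # chaining uses the *ciphertext* block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: the same keystream, so XOR again and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def recover_secret(hidden: bytes, authenticator: bytes, known_password: bytes,
                   candidates: Iterable[bytes]) -> Optional[bytes]:
    """Attacker side: with one captured Access-Request whose password is known,
    the shared secret can be tested offline against a wordlist (no server needed)."""
    for secret in candidates:
        if reveal_password(hidden, secret, authenticator) == known_password:
            return secret
    return None


if __name__ == "__main__":
    ra = bytes(range(16))                  # constructed; real RAs are random per request
    c = hide_password(b"hunter2", b"s3cret", ra)
    print(c.hex(), reveal_password(c, b"s3cret", ra))
```

The keystream depends only on the shared secret and a value sent in the clear, which is why the cards recommend wrapping RADIUS in IPsec: the obfuscation protects against a casual glance, not against an attacker who can capture traffic.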
What's the difference between Federation and SSO ?
Federation is similar to SSO but extends trust across enterprises rather than just between systems within a single enterprise.
In federation terminology what does the principal refer to ?
The principal normally refers to the user
In federation terminology what is the role of the IdP ?
Provision of identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be.
In federation terminology what is a service provider ?
Provide services to users whose identities have been attested to by an IdP aka Relying party
What are the additional recommendations from NIST around passwords ?
Allow pasting into password fields
Eliminate password hints
Reduce composition (complexity) rules in favour of greater length
Do not require special characters
Screen new passwords against lists of breached and commonly used passwords
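As an added example (not part of the flashcards), the two policy styles on this page side by side: the classic complexity policy from the "elements of a password policy" card (length, case, numbers, symbols) and a NIST SP 800-63B style check (length bounds, no composition rules, screening against breached passwords, and password history). The breached-password set and the sample passwords are constructed; a real deployment would use a large breach corpus or a k-anonymity lookup service, and would store history as salted hashes rather than the plain SHA-1 used here for brevity.

```python
"""Legacy complexity policy vs NIST-style password screening. Added example."""
import hashlib
import re
from typing import Iterable, Tuple

# Constructed stand-in for a breached-password corpus (SHA-1 so we never store plaintext).
BREACHED = {hashlib.sha1(p.encode()).hexdigest()
            for p in ("Password1!", "Summer2024!", "qwerty123", "Welcome1!")}


def legacy_complexity_ok(pw: str) -> bool:
    """Classic policy: 8+ chars with upper, lower, digit and symbol.
    Note that 'Password1!' passes even though it is on every breach list."""
    checks = [
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return all(checks)


def nist_style_ok(pw: str, history_hashes: Iterable[str] = (),
                  min_len: int = 12, max_len: int = 64) -> Tuple[bool, str]:
    """NIST 800-63B style: length over composition, reject breached and reused passwords.
    Returns (accepted, reason) so the UI can tell the user *why* a password was refused."""
    if not (min_len <= len(pw) <= max_len):
        return False, "length"
    digest = hashlib.sha1(pw.encode()).hexdigest()
    if digest in BREACHED:
        return False, "breached"
    if digest in set(history_hashes):
        return False, "reused"
    return True, "ok"


def password_hash_for_history(pw: str) -> str:
    """What the history list holds (unsalted SHA-1 here only to keep the example short)."""
    return hashlib.sha1(pw.encode()).hexdigest()


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple"):
        print(pw, legacy_complexity_ok(pw), nist_style_ok(pw, min_len=8))
```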
Whats the most common way to undermine MFA OTP ?
Phishing, in particular real-time (adversary-in-the-middle) phishing where the attacker relays the victim's one-time code to the real site before it expires.
What are the two most common OTP protocols ?
TOTP (time-based, RFC 6238) and HOTP (HMAC-based, counter-driven, RFC 4226); TOTP is HOTP with the counter derived from the current time.
What is the False Rejection Rate type 1 error in biometrics ?
Type I error: a legitimate user is incorrectly rejected even though the biometric was valid.
What is the False Acceptance Rate in biometrics ?
Type II error: an impostor is incorrectly accepted even though the biometric was invalid.
What measure compares FAR and FRR ?
Receiver Operating Characteristic (ROC) curve, which plots FAR against FRR (or the true acceptance rate) as the decision threshold is varied.
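As an added example (not from the flashcards), this computes FAR and FRR across a sweep of thresholds and locates the crossover (CER) that the earlier biometric cards define, which also gives the points of the ROC curve this card mentions. The genuine-user and impostor match scores are constructed; a real system would get them from enrolment and attack trials. Accept means "score at or above the threshold".

```python
"""FAR / FRR sweep, ROC points and crossover error rate for a biometric. Added example."""
from typing import List, Sequence, Tuple

# Constructed match scores (0..100): higher means the sample looked more like the template.
GENUINE = [92, 88, 81, 77, 70, 65, 60, 55, 50, 45]   # legitimate users
IMPOSTOR = [10, 20, 25, 30, 35, 40, 48, 52, 58, 66]  # attackers / wrong person


def error_rates(genuine: Sequence[int], impostor: Sequence[int],
                threshold: int) -> Tuple[float, float]:
    """Return (FAR, FRR) at a threshold where score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)   # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)      # real users refused
    return far, frr


def roc_points(genuine, impostor, thresholds) -> List[Tuple[int, float, float]]:
    """(threshold, FAR, FRR) for every candidate threshold: the ROC curve's raw points."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]


def crossover(genuine, impostor, thresholds) -> Tuple[int, float]:
    """Threshold where FAR and FRR are closest, and the error rate there (the CER)."""
    t, far, frr = min(roc_points(genuine, impostor, thresholds),
                      key=lambda p: abs(p[1] - p[2]))
    return t, (far + frr) / 2


if __name__ == "__main__":
    for t, far, frr in roc_points(GENUINE, IMPOSTOR, range(40, 71, 5)):
        print(f"threshold {t}: FAR={far:.2f} FRR={frr:.2f}")
    print("CER:", crossover(GENUINE, IMPOSTOR, range(0, 101, 5)))
```

The CER is a way of comparing devices, not necessarily the threshold you deploy with: a high-security system is tuned to the right of the crossover (low FAR, higher FRR) and accepts that legitimate users will sometimes have to retry.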
In PAM what is JIT permissions ?
Permissions that are removed after time expiration or a task has been completed.
In PAM what is password vaulting ?
Privileged credentials are held in a vault; users check out or are connected to the privileged account without ever seeing the password, and the vault can rotate it after each use.
In PAM what are ephemeral accounts ?
Accounts with a limited lifespan such as guest accounts
What is the least secure MA technique ?
SMS one-time codes, which can be intercepted via SIM swapping or SIM cloning.
What is an example of something you can do ?
Windows Picture Password
Does attribute access include time of access as an attribute ?
Yes
What is access federation ?
Federation allows different organizations to share digital identities, enabling single sign-on across them. While centralized access management manages access centrally, it doesn’t necessarily mean sharing digital identities across different organizations
What type of backup copies every transaction ?
Journaling is a form of backup that involves recording all transactions in a system which can be used to restore the system to a previous state
What is a statement of work?
It provides detailed instructions and requirements for specific tasks or projects to be carried out by a vendor, making it suitable for the software development project
In incident response what is acquisition ?
Acquisition involves identifying and gathering evidence related to the security incident. This may include collecting logs from affected systems, taking disk images, or other procedures to catalogue everything that may be used as evidence in a court proceeding
Why does NIST not recommend password complexity enforcement ?
Complexity rules push employees toward writing passwords down or making predictable substitutions. The better option is to encourage employees to keep their passwords confidential and to use long, unique passwords (or passphrases) for each account, which is a key part of password management best practice.
What is the execution phase of security awareness practices ?
The Execution phase is where security awareness policies and procedures are put into operation, encompassing actions like user training, dissemination of awareness resources, and monitoring the efficacy of the awareness initiative.
Does a SIEM require agent based software ?
No. Log sources can send data agentlessly (for example via syslog, SNMP traps or API pulls); agents are optional, for hosts that cannot forward logs natively.
What is the difference between End of life and legacy ?
End-of-life refers to hardware that is no longer supported by the manufacturer, often leading to unpatched and exploitable vulnerabilities. Legacy hardware denotes older systems or components still in use, which can be vulnerable, but doesn’t necessarily mean they are unsupported or at their end-of-life.
What is E-Discovery ?
E-discovery is an essential component of incident response and primarily relates to the collection and handling of electronic data. It is designed to be used as evidence in legal cases and includes in its scope anything that is stored electronically - emails, documents, databases, presentation files, voicemails, video/audio files, social media posts, and more
What is the recommended encryption protocol for wireless today ?
AES, as used by WPA2's CCMP and WPA3's GCMP modes, is currently the most secure and widely adopted encryption for wireless networks; it is extensively tested and is not deprecated. TKIP was an improvement over the original WEP encryption, but it is weak, has known vulnerabilities and is now deprecated.
What is the workforce multiplier?
The workforce multiplier refers to the ability to scale and amplify the effectiveness of the security team by combining the efforts of human professionals with automation and orchestration