GCGA Ch.2 Understanding Identity and Access Management Flashcards
(24 cards)
Authentication
proves an identity with some type of credentials, such as a username and password. Identification occurs when someone makes a claim about their identity with a unique identifier (username or email address); the user then proves that claim with a password.
Authorization
provides access to resources based on proven identity.
Accounting
tracks user activity and records it in logs. This allows security administrators to create an audit trail.
Audit trail
allows security professionals to re-create the events that preceded a security incident.
Authentication methods
something you know (password, PIN), something you have (smart card, phone, USB token), something you are (biometrics), somewhere you are (home, office). Mnemonic: are, place, have, know (APHK).
KBA
Knowledge-Based Authentication - a method of authenticating individuals based on what they know.
Static KBA
you answer questions about yourself, such as your dog's name or your mother's maiden name.
Dynamic KBA
queries public or private data sources, such as credit reports, vehicle registrations, and property records.
HOTP & TOTP
HMAC-based one-time password and time-based one-time password - open standards used to generate one-time-use passwords. HOTP passwords do not expire until used; TOTP generates one-time passwords that expire after a specified period of time (typically 30-60 seconds).
FAR
False acceptance rate - the percentage of times a false acceptance occurs.
FRR
False rejection rate - the percentage of times a false rejection occurs.
CER
Crossover error rate - indicates a biometric system's quality. A lower CER is better.
Best practices for accounts
don't share accounts or passwords; most organizations make sure the Guest account is disabled.
PAM
Privileged access management - implements stringent security controls over accounts with elevated privileges, such as administrator or root accounts.
Account disablement policy
ensures that inactive accounts are disabled (for example, accounts of employees who resign or are terminated).
Account audit
examines the rights and permissions assigned to users and enforces the principle of least privilege.
SAML
Security Assertion Markup Language - an XML-based standard used to exchange authentication and authorization information between parties.
OAuth
an open standard for authorization; allows users to log on with an account from another provider, e.g. Google, Facebook, PayPal, or Microsoft. It uses API calls to exchange information and a token to show that access is authorized.
Role-BAC
role-based access control - uses roles to grant access, placing users into roles based on their assigned jobs, functions, or tasks.
Group-based privileges
a form of role-BAC. Administrators create groups, add users to the groups, and then assign permissions to the groups.
Rule-BAC
rule-based access control - based on a set of approved instructions, such as ACL rules in a firewall. Some rule-BAC implementations use rules that trigger in response to an event, such as modifying ACLs after detecting an attack.
DAC
Discretionary access control - every object has an owner. The owner has explicit access and establishes access for any other user. Microsoft NTFS uses the DAC scheme, with every object having a discretionary access control list (DACL). The DACL identifies who has access and what access they are granted.
MAC
Mandatory access control - uses security or sensitivity labels to identify objects (what you're securing) and subjects (users). It is often used when access needs to be restricted based on a need to know. The administrator establishes access based on predefined security labels. These labels are often defined with a lattice that specifies the upper and lower security boundaries.
ABAC
Attribute-based access control - evaluates attributes and grants access based on those attributes' values. It is used in many software-defined networks (SDNs).