Given a scenario, implement authentication and authorization solutions Flashcards

1
Q

Authentication management

A
Password keys
Password vaults
TPM
HSM
Knowledge-based authentication
2
Q

Password keys

A

Password key—USB tokens for connecting to PCs and smartphones. Some can use near-field communication (NFC) or Bluetooth as well as physical connectivity.

3
Q

Password vaults

A

Password vault—software-based password manager, typically using a cloud service to allow access from any device (pcmag.com/picks/the-best-password-managers). A USB key is also likely to use a vault for backup. Most operating systems and browsers implement native password vaults. Examples include Windows Credential Manager and Apple’s iCloud Keychain (imore.com/icloud-keychain).

4
Q

TPM

A

Trusted Platform Module (TPM)—a secure cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance. The TPM is usually a module within the CPU. Modification of TPM data is only permitted by highly trusted processes. A TPM can be used to present a virtual smart card (docs.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview).

5
Q

HSM

A

An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.

6
Q

Knowledge-based authentication

A

Knowledge-based authentication refers primarily to issuing users with password-based account access mechanisms. Configuring password-based authentication protocols and supporting users with authentication issues is an important part of the information security role. In this topic, you will learn how some common authentication protocols work and about the ways that they can be put at risk by password cracking techniques.

7
Q

Authentication/authorization

A
EAP
Challenge Handshake Authentication Protocol (CHAP)
Password Authentication Protocol (PAP)
802.1X
RADIUS
Single sign-on (SSO)
Security Assertion Markup Language (SAML)
Terminal Access Controller Access Control System Plus (TACACS+)
OAuth
OpenID
Kerberos
8
Q

EAP

A

Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.

9
Q

Challenge Handshake Authentication Protocol (CHAP)

A

Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.

10
Q

Password Authentication Protocol (PAP)

A

Obsolete authentication mechanism used with PPP. PAP transfers the password in plaintext and so is vulnerable to eavesdropping.

11
Q

802.1X

A

A standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication.

12
Q

RADIUS

A

A standard protocol used to manage remote and wireless authentication infrastructures.

13
Q

Single sign-on (SSO)

A

An authentication technology that enables a user to authenticate once and receive authorizations for multiple services.

14
Q

Security Assertion Markup Language (SAML)

A

An XML-based data format used to exchange authentication information between a client and a service.

15
Q

Terminal Access Controller Access Control System Plus (TACACS+)

A

An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.

16
Q

OAuth

A

Standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.

17
Q

OpenID

A

An authentication layer that sits on top of the OAuth 2.0 authorization protocol.

18
Q

Kerberos

A

A single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.

19
Q

Access control schemes

A
Attribute-based access control (ABAC)
Role-based access control
Rule-based access control
MAC
Discretionary access control (DAC)
Conditional access
Privileged access management
Filesystem permissions
20
Q

Attribute-based access control (ABAC)

A

An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.

21
Q

Role-based access control

A

An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.

22
Q

Rule-based access control

A

A non-discretionary access control technique that is based on a set of operational rules or restrictions to enforce a least privilege permissions policy.

23
Q

MAC

A

Access control model where resources are protected by inflexible, system-defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).

24
Q

Discretionary access control (DAC)

A

Access control model where each resource is protected by an Access Control List (ACL) managed by the resource’s owner (or owners).

25
Q

Conditional access

A

Conditional access is an example of rule-based access control. A conditional access system monitors account or device behavior throughout a session. If certain conditions are met, the account may be suspended or the user may be required to reauthenticate, perhaps using a 2-step verification method. The User Account Control (UAC) and sudo restrictions on privileged accounts are examples of conditional access. The user is prompted for confirmation or authentication when requests that require elevated privileges are made. Role-based rights management and ABAC systems can apply a number of criteria to conditional access, including location-based policies (docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview).

26
Q

Privileged access management

A

A privileged account is one that can make significant configuration changes to a host, such as installing software or disabling a firewall or other security system. Privileged accounts also have rights to log on to network appliances and application servers.

Privileged access management (PAM) refers to policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts and to mitigate risks from weak configuration control over privileges. These controls identify and document privileged accounts, giving visibility into their use, and manage the credentials used to access them (beyondtrust.com/resources/glossary/privileged-access-management-pam).

27
Q

Filesystem permissions

A

An access control model can be applied to any type of data or software resource but is most closely associated with network, file system, and database security. With file system security, each object in the file system has an ACL associated with it. The ACL contains a list of accounts (principals) allowed to access the resource and the permissions they have over it. Each record in the ACL is called an access control entry (ACE). The order of ACEs in the ACL is important in determining effective permissions for a given account.