Lesson 4 - Identity and Access Management Flashcards
PIN
Personal Identification Number
- A number used in conjunction with authentication devices such as smart cards; as the PIN should be known only to the user, loss of the smart card should not represent a security risk.
MFA
Multifactor Authentication
- An authentication scheme that requires the user to present at least two different types of factor as credentials; the recognized types are something you know, something you have, something you are, something you do, and somewhere you are. Two credentials of the same type (a password and a PIN, for example) do not make a scheme multifactor. Requiring exactly two factors is known as “2FA.”
FRR
False Rejection Rate
- A biometric assessment metric expressing the proportion of attempts by authorized subjects that are wrongly rejected (a type I error). Also called the false non-match rate; a high FRR makes the system frustrating rather than insecure.
FAR
False Acceptance Rate
- A biometric assessment metric expressing the proportion of attempts by unauthorized subjects that are wrongly accepted (a type II error). Also called the false match rate; this is the security-critical metric.
CER
Crossover Error Rate
- A biometric evaluation factor expressing the point at which FAR and FRR are equal as the matching threshold is adjusted. Tightening the threshold lowers FAR but raises FRR, and vice versa, so the CER gives a single figure for comparing systems; a lower CER indicates better accuracy.
FER
Failure to Enroll Rate
- The percentage of genuine users who cannot be enrolled at all, for example because the sensor cannot capture a usable sample; these users need a fallback authentication method.
FIDO
Fast Identity Online
- A set of open, standardized authentication protocols (U2F, UAF and FIDO2/WebAuthn) built on public-key credentials held by the user's device, intended ultimately to eliminate the use of passwords for authentication.
U2F
Universal 2nd Factor
- A FIDO standard that strengthens two-factor authentication (2FA) with a physical security key. The key signs a challenge from the server that includes the origin of the site, so a response obtained by a look-alike phishing site is rejected by the real one; this makes U2F far more phishing-resistant than OTP codes, which a user can be tricked into typing anywhere.
NFC
Near-Field Communication
- A short-range (a few centimetres) wireless technology used for contactless smart cards, payment cards and security keys. The short range limits but does not remove the risks, which include interception of the exchange, unauthorized reads of a card or tag, and delivery of malicious content via a crafted tag, so readers and tags need controls such as encrypted exchanges and mutual authentication between card and reader.
OTP
One-Time Password
- A password that is valid for a single authentication attempt (or a short time window) and is rejected if presented again. It is typically generated by a hardware token or authenticator app from a shared secret combined with a counter (HOTP) or the current time (TOTP), or delivered to the user out of band.
SAT
Soft Authentication Token
- OTP sent to a registered number or email account or generated by an authenticator app as a means of two-step verification when authenticating account access.
DAC
Discretionary Access Control
- An access control model where each resource is protected by an access control list (ACL) managed by the resource’s owner (or owners).
MAC
Mandatory Access Control
- An access control model in which resources are protected by inflexible, system-defined rules that neither owners nor users can override. Each resource (object) is assigned a classification label and each user (subject) a clearance, and access is granted only when the subject's clearance dominates the object's label.
RBAC
Role-Based Access Control
- An access control model in which permissions are attached to roles that reflect job functions, and users receive permissions by being assigned to roles. Administrators, not resource owners, manage the role definitions and assignments.
ABAC
Attribute-Based Access Control
- An access control technique that evaluates attributes of the subject (such as department or role), the resource (such as classification or owner), the requested action, and the environment (such as time of day or device posture) against policy to determine whether access should be granted.
RBAC
Rule-Based Access Control
- A nondiscretionary access control technique in which access is granted or denied by a fixed set of operational rules or restrictions (for example, permitted login hours, source networks or device posture) that apply regardless of who the user is, used to enforce a least privilege permissions policy.
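Added example (not from the flashcards) contrasting the MAC, ABAC and rule-based entries above as code: a Bell-LaPadula style label check, and a deny-by-default policy engine whose rule-based restrictions (hours, device posture) apply to everyone and whose ABAC permits compare subject and resource attributes. The classification lattice, departments, roles and approval limits are constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Callable

# MAC: a system-defined, linear classification lattice. Constructed for this example.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allows(subject_clearance: str, object_label: str, op: str) -> bool:
    """Bell-LaPadula style MAC decision.

    read : only if the subject's clearance dominates the object's label (no read up)
    write: only if the object's label dominates the clearance (no write down, so a
           "secret" subject cannot copy data into a "public" object)
    Neither the owner nor the subject can relax these rules; only the system can.
    """
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


@dataclass
class Request:
    subject: dict    # who: department, roles, approval_limit, ...
    resource: dict   # what: type, owner_department, amount, ...
    action: str      # read, approve, ...
    env: dict        # context: wall-clock time, device posture, ...


Rule = Callable[[Request], bool]

# Rule-based restrictions: operational rules that apply to everyone, whatever their attributes.
DENY_RULES: list[Rule] = [
    lambda r: not time(8, 0) <= r.env["time"] <= time(18, 0),   # outside business hours
    lambda r: not r.env["managed_device"],                       # unmanaged endpoint
]

# ABAC permits: compare subject, resource and action attributes.
PERMIT_RULES: list[Rule] = [
    lambda r: r.action == "read"
    and r.subject["department"] == r.resource["owner_department"],
    lambda r: r.action == "approve"
    and r.resource["type"] == "invoice"
    and "finance-approver" in r.subject["roles"]
    and r.resource["amount"] <= r.subject["approval_limit"],
]


def abac_allows(req: Request, permit_rules=PERMIT_RULES, deny_rules=DENY_RULES) -> bool:
    """Deny overrides; a permit rule must match explicitly; otherwise deny by default."""
    if any(rule(req) for rule in deny_rules):
        return False
    return any(rule(req) for rule in permit_rules)


# Constructed subjects, resources and contexts for the decisions below.
ALICE = {"department": "finance", "roles": ["finance-approver"], "approval_limit": 5000}
BOB = {"department": "engineering", "roles": [], "approval_limit": 0}
FORECAST = {"type": "document", "owner_department": "finance"}
INVOICE = {"type": "invoice", "owner_department": "finance", "amount": 4200}
OFFICE_HOURS = {"time": time(10, 30), "managed_device": True}
LATE_NIGHT = {"time": time(23, 15), "managed_device": True}


def demo() -> dict:
    return {
        "mac_read_down": mac_allows("secret", "internal", "read"),
        "mac_read_up": mac_allows("internal", "secret", "read"),
        "mac_write_down": mac_allows("secret", "internal", "write"),
        "alice_reads_forecast": abac_allows(Request(ALICE, FORECAST, "read", OFFICE_HOURS)),
        "bob_reads_forecast": abac_allows(Request(BOB, FORECAST, "read", OFFICE_HOURS)),
        "alice_approves_invoice": abac_allows(Request(ALICE, INVOICE, "approve", OFFICE_HOURS)),
        "alice_after_hours": abac_allows(Request(ALICE, INVOICE, "approve", LATE_NIGHT)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24} {decision}")
```

The ordering matters: deny rules are evaluated first and cannot be overridden by any permit, and the absence of a matching permit is itself a denial, which is how a least-privilege policy stays safe when a new resource type is added before anyone writes a rule for it.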
UAC
User Account Control
- A Windows security feature that limits application software to standard user privileges until an administrator authorizes an increase or elevation, helping to prevent unauthorized changes to the operating system.
SID
Security Identifier
- The value Windows assigns to an account or group and uses internally to identify it, in the form S-1-5-21-<domain or machine identifier>-<RID>. The relative identifier (RID) at the end distinguishes principals within the issuing authority; well-known RIDs such as 500 (built-in Administrator) and 512 (Domain Admins) identify those principals regardless of any display name they have been given.
GPOs
Group Policy Objects
- On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.
PAM
Privileged Access Management
- Policies, procedures, and support software for managing accounts and credentials with administrative permissions.
SAW
Secure Administrative Workstation
- A hardened, isolated workstation used specifically for performing administrative tasks that require elevated privileges, helping to mitigate credential theft and reuse risks.
ZSP
Zero Standing Privileges
- Removing all persistent user privileges and granting access only when needed, on a just-in-time basis, to minimize the attack surface and enhance security.
LSASS
Local Security Authority Subsystem Service
- The Windows process (lsass.exe) that enforces the local security policy, authenticates logons, and holds credential material such as NT hashes and Kerberos tickets in memory for logged-on users. This makes it a prime target for credential-dumping tools; running it as a protected process (RunAsPPL) and Credential Guard exist to shield it.
NTLM
NT LAN Manager
- A challenge-response authentication protocol created by Microsoft for use in its products. The server sends a random challenge and the client answers with a keyed hash computed from the user's NT hash (an MD4 of the password), so possession of the hash alone is sufficient to authenticate (pass-the-hash). It is a legacy protocol; Kerberos is preferred on domains and NTLM use should be restricted and audited.
LDAP
Lightweight Directory Access Protocol
- Protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.
DN
Distinguished Name
- A collection of attributes that define a unique identifier for any given resource within an X.500-like directory.
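Added example (not part of the flashcard set) for the LDAP and DN entries: how an application builds a search filter and a DN from user input, and why the values must be escaped per RFC 4515 (filters) and RFC 4514 (DN strings). The directory layout (ou=people, cn=admins) and the attacker input are constructed.

```python
def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP search filter (RFC 4515):
    backslash, '*', '(', ')' and NUL become \\5c, \\2a, \\28, \\29 and \\00."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


ADMINS = "cn=admins,ou=groups,dc=example,dc=com"   # constructed directory layout


def admin_check_filter_unsafe(username: str) -> str:
    """Vulnerable: the caller's input is spliced straight into the filter."""
    return f"(&(uid={username})(memberOf={ADMINS}))"


def admin_check_filter_safe(username: str) -> str:
    """Hardened: the value is escaped, so it can only ever match literally."""
    return f"(&(uid={escape_filter_value(username)})(memberOf={ADMINS}))"


def user_dn(cn: str) -> str:
    """Build the DN used to bind as (or look up) a user from an untrusted display name."""
    return f"cn={escape_dn_value(cn)},ou=people,dc=example,dc=com"


INJECTED = "alice)(|(uid=alice"   # constructed attacker input


def demo() -> dict:
    return {
        "unsafe": admin_check_filter_unsafe(INJECTED),
        "safe": admin_check_filter_safe(INJECTED),
        "dn": user_dn("Smith, John"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With the injected input the unsafe filter becomes `(&(uid=alice)(|(uid=alice)(memberOf=...)))`: the group membership test is now OR'd with a clause that is trivially true for alice, so the "is this user an admin" query returns a match for a non-admin. The escaped version keeps the parentheses inside the value, where they can only match a literal uid. Passwords should never be checked by matching userPassword in a filter; look up the DN, then bind as that DN with the supplied password.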
SSO
Single Sign-On
- Authentication technology that enables a user to authenticate once and receive authorizations for multiple services.
KDC
Key Distribution Center
- The Kerberos component that authenticates principals and issues tickets (tokens). It comprises an Authentication Service (AS), which handles the initial logon, and a Ticket Granting Service (TGS); on a Windows domain each domain controller runs a KDC, and the KDC holds the long-term keys of every principal in the realm.
TGT
Ticket Granting Ticket
- In Kerberos, a ticket issued by the KDC's Authentication Service to an account that has proved its identity. The client cannot read it (it is encrypted under the KDC's own key) but presents it to the Ticket Granting Service to obtain service tickets for individual application servers, so the user need not re-authenticate for each service.
TGS
Ticket Granting Service
- The part of the KDC that, when presented with a valid TGT and a fresh authenticator, issues a service ticket (and session key) for a particular application server; the client then presents that service ticket to the server, which validates it with its own long-term key without contacting the KDC.
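Added example, not from the flashcards or any Kerberos implementation: a simulation of the three Kerberos exchanges (AS, TGS, AP) between a client, a KDC and an application server. Encryption is a toy SHA-256 keystream plus HMAC construction standing in for Kerberos encryption types, the string-to-key function is a placeholder, and the principal names, passwords and timestamps are constructed. It makes the KDC, TGT and TGS entries concrete: the TGT is opaque to the client, the service ticket is readable only by the service it was issued for, and the authenticator binds each use to a fresh timestamp.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption (SHA-256 keystream + HMAC tag) standing in for a real etype.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password: str) -> bytes:
    return hashlib.sha256(b"toy-string2key:" + password.encode()).digest()  # real: RFC 3962


LIFETIME, SKEW = 10 * 3600, 300   # ticket lifetime and tolerated clock skew, in seconds


def fresh(auth: dict, ticket: dict, now: int) -> None:
    """Checks every ticket-bearing request makes: ticket unexpired, and the authenticator
    names the same principal as the ticket and was minted within the skew window."""
    if now > ticket["exp"]:
        raise ValueError("ticket expired")
    if auth["client"] != ticket["client"] or abs(auth["ts"] - now) > SKEW:
        raise ValueError("authenticator does not match ticket or is stale")


class KDC:
    def __init__(self, principal_keys: dict, krbtgt_key: bytes):
        self.keys, self.krbtgt_key = principal_keys, krbtgt_key

    def as_exchange(self, client: str, preauth: bytes, now: int):
        """AS-REQ/AS-REP: pre-authentication proves the client key; returns TGT + session key."""
        if abs(unseal(self.keys[client], preauth)["ts"] - now) > SKEW:
            raise ValueError("stale pre-authentication")
        sk = os.urandom(32).hex()
        tgt = seal(self.krbtgt_key, {"client": client, "sk": sk, "exp": now + LIFETIME})
        return tgt, seal(self.keys[client], {"sk": sk})      # the TGT is opaque to the client

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: validates the TGT and issues a ticket for `service`."""
        t = unseal(self.krbtgt_key, tgt)
        fresh(unseal(bytes.fromhex(t["sk"]), authenticator), t, now)
        sk2 = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "sk": sk2, "exp": now + LIFETIME})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk2})


class AppServer:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        """AP-REQ: the service never talks to the KDC; its own key validates the ticket."""
        t = unseal(self.key, ticket)
        fresh(unseal(bytes.fromhex(t["sk"]), authenticator), t, now)
        return t["client"]


def build_realm():
    """Constructed realm: one user, two services, a KDC holding every long-term key."""
    secrets = {"alice": "correct horse battery", "cifs/files": "svc-files-key", "http/wiki": "svc-wiki-key"}
    keys = {p: long_term_key(pw) for p, pw in secrets.items()}
    kdc = KDC(keys, long_term_key("krbtgt-secret"))
    return kdc, {n: AppServer(n, keys[n]) for n in ("cifs/files", "http/wiki")}


def access(kdc: KDC, apps: dict, user: str, password: str, requested: str, contacted: str, now: int) -> str:
    """Full client flow. Returns the principal name the contacted service authenticated."""
    ckey = long_term_key(password)
    tgt, enc = kdc.as_exchange(user, seal(ckey, {"ts": now}), now)
    sk1 = bytes.fromhex(unseal(ckey, enc)["sk"])
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk1, {"client": user, "ts": now}), requested, now)
    sk2 = bytes.fromhex(unseal(sk1, enc2)["sk"])
    return apps[contacted].ap_exchange(ticket, seal(sk2, {"client": user, "ts": now}), now)


if __name__ == "__main__":
    kdc, apps = build_realm()
    print(access(kdc, apps, "alice", "correct horse battery", "cifs/files", "cifs/files", 1_700_000_000))
```

Two properties fall out of the key placement. A wrong password fails at pre-authentication, before any ticket is issued, which is why disabling pre-authentication on an account exposes its key to offline guessing (AS-REP roasting). And because the TGT is sealed under the krbtgt key alone, whoever holds that key can mint TGTs for any principal, which is the golden-ticket attack and the reason the krbtgt key is rotated after a domain compromise.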
IdP
Identity Provider
- In a federated network, the service that holds the user account and performs authentication.
SAML
Security Assertion Markup Language
- An XML-based data format used to exchange authentication and authorization assertions between an identity provider and a service provider (the relying party), typically passed through the user's browser; the assertion is digitally signed so the service provider can verify that it came from the IdP and was not altered.
SOAP
Simple Object Access Protocol
- An XML-based web services protocol that is used to exchange messages.
OAuth
Open Authorization
- An authorization framework (OAuth 2.0) that lets a user grant a client application limited, token-based access to resources on a resource server without sharing the user's credentials, with an authorization server issuing the tokens. It underpins federated sign-in on consumer sites, but on its own it delegates authorization, not authentication; OpenID Connect layers an identity token on OAuth 2.0 for that purpose.
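Added example (not part of the flashcard set and not any library's code) of the OAuth 2.0 authorization code grant with PKCE (RFC 7636), showing both the client's and the authorization server's side. The client identifier, redirect URI and user are constructed. The server reproduces the three checks that matter in practice: an exact redirect URI match, single-use codes, and binding the code to the client that started the flow via the PKCE verifier.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair(code_verifier: str = "") -> tuple:
    """RFC 7636: the verifier is a high-entropy random string the client keeps; the S256
    challenge BASE64URL(SHA256(verifier)) is the only thing sent in the front channel."""
    code_verifier = code_verifier or b64url(secrets.token_bytes(32))
    return code_verifier, b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Authorization code grant with PKCE. Each registered client has one exact redirect URI."""

    def __init__(self, clients: dict):
        self.clients = clients
        self.pending = {}      # code -> what was authorized

    def authorize(self, client_id: str, redirect_uri: str, code_challenge: str, user: str) -> str:
        # Exact string comparison: prefix or wildcard matching lets codes leak to attacker hosts.
        if self.clients.get(client_id) != redirect_uri:
            raise ValueError("invalid_request: unregistered redirect_uri")
        code = secrets.token_urlsafe(24)
        self.pending[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                              "challenge": code_challenge, "user": user}
        return code            # delivered through the browser to redirect_uri?code=...

    def token(self, client_id: str, code: str, code_verifier: str, redirect_uri: str) -> dict:
        rec = self.pending.pop(code, None)          # single use: any second attempt fails
        if rec is None or rec["client_id"] != client_id or rec["redirect_uri"] != redirect_uri:
            raise ValueError("invalid_grant")
        _, expected = pkce_pair(code_verifier)
        if not hmac.compare_digest(expected, rec["challenge"]):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer", "sub": rec["user"]}


# Constructed client registration.
CLIENT_ID, REDIRECT = "notes-app", "https://notes.example.com/callback"


def _attempt(fn, *args) -> str:
    """Run a server call and report the error string, or 'issued' if it succeeded."""
    try:
        fn(*args)
        return "issued"
    except ValueError as e:
        return str(e)


def scenario() -> dict:
    srv = AuthorizationServer({CLIENT_ID: REDIRECT})
    out = {}
    # Legitimate flow: the client keeps the verifier and sends only the challenge.
    verifier, challenge = pkce_pair()
    code = srv.authorize(CLIENT_ID, REDIRECT, challenge, "alice")
    out["legitimate"] = srv.token(CLIENT_ID, code, verifier, REDIRECT)["sub"]
    # Replay of a code that has already been redeemed.
    out["replay"] = _attempt(srv.token, CLIENT_ID, code, verifier, REDIRECT)
    # A code intercepted in transit (malicious app, leaky referrer) without the verifier.
    _, challenge2 = pkce_pair()
    code2 = srv.authorize(CLIENT_ID, REDIRECT, challenge2, "alice")
    out["intercepted_code"] = _attempt(srv.token, CLIENT_ID, code2, "guessed-verifier", REDIRECT)
    # Attacker-supplied redirect URI at authorization time.
    out["bad_redirect"] = _attempt(srv.authorize, CLIENT_ID, "https://evil.example/cb", challenge2, "alice")
    return out


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:17} {v}")
```

The verifier never leaves the client until the back-channel token request, so an intercepted authorization code is worthless on its own; a `state` parameter bound to the user's session (omitted above for brevity) is still needed to stop an attacker from planting their own code in the victim's browser.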