Lesson 4: Implement Identity and Access Management

Question 1

Define Confidentiality in authentication

Answer 1

If account credentials are leaked, threat actors can impersonate the account.

Question 2

Define Integrity in authentication

Answer 2

Authentication mechanism is reliable and not easy for threat actors to bypass or trick with counterfeit credentials.

Question 3

Define Availability in authentication

Answer 3

Time taken to authenticate does not impede workflows and is easy enough for users to operate.

Question 4

Define an ‘authentication factor’

Answer 4

Different technologies for implementing authentication

Question 5

List main authentication factors

Answer 5

Knowledge (username/password/PIN), ownership/token, and biometric/inherence.

Question 6

Define the term ‘password best practices’

Answer 6

Policies to govern secure selection and maintenance of authentication factors; Secrets, such as length, complexity, age, and reuse, smart card, biometric ID.

Question 7

Define the term ‘account policies’

Answer 7

Policies governing user security information, such as password expiration and uniqueness.

Question 8

Define a ‘Password Length’ policy

Answer 8

Enforces a min/max length for passwords.

Question 9

Define a ‘Password Complexity’ policy

Answer 9

Enforces password entropy; Enforces complex passwords that aren’t easy to crack.

Question 10

What are examples of password complexity?

Answer 10

No use of a username within the password and a combination of at least eight uppercase/lowercase alphanumeric and non-alphanumeric characters.

Question 11

Define a ‘Password Age’ policy

Answer 11

Forces the user to select a new password after a set number of days.

Question 12

Define a ‘Password Reuse and History’ policy

Answer 12

Prevents the selection of a password that has been used already.

Question 13

Define the purpose of ‘history’ attribute of a ‘Password Reuse and History’ policy

Answer 13

How many previous passwords are blocked from use.

Question 14

Define the purpose of ‘minimum age’ attribute of a ‘Password Reuse and History’ policy

Answer 14

Prevents a user from quickly cycling through password changes to revert to a preferred phrase.

Question 15

Define a ‘password manager’

Answer 15

Software that can suggest and store passwords to reduce risks from poor user choices and behavior.

Question 16

What is the purpose of a password manager?

Answer 16

To mitigate risk of poor user credential management practices.

Question 17

What are the main risks of using a password manager?

Answer 17

Selection of a weak master password, compromise of the vendor’s cloud storage or systems, impersonation attacks.

Question 18

Define ‘multifactor authentication (MFA)’

Answer 18

Authentication scheme that requires the user to present at least two different factors as credentials.

Question 19

Define an ‘ownership authentication factor’

Answer 19

Something unique you have; smart card, key fob, cryptographic token.

Question 20

Define a ‘biometric/inherence authentication factor’

Answer 20

Something you are; Fingerprint, retinal scan, facial scan.

Question 21

Define a ‘location-based authentication factor’

Answer 21

Somewhere you are; system applies a location-based factor to an authentication decision based on location/IP address.

Question 22

What does it take to configure biometric authentication?

Answer 22

1. A sensor module to acquire biometric samples
2. Extraction module that creates a ‘template’/mathematical representation of the sample

Question 23

Define the process of biometric authentication

Answer 23

A user is rescanned and the scan is compared to their initial template.

Question 24

List the 3 metrics that are used to evaluate biometric authentication performance

Answer 24

1. False Rejection Rate (FRR)
2. False Acceptance Rate (FAR)
3. Crossover Error Rate (CER)

Question 25

Define ‘False Rejection Rate (FRR)’

Answer 25

Measures the number of valid subjects who are denied access as a percentage.

Question 26

Define ‘False Acceptance Rate (FAR)’

Answer 26

Measures the number of unauthorized users who are mistakenly allowed access as a percentage.

Question 27

What is the outcome of a high False Rejection Rate (FRR)?

Answer 27

Causes inconvenience to authorized users.

Question 28

What is the outcome of a high False Acceptance Rate (FAR)?

Answer 28

Can lead to security breaches.

Question 29

Define ‘Crossover Error Rate (CER)’

Answer 29

Expressing the point at which FAR and FRR meet, with a low value indicating better performance.

Question 29

Define throughput in biometric authentication performance

Answer 29

Time required to create a template for each user and the time required to authenticate.

Question 30

Define ‘Failure to Enroll Rate (FER)’

Answer 30

Incidents in which a template cannot be created and matched for a user during enrollment.

Question 31

What are user concerns with biometric authentication?

Answer 31

Users can find it intrusive and threatening to privacy; The technology can be discriminatory or inaccessible to those with disabilities.

Question 32

What is the most common form of biometric authentication?

Answer 32

Fingerprint recognition.

Question 33

List the 3 types of tokens in ownership authentication

Answer 33

1. Certificate-Based Authentication
2. One-Time Password (OTP)
3. Fast Identity Online (FIDO) Universal 2nd Factor (U2F)

Question 34

Define ‘Certificate-Based Authentication’

Answer 34

Supplicant provides a private key that can generate a unique signed token verified in the identity provider by the signature via the public key.

Question 35

Define ‘One-Time Password (OTP)’

Answer 35

A token generated for each authentication decision using some sort of hash function on a shared secret value plus a synchronization seed, such as a timestamp; Does not require PKI

Question 36

Define ‘Fast Identity Online (FIDO) Universal 2nd Factor (U2F)’

Answer 36

Uses asymmetric key pairs to register each account.

Question 37

Define the authentication process of ‘Fast Identity Online (FIDO) Universal 2nd Factor (U2F)’

Answer 37

Private key is locked to the U2F device and signs the token; the public key is registered with the authentication server and verifies the token; Does not use PKI because there is no digital cert.

Question 38

Define ‘hard authentication token’

Answer 38

Authentication token generated by a cryptoprocessor on a dedicated hardware device.

Question 39

What makes hard authentication token secure?

Answer 39

As the token is never transmitted directly, this implements an ownership factor within a multifactor authentication scheme.

Question 40

List the 3 types of hard authentication tokens

Answer 40

1. Smart cards
2. One-time password (OTP)
3. Security key

Question 41

Define a ‘Smart card’

Answer 41

A security device similar to a credit card that can store authentication information.

Question 42

What authentication information is stored on a smart card?

Answer 42

User’s digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card.

Question 43

Define a ‘Security key’

Answer 43

Refers to a portable hardware security module (HSM) with a computer interface, such as USB or NFC; Most closely associated with U2F.

Question 44

Define a ‘soft authentication token’

Answer 44

An OTP generated by the identity provider that is transmitted to the supplicant.

Question 45

How can a soft authentication token be made more secure?

Answer 45

With the use of an authenticator app.

Question 46

Define ‘Passwordless Authentication’

Answer 46

Multifactor authentication scheme that uses ownership and biometric factors, but not knowledge factors.

Question 47

What is best practice for securing passwordless authentication?

Answer 47

The authenticator must be trusted and resistant to spoofing or cloning attacks.

Question 48

What concept is used to ensure secure passwordless authentication?

Answer 48

Attestation

Question 49

Define ‘Attestation’ in context of passwordless authentication

Answer 49

Capability of an authenticator to prove that it is a trusted root.

Question 50

How is an authenticator attested?

Answer 50

Each security key is manufactured with an attestation and model ID.

Question 51

Define ‘permissions’ in the context of authorization

Answer 51

Security settings that control access to objects.

Question 52

Define ‘Discretionary access control (DAC)’

Answer 52

Access control model; Each resource is protected by an access control list (ACL) managed by the resource’s owner(s)

Question 53

Why is ‘Discretionary access control (DAC)’ considered insecure?

Answer 53

Makes centralized administration of security policies the most difficult to enforce; Vulnerable to insider threats and abuse of compromised accounts.

Question 54

Define ‘Mandatory access control (MAC)’

Answer 54

Access control model; Object and users are allocated a clearance level - Subjects are permitted to read objects classified at their own clearance level or below.

Question 55

Define ‘Role-based access control (RBAC)’

Answer 55

Access control model; Resources are protected by ACLs that are managed by administrators providing permissions based on job function.

Question 56

What makes ‘Role-based access control (RBAC)’ nondiscretionary?

Answer 56

Right to modify the permissions assigned to each role is reserved to a system owner; Each principal cannot modify the ACL of a resource.

Question 57

Define a ‘security group’

Answer 57

Collection of user accounts to establish Role-based access control (RBAC).

Question 58

Define ‘Attribute-based access control (ABAC)’

Answer 58

Access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.

Question 59

What attributes can be used in Attribute-based access control (ABAC)?

Answer 59

group/role memberships; IP/location; OS version; current patches and AV.

Question 60

Define ‘Rule-based access control’/ nondiscretionary access control

Answer 60

Any access control model where access control policies are determined by system-enforced rules rather than system users; RBAC, ABAC, MAC, conditional access.

Question 61

Define ‘Conditional Access’

Answer 61

Conditional access system monitors account or device behavior throughout a session; If certain conditions are met, it may suspend the account or may require the user to reauthenticate.

Question 62

What makes User Account Control (UAC) a form of conditional access?

Answer 62

User is prompted for confirmation or authentication when making requests that require elevated privileges.

Question 63

Define ‘Least privilege’

Answer 63

Subject should be allocated the minimum necessary rights, privileges, or information to perform its role.

Question 64

Define ‘authorization creep’

Answer 64

Over time, a user acquires more and more rights, either directly or by being added to security groups or roles.

Question 65

Define ‘provisioning’

Answer 65

Process of setting up a service according to a standard procedure or best practice checklist.

Question 66

What are the 5 general steps of provisioning a user account?

Answer 66

1. Identity Proofing
2. Issuing Credentials
3. Issuing Hardware and Software Assets
4. Creating Permissions Assignment
5. Teaching Policy Awareness

Question 67

Define ‘Deprovisioning’

Answer 67

Process of removing an account, host, or application from the production environment; Revoking any access that had been assigned to the subject/object.

Question 68

Define a ‘security identifier (SID)’

Answer 68

A unique value assigned to an account by Windows and that is used by the OS to identify that account.

Question 69

Define ‘group policy objects (GPOs)’

Answer 69

On a Windows domain, a way to deploy per-user and per-computer settings.

Question 70

Define ‘geolocation’

Answer 70

Identification or estimation of the physical location of an object and applying rule based access control.

Question 71

How does geolocation determine the location of a subject/object?

Answer 71

IP address and location services/GPS.

Question 72

Define a ‘time-of-day restrictions’

Answer 72

Establishes authorized login hours for a subject.

Question 73

Define a ‘duration-based login policy’

Answer 73

Establishes maximum amount of time a subject may be logged in for.

Question 74

Define a ‘impossible travel time/risky login policy’

Answer 74

Tracks the location of login events over time. If these do not meet a threshold, the account will be disabled.

Question 75

Define a ‘temporary permissions policy’

Answer 75

Removes an account from a security role or group after a defined period.

Question 76

Define a ‘privileged account’

Answer 76

Can make significant configuration changes to a host, rights to network appliances, application servers, and databases.

Question 77

Define ‘Privileged access management (PAM)’

Answer 77

Policies, procedures, and technical controls to prevent compromise of privileged accounts.

Question 78

Define ‘zero standing privileges (ZSP)’

Answer 78

Permissions are explicitly requested and are only granted for a limited period.

Question 79

List 3 implementations of ‘zero standing privileges (ZSP)’

Answer 79

1. Temporary Elevation
2. Password Vaulting/Brokering
3. Ephemeral Credentials

Question 80

Define ‘Temporary Elevation’

Answer 80

Account gains administrative rights for a limited period; UAC in windows/sudo in Linux.

Question 81

Define ‘Password Vaulting/Brokering’

Answer 81

Privileged account must be “checked out” from a repository and is available for a limited amount of time.

Question 82

Define ‘Ephemeral Credentials’

Answer 82

System generates or enables an account to use to perform the administrative task and then destroys or disables it once the task has been performed.

Question 83

Where are local windows credentials stored?

Answer 83

Security Accounts Manager (SAM) database in the Registry

Question 84

What mechanism compares a subjects submitted plaintext/hash password to the hash value stored in the Security Accounts Manager (SAM) database?

Answer 84

Local Security Authority Subsystem Service (LSASS)

Question 85

What mechanism delivers credentials to Active Directory for authentication?

Answer 85

Local Security Authority Subsystem Service (LSASS)

Question 86

What are examples of remote sign-in?

Answer 86

VPN, enterprise Wi-Fi, web portal.

Question 87

Where are local user account names stored in Linux?

Answer 87

/etc/passwd

Question 88

Where are passwords stored in Linux?

Answer 88

/etc/shadow

Question 89

Define ‘pluggable authentication module (PAM)’

Answer 89

Package for enabling different authentication providers; smart-card log-in, Directory services

Question 90

Define a ‘directory service’

Answer 90

Network service that stores identity information and attributes about all the objects in a particular network; Users, groups, servers, client computers, and printers.

Question 91

What is the most common service used for a directory service?

Answer 91

Lightweight Directory Access Protocol (LDAP)

Question 92

Define ‘Lightweight Directory Access Protocol (LDAP)’

Answer 92

X.500 Protocol used to access network directory databases.

Question 93

Define a ‘distinguished name (DN)’

Answer 93

A collection of attributes that define a unique identifier for any given resource within an X.500-like directory.

Question 94

What makes up a ‘distinguished name (DN)’?

Answer 94

Attribute-value pairs, separated by commas; The most specific attribute is listed first, and successive attributes become progressively broader.

Question 95

Define ‘single sign-on (SSO)’

Answer 95

Authentication technology that enables a user to authenticate once and receive authorizations for multiple services following the initial authentication.

Question 96

Define ‘Kerberos’

Answer 96

A single sign-on authentication and authorization protocol that is based on a time-sensitive, ticket-granting system.

Question 97

Define a ‘key distribution center (KDC)’

Answer 97

A component of Kerberos that authenticates users and issues tickets (tokens).

Question 98

What are the two services that make up key distribution center (KDC)?

Answer 98

1. Authentication Service
2. Ticket Granting Service

Question 99

Who/what can authenticate with Kerberos?

Answer 99

A principal; A user or service

Question 100

Define a ‘Ticket Granting Ticket (TGT)’

Answer 100

Encrypted using KDC’s secret key; A token issued to an authenticated account to allow access to authorized application servers.

Question 101

How is a Ticket Granting Ticket (TGT) requested by a principal (user/service)?

Answer 101

Principal sends the authentication service a request for a TGT by encrypting the time and date with the users password hash as the key.

Question 102

How does a directory service verify a request for Ticket Granting Ticket (TGT)?

Answer 102

If the request hasn’t expired, authentication service checks that the user account is present and the hash in the database matches the decoded hash.

Question 103

What does a principal receive if the authorization service accepts its request for Ticket Granting Ticket (TGT)?

Answer 103

Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) session key.

Question 104

What information is provided in a Ticket Granting Ticket (TGT)?

Answer 104

Name, IP address, time stamp, and validity period.

Question 105

Define a ‘Ticket Granting Service (TGS)’ session key

Answer 105

Encrypted using a hash of the principal’s password; Communicates between the client and the Ticket Granting Service (TGS)

Question 106

Define ‘Federation’

Answer 106

Method of linking a user’s identity across multiple separate identity management systems in different organizations.

Question 107

Define an ‘identity provider (IdP)’

Answer 107

In a federated network, the service that holds the user account and performs authentication.

Question 108

Define ‘Security Assertion Markup Language (SAML)’

Answer 108

An XML-based data format used to exchange authentication information between a client and a service.

Question 109

What language is used to create Security Assertion Markup Language (SAML)?

Answer 109

Written in extensible Markup Language (XML)

Question 110

What protocols are used to establish communications between a client/principal and an identity provider (IdP)?

Answer 110

Using HTTP/HTTPS and Simple Object Access Protocol (SOAP).

Question 111

Define the ‘Simple Object Access Protocol (SOAP)’

Answer 111

XML-based web services protocol used to exchange messages.

Question 112

What mechanism is used to trust an identity provider (IdP)?

Answer 112

A digital signature/certificate

Question 113

Define ‘Representational State Transfer (REST)’

Answer 113

Stateless framework used by application programming interfaces (APIs) for communication and integration.

Question 114

What protocol does a ‘Representational State Transfer (REST)’ API use for authentication and authorization?

Answer 114

Open Authorization (OAuth)

Question 115

Define the ‘Open Authorization (OAuth)’ protocol

Answer 115

Facilitates sharing of data within a user profile between sites.

Question 116

Define ‘JavaScript Object Notation (JSON)’

Answer 116

JavaScript file that uses attribute-value pairs to define configurations .