Lesson 4: Implement Identity and Access Management Flashcards

1
Q

Define Confidentiality in authentication

A

If account credentials are leaked, threat actors can impersonate the account.

2
Q

Define Integrity in authentication

A

The authentication mechanism is reliable and not easy for threat actors to bypass or trick with counterfeit credentials.

3
Q

Define Availability in authentication

A

The time taken to authenticate does not impede workflows, and the mechanism is easy enough for users to operate.

4
Q

Define an ‘authentication factor’

A

Different technologies for implementing authentication

5
Q

List main authentication factors

A

Knowledge (username/password/PIN), ownership/token, and biometric/inherence.

6
Q

Define the term ‘password best practices’

A

Policies that govern the secure selection and maintenance of authentication factors: secrets (length, complexity, age, and reuse), smart cards, and biometric IDs.

7
Q

Define the term ‘account policies’

A

Policies governing user security information, such as password expiration and uniqueness.

8
Q

Define a ‘Password Length’ policy

A

Enforces a min/max length for passwords.

9
Q

Define a ‘Password Complexity’ policy

A

Enforces password entropy; that is, it enforces complex passwords that are not easy to crack.

10
Q

What are examples of password complexity?

A

No use of a username within the password and a combination of at least eight uppercase/lowercase alphanumeric and non-alphanumeric characters.

11
Q

Define a ‘Password Age’ policy

A

Forces the user to select a new password after a set number of days.

12
Q

Define a ‘Password Reuse and History’ policy

A

Prevents the selection of a password that has been used already.

13
Q

Define the purpose of the ‘history’ attribute of a ‘Password Reuse and History’ policy

A

How many previous passwords are blocked from use.

14
Q

Define the purpose of the ‘minimum age’ attribute of a ‘Password Reuse and History’ policy

A

Prevents a user from quickly cycling through password changes to revert to a preferred phrase.

15
Q

Define a ‘password manager’

A

Software that can suggest and store passwords to reduce risks from poor user choices and behavior.

16
Q

What is the purpose of a password manager?

A

To mitigate risk of poor user credential management practices.

17
Q

What are the main risks of using a password manager?

A

Selection of a weak master password, compromise of the vendor’s cloud storage or systems, impersonation attacks.

18
Q

Define ‘multifactor authentication (MFA)’

A

Authentication scheme that requires the user to present at least two different factors as credentials.

19
Q

Define an ‘ownership authentication factor’

A

Something unique you have; smart card, key fob, cryptographic token.

20
Q

Define a ‘biometric/inherence authentication factor’

A

Something you are; fingerprint, retinal scan, facial scan.

21
Q

Define a ‘location-based authentication factor’

A

Somewhere you are; the system applies a location-based factor to an authentication decision based on the subject's location or IP address.

22
Q

What does it take to configure biometric authentication?

A
  1. A sensor module to acquire biometric samples
  2. Extraction module that creates a ‘template’/mathematical representation of the sample
23
Q

Define the process of biometric authentication

A

A user is rescanned and the scan is compared to their initial template.

24
Q

List the 3 metrics that are used to evaluate biometric authentication performance

A
  1. False Rejection Rate (FRR)
  2. False Acceptance Rate (FAR)
  3. Crossover Error Rate (CER)
25
Q

Define ‘False Rejection Rate (FRR)’

A

Measures the number of valid subjects who are denied access as a percentage.

26
Q

Define ‘False Acceptance Rate (FAR)’

A

Measures the number of unauthorized users who are mistakenly allowed access as a percentage.

27
Q

What is the outcome of a high False Rejection Rate (FRR)?

A

Causes inconvenience to authorized users.

28
Q

What is the outcome of a high False Acceptance Rate (FAR)?

A

Can lead to security breaches.

29
Q

Define ‘Crossover Error Rate (CER)’

A

Expresses the point at which FAR and FRR meet; a low value indicates better performance.

29
Q

Define throughput in biometric authentication performance

A

Time required to create a template for each user and the time required to authenticate.

30
Q

Define ‘Failure to Enroll Rate (FER)’

A

Incidents in which a template cannot be created and matched for a user during enrollment.

31
Q

What are user concerns with biometric authentication?

A

Users can find it intrusive and threatening to privacy; the technology can be discriminatory or inaccessible to those with disabilities.

32
Q

What is the most common form of biometric authentication?

A

Fingerprint recognition.

33
Q

List the 3 types of tokens in ownership authentication

A
  1. Certificate-Based Authentication
  2. One-Time Password (OTP)
  3. Fast Identity Online (FIDO) Universal 2nd Factor (U2F)
34
Q

Define ‘Certificate-Based Authentication’

A

The supplicant uses a private key to generate a unique signed token; the identity provider verifies the signature using the corresponding public key.

35
Q

Define ‘One-Time Password (OTP)’

A

A token generated for each authentication decision using some sort of hash function on a shared secret value plus a synchronization seed, such as a timestamp; does not require PKI.

36
Q

Define ‘Fast Identity Online (FIDO) Universal 2nd Factor (U2F)’

A

Uses asymmetric key pairs to register each account.

37
Q

Define the authentication process of ‘Fast Identity Online (FIDO) Universal 2nd Factor (U2F)’

A

The private key is locked to the U2F device and signs the token; the public key is registered with the authentication server and verifies the token. Does not use PKI because there is no digital certificate.

38
Q

Define ‘hard authentication token’

A

Authentication token generated by a cryptoprocessor on a dedicated hardware device.

39
Q

What makes a hard authentication token secure?

A

As the token is never transmitted directly, this implements an ownership factor within a multifactor authentication scheme.

40
Q

List the 3 types of hard authentication tokens

A
  1. Smart cards
  2. One-time password (OTP)
  3. Security key
41
Q

Define a ‘Smart card’

A

A security device similar to a credit card that can store authentication information.

42
Q

What authentication information is stored on a smart card?

A

The user’s digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card.

43
Q

Define a ‘Security key’

A

A portable hardware security module (HSM) with a computer interface, such as USB or NFC; most closely associated with U2F.

44
Q

Define a ‘soft authentication token’

A

An OTP generated by the identity provider that is transmitted to the supplicant.

45
Q

How can a soft authentication token be made more secure?

A

With the use of an authenticator app.

46
Q

Define ‘Passwordless Authentication’

A

Multifactor authentication scheme that uses ownership and biometric factors, but not knowledge factors.

47
Q

What is best practice for securing passwordless authentication?

A

The authenticator must be trusted and resistant to spoofing or cloning attacks.

48
Q

What concept is used to ensure secure passwordless authentication?

A

Attestation

49
Q

Define ‘Attestation’ in context of passwordless authentication

A

Capability of an authenticator to prove that it is a trusted root.

50
Q

How is an authenticator attested?

A

Each security key is manufactured with an attestation and model ID.

51
Q

Define ‘permissions’ in the context of authorization

A

Security settings that control access to objects.

52
Q

Define ‘Discretionary access control (DAC)’

A

Access control model; each resource is protected by an access control list (ACL) managed by the resource’s owner(s).

53
Q

Why is ‘Discretionary access control (DAC)’ considered insecure?

A

Makes centralized administration of security policies the most difficult to enforce; vulnerable to insider threats and abuse of compromised accounts.

54
Q

Define ‘Mandatory access control (MAC)’

A

Access control model; objects and users are allocated a clearance level, and subjects are permitted to read objects classified at their own clearance level or below.

55
Q

Define ‘Role-based access control (RBAC)’

A

Access control model; resources are protected by ACLs that are managed by administrators, who grant permissions based on job function.

56
Q

What makes ‘Role-based access control (RBAC)’ nondiscretionary?

A

The right to modify the permissions assigned to each role is reserved to a system owner; principals cannot modify the ACL of a resource.

57
Q

Define a ‘security group’

A

Collection of user accounts to establish Role-based access control (RBAC).

58
Q

Define ‘Attribute-based access control (ABAC)’

A

Access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.

59
Q

What attributes can be used in Attribute-based access control (ABAC)?

A

Group/role memberships; IP address/location; OS version; current patches and AV.

60
Q

Define ‘Rule-based access control’ / nondiscretionary access control

A

Any access control model where access control policies are determined by system-enforced rules rather than system users; RBAC, ABAC, MAC, conditional access.

61
Q

Define ‘Conditional Access’

A

A conditional access system monitors account or device behavior throughout a session; if certain conditions are met, it may suspend the account or require the user to reauthenticate.

62
Q

What makes User Account Control (UAC) a form of conditional access?

A

The user is prompted for confirmation or authentication when making requests that require elevated privileges.

63
Q

Define ‘Least privilege’

A

A subject should be allocated the minimum necessary rights, privileges, or information to perform its role.

64
Q

Define ‘authorization creep’

A

Over time, a user acquires more and more rights, either directly or by being added to security groups or roles.

65
Q

Define ‘provisioning’

A

Process of setting up a service according to a standard procedure or best practice checklist.

66
Q

What are the 5 general steps of provisioning a user account?

A
  1. Identity Proofing
  2. Issuing Credentials
  3. Issuing Hardware and Software Assets
  4. Creating Permissions Assignment
  5. Teaching Policy Awareness
67
Q

Define ‘Deprovisioning’

A

Process of removing an account, host, or application from the production environment, revoking any access that had been assigned to the subject/object.

68
Q

Define a ‘security identifier (SID)’

A

A unique value that Windows assigns to an account and that the OS uses to identify that account.

69
Q

Define ‘group policy objects (GPOs)’

A

On a Windows domain, a way to deploy per-user and per-computer settings.

70
Q

Define ‘geolocation’

A

Identification or estimation of the physical location of an object, used to apply rule-based access control.

71
Q

How does geolocation determine the location of a subject/object?

A

IP address and location services/GPS.

72
Q

Define ‘time-of-day restrictions’

A

Establishes authorized login hours for a subject.

73
Q

Define a ‘duration-based login policy’

A

Establishes the maximum amount of time a subject may be logged in.

74
Q

Define an ‘impossible travel time/risky login policy’

A

Tracks the location of login events over time. If these do not meet a threshold, the account will be disabled.

75
Q

Define a ‘temporary permissions policy’

A

Removes an account from a security role or group after a defined period.

76
Q

Define a ‘privileged account’

A

An account that can make significant configuration changes to a host, or that has rights to network appliances, application servers, and databases.

77
Q

Define ‘Privileged access management (PAM)’

A

Policies, procedures, and technical controls to prevent compromise of privileged accounts.

78
Q

Define ‘zero standing privileges (ZSP)’

A

Permissions are explicitly requested and are only granted for a limited period.

79
Q

List 3 implementations of ‘zero standing privileges (ZSP)’

A
  1. Temporary Elevation
  2. Password Vaulting/Brokering
  3. Ephemeral Credentials
80
Q

Define ‘Temporary Elevation’

A

The account gains administrative rights for a limited period; UAC in Windows, sudo in Linux.

81
Q

Define ‘Password Vaulting/Brokering’

A

The privileged account must be “checked out” from a repository and is available for a limited amount of time.

82
Q

Define ‘Ephemeral Credentials’

A

The system generates or enables an account for performing the administrative task, then destroys or disables it once the task has been performed.

83
Q

Where are local Windows credentials stored?

A

Security Accounts Manager (SAM) database in the Registry

84
Q

What mechanism compares a subject's submitted plaintext/hashed password to the hash value stored in the Security Accounts Manager (SAM) database?

A

Local Security Authority Subsystem Service (LSASS)

85
Q

What mechanism delivers credentials to Active Directory for authentication?

A

Local Security Authority Subsystem Service (LSASS)

86
Q

What are examples of remote sign-in?

A

VPN, enterprise Wi-Fi, web portal.

87
Q

Where are local user account names stored in Linux?

A

/etc/passwd

88
Q

Where are passwords stored in Linux?

A

/etc/shadow

89
Q

Define ‘pluggable authentication module (PAM)’

A

Package for enabling different authentication providers, such as smart-card login and directory services.

90
Q

Define a ‘directory service’

A

Network service that stores identity information and attributes about all the objects in a particular network: users, groups, servers, client computers, and printers.

91
Q

What is the most common service used for a directory service?

A

Lightweight Directory Access Protocol (LDAP)

92
Q

Define ‘Lightweight Directory Access Protocol (LDAP)’

A

X.500-based protocol used to access network directory databases.

93
Q

Define a ‘distinguished name (DN)’

A

A collection of attributes that define a unique identifier for any given resource within an X.500-like directory.

94
Q

What makes up a ‘distinguished name (DN)’?

A

Attribute-value pairs, separated by commas; the most specific attribute is listed first, and successive attributes become progressively broader.

95
Q

Define ‘single sign-on (SSO)’

A

Authentication technology that enables a user to authenticate once and receive authorizations for multiple services following the initial authentication.

96
Q

Define ‘Kerberos’

A

A single sign-on authentication and authorization protocol that is based on a time-sensitive, ticket-granting system.

97
Q

Define a ‘key distribution center (KDC)’

A

A component of Kerberos that authenticates users and issues tickets (tokens).

98
Q

What are the two services that make up key distribution center (KDC)?

A
  1. Authentication Service
  2. Ticket Granting Service
99
Q

Who/what can authenticate with Kerberos?

A

A principal; that is, a user or service.

100
Q

Define a ‘Ticket Granting Ticket (TGT)’

A

A token issued to an authenticated account to allow access to authorized application servers; encrypted using the KDC’s secret key.

101
Q

How is a Ticket Granting Ticket (TGT) requested by a principal (user/service)?

A

The principal sends the authentication service a request for a TGT by encrypting the time and date with the user's password hash as the key.

102
Q

How does a directory service verify a request for Ticket Granting Ticket (TGT)?

A

If the request hasn’t expired, the authentication service checks that the user account is present and that the hash in the database matches the decoded hash.

103
Q

What does a principal receive if the authorization service accepts its request for Ticket Granting Ticket (TGT)?

A

Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) session key.

104
Q

What information is provided in a Ticket Granting Ticket (TGT)?

A

Name, IP address, time stamp, and validity period.

105
Q

Define a ‘Ticket Granting Service (TGS)’ session key

A

Encrypted using a hash of the principal’s password; used for communication between the client and the Ticket Granting Service (TGS).

106
Q

Define ‘Federation’

A

Method of linking a user’s identity across multiple separate identity management systems in different organizations.

107
Q

Define an ‘identity provider (IdP)’

A

In a federated network, the service that holds the user account and performs authentication.

108
Q

Define ‘Security Assertion Markup Language (SAML)’

A

An XML-based data format used to exchange authentication information between a client and a service.

109
Q

What language is used to create Security Assertion Markup Language (SAML)?

A

Extensible Markup Language (XML)

110
Q

What protocols are used to establish communications between a client/principal and an identity provider (IdP)?

A

HTTP/HTTPS and Simple Object Access Protocol (SOAP).

111
Q

Define the ‘Simple Object Access Protocol (SOAP)’

A

XML-based web services protocol used to exchange messages.

112
Q

What mechanism is used to trust an identity provider (IdP)?

A

A digital signature/certificate

113
Q

Define ‘Representational State Transfer (REST)’

A

Stateless framework used by application programming interfaces (APIs) for communication and integration.

114
Q

What protocol does a ‘Representational State Transfer (REST)’ API use for authentication and authorization?

A

Open Authorization (OAuth)

115
Q

Define the ‘Open Authorization (OAuth)’ protocol

A

Facilitates sharing of data within a user profile between sites.

116
Q

Define ‘JavaScript Object Notation (JSON)’

A

JavaScript file that uses attribute-value pairs to define configurations.