Lesson 7 - Implementing Authentication Controls Flashcards

1
Q

A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.

A

identity and access management (IAM)

2
Q

The process by which a user account (and its credentials) is issued to the correct person. Sometimes referred to as enrollment.

A

Identification

3
Q

A method of validating a particular entity’s or individual’s unique credentials.

A

Authentication

4
Q

The process of determining what rights and privileges a particular entity has.

A

Authorization

5
Q

Tracking authorized usage of a resource or use of rights by a subject and alerting when unauthorized use is detected or attempted

A

Accounting

6
Q

A security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.

A

authentication, authorization, and accounting (AAA).

7
Q

Number used in conjunction with authentication devices such as smart cards; as the PIN should be known only to the user, loss of the smart card should not represent a security risk.

A

personal identification number (PIN)

8
Q

An authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.

A

multifactor authentication (MFA)

9
Q

A challenge-response authentication protocol created by Microsoft for use in its products.

A

NT LAN Manager (NTLM) authentication
The preferred system for network authentication is based on Kerberos, but legacy network applications might use NT LAN Manager (NTLM) authentication.

10
Q

Framework for implementing authentication providers in Linux.

A

pluggable authentication module (PAM)

11
Q

An authentication technology that enables a user to authenticate once and receive authorizations for multiple services.

A

single sign-on (SSO)

12
Q

A single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.

A

Kerberos

13
Q

Component of Kerberos that authenticates users and issues tickets (tokens).

A

Key Distribution Center (KDC)
There are two services that make up a KDC: the Authentication Service and the Ticket Granting Service.
The KDC runs on port 88 using TCP or UDP.

14
Q

In Kerberos, a token issued to an authenticated account to allow access to authorized application servers.

A

Ticket Granting Ticket (TGT)
The Ticket Granting Ticket (TGT; or user ticket) is time-stamped (under Windows, they have a default maximum age of 10 hours). This means that workstations and servers on the network must be synchronized (to within five minutes) or a ticket will be rejected. This helps prevent replay attacks.
Ticket Granting Ticket (TGT)—this contains information about the client (name and IP address) plus a timestamp and validity period. This is encrypted using the KDC’s secret key.
TGS session key for use in communications between the client and the Ticket Granting Service (TGS). This is encrypted using a hash of the user’s password.
All the TGT does is identify who you are and confirm that you have been authenticated—it does not provide you with access to any domain resources.

15
Q

Obsolete authentication mechanism used with PPP that transfers the password in plaintext and so is vulnerable to eavesdropping.

A

Password Authentication Protocol (PAP)

16
Q

Authentication scheme developed for dial-up networks that uses a three-way handshake: the server sends a random challenge, the client returns an MD5 hash of the challenge combined with the shared secret, and the server compares that to its own computation, so the secret itself never crosses the link. The challenge-response is repeated throughout the connection (transparently to the user) to guard against replay attacks.

A

Challenge Handshake Authentication Protocol (CHAP)
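
The handshake described above, simulated in one process as an added example (not part of the original flashcard set). It follows RFC 1994 (Response = MD5(Identifier || secret || Challenge)); the `Authenticator` and `Peer` classes, the peer name and the shared secret are assumptions for illustration. It also shows why a fresh challenge defeats replay, and why a passive eavesdropper can still test guesses offline against a captured challenge/response pair, which is the reason the next card says CHAP-family methods belong inside a secure tunnel.

```python
"""CHAP (RFC 1994) three-way handshake, simulated end to end."""
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge value)
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The server side: issues challenges and checks responses."""

    def __init__(self, secrets):
        self.secrets = secrets        # name -> shared secret (assumed store)
        self.identifier = 0
        self.outstanding = {}         # identifier -> challenge still awaiting a response

    def challenge(self, size=16, rng=os.urandom):
        self.identifier = (self.identifier + 1) & 0xFF
        chal = rng(size)              # unique, unpredictable per handshake
        self.outstanding[self.identifier] = chal
        return self.identifier, chal

    def verify(self, identifier, name, response):
        chal = self.outstanding.pop(identifier, None)   # each challenge is single use
        if chal is None or name not in self.secrets:
            return False
        expected = chap_response(identifier, self.secrets[name], chal)
        return hmac.compare_digest(expected, response)


class Peer:
    """The client side: proves knowledge of the secret without sending it."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def respond(self, identifier, chal):
        return identifier, self.name, chap_response(identifier, self.secret, chal)


def run_handshake(auth, peer):
    """Challenge -> Response -> Success/Failure."""
    ident, chal = auth.challenge()
    ident, name, resp = peer.respond(ident, chal)
    return auth.verify(ident, name, resp)


def replay_attack(auth, captured):
    """Replaying a sniffed (id, name, response) against a new challenge fails."""
    ident, _ = auth.challenge()
    _, name, resp = captured
    return auth.verify(ident, name, resp)


def offline_guess(captured, challenge, guesses):
    """An eavesdropper holding challenge + response can test secrets offline."""
    ident, _, resp = captured
    for g in guesses:
        if chap_response(ident, g, challenge) == resp:
            return g
    return None


if __name__ == "__main__":
    auth = Authenticator({"alice": b"s3cret"})
    print("valid peer:", run_handshake(auth, Peer("alice", b"s3cret")))
    print("wrong secret:", run_handshake(auth, Peer("alice", b"guess")))
```

The offline-guess function is the practical caveat: CHAP hides the secret on the wire but a weak secret falls to a dictionary once one exchange is captured, so the protocol's strength is bounded by the secret's entropy and by whether the exchange is itself encrypted.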

17
Q

Implementation of CHAP created by Microsoft for use in its products.

A

MS-CHAPv2
Because of the way it uses vulnerable NTLM hashes, MS-CHAP should not be deployed without the protection of a secure connection tunnel so that the credentials being passed are encrypted.

18
Q

Brute force attack in which a small set of common passwords is tried against many user accounts, keeping the attempts per account below the lockout threshold.

A

Password Spraying
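
Detection logic for the pattern just defined, run over constructed log lines, as an added example that is not part of the original flashcard set. The log format, the thresholds and the IP addresses are assumptions for illustration; a spray shows up as one source failing against many distinct accounts with only one or two attempts each, whereas a classic brute force hammers one account from one source.

```python
"""Password-spray detection over constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): ISO timestamp, result, user, source IP.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-03-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-03-01T09:00:03 FAIL user=carol src=203.0.113.7
2024-03-01T09:00:04 FAIL user=dave src=203.0.113.7
2024-03-01T09:00:05 FAIL user=erin src=203.0.113.7
2024-03-01T09:00:06 OK user=frank src=203.0.113.7
2024-03-01T09:00:10 FAIL user=alice src=198.51.100.2
2024-03-01T09:00:11 FAIL user=alice src=198.51.100.2
2024-03-01T09:00:12 FAIL user=alice src=198.51.100.2
2024-03-01T09:00:13 FAIL user=alice src=198.51.100.2
2024-03-01T09:00:14 FAIL user=alice src=198.51.100.2
2024-03-01T09:00:15 FAIL user=alice src=198.51.100.2
2024-03-01T09:30:00 FAIL user=grace src=192.0.2.9
"""


def parse_line(line):
    """Return (timestamp, result, user, src) for one constructed log line."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def load_events(log_text):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Sources that, inside `window`, failed against >= min_accounts distinct users
    with at most max_per_account failures each. Successful logons from the same
    source are reported too: a spray that landed is the finding that matters."""
    fails, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in load_events(log_text):
        (fails if result == "FAIL" else successes)[src].append((ts, user))
    findings = {}
    for src, f in fails.items():
        start = 0
        for end in range(len(f)):
            while f[end][0] - f[start][0] > window:   # slide the window start forward
                start += 1
            per_user = defaultdict(int)
            for _, u in f[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[src] = {"accounts": sorted(per_user),
                                 "successes": sorted(u for _, u in successes[src])}
                break
    return findings


def detect_bruteforce(log_text, threshold=5):
    """Contrast case: one source, one account, many failures."""
    counts = defaultdict(int)
    for _, result, user, src in load_events(log_text):
        if result == "FAIL":
            counts[(src, user)] += 1
    return {k: v for k, v in counts.items() if v >= threshold}


if __name__ == "__main__":
    print("spray:", detect_spray(SAMPLE_LOG))
    print("brute force:", detect_bruteforce(SAMPLE_LOG))
```

Per-account lockout counters never fire on the first source because each account sees one failure; only the per-source, cross-account view surfaces it.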

19
Q

A type of password attack in which an attacker uses an application to exhaustively try every possible character combination, at increasing lengths, until a candidate hashes to the captured password hash; the cost grows exponentially with password length and character-set size.

A

Brute-Force Attack

20
Q

A type of password attack that hashes each entry in a predetermined list of likely passwords (a wordlist) and compares the results against the captured password hashes.

A

Dictionary Attack

21
Q

Tool for speeding up attacks against unsalted password hashes (Windows NTLM hashes being the classic target) by precomputing chains of hashes, so that a captured hash can be looked up rather than recomputed; per-user salting defeats the precomputation.

A

Rainbow Table Attack

22
Q

An attack that combines methods when trying to crack a password, typically a dictionary list with brute-force-style mutations (appended digits or years, substituted symbols, case changes), and possibly rainbow tables as well.

A

Hybrid Attack
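
The four offline attacks on cards 19 to 22 side by side, on constructed data, as an added example that is not part of the original flashcard set. The "dump", the wordlist, the mangling rules and the salt are assumptions for illustration; SHA-256 stands in for whatever unsalted fast hash a real dump might use. The lookup-table part shows the point behind rainbow tables: precomputation pays off only when the same password always yields the same hash, which a per-user salt breaks.

```python
"""Dictionary, hybrid, brute-force and precomputed-table attacks on constructed hashes."""
import hashlib
import itertools
import string


def h(pw: str, salt: bytes = b"") -> str:
    # Fast unsalted hash, for illustration only; real systems want bcrypt/scrypt/Argon2.
    return hashlib.sha256(salt + pw.encode()).hexdigest()


WORDLIST = ["password", "welcome", "summer", "letmein", "dragon"]   # constructed

# Constructed "dump" of unsalted hashes for three passwords of increasing strength.
UNSALTED_DUMP = {
    "alice": h("summer"),
    "bob":   h("Welcome1!"),
    "carol": h("zq7"),
}
SALT = bytes.fromhex("a1b2c3d4e5f60718")   # constructed per-user salt


def mangle(word):
    """Hybrid rules: case variants, appended digits/years/symbols, leet substitutions."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "2023", "2024", "!", "1!"):
            yield base + suffix
        yield base.replace("a", "@").replace("o", "0")


def dictionary_attack(dump, wordlist):
    cracked = {}
    for user, digest in dump.items():
        for w in wordlist:
            if h(w) == digest:
                cracked[user] = w
                break
    return cracked


def hybrid_attack(dump, wordlist):
    cracked = {}
    for user, digest in dump.items():
        for w in wordlist:
            hit = next((c for c in mangle(w) if h(c) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


def brute_force(digest, alphabet=string.ascii_lowercase + string.digits, max_len=3):
    """Exhaustive search up to max_len characters; work is sum(|alphabet|**n)."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if h(cand) == digest:
                return cand
    return None


def build_lookup_table(wordlist):
    """Precomputed hash -> password map (the work a rainbow table amortises)."""
    return {h(w): w for w in wordlist}


def lookup_attack(table, digest):
    return table.get(digest)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("dictionary:", dictionary_attack(UNSALTED_DUMP, WORDLIST))
    print("hybrid:    ", hybrid_attack(UNSALTED_DUMP, WORDLIST))
    print("brute:     ", brute_force(UNSALTED_DUMP["carol"]))
    print("table, unsalted:", lookup_attack(table, h("summer")))
    print("table, salted:  ", lookup_attack(table, h("summer", SALT)))
```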

23
Q

A device similar to a credit card that can store authentication information, such as a user’s private key, on an embedded microchip.

A

Smart-card authentication

24
Q

A secure cryptoprocessor enclave implemented on a PC, laptop, smartphone, or network appliance.

A

Trusted Platform Module (TPM)

25
Q

An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.

A

Hardware Security Module (HSM)

26
Q

Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.

A

Extensible Authentication Protocol (EAP)

27
Q

A standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication.

A

IEEE 802.1X
Where EAP provides the authentication mechanisms, the IEEE 802.1X Port-based Network Access Control (NAC) protocol provides the means of using an EAP method when a device connects to an Ethernet switch port, wireless access point (with enterprise authentication configured), or VPN gateway. 802.1X uses the authentication, authorization, and accounting (AAA) architecture.

28
Q

In EAP architecture, the device requesting access to the network.

A

Supplicant
the device requesting access, such as a user’s PC or laptop.

29
Q

A PNAC switch or router that activates EAPoL and passes a supplicant’s authentication data to an authenticating server, such as a RADIUS server.

A

Authenticators.
Also referred to as RADIUS clients.

30
Q

The authentication server, positioned within the local network.

A

AAA server
authentication, authorization, and accounting (AAA) architecture
With AAA, the NAS devices do not have to store any authentication credentials. They forward this data between the AAA server and the supplicant.

31
Q

There are two main types of AAA server:

A

RADIUS and TACACS+

32
Q

A standard protocol used to manage remote and wireless authentication infrastructures.

A

Remote Authentication Dial-in User Service (RADIUS)
RADIUS supports PAP, CHAP, and EAP. Most implementations now use EAP, as PAP and CHAP are not secure.
It sends the Access-Request to the AAA server using UDP on port 1812 (by default).
Optionally, the NAS can use RADIUS for accounting (logging). Accounting uses port 1813. The accounting server can be different from the authentication server.
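
The Access-Request/Access-Accept exchange on UDP 1812 that the card describes, built byte for byte as an added example (not part of the original flashcard set). It follows RFC 2865: the packet header, the User-Name and User-Password attributes, the MD5-based hiding of the PAP password under the shared secret and request authenticator, and the response authenticator the client checks. The shared secret, user database and fixed request authenticator are assumptions for illustration; no sockets are used, the NAS and server are two functions in one process. It also makes the card's "PAP is not secure" concrete: anyone holding the shared secret (or who can brute-force it from a capture) recovers the password.

```python
"""RADIUS (RFC 2865) Access-Request with PAP, NAS and server in one process."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute type codes


def attr(atype: int, value: bytes) -> bytes:
    # Attribute = Type (1) | Length (1, includes header) | Value
    return bytes([atype, len(value) + 2]) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16n, then c_i = p_i XOR MD5(secret || c_{i-1}), c_0 = RA."""
    p = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(p), 16):
        b = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(p[i:i + 16], b))
        out += chunk
        prev = chunk
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def access_request(ident, username, password, secret, authenticator=None):
    """NAS side: build the Access-Request; return it with the request authenticator."""
    ra = authenticator or os.urandom(16)      # must be unpredictable per request
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(password, secret, ra))
    header = struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def parse_attrs(data):
    i, out = 0, {}
    while i < len(data):
        t, l = data[i], data[i + 1]
        out[t] = data[i + 2:i + l]
        i += l
    return out


def server_handle(packet, secret, users):
    """AAA server side: recover the password, decide, sign the response."""
    code, ident, length = struct.unpack(">BBH", packet[:4])
    ra, attrs = packet[4:20], parse_attrs(packet[20:length])
    pw = reveal_password(attrs[USER_PASSWORD], secret, ra)
    resp_code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == pw else ACCESS_REJECT
    resp_attrs = b""
    header = struct.pack(">BBH", resp_code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    resp_auth = hashlib.md5(header + ra + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def client_check_response(response, request_auth, secret):
    """NAS side: verify the response came from a holder of the secret; return (ok, code)."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth), response[0]


if __name__ == "__main__":
    secret, users = b"testing123", {b"alice": b"hunter2"}    # assumed values
    pkt, ra = access_request(7, b"alice", b"hunter2", secret)
    print(client_check_response(server_handle(pkt, secret, users), ra, secret))
```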

33
Q

A port-based network access control (PNAC) mechanism that allows the use of EAP authentication when a host connects to an Ethernet switch.

A

EAP over LAN (EAPoL)

34
Q

An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.

A

Terminal Access Controller Access-Control System Plus (TACACS+)
TACACS+ uses TCP communications (over port 49), and this reliable, connection-oriented delivery makes it easier to detect when a server is down.
Authentication, authorization, and accounting functions are discrete.

35
Q

A physical or virtual item that contains authentication and/or authorization data, commonly used in multifactor authentication.

A

Token

36
Q

A password that is generated for use in one specific session and becomes invalid after the session ends.

A

one-time password (OTP)

37
Q

An industry body comprising the main PKI providers, such as Verisign and Entrust, that was established with the aim of developing an open, strong authentication framework.

A

Initiative for Open Authentication (OATH)

38
Q

An algorithm that generates a one-time password by computing a hash-based message authentication code (HMAC) over a shared secret and an incrementing counter, then truncating the result to a short decimal code.

A

HMAC-based One-time Password Algorithm (HOTP)

39
Q

An improvement on HOTP that replaces the counter with the current time divided into fixed steps (typically 30 seconds), so that each one-time password expires after a short period of time.

A

Time-based One-time Password Algorithm (TOTP)
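
Both algorithms from the two cards above, implemented with the standard library as an added example that is not part of the original flashcard set. The HOTP and TOTP code follows RFC 4226 and RFC 6238 and reproduces their published test vectors for the 20-byte ASCII secret "12345678901234567890"; the `HotpValidator` look-ahead window and the TOTP clock-skew tolerance are design choices of this example, shown because they are where real deployments get replay handling wrong.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with verification-side safeguards."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, digestmod).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step=30, t0=0, digits=6, digestmod=hashlib.sha1) -> str:
    if for_time is None:
        for_time = time.time()
    counter = int((for_time - t0) // step)                 # time step replaces the counter
    return hotp(secret, counter, digits, digestmod)


def verify_totp(secret, code, for_time=None, step=30, skew=1, digits=6) -> bool:
    """Accept the current step and +/- skew neighbours to absorb clock drift."""
    if for_time is None:
        for_time = time.time()
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, for_time + k * step, step, 0, digits), code):
            return True
    return False


class HotpValidator:
    """Server-side HOTP state: look-ahead window for resync, never accept a reused counter."""

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret, self.window, self.digits = secret, window, digits
        self.counter = 0                                   # next counter value expected

    def validate(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                self.counter = c + 1                       # resync and burn everything below
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"                       # RFC test-vector secret
    print([hotp(secret, c) for c in range(3)])            # 755224 287082 359152
    print(totp(secret, 59, digits=8))                      # 94287082
```

The validator only ever moves its counter forward, so a code captured from a token and replayed later is rejected even if it falls inside the look-ahead window; TOTP gets the same property only if the server additionally records the last accepted time step, which this example leaves to the caller.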

40
Q

Generate a software token on a server and send it to a resource assumed to be safely controlled by the user. The token can be transmitted to the device in a number of ways:

A

2-step verification or out-of-band mechanisms
Ways:
Short Message Service (SMS)
Phone call
Push notification
Email

41
Q

Physical characteristics stored as a digital data template can be used to authenticate a user. Typical features used include facial pattern, iris, retina, and fingerprint pattern, plus behavioral traits such as signature recognition.

A

biometric authentication

42
Q

Biometric assessment metric that measures the proportion of valid subjects who are wrongly denied access.

A

False Rejection Rate (FRR)
Where a legitimate user is not recognized.
This is also referred to as a Type I error or false non-match rate (FNMR).
FRR is measured as a percentage.

43
Q

Biometric assessment metric that measures the proportion of unauthorized users who are mistakenly allowed access.

A

False Acceptance Rate (FAR)
Where an interloper is accepted (Type II error or false match rate [FMR]).
FAR is measured as a percentage.

44
Q

Biometric evaluation factor expressing the point at which FAR and FRR meet, with a low value indicating better performance.

A

Crossover Error Rate (CER)
The point at which FRR and FAR meet.
The lower the CER, the more efficient and reliable the technology.
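
How FRR, FAR and the CER of the three cards above come out of a matching-score threshold, as an added example that is not part of the original flashcard set. The genuine and impostor scores are constructed, not measured from any real sensor; the sweep generalizes the cards' definitions by also picking an operating threshold for a chosen FAR ceiling, which is how a security-sensitive deployment actually tunes a device.

```python
"""FRR, FAR and crossover error rate from constructed match scores."""

# Constructed scores on a 0-100 similarity scale (higher = closer match).
# GENUINE: enrolled users matched against their own template.
# IMPOSTOR: other people matched against that template.
GENUINE = [92, 88, 85, 81, 79, 77, 74, 70, 66, 60]
IMPOSTOR = [25, 31, 38, 44, 50, 55, 61, 65, 71, 78]


def frr(genuine, threshold):
    """Type I / FNMR: share of legitimate users whose score falls below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(impostor, threshold):
    """Type II / FMR: share of impostors whose score reaches the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def error_curve(genuine, impostor):
    """(threshold, FRR, FAR) for every distinct score; raising the threshold
    lowers FAR and raises FRR, which is the trade-off the CER summarizes."""
    thresholds = sorted(set(genuine) | set(impostor))
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover(genuine, impostor):
    """Threshold where FRR and FAR are closest; CER is their mean there."""
    t, fr, fa = min(error_curve(genuine, impostor), key=lambda r: abs(r[1] - r[2]))
    return t, (fr + fa) / 2


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR paid for it."""
    for t, fr, fa in error_curve(genuine, impostor):
        if fa <= max_far:
            return t, fr
    return None


if __name__ == "__main__":
    for row in error_curve(GENUINE, IMPOSTOR):
        print("threshold %3d  FRR %.1f  FAR %.1f" % row)
    print("CER:", crossover(GENUINE, IMPOSTOR))
    print("FAR<=10%:", threshold_for_max_far(GENUINE, IMPOSTOR, 0.10))
```

Comparing two devices by CER is fair only when both are measured on the same population; in operation a door to a server room is tuned for low FAR and accepts the higher FRR, while a high-throughput turnstile does the opposite.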

45
Q

The time required to create a template for each user and the time required to authenticate. This is a major consideration for high-traffic access points, such as airports or railway stations.

A

Throughput (speed)

46
Q

Incidents in which a template cannot be created and matched for a user during enrollment.

A

Failure to Enroll Rate (FER)

47
Q

Biometric authentication device that can produce a template signature of a user’s fingerprint then subsequently compare the template to the digit submitted for authentication.

A

Fingerprint scanners

48
Q

Scanning in which an infrared light is shone into the eye to identify the pattern of blood vessels at the back of the eye.

A

Retinal scan

49
Q

Scanning that matches patterns on the surface of the eye using near-infrared imaging and so is less intrusive than retinal scanning (the subject can continue to wear glasses, for instance) and a lot quicker.

A

Iris scan

50
Q

Biometric mechanism that identifies a subject based on movement pattern.

A

Gait analysis