Lesson 8 - Implementing Identity and Account Management Controls Flashcards
The process of bringing in a new employee, contractor, or supplier.
Onboarding
An agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.
nondisclosure agreement (NDA)
A concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.
Separation of Duties
A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.
Least Privilege
The policy of preventing any one individual from performing the same role or tasks for too long. This deters fraud and provides better oversight of the person's duties.
Job Rotation
The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.
Mandatory Vacation
The process of ensuring that all HR and other requirements are covered when an employee leaves an organization.
Offboarding (including an exit interview)
A collection of user accounts, useful when establishing file permissions and user rights: when many individuals need the same level of access, a group can be established containing all the relevant users and the rights assigned once to the group rather than to each account.
Security group account
Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access.
default account
A host or network account that is designed to run a background service, rather than to log on interactively.
Service accounts
The value assigned to an account by Windows and that is used by the operating system to identify that account.
Security Identifier (SID)
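The SID card above says only that the value identifies the account. In practice the useful part of a SID is its structure, because the last component (the RID) is fixed for built-in accounts even when the account is renamed. The following parser is an added example and is not part of the flashcards; the SID strings in the test are constructed, not real domain values.

```python
"""Added example (not from the flashcards): parse a Windows Security
Identifier (SID) string and flag well-known RIDs, so a renamed built-in
Administrator (RID 500) is still recognised.  Domain sub-authorities used
in the tests are constructed, not real."""

import re
from typing import List, NamedTuple, Optional

# RIDs that Windows reserves for well-known accounts in every domain or
# local SAM.  These values are fixed by Windows, not an assumption.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


class SID(NamedTuple):
    revision: int
    identifier_authority: int
    sub_authorities: List[int]

    @property
    def rid(self) -> Optional[int]:
        """The last sub-authority (the RID), or None for authority-only SIDs."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain_prefix(self) -> str:
        """The SID without its RID: identifies the domain or local machine."""
        parts = ["S", str(self.revision), str(self.identifier_authority)]
        parts += [str(s) for s in self.sub_authorities[:-1]]
        return "-".join(parts)


def parse_sid(text: str) -> SID:
    """Parse 'S-1-5-21-...-500' into revision, authority and sub-authorities."""
    m = SID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-") if s]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(subs) > 15:  # Windows caps a SID at 15 sub-authorities
        raise ValueError("too many sub-authorities")
    return SID(revision, authority, subs)


def well_known_name(sid: SID) -> Optional[str]:
    """Return the well-known account name for a domain/machine account SID
    (authority 5 = NT Authority, first sub-authority 21 = domain/machine
    accounts), regardless of what the account has been renamed to."""
    if sid.identifier_authority == 5 and sid.sub_authorities[:1] == [21]:
        return WELL_KNOWN_RIDS.get(sid.rid)
    return None
```

A detection rule keyed on `rid == 500` under the organisation's own domain prefix catches use of the built-in Administrator account even after it has been renamed, which a rule keyed on the account name would miss.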
On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.
Group Policy Objects (GPOs)
A set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.
Account policies
The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.
Geolocation
The practice of creating a virtual boundary based on real-world geography.
Geofencing
The addition of location metadata to files or devices.
Geotagging
Policies or configuration settings that limit a user's access to resources to particular hours (for example, permitting logon only during the user's normal working hours).
Time of day policy
An employee who gains more and more access privileges the longer they remain with the organization.
Authorization Creep
The periodic review of an account's privileges to confirm they are still required. If a user has moved to a new job, old privileges may need to be revoked and new ones granted.
Recertification
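Authorization creep and recertification are two sides of one control: the review is what finds the leftover privileges. The following pass over a directory export is an added example and is not part of the flashcards; the roles, users and entitlement names are constructed samples.

```python
"""Added example (not from the flashcards): a recertification pass that
compares each user's current entitlements with the baseline for their
current role, surfacing privileges left over from earlier roles
(authorization creep) for revocation.  All roles, users and entitlement
names below are constructed samples."""

from typing import Dict, List, Set, Tuple

# Baseline entitlements per role: what the role needs and nothing more.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "helpdesk": {"ad:reset-password", "ticketing:agent"},
    "sysadmin": {"ad:reset-password", "ad:domain-admins", "vpn:full"},
    "developer": {"git:push", "ci:run", "vpn:full"},
}

# Constructed directory export: (user, current role, entitlements held now).
USERS: List[Tuple[str, str, Set[str]]] = [
    ("alice", "developer", {"git:push", "ci:run", "vpn:full"}),
    # bob moved from sysadmin to helpdesk but kept Domain Admins.
    ("bob", "helpdesk", {"ad:reset-password", "ticketing:agent", "ad:domain-admins"}),
    # carol moved from helpdesk to developer; still an agent, never given ci:run.
    ("carol", "developer", {"git:push", "vpn:full", "ticketing:agent"}),
]


def find_creep(users=USERS, baseline=ROLE_BASELINE) -> Dict[str, List[str]]:
    """Entitlements held beyond the user's current role: candidates for revocation."""
    report = {}
    for user, role, held in users:
        excess = held - baseline.get(role, set())
        if excess:
            report[user] = sorted(excess)
    return report


def find_missing(users=USERS, baseline=ROLE_BASELINE) -> Dict[str, List[str]]:
    """Entitlements the current role needs that were never granted."""
    report = {}
    for user, role, held in users:
        missing = baseline.get(role, set()) - held
        if missing:
            report[user] = sorted(missing)
    return report


if __name__ == "__main__":
    print("revoke:", find_creep())
    print("grant: ", find_missing())
```

The excess list is the one a reviewer signs off on; an entitlement that appears in it but is genuinely needed should be added to the role baseline rather than approved as a one-off, or it will reappear at the next review.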
Security settings that control access to objects including file system items and network resources.
Permissions
Access control model where each resource is protected by an Access Control List (ACL) managed by the resource’s owner (or owners).
Discretionary Access Control (DAC)
An access control model where resources are protected by ACLs that are managed by administrators and that provide user permissions based on job functions.
Role-Based Access Control (RBAC)
Each record in the ACL is called an access control entry.
ACE
ACLs can be enforced by a file system that supports permissions, such as NTFS, ext3/ext4, or ZFS.
Linux command for managing file permissions.
chmod
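Under DAC the owner sets the mode bits, so the practical check is whether a file has been left readable by everyone. The following is an added example and is not part of the flashcards; it uses the Python equivalents of chmod and ls -l on a scratch file created in a temporary directory.

```python
"""Added example (not from the flashcards): set and inspect discretionary
file permissions with os.chmod/stat (the Python equivalents of chmod and
ls -l) and flag world-accessible files.  The scratch file is constructed
in a temporary directory; the example assumes a POSIX file system."""

import os
import stat
import tempfile


def set_mode(path: str, mode: int) -> str:
    """Apply a mode as chmod does and return the symbolic string ls -l
    would show, e.g. 0o640 -> '-rw-r-----'."""
    os.chmod(path, mode)
    return stat.filemode(os.stat(path).st_mode)


def world_accessible(path: str) -> bool:
    """True if 'others' hold any read, write or execute bit on the path."""
    others = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
    return bool(os.stat(path).st_mode & others)


def owner_only(path: str) -> str:
    """Tighten to owner read/write only (chmod 600), the usual setting for
    private keys and credential files."""
    return set_mode(path, stat.S_IRUSR | stat.S_IWUSR)


def demo():
    """Create a file the way a default umask of 022 would (0644), show it
    is world-readable, then lock it down."""
    with tempfile.TemporaryDirectory() as work:
        secret = os.path.join(work, "secret.key")
        with open(secret, "w") as fh:
            fh.write("constructed sample secret\n")
        os.chmod(secret, 0o644)
        before = world_accessible(secret)
        mode_after = owner_only(secret)
        return before, mode_after, world_accessible(secret)


if __name__ == "__main__":
    print(demo())
```

The same mode-bit test is what audit scripts apply across a whole tree: any credential file for which `world_accessible` returns True is a finding, whatever the owner intended.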
Access control model where resources are protected by inflexible, system defined rules. Resources (objects) and users (subjects) are allocated a clearance level (or label).
Mandatory Access Control (MAC)
An access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted.
Attribute-Based Access Control (ABAC)
A non-discretionary access control technique that is based on a set of operational rules or restrictions to enforce a least privilege permissions policy.
Rule-Based Access Control (RBAC; sometimes written RuBAC to distinguish it from role-based access control)
As such, RBAC, ABAC, and MAC are all examples of rule-based (or non-discretionary) access control.
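The MAC, RBAC and ABAC cards describe three ways the same request can be decided, and the geofencing and time-of-day cards earlier on this page are the kind of environment attributes ABAC consumes. The following small policy engine is an added example and is not part of the flashcards; the clearance levels, roles, geofence centre, working hours and sample requests are all constructed for illustration.

```python
"""Added example (not from the flashcards): the same access request decided
under the three non-discretionary models.  MAC uses ordered labels,
RBAC uses role-to-permission tables, ABAC evaluates subject, resource and
environment attributes (here a time-of-day rule and a geofence).  Levels,
roles, the geofence centre and the sample requests are constructed."""

import math
from datetime import datetime, time

# --- MAC: ordered labels set by the system, not by the resource owner ---
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_permits(subject_clearance: str, object_label: str, action: str) -> bool:
    """Bell-LaPadula rules: no read up, no write down."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


# --- RBAC: permissions attach to roles; users are assigned roles ---
ROLE_PERMS = {
    "hr-analyst": {("payroll", "read")},
    "payroll-admin": {("payroll", "read"), ("payroll", "write")},
}


def rbac_permits(roles, resource: str, action: str) -> bool:
    return any((resource, action) in ROLE_PERMS.get(r, set()) for r in roles)


# --- ABAC: rules over subject, resource and environment attributes ---
OFFICE = (51.5074, -0.1278)              # constructed geofence centre (lat, lon)
GEOFENCE_KM = 5.0
WORK_HOURS = (time(8, 0), time(18, 0))   # constructed time-of-day policy


def haversine_km(a, b) -> float:
    """Great-circle distance in km between two (lat, lon) points."""
    earth_radius = 6371.0
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = (math.sin((la2 - la1) / 2) ** 2
         + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2)
    return 2 * earth_radius * math.asin(math.sqrt(h))


def abac_permits(subject: dict, resource: dict, env: dict) -> bool:
    """Grant only if the department matches, the request originates inside
    the geofence, and it falls within working hours."""
    in_hours = WORK_HOURS[0] <= env["when"].time() <= WORK_HOURS[1]
    in_fence = haversine_km(env["location"], OFFICE) <= GEOFENCE_KM
    same_dept = subject["department"] == resource["owner_department"]
    return same_dept and in_hours and in_fence


def evaluate_samples():
    """Constructed requests: same subject and resource, different environment."""
    subj = {"department": "finance"}
    res = {"owner_department": "finance"}
    in_office_day = {"when": datetime(2024, 3, 4, 10, 30), "location": (51.51, -0.12)}
    in_office_night = {"when": datetime(2024, 3, 4, 22, 0), "location": (51.51, -0.12)}
    remote_day = {"when": datetime(2024, 3, 4, 10, 30), "location": (48.8566, 2.3522)}
    return tuple(abac_permits(subj, res, e) for e in (in_office_day, in_office_night, remote_day))
```

Note what is discretionary in none of these: the resource owner cannot override a MAC label, a role table or an ABAC rule, which is exactly what separates them from DAC.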
Policies, procedures, and support software for managing accounts and credentials with administrative permissions.
Privileged access management (PAM)
A network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.
Directory Services
The Lightweight Directory Access Protocol (LDAP) is a protocol widely used to query and update X.500 format directories.
A unique identifier for any given resource within an X.500-like directory.
Distinguished Name
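Because a distinguished name is built from comma-separated relative DNs, anything that assembles one from user input must escape the value, or a name such as `Smith, John` becomes two RDNs. The following splitter and escaper follow the RFC 4514 backslash rules and are an added example, not part of the flashcards; the DNs are constructed samples. Multi-valued RDNs joined with `+` are not handled.

```python
"""Added example (not from the flashcards): split an LDAP distinguished
name into its RDNs honouring RFC 4514 backslash escapes, and escape a
value before embedding it in a DN so user input cannot add extra RDNs.
Sample DNs are constructed.  Multi-valued RDNs ('+') are not handled."""

from typing import List, Tuple

HEX = "0123456789abcdefABCDEF"
SPECIAL = set(',+"\\<>;=')


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute, value), ...] from most specific RDN to the base."""
    rdns, attr, buf, i = [], None, [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            nxt = dn[i + 1]
            if nxt in HEX and i + 2 < len(dn) and dn[i + 2] in HEX:
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # \2C style escape
                i += 3
            else:
                buf.append(nxt)                              # \, \= \\ etc.
                i += 2
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip()                      # attribute types carry no spaces
            buf = []
        elif c == ",":
            rdns.append((attr, "".join(buf)))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append((attr, "".join(buf)))
    return rdns


def escape_rdn_value(value: str) -> str:
    """Escape a value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in SPECIAL or (idx == 0 and ch in "# ") or (idx == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_dn(common_name: str, base: str = "OU=Users,DC=example,DC=test") -> str:
    """Build a user's DN from an untrusted display name without injecting RDNs."""
    return f"CN={escape_rdn_value(common_name)},{base}"
```

The round trip in the test is the property worth keeping: whatever string goes through `escape_rdn_value`, `split_dn` must return it as a single value and the base DN must come back unchanged.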
A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.
Federation
In a federated network, the service that holds the user account and performs authentication.
Identity Provider (IdP)
An XML-based data format used to exchange authentication and authorization assertions between an identity provider and a service provider.
Security Assertion Markup Language (SAML)
An XML-based web services protocol that is used to exchange messages.
Simple Object Access Protocol (SOAP)
Standard for federated identity management, allowing resource servers or consumer sites to work with user accounts created and managed on a separate identity provider.
OAuth
An authentication layer that sits on top of the OAuth 2.0 authorization protocol.
OpenID Connect (OIDC)
OAuth is explicitly designed to authorize delegated access to resources (expressed as scopes), not to authenticate users; OIDC adds the authentication layer on top of it.
OIDC uses JSON-format messaging (the ID token is a JSON Web Token) and supports mobile and native apps as well as web applications; it is SAML, not OIDC, that relies on XML.
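What makes OIDC an authentication layer rather than just OAuth is the ID token, and the relying party only gets authentication from it if it validates the token itself. The following checks are an added example and are not part of the flashcards. It mints and verifies tokens with HS256 (HMAC over the client secret, which OIDC permits) so it runs with the standard library alone; production IdPs normally sign with RS256, which needs a JWT library and the IdP's published keys. The issuer, client ID, secret and claims are constructed.

```python
"""Added example (not from the flashcards): the checks a relying party runs
on an OpenID Connect ID token before treating it as proof of login.
Tokens here are HS256 (HMAC with the client secret, permitted by OIDC) so
only the standard library is needed; RS256 tokens from a real IdP need a
JWT library and the IdP's JWKS.  Issuer, audience, secret and claims are
constructed samples."""

import base64
import hashlib
import hmac
import json


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: bytes) -> str:
    """Mint a constructed HS256 ID token (the IdP's side of the exchange)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def validate_id_token(token: str, secret: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: float) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # The verifier, not the token, decides the algorithm: rejects alg=none
    # and key-confusion tokens that name a different algorithm.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if client_id != aud and client_id not in (aud if isinstance(aud, list) else []):
        raise ValueError("token not intended for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def demo() -> dict:
    """One valid token, then the same token presented under three bad conditions."""
    secret = b"constructed-client-secret"
    issuer, client = "https://idp.example.test", "app-123"
    now = 1_700_000_000
    good = make_id_token({"iss": issuer, "sub": "u42", "aud": client,
                          "exp": now + 300, "iat": now, "nonce": "n1"}, secret)
    results = {"valid": validate_id_token(good, secret, issuer, client, "n1", now)["sub"]}
    for label, override in {"wrong_aud": {"client_id": "other-app"},
                            "expired": {"now": now + 600},
                            "replayed": {"expected_nonce": "n2"}}.items():
        args = dict(secret=secret, issuer=issuer, client_id=client, expected_nonce="n1", now=now)
        args.update(override)
        try:
            validate_id_token(good, **args)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results
```

The audience check is the one most often skipped and the one that turns a token issued to some other application at the same IdP into a login for yours; the nonce check ties the token to the specific login request that asked for it.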
A policy that governs employees’ use of company equipment and Internet services. ISPs may also apply AUPs to their customers.
Acceptable Use Policy
Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions have developed codes of ethics to cover difficult situations; some businesses may also have a code of conduct to communicate the values they expect their employees to practice.
Code of Conduct
An organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.
Clean Desk Policy
Training event where learners must identify a token within a live network environment.
Capture the Flag (CTF)
Computer-Based Training (CBT)