Module 04 - Identity and Acess Management

Question 1

Definition:
Non-repudiation

Answer 1

Cannot deny having done something in systems or network

Question 2

Acronym:
CSF

Answer 2

Cybersecurity Framework

Question 3

Acronym:
NIST

Answer 3

National Institute of Standards and Technology

Question 4

According to NIST, what are the classification of security tasks?

Answer 4

1. Identify
2. Protect
3. Detect
4. Respond
5. Recover

Question 5

Definition:
Gap Analysis

Answer 5

Process that identifies how security systems deviate from outcomes required, or recommended, by CSTs

Question 6

Definition:
Access Control

Answer 6

Defines how subjects interact with objects.

Subjects => Can be granted access to resources

Objects => Resources

Question 7

Acronym:
IAM

Answer 7

Identity and Access Management

Question 8

Definition:
Identity and Access Management - IAM systems

Answer 8

System that implements access controls

Question 9

What are the processes of IAM?

Answer 9

1. Identification
2. Authentication
3. Authorization
4. Accounting

Question 10

Acronym:
AAA

Answer 10

Authentication, Authorization and Accounting

Question 11

Definition
Zero Trust

Answer 11

Security model that assumes that all devices, users, and services are not inherently trusted, regardless of whether inside or outside a network’s perimeter

Question 12

What are the main concepts of Zero Trust Model?

Answer 12

1. Adaptive identity
2. Threat scope reduction
3. Policy-drive access control

Question 13

Definition:
Adaptive identity [Zero Trust Concept]

Answer 13

Recognition of identity not being static.

UBA

Question 14

Definition:
Threat scope reduction [Zero Trust Concept]

Answer 14

Access to resources are only to the ones needed to complete a task.

[Principle of least privilege]

Question 15

Definition:
Policy-driven access control [Zero Trust Concept]

Answer 15

Access Control policies enforces access restriction based on user identity, device posture and network context.

Question 16

Definition:
Device Posture

Answer 16

Security status of a device, including its security configurations, software versions, and patch levels.

Question 17

In Zero Trust architecture, what are the planes?

Answer 17

Control and data planes

Question 18

Definition:
Control plane

Answer 18

Manages policies that dictate how users and devices are authorized to access network resources.

Divided in Policy Engine and Policy Administrator

Question 19

Definition:
Data plane

Answer 19

Where a subject uses a system to make requests for a given resource.

Question 20

Definition:
Policy Engine

Answer 20

Defines an algorithm and metrics for making dynamic authentication and authorization decisions on a per-request basis.

Question 21

Definition:
Policy Administrator

Answer 21

Issues access tokens and establishes or tears down sessions based on the decisions made by the policy engine.

Question 22

List the access control best practices

Answer 22

1. Principle of least privilege
2. Need to know [Information classification]
3. Separation of Duties [Conflict of interest]
4. Job rotation
5. Defense in depth
6. Identification
7. Multi-Factor Authentication
8. Mutual Authentication
9. Time of day restrictions

Question 23

Acronym:
MFA

Answer 23

Multi-Factor Authentication

Question 24

What are the common methods of controlling access?

Answer 24

Implicit Deny
Explicit Allow
Explicit Deny

Question 25

Acronym:
ACL

Answer 25

Access Control List

Question 26

Acronym:
MAC [Access Control]

Answer 26

Mandatory Access Control

Question 27

Acronym:
DAC

Answer 27

Discretionary Access Control

Question 28

Acronym:
RBAC

Answer 28

Role-Based Access Control

Question 29

Acronym:
ABAC

Answer 29

Attribute-Based Access Control

Question 30

List the types of Access Controls

Answer 30

Discretionary Access Control
Mandatory Access Control
Role-Based Access Control
Attribute-Based Access Control
Rule-Based Access Control

Question 31

Definition:
Discretionary Access Control - DAC

Answer 31

In the DAC Model, every resource has an owner which has full control over the resource, and they can modify its access control list (ACL) to grant rights to others.

Discretionary => By one’s judgment

Question 32

Definition:
Mandatory Access Control - MAC

Answer 32

Model based on security clearance levels.

Each object is given a classification label, and each subject is granted a clearance level.

Question 33

Definition:
Role-Based Access Control - RBAC

Answer 33

Permissions depends on the tasks that an employee or service must be able to perform.

Each set of permissions is a role, or a group account.

Question 34

Definition:
Attribute-Based Access Control - ABAC

Answer 34

Based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes.

Question 35

Definition:
Rule-Based Access Control

Answer 35

Any sort of access control model where access control policies are determined by system-enforced rules rather than system users.

Anything but discretionary access control models.

Ex: RBAC, ABAC, and MAC

Question 36

Definition:
Provisioning

Answer 36

Setting up a service according to a standard procedure or best practice checklist.

Question 37

Definition:
Deprovisioning

Answer 37

Removing the access rights and permissions allocated to a subject

Question 38

Time-based restrictions:

Answer 38

A time-of-day restrictions policy [Login hours]
A duration-based login policy
Impossible travel time/risky login policy
Temporary permissions

Question 39

Identification x Authorization

Answer 39

Identification is saying who you are

Authorization is confirming who you are

Question 40

List the authentication factors

Answer 40

1. Something you know
2. Something you are
3. Somewhere you are
4. Something you can do
5. Something you exhibit
6. Someone you know [CA or Attestation]
7. Something you have

Question 41

Definition and list:
Hard authentication token

Answer 41

Token generated within a secure cryptoprocessor

1. Smart card
2. OTP
3. Security Key

Question 42

Definition and list:
Soft authentication token

Answer 42

OTP generated by the Identity provider (IdP) and transmitted to the supplicant.

1. Email
2. SMS
3. Authentication app

Question 43

Acronym:
IdP

Answer 43

Identity provider

Question 44

Definition:
Passwordless

Answer 44

No longer processes knowledge-based factors.

Question 45

Acronym:
LSASS

Answer 45

Local Security Authority Subsystem Service

Question 46

Acronym:
NTLM

Answer 46

NT LAN Manager

Question 47

Acronym:
VPN

Answer 47

Virtual Private Network

Question 48

Acronym:
SAM [Windows File]

Answer 48

Security Accounts Manager

Question 49

List the windows authentication scenarios

Answer 49

1. Windows local sign-in or interactive logon
2. Windows network sign-in
3. Remote sign-in

Question 50

What protocols are responsible for a network sign-in, in Windows?

Answer 50

Kerberos and NTLM

Question 51

Acronym:
SSH

Answer 51

Secure SHell

Question 52

Acronym:
PAM

Answer 52

Pluggable Authentication Module

Question 53

In linux, what’s the /etc/passwd file?

Answer 53

It’s where user account names are stored

Question 54

In linux, what’s the /etc/shadow file?

Answer 54

It’s where user account password hashed are stored

Question 55

What’s the protocol used in network sign-in, in Linux?

Answer 55

SSH

Question 56

Definition:
Directory Services

Answer 56

Service that stores information about users, computers, security groups/roles, and services.

Question 57

What’s the protocol responsible for directory services?

Answer 57

LDAP - Lightweight Directory Access Protocol

Question 58

Acronym:
LDAP

Answer 58

Lightweight Directory Access Protocol

Question 59

Acronym:
SSO

Answer 59

Single Sign-On

Question 60

Definition:
Single Sign-On - SSO

Answer 60

Authentication method that requires only once authentication and recieves authorizations on other compatible applications to be logged in

Question 61

Definition:
Kerberos

Answer 61

Single sign-on network authentication and authorization protocol.

Named after the three-headed guard dog of Hades (Cerberus)

Question 62

Acronym:
KDC

Answer 62

Key Distribution Center

Question 63

Definition:
Key Distribution Center - KDC

Answer 63

System that vouches tokens for identities, made out of two systems:
- Authentication Service (AS)
- Ticket Granting Service (TGS)

Question 64

True or False:
Kerberos protocol sends the password encrypted in the network

Answer 64

False.

Question 65

In kerberos talk, what are principals

Answer 65

Users or applications that authenticates

Question 66

How is the request for a TGT made?

Answer 66

By encrypting the date and time on the local computer with the user’s password hash as the key, and sending to the AS

Question 67

Acronym:
TGT

Answer 67

Ticket Granting Ticket

Question 68

Definition:
Ticket Granting Ticket - TGT

Answer 68

Identifies a principal but doesn’t provide access to any resource

Question 69

Definition:
Federation [Authentication]

Answer 69

The network trusts accounts created and managed by a different network. The model is similar to Kerberos SSO

Question 70

List federated network protocols

Answer 70

1. SAML - Security Assertion Markup Language
2. SOAP - Simple Object Access Protocol

Question 71

Acronym:
SAML

Answer 71

Security Assertion Markup Language

Written in XML - eXtension Markup Language

Question 72

Acronym:
SOAP

Answer 72

Simple Object Access Protocol

Written in XML - eXtension Markup Language

Question 73

Acronym:
XML

Answer 73

eXtension Markup Language

Question 74

Acronym:
OAuth

Answer 74

Open Authentication

Question 75

Definition:
Open Authentication - OAuth

Answer 75

Facilitate the sharing of information (resources) within a user profile between sites.

Uses REST APIs for communication and JWTs for authentication

Question 76

Acronym:
API

Answer 76

Application Programming Interface

Question 77

Acronym:
REST

Answer 77

REpresentational State Transfer

Question 78

Acronym:
JWT

Answer 78

JSON Web Token

Question 79

Acronym:
JSON

Answer 79

JavaScript Object Notation

Question 80

Definition:
Biometric authentication

Answer 80

Based on a unique physical attribute or characteristic

Question 81

Definition:
False rejection rate (FRR)

Answer 81

Where a legitimate user is not recognized.
Type I error or false non-match rate (FNMR)

Question 82

Definition:
False acceptance rate (FAR)

Answer 82

Where an interloper is accepted.
Type II error or false match rate [FMR]

Question 83

Definition:
Crossover Error Rate (CER)

Answer 83

The point at which FRR and FAR meet

The lower the more efficient and reliable the technology.

Question 84

List the most common biometric information

Answer 84

1. Fingerprint
2. Retina
3. Iris
4. Facial
5. Voice
6. Vein
7. Gait

Question 85

Definition:
Authorization

Answer 85

process of determining privileges of an entity and enforcing them.

Question 86

List the types of permissions

Answer 86

1. Effective permissions
2. Deny permissions
3. Cumulative permissions

Question 87

Advantages of Hierarchical database as in directory sevices

Answer 87

1. Organization
2. Replication
3. Delegation
4. Scalability

Question 88

List Active Directory Components

Answer 88

1. Domain
2. Trees and forests
3. Organizational Units
4. Generic container
5. Object
6. Domain Controller

Question 89

Definition:
Tree [Directory Services]

Answer 89

Group of related domains that share the same DNS namespaces.

Question 90

Definition:
Forest [Directory Services]

Answer 90

Highest level of the organization hierarchy and is a collection of related domain trees.

Question 91

Definition:
Policy [Directory Service]

Answer 91

Set of configuration settings applied to users or computers

Question 92

Acronym:
GPO

Answer 92

Group Policy Object

Question 93

Definition:
Group Policy Object - GPO

Answer 93

Collection of files with registry settings, scripts, templates, and software-specific configuration values.

Collection of Group Policy configurations.

Question 94

What are the types of GPOs and when are applied?

Answer 94

Computer and User configuration types.

Computer => Applied when boots
User => Applied when log on

Question 95

What’s the order GPOs are applied?

Answer 95

1. Local
2. Site
3. Domain
4. OU

LSDOU - Local Site Domain OU

Question 96

Definition:
Hardening

Answer 96

To stregthen

Question 97

List Hardening Authentication Methods

Answer 97

1. Password Policies
2. MFA
3. Account restrictions
4. Account Monitoring
5. Account Maintenance
6. Limit Remote Access
7. Account Lockout Policies

Question 98

List Smart Card Benefits

Answer 98

1. Tamper-resistant storage por PIIs
2. Isolated security-related operations
3. Portable security credentials

Question 99

List Smart Card Weaknesses

Answer 99

1. Microprobing (Possibility to interfere with chip)
2. Software attacks
3. Eavesdropping
4. Fault generation

Question 100

List the options for storing directory information in Linux

Answer 100

1. Local file system
2. LDAP-Compliant database
3. Network Information System (NIS)
4. Windows domain

Question 101

Acronym:
NIS

Answer 101

Network Information System

Question 102

Definition:
Network Information System - NIS

Answer 102

Allows many Linux computers to share common user accounts, group accounts, and passwords.

Question 103

In linux, what’s the /etc/group file?

Answer 103

contains information about each user group.

Question 104

In linux, what’re the managing users configuration files?

Answer 104

1. /etc/default/useradd
2. /etc/login.defs
3. /etc/skel

Question 105

In linux, what’s the /etc/default/useradd file?

Answer 105

Contains default values used by the useradd utility when creating a user account

Question 106

In linux, what’s the /etc/login.defs file?

Answer 106

Contains configurations of login, such as password encryption in shadow file, or password expiration values.

Question 107

In linux, what’s the /etc/skel file?

Answer 107

Contains a set of configuration file templates that are copied into a new user’s home directory when it is created

Question 108

List Linux User Management Commands

Answer 108

1. useradd
2. passwd
3. usermod
4. userdel

Question 109

List Linux User Security Commands and what they do?

Answer 109

1. chage (Set user passwords to expire)
2. ulimit (Limits computer resources used for applications launched from the shell)

Question 110

List Linux Group Commands

Answer 110

1. groupadd
2. groupmod
3. groupdel
4. gpasswd
5. newgrp [Change group ID]
6. usermod [Mod group membership of a user]
7. groups [display groups a user is in]

Question 111

List VPNs architectures

Answer 111

1. site-to-site
2. client-to-client
3. host-to-host

Question 112

Definition:
Client-to-client VPN

Answer 112

Connects a client on a endpoint to a VPN gateway which it’s inserted on the LAN

Question 113

Definition:
Site-to-site VPN

Answer 113

Connects two or more private networks, it connects the edge gateways of the private network on a tunnel connection

Question 114

Definition:
Host-to-host VPN

Answer 114

Securing traffic between two computers where the private network is not trusted.

Question 115

List most common VPN protocols

Answer 115

1. PPTP - Point-to-Point Tunneling Protocol (Deprecated)
2. TLS - Transport Layer Security
3. IPSec - Internet Protocol Security

Question 116

Acronym:
RDP

Answer 116

Remote Desktop Protocol

Question 117

Acronym:
VNC

Answer 117

Virtual Network Computing

Question 118

Definition
VNC - Virtual Network Computing

Answer 118

Remote access tool and protocol.

Question 119

Definition:
AAA server

Answer 119

Handles user requests for access to remote computer resources.

2 solutions: RADIUS and TACACS+.

Question 120

Definition:
RADIUS

Answer 120

AAA Server used by Microsoft.

• Allows separation of Accounting to different servers
• Challenge-response method for authentication.
• Uses UDP ports 1812 (Auths) and 1813 (Account)
• Vulnerable to buffer overflow attacks.

Question 121

Definition:
TACACS+

Answer 121

AAA CISCO server.
- TCP port 49.
- Supports more protocol suites than RADIUS.
- Provides three protocols, one each AAA

TACACS and XTACACS are older protocols

Question 122

Acronym:
RADIUS

Answer 122

Remote Authentication Dial-In User Service

Question 123

Acronym:
TACACS

Answer 123

Terminal Access Controller Access-Control System

Question 124

List LDAP authentication options

Answer 124

1. No authentication
2. Simple bind [DN + cleartext passwd]
3. Simple Authentication and Security Layer (SASL)
4. LDAPS

Question 125

Acronym:
SASL

Answer 125

Simple Authentication and Security Layer

Question 126

Definition:
Simple Authentication and Security Layer - SASL

Answer 126

Means the client and server negotiate using a supported authentication mechanism, such as Kerberos.

Question 127

Acronym:
LDAPS

Answer 127

LDAD Secure