Section 3: Investigating Identity and Access Management Flashcards
What is the most common form of authentication that is most likely to be entered incorrectly?
A password; the user may forget the password or may have Caps Lock on by accident.
When you purchase a new wireless access point, what should you do first?
Change the default username and password; many default credentials are available on the internet.
What is password history?
Determines the number of passwords you can use before you can reuse your current password. Some third-party applications or systems may call this a “password reuse” list.
How can you prevent someone from reusing the same password?
Set up password history and combine with a minimum password age to prevent reuse.
Explain what a complex password requires.
Uses three of the following:
- Uppercase and lowercase letters
- Numbers
- Special characters not used in programming
How can you prevent a hacker from inserting a different password many times?
Set up an account lockout with a low value like 3. The hacker would need to guess the password within 3 attempts, otherwise the user account is locked out and disabled.
What type of factor authentication is a smart card?
Multi-factor authentication.
- The card is something you have
- Inserting it into a card reader is something you do
- The PIN is something you know
How many factors is it if you have a password, PIN, and date of birth?
Single-factor. These are all factors that you know.
What is biometric authentication?
The use of a part of your body or voice for authentication. (iris, retina, palm, fingerprint)
What authentication method can be used by two third parties that participate in a joint venture?
Federation services. FS uses Security Assertion Mark-up Language (SAML) and extended attributes, like an employee’s ID or email address.
Name an XML-based authentication protocol.
Security Assertion Mark-up Language (SAML). Used with federation services.
What is Shibboleth?
Open-source Federation Services protocol.
What protocol is used to store and search for Active Directory objects?
Lightweight Directory Authentication Protocol (LDAP). Used to store objects in X500 format and search Active Directory objects such as users, printers, groups or computers.
What is the format of a distinguished name for a user called Fred who works in the IT department for a company with a domain called Company A that is a dotcom?
A distinguished name in the ITU X500 object format is:
“cn=Fred, ou=IT, dc=Company, dc=Com”
What authentication factor uses tickets, timestamps, and updated sequence numbers and is used to prevent replay attacks?
Kerberos authentication. Also prevents pass-the-hash attacks as it does not use NTLM but stores the account details in an encrypted database.
What is a Ticket Granting Ticket (TGT) session?
A TGT session is a process by which a user logs in to an Active Directory domain using Kerberos authentication and receives a service ticket.
What is single sign-on? Give two examples.
An authentication scheme wherein a user enters their credentials only once and accesses different resources like emails and files without needing to re-enter their credentials.
Examples:
- Kerberos
- Federation Services
How can you prevent a pass-the-hash attack?
Enable Kerberos or disable NTLM. Pass-the-hash attacks exploit older systems that use NT LAN Manager (NTLM).
Give an example of when you would use Open ID Connect.
To access a device or portal using Facebook, Twitter, Google or Hotmail creds. The portal itself does not manage the account.
Name two AAA servers and the ports associated with them.
RADIUS: uses UDP port 1812 and is seen as non-proprietary.
TACACS+: uses TCP port 49.
Diameter: modern secure form of RADIUS, TCP-based and uses EAP.
What is used for accounting in an AAA server?
Accounting is the documentation of when someone logs in and out, typically for billing purposes. Accounting information is typically logged into a database like SQL. RADIUS uses UDP port 1813.
What is the purpose of a VPN solution?
Create a secure connection from a remote location to your corporate network or vice versa. The most secure tunneling protocol is L2TP/IPsec.
Why should you never use PAP authentication?
PAP authentication uses a password in clear text which could be captured easily by a packet sniffer.
What type of device is an iris scanner?
A physical device used for biometric authentication.
Name two possible weaknesses of facial recognition software.
- Affected by light
- Turning your head slightly to one side
- Older systems erroneously accept photographs
Microsoft Windows Hello is more secure, using infrared, and is not fooled by photographs or affected by light.
What is Type II in biometric authentication and why is it a security risk?
Type II is False Acceptance Rate (FAR). People not permitted to access the network are given access.
Name a time-limited password type.
Time-Based One-Time Password (TOTP), which has a 30-60 second time limit.
How many times can you use an HOTP password? Is there a time restriction associated with it?
HOTP is a one-time password that does not expire until used.
How does a CAC differ from a smart card and who uses CAC?
Both use certificates, but a CAC is used by the military and has a picture, details of the user, blood group and Geneva Convention category.
What is a port-based authentication that authenticates both users and devices?
IEEE 802.1X
What type of account is a service account?
A type of administrative account that allows an application to have a higher level of privileges to run on a desktop or server.
How many accounts should a system administrator for a multinational corporation have and why?
Two accounts:
- A user account for day-to-day tasks
- An administrative account for administrative tasks
What do you need to do when you purchase a baby monitor and why?
Rename the default administrative account and change the default password. Baby monitors are IoT devices.
What is a privileged account?
An account with administrative rights.
What is the drawback for security if the company uses shared accounts?
Employees cannot be traced. Shared accounts should be eliminated for monitoring and auditing.
What is a default account? Is it a security risk?
Default accounts/passwords for devices and software that can be found on the internet and used to hack your network or home devices.
The system administrator in a multinational corporation creates a user account using an employee’s first name and last name. Why are they using the same details from each person?
Standard naming convention.
What two actions do you need to complete when John Smith leaves the company?
- Disable his account and reset password
- Delete the account to prevent access to data he used
What is account recertification?
An audit of user accounts and permissions that are usually carried out by an auditor. Also referred to as “user account review.”
What is the purpose of a user account review?
Ensures that old accounts have been deleted and that all current users have the appropriate access to resources and not a higher level of privilege.
What can you implement to find out immediately when a user is placed in a group that may give them a higher level of privileges?
A SIEM can carry out active monitoring and notify administrators of any changes to user accounts/logs.
What will be the two possible outcomes if an auditor finds any working practices that do not conform to the company policy?
- Change management
- New policy will be put in place
If a contractor brings in five consultants for two months of mail server migration, how should you set up their accounts?
Contractor accounts should have an expiry date equal to the last day of the contract.
How can you ensure that the contractors in Question 43 can only access the company network from 9am-5pm daily?
Adopt rule-based access rules.
If you have a company that has five consultants who work in different shift patterns, how can you set up their accounts so that each of them can only access the network during their individual shifts?
Time and day restrictions should be set up against each individual’s user account that matches their shift pattern.
A brute-force attack cracks a password using all combinations of characters and will eventually crack a password. What can you do to prevent a brute force attack?
Account Lockout with a low value.
The IT team has a global group called IT Admin; each member of the IT team is a member of this group and therefore has full control access to the departmental data. Two new apprentices are joining the company and they need to have read access to the IT data. How can you achieve this with the minimum amount of administrative effort?
Create a new group called “IT Apprentices” and add the apprentices’ accounts to the group. Give this group read access to the IT data.
You have different login details and passwords to access Airbnb, Twitter and Facebook, but you keep getting them mixed up and have locked yourself out of these accounts from time to time. What can you implement on your Windows 10 laptop to help you?
The credential manager can be used to store generic and Windows 10 accounts.
You have moved departments, but the employees in your old department still use your old account for access; what should the company have done to prevent this from happening? What should their next action be?
The company should disable the account and reset the password. An account review should follow to find similar accounts.
What is the purpose of the ssh-copy-id command?
To copy and install the public key on the SSH server and add it to the list of authorized keys.
Describe the process of impossible time travel.
A user logs in to a device from one location, then from another location shortly afterward, where it would be impossible to travel that distance in the time between logins.
When you log in to your Dropbox account from your phone, you get an email asking you to confirm that this was a legitimate login. What have you been subjected to?
Risky login; you have used a secondary device to log in.
What is the purpose of a password vault and how secure is it?
Stores passwords using AES-256 encryption. It is only as secure as the master key.
What type of knowledge-based authentication would a bank normally use?
Dynamic KBA, which would ask you details about your account that are not previously stored questions.
What is the difference between FAR and FRR?
FAR: False Acceptance Rate, allows unauthorized access.
FRR: False Rejection Rate, rejects authorized user access.
What is the solution that helps protect privileged accounts?
Privileged Access Management stores privileged accounts in a bastion domain to help protect them from attack.
What is the danger to households with IoT devices?
There are vulnerable generic accounts controlling the devices.
Why do cloud providers adopt a zero-trust model?
Some devices (like iPads) do not belong to a domain, so every connection should be considered unsafe.
Which authentication model gives access to a computer system even though the wrong credentials are being used?
Biometric authentication allows unauthorized user access.