Security Plus - Chapter 8 Flashcards

1
Q

Identity

A

The set of claims made about a subject.

2
Q

Subject

A

People, applications, devices, systems, or organizations that require access to something.

3
Q

Attributes

A

A broad range of information about a subject:
Name
Age
Location
Job Title

4
Q

Ways to claim a user’s identity

A

Username - A label associated with an identity; by itself it is only a claim, not proof of it.
Certificate - An X.509 certificate stored on a system or on a hardware token that identifies a system, device, or individual; possession of the matching private key is what proves the identity.
Token - A physical device that generates a code, or that plugs in via USB or connects via Bluetooth/NFC to present a certificate or sign a challenge.
SSH key - A cryptographic key pair used as an identity: the public key is registered on the server and the private key replaces the password (the username is still presented).
Smartcard - A card with an embedded chip, used through a chip reader or contactlessly, that can generate key pairs on the card itself so the private key never leaves it.

5
Q

Authentication

A

Verifies that a user is who they claim that they are.

6
Q

Authorization

A

Determines what an authenticated user is allowed to do, based on the access assigned to their account. Combined with authentication, this lets a user reach resources, systems, and other objects based only on what they are permitted to access.

7
Q

Extensible Authentication Protocol (EAP)

A

An authentication framework (RFC 3748), not a single method, that carries one of many EAP methods; commonly used with 802.1X on wired and wireless networks. Common EAP methods:
EAP-TLS - Mutual certificate-based authentication (client and server certificates); the strongest common option.
EAP-TTLS - The server certificate establishes a TLS tunnel inside which a legacy inner method (e.g. PAP or MS-CHAPv2) authenticates the user.
PEAP - Like EAP-TTLS, a TLS tunnel protecting an inner method, typically MS-CHAPv2.
LEAP - Cisco's legacy Lightweight EAP; it relies on MS-CHAP-style password exchanges, is vulnerable to offline dictionary attacks, and should not be deployed.

8
Q

Challenge Handshake Authentication Protocol (CHAP)

A

A challenge-response authentication protocol (RFC 1994) used with PPP: the server sends a random challenge, the client replies with an MD5 hash of the challenge combined with the shared secret, and the server verifies the response against its own copy of the secret. The exchange is a three-way handshake (challenge, response, success/failure), the password itself never crosses the wire, and the server can re-challenge periodically during the session. It was designed to replace PAP, which sends the password in cleartext; its weaknesses are the MD5 basis and the server's need to store the secret in recoverable form. MS-CHAPv2 is the Microsoft variant.

9
Q

802.1X

A

An IEEE standard for port-based network access control (NAC) that authenticates devices before they are allowed onto a wired or wireless network. The supplicant (the connecting device) exchanges EAP messages, carried in EAPOL frames, with the authenticator (a network switch, access point, or wireless controller), which relays them inside RADIUS to the authentication server for validation. The authentication server is typically a RADIUS server backed by a directory, usually LDAP or Active Directory, as the source of identity information; until authentication succeeds the port passes only EAPOL traffic.

10
Q

Remote Authentication Dial-In User Service (RADIUS)

A

An AAA (authentication, authorization, and accounting) protocol that runs in a client-server model, normally over UDP (ports 1812 for authentication and 1813 for accounting; legacy 1645/1646), with RADIUS over TCP defined separately. It is one of the most common AAA systems for network devices, wireless networks (as the 802.1X authentication server), VPNs, and other services. Only the User-Password attribute is hidden, by XORing it with an MD5 hash of the shared secret and the packet's Request Authenticator; the rest of the packet is cleartext and the hiding is weak, since an attacker who captures traffic can brute-force a weak shared secret offline. RADIUS traffic is therefore usually protected in transit with IPsec tunnels or RADIUS/TLS (RadSec).
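
The User-Password hiding that this card calls "obfuscated by a shared secret and MD5 hash" is the algorithm in RFC 2865 section 5.2. The following Python is an added example, not code from the flashcard set or from any RADIUS implementation: it implements that hiding and its inverse, then shows the practical consequence, namely that anyone who captures an Access-Request and knows one password (their own) can test candidate shared secrets offline. The authenticator, shared secret and wordlist are constructed demo values.

```python
import hashlib
from typing import Iterable, Optional


def hide_user_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding (obfuscation, not encryption).

    The password is NUL-padded to a multiple of 16 bytes and each 16-byte block is
    XORed with MD5(shared_secret + previous_block); the first "previous block" is the
    16-byte Request Authenticator, which travels in the clear in the same packet.
    """
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        keyblock = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keyblock))
        hidden += block
        prev = block  # chaining: the next key block depends on this hidden block
    return bytes(hidden)


def reveal_user_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password, as the RADIUS server performs it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        keyblock = hashlib.md5(shared_secret + prev).digest()
        block = hidden[i:i + 16]
        plain += bytes(c ^ k for c, k in zip(block, keyblock))
        prev = block
    # Strip the NUL padding (a password ending in NUL is not representable in this scheme).
    return bytes(plain).rstrip(b"\x00")


def recover_shared_secret(hidden: bytes, request_authenticator: bytes,
                          known_password: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline attack available to anyone who captured an Access-Request and knows one
    user's password (e.g. their own): try candidate shared secrets until the revealed
    password matches. A weak shared secret falls to a wordlist in seconds."""
    for candidate in candidates:
        if reveal_user_password(hidden, candidate, request_authenticator) == known_password:
            return candidate
    return None


# Constructed demo values (not captured traffic). The fixed authenticator keeps the run
# reproducible; real clients must generate a fresh random one per request.
DEMO_AUTHENTICATOR = bytes(range(16))
DEMO_SECRET = b"testing123"  # the default shared secret shipped in FreeRADIUS example configs

if __name__ == "__main__":
    hidden = hide_user_password(b"hunter2!", DEMO_SECRET, DEMO_AUTHENTICATOR)
    print("hidden User-Password:", hidden.hex())
    print("server reveals:", reveal_user_password(hidden, DEMO_SECRET, DEMO_AUTHENTICATOR))
    wordlist = [b"radius", b"secret", b"password", b"testing123", b"cisco"]
    print("attacker recovers shared secret:",
          recover_shared_secret(hidden, DEMO_AUTHENTICATOR, b"hunter2!", wordlist))
```

The recovery function is why a long random shared secret per client and transport protection (IPsec or RadSec) both matter: the MD5 chaining only hides the password from a casual observer, it does not stop an offline guess against the secret.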

11
Q

Terminal Access Controller Access Control System Plus (TACACS+)

A

A Cisco-designed AAA protocol (a successor to the older TACACS, now documented in RFC 8907) that uses TCP port 49 and separates authentication, authorization, and accounting into distinct operations. It encrypts the entire packet body with the shared secret (the header stays in cleartext) and provides per-command authorization, so individual device commands can be allowed or denied for a given administrator. It is commonly used for network device administration, while RADIUS is more common for network access.

12
Q

Kerberos

A

A protocol for authenticating service requests between trusted hosts across an untrusted network like the Internet. It uses symmetric (secret-key) cryptography and a trusted third party, the key distribution center (KDC), to protect the authentication traffic, so passwords are never sent over the network and services never see them. Kerberos principal names are composed of three main elements:
Primary - The username, or for a service its name (e.g. host, http)
Instance - Differentiates similar primaries (e.g. an admin instance of a user, or the host a service runs on)
Realm - A group of users and services under one KDC. Realms are separated by trust boundaries and each has its own key distribution center; cross-realm trusts let one realm accept tickets from another.

13
Q

Kerberos Process

A

When a client wants to use a Kerberized service, it first requests a ticket-granting ticket (TGT) from the authentication server (AS). The AS verifies the client's credentials (modern Kerberos requires pre-authentication, typically a timestamp encrypted with the user's key) and responds with the TGT, encrypted with the secret key of the ticket-granting service (TGS) so the client can neither read nor alter it, plus a session key encrypted with the user's key. When the client wants a service, it sends the TGT, the name of the service, and an authenticator (its name and a timestamp encrypted with the session key) to the TGS, which is usually hosted on the same KDC. The TGS decrypts the TGT, checks the authenticator, and returns a service ticket encrypted with the service's own key together with a new session key. The client presents the service ticket and a fresh authenticator to the service, which decrypts the ticket with its long-term key and grants access; the service never contacts the KDC. Tickets carry lifetimes, so clocks must be synchronized (typically within 5 minutes).
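
To make the ticket flow concrete, here is an added Python simulation of the AS, TGS and AP exchanges; it is not code from the flashcards or from any Kerberos implementation. The symmetric seal/unseal helper built from HMAC-SHA256 is an assumption standing in for real Kerberos enctypes such as AES-CTS-HMAC, and the realm, principal, password and service name are constructed. What the simulation demonstrates is which party can open which message: the client never learns the contents of its own TGT, the service never talks to the KDC, and a wrong password fails at pre-authentication.

```python
import hashlib
import hmac
import json
import os
import time

# Toy symmetric "enctype" built from HMAC-SHA256 (keystream + tag). This is an assumption
# standing in for Kerberos's real AES-CTS-HMAC enctypes; the message flow is the point.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")  # holder of another key learns nothing
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

REALM = "EXAMPLE.COM"   # constructed realm
LIFETIME = 600          # ticket lifetime in seconds
MAX_SKEW = 300          # Kerberos's customary 5-minute clock-skew tolerance

def password_key(password: str, principal: str, realm: str) -> bytes:
    """Long-term key derived from the password, salted with realm+principal as Kerberos does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) on one host."""
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32), "http/web": os.urandom(32)}  # TGS key, service keys
        self.users = {"alice": password_key("correct horse", "alice", REALM)}

    def as_exchange(self, principal: str, preauth: bytes):
        ukey = self.users[principal]
        if abs(time.time() - unseal(ukey, preauth)["ts"]) > MAX_SKEW:  # pre-auth proves the password
            raise ValueError("clock skew too large")
        sk, exp = os.urandom(32).hex(), time.time() + LIFETIME
        tgt = seal(self.keys["krbtgt"], {"client": principal, "sk": sk, "exp": exp})
        return tgt, seal(ukey, {"sk": sk, "exp": exp})  # only the user can read the session key

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        t = unseal(self.keys["krbtgt"], tgt)  # only the KDC can open the TGT
        if time.time() > t["exp"]:
            raise ValueError("TGT expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or abs(time.time() - a["ts"]) > MAX_SKEW:
            raise ValueError("bad authenticator")
        sk2, exp = os.urandom(32).hex(), time.time() + LIFETIME
        ticket = seal(self.keys[service], {"client": t["client"], "sk": sk2, "exp": exp})
        return ticket, seal(bytes.fromhex(t["sk"]), {"service": service, "sk": sk2, "exp": exp})

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key

    def ap_exchange(self, ticket: bytes, authenticator: bytes) -> str:
        t = unseal(self.key, ticket)  # the service never contacts the KDC
        if time.time() > t["exp"]:
            raise ValueError("service ticket expired")
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or abs(time.time() - a["ts"]) > MAX_SKEW:
            raise ValueError("authenticator does not match ticket")
        return f"{t['client']} authenticated to {self.name}"

def client_login(kdc: KDC, service: Service, principal: str = "alice", password: str = "correct horse") -> str:
    """The client side of AS-REQ/AS-REP, TGS-REQ/TGS-REP and AP-REQ, in that order."""
    ukey = password_key(password, principal, REALM)
    tgt, enc = kdc.as_exchange(principal, seal(ukey, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(ukey, enc)["sk"])  # client gets the session key, not the TGT contents
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": principal, "ts": time.time()}), service.name)
    sk2 = bytes.fromhex(unseal(sk, enc2)["sk"])
    return service.ap_exchange(ticket, seal(sk2, {"client": principal, "ts": time.time()}))

def client_can_read_tgt(kdc: KDC) -> bool:
    """Shows that the TGT is opaque to the very client that holds it."""
    ukey = password_key("correct horse", "alice", REALM)
    tgt, _ = kdc.as_exchange("alice", seal(ukey, {"ts": time.time()}))
    try:
        unseal(ukey, tgt)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    kdc = KDC()
    web = Service("http/web", kdc.keys["http/web"])
    print(client_login(kdc, web))
    print("client can read its own TGT:", client_can_read_tgt(kdc))
```

Because the TGT and service ticket are readable only by the KDC and the service respectively, whoever steals them can still replay them until they expire (pass-the-ticket), which is why ticket lifetimes and the timestamp in the authenticator matter.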

14
Q

Single Sign-On

A

Lets a user authenticate once and then access multiple systems with that single identity without re-authenticating to each one. The trade-off is that one compromised session or credential opens every connected system.

15
Q

Lightweight Directory Access Protocol (LDAP)

A

A protocol for querying and modifying directory services that hold information about an organization's users, groups, devices, and their attributes (Active Directory and OpenLDAP are LDAP directories). Commonly deployed as the identity store behind an identity and access management infrastructure. Plain LDAP (TCP 389) sends bind credentials in cleartext, so LDAPS (TCP 636) or StartTLS should be used.

16
Q

Security Assertion Markup Language (SAML)

A

An XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP), usually via the user's browser. The IdP issues a digitally signed assertion about the user, which the SP validates before granting access.
Used for Federated authentication purposes.

17
Q

OpenID

A

An open standard for decentralized authentication: a relying site trusts an OpenID identity provider to authenticate the user instead of holding its own credentials. The current version, OpenID Connect (OIDC), is an identity layer on top of OAuth 2.0 that returns a signed ID token. Ex. a "Sign in with Google" button on a third-party site, or one Google login covering Gmail, YouTube, Drive, etc.
Used for Federated authentication purposes.

18
Q

OAuth

A

An open standard for delegated authorization (currently OAuth 2.0) that lets a user grant a third-party application scoped access to their resources on another site by issuing it an access token, without ever sharing their credentials with that application. On its own it is not an authentication protocol; OpenID Connect adds the identity layer.
Used for authorization of access to protected resources.

19
Q

Federation

A

Creates a trusted relationship between organizations and third parties, such as partners or application vendors, so they can share identities and authenticate users across domains.

20
Q

Identity Providers (IdP)

A

Manage the lifecycle of digital identities from creation through maintenance to eventual retirement of the identity in the systems and services it supports. Part of the federated identity deployments when paired with relying parties that trust the IdP to handle authentication and then rely on that authentication to grant access to services.

21
Q

Federation Common Terminology

A

Principal - The user
Identity Providers - Provides identity and authentication services via an attestation process in which the IdP validates that the user is who they claim to be.
Service Providers - Provides services to users whose identities have been attested to by an identity provider and then perform the requested function.
Attestation - Formal verification that something is true. A user is who they say they are because they have presented an identifier and are authorized by the IdP.
Relying Party - (RP) - Requires authentication and identity claims from an IdP

22
Q

NIST Password Guidelines

A

NIST SP 800-63B (Digital Identity Guidelines) recommends:
Emphasize length over complexity: at least 8 characters for user-chosen passwords, allow at least 64, and do not impose composition rules (required symbols or mixed case).
Accept all printable ASCII and Unicode characters, including spaces, so passphrases and password managers work.
Screen new passwords against a blocklist of common, previously breached, dictionary, and context-specific words (username, company name, service name) and reject matches.
Rate-limit or lock accounts after repeated failed attempts to stop online guessing.
Do not force periodic expiration; require a change only when there is evidence of compromise.
Do not use knowledge-based questions ("security questions") as authenticators.
Offer multi-factor authentication, and store passwords salted and hashed with a slow key-derivation function.
Traditional organizational settings that 800-63B no longer requires but many policies still include: password history (limit reuse of previous passwords), expiration dates (a required timeframe to change the password), and minimum password age (prevents a user from cycling through changes to get back to a preferred old password).

23
Q

Passwordless Authentication

A

Authentication that uses no password at all: it relies on something you have (a security token or key, a one-time-password authenticator, or a certificate) and/or something you are (biometrics). Passkeys based on FIDO2/WebAuthn are the common modern form and resist phishing because the credential is bound to the site's origin.

24
Q

Multi-Factor Authentication

A

A login process that requires proof from at least two different factor categories (two passwords are still one factor). The four factors:
Something you know - Password, PIN, or answer to a security question (the weakest category)
Something you have - Smartcard, security token, security key, one-time password authenticator
Something you are - Physical characteristics such as a fingerprint, retina or iris scan, or voice; typing speed or pattern is behavioral and is sometimes listed separately as "something you do"
Somewhere you are - Location factor based on the current location. GPS, network address, and other data can be used so that only users in an expected location can authenticate, or to flag impossible travel.

25
Q

One-Time Passwords (OTP)

A

An automatically generated numeric or alphanumeric string of characters that authenticates a user for a single transaction or login session.

26
Q

Time-Based One Time Password (TOTP)

A

Derives a one-time password (RFC 6238) by running the HOTP algorithm with the current Unix time divided by a time step (usually 30 seconds) as the counter, over a secret shared between the authenticator app and the server. Each code is valid for one time step, plus whatever small drift window the server allows, so the two sides need roughly synchronized clocks.

27
Q

Hash-Based Message Authentication Code (HMAC)-Based One-Time Password (HOTP)

A

An HMAC-based one-time password (RFC 4226) is computed from a seed value shared by the token (or HOTP code-generation app) and the validation server, plus a moving factor: a counter that increments every time a code is generated, for example when the user presses the button on a hardware token. Each code is usable once; the server keeps its own copy of the counter and must allow a look-ahead window for codes that were generated but never used, while rejecting any counter it has already accepted (replay).

28
Q

Short Message Service One-Time Password (SMSOTP)

A

A validation code sent by text message to the user's registered mobile number and valid for a single authentication. It is the weakest OTP delivery method: SIM swapping, SS7 interception, and real-time phishing can all capture the code, which is why NIST SP 800-63B classes out-of-band authentication over the public telephone network as "restricted".

29
Q

Biometrics

A

Something you are:
Fingerprints
Retina Scanning
Iris recognition
Facial recognition
Voice recognition
Vein recognition
Gait analysis

30
Q

Biometric Error Rates

A

Type I Error - False rejection rate (FRR)
- A legitimate biometric measure was presented and the system rejected it (a usability failure).
Type II Error - False acceptance rate (FAR)
- An illegitimate biometric measure was presented and was accepted when it should not have been (a security failure, so usually the rate to minimize).
Crossover Error Rate (CER), also called Equal Error Rate (EER) - The threshold setting at which FAR equals FRR; the usual single figure for comparing biometric systems (lower is better).

31
Q

Receiver Operating Characteristic (ROC)

A

Plots the trade-off between the FRR and FAR of a system as its decision threshold varies. For most systems, lowering the likelihood of false rejection raises the likelihood of false acceptance, and vice versa. Choosing the threshold (at the crossover for general use, or biased toward a low FAR where security matters more than convenience) is an important element in configuring a biometric system.
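
The trade-off this card describes can be computed directly from matcher scores. The following Python is an added example, not code from the flashcards or from any biometric product: using constructed genuine and impostor score lists from a hypothetical 0-100 fingerprint matcher, it computes FAR and FRR at every threshold, finds the crossover (CER/EER), and picks a security-biased threshold for a target FAR.

```python
from typing import List, Tuple

# Constructed match scores (0-100) from a hypothetical matcher: "genuine" are enrolled
# users presenting their own finger, "impostor" are other people's fingers.
GENUINE_SCORES = [70, 75, 80, 85, 90, 92, 95, 97, 98, 99]
IMPOSTOR_SCORES = [10, 20, 30, 40, 50, 60, 65, 72, 78, 82]


def error_rates(threshold: float, genuine: List[float], impostor: List[float]) -> Tuple[float, float]:
    """Return (FAR, FRR) when a presentation is accepted iff its score >= threshold.
    FAR (Type II): impostors scoring at or above the threshold.
    FRR (Type I): genuine users scoring below it."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def roc_points(genuine: List[float], impostor: List[float],
               thresholds=range(0, 101)) -> List[Tuple[float, float, float]]:
    """(threshold, FAR, FRR) for every candidate threshold; plotting FAR against 1-FRR is the ROC curve."""
    return [(t,) + error_rates(t, genuine, impostor) for t in thresholds]


def crossover_error_rate(genuine: List[float], impostor: List[float],
                         thresholds=range(0, 101)) -> Tuple[float, float]:
    """Threshold where FAR and FRR are closest (the CER/EER) and the rate there.
    Ties resolve to the lowest threshold. A lower CER means a better matcher."""
    best = min(roc_points(genuine, impostor, thresholds), key=lambda p: (abs(p[1] - p[2]), p[0]))
    return best[0], (best[1] + best[2]) / 2


def threshold_for_max_far(max_far: float, genuine: List[float], impostor: List[float],
                          thresholds=range(0, 101)) -> Tuple[float, float]:
    """Security-biased tuning: the lowest threshold whose FAR does not exceed max_far,
    together with the FRR (user friction) that choice costs."""
    for t, far, frr in roc_points(genuine, impostor, thresholds):
        if far <= max_far:
            return t, frr
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    for t in (60, 76, 90):
        far, frr = error_rates(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold {t}: FAR={far:.2f} FRR={frr:.2f}")
    print("crossover (threshold, CER):", crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("zero-FAR setting (threshold, FRR):", threshold_for_max_far(0.0, GENUINE_SCORES, IMPOSTOR_SCORES))
```

With these constructed scores the crossover sits at a threshold of 76 with a CER of 20 percent, and driving FAR to zero costs 30 percent false rejections; a real matcher would be evaluated on thousands of samples, but the shape of the decision is the same.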

32
Q

Account Types

A

User accounts
Privileged/Administrator accounts
Shared/Generic accounts
Guest accounts
Service accounts

33
Q

Account Provisioning

A

One of the phases of the account lifecycle when accounts are created in the system. The account is created, permissions and other attributes are assigned to the account. During provisioning, the process of identity proofing should occur to ensure that the person that the account is being created for is the person that is claiming the account.

34
Q

Onboarding

A

The Human Resources-driven process for a new hire: identity proofing, account creation, ensuring the user has the permissions appropriate for their role, and security awareness training. Its mirror image is offboarding, where access is removed on departure.

35
Q

Account Deprovisioning

A

One of the phases of the account lifecycle when accounts are deleted/terminated from the system. This process includes removing the account, permissions, access to data, files, and other artifacts as required by the organization policy. This helps ensure that dormant accounts are not available for an attacker to compromise.

36
Q

Permission Creep

A

When a user moves between roles over time and the permissions of previous roles are never removed, so access accumulates beyond what the current job requires. Periodic access reviews (recertification) and role-based provisioning that revokes old roles prevent it.

37
Q

Privileged Access Management (PAM)

A

Provides organizations the ability to manage and secure access to their most critical systems, applications, and data. Privileged accounts have elevated permissions, allowing their users to perform administrative tasks, access sensitive information, and make changes that typical users cannot, which also makes them the primary target of attackers.
Has the below characteristics:
- Just-in-time access (JIT) - Permissions are granted only when needed and revoked afterward, so nobody holds standing administrative access.
- Password vaulting - Privileged credentials are stored in a vault, rotated automatically, and injected into sessions, so users can operate a privileged account without ever knowing its password; sessions are typically recorded.
- Ephemeral account access - Temporary accounts (or temporary group memberships) with limited lifespans that are removed automatically when the window closes.

38
Q

Access Control Schemes

A

Determines which users, services, and programs can access the files or other objects a system hosts.
- Mandatory Access Control (MAC) - The operating system enforces access based on labels set by a security policy administrator (classification levels, SELinux contexts). Users cannot grant access to their own files or change the centrally set policy.
- Discretionary Access Control (DAC) - Objects like files and directories have owners, and owners may delegate rights and permissions on them as they see fit (standard Linux file permissions, NTFS ACLs).
- Role-Based Access Control (RBAC) - Privileges are attached to roles and users are assigned roles, typically matching their job title. This makes provisioning quick and access reviews tractable.
- Rule-Based Access Control (RuBAC) - Access is decided by a set of rules or access control lists (ACLs) applied to objects or resources, regardless of who the subject is. Ex. a firewall ruleset
- Attribute-Based Access Control (ABAC) - Policies evaluate attributes of the user, the resource, and the environment (time, device posture, location). Very flexible, but it can become complex when many attributes are combined.

39
Q

Role-Based Access Controls (RBAC) Rules

A

Role Assignment - Subjects can use only the permissions that match a role they have been assigned.
Role Authorization - The subject’s active role must be authorized for that subject. Prevents a subject from taking on roles they shouldn’t have access to do.
Permission Authorization - Subjects can use only permissions that their active role is allowed to use.
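
The three rules above are easy to get subtly wrong in code (checking assigned roles instead of the active role, or never revoking old roles). The following Python engine is an added example, not code from the flashcards or from any product: it enforces the rules in order and includes the access-review check that catches the permission creep described in card 36. The roles, permissions and user are constructed.

```python
from typing import Dict, Optional, Set


class RBAC:
    """Minimal RBAC engine enforcing the three rules in order:
    role assignment, role authorization, permission authorization."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Set[str]] = {}
        self.user_roles: Dict[str, Set[str]] = {}
        self.active_role: Dict[str, str] = {}  # one active role per subject (session)

    def define_role(self, role: str, *perms: str) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        """Removing a role also ends any session that had activated it."""
        self.user_roles.get(user, set()).discard(role)
        if self.active_role.get(user) == role:
            del self.active_role[user]

    def activate(self, user: str, role: str) -> None:
        """Rule 2, role authorization: a subject may activate only a role it was assigned."""
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned role {role!r}")
        self.active_role[user] = role

    def check(self, user: str, perm: str) -> bool:
        """Rules 1 and 3: with no active (assigned) role a subject has no permissions,
        and otherwise may use only the permissions of the role currently active,
        not the union of everything it has ever been assigned."""
        role: Optional[str] = self.active_role.get(user)
        return role is not None and perm in self.role_perms[role]

    def excess_roles(self, user: str, expected: Set[str]) -> Set[str]:
        """Access-review helper: roles held beyond what the current job requires (permission creep)."""
        return self.user_roles.get(user, set()) - expected


def build_demo() -> RBAC:
    """Constructed scenario: alice moved from finance to the helpdesk, but finance was never revoked."""
    rbac = RBAC()
    rbac.define_role("helpdesk", "reset-password", "unlock-account")
    rbac.define_role("finance", "approve-invoice")
    rbac.define_role("domain-admin", "create-user", "reset-password")
    rbac.assign("alice", "finance")
    rbac.assign("alice", "helpdesk")
    return rbac


if __name__ == "__main__":
    rbac = build_demo()
    print("no active role ->", rbac.check("alice", "reset-password"))  # False
    try:
        rbac.activate("alice", "domain-admin")
    except PermissionError as e:
        print("role authorization blocked:", e)
    rbac.activate("alice", "helpdesk")
    print("helpdesk active ->", rbac.check("alice", "reset-password"),
          rbac.check("alice", "approve-invoice"))                        # True False
    print("creep found in review:", rbac.excess_roles("alice", {"helpdesk"}))  # {'finance'}
```

Keeping one active role per session is what gives RBAC its least-privilege property: alice can approve invoices only after deliberately switching roles, and the review step exposes that she should no longer be able to at all.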

40
Q

Access Control Concepts

A

Time-of-Day restrictions - Limits when activities can be performed by a user. Logon hour restrictions can be configured within a Windows system account via Active Directory
Least privilege - States that accounts and users should only be provided the minimum set of permissions and capabilities that are necessary to perform their role or job function.

41
Q

Filesystem Permissions

A

Determine which accounts, users, groups, or services can perform actions like reading, writing, and executing files. Linux uses owner/group/other read, write, and execute bits (e.g. rwxr-x--- is octal 750) plus the setuid, setgid, and sticky bits; Windows uses NTFS access control lists with inherited allow and deny entries, where an explicit deny overrides allow entries. Understand both Linux and Windows file permissions.