701 - Chapter 2 Flashcards

1
Q

Within the access control process, what is the process of tracking user activity and recording the activity in the logs? This activity along with related others creates what?

A

Accounting, audit trail

2
Q

What are the three main authentication factors, and what is the fourth?

A

Something you know, something you have, something you are… Somewhere you are

3
Q

Something you know typically refers to what?

A

A shared secret… Such as a password or a PIN

4
Q

What are the current password recommendations per Microsoft, NIST, and the US DHS?

A

Hash all passwords, require MFA, don’t require mandatory password resets, require passwords to be at least eight characters, check for common passwords and prevent their use, tell users not to use the same password on more than one site, allow all special characters, including spaces, but don’t require them

5
Q

What are the four common character types included in passwords?

A

Uppercase, lowercase, numbers, special characters

6
Q

True or false: the best practice for password security is to have password expiration policies?

A

False… Allowing users to keep their passwords for as long as they like is considered best practice, because the thinking is they will use a very strong password when only having to choose it one time

7
Q

True or false: a password is considered complex if it uses at least three of the four character types?

A

False, complex passwords will use a mix of all four character types

8
Q

What is the minimum number of days before a password can be changed called?

A

Password age

9
Q

What remembers past passwords for users and prevents them from reusing them?

A

A password history system

10
Q

What is a single source designed to keep most of your passwords?

A

Password manager or password vault

11
Q

What is KBA and what are the two types?

A

Knowledge-based authentication… static and dynamic

12
Q

How is static KBA used?

A

For users with an account, it’s the security questions and answers

13
Q

How is dynamic KBA mostly used?

A

For users without an account, the site will query public and private data sources, like credit reports, vehicle registrations, and taxes, to craft multiple-choice questions that only the user would know. In addition, there is a limited amount of time in which to answer these questions.

14
Q

What is the use of dynamic KBA to verify a new user's identity when they are creating an account for the first time? And what is this an important step for?

A

Identity proofing…the provisioning process

15
Q

What is the maximum number of times a user can enter the wrong password called? And what is the length of time an account remains locked called?

A

Account lockout threshold and account lockout duration

16
Q

Account lockout policies are meant to thwart what type of attacks?

A

Brute force and dictionary attacks

17
Q

What are the four things that a smart card provides?

A

Confidentiality, integrity, authentication, non-repudiation

18
Q

True or false: smart cards provide two-factor authentication?

A

True… Something you have and something you know

19
Q

A random number that is provided to you and that you then provide to an authentication server is called what?

A

One-time password (OTP)

20
Q

Hard tokens and soft tokens both use what?

A

One-time passwords (OTP)

21
Q

What are the two different ways that tokens remain in sync with authentication servers regarding generating OTPs?

A

HMAC-based one-time password (HOTP) and time-based one-time password (TOTP)

22
Q

When does a HOTP password expire? And when does a TOTP expire?

A

A HOTP does not expire until it is used; a TOTP expires after 30 to 60 seconds

23
Q

True or false: SMS for two-step authentication is very secure?

A

False, its use is discouraged.

24
Q

What is the notification called that, instead of using a code, asks the user to acknowledge the request on their phone?

A

Push notification

25
Smart cards, security keys, hard tokens, soft tokens, SMS, and push notifications are all examples of what with regard to two-factor authentication?
Something you have
26
What measures some physical characteristic of the user to confirm their identity?
Biometrics
27
True or false: biometrics are the strongest form of authentication because they are the most difficult for an attacker to falsify?
True
28
Name the seven biometric methods…
Fingerprints, vein matching, retina imaging, iris scanners, facial recognition, voice recognition, gait analysis
29
Which of the biometric methods is used at many passport-free border crossings around the world?
Iris scanners
30
What uses the facial recognition system?
iPhones
31
What two methods of biometrics are the strongest?
Iris and retina scans
32
What two biometric methods are passive and can even bypass the enrollment process when used for identification instead of authorization?
Facial recognition and gait analysis
33
What are the four possible results for a biometric system when attempting to authenticate the user?
False acceptance (FAR), false rejection (FRR), true acceptance, true rejection
34
What is the metric that refers to the performance of the biometric system under ideal conditions called?
Efficacy rate
35
Increasing the sensitivity of a biometric system does what to the FAR and what to the FRR?
Decreases and increases
36
What is the point where the FAR and the FRR cross?
The crossover error rate (CER)
37
What do many authentication systems use for geolocation with somewhere you are?
The IP address
38
True or false: using two methods in the same authentication factor, for example something you know, is still two-factor authentication?
False… Two-factor authentication uses two different authentication factors, for example something you have and something you know
39
True or false: passwordless authentication is not necessarily multifactor authentication?
True, it can still be a single factor, something you have or something you are
40
What is usually logged in the authentication log for a user login attempt?
What happened (success or failure), when it happened, where it happened (typically an IP address or computer name), and who (which refers to the user account)
41
This type of account is for regular users or for the personnel working in that organization?
Personnel or end user accounts
42
This account type is a privileged account that has additional rights and privileges beyond what a regular user has? For Linux systems, what is this account called?
Administrator and root accounts
43
This account type allows an application to run under its context?
Service account
44
This account type is for computers and other devices?
Device account
45
This account type is for external entities that have access to your network?
Third-party accounts
46
This account type is included with Windows by default and allows limited access to a computer or network?
Guest account
47
This account type can be used by temporary workers and will be shared; these accounts are also discouraged for normal work?
Shared and generic account/credentials
48
This type of system implements stringent security controls over accounts with elevated privileges, such as administrator or root level accounts?
Privileged access management (PAM) systems
49
What is the concept of granting permissions at time of need? And what systems tend to use this concept?
Just-in-time permissions… PAM systems
50
What is a temporary account that is issued for a limited period of time and then destroyed when the user is finished with their work called?
Temporal accounts
51
What are the five capabilities of a PAM system?
Allow users to access the privileged account without knowing the password, automatically change privileged account passwords, limit the time users can use the privileged account, allow users to check out credentials, log all access of credentials
52
PAM systems protect against what type of attack?
One where an attacker gets access to an administrative account and password
53
What is common for administrators to have with regard to accounts?
To have two accounts, one as a regular day-to-day user and the other is the administrator account
54
An administrator having two accounts minimizes what risk by using their normal day-to-day account?
Privilege escalation, where malware can assume the privileges of the logged-in account
55
What is the process used to disable a user's account when they leave the organization?
Deprovisioning
56
Why is an account initially disabled rather than deleted?
Disabling the account ensures that the data associated with it remains available. One example is the security keys associated with that account that are used for encryption.
57
What is it called when a user can only log on to computers during specific times?
Time based logins or time of day restrictions
58
What is the process an organization will perform that looks at the rights and permissions assigned to users and helps enforce the least privilege principle?
An account audit or permission auditing review
59
What is a common problem that violates the principle of least privilege and occurs when a user is granted more and more privileges due to changing job requirements, but the unneeded privileges are never removed?
Privilege creep
60
What is the formal process for reviewing user permissions called?
Attestation
61
This review looks at the logs to see what users are doing, and it can be used to re-create an audit trail?
A usage audit review
62
What refers to a user's ability to log on once and access multiple systems without logging on again?
Single sign on
63
What does SSO use for additional logins after the first sign on?
A secure token for authentication
64
What is the power behind SSO systems?
Their interoperability with the many operating systems, devices, applications, and services used in an organization
65
What is a core component of many single sign-on systems?
LDAP, or Lightweight Directory Access Protocol
66
What is it called when two or more separate organizations want to utilize SSO? And what do they need for it to work?
Federation… a federated identity management system
67
What can be used for SSO on web browsers and can act as a federated identity management system for them?
Security Assertion Markup Language (SAML)
68
What standard is SAML based on?
XML
69
What are the three objects defined by SAML?
The principal (which is typically a user), an identity provider, and a service provider
70
In SAML, this role creates, maintains, and manages identity information, authentication, and authorization for principals?
Identity provider
71
In SAML, this is the entity that provides services to the principals?
Service provider
72
This is an open standard for authorization that many companies use to provide secure access to protected resources?
OAuth
73
This authorization model uses roles based on jobs and functions?
Role-based access control (role-BAC)
74
What are two other names used for role-BAC?
Hierarchy-based and job/task/function-based
75
What is a planning document that matches roles with the required privileges in role-BAC?
A roles and permissions matrix
76
An implementation of role-BAC based on organizational groups is called what?
Group-based privileges
77
What is a benefit of group-based privileges?
They reduce the administrative workload of access management, as users assigned to a group automatically inherit the privileges assigned to that group
78
This authorization model uses a set of approved instructions such as an ACL?
Rule-based access control (rule-BAC)
79
What is a common example where rule-BAC is used?
Routers and firewalls
80
How can an IPS extend rule-BAC?
By using rules that can trigger a response to an event, such as modifying an ACL after detecting an attack or granting additional permissions to a user in certain situations
81
What is the access control where objects have an owner and the owner establishes access to those objects? What is a common example?
Discretionary access control (DAC)… Windows NTFS
82
What is a deny by default policy? And what is another name for that?
If allow access is not granted, the system denies access by default… An implicit deny
83
This form of access control uses labels that are assigned to both subjects and objects, which must match for access to be granted?
Mandatory access control (MAC)
84
This version of Linux uses MAC?
Security-Enhanced Linux (SELinux)
85
What does a MAC scheme use to define and illustrate different levels and labels of security to classify both users and data?
A lattice
86
One other restriction that a MAC scheme provides is what?
A restriction based on need to know
87
This form of access control evaluates attributes and grants access based on the value of those attributes?
Attribute-based access control (ABAC)
88
What commonly uses ABAC access control?
Software-defined networks (SDN)
89
With ABAC, what are the rules called?
Policy statements
90
What are the four elements in an ABAC policy statement?
Subject, object, action, environment
91
When reviewing authentication logs, what are some of the key things that you should be looking out for?
Account lockouts, concurrent session usage, impossible travel time, blocked content, resource consumption, resource inaccessibility, log anomalies