Chapter 13- Managing Identity and Authentication (IAM) Flashcards
1
Q
- What is a subject?
A
Subject is an active entity that accesses a passive object to receive information from or data about an object.
2
Q
- Subject can be:
A
users, programs, processes, services, computers or anything that can access a resource
3
Q
- List company assets:
A
information (data), systems (IT e.g. fileserver), devices (servers, laptops), facilities (building) and personnel (staff)
4
Q
- What is an object?
A
Object is a passive entity that provides information to active subjects.
5
Q
- Examples of objects are:
A
files databases, computers, programs, processes, services, printers and storage media.
6
Q
- What is the primary reason why organizations implement access control mechanisms?
A
to prevent losses.
7
Q
- There are 3 categories of IT losses:
A
Loss of confidentiality, Integrity and Availability
8
Q
- List security Triad (aka AIC triad, CIA Triad):
A
Confidentiality, Integrity and Availability.
9
Q
- What is confidentiality?
A
Access Controls help ensure that only authorised subjects can access objects.
10
Q
- What is integrity?
A
Integrity ensures that data or system configurations are not modified without authorization or that is authorized changes occur security controls detect the changes.
11
Q
- What is availability?
A
Availability means that authorised requests for objects must be granted to subjects within a reasonable amount of time.
12
Q
- Types of access control:
A
corrective, preventive and detective.
13
Q
- What is Access Control?
A
Access Control is any hardware, software, administrative policy or procedure that controls access to resources.
14
Q
a
A
a
15
Q
- List 4 other types of control
A
a
16
Q
- What is Preventive Control:
A
Preventive Control attempts to thwart or stop unwanted or unauthorised activity from occurring
17
Q
- What is Detective Access Control?
A
Detective attempts to discover or detect unwanted or unauthorised activity.
18
Q
- What is Corrective Access Control:
A
Corrective Control modifies the environment to return the systems to normal after an unwanted or unauthorised activity has occurred.
19
Q
- What are Deterrent Control?
A
Deterrent Access Control attempts to discourage security policy violations. it is very similar to preventive controls but depends on individuals deciding not to take unwanted action.
20
Q
- What is Recovery Access Control?
A
Recovery Access Control attempts to repair or restore resources, functions and capabilities after a security policy violation.
21
Q
- What is Directive Access Control?
A
Directive Access Control attempts to direct, confine or control the actions of subjects to force or encourage compliance with security policies.
22
Q
- What are Compensating Access Control
A
A compensating Access Control provides an alternative when it is not possible to use a primary control. or when necessary to increase the effectiveness of a primary control.
23
Q
- List access control types based on implementations:
A
physical, technical and administrative
24
Q
- What are Administrative Access Controls?
A
Administrative Access controls are policies and procedures defined by an organisation’s security policy and other regulations or requirements. They are sometimes referred to as management controls.
25
25. What is Logical or Technical Access Control?
Logical Access Control are the hardware or software mechanisms used to manage access and to provide protection for resources and systems. e.g. authentication methods, encryption, access control lists
26
26. What is Physical Control?
Physical Access Control are item that you physically touch. They include physical mechanisms deployed to prevent, monitor or detect direct contact with systems or areas within a facility. e.g. mantraps, motion detectors, badges etc.
27
27. What is Identification?
Identification is the process of a subject claiming or professing an identity. e.g. typing a user name, swiping a smartcard
28
28. What is Authentication?
1. Authentication verifies the identity of the subject by comparing one or more factors against a database of valid identities.
29
29. What is a single two step process?
A single two-step process occurs when identification and authentication occur together. Without both, a subject cannot gain access to a system.
30
30. What is Authorization?
Authorization is a process where subjects are granted access to objects based on proven identities
31
What is accountability?
Accountability means that Users and other data subjects can be held accountable for their actions when auditing is implemented.
32
32. Audit logs provide________:
Non Repudiation
33
33. List all or nothing aspects of access control:
identification and authentication because you either pass or fail with this.
34
34. Auditing, logging and monitoring provide ________:
Accountability.
35
35. List 3 authentication factors:
* Type 1 (weak): Something you know e.g. pin
* Type 2: Something you have e.g. smartcard, token
* Type 3 (stronger): Something you are or do e.g. fingerprints, keystroke dynamics i.e. behavioural biometrics.
* *Somewhere you are- identifies subject’s location.
36
36. Describe Context-Aware Authentication.
. Mobile Device Management (MDM) systems use context-aware authentication to identify mobile device users. It can identify multiple elements such as the location of the user, the time of day, and the mobile device. If the user meets all the requirements (location, time, and type of device in this example), it allows the user to log on using the other methods such as with a username and password.
37
37. What is Cognitive Password?
Cognitive Password is a series of challenge questions about facts or predefined responses that only the subject should know. e.g. What is your mother’s maiden name?
38
38. Describe smartcards:
Smartcards is a credit-card sized ID or badge and has integrated circuit chip embedded in it. It is used for identification and authentication purposes.
• Most current smartcards include a microprocessor and one or more certificates.
39
39. What are hardware tokens?
Hardware tokens are password generating devices that users carry with them.
40
40. List 2 types of tokens:
Hardware tokens are password generating devices that users carry with them.
41
41. What are Synchronous Dynamic Password Tokens?
Synchronous Dynamic passwords are time based and synchronized with an authentication server
42
42. What are Asynchronous Dynamic Password Token?
Asynchronous Dynamic Password Tokens generates passwords based on an algorithm and an incrementing counter.
43
43. What are hardware token problems:
if the token or hardware breaks users will not be able to gain access.
44
44. List the standards that 2 step authorization use:
Hash Message Authentication Code (HMAC) One-Time Password (HOTP)
• Time-based One Time Passwords (TOTP)
45
45. What is Hashed Message Authentication Code One-Time Passwords (HOTP)?
Hashed Message Authentication Code (HMAC) use HMAC-One Time Passwords to create onetime passwords. HOTP remains valid until used.
46
46. What are Time One Time Passwords (TOTP)?
Timed One Time Passwords are valid for a certain timeframe and expires if not used.
47
47. What is the difference between Retina Scans and Iris scans?
Retina scans focus on the pattern of blood vessels at the back of the eyes while IRIS scans focus on the coloured area of the eyes.
48
48. What is False rejection?
False Rejection occurs when a valid user is not authenticated. This also called False Negative.
49
49. What is False Acceptance Rate?
False Acceptance occurs when an invalid subject is authenticated. This also known as false positive or Type II error.
50
50. What is False Rejection Rate (FRR):
False Rejection Rate (FRR) is the ratio of false rejections to valid authentications.
51
51. What is False Acceptance Rate?
False Acceptance Rate (FAR) is the ratio of false positives to valid authentications.
52
52. What is Enrolment (Registration) of biometrics?
Enrolment or Registration allows a biometric device to work as an identification and authentication mechanism
53
53. What is Reference Profile?
Reference Profile or Template is the stored sample of a biometric factor.
54
54. What is the throughput rate for biometrics?
The throughput rate is the amount of time the system requires to scan a subject and approve or deny access.
55
55. What is multi-factor authentication?
this is any authentication using 2 or more factors
56
56. What is Centralised Access Control?
Centralised Access Control implies that all authorisation verification is performed by a single entity within the system.
57
57. What is decentralised Access Control
Decentralised Access control implies that various entities throughout a system perform authorization verification. (Distributed Access Control).
58
58. What is Single Sign On (SSO)?
Single Sign On is a centralised access control technique that allows a subject to be authenticated once on a system and to access multiple systems without authenticating again
59
59. Disadvantage of Single Sign On (SSO)?
Once an account is compromised an attacker gains unrestricted access to all other authorised resources
60
60. Public-Key Infrastructure (PKI) uses ______ when integrating digital certificates into transmission.
Lightweight Directory Access Protocol (LDAP)
61
61. What is Public Key Infrastructure?
This is a group of technologies used to manage digital certificates during a certificate lifecycle
62
62. ________ and __________ can be used to support single sign on capabilities:
Lightweight Directory Access Control (LDAP) and Centralised access control systems.
63
63. what is ticket Authentication?
Ticket Authentication is a mechanism that employs third party entity to prove identification and provide authentication. the most common ticket system is Kerberos.
64
64. What is Kerberos?
Kerberos is a single sign on solution for users and provides protection for log on credentials.
• Kerberos provides confidentiality and integrity for authentication traffic.
• it helps protect against eavesdropping and replay attacks.
65
65. List 5 key elements of Kerberos:
```
Key Distribution Center
• Kerberos Distribution Center (KDC)
• Kerberos Authentication Server
• Ticket-Granting Ticket (TGT)
• Ticket
```
66
66. What is Key Distribution Center (KDC)?
Key Distribution Center is a trusted third party that provide authentication services. Uses symmetric cryptography.
67
67. What is Kerberos Authentication Server?
Kerberos Authentication Server hosts the function of the key Distribution Center (KDC): a Ticket Granting Service (TGS) and Authentication Service (AS)
68
68. What is Ticket Granting Ticket (TGT):
a Ticket Granting Ticket (TGT) provides proof that a subject has authenticated through a Key Distribution Center (KDC) and is authorised o request tickets to access other objects.
69
69. What is a ticket?
A ticket is an encrypted message that provides proof that a subject is authorised to access an object.
70
70. Disadvantage of using Kerberos?
Single Line of Failure if it stops working.
71
71. What is Security Assertion Markup Language (SAML)?
Security Assertion Markup Language (SAML) is an XML based language that is used to exchange authentication and authorisation between federated organisations. it is used to provide SSO for browser access.
72
72. What are Credential Management Systems?
Credential Management System provides a storage space for users to keep their credentials when Single Sign On is not available.
73
73. What is Identity as a Service (IDaaS)?
Identity as a Service or Identity and access as a service (IDaaS) is a third party service that provides identity and access management.
• IDaaS effectively provides SSO for the cloud and is especially useful when internal clients access cloud-based software as a service (SaaS) applications. e.g. google, Office 365
74
74. What are AAA Protocols?
Protocols that provide Authentication, Authorisation and Accounting are referred to as AAA Protocols.
• These provide centralized access control with remote access systems such as virtual private networks (VPNs) and other types of network access servers.
75
75. What is Remote Authentication Dial-in User Service (RADIUS)?
Remote Authentication Dial-in User Service centralizes authentication for remote connections. Many internet service providers (ISPs) use RADIUS for authentication.
• RADIUS uses the User Datagram Protocol (UDP).
76
76. What is Terminal Access Controller Access Control Systems (TACACS+)?
Terminal Access Controller Access Control Systems was introduced as an alternative to RADIUS.
• It separates authentication, authorization, and accounting into separate processes, which can be hosted on three separate servers if desired.
• TACACS+ encrypts all of the authentication information.
• TACACS and XTACACS use UDP port 49
• TACACS+ uses Transmission Control Protocol (TCP) port 49.
77
77. What is Diameter?
It supports a wide range of protocols, including traditional IP, Mobile IP, and Voice over IP (VoIP).
• Diameter uses TCP port 3868 or Stream Control Transmission Protocol (SCTP) port 3868
• It also supports Internet Protocol security (IPsec) and Transport Layer Security (TLS) for encryption.
78
78. What is excessive privilege?
excessive privilege occurs when users have more privileges than their work tasks dictate. Unnecessary privileges should be revoked.
79
79. What are creeping privileges?
Creeping privileges (privilege creep involves a user account accumulating privileges over time as job roles and assigned tasks change but unnecessary privileges are never removed.
80
80. What is the principle of Least Privilege?
The principle of least privilege ensure that subjects are granted only the privileges that they need to perform their wok tasks and job functions but no more.
81
a
a
82
a
a
83
a
a
84
a
a
85
a
a
