Chapter 3: Investigating Identity and Access Management Flashcards by Dakota Edmunds

This is the process of maintaining the log files that monitor when users login and log out.

Accounting

How well did you know this?

Not at all

Perfectly

This is an entity that can validate that the credentials that are present are valid. This identity could be a certificate, token, or details such as a username or password.

Identity Provider

How well did you know this?

Not at all

Perfectly

Username
Attribute
Smart Card
Certification
Token
SSH Keys

The following can be used when accessing a person’s identity as it needs to be unique to them:

How well did you know this?

Not at all

Perfectly

This can be digital that can either be a SAML used for federation services or a token used by Open Authentication (OAuth).

Token

How well did you know this?

Not at all

Perfectly

These are used by an administrator using a secure connection to the server. First of all, the public and private key pair is made. The public key is stored on a server, and the private key is stored on the admin’s desktop.

SSH Keys

How well did you know this?

Not at all

Perfectly

This identifier is linked to the account to grant access to the network in a Microsoft Active Directory environment. Once the account with this identifier is deleted, the identifier can never be used again and a new one will need to be created.

Security Identifier

How well did you know this?

Not at all

Perfectly

This type of account has no real access. This type of account cannot install software – they give users limited access to the computer systems. There are two type of this account– one for the local machine and one for the domain.

User Account

How well did you know this?

Not at all

Perfectly

This type of account is a legacy account that was designed to give limited access to a single computer without the need to create a user account. It is normally disabled because it can be seen as a security threat.

Guest Account

How well did you know this?

Not at all

Perfectly

This type of account is given to external speakers who need access to the internet while delivering their presentation.

Sponsored Guest Account

How well did you know this?

Not at all

Perfectly

TIP

A guest speaker should be allocated a sponsored guest account.

TIP

How well did you know this?

Not at all

Perfectly

This type of account has a much higher access to the system and tend to be used by members of the IT team. Administrators are an example of this type of account.

Privilege Account

How well did you know this?

Not at all

Perfectly

This type of account can install and manage the configuration of a server or a computer. This type of account has the privilege to create, delete, and manage user accounts. An Administrator should have two type of accounts – a user account for routine tasks, and then an admin account to carry out their admin duties.

Administrative Account

How well did you know this?

Not at all

Perfectly

When software is installed on a privilege computer or server, it will need a higher level of privilege to run the software, but at the same time, we need a lower-level admin account so this type of account fits the bill.

Service Account

How well did you know this?

Not at all

Perfectly

TIP

A service account is a type of administrator account used to run an application.

TIP

How well did you know this?

Not at all

Perfectly

This type of account is for when a group of people perform the same duties, such as members of customer services, they can use this type of account. If you are trying to monitor or audit individual employees, then you cannot use this type of account.

Shared Account

How well did you know this?

Not at all

Perfectly

This type of account are default admin accounts created by manufacturers for devices ranging from baby alarms to smart ovens and smart TVs. They all have default usernames and passwords. This becomes a problem for cybercrime because account credentials can be searched online easily, so it is advised to change the username and password associated with those default accounts.

Generic Accounts

How well did you know this?

Not at all

Perfectly

TIP

If you do not change the password and username for household devices, known as IOT, it is possible for a cybercriminal to hack your home.

TIP

How well did you know this?

Not at all

Perfectly

This type of token requires time synchronization, because the password needs to be used in a very short period of time, normally between 30 and 60 seconds. It could be used when you want to access secure cloud storage or your online bank account:

Time-Based One-Time Password (TOTP)

How well did you know this?

Not at all

Perfectly

This type of token is a one-time password. The main distinguishing factor is that there is no time limit.

HMAC-Based One-Time Password (HOTP)

How well did you know this?

Not at all

Perfectly

This is similar to a CAC, but it is used by federal agencies rather than the military.

Personal Identity Verification (PIV)

How well did you know this?

Not at all

Perfectly

This is a port-based authentication protocol that is used when a device is connected to a switch or when a user authenticates to a wireless access point. Authentication is normally done by a certificate.

1EEE 802.1x

How well did you know this?

Not at all

Perfectly

This location-based authentication can be used to block any attempt to login outside of the locations that have been determined as allowed regions. Geolocation can track your location by your IP address and the ISP that you are using.

Context-Aware Location

How well did you know this?

Not at all

Perfectly

This location-based authentication can be used to identify where your phone is located by using Global Positioning System (GPS).

Smart Phone Location Services

How well did you know this?

Not at all

Perfectly

This location-based authentication is a security feature used by cloud providers such as Microsoft with their Office 365 package to prevent fraud. If someone logs in from Toronto and thirty minutes later log into the service from Las Vegas, their login attempt will be blocked.

Impossible Travel Time

How well did you know this?

Not at all

Perfectly

This location-based authentication is also used by cloud providers where they have a database of the devices used by each user. An email will be sent when the system cannot identify the device used to log in.

Risky Login

This is an additional layer of security where the user is authenticated and a SMS message is sent to the user's phone. They then insert the code that was sent via message and are authenticated; this is has a time limit.

SMS Authentication

This technology authentication method can vary from a hardware that has received a one-time password to the fob or card used to gain access to a building via a card reader.

Token Key

An email is sent to the user when access to their systems has been received by an unusual device; for example, if I access Dropbox from a friend's laptop.

Push Notification

This authentication technology method will trigger a phone when someone has accessed a system.

Phone Call

This authentication technology method is an internet standard where the server signs a token with its private key and sends it to a user to prove who they are. It can also be used to digitally sign documents and email. It is used by Open Authentication (OAuth).

JavaScript Object Notation Web Token (JWT)

These codes change after a period of time, like a PIN for a smart card. These are commonly used by broadband engineers.

Static Codes

This could be using Kerberos, who completes a Ticket Granting Ticket session that results in a ticket that can be exchanged to give access to applications. It could also be used for certificate-based authentication or, in the case of the cloud, use conditional access to gain access to applications.

Authentication Applications

This looks like a USB device and works in conjunction with your password to provide multifactor authentication. An example would be YubiKey.

Password Keys

These chips are normally built into motherboards of a computer and they become useful when you are using Full Disk Encryption (FDE).

Trusted Platform Module (TPM)

This is normally used by financial institutions, banks, or email providers to identify someone when they want a password reset. Two different type of this authentication management: - Static KBA - Dynamic KBA

Knowledge-Based Authentication (KBA)

These are questions that are common to the user. For example: " What is the name of your first school?" These are pretty weak.

Static KBA

These are deemed to be more secure because they do not consist of questions provided beforehand.

Dynamic KBA

This is an authentication framework allowing point-to-point connections. These are commonly used with wireless communication.

Extensible Authentication Protocol (EAP)

This is a version of EAP that encapsulated the EAP data and made it more secure for WLANS.

Protected Extensible Authentication Protocol (PEAP)

This form of EAP was developed by Cisco. It does not use certificates, but protected access credentials instead. It is used in wireless networks.

EAP-FAST (Flexible Authentication via Secure Tunneling)

This form of EAP needs X509 certificates installed on endpoints for authentication.

EAP-TLS

This form of EAP needs the certificates to be installed on the server. It creates a tunnel for the users' credentials to travel through.

EAP-TTLS

This server is UDP-based and it authenticates servers such as VPN servers, Remote Access Servers (RAS) servers, and 802.1x authenticating switch. This server could be used to check any remote access policies and verify that authentication was allowed by contacting the domain controller.

RADIUS Server

These clients could be VPN servers, RAS servers, and the 802.1x authentication switch. Each of these clients needs a private key that is sometimes known as the session key or shared secret to join the RADIUS environment. RADIUS authentication uses UDP port 1812 RADIUS accounting uses UDP port 1813

RADIUS Clients

This is a more modern version of RADIUS that works on TCP. Diameter is the AAA server that uses EAP.

Diameter

This is the Cisco AAA server that uses TCP, and uses TCP port 49 for authentication.

TACACS+

Allows someone working remotely, either from a hotel room or home, to connect securely through the internet to the corporate network.

Virtual Private Network (VPN)

This is a legacy protocol that pre-dated the VPN. This client used modems and a dial-up network using telephone lines. It was very restricted in speed.

Remote Access Services (RAS)

There are numerous methods of authentication used by VPN or RAS: - Password Authentication Protocol (PAP) - Challenge Handshake Authentication Protocol (CHAP) - MS CHAP/MSCHAP version 2

Authentication for VPN/RAS

This authentication method for a VPN or RAS should be avoided at all costs as the passwords are transmitted as clear text and can easily captured.

Password Authentication Protocol (PAP)

This authentication method for a RAS server is done with a four-stage process: 1. Client makes connection request to RAS 2. RAS replies with challenge that is a random string. 3. Client uses password as encryption key to encrypt challenge. 4. RAS encrypts the original challenge with a password stored for the user. If both values match, the client logs in.

Challenge Handshake Authentication Protocol (CHAP)

This is Microsoft's version of MS CHAP. This is the newer version of MS CHAP and can be sued by both VPN and RAS.

MS CHAP/MSCHAP version 2

This is a solution that helps protect the privilege accounts within a domain, preventing attacks such as pass the hash, pass the ticket, and privilege escalation. This gives visibility in terms of who is using privilege accounts and what tasks they are being used for.

Privilege Access Management (PAM)

This is a remote forest that has a very high level of security.

bastion forest

Gives the admin just enough privileges to carry out a certain task.

Just Enough Administration (JEA)

Manages the users in groups. These store objects such as users and computers as x500 objects. These objects form what is called a distinguished name and are organized and stored by the _____. It is comprised of three different objects, DC (Domain), Organization Unit (OU), and CN(anything else). ____ is the active directory storeman responsible for storing the X500 objects.

Lightweight Directory Access Protocol(LDAP)

This is the Microsoft authentication protocol introduced with the release of Windows Server 2000. It is the only authentication protocol that uses tickets, Updated Sequence Numbers, and is time stamped. If ____ authentication fails, this is normally down to the user's computer or device clock being out of sync with the domain controller by 5 minutes or more.

Kerberos

This is the process for Kerberos for obtaining your service tickets. This is where the user sends their credentials to a domain controller that starts the authentication process and, when it has been confirmed, it will send back a service ticket that has a 10 hour lifespan.

Ticket Granting Ticket (TGT)

This can be placed on your LAN to keep the domain computers and servers in sync with each other.

Network Time Protocol (NTP)

This is used to prove who the user is. It exchanges their service ticket for a session ticket. The server then allows them access to the resources.

Service Ticket

This provides a single sign-on as the user needs to log in only once. It then uses the service ticket to prove who they are, and a session ticket is returned

Single Sign-On/Mutual Authentication

This is a legacy authentication protocol that stores passwords using the MD4 hash that is very easy to crack. It is susceptible to the pass-the-hash attack. Kerberos prevents the pass-the-hash attack as it uses an encrypted database.

NT Lan Manager (NTLM)

This is where you have a parent domain and maybe one or more child domains that trust one another so long as the conditions allow it: these are called trees. For example, between the parent domain and each child domain is a two-way transitive trust, where resources can be shared two ways. Since the parent domain trusts both child A and Child B, it can be said that Child A and Child B transitively trust each other as long as admin for each allow it.

Transitive trust

A term used for a domain; it could be a parent or a child domain.

trees

TIP You need to remember that Kerberos is the only authentication protocol that uses tickets. It also prevents replay attacks as it uses USN numbers and timestamps. It can also prevent pass-the-hash attacks.

TIP

TIP When the exam mentions a third-party authentication, this can only mean federation services. Federation services require cookies to be enabled.

TIP

This kind of service is used when two different companies want to authenticate between each other when they participate in a joint venture. The companies don't want to merge but rather keep their identity and have their own management in place. These are known as third-parties. Each company has their own directory database and normally only has access to their respective domain, but with this type of trust, they can use each others' domains as long as they have alternative credentials.

Federation Services

These are extended attributes used by their directory services. They are, in addition to the basic attributes, comprising of the following: Employee ID Email Address

User-Extended Attributes

it is a XML-based authentication, which is used to pass the extended attribute credentials between company A and Company B in a federation service setup.

Security Assertion Mark-up Language (SAML)

Mr. Red from Company A wants access to limited resources from Company B so he contacts them through a web browser and Company B asks him for his Employee ID and password. Company B now uses the SAML to pass authentication details of Mr. Red to Company A. Mr. Red's domain controller confirms that they are correct then Company B sends out a certificate to Mr. Red's laptop. This certificate is used next time for authentication. They could alternatively use cookies.

Federation Services - Authentication and Federation Services - Exchange of Extended Attributes

TIP When the exams mentions authentication using extended attributes, this can only mean federation services. Cookies used for authentication would also be federation services.

TIP

This is an open source federation service product that uses SAML authentication. It would be used for small federation service environment. This can also use cookies alternatively.

Shibboleth

This is used in a domain environment. This is where someone logs into the domain and then can access several resources. such as the file or email server, without needing to input their credentials again. Federation services and Kerberos is a good example of ____.

Single Sign-on (SSO)

Provides authorization to enable third-party applications to obtain limited access to a web service.

OAuth 2.0

This open authentication method uses OAuth to allow users to log in to a web application without needing to manage the user's account. It allows users to authenticate by using their google, Facebook, or Twitter account.

Open ID Connect

- Fingerprint Scanner - Retina Scanner - Iris Scanner - Voice Recognition - Facial Recognition - Vein - Gait Analysis

Authorization via Biometrics

Released with Windows 10, it uses an infrared camera making it better than regular cameras as they can have trouble with lighting.

Windows Hello

It accepts unauthorized users and allows them to gain access. This is known as a Type ll error. Unauthorized users are allowed; look for the middle letter as an A.

False Acceptance Rate (FAR)

It is where legitimate users who should gain access are rejected and cannot get in. This is known as a Type l error. Authorized users are rejected; look for the middle letter as an R.

False Rejection Rate (FRR)

TIP When looking at FAR or FRR, remember to look at the middle letter. Authorized users are rejected, the middle letter in FRR is R for reject. Unauthorized users are allowed so we look for the middle letter being A therefore we get FAR. Remember Authorized that starts with A does not belong to FAR that has an A as the middle letter. A does not select A.

Tip

This is where the FAR and FRR are equal. If you are going to purchase a biometric system, you need a system that has a low CER.

Crossover Error Rate (CER)

With a biometric system, you would want one with a low efficacy rate. This can be measured by looking at the CER point. You need a device with a low efficacy rate and a CER of less than 5%.

Efficacy Rates

Could be more than two different factors; it just means multiple factors.

Multi-Factor Authentication

This would be username, PIN, or your dare of birth;

Something You Know

Biometric authentication

Something You Are

Things like swiping a card, inserting your signature, or your gait.

Something You Do

The location you are in.

Somewhere You Are

Security Token, key fob, Date of birth.

Something You Have

This is made easy by the use of proximity cards, while guards on reception can also control access to the company. We can apply multi-factor authentication by using smart card authentication.

On-Premises Authentication

This method should adopt a zero-trust model, where every connection is deemed to be a hacker as we cannot see who is logging. We could then use conditional statements to prove who is the person logging in, by using if-then statements. The three areas of conditional access are Signal, Decision, and Enforcement.

In The Cloud Authentication

This could be user or group, location, device, calculated risk, and the application that needs to be accessed.

Signal

This could range from allow to block, or require multifactor authentication (MFA).

Decision

Access to the application that has been approved.

Enforcement

These providers have a central database of the devices that a person uses to log in. If the system deems that the device cannot be approved, it will notify user of a risky login. If that is not approved, the user will be denied.

Cloud Service Providers (CSPs)

TIP In the Sec+ exam, when people move department, they are given new accounts and the old account remains active until it has been disabled.

TIP

Employing Leaving Extended Absence Period Guest Account

Reasons for Disabling an Account

Process where an auditor will review all the user accounts. If auditor finds anything wrong, they will report their findings to management. They are the snitch.

Account Recertification

Ensuring that account are created in accordance with the standard naming convention, disabled when the employee initially leaves, and then deleted after a certain time period has been reached.

Account Maintenance

If you want to know immediately when there is a change to a user account, such as it being given higher privileges, then you need active account monitoring or you need to set up a SIEM system.

TIP

This system is used for real-time monitoring and can be used to aggregate, decipher, and normalize non-standard log formats; The only time this system will not provide the correct information is when the wrong filters are used or where we scan the wrong host

Security Information and Event Management

- Account Management - Account Expiry - Time and Day Restriction - Account Lockout

SEIM Filters

TIP If a time restriction is to be placed on a group of contractors, RBAC will be used. Time and day restrictions can only be used for individuals.

TIP

TIP If group-based access is used in the exam question, then the solution will be a group-based access solution.

TIP

Enforce Password History Password Reuse Maximum Password Age Minimum Password Age Complex Passwords Store Passwords Using Reversible Encryption (Disable when you can) Account Lockout - Threshold Account lockout - Duration

Passwords - Group Policy Configurations