Chapter 8

Question 1

When a subject wants to use their identity, what can they use to assert or claim their identity?

Answer 1

One of these:

-Usernames
-Certificates
-Tokens
-SSH Keys
-Smartcards

Question 2

SSH Keys

Answer 2

Cryptographic keys that are a representation of identity that replace usernames and passwords. Remote access is possible without the use of passwords.

Question 3

Single Sign-On (SSO)

Answer 3

An authentication method that allows users to access multiple applications or services using just one set of credentials. Instead of logging in separately to each system, SSO enables seamless access across platforms once the user is authenticated.

Question 4

Lightweight Directory Access Protocol (LDAP)

Answer 4

A directory service and is often used as part of SSO processes. They are frequently used to make available an organizational directory for email and other contact information.

Question 5

RADIUS

Answer 5

An authentication technology.

Question 6

OAuth

Answer 6

An authentication protocol that allows services to receive authentication tokens from an identity provider without needing the user’s password.

Question 7

Security Assertion Markup Language (SAML)

Answer 7

An XML-based open standard for exchanging authentication and authorization information.

Question 8

Identity Provider (IdP)

Answer 8

They manage the life cycle of digital identities from creation through maintenance to eventual retirement of the identity in the systems and services it supports.

Question 9

Service Providers (SPs)

Answer 9

Provide services to users whose identities have been attested to be an identity provider and then perform the requested function.

Question 10

What is something you know ?

Multifactor Authentication (MFA)

Answer 10

Passwords, PINs, or the answer to a security question.

Question 11

What is Something you have ?

Multifactor Authentication (MFA)

Answer 11

A smartcard, USB, or a bluetooth token, or another object or item that is in your possession, like a Titan security key.

Question 12

What is something you are ?

Multifactor Authentication (MFA)

Answer 12

This relies on a physical characteristic of the person who is authenticating themselves. Fingerprints, retina scans, voice prints, and even your typing speed and patterns.

Question 13

What is somewhere you are ?

Multifactor Authentication (MFA)

Answer 13

A location factor, based on your current location, GPS, network location, and other data can be used to ensure only those in the location should be authenticated.

Question 14

False Rejection Rate (FRR)

Evaluating Biometrics

Answer 14

Also known as Type I errors, occur when a legitimate biometric was given and the system rejected it.

Question 15

False Acceptance Errors / False Acceptance Rate (FAR)

Evaluating Biometrics

Answer 15

Also known as Type II errors, these occur when a biometric is given and it is accepted when it shouldn’t be.

Question 16

Receiver Operating Characteristics

Evaluating Biometrics

Answer 16

The ROC compares FRR against FAR of a system, typically a graph.

Question 17

User accounts

Account Types

Answer 17

Can run the gamut from basic access to systems, devices, or applications to power users with broad rights and privileges.

Question 18

Privileged or Administrative Accounts

Account Types

Answer 18

The root account or members of the wheel group on Linux and Unix sytems, and the Windows default Adminstrator Account.

Question 19

Shared and Generic accounts or credentials

Account Types

Answer 19

Often prohibited, can be useful.

Question 20

Guest Accounts

Account Types

Answer 20

Provided to temporary users and have very limited priviliges. Also has far less information about the user who uses them.

Question 21

Service Accounts

Account Types

Answer 21

Associated with applications and services. These should not be used for interactive logins.

Question 22

Identity Proofing

Answer 22

The process of ensuring that the person who the account is being created for is the person who is claiming the account.

Question 23

Permission Creep

Answer 23

It occurs when users take on new roles or are granted new permissions based on tasks they are doing.

Question 24

Privileged Access Management (PAM)

Answer 24

PAM tools focus on ensuring that the concept of least privilege is maintained by helping administrators specify only the minimum set of privileges needed for a role or task.

Question 25

Just-In-Time (JIT) permissions ## Footnote PAM tools

Answer 25

Permissions that are granted and revoked only when needed.

Question 26

Password vaulting ## Footnote PAM tools

Answer 26

Allows users to access privileged accounts without needing to know a password.

Question 27

Ephemeral Accounts ## Footnote PAM tools

Answer 27

Temporary Accounts with limited lifespans. Used for guests or for specific purposes in an organization when a user needs access but should not have an account on an ongoing basis.

Question 28

Access Control Schemes

Answer 28

Helps to determine which users, services, and programs can access various files or other objects that they host.

Question 29

Mandatory Access Control (MAC) ## Footnote Access Control Schemes

Answer 29

MAC systems rely on the operating system to enforce control as set by a security policy administrator. Users do not have the ability to grant access to files or otherwise change the security policies that are set centrally.

Question 30

Discretionary Access Control (DAC) ## Footnote Access Control Schemes

Answer 30

An access control scheme that many people are used to from their own PCs. It allows users to make decisions about access to files and directories they have rights to.

Question 31

Role-Based Access Controls (RBAC) ## Footnote Access Control Schemes

Answer 31

RBAC systems rely on roles that are then matched with privilges that are assigned to those roles. RBAC has three primary rules; role assigment, role authorization, and permission authorization.

Question 32

Role Assignment ## Footnote RBAC

Answer 32

States that subjects can use only permissions that match a role they have been assigned.

Question 33

Role Authorization ## Footnote RBAC

Answer 33

States that the subject's active role must be authorized for the subject. This prevents subjects from taking roles they shouldn't be able to.

Question 34

Permission Authorization ## Footnote RBAC

Answer 34

States that subjects can use only permissions that their active role is allowed to use.

Question 35

Rule-Based Access Control (RuBAC) ## Footnote Access Control Schemes

Answer 35

Applied using a set of rules, or access control lists (ACLs), that apply to various objects or resources. When an attempt is made to access an object, the rule is checked to see if the access is allowed. A firewall is a common example of RuBAC.

Question 36

Attribute-Based Access Control (ABAC) ## Footnote Access Control Schemes

Answer 36

Relies on polices that are driven by attributes of the users. This allows for complex rulesets based on combinations of attributes that provide users with specific rights that match the attributes they have.

Question 37

Time-of-Day Restrictions ## Footnote Access Control Schemes

Answer 37

Limit when activities can occur.

Question 38

Least Privilege ## Footnote Access Control Schemes

Answer 38

The concept that accounts and users should only be given the minimum set of permissions and capabilities necessary to perform their role or job function.

Question 39

File System Control ## Footnote Access Controls

Answer 39

They determine which accounts, users, groups, or services can perform actions like reading, writing, and executing (running) files. LINUX/FILE PERMISSIONS "drwxrwx---"