Domain 5 - Identity and Access Management Flashcards

1
Q

Digital Certificates

A
  • may be used as an authN technique for user, service and device identities. Similar to those used to secure websites. Have both a public and private key. Usually issued by a certificate authority in a PKI
2
Q

Network access server

A
  • client to a RADIUS server; the RADIUS server provides AAA services
3
Q

RADIUS

A
  • uses UDP 1812/1813 and encrypts the password only, used for remote access
4
Q

TACACS+

A

uses TCP 49 and encrypts the entire session, used for admin access to network devices

5
Q

Diameter

A

based on RADIUS and improves its weaknesses, NOT COMPATIBLE with RADIUS, used in LTE/4G networks

6
Q

Kerberos

A
  • authN protocol (UDP/TCP 88) for Active Directory (on prem and hybrid), provides confidentiality and integrity using SYMMETRIC key encryption, does not provide logging for accountability, common attacks include replay, pass the ticket, golden ticket, and kerberoasting
7
Q

Need to know

A
  • ensures subjects are only granted access to what they NEED for work tasks; even subjects with the clearance to access are only granted access if they need to know
8
Q

Least privilege

A
  • subjects are granted only the privs they NEED to perform their job functions, includes rights to take action on a system
9
Q

Separation of Duties/ responsibilities

A
  • ensures that sensitive functions are split into tasks performed by 2 or more employees, helps prevent fraud and errors by adding checks and balances
10
Q

Just in Time (JIT)

A
  • modern/granular approach to least privilege, allows temporary elevation of privilege as it is needed and revokes it at the end of the window, ie privileged identity management (PIM)/ privileged access management (PAM), implemented through ephemeral accounts or a broker-and-remove-access strategy
11
Q

Identification

A
  • subject claims an identity ie provides a username
12
Q

Authentication

A
  • subject PROVES identity ie provides a password or MFA
13
Q

Authorization

A
  • after authentication, determines ACCESS based on proven identity
14
Q

Accountability

A
  • auditing logs/ trails record events including identity, provides PROOF
15
Q

MFA

A
  • something you know (PIN, password), something you have (trusted device), something you are (biometric), includes 2 or more authN factors, passwords are the WEAKEST form of authN
16
Q

Smartcards

A
  • include microprocessors and cryptographic certificates
17
Q

Tokens (MFA)

A
  • create one-time passwords
18
Q

Biometrics (MFA)

A
  • identify based on physical characteristics like fingerprints/ retina scan. Know CROSSOVER ERROR RATE and how to calculate.
19
Q

Facial recognition

A
  • looks at the shape of the face, light and angle can affect it, Windows Hello uses a special infrared camera and is better than others
20
Q

Veins (MFA biometrics)

A
  • uses blood vessels in palm for authentication
21
Q

Gait analysis

A
  • looks at how you walk for authN, works with low resolution
22
Q

Crossover error rate (CER) (biometrics)

A
  • identifies the accuracy of a biometric method, shows where the false rejection and false acceptance rates are equal, to change this you increase/decrease the sensitivity of the biometric device
23
Q

FAR

A
  • false acceptance rate, biometric authN, TYPE 2 ERROR
24
Q

FRR

A
  • false rejection rate, biometric authN, TYPE 1 ERROR
25
Single sign on (SSO)
- authN once and then access multiple objects without reauthentication, common standards include: SAML, SESAME, KryptoKnight, OAuth, OpenID. KNOW SAML/ OAUTH 2.0/ OPENID
26
Security Assertion Markup Language (SAML)
- XML based open standard data format for exchanging authN and authZ data between parties, mainly between an identity provider and a service provider, used often in Active Directory Federation Services
27
OAuth 2.0
- open standard for authorization, commonly used for internet users to log into 3rd party websites using their Microsoft, Google, Facebook, etc. accounts without exposing their password
28
OpenID
- open standard, decentralized authN, allows users to log into multiple unrelated websites with one set of creds, creds are maintained by a 3rd party service referred to as an OpenID provider
29
Discretionary Access Control (DAC)
- EVERY OBJECT HAS AN OWNER, and the owner can grant or deny access to any other subjects, ie New Technology File System (NTFS)
30
Role based access control
- uses roles or groups; instead of assigning permissions directly to users, they are placed in roles and admins assign privs to the roles, ie cloud platforms like Azure, typically maps to JOB ROLES and cloning template user accounts
31
Rule based access control
- applies global rules to ALL SUBJECTS, rules are sometimes called restrictions or filters, ie FIREWALLS use rules that allow or block traffic to all users equally
32
Attribute based access control
- can include multiple attributes, more flexible than rule-based that applies to all subjects equally, often used by software defined networks (SDNs)
33
Mandatory access control (MAC)
- uses labels applied to subjects and objects, ie top secret user can access top secret document, called LATTICE BASED
34
Logical/ Technical controls
- hardware/ software used to manage access to resources and provide protection, ie encryption, smart cards, passwords, biometrics, ACLs, protocols, firewalls, IDS
35
Physical controls
- provide protection to facility and real world objects, ie guards, fences, motion detectors, locks, windows, lights, cable protections, swipe cards, dogs, cameras, mantraps, alarms
36
Administrative controls
- policies and procedures defined by the organization's sec policy, focuses on personnel and business practices, ie policy, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision
37
Preventative (sec control)
- stop unwanted/ unauthZ activity from occurring, ie fences, locks, biometrics, mantraps, alarms, job rotation, data classification, pentesting, ACL
38
Detective Controls
- discover unwanted/ unauthZ activity, often after the fact NOT realtime, ie security guards, dogs, audit trails, IDS, honeypots, job rotation, mandatory vacation
39
Corrective controls
- restore systems to normal after an unwanted/ unauthZ activity has occurred, ie antivirus, IDS, BCP, Sec policy
40
Compensating controls
- provide options to other existing controls to aid in enforcement of sec policy, ie DRP with alternate office location in case building is damaged in fire
41
Directive controls
- direct/ confine/ control actions of a subject to force/ encourage compliance with sec policy, ie guards, dogs, policy, posted notification, exit signs, supervising work tasks, awareness training
42
Recovery controls
- repair or restore resources/ functions after a violation of sec policy, more advanced/ complex than a corrective control, ie backups/ restores, fault tolerant drives, server clustering, AV software, database shadowing
43
Deterrent control
- discourage violation of sec policy, picks up where preventative control leaves off, ie locks, fences, badges, guards, cameras, alarms, separation of duties, awareness training, encryption, auditing, firewalls
44
Risk
- possibility that a threat can exploit a vulnerability and cause damage to assets
45
Asset valuation
- identifies value of assets, threat modeling identifies threats against these assets
46
Vulnerability analysis
- identifies weaknesses in an org's valuable assets
47
Dictionary attacks
- use all dictionary words to guess the correct password
48
Brute force
- tries all possible strings, password complexity and length and attacker tools determine efficacy
49
Spoofed logon screen
- fake login screen, sends username and password to attacker
50
Sniffer attack
- aka snooping, attacker uses a packet capturing tool to capture, analyze, and read data sent over a network, encrypting data in transit stops this kind of attack
51
Spoofing attacks
- attacker is pretending to be someone else, tries to obtain creds, includes email spoofing, phone number spoofing, IP spoofing
52
Social engineering
- attempt by attacker to convince someone to provide information or perform an action they wouldn’t normally perform
53
Phishing
- trick users into giving up personal information, clicking a malicious link, or opening a malicious attachment, #1 cyber attack in the world
54
Spear phishing
- targets specific users
55
Whaling
- spear phishing against execs or other high level targets
56
Vishing
- phishing with VoIP
57
Access aggregation
- attacker combines nonsensitive information to learn sensitive information, used in recon
58
Prevention (access control attacks)
- long/ complex passwords that are changed periodically, account lockout after X attempts, strong password policy, secure endpoints so that spoofed logon screens cannot be implemented, phishing protections
59
Tempest
- allows reading of monitors from a distance, effective on CRT monitors, legacy attack, shoulder surfing is the modern variant
60
White noise
- broadcasting false traffic at all times to mask the presence of real emanations, a distracting signal
61
Theft prevention
- RFID, barcoding, and inventory. Risk reduction around asset theft
62
Shadowed passwords
- /etc/passwd shows an x in the password field
63
Synchronous token
- ie Google Authenticator
64
Asynchronous token
- require a challenge to be entered on the token to provide a response
65
Static tokens
- physical devices that can contain creds
66
Federation
- a federation server processes authentication requests from users and issues security tokens, ie user logs into a third-party website by using their Gmail or AD login credentials
67
Enrollment
- initial creation of user accounts