Module 04 - Identity and Access Management Flashcards

(128 cards)

1
Q

Definition:
Non-repudiation

A

Cannot deny having done something in a system or network

2
Q

Acronym:
CSF

A

Cybersecurity Framework

3
Q

Acronym:
NIST

A

National Institute of Standards and Technology

4
Q

According to NIST, what are the classifications of security tasks?
[NIST Categories]

A
  1. Identify
  2. Protect
  3. Detect
  4. Respond
  5. Recover
5
Q

Definition:
Gap Analysis

A

Process that identifies how security systems deviate from the outcomes required, or recommended, by CSFs

6
Q

Definition:
Access Control

A

Defines how subjects interact with objects.

Subjects => Can be granted access to resources

Objects => Resources

7
Q

Acronym:
IAM

A

Identity and Access Management

8
Q

Definition:
Identity and Access Management - IAM systems

A

System that implements access controls

9
Q

What are the processes of IAM?

A
  1. Identification
  2. Authentication
  3. Authorization
  4. Accounting
10
Q

Acronym:
AAA

A

Authentication, Authorization and Accounting

11
Q

Definition
Zero Trust

A

Security model that assumes that all devices, users, and services are not inherently trusted, regardless of whether inside or outside a network’s perimeter

12
Q

What are the main concepts of Zero Trust Model?

A
  1. Adaptive identity [UBA]
  2. Threat scope reduction [Principle of Least Privilege]
  3. Policy-driven access control [Device posture, network context, user identity]
13
Q

Definition:
Adaptive identity [Zero Trust Concept]

A

Recognition of identity not being static.

UBA

14
Q

Definition:
Threat scope reduction [Zero Trust Concept]

A

Access to resources is limited to those needed to complete a task.

[Principle of least privilege]

15
Q

Definition:
Policy-driven access control [Zero Trust Concept]

A

Access control policies enforce access restrictions based on user identity, device posture and network context.

16
Q

Definition:
Device Posture

A

Security status of a device, including its security configurations, software versions, and patch levels.

17
Q

In Zero Trust architecture, what are the planes?

A

Control and data planes

18
Q

Definition:
Control plane

A

Manages policies that dictate how users and devices are authorized to access network resources.

Divided into Policy Engine and Policy Administrator

19
Q

Definition:
Data plane

A

Where a subject makes access requests for a given resource.

20
Q

Definition:
Policy Engine

A

Responsible for making authentication and authorization decisions per request.

21
Q

Definition:
Policy Administrator

A

Issues access tokens and establishes or tears down sessions based on the decisions made by the policy engine.

22
Q

List the access control best practices

A
  1. Principle of least privilege
  2. Need to know [Information classification]
  3. Separation of Duties [Conflict of interest]
  4. Multi-Factor Authentication
  5. Mutual Authentication
  6. Time of day restrictions
23
Q

Acronym:
MFA

A

Multi-Factor Authentication

24
Q

What are the common methods of controlling access?

A

Implicit Deny
Explicit Deny
Explicit Allow

25
Acronym: ACL
Access Control List
26
Acronym: MAC [Access Control]
Mandatory Access Control
27
Acronym: DAC
Discretionary Access Control
28
Acronym: RBAC
Role-Based Access Control
29
Acronym: ABAC
Attribute-Based Access Control
30
List the types of Access Controls
  1. Discretionary Access Control [DAC]
  2. Mandatory Access Control [MAC]
  3. Role-Based Access Control [RBAC]
  4. Attribute-Based Access Control [ABAC]
31
Definition: Discretionary Access Control - DAC
In the DAC model, every resource has an owner who has full control over the resource and can modify its access control list (ACL) to grant rights to others. Discretionary => By one's own judgment
32
Definition: Mandatory Access Control - MAC
Model based on security clearance levels. Each object is given a classification label, and each subject is granted a clearance level.
33
Definition: Role-Based Access Control - RBAC
Permissions depend on the tasks that an employee or service must be able to perform. Each set of permissions is a role, or a group account.
34
Definition: Attribute-Based Access Control - ABAC
Based on a combination of subject and object attributes plus any context-sensitive or system-wide attributes.
35
Definition: Rule-Based Access Control
Any sort of access control model where access control policies are determined by system-enforced rules rather than system users. Anything but discretionary access control models. Ex: RBAC, ABAC, and MAC
36
Definition: Provisioning
Setting up a service according to a standard procedure or best practice checklist.
37
Definition: Deprovisioning
Removing the access rights and permissions allocated to a subject
38
Time-based restrictions:
  1. A time-of-day restrictions policy [Login hours]
  2. A duration-based login policy
  3. Impossible travel time/risky login policy
  4. Temporary permissions
39
Identification vs. Authentication
Identification is saying who you are.
Authentication is confirming who you are.
40
List the authentication factors
  1. Something you know
  2. Something you are
  3. Somewhere you are
  4. Something you can do
  5. Something you exhibit
  6. Someone you know [CA or Attestation]
  7. Something you have
41
Definition and list: Hard authentication token
Token generated within a secure cryptoprocessor
  1. Smart card
  2. OTP
  3. Security Key
42
Definition and list: Soft authentication token
OTP generated by the Identity Provider (IdP) and transmitted to the supplicant.
  1. Email
  2. SMS
  3. Authentication app
43
Acronym: IdP
Identity provider
44
Definition: Passwordless
No longer processes knowledge-based factors.
45
Acronym: LSASS
Local Security Authority Subsystem Service
46
Acronym: NTLM
NT LAN Manager
47
Acronym: VPN
Virtual Private Network
48
Acronym: SAM [Windows File]
Security Accounts Manager
49
List the windows authentication scenarios
  1. Windows local sign-in or interactive logon
  2. Windows network sign-in
  3. Remote sign-in
50
What protocols are responsible for a network sign-in, in Windows?
Kerberos and NTLM
51
Acronym: SSH
Secure SHell
52
Acronym: PAM Type of authentication
Pluggable Authentication Module
53
In Linux, what's the /etc/passwd file?
It's where user account names are stored
54
In Linux, what's the /etc/shadow file?
It's where user account password hashes are stored
55
What's the protocol used in network sign-in, in Linux?
SSH
56
Definition: Directory Services
Service that stores information about users, computers, security groups/roles, and services.
57
What's the protocol responsible for directory services?
LDAP - Lightweight Directory Access Protocol
58
Acronym: LDAP
Lightweight Directory Access Protocol
59
Acronym: SSO
Single Sign-On
60
Definition: Single Sign-On - SSO
Authentication method that requires authenticating only once and receives authorization to be logged in on other compatible applications
61
Definition: Kerberos
Single sign-on network authentication and authorization protocol. Named after the three-headed guard dog of Hades (Cerberus)
62
Acronym: KDC
Key Distribution Center
63
Definition: Key Distribution Center - KDC
System that issues tokens vouching for identities, made of two systems:
  - Authentication Service (AS)
  - Ticket Granting Service (TGS)
64
True or False: Kerberos protocol sends the password encrypted in the network
False.
65
In Kerberos talk, what are principals?
Users or applications that authenticate
66
How is the request for a TGT made?
By encrypting the date and time on the local computer with the user's password hash as the key, and sending it to the AS
67
Acronym: TGT
Ticket Granting Ticket
68
Definition: Ticket Granting Ticket - TGT
Identifies a principal but doesn't provide access to any resource
69
Definition: Federation [Authentication]
The network trusts accounts created and managed by a different network. The model is similar to Kerberos SSO
70
List federated network protocols
  1. SAML - Security Assertion Markup Language
  2. SOAP - Simple Object Access Protocol
71
Acronym: SAML
Security Assertion Markup Language
Written in XML - eXtensible Markup Language
72
Acronym: SOAP
Simple Object Access Protocol
Written in XML - eXtensible Markup Language
73
Acronym: XML
eXtensible Markup Language
74
Acronym: OAuth
Open Authentication
75
Definition: Open Authentication - OAuth
Facilitates the sharing of information (resources) within a user profile between sites. Uses REST APIs for communication and JWTs for authentication
76
Acronym: API
Application Programming Interface
77
Acronym: REST
REpresentational State Transfer
78
Acronym: JWT
JSON Web Token
79
Acronym: JSON
JavaScript Object Notation
80
Definition: Biometric authentication
Based on a unique physical attribute or characteristic
81
Definition: False rejection rate (FRR)
Where a legitimate user is not recognized. Type I error or false non-match rate (FNMR)
82
Definition: False acceptance rate (FAR)
Where an interloper is accepted. Type II error or false match rate [FMR]
83
Definition: Crossover Error Rate (CER)
The point at which FRR and FAR meet. The lower, the more efficient and reliable the technology.
84
List the most common biometric information
  1. Fingerprint
  2. Retina
  3. Iris
  4. Facial
  5. Voice
  6. Vein
  7. Gait [walk]
85
Definition: Authorization
Process of determining the privileges of an entity and enforcing them.
86
List the types of permissions
  1. Effective permissions
  2. Deny permissions
  3. Cumulative permissions
87
Advantages of a hierarchical database as used in directory services
  1. Organization
  2. Replication
  3. Delegation
  4. Scalability
88
List Active Directory Components
  1. Domain
  2. Trees and forests
  3. Organizational Units
  4. Generic container
  5. Object
  6. Domain Controller
89
Definition: Tree [Directory Services]
Group of related domains that share the same DNS namespaces.
90
Definition: Forest [Directory Services]
Highest level of the organization hierarchy and is a collection of related domain trees.
91
Definition: Policy [Directory Service]
Set of configuration settings applied to users or computers
92
Acronym: GPO
Group Policy Object
93
Definition: Group Policy Object - GPO
Collection of files with registry settings, scripts, templates, and software-specific configuration values. Collection of Group Policy configurations.
94
What are the types of GPOs and when are they applied?
Computer and User configuration types.
Computer => Applied when the computer boots
User => Applied when the user logs on
95
In what order are GPOs applied?
  1. Local
  2. Site
  3. Domain
  4. OU
LSDOU - Local, Site, Domain, OU
96
Definition: Hardening
To strengthen
97
List Hardening Authentication Methods
  1. Password Policies
  2. MFA
  3. Account restrictions
  4. Account Monitoring
  5. Account Maintenance
  6. Limit Remote Access
  7. Account Lockout Policies
98
List Smart Card Benefits
  1. Tamper-resistant storage for PII
  2. Isolated security-related operations
  3. Portable security credentials
99
List Smart Card Weaknesses
  1. Microprobing (Possibility to interfere with the chip)
  2. Software attacks
  3. Eavesdropping
  4. Fault generation
100
List the options for storing directory information in Linux
  1. Local file system
  2. LDAP-compliant database
  3. Network Information System (NIS)
  4. Windows domain
101
Acronym: NIS
Network Information System
102
Definition: Network Information System - NIS
Allows many Linux computers to share common user accounts, group accounts, and passwords.
103
In Linux, what's the /etc/group file?
Contains information about each user group.
104
In Linux, what are the user management configuration files?
  1. /etc/default/useradd
  2. /etc/login.defs
  3. /etc/skel
105
In Linux, what's the /etc/default/useradd file?
Contains default values used by the useradd utility when creating a user account
106
In Linux, what's the /etc/login.defs file?
Contains login configuration, such as the password encryption used in the shadow file, or password expiration values.
107
In Linux, what's the /etc/skel directory?
Contains a set of configuration file templates that are copied into a new user's home directory when it is created
108
List Linux User Management Commands
  1. useradd
  2. passwd
  3. usermod
  4. userdel
109
List Linux user security commands and what they do
  1. chage (Sets user passwords to expire)
  2. ulimit (Limits computer resources used by applications launched from the shell)
110
List Linux Group Commands
  1. groupadd
  2. groupmod
  3. groupdel
  4. gpasswd
  5. newgrp [Change group ID]
  6. usermod [Modify group membership of a user]
  7. groups [Display groups a user is in]
111
List VPN architectures
  1. site-to-site
  2. client-to-client
  3. host-to-host
112
Definition: Client-to-client VPN
Connects a client on an endpoint to a VPN gateway that sits on the LAN
113
Definition: Site-to-site VPN
Connects two or more private networks by joining the edge gateways of the private networks over a tunnel connection
114
Definition: Host-to-host VPN
Securing traffic between two computers where the private network is not trusted.
115
List most common VPN protocols
  1. PPTP - Point-to-Point Tunneling Protocol (Deprecated)
  2. TLS - Transport Layer Security
  3. IPSec - Internet Protocol Security
116
Acronym: RDP
Remote Desktop Protocol
117
Acronym: VNC
Virtual Network Computing
118
Definition VNC - Virtual Network Computing
Remote access tool and protocol.
119
Definition: AAA server
Handles user requests for access to remote computer resources. 2 solutions: RADIUS and TACACS+.
120
Definition: RADIUS
AAA server used by Microsoft.
  - Allows separation of Accounting to different servers
  - Challenge-response method for authentication
  - Uses UDP ports 1812 (Auths) and 1813 (Account)
  - Vulnerable to buffer overflow attacks
121
Definition: TACACS+
AAA Cisco server.
  - TCP port 49
  - Supports more protocol suites than RADIUS
  - Provides three protocols, one for each of AAA
TACACS and XTACACS are older protocols
122
Acronym: RADIUS
Remote Authentication Dial-In User Service
123
Acronym: TACACS
Terminal Access Controller Access-Control System
124
List LDAP authentication options
  1. No authentication
  2. Simple bind [DN + cleartext passwd]
  3. Simple Authentication and Security Layer (SASL)
  4. LDAPS
125
Acronym: SASL
Simple Authentication and Security Layer
126
Definition: Simple Authentication and Security Layer - SASL
Means the client and server negotiate using a supported authentication mechanism, such as Kerberos.
127
Acronym: LDAPS
LDAP Secure
128