Udemy-Domain 5 Flashcards
___ set how many incorrect password attempts are tolerated before the account is locked for a time delay (after which the user may try again), and are a measure to ___
clipping levels; reduce administrative overhead (fewer help-desk unlock requests than a permanent lockout, while still slowing online guessing)
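A clipping-level lockout in code, as an added example (this is not code from the Udemy course). The policy values are assumed: 5 failures inside a 15-minute window lock the account for 30 minutes, and a successful login clears the counter. The clock is injectable so the delay can be exercised without sleeping.

```python
import time

# Assumed policy values (not from the flashcards).
CLIPPING_LEVEL = 5          # failures tolerated before the lock engages
FAILURE_WINDOW = 15 * 60    # seconds over which failures are counted
LOCKOUT_DELAY = 30 * 60     # seconds the account stays locked


class LoginPolicy:
    """Tracks failed attempts per account and enforces a time-delayed lockout."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._failures = {}      # account -> timestamps of recent failures
        self._locked_until = {}  # account -> time the lock expires

    def attempt(self, account: str, password_ok: bool) -> str:
        """password_ok is the result of the credential check (done by the caller).
        Returns "locked", "denied" or "ok"."""
        now = self._clock()
        if now < self._locked_until.get(account, 0):
            # Inside the delay: reject regardless of the password, so a locked
            # account is indistinguishable from a wrong password to an attacker.
            return "locked"
        if password_ok:
            self._failures.pop(account, None)
            self._locked_until.pop(account, None)
            return "ok"
        # Only failures inside the window count toward the clipping level.
        recent = [t for t in self._failures.get(account, []) if now - t <= FAILURE_WINDOW]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= CLIPPING_LEVEL:
            self._locked_until[account] = now + LOCKOUT_DELAY
            self._failures.pop(account, None)
            return "locked"
        return "denied"
```

Checking the lock before the password result is consulted matters: it keeps the lock from being bypassed by a correct guess during the delay.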
DoD and Microsoft recommend passwords expire after ___ days, with a minimum age of ___ days and a history of ___ passwords
90; 2; 24 (note: since 2019 Microsoft's security baseline no longer recommends periodic expiration, and NIST SP 800-63B discourages forced rotation unless compromise is suspected)
DoD and Microsoft recommend passwords be at least ___ characters long and meet complexity requirements
8 (current Microsoft security baselines and DoD STIGs for Windows require 14)
single-use passwords (including TANs, Transaction Authentication Numbers) are type ___ authentication
2 (something you have: the token, list or device that holds or generates them)
“realistic” authentication is another word for type ___
3 (something you are/biometric)
from a legal perspective, one issue with biometric scans is that they might ___
invade a user's privacy by revealing medical conditions
one issue with biometric authentication is that if the biometric (or its stored template) is compromised ___
it can't be changed or reissued the way a password can
access control models tend to emphasize different legs of the CIA triad (a teaching heuristic, not a formal property):
Mandatory Access Control emphasizes ___
Discretionary Access Control emphasizes ___
Role/Attribute-Based Access Control emphasizes ___
Confidentiality;
Availability;
Integrity
the most commonly used access control (esp. in the business world) is ___, which is usually combined with a “need to know” qualification
Role-Based
the attributes in ABAC can belong to the ___, ___ or ___
subject, object/content (the resource), environment (context/circumstances); NIST SP 800-162 also treats the requested action/operation as an input to the decision
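An ABAC decision with all three attribute sources (plus the action) in code, added here as an illustration and not taken from the course. The policy is constructed: clinicians may read records of patients in their own department, only from the corporate network during working hours, and any request arriving while the environment reports a high threat level is denied outright. Deny-overrides combining and default deny are assumed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Attrs = Dict[str, object]


@dataclass
class Request:
    subject: Attrs        # who is asking (role, department, ...)
    action: str           # what they want to do
    obj: Attrs            # attributes of the object/content being accessed
    environment: Attrs    # context: network, time, threat level, ...


@dataclass
class Rule:
    name: str
    effect: str                          # "permit" or "deny"
    condition: Callable[[Request], bool]


# Constructed sample policy (assumed, not from the flashcards).
POLICY: List[Rule] = [
    Rule("deny-while-under-attack", "deny",
         lambda r: r.environment.get("threat_level") == "high"),
    Rule("clinician-reads-own-department", "permit",
         lambda r: r.action == "read"
         and r.subject.get("role") == "clinician"
         and r.subject.get("department") == r.obj.get("department")
         and r.environment.get("network") == "corporate"
         and 8 <= int(r.environment.get("hour", -1)) < 18),
]


def decide(request: Request, policy: List[Rule] = POLICY) -> str:
    """Deny-overrides: any matching deny rule wins; otherwise any matching
    permit rule permits; otherwise the default is deny."""
    permitted = False
    for rule in policy:
        if rule.condition(request):
            if rule.effect == "deny":
                return "deny"
            permitted = True
    return "permit" if permitted else "deny"
```

The same subject gets different answers purely from object or environment changes, which is the point of ABAC over a role check alone.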
the ___ in AAA access management requires non-repudiation
Accountability/Auditing
Entities (people or organizations) can have multiple ___, which in turn have multiple ___
Identities; attributes
___ an account orphans its entries in audit trails (the identifier can no longer be resolved to a person and may even be reused), so it is generally better to ___ it
deleting; disable (lock)
Single Sign-On that spans separate organizations (a separate identity provider and service providers) is called ___ Identity Management
Federated
the most important application of SAML is ___
web browser single sign-on
___ sign-on is a form of single sign-on, like websites allowing you to log in with your Facebook account: convenient for the website (which receives whatever profile data you consent to share) but a privacy trade-off for you
Social (typically built on OAuth 2.0 / OpenID Connect)
___ was designed as a successor to Kerberos; it never saw wide adoption, but it addresses Kerberos's reliance on ___ by using ___
SESAME (Secure European System for Applications in a Multi-vendor Environment); symmetric keys stored in plaintext on the KDC; public-key cryptography (PKI)
the SESAME authentication system issues ___ instead of the tickets issued by Kerberos
PACs (Privilege Attribute Certificates)
RADIUS uses UDP ___ for authentication and UDP ___ for accounting
1812; 1813 (older deployments used 1645 and 1646)
Diameter is an AAA protocol intended to replace RADIUS (it runs over TCP or SCTP, port 3868, instead of UDP), but is mainly used now for ___
3G and 4G mobile-network (IMS/EPC) signaling
the advantage of TACACS+ over RADIUS is that it ___
encrypts the entire packet body (only the header is in the clear), whereas RADIUS only obfuscates the User-Password attribute; TACACS+ also runs over TCP (port 49) and separates authentication, authorization and accounting
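To make the RADIUS half of that contrast concrete, here is an Access-Request built per RFC 2865, added as an example (not course code). Only the User-Password attribute is hidden, by XOR with MD5(shared secret || Request Authenticator) chained over 16-byte blocks; the User-Name and every other attribute travel in the clear, and the hiding is reversible by anyone holding the shared secret. The user name, password and shared secret below are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1   # RADIUS Code
USER_NAME = 1        # attribute type
USER_PASSWORD = 2    # attribute type


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous block), seeded with the 16-byte Request Authenticator."""
    pad = 16 if not password else -len(password) % 16
    padded = password + b"\x00" * pad
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block                       # chaining uses the hidden block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")             # assumes the password has no trailing NULs


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type (1) | Length (1, includes the 2 header bytes) | Value."""
    return struct.pack(">BB", attr_type, len(value) + 2) + value


def access_request(username: bytes, password: bytes, secret: bytes,
                   identifier: int = 1, authenticator: bytes = b"") -> bytes:
    """Code (1) | Identifier (1) | Length (2) | Request Authenticator (16) | attributes."""
    authenticator = authenticator or os.urandom(16)   # must be unpredictable per request
    attrs = (attribute(USER_NAME, username)
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator)))
    header = struct.pack(">BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs
```

Searching the finished packet for the user name succeeds and for the password fails, which is exactly the "only the password" limitation of RADIUS; a TACACS+ packet would expose neither.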
CHAP defends against replay attacks by periodically re-verifying the client with a 3-way handshake (challenge, response, success/failure) that uses a fresh random challenge each time, but has the weakness of ___
requiring the server to store passwords in plaintext (or a reversible form), because the response is MD5(identifier || secret || challenge) and can only be recomputed with the secret itself
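The CHAP exchange from RFC 1994 on both sides, as an added example and not course material, showing why the server must hold the cleartext secret and how a fresh challenge defeats replay. The peer name and secret are constructed values.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || Challenge). Computed by the client."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapServer:
    """Authenticator side. The secrets table holds cleartext secrets: the only way to
    check a response is to recompute it, so a hash of the secret would be useless."""

    def __init__(self, secrets):
        self._secrets = secrets      # peer name -> cleartext secret (constructed sample)
        self._outstanding = {}       # peer name -> (identifier, challenge)
        self._id = 0

    def challenge(self, name: str):
        """Step 1: send a new Identifier and a random Challenge to the peer."""
        self._id = (self._id + 1) % 256
        chal = os.urandom(16)
        self._outstanding[name] = (self._id, chal)
        return self._id, chal

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 2/3: check the peer's Response; each challenge is usable exactly once,
        so a captured response cannot be replayed against a later challenge."""
        pending = self._outstanding.pop(name, None)
        secret = self._secrets.get(name)
        if pending is None or secret is None or pending[0] != identifier:
            return False
        expected = chap_response(identifier, secret, pending[1])
        return hmac.compare_digest(expected, response)
```

Re-running the handshake periodically during a session, as the card describes, is just calling challenge() again; the old response never validates because the challenge bytes differ.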