IT Security: Defense against the digital dark arts. Week 3: AAA Security (Not Roadside Assistance)
In the three As of security, which part pertains to describing what the user account does or doesn't have access to?
Authorization; Authorization pertains to describing what the user account does or doesn't have access to.
Authorization is concerned with determining ______ to resources.
access; Authorization deals with determining access to resources.
True or false: Clients authenticate directly against the RADIUS server.
false; Clients don't actually interact directly with the RADIUS server; the authentication is relayed via the Network Access Server.
The authentication server is to authentication as the ticket granting service is to _______. (integrity, identification, verification, authorization)
identification; Not quite. Please refer back to the "Authentication" lesson for a refresher.
What does OpenID provide?
authentication delegation; OpenID allows authentication to be delegated to a third-party authentication service.
How is authentication different from authorization?
authentication is verifying an identity, authorization is verifying access to a resource; Authentication is proving that an entity is who they claim to be, while authorization is determining whether or not that entity is permitted to access resources.
What elements of a certificate are inspected when a certificate is verified? Check all that apply.
"not valid before" date, trust of the signatory CA, "not valid after" date; To verify a certificate, the period of validity must be checked, along with the signature of the signing certificate authority, to ensure that it's a trusted one.
How is auditing related to accounting?
Accounting is recording access and usage, while auditing is reviewing these records; Accounting involves recording resource and network access and usage. Auditing is reviewing these usage records by looking for any anomalies.
What is a CRL?
Certificate Revocation List; CRL stands for "Certificate Revocation List." It's a list published by a CA, which contains certificates issued by the CA that are explicitly revoked, or made invalid.
What does OAuth provide?
Access delegation; OAuth is an open authorization protocol that allows account access to be delegated to third parties, without disclosing account credentials directly.
Which of these are examples of "something you have" for multifactor authentication? Check all that apply.
OTP; OTP, or One-Time Password, is a physical token that is commonly used to generate a short-lived number.
RSA SecurID token; An RSA SecurID token is an example of an OTP. It is a small battery-powered device with an LCD display.
A Lightweight Directory Access Protocol (LDAP) uses a _____ structure to hold directory objects. (Data Information Tree, Bind, Organizational Unit, Distinguished Name)
Organizational Unit; Not quite. Please review the videos in the "LDAP" module for a refresher.
A systems administrator is designing a directory architecture to support Linux servers using Lightweight Directory Access Protocol (LDAP). The directory needs to be able to make changes to directory objects securely. Which of these common operations supports these requirements?
StartTLS, delete; StartTLS permits a client to communicate securely using LDAPv3 over TLS. The delete operation can make a change to a directory object.
Kerberos enforces strict _____ requirements, otherwise authentication will fail.
Time; Kerberos enforces strict time requirements, requiring the client and server clocks to be relatively closely synchronized, otherwise authentication will fail.
True or false: The Network Access Server handles the actual authentication in a RADIUS scheme.
false; The Network Access Server only relays the authentication messages between the RADIUS server and the client; it doesn't make an authentication evaluation itself.
Authentication is concerned with determining _______.
identity; Authentication is concerned with confirming the identities of individuals.
What are some characteristics of a strong password? Check all that apply.
is at least eight characters long, includes numbers and special characters; A strong password should contain a mix of character types and cases, and should be relatively long -- at least eight characters, but preferably more.
What role does authorization play?
it determines whether or not an entity has access to a resource; Authorization has to do with what resource a user or account is permitted or not permitted to access.
What advantages does single sign-on offer? Check all that apply.
it reduces the total number of credentials, it reduces time spent authenticating; SSO allows one set of credentials to be used to access various services across sites. This reduces the total number of credentials that might be otherwise needed. SSO authentication also issues an authentication token after a user authenticates using username and password. This token then automatically authenticates the user until the token expires. So, users don't need to reauthenticate multiple times throughout a work day.
What are the names of similar entities that a Directory server organizes entities into?
organizational units; Directory servers have organizational units, or OUs, that are used to group similar entities.
Security Keys utilize a secure challenge-and-response authentication system, which is based on ________.
public key cryptography; Security keys use public key cryptography to perform a secure challenge response for authentication.
An Open Authorization (OAuth) access token would have a _____ that tells what the third-party app has access to.
scope; An Open Authorization (OAuth) access token would have a scope that tells what the third-party app has access to.
In a multi-factor authentication scheme, a password can be thought of as:
something you know; Since a password is something you memorize, it's something you know when talking about multi-factor authentication schemes.
What are some drawbacks to using biometrics for authentication? Check all that apply.
there are potential privacy concerns, biometric authentication is difficult or impossible to change if compromised; If a biometric characteristic, like your fingerprints, is compromised, your option for changing your "password" is to use a different finger. This makes "password" changes limited. Other biometrics, like iris scans, can't be changed if compromised. If biometric authentication material isn't handled securely, then identifying information about the individual can leak or be stolen.
In what way are U2F tokens more secure than OTP generators?
they're resistant to phishing attacks; With one-time-password generators, the one-time password along with the username and password can be stolen through phishing. On the flip side, U2F authentication is impossible to phish, given the public key cryptography design of the authentication protocol.
What does a Kerberos authentication server issue to a client that successfully authenticates?
ticket-granting ticket; Once authenticated, a Kerberos client receives a ticket-granting ticket from the authentication server. This TGT can then be presented to the ticket-granting service in order to be granted access to a resource.
What does a Terminal Access Controller Access Control System Plus (TACACS+) keep track of? Check all that apply.
track user authentication; TACACS+ tracks user authentication.
commands that were run; TACACS+ tracks commands that were run by a user.
systems users authenticated to; TACACS+ tracks the devices or systems that a user authenticated to.