Investigating Identify and Access Management chapter 3
How many accounts should a system administrator for a multinational corporation have and why?
A system administrator should have two accounts: a user account for day-to-day tasks, and an administrative account for administrative tasks.
What is the purpose of a user account review?
A user account review ensures that old accounts have been deleted and that all current users have the appropriate access to resources and not a higher level of privilege
A brute-force attack cracks a password using all combinations of characters and will eventually crack a password. What can I do to prevent a brute-force attack?
Account Lockout with a low value will prevent brute-force attacks.
What is account recertification?
Account recertification is an audit of user accounts and permissions that is usually carried out by an auditor. This is also referred to as a user account review.
What is used for accounting in an AAA server?
Accounting is an AAA server where they log the details of when someone logs in and logs out; this can be used for billing purposes. Accounting is normally logged into a database such as SQL. RADIUS Accounting uses UDP port 1813
What type of device is an iris scanner?
An iris scanner is physical device used for biometric authentication
Which authentication model gives access to a computer system even though the wrong credentials are being used?
Biometric authentication allows unauthorized users access to the system.
What is biometric authentication?
Biometric authentication is where you use a part of your body or voice for authentication, for example, your iris, retina, palm, or fingerprint
Explain what format a complex password takes.
A complex password uses three of the following uppercase and lowercase letters, numbers, and special characters not used in programming
What is the format of a distinguished name for a user called Fred who works in the IT department for a company with a domain called Company A that is a dotcom?
A distinguisher name in the ITU X500 object format is CN=Fred, OU=IT, DC=Company, DC=Com.
What is the most common form of authentication that is most likely to be entered incorrectly?
A password is most likely be entered incorrectly; the user may forget the password or may have the Caps Lock key set up incorrectly.
What is the purpose of a password vault and how secure is it?
A password vault is an application that stores passwords using AES-256 encryption and it is only as secure as the master key
How many factors is it if I have a password, PIN, and date of birth?
A password, PIN and date of birth are all factors that you know; therefore, it is single-factor
What is a privilege account?
A privileged account is an account with administrative rights.
What type of account is a service account?
A service account is a type of administrative account that allows an application to have a higher level of privileges to run on a desktop or server. An example of this is using a service account to run an anti-virus application.
What type of factor authentication is a smart card ?
A smart card is multi-factor is multi-factor or dual-factor as the card is something you have, and inserting it into a card reader is something you do, and the PIN is something you know.
What is a default account? It is a security risk?
Default accounts and passwords for devices and software can be found on the internet and used to hack your network or home devices. Ovens, TVs, baby monitors, and refrigerators are examples, therefore pose a security risk.
what is Shibboleth?
Shibboleth is a small, open source Federation Services protocol
What is single sign-on? Give two examples.
Single sign-on is where a user inserts their credentials only once and accesses different resources, such as email and files, without needing to re-enter the credentials. Examples of this are Kerberos, Federation Services, or a smart card .
Why do cloud providers adopt a zero-trust model?
Some devices being used do not belong to a domain, for example, an iPad, so every connection should be considered unsafe
What is the danger to households with IoT devices?
Some people don't realize that there are generic accounts controlling the devices that make them vulnerable to attack.
I have moved departments, but the employees in my old department still use my old account for access; what should the company have done to prevent this from happening? What should their next action be?
The company should have disabled the account and reset the password. A user account review needs to be carried out to find accounts in a similar situation
If a contractor brings in five consultants for two months of mail server migration, how should I set up their accounts?
The contractor's account should have an expiry date equal to the last day of the contract.
I have different login details and passwords to access Airbnb, Twitter, and Facebook, but I keep getting them mixed up and have locked myself out of these accounts from time to time. What can I implement on my Windows 10 laptop to help me?
The credential manager can be used to store generic and Windows 10 accounts. The user therefore does not have to remember the account details
Name two AAA servers and the ports associated with them.
The first AAA server is Microsoft RADIUS, using UDP port 1812- it is seen as non-proprietary. The second is Cisco TACACS+ and uses TCP port 49. Diameter is a more modern secure form of RADIUS that is TCP-based and uses EAP.
The system administrator in a multination corporation creates a user account using an employee's first name and last name. Why are they doing this time after time?
The system administrator is using a standard naming convention.
What type of knowledge-based authentication would a bank normally use?
They would use a dynamic KBA that would ask you details about your account that are not previously stored questions
When I log in to my Dropbox account from my phone, I get an email asking me to confirm that this was a legal login. What have I been subjected to?
This is know as a risky login as I have used a secondary device to log in to Dropbox
Describe the process of impossible time travel?
This is where a user logs in to a device from one location, and they log in from another location shortly afterward, where it would be impossible to travel that distance in the time between logins
If I have a company that has five consultants who work in different shift patterns, how can I set up their accounts so that each of them can only access the network during their individual shifts?
Time and day restrictions should be set up against each individual's user account matching their shift pattern
What is a time-limited password?
Time-Based One-Time Password (TOTP) has a short time limit of 30-60 seconds.
What is the purpose of the ssh-copy-id command?
To copy and install the public key on the SSH server and add to the list of authorized keys
What is Type II in biometric authentication and why is it a security risk?
Type II in biometric authentication is Failure Acceptance Rate (FAR) , where people that are not permitted to access your network are given access.
What is a solution that helps protect privilege accounts?
Privileged Access Management is a solution that stores the privileged account in a bastion domain to help protect them from attack
How can I ensure that the contractors in Question 44 can only access the company network from 9 am- 5pm daily?
Rule-based access should be adopted so that the contractors can access the company network between 9am and 5pm daily.
What is an XML-based authentication protocol?
Security Assertion Mark-up Language ( SAML) is an XML-based authentication protocol used with Federated Services
What is the difference between FAR and FRR?
FAR allows unauthorized user access, and FRR rejects authorized user access
What could be two drawbacks of using facial recognition?
Facial recognition could be affected by the light or turning your head slightly to one side; some older facial recognition systems accept photographs. Microsoft Windows Hello is much better as it uses infrared and is not fooled by a photographed or affected by light
What authentication method can be used by two third parties that participate in a joint venture?
Federated Services are an authentication method that can be used by two third parties; this uses SAML and extended attributes, such as an employee's ID or email address.
What will be the two possible outcomes if an auditor finds any working practices that do not confirm to the company policy?
Following an audit, either change management or a new policy will put in place to rectify any area not conforming to company policy
How can I prevent a hacker from inserting a password multiple times?
If you set up an account lockout with a low value, such as 3, the hacker needs to guess your password within three attempts or the password is locked out, and this disables the user account.
What protocol is used to store and search for Active Directory objects?
Lightweight Directory Authentication Protocol ( LDAP) is used to a store objects in X500 format and search Active Directory objects such as users ,printers ,groups ,or computers
What authentication factor uses tickets, timestamps, and updated sequence numbers and is used to prevent replay attacks?
Microsoft's Kerberos authentication protocol is the only one that uses tickets. It also uses timestamps and updated sequence numbers to prevent replay attacks. It also prevents pass-the-hash attacks as it does not use NTLM
Give an example of when you would use Open ID Connect.
OpenID connect is where you access a device or portal using your Facebook, Twitter, Google, or Hotmail credentials. The portal itself does not manage the account
How can I prevent a pass-the-hash attack ?
Pass-the-hash attacks exploit older systems such as Microsoft NT4.0, which uses NT LAN Manage. You can prevent this by enabling Kerberos or disabling NTLM
Why should we never us PAP authentication?
Password Authentication protocol (PAP) authentication uses a password in clear text; this could be captured easily by a packet sniffer.
How can I prevent someone from reusing the same password ?
Password history could be set up and combined with a minimum password age to 1 day, a user could only change their password a maximum of once per day. This would prevent them from them from rotating their passwords to come back to the old password
What is password history ?
Password history is the number of passwords that you can use before you can reuse your current passwords. Some third-party applications or systems may call this a password reuse list.
What two actions do I need to complete when John Smith leaves the company ?
When John Smith leaves the company, you need to disable his account and reset the password. Deleting the account will prevent access to the data he used.
When I purchased a new wireless access point, what should I do first ?
When Purchasing any device, you should change the default username and password as many of these are available on the internet and could be used to access your device.
What is the drawback for security if the company uses shared accounts?
When monitoring and auditing are carried out, the employees responsible cannot be traced from more-than-one-person shared accounts. Shared accounts should be eliminated for monitoring and auditing purposes.
What do I need to do when I purchase a baby monitor?
When you purchase a baby monitor, you should rename the default administrative account and change the default password to prevent someone form using it to hack into your home. This is known as an Internet of Things (IoT) item.
How does a CAC differ from a smart card and who uses CAC?
A CAC is similar to a smart card as it uses certificates, but the CAC is used by the military and has a picture and the details of the user on the front, as well as their blood group and Geneva convention category on the reverse side.
What can I implement to find out immediately when a user is placed in a group that may give them a higher level of privilege?
A SIEM system can carry out active monitoring and notify the administrators of any changes to user accounts or logs
What is a Ticket Granting Ticket (TGT) session?
A Ticket-Granting Ticket (TGT) process is where a user logs in to an Active Directory domain using Kerberos authentication and receives a service ticket
What is the purpose of a VPN solution?
A VPN solution creates a secure connection from a remote location to your corporate network or vice versa. The most secure tunneling protocol is L2TP/IPsec.
The It team have a global group called IT Admin; each member of the IT team are members of this group and therefore have full control access to the departmental data. Two new apprentices are joining the company and they need to have read access to the IT data. How can you achieve this with the minimum amount of administrative effort?
Create a group called IT apprentices, and then add the apprentices, accounts to the group. Give the group read access to the IT data
How many times can you use an HOTP password? Is there a time restriction associated with it?
HOTP is a one-time password that does not expire until it is used.
What is a port-based authentication that authenticates both users and devices?
IEE802.1X is port based authentication that authenticates both users and devices.