Chapter 2 - Understanding Identity and Access Management
An ______ model evaluates attributes and grants access based on the value of these attributes. It is used in many software defined networks (SDNs).
ABAC (Attribute Based Access Control)
______ methods track user activity and record the activity in logs.
Accounting
Something you ____ authentication factor uses biometrics, such as fingerprints and retina scans.
Are
_____ methods allow entities to prove their identity by using credentials known to another entity.
Authentication
Authentication occurs when an entity (supplicant) provides proof of an identity (such as a password) to a _____, which then passes the credentials to an _____ _____ that verifies the authentication.
Authenticator, authentication server
_____ provides access to resources based on a proven identity.
Authorization
_____ authentication methods are the most difficult to falsify. They include voice and facial recognition, fingerprints, retina scans, iris scans, and palm scans; and can also be used for identification.
Biometric
_____ and ______ cards can be used as photo IDs and as smart cards (both identification and authentication).
CAC (Common Access Cards), PIV (Personal Identity Verification)
The _____ indicates the quality of the biometric system - the lower the better they are.
CER (Crossover Error Rate)
Password _____ ensures passwords are complex and include at least three of the four character types, such as special characters.
Complexity
_____ _____ systems store and simplify the use of credentials for users. When users access web sites needing credentials, the system automatically retrieves the stored credentials and submits them to the web site.
Credential management
In the _____ model, every object has an owner. The owner has explicit access and establishes access for any other user. Microsoft's _____ uses this model, with every object having a discretionary access control list (DACL). The DACL identifies who has access and what access they are granted. A major flaw of this model is its susceptibility to ______ _____.
DAC (Discretionary Access Control), NTFS, Trojan Horses
An account _____ policy ensures that inactive accounts are disabled. Accounts for employees who either resign or are terminated should be disabled as soon as possible.
Disablement
Something you _____ authentication factor are things like gestures on a touch screen.
Do
______-factor (or two-factor) authentication uses two different factors of authentication, such as a USB token and a PIN.
Dual
Configuring ______ dates on temporary accounts ensures they are disabled automatically.
Expiration
The _____, or false match rate, identifies the percentage of times false acceptance occurs in biometric systems.
FAR (False Acceptance Rate)
The _____, or false nonmatch rate, identifies the percentage of times false rejections occur in biometric systems.
FRR (False Rejection Rate)
A _____ identity links a user's credentials from different networks or operating systems, but is treated as one identity.
Federated
SSO can be used to provide central authentication with a _____ database and use this authentication in an environment with different operating systems (nonhomogeneous environment).
Federated
Somewhere you are authentication factor uses ______, a computer name, or a MAC address.
Geolocation
____-based privileges are a form of RBAC. Administrators create groups, add users to the groups, and then assign permissions to the groups. This simplifies administration because administrators do not have to assign permissions to users individually.
Group
Most organizations ensure the _____ account is disabled.
Guest
_____ creates a one-time-use password that does not expire until it is used.
HOTP (HMAC-Based One Time Password)
_____ and _____ are open standards (RFC 4226 and RFC 6238) used to create one-time-use passwords.
HOTP (HMAC-based One Time Password), TOTP (Time-based One Time Password)
Something you _____ authentication factor are things such as a smart card, CAC, PIV, or token.
Have
Password _____ remembers past passwords and prevents users from re-using passwords.
History
_____ occurs when a user claims or professes an identity, such as with a username, an email address, a PIV card, or by using biometrics.
Identification
Administrators should verify a user's _____ before resetting the user's password. When resetting passwords manually, administrators should configure them as temporary passwords that _____ after their first use, requiring users to create a new password the first time they log on. Self-service password systems automate password recovery.
Identity, expire
_____ is a network authentication protocol using tickets issued by a Key Distribution Center (KDC), which hands out ticket-granting tickets (TGTs). If a ticket-granting ticket expires, the user might not be able to access resources until authenticating again. Microsoft Active Directory domains and Unix realms use this protocol for authentication.
Kerberos
Something you _____ authentication factor are things such as a username and password.
Know
_____ specifies the formats and methods used to query directories. It also provides a single point of management for objects, such as users and computers, in an Active Directory domain or Unix realm. The following is an example of an LDAP string: LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com
LDAP
Password _____ specifies the minimum number of characters in the password.
Length
_____ policies prevent users from logging on from certain locations.
Location
Account _____ policies lock out an account after a user enters an incorrect password too many times.
Lockout
______ uses security or sensitivity labels to identify objects (what you'll secure) and subjects (users). It is often used when access needs to be restricted based on a ______ _____ _____. The administrator establishes access based on predefined security labels. These labels are often defined with a lattice to specify the upper and lower security boundaries.
MAC (Mandatory Access Control), Need to know
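The lattice mentioned above is a concrete partial order, and a short program makes the need-to-know rule precise. The following is an added example, not from the original study material: each label is a sensitivity level plus a set of need-to-know compartments, one label "dominates" another when its level is at least as high and its compartments are a superset, and a read is allowed only when the subject's clearance dominates the object's label. The level names and compartment names are constructed. The write rule shown is the Bell-LaPadula "no write down" property, which the text does not mention and is included here as an assumption about how such a lattice is typically enforced.

```python
"""Lattice-based mandatory access control labels.

Added example, not from the original text. LEVELS and the compartment
names used below ("crypto", "nuclear") are constructed sample values.
"""
from dataclasses import dataclass
from typing import FrozenSet

# Ordered sensitivity levels: the "upper and lower boundaries" of the lattice.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice partial order: level at least as high AND every compartment
        of `other` is also held by `self` (the need-to-know part)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def label(level: str, *compartments: str) -> Label:
    """Convenience constructor: label("secret", "crypto")."""
    return Label(level, frozenset(compartments))


def lub(a: Label, b: Label) -> Label:
    """Least upper bound: the label a document derived from both a and b must carry."""
    level = max((a.level, b.level), key=LEVELS.get)
    return Label(level, a.compartments | b.compartments)


def glb(a: Label, b: Label) -> Label:
    """Greatest lower bound: the most sensitive label both a and b may read."""
    level = min((a.level, b.level), key=LEVELS.get)
    return Label(level, a.compartments & b.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only what your clearance dominates."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property (an assumption beyond the text): no write down,
    so the object's label must dominate the subject's clearance."""
    return obj.dominates(subject)


if __name__ == "__main__":
    analyst = label("secret", "crypto")
    for obj in (label("confidential", "crypto"),
                label("secret", "crypto", "nuclear"),
                label("top_secret")):
        print(obj, "read:", can_read(analyst, obj), "write:", can_write(analyst, obj))
```

Note that a Secret/crypto subject cannot read a Secret/crypto+nuclear object even though the levels match: the missing "nuclear" compartment is exactly the need-to-know restriction the text describes, and it is enforced by the label, not by an owner-granted permission as in DAC.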
Administrators routinely perform account _____. This is often done with scripts to automate the processes and includes deleting accounts that are no longer needed.
Maintenance
_____ password age or password expiration forces users to change their password periodically. When administrators reset user passwords, the password should expire upon first use.
Maximum
______ password age is used with password history to prevent users from changing their password repeatedly to get back to the original password.
Minimum
______ authentication uses two or more different factors (dual-factor is its most common form) and is stronger than any single-factor method, including one that combines several methods from the same factor.
Multifactor
_____ with OpenID Connect is used by many web sites to streamline the authentication process for users. It allows users to log on to many web sites with another account, such as one they've created with Google, Facebook, PayPal, Microsoft, or Twitter.
OAuth
Password _____ provide a technical means to ensure users employ secure password practices.
Policies
Account policies often require administrators to have two accounts (an administrator account and a standard user account) to prevent _____ _____ and other attacks.
Privilege escalation
The _____ model uses roles to grant access by placing users into roles based on their assigned jobs, functions, or tasks. A matrix matching job titles with required privileges is useful as a planning document.
RBAC (Role Based Access Control)
Accounts should be _____ to verify they are still required. For example, if the organization extends a contract, it's a simple matter to recertify the account. Administrators verify that the contract has been extended, change the expiration date, and enable the account.
Recertified
The _____-based Access Control model is based on a set of approved instructions, such as ACL rules in a firewall. Some implementations use rules that trigger in response to an event, such as modifying ACLs after detecting an attack.
Rule
_____ is an XML-based standard used to exchange authentication and authorization information between different parties. It is used with web-based applications.
SAML (Security Assertion Markup Language)
LDAP Secure (LDAPS) encrypts transmissions with the ____ or the ____ protocols.
SSL, TLS (SSL is deprecated; current deployments should use TLS only)
_____ allows users to authenticate with a single user account and access multiple resources on a network without authenticating again.
SSO (Single Sign On)
Password policies should apply to any entity using a password. This includes user accounts and accounts used by _____ and _____. Applications with internally created passwords should still adhere to the organization's password policy.
Services, applications
Users should not _____ accounts. It prevents effective identification, authentication, authorization, and accounting.
Share
The something you know factor typically refers to a _____ _____, such as a password or PIN. This is the least secure form of authentication.
Shared secret
_____ is an open source federated identity solution that includes Open SAML libraries.
Shibboleth
Authentication methods using two or more methods in the same factor are considered _____-factor. For example, a password and a PIN are both in the something you know factor.
Single
_____-factor authentication includes one or more authentication methods within the same factor, such as PIN and password.
Single
_____ _____ are credit card-sized cards that have embedded certificates used for authentication. They require a PKI to issue certificates.
Smart cards
Passwords should be _____ and changed often. Complex passwords include multiple character types. Strong passwords are complex and at least _____ characters long.
Strong, 14
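The password policy cards above (complexity, length, history, minimum and maximum age, and passwords that expire on first use) describe checks that are normally enforced in code. The following is an added example, not from the original study material, that implements them as one policy check: the thresholds (14 characters, 3 of 4 character classes, a 24-entry history, 1-day minimum and 90-day maximum age) are assumed policy values, the history is stored as salted PBKDF2 hashes rather than plaintext, and the sample password and dates are constructed.

```python
"""Password policy enforcement: length, complexity, history, minimum/maximum age.

Added example, not from the original text. Policy constants, SAMPLE_NOW and
SAMPLE_HISTORY are constructed/assumed values.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 14          # "strong" per the text: complex and at least 14 characters
MIN_CLASSES = 3          # at least three of: upper, lower, digit, special
HISTORY_SIZE = 24        # remembered passwords a user may not reuse
MIN_AGE = timedelta(days=1)    # stops rapid cycling back to the old password
MAX_AGE = timedelta(days=90)   # forces periodic change
PBKDF2_ROUNDS = 100_000

SAMPLE_NOW = datetime(2024, 6, 1, 12, 0)   # constructed "current time"


def days_ago(n: int, now: datetime = SAMPLE_NOW) -> datetime:
    return now - timedelta(days=n)


def character_classes(pw: str) -> int:
    """Number of the four character classes present in pw."""
    return sum([any(c.isupper() for c in pw),
                any(c.islower() for c in pw),
                any(c.isdigit() for c in pw),
                any(not c.isalnum() for c in pw)])


def hash_password(pw: str, salt: bytes = None):
    """Salted PBKDF2-HMAC-SHA256. History keeps (salt, digest) pairs, never plaintext."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def in_history(pw: str, history) -> bool:
    """Re-derive the candidate with each stored salt; constant-time compare."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest)
               for salt, digest in history)


def check_new_password(candidate: str, history, last_changed: datetime, now: datetime):
    """Return the list of violated rules; an empty list means the change is allowed."""
    problems = []
    if now - last_changed < MIN_AGE:
        problems.append("min_age")
    if len(candidate) < MIN_LENGTH:
        problems.append("length")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append("complexity")
    if in_history(candidate, history[-HISTORY_SIZE:]):
        problems.append("history")
    return problems


def must_change(last_changed: datetime, now: datetime, expire_on_first_use: bool = False) -> bool:
    """True when the maximum age has passed, or when an administrator set a
    temporary password that must be replaced at the next logon."""
    return expire_on_first_use or now - last_changed > MAX_AGE


def record_password(history, pw: str):
    """Append the new hash and trim the history to HISTORY_SIZE entries."""
    history.append(hash_password(pw))
    del history[:-HISTORY_SIZE]
    return history


SAMPLE_HISTORY = record_password([], "Correct-Horse-Battery-9")   # constructed prior password

if __name__ == "__main__":
    for pw in ("Correct-Horse-Battery-9", "short1!", "allowercaseletters", "Tr0ub4dor&3-extended"):
        print(pw, check_new_password(pw, SAMPLE_HISTORY, days_ago(10), SAMPLE_NOW))
```

The ordering matters in practice: the minimum-age and history checks are what make the maximum-age rule effective, since without them a user can satisfy a forced change by cycling straight back to the old password.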
_____ creates a one-time password that expires at the end of its time step, commonly 30 seconds.
TOTP
The principle of least privilege is a _____ control that uses access controls. It specifies that individuals or processes are granted only the rights and permissions needed to perform assigned tasks or functions, but not more.
Technical
_____ restrictions can prevent users from logging on or accessing network resources during specific hours.
Time
_____ (or key fobs) display numbers in an LCD. These numbers provide rolling, one-time use passwords and are synchronized with a server. USB tokens include an embedded chip and a USB connection. Generically, these are called hardware tokens.
Tokens