Chapter 2 - Understanding Identity and Access Management


An ______ model evaluates attributes and grants access based on the value of these attributes. It is used in many software-defined networks (SDNs).

ABAC (Attribute Based Access Control)

______ methods track user activity and record the activity in logs.

Accounting

The something you ____ authentication factor uses biometrics, such as fingerprints and retina scans.

Are

_____ methods allow entities to prove their identity by using credentials known to another entity.

Authentication

Authentication occurs when an entity (Supplicant) provides proof of an identity (such as a password) to a _____, that then passes the credentials to an _____ _____ that verifies the authentication.

Authenticator, authentication server

_____ provides access to resources based on a proven identity.

Authorization

_____ authentication methods are the most difficult to falsify. They include voice and facial recognition, fingerprints, retina scans, iris scans, and palm scans; and can also be used for identification.

Biometric

_____ and ______ cards can be used as photo IDs and as smart cards (both identification and authentication).

CAC (Common Access Cards), PIV (Personal Identity Verification)

The _____ indicates the quality of the biometric system; the lower it is, the better the system.

CER (Crossover Error Rate)

Password _____ ensures passwords are complex and include at least three of the four character types, such as special characters.

Complexity

_____ _____ systems store and simplify the use of credentials for users. When users access web sites needing credentials, the system automatically retrieves the stored credentials and submits them to the web site.

Credential management

In the _____ model, every object has an owner. The owner has explicit access and establishes access for any other user. Microsoft's _____ uses this model, with every object having a discretionary access control list (DACL). The DACL identifies who has access and what access they are granted. A major flaw of this model is its susceptibility to ______ _____.

DAC (Discretionary Access Control), NTFS, Trojan Horses

An account _____ policy ensures that inactive accounts are disabled. Accounts for employees who either resign or are terminated should be disabled as soon as possible.

Disablement

The something you _____ authentication factor includes things like gestures on a touch screen.

Do

______-factor (or two-factor) authentication uses two different factors of authentication, such as a USB token and a PIN.

Dual

Configuring ______ dates on temporary accounts ensures they are disabled automatically.

Expiration

The _____, or false match rate, identifies the percentage of times false acceptance occurs in biometric systems.

FAR (False Acceptance Rate)

The _____, or false nonmatch rate, identifies the percentage of times false rejections occur in biometric systems.

FRR (False Rejection Rate)

A _____ identity links a user's credentials from different networks or operating systems, but is treated as one identity.

Federated

SSO can be used to provide central authentication with a _____ database and use this authentication in an environment with different operating systems (nonhomogeneous environment).

Federated

The somewhere you are authentication factor uses ______, a computer name, or a MAC address.

Geolocation

____-based privileges are a form of RBAC. Administrators create groups, add users to the groups, and then assign permissions to the groups. This simplifies administration because administrators do not have to assign permissions to users individually.

Group

Most organizations ensure the _____ account is disabled.

Guest

_____ creates a one-time-use password that does not expire until it is used.

HOTP (HMAC-Based One Time Password)

_____ and _____ are open source standards used to create one-time-use passwords.

HOTP (HMAC-based One Time Password), TOTP (Time-based One Time Password)

The something you _____ authentication factor includes things such as a smart card, CAC, PIV, or token.

Have

Password _____ remembers past passwords and prevents users from re-using passwords.

History

_____ occurs when a user claims or professes an identity, such as with a username, an email address, a PIV card, or by using biometrics.

Identification

Administrators should verify a user's _____ before resetting the user's password. When resetting passwords manually, administrators should configure them as temporary passwords that _____ after their first use, requiring users to create a new password the first time they log on. Self-service password systems automate password recovery.

Identity, expire

_____ is a network authentication protocol using tickets issued by a KDC or TGT server. If a ticket-granting ticket expires, the user might not be able to access resources. Microsoft Active Directory domains and Unix realms use this protocol for authentication.

Kerberos

The something you _____ authentication factor includes things such as a username and password.

Know

_____ specifies the formats and methods used to query directories. It also provides a single point of management for objects, such as users and computers, in an Active Directory domain or Unix realm. The following is an example of an LDAP string: LDAP://CN=Homer,CN=Users,DC=GetCertifiedGetAhead,DC=com

LDAP

Password _____ specifies the minimum number of characters in the password.

Length

_____ policies prevent users from logging on from certain locations.

Location

Account _____ policies lock out an account after a user enters an incorrect password too many times.

Lockout

______ uses security or sensitivity labels to identify objects (what you'll secure) and subjects (users). It is often used when access needs to be restricted based on a ______ _____ _____. The administrator establishes access based on predefined security labels. These labels are often defined with a lattice to specify the upper and lower security boundaries.

MAC (Mandatory Access Control), Need to know

Administrators routinely perform account _____. This is often done with scripts to automate the processes and includes deleting accounts that are no longer needed.

Maintenance

_____ password age or password expiration forces users to change their password periodically. When administrators reset user passwords, the password should expire upon first use.

Maximum

______ password age is used with password history to prevent users from changing their password repeatedly to get back to the original password.

Minimum

______ authentication is stronger than any form of single- or dual-factor authentication.

Multifactor

_____ with OpenID Connect is used by many web sites to streamline the authentication process for users. It allows users to log on to many web sites with another account, such as one they've created with Google, Facebook, PayPal, Microsoft, or Twitter.

OAuth

Password _____ provide a technical means to ensure users employ secure password practices.

Policies

Account policies often require administrators to have two accounts (an administrator account and a standard user account) to prevent _____ _____ and other attacks.

Privilege escalation

The _____ model uses roles to grant access by placing users into roles based on their assigned jobs, functions, or tasks. A matrix matching job titles with required privileges is useful as a planning document.

RBAC (Role Based Access Control)

Accounts should be _____ to verify they are still required. For example, if the organization extends a contract, it's a simple matter to recertify the account. Administrators verify that the contract has been extended, change the expiration date, and enable the account.

Recertified

The _____-based Access Control model is based on a set of approved instructions, such as ACL rules in a firewall. Some implementations use rules that trigger in response to an event, such as modifying ACLs after detecting an attack.

Rule

_____ is an XML-based standard used to exchange authentication and authorization information between different parties. It is used with web-based applications.

SAML (Security Assertion Markup Language)

LDAP Secure (LDAPS) encrypts transmissions with the ____ or the ____ protocols.

SSL, TLS

_____ allows users to authenticate with a single user account and access multiple resources on a network without authenticating again.

SSO (Single Sign On)

Password policies should apply to any entity using a password. This includes user accounts and accounts used by _____ and _____. Applications with internally created passwords should still adhere to the organization's password policy.

Services, applications

Users should not _____ accounts. It prevents effective identification, authentication, authorization, and accounting.

Share

The something you know factor typically refers to a _____ _____, such as a password or PIN. This is the least secure form of authentication.

Shared secret

_____ is an open source federated identity solution that includes Open SAML libraries.

Shibboleth

Authentication methods using two or more methods in the same factor are considered _____-factor. For example, a password and a PIN are both in the something you know factor.

Single

_____-factor authentication includes one or more authentication methods within the same factor, such as PIN and password.

Single

_____ _____ are credit card-sized cards that have embedded certificates used for authentication. They require a PKI to issue certificates.

Smart cards

Passwords should be _____ and changed often. Complex passwords include multiple character types. Strong passwords are complex and at least _____ characters long.

Strong, 14

_____ creates a one-time password that expires after 30 seconds.

TOTP

The principle of least privilege is a _____ control that uses access controls. It specifies that individuals or processes are granted only the rights and permissions needed to perform assigned tasks or functions, but not more.

Technical

_____ restrictions can prevent users from logging on or accessing network resources during specific hours.

Time

_____ (or key fobs) display numbers in an LCD. These numbers provide rolling, one-time use passwords and are synchronized with a server. USB tokens include an embedded chip and a USB connection. Generically, these are called hardware tokens.

Tokens
