Access Control, Authentication, And Authorization

Front 1

Federations

Back 1

a collection of computer networks that agree on standards of operation such as a security standard.

Front 2

federated identity

Back 2

a means of linking a user's identity with their privileges in a manner that can be used across business boundaries (e.g. Microsoft Passport, Google)

Front 3

Transitive access

Back 3

A trusts B. If B trusts C, then A trusts C.

Front 4

transitive trusts

Back 4

a type of relationship that can exist between domains. in all versions of Active Directory, the default is that all domains in a forest trust each other with 2-way, transitive trust relationships.

Front 5

Authentication Protocols examples

Back 5

PAP ( password authentication protocol)- sends in plain text.
SPAP ( shiva password authentication protocol) - replaced PAP, encrypts username and password.
CHAP ( challenge handshake authentication protocol)-stop man in the middle attacks, uses hash.
TOTP ( time-based one time password)
HOTP (HMAC-based one time password)- uses hash message authentication code algorithm

Front 6

tools to retrieve password with physical access

Back 6

ophcrack

Front 7

password expiration

Back 7

90 days acceptable
42 days recommended by Microsoft

Front 8

minimum password change

Back 8

2 days

Front 9

password history

Back 9

24 months recommended

Front 10

account lockout duration

Back 10

duration before account is unlocked
0-99,999

Front 11

account lockout threshold

Back 11

determines incorrect attempts before account is locked. 0- 999

Front 12

reset account lockout counter after

Back 12

minutes to wait between counting failed login attempts. 0-99,999

Front 13

generic account

Back 13

any account that is shared by multiple users

Front 14

privilege assignment

Back 14

group or user assigned.

Front 15

SLIP ( serial line Internet protocol)

Back 15

designed to connect Unix systems in dial up environments.
used in legacy systems

Front 16

remote authentication types

Back 16

TACACS
TACACS+
XTACACS
RADIUS

Front 17

PPP ( point to point protocol)

Back 17

doesn't provide data security
authenticates thru CHAP
works with POTS, ISDN, T1

Front 18

how does PPP work?

Back 18

by encapsulating the network traffic in NCP. authentication is done via LCP. which allows remote users to access the network. not suitable for WAN connections.

Front 19

identification

Back 19

finding out who someone is

Front 20

authentication

Back 20

mechanism of verifying identification

Front 21

5 factors of authentication

Back 21

something you know (pw/pin)

something you have (id, smart card, token)

something you are (biometrics)

something you do (action)

somewhere you are (geolocation)

Front 22

out-of-band authentication

Back 22

system uses public records to question and then authenticate you. e.g. query specific entries in a user's credit report

Front 23

Mutual authentication

Back 23

when 2 or more parties authenticate each other

Front 24

tokens

Back 24

security tokens are similar to certificates- used to identify and authenticate-destroyed at end of session

Front 25

most common tunneling protocols

Back 25

PPTP (point-to-point tunneling protocol)

L2F (layer 2 forwarding)

L2TP (layer 2 tunneling protocol)

SSH (secure shell)

Front 26

PPTP (point-to-point tunneling protocol)

Back 26

encapsulation in single point environment

encapsulates and encrypts PPP packets

done via clear text

channel is encrypted after negotiation

developed my Microsoft

uses TCP 1723

Front 27

L2F (layer 2 forwarding)

Back 27

created by Cisco primarily for dial up connections

shouldn't be used over WANs

provides authentication but not encryption

uses TCP 1701

Front 28

L2TP (layer 2 tunneling protocol)

Back 28

developed by Microsoft and Cisco

works over IPX, SNA, and IP

can be used as a bridge

no data security- no encryption

for security used with IPSec

uses UDP 1701

Front 29

SSH ( secure shell)

Back 29

originally designed for Unix

uses encryption

use TCP 22

Front 30

IPSec (internet protocol security)

Back 30

not a tunneling protocol, but used in conjenction with

primarily used for LAN-to-LAN connections but can be used with remote connections

provides secure authentication and encryption of data and headers

2 modes: tunneling (data/payload and headers encrypted), transport (only payload encrypted)

add onto IP4, built into IP6

Front 31

RADIUS ( Remote Authentication Dial-In User Service)

Back 31

allows authentication of remote and other network connections

IETF standard

provides single source for authentication

Front 32

TACACS (Terminal Access Controller Access-Control System)

Back 32

alternative to RADIUS

current method is TACACS+

XTACACS- combines authentication and authorization with logging to enable auditing

Front 33

VLAN (virtual local area network)

Back 33

allows you to create groups of users and systems and segment them on the network.

used to contain network traffic to a certain area

increases security by allowing users with similiar data sensitivity levels to be segmented together.

Front 34

SAML( Security Assertion Markup Language)

Back 34

open standard based on XML used for authentication and authorization data.

current version SAML v2.0

Front 35

Authentication Services

Back 35

LDAP

Kerberos

IAS (internet authentication service)

CAS (central authentication service)

Front 36

LDAP (Lightweight directory access protocol)

Back 36

standardized directory access protocol that allow directories to be queried (X.500 based directories)

main protocol used by Active Directory

works on port 389

uses commas between names

LDAPS (secure LDAP) encrypted with SSL/TLS port 636

Front 37

Kerberos

Back 37

designed by MIT

allows for single sign on to a distributed network

uses a KDC (key distribution center)

authenticates principal and provides it with a ticket

the KDC can be a single point of failure

Front 38

TGT (ticket granting ticket)

Back 38

encrypted

time limit of 10hrs

list user privilege- works like a token

Front 39

Primary methods of access control

Back 39

MAC -mandatory access control

DAC- discretionary access control

RBAC - role-based access control

RBAC - rule-basedfaccess control

Front 40

MAC (mandatory access control)

Back 40

all access is predefined- static relations

inflexible

administrators make changes

considered most secure

Front 41

DAC (discretionary access control)

Back 41

flexible

uses ACLs to map user permissions to a resource

owner of resource controls privileges

Front 42

RBAC (role based access control)

Back 42

based upon established roles

group based control/permissions

Front 43

RBAC (rule based access control)

Back 43

uses settings in pre-configured security policies

often used with role based access control

easiest to implement with ACLs

Front 44

Smart Cards

Back 44

2 types : CAC (common access card) & PIV (personal identity verification)

Front 45

CAC (common access card)

Back 45

issued by DoD as general id/authentication card

picture on front, back has magnetic strip and barcode

Front 46

PIV (personal identity verification)

Back 46

for federal employees

required to physical/logical access to government resources

Front 47

implicit deny

Back 47

implied at end of each access control list.

means if the above hasn't been explicitly granted then access is denied.

Front 48

Firewall rules

Back 48

act like ACLs

3 possible actions: block, allow, allow only if secure

Front 49

port security

Back 49

works at layer 2 of OSI model

allows only certain MAc addresses to access port

includes: mac limiting & filtering, 802.1x (port authentication), disable unused ports

Front 50

flood guards

Back 50

protection feature for firewalls that alloows the admin to tweak tolerance for unanswered login attacks.

mitigates DoS attacks

Front 51

loop protection

Back 51

prevents broadcast loops

choice between disabling broadcast forwarding and protect against duplicate ARP requests

Front 52

STP (spanning tree protocol)

Back 52

intended to ensure loop-free bridged Ethernet LANs.

ensure only one active path exists between 2 stations

works at data link layer

Front 53

network bridging

Back 53

device has more that 1 network adapter card installed and a user jumps to the other network

Front 54

Log analysis

Back 54

store logs for baselining

log analysis program - ManageEngine

Front 55

Trusted OS (trusted operating system)

Back 55

any Os that meets the governments requirments for security

Front 56

CC (common criteria)

Back 56

the most common set of standards for security

joint effort between Canada, France, Germany, Netherlands, UK and USA

the evaluation criteria is broken down into 7 Evaluation Assurance Levels (EALs)

Front 57

Evaluation Assurance Levels (EALs)

Back 57

EAL1 - system operates correctly, security threats not serious

EAL2 - developers uses good design practices, security not a high priority

EAL3 - conscientious development to provie moderate security

EAL4 - positive security engineering, commercial development practices-benchmark for commercial

EAL5 - security engineering implemented since early design phase, high levels of security assurance

EAL6 -high levels of specialized security engineering assurance, highly secure from pen attackers

EAL 7- requires extensive testing, measurement and complete independent testing of every component

replaced TCSEC and ITSEC

Front 58

configure router securely

Back 58

1. change default password

2. walk through advanced setting

3. keep firmware upgraded

Front 59

password types for cisco routers

Back 59

Type 7- weak encryption

MD5 - encryption uses 1 way hash, configured via enable secret