Chapter 4: Access Control, Authentication, and Authorization

Question 1

Identification

Answer 1

Finding out who someone is

Question 2

Authentication

Answer 2

Verifying identification

Question 3

Out-of-band Authentication

Answer 3

The system you are authenticating gets info from public records and asks you questions to help authenticate you.

Question 4

SFA

Answer 4

Single Factor Authentication

Question 5

Mutual Authentication

Answer 5

Multiple parties authenticating each other

Question 6

Layered Security/Defense in Depth

Answer 6

You should implement multiple layers of security

Question 7

Operational Security

Answer 7

• Focuses on how an organization achieves its goals.

- Everything not related to design or physical security.

Question 8

Security Token

Answer 8

• Similar to certificates, it is a small piece of data that holds a sliver of info about the user.
• Authentication system creates the token every time a user connects or when a session begins, and deletes it when they end.

Question 9

Federation

Answer 9

A collection of computer networks that agree on standards of operation.

Question 10

Federated Identity

Answer 10

Allows a user to have a single identity that they can use across different business units or businesses

Question 11

Transitive Access

Answer 11

If A trusts B and B trusts C then A trusts C

Question 12

Shiva Password Authentication Protocol (SPAP)

Answer 12

Like PAP, but encrypts username and password

Question 13

Challenge Handshake Authentication Protocol (CHAP)

Answer 13

• Designed to stop man-in-the-middle attacks

- Periodically asks the client for authentication

Question 14

Time-Based One-Time Password (TOTP)

Answer 14

Uses a time-based factor to create unique passwords

Question 15

Usual minimum password length

Answer 15

8 characters

Question 16

Generic Account

Answer 16

An account that is shared

Question 17

SLIP

Answer 17

One of the first remote authentication protocols, which should not be used now

Question 18

PPP

Answer 18

• No data security, but uses CHAP
• Authentication handled by Link Control Protocol (LCP)
• Encapsulates network traffic with Network Control Protocol (NCP)

Question 19

RADIUS server

Answer 19

Allows authentication of remote and other network connections

Question 20

TACACS+

Answer 20

Similar to RADIUS, authentication

Question 21

Security Assertion Markup Language (SAML)

Answer 21

Open standard based on XML used for authentication and authorization

Question 22

Lightweight Directory Access Protocol (LDAP)

Answer 22

Allows queries to be made of directories

Question 23

Key Distribution Center (KDC)

Answer 23

• Authenticates a user, program, or system and provides it with a ticket used to show it has been authenticated.
• Used in Kerberos

Question 24

Ticket Granting Ticket (TGT)

Answer 24

The ticket given by the KDC, listing the privileges of the user.

Question 25

Mandatory Access Control (MAC)

Answer 25

• All access is predefined

- Considered most secure

Question 26

Discretionary Access Control (DAC)

Answer 26

Incorporates some flexibility, allowing someone with certain permissions to allow someone without the permissions to see stuff

Question 27

Role-Based Access Control (RBAC)

Answer 27

Implements access by job function or by responsibility.

Question 28

Rule-Based Access Control (RBAC)

Answer 28

Use an ACL to deny all but those who appear in a list, or deny only those that appear in a list.

Question 29

Access Review

Answer 29

A process to determine whether a user’s access level is still appropriate.

Question 30

Continuous Monitoring

Answer 30

Ongoing audits of what resources a user actually accesses

Question 31

Thin Clients

Answer 31

Don’t provide any disk storage or removable media, and rely on servers to use applications and data.

Question 32

Common Access Card (CAC)

Answer 32

Issued by the DoD as a general identification/authentication card.

Question 33

Personal Identity Verification Card (PIVC)

Answer 33

A card specific to that one person, used in high up government stuff.

Question 34

3 Firewall Rules

Answer 34

1) Block the connection
2) Allow the connection
3) Allow the connection only if it is secured

Question 35

802.1X

Answer 35

• Port-based security

- AKA EAP over LAN (EAPOL)

Question 36

Loop Protection

Answer 36

Intended to prevent broadcast loops

Question 37

Spanning Tree Protocol (STP)

Answer 37

Intended to ensure loop-free bridged Ethernet LANs

Question 38

Network Bridging

Answer 38

• When a device has multiple NICs and the opportunity presents itself to jump between them.
• We don’t want it on common man’s machines, so disable it!

Question 39

Trusted Operating System (TOS)

Answer 39

Any OS that meets the government’s requirements for security.

Question 40

Common Criteria (CC)

Answer 40

Security evaluation criteria specified by the collaboration between a few countries.

Question 41

Evaluation Assurance Level (EAL)

Answer 41

How the criteria is broken down in CC

Question 42

EAL 1

Answer 42

Wants assurance that the system will operate correctly, but not very concerned with security

Question 43

EAL 2

Answer 43

Requires product developers to use good design practices.

Question 44

EAL 3

Answer 44

Requires conscientious development efforts to provide moderate levels of security

Question 45

EAL 4

Answer 45

• Requires positive security engineering based on good commercial development practices.
• The recommended level for commercial systems

Question 46

EAL 5

Answer 46

Requires special design considerations for high levels of security

Question 47

EAL 6

Answer 47

High levels of protection against significant risks

Question 48

EAL 7

Answer 48

Extremely high levels of security requiring extensive testing

Question 49

Type 7

Answer 49

Weak encryption password type used in routers

Question 50

MD5

Answer 50

The stronger password type used in routers