Lesson 8

Question 1

Federated Identify management

Answer 1

cloud based identify manage provider enables access to many platforms. similar to Kerberos SSO

Question 2

• Certificates and smart cards

Answer 2

• Public key cryptography
• Subject identified by a public key, wrapped in digital certificate
• Private key must be kept secure

Question 3

Tokens

Answer 3

• Authorizations issued under single sign-on

* Avoids need for user to authenticate to each service

Question 4

• Identity provider

Answer 4

• Provisions and manages accounts
• Processes authentication
• Federated identity management

Question 5

• Separation of duties

Answer 5

• Separation of duties
• Standard operating procedures (SOPs)
• Shared authority

Question 6

• Least privilege

Answer 6

Assign sufficient permissions only

• Reduce risk from compromised accounts

Question 7

• Job rotation

Answer 7

• Distributes institutional knowledge and expertise

* Reduces critical dependencies

Question 8

• Mandatory vacations

Answer 8

During that time, the
corporate audit and security employees have time to investigate and discover any
discrepancies in employee activity.

Question 9

• User-assigned privileges

Answer 9

• Assign privileges directly to user
accounts
• Unmanageable if number of users
is large

Question 10

• Group-based privileges

Answer 10

• Assign permissions to security 
groups and assign user accounts 
to relevant groups
• Issues with users inheriting 
multiple permissions

Question 11

Service accounts

Answer 11

are used by scheduled processes and application server software, such
as databases.

Must manage share service acccount credentials

Question 12

Shared/Generic/Device Accounts and Credentials

Answer 12

• Shared accounts
• Accounts whose credentials are known to more than one person
• Generic accounts
• Accounts created by default on OS install
• Only account available to manage a device
• Might use a default password
• Risks from shared and generic accounts
• Breaks principle of non-repudiation
• Difficult to keep credential secure
• Credential policies for devices
• Privilege access management software

Question 13

• Privilege access management software

Answer 13

stores high-risk credentials somewhere other than a spreadsheet

Question 14

SSH

Answer 14

• Secure Shell (SSH) used for remote 
access
•     Host key identifies the server
•     User key pair used to authenticate to 
server
•     Server holds copy of valid users’ 
public keys
•     Keys must be actively managed

Question 15

• Third-party credentials

Answer 15

Passwords and keys to manage
cloud services
• Highly vulnerable to accidental
disclosure

Question 16

Account Password Policy Settings

Answer 16

• Length
• Complexity
• Character combinations
• Aging
• History and reuse
• NIST guidance
• Password hints

Question 17

Account Restrictions

Answer 17

Network location
•     Connecting from a VLAN or IP subnet/remote IP
•      Connecting to a machine type or group (clients versus servers)
• Interactive versus remote logon
• Geolocation
•     By IP address
•     By Location Services
•     Geofencing
•     Geotagging
• Time-based restrictions
• Logon hours
• Logon duration
• Impossible travel time/risky login

Question 18

geoloction vs geotagging vs geofencing

Answer 18

geolocation: location of a user or device can also be calculated using a geolocation

Geofencing: refers to accepting or rejecting access requests based on location.\

Geotagging refers to the addition of location
metadata to files or devices.

Question 19

Account Audits

Answer 19

• Accounting and auditing to detect 
account misuse
•     Use of file permissions to read 
and modify data
•     Failed login or resource access 
attempts

• Recertification
•      Monitoring use of privileges
•      Granting/revoking privileges
•      Communication between IT and 
HR

Question 20

Account Permissions

Answer 20

• Impact of improperly configured 
accounts
•      Insufficient permissions
•      Unnecessary permissions
• Escalating and revoking privileges
• Permission auditing tools

Question 21

Disablement vs lockout

Answer 21

• Disablement
•      Login is disabled until manually reenabled
•     Combine with remote logoff
• Lockout
•      Login is prevented for a period 
and then re-enabled
•      Policies to enforce automatic 
lockout

Question 22

Discretionary vs Role-based access

Answer 22

• Discretionary Access Control (DAC)
• Based on resource ownership
• Access Control Lists (ACLs)
• Vulnerable to compromised privileged user accounts
• Role-Based Access Control (RBAC)
• Non-discretionary and more centralized control
• Based on defining roles then allocating users to roles
• Users should only inherit role permissions to perform particular tasks

Question 23

File System Security

Answer 23

• Access Control List (ACL)
• Access Control Entry (ACE)
• File system support
• Linux permissions and chmod
• Symbolic (rwx)
• User, group, world
• Octal
• r=4
• w=2
• x=1

Question 24

Mandatory vs Attribute-based access control

Answer 24

Mandatory Access control
Labels applied to objects (secret, top seecrat) and clearanced applied subjects

Attribute-Based Access Control (ABAC)
• Access decisions based on a combination of subject and object attributes plus
any context-sensitive or system-wide attributes
• Conditional access

Question 25

Rule-Based Access Control

Answer 25

Rule-based access control is a term that can refer to any sort of access control model where access control policies are determined by system-enforced rules rather than system users. ``` Non-discretionary • System determines rules, not users Conditional access • Continual authentication • User account control (UAC) Privileged access management • Policies, procedures, and technical controls to prevent the malicious abuse of privileged accounts ```

Question 26

Directory Services

Answer 26

Database of subjects (Windows = Active Directory) • Users, computers, security groups/roles, and service Access Control Lists (authorizations) X.500 and Lightweight Directory Access Protocol (LDAP) • Distinguished names • Attribute=Value pairs

Question 27

Protocol used for Directory Services

Answer 27

• X.500 and Lightweight Directory Access Protocol (LDAP) The Lightweight Directory Access Protocol (LDAP) is a protocol widely used to query and update X.500 format directories.

Question 28

Federated identity | management

Answer 28

Federation -is the notion that a network needs to be accessible to more than just a well-defined group of employees. As an example, you can log into twitter with your google account. google verifies the identity.

Question 29

Attestation

Answer 29

verification from and identity provider (IdP) that that user is who she says she is

Question 30

Security Assertions Markup Language (slide 31)

Answer 30

skipped this one

Question 31

API

Answer 31

API is the acronym for Application Programming Interface, which is a software intermediary that allows two applications to talk to each other.

Question 32

REST

Answer 32

• Representational State Transfer (REST) Application Programming Interfaces (APIs) (RESTful APIs) • Framework for implementation not a protocol Many public clouds use application programming interfaces (APIs) based on Representational State Transfer (REST) rather than SOAP. These are often called RESTful APIs. Where SOAP is a tightly specified protocol, REST is a looser architectural framework. This allows the service provider more choice over implementation elements.

Question 33

OAuth

Answer 33

• Designed to communicate authorizations rather than explicitly authenticate a subject • Client sites and apps interact with OAuth IdPs and resource servers that hold the principal’s account/data • Different flow types for server to server or mobile app to server • JavaScript object notation (JSON) web token (JWT)

Question 34

• OpenID Connect (OIDC)

Answer 34

• Adds functions and flows to OAuth to support explicit authentication **Remember, OAuth is more designed to communicat authorizations vs authenticating a subject

Question 35

AUP

Answer 35

Acceptable use policy (AUP) | • Employee use of employer’s hardware and software assets