Module 5: Privileged Access

Question 1

Privileged Access: Least Privilege + definition, and why does it help?

Answer 1

giving users the MINIMUM access they need to do their job, reducing risk of misuse/attack

Question 2

Privileged Access: Privileged Users: what are they and what do they do?

Answer 2

users with HIGHER permissions than normal accounts eg system/network admins. can grant other users permissions, assign accounts to groups, configure access settings

Question 3

Privileged Access: PA Management Techniques (3)

Answer 3

1 Just-in-time permissions: users don’t have always-on admin rights. elevated permissions granted ONLY whe needed and for a short time

2 Password vaulting: software that stores and manages credentials in an encrypted “vault”

3 Temporal accounts: accounts created for temporary use with a built-in expiration date

Question 4

Identity + Access Management: Creating User Accounts best practice to avoid what 3 risks?

Answer 4

one person shouldn’t create all user accounts due to risk of insider threat, error, or poor documentation. use checks/balances

Question 5

Identity + Access Management: Identity Proofing

Answer 5

verifying that someone is who they claim to be ie checking documents

Question 6

Identity + Access Management: Federation

Answer 6

federated login

using credentials from your org to log into another org (eg using using your uni credentials to cross register at another uni)

Question 7

Identity + Access Management: Single Sign-on (SSO) + main benefit

Answer 7

authenticate once, access many apps/systems without logging in again. benefit: reduces number of times user must enter credentials

Question 8

Identity + Access Management: LDAP

Answer 8

Lightweight Directory Access Protocol

protocol for querying/updating directories (user data) organized under X.500 standard

Question 9

Identity + Access Management: Cloud Access Security Broker

Answer 9

software that ensures accounst & permissions are synchronized between local (on-site) AAA servers and cloud providers

Question 10

Identity + Access Management: OAuth

Answer 10

Open Authentication, created by Twitter
allows token-based authentication using public/private keys over the Internet

Question 11

Identity + Access Management: Open ID Connect

Answer 11

an improvement to OAuth, simplifigying the SSO process for web apps

Question 12

Identity + Access Management: SAML

Answer 12

Security Assertions Markup Language

framework for exchanging authentication/authorization info, especialy in federated networks

Question 13

Identity + Access Management: Interoperability

Answer 13

the ability for solutions to work across systems using open standards like XML or JSON

Question 14

Identity + Access Management: Attestation

Answer 14

Affirming correctness/validity of information, often used for compliance (verifying user access is correct)

Question 15

Password Concepts: Best Practices (4)

Answer 15

1 length = strength
2 complexity
3 no reuse
4 age/change regulary

Question 16

Password Concepts: Password Managers

Answer 16

store complex passwords in encrypted format. secure but ensure backup access

Question 17

Password Concepts: Passwordless Authentication

Answer 17

no passwords/PINs used; relies on tokens, keys, or physical devices

Question 18

MFA: 5 Authentication factors

Answer 18

MFA = 2+ authentication types for access;

5 factors
1 something you know
2 something you have
3 something you are
4 something you do (eg signature, gait, typing style)
5 someWHERE you are

Question 19

MFA Implementation: Biometrics

Answer 19

use personal traits to identify/authenticate a person

Question 20

MFA Implementation: MFA tokens: Hard/Soft Tokens

Answer 20

hardware or software-based identity devices

hard token ex; RSA token (6-digit code synced with server)

soft token ex: usb token or app-based token (eg yubikey, smart cards)

Question 21

Access Control Models: TBAC

Answer 21

task-based access control: permissions are granted based on specific aks or workflow steps. ex: bank employee is given access to loan approval system only while assigned the ‘approve loan’ task. once finished, access is revoked

Question 22

Access Control Models: MAC

Answer 22

enforced by system rules. often used in military/govt

Question 23

Access Control Models: RBAC

Answer 23

role-based access control

access determined by a user’s role within an organization. if user changes roles, their access changes accordingly

types: MBC
RBAC
ABAC

Question 24

Access Control Models: ABAC

Answer 24

attribute based access control
access based on context/attributes: user, time, location, etc

Question 25

Privileged Access: PA Management Techniques: Just-in-time Permissions

Answer 25

temporary permission granted only for the task duration, then revoked

Question 26

Privileged Access: PA Management Techniques: Password vaulting

Answer 26

Storing credentials in a secure vault with access control (who, when, how long)

Question 27

Privileged Access: PA Management Techniques: Temporal accounts

Answer 27

Short-lived accounts created for temporary tasks, expire after a set time

Question 28

Identity + Access Management: definition

Answer 28

Managing users and their access to systems/resources securely

Question 29

Identity + Access Management: User account documentation

Answer 29

Procedures for creating accounts, assigning roles/permissions appropriately. Involves mapping user roles to correct privileges based on job function.

Question 30

Identity + Access Management: Federated domain

Answer 30

group of trusted domains/companies that allow shared authentication

Question 31

Identity + Access Management: LDAP X.500

Answer 31

X.500 = the structure/rules established bythe ITU for formatting/organizing directory data

Question 32

Identity + Access Management: X.500 attributes

Answer 32

CN common name (eg bob) OU organizational unit (eg accounting) O organization L locality (eg boston) ST state C country DC domain component (eg .com)

Question 33

Identity + Access Management: AAA

Answer 33

Authentication = verifying the identity of a user/device Authorization = what you are allowed to do Accounting = what did you do? (user activity)

Question 34

Identity + Access Management: how does OAuth work?

Answer 34

consumer gets a token to access info from provider’s site and is authorized for specific permissions

Question 35

Identity + Access Management: what is OAuth used for besides login?

Answer 35

useful to authenticate bots and limit access to services

Question 36

MFA Implementation: Smart Cards

Answer 36

cards with embedded chips/certificates for secure access

Question 37

MFA Implementation: RSA Token

Answer 37

a small hardware device (or software app) that generates a random 6-digit code every 60 seconds. used as part of MFA. adds a ‘something you have’ factor

Question 38

MFA Implementation: CAC

Answer 38

Common Access Card - has a chip with a secure certificate

Question 39

Access Control Models: DAC

Answer 39

Discretionary access control “what you want when you want” — user controls their data access