Occurs when users claim or profess their identity with identifiers such as usernames or email addresses
Users prove their identity with a password
Works together with identification to provide a comprehensive access management system
Methods that track user activity and record that activity in logs
Allow security professionals to re-create the events that preceded a security incident
When does identification occur?
It occurs when a user claims an identity such as with a username or email address
When does authentication occur?
Authentication occurs when the user proves the claimed identity and the credentials are verified
What is the best way to provide accounting?
What is the something you know factor?
This factor typically refers to a shared secret such as a password or even a PIN
This is the least secure form of authentication
What is a strong password?
Doesn't include words found in the dictionary
Combines at least three of the following character types
Complex passwords use a mix of character types. Strong passwords use a mix of character types and have a minimum password length of at least 14 characters
What needs to happen before resetting passwords for users?
Verify the user's identity
It is best to create a temporary password that expires on first use
What is a group policy?
Group policy is implemented on a domain controller within a domain
Administrators use it to create password policies, implement security settings, configure host-based firewalls, and more
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Password must meet complexity requirements
Store passwords using reversible encryption
How do you prevent users from using the same password again?
How do you prevent users from guessing passwords?
Account lockout threshold
Account lockout duration
The first factor of authentication is the weakest factor
What is the something you have authentication factor?
This authentication factor refers to something you can physically hold
What is a smartcard?
Smart cards are credit card sized cards that have an embedded microchip and a certificate
What are two requirements for a smartcard?
Embedded certificate which holds a user's private key
Public key infrastructure which supports issuing and managing the certificates
What is a CAC?
Common access card
Specialized type of smartcard used by the US Department of Defense
Includes a picture of the user and other readable information
Used to gain access into secure locations and to log onto computer systems
Personal identity verification card
Specialized type of smartcard used by federal agencies
Includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users
Smartcard is an example of two factor authentication
An electronic device about the size of a car remote key
Displays a number that expires every 60 seconds
This is used for authentication via a website
Open standard used for creating one-time passwords
Uses a hash
Generates a password that expires in 30 seconds
What is a significant benefit of one-time passwords?
Dual factor authentication
HOTP and TOTP can be used as software tokens for authentication
What is the something you are authentication factor?
Uses biometrics for authentication
Biometric methods are the strongest form of authentication because they're the most difficult for an attacker to falsify
Usually used for identification, not authentication
When a biometrics system incorrectly identifies an unauthorized user as an authorized user
When a biometrics system incorrectly rejects an authorized user
What is the somewhere you are authentication factor?
Uses geolocation to identify a user's location
What are the strongest biometric methods?
Iris and retina scans
Crossover error rates measure the accuracy of a system
What can a company implement to combat weak passwords?
A technical password policy
What can an organization do to combat forgotten passwords?
Password recovery procedure
Network authentication mechanism used within Windows Active Directory domains and some UNIX environments known as realms
Provides mutual authentication that can help prevent man-in-the-middle attacks and uses tickets to help prevent replay attacks
What are three requirements for kerberos?
Method of issuing tickets used for authentication
A database of subjects or users
New Technology LAN Manager
Suite of protocols that provide authentication, integrity, and confidentiality within Windows systems
Lightweight Directory Access Protocol
Specifies formats and messages to query directories
LDAP is based on an earlier version of X.500
Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes such as CN and DC
It also encrypts transmissions with TLS
The ability of a user to log on or access multiple systems by providing credentials only once
One set of credentials is used throughout a user's entire session
This can be used for different operating systems
Creates an indirect trust relationship
Parent and child domain
Security Assertion Markup Language
This is a language to establish trust
This is used to exchange authentication and authorization information between different parties
Three roles in SAML
Principal which is the typical user
Identity provider, which creates, maintains, and manages identity information for the principal
Service provider, which provides services to principals
For example, redirecting the principal to obtain an identity
How do you provide SSO for web-based applications?
Use Security Assertion Markup Language
This links and uses credentials from different networks or operating systems and treats them as one identity
This is useful when parties want to access each other's networks but it is not feasible to join the networks
One of the federated identity solutions
More affordable solution than commercially available federated identity solutions
Makes it easy for developers to expand its usefulness
Open standard for authorization that many companies use to provide secure access to protected resources
Instead of creating a different account for each website you access you can often use the same account that you've created for different sites
Works with OAuth 2.0 and allows clients to verify the identity of end users without managing their credentials
For example, logging in with Facebook to a site that personalizes content for you
Least privilege specifies that individuals and processes are granted only the rights and permissions needed to perform assigned tasks or functions
End user accounts
Accounts for regular users
Has additional rights and privileges beyond what a regular user has
For example, an administrative account
Useful when you want to grant someone limited access to a computer or network without creating a new account
A type of regular end-user account that is used only by a service or application
For example, SQL Server is a database application that runs on a server, and it needs access to resources on the server and network
Requiring administrators to use two accounts one with administrator privileges and another with regular user privileges helps prevent privilege escalation attacks.
Users should not use shared accounts
Account disablement policy
Disabling accounts once an employee leaves
Security keys associated with an account remain available when the account is disabled but are no longer accessible if the account is deleted
What should a company implement if they only want users to access between 8 AM and 5 PM?
Time of day restrictions
What should a company do if they are creating an account for a temporary contractor?
Create an account expiration date for the temporary account
What should a company do if users have many passwords?
For example, Google autofill
Role-based access control (role-BAC)
Uses roles to manage rights and permissions for users
This is useful for users within a specific department who perform the same job functions
What does a company do if they want to simplify user administration?
Apply group-based access control which is control based on groups and roles
Group-based privileges reduce the administrative workload of access management
Administrators put user accounts into groups and assign privileges to the groups
Rule-based access control is based on what?
A set of approved instructions, such as an access control list
Some rule-BAC systems use rules that trigger in response to an event, such as modifying access control lists after detecting an attack or granting additional permissions to a user in certain situations
Discretionary access control
Every object has an owner, and the owner establishes access for the object.
Unix and Windows use this
For example, Microsoft NTFS allows users and administrators to restrict access to files and folders with permissions
What is one flaw to using the DAC model?
Discretionary Access Control
Susceptibility to Trojans
Mandatory Access Control
Uses labels to determine access.
Labels must match to be able to see a file
Higher-level clearances unlock lower-level clearances
Used when access needs to be restricted on a need-to-know basis
Attribute-based access control evaluates attributes and grants access based on the value of these attributes
Uses policies
Commonly used in software-defined networks
What are the five factors of authentication?
something you know
something you have
something you are
somewhere you are
something you do