Security+ (SY0-701): Lesson 4: Implement Identity Part 2
This deck covers key concepts from Lesson 4 of the Security+ (SY0-701) course, focusing on identity implementation and access control models.
Key Terms
Term | Definition |
---|---|
List the 3 types of hard authentication tokens | Smart cards; one-time password (OTP) tokens; security keys. |
Define a 'Smart card' | A security device similar to a credit card that can store authentication information. |
What authentication information is stored on a smart card? | User's digital certificate, the private key associated with the certificate, and a personal identification number (PIN) used to activate the card. |
Define a 'Security key' | Portable hardware security module (HSM) with a computer interface such as USB or NFC; the private keys it holds never leave the device. Most closely associated with FIDO U2F and its successor, FIDO2/WebAuthn. |
Define a 'soft authentication token' | A one-time password (OTP) generated by the identity provider and transmitted to the supplicant out of band, typically by SMS, email, or push notification. |
How can a soft authentication token be made more secure? | With an authenticator app: the OTP is computed on the user's device from a shared secret (TOTP) rather than transmitted over a channel such as SMS that can be intercepted or redirected (for example by SIM swapping). |
Define 'Passwordless Authentication' | Multifactor authentication scheme that uses ownership and biometric factors, but not knowledge factors. |
What is best practice for securing passwordless authentication? | The authenticator must be trusted and resistant to spoofing or cloning attacks. |
What concept is used to ensure secure passwordless authentication? | Attestation |
Define 'Attestation' in context of passwordless authentication | Capability of an authenticator to prove its origin (manufacturer and model) by signing registration data with an attestation key whose certificate chains to a trusted root, so the relying party can confirm it is a genuine, uncloned device before trusting it. |
How is an authenticator attested? | Each security key is manufactured with an attestation key and certificate (shared across a production batch so it does not identify an individual key) and a model identifier; the relying party validates the attestation against the vendor's root before accepting the registration. |
Define 'permissions' in the context of authorization | Security settings that control access to objects. |
Define 'Discretionary access control (DAC)' | Access control model; Each resource is protected by an access control list (ACL) managed by the resource's owner(s) |
Why is 'Discretionary access control (DAC)' considered insecure? | Makes centralized administration of security policies the most difficult to enforce; Vulnerable to insider threats and abuse of compromised accounts. |
Define 'Mandatory access control (MAC)' | Access control model; Objects are labeled with a classification and subjects are allocated a clearance level by the system (not by users). Subjects are permitted to read objects classified at their own clearance level or below ("no read up"). |
Define 'Role-based access control (RBAC)' | Access control model; Resources are protected by ACLs that are managed by administrators providing permissions based on job function. |
What makes 'Role-based access control (RBAC)' nondiscretionary? | The right to modify the permissions assigned to each role is reserved to the system owner/administrators; an ordinary principal cannot modify the ACL of a resource, even one it created. |
Define a 'security group' | Collection of user accounts to establish Role-based access control (RBAC). |
Define 'Attribute-based access control (ABAC)' | Access control technique that evaluates a set of attributes that each subject possesses to determine if access should be granted. |
What attributes can be used in Attribute-based access control (ABAC)? | Subject attributes (group/role memberships), environment attributes (IP address/location, time), and device posture (OS version, current patches, and antivirus status). |
Define 'Rule-based access control'/ nondiscretionary access control | Any access control model where access control policies are determined by system-enforced rules rather than system users; RBAC, ABAC, MAC, conditional access. |
Define 'Conditional Access' | Conditional access system monitors account or device behavior throughout a session; If certain conditions are met, it may suspend the account or may require the user to reauthenticate. |
What makes User Account Control (UAC) a form of conditional access? | User is prompted for confirmation or authentication when making requests that require elevated privileges. |
Define 'Least privilege' | Subject should be allocated the minimum necessary rights, privileges, or information to perform its role. |
Define 'authorization creep' | Over time, a user acquires more and more rights, either directly or by being added to security groups or roles. |
Define 'provisioning' | Process of setting up a service according to a standard procedure or best practice checklist. |
What are the 5 general steps of provisioning a user account? | |
Define 'Deprovisioning' | Process of removing an account, host, or application from the production environment; Revoking any access that had been assigned to the subject/object. |
Define a 'security identifier (SID)' | A unique value assigned to an account by Windows and that is used by the OS to identify that account. |
Define 'group policy objects (GPOs)' | On a Windows domain, a way to deploy per-user and per-computer settings. |
Define 'geolocation' | Identification or estimation of the physical location of a subject or device, used as an input to rule-based access control. |
How does geolocation determine the location of a subject/object? | IP address and location services/GPS. |
Define 'time-of-day restrictions' | Establishes authorized login hours for a subject. |
Define a 'duration-based login policy' | Establishes the maximum amount of time a subject may be logged in for. |
Define an 'impossible travel time/risky login policy' | Tracks the location of successive login events for an account over time; if the distance between two logins could not plausibly be covered in the elapsed time, the login is flagged as risky and the account is disabled or forced to reauthenticate. |
Define a 'temporary permissions policy' | Removes an account from a security role or group after a defined period. |
Define a 'privileged account' | Account that can make significant configuration changes to a host, or that has rights on network appliances, application servers, and databases. |
Define 'Privileged access management (PAM)' | Policies, procedures, and technical controls to prevent compromise of privileged accounts. |
Define 'zero standing privileges (ZSP)' | Permissions are explicitly requested and are only granted for a limited period. |
List 3 implementations of 'zero standing privileges (ZSP)' | |
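The DAC, MAC, RBAC and ABAC cards define each model in a sentence; the difference that matters operationally is who is allowed to change the policy. The block below is an added example, not course code: it applies all four models to one constructed scenario (subjects, objects, labels, roles and the ABAC rule set are all invented for illustration) so the nondiscretionary models can be compared against DAC side by side.

```python
# Added example, not course code: the four access control models applied to one constructed
# scenario. Subjects, objects, labels, roles and rules are illustrative assumptions.
from dataclasses import dataclass, field

# MAC labels in dominance order; assigned by the system, never by users.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass
class DacObject:
    """DAC: the object's owner edits its ACL at their own discretion."""
    owner: str
    acl: dict = field(default_factory=dict)           # subject -> set of permissions

    def grant(self, actor: str, subject: str, perm: str) -> bool:
        if actor != self.owner:                        # only the owner may change the ACL ...
            return False
        self.acl.setdefault(subject, set()).add(perm)  # ... and nothing stops a careless owner
        return True

    def allowed(self, subject: str, perm: str) -> bool:
        return subject == self.owner or perm in self.acl.get(subject, set())


def mac_read_allowed(subject_clearance: str, object_label: str) -> bool:
    """MAC simple security property ("no read up"): clearance must dominate the object label."""
    return LEVELS[subject_clearance] >= LEVELS[object_label]


class Rbac:
    """RBAC: permissions hang off roles; only the administrator may touch the mappings."""
    def __init__(self, admin: str):
        self.admin = admin
        self.role_perms = {}                           # role -> {(object, perm)}
        self.user_roles = {}                           # user -> {role}

    def define_role(self, actor: str, role: str, perms) -> bool:
        if actor != self.admin:
            return False
        self.role_perms[role] = set(perms)
        return True

    def assign(self, actor: str, user: str, role: str) -> bool:
        if actor != self.admin or role not in self.role_perms:
            return False
        self.user_roles.setdefault(user, set()).add(role)
        return True

    def allowed(self, user: str, obj: str, perm: str) -> bool:
        return any((obj, perm) in self.role_perms[r] for r in self.user_roles.get(user, ()))


def abac_allowed(subject: dict, obj: dict, env: dict, rules) -> bool:
    """ABAC: every rule is a predicate over subject, object and environment attributes."""
    return all(rule(subject, obj, env) for rule in rules)


# Constructed ABAC policy: right department, from the corporate network, on a healthy device.
ABAC_RULES = [
    lambda s, o, e: o["department"] in s["groups"],
    lambda s, o, e: e["source_ip"].startswith("10."),
    lambda s, o, e: s["os_patched"] and s["av_running"],
]

if __name__ == "__main__":
    doc = DacObject(owner="alice")
    doc.grant("alice", "bob", "read")
    print("DAC  bob read:", doc.allowed("bob", "read"), "| bob write:", doc.allowed("bob", "write"))
    print("MAC  secret reads confidential:", mac_read_allowed("secret", "confidential"),
          "| confidential reads secret:", mac_read_allowed("confidential", "secret"))
    rbac = Rbac(admin="sysadmin")
    rbac.define_role("sysadmin", "payroll_clerk", [("payroll_db", "read")])
    rbac.assign("sysadmin", "carol", "payroll_clerk")
    print("RBAC carol read payroll_db:", rbac.allowed("carol", "payroll_db", "read"))
    hr_user = {"groups": {"hr"}, "os_patched": True, "av_running": True}
    print("ABAC hr from corp net:", abac_allowed(hr_user, {"department": "hr"},
                                                  {"source_ip": "10.1.2.3"}, ABAC_RULES))
```

Note what each model refuses: in DAC only the owner is stopped from nothing, in RBAC `carol` cannot grant herself `write` because `assign` and `define_role` check the actor, and in ABAC the same user is denied the moment the environment attribute (source IP) or device posture changes, which is the behaviour the conditional-access cards build on.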
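The conditional access, geolocation, time-of-day and impossible-travel cards describe policies that are evaluated against a stream of login events. The block below is an added example, not course code: it runs a time-of-day restriction and an impossible-travel check over a constructed set of login events with coordinates. The speed threshold, the authorized login window and the sample logins are assumptions chosen for illustration; the login window is evaluated in UTC as if that were the organization's local time.

```python
# Added example, not course code: time-of-day and impossible-travel policies as detection
# logic over constructed login events. Thresholds and sample data are assumptions.
import math
from datetime import datetime, time as dtime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0                   # assumption: faster than an airliner is not a person
LOGIN_HOURS = (dtime(7, 0), dtime(19, 0))   # assumption: authorized window, org timezone = UTC


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points given by geolocation (IP lookup or GPS)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.atan2(math.sqrt(a), math.sqrt(1 - a))


def within_login_hours(ts: datetime, hours=LOGIN_HOURS) -> bool:
    """Time-of-day restriction: the login must fall inside the authorized window."""
    return hours[0] <= ts.time() <= hours[1]


def impossible_travel(prev, curr, max_kmh=MAX_PLAUSIBLE_KMH) -> bool:
    """prev and curr are (timestamp, lat, lon). True if the implied speed exceeds max_kmh."""
    dist_km = haversine_km(prev[1], prev[2], curr[1], curr[2])
    hours = (curr[0] - prev[0]).total_seconds() / 3600.0
    if hours <= 0:                          # two places at the same instant
        return dist_km > 0
    return dist_km / hours > max_kmh


def evaluate_logins(events):
    """Replay events in time order, remember each account's last accepted location, and
    decide per login. Returns [(user, city, action, flags)], action in allow/reauthenticate/deny."""
    last_seen = {}
    decisions = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        flags = []
        if not within_login_hours(ev["ts"]):
            flags.append("outside_login_hours")
        here = (ev["ts"], ev["lat"], ev["lon"])
        prev = last_seen.get(ev["user"])
        if prev is not None and impossible_travel(prev, here):
            flags.append("impossible_travel")
        if "impossible_travel" in flags:
            action = "deny"                  # risky login: lock the account pending review
        elif flags:
            action = "reauthenticate"        # conditional access: step up rather than hard-deny
        else:
            action = "allow"
        if action != "deny":                 # a denied login must not become the new baseline
            last_seen[ev["user"]] = here
        decisions.append((ev["user"], ev["city"], action, flags))
    return decisions


def _utc(h, m):
    return datetime(2024, 5, 6, h, m, tzinfo=timezone.utc)


# Constructed sample: alice "travels" London -> New York in one hour; bob logs in late from Lyon.
SAMPLE_LOGINS = [
    {"user": "alice", "ts": _utc(9, 0),  "lat": 51.5074, "lon": -0.1278,  "city": "London"},
    {"user": "alice", "ts": _utc(10, 0), "lat": 40.7128, "lon": -74.0060, "city": "New York"},
    {"user": "bob",   "ts": _utc(8, 30), "lat": 48.8566, "lon": 2.3522,   "city": "Paris"},
    {"user": "bob",   "ts": _utc(23, 0), "lat": 45.7640, "lon": 4.8357,   "city": "Lyon"},
]

if __name__ == "__main__":
    for user, city, action, flags in evaluate_logins(SAMPLE_LOGINS):
        print(f"{user:6} {city:9} {action:15} {flags}")
```

Two practical caveats: IP geolocation is coarse (VPN egress points and mobile carrier gateways produce false impossible-travel hits, which is why the example steps up to reauthentication for softer signals and reserves an outright deny for the physically impossible case), and a denied login is deliberately not recorded as the account's new location so that the legitimate user's next login is not flagged against the attacker's position.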