Kindle Notes & Highlights
Identification occurs when users claim (or profess) their identity with identifiers such as usernames or email addresses. Users then prove their identity with authentication, such as with a password.
Authentication, authorization, and accounting (AAA) work together with identification to provide a comprehensive access management system.
Accounting methods track user activity and record the activity in logs.
An audit trail allows security professionals to re-create the events that preceded a security incident.
Remember this Identification occurs when a user claims an identity such as with a username or email address. Authentication occurs when the user proves the claimed identity (such as with a password) and the credentials are verified. Access control systems provide authorization by granting access to resources based on permissions granted to the proven identity. Logging provides accounting.
Remember this
Before resetting passwords for users, it’s important to verify the user’s identity. When resetting passwords manually, it’s best to create a temporary password that expires upon first use.
Group Policy allows an administrator to configure a setting once in a Group Policy Object (GPO) and apply this setting to many users and computers within the domain. Active Directory Domain Services (AD DS) is a directory service Microsoft developed for Windows domain networks.
Remember this
Group Policy is implemented on a domain controller within a domain. Administrators use it to create password policies, implement security settings, configure host-based firewalls, and much more.
Remember this Password policies include several elements. The password history is used with the minimum password age to prevent users from changing their password to a previously used password. Maximum password age causes passwords to expire and requires users to change their passwords periodically. Minimum password length specifies the minimum number of characters in the password. Password complexity increases the key space, or complexity, of a password by requiring more character types.
Public Key Infrastructure (PKI). Chapter 10 covers PKI in more depth, but in short, the PKI supports issuing and managing certificates.
Remember this Smart cards are often used with dual-factor authentication where users have something (the smart card) and know something (such as a password or PIN). Smart cards include embedded certificates used with digital signatures and encryption. CACs and PIVs are specialized smart cards that include photo identification. They are used to gain access into secure locations and to log on to computer systems.
Hash-based Message Authentication Code (HMAC) uses a hash function and cryptographic key for many different cryptographic functions.
HMAC-based One-Time Password (HOTP) is an open standard used for creating one-time passwords, similar to those used in tokens or key fobs.
Time-based One-Time Password (TOTP) is similar to HOTP, but it uses a timestamp instead of a counter. One-time passwords created with TOTP typically expire after 30 seconds.
Remember this HOTP and TOTP are both open source standards used to create one-time use passwords. HOTP creates a one-time use password that does not expire. TOTP creates a one-time password that expires after 30 seconds. Both can be used as software tokens for authentication.
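The relationship between HOTP and TOTP described above, as an added example that is not from the book: TOTP is simply HOTP with the counter replaced by the number of 30-second steps since the Unix epoch. The shared secret is the ASCII string from the RFC 4226 test vectors; the verification window (`skew`) is an assumption about how a server tolerates clock drift.

```python
import hmac
import hashlib
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (a constructed, well-known value).
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[19] & 0x0F                      # low nibble of the last byte picks a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF  # clear the sign bit
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is the number of elapsed time steps (30 s by default)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `skew` neighbouring steps
    (assumed tolerance for clock drift). compare_digest avoids timing side channels."""
    base = unix_time // step
    return any(hmac.compare_digest(hotp(secret, base + d), code) for d in range(-skew, skew + 1))


if __name__ == "__main__":
    # Counter-based: the same counter always yields the same code (it never expires on its own).
    print("HOTP counter 0:", hotp(SECRET, 0))
    # Time-based: t=59 s is step 1, t=60 s is step 2, so the code changes at the 30-second boundary.
    print("TOTP at t=59:", totp(SECRET, 59), " at t=60:", totp(SECRET, 60))
    print("TOTP now:", totp(SECRET, int(time.time())))
```

Because 59 // 30 == 1, `totp(SECRET, 59)` equals `hotp(SECRET, 1)`, which shows concretely that the timestamp stands in for the counter.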
The false acceptance rate (FAR, also known as a false match rate)
false rejection rate (FRR, also known as a false nonmatch rate)
Remember this The third factor of authentication (something you are, defined with biometrics) is the strongest individual method of authentication because it is the most difficult for an attacker to falsify. Biometric methods include fingerprints, retina scans, iris scans, voice recognition, and facial recognition. Iris and retina scans are the strongest biometric methods mentioned in this section, though iris scans are used more than retina scans due to the privacy issues and the scanning requirements. Facial recognition is the most flexible and when using alternate lighting (such as
virtual private network (VPN) IP address changers available online.
Remember this Using two or more methods in the same factor of authentication (such as a PIN and a password) is single-factor authentication. Dual-factor (or two-factor) authentication uses two different factors, such as using a hardware token and a PIN. Multifactor authentication uses two or more factors.
Kerberos is a network authentication mechanism used within Windows Active Directory domains and some Unix environments known as realms.
The Key Distribution Center (KDC) uses a complex process of issuing ticket-granting tickets (TGTs) and other tickets.
Time synchronization. Kerberos version 5 requires all systems to be synchronized and within five minutes of each other.
Remember this Kerberos is a network authentication protocol within a Microsoft Windows Active Directory domain or a Unix realm. It uses a database of objects such as Active Directory and a KDC (or TGT server) to issue timestamped tickets that expire after a certain time period.
New Technology LAN Manager (NTLM) is a suite of protocols that provide authentication, integrity, and confidentiality within Windows systems.
Lightweight Directory Access Protocol (LDAP) specifies formats and methods to query directories.
LDAP Secure (LDAPS) uses encryption to protect LDAP transmissions.
When a client connects with a server using LDAPS, the two systems establish a Transport Layer Security (TLS) session before transmitting any data.
Remember this
LDAP is based on an earlier version of X.500. Windows Active Directory domains and Unix realms use LDAP to identify objects in query strings with codes such as CN=Users and DC=GetCertifiedGetAhead. LDAPS encrypts transmissions with TLS.
Single sign-on (SSO) refers to the ability of a user to log on or access multiple systems by providing credentials only once.
A transitive trust creates an indirect trust relationship.
Security Assertion Markup Language (SAML) is an Extensible Markup Language (XML)-based data format used for SSO on web browsers.
Remember this SAML is an XML-based standard used to exchange authentication and authorization information between different parties. SAML provides SSO for web-based applications.
Shibboleth is one of the federated identity solutions mentioned specifically in the CompTIA Security+ exam objectives.
OAuth is an open standard for authorization many companies use to provide secure access to protected resources.
application programming interface (API)
The principle of least privilege is an example of a technical control implemented with access controls. Privileges are the rights and permissions assigned to authorized users.
Remember this Least privilege is a technical control. It specifies that individuals or processes are granted only those rights and permissions needed to perform their assigned tasks or functions.
Remember this Requiring administrators to use two accounts, one with administrator privileges and another with regular user privileges, helps prevent privilege escalation attacks. Users should not use shared accounts.
Remember this An account disablement policy identifies what to do with accounts for employees who leave permanently or on a leave of absence. Most policies require administrators to disable the account as soon as possible, so that ex-employees cannot use the account. Disabling the account ensures that data associated with it remains available. Security keys associated with an account remain available when the account is disabled, but are no longer accessible if the account is deleted.
Remember this Time-of-day restrictions prevent users from logging on during restricted times. They also prevent logged-on users from accessing resources during certain times. Location-based policies restrict access based on the location of the user.
Remember this Account expiration dates automatically disable accounts on the expiration date. This is useful for temporary accounts such as temporary contractors.
• Role-based access control (role-BAC)
• Rule-based access control (rule-BAC)
• Discretionary access control (DAC)
• Mandatory access control (MAC)
• Attribute-based access control (ABAC)
Remember this A role-BAC model uses roles based on jobs and functions. A matrix is a planning document that matches the roles with the required privileges.
Remember this Group-based privileges reduce the administrative workload of access management. Administrators put user accounts into security groups, and assign privileges to the groups. Users within a group automatically inherit the privileges assigned to the group.
access control lists (ACLs).
Hypertext Transfer Protocol (HTTP) traffic for web browsers. These rules are typically static.