Week 3: AAA Security (Not Roadside Assistance)
During this week of the course, we will focus on the essentials of the three A’s in cybersecurity that every tech role should embrace: authentication, authorization, and accounting. They are the foundation for controlling access to systems, and to the data in them, in any organization. At the end of this module, you will be able to assess the best methods of authentication and authorization and align users to their appropriate access levels.
Learning objectives:
- Identify and describe the most common authentication services.
- Understand and be able to select the most appropriate for specific scenarios in authentication or authorization.
- Grant users access to organizational resources based on their defined role, responsibilities, and level of authority.
PRACTICE QUIZ: AUTHENTICATION
1. How is authentication different from authorization?
- Authentication is identifying a resource; authorization is verifying access to an identity.
- Authentication is verifying access to a resource; authorization is verifying an identity.
- Authentication is verifying an identity; authorization is verifying access to a resource. (CORRECT)
- They’re the same thing.
Right on! Clearly! Authentication is the procedure by which an entity is confirmed to be who it claims to be. Authorization determines whether that entity, now authenticated, may access certain resources or perform certain actions. Both are fundamental security mechanisms that admit only authorized users to sensitive data and systems.
2. What type of process is the NIST Incident Response Lifecycle?
- Contains dictionary words
- Includes numbers and special characters (CORRECT)
- Is at least eight characters long (CORRECT)
- Is used across accounts and systems
You got it! A good password should combine uppercase and lowercase letters, numbers, and special characters. It should also be long, preferably at least eight characters, since the longer the password, the more secure it is. All of this helps prevent common attacks such as dictionary or brute-force methods.
3. In a multi-factor authentication scheme, a password can be thought of as:
- something you are.
- something you know. (CORRECT)
- something you have.
- something you use.
Wohoo! Totally! In multi-factor authentication (MFA), a password is something that you know. MFA generally requires at least two of the following factors: something you know (for instance, a password), something you have (for example, a smartphone or security token), and something you are (such as a fingerprint or facial recognition). Layering factors this way strengthens security, because an unauthorized individual must defeat more than one of them to gain access.
4. What are some drawbacks to using biometrics for authentication? Check all that apply.
- There are potential privacy concerns. (CORRECT)
- Biometric authentication is much slower than alternatives.
- Biometric authentication is difficult or impossible to change if compromised. (CORRECT)
- Biometrics are easy to share.
That’s exactly right! Biometric authentication has this limitation: unlike passwords, fingerprints or iris scans can’t be changed when compromised. If your fingerprint is stolen you can enroll a different finger, but iris scans cannot be changed at all. Another major security risk arises when biometric data is not stored or transmitted securely, since exposed biometric data is sensitive personal information that can be stolen. Hence, protecting biometric data, and combining it with another factor in multi-factor authentication for better assurance, remains most important.
5. In what way are U2F tokens more secure than OTP generators?
- They can’t be cloned.
- They’re password-protected.
- They’re cheaper.
- They’re resistant to phishing attacks. (CORRECT)
Great job! True! One-time password (OTP) generators are subject to phishing attacks, in which an attacker induces the user to reveal the OTP along with the username and password. Universal 2nd Factor (U2F) relies on public key cryptography instead, and the difference in security is drastic. With U2F, a private key is stored on a physical security device such as a USB key, and the corresponding public key resides on the server. Because the private key never leaves the device and each authentication is tied to the specific website, it is practically impossible for an attacker to phish or intercept the authentication information. U2F therefore ends up being far more resistant to phishing attacks.
6. What elements of a certificate are inspected when a certificate is verified? Check all that apply.
- Trust of the signatory CA (CORRECT)
- Certificate key size
- “Not valid after” date (CORRECT)
- “Not valid before” date (CORRECT)
Yep! When a certificate is verified, its validity period is checked first, and then the signature of the issuing certificate authority is checked to confirm that the CA is trusted.
7. What is a CRL?
- Caramel Raspberry Lemon
- Certificate Recording Language
- Certificate Revocation List (CORRECT)
- Certified Recursive Listener
Good job! CRL is the abbreviation for Certificate Revocation List: a list published by a Certificate Authority (CA) of the certificates it issued that have been explicitly revoked or invalidated.
8. What are the names of similar entities that a Directory server organizes entities into?
- Organizational Units (CORRECT)
- Clusters
- Groups
- Trees
Awesome! Directory servers use organizational units (OUs) to group similar entities under one name.
9. True or false: The Network Access Server handles the actual authentication in a RADIUS scheme.
- True
- False (CORRECT)
Nice work! A Network Access Server merely relays the authentication messages between the client and the RADIUS server; it does not evaluate authentication itself.
10. True or false: Clients authenticate directly against the RADIUS server.
- True
- False (CORRECT)
Correct! Clients communicate with RADIUS indirectly; the authentication exchange goes through the NAS (Network Access Server).
11. What does a Kerberos authentication server issue to a client that successfully authenticates?
- A ticket-granting ticket (CORRECT)
- An encryption key
- A digital certificate
- A master password
Exactly! After logging in, the Kerberos client receives a Ticket Granting Ticket (TGT) from the authentication server. The TGT can then be presented to the Ticket Granting Service to obtain access to a resource.
12. What advantages does single sign-on offer? Check all that apply.
- It enforces multifactor authentication.
- It reduces the total number of credentials. (CORRECT)
- It provides encrypted authentication.
- It reduces time spent authenticating. (CORRECT)
You nailed it! Single Sign-On (SSO) lets a user access many services across different systems or organizations with a single set of credentials, reducing the burden of multiple login IDs and passwords. Once the user has authenticated by entering a username and password, an authentication token is generated; this token keeps the user authenticated for subsequent access until it expires, so the user does not have to authenticate again for the rest of the working day.
13. What does OpenID provide?
- Digital signatures
- Cryptographic hashing
- Certificate signing
- Authentication delegation (CORRECT)
Yep! OpenID allows authentication to be delegated to a third-party authentication service.
PRACTICE QUIZ: AUTHORIZATION AND ACCOUNTING
1. What role does authorization play?
- It determines whether or not an entity has access to a resource. (CORRECT)
- It verifies an entity’s identity.
- It verifies passwords.
- It provides strong encryption.
Awesome! Authorization is the process of defining the resources to which a particular user or account is granted or denied access.
2. What does OAuth provide?
- Confidentiality
- Integrity
- Access delegation (CORRECT)
- Secure communications
Wohoo! OAuth is an open authorization protocol that allows a user to delegate access to their accounts to third parties without disclosing credentials to them.
3. How is auditing related to accounting?
- They’re not related.
- They’re the same thing.
- Accounting is reviewing records, while auditing is recording access and usage.
- Accounting is recording access and usage, while auditing is reviewing these records. (CORRECT)
That’s exactly right! Accounting is the process of recording resource consumption and network access. Auditing reviews the records created of this consumption to identify anomalies in usage.
QUIZ: AAA SECURITY (NOT ROADSIDE ASSISTANCE)
1. Authentication is concerned with determining _______.
- Identity (CORRECT)
- Validity
- Eligibility
- Access
Wohoo! Authentication is a method of validating people’s identities.
2. Which of the following are valid multi-factor authentication factors? Check all that apply.
- Something you know (CORRECT)
- Something you did
- Something you have (CORRECT)
- Something you are (CORRECT)
Nice job! The factors that multi-factor authentication comprises are: (1) something you know, such as a password; (2) something you have, like a physical token; and (3) something you are, which refers to a biometric factor.
3. Security Keys are more ideal than OTP generators because they’re resistant to _______ attacks.
- Password
- Brute force
- DDoS
- Phishing (CORRECT)
Yep! OTP codes are subject to phishing attacks, whereas security keys use a challenge-response system that prevents them.
4. In the three As of security, what is the process of proving who you claim to be?
- Authorization
- Authentication (CORRECT)
- Accounting
- Authored
Great work! It is one of the three A’s. Authentication is all about proving one’s asserted identity.
5. Which of these passwords is the strongest for authenticating to a system?
- P@55w0rd!
- P@w04d!$$L0N6 (CORRECT)
- P@ssword!
- Password!
Right on! This password is strong because it has good length and combines numbers, uppercase and lowercase letters, and special characters.
6. An organization needs to set up a(n) _____ infrastructure to issue and sign client certificates.
- ID
- CRL
- CA (CORRECT)
- LDAP
You nailed it! The organization will have to build a certificate authority (CA) infrastructure to issue and sign client certificates, giving its users secure authentication and communication.
7. A systems administrator is designing a directory architecture to support Linux servers using Lightweight Directory Access Protocol (LDAP). The directory needs to be able to make changes to directory objects securely. Which of these common operations supports these requirements?
- Bind, modify.
- Bind, add.
- Search, modify.
- StartTLS, delete. (CORRECT)
You got it! The delete operation modifies the directory by removing an object from it. With StartTLS, an intranet user can communicate securely over TLS using LDAPv3.
8. Kerberos enforces strict _____ requirements, otherwise authentication will fail.
- Time (CORRECT)
- AES
- NTP
- Strong password
Great work! With StartTLS, it is possible to communicate securely over LDAPv3 using TLS. The delete operation modifies the directory by removing an object from it.
9. Which of these are examples of an access control system? Check all that apply.
- OpenID
- OAuth (CORRECT)
- RADIUS (CORRECT)
- TACACS+ (CORRECT)
Woohoo! OAuth is an example of an authorization method for applications.
Woohoo! Yeah, RADIUS is a full AAA system, so of course it covers authorization too.
Woohoo! Terminal Access Controller Access Control System Plus (TACACS+) is a full AAA protocol that also handles authorization.
10. A company is utilizing Google Business applications for the marketing department. These applications should be able to temporarily access a user’s email account to send links for review. Why should the company use Open Authorization (OAuth) in this situation?
- Utilize a Key Distribution Center server
- Compatibility with third party apps (CORRECT)
- Gain access through a wireless access point
- Administer multiple network devices
Well done! With Open Authorization (OAuth), third-party websites and applications can gain access to a user’s information, such as e-mail, without needing the account credentials.
11. What does a Terminal Access Controller Access Control System Plus (TACACS+) keep track of? Check all that apply.
- Systems users authenticated to (CORRECT)
- Commands that were run (CORRECT)
- Track user authentication (CORRECT)
- Bandwidth and resource usage
Yippee! TACACS+ logs the devices or systems accessed by a user.
Yippee! TACACS+ registers commands that have been executed by a user.
Yippee! TACACS+ tracks user authentication.
12. The two types of one-time-password tokens are ______ and ______. Check all that apply.
- Counter-based (CORRECT)
- Identity-based
- Password-based
- Time-based (CORRECT)
Correct! An OTP generator can be counter-based. In this case the counter is incremented both in the token and on the server at each successful authentication, which keeps the two in sync.
Correct! An OTP generator can also be time-based. In this case the current time is used, so the token’s clock must be synchronized with the time on the server.
13. Security Keys utilize a secure challenge-and-response authentication system, which is based on ________.
- Symmetric encryption
- Shared secrets
- Public key cryptography (CORRECT)
- Steganography
Awesome job! Security keys provide a secure challenge-response authentication mechanism based on public key cryptography, so credentials are not revealed in the course of authenticating.
14. In a Certificate Authority (CA) infrastructure, why is a client certificate used?
- To authenticate the server
- To authenticate the client (CORRECT)
- To authenticate the subordinate CA
- To authenticate the CA
Right on! A client certificate is used to authenticate the client with other computers.
15. Which of these are examples of a Single Sign-On (SSO) service? Check all that apply.
- OpenID (CORRECT)
- Kerberos (CORRECT)
- Tokens
- Relying Parties
Exactly! OpenID is an example of a decentralized Single Sign-On (SSO) service.
Got it! Kerberos is an example of a centralized Single Sign-On (SSO) service.
16. An Open Authorization (OAuth) access token would have a _____ that tells what the third party app has access to.
- template
- scope (CORRECT)
- request
Right on! The scope in an Open Authorization (OAuth) access token states which resources or actions a third-party application is permitted to access.
17. Authorization is concerned with determining ______ to resources.
- Validity
- Eligibility
- Access (CORRECT)
- Identity
Correct! Authorization deals with determining access to resources.
18. Kerberos uses _____ as authentication tokens.
- Passwords
- Certificates
- Cryptographic keys
- Tickets (CORRECT)
Great work! The tickets issued by Kerberos serve as both authentication and authorization for access to resources, based on the user’s identity and privileges.
19. What is used to request access to services in the Kerberos process?
- Client-to-Server ticket
- Ticket Granting Ticket (CORRECT)
- Client ID
- TGS session key
Woohoo! A Ticket Granting Ticket (TGT) is what Kerberos uses to request access to a service. It is acquired immediately after authentication and is then presented to the Ticket Granting Service, which returns service-specific tickets.
20. In the three As of security, which part pertains to describing what the user account does or doesn’t have access to?
- Accounting
- Authentication
- Authorization (CORRECT)
- Accessibility
You have got it right! A user account’s authorization defines what it can and cannot access.
21. Access control entries can be created for what types of file system objects? Check all that apply.
- Programs (CORRECT)
- Files (CORRECT)
- Folders (CORRECT)
- APIs
Great work! Access control entries (ACEs) define permissions that control reading, writing or executing files and folders.
22. Your bank set up multifactor authentication to access your account online. You know your password. What other factor combined with your password qualifies for multifactor authentication? Check all that apply.
- Passphrase
- PIN
- Bank card (CORRECT)
- Fingerprint (CORRECT)
Well done! A bank card is a tangible asset that you possess. The multifactor authentication system then consists of at least two factors, for example something you know, such as a PIN, and something you have, such as a bank card.
23. Multiple client switches and routers have been set up at a small military base. The network team decided to implement Terminal Access Controller Access-Control System Plus (TACACS+), along with Kerberos, and an external Lightweight Directory Access Protocol (LDAP) service. What is the primary reason TACACS+ was chosen for this?
- NIPRNet
- Single Sign-On
- Network access
- Device administration (CORRECT)
Right on! In a nutshell, TACACS+ provides authentication, authorization, and accounting, and is mainly used for device administration. This ensures that access to, and actions on, network devices and services are properly recorded and logged.
24. A(n) _____ defines permissions or authorizations for objects.
- Extensible Authentication Protocol
- Access Control Entries
- Network Access Server
- Access Control List (CORRECT)
You nailed it! An ACL is essentially a set of access permissions for objects, specifying which users or groups can access or alter a resource.
25. A network admin deployed a Terminal Access Controller Access Control System Plus (TACACS+) system so other admins can properly manage multiple switches and routers on the local area network (LAN). The system will keep track and log admin access to each device and the changes made. This “logging” satisfies which part of the three As of security?
- Authentication
- Accounting (CORRECT)
- Authorization
- Administration
Well done! Accurately logging activity and changes satisfies accounting within the three As of security and ensures that all actions can be audited and monitored.
26. Authz is short for ________.
- Authoritarian
- Authorization (CORRECT)
- Authored
- Authentication
Correct: Authorization is sometimes referred to by the short form “authz.”
27. Which of these are examples of “something you have” for multifactor authentication? Check all that apply.
- RSA SecurID token (CORRECT)
- Password
- PING
- OTP (CORRECT)
Awesome! An example of an OTP token is the RSA SecurID, a small battery-powered device with an LCD screen.
Awesome! An OTP (One-Time Password) token is a typical physical token that generates a temporary number for secure authentication.
28. A Lightweight Directory Access Protocol (LDAP) uses a _____ structure to hold directory objects.
- Distinguished Name
- Organizational Unit
- Data Information Tree (CORRECT)
- Bind
You nailed it! An Access Control List (ACL) declares the permissions and authorization an object has, specifying which users or groups are granted or denied access to assets or activities.
29. Authn is short for ________.
- Authentication (CORRECT)
- Authoritarian
- Authorization
- Authored
Correct: Yep! Authentication is sometimes referred to as “authn” for short.
30. In addition to the client being authenticated by the server, certificate authentication also provides ______.
- Server authentication (CORRECT)
- Integrity
- Authorization
- Malware protection
Correct: Indeed, the client also validates the server’s certificate, providing server authentication alongside client authentication when required.