What is the difference between multi factor authentication and single factor authentication quizlet?

Identification

is the process whereby a network element recognizes a user's claimed identity.
• A username provides identification.

Authentication

• is validating the user's claimed identity.
• The combination of username and password provides authentication.
• By providing a password, PIN, code, etc., the user proves that he/she is, in fact, who he/she claims to be.

Authentication Factors

• Authentication factors are the different methods of proving you are who you claim to be.

"Something you know"

Password, PIN, passphrase, etc. (A username is an identifier, not a secret, so it is not a factor on its own.)

• "Something you have":

Key, key-fob, smart-card, or token

"Something you are":

This is known as biometrics and measures personal physical characteristics of you.
For example, thumb-print scan, retinal scan, DNA scan, facial or voice recognition, etc.

"Somewhere you are"

IP address and/or computer name

One, Two, and Three-factor Authentication

• Multifactor authentication is a security system in which more than one type of authentication factor is required to verify the legitimacy of a transaction. Two methods of the same type (for example a password plus a PIN) are still a single factor.

• The strongest forms of multifactor would be something you are combined with something you have.

One-factor: one type of authentication method.

• Username and password are an example of one-factor authentication (the username identifies; the password is the only factor).

Two-factor: two types of authentication methods.

• Username and password plus a fingerprint scan are an example of two-factor authentication.

Three-factor: three types of authentication methods.

• Username and password, a fingerprint scan, and a hardware token are an example of three-factor authentication.

Federation

Federation links one person's identity across many different services. This allows the user to access more systems easily.

• Frequently paired with Single Sign-On capabilities.

SSO (Single Sign-On)

• allows a user to sign on once and gain access to all of those federated services without having to log onto each individually.

• SSO is frequently utilized for ease of use today. One example is using your Facebook account to log onto Skype or one of many other associated services.

Multi-factor authentication

Multi-factor authentication means using more than one type of authentication factor.

Transitive trust/authentication

In PKI, if Company A trusts Company B and Company B trusts Company C, then Company A trusts Company C. This describes a transitive trust.

• Applies to both the hierarchical model and the peer-to-peer model.

LDAP (short for Lightweight Directory Access Protocol)

LDAP is a protocol for accessing information directories such as Windows Active Directory or Open Directory.

• LDAP provides a single point of user management.

636

• The default port for secure LDAP (LDAPS) is TCP 636. Plain LDAP uses TCP 389 and a simple bind sends the password unencrypted unless the session is upgraded with StartTLS.

Kerberos

Kerberos is an authentication system developed at MIT that enables two parties to prove their identities to each other and exchange private information across an otherwise open network.

KDC (Key Distribution Center)

• Kerberos works by issuing credentials, called tickets, from the ticket-granting service of the KDC. Each ticket carries a session key and is encrypted with the key of the service it is meant for.

• The ticket, together with an authenticator encrypted under that session key, is then sent with requests to prove the identity of the sender.

• Kerberos

is an access, authentication, and authorization protocol that is considered more secure than TACACS, RADIUS, and LDAP because the user's password never crosses the network; only tickets and encrypted timestamps do.

Kerberos works well in an Active Directory infrastructure, where every domain controller acts as a KDC.

With Kerberos

the KDC authenticates the user and provides a TGT (Ticket Granting Ticket), which is then used in the future for a faster means of authentication to other services without re-entering the password.
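The three exchanges described on these cards (AS, TGS and AP), as an added example that is not part of the original page. The realm, principals and passwords are made up, and `seal`/`unseal` is a stand-in authenticated cipher built from the standard library; real Kerberos uses the AES/HMAC encryption types and ASN.1 messages, but the flow of keys and tickets is the same.

```python
# Added example (not from the original page): toy Kerberos AS/TGS/AP exchanges.
# seal/unseal is a stand-in authenticated cipher (SHA-256 keystream + HMAC tag);
# real Kerberos uses the AES/HMAC encryption types from RFC 3962 / RFC 8009.
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, salt: str) -> bytes:
    # Long-term key from the password (real string-to-key is salted PBKDF2).
    return hashlib.sha256(salt.encode() + password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def seal(key: bytes, msg: dict) -> bytes:
    pt = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service + Ticket Granting Service sharing one key table."""

    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {p: derive_key(pw, realm + p) for p, pw in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)    # key that protects TGTs

    def as_exchange(self, user: str, preauth: bytes):
        # AS-REQ carries a timestamp sealed under the user's key: proof of the
        # password without sending it. A wrong key fails the integrity check.
        if abs(time.time() - unseal(self.keys[user], preauth)["ts"]) > 300:
            raise ValueError("clock skew too large")
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": sk.hex(), "exp": time.time() + 36000})
        return seal(self.keys[user], {"key": sk.hex()}), tgt   # AS-REP: session key + TGT

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        t = unseal(self.keys["krbtgt"], tgt)           # only the KDC can open a TGT
        sk = bytes.fromhex(t["key"])
        if unseal(sk, authenticator)["user"] != t["user"] or time.time() > t["exp"]:
            raise ValueError("bad authenticator or expired TGT")
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"user": t["user"], "key": ssk.hex(), "exp": time.time() + 36000})
        return seal(sk, {"key": ssk.hex()}), ticket    # TGS-REP: service session key + ticket


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    # AP-REQ: the service needs no contact with the KDC, only its own key.
    t = unseal(service_key, ticket)
    if unseal(bytes.fromhex(t["key"]), authenticator)["user"] != t["user"] or time.time() > t["exp"]:
        raise ValueError("bad authenticator or expired ticket")
    return t["user"]


def kerberos_login(kdc: KDC, user: str, password: str, service: str) -> str:
    """Client side of all three exchanges; returns the identity the service accepted."""
    ukey = derive_key(password, kdc.realm + user)                      # never leaves the client
    as_rep, tgt = kdc.as_exchange(user, seal(ukey, {"ts": time.time()}))
    sk = bytes.fromhex(unseal(ukey, as_rep)["key"])
    tgs_rep, ticket = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service)
    ssk = bytes.fromhex(unseal(sk, tgs_rep)["key"])
    # The service's own key copy; read from the KDC table here for the demo.
    return service_accept(kdc.keys[service], ticket, seal(ssk, {"user": user, "ts": time.time()}))
```

Run `kerberos_login(KDC("EXAMPLE.COM", {"alice": "hunter2", "fileserver": "svc-key-123"}), "alice", "hunter2", "fileserver")` and the file server accepts "alice" although the only things that crossed the network were sealed timestamps and tickets; a wrong password fails at the KDC's pre-authentication step, before any ticket is issued.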

• TACACS (short for Terminal Access Controller Access Control System)

is an authentication protocol that was commonly used in UNIX networks.

• It allows a remote access server to communicate with an authentication server in order to determine if the user has access to the network.

• The difference between RADIUS and TACACS+

• The difference between RADIUS and TACACS+ is that TACACS+ separates authentication, authorization, and accounting into independent functions, whereas RADIUS combines authentication and authorization in one exchange.

• TACACS+ (Terminal Access Controller Access-Control System Plus)

is a Cisco Systems proprietary protocol which provides access control for routers, network access servers, and other networked computing devices via one or more centralized servers.

TACACS+

provides separate authentication, authorization and accounting services.

TACACS+ , Radius

• TACACS+ encrypts the entire body of the packet being sent, rather than just the password as RADIUS does (RADIUS only obfuscates the User-Password attribute with MD5 and the shared secret; user names and other attributes travel in cleartext).

TACACS+ (TACACS Plus)

uses multiple challenge/responses for Authentication, Authorization, and Accounting (AAA) and runs over TCP port 49.

• PAP (short for Password Authentication Protocol)

is the most basic form of authentication, in which a user's name and password are transmitted (cleartext/unencrypted) over a network and compared to a table of name-password pairs.

• CHAP (Challenge Handshake Authentication Protocol)

is more secure: the server sends a random challenge and the client answers with an MD5 hash of (identifier + shared secret + challenge), so the secret itself never crosses the network and a captured response cannot be replayed against a fresh challenge. It is not "salted and hashed" in the password-storage sense: the server must still hold the secret in a recoverable form, and a sniffed challenge/response pair can be attacked offline with a dictionary.
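PAP and CHAP side by side, as an added example that is not from the original page. The user name, secret and wordlist are made up; the response computation is the one in RFC 1994, and the last function shows the offline-dictionary caveat.

```python
# Added example (not from the original page): PAP vs CHAP (RFC 1994).
import hashlib
import hmac
import os


def pap_request(username: str, password: str) -> bytes:
    # PAP: the secret crosses the link as-is; anyone sniffing can read it.
    return username.encode() + b"\x00" + password.encode()


def chap_response(identifier: int, secret: str, challenge: bytes) -> bytes:
    # RFC 1994: Response = MD5(Identifier || secret || Challenge)
    return hashlib.md5(bytes([identifier]) + secret.encode() + challenge).digest()


class ChapAuthenticator:
    """Server side: a fresh random challenge per attempt, each usable once."""

    def __init__(self, secrets: dict):
        self.secrets = secrets       # username -> shared secret (must be recoverable)
        self.pending = {}            # identifier -> challenge in flight
        self.next_id = 0

    def challenge(self):
        ident = self.next_id % 256   # Identifier is one octet
        self.next_id += 1
        chal = os.urandom(16)
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        chal = self.pending.pop(ident, None)      # consumed: replays find nothing
        if chal is None or username not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[username], chal)
        return hmac.compare_digest(expected, response)


def chap_dictionary_attack(ident, challenge, sniffed_response, wordlist):
    # Caveat: a captured challenge/response pair can be brute-forced offline.
    for guess in wordlist:
        if chap_response(ident, guess, challenge) == sniffed_response:
            return guess
    return None


def demo():
    auth = ChapAuthenticator({"alice": "hunter2"})          # constructed data
    ident, chal = auth.challenge()
    resp = chap_response(ident, "hunter2", chal)           # client side
    accepted = auth.verify(ident, "alice", resp)
    replayed = auth.verify(ident, "alice", resp)           # same response again
    cracked = chap_dictionary_attack(ident, chal, resp, ["password", "letmein", "hunter2"])
    return accepted, replayed, cracked
```

`demo()` returns `(True, False, "hunter2")`: the genuine response is accepted, the replay is refused, and the sniffed pair still yields the secret to a dictionary attack, which is why CHAP needs a strong secret or a protected link (MS-CHAPv2 over a TLS tunnel, for example).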

RADIUS (which is short for Remote Authentication Dial-In User Service)

is a central Authentication , Authorization, and Accounting system used to control network access.

Radius

RADIUS allows for authentication of dial-in and other network connections and uses UDP ports 1812 (authentication) and 1813 (accounting); older deployments used 1645 and 1646.

RADIUS Protocol

protocol is a good choice in a mixed-vendor environment as it is compatible with many different operating systems and applications.
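What "RADIUS only encrypts the password" means on the wire, as an added example that is not from the original page: the User-Password hiding from RFC 2865 section 5.2, and an Access-Request built around it. The shared secret, user name and password are made up.

```python
# Added example (not from the original page): RFC 2865 User-Password hiding.
import hashlib
import os
import struct


def hide_user_password(shared_secret: bytes, request_authenticator: bytes, password: bytes) -> bytes:
    # RFC 2865 s5.2: pad to a 16-octet multiple (min 16, max 128), then XOR each
    # block with MD5(secret || previous block), seeded with the Request Authenticator.
    if len(password) > 128:
        raise ValueError("password longer than 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        out += block
        prev = block            # c(i) feeds the next b(i+1)
    return out


def reveal_user_password(shared_secret: bytes, request_authenticator: bytes, hidden: bytes) -> bytes:
    # The server (or anyone holding the shared secret) reverses the chain.
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strips padding (and any trailing NULs in the password)


def build_access_request(shared_secret: bytes, username: bytes, password: bytes, identifier: int = 1):
    request_authenticator = os.urandom(16)
    attrs = bytes([1, 2 + len(username)]) + username               # User-Name (1): cleartext
    hidden = hide_user_password(shared_secret, request_authenticator, password)
    attrs += bytes([2, 2 + len(hidden)]) + hidden                  # User-Password (2): hidden
    header = struct.pack("!BBH", 1, identifier, 20 + len(attrs))   # Code 1 = Access-Request
    return header + request_authenticator + attrs, request_authenticator
```

Inspect the packet and the user name is readable while the password is not; but the hiding is a reversible MD5 stream keyed only by the shared secret, so anyone who learns the secret (or guesses a weak one offline from a capture) recovers every password. This is why RADIUS should run over IPsec or a dedicated management network, and why TACACS+'s whole-body encryption is the stronger design.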

Diameter

is the newer successor to RADIUS. It runs over TCP or SCTP (reliable transports, unlike RADIUS's UDP) and can be protected with TLS or DTLS. (SCTP is the Stream Control Transmission Protocol.)

SAML (Security Assertion Markup Language)

is an XML-based standard used to exchange authentication and authorization data between an Identity Provider and a Service Provider about a user (known as the principal).

SAML

SAML can be used to exchange authentication and authorization information across numerous web-based applications.

• SAML is a type of SSO system that allows one entity to verify a user's identity and then let others know that the user is legitimate, as well as what actions the user is allowed to perform.

OAuth (Open Authorization)

is an open standard for delegated authorization that issues tokens so that a third-party service never sees the user's password. This is how somebody can safely let another service use their Amazon (or Google, GitHub, etc.) account. Authentication on top of OAuth 2.0 is provided by OpenID Connect.

OAuth

OAuth acts as a go-between for two services. The user authenticates to the authorization server and consents; the authorization server then issues an access token that the client service presents in place of the user's password, allowing one service to pull information from another.

• Also controls what information is shared (the scopes granted with the token).

• While the user still authenticates to the authorization server, OAuth's focus is on delegating access to resources.

NTLMv2,

• NTLMv2 is a Microsoft challenge-response authentication protocol. The NT hash (MD4 of the UTF-16LE password) is used with HMAC-MD5 over the server challenge and client data to compute the response.

NTLMv2

implements the strongest response computation of the three and is better than its older siblings (NTLM and LANMAN), though Kerberos is preferred wherever it is available.

LANMAN

is the least secure: the password is upper-cased, split into two 7-character halves and DES-encrypted, so it is trivially cracked.

NTLM

is used to authenticate a client to a server and to secure communication between them where Kerberos is not available.

Common Access Control Models

MAC, DAC, RBAC(Rule), RBAC(Role)

Mandatory Access Control (MAC)

• is the means of restricting access to an object based on the sensitivity (as represented by a label) of the information contained in the object and the formal authorization (clearance) of subjects to access information of such sensitivity.

• The MAC access model is based on security labels, also called sensitivity labels.

MAC access control model

• uses predefined access privileges, set by the system rather than by the owner, to decide whether users have permission to a resource.

• Users cannot share resources dynamically; an owner cannot grant access to a file whose label exceeds the recipient's clearance.

Discretionary Access Control (DAC)

• is a type of access control in which the owner has complete control over all the objects it owns, and also determines, through access control lists, the permissions other users have to those objects.

DAC access control model

• An example of DAC is NTFS permissions.

• The owner of the resource in the DAC model is responsible for establishing access permissions to network resources.

• DAC is more often used by corporations than MAC.

Role Based Access Control (RBAC)

is a system of controlling which users have access to resources based on the role of the user.

• The concept of separation of duties is most closely associated with RBAC.

• RBAC access control permissions are established by the role or responsibilities users have in an organization.

Rule-based Access Control (RBAC)

Rule-based Access Control uses the settings in preconfigured security policies to make all decisions.

• Devices that use Rule-based Access Control:

• Firewall • Routers • IPS
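The four models above as decision functions, an added example that is not from the original page. The clearances, users, roles and firewall rules are made up, and the MAC rules follow Bell-LaPadula (no read up, no write down), which is an assumption about which label model the card has in mind.

```python
# Added example (not from the original page): MAC, DAC, role-based and
# rule-based access decisions over constructed subjects and objects.
import ipaddress

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def mac_allows(clearance: str, label: str, op: str) -> bool:
    # Mandatory: labels are fixed by the system. Bell-LaPadula (assumed here):
    # read only at or below your clearance, write only at or above it.
    c, l = LEVELS[clearance], LEVELS[label]
    return c >= l if op == "read" else c <= l


class DacObject:
    """Discretionary: the owner edits the ACL, as with NTFS permissions."""

    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}

    def grant(self, actor: str, user: str, perms: set) -> None:
        if actor != self.owner:
            raise PermissionError(f"{actor} is not the owner")
        self.acl.setdefault(user, set()).update(perms)

    def allows(self, user: str, op: str) -> bool:
        return op in self.acl.get(user, set())


ROLE_PERMS = {"payroll-clerk": {"submit-payment"}, "payroll-approver": {"approve-payment"}}


def rbac_allows(user_roles, op: str) -> bool:
    # Role-based: permissions attach to roles, never to users directly.
    return any(op in ROLE_PERMS.get(r, set()) for r in user_roles)


def separation_of_duties_ok(user_roles) -> bool:
    # One person holding both payroll roles would defeat the control.
    return not {"payroll-clerk", "payroll-approver"} <= set(user_roles)


FIREWALL_RULES = [  # rule-based: first matching rule wins, whoever the user is
    ({"proto": "tcp", "dport": 22, "src": "10.0.0.0/8"}, "allow"),
    ({"proto": "tcp", "dport": 22}, "deny"),
    ({"proto": "tcp", "dport": 443}, "allow"),
]


def rule_based_decision(packet: dict, rules=FIREWALL_RULES, default="deny") -> str:
    for match, action in rules:
        ok = True
        for k, v in match.items():
            if k == "src":
                ok = ok and ipaddress.ip_address(packet["src"]) in ipaddress.ip_network(v)
            else:
                ok = ok and packet.get(k) == v
        if ok:
            return action
    return default          # implicit deny when nothing matches
```

The contrast the cards draw is visible in who can change the answer: in `mac_allows` nobody but the labeling system, in `DacObject` only the owner, in `rbac_allows` whoever administers role membership, and in `rule_based_decision` whoever edits the rule list.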

Kerberos

A network authentication protocol that provides protection through authentication, authorization, and auditing.

Proximity card readers

are devices that are used to read a proximity card.

• "Proximity card" is a generic name for contactless integrated circuit devices used for security access or payment systems.

• A proximity card reader is better for door locks than a traditional key-punch lock, because it eliminates the shoulder-surfing problem often associated with key-punches.

Smart Cards

Smart cards are used for authentication and are something that you physically possess.

A smart card is a plastic card the size of a credit card with an integrated circuit built into it.

• The user's private key is the crypto key used on a smart card; the card performs the signing operation itself so the key never leaves it.

• Smart cards and PCMCIA cards

can be used to store keys.

Biometrics

• are the authentication techniques that rely on measurable physical characteristics that can be automatically checked.

Biometrics

• are considered physical access control methods, not logical.

• The main limitations of biometrics are that they are expensive and complex.

Fingerprint

• Fingerprint scanners are considered to be an effective form of biometric authentication, as they record a very unique feature.

• However, a fingerprint can be relatively easily obtained from a person (lifted from a surface) or otherwise spoofed, and unlike a password it cannot be changed once compromised.

voice recognition

• is a technology that attempts to match a user's voice with a phrase previously recorded by said user.

Biometrics - Retina Scanner

• A retina scanner is the most reliable and has the lowest crossover error rate (CER: the point at which the false acceptance rate and the false rejection rate are equal, the usual figure for comparing biometric systems).

• A retina scan by itself would be an example of single-factor authentication.

Retina scanner - privacy

• Retina scanner devices carry significant privacy implications due to personal health information that can be discovered.

• A false negative

is when a biometric system rejects an enrolled, legitimate user as unauthorized (a false rejection).

A false positive

• is when a biometric system accepts an unauthorized user as a legitimate one and allows them access (a false acceptance).

true positive

is when a biometric scanner identifies users that are authorized and allows them access.
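How the false positive, false negative and crossover error rate on these cards relate, as an added example that is not from the original page: the match scores below are constructed, not sensor data, and the threshold sweep finds the CER for them.

```python
# Added example (not from the original page): FAR, FRR and crossover error
# rate from constructed match scores (0.0 = no match, 1.0 = perfect match).
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.85, 0.67, 0.93, 0.80, 0.78, 0.89]   # enrolled users
IMPOSTOR = [0.12, 0.35, 0.58, 0.41, 0.22, 0.69, 0.30, 0.48, 0.15, 0.75]  # everyone else


def accepted(score: float, threshold: float) -> bool:
    return score >= threshold


def error_rates(threshold: float, genuine=GENUINE, impostor=IMPOSTOR):
    # false negative = legitimate user rejected; false positive = impostor accepted
    false_rejects = sum(not accepted(s, threshold) for s in genuine)
    false_accepts = sum(accepted(s, threshold) for s in impostor)
    far = false_accepts / len(impostor)   # false acceptance rate
    frr = false_rejects / len(genuine)    # false rejection rate
    return far, frr


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    # Sweep the threshold; the CER is where FAR and FRR are (closest to) equal.
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    _, t, far, frr = best
    return t, (far + frr) / 2


def threshold_for_max_far(max_far: float, genuine=GENUINE, impostor=IMPOSTOR, steps=100):
    # Tightening security (lower FAR) costs usability (higher FRR).
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, far, frr
    return 1.0, 0.0, 1.0
```

For the constructed scores the crossover sits at a threshold of 0.70 with a CER of 10%; demanding zero false acceptances pushes the threshold to 0.76 and rejects 20% of genuine users, which is the trade-off the "lowest CER" claim is about.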

Tokens

A token is a physical device that an authorized user of computer services is given to ease authentication.

• Tokens are used to prove one's identity electronically. The token is used in addition to or in place of a password to prove that the customer is who they claim to be.

Tokens

Tokens allow a user to have a TOTP (Time-based One Time Password).

HOTP (HMAC-based one-time password)

is the counter-based variant. An HOTP code stays valid until it is used (or the counter moves past it), so a stolen code remains usable for much longer than a TOTP code, which expires at the end of its time step (typically 30 seconds).
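HOTP (RFC 4226) and TOTP (RFC 6238) with the validation logic the cards allude to, as an added example that is not from the original page. The secret used in the checks is the RFC test-vector seed; the look-ahead window and skew values are assumptions a server operator would tune.

```python
# Added example (not from the original page): HOTP / TOTP generation and
# server-side validation, including replay handling for HOTP.
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    # RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation.
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: float = None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    # RFC 6238: HOTP with counter = floor(unix_time / step)
    t = time.time() if at is None else at
    return hotp(secret, int(t // step), digits, algo)


class HotpValidator:
    """Counter-based token server: accept a look-ahead window for tokens pressed
    without logging in, never accept a counter at or below the last one used."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret, self.window, self.last_counter = secret, window, -1

    def verify(self, code: str) -> bool:
        for c in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c      # resync to the counter actually used
                return True
        return False


def totp_verify(secret: bytes, code: str, at: float = None, step: int = 30, skew: int = 1) -> bool:
    # Accept the current step plus/minus `skew` steps for clock drift; a code
    # older than that is dead on its own, no state needed.
    t = time.time() if at is None else at
    return any(hmac.compare_digest(totp(secret, t + d * step, step), code)
               for d in range(-skew, skew + 1))


def secret_from_base32(s: str) -> bytes:
    # Authenticator apps receive the seed as base32 in an otpauth:// URI.
    return base64.b32decode(s.upper() + "=" * (-len(s) % 8))
```

The HOTP validator is what makes the "valid until used" point concrete: a code for counter 5 is accepted whenever it first arrives, hours later included, whereas `totp_verify` rejects a code as soon as its time step plus skew has passed.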

Common Access Card (CAC) Personal Identity Verification (PIV)

CAC and PIV cards can hold many advantages for access control security.

• They are a form of smart card.

• They use PKI.

• The CAC and PIV have integrated circuit chips, magnetic stripes, bar codes, and contactless capability.

• They can be as basic as a government employee ID number or intelligent enough, as a smart card, to hold biometric data such as fingerprints alongside human-readable features.

802.1x

• is the IEEE standard for port-based Network Access Control, enabling restricted use of a WAP's (wireless access point's) or switch's ports so that communication is only allowed for authenticated and authorized devices or users.

The RADIUS server

acts as the authentication server when you are using 802.1x authentication.

File System Security

• When managing file systems it is important to have parameters and permissions set to ensure sensitive data is less accessible.

Least Privilege

Allow employees to access only what is necessary for their job.

• Make sure all relevant data is backed up and secured in case of any event that may otherwise result in data loss.

• Administrator

The Administrator account is the built-in account in charge of a Windows system.

It has permissions to change any setting. It is always a good idea to rename this account if you can.

• Guest

is usually used to allow temporary access to the system. Guests usually just have some access to the internet and some programs. However, this account can be taken advantage of by a malicious hacker, so it is always a good idea to disable this account.

Standard User

This is the account for everyday usage of the system. It is good practice for an admin to use a standard account for anything other than admin duties.

Privileged Accounts

are any accounts that hold access to everything on your network. These can be in the form of admin, root, SYS, or other credentials that would give an administrative all-access pass to your applications.

• When using a generic (shared) account make sure that its privileges are set as low as possible, as it is difficult to keep track of accountability (who actually used it).

Least Privilege Policy - control type

• Its implementation is a technical control.

Least Privilege

requires that a user or a program be able to access only the information and resources that are necessary to its legitimate purpose.

Least Privilege

• This principle falls under confidentiality.

• When assigning permissions you should go by this principle.

Onboarding/Offboarding

• The process of bringing assets into, and removing them from, the network, respectively.

• As employees get hired, fired, promoted, etc., it is important to make sure that the relevant accounts are created, adjusted, or removed from their relevant network. • Neglecting this would leave some employees with undesirable access.

Auditing - What Is Auditing?

tracks user and operating system activities and records selected events in the security log of Windows.

• Auditing answers:

What occurred? When? Who did it? What was the result?

• Enable auditing to:

• Create a baseline - Determine damages
• Detect threats and attacks - Prevent further damage

• Audit access to objects, management of accounts, and users logging on and logging off.

• Permission auditing is making sure that the correct privileges and permissions are assigned to the correct individuals.

• Usage auditing is making sure that resources are being allocated and used where they are supposed to be.

To prevent privilege creep

which is the amassing of privileges by an employee who has been employed for a long time (and has moved between roles without old rights being revoked).

• Group Policy

is a hierarchical infrastructure that allows a network administrator to implement specific configurations for users and computers.

In part, it controls what users can and cannot do on a computer system.

• For example: enforcing a minimum complexity policy for passwords, restricting remote access to only identified users, blocking access to the Windows Task Manager, or restricting access to certain folders.

Time of Day Restrictions

put restrictions on when (time and day) a user can or cannot log on to a computer system.

They can be configured to prevent users from logging on during non-working days.

• For example: if logon hours were configured so users can only log on to their computers Monday - Friday between the hours of 8am - 5pm, and a user tried to log on to their computer at 6pm on Thursday, they would be denied access.

recovery

• When the need arises, it is good to have a policy in place in order to recover access to data and accounts.

• For instance, a key escrow or data recovery agent, accessible only to authorized staff, so that a terminated employee's encrypted data can still be read. Keeping a separate database of employees' actual passwords is not the way to do this; passwords should be reset, never stored in recoverable form.

• Similarly, enforcing automatic mandatory backups in case of compromise or other data loss is good to have in place.

Enforce Password History

How many passwords do you want remembered, so they cannot be reused.

Maximum Password Age

How long can a user use a password.

Minimum Password Age

How long must a user use a password before they can change it.

Password must meet complexity requirements

Users must use characters from at least three of the following categories: upper-case letters, lower-case letters, digits, and special characters (Windows also counts a fifth category, other Unicode letters).

Account Lockout Duration

Determines how long a user will be locked out after they exceed the Account lockout threshold. If set to zero, an administrator must unlock the account.

Account lockout threshold.

Number of times a user can supply the wrong password before their account is locked.

Reset Account Lockout counter after

Determines how long after the last invalid logon attempt before the counter is reset.

Passwords and User Accounts

• To prevent users from re-using old passwords, you must use these two policies together:

• Enforce Password History

• Minimum Password Age

• An Account Lockout Threshold can mitigate Brute Force attacks (but also lets an attacker lock out legitimate users on purpose, so pair it with a sensible duration and reset window).

• In the security log, the failed logon events (Event ID 4625, "An account failed to log on") can help you detect Brute Force password cracking attempts.

• Account disablement will ensure that terminated users no longer have access to the network.
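The lockout and password-history settings above simulated in code, as an added example that is not from the original page. The policy defaults, account names, passwords and timestamps are made up, and SHA-256 stands in for a proper password hash (bcrypt/Argon2 in practice); the two demo functions show the brute-force mitigation and why history needs a minimum age to be effective.

```python
# Added example (not from the original page): Windows-style account lockout
# and password-history rules driven by a constructed sequence of attempts.
import hashlib
from datetime import datetime, timedelta


class AccountPolicy:
    def __init__(self, lockout_threshold=5, lockout_duration_min=30,
                 reset_counter_after_min=30, history_size=24, min_age_days=1):
        self.lockout_threshold = lockout_threshold
        self.lockout_duration_min = lockout_duration_min   # 0 = an administrator must unlock
        self.reset_counter_after_min = reset_counter_after_min
        self.history_size = history_size
        self.min_age_days = min_age_days


class Account:
    def __init__(self, name, password, policy, now):
        self.name, self.policy = name, policy
        self.history = []               # hashes of past passwords, newest last
        self.bad_count, self.last_bad, self.locked_until = 0, None, None
        self._set_password(password, now)

    @staticmethod
    def _h(pw):
        return hashlib.sha256(pw.encode()).hexdigest()   # stand-in, not a real password hash

    def _set_password(self, pw, now):
        self.history = (self.history + [self._h(pw)])[-self.policy.history_size:]
        self.last_change = now

    def logon(self, pw, now):
        p = self.policy
        if self.locked_until is not None:
            if now < self.locked_until:
                return False                              # still locked, even with the right password
            self.locked_until, self.bad_count = None, 0   # lockout duration elapsed
        elif self.last_bad and now - self.last_bad > timedelta(minutes=p.reset_counter_after_min):
            self.bad_count = 0                            # "Reset account lockout counter after"
        if self._h(pw) == self.history[-1]:
            self.bad_count = 0
            return True
        self.bad_count, self.last_bad = self.bad_count + 1, now
        if p.lockout_threshold and self.bad_count >= p.lockout_threshold:
            self.locked_until = (now + timedelta(minutes=p.lockout_duration_min)
                                 if p.lockout_duration_min else datetime.max)
        return False

    def change_password(self, old, new, now):
        if not self.logon(old, now):
            return "old password rejected"
        if now - self.last_change < timedelta(days=self.policy.min_age_days):
            return "minimum password age not met"
        if self._h(new) in self.history:
            return "password found in history"
        self._set_password(new, now)
        return "changed"


def brute_force_demo():
    # Five wrong guesses a second apart trip the threshold; the correct
    # password on the sixth try is refused because the account is locked.
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    acct = Account("alice", "Winter2024!", AccountPolicy(), t0)
    guesses = ["password", "123456", "Summer2023!", "alice", "letmein", "Winter2024!"]
    attempts = [acct.logon(g, t0 + timedelta(seconds=i)) for i, g in enumerate(guesses)]
    after_lockout = acct.logon("Winter2024!", t0 + timedelta(minutes=31))
    return attempts, after_lockout


def history_bypass_demo():
    # "Enforce password history" alone can be cycled through in seconds;
    # adding a minimum password age stops the cycling.
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    results = []
    for min_age in (0, 1):
        acct = Account("bob", "Start1!", AccountPolicy(history_size=3, min_age_days=min_age), t0)
        current = "Start1!"
        for tmp in ("tmp1!", "tmp2!", "tmp3!"):
            if acct.change_password(current, tmp, t0) == "changed":
                current = tmp
        results.append(acct.change_password(current, "Start1!", t0))
    return results
```

`brute_force_demo()` returns six rejections followed by a successful logon once the 30-minute lockout has expired; `history_bypass_demo()` returns `["changed", "minimum password age not met"]`, the first being the old password reinstated after three throwaway changes when no minimum age is set.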

What is single factor authentication quizlet?

Single factor authentication is where the user can obtain access to an account or service using one factor, such as a password.

What is single factor authentication?

Single-factor authentication (SFA) is the simplest form of authentication. With SFA, a person presents one credential to verify himself or herself online. The most common example is a password (credential) for a username.

What is multifactor authentication quizlet?

Multifactor authentication means that the user must provide two or more different types of authentication factors. A thumbprint is an example of biometrics. Username and password are an example of a domain logon. Single sign-on is not a factor at all; it is one authentication that lets the user reach multiple resources.

How multi

MFA adds an extra layer of security to such applications by requiring a one-time code in addition to the password: for example a time-based one-time password (TOTP) from an app such as Google Authenticator, or a code delivered by call or SMS (weaker, since SMS can be intercepted or SIM-swapped). Two-factor authentication is simply the two-factor case of MFA; MFA in general can require more factors. It can help an organization move toward zero-trust security for remote access.