________ takes place when you are presenting credentials to a system to indicate exactly who
you are with respect to the system
ANSWER Identification
_______, also called authenticators, are the pieces of information you present to the system to
assert your identity
ANSWER Credentials
_______ is the process of verifying that the credentials presented are valid and that they do
indeed belong to a user authorized to access the system.
ANSWER Authentication
The credentials are validated against a database of user credentials, and if those credentials
match, the user is allowed to access the system and is said to be ______________.
ANSWER authenticated
______________ covers the rights, permissions, and privileges that a user has only after he has
been successfully authenticated to a system
ANSWER Authorization
What are the authentication factors?
ANSWER 1) Something You Know
2) Something You Have
3) Something You Are
4) Something You Do
5) Somewhere You Are
What is the most common example of multifactor authentication?
ANSWER The use of smart cards and PIN combinations
What is a false rejection rate?
ANSWER - also known as a type I error.
- relates to the error caused from rejecting someone who is in fact an authorized user and
should be authenticated in a biometric system
What is a false acceptance rate?
ANSWER - type II error
- indicates the level of errors that the system may generate indicating that unauthorized users
are actually identified and authenticated as valid users in a biometric system
crossover error rate
ANSWER the point at which the system must be tuned to reduce both types of errors
effectively without increasing either one of them
transitive trust
ANSWER A transitive trust usually means that the organization trusts another entity simply
because they are trusted by someone else that the organization trusts
federated system
ANSWER A federated system involves the use of a common authentication system and
credentials database that multiple entities use and share.
This ensures that a user's credentials in Company A would be acceptable in Company B and
Company C, and only access permissions would be the determining factor in accessing systems
and data.
Windows Active Directory is a good example of a federated system in practice; user credentials
from different domains could be used in other domains if they are all part of the same Active
Directory forest.
Authorization
ANSWER - the process of determining who gets what type of access to systems and data
- part of an access control policy, which relates to how the organization determines who gets
access to what systems and data based upon the sensitivity of those systems and data
access control policy
ANSWER - dictates how an organization handles its authorization processes
- Data sensitivity policies also dictate authorization
- organization's stance on the principle of least privilege, how duties are separated and divided
among key personnel
principle of least privilege
ANSWER - granting only the level of access someone needs to do her job, and no more than
that
- a person should get the minimum access to systems and data required to complete her daily
duties
- applies not only to being able to view and interact with data; it also applies to actions users
can take with respect to the system and the network
separation of duties
ANSWER - involves dividing up critical or security-related tasks and responsibilities among
two or more individuals, rather than allowing one individual to perform an excessive number of
powerful tasks
- When implemented, critical or security-related tasks can't all be performed by one individual
without checks and balances from other individuals