Answers and explanations

  1. A password is most likely to be entered incorrectly; the user may forget the password or may have the caps lock set up incorrectly.
  2. When purchasing any device, you should change the default username and password as many of these are available on the internet and could be used to access your device.
  3. Password history is the number of passwords you can use before you can reuse your current password. Some third-party applications or systems may call this a Password Reuse list.
  4. Password history could be set up and combined with minimum password age. If I set the minimum password age to 1 day, a user could only change their password a maximum of once per day. This would prevent them from rotating their passwords to come back to the old password.
  5. A complex password uses three of the following: uppercase, lowercase, numbers, and special characters not used in programming.
  6. If I set up an account lockout with a low value such as three, the hacker needs to guess your password within three attempts or the account locks out, and this disables the user account.
  7. A smart card is multi-factor or dual factor as the card is something you have and the PIN is something you know.
  8. A password, PIN, and date of birth are all factors that you know, therefore it is single factor.
  9. Biometric authentication is where you use a part of your body or voice to authenticate, for example your iris, retina, palm, or fingerprint.
  10. Federated services are an authentication method that can be used by two third parties; this uses SAML and extended attributes such as employee or email address.
  11. Security Assertion Mark-up Language (SAML) is an XML-based authentication protocol used with federated services.
  12. Shibboleth is a small open source Federation Services protocol.
  13. Lightweight Directory Authentication Protocol (LDAP) is used to store objects in an X.500 format and search Active Directory objects such as users, printers, groups, or computers.
  14. A distinguished name in the ITU X.500 object format is: CN=Fred, OU=IT, CN=Company, DC=Com.
  1. Microsoft's Kerberos authentication protocol is the only one that uses tickets. It also uses time stamps and updated sequence numbers and is used to prevent replay attacks.
  2. Stratum 0 is the reference time source. Stratum 1 is set up internally to obtain time from the Stratum 0.
  3. A Ticket Granting Ticket (TGT) process is where a user logs into an Active Directory domain using Kerberos authentication.
  4. Single sign-on is where a user inserts their credentials only once and accesses different resources such as emails and files without needing to re-enter the credentials. Examples of this are Kerberos, Federated Services, and a smart card.
  5. Pass the hash attacks exploit older systems such as Microsoft NT4.0, which uses NT Lan Manager. You can prevent it by disabling NTLM.
  6. Open ID Connect is where you access a device or portal using your Facebook, Twitter, Google, or Hotmail credentials. The portal itself does not manage the account.
  7. The first AAA server is Microsoft RADIUS, using TCP Port 1812—it is seen as non-proprietary. The second is CISCO TACACS+ and uses TCP Port 49. Diameter is a more modern secure form of RADIUS.
  8. Accounting in an AAA server is where they log the details of when someone logs in and logs out; this can be used for billing purposes. Accounting is normally logged in a database such as SQL.
  9. A VPN solution creates a secure tunnel to connect from a remote location to your corporate network or vice versa. The most secure tunneling protocol is L2TP/IPSec.
  10. PAP authentication uses a password in clear text; this could be captured easily by a packet sniffer.
  11. An iris scanner is a physical device used for biometric authentication.
  12. Facial recognition could be affected by light or turning your head slightly to one side; some older facial recognition systems accept photographs. Microsoft Windows Hello is much better as it uses infrared and is not fooled by a photograph or affected by light.
  13. Type II in biometric authentication is Failure Acceptance Rate, where people that are not permitted to access your network are given access.
  14. A time-based one-time password has a short time limit of 30-60 seconds.
  1. HOTP is a one-time password that does not expire until it is used.
  2. A CAC is similar to a smart card as it uses certificates, but the CAC card is used by the military, has a picture, and the details of the user on the front and their blood group and Geneva convention category on the reverse side.
  3. IEEE 802.1x is port-based authentication that authenticates both users and devices.
  4. A service account is a type of administrative account that allows an application to have a higher level of privileges to run on a desktop or server. An example of this is using a service account to run an anti-virus application.
  5. A system administrator should have two accounts: a user account for day-to-day tasks and an administrative account for administrative tasks.
  6. When I purchase a baby monitor I should rename the default administrative account and change the default password to prevent someone from using it to hack my home.
  7. A privileged account is an account with administrative rights.
  8. When monitoring and auditing are carried out, the employee responsible cannot be traced if more than one person shares an account. Shared accounts should be eliminated for monitoring and auditing purposes.
  9. Default accounts and passwords for devices and software can be found on the internet and used to hack your network or home devices. Ovens, TVs, baby monitors, and refrigerators are examples.
  10. The system administrator is using a standard naming convention.
  11. When John Smith leaves the company, you need to disable his account and reset the password. Deleting the account will prevent access to data he used.
  12. Account recertification is an audit of user accounts and permissions usually carried out by an auditor; this could also be known as user account reviews.
  13. A user account review ensures that old accounts have been deleted and that all current users have the appropriate access to resources and not a higher level of privilege.
  14. A SIEM system can carry out active monitoring and notify the administrators of any changes to user accounts or logs.
  15. Following an audit, either change management or a new policy will be put in place to rectify any area not conforming to company policy.
  16. The contractor's account should have an expiry date equal to the last day of the contract.
  17. Rule-based access should be adopted so that the contractors can access the company network 9 a.m.-5 p.m. daily.
  18. Time and day restrictions should be set up against each individual's user account equal to their shift pattern.
  19. Account Lockout with a low value will prevent brute-force attacks.
  20. Create a group called IT apprentices, then add the apprentices' accounts to the group. Give the group read access to the IT data.
  21. The credential manager can be used to store generic and Windows 10 accounts. The user therefore does not have to remember them.
  22. The company should have disabled the account. A user account review needs to be carried out to find accounts in a similar situation.