I’m Dr. Michael Mann and tonight's review session is on authentication controls. 3 00:00:31.740 --> 00:00:38.280 This is, of course, in preparation for the Security+ Industry Certification Exam. I am using 4 00:00:38.280 --> 00:00:46.380 questions from the Virginia Cyber Range and we'll go ahead and get started with the first question. 5 00:00:53.640 --> 00:01:02.940 What does AAA refer to when concerning enforcing security policies? 6 00:01:04.620 --> 00:01:08.580 Let's take some responses. What do you think? 7 00:01:09.960 --> 00:01:14.940 One, two, three or four? 8 00:01:19.380 --> 00:01:28.680 If you're not sure is there something that you can see to eliminate fairly quickly. 9 00:01:33.420 --> 00:01:39.900 The last option? And what makes you want to eliminate that? 10 00:01:42.780 --> 00:01:45.060 I agree with you by the way. 11 00:01:48.180 --> 00:01:52.500 The rest of the options kind of make sense but the last option has something extra in there 12 00:01:52.500 --> 00:01:57.900 that doesn't really go with cybersecurity as far as I'm aware. Sure amelioration yeah. 13 00:01:57.900 --> 00:02:07.380 That’s not exactly par for the course for cybersecurity technical language 14 00:02:08.820 --> 00:02:14.520 and it's not like we're interested in ameliorating anything when we're talking 15 00:02:14.520 --> 00:02:20.100 about AAA. Is there another choice that doesn't look right? 16 00:02:23.460 --> 00:02:32.220 So the third choice - starting with access - it's close, closer than the choice number 17 00:02:32.220 --> 00:02:39.840 four that has the term amelioration in it. But really when we're talking about AAA 18 00:02:41.640 --> 00:02:48.180 we're talking about one of the first two choices. So which one is it? 19 00:02:55.200 --> 00:03:00.420 Is it the first choice? The second choice? 
The second choice, 20 00:03:01.260 --> 00:03:09.360 so “Authentication, authorization, and accounting.” Now, what's the 21 00:03:09.360 --> 00:03:17.580 difference between the two choices? One and two? And it really is just the order in which 22 00:03:18.180 --> 00:03:28.500 the terms are presented. However, is there anything that is important about the order of the terms? 23 00:03:29.100 --> 00:03:37.680 What do you think? Is it like the steps you have to take, the steps have to go a 24 00:03:37.680 --> 00:03:45.900 specific order? Yes, that is correct. First, you are authenticated 25 00:03:46.860 --> 00:03:55.860 before accessing a resource. Then, based upon your credentials, you are authorized to access certain 26 00:03:55.860 --> 00:04:02.940 resources and then, finally, the accounting part keeps track of basically what you've been doing. 27 00:04:03.600 --> 00:04:11.520 So “Authentication, authorization, and accounting” are the correct answers for this question. 28 00:04:13.140 --> 00:04:20.100 This is it's a little tricky because you look at the first two choices and right and you're in 29 00:04:20.100 --> 00:04:27.360 the exam and you're like well you know they're all the same, both saying the same thing, but the 30 00:04:27.360 --> 00:04:37.140 order for this question - the order of the answers - is important. Let's move on to the next one. 31 00:04:46.920 --> 00:04:56.340 Which of the following is the best example of conditional access control? 
32 00:04:57.840 --> 00:05:03.000 Choices one through four: A government employee is only allowed to access 33 00:05:03.000 --> 00:05:09.300 information that their security clearance allows them to access; or 34 00:05:10.200 --> 00:05:16.320 A user is given access to a certain level of sensitive files based on the project they have 35 00:05:16.320 --> 00:05:24.660 been assigned to; choice three - An individual who created a document gives access to their friend 36 00:05:24.660 --> 00:05:32.400 for peer review; or choice four - A subject's account approval is evaluated based on your current 37 00:05:32.400 --> 00:05:42.240 operating system? What do you think? Number two sounds like a viable answer. Number two is a viable 38 00:05:42.240 --> 00:05:52.620 answer and in fact it is the correct answer. Yay! Very well done and what about choice number one? 39 00:05:55.560 --> 00:05:58.320 does that look like conditional access control? 40 00:06:03.480 --> 00:06:08.640 No it doesn’t; it's more closely related to mandatory access control 41 00:06:10.140 --> 00:06:16.860 and three is more closely related to discretionary access control 42 00:06:18.480 --> 00:06:26.460 and finally the fourth one is more closely resembling rule-based access control so 43 00:06:26.460 --> 00:06:34.140 knowledge of control models is important for dealing with this type of question. So our 44 00:06:34.140 --> 00:06:41.340 correct answer here is choice number two, “A user is given access to a certain level of sensitive files 45 00:06:41.340 --> 00:06:49.740 based on the project they have been assigned to.” Let's move on to the next question. 46 00:06:56.640 --> 00:06:58.800 This question involves dynamic code. 47 00:06:59.820 --> 00:07:06.120 After entering your username and password in the login screen for your cloud account, you click 48 00:07:06.120 --> 00:07:13.080 submit and then a special code that changes every minute is created for you to authenticate yourself. 
49 00:07:14.580 --> 00:07:28.620 What security measure is deploying this dynamic code? Is it TGT, TOTP, SMS or Certificate Authority? 50 00:07:39.480 --> 00:07:46.140 It helps to know what the acronyms stand for the exam is and the course 51 00:07:46.140 --> 00:07:53.400 as you probably know already is big on acronyms. So does anyone know what TGT is? 52 00:07:58.740 --> 00:08:06.300 No? Okay Ticket Granting Ticket. TGT are files created by the key 53 00:08:06.300 --> 00:08:10.200 distribution center portion of Kerberos Authentication. 54 00:08:12.360 --> 00:08:14.220 What about TOTP? 55 00:08:16.140 --> 00:08:17.700 Does anyone know what that one is? 56 00:08:25.620 --> 00:08:34.920 TOTP - Time-based One-Time Passwords and it's a common form of two-factor authentication 57 00:08:36.000 --> 00:08:42.120 and SMS - obviously Short Message Service - and Certificate Authority. So, what do you guys think? 58 00:08:43.440 --> 00:08:46.140 Choice number one, two, three, or four? 59 00:08:54.300 --> 00:08:58.440 I know it's not number three because it doesn't get sent to the phone so maybe number 60 00:08:58.440 --> 00:09:10.560 two? Number two is the correct answer. Awesome. This is a time-based one-time password. 61 00:09:11.400 --> 00:09:18.240 Questions about that or does everybody understand applying based one-time password? 62 00:09:23.640 --> 00:09:27.300 So where would the first one be sent to? The 63 00:09:28.140 --> 00:09:34.380 TGT? Like where would that pop up? 64 00:09:35.160 --> 00:09:44.340 It's a created file that would be used and not necessarily sent to a user 65 00:09:47.100 --> 00:09:53.640 in the same way that a time-based one-time password would be. Oh, okay. 66 00:09:55.680 --> 00:09:59.400 Let's move on to the next question. 67 00:10:04.020 --> 00:10:06.900 Multi-factor authentication: 68 00:10:08.040 --> 00:10:13.800 Which of the following terms most closely relates to multi-factor authentication? 
69 00:10:16.020 --> 00:10:24.000 Your choices are: Token key; SSO; PAP; or HSM. They really love their acronyms, don't they? 70 00:10:28.200 --> 00:10:40.200 You mind saying what the acronyms are? Sure, let’s start with first one listed, SSO. Now this 71 00:10:40.200 --> 00:10:48.600 one's pretty widely used. Does anybody know what this is? A single sign-on? Absolutely it is Single 72 00:10:48.600 --> 00:10:58.440 Sign-On and is not involved with multi-factor authentication. How about PAP? 73 00:11:03.180 --> 00:11:14.640 PAP is is Password Authentication Protocol and again not related to multi-factor 74 00:11:14.640 --> 00:11:25.680 authentication in networking you may have come across this as a point-to-point protocol 75 00:11:25.680 --> 00:11:33.240 used between two routers to authenticate but it's generally considered fairly weak. It sends 76 00:11:33.240 --> 00:11:44.280 passwords in plain text and in that context it's typically not used but instead, Challenge 77 00:11:44.280 --> 00:11:53.340 Handshake Authentication Protocol is used in its place. HSM - anybody know what that one is? 78 00:11:57.420 --> 00:12:02.880 So HSM stands for Hardware Security Module 79 00:12:03.480 --> 00:12:10.800 and this is a hardware card that contains a cryptoprocessor and is used at the hardware level. 80 00:12:12.000 --> 00:12:19.800 So just from knowing the definitions of these acronyms it's pretty clear that what's left 81 00:12:19.800 --> 00:12:26.640 is Token key and that is most closely related to multi-factor authentication. 82 00:12:27.600 --> 00:12:34.620 So that's our correct answer for this question and we'll move on to the next one. 83 00:12:45.540 --> 00:12:49.980 Okay, Security Assertion Markup Language 84 00:12:51.300 --> 00:12:57.420 or SAML tokens possess what kind of data after being granted access? 85 00:12:58.920 --> 00:13:04.380 Does anyone think Biometric? 86 00:13:07.980 --> 00:13:15.900 No. No, absolutely not biometric. And PKC data? 
87 00:13:19.380 --> 00:13:26.520 Okay, so there's it's not involved with Public Key Chain plain text. 88 00:13:33.300 --> 00:13:37.860 So this is SAML tokens we’re talking about. 89 00:13:39.660 --> 00:13:46.500 Does it make sense that these tokens might have plain text data. 90 00:13:50.640 --> 00:13:54.180 What do you think? Is that a good choice? 91 00:13:56.880 --> 00:14:04.800 No? No, it is not. So our answer for this question is claim data. 92 00:14:06.600 --> 00:14:17.160 So SAML or SAML token encrypted claim data and that's the answer we're looking here. 93 00:14:21.240 --> 00:14:27.180 So the next question involving SSH public and private keys: 94 00:14:27.180 --> 00:14:35.880 Your organization's network administrator is configuring the Linux server’s 95 00:14:36.660 --> 00:14:42.420 SSH Authentication to allow key-based authentication. 96 00:14:43.920 --> 00:14:56.640 This setup requires that the private key is ___ and the public key is ___. Okay, so what is SSH? 97 00:15:02.220 --> 00:15:03.660 Okay nobody got this? 98 00:15:05.700 --> 00:15:07.500 All right, Secure Shell? 99 00:15:10.320 --> 00:15:15.000 So we're talking about private keys and public keys. Your choices are: 100 00:15:15.840 --> 00:15:22.320 The private key is kept with the user; and the public key is kept with the user. 101 00:15:23.220 --> 00:15:31.500 or The private key is kept with the Linux host and the public key is kept with the Linux host; 102 00:15:32.640 --> 00:15:40.200 or The private key is kept with the user and the public key is kept with the Linux server; 103 00:15:41.460 --> 00:15:49.260 or, finally, the private key is kept with the Linux host and the public key is kept with the user? 104 00:15:52.080 --> 00:16:00.120 What do you think is the correct answer? Is it the third option? The third option - so the private 105 00:16:00.120 --> 00:16:09.480 key is kept with the user and the public key is kept with the Linux server and that is correct. 
So 106 00:16:10.920 --> 00:16:19.260 probably the easiest way to remember this is that private keys are always kept with the user. 107 00:16:20.340 --> 00:16:23.100 And so the public key is not. 108 00:16:25.740 --> 00:16:32.820 Knowing that of course narrows your answer choices down. 109 00:16:35.160 --> 00:16:47.340 The second choice then is easily eliminated because a private key would not be kept on the 110 00:16:47.340 --> 00:16:57.660 Linux host and neither would the fourth choice be a viable choice as well. 111 00:17:01.860 --> 00:17:03.480 Okay let's move on to the next question. 112 00:17:07.740 --> 00:17:18.720 The ___ model is used to allocate labels to objects and subjects for access control clearances. 113 00:17:20.580 --> 00:17:32.940 So, clearly uh the question involves understanding the acronyms listed again. 114 00:17:33.720 --> 00:17:41.640 Let’s start with that; how about the first one DAC. 115 00:17:45.360 --> 00:17:46.980 Does anybody remember this one? 116 00:17:50.700 --> 00:18:02.340 Okay so this is Discretionary Access Control. How about RBAC? Is that Rule-Based Access 117 00:18:02.340 --> 00:18:09.780 Control? It's confusing; it could be rule-based; could also be something else. 118 00:18:13.020 --> 00:18:14.340 Anybody know what the other 119 00:18:16.740 --> 00:18:17.340 thing is? 120 00:18:20.520 --> 00:18:36.660 So, yes, we have rules, we have discretionary, we also have role-based access. And how about and how about ABAC? 121 00:18:40.140 --> 00:18:47.940 Attribute Based Access Control? Yes, Attribute Based Access Control. 122 00:18:49.500 --> 00:18:57.960 So clearly you need to know something about these different models 123 00:18:58.980 --> 00:19:01.560 to be able to negotiate this type of question. 
124 00:19:03.780 --> 00:19:16.380 DAC or discretionary Access Control involves granting access by using some type of access 125 00:19:16.380 --> 00:19:27.600 control list okay and I'm saying that in a very general sense although conceptually 126 00:19:28.320 --> 00:19:37.680 Access Control List or ACLs you may have heard of or come across using them in the sense of 127 00:19:38.220 --> 00:19:48.120 firewall rules or perhaps even access control configured on a router or a switch. 128 00:19:49.200 --> 00:19:58.620 And the idea is kind of the same; we aren't really or we aren't necessarily talking about 129 00:19:59.700 --> 00:20:08.160 ACL’s on a firewall or a router in this question. The question is talking about allocating labels 130 00:20:08.160 --> 00:20:18.780 to objects and subjects. Now if it hadn't said subjects then I would say that 131 00:20:18.780 --> 00:20:24.900 could be it could be talking about network appliances. But when you see the term subjects 132 00:20:27.120 --> 00:20:28.140 what comes to mind? 133 00:20:32.040 --> 00:20:40.080 Like people? Yes, absolutely, like people so that gives us some contextual information 134 00:20:41.100 --> 00:20:47.940 about the question and the answer choices and would also lead me to think that in the second 135 00:20:47.940 --> 00:20:58.860 choice RBAC is referring to role based instead of rule based now we go back to discretionary 136 00:21:00.180 --> 00:21:09.060 and as I said access has granted using some type of access control list in the general sense of 137 00:21:09.060 --> 00:21:15.420 the term and we've already spoken about how on a network appliance you can say for example on 138 00:21:15.420 --> 00:21:26.820 a router set up access control list to control traffic flows and by the same token so to speak 139 00:21:28.080 --> 00:21:38.760 users and groups can be granted access to a file for example based on file permissions. 
140 00:21:39.480 --> 00:21:49.980 So the concept of the access control list applies sort of in both domains network appliances 141 00:21:49.980 --> 00:22:00.120 and also people so now the question is is the description in the question allocating labels 142 00:22:00.120 --> 00:22:08.820 to objects and subjects for access control? Is that a type of discretionary access control model? 143 00:22:09.840 --> 00:22:11.880 So what do you think, yes or no? 144 00:22:14.640 --> 00:22:16.380 You have a 50/50 chance. 145 00:22:19.740 --> 00:22:24.720 Anybody want to take a guess? I don't know but I'll just say 146 00:22:24.720 --> 00:22:32.640 yes. The answer is no; it is not discretionary. Good guess, though. 147 00:22:34.800 --> 00:22:37.380 What about role-based access control? 148 00:22:43.080 --> 00:22:45.960 Does that sound like it could possibly be right? 149 00:22:52.740 --> 00:23:01.200 I think role-based could be right. You think it's right? I think so. You do, okay, any particular 150 00:23:01.200 --> 00:23:09.120 reason? Because people could have roles. Sure. That’s the kind of connection I'm making. 151 00:23:09.660 --> 00:23:18.060 Okay and role-based is a type of non-discretionary access control. 152 00:23:19.800 --> 00:23:24.960 Some of the characteristics and it takes a real world approach to structuring access control 153 00:23:25.740 --> 00:23:34.740 and as it sounds it's based on a user's job function within the organization. 154 00:23:36.660 --> 00:23:48.600 But that doesn't necessarily mean that this model allocates labels so it's not role-based. 155 00:23:50.280 --> 00:23:53.340 What about Attribute-Based Access Control? 156 00:23:55.680 --> 00:24:02.460 I think it's this one okay because it's attributes and it's saying labels. 157 00:24:03.360 --> 00:24:11.760 So you're saying the labels that are allocated are attributes. 
Yeah they could be 158 00:24:12.960 --> 00:24:21.900 so and and I can see why that could be an appealing answer in fact I might even call this 159 00:24:22.980 --> 00:24:32.460 a misdirector. This is not the correct answer. Attributes are often pre-existing 160 00:24:33.600 --> 00:24:41.220 and not handed out necessarily on the fly which is sort of the implication in this question. 161 00:24:43.200 --> 00:24:49.320 So in ABAC - Attribute-Based Access Control . 162 00:24:50.160 --> 00:24:55.260 evaluates the attributes or what we could think of as characteristics 163 00:24:56.880 --> 00:25:06.840 rather than roles to determine access. So the purpose for doing this is to protect 164 00:25:06.840 --> 00:25:15.240 objects such as data or network devices and other IT resources from unauthorized users and actions. 165 00:25:16.020 --> 00:25:23.580 In other words, if you don't have an approved characteristic as defined by the organization's 166 00:25:23.580 --> 00:25:33.300 security policies then you don't get access so we're left with Mandatory Access Control 167 00:25:34.620 --> 00:25:48.600 and so this is where the the allocation of labels comes into play and again knowing 168 00:25:48.600 --> 00:25:56.160 the different models, you kind of go through and use the process of elimination 169 00:25:57.600 --> 00:26:08.700 to negotiate this type of question. Once again, think it's important to point out that 170 00:26:08.700 --> 00:26:19.980 acronyms are a large component of this topic not just this topic but of the industry 171 00:26:19.980 --> 00:26:28.800 certification exam and it really is important to know them. 
Often I get questions about 172 00:26:28.800 --> 00:26:38.940 you know how to deal with so many not just pieces of of knowledge-based information that 173 00:26:38.940 --> 00:26:45.300 is as opposed to something that is performance oriented but rather something that is more 174 00:26:46.200 --> 00:26:54.180 straight-up knowledge based but also compounded by the fact that there are acronyms and 175 00:26:54.780 --> 00:27:03.180 you know the response is that in the first place you you have to know the acronyms. In 176 00:27:03.180 --> 00:27:12.600 my conversations with students over the years and even for my own purposes because if 177 00:27:12.600 --> 00:27:19.320 I take an industry certification exam I have to deal with the same thing you do. I’m not immune to 178 00:27:20.580 --> 00:27:31.080 the design of the test makers. I see the same exams you do and for me doing 179 00:27:31.080 --> 00:27:39.540 something with the information and it could be something as simple as creating PowerPoints 180 00:27:41.700 --> 00:27:50.460 is helpful because it allows me to do something to create something, to create something, some information product 181 00:27:50.460 --> 00:27:59.160 using the terms or the acronyms and of course when you're doing this you're going to keep the acronym 182 00:27:59.160 --> 00:28:07.440 and then spell it out so you understand what the meaning is. And this this type of work I've always found 183 00:28:07.440 --> 00:28:15.240 useful and if you really want to sort of take it to the next level, especially when it comes 184 00:28:15.240 --> 00:28:26.220 to creating PowerPoints, you can get Jeopardy-style templates that are pre-made and download 185 00:28:26.220 --> 00:28:31.140 them and use them in PowerPoint and then all you have to do is fill in the content information. 
186 00:28:32.160 --> 00:28:38.160 So there are two things there that can help you the act of actually doing the work to create 187 00:28:38.160 --> 00:28:48.120 the study tool is very helpful and then of course using it over and over again to help 188 00:28:48.120 --> 00:28:55.740 with your learning and your studies and when you do this kind of work it really helps you to sort 189 00:28:55.740 --> 00:29:04.380 of internalize the information and once you've done that you'll find that recognizing 190 00:29:04.380 --> 00:29:12.360 and understanding and knowing the acronyms becomes a lot easier. So let's move on 191 00:29:20.640 --> 00:29:31.380 So in this question we're talking again about Attribute-Based Access Control and Role-Based. 192 00:29:31.380 --> 00:29:38.940 The question states, Which comparison between Attribute-Based and Role-Based Access Control 193 00:29:39.780 --> 00:29:45.420 is a true statement? Your choices are: 194 00:29:47.400 --> 00:29:55.800 The ABAC configuration covers more broad access controls whereas RBAC controls 195 00:29:56.460 --> 00:29:59.820 access on a more detailed level; 196 00:30:01.860 --> 00:30:10.920 or number two “The ABAC does not include roles in the access control criteria because that is 197 00:30:10.920 --> 00:30:19.860 what the RBAC is for”; number three “The ABAC is the most fine-grained type of Access Control 198 00:30:20.820 --> 00:30:30.660 whereas RBAC is not as precise” or, finally, “The RBAC and the ABAC 199 00:30:30.660 --> 00:30:36.600 are on the same level of access controls but they just look at two different parts.” 200 00:30:38.460 --> 00:30:42.540 Okay so what do you think for this question? 201 00:30:46.620 --> 00:30:52.800 Do you see anything that could easily be eliminated? 202 00:30:56.400 --> 00:30:59.160 Let's take a look at the second answer. 
203 00:31:01.620 --> 00:31:07.440 It states that ABAC does not include roles 204 00:31:07.980 --> 00:31:14.520 in the access control criteria because that is what role-based is for. 205 00:31:15.780 --> 00:31:26.400 Okay so that's not a true statement; attribute-based does include information about roles than it 206 00:31:26.400 --> 00:31:35.580 has to because the subject is the user requesting access to a resource to perform an action. 207 00:31:36.540 --> 00:31:43.800 So that helps us you know with eliminating the second choice. 208 00:31:46.980 --> 00:31:54.900 Now if you understand that and you look at the fourth choice role-based and attribute based on 209 00:31:54.900 --> 00:32:04.140 the same level and they really can't be because attribute-based includes role-based information 210 00:32:05.760 --> 00:32:14.460 so then that knocks out the fourth choice and that leads us with number one or number three. 211 00:32:17.100 --> 00:32:25.320 Would it be the first one? No, it would actually be the third and if you 212 00:32:25.860 --> 00:32:33.180 think about it obviously you have to study this and prepare for it but 213 00:32:34.020 --> 00:32:45.360 when we talk about attributes in attributes of something - the subject, an object - 214 00:32:47.760 --> 00:32:56.340 the first answer states that attribute-based covers more broad access controls 215 00:32:56.940 --> 00:33:03.000 and the third answer states that attribute-based is the most fine-grained or what we 216 00:33:03.000 --> 00:33:08.520 would call a granular, has a high level of granularity or type of access control 217 00:33:09.300 --> 00:33:14.340 and that is true and in fact that is the correct answer. 
218 00:33:15.900 --> 00:33:28.320 Attributes or characteristics make up something larger so attribute-based control 219 00:33:29.340 --> 00:33:38.160 is appropriately named and that answer choice would stand out if you were just trying to look 220 00:33:38.160 --> 00:33:44.040 at this on the basis of elimination based upon what you know and we often use this technique 221 00:33:45.180 --> 00:33:55.080 that becomes the clear choice so it's not a more broad focus it is a granular focus. 222 00:33:57.420 --> 00:33:58.080 All right. 223 00:34:02.820 --> 00:34:10.200 Okay, Describing MFA and MFA is what? 224 00:34:12.060 --> 00:34:18.480 Multi-Factor Identification. Yes, so that was pretty quick; 225 00:34:19.740 --> 00:34:25.440 how were you able to come up with that so quickly? I just kind of memorized it 226 00:34:25.440 --> 00:34:31.020 I've heard it thousands of times. You've heard it thousands of times thank you you've probably used 227 00:34:31.020 --> 00:34:37.080 it thousands of times as well. Do you see what I'm saying or what I'm getting at with these acronyms? 228 00:34:37.620 --> 00:34:43.380 So most people understand very well what multi-factor authentication is and 229 00:34:43.920 --> 00:34:50.220 you know we use it all the time right. We have to use it to get into my portal to 230 00:34:50.220 --> 00:35:00.840 get access to things like Canvas or SIS. So it just adds more credence to the point that 231 00:35:00.840 --> 00:35:10.500 the more you use something the easier it is to recognize it and recall it and deal with it. Okay, 232 00:35:12.660 --> 00:35:21.060 When signing into an account you are told to enter a PIN and the last four digits of 233 00:35:21.060 --> 00:35:28.860 your Social Security number to be authenticated. Does this describe multi-factor Authentication? 234 00:35:30.420 --> 00:35:38.160 Not to put too fine a point on it but what is a PIN? What does that acronym stand for? 
235 00:35:40.560 --> 00:35:44.340 Is it Personal Identification Number? Yes. 236 00:35:46.620 --> 00:35:52.680 Now this is kind of by the way the sort of opposite end of what I've been saying about 237 00:35:52.680 --> 00:36:02.520 acronyms. You can find those that you use so often that you stop thinking about what they mean or 238 00:36:02.520 --> 00:36:09.660 what they're what they stand for with the letter stand for and if that goes on long enough you can 239 00:36:09.660 --> 00:36:18.180 actually forget. Just an interesting point. So we're signing into an account, we enter a pin, we 240 00:36:18.180 --> 00:36:25.500 enter the last four digits of our Social Security Number - Is that multi-factor authentication? 241 00:36:26.820 --> 00:36:34.740 Yes, because it is requiring the user to present at least two different credentials 242 00:36:36.240 --> 00:36:44.520 or no because it is not requiring the user to present more than more than two different 243 00:36:44.520 --> 00:36:53.040 credentials or is it yes because it is adding a layer of protection to the authentication? 244 00:36:54.120 --> 00:37:01.440 Or choice number four, no, because it is not using a combination of different authentication types? 245 00:37:02.880 --> 00:37:04.920 What do you think? 246 00:37:10.320 --> 00:37:16.020 Yes, first one. Okay, the first one. The first one okay; anybody else? 247 00:37:30.660 --> 00:37:36.840 Morgan? I agree with her choice I think that's right. I'm sorry, I was just reading it 248 00:37:36.840 --> 00:37:45.060 before I said something. That’s okay, so you think it’s the first one? Yessir, I agree that it's an 249 00:37:45.060 --> 00:37:51.300 example but then I've never - the only time I ever think of multi-factor authentication is 250 00:37:51.300 --> 00:38:01.440 like getting a text or an email or something. Okay. So I’m so I'm going back and forth. 
251 00:38:02.580 --> 00:38:11.280 So let me throw out a few phrases for you to consider: Something you are; 252 00:38:14.880 --> 00:38:16.860 something you have; 253 00:38:19.740 --> 00:38:23.340 or something you know. Does that help? 254 00:38:24.420 --> 00:38:31.980 What do we think now? Is it choice number one, two, three, or four? 255 00:38:36.420 --> 00:38:42.900 And remember: something you are; something you have; something you know. 256 00:38:49.440 --> 00:38:52.500 So in the question you're told that you're entering a PIN 257 00:38:53.400 --> 00:38:57.300 and the last four digits of your Social Security number. 258 00:38:59.880 --> 00:39:01.020 Given that information, 259 00:39:03.720 --> 00:39:11.040 is this answer going to be a yes or a no in terms of multi-factor authentication? 260 00:39:13.200 --> 00:39:19.800 I still say yes. Okay so we've got one vote for yes Yeah I think yes as well. 261 00:39:21.360 --> 00:39:30.960 Which is probably not the reaction. Well this is the fun part right we get to talk about it. 262 00:39:31.980 --> 00:39:37.440 Okay so Morgan did you have a comment? Yeah, I'm confused now. I've been confused. I'm 263 00:39:37.440 --> 00:39:44.280 not gonna lie. So for multi-factor, does it have to like Seth said on like 264 00:39:44.280 --> 00:39:49.080 text and emails? Does it have to go to something else or is it okay that you 265 00:39:49.080 --> 00:39:56.580 enter it all like on the same device? Like the same portal like at the same time? 266 00:39:57.300 --> 00:40:09.540 Okay so it is less dependent on things like the media or devices and it's much more dependent on 267 00:40:10.140 --> 00:40:18.960 is this, are they giving you something you are, something you have, or something you know? 268 00:40:18.960 --> 00:40:25.320 Let's talk about a PIN and we've all come across this in various applications. 
269 00:40:25.920 --> 00:40:32.940 Probably one of the more obvious is uh I don't know, a credit card pin number or perhaps a debit 270 00:40:32.940 --> 00:40:40.440 card and number and so which category would a PIN number fall into. Is it something you are, 271 00:40:41.400 --> 00:40:47.520 is it something you have, or is it something you know? Something you have? Okay, 272 00:40:50.580 --> 00:40:56.460 So Seth? Well I've got something you know actually, I'm sorry, okay, I feel like it's a 273 00:40:56.460 --> 00:41:02.580 little bit of both because you have it and you know. Okay, I'm guessing. I think it is no. 274 00:41:03.660 --> 00:41:12.000 Let's start with that determining which it is because I think 275 00:41:12.000 --> 00:41:19.140 it's pretty clear it's not something that we are, but the confusion seems to be around 276 00:41:19.140 --> 00:41:25.860 is it something you have or is it something you know? And you know if you think about it from the 277 00:41:25.860 --> 00:41:33.960 point of view if you when I say pin number if you see your debit card right that kind of makes you 278 00:41:33.960 --> 00:41:46.800 think in your mind that it's something you have okay but you have the credit card. The PIN 279 00:41:47.400 --> 00:41:55.920 is knowledge that you've created in other words I mean most often we choose our own maybe not 280 00:41:55.920 --> 00:42:02.100 initially right if it has to have something they might you know the organization might give 281 00:42:02.100 --> 00:42:07.800 you your PIN and go here and remember to change this but a PIN is really something we know 282 00:42:09.420 --> 00:42:17.460 So is it only something we have if it's tangible yeah okay. 283 00:42:21.240 --> 00:42:24.960 So your Social Security card or your social security number isn't something you have; that’s 284 00:42:25.860 --> 00:42:27.660 something you know? So that's correct 285 00:42:29.940 --> 00:42:36.420 because they're both knowledge-based items. 
So then the answer is no, 286 00:42:37.620 --> 00:42:44.280 right? too different? So it's easy to understand that it's not something you are 287 00:42:46.500 --> 00:42:51.000 the difference again is between have and something you know. 288 00:42:54.720 --> 00:43:04.560 So these are both something you know so what do you think the correct answer is at this point? 289 00:43:07.080 --> 00:43:14.040 The second one? The second choice says no because it is not requiring the user 290 00:43:14.040 --> 00:43:23.040 to present more than two different credentials. Well multi-factor really means two or more. 291 00:43:26.400 --> 00:43:31.260 But wouldn't it be the last one because it's authentic authentication. Yeah that's correct. 292 00:43:31.260 --> 00:43:38.220 I just re-read that I'm so sorry. No, that's fine, that's fine so that's the real problem 293 00:43:38.220 --> 00:43:44.160 here. It’s not multi-factor because you're not using different authentication types 294 00:43:44.160 --> 00:43:49.320 They're both the same and they have to be different to be multi-factor. 295 00:43:50.100 --> 00:43:53.760 All right let's move on. 296 00:43:57.300 --> 00:44:04.380 This question involves geotagging. Which of the following is the best example of geotagging? 297 00:44:05.160 --> 00:44:15.420 Number one - A user takes a photo that gets GPS coordinates embedded into it; number two, Someone 298 00:44:15.420 --> 00:44:22.860 can locate a person's location in real time by tracking the coordinates of their mobile device; 299 00:44:23.640 --> 00:44:30.720 or number three, A device that can report its location very accurately while outdoors; 300 00:44:31.440 --> 00:44:39.360 or number four, A storefront that can send push notifications when you are driving past it. 301 00:44:39.360 --> 00:44:48.300 Which of those choices is geotagging. The first one? The first one. Okay anybody else? 302 00:44:53.160 --> 00:45:00.720 Okay so yeah Seth you're correct; it is the first name. 
What is the second one an example of? 303 00:45:11.640 --> 00:45:22.620 Okay so the term we would use for the second one is geolocating. First one’s 304 00:45:22.620 --> 00:45:28.020 geotagging; second one is geolocating. What about the third one? This is pretty common. 305 00:45:31.920 --> 00:45:38.880 You're out taking a long hike or trip through the wilderness 306 00:45:40.020 --> 00:45:41.820 it's a good idea to have one of these. 307 00:45:43.200 --> 00:45:52.860 GPS? Yes this is describing Global Positioning System because a device that can report 308 00:45:52.860 --> 00:45:58.680 its location accurately outdoors is a global positioning device. And how about the fourth one? 309 00:46:06.540 --> 00:46:17.100 The term here that the fourth description is um is for is called Geotargeting. 310 00:46:17.820 --> 00:46:32.340 So geotagging, geolocation, global positioning and geotargeting. Let's move on. 311 00:46:41.160 --> 00:46:49.680 On Premises to Cloud: Companies are starting to shift from using on-premises authorization solutions 312 00:46:50.880 --> 00:47:02.100 to public cloud provider auth services solutions. How might the change in processes be depicted? 313 00:47:03.780 --> 00:47:09.600 Your first choice, A company's network that was open to partners, suppliers, 314 00:47:09.600 --> 00:47:15.060 and customers is now open to a well-defined group of employees; 315 00:47:16.680 --> 00:47:24.840 or the administration of accounts and devices change from being decentralized to centralized; 316 00:47:25.980 --> 00:47:32.940 or businesses start using full-disk encryption with cloud-based virtual machines instead of 317 00:47:32.940 --> 00:47:41.760 on-premises virtual machines; finally, many organizations originally used LDAP technologies 318 00:47:43.020 --> 00:47:46.260 but are now using some type of federation technology. 
319 00:47:48.120 --> 00:47:59.820 So the game is pretty much the same here when I take certification exams or any kind 320 00:47:59.820 --> 00:48:05.220 of assessment and especially if it's in this format I usually look for something 321 00:48:05.220 --> 00:48:11.400 that can be eliminated pretty quickly. So do you see anything like that here? 322 00:48:18.840 --> 00:48:22.320 Okay do you think it has anything to do with full disk encryption? 323 00:48:24.900 --> 00:48:28.560 As we're kind of talking - we're not kind of talking - the question’s talking about 324 00:48:28.560 --> 00:48:38.640 on-premises authorization versus cloud provider or off-premises. 325 00:48:45.780 --> 00:48:55.680 Okay so the third answer is the one that jumps out as not really having anything to do with this. 326 00:49:01.260 --> 00:49:01.860 Okay 327 00:49:03.960 --> 00:49:06.660 so that leaves us with one, two, or four. 328 00:49:15.720 --> 00:49:16.680 Okay what do you think? 329 00:49:19.500 --> 00:49:20.280 Can we… 330 00:49:22.740 --> 00:49:25.740 Thank you I'm sorry go ahead. 331 00:49:28.020 --> 00:49:34.620 Does number one need to be eliminated as well? Okay so company’s network that was 332 00:49:34.620 --> 00:49:39.480 open to partners, suppliers, and customers is now open to a well-defined group of employees. 333 00:49:40.620 --> 00:49:45.720 I don't think that really matters because you can do the same thing whether it's on premises 334 00:49:45.720 --> 00:49:53.820 or using cloud providers so good, number one can be eliminated. That leaves us with two or four. 335 00:50:04.380 --> 00:50:14.940 So if these services are provided on premises… So it's two? 
336 00:50:15.720 --> 00:50:19.980 What I was going to say was if they're provided on premises or off 337 00:50:21.360 --> 00:50:28.260 I mean as far as being a decentralized or a centralized service 338 00:50:31.620 --> 00:50:39.900 it's probably not going to be that right because if it's a centralized service and let's say you 339 00:50:39.900 --> 00:50:52.440 know um some type of AAA service on a server okay and you know whether it be TACACS or RADIUS 340 00:50:53.880 --> 00:50:59.220 if either of the solutions let's say they're centralized 341 00:51:01.740 --> 00:51:06.540 would that necessarily change because we went off premises to the cloud? 342 00:51:09.720 --> 00:51:17.880 So that answer is kind of weak. The best answer is the fourth answer and especially when 343 00:51:17.880 --> 00:51:26.040 they start talking about federation technology because these types of services are what we 344 00:51:26.040 --> 00:51:30.960 would call and what the Security+ exam expects you to know as federated services 345 00:51:31.920 --> 00:51:41.040 and especially when it comes to this type of authentication and authorization and so the 346 00:51:41.040 --> 00:51:48.360 question is really describing federation services um and specific that generate access tokens 347 00:51:48.360 --> 00:51:55.680 to provide access anywhere across the internet because that's what the cloud services get us. 348 00:51:57.840 --> 00:51:58.500 All right. 349 00:52:10.500 --> 00:52:15.000 SNMPv3 authentication allows 350 00:52:15.000 --> 00:52:21.780 the use of which hashing algorithm below? Your choices are MD5, SHA, 351 00:52:22.920 --> 00:52:25.080 Both A and B; or None. 352 00:52:26.160 --> 00:52:30.600 This is pretty much a straight-up knowledge-based question so what do you think? 353 00:52:38.580 --> 00:52:45.900 Somebody take a guess at it. One, two, three, or four? Three? 354 00:52:48.660 --> 00:52:56.340 Both are correct and again it's almost straight-up knowledge-based. 
It’s 355 00:52:56.340 --> 00:53:02.700 something that you just have to know: it can use either MD5 or SHA. 356 00:53:04.500 --> 00:53:11.220 It's also probably useful to know that both of those can be brute forced to recover 357 00:53:11.220 --> 00:53:19.980 a clear-text password, so not exactly the strongest type of security.