01 - Flash Cards

Question 1

Information

Answer 1

• Organization’s information is a term that refers to all the information pertaining to the organization.

Question 2

System

Answer 2

• In this context, systems refer to IT systems used to provide services.

Question 3

Devices

Answer 3

• Broad term that may refer to computing systems, servers, laptops, smartphones and external devices such as printers.

Question 4

Subject

Answer 4

• Active entities such as users that access passive object to gain information from or about an object.

Question 5

Object

Answer 5

• Passive entities such as files and databases that provide subject with information.

Question 6

CIA Triad

Answer 6

• Confidentiality
• Integrity
• Availability

Question 7

Confidentiality

Answer 7

• Is a concept that encompasses a set of measures used to protect the secrecy of data, resources, and objects.

Question 8

Integrity

Answer 8

• Ability to protect reliability and correctness of data/information.

Question 9

Availability

Answer 9

• Refers to uninterrupted access to objects to all authorized subjects.

Question 10

Types of Access Control

Answer 10

• Preventive Access Control
• Detective Access Control
• Corrective Access Control
• Deterrent Access Control
• Directive Access Control
• Compensating Access Control
• Administrative Access Control
• Logical/Technical Control
• Physical Control

Question 11

Preventive Access Control

Answer 11

• Type of control that attempts to prevent incidents before they occur – for example firewall or a guard.

Question 12

Detective Access Control

Answer 12

• Type of control that identifies security violations after they have occurred –for example motion detectors.

Question 13

Corrective Access Control

Answer 13

• Type of controls that change the environment after an incident has occured in order to to return it to normal – for example antivirus programs.

Question 14

Deterrent Access Control

Answer 14

• Type of a control that attempts to discourage specific action from happening- for example security cameras or a security policy.

Question 15

Directive Access Control

Answer 15

• Type of administrative control that provide guidelines – for example monitoring and supervision.

Question 16

Compensating Access Control

Answer 16

• Type of a control that provides an alternative when it is not possible to use a primary control.

Question 17

Administrative Access Control

Answer 17

• Type of controls that are stated in organization’s security policy – for example background checks and training efforts.

Question 18

Logical/Technical Control

Answer 18

• Hardware and software mechanisms used to manage access and to provide protection for systems.

Question 19

Physical Control

Answer 19

• Type of control one can physically touch – for example fences and guards.

Question 20

Identification

Answer 20

• Term that refers to a subject claiming an identity.

Question 21

Authentication

Answer 21

• Term that refers to verifying subject’s identity by comparing it against a database such as user accounts.

Question 22

Authorization

Answer 22

• Term that refers to granting access to specific resources based on a proven identity.

Question 23

Accountability

Answer 23

• Term that refers to subjects responsibility for their actions once an audit is under way.

Question 24

Authentication Factors Types

Answer 24

• Type 1
• Type 2
• Type 3

Question 25

Authentication Type 1

Answer 25

* Something you know -- for example a pin or a password.

Question 26

Authentication Type 2

Answer 26

* Something you have -- for example a token or a smart card.

Question 27

Authentication Type 3

Answer 27

* Something you are or you do -- for example fingertips or keystrokes.

Question 28

Context- Aware Authentication

Answer 28

* Context-aware authentication is the use of situational information (such as identity, location, time, type of device) to improve information security.

Question 29

Passwords

Answer 29

* Most common authentication technique that belong to Type 1 authentication.

Question 30

Strong Password Policy Settings

Answer 30

* Maximum age * Password lengths * Password complexity

Question 31

Password History

Answer 31

* Password history remembers a certain number of passwords and prevents a user from reusing previous passwords.

Question 32

Password Phrase

Answer 32

* Passphrase is a string of characters that has a unique meaning to a user -- for example "I am awesome."

Question 33

Cognitive Passwords

Answer 33

* Series of questions about the facts that only a subject would know.

Question 34

Smartcards

Answer 34

* Cards that have an embedded circuit chip and contain information about an authorized user. * This information is used for identification and authentication.

Question 35

Tokens

Answer 35

* Password generating device that users carry with them.

Question 36

Token Types

Answer 36

* Synchronous Dynamic * Asynchronous Dynamic

Question 37

HOTP

Answer 37

* HMAC includes a hash function used by HMAC-based One Time Password in order to create onetime passwords..

Question 38

TOTP

Answer 38

* Time-based One-Time Password uses a timestamp and it is valid for a certain time like 30 seconds. The password expires if the user does not use it within the frame.

Question 39

Biometrics

Answer 39

* Face scans * Retina scans * Iris scans * Palm scans * Hand geometry * Heart/pulse patterns * Voice pattern recognition * Signature dynamics * Keystroke patterns

Question 40

Biometric Factor Error Ratings

Answer 40

* False Rejection Rate - valid subject is not authenticated * False Acceptance Rate - invalid subject is authenticated

Question 41

Multifactor Authentication

Answer 41

* Authentication method that uses 2 or more factors to provide authentication.

Question 42

Device Authentication

Answer 42

* Fingerprinting, 802.1x, user logs...

Question 43

Service Authentication

Answer 43

* Usually refers to username and password.

Question 44

Identity Management Implementation

Answer 44

* Centralized access control * Decentralized access control

Question 45

Single Sign-On

Answer 45

* Centralized access control method that allows a user to be authenticated once and be able to use multiple resource without authenticating again.

Question 46

LDAP

Answer 46

* Lightweight Directory Access Protocol is a directory for network services and assets.

Question 47

Kerberos

Answer 47

* It is a computer network authentication protocol developed by MIT that offers sign on solution for users and provides protection for logon credentials.

Question 48

Kerberos elements

Answer 48

* Key Distribution Center * Kerberos Authentication Server * Ticket Granting Ticket * Ticket

Question 49

Hypertext Markup Language (HTML)

Answer 49

* It is a major markup language used to display web pages on the internet.

Question 50

Extensible Markup Language (XML)

Answer 50

* It is a language commonly used by data-exchange services to send information between otherwise incompatible systems.

Question 51

Service Provisioning Markup Language

Answer 51

* XML-based language that facilitates the exchange of provisioning information among applications and organizations, corporations, or agencies.

Question 52

Extensible Access Control Markup Language

Answer 52

* It is an open standard XML-based language designed to express security policies and access rights to information for web services, digital rights management, and enterprise security applications.

Question 53

OAuth 2.0

Answer 53

* It is an open standard used for access delegation.

Question 54

OpenID

Answer 54

* It is an open standard and decentralized authentication protocol maintained by the OpenID Foundation.

Question 55

OpenID Connect

Answer 55

* It simple identity layer on top of the OAuth 2.0 protocol autorization framework.

Question 56

Scripted Access

Answer 56

* Logon script meant to establish communication links by providing automated process to transmit credentials at the start of a logon session.

Question 57

Credential Management System

Answer 57

* Storage space for users to keep their credentials when SSO is not available.

Question 58

AAA Protocols

Answer 58

* Authentication, Authorization and Accounting -- term used to refer to a family of protocols that mediate network access such as RADIUS and Diameter

Question 59

RADIUS

Answer 59

* Remote Authentication Dial-In User Service is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate users and authorize their access to the requested system or service.

Question 60

Diameter

Answer 60

* Enhanced version of RADIUS that supports a wide range of protocols including traditional IP, Mobile IP, Voice over IP.

Question 61

TACACS+

Answer 61

* Terminal Access Controller Access-Control System refers to a family of related protocols handling remote authentication and related services for networked.

Question 62

Identity and access provisioning lifecycle

Answer 62

* It is a concept that refers to creation, management, and deletion of accounts.

Question 63

Provisioning

Answer 63

* In the context of setting a new account, provisioning refers to assigning appropriate privileges with an account.

Question 64

Account Review

Answer 64

* Review process should be done regularly to ensure that security policies are being followed.

Question 65

Account Revocation

Answer 65

* It is key to revoke accounts for terminated employees due to a risk of a sabotage. * Many systems set expiration dates for specific accounts.