Security & Access Management Flashcards

1
Q

SPF

A

Sender Policy Framework

  • Email authentication method designed to detect forged sender addresses during delivery of the email
  • Limited to validating the envelope sender: the connecting mail server's IP is checked against the SPF DNS TXT record published by the domain in the SMTP MAIL FROM (Return-Path). It does not check the From: header the recipient sees, which is why it is normally paired with DKIM and DMARC
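The evaluation SPF performs, as an added example that is not part of the original deck: a receiving server takes the domain from the envelope MAIL FROM, fetches that domain's SPF TXT record, and tests the connecting client's IP against the record's mechanisms in order. The record below is constructed for a hypothetical domain; only the ip4, ip6 and all mechanisms are implemented, because include, a, mx and redirect require live DNS lookups (and are subject to RFC 7208's 10-lookup limit).

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (no DNS lookup is performed here).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Qualifier prefix -> SPF result; a mechanism with no prefix is "+" (pass).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (result, mechanism, value) tuples in record order."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], mechanism.lower(), value))
    return parsed


def check_spf(record, client_ip):
    """Return the SPF result ("pass", "fail", "softfail" or "neutral") for the
    SMTP client address that presented the envelope sender's domain."""
    ip = ipaddress.ip_address(client_ip)
    for result, mechanism, value in parse_spf(record):
        if mechanism == "all":
            return result                       # catch-all: always matches
        if mechanism in ("ip4", "ip6"):
            # A bare address without a prefix length is treated as a /32 or /128.
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return result
        # include/a/mx/exists/redirect need DNS and are skipped in this offline example.
    return "neutral"                            # RFC 7208: no match and no "all" -> neutral


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.1", "2001:db8::1"):
        print(addr, "->", check_spf(SAMPLE_SPF, addr))
```

Because the check is keyed on the envelope sender only, a message whose Return-Path domain authorizes the sending server passes SPF even if its From: header names a completely different domain; DMARC's alignment check is what closes that gap.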
2
Q

DAC

A

Discretionary Access Control

An access control model in which every object (for example a file or folder) has an owner, and the owner can grant or modify permissions on that object at their own discretion.

Microsoft NTFS uses the DAC model: the owner edits the object's access control list.

3
Q

MAC

A

Mandatory Access Control

  • Non-discretionary access control policy where the system (not the object's owner) determines access to an object
  • Uses labels (sometimes referred to as sensitivity labels or security labels) to decide access
  • A security administrator assigns labels to subjects (users, processes) and objects (files, folders, devices, network connections)
    • Access is granted when the subject's label dominates the object's label; in the simplest case, when the labels match
    • When the labels do not match (the subject's clearance is lower, or it lacks a required compartment), access is blocked
  • Labels create trust levels for all subjects and objects
  • Implemented through rule-based and lattice-based access control methods (Bell-LaPadula for confidentiality is the classic lattice model)
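A lattice-based MAC check, as an added example that is not part of the original deck. The level hierarchy and compartment names are constructed; the rules are the Bell-LaPadula properties (no read up, no write down), which show why "labels match" is only the simplest case: a subject may read an object whose label it dominates, and may write only to objects whose label dominates its own.

```python
# Constructed hierarchy of sensitivity levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


class Label:
    """Security label = hierarchical level + set of compartments (need-to-know categories)."""

    def __init__(self, level, compartments=()):
        if level not in LEVELS:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        """Lattice order: at least as high a level AND a superset of other's compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)

    def __repr__(self):
        return f"Label({self.level}, {sorted(self.compartments)})"


def may_read(subject, obj):
    """Bell-LaPadula simple security property: no read up."""
    return subject.dominates(obj)


def may_write(subject, obj):
    """Bell-LaPadula *-property: no write down (the object's label must dominate the subject's)."""
    return obj.dominates(subject)


if __name__ == "__main__":
    analyst = Label("SECRET", {"CRYPTO"})
    report = Label("CONFIDENTIAL", {"CRYPTO"})
    print("read  ", report, "->", may_read(analyst, report))   # True: dominates
    print("write ", report, "->", may_write(analyst, report))  # False: would be a write down
```

The decision depends only on the two labels, never on who owns the object; that is the distinction from DAC, where the owner could simply grant the analyst access.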
4
Q

MFA

A

Multifactor Authentication

Authentication that requires methods from at least two different factors: something you know (password, PIN), something you have (hardware token, smart card, authenticator app), and something you are (biometric). Two methods from the same factor, such as a password plus a PIN, do not count as multifactor.

5
Q

CSO

A

Chief Security Officer

The executive responsible for an organization's entire security posture, both physical and cyber, who holds the big-picture view of the company's operational risk.

Similar to, and often overlapping with, the CISO role; commonly reports to the CEO, COO or CIO depending on the organization.

6
Q

SSO

A

Single Sign-On

  • Ability of a user to log on to or access multiple systems by providing credentials only once
  • Can improve security because the user needs to remember only one set of credentials and is less likely to write them down
  • Caveat: that one credential also becomes a single point of compromise, so SSO should be protected with MFA and session monitoring
7
Q

RBAC/Rule-BAC

A

Rule-Based Access Control (AKA Rule-BAC)

  • Access is controlled by a set of approved instructions (rules) such as an access control list (ACL)
  • Rules can be parameters such as allowing access only from certain IP addresses, denying access from certain IP addresses, or something more specific
  • Rules are usually evaluated top-down with the first match deciding and an implicit deny at the end, so rule ordering matters
  • Some systems use rules that trigger a response to an event, such as the response to an attack or a situation where a user needs additional permissions
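A rule-based ACL evaluator, as an added example that is not part of the original deck. The rule set is constructed; it shows first-match-wins evaluation with an implicit deny, and why the position of a deny rule changes the outcome.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str       # "allow" or "deny"
    src: str          # source network in CIDR notation, or "any"
    dst_port: object  # destination TCP port as int, or "any"


# Constructed rule set, evaluated top-down; the first matching rule decides.
RULES = [
    Rule("deny", "203.0.113.0/24", "any"),  # known-bad range, blocked on every port
    Rule("allow", "10.0.0.0/8", 22),        # SSH only from the internal network
    Rule("allow", "any", 443),              # HTTPS from anywhere
]


def _matches(rule, ip, port):
    src_ok = rule.src == "any" or ip in ipaddress.ip_network(rule.src, strict=False)
    port_ok = rule.dst_port == "any" or rule.dst_port == port
    return src_ok and port_ok


def evaluate(rules, src_ip, dst_port):
    """Return (decision, index of the deciding rule); index None means the implicit deny."""
    ip = ipaddress.ip_address(src_ip)
    for i, rule in enumerate(rules):
        if _matches(rule, ip, dst_port):
            return rule.action, i
    return "deny", None


if __name__ == "__main__":
    for src, port in (("10.1.2.3", 22), ("10.1.2.3", 23), ("203.0.113.7", 443), ("198.51.100.9", 443)):
        print(f"{src}:{port} ->", evaluate(RULES, src, port))
```

Returning the index of the deciding rule is what makes the decision auditable: a firewall or proxy log that records "denied by rule 0" is far easier to troubleshoot than a bare deny.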
8
Q

ID

A

Identification

A user identifier (ID) assigned to a human being or other system user. Identification is only the claim of an identity (presenting the username); authentication is the step that proves the claim.

9
Q

EER

A

Equal Error Rate

A statistic used to show biometric performance, typically when operating in the verification task.

The EER is the point on a ROC or DET curve where the false acceptance rate (FAR) and false rejection rate (FRR) are equal; it is also called the crossover error rate (CER).

The lower the EER value, the higher the accuracy of the biometric system.

10
Q

AAA

A

Authentication, Authorization, & Accounting

A common security framework for mediating network and application access, implemented by protocols such as RADIUS and TACACS+.

  • Authentication - verifies the identity of the user or device
  • Authorization - determines what an authenticated user is permitted to do
  • Accounting - tracks access and activity with logs
11
Q

RBAC/Role-BAC

A

Role-Based Access Control

  • Uses roles to manage the rights and permissions of users
  • Users are assigned to roles, and network objects are configured to allow access only to specific roles
  • Roles are created independently of user accounts, so access is changed by adjusting role membership rather than editing per-user permissions
  • The model is used by the majority of enterprises with 500+ employees.
12
Q

HSM

A

Hardware Security Module

A dedicated hardware device (network appliance, PCIe card, or removable USB token) that generates, stores, and manages cryptographic keys, including the RSA keys used in asymmetric encryption, and performs signing and decryption inside the device so that private keys never leave it in plaintext.

Compare with TPM, which is a chip bound to a single host rather than a shared or removable key store.

13
Q

FRR

A

False Rejection Rate

A metric for biometric devices that describes the percentage of authorized users who were incorrectly rejected by a biometric system.

14
Q

CAC

A

Common Access Card

A specialized smart card used by the US DoD.

It includes photo identification and embedded certificates and private keys that provide confidentiality, integrity, authentication, and non-repudiation.

15
Q

HOTP

A

HMAC-based One-Time Password

  • An open standard (RFC 4226) for creating one-time passwords
  • Combines a shared secret key and a moving counter: HMAC (SHA-1) is computed over the counter and the result is truncated to a 6- to 8-digit code
  • Both sides keep the counter; the server must tolerate a small look-ahead window (codes the client generated but never submitted) and must refuse codes at or below the last accepted counter to prevent replay
  • AKA event-based one-time password
16
Q

NGAC

A

Next Generation Access Control

  • Flexible access control framework that can be molded to support combinations of diverse access control policies
  • Enables a systematic, policy-consistent approach to access control, granting or denying users administrative capabilities with a high level of granularity
  • Developed by NIST
17
Q

TOTP

A

Time-based One-Time Password

  • Open standard (RFC 6238) built on HOTP
  • Uses a time-based counter (the number of time steps elapsed since the Unix epoch) instead of an event counter
  • One-time passwords created with TOTP are valid for one time step, 30 seconds by default; servers usually accept one step of clock skew in either direction
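Both algorithms worked through in code, as an added example covering the HOTP and TOTP cards; this is not code from the original deck. It implements RFC 4226 (HMAC over the 8-byte counter, then dynamic truncation) and RFC 6238 (the same with a time-step counter), plus the server-side checks the cards describe: a look-ahead window for HOTP that still refuses replayed codes, and a skew window for TOTP. The secret is the RFC test-vector secret, not a real key.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte selects a 4-byte window
    binary = ((mac[offset] & 0x7F) << 24         # clear the sign bit
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, for_time=None, step=30, t0=0, digits=6, digestmod=hashlib.sha1):
    """RFC 6238 TOTP: HOTP whose counter is the number of time steps elapsed since T0."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, (for_time - t0) // step, digits, digestmod)


def verify_hotp(secret, code, expected_counter, look_ahead=5, digits=6):
    """Server-side HOTP check. Tries the stored counter and a small look-ahead window
    (the client may have generated codes that never reached the server). Returns the next
    counter to store on success, None on failure. Only counters >= the stored value are
    tried, so a code that was already accepted cannot be replayed."""
    for c in range(expected_counter, expected_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c + 1
    return None


def verify_totp(secret, code, now, window=1, step=30, digits=6):
    """Server-side TOTP check that tolerates +/- `window` time steps of clock skew."""
    for delta in range(-window, window + 1):
        candidate = totp(secret, now + delta * step, step=step, digits=digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


# Shared test secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890"); never use in production.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))            # 755224 per RFC 4226
    print("TOTP at T=59  :", totp(RFC_SECRET, 59, digits=8))  # 94287082 per RFC 6238
    print("current TOTP  :", totp(RFC_SECRET))
```

hmac.compare_digest is used for the final comparison so that a timing difference does not leak how many leading digits of a guess were correct; the look-ahead and skew windows are deliberately small, because every extra counter or time step the server accepts multiplies an attacker's chance of guessing a valid code.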
18
Q

SAML

A

Security Assertion Markup Language

  • Open standard for exchanging authentication and authorization data between parties
  • XML-based markup language for security statements (assertions) that service providers use to make access-control decisions
  • SAML provides SSO for web-based applications
  • The identity provider authenticates the user and issues a digitally signed assertion; the service provider must validate the signature, audience and validity period before trusting it
19
Q

IdP

A

Identity Provider

  • System entity that creates, maintains, and manages identity information for principals
  • Also provides authentication services to relying applications within a federation or distributed network
20
Q

IAM (IdAM)

A

Identity and Access Management

A collective term that covers products, processes, and policies used to manage user identities and regulate user access within an organization.

Access and users are vital concepts:

  • Access - refers to actions permitted to be done by a user such as view, create, or change a file.
  • Users could be employees, partners, suppliers, contractors, or customers.

A framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources.

A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets such as networks, operating systems, and applications.

AKA Identity Management (IdM)

21
Q

FAR

A

False Acceptance Rate

A metric for biometric devices that describes the percentage of unauthorized users who were incorrectly authenticated by a biometric system

22
Q

NTLM

A

New Technology LAN Manager

A suite of challenge-response authentication protocols created by Microsoft that provide authentication, and optionally session integrity and confidentiality (signing and sealing), within Windows systems. It is considered legacy: Kerberos is preferred in Active Directory, and NTLM remains exposed to relay and pass-the-hash attacks.

23
Q

PAP

A

Password Authentication Protocol

An older authentication protocol in which passwords or PINs are sent across the network in cleartext. It offers no protection against eavesdropping and has been superseded by CHAP and EAP; if it must be used at all, it should run only inside an already-encrypted tunnel.

24
Q

ABAC

A

Attribute-Based Access Control

An access control model that grants access based on attributes of the subject, the object, the requested action, and the environment (time of day, network location, device state), evaluated against written policies rather than static role or owner assignments.

AKA policy-based access control
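The two models side by side, as an added example covering both the Role-Based Access Control card and the ABAC card; this is not code from the original deck. The roles, users, documents and the ABAC policy are constructed. The contrast to notice is that the RBAC check only consults role membership, while the ABAC check can also consider the object's owner and department and the environment of the request.

```python
from datetime import time

# --- RBAC: permissions hang off roles; users are assigned to roles (constructed data) ---
ROLE_PERMS = {
    "reader":  {"file:read"},
    "editor":  {"file:read", "file:write"},
    "auditor": {"file:read", "log:read"},
}
USER_ROLES = {"alice": {"editor"}, "bob": {"reader", "auditor"}}


def rbac_allowed(user, permission):
    """Allowed if any role the user holds carries the permission; unknown users get nothing."""
    return any(permission in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- ABAC: a policy is a predicate over subject, object, action and environment attributes ---
def abac_allowed(subject, obj, action, env):
    """Constructed policy:
       1. the owner may perform any action on their own object;
       2. anyone in the object's department may read it during business hours
          from the corporate network;
       3. everything else is denied."""
    if subject["id"] == obj["owner"]:
        return True
    if (action == "read"
            and subject["department"] == obj["department"]
            and time(9) <= env["time"] < time(17)
            and env["network"] == "corp"):
        return True
    return False


if __name__ == "__main__":
    budget = {"owner": "alice", "department": "finance"}
    bob = {"id": "bob", "department": "finance"}
    print("RBAC alice file:write ->", rbac_allowed("alice", "file:write"))
    print("ABAC bob reads budget at 10:00 from corp ->",
          abac_allowed(bob, budget, "read", {"time": time(10), "network": "corp"}))
    print("ABAC bob reads budget at 20:00 from corp ->",
          abac_allowed(bob, budget, "read", {"time": time(20), "network": "corp"}))
```

Granting a new user the same access under RBAC is a one-line change to USER_ROLES with no edits to ROLE_PERMS, which is what "roles are created independently of user accounts" means in practice; under ABAC the same effect comes from the user's attributes matching the policy, so no per-user change is needed at all.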

25
Q

PIV

A

Personal Identity Verification

A smart card that meets the standards for FIPS 201 in that it is resistant to tampering and provides quick electronic authentication of the card’s owner.

26
Q

CER

A

Cross-over Error Rate

  • Used to measure the accuracy of a biometric system
  • Describes the point where the false rejection rate (FRR) and false acceptance rate (FAR) are equal; the same quantity as the equal error rate (EER)
  • A low CER signifies a highly accurate biometric system; tuning the match threshold trades FAR against FRR, so the CER summarizes the system's accuracy independent of where the threshold is set
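How FAR, FRR and the crossover point are computed from matcher output, as an added example covering the EER, FRR, FAR and CER cards; this is not code from the original deck. The score lists are constructed (ten genuine and ten impostor attempts of a hypothetical matcher, where a higher score means a stronger match); real systems use thousands of attempts, but the procedure is the same: sweep the decision threshold, compute both error rates at each step, and find where they cross.

```python
# Constructed matcher scores (higher = stronger match). GENUINE: attempts by enrolled
# users against their own template; IMPOSTOR: attempts by unauthorized users.
GENUINE = [0.9, 0.85, 0.8, 0.75, 0.7, 0.65, 0.6, 0.55, 0.4, 0.3]
IMPOSTOR = [0.1, 0.2, 0.25, 0.3, 0.35, 0.4, 0.45, 0.5, 0.6, 0.7]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor attempts scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor_scores) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine attempts scoring below the threshold."""
    return sum(s < threshold for s in genuine_scores) / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores):
    """(threshold, FAR, FRR) at every distinct score: the raw material for a ROC or DET plot."""
    thresholds = sorted(set(genuine_scores) | set(impostor_scores))
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in thresholds]


def equal_error_rate(genuine_scores, impostor_scores):
    """Threshold at which FAR and FRR are closest, and the EER/CER (their mean there)."""
    t, a, r = min(error_curve(genuine_scores, impostor_scores), key=lambda p: abs(p[1] - p[2]))
    return t, (a + r) / 2


if __name__ == "__main__":
    for t, a, r in error_curve(GENUINE, IMPOSTOR):
        print(f"threshold {t:.2f}  FAR {a:.1f}  FRR {r:.1f}")
    print("EER/CER:", equal_error_rate(GENUINE, IMPOSTOR))
```

Raising the threshold drives FAR toward zero and FRR up; a system protecting a high-value asset is usually operated to the right of the crossover (low FAR, more legitimate retries), while a convenience use case sits to the left.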
27
Q

HA

A

High Availability

The property that describes how closely a system approaches the goal of providing data availability 100% of the time while maintaining a high level of performance; usually expressed as a percentage of uptime ("nines") and achieved through redundancy and failover.

28
Q

OAuth

A

Open Authorization

  • Open standard for access delegation
  • Commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords
  • Used by Amazon, Google, Facebook, Microsoft, Twitter
  • Designed to work with HTTP, OAuth allows access tokens to be issued to third-party clients by an authorization server with the approval of the resource owner
  • OAuth is an authorization protocol, not an authentication protocol; OpenID Connect adds the identity layer on top of it
29
Q

OTP

A

One Time Password

  • A password that is generated for use in one specific session and becomes invalid after the session ends.
  • Also known as a one-time PIN or dynamic password.
30
Q

NAC

A

Network Access Control

  • System that inspects clients before granting network access to ensure they are healthy (patched, antivirus running, configured to policy)
  • Agents perform the inspection
  • Agents can be:
    • Permanent (installed on the client)
    • Dissolvable (downloaded for the check and removed afterwards)
  • Agentless NAC inspects the device from the network instead (for example via 802.1X and switch integration)