Old - Domain 1: Access Control Flashcards

Question 1

Q

Subject

Answer

A

An active entity on an information system.

Question 2

Q

Object

Answer

A

A passive data file.

Question 3

Q

Discretionary Access Control (DAC)

Answer

A

Gives subject full control of objects they have been given access to, including sharing the objects with others.

Question 4

Q

Mandatory Access Control (MAC)

Answer

A

System-enforced access control based on subject’s clearances and object’s labels.

Question 5

Q

Role-based Access Control (RBAC)

Answer

A

Subjects are grouped in to roles, and each defined role has access permissions based upon the role, not the individual.

Question 6

Q

Purpose of Access Control?

Answer

A

To protect the confidentiality, integrity, and availability of data.

Question 7

Q

Opposite of CIA?

Answer

A

Disclosure, Alteration, Destruction (DAD)

Question 8

Q

Honeywell’s SCOMP, Purple Penelope, and Linux Intrusion Detection System (LIDS) are all examples of what type of access control system?

Answer

A

Mandatory Access Control (MAC) – List examples.

Question 9

Q

Examples of Non-discretionary Access Control?

Answer

A

Role Based Access Control
Task Based Access Control

–Are examples of what type of access control?

Question 10

Q

RBAC has what rules?

Answer

A

Role assignment
Role authorization
Transaction authorization

Question 11

Q

What are the 3 primary models for access control?

Answer

A

Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Non-discretionary Access Control (Such as RBAC)

Question 12

Q

Access provisioning lifecycle: Name the steps IBM has outlined.

Answer

A

Password policy compliance checking.
Notifying users to change pwd before it expires.
Identifying lifecycle changes (ex: inactive accounts).
Identifying new accounts that haven’t been used for 10 days after creation.
Identifying accounts that can be deleted (ex: suspended for 30 days).
Identifying all accounts belonging to a business partner or contractor and revoking access when no longer required.

Question 13

Q

Access aggregation (authorization creep)

Answer

A

Occurs as individual users gain more access to more systems. (sometimes through role or duty changes)

Question 14

Q

RADIUS

Answer

A

Remote Authentication Dial-In User Service

Question 15

Q

According to RFC 2865 RADIUS supports what codes?

Answer

A

Access-Request
Access-Accept
Access-Reject
Accounting-Request
Accounting-Response
Access-Challenge
Status-Server (Experimental)
Status-Client (Experimental)

Question 16

Q

Name the protocols & ports used by RADIUS.

Answer

A

UDP ports 1812 (authentication) & 1813 (accounting)

Formerly used 1645 (authentication) & 1646 (accounting)

Question 17

Q

Name the RFCs that RADIUS is described in.

Answer

A

RFC 2865 & 2866

Question 18

Q

RADIUS request and response data is carried in?

Answer

A

Attribute-Value Pairs (AVPs)

Question 19

Q

Diameter

Answer

A

Successor to RADIUS, designed to provide an improved AAA framework.

Question 20

Q

Differences between Diameter & RADIUS?

Answer

A

Radius uses 8 bits for AVP field, Diameter uses 32 bits.
Diameter uses single server to manage policies for many services, as opposed to RADIUS which requires many.
Diameter uses TCP, RADIUS uses UDP.

Question 21

Q

Name the RFC that Diameter is described in.

Question 22

Q

TACACS

Answer

A

The Terminal Access Controller Access Control System

Question 23

Q

TACACS ports?

Answer

A

UDP port 49 (may also use TCP)

Question 24

Q

RADIUS or TACACS+ more secure?

Answer

A

Radius encrypts only password, all other data is unencrypted. TACACS+ encrypts all data below TACACS+ header, so it is more secure then RADIUS.

Question 25

Q

TACACS+ port?

Answer

A

TCP port 49

Question 26

Q

Name RFC that PAP is described in.

Question 27

Q

PAP

Answer

A

Password Authentication Protocol (not a strong authentication method)

Question 28

Q

CHAP

Answer

A

The Challenge Handshake Authentication Protocol

Question 29

Q

Name the RFC that CHAP is described in.

Question 30

Q

Advantage of CHAP over PAP?

Answer

A

CHAP uses a shared secret that is known only to the authenticator and peer. This isn’t passed over the network so it can’t be captured using a sniffer.

Question 31

Q

Name the RFC that describes the Kerberos Authentication Protocol (Microsoft).

Question 32

Q

Trust (nontransitive)

Answer

A

Trust relationship exists only between two trust partners.

Question 33

Q

Trust (transitive)

Answer

A

Trust relationship exists between two partners and all of their partners.

Question 34

Q

Labels

Answer

A

Applied to objects in MAC.

Question 35

Q

Clearances

Answer

A

Applied to subjects in MAC.

Question 36

Q

Object labels used by many world governments?

Answer

A

Confidential, Secret, Top Secret.

Question 37

Q

Additional labels used by government?

Answer

A

Unclassified (data that is not sensitive)
Sensitive but unclassified (SBU)
For official use only (FOUO)
Sensitive compartmented information (SCI) - these compartments require a documented and approved need to know in addition to a normal clearance such as top secret.

Question 38

Q

Labels used by private sector companies?

Answer

A

Internal use only

- Company proprietary

Question 39

Q

Rule-based access control

Answer

A

System that uses a series of defined rules, restrictions, and filters for accessing objects.

Question 40

Q

Types of access control

Answer

A

Preventative
Detective
Corrective
Recovery
Deterrent
Compensating

Question 41

Q

Categories that each access control type can fall in to?

Answer

A

Administrative
Technical
Physical

Question 42

Q

Preventative controls

Answer

A

Access control type that stops actions from occurring.

Question 43

Q

Detective controls

Answer

A

Access control type that alerts during or after a successful attack.

Question 44

Q

Preventative control examples?

Answer

A

Physical - lock, mantrap
Technical - firewall
Administrative - Pre-employment drug screening

Question 45

Q

Detective control examples?

Answer

A

Physical - CCTV, light
Technical - IDS
Administrative - Post-employment random drug screenings.

Question 46

Q

Corrective controls

Answer

A

Access control type that works by correcting a damaged system or process.

Question 47

Q

Recovery controls

Answer

A

Access control type that is used to restore functionality to a system or organization after a security incident.

Question 48

Q

Deterrent controls

Answer

A

Access control type that discourages users from performing actions on a system.

Question 49

Q

Compensating controls

Answer

A

Access control type that is an additional security control put in place to make up for weaknesses in other controls.

Question 50

Q

Types of authentication methods?

Answer

A

Type 1 (something you know)
Type 2 (something you have)
Type 3 (something you are)
Type 4 (someplace you are)

Question 51

Q

Four types of passwords?

Answer

A

Static passwords
Passphrases
One-time passwords
Dynamic passwords

Question 52

Q

Static passwords

Answer

A

Reusable passwords that may or may not expire.

Question 53

Q

Passphrases

Answer

A

Long static passwords, comprised of words in a phrase or sentence.

Question 54

Q

One-time password

Answer

A

Used for a single authentication. Very secure but difficult to manage.

Question 55

Q

Dynamic passwords

Answer

A

Change at regular intervals. (SecurID Token Code)

-Very secure, but tokens are expensive

Question 56

Q

Strong authentication (multifactor authentication)

Answer

A

Requires user to present more than one authentication factor. (Ex: ATM card & Pin)

Question 57

Q

Hashing

Answer

A

One-way encryption using an algorithm and no key.

Question 58

Q

Password cracking

Answer

A

An attack where the attacker runs the hash algorithm forward many times, selecting various possible passwords and comparing the output to a desired hash, hoping to find a match.

Question 59

Q

Unix/Linux system passwords are stored where?

Answer

A

/etc/shadow file - only root has read access.

Question 60

Q

Windows system passwords are stored where?

Answer

A

Security account management file (SAM file)

-Both locally and on DC

Question 61

Q

fgdump

Answer

A

Tool to dump windows password hashes from memory.

Question 62

Q

Microsoft LAN Manager (LM)

Answer

A

Passwords are converted to uppercase before hashing. (Not as secure)

Question 63

Q

Dictionary attack

Answer

A

Uses a predefined list of words and then runs each word through a hash algorithm.

Question 64

Q

Brute force attack

Answer

A

Attacker calculates the hash outputs for every possible password.

Answer 61

A

Acts as a database that contains the precomputed hashed output for most or all possible passwords.

Answer 62

A

Appends, prepends, or changes characters in words from a dictionary before hashing, to attempt the fastest crack of complex passwords.

Answer 63

A

Allows one password to hash multiple ways. (ensures that the same password will encrypt differently when used by different users. (Makes rainbow tables highly ineffective)

Answer 64

A

Password history = 24 passwords
Maximum password age = 90 days
Minimum password age = 2 days
Minimum password length = 8 characters
Passwords must meet complexity requirements = true
Store password using reversible encryption = false

Answer 65

A

An object that helps prove an identity claim.

Answer 66

A

Use time or counters to synchronize a displayed token code with the code expected by the authentication server.

Answer 67

A

Serial number of authorized token
User it is associated with
Current time

Answer 68

A

Not synchronized with a central server. The most common variety is challenge-response tokens. These produce a challenge, or input for the token device. The user then manually enters the info into the device along with the user’s PIN, and the device produces an output. This output is then sent to the system for authentication.

Answer 69

A

Data storage required to represent biometric information. (1000 bytes or less is typical, much less for some systems such as hand geometry)

Answer 70

A

Rarely used due to health risks and unwarranted privacy issues. (press eye against an eyecup - potential exchange of bodily fluid)

Answer 71

A

Some staff may not have fingerprints or eyes, so appropriate biometric systems must be used.

Answer 72

A

The process of registering for a biometric system.

Answer 73

A

Process of authenticating to a biometric system.

Answer 74

A

False reject rate (FRR)
False accept rate (FAR)
Crossover error rate (CER)

Answer 75

A

Occurs when an authorized subject is rejected by the biometric system as unauthorized. (Type 1 Error)

Answer 76

A

Occures when an unauthorized subject is accepted as valid. (Type 2 Error)

Answer 77

A

Type 2 errors are worse.

Answer 78

A

Describes the point where the false reject rate (FRR) and the false accept rate (FAR) are equal.

Answer 79

A

Lower the data points tracked by the system (this will increase the FAR).

Answer 80

A

Higher FRR, lower FAR.

Answer 81

A

Higher FAR, lowever FRR.

Answer 82

A

Most widely used biometric control available today.

Answer 83

A

Mathematical representation of a fingerprint.

Answer 84

A

Minutiae - including whorls, ridges, and bifurcations.

Answer 85

A

Laser scan of the capillaries that feed the retina at the back of the eye.

Answer 86

A

Passive biometric control. A camera takes a picture of the iris (colored portion of the eye) and then compares the photogragh with the authentication db. (works through contact lens and glasses)

-Extremely accurate, passive, no exchange of bodily fluid

Answer 87

A

biometric control, measurements are taken from specific points on the subject’s hand. (records length, thickness, and surface area)

-Simply, as little as 9 bytes needed for storage

Answer 88

A

Refers to how hard a person presses each key and the rhythm with which the keys are pressed. (suprisingly inexpensive to implement)

Answer 89

A

Measures the process by which someone signs his or her name. (measuring time, pressure, loops in signature, beginning & ending points)

Answer 90

A

Measures the subject’s tone of voice while stating a specific sentence or phrase.

Vulnerable to replay attacks so must be combined with other access controls
Another issue is a person’s voice may change due to illness, resulting in false rejection.

Answer 91

A

Process of passively taking a picture of a subject’s face and comparing that picture to a list stored in a database.

-Not frequently used for authentication due to high cost, but is used by law enforcement

Answer 92

A

Describes location based access control using technologies such as GPS, IP address-based geo-location, or physical location for point-of-sale purchases.

Answer 93

A

Allows multiple systems to use a central authentication server (AS). This allows users to authenticate once and then access multiple different systems.

Answer 94

A

Improved user productivity - No multiple logins, less username/passwords to remember. Less calls to support.
Improved developer productivity - allows them to work with a common authentication framework or even not have to worry about authentication at all.
Simplified administration

Answer 95

A

Difficult to retrofit to existing applications
Unattended desktop - Malicious user could gain access to all applications.
Single point of attack - Central auth server is attractive target for hackers.

Answer 96

A

Refers to the policies, processes, and technologies that establish user identities and enforce rules about access to digital resources.

Answer 97

A

Creates a trusted authority for digital identities across multiple organizations. Participating institutions share identity attributes based on agreed-upon standards, facilitating authentication from other members of the federation and granting appropriate access to online resources.

Answer 98

A

OpenID or SAML

Answer 99

A

Developed under Project Athena at the Massechusetts Institute of Technology.

Answer 100

A

A network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communication over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity and secrecy using cryptography systems such as DES.

Answer 101

A

Principal - Client (user) or service
Realm - A logical Kerberos network
Ticket - Data that authenticates a principal’s identity
Credentials - A ticket and a service key
KDC - Key distribution center, which authenticates principals
TGS - Ticket granting service
TGT - Ticket granting ticket
C/S - Client/Server, regarding communications between the two

Answer 102

A

Uses symmetric encryption and provides mutual authentication of both clients and servers. It protects against network sniffing and replay attacks.

Answer 103

A

Kerberos principal Alice contacts the KDC, which acts as an authentication server, to request authentication.
The KDC sends Alice a session key, encrypted with Alice’s secret key. The KDC also sends a TGT, encrypted with the TGS secret key.
Alice decrypts the session key and uses it to request permission to print from the TGS.
Seeing Alice has a valid session key, the TGS sends Alice a C/S session key to use to print. The TGS also sends a service ticket, encrypted with the printer’s key.
Alice connects to the printer. The printer, seeing a valid C/S session key, knows Alice has permission to print and knows that Alice is authentic.

Answer 104

A

Good for a site-selected specific lifetime, often set to 10 hours (the length of a work day, plus a few). This allows a typical user to authenticate once and access network resources for the lifetime of the ticket.

Answer 105

A

Cannot be decrypted by Alice, only passed on to printer. This allows printer to trust what is receives from Alice without consulting KDC or TGS.

Answer 106

A

All keys are stored on a central server. If that is compromise all keys could be compromised.
KDC and TGS are single points of failure. If they go down no new credentials can be issued.
Replay attacks are still possible for the lifetime of the authenticator.
In kerberos 4, user may request session key for another user. Could then launch local password guessing attack on encrypted session key.
While kerberos can mitigate malicious network attacks, it does not mitigate local host attacks because plaintext keys may exist in memory or cache.

Answer 107

A

Signle sign-on system that supports heterogeneous environments. (Sequel to Kerberos)

Answer 108

A

Heterogeneity, sophisticated access control features, scalability of public key systems, better manageability, audit and delegation. Of the improvements, public key encryption is the most compelling because it no longer requires plaintext storage of symetric keys.

Answer 109

A

Network security software/hardware
- AV logs
- IDS/IPS logs
- Remote access logs (VPN)
- Web proxy
- Vulnerability management
- Authentication servers
- Routers and firewalls
OS
- System events
- Audit records
Applications
- Client requests and server responses
- Usage info
- Significant operational actions

Answer 110

A

Logs not reviewed on regular and timely basis.
Audit logs and trails not stored long enough.
Logs are not standardized or viewable from a central location.
Log entries and alerts aren’t prioritized.
Audit records are only reviewed for the “bad stuff”

Answer 111

A

Unauthorized attackers with no authorized privileged access to a system or organization. They launch the majority of attacks but most a successfully mitigated.

Answer 112

A

MyFip worm that caused a lot of damage in 2005. Would search systems for certain file types and embed itself in them to transfer to other computers. US government suspect China was behind this.

Answer 113

A

Internal user who may be authorized to use the system that is attacked. Cause most high impact security incidents. Most successful attacks are caused by them.

Answer 114

A

Assault
Blackmail
Browsing of proprietary info
Computer abuse
Fraud/theft
Information bribery
Input of falsified, corrupt data
Interception
Malicious code
Sale of personal info
System bugs
System intrusion
System sabotage
Unauthorized system access

Answer 115

A

Computer running malware that is controlled via a botnet.

Answer 116

A

Contains a central command and control network, managed by humans called bot herders.

Answer 117

A

Managers of a botnet.

Answer 118

A

Malicious attacker that attempts to trick a user in to divulging personal information.

Answer 119

A

Similar to phishing but focuses on fewer, but higher value targets. These attacks are more targeted, typically referring to users by their full name, title, and other supporting information.

Answer 120

A

Attack that uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone, then attempts to access the system.

Answer 121

A

Attack that uses the human mind to bypass security controls.

Answer 122

A

A blind pen test, in which the tester begins with no external or trusted information and begins the attack with public information only.

Answer 123

A

A pen test in which the tester is provided internal information before the test.

Answer 124

A

A test that is a mix between full knowledge and zero knowledge.

Answer 125

A

Planning
Reconnaissance
Scanning (also called enumeration)
Vulnerability assessment
Exploitation
Reporting

Answer 126

A

A dummy file containing no regulated or sensitive data that is placed on systems being targetted by pen testers. If they can read/write to this file they can prove the attack was successful.

Answer 127

A

This is a test against a published standard.

Answer 128

A

Holistic approach to assessing the effectiveness of access control.

Brainscape's Knowledge GenomeTM

Old - Domain 1: Access Control Flashcards

Brainscape's Knowledge Genome^TM