Domain 5 Flashcards

1
Q

What is the access provisioning lifecycle?

A
  • Account administration uses best-practice recommendations to only set up accounts for people who require them.
  • Maintenance includes reviewing account data for errors and inconsistencies.
  • Monitoring includes auditing access authorizations and failures.
  • Revocation includes the removal of access when necessary.
2
Q

What is AAA?

A

1) Authentication - providing a password. Identity is who you are, and you prove this with an ID/username.
2) Authorization (user entitlement) - looks at what access rights you have.
3) Accountability (being accountable) - the actions individual users carry out. Depends upon proper identification of individuals; account sharing would negate this.

Entitlement means authorization.

3
Q

What is an identity?

A
  • Identifies someone (e.g., username/logon ID)
  • Fairly weak in terms of enforcement
  • Broken down into:
    • — positive identification
    • — negative identification
  • Key criteria:
    • — issuing of identity
    • — naming standards
    • — non-descriptive
    • — tracking and auditing
    • — unique
    • — not shared
4
Q

What is Authentication?

A
  • Proves the identity claim (passwords)
  • Validates the identity of a user
  • Involves a stronger measure than identification
  • Usually requires a key piece of information that only the user would know

NIST guidance says to stop changing passwords on a routine basis.

Based on:

  • something you know - password, PIN, etc.; simplest to implement
  • something you have - token; more expensive to implement
  • something you are - biometrics; high cost and can cause privacy issues
  • someplace you are - requiring local physical console access in a secure location; can be based on GPS devices or IP-based geolocation
5
Q

What is authorization?

A
  • Authorization defines what someone can do once they are authenticated
  • Most systems do a poor job of authorization
  • Authorization is tied closely to the principle of least privilege
6
Q

What are the characteristics of passwords?

A
  • ideal case - one-time password
  • static password
    • — normal passwords with or without expiration time - reusable
    • — user picked
    • — system generated
  • dynamic password
    • — changes every time the password-generating device is used (one time)
  • account lockout
    • — number of failed attempts
    • — within a certain time frame
    • — lock for a specified amount of time
  • something you know
  • often one of the weakest components of info sec
  • password spraying - trying many passwords across many users; lockout won't trigger because by the time you come back to the same user the failed-attempt window has passed
  • password guessing - trying many passwords against one user

Passphrase = a long password made up of multiple words, where spaces are optional. Compared to strong passwords, passphrases have less entropy per character but more overall entropy due to their length. They are better than passwords.

7
Q

What are types of password attacks?

A

1) Password guessing - simply attempting to authenticate as a user by guessing their password
2) Password cracking - an attempt to determine the cleartext password based on stolen password hashes
- — dictionary - uses a word list, hashing each entry to see whether it matches one of the stolen hashes (the attacker already has the password hashes)
- — hybrid attack - begins with a word list and then adds or changes characters (e.g., banana1; banana2; banana3)
- — brute force - attempts every possible password; eventually successful
- — rainbow tables - a pre-computation brute-force attack that calculates password hashes in advance of the hash theft: the hashes are cracked ahead of time, saved in a database and looked up later. Works only when there are no salts, i.e., only if "octopus" always produces the same hash

8
Q

What are salts?

A

A salt is a random number that is hashed along with the password.

  • ensures that identical passwords will likely result in different hashes
  • the hash is different because the salt is different
  • salts make pre-computation attacks impractical
  • they make rainbow tables ineffective
9
Q

What is a rainbow table?

A

It acts as a database that contains the pre-computed hashed output for most possible passwords.
- — they are not always complete: they may not include all possible password/hash combinations

Salts make rainbow tables ineffective.

They use a space/time trade-off: you can save space (storage of the password/hash pairs) if you are willing to spend time (CPU time required to inflate chains of passwords/hashes). The behind-the-scenes details of the space/time trade-off are fascinating.

10
Q

What is MFA?

A

Two-factor or strong authentication
- uses two different methods together to authenticate an individual

MFA can use tokens:

  • tokens are smart cards which employ a chip that allows for processing and storage of keys/certs
    • — counter-based - asynchronous dynamic password used only once. A one-time passcode is generated, but there is no time-window constraint for using the password. New passwords are generated upon use rather than simply because a certain amount of time has passed. They can be pre-generated and used at some later date
    • — time-based - synchronous dynamic password tokens; synchronous means same time. The dynamic password is constantly changing. Once the timer has expired, a brand new password will be generated and required for submission
  • Though historically hardware-based, both software-based and out-of-band approaches are common
11
Q

What are biometrics?

A

Identifying people by their physical traits.

They can be used to authenticate a person’s identity claim.

It is used for authentication much more than identification. “Who you are” means that the likelihood of misplacing the authentication device is much lower.

The trait must be individually unique

Concerns:

  • how intrusive is it?
  • can it resist forgery or counterfeiting?
  • reliability and accuracy are critical measures when selecting a biometric device
  • if the information is not properly protected, it is possible for someone to steal a biometric - this is a critical problem because a user cannot change their biometric signature
  • timeliness - initial enrollment time is a few minutes
12
Q

What are biometric identifiers?

A
  • Fingerprint - captures the minutiae of the fingerprint
  • Palm scan
  • Hand geometry - includes many characteristics of the hand such as thickness, width, length and so on
  • Voiceprint
  • Retina pattern - measures the blood vessels of the eye; intrusive: laser scan, you must press your eye against the device, and it may reveal illness information. It is uncomfortable, and you don't want something that allows disease to spread - not the best
  • Iris scan - uses a camera that recognizes an individual's eyes; not intrusive. Eye color doesn't matter; it looks at the patterns
  • Facial recognition - matches an individual's facial patterns with the patterns stored in a database

**The best is usually fingerprint or iris, depending on the situation, but mostly iris, because it can be done from across the room without the person knowing, and your irises are unique even between your own two eyes. Fingerprint advantage - inexpensive. On a laptop, fingerprint is better because it is on a laptop that you own and it is the most affordable (remember cost).

The reason for different methods is based on reliability, cost and human factors.

13
Q

What are the error rates for biometric performance?

A

1) False Reject Rate (FRR)
- Type I error
- likelihood that people who should have authenticated successfully are rejected
- a legitimate user is rejected

2) False Accept Rate (FAR)
- Type II error
- likelihood that unauthorized individuals are authenticated
- illegitimate users are accepted
- 2 is WORSE than 1 - prefer #1

3) Crossover Error Rate (CER)
- used to compare the accuracy of different devices
- the point where FRR and FAR are equal
- also known as the equal error rate (EER)

If you have a 2% crossover error rate, the system is considered 98% accurate**

You tune the sensitivity level to determine FRR and FAR; where they cross over is the CER. The more sensitive the system, the more FRR you get but the less FAR. The less sensitive, the more FAR you get but the less FRR.

14
Q

What are some biometric issues?

A

1) Key factors in selecting biometrics:
- reliability (FAR, FRR, CER/EER)
- user friendliness / acceptance
- cost

2) Additional factors:
- enrollment time - time to register by providing samples of biometric characteristics
  - acceptable enrollment time is around 2 minutes**
- throughput time - rate at which individuals, once enrolled, can be processed and identified or authenticated by a system
  - acceptable throughput rates are in the range of 10 subjects per minute, or 1 every 6 seconds

15
Q

What is single sign on? and what are the types?

A

Intended to greatly simplify authentication and decrease the amount of needed passwords.

Types:

1) Kerberos
2) SESAME

16
Q

What is Kerberos?

A

Kerberos is a symmetric-key authentication system that allows clients to securely access networked services. It is a third-party authentication service that may be used to support SSO.

  • time-limited tickets are provided to allow access
  • commonly used for single sign-on

Encryption algorithms:
- Kerberos v4 employed DES; Kerberos v5 added Triple DES and RC4

Two key services:

  • Key Distribution Center (KDC) - has access to all keys, issues TGTs
  • Ticket Granting Service (TGS) - issues service tickets
  • ***mutual authentication is a key benefit of Kerberos - one of the best things about Kerberos
  • let's say you have a rogue KDC - it doesn't know your password, so it won't be able to send you a session key encrypted with your legitimate password.
17
Q

How does Kerberos work?

A

Notes:
- The Key Distribution Center must know all users' plaintext passwords.

1) Identification - Alice has her password, which is a key. Alice wants to print on a printer called Bob. Alice goes and identifies herself.
2) Authentication - the KDC encrypts a session key with Alice's password (Alice's key). Alice now holds the session key encrypted with her own password.
3) She now has a valid session key. The KDC also sends a TGT, which Alice cannot decrypt but holds as an encrypted object. Alice uses the session key to encrypt an authenticator. If the TGS can decrypt the authenticator, then it authenticates Alice.
4) Authorization - Alice gets authorized to print.

TGT = ticket granting ticket

The KDC and TGS do not need to talk to each other; they can be on different servers. They can be on the same server, but they don't need to be.

Tickets have a lifetime of about 8-10 hours** (a work day).

18
Q

What are the attacks on Kerberos?

A

1) The KDC has passwords in plaintext - logical and physical security is paramount
2) Denial of service / availability - the KDC and TGS are single points of failure
3) Replay attacks - tickets can be copied and replayed within a certain time window
4) Password attacks / compromise - Kerberos security depends upon only the KDC and the user knowing the password

If you could rebuild Kerberos today, you would make it asymmetric.

19
Q

What is SESAME?

A

European version of Kerberos.

Distributed access controls with symmetric and asymmetric encryption.

20
Q

What are directory services?

A

SSO needs a central trusted credential source.
- directory services fit the mold nicely

A directory is the single source that can integrate with many and varied applications.

Microsoft's directory service (LDAP-based) is the most popular.

21
Q

Why do we need screensavers and timeout controls?

A

Systems that display sensitive data should enable a screensaver or log off automatically after a set period of inactivity.

Common control - screensaver after 5 minutes and automatic logoff after 10 minutes. There is no hard and fast rule on this; it depends on the sensitivity of the system, the location of the computer, regulatory mandates, etc.

22
Q

What is federated identity management?

A

Single sign-on is usually associated with authentication credentials within one enterprise. Federated identity management takes things beyond a single enterprise, so that users across multiple organizations can all authenticate to an application or service.

How can identity claims be made, properly authenticated, and then ultimately authorized for users across disparate organizations? Federated IdM helps address these very issues; the two predominant federated IdM standards are OpenID and SAML.

23
Q

What is SAML?

A

Security Assertion Markup Language (SAML) is an enterprise-oriented federated identity management platform.
- provides a standards-based means of communicating identity and authentication information

Allows users to leverage existing identity providers for authentication to disparate service providers. It also allows the communication of attributes that can be used for authorization (for example, by XACML), not just authentication.

24
Q

What are SAML terms and concepts?

A
  • Service Provider (SP) - applications that can leverage identity/authentication assertions from the IdP
  • Identity Provider (IdP) - the origin of the identity; creates the assertions accepted by the SP
  • Assertion Consumer Service - hosted by the SP; this is where the IdP sends the assertions
  • Simple SAML authentication flow:
    • — User agent requests a resource from the SP
    • — User is authenticated via the IdP
    • — User is granted access to the resource at the SP

You can go online and sign in with a common login; this is used by private companies.

25
Q

What is OPENID?

A

You can log in to a website using your Google ID.

OpenID is considered to be more consumer-oriented than SAML.

  • Identity Providers (IdP) - the sites that are sources of identity information
  • Relying Parties (RP) - the sites that can use identity information from the IdP
  • Redirect URL - the IdP provides a redirect URL informing the RP that the subject has been successfully authenticated

Security issues:

  • the more popular it is, the more targeted it will be
  • phishing attacks can happen by using a fake IdP page
  • potential for a replay attack using the redirect URL
  • the SSO aspect can make it well suited for CSRF attacks against RPs
  • many IdPs do not use HTTPS by default for their identifier
26
Q

What is Identity as a service?

A

IDaaS - SSO for the cloud

  • sometimes called cloud identity
  • dual-factor authentication and encryption are critical components of IDaaS
27
Q

What are the key terms used in access control?

A
  • Subjects: active - a user, process or device. OS subjects fall into two major groups: built-in and user-defined. Built-in subjects can take many forms, but they are defined at the time the OS is designed. User-defined subjects can encompass the built-in subjects, but admins tend to create them as the business need arises.
  • Objects: passive - an entity that contains data. Files, directories, pipes, devices, sockets, ports, etc.
  • Rules: filters - read, write, execute.
  • Labels: sensitivity - data has classification labels. Not all systems have labels. They are not permissions; a label indicates the level of sensitivity of an object.
  • Interaction - rules are evaluated to allow interaction, which is dictated by policy. Ensure that interactions between the subject and the object are verifiable, tamper-proof and irrevocable.
28
Q

What is the access control matrix?

A

The access control matrix provides a simple accounting of individual subjects and their entitlements with respect to individual objects.

  • Access control lists (ACLs) are closely related to, but distinct from, the access control matrix
  • The access control matrix has subjects as rows and objects as columns. It is closely related to the access control list and the capability table.
  • The ACL is an object-based accounting of access.
  • The capability table is access control from the point of view of the subjects. It comprises the rows of an access control matrix - e.g., what are Kim's capabilities in the system (read, write, none, read/write).
    • — It is tied to one user
    • — Adding permissions for programs launched by a user
    • — Controlling access based on objects, rights and capabilities in order to manage, track or apply additional controls
29
Q

What are types of access control models?

A

1) Mandatory (MAC) - access is controlled by the system; system enforced. Requires a lot of work to maintain because all the data has a classification and all users have a clearance. Users must have the appropriate clearance to access data classified a certain way. Users cannot give their clearance to another person. Security administrators determine and grant permission; users cannot choose permissions.
- ***write-down trojan - stealing information - cannot happen because of the environment
- — STRENGTHS: not subject to user error; stricter controls; controls across multiple systems; helps prevent leakage; controlled by the system
- — WEAKNESSES: protects info only in digital form; assumes trusted admins; assumes proper levels are applied to users; assumes users don't share accounts; assumes proper physical security is in place

2) Discretionary (DAC) - consists of something the user can manage, such as a username or password. For example, a user might choose to give a document password to someone without notifying the admin.
- the owner can change security attributes
- default permissions are set in an ACL. However, a user can change the access permission in an admin function if they have access. DAC combines user and admin roles
- — STRENGTHS: it is dynamic and fast; access can be given as needed without cumbersome background investigations and can accommodate changing business needs; users are granted full control over objects they create; allows the administration of access control to be distributed to users that are close to the data
- — WEAKNESSES: users will make mistakes or are not always trustworthy. This can lead to unauthorized access being granted, leakage of data, etc.; data can be lost, modified or deleted.

3) Non-discretionary - consists of a central authority determining which objects a subject can access based on the security policy.
- — Rule-Based Access Control
- — Role-Based Access Control (RBAC)
- — Attribute-Based Access Control (ABAC)

30
Q

What is RBAC?

A

Admins assign users to roles, which identify users as members of a specific group based on their capabilities, work requirements and responsibilities.

  • Non-RBAC: users are granted access via ACLs - not using RBAC at all
  • Limited RBAC: user access is mapped to applications - you have only local accounts, no Active Directory. No SSO, just local credentials
  • Hybrid RBAC: a user is assigned a role that is assigned access to applications or systems; a mix of limited and full. Things that cannot use AD use local accounts, and those that can use AD
  • Full RBAC: full SSO through Active Directory - controlled by roles and applied to applications and systems; fully developed
31
Q

What is ABAC?

A

Attribute-based access control (ABAC)
- Subjects request to perform operations on objects and are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies that are specified in terms of those attributes and conditions.

Access based exclusively on identity or role is cumbersome. ABAC makes decisions based on subject/object attributes.

Attributes:

  • role
  • classification
  • clearance level
  • personally owned device
  • MFA token authentication

ABAC environmental conditions:

  • access origin
  • time of day
  • geolocation
32
Q

What are some additional forms of access control?

A

Content-dependent - based on the actual content (e.g., you have access to the internet but not to certain sites, based on their content).

Context-dependent - access decisions are not based solely on identity. They are based on what you are trying to access and the events preceding the access attempt, e.g., limited to 100 connections a day.

33
Q

What is CAPTCHA

A

It is a mechanism for enforcing context-dependent access control - wavy, distorted text you have to type to prove you are not a robot, or a question such as how many street lights are in a picture to show you aren't a robot.

It stops malware or automated processes from logging in.

34
Q

What is constrained user interface?

A

Limits the attack surface by limiting what you can see or enter. Restrictions are based on roles or privileges.

E.g., limited menu options in an app, such as a hotel kiosk that prints boarding passes only.

35
Q

What is temporal (Time based) isolation?

A

E.g., a payroll system runs in two modes: time entry is open, but at 9am you can no longer enter time cards, and the system opens again at 12pm.

Access changes over time. When it is done running payroll, it accepts new time submissions, but it freezes them while payroll is running.

A set of processes running on the same node without interference among the other processes.

Restrictions are managed based on time periods.