Access Control Flashcards

Flashcards in Access Control Deck (37):


It combines authentication and integrity.

Non-repudiation authenticates the identity of a user who performs a transaction and ensures the integrity of that transaction.

You must have both authentication and integrity to have non-repudiation.


Examples of MAC systems

include Honeywell’s SCOMP and Purple Penelope.

These systems were developed under tight scrutiny of the U.S. and British governments.

Another example is the Linux Intrusion Detection System (LIDS). Standard Linux is DAC; LIDS is a hardened Linux distribution that uses MAC.



An improved AAA framework compared to RADIUS.

It uses Attribute-Value Pairs but supports many more, which makes Diameter more flexible and allows support for mobile remote users.

Diameter uses a single server to manage policies for many services, as opposed to RADIUS, which requires many servers.

Uses TCP


RADIUS is considered

an AAA system composed of three components: authentication, authorization, and accounting.

UDP 1812 (authentication) and 1813 (accounting)

RADIUS request and response data is carried in Attribute-Value Pairs (AVPs).

can make use of both dynamic and static passwords, since it uses the PAP and CHAP protocols.



a centralized access control system that requires users to send an ID and static (reusable) password for authentication.

TACACS uses UDP port 49

RADIUS encrypts only the password (leaving other data, such as username, unencrypted). TACACS+ encrypts all data below the TACACS header.



allows two-factor authentication.

TACACS+ is not backward compatible with TACACS.

TACACS+ uses TCP port 49

RADIUS encrypts only the password (leaving other data, such as username, unencrypted). TACACS+ encrypts all data below the header.


Microsoft Trust Relationships

two categories: non-transitive and transitive.

Non-transitive trusts only exist between two trust partners.

Transitive trusts exist between two partners and all of their partner domains; for example, if A trusts B, in a transitive trust A will trust B and all of B’s trust partners.


Iris scan

a passive biometric control with high accuracy and no exchange of bodily fluids.



uses symmetric encryption and provides mutual authentication of both clients and servers.

Based on a key distribution model.

It protects against network sniffing and replay attacks using timestamps.


primary weakness of Kerberos

o The KDC stores the keys of all principals (clients and servers). A compromise of the KDC (physical or electronic) can lead to the compromise of every key in the Kerberos realm.

o The KDC and TGS are also single points of failure.

o Replay attacks are still possible for the lifetime of the authenticator.

o Kerberos system calls must be compiled, and that may cause a problem for some applications (legacy or off-the-shelf).

o Kerberos is designed to mitigate a malicious network. Kerberos does not mitigate a malicious local host.


A few key points to remember about Kerberos tickets

o The user is authenticated once via a traditional log-on process and verified by means of message encryption to request and acquire service tickets.

o When the user is authenticated to the AS, it simply receives a TGT. This, in and of itself, does not permit access. Therefore, when the user obtains a TGT, it only allows him to legitimately request access to a resource; it does not automatically mean he will receive that access.

o The possession of the ST signifies that the user has been authenticated and can be provided access.

o Kerberos processes are extremely time sensitive and often require the use of Network Time Protocol (NTP) daemons to ensure times are synchronized; otherwise this might result in a DoS condition.


SESAME (Secure European System for Applications in a Multivendor Environment)

SESAME adds to Kerberos: heterogeneity, sophisticated access control features, scalability of public key systems, better manageability, audit and delegation.

addresses one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys.

The use of public key cryptography for the distribution of secret keys.


SESAME - notes

o It uses Privilege Attribute Certificates (PACs) in place of Kerberos' tickets.
o The use of the Kerberos V5 protocol to access SESAME components.
o The use of public key cryptography for the distribution of secret keys.
o SESAME is subject to password guessing like Kerberos.


Examples of SSO (single sign-on)

Scripts, directory services, thin clients, Kerberos, SESAME, NetSP, scripted access, and KryptoKnight


Examples of centralized access control (remote dial-in)



What is an intrusive smart card attack in which the card is physically manipulated until the ROM chip can be accessed?



The steps in the equipment life cycle are

1) Assessment
2) Procurement and Deployment
3) Management
4) Retirement


Capability tables

are attached to subjects (like users/processes) and list their capabilities (like read, write, and update) against system objects (like directories and devices), i.e. the ability to use those capabilities on those objects. It is a row within the matrix.


What do the columns in an access control matrix indicate?

the capabilities that multiple users have to a single resource



are attached to objects; they describe who has access to the object and what type of access they have. It is a column within the matrix.


What is the term for a clearance in a mandatory access control environment?

a privilege


What is a smart card attack that allows a hacker to uncover the encryption key using reverse engineering?

fault generation


Which types of rules are used in the Clark-Wilson model?

certification rules and enforcement rules


IDS has three components

sensor, control/communication, and enunciator (relays system alert notifications).


Dynamic data exchange (DDE)

enables direct communication between two applications using interprocess communications (IPC) to exchange commands between themselves such as in the client/server model


Data Link Control (DLC)

a connectivity protocol that is used to connect IBM mainframe computers with LANs and in some earlier models, HP printers.


Access control decisions are often based on

organizational, social, or political considerations as well


Key items on RADIUS

can make use of both dynamic and static passwords, since it uses the PAP and CHAP protocols.

vulnerable to cryptographic attacks, such as replay attacks.


one to many means



one-to-one means



Outsiders launch

most attacks


Insiders launch the most

successful attacks


What are malnets?

are malware networks which typically consist of numerous infected web sites, desktops, laptops and increasingly mobile devices.

Web filtering, web proxy and user awareness are the best defenses against malnets.


What are malvertisements?

are web advertisements which appear to be legitimate yet direct users to download malware onto systems.

Use web filtering or web proxy technologies to block advertising.


Sensitive compartmented information (SCI)

is another label allowing additional control over highly sensitive information. These compartments require a documented and approved need to know in addition to a normal clearance such as top secret.


What does a fault generation attack mean in smart cards?

occurs when normal physical conditions (such as temperature, clock frequency, voltage, etc.) are altered in order to gain access to sensitive information on the smart card.


What is a common access card?

a worldwide smart card deployment by the DoD.

These cards are used for physical access control as well as with smart card readers to provide dual-factor authentication to critical systems.

CAC cards store data including cryptographic certificates as part of the DoD’s public key infrastructure (PKI).