Access Control Flashcards Preview


Flashcards in Access Control Deck (37):
0

Non-repudiation

It combines authentication and integrity.

Non-repudiation authenticates the identity of a user who performs a transaction and ensures the integrity of that transaction.

You must have both authentication and integrity to have non-repudiation.

1

Examples of MAC systems

include Honeywell’s SCOMP and Purple Penelope.

These systems were developed under tight scrutiny of the U.S. and British governments.

Another example is the Linux Intrusion Detection System (LIDS; see http://www.lids.org). Standard Linux is DAC; LIDS is a hardened Linux distribution that uses MAC.

2

Diameter

An improved AAA framework compared to RADIUS.

It uses Attribute-Value Pairs but supports many more, which makes Diameter more flexible and allows support for mobile remote users.

Uses a single server to manage policies for many services, as opposed to RADIUS, which requires many servers.

Uses TCP.

3

RADIUS is considered

an AAA system composed of three components: authentication, authorization, and accounting.

UDP 1812 (authentication) and 1813 (accounting)

RADIUS request and response data is carried in Attribute-Value Pairs (AVPs).

Can make use of both dynamic and static passwords, since it supports the PAP and CHAP protocols.

4

TACACS

a centralized access control system that requires users to send an ID and static (reusable) password for authentication.

TACACS uses UDP port 49

RADIUS encrypts only the password (leaving other data, such as username, unencrypted). TACACS+ encrypts all data below the TACACS header.

5

TACACS+

allows two-factor authentication.

TACACS+ is not backward compatible with TACACS.

TACACS+ uses TCP port 49.

RADIUS encrypts only the password (leaving other data, such as username, unencrypted). TACACS+ encrypts all data below the header.

6

Microsoft Trust Relationships

two categories: non-transitive and transitive.

Nontransitive trusts only exist between two trust partners.

Transitive trusts exist between two partners and all of their partner domains; for example, if A trusts B, in a transitive trust A will trust B and all of B’s trust partners.

8

Iris scan

a passive biometric control, high-accuracy and no exchange of bodily fluids.

9

Kerberos

uses symmetric encryption and provides mutual authentication of both clients and servers.

Based on a key distribution model.

It protects against network sniffing and replay attacks using timestamps.

10

primary weakness of Kerberos

o KDC stores the keys of all principals (clients and servers). A compromise of the KDC (physical or electronic) can lead to the compromise of every key in the Kerberos realm.

o The KDC and TGS are also single points of failure.

o Replay attacks are still possible for the lifetime of the authenticator.

o Kerberos system calls must be compiled, and that may cause a problem for some applications (legacy or off-the-shelf).

o Kerberos is designed to mitigate a malicious network. Kerberos does not mitigate a malicious local host.

11

A few key points to remember about Kerberos tickets

o The user is authenticated once via a traditional log-on process and verified by means of message encryption to request and acquire service tickets.

o When the user is authenticated to the AS, it simply receives a TGT. This, in and of itself, does not permit access. Therefore, when the user obtains a TGT, it only allows him to legitimately request access to a resource; it does not automatically mean he will receive that access.

o The possession of the ST signifies that the user has been authenticated and can be provided access.

o Kerberos processes are extremely time sensitive and often require the use of Network Time Protocol (NTP) daemons to ensure times are synchronized; otherwise this might result in a DoS condition.

12

SESAME (Secure European System for Applications in a Multivendor Environment)

SESAME adds to Kerberos: heterogeneity, sophisticated access control features, scalability of public key systems, better manageability, audit and delegation.

addresses one of the biggest weaknesses in Kerberos: the plaintext storage of symmetric keys.

The use of public key cryptography for the distribution of secret keys.

12

SESAME - notes

o It uses Privilege Attribute Certificates (PACs) in place of Kerberos' tickets.
o The use of the Kerberos V5 protocol to access SESAME components.
o The use of public key cryptography for the distribution of secret keys.
o SESAME is subject to password guessing like Kerberos.

13

Examples of SSO (single sign-on)

Scripts, directory services, thin clients, Kerberos, SESAME, NetSP, scripted access, and KryptoKnight

14

Examples of centralized access control (remote dial-in)

RADIUS, Diameter, TACACS and LDAP

15

What is an intrusive smart card attack in which the card is physically manipulated until the ROM chip can be accessed?

microprobing

16

The steps in the equipment life cycle are

1) Assessment
2) Procurement and Deployment
3) Management
4) Retirement

17

Capability tables

are attached to subjects (such as users or processes) and list their capabilities (such as read, write, and update) against system objects (such as directories and devices), i.e. the ability to use those capabilities on those objects. A capability table is a row within the access control matrix.

18

What do the columns in an access control matrix indicate?

the capabilities that multiple users have to a single resource

19

ACLs

are attached to objects and describe who has access to the object and what type of access they have. An ACL is a column within the access control matrix.

20

What is the term for a clearance in a mandatory access control environment?

a privilege

21

What is a smart card attack that allows a hacker to uncover the encryption key using reverse engineering?

fault generation

22

Which types of rules are used in the Clark-Wilson model?

certification rules and enforcement rules

23

IDS has three components

sensor, control/communication, and annunciator (relays system alert notifications).

24

Dynamic data exchange (DDE)

enables direct communication between two applications using interprocess communication (IPC) to exchange commands between themselves, such as in the client/server model.

25

Data Link Control (DLC)

a connectivity protocol that is used to connect IBM mainframe computers with LANs and in some earlier models, HP printers.

26

Access control decisions are often based on

organizational, social, or political considerations as well

27

Key items on RADIUS

Can make use of both dynamic and static passwords, since it supports the PAP and CHAP protocols.

Vulnerable to cryptographic attacks, such as a replay attack.

28

one to many means

identification

30

one-to-one means

authentication

31

Outsiders launch

most attacks

32

Insiders launch the most

successful attacks

33

What are malnets?

Malware networks, which typically consist of numerous infected web sites, desktops, laptops and, increasingly, mobile devices.

Web filtering, web proxy and user awareness are the best defenses against malnets.

34

What are malvertisements?

Web advertisements which appear to be legitimate yet direct users to download malware onto systems.

Use web filtering or web proxy technologies to block advertising.

35

Sensitive compartmented information (SCI)

is another label allowing additional control over highly sensitive information. These compartments require a documented and approved need to know in addition to a normal clearance such as top secret.

36

What does a fault generation attack mean in a smart card?

Occurs when normal physical conditions, such as temperature, clock frequency, voltage, etc., are altered in order to gain access to sensitive information on the smart card.

37

What is a common access card?

A worldwide smart card deployment by the DoD.

These cards are used for physical access control as well as with smart card readers to provide dual-factor authentication to critical systems.

CAC cards store data including cryptographic certificates as part of the DoD’s public key infrastructure (PKI).