Access Control Flashcards

(231 cards)

0
Q

Is a passive entity (system or process) a subject or an object?

A

Object

1
Q

Is an active entity (individual or process) a subject or object?

A

Subject

3
Q

Which type of control is used to reduce risk?

Preventative, deterrent, corrective, recovery, detective, compensating, directive

A

Preventative

4
Q

Which type of control identifies violations and incidents?

Preventative, corrective, detective, compensating, recovery, deterrent, directive

A

Detective

5
Q

Which type of control is used for remediating violations and incidents and improving preventative and detective controls?
(Preventative, detective, deterrent, corrective, compensating, recovery, directive)

A

Corrective

6
Q

Which control is used for discouraging violations?

Preventative, corrective, deterrent, recovery, detective, compensating, directive

A

Deterrent

7
Q

Which type of control is used for restoring systems and information?
(Preventative, detective, deterrent, corrective, recovery, compensating, directive)

A

Recovery

7
Q

Which of these determines whether a subject can log in?

Authentication, Authorisation, Accountability

A

Authentication (it verifies the claimed identity; authorisation then decides what the authenticated subject may do)

8
Q

Which control provides alternative ways of achieving a task?

Preventative, corrective, recovery, compensating, detective, deterrent, directive

A

Compensating

9
Q

Which of these determines what a subject can do, i.e. its access rights and permissions? (Authentication, authorisation, accountability)

A

Authorisation (or establishment)

10
Q

What is non-repudiation?

A

It means that a user can’t deny an action because their identity is positively associated with their actions

11
Q

Which of these determines what a subject did?

Authorisation, authentication, accountability

A

Accountability

12
Q

For the CISSP exam, is an ATM card (used with its PIN) considered two-factor authentication?

A

Yes: the card is something you have and the PIN is something you know.

13
Q

How long must a Windows password be so that no LM hash of it is stored in Active Directory or the local SAM (Security Account Manager)?

A

15 characters or longer (Windows then stores only the NT hash of the password; the weak LM hash is omitted)

14
Q

Biometrics: what is a one-to-one search?

A

Verification: the presented biometric is compared against the single stored template of the identity the user claims

15
Q

Biometrics: what is a one-to-many search?

A

Identification: the presented biometric is compared against every template in a database to determine who the user is

16
Q

In which type of authentication system is a false reject rate (type I error) measured?

A

Biometric system

17
Q

Note for exam: is biometric authentication on its own considered 2FA?

A

No: a biometric alone is a single factor (something you are); it becomes 2FA only when combined with a different factor such as a PIN or token

18
Q

What is a false reject rate (FRR) or type 1 error?

A

The percentage of authorised users to whom a system incorrectly denies access

19
Q

What is a false accept rate (far) or type 2 error?

A

The percentage of unauthorised users to whom the system incorrectly grants access

20
Q

In biometrics what is the crossover error rate (CER)?

A

The point at which the false accept rate equals the false reject rate

21
Q

Which of these is considered the most important in biometric system accuracy? (False accept rate, false reject rate, crossover error rate)

A

Crossover error rate
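Worked example (added here; not one of the original cards) showing how the three figures on cards 18 to 21 come out of matcher output: a decision threshold is swept over genuine and impostor similarity scores, each threshold gives an FRR and a FAR, and the CER is the threshold where the two curves cross. The score lists, the 0 to 100 score scale and the accept-if-at-or-above-threshold rule are constructed for illustration, not measurements from a real system.

```python
"""Added example: FRR / FAR / CER from constructed biometric matcher scores."""
from dataclasses import dataclass

# Constructed sample data (not real measurements): similarity scores on a 0-100
# scale from a hypothetical matcher. GENUINE are enrolled users compared against
# their own template; IMPOSTOR are other people compared against that template.
GENUINE = [88, 91, 79, 95, 84, 72, 90, 86, 93, 68, 81, 89, 77, 92, 85]
IMPOSTOR = [31, 45, 52, 28, 60, 39, 48, 71, 35, 55, 42, 66, 50, 37, 58]


@dataclass(frozen=True)
class ErrorRates:
    threshold: int
    frr: float  # false reject rate, type I error: genuine users wrongly denied
    far: float  # false accept rate, type II error: impostors wrongly admitted


def error_rates(threshold: int, genuine=GENUINE, impostor=IMPOSTOR) -> ErrorRates:
    """Accept a presentation when its score is at or above the threshold.

    Raising the threshold lowers FAR (harder for impostors) but raises FRR
    (more genuine users fail), which is why one tuning knob cannot minimise
    both errors at once.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return ErrorRates(threshold, frr, far)


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR) -> ErrorRates:
    """Sweep every integer threshold and return the point where FRR and FAR are
    closest: the crossover error rate (CER), the single figure usually quoted
    for a biometric system's accuracy. Ties resolve to the lowest threshold."""
    candidates = [error_rates(t, genuine, impostor) for t in range(0, 101)]
    return min(candidates, key=lambda r: (abs(r.frr - r.far), r.threshold))


if __name__ == "__main__":
    cer = crossover_error_rate()
    print(f"CER at threshold {cer.threshold}: FRR={cer.frr:.3f} FAR={cer.far:.3f}")
    for t in (50, cer.threshold, 90):
        r = error_rates(t)
        print(f"threshold {t:>3}: FRR={r.frr:.3f} FAR={r.far:.3f}")
```

With these constructed scores, tightening the threshold to 90 drives FAR to zero but rejects two thirds of legitimate users, the trade-off that makes CER, rather than FAR alone, the figure to compare systems on.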

22
Q

CISSP answer: what is the most common difficulty about implementing a biometric system?

A

User acceptance

23
Q
Generally accepted standards for biometric systems
Accuracy =
Speed =
Throughput =
Enrolment time =
A

Accuracy = crossover error rate less than 10%
Speed = 5 seconds
Throughput = 6 to 10 per minute
Enrolment time = less than 2 mins

24
What is the difference between a finger-scan system and a fingerprint system?
Finger-scan systems don't store an image of the fingerprint, but rather a digitised file (template) describing its unique characteristics
25
What are the two benefits of a finger-scan system over a fingerprint system?
- Less storage and processing resources - Greater user acceptance, since no image of the fingerprint is stored (addresses privacy concerns)
26
What is a hand geometry system?
Digitise image recording length, width, height and other unique characteristics of hand and fingers
27
Biometrics: what is the difference between a retina pattern and an iris pattern?
A retina scan records the unique pattern of blood vessels at the back of the eye; an iris scan records the unique pattern of the coloured ring surrounding the pupil.
28
What is the most secure biometric system? | Fingerprint/scan, hand geometry, iris pattern, retina pattern, signature, voice recognition, keystroke dynamics
Iris pattern
29
Two examples of one time passwords are:
- Tokens - S/Key protocol
30
What are the 3 general types of tokens?
- static password tokens - synchronous dynamic password tokens - asynchronous (challenge-response) dynamic password tokens
31
Which type of token is a digital certificate? - static password token - synchronous dynamic password token - asynchronous dynamic password token (challenge-response)
Static password token
32
Which type of token uses fixed time intervals? Static password token Synchronous dynamic password token Asynchronous dynamic password token (challenge-response)
synchronous dynamic password token
33
Which type of token uses challenge-response? Static password token Synchronous dynamic password token Asynchronous dynamic password token
Asynchronous dynamic password token
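Added example (not part of the original cards) of the S/Key style one-time password scheme named on card 29: the client derives password number n as the n-th iteration of a one-way hash over a secret, and the server only ever stores the last value it accepted, so each password is valid once and a copied server record gives an attacker nothing usable. SHA-256, the seed value and the chain length are illustrative choices; the original S/Key used MD4/MD5 and 64-bit values.

```python
"""Added example: hash-chain one-time passwords in the style of S/Key."""
import hashlib


def _h(value: bytes) -> bytes:
    """One-way step of the chain (S/Key used MD4/MD5; SHA-256 is an illustrative choice)."""
    return hashlib.sha256(value).digest()


def hash_chain(secret: bytes, n: int) -> bytes:
    """H^n(secret): apply the hash n times."""
    out = secret
    for _ in range(n):
        out = _h(out)
    return out


class SKeyServer:
    """Holds H^count(secret) at enrolment and afterwards only the last accepted OTP.

    The next valid password is the preimage of the stored value, so the stored
    value cannot be turned into a password, and a captured password cannot be
    replayed because it no longer hashes to what the server now holds.
    """

    def __init__(self, last: bytes, count: int):
        self.last = last
        self.remaining = count

    def verify(self, otp: bytes) -> bool:
        if self.remaining == 0 or _h(otp) != self.last:
            return False
        self.last, self.remaining = otp, self.remaining - 1
        return True


class SKeyClient:
    """Knows the secret and walks the chain downwards: H^(count-1), H^(count-2), ..., H^0."""

    def __init__(self, secret: bytes, count: int):
        self.secret = secret
        self.next_index = count - 1

    def next_otp(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-enrol with a fresh secret")
        otp = hash_chain(self.secret, self.next_index)
        self.next_index -= 1
        return otp


def enrol(secret: bytes, count: int):
    """Enrolment: the server receives H^count(secret) only, never the secret itself."""
    return SKeyClient(secret, count), SKeyServer(hash_chain(secret, count), count)


if __name__ == "__main__":
    client, server = enrol(b"constructed-seed", 5)   # constructed secret for the demo
    first = client.next_otp()
    print("first login:", server.verify(first))
    print("replayed   :", server.verify(first))
```

The chain must be re-seeded before it runs out; the client raises rather than wrapping around, because reusing any value would hand an eavesdropper a valid password.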
34
Name a third party ticket based solution that uses SSO
Kerberos (symmetric key authentication protocol)
35
Basic Kerberos Operation
1. The client prompts the subject for a username and password. From the password the client derives and temporarily stores the subject's secret key, then sends the username to the Authentication Server (AS) on the Key Distribution Centre (KDC).
2. The AS verifies that the user exists in the KDC database. The KDC's Ticket Granting Service (TGS) generates a client/TGS session key, encrypted with the subject's secret key, and a Ticket Granting Ticket (TGT) containing the subject's identification, the client network address, the ticket validity period and the client/TGS session key. The TGT is encrypted with the TGS's own secret key; the encrypted session key and the TGT are both sent to the client.
3. The client decrypts the client/TGS session key with the secret key derived from the subject's password (this is what authenticates the user: a wrong password yields a wrong key) and erases the stored secret key. The client cannot decrypt the TGT, which the TGS encrypted with its own secret key.
4. When the subject requests access to an object (a server), the client sends the TGT, the object identifier (server name) and an Authenticator to the TGS on the KDC. The Authenticator is a separate message containing the client ID and a time stamp, encrypted with the client/TGS session key.
5. The TGS generates a client/server session key, encrypted with the client/TGS session key, and a service ticket containing the subject ID, client network address, validity period and the client/server session key. The service ticket is encrypted with the secret key of the object (server). Both are sent to the client.
6. The client decrypts the client/server session key with the client/TGS session key. It cannot decrypt the service ticket, which is encrypted with the server's secret key.
7. The client now communicates directly with the server, sending the service ticket and a new Authenticator (subject ID and time stamp) encrypted with the client/server session key. The server decrypts the service ticket with its own secret key, recovers the client/server session key from it and uses that key to decrypt the Authenticator.
If the subject ID and time stamp are valid (they match the subject ID, client network address and validity period in the service ticket), communication between client and server is established, and the client/server session key protects the traffic between subject and object.
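The seven steps above, as an added example that is not part of the original cards: a single-process simulation in which the KDC (AS and TGS), the client and a service exchange the messages described, with the ticket and Authenticator checks that let the protocol resist replay. The toy `seal`/`unseal` cipher (SHA-256 keystream plus HMAC), the password-to-key derivation, the principal names, the five-minute lifetimes and the client address are assumptions for illustration; real Kerberos uses its own encryption types and string-to-key functions.

```python
"""Added example: the Kerberos AS / TGS / AP exchanges simulated in one process."""
import hashlib, hmac, json, os, time

TICKET_LIFETIME = 300   # seconds (assumed; real deployments use hours)
CLOCK_SKEW = 300        # maximum authenticator age accepted (Kerberos' usual 5 minutes)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption standing in for Kerberos encryption types."""
    plain = json.dumps(msg).encode()
    nonce = os.urandom(12)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


def password_key(password: str) -> bytes:
    """Stand-in for Kerberos string-to-key: the subject's long-term secret key."""
    return hashlib.sha256(password.encode()).digest()


def authenticator(session_key: bytes, user: str) -> bytes:
    """Separate message proving possession of the session key right now."""
    return seal(session_key, {"user": user, "timestamp": time.time()})


def check_authenticator(auth: dict, ticket: dict) -> None:
    """Identity must match the ticket, ticket must be unexpired, timestamp fresh."""
    now = time.time()
    if auth["user"] != ticket["user"]:
        raise PermissionError("authenticator does not match ticket")
    if now > ticket["expires"] or abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise PermissionError("ticket expired or authenticator stale")


class KDC:
    """Authentication Server (AS) and Ticket Granting Service (TGS) in one place."""

    def __init__(self, principals: dict):
        self.principals = principals      # principal name -> long-term secret key
        self.tgs_key = os.urandom(32)     # only the TGS can open TGTs

    def as_exchange(self, user: str, client_addr: str):
        """Step 2: (client/TGS session key under the user's key, TGT under the TGS key)."""
        user_key = self.principals[user]   # KeyError: user not in the KDC database
        session = os.urandom(32).hex()
        tgt = {"user": user, "addr": client_addr,
               "expires": time.time() + TICKET_LIFETIME, "session_key": session}
        return seal(user_key, {"session_key": session}), seal(self.tgs_key, tgt)

    def tgs_exchange(self, tgt_blob: bytes, auth_blob: bytes, service: str):
        """Step 5: (client/server session key under the client/TGS key, service ticket under the server's key)."""
        tgt = unseal(self.tgs_key, tgt_blob)
        tgs_session = bytes.fromhex(tgt["session_key"])
        check_authenticator(unseal(tgs_session, auth_blob), tgt)
        svc_session = os.urandom(32).hex()
        ticket = {"user": tgt["user"], "addr": tgt["addr"],
                  "expires": time.time() + TICKET_LIFETIME, "session_key": svc_session}
        return seal(tgs_session, {"session_key": svc_session}), seal(self.principals[service], ticket)


def server_accept(service_key: bytes, ticket_blob: bytes, auth_blob: bytes) -> str:
    """Step 7, server side: open the ticket with its own key, then the Authenticator
    with the session key found inside; returns the authenticated user."""
    ticket = unseal(service_key, ticket_blob)
    auth = unseal(bytes.fromhex(ticket["session_key"]), auth_blob)
    check_authenticator(auth, ticket)
    return ticket["user"]


def kerberos_login(kdc: KDC, user: str, password: str, service: str, addr: str = "10.0.0.5") -> str:
    """Client side of steps 1-7; returns the user name the service accepted."""
    user_key = password_key(password)                                           # 1
    enc_session, tgt = kdc.as_exchange(user, addr)                              # 2
    tgs_session = bytes.fromhex(unseal(user_key, enc_session)["session_key"])  # 3: wrong password -> ValueError
    del user_key                                                                # 3: client erases the secret key
    enc_svc, service_ticket = kdc.tgs_exchange(tgt, authenticator(tgs_session, user), service)  # 4-5
    svc_session = bytes.fromhex(unseal(tgs_session, enc_svc)["session_key"])   # 6
    # The service holds its own copy of its key (its keytab); it is looked up from
    # the KDC's table here only because the whole exchange runs in one process.
    return server_accept(kdc.principals[service], service_ticket, authenticator(svc_session, user))  # 7
```

Usage: `kerberos_login(KDC({"alice": password_key("pw"), "fileserver": os.urandom(32)}), "alice", "pw", "fileserver")` returns `"alice"`; a wrong password fails at step 3 without the KDC ever seeing it, and a ticket presented with a stale or mismatched Authenticator is refused by `check_authenticator`.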
36
Two common issue with using SSO
- grants access to entire network and systems with single password - doesn't always integrate well in different systems
37
In Kerberos, what is a session key?
A dynamic key that is generated when needed, shared between two principals and then deleted when no longer needed
38
In Kerberos, what is a secret key?
A static key used to encrypt a session key
39
What does SESAME stand for?
Secure European System for Applications in a Multi-vendor Environment
40
Which ticket based system uses symmetric and asymmetric cryptography to distribute secret keys and securely transmit data? Kerberos or SESAME
SESAME
41
Which ticket based system uses public key cryptography to communicate between different organisations or security domains?
SESAME
42
Which ticket based system has the following security flaws? (Kerberos, SESAME, KryptoKnight) - it uses an XOR function for encryption - it performs authentication based on a small segment of a message instead of entire message - it's key generation is not very random - it's vulnerable to password guessing attacks
SESAME
43
Which ticket based system provides peer to peer relationships between the KDC and it's principals, provides two party authentication, key distribution and data integrity services? (Kerberos, SESAME, KryptoKnight)
KryptoKnight
44
Which ticket based system can function at any layer of the OSI model and doesn't use clock synchronisation? (Kerberos, SESAME, KryptoKnight)
KryptoKnight
45
What is a nonce?
A "number used once": a randomly generated value that is valid for a single authentication or session, so that a captured exchange cannot be replayed
46
What are three examples of ticket based technologies that provide SSO services?
Kerberos, SESAME, KryptoKnight
47
Which two methodologies generally define access controls?
- Centralised - Decentralised
48
Remote Access Service (RAS) utilises the Point to Point Protocol (PPP). Which 3 types of centralised authentication types use this?
PAP - Password Authentication Protocol CHAP - Challenge Handshake Authentication Protocol EAP - Extensible Authentication Protocol
49
Which authentication protocol uses a two-way handshake between the peer and the authenticator? PAP, CHAP or EAP
PAP
50
Which authentication protocol transfers passwords in clear text and is susceptible to replay and brute force attacks? PAP, CHAP or EAP
PAP
51
Which two packets make up PAP's two-way handshake?
Authenticate-Request (carrying the peer ID and password) and Authenticate-Ack (or Authenticate-Nak on failure)
52
Which authentication protocol uses a 3 way handshake? | PAP, CHAP or EAP
CHAP
53
Which authentication protocol uses Shared Secrets? | PAP, CHAP or EAP
CHAP
54
What enhancement to CHAP allows the server to store the shared secret as a one-way hash instead of in cleartext?
MS-CHAP: the server keeps the NT hash of the password (an MD4 hash) and both sides compute the response from that hash, whereas standard CHAP's MD5 response requires the cleartext secret on both sides
55
Which authentication protocol utilises multiple authentication mechanisms including MD5-challenge, S/Key, generic token cards, digital certs, etc. PAP, CHAP or EAP
EAP
56
Which authentication protocol does a wireless network commonly implement? PAP, CHAP or EAP
EAP
57
Which authentication protocol runs over UDP at the application layer and provides authentication, authorisation and accounting (AAA)?
RADIUS
58
What are the benefits of Diameter, the successor to RADIUS?
- Runs over TCP or Stream Control Transmission Protocol (SCTP) rather than UDP - Secures the transport with IPsec or TLS - Peer-to-peer: either side can initiate messages, not only the client
59
What are the benefits of the authentication protocol TACACS (Terminal Access Controller Access Control System)?
Supports various authentication mechanisms and allows more granular authorisation parameters
60
LDAP, RAS (PAP, CHAP, EAP), RADIUS, Diameter, TACACS are all type of what system for remote access? Centralised or decentralised?
Centralised
61
Which type of access control system describes a distributed database, multi-domain or trust environment? Centralised or decentralised?
Decentralised
62
Data access controls fall into 2 categories. What are they?
Discretionary and mandatory
63
If an access control is Discretionary who determines the policy? owner or system.
Owner
64
File/data ownership and access right/permission are an important concept of which access control technique? Discretionary or Mandatory
Discretionary
65
What are the 3 basic access rights?
Read, Write and Execute
66
What is an access control list (ACL)?
Defines the access rights/permissions that a subject has on an object
67
ACL's and role based controls are techniques used for which type of access control? Discretionary or Mandatory.
Discretionary
68
The following are 3 disadvantages to using which type of access control method? Discretionary or Mandatory? - lack of centralised admin - reliance on resource owner defining controls - difficult to audit due to large number of logs generated
Discretionary
69
Which type of access policy is determined by the system? Discretionary or Mandatory.
Mandatory
70
Sensitivity labels and Data Import/Export are two important concepts of which type of access control? discretionary or mandatory?
Mandatory
71
Which model uses a mathematical structure that defines greatest lower bound and least upper bound values for a pair of elements, i.e. a subject and an object? (It can be used to determine the least level of privilege needed to access a set of files.) Rule-based or lattice-based?
Lattice-based
72
lattice-based is an access control methods for which type of access? Discretionary or Mandatory?
Mandatory
73
The following disadvantages are akin to which type of access control? Discretionary or mandatory? - user frustration - difficult to implement and program - not flexible
Mandatory
74
Access Models: Which of these access models was purely developed for confidentiality? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model.
Bell-La Padula
75
The basic premise of which access model is that information cannot flow downward? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model
Bell-La Padula
76
Which access model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model) do the following two properties relate to: - Simple Security Property (SS Property) - *-Property (Star Property)
Bell-La Padula
77
Which property defines that a subject cannot read information from an object of a higher sensitivity label? - Simple Security Property (SS Property) - *-Property (Star Property)
Simple Security Property (SS Property)
78
Which property defines that a subject cannot write information to an object of a lower sensitivity label? - Simple Security Property (SS Property) - *-Property (Star Property)
*-Property (Star Property)
79
Access Models: Which of these access models addresses only the first goal of integrity? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model.
Biba
80
The following two properties represent which access model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)? - Simple Integrity Property - *-integrity Property (Star Integrity Property)
Biba
81
Which property defines that a subject cannot read information from an object that has a lower integrity level (no read down) - Simple Integrity Property - *-integrity Property (Star Integrity Property)
Simple Integrity Property
82
Which property defines that a subject cannot write information to an object with a higher integrity level (no write up) - Simple Integrity Property - *-integrity Property (Star Integrity Property)
*-integrity Property (Star Integrity Property)
83
Which two access control models use the lattice-based model? Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model
Biba and the Information Flow Model
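Added example, not one of the original cards: the lattice from card 71 implemented as a label of level plus compartments, with least upper bound (join) and greatest lower bound (meet), and the Bell-La Padula and Biba rules from cards 77, 78, 81 and 82 checked against it. The classification names, the compartment names and the use of one label set for both sensitivity and integrity levels are assumptions for illustration.

```python
"""Added example: a security lattice with Bell-LaPadula and Biba access rules."""
from dataclasses import dataclass

# Assumed ordering of levels; real systems define their own.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # e.g. {"NATO", "CRYPTO"}

    def dominates(self, other: "Label") -> bool:
        """The lattice's partial order: level at least as high AND every one of the
        other's compartments. Two labels can be incomparable (neither dominates)."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the lowest label dominating both, e.g. the label a
    document merging material from both must carry."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound: the highest label both dominate, e.g. the most a
    subject cleared for both may release to a reader cleared for either."""
    level = a.level if LEVELS[a.level] <= LEVELS[b.level] else b.level
    return Label(level, a.compartments & b.compartments)


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (confidentiality): ss-property = no read up, *-property = no write down."""
    if op == "read":
        return subject.dominates(obj)   # read only at or below own clearance
    if op == "write":
        return obj.dominates(subject)   # write only at or above own clearance
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): simple integrity = no read down, *-integrity = no write up.
    Same lattice with the rules mirrored; read the labels as integrity levels here."""
    if op == "read":
        return obj.dominates(subject)   # read only from equal or higher integrity
    if op == "write":
        return subject.dominates(obj)   # write only to equal or lower integrity
    raise ValueError(f"unknown operation {op!r}")
```

The compartment check is what makes this a lattice rather than a simple ladder: a TOP SECRET/CRYPTO subject cannot read a SECRET/NATO object because the two labels are incomparable, and their join (TOP SECRET with both compartments) is the label any document combining them must carry.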
84
Which access control model addresses all 3 goals of integrity? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Clark-Wilson
85
Which access control model (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model) identifies requirements for inputting data based on the following items and procedures? - Unconstrained Data Item - Constrained Data Item - Integrity Verification Procedures - Transformation procedures
Clark-Wilson
86
Which access control model ensures that objects and subjects do not see the actions of other objects and subjects on the same system, ie cannot see changes made? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Non-interference model
87
Which access control model provides access rights to subjects in a DAC system? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Access Matrix Model
88
Which access control model assigns security classes and values to objects and uses a security policy to direct the flow of information? (Bell-La Padula, Biba, Clark-Wilson, Non-interference model, Access Matrix model, Information Flow Model)
Information Flow Model
89
What is the difference between a brute force attack and a dictionary attack?
A dictionary attack tries candidate passwords from a predefined word list; a brute force attack tries every possible combination of characters
90
What is the best way to protect against brute force and dictionary attacks?
Protecting Security Account Databases and Password files.
91
A buffer or stack overflow attack most commonly results in what type of attack?
Denial of service (the overflowed process crashes), although a crafted overflow can also run attacker-supplied code
92
Vulnerabilities in the IP protocol (fragment reassembly) can be exploited by which type of attack?
Teardrop attack, which sends overlapping IP fragments that crash the target's reassembly code
93
What is the best way to protect against a buffer/stack overflow/denial of service attack?
Identify and patch vulnerabilities in the system/network/applications.
94
What is the difference between a Man in the Middle Attack and Session Hi-jacking?
In session hi-jacking the attacker impersonates the intended recipient instead of modifying messages in transit
95
John the Ripper and L0phtCrack are both commonly used for which type of attack?
Dictionary attack (both tools also support brute force cracking)
96
Using two factor authentication or an account lockout policy can protect against which types of attacks?
Brute Force and Dictionary Attacks
97
What four common tactics should be deployed to protect against Access Control Attacks?
- Vulnerability analysis - Threat modelling - Asset valuation - Access aggregation
98
What is another name for ensuring a security specification is created and tested during the design phase to identify likely threats, countermeasures, vulnerabilities, etc?
Threat Modeling
99
What is another name for combining user access rights, permissions, privileges in single or multiple systems ie SSO?
Access Aggregation
100
Which pen test term defines probing a system to determine which TCP/UDP ports are open (listening) on it?
Port Scanning
101
Which pen test term defines the process of scanning an online application for an vulnerabilities or weaknesses?
Application Scanning
102
In which type of testing does a tester have no prior knowledge of the system he/she is testing? - black box testing - white box testing - grey box testing
Black box testing
103
Which pen test term defines the process of scanning a network for any host computers?
Host Scanning
104
What is an allow by default policy?
allowing access to any information unless there is a specific need to restrict that access
105
A deny by default access control philosophy is commonly used by government/military organisations and commercial enterprises. What does it mean?
any access that is not specifically permitted is denied
106
What should be the first step for an access control strategy?
defining a core philosophy, ie allow by default or deny by default
107
What is a general 3 step process for determining access controls?
1. Defining resources 2. Determining users 3. Specifying the users' use of the resources
108
An organisation should have multiple access control strategies. True or False?
False
109
What should be the first element of an effective access control program?
to establish an access control policy and associated standards and procedures.
110
What is the primary objective of separation of duties?
to prevent fraud and errors
111
What should be the first action to employ separation of duties in a process or work function?
define the individual elements of the process
112
Which two factors must be addressed in determining the applicability of separation of duties?
- The sensitivity of the function under consideration - The elements within a process that lend themselves to distribution
113
What are 4 important concepts when defining user access control?
- Least privilege: a user or process is given no more access privilege than necessary to perform a job, task or function
- Need to know: access to information is based on job or business requirements
- Compartmentalisation: the process of separating groups of people and information from other groups
- Security domain: based on trust between resources or services in areas or systems that share a single security policy; a subject can only access an object in an equal or lower domain (uses a hierarchy)
114
What should be the first 2 steps when developing a information classification program?
1. Determine the program objectives 2. Establish organisational support
115
Who in the business is responsible for information classification?
Information Owner (normally someone in a business unit that understands the information in the area of their business.
116
What are the 4 common levels of information classification used by most organisations?
- Public (sometimes referred to as unclassified)
- Internal use only
- Confidential: trade secrets, privacy of individuals (may also be called top secret, privileged, personal, sensitive or highly confidential)
- Restricted: if released could cause irreparable harm to the organisation; suitable only for a select few individuals such as C-level executives
117
Which of the CIA principles should still be considered in relation to public classified information?
Availability
118
What does aggregate data mean in relation to information classification?
Data when taken alone is of low sensitivity, but when combined with other data is of high sensitivity.
119
Name 7 access control requirements that should be considered?
- Reliability: must give consistent results
- Transparency: must be transparent to the end user; the less user interaction the better
- Scalability: should ensure the system can accommodate future growth
- Integrity: ensuring only authorised personnel have access to administrative functions of the system
- Maintainability: the administrative effort required to maintain the application
- Authentication data security: user identities, passwords, access capabilities, etc. (data encryption, system and file-level access controls, strong authentication for admin functions)
- Auditability: authentication requests, data access attempts, changes to privileges and exercise of administrative capabilities
120
Which type of control is used to specify acceptable rules of behaviour? (Preventative, deterrent, corrective, recovery, detective, compensating, directive)
Directive
121
What are the 7 main categories of access control?
Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective
122
A security policy can be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Directive and deterrent
123
A user registration procedure would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Preventative
124
Termination would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Corrective
125
Supervision would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Compensating
126
Job rotation would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Compensating
127
Logging would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Compensating
128
Keystroke monitoring would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Compensating
129
A fence would be considered which type of access control? (Directive, Deterrent, Recovery, Compensating, Preventative, Corrective, Detective)
Preventative
130
Which type of control can cover all 7 access control categories?
CCTV
131
Categories of access controls can be implemented in what 3 ways?
- Administrative (sometimes called management controls)
- Logical (sometimes called technical controls)
- Physical (sometimes called operational controls)
132
Maintaining an authorisation process and a record of all privileges is known as what?
Privilege Management
133
The ability to restrict access to systems based on a network wide policy is known as what? Involves querying a system to ensure it is adhering to established policies, ie AV on the system.
Network Access Control (NAC)
134
What is a race condition?
Where two or more processes access a shared resource concurrently and the result depends on the order in which they happen to run; attackers exploit this by winning the race between a security check and the use of the checked resource (time-of-check to time-of-use, TOCTOU).
135
What is a hash?
A one-way mathematical function that maps input of any length to a fixed-length digest; it is computationally infeasible to recover the input from the digest or to find two inputs with the same digest.
136
In relation to access permission what does (C) Change provide?
Read, write, execute and delete. may not change file permission.
137
What is non-discretionary access control?
Access is based on the assignment of permissions to read, write and execute files on a system; however, unlike discretionary access control, which allows the file owner to specify those permissions, non-discretionary access control requires the system administrator to define and control the access rules for files on the system.
138
A network ACL entry typically has two basic pieces of data. What are they?
A match pattern (e.g. addresses, ports or a keyword) and the action to take (permit or deny) when traffic matches it
139
An ACL in the form of a table is known as what?
An access control matrix
140
Rule based access are most commonly associated with which type of access control? DAC or MAC
DAC because the system owner typically develops the rules based on the organisation or processing needs.
141
Role based access control can be applied using both DAC and MAC. true or false?
True DAC by owner MAC by system
142
What are the 4 basic role based access control architectures?
- Non-RBAC: users are granted access to data using ACLs; no role-based model
- Limited RBAC: users are mapped to roles within an application (users of this system can also access non-RBAC apps or data)
- Hybrid RBAC: a role is applied to multiple apps, where the apps subscribe to the organisation's role-based model
- Full RBAC: all application access is controlled by the organisation's role-based model
143
What is content dependent access control?
access control based on value of data, ie data may be assigned a department number that only staff within that department can access. User access to a piece of data can change if the data is changed as opposed to the user role changing.
144
What type of access control is Constrained User Interface?
user restricted to specific functions on a system based on their role within that system. common on devices such as an ATM.
145
What is an advantage of using the Constrained User Interface access control model?
can limit the potential avenues of attack and system failure by limiting the processing options available to a user.
146
A database 'View' is a common example of which type of access control?
Constrained User Interface
147
What is a capability table?
Matches subject and their capabilities against system objects and the ability to use those capabilities on those objects.
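Added example (not from the original cards) tying cards 66, 138, 139 and 147 together: one access control matrix, read by column to give an object's ACL and by row to give a subject's capability table, with the discretionary rule that only an object's owner may grant rights on it. The subject, object and right names are illustrative.

```python
"""Added example: an access control matrix viewed as ACLs and as capability tables."""
from collections import defaultdict


class AccessMatrix:
    """Rows are subjects, columns are objects, cells are sets of rights.

    One structure answers both questions on the cards: a column is the
    object's ACL, a row is the subject's capability table.
    """

    def __init__(self):
        self.rights = defaultdict(set)   # (subject, object) -> {"read", "write", ...}
        self.owner = {}                  # object -> owning subject

    def create(self, owner: str, obj: str) -> None:
        """Creating an object makes the creator its owner with full rights (DAC)."""
        self.owner[obj] = owner
        self.rights[(owner, obj)] |= {"read", "write", "execute", "own"}

    def grant(self, grantor: str, subject: str, obj: str, right: str) -> None:
        """Discretionary rule: only the object's owner decides who else gets rights."""
        if self.owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self.rights[(subject, obj)].add(right)

    def check(self, subject: str, obj: str, right: str) -> bool:
        """Reference-monitor decision for one access attempt."""
        return right in self.rights.get((subject, obj), set())

    def acl(self, obj: str) -> dict:
        """Column view: the object's ACL, subject -> rights."""
        return {s: sorted(r) for (s, o), r in self.rights.items() if o == obj and r}

    def capabilities(self, subject: str) -> dict:
        """Row view: the subject's capability table, object -> rights."""
        return {o: sorted(r) for (s, o), r in self.rights.items() if s == subject and r}

    def revoke_all(self, subject: str) -> None:
        """Leaver process: with the row view, removing a subject is one sweep;
        with per-object ACLs alone every object would have to be visited."""
        for key in [k for k in self.rights if k[0] == subject]:
            del self.rights[key]


if __name__ == "__main__":
    m = AccessMatrix()
    m.create("alice", "payroll.xlsx")          # constructed subjects and object
    m.grant("alice", "bob", "payroll.xlsx", "read")
    print("ACL of payroll.xlsx:", m.acl("payroll.xlsx"))
    print("bob's capabilities :", m.capabilities("bob"))
```

The two views carry the same information but differ in what is cheap: answering "who can reach this file" is a column lookup, while answering "what can this leaver still reach" is a row lookup, which is why card 162 wants identity management to consolidate rights per user.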
148
What is temporal (time-based) isolation?
Activities performed at a given time for a pre-determined duration. can extend to system processing when certain jobs are only performed during certain times of the day.
149
What is an important caveat when using temporal access controls?
care must be taken if an organisation is spread across multiple time zones
150
The assertion of a unique identity for a person is known as what?
Identification
151
Binding a user to the appropriate controls based on based on that unique user instance is an objective of what? Identification, Authentication or Authorisation?
Identification
152
What is IAA in relation to access control?
Identification (provides uniqueness) Authentication (provides validity) Authorisation (provides control)
153
How many bits is a MAC address?
48bit represented in a hexadecimal format
154
Is a MAC address considered a strong identifier or authenticator?
No because most network-enabled devices allow the MAC to be stored in software instead of hardware meaning the MAC can be altered.
155
Should an IP address be used as an identifier alone?
No, because it is stored in software and can be altered.
156
What is a Radio Frequency Identification Tag (RFID)?
small label that can be embedded in objects such as passports, consumer goods, even humans.
157
How does an RFID tag work?
When the tag comes within the proximity of the reader, the reader reads the information from the tag and determines the identity of the object
158
What is the main concern with using RFID tags in passports?
Privacy concerns, because tags can be read from a distance, there are concerns that an individuals information may be taken without their consent.
159
Should an email address by used alone as a unique identifier?
No
160
What are the 3 essential security characteristics regarding identities?
Uniqueness Non-descriptiveness Secure issuance
161
What is the key difference between the Unix 'root' account and Windows Admin account?
Windows Admin account can be changed to a different name.
162
What is the goal of an identity management system?
to consolidate access right into an easily managed record of identity and access for each user in a system
163
In an identity management system, what is the best way of managing ID's for contractors, business partners, etc?
segment these users into their own group.
164
What is the benefit of using centralised identity management?
- can enforce organisation wide control over identity allocation. promotes consistency of policy. helps with leavers process
165
What is the main issue with using centralised identity management?
access needs of departments, regional office can be different. political or legal reasons also a factor depending on region.
166
What is the advantage and disadvantage of a de-centralised identity management system?
Advantage is that local managers have a better sense of user requirements in their area. Disadvantage is that it's difficult to enforce a central policy. can also be more expensive and can cause conflicting rights on shared resources.
167
In authentication there are traditionally 3 factors. What is the 4th one?
Geo-location
168
In relation to Geo-location, what does the term apparent location mean?
The location inferred from network data such as the source IP address rather than where the user physically is; an IP address is not a foolproof method of geo-location because VPNs, proxies and mobile carriers can place it far from the user.
169
What are the 3 basic types of character passwords?
- Standard words
- Combination passwords (include numbers)
- Complex passwords (include non-alphanumeric characters)
170
What is a more secure alternative to a password when using single factor authentication?
Passphrase
171
What is a Graphical Password?
An image or sequence of images used as a password.
172
What two types of static authentication devices exist?
Memory cards and smart cards
173
What is the main difference between a memory card and a smart card authentication device?
The availability of processing power: a memory card can hold information but not process it, whereas a smart card can do both.
174
What is a common example of a memory card?
A swipe card
175
What is the main weakness with a memory card?
Data is stored unprotected.
176
What is an ISO term for a smart card?
Integrated Circuit (IC) Card
177
What are the advantages of using a smart card over a memory card?
- Can hold more data than memory cards
- Can provide secure login, secure email, digital signatures, secure web/remote access, VPN and hard disk encryption
- The login process is done by the reader instead of at the host, so the identifier and password are not exposed in transit to the host
178
What is a trusted path?
A communications channel through which all information passing is deemed to be secure.
179
Which type of memory does a smart card use?
Electrically Erasable Programmable Read Only Memory (EEPROM)
180
What two types of smart cards are there?
Contact and contactless
181
List the typical smart card pinouts.
Vcc - power connection
RST - reset line
CLK - clock signal (controls operation speed)
RFU - reserved for future use
GND - ground line
Vpp - programming power
I/O - input/output line for communication with the reader
RFU - reserved for future use
182
What are the two types of biometrics?
Physiological and behavioural
183
What are the most common biometrics used?
Fingerprints
184
What is a vascular scan?
A scan that studies the veins in the user's hand or face.
185
What are 3 types of behavioural biometrics?
Signature dynamics
Keystroke dynamics
Voice pattern
186
What are 5 ways of protecting desktop sessions?
Screensavers
Timeouts
Automatic logouts
Session/login management (multiple devices)
Schedule limitations (time based)
187
Typical example of a login session to a banking website:
1. The user navigates to the website, which starts a session.
2. The user clicks secure login, after which the session is encrypted using SSL.
3. The user authenticates and information is passed through the encrypted session.
4. The user logs off and the session is terminated.
188
Session hijacking is a form of which type of attack?
Man-in-the-middle attack
189
What is arguably the most significant aspect of ensuring accountability in access control systems?
The culture of the organisation; it must be supported at the top level of the organisation.
190
What are the 4 most common directory technologies?
X.500
Lightweight Directory Access Protocol (LDAP)
Active Directory
X.400
191
What are the characteristics of the X.500 protocol?
- Developed by ITU-T and also known as ISO/IEC 9594
- Originally developed for telecommunications companies
- Consists of 4 protocols: DAP, DSP, DISP and DOP
- Organised as a hierarchical database of information
192
Which of the following protocols is the primary one used by X.500?
Directory Access Protocol (DAP)
Directory System Protocol (DSP)
Directory Information Shadowing Protocol (DISP)
Directory Operational Bindings Management Protocol (DOP)
DAP
193
What is the key field used by the X.500 directory, and what does it provide?
The distinguished name (DN), which provides the full path through the X.500 database where a particular entry may be found.
194
What is the counterpart of the DN in an X.500 directory?
The RDN (relative distinguished name), which provides the name of a specific entry without the full path component attached.
195
What is the main disadvantage of X.500?
Complex to implement and complicated to administer.
196
Which protocol in the X.500 suite is LDAP based on?
DAP
197
What is the main benefit of LDAP over X.500?
It provides a simpler implementation of directory services for enterprises that operate in a TCP/IP environment.
198
What are the characteristics of LDAP?
- Uses a hierarchical tree structure for directory entries and also supports the DN and RDN concepts
- Common attributes for an LDAP entry include: DN, CN, DC, OU
- Operates in a client/server architecture
- Typically runs over unsecured network connections using TCP port 389
- Version 3 of the LDAP protocol supports the use of TLS to encrypt communications
- Can also use SSL via TCP port 636
199
What is Active Directory?
An implementation of the LDAP protocol for Microsoft-based environments.
- Provides authentication and authorisation capabilities on an enterprise-wide level
- Can enforce organisational security and configuration policies
- AD uses LDAP for its naming structure
- AD directories are organised into forests and trees
- Domains are identified by DNS name and objects by OUs
200
What is a forest in relation to AD?
A collection of all the objects and their associated attributes.
201
What is a tree in relation to AD?
Logical groupings of one or more AD security domains within a forest.
202
What is X.400?
The predecessor to SMTP, also known as Message Handling System (MHS).
203
What is perimeter-based web portal access?
LDAP integration with web-based apps to provide authentication.
204
In a perimeter-based web portal access solution, what handles the user authentication state?
WAM (Web Access Management)
205
What does a Federated Identity Management system provide?
Authentication between different organisations that may share the same apps or users.
206
A Federated Identity Management System can provide two basic processes for linking the member organisations together. What are they?
Cross-certification model: each organisation must individually certify that every other participating organisation is worthy of trust.
Trusted third party or bridge model: participating organisations subscribe to the standards and practices of a third party that manages the verification.
207
What is the benefit of a trusted third party model over a cross-certification model?
Organisations don't have to maintain individual trusts with every other organisation; one organisation verifies all connecting organisations.
208
What is a "Once In-Unlimited Access" model?
The user authenticates once and then has access to all the resources participating in the model. Could be used on an intranet.
209
What is a drawback of the "Once In-Unlimited Access" model?
An assumption on each participating system that user authentication and authorisation were properly handled before access was granted.
210
What are the 5 key types of logging that are the foundation of security auditing?
Network events
System events
Application events
User actions
Keystroke activity
211
What is a Multi-Host Intrusion Detection System?
A system that allows hosts to share policy information and real-time attack data.
212
What is a drawback of using a Host IDS?
It can be very invasive to the host OS, can consume a lot of memory on the host, and can interfere with processing.
213
What is Stateful Matching Intrusion Detection?
Scans for attack signatures in the context of a stream of traffic or overall system behaviour, rather than looking at individual packets or discrete behaviour.
214
How can an attacker evade Stateful Matching Intrusion Detection?
By sending packets from multiple locations or with a long wait period between each transmission. Signatures must also be kept updated.
215
What is Protocol Anomaly Based Intrusion Detection?
Identifies unacceptable deviation from the expected behaviour of known protocols, e.g. HTTP.
216
What is a weakness of Protocol Anomaly Based Intrusion Detection?
It struggles if custom or non-standard protocols are used.
217
What is a Traffic Anomaly Based Intrusion Detection System?
Identifies any unacceptable deviation from expected behaviour based on traffic structure.
218
What is a weakness of Traffic Anomaly Based Intrusion Detection System?
It relies on the ability to establish normal patterns of traffic.
219
What are the 3 fundamental components of IDS alarm capability?
Sensor: the detection mechanism
Control and communication: handling of alert information
Enunciator: the relay system that alerts local resources
220
What is SIEM (Security Information and Event Management)?
A group of technologies that aggregates information about access controls and selected system activity, and provides real-time reporting on events and incidents as they occur in network and information systems.
221
What are two types of spyware?
Malvertisements: web advertisements which appear legitimate.
Malnets: infected nodes clustered together, such as websites, desktops, laptops, etc., to launch further attacks.
222
What is the unused space in a cluster, after the point where data has been written, called?
Slack space
223
Why does deleting data from a disk or formatting a disk not remove the data?
In these scenarios the information is simply removed from the FAT table, signifying that those clusters are now available for use. The actual data still physically resides on the drive, waiting to be found, until new data has been written to the cluster. Data will remain in slack space until the entire cluster is overwritten.
224
In what way can slack space be used by an attacker?
An attacker can use a tool that writes information, such as malicious code, only to the slack space of available clusters, so that it is hidden from the user.
225
What 3 things should a tool erase to ensure everything is deleted from a hard disk?
The data
The file's directory entry
The file's FAT entry
226
What is data mining?
The statistical analysis of general information in the absence of specific data.
227
What is Access Aggregation?
The act of collecting additional roles and responsibilities in an organisation.
228
What is User Entitlement in relation to access control?
The action of provisioning resources to a user, e.g. mapped drives. Changing roles can aggregate this entitlement.
229
What are the steps in the Identity and Access Provisioning Lifecycle?
1. Provisioning
2. Review
3. Revocation
230
What is the first line of a defence-in-depth strategy?
Access Control