Chapter 3 - Access Control Flashcards

(124 cards)

0
Q

Access

A

The flow of information between subject and object

1
Q

Access control

A

Used to restrict access, to authenticate access, and to ensure AIC on the data

2
Q

Subject

A

The entity that requests access to an object

3
Q

Object

A

A passive entity that holds information

4
Q

Identification

A

Proving someone is who they say they are

5
Q

Authentication

A

A second piece to the credential set

6
Q

Authorization

A

Being granted access based on your authenticated identity

7
Q

Accountability

A

Now that you have been authorized, you are responsible for your actions

8
Q

Logical access controls

A

Boolean operator controls: if authorized, then access

9
Q

Race Condition

A

Running authorization independently of authentication

Process 1, then process 2

A hacker just runs process 2

10
Q

What are the factors of authentication?

A

Something a person knows, has, or is

11
Q

Verification ratio

A

Used to see how many people are authenticated by the same token

12
Q

Auth by knowledge

A

A password, a PIN, a combination

13
Q

Auth by ownership

A

Key, badge, access card

14
Q

Auth by characteristic

A

Biometrics

15
Q

Strong auth

A

Two-factor auth

16
Q

Mutual auth

A

This is when each side authenticates the other

17
Q

IdM

A

Identity management - controlling identity in an environment for accountability

18
Q

IDM meta directories

A

A virtual directory that aggregates identity data stored in HR/SQL/AD etc.

This is primarily useful for non-LDAP integrated systems

19
Q

What makes up X.500?

A

Directory structure standard

Must have a parent-child tree
Each entry is unique
Attributes are defined in the schema
Unique IDs called distinguished names

20
Q

Virtual directory

A

Similar to meta directories, except it doesn't know the answer itself; it points to the directory that does

21
Q

WAM

A

Web access management

Web server receives the auth request
Web server gets access approval
Sends back a session cookie
Browser uses the cookie in the further security context

22
Q

Cookie

A

Browser side data storage

Permanent - stored on the hard drive for later usage and access

Session - temporary token stored in memory for use with session state

23
Q

Single sign on

A

Sign in once; as long as you use the cookie the server just sent to authenticate, you are allowed

24
Password synchronization
Reduces the number of passwords a user must know by setting the multiple systems to the same password
25
Self-service password reset
Reduces help desk volume by allowing users to reset their own password, e.g. via security questions or a click-the-link email
26
Assisted password reset
Two-person password reset, i.e. an authenticated help desk person changes it to changemenow and then the user is forced to reset it
27
What is an example of a bad security question?
What is your mother's maiden name? This is public information
28
Single sign on
One authentication to rule them all!
29
Account management
Automated construction and destruction of accounts on all necessary systems
30
Authoritative source
The location of a record where it was written
31
Identity repository
The centralized location of information regarding accounts
32
Authoritative system of record
A hierarchy that tracks changes to an environment
33
User provisioning
From hired to fired, what happens to your account
34
Self-service
Users can change their own information
35
Federated
If you trust that guy, send me his authenticated session
36
Digital identity
Made of attributes, entitlements, traits
37
Federated identity
This is the authenticated token being passed around
38
Web portal
A site that contains multiple website feeds, e.g. Yahoo, MSN
39
Portlet
This is an individual module that displays website information on a web portal
40
XML
Extensible markup language. Used to standardize a way of communicating between platforms
41
SPML
Service provisioning markup language. Roles: request authority, provisioning service provider, provisioning service target
42
SAML
Security assertion markup language. Used for passing authentication in a unified format
43
Web services
This is any site that provides a service
44
SOAP
Simple object access protocol. A means to transmit markup language
45
XACML
Extensible access control markup language. Used to communicate ACLs between services
46
Extensible
Really means standardized
47
OASIS
Organization keeping all the XML standards
48
What makes XML standards different?
The schema
49
What are the error types in biometrics?
Type 1 - rejected an authorized person
Type 2 - allowed an unauthorized person
50
Crossover error rate or equal error rate?
The point where the error % of both types match. 3% is better than 4%
51
What causes type 2 errors to switch over to type 1 errors?
Sensitivity
52
Replay attack?
When information is gathered now and used later, e.g. a stolen password
53
What ways can you steal a password?
Electronic monitoring
Access the password database
Brute force attack
Dictionary attack
Social engineering
Rainbow table (hash table)
54
What is last login messaging for?
To show the user when they last attempted a login to the system
55
Clipping level
Threshold
56
What is the most effective way to steal passwords?
Rainbow tables
57
How does someone make a password hash secure?
Salts - random characters added to a password before hashing
58
Cognitive passwords
Fact or opinion based question and answer
59
Two types of synchronous tokens for one time password
Time synchronous
Counter synchronous
The encryption key is on the device
60
Counter-based is also called?
Event based
61
Asynchronous token
A challenge is sent from the server; the token makes a password out of it using an algorithm and generates an OTP
62
Digital signatures
Used to authenticate via PKI
63
Pass phrase
LongPhraseThatIsHardTocrackAndStealFrom
64
Authentication memory card
A read-only verification of who you are. An ATM card is used with a PIN; the ATM card is a memory card
65
Contact vs contactless smart card
Contact has an electrical contact pad that sends and receives I/O. Contactless has an antenna that handles the I/O
66
What is fault generation?
Generating faults in a system to see if it feeds back any useful data
67
Side channel attack
An attack where the attacker is simply trying to figure out how the device works, e.g. using electromagnets to see what kind of response a smart card gives
68
Microprobing
Tampering with a chip using ultrasonic and needleless techniques to get directly to the embedded ROM
69
ISO 14443
Smart card standardization
70
RFID
Radio frequency ID. Low security due to low processing capabilities
71
What can be used to set access controls?
Role
Group
Location
Time
Transaction type
72
Kerberos
Authentication methodology using shared secret keys
73
KDC
Key distribution center - used to create and store the shared Kerberos keys
74
Principals
Users, applications or services. Each one has its own shared secret
75
How do tickets work?
A ticket granting service issues a ticket that is used to pass from one principal to another
76
How does Kerberos work?
1. User sends credentials for auth
2. KDC sends the password in a TGT
3. The user's entered password is used to get the TGT client side
4. Access to another principal is requested
5. A TGT is generated with both principals' passwords and TGTs
6. The user principal sends this to the other principal, which verifies its TGT and grants or denies access to the user
77
How are SESAME and Kerberos different?
Kerberos is strictly symmetric and SESAME is both asymmetric and symmetric. SESAME uses PACs, compared to Kerberos tickets
78
GSS-API
Standard API used to programmatically use these authentication mechanisms in applications
79
Thin client
A machine that stores no data
80
Discretionary access control
I made it, I can access it, I control it. This is the Windows model and allows systems to run as a user context
81
Non discretionary access?
A group policy is non-discretionary because it is forced on the user
82
Security or sensitivity labels
In a mandatory access model it is a security level assigned to a document. If you have that level of clearance then you can see it. For granularity there is also a need-to-know check
83
Role based access control
The permissions are set to groups defined by job function rather than department or specific person
84
What is the difference between static and dynamic separation of duties?
Static: if you are part of role X then you cannot be a member of role Y. Dynamic: applies to the session itself and disallows the Y functionality if logged in as X
85
Rule based access
This is access based strictly on if-then statements
86
Constrained UI
Limiting the user interface to only what you want them to be able to do
87
What are capability and ACL?
A capability is what a user can do and an ACL is what an object allows
88
Content dependent access
Packet sniffing web traffic is a great example: access decisions are based on the content you are trying to receive. Sensitivity-based decisions
89
Context dependent access
Access control that understands order of operations. A firewall understands that SYN must come before SYN/ACK. This prevents complex knowledge attacks: a user can see A and B, or A and C, but not A, B and C
90
AAA
Authentication, authorization, auditing
91
RADIUS vs TACACS+
RADIUS is in the clear, does not comply with AAA and uses UDP. TACACS+ uses encryption, complies with AAA and uses TCP
92
Diameter
Twice the radius; it is an AAA protocol diversified for our complex, protocol-rich world. It is peer based rather than client-server and superior in all ways
93
Access control layers
Administrative
Technical
Physical
94
Audit reduction tool
Used to parse out specific information to reduce logs
95
SEM/SIEM
Security event manager used for audit control
96
Scrubbing
Deleting log events that show an attackers presence
97
Object reuse
Thumb drives should be wiped with 1/0 patterns before someone else uses them, for example
98
Emanation security
Electronics emanate electromagnetic waves that can be captured and recreated
99
TEMPEST
Used as a standard to shield electronics from emanating
100
White noise
Random interference that overwhelms and overpowers useful information
101
Faraday cage
A shielding
102
Network IDS
Wireshark with a NIC in promiscuous mode
103
Host based IDS
Internal system object monitoring
104
Types of IDS monitors
Signature - pattern/stateful
Anomalies - statistical/protocol/traffic/rule
105
What is a signature?
A pattern
106
What is "being in the zoo"?
A virus that has not been released yet
107
Misdirecting IDS
Sending IDS systems on a goose chase while the attacker sneaks in another way
108
What is the difference between a false positive and a false negative?
Positive - flagging good traffic as bad
Negative - flagging bad traffic as good
109
ICMP attacks
ICMP loaded with variables and payload
110
Signature based IDS
Pattern matching
Stateful matching - compares sequences
Signatures must be updated
Cannot identify new attacks
111
Anomaly based IDS
Behavior based on a normal baseline
Can detect new attacks
Called behavioral/heuristic
Statistical - baseline vs now
Protocol - that packet is malformed
Traffic - why is this bandwidth spiking
112
Rule based IDS
If/then rules
AI inference possible
Demanding
Cannot detect new attacks
113
What makes a honeypot a legal issue?
The use of entrapment instead of enticement. Enticing - ports open, web page without SSL etc. Entrapment - giving a download link to the hacker and then charging him for hacking when all he did was use your link
114
Sniffer
Used to analyze promiscuous packets on the network
115
What is another name for hashing
Message digest
116
Dictionary attack
Using known words against a password to resolve the password
117
Brute force
Trying every combination until a response is received
118
What is a war dialer?
A phone dialer used to discover dial-up modems
119
Phishing
Sending requests for information through tricky websites and emails. The URL cannot be trusted; JavaScript can replace it with a legitimate site name
120
Pharming
The use of fake web sites to pass credentials to, often using DNS poisoning
121
DNS poisoning
Modifying the DNS response your machine receives to redirect it to a rogue server
122
Why is feeling secure with a solution dangerous?
Because you stop looking for security flaws
123
Identity theft
Using someone's identity to make non-legitimate purchases, or to generate false criminal records and warrants