Domain 1 Access Control Vocab Flashcards

(142 cards)

2
Q

Discretionary access control

A

gives the owner of an object control over who may access it; subjects who have been given access may share the object with other subjects at their own discretion (file permissions and ACLs are the typical mechanism).

3
Q

Mandatory access control

A

system enforced access control based on subject’s clearances and object’s labels.

4
Q

Role-based access control

A

subjects are grouped into roles, and each defined role has access permissions based upon the role, not the individual.

5
Q

CIA Triad

A

confidentiality, integrity, and availability.

6
Q

Confidentiality

A

seeks to prevent the unauthorized disclosure of information; it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data.

7
Q

Integrity

A

seeks to prevent the unauthorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. There are two types of integrity: data integrity and system integrity. Data integrity seeks to protect information against unauthorized modification; system integrity seeks to protect a system, such as a Windows Server 2008 operating system, from unauthorized modification.

8
Q

Availability

A

ensures that information is available when needed. Systems need to be usable for normal business use. An example of an attack on availability would be a denial of service attack.

9
Q

DAD

A

Disclosure, Alteration, and Destruction. The opposing force to the CIA Triad.

10
Q

AAA

A

Authentication, authorization, and accountability. Identification is assumed as the first step underlying all three.

11
Q

Subjects, objects, access permissions

A

Three important access control concepts.

12
Q

Subjects

A

Entities that may be assigned permissions.

13
Q

Objects

A

Types of resources that subjects may access.

14
Q

Access permissions

A

Relationships between subjects and the objects they may access.

15
Q

Four phases of access control.

A

Identification, authentication, authorization, accounting

16
Q

Identification

A

User makes a claim as to his or her identity.

17
Q

Authentication

A

User proves his or her identity using one or more mechanisms (factors). Proving an identity claim, as opposed to merely making one.

18
Q

Authorization

A

System makes decisions about what resources the user is allowed to access and the manner in which they may be manipulated. Granting authenticated subjects specific rights on a system.

19
Q

Accountability

A

System keeps an accurate audit trail of the user's activity.

20
Q

Non-Repudiation

A

A user cannot deny (repudiate) having performed a transaction. It combines authentication (who acted) with integrity (what was done has not been altered); digital signatures are the usual mechanism.

21
Q

Defense in Depth or Layered Defense

A

applies multiple safeguards or controls to protect an asset, so that the failure or bypass of any single control does not by itself lead to compromise.

22
Q

Subject

A

an active entity on an information system.

23
Q

object

A

a passive entity, such as a data file, that subjects act upon.

24
Q

Three types of access control models

A

MAC, DAC, NDAC (RBAC)

25
Q

Mandatory access control (MAC)

A

Authorization of a subject's access to an object depends on labels: the subject's clearance and the classification or sensitivity of the object. The system enforces the comparison; neither the owner nor the user can override it.

26
Discretionary access control (DAC)
Access control type where the owner of an object has the authority to specify which subjects may access it.
27
Non-discretionary access control (NDAC) also known as role based access control (RBAC)
Access control type where the Administrator determines which subjects can have access to certain objects based on an organizations security policy.
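The three models on cards 25 to 27 differ in who makes the access decision. The following is an added example, not part of the original deck: small Python decision functions for MAC (system-enforced labels vs. clearances), DAC (an owner-managed ACL of access control entries) and RBAC (permissions attached to roles, never to individuals). The label set, users, roles and permissions are constructed for the illustration.

```python
"""Toy decision functions for the three access control models on these cards:
MAC (subject clearance vs. object label), DAC (owner-managed ACL of ACEs) and
RBAC / non-discretionary (permissions attached to roles, never to people).
The policy data below is constructed for the example."""
from dataclasses import dataclass, field

# MAC: sensitivity labels form an ordering that the system enforces;
# neither the owner nor the user can change it. (Constructed label set.)
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_can_read(clearance: str, label: str) -> bool:
    """Read is allowed only if the clearance dominates the label ('no read up')."""
    return LEVELS[clearance] >= LEVELS[label]


def mac_can_write(clearance: str, label: str) -> bool:
    """Bell-LaPadula confidentiality also forbids writing to a lower label
    ('no write down'), so a secret-cleared process cannot leak into an
    unclassified file."""
    return LEVELS[clearance] <= LEVELS[label]


# DAC: each object carries an ACL; every entry (ACE) maps a subject to permissions.
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)  # ACEs: subject -> set of permissions

    def grant(self, by: str, to: str, perm: str) -> bool:
        """Only the owner may edit the ACL, which is what makes the model
        discretionary: the owner can share the object with anyone."""
        if by != self.owner:
            return False
        self.acl.setdefault(to, set()).add(perm)
        return True

    def allows(self, subject: str, perm: str) -> bool:
        return subject == self.owner or perm in self.acl.get(subject, set())


# RBAC: the administrator maps roles to permissions and users to roles.
ROLE_PERMS = {
    "payroll_clerk": {"payroll:read"},
    "payroll_manager": {"payroll:read", "payroll:approve"},
}
USER_ROLES = {"alice": {"payroll_clerk"}, "bob": {"payroll_manager"}}


def rbac_allows(user: str, perm: str) -> bool:
    """A user holds a permission only through one of their roles."""
    return any(perm in ROLE_PERMS[role] for role in USER_ROLES.get(user, ()))


def demo() -> dict:
    """Run one decision under each model and return the outcomes."""
    report = {}
    # MAC: a secret-cleared analyst reads a confidential file but not a top secret
    # one, and cannot write the file down to unclassified.
    report["mac_read_down"] = mac_can_read("secret", "confidential")     # True
    report["mac_read_up"] = mac_can_read("secret", "top secret")         # False
    report["mac_write_down"] = mac_can_write("secret", "unclassified")   # False
    # DAC: carol owns a file; only she can add an ACE for dave.
    doc = DacObject(owner="carol")
    report["dac_grant_by_stranger"] = doc.grant(by="erin", to="dave", perm="read")  # False
    report["dac_grant_by_owner"] = doc.grant(by="carol", to="dave", perm="read")   # True
    report["dac_dave_reads"] = doc.allows("dave", "read")                          # True
    report["dac_dave_writes"] = doc.allows("dave", "write")                        # False
    # RBAC: alice is a clerk, so she may read but not approve payroll.
    report["rbac_alice_read"] = rbac_allows("alice", "payroll:read")        # True
    report["rbac_alice_approve"] = rbac_allows("alice", "payroll:approve")  # False
    report["rbac_bob_approve"] = rbac_allows("bob", "payroll:approve")      # True
    return report


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:24} {outcome}")
```

The exam-relevant contrast is visible in the code: in `DacObject.grant` the owner decides, in `mac_can_read` the system's label ordering decides and no owner appears at all, and in `rbac_allows` the user never holds a permission directly.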
28
Task based access control
based on the tasks that each subject must perform. Focus on tasks rather than roles.
29
Content and Context-based access controls
Add criteria beyond identification and authentication. Content-based control looks at the actual data the subject is attempting to access (for example, filtering records by what they contain); context-based control looks at the circumstances of the request, such as time of day or location.
30
Centralized access control
concentrates access control in one logical point for a system or organization.
31
Decentralized access control
allows IT administration to occur closer to the mission and operations of an organization.
32
Access Aggregation
Occurs as individual users gain more access to more systems. Authorization creep - gaining more entitlements without shedding the old ones.
33
RADIUS
Access control protocol: Remote Authentication Dial In User Service. Third-party authentication system defined in RFCs 2865 and 2866. Uses UDP ports 1812 (authentication) and 1813 (accounting). AAA system comprising three components: authentication, authorization, and accounting. Request and response data are carried in Attribute-Value Pairs (AVPs).
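To make the AVP encoding and the role of the shared secret concrete, here is an added example (not from the deck) that builds and parses a RADIUS Access-Request as laid out in RFC 2865, including the User-Password hiding algorithm from section 5.2 of that RFC. The username, password, shared secret and NAS address are constructed values.

```python
"""Build and parse a RADIUS Access-Request (RFC 2865) from scratch, including the
User-Password hiding algorithm, to show what the AVP encoding and the shared
secret actually do on the wire. Added example; username, secret and NAS address
are constructed."""
import hashlib
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
RADIUS_AUTH_PORT = 1812  # UDP; accounting uses 1813


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 bytes,
    then XOR each block with MD5(secret || previous block), where the first
    'previous block' is the 16-byte Request Authenticator. This is obfuscation
    keyed by the shared secret, not strong encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    prev, out = authenticator, b""
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], pad))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it; the server
    needs the same shared secret."""
    prev, out = authenticator, b""
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, pad))
        prev = block
    return out.rstrip(b"\x00")  # removes the padding (and any real trailing NULs)


def avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-Value Pair: Type (1 byte), Length (1 byte, counting this
    2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("AVP value too long for a one-byte length field")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: bytes, password: bytes,
                         secret: bytes, nas_ip: str,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Header: Code (1) Identifier (1) Length (2) Request Authenticator (16), then AVPs."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (avp(ATTR_USER_NAME, username)
             + avp(ATTR_USER_PASSWORD, hide_password(password, secret, ra))
             + avp(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, request authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    ra, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed AVP")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, ra, attrs


def server_side_roundtrip(username: bytes, password: bytes, secret: bytes) -> dict:
    """Client builds the request; a server holding the same secret recovers the
    fields. 'wrong_secret' shows that a server with a different secret does not."""
    packet = build_access_request(7, username, password, secret, "192.0.2.10")
    code, identifier, ra, attrs = parse_packet(packet)
    return {
        "code": code,
        "identifier": identifier,
        "username": attrs[ATTR_USER_NAME],
        "password": unhide_password(attrs[ATTR_USER_PASSWORD], secret, ra),
        "wrong_secret": unhide_password(attrs[ATTR_USER_PASSWORD], b"wrong", ra) == password,
    }


if __name__ == "__main__":
    print(server_side_roundtrip(b"alice", b"correct horse battery", b"s3cret-shared"))
```

Note what the wire format does and does not protect: only the User-Password attribute is hidden, the user name and every other AVP travel in the clear over UDP, and the hiding is an MD5 keystream derived from the shared secret. That is why RADIUS is normally run over a protected transport (IPsec, or TLS as RadSec) and why Diameter, on the next card, was designed as its successor.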
34
Diameter
Successor to RADIUS. Also uses Attribute-Value Pairs, but with a 32-bit AVP code (RADIUS has an 8-bit attribute type), so it supports far more attributes. Runs over a reliable transport (TCP or SCTP) rather than UDP. A single server can manage policies for many services.
35
TACACS and TACACS+
Terminal Access Controller Access Control System. Centralized access control system in which users send an ID and a static, reusable password for authentication. Original TACACS uses UDP port 49 (TCP is also possible). TACACS+ is a separate protocol on TCP port 49 and is not backward compatible. TACACS+ encrypts the entire packet body; only the header is sent in the clear.
36
Labels
These are the security level assigned to objects - confidential, secret, top secret.
37
Clearance
A determination by a senior security professional about whether a subject can be trusted with access to objects carrying a given label. In other words: can you be trusted to access classified data?
38
Least Privilege
Users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. Need to know is more granular than least privilege, as the user must need to know that specific piece of information before accessing it.
39
Separation of Duties
aka segregation of duties. Allows for an organization to maintain checks and balances among the employees with privileged access. No one person has total control over sensitive transactions.
40
Rotation of Duties
a process that requires different staff members to perform the same duties. Helps to mitigate collusion.
41
Formal Access approval
Documented approval from the data owner for a subject to access certain objects, requiring the subject to understand all the rules and requirements for accessing data and consequences should the data become lost, destroyed, or compromised.
42
Need to Know
Whether the user needs to know the specific data he may attempt to access. Decided per individual object, not per clearance level.
43
Rule based access control
system uses a series of defined rules, restrictions, filters for accessing objects within a system. The rules form if/then statements
44
Access control list (ACL)
Contains access control entries (ACEs), each of which maps a subject to the access permissions it holds on the object.
45
Six types of access controls.
Preventive, detective, corrective, recovery, deterrent, compensating
46
Preventative controls
Controls designed to prevent unwanted activity from occurring.
47
Detective controls
Type of controls that provide a means of discovering unwanted activities that have occurred.
48
Corrective controls
Controls that are mechanisms for bringing a system back to its original state prior to the unwanted activity.
49
Recovery
After a security incident, recovery controls may have to be applied in order to restore functionality to the system or organization.
50
Deterrent controls
Control type used to discourage individuals from attempting to perform undesired activities.
51
Compensatory controls
Control type implemented to make up for deficiencies in other controls.
52
Credential Set
term used for a combination of both identification and authentication of a user
53
Three authentication factors.
Something you know, something you have, something you are
54
Passwords
The most commonly implemented authentication technique. Something you know.
55
Static password token
Token type where the owner authenticates himself to the token and the token authenticates the owner to the system.
56
Four different kinds of tokens
Static password, synchronous dynamic password, asynchronous dynamic password, challenge-response token
57
Static password
Reusable passwords that may or may not expire. They are typically user generated and work best when combined with another authentication type, such as a smart card or biometric control.
58
Pass phrases
Long static passwords, comprised of words or phrases in a sentence. easier to remember than just one word.
59
One time passwords
may be used for a single authentication. very secure but difficult to manage.
60
Dynamic Password
Change at regular intervals. One drawback is their expense.
61
Strong Authentication
aka Multifactor Authentication. Requires that the user present more than one authentication factor. Like your ATM card and PIN.
62
Hashing
A one-way function that takes input of any length and produces a fixed-length digest, using no key (the cards' "one-way encryption", although strictly it is not encryption, since nothing can decrypt it). It is computationally infeasible to recover the input from the digest, and a strong hash is also collision resistant.
63
Password Cracking
an attacker runs the hash algorithm forward many times selecting various possible passwords and comparing the output to the desired hash, hoping to find a match.
64
Password Hash storage
UNIX/Linux: in the /etc/shadow file (readable only by root). Microsoft Windows: in the Security Account Manager (SAM) database.
65
Three categories of access control.
Administrative, logical/technical, physical.
66
Administrative controls
Controls constituting policies, procedures, disaster recovery plans, awareness training, security reviews and audits, background checks, reviews of vacation history, separation of duties, and job rotation.
67
Logical/technical controls
Control type that restricts access to systems and the protection of information.
68
Physical controls
Type of controls used to protect access to the physical facilities housing information systems.
69
Principle of least privilege
States that the subjects of an access control system should have the minimum set of access permissions necessary to complete their assigned job functions.
70
Separation of duties
The ability to perform critical system functions should be divided among different individuals to minimize the risk of collusion.
71
Need to know
Users should only have access to information that they have a need to know to perform their assigned responsibilities.
72
Six types of attack.
Brute force, dictionary, spoofing, denial of service, man in the middle, sniffer.
73
Brute force attack
The type of attack where the attacker simply tries passwords until eventually succeeding: the hash output is computed for every possible password within a chosen character set and length. Rainbow tables are a time-memory trade-off on the same idea: a database of precomputed hash output for most or all possible passwords, so only a lookup is needed. A per-password salt defeats such tables because they would have to be rebuilt for every salt.
74
Dictionary attack
Type of attack where the attacker hashes a dictionary of common words with the system's password hashing algorithm and compares the results to the hashes in the password file.
75
Hybrid Attack
Prepends, appends, or changes characters in words from dictionaries before hashing, to crack complex passwords faster than pure brute force.
76
salt
A random value combined with the password before hashing, so that the same password hashes differently for every user and precomputed (rainbow) tables cannot be reused. The salt is stored alongside the hash; it is not secret, it simply forces the attacker to recompute per account.
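Cards 62 to 64 and 73 to 76 describe the same arithmetic from both sides. The following added example (not from the deck) runs it: a fast unsalted hash is cracked by a hybrid dictionary attack and by a precomputed table, the same password with a salt is missed by the table but still found when the salt is known and hashes are recomputed, a short password falls to brute force, and a hardened store with a random salt and a slow key derivation function (PBKDF2-HMAC from the standard library, chosen here as the stand-in for bcrypt/scrypt/Argon2) is verified in constant time. The wordlist and target passwords are constructed.

```python
"""Hashing, dictionary/hybrid/brute-force cracking, and why a salt defeats
precomputed (rainbow) tables. Added example with a constructed wordlist and
constructed target passwords; SHA-256 stands in for a fast legacy hash and
PBKDF2-HMAC for a slow password KDF."""
import hashlib
import hmac
import itertools
import os
import string
from typing import Iterator, Optional

WORDLIST = ["password", "letmein", "welcome", "summer", "dragon"]  # constructed


def legacy_hash(password: str, salt: bytes = b"") -> str:
    """One-way, keyless, fast hash: fine for integrity, too fast for passwords."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hybrid_candidates(word: str) -> Iterator[str]:
    """Mangling rules: capitalisation, appended digits/years, simple leet."""
    yield word
    yield word.capitalize()
    for base in (word, word.capitalize()):
        for n in range(100):
            yield f"{base}{n}"
        for year in range(1990, 2030):
            yield f"{base}{year}"
            yield f"{base}{year}!"
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")


def dictionary_attack(target: str, salt: bytes = b"", hybrid: bool = True) -> Optional[str]:
    """Run the hash forward over candidates and compare. A known salt is simply
    included, so salting alone does not stop an attack computed per account."""
    for word in WORDLIST:
        for cand in (hybrid_candidates(word) if hybrid else [word]):
            if legacy_hash(cand, salt) == target:
                return cand
    return None


def brute_force(target: str, alphabet: str = string.ascii_lowercase,
                max_len: int = 4) -> Optional[str]:
    """Exhaustive search over every string up to max_len characters."""
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            cand = "".join(chars)
            if legacy_hash(cand) == target:
                return cand
    return None


def precomputed_table(wordlist=WORDLIST) -> dict:
    """Stand-in for a rainbow table: hash -> password, built once and reused
    against every unsalted hash ever captured."""
    return {legacy_hash(c): c for w in wordlist for c in hybrid_candidates(w)}


def store_password(password: str, iterations: int = 200_000) -> dict:
    """Hardened store: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])  # constant-time compare


def demo() -> dict:
    table = precomputed_table()
    unsalted = legacy_hash("Summer2019!")
    salt = os.urandom(8)
    salted = legacy_hash("Summer2019!", salt)
    record = store_password("Summer2019!")
    return {
        "plain_dictionary": dictionary_attack(unsalted, hybrid=False),  # None
        "hybrid": dictionary_attack(unsalted),                          # "Summer2019!"
        "rainbow_unsalted": table.get(unsalted),                        # "Summer2019!"
        "rainbow_salted": table.get(salted),                            # None
        "hybrid_with_known_salt": dictionary_attack(salted, salt),      # "Summer2019!"
        "brute_force": brute_force(legacy_hash("cab"), max_len=3),      # "cab"
        "kdf_right": verify_password("Summer2019!", record),            # True
        "kdf_wrong": verify_password("Summer2019", record),             # False
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24} {result!r}")
```

The point a practitioner should take from the run: the salt only removes the attacker's ability to precompute; what makes `record` expensive to attack is the iteration count, which turns each guess into 200,000 hash operations.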
77
Spoofing
Type of attack where an individual or system poses as a third party.
78
Denial of service (DoS)
Type of attack where the system is flooded with traffic so that it cannot provide service to legitimate users.
79
Sniffer
Type of attack where the attacker monitors all traffic occurring on the same network segment, capturing any credentials sent in the clear.
80
Token
An object that helps to prove an identity claim. Something you have!
81
Synchronous dynamic token
Uses time or counters to synchronize the token code displayed on the device with the code expected by the authentication server; both sides compute the same code independently, so nothing secret crosses the network.
82
Asynchronous dynamic token
Not synchronized with a central server. The most common variety is the challenge-response token: the authentication system produces a challenge, or input for the token device; the user manually enters it into the device along with the user's PIN, and the device produces an output that is returned to the system.
83
Two-factor authentication
Using at least two authentication factors.
84
Challenge-response token
Token type where there is a system or workstation generated random number challenge, owner enters string into token with the proper PIN, and the token generates a response that is entered into the system.
85
Biometrics
Something you are. uses physical characteristics as a means of identification or authentication.
86
Enrollment time, throughput rate, acceptability
Three evaluation factors for biometric techniques.
87
Enrollment time
The amount of time that it takes to add a new user to a biometric system.
88
Throughput rate
The number of users that may be authenticated to a biometric system per minute.
89
Acceptability
The likelihood that users will accept the use of a biometric technique.
90
False rejection rate (FRR), also known as a Type I error
The percentage of cases in which a valid user is incorrectly rejected by the system.
91
False acceptance rate (FAR), also known as a Type II error
The percentage of cases in which an invalid user is incorrectly accepted by the system.
92
Crossover error rate (CER)
The rate at which FRR=FAR for any given system.
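Cards 90 to 92 are easiest to understand as one threshold sweep. The following added example (not part of the deck) computes FRR (Type I) and FAR (Type II) for every candidate decision threshold over two constructed lists of matcher scores, one for enrolled users and one for impostors, finds the crossover error rate, and shows the FRR price of demanding a given FAR. The score lists are invented for the illustration; a real system would measure them.

```python
"""Computing FRR (Type I), FAR (Type II) and the crossover error rate from
matcher scores. Added example; the genuine and impostor score lists are
constructed, not measured data. Higher score = better match, and the system
accepts a sample when its score is at or above the threshold."""
from typing import List, Optional, Tuple

GENUINE = [0.95, 0.90, 0.85, 0.80, 0.75, 0.70, 0.65, 0.55, 0.45, 0.35]   # enrolled users
IMPOSTOR = [0.10, 0.15, 0.20, 0.25, 0.30, 0.40, 0.50, 0.60, 0.70, 0.80]  # other people


def frr(threshold: float, genuine: List[float] = GENUINE) -> float:
    """Type I error: fraction of legitimate attempts rejected (score below threshold)."""
    return sum(s < threshold for s in genuine) / len(genuine)


def far(threshold: float, impostor: List[float] = IMPOSTOR) -> float:
    """Type II error: fraction of impostor attempts accepted (score at/above threshold)."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def sweep(genuine: List[float] = GENUINE,
          impostor: List[float] = IMPOSTOR) -> List[Tuple[float, float, float]]:
    """(threshold, FRR, FAR) at every distinct observed score, lowest threshold first.
    Raising the threshold can only raise FRR and lower FAR: that is the trade-off."""
    return [(t, frr(t, genuine), far(t, impostor)) for t in sorted(set(genuine + impostor))]


def crossover(genuine: List[float] = GENUINE,
              impostor: List[float] = IMPOSTOR) -> Tuple[float, float]:
    """Threshold at which FRR and FAR are closest; the error rate there is the CER,
    the single number used to compare biometric systems."""
    t, f_rr, f_ar = min(sweep(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, (f_rr + f_ar) / 2


def threshold_for_far(max_far: float, genuine: List[float] = GENUINE,
                      impostor: List[float] = IMPOSTOR) -> Tuple[Optional[float], float]:
    """Lowest threshold whose FAR does not exceed max_far, with the FRR it costs.
    Returns (None, 1.0) if no observed threshold is strict enough."""
    for t, f_rr, f_ar in sweep(genuine, impostor):
        if f_ar <= max_far:
            return t, f_rr
    return None, 1.0


if __name__ == "__main__":
    for t, f_rr, f_ar in sweep():
        print(f"threshold {t:.2f}  FRR {f_rr:.1f}  FAR {f_ar:.1f}")
    print("CER at threshold %.2f: %.2f" % crossover())
    print("for FAR <= 0.1: threshold %.2f, FRR %.1f" % threshold_for_far(0.1))
```

On the constructed data the crossover sits at threshold 0.60 with CER 0.30; pushing FAR down to 0.10 requires threshold 0.75 and rejects half of the legitimate attempts, which is the usability cost the "acceptability" card is about.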
93
Finger Prints
Most widely used biometric control available today. Smart cards can carry this information. The more minutiae points the matcher requires, the more false rejections (higher FRR) one will get.
94
Retina Scan
Laser scan of the capillaries that feed the retina at the back of the eye. Requires a light beam to enter the pupil, with the eye close to or touching the reader, so exchange of body fluids is possible. Rarely used due to privacy concerns (retinal patterns can reveal medical conditions) and health issues.
95
Iris Scan
A camera takes a picture of the iris, the colored part of the eye. Non-invasive.
96
Hand Geometry
measurements are made from specific points on your hand
97
Key board dynamics
measurements are taken in regards to how one uses a keyboard. Hard to duplicate.
98
Dynamic signatures
Measurements are taken in how one signs their name.
99
voiceprint
Measures the subject's tone of voice while saying specific words. Voice can change due to illness.
100
Facial Scan
Takes a picture of the subject and compares it to what is in the database. High cost.
101
Someplace you are
GPS, IP address, point of sale. all these things can help in authenticating an identity.
102
Single sign on (SSO)
A subject may authenticate once for access to multiple systems. Multiple systems use a central authentication server (AS), so users authenticate once and then access many different systems. It also allows security administrators to add, change, or revoke user privileges on one central system.
103
Single sign on (SSO) Benefits
1. Improved user productivity. 2. Improved developer productivity. 3. Simplified Administration.
104
Single sign on (SSO) Disadvantages
1. Difficult to retrofit. 2. An unattended desktop can lead to a compromise of the entire system. 3. It is a perfect single point of attack for denial of service.
105
Privilege creep
Users gain different access permissions as they move from position to position in an organization but old permissions are not revoked.
106
Kerberos
Software used on a network to establish a users identity. Third-party authentication system. Developed under Project Athena at MIT.
107
Kerberos Characteristics
Current version is 5.
108
Kerberos - Principal
A client (user) or service.
109
Kerberos - Realm
Logical Kerberos network
110
Kerberos - Ticket
Data that authenticates a principal's identity.
111
Kerberos - Credentials
a ticket or service key.
112
Kerberos - KDC
Key distribution center, which authenticates principals.
113
Kerberos - TGS
Ticket Granting Service
114
Kerberos - TGT
Ticket Granting Ticket Good for a specific lifetime - often 10 hrs.
115
Kerberos - C/S
Client/server, regarding communications between the two.
116
Kerberos Operational Steps
1. The principal contacts the KDC, which acts as an authentication server, to request authentication. 2. The KDC sends the principal a session key, encrypted with the principal's secret key. The KDC also sends a TGT, encrypted with the TGS's secret key. 3. The principal decrypts the session key and uses it to request permission to print from the TGS. 4. Seeing a valid session key, the TGS sends the principal a C/S session key to use for printing. The TGS also sends a service ticket, encrypted with the printer's key. 5. The principal connects to the printer. The printer sees a valid C/S session key and knows that the principal has permission and is authentic.
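The five steps read more clearly when each message is sealed under the key of the party meant to open it. The following added simulation (not from the deck, and not a Kerberos implementation) plays the AS exchange, the TGS exchange and the client/service exchange end to end. The principals, passwords, the `seal`/`open_box` toy cipher and the lifetime values are constructed stand-ins for Kerberos' real encryption types and policy.

```python
"""Simulation of the Kerberos exchange on the card: AS exchange (steps 1-2),
TGS exchange (steps 3-4) and the client/service exchange (step 5), with each
message sealed under the key of the party meant to open it. Added example:
the principals, passwords and the toy seal/open_box cipher are constructed
stand-ins for Kerberos' real encryption types."""
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 10 * 3600  # seconds; the card's "often 10 hrs"
CLOCK_SKEW = 300             # authenticators older than this are rejected (replay defence)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n]


def seal(key: bytes, payload: dict) -> bytes:
    """Toy authenticated encryption (SHA-256 keystream + HMAC tag). Only a holder
    of `key` can read or forge the payload. Demonstration only."""
    nonce = os.urandom(16)
    pt = json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_box(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


# The KDC database holds every principal's long-term key (the single point of
# compromise on the weakness card). "krbtgt" is the TGS's own key.
KDC_DB = {"alice": long_term_key("alice-password"),
          "krbtgt": os.urandom(32),
          "printer": os.urandom(32)}


def as_exchange(principal: str):
    """Steps 1-2: the KDC returns the TGS session key sealed under the principal's
    key plus a TGT (holding the same key) sealed under the TGS key. The AS never
    sees the password: only the right key can open the reply."""
    session_key = os.urandom(32)
    expires = time.time() + TICKET_LIFETIME
    tgt = seal(KDC_DB["krbtgt"], {"principal": principal,
                                  "session_key": session_key.hex(), "expires": expires})
    return seal(KDC_DB[principal], {"session_key": session_key.hex()}), tgt


def tgs_exchange(tgt: bytes, authenticator: bytes, service: str):
    """Steps 3-4: the TGS opens the TGT with its own key, checks the authenticator
    (sealed under the session key, fresh timestamp) and issues a C/S session key
    plus a service ticket sealed under the service's key."""
    t = open_box(KDC_DB["krbtgt"], tgt)
    if t["expires"] < time.time():
        raise ValueError("TGT expired")
    session_key = bytes.fromhex(t["session_key"])
    auth = open_box(session_key, authenticator)
    if auth["principal"] != t["principal"] or abs(time.time() - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("bad or stale authenticator (replay?)")
    cs_key = os.urandom(32)
    ticket = seal(KDC_DB[service], {"principal": t["principal"],
                                    "cs_key": cs_key.hex(), "expires": t["expires"]})
    return seal(session_key, {"cs_key": cs_key.hex()}), ticket


def service_accept(service: str, ticket: bytes, authenticator: bytes) -> str:
    """Step 5: the service opens the ticket with the only key it holds (looked up
    here for brevity; a real printer has just its own key) and checks the
    authenticator under the C/S key. The KDC is not contacted, so the ticket keeps
    working for its lifetime even if the KDC is down."""
    tk = open_box(KDC_DB[service], ticket)
    if tk["expires"] < time.time():
        raise ValueError("ticket expired")
    auth = open_box(bytes.fromhex(tk["cs_key"]), authenticator)
    if auth["principal"] != tk["principal"] or abs(time.time() - auth["timestamp"]) > CLOCK_SKEW:
        raise ValueError("bad or stale authenticator (replay?)")
    return tk["principal"]


def client_login_and_print(principal: str, password: str, service: str = "printer") -> str:
    """Client side of all five steps; returns the identity the service accepted."""
    key = long_term_key(password)
    enc_session, tgt = as_exchange(principal)
    session_key = bytes.fromhex(open_box(key, enc_session)["session_key"])  # wrong password fails here
    enc_cs, ticket = tgs_exchange(tgt, seal(session_key, {"principal": principal,
                                                          "timestamp": time.time()}), service)
    cs_key = bytes.fromhex(open_box(session_key, enc_cs)["cs_key"])
    return service_accept(service, ticket, seal(cs_key, {"principal": principal,
                                                         "timestamp": time.time()}))


def wrong_password_fails(principal: str, password: str) -> bool:
    try:
        client_login_and_print(principal, password)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(client_login_and_print("alice", "alice-password"))  # alice
    print(wrong_password_fails("alice", "guess"))            # True
```

Two things in the code correspond to the strengths and weaknesses cards that follow: the timestamp check in `tgs_exchange` and `service_accept` is the replay defence, and the single `KDC_DB` dictionary is the reason a KDC compromise exposes every principal in the realm.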
117
Kerberos Strengths
Kerberos mitigates replay attacks (where attackers sniff Kerberos credentials and replay them on the network) via timestamps, and provides mutual authentication. Kerberos is also stateless: any credentials issued by the KDC or TGS are good for their lifetime, even if the KDC or TGS goes down.
118
Kerberos Weakness
KDC stores the keys of all principals. A compromise of the KDC can lead to the compromise of every key in the Kerberos realm. KDC and TGS are single points of failure. Kerberos is designed to mitigate a malicious network; a sniffer will provide little or no value. Kerberos does not mitigate a malicious local host, as plaintext keys may exist in the memory or cache.
119
Three components of Kerberos
Key distribution center (KDC), Authentication service (AS), Ticket granting service (TGS)
120
SESAME
(Secure European System for Applications in a multivendor Environment) A public key based alternative to Kerberos. SSO. Adds to Kerberos with asymmetric encryption. Uses Privilege Attribute Certificates (PAC) in place of Kerberos tickets.
121
Security Audit Logs
Logs produced by the system's access control mechanisms; they are reviewed to validate that the controls are performing adequately and to support accountability.
122
Hackers
a malicious or inquisitive meddler who tries to discover information by poking around. Cracker is also used to identify one with malicious intent.
123
Black Hat
Hacker with malicious intent
124
White Hat
Hacker who may be testing the integrity of a system. Ethical and helpful sort.
125
Grey Hat
Hacker who exploits a security weakness in a computer system or product in order to bring the weakness to the attention of the owners.
126
Script Kiddies
Those who attack a system with tools they have little or no understanding of.
127
Outsiders
Unauthorized attackers with no authorized privileged access to a system or organization. The outsider seeks to gain unauthorized access.
128
Insider attack
launched by an internal user who may be authorized to use the system that is attacked. Can be mistakes or malice that cause these.
129
Hacktivist
Hacker activist: someone who attacks computer systems for political reasons.
130
Bot
a computer system running malware that is controlled via a botnet. Zombie can also be a term used for a bot.
131
Botnet
A central command and control network managed by humans called bot herders. Traditionally uses IRC (Internet Relay Chat) networks for command and control; may also use HTTP, HTTPS, or proprietary protocols.
132
Phisher
a malicious attacker who attempts to trick users into divulging account credentials or PII. Many attempt to steal online banking information.
133
Spear Phishing
Targets fewer users, typically high-value targets such as executives, using their full names, titles, and other supporting information. When the targets are senior executives it is also called whaling or whale hunting.
134
Vishing
voice phishing. VoIP systems to automate calls to thousands of targets in attempts to get them to divulge personal banking info.
135
Penetration test
An effective way to assess the security of a system.
136
social engineering
Using the human mind to bypass security controls, e.g. emailing malware with the subject line "CAT 5 Hurricane to hit Florida!"
137
zero knowledge or Black Box
Test is blind. The penetration tester begins with no internal or trusted information and starts the attack with public information only.
138
Full Knowledge or Crystal Box
Provides internal information to the tester, including network diagrams, policies and procedures, and sometimes reports from previous penetration testers.
139
Partial knowledge
The tester gets some, but not all, internal information.
140
Penetration testing tools
Open source: Metasploit (metasploit.org). Closed source: Core Impact and Immunity CANVAS.
141
Vulnerablity Scanning or testing
Using tools to scan a network or system for misconfigurations, outdated software, and missing patches. Nessus or OpenVAS.
142
Security Audit
Tests against a published standard, e.g. the Payment Card Industry Data Security Standard (PCI DSS), for compliance.
143
Security Assessment
Holistic approach to assessing the effectiveness of access control. Views many controls over multiple domains: policies, procedures, and administrative controls; the real-world effectiveness of those administrative controls; change management; architectural review; penetration tests; vulnerability assessments; security audits.