4.3 Given a scenario, implement identity and access management controls. Flashcards

1
Q

Access Control Models

A

.

2
Q

Access Control Models - MAC

A

With the mandatory access control (MAC) model, each individual (known as a subject) is assigned a clearance level such as restricted, secret, or top secret. The data and other assets in the organization are assigned classification labels that represent the sensitivity of the information. Examples of classification labels are public, confidential, secret, top secret, and unclassified, to name a few.

3
Q

Access Control Models - DAC

A

Overview:
Discretionary access control (DAC) involves configuring permissions on a resource

Detail:
Discretionary access control, also known as DAC, is a model that decides who gets access to a resource based on a discretionary access control list (DACL). A DACL is a listing of users or groups (known as security principals) who are granted access to a resource, and the DACL typically determines what type of access the user has. That is, the DACL is the permissions assigned to a file. Each entry in the DACL is known as an access control entry (ACE).

In Microsoft environments, each security principal, such as a user account, computer account, or group, has a security identifier (SID) assigned to it. When a user logs on to the network, part of the authentication process is to generate an access token for the user (this is known as a logical token). The access token contains the user account SID, plus any SIDs for groups the user is a member of.

4
Q

Access Control Models - ABAC

A

Attribute-based access control (ABAC) is an access control model that involves assigning attributes, or properties, to users and resources and then using those attributes in rules to define which users get access to which resources. For example, you could configure a rule that specifies that if the user has a Department attribute of Accounting and a City attribute of Boston, then they can access the file. This is different from RBAC or GBAC in the sense that those models only check whether the user is in the role or group.

5
Q

Access Control Models - Role-based Access Control

A

Role-based access control involves placing users into containers (known as roles) and those roles are assigned privileges to perform certain tasks. When a user is placed in the role, they inherit any capabilities that the role has been assigned.

A number of applications use RBAC, such as Microsoft SQL Server and Microsoft Exchange Server. The following exercise shows how you can grant someone administrative access to a SQL Server by placing them in the sysadmin role.

6
Q

Access Control Models - Rule-based Access Control

A

Rule-based access control, also known as RBAC, involves configuring rules on a system or device that allow or disallow different actions to occur. For example, a router uses RBAC to determine what traffic can enter or leave the network by checking rules in an ACL configured on the router.

7
Q

Physical Access Control

A

A hacker can easily bypass the security of a system if the hacker can physically get to the system or server. Any security features of the operating system are only in effect while that operating system is running, so most hackers who wish to bypass the security of the operating system simply boot off a live DVD.

In order to prevent this from happening, you need to implement physical security within the organization to ensure that you control who gains physical access to the systems. Remember for the exam that physical security is an important method to help keep unauthorized individuals from gaining access to critical systems and networks.

8
Q

Physical Access Control - Proximity Cards

A

Proximity cards are small credit card-sized cards that activate when they are in close proximity to a card reader. Many organizations use these for access points, such as the entry to a building or the entry to a controlled area within a building. The door uses an electronic lock that only unlocks when the user passes the proximity card in front of a card reader.

Bonus:
A proximity reader is a sensor device that reads the access code from a token or card. The two major types of proximity readers are user-activated and system-sensing. With a user-activated proximity reader, the employee keys in a code or swipes the access card by the sensor to gain access to the facility. A system-sensing proximity reader continuously sends out an interrogating signal that the user’s access device responds to by sending the access code to the sensor for the door to unlock. Key fobs are token devices that are also used with proximity readers so that users can just wave the token over the reader to gain access to the facility.

9
Q

Physical Access Control - Smart Cards

A

Smart cards are credit card-sized cards that have an embedded microchip and a certificate. Users insert the smart card into a smart card reader, similar to how someone would insert a credit card into a credit card reader. The smart card reader reads the information on the card, including the details from the certificate, which provides certificate-based authentication.

Certificates are covered in more detail later; as an introduction, they are digital files that support cryptography for increased security. The embedded certificate allows the use of a complex encryption key and provides much more secure authentication than is possible with a simple password.

Additionally, the certificate can be used with digital signatures and data encryption. The smart card provides confidentiality, integrity, authentication, and non-repudiation.

10
Q

Biometric Factors

A

Biometrics is the process of authenticating to a system or network by using a physical characteristic of yourself such as a fingerprint, retina pattern, or voice pattern. Biometrics offers the highest level of security as it relates to authentication, but is not as common as a simple username and password–type authentication due to the expense.

11
Q

Biometric Factors - Fingerprint Scanner

A

A fingerprint scanner scans your fingerprint and compares it with the system-stored fingerprint that you previously submitted during enrollment. A similar system is a palm scanner.

12
Q

Biometric Factors - Retinal Scanner

A

A retinal scanner scans the pattern of blood vessels around the retina of your eye and compares it with the system-stored image.

13
Q

Biometric Factors - Iris Scanner

A

An iris scanner scans the colored part of your eye that surrounds the pupil and compares it with the system-stored image.

14
Q

Biometric Factors - Voice Recognition

A

A voice-recognition system requires you to speak and verifies your voice pattern based on the system-stored sample you previously submitted.

15
Q

Biometric Factors - Facial Recognition

A

A facial-recognition system verifies features of your face based on your system-stored digital image.

16
Q

Biometric Factors - False Acceptance Rate (Type II)

A

A type II error is the opposite of a type I error in that it allows someone to access the system who is not authorized to access the system. This type of error is known as the false acceptance rate (FAR).

17
Q

Biometric Factors - False Rejection Rate (Type I)

A

A type I error is known as the false rejection rate (FRR) and occurs when the biometric system fails to authenticate someone who is authorized to access the system.

18
Q

Biometric Factors - Crossover Error Rate

A

Biometric devices are sometimes rated by the percentage of errors that occur using a value known as the crossover error rate (CER). The CER is a number representing when the number of type I errors equals the number of type II errors. For example, if 5 out of 100 authentication attempts are type I errors and 5 out of 100 authentication attempts are type II errors, then the CER is 5. The lower the CER value, the more accurate the biometric system is.

19
Q

Tokens

A

.

20
Q

Tokens - Hardware

A

A small device that is typically used to identify an individual and is used in the authentication process. Of the different types of hardware tokens, the most popular is a device that displays a random number on it for 30 to 60 seconds (see Figure 10-2). The user enters that random number along with their username and password in order to log on.

Note that hardware tokens can also be physical objects that users need to have in their possession to gain access to a building, such as a card or device attached to a keychain that is swiped past an electronic reader to enter an area of the building.

21
Q

Tokens - Software

A

Very similar to a hardware token except that it is software (an app) stored on a computing device instead of being its own separate hardware device.

22
Q

Tokens - HOTP/TOTP

A

HOTP
HMAC-based One-Time Password is an algorithm that uses a Hash-based Message Authentication Code (HMAC) to generate one-time passwords.

TOTP
Time-based One-Time Password is an algorithm used by authentication systems that involves passwords being generated based on the current time.

23
Q

Certificate-based Authentication

A

Certificate-based authentication requires the user or client computer to authenticate to the network by presenting a Public Key Infrastructure (PKI) client-side certificate to the authentication system.

The authentication system verifies the certificate by checking the following:

  1. Is the certificate from a trusted certificate authority (CA)?
  2. Has the certificate's validity period expired?
  3. Has the certificate been revoked?

24
Q

Certificate-based Authentication - PIV/CAC/Smart Card

A

CAC
A Common Access Card (CAC) is a specialized type of smart card used by the U.S. Department of Defense. In addition to including the capabilities of a smart card, it also includes a picture of the user and other readable information. Users can use the CAC as a form of photo identification to gain access into a secure location. For example, they can show their CAC to guards who are protecting access to secure areas. Once inside the secure area, users can use the CAC as a smart card to log on to computers.

PIV
A Personal Identity Verification (PIV) card is a specialized type of smart card used by U.S. federal agencies. It also includes photo identification and provides confidentiality, integrity, authentication, and non-repudiation for the users, just as a CAC does.

CACs and PIVs both support dual-factor authentication (sometimes called two-factor authentication) because users generally log on with the smart card and by entering information they know such as a password. Additionally, just as with smart cards, these cards include embedded certificates used for digital signatures and encryption.

25
Q

Certificate-based Authentication - IEEE 802.1X

A

When looking to control which devices can be used to connect to a wireless network or wired LAN, you can use 802.1X with the Extensible Authentication Protocol over LAN (EAPOL).

802.1X Stages of Communication
When preparing for the Security+ certification exam, it is important to know the stages of 802.1X communication and the protocols used at each stage. The following are the stages of communication between the 802.1X components:

  1. EAPOL Start
    Communication starts with the client machine, or supplicant, sending an EAPOL Start message. This is a layer-2 frame requesting access to the switch or wireless access point.
  2. EAPOL Identity Request
    The switch or wireless access point, also known as the authenticator, sends an EAPOL frame back to the supplicant requesting the supplicant identify itself.
  3. EAPOL Identity Response
    The supplicant sends an EAPOL response message that includes its authentication information. This could be a username and password or it could be a certificate.
  4. Credentials sent
    The authenticator uses RADIUS to send an IP packet containing the credentials to the authentication server.
  5. RADIUS Access: Accept/Reject
    The authentication server sends back a RADIUS Access message to the authenticator that includes either an accept or reject status. If the credentials were verified, it sends an Access-Accept message, and if the credentials were incorrect, it sends an Access-Reject message.
  6. EAPOL Success/Fail
    Finally, the authenticator sends an EAPOL message to the supplicant with a success or fail status. With a Success message, the client system is granted access to the network.

26
Q

File System Security

A

Windows - NTFS Permissions
Read
I consider the Read permission to be the minimal level of access I would grant, and it actually includes the Read, List Folder Contents, and Execute permissions.

Modify
The Modify permission gives all the permissions for Read, but also allows someone to modify the file, delete the file, and create new files if the permission is assigned to a folder.

Full Control
This permission allows the person to perform all tasks of the Modify permission, but also allows them to change permissions and take ownership of files.

Linux - chmod
You can control access to files in Linux by using the chmod command. When using the chmod command, each of the three permissions for files and folders in Linux has a numerical value associated with it:
Read (R): 4
Write (W): 2
Execute (X): 1

Three entities can have these three permissions to a file or folder: the file owner, a group, and everyone else. To change the permission, you use the chmod (change mode) command and modify the permission by placing a number that represents the desired permission in each of the three placeholders.

27
Q

Database Security

A

The new Security+ certification exam expects you to understand aspects of database security. A database is a system that stores a wealth of information about a company or entity. The database typically stores sensitive information that needs to be secured, and we as security folks have to control who has access to that information. There are a number of steps we can take to secure our database environment:
1. Roles (db_owner, db_securityadmin, db_datareader, …)
2. Permissions (e.g., can SELECT but can't DELETE)
3. Encryption (Sensitive data must be encrypted)
4. Auditing
One of the key points to remember when implementing security is that you want to plan for auditing. When planning auditing of the database, ask yourself, “Is there anything I want to know about when it happens?” For example, do you want to know when someone looks at the data? Do you want to know when someone modifies or updates information in the database? Do you want to know when someone deletes a record from the database? You can configure auditing in the database to track all of these activities.

28
Q

Bonus - Access Control Models - MAC - Common Sensitivity Levels for Government Organizations

A

Top secret
The highest sensitivity label. Information classified as top secret could cause grave damage to national security if leaked to the public.

Secret
The second-highest sensitivity label. Information classified as secret could cause serious damage to national security if leaked to the public.

Confidential
The third-highest sensitivity label. Information classified as confidential could cause damage to national security if leaked to the public.

Restricted
Information assigned this classification label could cause an undesirable outcome if exposed to the public.

Unclassified
Any information not assigned a classification label is considered unclassified and is suitable for public release.

29
Q

Bonus - Access Control Models - MAC - Common Sensitivity Levels for Business Sector

A

Confidential
The highest sensitivity label. Information classified as confidential could cause grave damage to the organization if leaked to the public.

Private
The second-highest sensitivity label. Information classified as private could cause serious damage to the organization if leaked to the public.

Sensitive
Information assigned this classification label could cause an undesirable outcome if exposed to the public.

Public
Information assigned this classification label is suitable for public release.