5. Identity And Access Management Flashcards
What does IAAA stand for?
Identification, Authentication, Authorization, and Accounting
Define identity and access management
Services/policies/procedures for managing a digital identity.
What is the regulation that dictates that security controls must be audited annually?
Sarbanes-Oxley (SOX)
Define authorization
Confirms that the authenticated entity (user) has the privileges and permissions necessary to access what it wants to access.
What are CRUD operations?
Create, Read, Update and Delete
What should privileges always be based on?
Least privilege.
Define accountability
Tracing an action to a subject (user).
- Also known as auditing.
What must accountability include to be legitimate?
- Identify the subject
- The action
- Object on which the action was performed
- Timestamp
What is DAC?
Discretionary Access Control
- Security of objects is under the owner's control and is granted through an ACL.
- Identity-based.
- Common in commercial products and all client-based systems.
What is MAC?
Mandatory Access Control
- The data owner cannot grant access.
- The OS makes the granting decision based on a security label system.
- The subject's label must dominate the object's label.
- Rules are configured by the security officer and enforced by the OS.
What is RBAC?
Role Based Access Control.
- Good at fixing authorization creep.
What can you authenticate your identity with?
- Something you know
- Something you have
- Something you are
Having two of these is called strong authentication, or two-factor authentication.
What are static biometric measures?
Biometric markers that do not change.
E.g. your fingerprint, hand geometry, iris, retina pattern.
What are dynamic biometrics?
Biometrics that are based on your behavioral traits.
E.g. voice, gait, signature, keyboard cadence, etc.
What is a type 1 accuracy error?
FRR - false rejection rate
Legitimate user is barred from access.
Usually happens when the system evaluates too much info.
What is a type 2 accuracy error?
FAR - false acceptance rate
An imposter is allowed in.
Happens when the system does not evaluate enough info.
What is the CER?
Crossover Error Rate.
The point at which FRR and FAR are equal. This is the standard measure of how accurate the system is.
Lower value is better.
What is AS?
Authentication Server
A part of the Kerberos SSO.
It authenticates the user and issues a TGT.
What is a TGT?
Ticket granting token
What is a TGS?
Ticket Granting Server.
Where a TGT is exchanged for a ticket that grants a particular user access to a particular service.
What is a KDC?
Key Distribution Center
Part of the Kerberos SSO; the KDC runs the TGS and AS.
What are Rule Based Access Controls?
Specific rules indicate what can and cannot transpire between a subject and an object.
Also called non-discretionary.
What are Constrained User Interfaces?
Restrict users' access by not allowing them to see certain data or use certain functionality.
Has a menu.
Think of the kiosks at work.
What are Content Dependent Access Controls?
Access is determined by the type of data.
E.g. email filters looking for SSN-length numbers.
What are context dependent Access Controls?
The system reviews the situation and then makes an access decision based on it.
E.g. a firewall.
What does RADIUS stand for?
Remote Authentication Dial-in User Service.
Authentication protocol that authenticates and authorizes users.
Provides protected communication between server and client.
What protocol does RADIUS use?
UDP
TACACS+ and Diameter use TCP.
What are the steps to provide emanation security?
Faraday cages
White noise generators
Control Zones