Access Control Flashcards
3 primary types of access control
preventive, detective, and corrective.
secondary types of access control
There are also four other access control types, commonly known as deterrent, recovery, directive, and compensation access controls
process by which a subject professes an identity and accountability is initiated
Identification
process of verifying or testing that a claimed identity is valid
Authentication
Indicates who is trusted to perform specific operations
Authorization
Which part of AAA is done via auditing, logging, and monitoring, and ensures that subjects can be held accountable for their actions? Auditing is the process of tracking and recording subject activities within logs.
Accountability
RSA token is what kind of token (sync/async, static/dynamic)?
An RSA token is a synchronous dynamic password token. It generates passwords at fixed time intervals, such as every 60 seconds.
Which (sync or async) dynamic password token does not use a clock? It generates passwords based on the occurrence of some event. These tokens often generate a password after the user enters a PIN into the token device.
Asynchronous
Which access control model? Every object has an owner, owners have full control over their objects. Permissions are maintained in an ACL, and owners can easily change permissions.
Discretionary access control (DAC)
Which access control model? Access does not focus on user identity. Instead, a static set of rules governing the whole environment is used to manage access
Non-DAC (nondiscretionary access control)
Rule-based access controls and lattice-based access controls are both considered ….
Non-DAC
Which access control model relies upon the use of classification labels? Each classification label represents a security domain, or a realm of security.
MAC
SSO solution for login that uses symmetric key crypto (AES encryption). Provides confidentiality AND integrity for authentication.
Kerberos
AAA protocols
Provide authentication, authorization, and accounting (sometimes identification is included). Typically used for VPN and other centralized access controls.
3 common AAA protocols are …
RADIUS, TACACS+, and Diameter.
various TYPES of access control (7):
Preventive, detective, corrective, deterrent, recovery, directive, and compensation.
birthday attack
A birthday attack focuses on finding collisions, similar to finding two passwords with the same hash. Example: with 50 people in a room, two will share a birthday.
a variant of phishing that uses the phone system or VoIP. A common attack uses an automated call to the user explaining a problem with a credit card account.
Vishing
name 4 different password attacks:
dictionary attacks, brute-force attacks, rainbow table attacks, and sniffer attacks
What attack uses all possible combinations of keyboard characters?
Brute-force attack
What attack uses a predefined list of possible passwords?
Dictionary attack
Symmetric or asymmetric? These cryptosystems use a shared secret key available to all users of the cryptosystem.
Symmetric
Symmetric or asymmetric? These cryptosystems utilize individual combinations of public and private keys for each user of the system.
Asymmetric
AND function
Returns TRUE only when X and Y are both TRUE: 1 AND 1 = 1, else 0.
OR function
Returns FALSE only when X and Y are both FALSE: 0 OR 0 = 0, else 1.
NOT operation (~ or !)
Returns the opposite of its input.
XOR ⊕ function
Returns TRUE if both are the same.
Cipher that uses an encryption algorithm to rearrange the letters of a plaintext message, forming the ciphertext message
Transposition
Ciphers that use the encryption algorithm to replace each character or bit of the plaintext message with a different character
Substitution
One-time pad
A powerful type of substitution cipher. One-time pads use a different substitution alphabet for each letter of the plaintext message. (Ex: Caesar, Vigenère)
Cipher where the encryption key is as long as the message itself and is often chosen from a common book
Book cipher or running key cipher
A kind of cipher that operates on "chunks," or blocks, of a message and applies the encryption algorithm to an entire message block at the same time.
Block cipher
A kind of cipher that operates on one character or bit of a message (or data stream) at a time.
Stream cipher
Asymmetric key encryption
Provides integrity, authentication, and non-repudiation. Adding/removing users is easy, and regenerating keys in case of compromise is easy and fast.
Common Symmetric Cryptosystems
Data Encryption Standard (DES), Triple DES (3DES), International Data Encryption Algorithm (IDEA), Blowfish, Skipjack, and the Advanced Encryption Standard (AES)
AES cipher
The AES cipher allows the use of three key strengths: 128 bits, 192 bits, and 256 bits.
Diffie-Hellman
Symmetric key encryption used when neither offline distribution nor public key encryption is sufficient. Diffie-Hellman is an algorithm where two parties provide random values and extract a key from: K = S^r mod p
Zero-knowledge proof
Zero-knowledge proof is a communication concept. A specific type of information is exchanged but no real data is transferred, as with digital signatures and digital certificates.
Importance of key length
Modern cryptosystems utilize keys that are at least 128 bits long to provide adequate security. It is generally agreed that the 56-bit key of the Data Encryption Standard (DES) is no longer long enough to provide security.
4 modes of DES:
Electronic Codebook (ECB), Cipher Block Chaining (CBC) mode, Cipher Feedback (CFB), and Output Feedback (OFB) mode. ECB is least secure.
AES
Utilizes the Rijndael algorithm. The US government standard. Uses key lengths of 128, 192, and 256 bits and a fixed block size of 128 bits. Better than the older DES algorithm.
Take-Grant
Take-Grant model may also adopt a create rule and a remove rule to generate or delete rights. The key to this model is that using these rules allows one to figure out when rights in the system can change and where leakage (i.e., unintentional distribution of permissions) can occur.
Access control matrix
A table of subjects and objects. Column = ACL; row = capability list.
Goguen-Meseguer model
An integrity model. The Goguen-Meseguer model is based on predetermining the set or domain (a list of objects that a subject can access). This model is based on automaton theory and domain separation.
Sutherland model
The model is based on the idea of defining a set of system states, initial states, and state transitions. Through the use of, and limitation to, only these predetermined secure states, integrity is maintained and interference is prohibited.
Biba
Integrity model. No write down. No read up.
Phishing
Phishing is a type of social engineering whose goal is to obtain PII.
Pharming
Pharming redirects victims to a fake website that looks legitimate and carries out DNS poisoning (in which a DNS server resolves a host name into an incorrect IP address).
Authentication vs Authorization.
They are close in meaning, but authentication is the PROCESS of verifying the identity of the subject requesting access. Authorization is the ACTION of granting permission.
Collusion (not to be confused with collision)
The practice of separation of duties forces two or more employees to work together, in an effort to avoid fraud.
X.500 standard
Most directories follow a hierarchical database format based on the X.500 standard. Its primary concept is that there is a single Directory Information Tree, a hierarchical organization of entries that is distributed across one or more servers, called directory system agents.
Tunneling
Tunneling is an attack that utilizes low-level functions to infiltrate a system.
T or F?
A Smurf attack is a DoS attack.
True
ICMP ECHO attack
The attacker changes an ICMP ECHO request packet's source IP address to that of the victim, which floods the victim with replies and overwhelms it.
Something you know, something you are, and something you have are three possible factors of ...
Authentication
FACT: A meta-directory gathers necessary information from multiple sources and stores it in a central directory. A virtual directory can also serve the same purpose.
n/a
Capacity to process information: memory cards vs. smart cards
Memory card = holds information ONLY
Smart card = holds information and processes information
Security Assertion Markup Language (SAML)
SAML allows authentication and authorization data to be exchanged between security domains. Mostly used for SSO in a web-based environment.
What single sign-on technology is based upon symmetric cryptography, thus not needing PKI?
Kerberos
Which single sign-on technology is based upon public-key crypto and thus requires PKI?
SESAME
SPML
The Service Provisioning Markup Language allows companies and interfaces to pass service requests, and the receiving company provisions access to the services. The sending and receiving companies need to be following the XML standard, which allows this type of cross-vendor exchange to take place.
Security event management software
Security event management software allows network traffic to be analyzed holistically by gathering log data centrally and analyzing it.
Your organization has become worried about recent attempts to gain unauthorized access to the R&D facility. Therefore, you have been asked to implement a system that will require individuals to present a password and enter a PIN at the security gate before gaining access. What is this type of system called? A. Authorization B. Two-factor authentication C. Authentication D. Three-factor authentication
C. Authentication
Which style of authentication is not susceptible to a dictionary attack? A. CHAP B. LEAP C. WPA-PSK D. PAP
D. PAP
Which of the following types of copper cabling is the most secure against eavesdropping and unauthorized access? A. Single-mode fiber B. Multimode fiber C. Category 6 cabling D. 802.11g wireless
C. Cat 6 cabling
Auditing is considered what method of access control? A. Preventive B. Technical C. Administrative D. Physical
C. Administrative
Which of the following is not an example of a single sign-on service? A. RADIUS B. Kerberos C. SESAME D. KryptoKnight
A. RADIUS
Christine, a newly certified CISSP, has offered to help her brother-in-law, Gary, at his small construction business. The business currently has 18 computers configured as a peer-to-peer network. All users are responsible for their own security and can set file and folder privileges as they see fit. Which access control model best describes the configuration at this organization? A. Discretionary B. Mandatory C. Role-based D. Nondiscretionary
A. Discretionary
You are approached by a junior security officer who wants to know what CVE stands for. What do you tell him? A. Critical Vulnerability and Exploits B. Common Vulnerabilities and Exposures C. Chosen Vulnerabilities and Exploits D. Common Vulnerabilities and Exploits
B. Common Vulnerabilities and Exposures
Various operating systems such as Windows use what to control access rights and permissions to resources and objects? A. RBAC B. MITM C. ABS D. ACL
D. ACL
Kerberos has some features that make it a good choice for access control and authentication. One of these items is a ticket. What is a ticket used for? A. A ticket is a block of data that allows users to prove their identity to an authentication server. B. A ticket is a block of data that allows users to prove their identity to a service. C. A ticket is a block of data that allows users to prove their identity to a ticket-granting server. D. A ticket is a block of data that allows users to prove their identity to the Kerberos server.
B. A ticket is a block of data that allows users to prove identity to a service.
What type of cryptography does SESAME use to distribute keys? A. Public key B. Secret key C. SHA hashing algorithm D. None; it uses clear text.
A. Public Key
Your coworkers are having a heated discussion about access control models and their differences. To help them move on to more productive endeavors, you offer to answer their question. Specifically, they want to know what the driving force was behind the development of the Biba model. What do you tell them? A. The Biba model addressed the fact that the Bell-LaPadula model would allow a user with a higher security level rating to write to a subject’s information with a higher security level. B. The Biba model addressed the fact that the Bell-LaPadula model would allow a user with a lower security level rating to write to a subject’s information with a higher security level. C. The Biba model addressed the fact that the Clark-Wilson model would allow a user with a lower security level rating to write to a subject’s information with a lower security level. D. The Biba model addressed the fact that the Clark-Wilson model would allow a user with a higher security level rating to write to a subject’s information with a lower security level.
B. The Biba model addressed the fact that Bell-LaPadula would allow a user with a lower security level to write to a subject's information with a higher security level.
What are three types of anomaly-based IPS?
Statistical, protocol, and traffic
Which of the following access control models addresses integrity? A. Brewer Nash B. Biba C. Bell-LaPadula D. PERT
B. Biba
difficulty remembering all their passwords as they complete their daily activities. What would be the best solution? A. Lower the passwords’ complexity requirements B. Implement harsher penalties C. Add assisted user reset capabilities D. Use single sign-on
D. Use single sign-on
How do you lower type 1 errors on biometric devices? A. By increasing type 2 errors B. By decreasing type 2 errors C. By increasing precision D. By decreasing CER
A. By increasing type 2 errors
A Privilege Attribute Certificate (PAC) is a component of SESAME and acts as the ticket similar to Kerberos.
True
What is the best way to store passwords? A. In a one-way encrypted file B. Using symmetric encryption C. Using asymmetric encryption D. By means of a digital signature
A. In a one-way encrypted file
Which of the following best describes a Zephyr chart? A. A means of establishing the accuracy of a biometric system B. A means of comparing different biometric systems C. A means of comparing type II and type III authentication systems D. A chart used to examine the accuracy of IDSs and IPSs
B. A means of comparing different biometric systems
Being asked what your maiden name is, what city you were born in, and what your pet's name is is an example of what? A. Single sign-on (SSO) B. Self-service password reset C. Centralized authentication D. Assisted passwords
B. Self-service password reset
Nondiscretionary access control includes which of the following? A. Role- and task-based B. Rule-based and mandatory C. Labeled and mandatory D. None of the above, because there are no subcategories
A. Role- and task-based
Which of the following best describes a federated identity? A. Simply another term for SSO B. It is restricted to use within a specific domain or area of the network. C. Type I authentication (something you know) D. It is portable and can be used across business boundaries.
D. It is portable and can be used across business boundaries.
What is a trust? A. A one-way-only bridge established between two domains B. A two-way-only bridge established between two domains C. A security bridge that is established after a valid authentication D. A security bridge that is established between two domains
D. A security bridge that is established between two domains
Which biometric system examines the colored portion of the eye that surrounds the pupil? A. Iris B. Retina C. Fovea D. Optic disk
A. Iris
The Privilege Attribute Certificate (PAC) is a component of what? A. TACACS B. Kerberos C. RADIUS D. SESAME
D. SESAME
Triple model to ensure information INTEGRITY with enforcement rules and certification rules. "Separation of duties." Relies on auditing to ensure accountability. What access control model/theory?
Clark-Wilson
What access control model/theory focuses on INTEGRITY via secure creation/deletion of subjects & objects?
Goguen-Meseguer and Sutherland
A system that requires a password and PIN at the gate before access is granted is what type of system? A. Authorization B. Two-factor authentication C. Authentication D. Three-factor authentication
C. Authentication
Which biometric system examines the colored portion of the eye that surrounds the pupil?
The iris is the colored portion of the eye.
Provide the formula to calculate Annualized Loss Expectancy (ALE).
ALE = SLE × ARO, where SLE = AV × EF
Define Delphi technique
An anonymous feedback and response process used to arrive at a consensus.
Trusted Computer System Evaluation Criteria (TCSEC) is the DoD standard for computer security requirements. The TCSEC was used to evaluate, classify, and select computer systems being considered for the processing, storage, and retrieval of sensitive or classified information. What color book in the rainbow series?
ORANGE
What are the levels of TCSEC and what do they represent?
The TCSEC defines four divisions: D, C, B, and A, where division A has the highest security. D = minimal protection; C = discretionary protection; B = mandatory protection; A = verified protection.
Threat Events
Threat events are accidental or intentional exploitations of vulnerabilities.
Documentation Reviews
A portion of the documentation review is the logical and practical investigation of business processes and organizational policies.
You’ve performed a basic quantitative risk analysis on a specific threat/vulnerability/risk relation. You select a possible countermeasure. When performing the calculations again, which of the following factors will change? a: exposure factor b: single loss expectancy c: asset value d: ARO
D: ARO. A countermeasure directly affects the annualized rate of occurrence, primarily because the countermeasure is designed to prevent the occurrence of the risk, thus reducing its frequency per year.
Which of the following is a primary purpose of an exit interview?
To review NDA
What is the primary goal of access control?
Access control mechanisms help to prevent losses, including any loss of confidentiality, loss of availability, or loss of integrity. Subjects authenticate on a system and objects are accessed. A first step in access control is the identification and authentication of subjects, but access control also includes authorization and accountability.
What type of access controls are hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems? A. Administrative B. Logical/technical C. Physical
B. Logical/technical access controls are the hardware or software mechanisms used to manage access to resources and systems and to provide protection for those resources and systems. Administrative controls are managerial controls, and physical controls use physical items to control physical access. A preventive control attempts to prevent security incidents.
All of the following are needed for system accountability except for one. Which one is not needed? A. ID B. Authentication C. Auditing D. Authorization
D. Authorization
What is an ACL based on? A: An Obj B: A Subj C: A Role
Answer is A. An ACL is based on an object and includes a list of subjects that are granted access. A capability table is focused on a subject and includes a list of objects the subject can access. Roles and accounts are examples of subjects and may be included in an ACL, but they aren't the focus.
Which is not used to support single sign-on? A: Kerberos B: Federated Identity Management System C: TACACS+ D: SPML
C: TACACS+ is a centralized authentication service used for remote access clients but not for single sign-on. Kerberos and federated identity management systems are used to support single sign-on. Service Provisioning Markup Language (SPML) is a language used with some federated identity systems.
Which of the following is the best choice to support a federated identity management system? A: Kerberos B: HTML C: XML (Extensible Markup Language) D: SPML
D: SPML is an XML-based framework used to exchange user information for single sign-on (SSO) between organizations within a federated identity management system. Kerberos supports SSO in a single organization, not a federation. HTML only describes how data is displayed. XML could be used, but it would require redefining tags already defined in SPML.
What is a passive, noninvasive attack used to observe the operation of a device? Methods include power monitoring, timing, and fault analysis attacks.
A side-channel attack
Define Whaling
Whaling is a type of phishing attack that targets high-level executives.
Clipping
Clipping is a form of nonstatistical sampling that reduces the amount of logged data based on a clipping-level threshold.
Remember: Audit trails are a passive form of detective security control. Administrative controls are management practices. Corrective controls can correct problems related to an incident, and Physical controls are controls that you can physically touch.
..
Which of the following is the least resistant to EMI? A: Thinnet B: 10Base-T UTP C: 10Base5 D: Coaxial cable
B: 10Base-T UTP is the least resistant to EMI because it is unshielded. Thinnet (10Base2) and thicknet (10Base5) are each a type of coaxial cable, which is shielded against EMI.
Which of the following is not an example of network segmentation? A: Intranet B: DMZ C: Extranet D: VPN
D: A VPN is a secure tunnel used to establish connections across a potentially insecure intermediary network. Intranet, extranet, and DMZ are examples of network segmentation.
What is a TCP wrapper?
A TCP wrapper is an application that can serve as a basic firewall by restricting access based on user IDs or system IDs.
Fact: Stateful inspection firewalls are able to grant a broader range of access for authorized users and activities and actively watch for and block unauthorized users and activities. Stateful inspection firewalls are also known as third-generation firewalls.
..
Switches are smart
A switch is an intelligent hub. It is considered to be intelligent because it knows the addresses of the systems connected on each outbound port.