Access Control Flashcards

1
Q

CIA Triad

A

Confidentiality, Integrity and Availability - Cornerstone concept of Information Security

2
Q

DAD

A

Disclosure, Alteration and Destruction - The opposing forces to the CIA triad

3
Q

Confidentiality

A

CIA: prevention of unauthorized disclosure of information.

4
Q

Integrity

A

CIA: prevention of unauthorized changes to information.

5
Q

Integrity - 2 types

A

Data Integrity and System Integrity

6
Q

AAA

A

Authentication, Authorization and Accountability.

7
Q

Subject/Object

A

A subject is an active entity on a system. An OBJECT is any passive entity holding data (e.g. data files).

8
Q

Defense-in-Depth

A

Layered defense. Implementation of multiple safeguards (controls) to reduce risk.

9
Q

DAC

A

Discretionary Access Control. Gives subjects full control of objects they have been given access to. Subject may give others access to their objects.

10
Q

MAC

A

Mandatory Access Control. SYSTEM-enforced control based on clearance and object labels. Example: security classification (Secret, Confidential, FOUO). Expensive and difficult to implement.

11
Q

RBAC

A

Role Based Access Control. Access is based on a user’s “role”. Example: administrator, nurse, backup-admin. Non-discretionary access control.

12
Q

Centralized Access Control

A

Access control at one logical point for a system or organization. Systems authenticate via third-party authentication servers (e.g. SSO - single sign-on).

13
Q

Decentralized Access Control

A

Locally based control over multiple sites. AKA “Distributed Access Control”.

14
Q

RADIUS

A

Remote Authentication Dial-In User Service. This is an AAA system. Uses multiple servers. Encrypts only the password.

15
Q

Diameter

A

Access control protocol. Successor to RADIUS. Uses the AAA framework. Uses a single server. Uses TCP.

16
Q

TACACS & TACACS+

A

Terminal Access Controller Access Control System. Centralized access control system that requires users to send an ID and static password for authentication. Uses UDP or TCP. Encrypts all authentication data.

17
Q

PAP

A

Password Authentication Protocol. Sends the password over the wire in clear text - NOT SECURE.

18
Q

CHAP

A

Challenge Handshake Authentication Protocol. Uses a central location that challenges remote users. Protects against playback (replay) attacks. A mutual secret is stored by the server and the peer but never sent over the wire.

19
Q

Microsoft AD Domains

A

Active Directory uses a “domains” model for access control, with the Kerberos authentication protocol. Each domain has a separate authentication process and space.

20
Q

Access Control Defensive Categories (6)

A

Preventive, Detective, Corrective, Recovery, Deterrent, Compensation

21
Q

Administrative Access Control

A

Controls implemented by creating and following organization policy, procedures or regulations.

22
Q

Technical Access Control

A

Implemented using software, hardware or firmware. Examples: firewalls, routers or encryption.

23
Q

Physical Access Control

A

Implemented with physical devices such as locks, fences, gates, security guards, etc.

24
Q

Preventive Controls

A

Restrictions on what a user can do. An ACL is one example. Pre-employment or drug screenings are an example of an administrative preventive control.

25
Q

Detective Controls

A

Controls that alert during or after a successful attack. Examples are an IDS or security cameras that alert guards.

26
Q

Corrective Controls

A

Correcting a damaged system or process. Antivirus is both Detective and Corrective.

27
Q

Recovery Controls

A

Post-incident controls. Recovery means the system must be recovered (e.g. restored).

28
Q

Deterrent Controls

A

Used to “deter” a user from performing actions on a system. An example is a user login banner or a “Beware of Dog” sign.

29
Q

Compensating Controls

A

An additional security control used to compensate for weaknesses in other controls. Example: routine log reviews.

30
Q

Authentication Models (3)

A

Type 1 (something you know), Type 2 (something you have), Type 3 (something you are)

31
Q

Type 1 Authentication

A

Something you know. Passwords.

32
Q

Type 2 Authentication

A

Something you have. Tokens, keys, smartcards, etc.

33
Q

Synchronous Dynamic Token

A

The access code is dynamic, constantly changing. The server maintains a record of each registered token and synchronizes codes for each.

34
Q

Asynchronous Dynamic Token

A

Uses challenge/response tokens.

35
Q

Type 3 Authentication

A

Something you are. Biometrics.

36
Q

Biometric Accuracy

A

FRR - False Reject Rate, FAR - False Accept Rate, CER - Crossover Error Rate

37
Q

Biometric Control Types

A

Fingerprints, Retinal Scan, Iris Scan, Hand Geometry, Keyboard Dynamics, Dynamic Signature, Voiceprint, Facial Scan

38
Q

SSO

A

Single Sign-on. Allows multiple systems to use a central authentication service for access to multiple systems. Also provides centralized user management.

39
Q

Kerberos Components

A

Principal (client or service), Realm (Kerberos network), Ticket, Credentials (ticket and service key), KDC - Key Distribution Center, TGS - Ticket Granting Service, TGT - Ticket Granting Ticket, C/S - Client/Server

40
Q

SESAME

A

Secure European System for Application in a Multivendor Environment - An SSO system that supports heterogeneous environments. Uses PACs (Privilege Attribute Certificates) instead of Kerberos tickets.

41
Q

Pen Test - Zero Knowledge

A

AKA “black box”. The tester has no internal or trusted information and attacks using public information only.

42
Q

Pen Test - Full Knowledge

A

AKA “crystal box”. The tester has internal information, including network information, previous test results, etc.