Access Control Flashcards

1
Q

What are two types of Integrity?

A

Data Integrity & System Integrity

2
Q

What is the opposite of the CIA triad?

A

Disclosure, Alteration, & Destruction (DAD)

3
Q

What must occur before Authentication, Authorization, & Accountability (AAA)?

A

Identification

4
Q

What combines authentication and integrity?

A

Non-repudiation

5
Q

What means users should be granted the minimum amount of access (authorization) required to do their jobs?

A

Least privilege

6
Q

What is more granular than Least privilege?

A

Need to know

7
Q

An active entity that accesses a passive entity is known as?

A

Subject (active) and object (passive)

8
Q

What applies multiple controls to reduce risk on an asset?

A

Defense-in-depth

9
Q

What are the three primary access control models?

A

Mandatory, Discretionary, and Non-discretionary

10
Q

What are two types of Non-discretionary access control models?

A

Role based and task based

11
Q

What is a list of objects that, for each entry, describes what a subject can do?

A

Access Control List (ACL)

12
Q

What is one logical point for controlling access through a third-party system? It provides a central point for AAA; an example would be Single Sign-On (SSO).

A

Centralized access control

13
Q

______ _________ occurs as individual users gain more access to systems. This can happen intentionally (SSO) or unintentionally, which would result in _______ ________.

A

Access Aggregation, Authorization Creep

14
Q

What is the following?
A client/server protocol
Runs in the application layer
Uses UDP port 1812 (authentication) and 1813 (accounting)
Considered a AAA system

A

Remote Authentication Dial-In User Service (RADIUS)

15
Q

What is the successor to RADIUS?

A

Diameter

16
Q

What is the following?
Requires the user to send an ID and static (reusable) password for authentication
Goes over UDP or TCP port 49

A

TACACS

17
Q

What does TACACS+ offer over TACACS?

A

Provides better password protection through two-factor authentication

18
Q

Why is PAP insecure?

A

When the user enters a password, it goes over the network in cleartext, allowing someone to sniff it.

19
Q

What does CHAP protect against? What does it depend on?

A

Playback attacks. It depends on a secret only known to the authenticator and peer. This secret is not sent over the link.

20
Q

Access Control categories fall into what?

A

Administrative (Directive), Technical (Logical), Physical

21
Q

What is a combination of both the identification and authentication of a user?

A

Credential set

22
Q

What are the three basic types of authentication methods?

A

Type 1 (Something you know)
Type 2 (Something you have)
Type 3 (Something you are)

23
Q

What is it when the user is required to provide more than one authentication factor?

A

Strong Authentication or multi-factor authentication

24
Q

What is often the weakest form of authentication?

A

Type 1 (Something you know)

25
Q

What are the four types of passwords?

A

Static
Passphrases
One-time
Dynamic

26
Q

Reusable passwords that may or may not expire and work best when combined with another authentication type, such as a smart card or biometrics?

A

Static passwords

27
Q

Described as long static passwords; can be made stronger using nonsense words like XYZZY?

A

Passphrases

28
Q

Used for a single authentication; very secure, difficult to manage, and impossible to reuse?

A

One time password

29
Q

This password changes at regular intervals; the user could combine their static PIN with a token to create the password, but the token is expensive?

A

Dynamic passwords

30
Q

What is it called when an attacker runs a hash algorithm forward many times, selecting different passwords, to produce a matching hash?

A

Password cracking

31
Q

This type of attack runs a predefined list of words through the hash algorithm in hopes of generating a matching hash?

A

Dictionary attack

32
Q

This attack appends, prepends, or changes characters in words from a dictionary before hashing, attempting to quickly crack complex passwords?

A

Hybrid attack

33
Q

This attack takes more time by calculating hash outputs for every possible password but is more effective?

A

Brute Force attack

34
Q

This attack is a precomputed compilation of passwords (or plaintext) and matching hashes (or ciphertext) that can quickly crack almost all hashes?

A

Rainbow table

35
Q

A ______ value ensures that the same password will encrypt differently when used by different users. This makes rainbow tables far less effective, depending on its length?

A

Salt

36
Q

An object that helps prove an identity claim?

A

Token

37
Q

_________ _________ ______ use time or counters to synchronize a displayed token code expected by the authentication server: the codes are synchronized.

A

Synchronous dynamic tokens

38
Q

A challenge-response token authentication system requires a user to enter information into the token to produce an output that is sent to the system; this is also known as?

A

Asynchronous dynamic token

39
Q

Biometrics may be used to establish what?

A

An Identity or to Authenticate

40
Q

What describes the process of registering with a biometric system (e.g., creating an account for the first time)?

A

Enrollment

41
Q

What describes the process of authenticating to a biometric system (also called the biometric system response time)?

A

Throughput

42
Q

False rejection errors are also known as?

A

Type-I error

43
Q

False acceptance errors are known as?

A

Type-II error

44
Q

What type of biometric accuracy error is the worst?

A

FARs (Type II errors) are worse than FRRs (Type I errors)

45
Q

Used to describe the overall accuracy of a biometric system (also known as the Equal Error Rate)?

A

Crossover Error Rate (CER)

46
Q

When the sensitivity of a biometric system increases, what also increases and what drops?

A

FRRs increase and FARs will drop

47
Q

The most widely used biometric control; can be stored in smart cards, and the data (minutiae) must be small enough for authentication?

A

Fingerprints

48
Q

Scans the blood vessels in an eye; the most intrusive, and rarely used due to the health risks and invasion-of-privacy issues involved?

A

Retina Scan

49
Q

This biometric control offers high accuracy, passive scanning, and no health risks?

A

Iris Scan

50
Q

Measurements are taken from specific points on the subject's hand (fairly simple; stores info in as little as 9 bytes)?

A

Hand geometry

51
Q

Refers to how hard a user presses a key and the rhythm at which keys are pressed (cheap to implement and can be effective)?

A

Keyboard dynamics

52
Q

Similar to keyboard dynamics, measures the handwriting of the subject while they sign their name?

A

Dynamic signature

53
Q

This uses measurements of a subject's tone of voice while stating a specific sentence or phrase (vulnerable to replay attacks; requires compensating controls to make it secure)?

A

Voiceprint

54
Q

What is the process of passively taking a picture of a subject's face and comparing that picture to a list stored in a database? (High cost)

A

Facial scan or facial recognition

55
Q

Considered to be the fourth type of authentication (through the use of GPS or IP-based geolocation, or the physical location for a point-of-sale purchase)?

A

Someplace you are

56
Q

This allows multiple systems to use a central authentication server, so a user authenticates once and then accesses multiple, different systems?

A

Single Sign On(SSO)

57
Q

Applies SSO on a much wider scale (may use OpenID or SAML)?

A

Federated Identity Management (FIdM), also known as Identity Management

58
Q

What is a third party authentication service used to support SSO?

A

Kerberos

59
Q

Kerberos uses ________ encryption and provides ________ authentication of both client and servers. It protects against _______ ________ and _______ ________.

A

Symmetric, mutual, network sniffing, replay attacks

60
Q

The authenticator within Kerberos provides a requested service to the client after validating what?

A

Timestamp

61
Q

Like the Kerberos protocol, SESAME is also subject to what kind of attack?

A

Password Guessing

62
Q

What are some drawbacks of Kerberos?

A

Central server as a single point of failure, stores symmetric keys in plaintext, not scalable

63
Q

How is SESAME different from Kerberos?

A

Supports heterogeneous environments, scalability of public key systems, and use of PACs instead of tickets

64
Q

A security assessment may include what kind of ‘narrow’ tests?

A

Penetration test, vulnerability assessment, security audit

65
Q

The pen tester starts with no internal or trusted information and begins the attack with public information only?

A

Zero-Knowledge

66
Q

Internal information is provided to the pen tester including network diagrams, policies and procedures, and sometimes reports from previous pen tests?

A

Full-Knowledge

67
Q

Scans a network or system for a pre-defined list of vulnerabilities such as system misconfigurations, outdated software, or lack of patching?

A

Vulnerability scanning (or vulnerability testing)

68
Q

What is a test against a published standard?

A

Security Audit

69
Q

What is a holistic approach to assessing the effectiveness of access controls?

A

Security Assessment