Access Control Flashcards
What are two types of Integrity?
Data Integrity & System Integrity
What is the opposite of the CIA triad?
Disclosure, Alteration, & Destruction (DAD)
What must occur before Authentication, Authorization, & Accountability(AAA)?
Identification
What combines authentication and integrity?
Non-repudiation
What means users should be granted the minimum amount of access(authorization) required to do their jobs?
Least privilege
What is more granular than Least privilege?
Need to know
In access control, what are the active entity (a user or process) and the passive entity (a file, database, or other resource) it accesses called?
Subject(active) and object(passive)
What applies multiple controls to reduce risk on an asset?
Defense-in-depth
What are the three primary access control models?
Mandatory, Discretionary, and Non-discretionary
What are two types of Non-discretionary access control models?
Role based and task based
What is a list, attached to an object, whose entries describe for each subject what that subject may do with the object?
Access Control List(ACL)
What is a one logical point for controlling access through a third party system? Provides a central point for AAA and an example would be Single Sign On(SSO)
Centralized access control
______ _________ occurs as individual users gain more access to systems. This can happen intentionally(SSO) or unintentionally which would result in _______ ________.
Access Aggregation, Authorization Creep
What is the following?
A client/server protocol
Runs in the application layer
Uses UDP port 1812(authentication) and 1813(accounting)
Considered an AAA system
Remote Authentication Dial-In User Service(RADIUS)
What is the successor to RADIUS?
Diameter
What is the following?
Requires user to send an ID and static(reusable) password for authentication
Goes over UDP or TCP port 49
TACACS
What does TACACS+ offer over TACACS?
Provides better password protection, including support for two-factor authentication; TACACS+ also encrypts the entire body of each packet rather than sending it in the clear
Why is PAP insecure?
When the user enters a password, it travels over the network in cleartext, so anyone sniffing the link can read it.
What does CHAP protect against? What does it depend on?
Playback(replay) attacks. It depends on a secret known only to the authenticator and the peer; the secret itself is never sent over the link, only a one-way hash of the secret combined with a fresh random challenge.
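Worked example (added here; not part of the original deck): the PAP and CHAP exchanges side by side, in Python using only the standard library. The CHAP response follows RFC 1994's MD5 algorithm, MD5(Identifier || secret || Challenge); the peer name "alice", the shared secret and the password "hunter2" are constructed sample values, and the ChapAuthenticator class is a hypothetical minimal authenticator written for this illustration.

```python
import hashlib
import hmac
import os


def pap_authenticate_request(peer_id: str, password: str) -> bytes:
    """PAP (RFC 1334): the peer sends its ID and password as-is. Anyone
    sniffing the link sees the password; nothing is hashed or encrypted."""
    return peer_id.encode() + b"\x00" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP MD5 response (RFC 1994): MD5(Identifier || secret || Challenge).
    The secret never crosses the link; only this one-way hash does."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side (hypothetical minimal implementation). It must hold
    each peer's secret in recoverable form to compute the same hash the peer does."""

    def __init__(self, secrets):
        self._secrets = dict(secrets)   # peer name -> shared secret (constructed)
        self._pending = {}              # peer name -> (identifier, challenge)
        self._next_id = 0

    def challenge(self, peer: str):
        """Issue a fresh random challenge; the identifier pairs it with the reply."""
        ident = self._next_id & 0xFF
        self._next_id += 1
        chal = os.urandom(16)
        self._pending[peer] = (ident, chal)
        return ident, chal

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        """Each challenge is answerable exactly once, so a captured response
        cannot be played back against this or any later challenge."""
        pending = self._pending.pop(peer, None)
        if pending is None or pending[0] != identifier or peer not in self._secrets:
            return False
        expected = chap_response(identifier, self._secrets[peer], pending[1])
        return hmac.compare_digest(expected, response)


def replay_captured_response(auth: ChapAuthenticator, peer: str, captured: bytes) -> bool:
    """An attacker who sniffed one CHAP exchange tries to reuse the response."""
    ident, _new_challenge = auth.challenge(peer)   # authenticator issues a new challenge
    return auth.verify(peer, ident, captured)      # old response no longer matches


if __name__ == "__main__":
    secret = b"s3cret-shared-key"                  # constructed sample
    auth = ChapAuthenticator({"alice": secret})
    ident, chal = auth.challenge("alice")
    resp = chap_response(ident, secret, chal)      # computed on the peer
    print("CHAP genuine login accepted:", auth.verify("alice", ident, resp))
    print("CHAP replay accepted:", replay_captured_response(auth, "alice", resp))
    print("PAP bytes on the wire:", pap_authenticate_request("alice", "hunter2"))
```

Caveat a practitioner should keep in mind: CHAP defeats replay, but a sniffed challenge/response pair still allows an offline dictionary attack on the shared secret, and the authenticator has to store that secret in cleartext-equivalent form.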
Access Control categories fall into what?
Administrative(Directive), Technical(Logical), Physical
What is a combination of both the identification and authentication of a user?
Credential set
What are the three basic types of authentication methods?
Type 1(Something you know) Type 2(Something you have) Type 3(Something you are)
What is it when the user is required to provide more than one authentication factor?
Strong Authentication or multi factor authentication
What is often the weakest form of authentication?
Type 1(Something you know)
What are the four types of passwords?
Static
Passphrases
One-time
Dynamic
Reusable passwords that may or may not expire; they work best when combined with another authentication type such as a smart card or biometrics?
Static passwords
Described as long static passwords; can be made stronger by including nonsense words such as XYZZY?
Passphrases
Used for a single authentication; very secure, difficult to manage, and impossible to reuse?
One time password
This password changes at regular intervals; the user may combine a static PIN with a token-generated code to form the password; the tokens are expensive?
Dynamic passwords
What is it called when an attacker runs a hash algorithm forward many times, hashing different candidate passwords until one produces a matching hash?
Password cracking
This type of attack hashes each word in a predefined list of words, hoping one generates a matching hash?
Dictionary attack
This attack appends, prepends, or substitutes characters in dictionary words before hashing, to crack more complex passwords quickly?
Hybrid attack
This attack calculates hash outputs for every possible password within a chosen character set and length; it takes far more time than a dictionary attack but is exhaustive?
Brute Force attack
This attack uses a precomputed table of plaintext passwords and their matching hashes(or ciphertext) to quickly crack unsalted hashes whose plaintext falls within the table's character set and length?
Rainbow table
A ______ value, unique per user and combined with the password before hashing, ensures that the same password produces a different hash for different users. This makes rainbow tables far less effective, since the attacker would need a separate table for every possible value; the longer the value, the less practical that becomes?
Salt
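Worked example (added here; not part of the original deck) covering the four cracking techniques above and the salt card: dictionary, hybrid, brute-force and precomputed-table attacks against unsalted hashes, then the same lookup failing against a salted store. The wordlist, alphabet and target passwords are constructed sample data; the plain hash->plaintext dictionary stands in for a rainbow table (a real one compresses the same precomputation into hash chains, but the attack property shown is identical). SHA-256 is used only to keep the code self-contained; real password storage uses a slow, salted KDF.

```python
import hashlib
import itertools
import os
import string

# Constructed mini wordlist; a real dictionary attack uses millions of entries.
WORDLIST = ["password", "letmein", "dragon", "summer", "monkey"]
ALPHABET = string.ascii_lowercase + string.digits


def h(password: str, salt: bytes = b"") -> str:
    """Unsalted (default) or salted SHA-256, hex-encoded."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def dictionary_attack(target: str, wordlist):
    """Hash each word exactly as listed and compare."""
    for word in wordlist:
        if h(word) == target:
            return word
    return None


def hybrid_candidates(word: str):
    """Hybrid rules: case changes, character substitutions, then digits appended/prepended."""
    bases = [word, word.capitalize(), word.upper(),
             word.replace("a", "@").replace("o", "0").replace("e", "3")]
    for base in bases:
        yield base
        for n in range(100):
            yield f"{base}{n}"
            yield f"{n}{base}"


def hybrid_attack(target: str, wordlist):
    for word in wordlist:
        for candidate in hybrid_candidates(word):
            if h(candidate) == target:
                return candidate
    return None


def brute_force(target: str, alphabet: str, max_len: int):
    """Exhaustive search: certain to succeed within alphabet/max_len,
    but the cost grows as |alphabet| ** length."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if h(candidate) == target:
                return candidate
    return None


def build_lookup_table(wordlist):
    """Precomputed hash -> plaintext map: hash once, look up any number of stolen hashes."""
    return {h(word): word for word in wordlist}


def store_salted(password: str):
    """What a defender stores: a random per-user salt and hash(salt || password)."""
    salt = os.urandom(16)
    return salt, h(password, salt)


def crack_salted(stored, wordlist):
    """Against a salted hash the precomputed table is useless; every candidate
    must be rehashed under this one user's salt."""
    salt, digest = stored
    for word in wordlist:
        if h(word, salt) == digest:
            return word
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("table lookup:", table.get(h("dragon")))
    print("dictionary:", dictionary_attack(h("Summer7"), WORDLIST))
    print("hybrid:", hybrid_attack(h("Summer7"), WORDLIST))
    print("brute force:", brute_force(h("ab1"), ALPHABET, 3))
    stored = store_salted("dragon")
    print("table lookup on salted hash:", table.get(stored[1]))
    print("per-salt dictionary on salted hash:", crack_salted(stored, WORDLIST))
```

Note what the salt does and does not do: the table lookup fails, but a weak password is still recovered by a per-user dictionary run; the salt only removes the attacker's ability to amortize work across users.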
An object that helps prove an identity claim?
Token
_________ _________ ______ use a time or counter value shared by the token and the authentication server, so the code the token displays is the one the server expects: the two sides are synchronized.
Synchronous dynamic tokens
A challenge-response token system requires the user to enter a challenge from the server into the token, which produces a response that is sent back to the system. This is also known as?
Asynchronous dynamic token
Biometrics may be used to establish what?
An Identity or to Authenticate
What describes the process of registering with a biometric system(ex. Creating an account for the first time)?
Enrollment
What describes the process of authenticating to a biometric system(Also called a biometric system response time)?
Throughput
False rejection errors are also known as?
Type-I error
False acceptance errors are known as?
Type-II error
What type of biometric accuracy error is the worst?
FARs(Type II errors) are worse than FRRs (Type I errors)
Used to describe the overall accuracy of a biometric system(Also known as the Equal Error rate)?
Crossover Error rate(CER)
When the sensitivity of a biometric system is increased, what rises and what drops?
FRRs(false rejections, Type I) rise and FARs(false acceptances, Type II) drop; the CER is the sensitivity setting at which the two are equal
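Worked example (added here; not part of the original deck) for the FAR/FRR/CER cards: computing both error rates from match scores at every threshold and locating the crossover. The genuine and impostor score lists are constructed toy data; a real evaluation would use thousands of scores from the actual sensor.

```python
# Constructed match scores on a 0-100 scale (higher = closer match).
GENUINE_SCORES = [90, 85, 80, 75, 70, 65, 60, 55, 50, 45]   # legitimate users
IMPOSTOR_SCORES = [10, 20, 30, 35, 40, 45, 50, 52, 60, 70]  # other people


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False Acceptance Rate (Type II error): impostors scoring at or above the threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False Rejection Rate (Type I error): genuine users scoring below the threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(thresholds=range(0, 101, 5)):
    """(threshold, FAR, FRR) for each candidate sensitivity setting."""
    return [(t, far(t), frr(t)) for t in thresholds]


def crossover_error_rate(thresholds=range(0, 101, 5)):
    """Threshold where FAR and FRR meet (the CER / equal error rate) and that rate."""
    t, a, r = min(error_curve(thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (a + r) / 2


def decide(score, threshold):
    """Accept or reject one presentation at the chosen sensitivity."""
    return score >= threshold


if __name__ == "__main__":
    for t, a, r in error_curve(range(40, 76, 5)):
        print(f"threshold {t:3d}  FAR {a:.1f}  FRR {r:.1f}")
    print("crossover:", crossover_error_rate())
```

Raising the threshold (more sensitive) moves down the FAR column and up the FRR column, which is the trade-off the card describes; the CER is the single number used to compare two systems, while the threshold actually deployed is chosen by which error the asset can better tolerate (for most access control, a higher FRR).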
The most widely used biometric control; its stored template(minutiae data) must be small enough to fit on a smart card?
Fingerprints
Scans the blood vessels in an eye; the most intrusive biometric, rarely used because of the health and privacy concerns involved(the scan can reveal medical conditions)?
Retina Scan
This biometric control offers high accuracy, passive scanning, and no health risks?
Iris Scan
Measurements are taken from specific points on the subject's hand(fairly simple; the template can be as small as 9 bytes)?
Hand geometry
Refers to how hard a user presses keys and the rhythm with which they are pressed(cheap to implement and can be effective)?
Keyboard dynamics
Similar to keyboard dynamics, measures the handwriting of the subject while they sign their name?
Dynamic signature
This uses measurements of a subject’s tone of voice while stating a specific sentence/phrase(Vulnerable to replay attacks, requires compensating controls to make secure)?
Voiceprint
What is the process of passively taking a picture of a subject's face and comparing it to images stored in a database?(High cost)
Facial scan or facial recognition
Considered to be the fourth type of authentication(through the use of GPS or IP based geolocation or the physical location for a point of sale purchase)?
Someplace you are
This allows multiple systems to use a central authentication server to authenticate once and then access multiple, different systems?
Single Sign On(SSO)
Applies SSO on a much wider scale(May use OpenID or SAML)
Federated Identity Management(FIdM), also known as Identity Management
What is a third party authentication service used to support SSO?
Kerberos
Kerberos uses ________ encryption and provides ________ authentication of both client and servers. It protects against _______ ________ and _______ ________.
Symmetric, mutual, network sniffing, replay attacks
Within Kerberos, a service grants the requested access to a client only after validating what in the client's authenticator?
Its timestamp, which must fall within the allowed clock skew and must not have been seen before(this is what defeats replay)
Like the Kerberos protocol, SESAME is also subject to what kind of attack?
Password Guessing
What are some drawbacks of Kerberos?
The central server(KDC) is a single point of failure, it stores every principal's symmetric key in plaintext, and it does not scale well
How is SESAME different from Kerberos?
Supports heterogeneous environments, scalability of public key systems, and use of PACs instead of tickets
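Worked example (added here; not part of the original deck, and not real Kerberos code) modelling the Kerberos cards above: a KDC holding every principal's symmetric key, a service ticket and authenticator sealed with those keys, and the service's checks on the authenticator timestamp (clock skew plus a replay cache) before it answers with the mutual-authentication reply. The "seal" cipher is a toy encrypt-then-MAC built from HMAC-SHA256 so the example runs with only the standard library; it stands in for Kerberos's real encryption and must not be used as one. The principal names, the 300-second skew and the one-hour ticket lifetime are assumptions for the model.

```python
import hashlib
import hmac
import json
import os

MAX_SKEW = 300           # assumed clock-skew tolerance, seconds
TICKET_LIFETIME = 3600   # assumed service-ticket lifetime, seconds


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; toy stand-in for a real cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy symmetric encrypt-then-MAC of a JSON message (illustration only)."""
    plaintext = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC, then decrypt; raises ValueError on tampering or wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds every principal's long-term key in plaintext: the single point of failure."""

    def __init__(self, keys):
        self.keys = dict(keys)

    def issue_ticket(self, client: str, service: str, now: int):
        session_key = os.urandom(32).hex()
        ticket = seal(self.keys[service],            # only the service can open this
                      {"client": client, "session_key": session_key,
                       "expires": now + TICKET_LIFETIME})
        for_client = seal(self.keys[client],         # only the client can open this
                          {"service": service, "session_key": session_key})
        return ticket, for_client


def make_authenticator(session_key: bytes, client: str, now: int) -> bytes:
    """Client proves it holds the session key by sealing a fresh timestamp with it."""
    return seal(session_key, {"client": client, "timestamp": now})


class Service:
    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = set()   # (client, timestamp) pairs already accepted

    def accept(self, ticket: bytes, authenticator: bytes, now: int):
        """Returns the mutual-authentication reply on success, or None on any failure."""
        try:
            t = unseal(self.key, ticket)
            session_key = bytes.fromhex(t["session_key"])
            a = unseal(session_key, authenticator)
        except ValueError:
            return None
        if now > t["expires"] or a["client"] != t["client"]:
            return None
        if abs(now - a["timestamp"]) > MAX_SKEW:         # stale: outside clock skew
            return None
        if (a["client"], a["timestamp"]) in self.replay_cache:
            return None                                  # sniffed and replayed
        self.replay_cache.add((a["client"], a["timestamp"]))
        # Mutual authentication: only a holder of the service key could have
        # recovered the session key needed to seal this reply.
        return seal(session_key, {"timestamp": a["timestamp"]})


if __name__ == "__main__":
    keys = {"alice": os.urandom(32), "fileserver": os.urandom(32)}
    kdc, svc = KDC(keys), Service(keys["fileserver"])
    ticket, for_client = kdc.issue_ticket("alice", "fileserver", now=1000)
    sk = bytes.fromhex(unseal(keys["alice"], for_client)["session_key"])
    auth = make_authenticator(sk, "alice", now=1000)
    print("first presentation accepted:", svc.accept(ticket, auth, now=1010) is not None)
    print("replayed authenticator accepted:", svc.accept(ticket, auth, now=1020) is not None)
```

Because the client never sends its password or long-term key, a sniffer sees only sealed blobs (the sniffing protection on the card), and the timestamp check plus replay cache is why Kerberos requires synchronized clocks. The model also shows why password guessing still works: an attacker who obtains the sealed reply for a user can try candidate passwords offline against it, which is what the SESAME card refers to.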
A security assessment may include what kind of ‘narrow’ tests?
Penetration test, vulnerability assessment, security audit
The pen tester begins with no internal or trusted information and starts the attack using public information only?
Zero-Knowledge
Internal information is provided to the pen tester including network diagrams, policies and procedures, and sometimes reports from previous pen tests?
Full-Knowledge
Scans a network or system for a pre-defined list of vulnerabilities such as system misconfigurations, outdated software, or lack of patching?
Vulnerability scanning(or vulnerability testing)
What is a test against a published standard?
Security Audit
What is a holistic approach to assessing the effectiveness of access controls?
Security Assessment