Access Control Flashcards

1
Q

CIA

A

Confidentiality, Integrity, Availability

1
Q

Access controls protect against:

A

Threats such as unauthorized access, inappropriate modification of data, and loss of confidentiality

2
Q

DAD

A

The opposite of CIA: Disclosure, Alteration, Destruction (the outcomes that security controls exist to prevent)

3
Q

Confidentiality

A

Seeks to prevent unauthorized read access (disclosure). Example: PII (personally identifiable information)

4
Q

Integrity

A

Seeks to prevent unauthorized modification of information

5
Q

Two types of Integrity

A

Data Integrity & System Integrity

6
Q

Data Integrity

A

Seeks to protect information (the data itself) against unauthorized modification

7
Q

System integrity

A

Seeks to protect a system (its OS, configuration and software) from unauthorized modification

8
Q

Availability

A

Ensures that information, and the systems that hold it, are available to authorized users when needed

9
Q

AAA

A

Authentication, Authorization, Accountability

10
Q

Identity

A

A claim of who you are (like a username); on its own it proves nothing

11
Q

Authentication

A

Proving an identity claim (like supplying the password that goes with the username)

12
Q

Authorization

A

The actions you are permitted to perform on a system once you have identified and authenticated. May include reading, writing, or executing files and programs

13
Q

Accountability

A

Holds users accountable for their actions. Typically done by logging and analyzing audit data

14
Q

Non-Repudiation

A

A user cannot deny having performed a transaction. You must have authentication and integrity to have non-repudiation: you need to know who acted, and that the record of the action has not been altered

15
Q

Least privilege

A

Users should be granted the minimum amount of access (authorization) required to do their jobs, and no more

16
Q

Need to know

A

A user must need to know that specific piece of information before accessing it (the user must have a business need to access the data, even if their clearance would otherwise permit it)

17
Q

Subject

A

An active entity on a system (a user or a process) that manipulates objects

18
Q

Object

A

A passive entity on a system, such as a file or database record, that holds data. Objects do not manipulate other objects

19
Q

Defense in Depth

A

Applies multiple, layered safeguards (called controls) to protect an asset, so that the failure of any one control does not expose the asset

20
Q

Which Access control model is the best?

A

None; each model is used for a specific information security purpose

21
Q

What are the primary Access Control Models?

A

Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Non-Discretionary Access Control

22
Q

What is DAC?

A

Discretionary Access Control: gives subjects full control of objects they own or have been granted access to, including sharing those objects with other subjects (e.g., file permissions set by the file's owner)

23
Q

What is MAC?

A

Mandatory Access Control: primarily used by government and the military; system-enforced access control based on subject clearance levels and object labels. Subjects cannot change labels or share objects at their own discretion

24
Q

Two types of non-discretionary access control

A

Role-based Access Control (RBAC) and Task-based access control

25
Q

What is RBAC?

A

Role-based Access Control: defines how information is accessed on a system based on the role of the subject. Permissions are attached to roles, and subjects gain permissions by being assigned roles rather than individually

26
Q

Three rules of RBAC?

A
1. Role assignment: a subject can execute a transaction only if it has selected or been assigned a role
2. Role authorization: a subject's active role must be one the subject is authorized to hold
3. Transaction authorization: a subject can execute a transaction only if the transaction is authorized for the subject's active role

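The DAC, MAC and RBAC cards above describe three different decision rules. The following is an added example for this deck (not code from any real product or from the card author) that puts all three in one toy reference monitor: an owner-managed ACL for DAC, a clearance-dominates-label check with need-to-know compartments for MAC, and a role engine that enforces the three RBAC rules. All subjects, objects, labels, roles and transactions are constructed sample data.

```python
"""Toy reference monitor showing DAC, MAC and RBAC side by side.

Added example for this flashcard deck, not code from any real product.
All subjects, objects, labels, roles and transactions are constructed.
"""
from dataclasses import dataclass

# --- MAC: labels are assigned by the system; subjects cannot change them ---
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        """Level is at least as high and every compartment is held."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_read_allowed(clearance: Label, object_label: Label) -> bool:
    """No read up: the subject's clearance must dominate the object's label."""
    return clearance.dominates(object_label)


# --- DAC: the owner decides, and may delegate the right to share ---
class DacObject:
    def __init__(self, owner: str):
        self.owner = owner
        self.acl = {owner: {"read", "write", "share"}}  # ACL keyed by subject

    def grant(self, granter: str, grantee: str, perms: set) -> None:
        """Only a subject holding 'share' may extend access to others."""
        if "share" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not share this object")
        self.acl.setdefault(grantee, set()).update(perms)

    def allowed(self, subject: str, perm: str) -> bool:
        return perm in self.acl.get(subject, set())


# --- RBAC: permissions hang off roles; the three rules are enforced here ---
class Rbac:
    def __init__(self):
        self.role_transactions = {}  # role -> transactions it authorizes
        self.user_roles = {}         # user -> roles assigned by an admin
        self.active_roles = {}       # user -> roles activated in this session

    def define_role(self, role: str, transactions) -> None:
        self.role_transactions[role] = set(transactions)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def activate(self, user: str, role: str) -> None:
        """Rule 2, role authorization: only an assigned role may be activated."""
        if role not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned role {role}")
        self.active_roles.setdefault(user, set()).add(role)

    def can(self, user: str, transaction: str) -> bool:
        """Rule 1: no active role, no transactions. Rule 3: the transaction
        must be authorized for one of the subject's active roles."""
        return any(transaction in self.role_transactions[r]
                   for r in self.active_roles.get(user, set()))


def demo() -> dict:
    """Run one constructed scenario per model and return the decisions."""
    results = {}
    # MAC: a Secret/CRYPTO clearance against three differently labelled objects
    alice = Label("Secret", frozenset({"CRYPTO"}))
    results["mac_same_label"] = mac_read_allowed(alice, Label("Secret", frozenset({"CRYPTO"})))
    results["mac_read_up"] = mac_read_allowed(alice, Label("Top Secret"))
    results["mac_no_need_to_know"] = mac_read_allowed(alice, Label("Confidential", frozenset({"NUC"})))

    # DAC: bob owns a report and shares it with carol; carol cannot re-share it
    report = DacObject("bob")
    report.grant("bob", "carol", {"read"})
    results["dac_carol_read"] = report.allowed("carol", "read")
    try:
        report.grant("carol", "dave", {"read"})
        results["dac_carol_reshare"] = True
    except PermissionError:
        results["dac_carol_reshare"] = False

    # RBAC: a teller may deposit but not approve loans; unassigned roles cannot be activated
    bank = Rbac()
    bank.define_role("teller", {"deposit", "withdraw"})
    bank.define_role("loan_officer", {"approve_loan"})
    bank.assign("erin", "teller")
    results["rbac_before_activation"] = bank.can("erin", "deposit")
    bank.activate("erin", "teller")
    results["rbac_deposit"] = bank.can("erin", "deposit")
    results["rbac_approve_loan"] = bank.can("erin", "approve_loan")
    try:
        bank.activate("erin", "loan_officer")
        results["rbac_unassigned_activate"] = True
    except PermissionError:
        results["rbac_unassigned_activate"] = False
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:26} {decision}")
```

The three `mac_*` results show why MAC is "system-enforced": alice's clearance is high enough for the Confidential/NUC object, yet the missing NUC compartment (need to know) still denies the read, and nothing alice does can change that label. In the DAC scenario the owner's decision to share is what grants access; in the RBAC scenario erin's assigned role grants nothing until it is activated for the session.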
27
Q

Task-based access control

A

Based on the tasks each subject must perform; focuses on specific tasks or workflow steps rather than on roles

28
Q

Content- and Context-dependent access controls

A

Not full-fledged access control methods in their own right; they play a supporting role in defense in depth. Content-dependent control bases the decision on the data inside the object (e.g., hiding a salary field); context-dependent control bases it on circumstances such as time of day or what the subject did previously

29
Q

Centralized access control

A

Concentrates access control decisions in one logical point for a system or organization (e.g., a single directory or AAA server)

30
Q

Decentralized access control

A

Allows IT administration to occur closer to the mission and operations of the organization, at the cost of consistency. Also called distributed access control

31
Q

Identity Lifecycle Rules

A

* password policy compliance checking
* notifying users to change passwords before they expire
* identity lifecycle changes such as inactive accounts
* identifying new accounts not used for 10 days
* identifying suspended accounts
* identifying all accounts belonging to expired contracts
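The lifecycle rules on this card are the kind of thing an identity team runs as a scheduled review over an account export. The following is an added example for this deck (not code from the card author or any product) that applies them to a constructed set of account records. The record layout, the 90-day inactivity threshold, the 90-day password lifetime and the 14-day warning window are assumptions; the 10-day new-account rule is the one on the card.

```python
"""Identity lifecycle checks run over a constructed account export.

Added example for this flashcard deck. The record format, the 90-day
inactivity threshold and the password lifetime/warning windows are
assumptions; the 10-day new-account rule comes from the card.
"""
from datetime import date, timedelta

TODAY = date(2024, 6, 1)          # fixed so the example is reproducible
NEW_ACCOUNT_UNUSED_DAYS = 10      # from the card
INACTIVE_DAYS = 90                # assumption
PASSWORD_MAX_AGE_DAYS = 90        # assumption
PASSWORD_WARN_DAYS = 14           # assumption

# Constructed sample export; None means "never".
ACCOUNTS = [
    {"user": "alice", "created": date(2023, 1, 10), "last_login": date(2024, 5, 30),
     "pw_set": date(2024, 3, 10), "status": "active", "contract_end": None},
    {"user": "bob", "created": date(2024, 5, 15), "last_login": None,
     "pw_set": date(2024, 5, 15), "status": "active", "contract_end": None},
    {"user": "carol", "created": date(2022, 8, 1), "last_login": date(2024, 1, 5),
     "pw_set": date(2024, 1, 5), "status": "active", "contract_end": None},
    {"user": "dave", "created": date(2021, 3, 3), "last_login": date(2024, 5, 1),
     "pw_set": date(2024, 4, 1), "status": "suspended", "contract_end": None},
    {"user": "erin", "created": date(2023, 9, 1), "last_login": date(2024, 5, 28),
     "pw_set": date(2024, 5, 1), "status": "active", "contract_end": date(2024, 5, 31)},
]


def review(accounts, today=TODAY) -> dict:
    """Return {rule: [users]} for every lifecycle rule that fires."""
    findings = {"new_unused": [], "inactive": [], "suspended": [],
                "contract_expired": [], "password_expiring": [], "password_expired": []}
    for a in accounts:
        age_days = (today - a["created"]).days
        # New account that has never been used within the grace period
        if a["last_login"] is None and age_days >= NEW_ACCOUNT_UNUSED_DAYS:
            findings["new_unused"].append(a["user"])
        # Dormant account: last successful login too long ago
        if a["last_login"] is not None and (today - a["last_login"]).days >= INACTIVE_DAYS:
            findings["inactive"].append(a["user"])
        if a["status"] == "suspended":
            findings["suspended"].append(a["user"])
        # Contractor whose engagement has ended but whose account still exists
        if a["contract_end"] is not None and a["contract_end"] < today:
            findings["contract_expired"].append(a["user"])
        # Password age: warn ahead of expiry, flag anything already past it
        pw_expires = a["pw_set"] + timedelta(days=PASSWORD_MAX_AGE_DAYS)
        days_left = (pw_expires - today).days
        if days_left < 0:
            findings["password_expired"].append(a["user"])
        elif days_left <= PASSWORD_WARN_DAYS:
            findings["password_expiring"].append(a["user"])
    return findings


if __name__ == "__main__":
    for rule, users in review(ACCOUNTS).items():
        print(f"{rule:18} {', '.join(users) or '-'}")
```

Note that carol trips two rules at once (dormant and password expired); a review that only looked at one list would miss half the picture, which is the "logs reviewed only for bad stuff" problem in miniature.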

32
Q

Access aggregation

A

Individual users gain more access to a system over time as jobs change and old permissions are not removed (also called privilege creep); periodic access reviews are the usual countermeasure

33
Q

What is RADIUS

A

Remote Authentication Dial-In User Service: a client/server protocol considered an AAA system. Runs over UDP and obscures only the password attribute; the rest of the packet is sent in the clear

34
Q

What is Diameter

A

Successor to RADIUS; provides an improved AAA framework (runs over TCP or SCTP with reliable delivery, rather than RADIUS's UDP)

35
Q

What is TACACS and TACACS+

A

Terminal Access Controller Access Control System: centralized access control system that requires users to send an ID and password for authentication. TACACS+ is Cisco's redesign and is not backward compatible with TACACS: it runs over TCP, separates authentication, authorization and accounting, and encrypts the entire packet body, unlike RADIUS

36
Q

PAP?

A

Password Authentication Protocol: not a strong authentication method. Sends the password in clear text, so anyone on the path can capture and reuse it

37
Q

CHAP?

A

Challenge Handshake Authentication Protocol: provides protection against playback (replay) attacks. The authenticator sends a fresh random challenge and the peer answers with a one-way hash of the challenge combined with a secret known to both sides, so the secret itself never crosses the wire and a captured response is useless against the next challenge
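To make the PAP versus CHAP contrast concrete, here is an added example for this deck (not code from the card author or any vendor) that puts the two side by side: PAP writes the password onto the wire as-is, while CHAP answers a random challenge with MD5(Identifier || secret || Challenge) as RFC 1994 specifies, and the authenticator rejects a captured response replayed against a fresh challenge. The user name, shared secret and challenge bytes are constructed; MD5 appears because the RFC mandates it, not as a recommendation.

```python
"""PAP versus CHAP on the wire, as an added example for this deck.

CHAP response computed per RFC 1994: MD5(Identifier || secret || Challenge).
Names, secret and challenge bytes are constructed sample data.
"""
import hashlib
import hmac
import os


def pap_on_the_wire(username: str, password: str) -> bytes:
    """PAP simply transmits the credentials; a sniffer sees the password."""
    return username.encode() + b"\x00" + password.encode()


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Peer side: one-way hash over identifier, shared secret and challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Server side: issues a fresh challenge per attempt and checks the reply."""

    def __init__(self, secrets: dict):
        self.secrets = secrets      # username -> shared secret (never sent)
        self.outstanding = {}       # username -> (identifier, challenge)
        self.identifier = 0

    def challenge(self, username: str, rnd=os.urandom) -> tuple:
        self.identifier = (self.identifier + 1) % 256
        chal = rnd(16)              # unpredictable and never reused
        self.outstanding[username] = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, username: str, response: bytes) -> bool:
        ident, chal = self.outstanding.pop(username, (None, None))
        if chal is None:
            return False            # nothing outstanding: reject
        expected = chap_response(ident, self.secrets[username], chal)
        return hmac.compare_digest(expected, response)


def demo() -> dict:
    """One legitimate CHAP exchange, then a replay of the captured response."""
    auth = Authenticator({"alice": b"s3cret"})
    ident, chal = auth.challenge("alice")
    resp = chap_response(ident, b"s3cret", chal)     # what the peer sends
    ok = auth.verify("alice", resp)
    auth.challenge("alice")                          # next login: new challenge
    replayed = auth.verify("alice", resp)            # attacker resends old reply
    return {"pap_bytes": pap_on_the_wire("alice", "s3cret"),
            "chap_ok": ok, "replay_ok": replayed}


if __name__ == "__main__":
    print(demo())
```

The CHAP response still depends on a secret both ends hold in recoverable form, which is why CHAP protects against replay but not against a compromised authenticator database.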

38
Q

3 concepts that affect access control?

A
1. least privilege
2. separation of duties
3. rotation of duties

39
Q

separation of duties

A

Checks and balances: no single person can complete a sensitive transaction alone (e.g., the person who requests a payment cannot also approve it)

40
Q

rotation of duties

A

Requires different staff members to perform the same duty over time; helps detect fraud that depends on one person holding a position indefinitely

41
Q

Describe 3 security labels used by Gov’t

A

Top Secret: unauthorized disclosure could cause exceptionally grave damage
Secret: serious damage
Confidential: damage

42
Q

Clearance

A

Determines whether or not a user can be trusted with a specific level of information

43
Q

Rule-Based Access Control

A

Think firewalls: uses a series of defined rules, restrictions and filters for accessing objects (e.g., allow TCP port 443 from any source to the web server)

44
Q

ACL

A

Access Control List: a list, attached to an object, of the subjects that may access that object and what each of them may do

45
Q

6 Access Control Types

A
1. Preventative
2. Detective
3. Corrective
4. Recovery
5. Deterrent
6. Compensating

46
Q

3 Access Control Categories

A
1. Administrative
2. Technical
3. Physical

47
Q

Administrative Access Control

A

Also called directive; think paperwork: policies, procedures, and training

48
Q

Technical Access Control

A

Implemented using software, hardware, or firmware; think buy/install something (also called logical controls)

49
Q

Physical Access Control

A

Implemented with physical devices and measures like doors, locks, guards, dogs, etc.

50
Q

Preventative Access Control

A

Prevent unwanted actions from happening; e.g., assigning privileges on a system, or a locked door

51
Q

Detective Access Control

A

Controls that alert during or after a successful attack; e.g., CCTV, building alarm system, IDS

52
Q

Corrective Access Control

A

Work by correcting a damaged system or process; e.g., antivirus quarantining malware, or an IPS (HIPS/NIPS) terminating an attack in progress. An IDS (HIDS/NIDS) that only alerts is a detective control

53
Q

Recovery Access Control

A

Restores functionality of a system and the organization after an incident; e.g., backups and disaster recovery plans

54
Q

Deterrent Access Control

A

Deters users from performing an action; think warning banners and "Beware of Dog" signs

55
Q

Compensating Access Control

A

A security control put in place to compensate for a weakness in other controls (e.g., extra logging and review where a system cannot be patched)

56
Q

3 types of authentication methods

A

Type 1: something you know (password, PIN)
Type 2: something you have (token, smart card)
Type 3: something you are (biometric)

57
Q

Describe 4 types of passwords

A
1. Static
2. Passphrases
3. One-time passwords
4. Dynamic passwords

58
Q

Strong Authentication

A

Requires users to present more than one type of authentication factor (multi-factor authentication). Two items of the same type, such as a password and a PIN, do not count

59
Q

Hashing

A

A one-way algorithm used to verify the integrity of data; uses an algorithm and no key, so anyone can recompute the hash of the same input and compare

60
Q

Dictionary Attack

A

Uses words from a dictionary (wordlist), runs each through the hashing algorithm, then tries to match the resulting hash against the stolen one

61
Q

Brute-force attack

A

Takes more time but is exhaustive: calculates the hash of every possible password in the keyspace

62
Q

Rainbow tables

A

A database containing the precomputed hash output for most or all possible passwords, trading storage for cracking time; a per-user salt makes the table useless

63
Q

Hybrid attack

A

Appends, prepends, or changes characters in words from a dictionary (e.g., "winter" becomes "Winter7" or "w1nter") before hashing

64
Q

Salt

A

A random value added to each password before hashing, so that the same password hashes differently for each user; defeats precomputed (rainbow) tables and forces the attacker to recompute per account
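The cards on hashing, dictionary, brute-force, rainbow-table, hybrid attacks and salting describe one attack-defense sequence. The following is an added example for this deck (not code from the card author or any cracking tool) that runs that sequence: a precomputed hash-to-plaintext table built from a dictionary with hybrid manglings cracks an unsalted hash in one lookup, an exhaustive brute force handles a short password the dictionary lacks, and a per-user salt makes the table miss so that every candidate has to be rehashed per account. The wordlist, target passwords and salts are constructed; SHA-256 stands in for whatever fast hash is in use (a plain lookup table is used instead of true rainbow-table chains, which trade more time for less storage). Real password storage should use a slow, salted KDF such as bcrypt, scrypt or Argon2.

```python
"""Dictionary, hybrid, brute-force and precomputed-table attacks on unsalted
SHA-256 hashes, and why a per-user salt defeats the precomputed table.

Added example for this flashcard deck. Wordlist, passwords and salts are
constructed. Real storage should use a slow salted KDF, not a bare hash.
"""
import hashlib
import itertools
import os
import string

WORDLIST = ["password", "letmein", "winter", "dragon"]   # constructed


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hybrid_candidates(word: str):
    """Dictionary word plus common manglings: case, leetspeak, appended digits."""
    for base in (word, word.capitalize()):
        yield base
        yield base.replace("a", "@").replace("o", "0").replace("e", "3")
        for n in range(100):
            yield f"{base}{n}"


def build_table(words) -> dict:
    """Precompute hash -> plaintext once; reuse it against every unsalted hash."""
    return {h(c.encode()): c for w in words for c in hybrid_candidates(w)}


def crack_unsalted(target: str, table: dict):
    return table.get(target)            # one lookup per stolen hash


def brute_force(target: str, charset: str, max_len: int):
    """Exhaustive: every string over charset up to max_len characters."""
    for n in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=n):
            cand = "".join(combo)
            if h(cand.encode()) == target:
                return cand
    return None


def hash_salted(password: str, salt: bytes) -> str:
    return h(salt + password.encode())


def crack_salted(target: str, salt: bytes, words):
    """The table is useless; every candidate is rehashed with this user's salt."""
    for w in words:
        for cand in hybrid_candidates(w):
            if hash_salted(cand, salt) == target:
                return cand
    return None


def demo() -> dict:
    table = build_table(WORDLIST)
    unsalted = h(b"Winter7")                         # constructed stolen hash
    salt_a, salt_b = os.urandom(16), os.urandom(16)  # two users, same password
    salted_a = hash_salted("Winter7", salt_a)
    salted_b = hash_salted("Winter7", salt_b)
    return {
        "table_size": len(table),
        "unsalted_cracked": crack_unsalted(unsalted, table),
        "salted_hashes_differ": salted_a != salted_b,
        "salted_in_table": crack_unsalted(salted_a, table),
        "salted_cracked": crack_salted(salted_a, salt_a, WORDLIST),
        "brute_forced": brute_force(h(b"cab"), string.ascii_lowercase, 3),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:22} {v}")
```

The salt does not stop the salted crack; it only removes the precomputation advantage, which is why the slow KDF is the other half of the defense.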

65
Q

Synchronous Dynamic Token

A

Use time or counters to synchronize the displayed code with the code expected by the server (TOTP and HOTP are the standard forms); both sides share a secret key

66
Q

Asynchronous Dynamic Token

A

Not synchronized with a central server; commonly challenge-response tokens, where the server sends a challenge and the token computes the response

67
Q

Describe FRR, FAR, and CER

A

As the matching threshold is relaxed, the False Reject Rate (FRR, Type I error) goes down and the False Accept Rate (FAR, Type II error) goes up. The point where the two curves cross is the Crossover Error Rate (CER); a lower CER means a more accurate biometric system
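To see the crossover rather than just describe it, here is an added example for this deck (not code from the card author) that computes FAR and FRR across a range of thresholds from two constructed sets of match scores, one for genuine users and one for impostors, and reports the threshold at which the two rates meet. The scores are made up so that the crossover lands exactly on a grid point.

```python
"""FAR, FRR and the crossover error rate from constructed match scores.

Added example for this flashcard deck; the scores are made up so the
crossover falls on a grid point.
"""
GENUINE = [95, 90, 85, 80, 75, 70, 65, 60, 55, 45]    # same person, constructed
IMPOSTOR = [10, 20, 30, 40, 50, 55, 60, 65, 70, 80]   # different person, constructed


def rates(threshold: int, genuine=GENUINE, impostor=IMPOSTOR) -> tuple:
    """Accept a sample when its score >= threshold. Returns (FAR, FRR)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)   # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)      # genuine users rejected
    return far, frr


def sweep(thresholds=range(40, 86, 5)) -> list:
    """(threshold, FAR, FRR) for each threshold: FAR falls as FRR rises."""
    return [(t, *rates(t)) for t in thresholds]


def crossover(thresholds=range(0, 101, 5)) -> tuple:
    """Threshold where FAR and FRR are closest, and the rate there (the CER)."""
    best = min(thresholds, key=lambda t: abs(rates(t)[0] - rates(t)[1]))
    far, frr = rates(best)
    return best, (far + frr) / 2


if __name__ == "__main__":
    for t, far, frr in sweep():
        print(f"threshold {t:3}  FAR {far:.1f}  FRR {frr:.1f}")
    print("CER at threshold %d: %.2f" % crossover())
```

Tuning below the crossover favors convenience (fewer false rejects, more impostors accepted); tuning above it favors security. The CER is what lets two systems be compared independently of where each operator set the knob.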

68
Q

Which biometric control has potential health issues

A

Retina scan (the pattern of blood vessels can reveal medical conditions, and the close-contact reader raises hygiene concerns)

69
Q

Someplace you are

A

A potential fourth factor: using GPS or network location to allow or disallow service based on where the activity takes place. Think credit card transactions declined from an unexpected country

70
Q

Single Sign on advantages

A
* improved user and developer productivity
* simplified administration (one place to provision and revoke access)

71
Q

single sign on disadvantages

A

* difficult to retrofit onto existing applications
* unattended desktops expose every connected system
* single point of attack: one compromised credential opens everything

72
Q

FIdM

A

Federated Identity Management; applies SSO at a much wider scale, from cross-organization to Internet-wide, by having organizations trust each other's authentication

73
Q

Kerberos

A

Third-party authentication service that may be used to support SSO; key terms are KDC, TGS, TGT, Principal, Realm, Ticket, Credentials, C/S

74
Q

Principal

A

A client (user) or service in Kerberos

75
Q

Realm

A

A logical Kerberos network served by one KDC

76
Q

Ticket

A

Data that authenticates a principal's identity in Kerberos

77
Q

Credentials

A

In Kerberos, a ticket plus the session key needed to use that ticket

78
Q

KDC

A

Key Distribution Center, which authenticates principals; the pivotal piece of Kerberos

79
Q

TGS

A

Ticket Granting Service: issues service tickets to principals that present a valid TGT

80
Q

TGT

A

Ticket Granting Ticket, good for a site-selected specific lifetime; allows a typical user to authenticate once and access network resources for the lifetime of the ticket

81
Q

C/S

A

Client/server in Kerberos

82
Q

Kerberos strengths

A

Provides mutual authentication of client and server; mitigates replay attacks via the use of timestamps

83
Q

kerberos weaknesses

A

The KDC stores the keys of all principals, making it a single point of failure and a high-value target; replay attacks are still possible within the allowed clock-skew window

84
Q

SESAME

A

Secure European System for Applications in a Multi-vendor Environment; SSO supporting heterogeneous environments; adds to Kerberos; uses Privilege Attribute Certificates (PACs)

85
Q

Security Audit Logs

A

The easiest way to verify that access control methods are working. Primarily a detective control

86
Q

5 distinct problems of audit logs

A
1. logs not reviewed
2. logs/trails not stored long enough
3. logs not standardized or viewable
4. log entries/alerts not prioritized
5. logs reviewed only for "bad" stuff

87
Q

Types of attackers

A

hackers, black/white hats, script kiddies, outsiders, insiders, hacktivist, bots/botnets, phishers/spear phishers

88
Q

Zombie

A

Also known as a bot: a computer system running malware that is controlled remotely as part of a botnet

89
Q

vishing

A

Voice phishing: automated voice scripts (or live callers) over a VoIP network used to trick victims into giving up information

90
Q

penetration testing

A

An authorized white-hat tester attempting to get into a system the way a black-hat attacker would, to find exploitable weaknesses before an attacker does

91
Q

types of penetration testing

A

Zero-knowledge (black box), full-knowledge (crystal box or white box), and partial-knowledge (gray box)