Boojong Flashcards

1
Q

What is Access Control?

A

The process of granting or denying specific requests to obtain and use information and enter specific facilities

2
Q

What are the principles of Access Control?

A
  • To prevent unauthorised users from gaining access to resources
  • To prevent legitimate users from accessing resources in an unauthorised manner
  • To enable legitimate users to access resources in an authorised manner
3
Q

What is Authentication?

A

Verification that the credentials of a user or other system entity are valid

4
Q

What is Authorisation?

A

The granting of a right or permission to a system entity to access a system resource

5
Q

What is Audit?

A

An independent review and examination of system records and activities

6
Q

What is a Subject?

A
  • An entity capable of accessing objects
  • A process that represents a user or application and actually gains access to an object
  • Three classes of subject: owner, group, world
7
Q

What is an Object?

A
  • A resource to which access is controlled
  • An entity used to contain and/or receive information
8
Q

What are access rights?

A
  • The way in which a subject may access an object
  • Read, write, execute, delete, create and search
9
Q

What are the main models of access control?

A
  • Discretionary Access Control (DAC)
  • Mandatory Access Control (MAC)
  • Role-based Access Control (RBAC)
  • Attribute-based Access Control (ABAC)
10
Q

How does Discretionary Access Control (DAC) work?

A
  • Identity-based Controls
  • Every object has an owner and a discretionary access control list (DACL)
  • DACLs form an access matrix
11
Q

What are the principles behind DAC?

A
  • Users own resources and control their access
  • Owner may change object’s permissions at its discretion
  • Owners may also be able to transfer ownership to other users
12
Q

What are issues around DAC?

A
  • Flexible, but open to mistakes, negligence or abuse
  • Managing the policies for a large system is a complex task
  • Difficult to verify that the correct accesses are provided to the right users
  • The objects and subjects change frequently, and thus so do their permissions
  • The access matrix represents an explicit relation between each individual subject and object, so it grows very large very quickly
13
Q

How does MAC work?

A

Classification of subjects and objects by security levels
- Every subject has a profile, which includes their clearance and their need-to-know
- Every object has a security label composed of two parts: a classification and a category

14
Q

What are the principles behind MAC?

A
  • Classification of subjects and objects by security levels
  • MAC policies are often identified with multi-level security policies
  • MAC requires careful planning and continuous monitoring to keep all resource objects’ and users’ classifications up to date
  • MAC helps prevent data leakage, making it suitable for environments where information confidentiality and integrity are critical
15
Q

How does MAC differ from DAC?

A
  • More rigid than DAC but also more secure
  • Mandatory because subjects may not transfer access rights
  • Shifts power from users to system owner
16
Q

How does Role-Based Access Control (RBAC) work?

A
  • Access is based on the user’s role in the organisation
  • The administrator associates various permissions with each role
  • Each user is assigned at least one role and inherits the permissions associated with the role(s)
17
Q

What are the advantages of RBAC?

A
  • Increases abstraction in policies
  • Policies become more manageable
  • Reduces user administration
  • Easy to audit
  • Higher flexibility and scalability
18
Q

What are the different types of RBAC?

A
  • Base model
  • Role hierarchies
  • Constraints
  • Consolidated model
19
Q

How do role hierarchies work in RBAC?

A
  • Enable one role to inherit permissions from another role
20
Q

How do constraints work in RBAC?

A

Restrict the ways in which the components of an RBAC system may be configured

21
Q

How does the consolidated model work for RBAC?

A

The consolidated model combines role hierarchies and constraints

22
Q

What are the different types of constraints in RBAC?

A
  • Mutually exclusive roles
  • Cardinality
  • Prerequisite roles
23
Q

What are Attributes?

A

Characteristics that define specific aspects of the subject, object, environment conditions and/or requested operations

24
Q

How does Attribute-Based Access Control (ABAC) work?

A

Access control by evaluating rules against attributes of entities, operations, and the environment relevant to a request

25
What are the advantages of ABAC?
- Dynamic
- Contextual
- Fine-grained
26
What are the disadvantages of RBAC?
- Role explosion
- Doesn't address fine-grained access control
- May require periodic role review
27
What are the disadvantages of ABAC?
- Complex to implement
- Requires detailed attribute definitions
- Difficult to scale
28
What is Cryptography?
Cryptology is the practice and study of techniques for secure communication in the presence of adversarial behaviour
29
What is Symmetric Encryption?
The same key is used to encrypt and decrypt a piece of information
30
What is Asymmetric Encryption?
- Uses a Private Key (Secret) and a Public Key
- Sender encrypts a piece of information with the public key
- The recipient decrypts with its private key
31
What is a Digital Signature?
- Sender encrypts a piece of information with his private key
- The recipient decrypts with the sender's public key
32
What is Diffie-Hellman Key Exchange Protocol?
Its purpose is to enable two users to securely exchange a key that can be used for subsequent symmetric encryption
33
What are the four general means of user authentication?
- Something the individual knows
- Something the individual possesses
- Something the individual is
- Something the individual does
34
How does Password-based Authentication work?
- A user provides a username and a password
- The system compares the password to a previously stored password in a password file
35
What are the drawbacks of passwords?
- Predictable Passwords
- Password Reuse
- Data Breach
36
What are tokens?
Objects that a user possesses for the purpose of user authentication
37
What are examples of tokens and how do they work?
- Memory cards: can only store data, not process data
- Smart cards: have a microprocessor
38
What are the drawbacks of Tokens?
- Requires a special reader
- Token loss
- User dissatisfaction
39
What is Biometric Authentication?
Based on unique physical characteristics
- Static: fingerprints, hand geometry, facial characteristics and retinal and iris patterns
- Dynamic: voiceprint and signature
Relies on pattern recognition
40
What are the drawbacks of Biometrics?
- False match
- False nonmatch
- The concept of accuracy does not apply to passwords and tokens
41
What is Two-factor authentication (2FA)?
Requires users to provide two pieces of evidence
42
What are Brute Force Attacks?
Exhaustive search, trying all possible combinations up to a certain length
43
What are Online Dictionary Attacks?
- Intelligent search, tries passwords associated to the user and popular passwords
44
What are some countermeasures to dictionary and brute force attacks?
- Password Policies
- Machine-generated passwords
- Changing passwords
Stronger:
- Lockout Mechanics
- Throttling
- Protective monitoring
- Password blacklisting
45
What is a Rainbow Table?
A precomputed table with the association
46
Why do we use Rainbow Tables?
- Good trade-off between space and time
- Storing all possible pairs requires a huge amount of space
- With a rainbow table, you store only 2 passwords for each row and compute few hashes
47
What is Password Salting?
- To avoid a reverse password attack
- Add a random salt (append/prepend) to the password
- Compute the hash of the password + salt
- Store the hash of the salted password and the salt
48
What are the benefits of Password Salting?
- It prevents duplicate passwords from being visible in the password file
- It greatly increases the difficulty of offline dictionary attacks
49
What is John the Ripper (JTR or John)?
A fast brute-force/dictionary password cracker
50
What is confidentiality?
Confidentiality presumes a notion of authorised party, or more generally, a security policy saying who or what can access our data
51
What is privacy?
Pertains to confidentiality for individuals, whereas secrecy pertains to confidentiality for organisations.
52
What is Anonymity?
A condition in which your true identity is not known
53
What are the 4 basic groups of harmful activities?
- Information Collection
- Information Processing
- Information Dissemination
- Invasions
54
What are the types of information collection?
- Surveillance
- Interrogation
55
What are the types of Information Processing?
- Aggregation
- Identification
- Insecurity
- Secondary Use
- Exclusion
56
What are the types of Information Dissemination?
- Breach of Confidentiality
- Exposure
- Appropriation
- Distortion
- Disclosure
- Increased Accessibility
- Blackmail
57
What are the types of Invasions?
- Intrusions
- Decisional Interference
58
What are Privacy Enhancing Technologies (PETs)?
Tools, mechanisms, or architectures that aim to mitigate privacy concerns
59
What are the main privacy research paradigms?
- Privacy as Confidentiality
- Privacy as Control
- Privacy as Practice
60
What are some examples of PETs?
- Communication Anonymisers
- Enhanced Privacy (EPID)
- Zero-knowledge Proof
- Homomorphic Encryption
- Secure Multi-Party Computation
- Differential Privacy
- Federated Learning
61
What is Anonymity?
- A condition in which your true identity is not known
62
Why are VPNs useful?
- To access sensitive services or data in a company from the outside
- To anonymise the traffic
- To make your apparent location that of the VPN server
63
What are Mix Networks?
A chain of proxy servers, known as mixes, is used to create hard-to-trace communications
64
How can the destination respond to the sender in a mix network?
- During path establishment, the sender places keys at each mix along the path
- Data is re-encrypted as it travels the reverse path
65
How does The Onion Router improve on mix networks?
- Takes bandwidth into account when selecting relays (mixes)
- Introduces hidden services (only accessible via the Tor overlay)
66
What is Perfect Forward Secrecy (PFS)?
Minimises the risk posed to personal information in the event of an encryption key breach
67
What do Directory servers do?
Maintain the status of the Tor nodes
68
What do Entry (Guard) Nodes do in Tor?
- Know the identity of the sender
69
What do Relay nodes do in Tor?
Route the messages
70
What do Exit nodes do in Tor?
Know the identity of the receiver and can see your traffic if it is not encrypted
71
What is a Digital Certificate?
- Binds a user/company identity to its public key
- Standard: X.509
72
What are Digital Certificates used for?
- Secure e-mail
- Virtual Private Networks
- Wi-Fi
- Web servers (SSL/TLS)
- Network Authentication
- Code Signing
73
What is Public Key Infrastructure (PKI)?
- The set of hardware, software, people, processes, policies and procedures
- Needed to create, manage, store, distribute and revoke digital certificates based on asymmetric cryptography
74
What are the Key Players of PKI?
- Certification Authorities (CA)
- Registration Authorities (RA)
- PKI Repositories
- PKI Users
75
What is a Certification Authority (CA)?
- Responsible for issuing, revoking and distributing public key certificates
- Certificates are signed with the CA's private key
- Important to protect the CA's private key
- Often a trusted third party
76
What is a Registration Authority (RA)?
- Performs functions for CA but does not issue certificates directly
77
What functions does a Registration Authority perform?
- Identification and authentication of certificate applicants
- Approval or rejection of certificate applications
- Initiating certificate revocations or suspensions
- Processing subscriber requests to revoke or suspend their certificates
- Approving or rejecting requests by subscribers to renew or re-key their certificates
78
What are PKI Repositories?
- Means of storing and distributing certificates and certificate revocation lists (CRLs) and managing updates to certificates
- Allow relying parties to retrieve certificates and CRLs
79
How does Certificate Issuance work?
- RA verifies subject information
- Generate public/private key pair
- CA issues the certificate
80
How does Certificate Usage work?
- Fetch the certificate
- Fetch the certificate revocation list (CRL)
- Check the certificate against the CRL
- Check the signature using the certificate
81
What reasons would there be to revoke a certificate?
- Expiration
- Compromised private key
- Human Resources reasons
- Company changes name, physical address, DNS
82
What is the Certificate Revocation list (CRL)?
- A list of certificates which are no longer valid
- Published regularly by the CA in the PKI repository
- Also sent to any relying party who has subscribed
83
What are the problems with the CRL?
- Not issued frequently enough to be effective against an attacker
- Expensive to distribute
- Vulnerable to simple DoS attacks
84
What is X.509?
The most widely accepted format for public key certificates
85
How does the X.509 CRL work?
Each revoked certificate entry contains a serial number of a certificate and the revocation date
86
Why isn't X.509 CRL used more?
- Due to the overheads in retrieving and storing these lists