Chapter 3 - Access Control

Question 0

Access

Answer 0

The flow of information between subject and object

Question 1

Access control

Answer 1

Used to restricted access and for authentication of access and ensures AIC on the data

Question 2

Subject

Answer 2

The requesting entity of an object

Question 3

Object

Answer 3

A passive entity that holds information

Question 4

Identification

Answer 4

Proving someone is who they say they are

Question 5

Authentication

Answer 5

A second piece to the credential set

Question 6

Authorization

Answer 6

Being granted access based on your authenticated identity

Question 7

Accountability

Answer 7

Now that you have been authorized, you are now responsible

Question 8

Logical access controls

Answer 8

Boolean operator controls, if authorized than access

Question 9

Race Condition

Answer 9

Running authorization independent of authentication

Process 1 then 2

Hacker just runs two

Question 10

What are the factors of authentication?

Answer 10

Something a person knows, has, or is

Question 11

Verification ratio

Answer 11

Used to see how many people are authenticated by the same token

Question 12

Auth by knowledge

Answer 12

A password, a pin, a combination

Question 13

Auth by ownership

Answer 13

Key, badge, access card

Question 14

Auth by characteristic

Answer 14

Biometrics

Question 15

Strong auth

Answer 15

2 factor auth

Question 16

Mutual auth

Answer 16

This is when each side authenticates the other

Question 17

IdM

Answer 17

Identity management - controlling identitity in an environment for accountability

Question 18

IDM meta directories

Answer 18

A virtual directory to aggregate identity data stored from HR/SQL/AD etc

This is primarily useful for non-ldap integrated systems

Question 19

What makes up X.500?

Answer 19

Directory structure standard

Must have a parent child tree
Each entry unique
Attributes defined in schema
Unique IDS called distinguished names

Question 20

Virtual directory

Answer 20

Similar to meta directories except it doesn’t know the answer .. It points to one

Question 21

WAM

Answer 21

Web access management

Web server receives auth req
Web server gets access approval
Sends back a session cookie
Browser used cookie in further security context

Question 22

Cookie

Answer 22

Browser side data storage

Permanent- stored on the hard drive for later usage and access

Session- temporary token stored in memory for use with session state

Question 23

Single sign on

Answer 23

Sign in once, as long as you use the cookie the server just sent to authenticate you are allowed

Question 24

Password synchronization

Answer 24

Reduces number of passwords known by changing the multiple systems to the same password

Question 25

Self-service password reset

Answer 25

Reduces help desk volume by allowing users to reset own password, or security questions and a click the link email

Question 26

Assisted password reset

Answer 26

Two person password reset, ie. an authenticated help desk person changes it to changemenow and then the user is forced to reset that

Question 27

What is an example of a bad security question ?

Answer 27

What is your mothers maiden name?

This is public information

Question 28

Single sign on

Answer 28

One authentication to rule them all!

Question 29

Account management

Answer 29

Automated construction and destruction of accounts on all necessary systems

Question 30

Authoritative source

Answer 30

The location of a record where it was written

Question 31

Identity repository

Answer 31

The centralized location of information regarding accounts

Question 32

Authoritative system of record

Answer 32

A hierarchy that tracks changes to an environment

Question 33

User provisioning

Answer 33

From hired to fired what happens to your account

Question 34

Self-service

Answer 34

Users can change their own information

Question 35

Federated

Answer 35

If you trust that guy, send me his authenticated session

Question 36

Digital identity

Answer 36

Made of

Attributes
Entitlements
Traits

Question 37

Federated identity

Answer 37

This is the authenticated token being passed around

Question 38

Web portal

Answer 38

A site that contains multiple website feeds

Yahoo
Msn

Question 39

Portlet

Answer 39

This is an individual module that displays website information on a web portal

Question 40

XML

Answer 40

Extensible markup language

Used to standardize a way of communicating between platforms

Question 41

SPML

Answer 41

Service provisioning markup language

Request authority
Provisioning service provider
Provisioning service target

Question 42

SAML

Answer 42

Security assertion markup language

Used for passing authentication in a unified format

Question 43

Web services

Answer 43

This is any site that provides a service

Question 44

SOAP

Answer 44

Simple object access protocol

A means to transmit markup language

Question 45

XACML

Answer 45

Extensible access control markup language

Used to communicate acl between services

Question 46

Extensible

Answer 46

Means standardized really

Question 47

OASIS

Answer 47

Organization keeping all the XML standards

Question 48

What makes XML standards different?

Answer 48

The schema

Question 49

What are the error types in biometrics?

Answer 49

1 - Failed on an authorized person

2 - Allowed an unauthorized person

Question 50

Crossover error rate or equal error rate?

Answer 50

The point where error % of both types match. 3% is better than 4%

Question 51

What causes type 2 errors to switch over to type 1 errors?

Answer 51

Sensitivity

Question 52

Replay attack?

Answer 52

When information is gather now and used later, ie a stolen password

Question 53

What ways can you steal a password?

Answer 53

Electronic monitoring
Access the password database
Brute force attack
Dictionary attack
Social engineering
Rainbow table (hash table)

Question 54

What is last login messaging for?

Answer 54

To point out to the user when he last attempted a login to the system.

Question 55

Clipping level

Answer 55

Threshold

Question 56

What is the most effective way to steal passwords?

Answer 56

Rainbow tables

Question 57

How does someone make a password hash secure?

Answer 57

Salts - random characters entered into a password before hashing

Question 58

Cognitive passwords

Answer 58

Fact or opinion based question and answer

Question 59

Two types of synchronous tokens for one time password

Answer 59

Time synchronous
Counter synchronous

Encryption key is on device

Question 60

Counter-based is also called?

Answer 60

Event based

Question 61

Asynchronous token

Answer 61

Challenge is sent from server, token makes a password out of it using an algorithm and generates a OTP

Question 62

Digital signatures

Answer 62

Used to authenticate by pki

Question 63

Pass phrase

Answer 63

LongPhraseThatIsHardTocrackAndStealFrom

Question 64

Authentication memory card

Answer 64

A read only verification of who you are

An ATM card is used with a pin, the ATM card is a memory card

Question 65

Contact vs contact less smart card

Answer 65

Contact has a electrical contact pad that sends and receives IO

Contact less has an antenna that gets the IO

Question 66

What is fault generation?

Answer 66

Generating faults in a system to see of it feeds back any useful data

Question 67

Side channel attack

Answer 67

An attack where they are simple trying to figure out how it works..

Ie using electromagnets to see what kind of response a smart card gives you

Question 68

Microprobing

Answer 68

Tampering with a chip using ultrasonic and needleless techniques to get directly to the embedded ROM

Question 69

ISO 14443

Answer 69

Smart card standardization

Question 70

RFID

Answer 70

Radio frequency id

Low security due to low processing capabilities

Question 71

What can be used to set access controls?

Answer 71

Role
Group
Location
Time
Transaction type

Question 72

Kerberos

Answer 72

Authentication methodology using shared secret keys

Question 73

KDC

Answer 73

Key distribution center - used to create and store the shared Kerberos keys

Question 74

Principles

Answer 74

Users, applications or services

Each one has it’s own shared secret

Question 75

How do tickets work?

Answer 75

A ticket granting service issues a ticket that is used to pass from one principle to another

Question 76

How does Kerberos work?

Answer 76

1. User sends cress for auth…
2. KDC sends password in a tgt
3. Users entered password is used to get the tgt client side
4. Access to another principle is request
5. Tgt is generated with both principles passwords and tgt’s
6. User pinciple sends sends this to the other principle which verifies it’s tgt and grants or denies access to user

Question 77

How is SESAME and Kerberos different?

Answer 77

Kereberos is strictly symetrical and SESAME is both asymetrical and symetrical

SESAME uses PACs to Kerberos Tickets

Question 78

GSS-API

Answer 78

Standard API used to programmatically use these authentication mechanisms in applications

Question 79

Thin client

Answer 79

A machine that stored no data

Question 80

Discretionary access control

Answer 80

I made it, I can access it, I control it

This is the windows model and allows for systems to runas a user context

Question 81

Non discretionary access?

Answer 81

A group policy is non discretionary because it is forced on the user

Question 82

Security or sensitivity labels

Answer 82

In a mandatory access model it is a security level assigned to a document. If you have that level of clearance the you can see it. For granularity the is also a need to know check

Question 83

Role based access control

Answer 83

The permissions are set to groups defined by job function rather than department or specific person

Question 84

What is the difference between static an dynamic separation of duties ?

Answer 84

Static is if part of x role than cannot be part of y as a member

Dynamic means the session itself and disallows the y functionality if logged in as x

Question 85

Rule based access

Answer 85

This is access based strictly on if then statements

Question 86

Constrained UI

Answer 86

Limiting the user interface to only what you want them to be able to do

Question 87

What is capability and acl?

Answer 87

Capability is what a user can do and acl is what an object allows

Question 88

Content dependent access

Answer 88

Packet sniffing web traffic is a great example, access decisions are based on the content you are trying to receive

Sensitivity based decisions

Question 89

Context dependent access

Answer 89

Access control that understand order of operations .. A firewall understand SYN must come before SYN/ACK

This prevents complex knowledge attacks. User can see A and B or A and C but not ABC

Question 90

AAA

Answer 90

Authentication, authorization, auditing

Question 91

Radius vs tacacs+

Answer 91

Radius is in clear, does not comply with AAA and uses UDP

Tacacs+ uses encryption complies with AAA and uses TCP

Question 92

Diameter

Answer 92

Twice the radius, it is a AAA protocol diversified for our complex protocol rich world. It is peer based rather than server client and superior in all ways

Question 93

Access control layers

Answer 93

Administrative
Technical
Physical

Question 94

Audit reduction tool

Answer 94

Used to parse out on specific information to reduce logs

Question 95

SEM/SIEM

Answer 95

Security event manager used for audit control

Question 96

Scrubbing

Answer 96

Deleting log events that show an attackers presence

Question 97

Object reuse

Answer 97

Thumb drives should be cleaned with 1/0 before someone else uses it, for example

Question 98

Emanation security

Answer 98

Electronics emanate electro-magnetic waves that can be caught and recreated

Question 99

TEMPEST

Answer 99

Used as a standard to shield electronics from emanating

Question 100

White noise

Answer 100

Random interference that overwhelms and overpowers useful information

Question 101

Faraday cage

Answer 101

A shielding

Question 102

Network IDS

Answer 102

Wire shark with NIC in promiscuous mode

Question 103

Host based IDS

Answer 103

Inner system object monitoring

Question 104

Types of IDS monitors

Answer 104

Signature - pattern/stateful

Anomalies - statistical/protocol/traffic/rule

Question 105

What is a signature?

Answer 105

A pattern

Question 106

What is being in the zoo

Answer 106

A virus that has not been released yet

Question 107

Misdirecting IDS

Answer 107

Send IDS systems on a goose chase while you sneak in the other way

Question 108

What is the difference between false positive and negative

Answer 108

Positive- flagging good traffic as bad

Negative- flagging bad traffic as good

Question 109

Icmp attacks

Answer 109

Icmp loaded with variables and payload

Question 110

Signature based IDS

Answer 110

Pattern matching
Stateful matching - compares sequences

Signatures must be updated
Cannot identify new attacks

Question 111

Anomaly based IDS

Answer 111

Behavior based on normal baseline
Can detect new attacks
Called behavioral/heuristic

Statistical - baseline vs now
Protocol - that packet is malformed
Traffic - why is this bandwidth spiking

Question 112

Rule based IDS

Answer 112

If/then rules
AI inference possible
Demanding
Cannot detect new attacks

Question 113

What makes a honeypot a legal issue?

Answer 113

The use of entrapment instead of enticement

Enticing - ports open, web page without ssl etc
Entrapment - giving a download link to the hacker and then charging him for hacking when all he did was use your link

Question 114

Sniffer

Answer 114

Used to analyze promiscuous packets on the network

Question 115

What is another name for hashing

Answer 115

Message digest

Question 116

Dictionary attack

Answer 116

Using known words vs a password to resolve the password

Question 117

Brute force

Answer 117

Trying every combination until a response is received

Question 118

What is a war dialer?

Answer 118

A phone dialer users to discover dialup modems

Question 119

Phishing

Answer 119

Sending requests for information through tricky websites and emails

Cannot trust the URL, JavaScript can replace with a legitimate site name

Question 120

Pharming

Answer 120

The use of fake web sites to pass credentials to, often using DNS poisoning

Question 121

DNS poisoning

Answer 121

Modifying the DNS response your machine receives to redirect to a black server

Question 122

Why is feeling secure with a solution dangerous?

Answer 122

Because you stop looking for security flaws

Question 123

Identity theft

Answer 123

Using someone’s identity to make non legitimate purchases, or generate false criminal records and warrants