Chapter 4: Access Control, Authentication, and Authorization Flashcards
Identification
Finding out who someone is
Authentication
Verifying identification
Out-of-band Authentication
The system you are authenticating to gets info from public records and asks you questions to help authenticate you.
SFA
Single Factor Authentication
Mutual Authentication
Multiple parties authenticating each other
Layered Security/Defense in Depth
You should implement multiple layers of security
Operational Security
- Focuses on how an organization achieves its goals.
- Everything not related to design or physical security.
Security Token
- Similar to certificates, it is a small piece of data that holds a sliver of info about the user.
- The authentication system creates the token every time a user connects or when a session begins, and deletes it when the session ends.
Federation
A collection of computer networks that agree on standards of operation.
Federated Identity
Allows a user to have a single identity that they can use across different business units or businesses
Transitive Access
If A trusts B and B trusts C then A trusts C
Shiva Password Authentication Protocol (SPAP)
Like PAP, but encrypts username and password
Challenge Handshake Authentication Protocol (CHAP)
- Designed to stop man-in-the-middle attacks
- Periodically asks the client for authentication
Time-Based One-Time Password (TOTP)
Uses a time-based factor to create unique passwords
Usual minimum password length
8 characters
Generic Account
An account that is shared
SLIP
One of the first remote authentication protocols, which should not be used now
PPP
- No data security, but uses CHAP
- Authentication handled by Link Control Protocol (LCP)
- Encapsulates network traffic with Network Control Protocol (NCP)
RADIUS server
Allows authentication of remote and other network connections
TACACS+
Similar to RADIUS; handles authentication
Security Assertion Markup Language (SAML)
Open standard based on XML used for authentication and authorization
Lightweight Directory Access Protocol (LDAP)
Allows queries to be made of directories
Key Distribution Center (KDC)
- Authenticates a user, program, or system and provides it with a ticket used to show it has been authenticated.
- Used in Kerberos
Ticket Granting Ticket (TGT)
The ticket given by the KDC, listing the privileges of the user.
Mandatory Access Control (MAC)
- All access is predefined
- Considered most secure
Discretionary Access Control (DAC)
Incorporates some flexibility, allowing someone with certain permissions to grant access to someone who lacks those permissions
Role-Based Access Control (RBAC)
Implements access by job function or by responsibility.
Rule-Based Access Control (RBAC)
Use an ACL to deny all but those who appear in a list, or deny only those that appear in a list.
Access Review
A process to determine whether a user’s access level is still appropriate.
Continuous Monitoring
Ongoing audits of what resources a user actually accesses
Thin Clients
Don’t provide any disk storage or removable media, and rely on servers to use applications and data.
Common Access Card (CAC)
Issued by the DoD as a general identification/authentication card.
Personal Identity Verification Card (PIVC)
A card specific to one person, used in high-level government settings.
3 Firewall Rules
1) Block the connection
2) Allow the connection
3) Allow the connection only if it is secured
802.1X
- Port-based security
- AKA EAP over LAN (EAPOL)
Loop Protection
Intended to prevent broadcast loops
Spanning Tree Protocol (STP)
Intended to ensure loop-free bridged Ethernet LANs
Network Bridging
- When a device has multiple NICs and the opportunity presents itself to jump between them.
- We don’t want it on ordinary users’ machines, so disable it!
Trusted Operating System (TOS)
Any OS that meets the government’s requirements for security.
Common Criteria (CC)
Security evaluation criteria specified by the collaboration between a few countries.
Evaluation Assurance Level (EAL)
How the criteria are broken down in CC
EAL 1
Wants assurance that the system will operate correctly, but not very concerned with security
EAL 2
Requires product developers to use good design practices.
EAL 3
Requires conscientious development efforts to provide moderate levels of security
EAL 4
- Requires positive security engineering based on good commercial development practices.
- The recommended level for commercial systems
EAL 5
Requires special design considerations for high levels of security
EAL 6
High levels of protection against significant risks
EAL 7
Extremely high levels of security requiring extensive testing
Type 7
Weak encryption password type used in routers
MD5
The stronger password type used in routers