CISSP Domain 1 Access Control Vocab

Question 1

Discretionary access control

Answer 1

gives subjects full control of objects they have been given access to, including sharing the objects with other subjects.

Question 2

Mandatory access control

Answer 2

system enforced access control based on subject’s clearances and object’s labels.

Question 3

Role-based access control

Answer 3

subjects are grouped into roles, and each defined role has access permissions based upon the role, not the individual.

Question 4

CIA Triad

Answer 4

confidentiality, integrity, and availability.

Question 5

Confidentiality

Answer 5

seeks to prevent the unauthorized disclosure of information; it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data.

Question 6

Integrity

Answer 6

seeks to prevent an authorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. There are two types of integrity: data integrity and system integrity. Data integrity seeks to protect information against unauthorized modification; system integrity seeks to protect a system such as Windows 2008 server operating system from unauthorized modification.

Question 7

Availability

Answer 7

ensures that information is available when needed. Systems need to be usable for normal business use. An example of an attack on availability would be a denial of service attack.

Question 8

DAD

Answer 8

Disclosure, Alteration, and Destruction. The opposing force to the CIA Triad.

Question 9

AAA

Answer 9

Authentication, Authorization, and accountability. Identification is understood with all three.

Question 10

Subjects, objects, access permissions

Answer 10

Three important access control concepts.

Question 11

Subjects

Answer 11

Entities that may be assigned permissions.

Question 12

Objects

Answer 12

Types of resources that subjects may access.

Question 13

Access permissions

Answer 13

Relationships between subjects and the objects they may access.

Question 14

Four phases of access control.

Answer 14

Identification, authentication, authorization, accounting

Question 15

Identification

Answer 15

User makes a claim as to his or her identity.

Question 16

Authentication

Answer 16

User proves his or her identity using one or more mechanisms. Providing an identity claim.

Question 17

Authorization

Answer 17

System makes decisions about what resources the user is allowed to access and the manner in which they may be manipulated. Allowing authenticated subjects access to a system

Question 18

Accountability

Answer 18

System keeps an accurate audit trail of the users activity.

Question 19

Non-Repudiation

Answer 19

a user cannot deny (repudiate) having performed a transaction. Authentication with integrity

Question 20

Least Privilege

Answer 20

users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. Need to know is more granular than lest privilidge, as the user must need to know that specific pieve of information before accessing it.

Question 21

Defense in Depth or Layered Defense

Answer 21

applies multiple safegards or controls to protect an asset. Mulitple controls will increase your chances of secutiry.

Question 22

Subject

Answer 22

an active entity on an information system.

Question 23

object

Answer 23

a passive datafile.

Question 24

Access control list (ACL)

Answer 24

Contains access control entities (ACEs) that correspond to access permissions.

Question 25

Three types of access control modles

Answer 25

MAC, DAC, NDAC (RBAC),

Question 26

Mandatory access control (MAC)

Answer 26

Authorization of the subjects access to an object depends on labels which indicate a subjects clearance and the classification or sensitivity of the related object

Question 27

Discretionary access control (DAC)

Answer 27

Access control type where the subject has authority to specify what objects can be accessible.

Question 28

Non-discretionary access control (NDAC) also known as role based access control (RBAC)

Answer 28

Access control type where the Administrator determines which subjects can have access to certain objects based on an organizations security policy.

Question 29

Task based access control

Answer 29

based on the tasks that each subject must perform. Focus on tasks rather than roles.

Question 30

Content and Context-based access controls

Answer 30

adds additional criteria beyond identirfication and authentication: the actual content the subject is attempting to access.

Question 31

Centralized access control

Answer 31

concentrates access control in one logical point for a system or organization.

Question 32

Decentralized access control

Answer 32

allows IT admin to occure closer to the mission and operations of an organization.

Question 33

Single sign on (SSO)

Answer 33

A subject may authenticate once for access to multiple systems.

Question 34

Access Aggrigation

Answer 34

Occures as individual users gain more access to more systems. Authorization creep - gaining more entitlements without sheding the old ones.

Question 35

RADIUS

Answer 35

Access Control Proticol. Remote Authentication Dial In User Service. Third party authentication system. Request for Comments 2865 and 2866. User Datagram Protocol ports 1812(authentication) 1813(accounting). AAA system comprised of three components: Authentication, authorization, and accounting. Request and response data is carried in Attribute-Value Pairs (AVPs).

Question 36

Diameter

Answer 36

Successor to RADIUS. Uses Attribute-Valued Pairs but supports more. Used 32 bits. Uses single server to manage policies for many services.

Question 37

TACACS and TACACS+

Answer 37

Terminal Access Controller Access Control System. Centralized access control system that requires users to send an ID and static reusable password for authentication. Uses UDP port 49 and may also use Transmission Control Protocol. TACACS+ is not backward compatible. TACACS+ encrypts all data below the header.

Question 38

Five types of access controls.

Answer 38

Preventative, detective, corrective, deterrent, compensatory

Question 39

Preventative controls

Answer 39

Controls designed to prevent unwanted activity from occurring.

Question 40

Detective controls

Answer 40

Type of controls that provide a means of discovering unwanted activities that have occurred.

Question 41

Corrective controls

Answer 41

Controls that are mechanisms for bringing a system back to its original state prior to the unwanted activity.

Question 42

Deterrent controls

Answer 42

Control type used to discourage individuals from attempting to perform undesired activities.

Question 43

Compensatory controls

Answer 43

Control type implemented to make up for deficiencies in other controls.

Question 44

Three categories of access control.

Answer 44

Administrative, logical/technical, physical.

Question 45

Administrative controls

Answer 45

Controls constituting policies, procedures, disaster recovery plans, awareness training, security reviews and audits, background checks, reviews of vacation history, separation of duties, and job rotation.

Question 46

Logical/technical controls

Answer 46

Control type that restricts access to systems and the protection of information.

Question 47

Physical controls

Answer 47

Type of controls used to protect access to the physical facilities housing information systems.

Question 48

Principle of least privilege

Answer 48

States that the subjects of an access control system should have the minimum set of access permissions necessary to complete their assigned job functions.

Question 49

Separation of duties

Answer 49

The ability to perform critical system functions should be divided among different individuals to minimize the risk of collusion.

Question 50

Need to know

Answer 50

Users should only have access to information that they have a need to know to perform their assigned responsibilities.

Question 51

Privilege creep

Answer 51

Users gain different access permissions as they move from position to position in an organization but old permissions are not revoked.

Question 52

Kerberos

Answer 52

Software used on a network to establish a users identity.

Question 53

Three components of kerberos

Answer 53

Key distribution center (KDC), Authentication service (AS), Ticket granting service (TGS)

Question 54

SESAME

Answer 54

A public key based alternative to kerberos

Question 55

Three authentication factors.

Answer 55

Something you know, something you have, something you are

Question 56

Two-factor authentication

Answer 56

Using at least two authentication factors.

Question 57

Passwords

Answer 57

The most commonly implemented authentication technique.

Question 58

Four different kinds of tokens

Answer 58

Static password, synchronous dynamic password, asynchronous dynamic password, challenge-response token

Question 59

Static password token

Answer 59

Token type where the owner authenticates himself to the token and the token authenticates the owner to the system.

Question 60

Synchronous dynamic password token

Answer 60

Token type where the token generates a new unique password at fixed time intervals, user enters a unique password and user name into the system, and the system confirms that the password and user name are correct and were entered during the allowed time interval.

Question 61

Asynchronous dynamic password token

Answer 61

Same as the synchronous dynamic password token except no time dependency.

Question 62

Challenge-response token

Answer 62

Token type where there is a system or workstation generated random number challenge, owner enters string into token with the proper PIN, and the token generates a response that is entered into the system.

Question 63

False rejection rate (FRR), also known as a Type I error

Answer 63

The percentage of cases in which a valid user is incorrectly rejected by the system.

Question 64

False acceptance rate (FAR), also known as a Type II error

Answer 64

The percentage of cases in which an invalid user is incorrectly accepted by the system.

Question 65

Crossover error rate (CER)

Answer 65

The rate at which FRR=FAR for any given system.

Question 66

Enrollment time, throughput rate, acceptability

Answer 66

Three evaluation factors for biometric techniques.

Question 67

Enrollment time

Answer 67

The amount of time that it takes to add a new user to a biometric system.

Question 68

Throughput rate

Answer 68

The number of users that may be authenticated to a biometric system per minute.

Question 69

Acceptability

Answer 69

The likelihood that users will accept the use of a biometric technique.

Question 70

Six types of attack.

Answer 70

Brute force, dictionary, spoofing, denial of service, man in the middle, sniffer.

Question 71

Brute force attack

Answer 71

The type of attack where the attacker simply guesses passwords until eventually succeeding.

Question 72

Dictionary attack

Answer 72

Type of attack where the attacker uses the password encryption algorithm to encrypt a dictionary of common words and then compares the encrypted words to the password file.

Question 73

Spoofing

Answer 73

Type of attack where an individual or system poses as a third party.

Question 74

Denial of service (DoS)

Answer 74

Type of attack where the system is flooded with traffic so that it cannot provide service to legitimate users.

Question 75

Sniffer

Answer 75

Type of attack where the attacker can monitor all traffic occurring on the same network segment,

Question 76

Penetration test

Answer 76

An effective way to assess the security of a system.

Question 77

Two types of monitored environment for IDS.

Answer 77

Host based, network based

Question 78

Two types of detection methodology for IDS.

Answer 78

Signature based, Anomaly based

Question 79

Host based IDS

Answer 79

IDS that resides on a single system and monitors the systems even log and audit trail for signs of unusual activity.

Question 80

Network based IDS

Answer 80

IDS that performs real time monitoring in a passive manner by monitoring all of the traffic on a specific network segment,

Question 81

Signature based IDS

Answer 81

IDS that stores characteristics of an attack and then compares activity in a monitored environment to those characteristics.

Question 82

Anomaly based IDS

Answer 82

IDS that measures user, system, and network behavior over an extended period of time to develop baselines.