Domain 1 Access Control Vocab

Question 2

Discretionary access control

Answer 2

gives subjects full control of objects they have been given access to, including sharing the objects with other subjects.

Question 3

Mandatory access control

Answer 3

system enforced access control based on subject’s clearances and object’s labels.

Question 4

Role-based access control

Answer 4

subjects are grouped into roles, and each defined role has access permissions based upon the role, not the individual.

Question 5

CIA Triad

Answer 5

confidentiality, integrity, and availability.

Question 6

Confidentiality

Answer 6

seeks to prevent the unauthorized disclosure of information; it keeps data secret. In other words, confidentiality seeks to prevent unauthorized read access to data.

Question 7

Integrity

Answer 7

seeks to prevent an authorized modification of information. In other words, integrity seeks to prevent unauthorized write access to data. There are two types of integrity: data integrity and system integrity. Data integrity seeks to protect information against unauthorized modification; system integrity seeks to protect a system such as Windows 2008 server operating system from unauthorized modification.

Question 8

Availability

Answer 8

ensures that information is available when needed. Systems need to be usable for normal business use. An example of an attack on availability would be a denial of service attack.

Question 9

DAD

Answer 9

Disclosure, Alteration, and Destruction. The opposing force to the CIA Triad.

Question 10

AAA

Answer 10

Authentication, Authorization, and accountability. Identification is understood with all three.

Question 11

Subjects, objects, access permissions

Answer 11

Three important access control concepts.

Question 12

Subjects

Answer 12

Entities that may be assigned permissions.

Question 13

Objects

Answer 13

Types of resources that subjects may access.

Question 14

Access permissions

Answer 14

Relationships between subjects and the objects they may access.

Question 15

Four phases of access control.

Answer 15

Identification, authentication, authorization, accounting

Question 16

Identification

Answer 16

User makes a claim as to his or her identity.

Question 17

Authentication

Answer 17

User proves his or her identity using one or more mechanisms. Providing an identity claim.

Question 18

Authorization

Answer 18

System makes decisions about what resources the user is allowed to access and the manner in which they may be manipulated. Allowing authenticated subjects access to a system

Question 19

Accountability

Answer 19

System keeps an accurate audit trail of the users activity.

Question 20

Non-Repudiation

Answer 20

a user cannot deny (repudiate) having performed a transaction. Authentication with integrity

Question 21

Defense in Depth or Layered Defense

Answer 21

applies multiple safeguards or controls to protect an asset. Multiple controls will increase your chances of security.

Question 22

Subject

Answer 22

an active entity on an information system.

Question 23

object

Answer 23

a passive data file.

Question 24

Three types of access control models

Answer 24

MAC, DAC, NDAC (RBAC),

Question 25

Mandatory access control (MAC)

Answer 25

Authorization of the subjects access to an object depends on labels which indicate a subjects clearance and the classification or sensitivity of the related object

Question 26

Discretionary access control (DAC)

Answer 26

Access control type where the subject has authority to specify what objects can be accessible.

Question 27

Non-discretionary access control (NDAC) also known as role based access control (RBAC)

Answer 27

Access control type where the Administrator determines which subjects can have access to certain objects based on an organizations security policy.

Question 28

Task based access control

Answer 28

based on the tasks that each subject must perform. Focus on tasks rather than roles.

Question 29

Content and Context-based access controls

Answer 29

adds additional criteria beyond identification and authentication: the actual content the subject is attempting to access.

Question 30

Centralized access control

Answer 30

concentrates access control in one logical point for a system or organization.

Question 31

Decentralized access control

Answer 31

allows IT admin to occur closer to the mission and operations of an organization.

Question 32

Access Aggregation

Answer 32

Occurs as individual users gain more access to more systems. Authorization creep - gaining more entitlements without shedding the old ones.

Question 33

RADIUS

Answer 33

Access Control Protocol. Remote Authentication Dial In User Service. Third party authentication system. Request for Comments 2865 and 2866. User Datagram Protocol ports 1812(authentication) 1813(accounting). AAA system comprised of three components: Authentication, authorization, and accounting. Request and response data is carried in Attribute-Value Pairs (AVPs).

Question 34

Diameter

Answer 34

Successor to RADIUS. Uses Attribute-Valued Pairs but supports more. Used 32 bits. Uses single server to manage policies for many services.

Question 35

TACACS and TACACS+

Answer 35

Terminal Access Controller Access Control System. Centralized access control system that requires users to send an ID and static reusable password for authentication. Uses UDP port 49 and may also use Transmission Control Protocol. TACACS+ is not backward compatible. TACACS+ encrypts all data below the header.

Question 36

Labels

Answer 36

These are the security level assigned to objects - confidential, secret, top secret.

Question 37

Clearance

Answer 37

a determination by senior security professional about whether a subject can be trusted to have access to objects with labels. Can you be trusted to access classified data.

Question 38

Least Privilege

Answer 38

users should be granted the minimum amount of access (authorization) required to do their jobs, but no more. Need to know is more granular than lest privilege, as the user must need to know that specific piece of information before accessing it.

Question 39

Separation of Duties

Answer 39

aka segregation of duties. Allows for an organization to maintain checks and balances among the employees with privileged access. No one person has total control over sensitive transactions.

Question 40

Rotation of Duties

Answer 40

a process that requires different staff members to perform the same duties. Helps to mitigate collusion.

Question 41

Formal Access approval

Answer 41

Documented approval from the data owner for a subject to access certain objects, requiring the subject to understand all the rules and requirements for accessing data and consequences should the data become lost, destroyed, or compromised.

Question 42

Need to Know

Answer 42

Does the user need to know the specific data he may attempt to access. Based on each individual object.

Question 43

Rule based access control

Answer 43

system uses a series of defined rules, restrictions, filters for accessing objects within a system. The rules form if/then statements

Question 44

Access control list (ACL)

Answer 44

Contains access control entities (ACEs) that correspond to access permissions.

Question 45

Six types of access controls.

Answer 45

Preventative, detective, corrective, recover, deterrent, compensatory

Question 46

Preventative controls

Answer 46

Controls designed to prevent unwanted activity from occurring.

Question 47

Detective controls

Answer 47

Type of controls that provide a means of discovering unwanted activities that have occurred.

Question 48

Corrective controls

Answer 48

Controls that are mechanisms for bringing a system back to its original state prior to the unwanted activity.

Question 49

Recovery

Answer 49

After a security incident, recovery controls may have to be taken in order to restore functionality to the system or organization

Question 50

Deterrent controls

Answer 50

Control type used to discourage individuals from attempting to perform undesired activities.

Question 51

Compensatory controls

Answer 51

Control type implemented to make up for deficiencies in other controls.

Question 52

Credential Set

Answer 52

term used for a combination of both identification and authentication of a user

Question 53

Three authentication factors.

Answer 53

Something you know, something you have, something you are

Question 54

Passwords

Answer 54

The most commonly implemented authentication technique. Something you know.

Question 55

Static password token

Answer 55

Token type where the owner authenticates himself to the token and the token authenticates the owner to the system.

Question 56

Four different kinds of tokens

Answer 56

Static password, synchronous dynamic password, asynchronous dynamic password, challenge-response token

Question 57

Static password

Answer 57

Reusable passwords that may or may not expire. They are typically user generated and work best when combined with another authentication type, such as a smart card or biometric control.

Question 58

Pass phrases

Answer 58

Long static passwords, comprised of words or phrases in a sentence. easier to remember than just one word.

Question 59

One time passwords

Answer 59

may be used for a single authentication. very secure but difficult to manage.

Question 60

Dynamic Password

Answer 60

change at regular intervals. One draw back is their expense.

Question 61

Strong Authentication

Answer 61

aka Multifactor Authentication. Requires that the user present more than one authentication factor. Like your ATM card and PIN.

Question 62

Hashing

Answer 62

One way encryption using an algorithm and no key. It is impossible to reverse the algorithm.

Question 63

Password Cracking

Answer 63

an attacker runs the hash algorithm forward many times selecting various possible passwords and comparing the output to the desired hash, hoping to find a match.

Question 64

Password Hash storage

Answer 64

UNIX/Linux stored in the /etc./shadow file. MS security account management file or SAM.

Question 65

Three categories of access control.

Answer 65

Administrative, logical/technical, physical.

Question 66

Administrative controls

Answer 66

Controls constituting policies, procedures, disaster recovery plans, awareness training, security reviews and audits, background checks, reviews of vacation history, separation of duties, and job rotation.

Question 67

Logical/technical controls

Answer 67

Control type that restricts access to systems and the protection of information.

Question 68

Physical controls

Answer 68

Type of controls used to protect access to the physical facilities housing information systems.

Question 69

Principle of least privilege

Answer 69

States that the subjects of an access control system should have the minimum set of access permissions necessary to complete their assigned job functions.

Question 70

Separation of duties

Answer 70

The ability to perform critical system functions should be divided among different individuals to minimize the risk of collusion.

Question 71

Need to know

Answer 71

Users should only have access to information that they have a need to know to perform their assigned responsibilities.

Question 72

Six types of attack.

Answer 72

Brute force, dictionary, spoofing, denial of service, man in the middle, sniffer.

Question 73

Brute force attack

Answer 73

The type of attack where the attacker simply guesses passwords until eventually succeeding. calculates output for every possible password. They use Rainbow Tables - a database that contains precomputed hashed output for most or all possible passwords.

Question 74

Dictionary attack

Answer 74

Type of attack where the attacker uses the password encryption algorithm to encrypt a dictionary of common words and then compares the encrypted words to the password file.

Question 75

Hybrid Attack

Answer 75

appends, pretends or changes characters in a words from dictionaries before hashing to attempt the fastest crack of complex passwords

Question 76

salt

Answer 76

allows one password to hash in multiple ways

Question 77

Spoofing

Answer 77

Type of attack where an individual or system poses as a third party.

Question 78

Denial of service (DoS)

Answer 78

Type of attack where the system is flooded with traffic so that it cannot provide service to legitimate users.

Question 79

Sniffer

Answer 79

Type of attack where the attacker can monitor all traffic occurring on the same network segment,

Question 80

Token

Answer 80

an object that helps to prove and identity claim. Something you have!

Question 81

Synchronous dynamic token

Answer 81

time or counters to synchronize a displayed token code with the code expected by the authentication server; the codes are then synchronized.

Question 82

Asynchronous dynamic token

Answer 82

Not synchronized with a central server. The most common variety is challenge=response tokens. Challenge-response token authentication systems produce a challenge, or input for the token device. The user then manually enters the information into the device along with the user’s PIN and the device produces an out put.

Question 83

Two-factor authentication

Answer 83

Using at least two authentication factors.

Question 84

Challenge-response token

Answer 84

Token type where there is a system or workstation generated random number challenge, owner enters string into token with the proper PIN, and the token generates a response that is entered into the system.

Question 85

Biometrics

Answer 85

Something you are. uses physical characteristics as a means of identification or authentication.

Question 86

Enrollment time, throughput rate, acceptability

Answer 86

Three evaluation factors for biometric techniques.

Question 87

Enrollment time

Answer 87

The amount of time that it takes to add a new user to a biometric system.

Question 88

Throughput rate

Answer 88

The number of users that may be authenticated to a biometric system per minute.

Question 89

Acceptability

Answer 89

The likelihood that users will accept the use of a biometric technique.

Question 90

False rejection rate (FRR), also known as a Type I error

Answer 90

The percentage of cases in which a valid user is incorrectly rejected by the system.

Question 91

False acceptance rate (FAR), also known as a Type II error

Answer 91

The percentage of cases in which an invalid user is incorrectly accepted by the system.

Question 92

Crossover error rate (CER)

Answer 92

The rate at which FRR=FAR for any given system.

Question 93

Finger Prints

Answer 93

Most widely used biometric control available today. Smartcards can carry this info. the higher the minutiae the more FRRs one will get.

Question 94

Retina Scan

Answer 94

Laser scan of the capillaries that feed the retina in the back of your eye. Requires a light beam to be enter your pupil. Exchange of body fluids possible. Rarely used due to privacy concerns and health issues.

Question 95

Iris Scan

Answer 95

camera takes a picture of your iris the colored part of your eye. Non evasive

Question 96

Hand Geometry

Answer 96

measurements are made from specific points on your hand

Question 97

Key board dynamics

Answer 97

measurements are taken in regards to how one uses a keyboard. Hard to duplicate.

Question 98

Dynamic signatures

Answer 98

Measurements are taken in how one signs their name.

Question 99

voiceprint

Answer 99

measures the subjects tone of voice while saying specific words. voice can change due to illness.

Question 100

Facial Scan

Answer 100

taking the picture of subject and comparing it to what is in the data base. high coast

Question 101

Someplace you are

Answer 101

GPS, IP address, point of sale. all these things can help in authenticating an identity.

Question 102

Single sign on (SSO)

Answer 102

A subject may authenticate once for access to multiple systems. Allows multiple systems to use a central authentication server (AS). This allows users to authenticate once and then access multiple different systems. It also allows sec admin to add, change, or revoke user privileges on one central system.

Question 103

Single sign on (SSO) Benefits

Answer 103

1. Improved user productivity. 2. Improved developer productivity. 3. Simplified Administration.

Question 104

Single sign on (SSO) Disadvantages

Answer 104

1 Difficult to retro fit. 2. unattended desktop can lead to a compromise of entire system. 3. It is a perfect single point of attack for denial of service.

Question 105

Privilege creep

Answer 105

Users gain different access permissions as they move from position to position in an organization but old permissions are not revoked.

Question 106

Kerberos

Answer 106

Software used on a network to establish a users identity. Third-party authentication system. Developed under Project Athena at MIT.

Question 107

Kerberos Characteristics

Answer 107

Current version is 5.

Question 108

Kerberos - Principal

Answer 108

Client (user) service.

Question 109

Kerberos - Realm

Answer 109

Logical Kerberos network

Question 110

Kerberos - Ticket

Answer 110

Data that authenticated a principal’s identity

Question 111

Kerberos - Credentials

Answer 111

a ticket or service key.

Question 112

Kerberos - KDC

Answer 112

Key distribution center, which authenticates principals.

Question 113

Kerberos - TGS

Answer 113

Ticket Granting Service

Question 114

Kerberos - TGT

Answer 114

Ticket Granting Ticket Good for a specific lifetime - often 10 hrs.

Question 115

Kerberos - C/S

Answer 115

Client/server, regarding communications between the two.

Question 116

Kerberos Operational Steps

Answer 116

1. Principal contacts the KDC, which acts as an authentication server, to request authentication. 2. KDC sends principal a session key, encrypted with secret key. The KDC also sends a TGT encrypted with the TGS secret key. 3. principal decrypts the session key and uses it to print from the TGS.4 Seeing a valid session key, the TGS sends principal a C/S session key to use to print. The TGS also sends a service ticket, encrypted with the printer’s key. 5. Principal connects to printer. Printer sees valid C/S session key. Knows that principal has permission and is authentic.

Question 117

Kerberos Strengths

Answer 117

Kerberos mitigates replay attacks (where attackers sniff Kerberos credentials and replay them on the network) via timestamps. In addition to mutual authentication Kerberos is stateless. Any credentials issued by the KDC to TGS are good for the credentials lifetime, even if the KDC to TGS goes down.

Question 118

Kerberos Weakness

Answer 118

KDC stores the keys of all principals. A compromise of the KDC can lead to the compromise of every key in the Kerberos realm. KDC and TGS are single points of failure. Kerberos is designed to mitigate a malicious network; a sniffer will provide little or no value. Kerberos does not mitigate a malicious local host, as plaintext keys may exist in the memory or cache.

Question 119

Three components of Kerberos

Answer 119

Key distribution center (KDC), Authentication service (AS), Ticket granting service (TGS)

Question 120

SESAME

Answer 120

(Secure European System for Applications in a multivendor Environment) A public key based alternative to Kerberos. SSO. Adds to Kerberos with asymmetric encryption. Uses Privilege Attribute Certificates (PAC) in place of Kerberos tickets.

Question 121

Security Audit Logs

Answer 121

Logs within the system that access control mechanism to validate adequate performance.

Question 122

Hackers

Answer 122

a malicious or inquisitive meddler who tries to discover information by poking around. Cracker is also used to identify one with malicious intent.

Question 123

Black Hat

Answer 123

Hacker with malicious intent

Question 124

White Hat

Answer 124

Hacker who may be testing the integrity of a system. Ethical and helpful sort.

Question 125

Grey Hat

Answer 125

Hacker who exploits a security weakness in a computer system or product in order to bring the weakness to the attention of the owners.

Question 126

Script Kiddies

Answer 126

Those who attack a system with tools who have little or no understanding of.

Question 127

Outsiders

Answer 127

Unauthorized attackers with no authorized privileged access to a system or organization. The outsider seeks to gain unauthorized access.

Question 128

Insider attack

Answer 128

launched by an internal user who may be authorized to use the system that is attacked. Can be mistakes or malice that cause these.

Question 129

Hacktivist

Answer 129

Hacker activist, someone who attackes computer systems for political reasons

Question 130

Bot

Answer 130

a computer system running malware that is controlled via a botnet. Zombie can also be a term used for a bot.

Question 131

Botnet

Answer 131

a central command and control network managed by humans called bot herders. Use IRC - internet relay chat - networks to provide command and control. May also use HTTP, or HTTPS, or propietary protocols.

Question 132

Phisher

Answer 132

a malicious attacker who attempts to trick users into divulging account credentials or PII. Many attempt to steal online banking information.

Question 133

Spear Phishing

Answer 133

target fewer users. High value targets many times executives. Use their full names, title, and other supporting information. AKA whaling or whale hunting

Question 134

Vishing

Answer 134

voice phishing. VoIP systems to automate calls to thousands of targets in attempts to get them to divulge personal banking info.

Question 135

Penetration test

Answer 135

An effective way to assess the security of a system.

Question 136

social engineering

Answer 136

using the human mind to bipass security controls. i.e. emailing malware with the subject line, “CAT 5 Hurricane to hit Florida!”

Question 137

zero knowledge or Black Box

Answer 137

Test is blind. Penetration tester begins with no external or trusted information and begins the attack with public information only

Question 138

Full Knowledge or Crystal Box

Answer 138

provides internal informaiton to the tester, including network diagrams, policies and procedures, and sometimes reports from pervious penetration testers.

Question 139

Partial knowledge

Answer 139

tester gets some info.

Question 140

Penetration testing tools

Answer 140

open source - metasploit.org closed source - core impact and immunity canvas.

Question 141

Vulnerablity Scanning or testing

Answer 141

using tools to scan a network or system for misnconfigurations, outdated software, lack of patching. Nessu or OpenVAS.

Question 142

Security Audit

Answer 142

test against a published standard. i.e. Payment Card Industry Data Security Standard. PCI DSS for complinace.

Question 143

Security Assessment

Answer 143

holistic approach to assessing the effectiveness of access control. View many controls over multiple domains: policies, proceedures, and admin controls; assessing the real world effectiveness of admin controls; change management; architectural review; penetration tests; vulnerablity assessments; security audits.