Domain 1 - Access Controls Flashcards

Question

2 Models that use MAC?

Answer 1

Bell-LaPaula Confidentitiaity Biba Integrity

Answer 2

ATTRIBUTE-BASED ACCESS CONTROL Access control method where subject requests to perform operations on objects are granted or denied based on assigned attributes of the subject, assigned attributes of the object, environment conditions, and a set of policies.

Answer 3

Clark-Wilson formal model

Answer 4

Components are: Subjects, Objects and an AC Matrix. Objects are classified into a hierarchy of security levels based on sensitivity (low to high) Subjects assigned security levels called 'Clearance Levels'. AC Matrix - Relation between the sensitivity levels of Objects and Subjects. Defines permissions for each clearance level and object classification.

Answer 5

A given subject can read objects at the same or lower sensitivity level.

Answer 6

When a subject can read objects at the same or lower sensitivity level, but not higher.

Answer 7

1. Concerned only with confidentiality and makes no mention of other properties 2. Does not address important goals such as 'need to know' or the ability to restrict access to individual objects based on a subject's need to access them.

Answer 8

Bell-LaPadula Confidentiality Model

Answer 9

Lattice Based. Integrity model focusing on ensuring that the integrity of information is being maintained by preventing corruption. Core is a multilevel approach to integrity designed to prevent unauthorized subjects from modifying objects.

Answer 10

To Ensure that objects maintain their current state of integrity as subjects interact with them.

Answer 11

Assigns levels to subjects and objects depending on how trustworthy they are considered to be.

Answer 12

BLP - A subject cannot read/access an object of higher classification (No read up). BIBA - A Subject cannot observe an object of a lower integrity level (no read down)

Answer 13

BLP - Not used. BIBA - A subject cannot send logical service requests to an object of a higher integrity.

Answer 14

Authenticated Principals (Users) Programs Acting on Data (Transaction Processes) Data Items

Answer 15

Well-formed transactions (that maintain a consistent level of integrity between initial and end state. Also instills the Separation of Duties principals.

Answer 16

Multilevel Security Systems Systems in which information with various sensitivities or integrity requirements can be processed concurrently in a single system by users or actors with multiple levels of clearance or need to know.

Answer 17

'Chinese Wall' Principal is that users should not access the confidential information of both a client organization and one or more of it's competitors. Rare because the access control rules change based on subject behavior.

Answer 18

Concerned with how subjects and objects are created, how subjects are assigned rights or privileges, and how ownership of objects is managed. *Primarily concerned with how a model system controls subjects and objects at a very basic level where other models simply assumed such control.

Answer 19

1. Set of Objects 2. Set of Subjects 3. Set of Rights

Answer 20

Two Parts: 1. Process 2. Domain - Set of constraints controlling how subjects may access objects.

Answer 21

Also called Commands that subjects can execute to have an effect on other subjects or objects. 1. Create Object 2. Create Subject 3. Delete Object 4. Delete Subject 5. Read Access Right 6. Grant Access Right 7. Delete Access Right 8. Transfer Access Right

Answer 22

Very similar to Graham-Denning. Composed of a set of generic rights and a finite set of commands. Also concerned with Situations in which a subject should be restricted from gaining particular privileges.

Answer 23

1. Identify - Process used to allow the access control subject to provide information as to their identity. 2. Authenticate - Set of providing and validating identity within the access control system. 3. Authorize - Process where requests to access a particular resource should be granted or denied based on outcome of the authentication process.

Answer 24

1. User ID - Username and Password 2. PIN - Typically a 4 digit numerical combination created by the user. 3. Account Number - Typically an 8-16 unique numerical sequence assigned to an individual.

Answer 25

Solutions that provide a framework for managing AC Policies by role, interconnection with IT systems, workflows to sign-off

Answer 26

1. Something you know 2. Something you have 3. Something you are

Answer 27

Standard for landing contact readers (Smart Cards)

Answer 28

One time passwords. Could be from a token or hard word.

Answer 29

1. Synchronous - Time is synchronized between the token device and the authentication server. (RSA Token) 2. Asynchronous - Provides a new, one-time password with each use of the token. (SafeWord eToken PASS)

Answer 30

5 Step Process. 1. Authentication server presents a challenge request to subject 2. Subject enters the challenge into token device 3. Token calculates a correct response 4. Subject enters response to the challenge along with a password or PIN 5. Response & Password (or PIN) is verified by the authentication server.

Answer 31

Radio Frequency Identification Wireless, non-contact use of radio electromagnetic fields to transfer data for the purposes of automatically identifying and tracking tags attached to objects.

Answer 32

Crossing Signals. When two or more readers overlap, the tag is unable to respond to simultaneous queries.

Answer 33

Enable RFID tags to take turns in transmitting to a reader.

Answer 34

Technology that measure and analyze human body characteristics (DNA, fingerprints, voice patterns, facial pattern, hand movements)

Answer 35

Since Biometric data cannot be changed, data such as a user's facial characteristics and fingerprints are in the public domain and can be captured without consent or knowledge. Solution? Protocols should be in place to rely on proof of freshness of biometric data and cannot rely on its secrecy.

Answer 36

1. Enrollment | 2. Verification

Answer 37

Think in terms of Biometrics 1. On-Card Matching: User verification carried out via smart card 2. Off-Card Matching: User verification carried out via the system.

Answer 38

Two 1. Behavioral 2. Physiological

Answer 39

signature analysis, voice pattern recognition, and keystroke dynamics

Answer 40

3D analysis of a signature, using both the pressure and form of the signature. Also analyzes the series of movements such as acceleration, rhythm, pressure, and flow.

Answer 41

Creates a database of unique characteristics of the AC Subject's voice. Subject speaks into a microphone and an AC device compares the current voice pattern with the one in the database. * Inexpensive Methodology to implement, but because of high error rate, it is best if used to complement another more accurate technology (Iris Scanning)

Answer 42

-> Biology. As the subject ages, the characteristics of the voice naturally change. Same is true is subject is under stress (during an emergency) -> Inflection - Possible through altering of inflection during given phrase.

Answer 43

AC Subject's Keystrokes as in the Username and Password. Characteristics include but aren't limited to: - Length of time each key is held down Length of time between keystrokes Typing Speed Tendencies to switch between a numeric keypad and keyboard numbers Keystroke tendencies involved in capitalization *Lowest cost authentication mechanism. Cannot be used reliably in a single-factor or two-factor (using passphrase). Needs to be used with two-factor (Iris Scanning) **Provides continuous authentication

Answer 44

Accuracy can be affected by hand injuries, fatigue, arthritis, and even temperature

Answer 45

Fingerprint, Hand, Vascular, Eye, Facial Recognition Technology

Answer 46

Typically requires 7 characteristics or matching points. Human finger contains some 30-40 characteristics or matching points.

Answer 47

Biggest Challenge facing biometric technology, and fingerprint verification in particular, is the ability to carry out performance evaluations unambiguously and reliable. Solution FVC-onGoing, a web based automated evaluation system for fingerprint recognition algorithms.

Answer 48

Web-Based evaluation system, used mainly for fingerprint recognition algorithms. Test are carried out on a set of sequestered datasets, and results are reported online by using well-known performance indicators and metrics. FVC = Fingerprint Verification Competitions

Answer 49

Verification based on key points in Subject's hand. Hand Geometry measures dimensions on hands and fingers. Pros - Provides a proven reliable verification even with difficult environments, simple to operate Cons - Less accurate and requires large and expensive equipment.

Answer 50

'Ultimate Palm Reader' A picture of the veins in a person's hand or finger, including, thickness and location, which are determined to be unique for each Subject.

Answer 51

1. Difficult to Forge - Veins are inside hand, and veins are only registered is blood is flowing through them. 2. Contactless 3. Many and Varied Users - Used for ATMs, hospitals, and Universities in Japan. 4. Capable of 1:1 and 1:many matches

Answer 52

Oldest and most accurate biometric authentication methodologies. There is no known technology that can forge a retina scan. And retina scans on a dead subject will not create the same signature as that of a live one.

Answer 53

Based on scanning the granulatrity of the richly detailed color bands around the pupil. Bands are well defined at birth and change litte over the subject's lifetime. Maps nearly 247 variables.

Answer 54

Iris Scan maps the color bands on the Iris Retina Scan - Maps the blood vessels in the back of the eye.

Answer 55

1. Has proven to fall victim to scanned images | 2. Alcohol New ISO standard requires two images to be compared with an Iris scan.

Answer 56

Uses landmarks on the face, such as cheekbone, tip of nose, and eye socket orientation. Approx 80 separate characteristics, but systems usually measure 14-22.

Answer 57

FALSE REJECTION RATE Failure to recognize a legitimate user. Type 1 Error

Answer 58

FALSE ACCEPTANCE RATE Erroneous Recognition. Type 2 Error

Answer 59

Adjust the failure rates. However, decreasing one will increase the other.

Answer 60

CROSSOVER ERROR RATE The point where the accuracy rate equals the error rate of the other.

Answer 61

1:100,000,000

Answer 62

Specifies a format for the representation of a digitized sign or signature data.

Answer 63

Four 1. Static Password 2. Synchronous Dynamic Password 3. Asynchronous Password 4. Challenge Response

Answer 64

Device contains a password that is physically hidden (not visible to processor) but that is transmitted for each authentication. Vulnerable to replay attacks

Answer 65

A timer is used to rotate through various combinations produced by a cryptographic algorithm. Token and authentication server MUST have synchronized clocks.

Answer 66

A one-time password is generated without the use of a clock.

Answer 67

Using public key cryptography, it is possible to prove possession of a private key without revealing that key. The Authentication server encrypts a challenge with a public key; the device proves it possesses a copy of the matching private key by providing the decrypted challenge.

Answer 68

Typically a type of chip card. Fobs, SIMS used in GSM mobile phones, USB-based tokens are forms of these. Two types: Contact and Contactless Contact must be inserted into a reader. Contactless only requires proximity.

Answer 69

Two less known types of Smart Cards Dual-Interface Single Chip with both contact and non-contact interfaces. Possible to access the same chip using either interface with a high level of security. Hybrid - Has two chips, one with a contact interface, another with a contactless interface.

Answer 70

1. Knowledge based 2. Token based 3. Characteristic based

Answer 71

aka 'Split Knowledge' Built on the principal that ONE person should have access to information that would allow the person to determine the encryption key used to encrypt protected information more quickly than a brute-force attack. Collusion would require two people.

Answer 72

Periodically issues the challenge/response authentication queries with the user's token to determine if the user has physically left the area. Reduces risk that a user would walk away from a device before plugging out.

Answer 73

"Way to authenticate the website/page to the user. BoA adopted this early using PassMark. Example: ""Chose the pictures with the cars in it"""

Answer 74

The service or program where AC information is stored and where access control decisions are made. Once granted, what a user can do is controlled by the authorization matrix/table.

Answer 75

Matrix of AC objects, subjects, and their respective rights. Used in some DAC systems to provide a simple and intuitive UI for the definition of AC rules.

Answer 76

Lightweight Directory Access Protocol Application protocol used for querying and modifying directory services over TCP/IP.

Answer 77

Lightweight Directory Access Protocol Directory Is a logically and heirarchically organized gropu of objects and their respective attributes using LDAP Directory Tree.

Answer 78

Lightweight Directory Access Protocol [Directory] Tree Starts with the domain names at the top of the hierarchy followed by organizational boundaries, then groups followed by users and data, such as groups of documents.

Answer 79

Distinguished Name Part of the Directory Entry Formed by combining it's Relative Distinguished Name (RDN), one or more attributes of the entity itself, and the RDN of the superior entries reaching all the way up tot eh root of the DIT.

Answer 80

(NT Directory Services) Micrsoft Active Directory Domain Services Stores data and information within a central database. Provides things like LDAP, authentication, DNS based naming. Used for assignment of policies because of its many attributes, it is commonly used by separate services to facilitate software distribution with a network.

Answer 81

Single Sign On Primary Purpose is convenience of the user.

Answer 82

1. Single point of failure | 2. Single point of access

Answer 83

Developed at MIT Popular network authentication protocol for indirect (3rd party) authentication services. Provides strong authentication using secret-key cryptography.

Answer 84

It is an operational implementation of key distribution technology and affords a key distribution center, authentication service, and ticket granting service. Hosts, applications, and servers all have to be 'kerberized' to be able to communicate with the user and the ticket granting services

Answer 85

1. Authentication 2. Authorization 3. Confidentiality 4. Integrity 5. Nonrepudiation

Answer 86

Determines exactly who sent or received a message.

Answer 87

UDP: 53/88 TCP: 53/88

Answer 88

1. Internet 2. Intranet 3. extranet 4. DMZ

Answer 89

Demilitarized Zone Computer host or small network inserted in a 'neutral zone' between a companies private network and the outside public network. Prevents outside threats from having direct access to company data.

Answer 90

Intranet - Network based on TCP/IP and belonging to an organization, accessible only by the organization's members, employees, or other with authorization. Extranet - Network that allows controlled access from outside for specific business or educational purposes.

Answer 91

Series of trust relationships that authentication requests must follow between domains.

Answer 92

Unidirectional authentication path that is created between two domains. A trust B, so A can get to B, but B cannot get to A

Answer 93

Authentication requests between two domains in both directions. A trust B, and B trust A.

Answer 94

Determines whether a trust can be extended outside the two domains between which the trust was formed. Transitive Trust - Extend Trust Relationship Non-Transitive Trust - Deny Trust Relationships with other domains.

Answer 95

1. Authorization - Determines whether a user is permiteed to access desired resource. 2. Proofing - Verify's peoples identity before enterprise issues them accounts and credentials. 3. Provisioning - Automation of all procedures and tools to manage the lifecycle of an identity. 4. Maintenance - User management, password management, role/group management 5. Entitlement - Set of rules, defined by resource owner, for managing access to a resource, and for what purpose.

Answer 96

Generalized Framework AC by Adams and LaPadula RSBAC is based on this.

Answer 97

Internet Small Computer Systems Interface Transport Layer Protocol that works on top of TCP.

Answer 98

Kerberos SRP SPKM1/2 CHAP

Answer 99

SECURE REMOTE PASSWORD Secure password-based authentication and key-exchange protocol.

Answer 100

Simple Public-Key Mechanism Provides authentication, key establishment, data integrity, and dta confidentiality in an online distributed application enviroment using a public-key infastructure.

Answer 101

Challenge Handshake Authentication Protocol Used to periodically verify the identity of the peer using a three-way handshake.

Answer 102

1. AC Subject cannot request services from an AC Object that has a higher integrity level 2. AC Subject cannot modify an AC Object that has a higher integrity level 3. AC Subject cannot access an AC Object that has a lower integrity level

Answer 103

Anti-collision protocols for RFID tags to take turns in transmitting to a reader.

Answer 104

Voice pattern Keystroke dynamics Signature dynamics

Answer 105

FRR - Fales Reject Rate

Answer 106

FAR - False Acceptance Rate

Answer 107

VP - Identifies and Records a number of Data Points based on patterns. SR - Identifies Word sounds and matches the sounds to a prerecorded profile.

Answer 108

Control Physical and logical access to information, systems, devices, and facilities.