Domain 1 Questions

Question 1

WHAT IS acess subject object

Answer 1

Access is the flow of information between a subject and an object. A subject is an active entity that requests access to an object or the data within an object. A subject can be a user, program, or process that accesses an object to accomplish a task. When a program accesses a file, the program is the subject and the file is the object. An object is a passive entity that contains information. An object can be a computer, database, file, computer program, directory, or field contained in a table within a database. When you look up information in a database, you are the active subject and the database is the passive object. Figure 4-1 illustrates subjects and objects.

Question 2

what is first step in security

Answer 2

So, the first step in protecting data’s confidentiality is to identify which information is sensitive and to what degree, and then implement security mechanisms to protect it properly.

Question 3

what is identification

Answer 3

Identification describes a method of ensuring that a subject (user, program, or process) is the entity it claims to be. Identifica-tion can be provided with the use of a username or account number

Question 4

how are you authorized

Answer 4

To be properly authenticated, the subject is usually required to provide a second piece to the credential set. This piece could be a password, passphrase, cryptographic key, personal identifica-tion number (PIN), anatomical attribute, or token

Question 5

what is a race condition

Answer 5

exploit. A race condition occurs when two or more processes use the same resource and the se-quences of steps within the software can be carried out in an improper order, something which can drastically affect the output. So, an attacker can force the authorization step to take place before the authentication step and gain unau-thorized access to a resource.

Question 6

what are the 4 steps for an object to acces an object

Answer 6

identification,authent,authorize,account

Question 7

what are logical access controls

Answer 7

Logical access controls are tools used for identification, authentication, authorization, and accountability. They are software components that enforce access control measures for systems, programs, processes, and information. The logical access controls can be embedded within operating systems, applications, add-on security packages, or data-base and telecommunication management systems. It can be challenging to synchro-nize all access controls and ensure all vulnerabilities are covered without producing overlaps of functionality.

Question 8

Name the 2 steps of authentication

Answer 8

An individual’s identity must be verified during the authentication process. Authen-tication usually involves a two-step process: entering public information (a username, employee number, account number, or department ID), and then entering private in-formation (a static password, smart token, cognitive password, one-time password, PIN, or digital signature)

Question 9

What is a cognitive password

Answer 9

NOTE A cognitive password is based on a user’s opinion or life experience. The password could be a mother’s maiden name, a favorite color, or a dog’s name.

Question 10

What is verification 1:1

Answer 10

measurement of an identity against a single claimed id

Question 11

Give example of verification 1:n

Answer 11

fingerprints - you find one and comapre it to a database of many

Question 12

what is the least expensive authentication

Answer 12

something you know is least expensive to implement - but another person may acquire what you know

Question 13

what si calssified as strong authentication?

Answer 13

using 2 out of the 3 methods - something you have, something you know, something you is

Question 14

what type of system provides what a person is?

Answer 14

biometrics

Question 15

what is two factor authentication

Answer 15

it is the same as strong authentication using 2 our of the 3 methods

Question 16

when creating secure identities what 3 key aspects should be included

Answer 16

uniqueness, non descriptive, issuance

Question 17

what is uniqueness and why is it important

Answer 17

identifiers that are specific to an individual and it is important for accountability

Question 18

what is non descriptive

Answer 18

accounts should be non descriptive - they should not include the purpose of the account - no CEO, Backup Operator, etc. The naming scheme chould also be standard

Question 19

what is issueance

Answer 19

elements provided by another authority as a means to prove identitiy - id cards

Question 20

what is identity management

Answer 20

broad term emcompasses different products to identify automate and

Question 21

name some IDM technologies

Answer 21

directories - web access management - password management - legacy single sign on -

Question 22

directories that pertain to a networks resources and users are usually built on

Answer 22

x.5 standard and a protocol like lightweight directory access protocol LDAP

Question 23

objects in a directory are managed by a

Answer 23

directory service - allows the admin to configure and manage how ident, authorize,access take place

Question 24

Walk through the log in process on a windows box

Answer 24

log into a domain controller, which has a database called active directory which organizes the network and carries out user access control functionality

Question 25

what is the difference between SSO and password sync

Answer 25

SSO software intercepts login prompts from network systems and fills in the necessary info (username and passowrd) Password Sync - lets the user have one password between multiple systems

Question 26

What is provisioning?

Answer 26

User provisioning is the creation, maint, and deactiv of user objects and attributes

Question 27

what is the system of HR reffered to when provisioning?

Answer 27

authoritative source

Question 28

what are the 3 factors for authentication

Answer 28

shomething you have, something you know, something you are

Question 29

what are subjects

Answer 29

users, programs and process

Question 30

what is identification

Answer 30

a method to ensure that a subject is the entity that it claims to be - identification is the username and account

Question 31

if identification is the subjects username and or account what is authentication

Answer 31

the password, token , key, pin

Question 32

what is a federated identity

Answer 32

portable identitiy and its entitlements to be used across business bounderies

Question 33

what is spml

Answer 33

service provisioning markup language - allows company interfaces to pass service requests and allow access to the services

Question 34

the company that send the authorization of data is

Answer 34

producer of assertations the receiver is the consumer of assertations

Question 35

name a behavioral biometric

Answer 35

signing a signature - physiological is what you are - behavioral is what you do.

Question 36

what is sesame

Answer 36

ticket based system built by european computer mfg assoc - weaknessbasis authentication on small part of msg, key is not very random

Question 37

what is kyrpto knight

Answer 37

created by ibm it is ticket service - it is compact and flexible unlike kerbos it does not require clock sync

Question 38

kerbos krypto knight and sesame are all

Answer 38

ticket based technologies based on sso

Question 39

namme the two general cats of access control

Answer 39

centralized and decentralized

Question 40

nname 4 centralized access contl protocooals

Answer 40

LDAP,RAS, PAP,CHAP, EAP,RADIUS,TACACS

Question 41

what doees LDAP sttannd for

Answer 41

lightweight directory access protocol -

Question 42

What is RAS

Answer 42

Remote Access Serverices Protocol utilize POINT to POINT protocol to encapsulate packets and establish dialin connections over seriel links

Question 43

RAS uses PPP ther are 3 flaovors of PPP what are they?

Answer 43

PAP - Password Authentication Protocol--(a 2 way handshake to authenticate a peeer on a server TRANSMITS PASSWORDS in CLEAR ttext

Question 44

RAS - PPP - # flavors of PPP - 1 is PAP what are other 2

Answer 44

CHAP Challenge Handshake Authentication Protocol a 3 way handshake - peer and server have shared secret key in plain text preconfig and storred

Question 45

What dos MS chap allow you to do

Answer 45

allows the shared secret to be stored in encrypted form

Question 46

EAP

Answer 46

Extensible Authentication Protocol - flexibility to PPP authentication by implementing variouss authentication mechanisms (Wireless Networks use EAP)

Question 47

RADIUS - what is it

Answer 47

centralize access control protocol remote authentication dail in user service- open source client server

Question 48

Why is RADIUS faster protocol ?

Answer 48

It uses UDP packets for transport - it is fast but not as reliable

Question 49

Where s radius usually deployed

Answer 49

ISPs and corporate remote access services and VPNs

Question 50

What one was originally buit for militry

Answer 50

TACACAS

Question 51

Whhat type of access control systems are used by large distributed corps

Answer 51

decentralized access cntrol systems

Question 52

giive some examples of decenntralizeed accceess control systtems

Answer 52

multiple domains and trauststypically a large company

Question 53

what is a domain?

Answer 53

collection of users computers and resources that have a common security policy and administration

Question 54

Name the 2 general categories of access control

Answer 54

system access and data access`

Question 55

what is the difference between synchronos and asynchronos tokens

Answer 55

synchronous - continuously generated

Question 57

name 2 centralized access control models that support tokens

Answer 57

RADIUS and Terminal ACCESS Controller ACCESS Control SYSTEMS

Question 58

What is discretionary access control

Answer 58

access policy is determined by the owner of the policy

Question 59

what are the 3 basic types of permissions

Answer 59

read, write, execute

Question 60

under discretionary access control what is an acl

Answer 60

access control list - rights and persmissions are set to a given subject

Question 61

is role based a discretionary access control?

Answer 61

yes

Question 62

name some of the drawbacks of discretionary access controls using ACL or role based

Answer 62

lack of centralization, depend on security concious owners

Question 63

what determines the access policy in madatory access control

Answer 63

the system - all subjects and objects have labels

Question 64

in order to access an object under the MAC with lables you must have a sensitivity rating --- or --- than the requested object

Answer 64

higher or equal to

Question 65

Rule based access control is a type of

Answer 65

MAC

Question 66

what is a lattice based access control

Answer 66

math model structure that defines greates lower and least upp values for a pair of elements

Question 67

Name the 2 baic categories of access control models

Answer 67

data access and system access

Question 68

what is the bell la padula

Answer 68

only addresses confidentiality

Question 69

what are the 2 basic features of bel la padula No __ __ and NO __ __

Answer 69

No Read UP and No Write Down

Question 70

What is BIBA

Answer 70

Biba is integrity mnodel it is bell la padula upside down

Question 71

so what are the rules with Biba

Answer 71

it is a lattice security model - no read down and no write up

Question 72

what is clark wilson

Answer 72

data cannot be directly accessed by the user - instead it is accessed by the application

Question 73

list ways passwords get compromised

Answer 73

_ Access the password file Usually done on the authentication server. The password file contains many users' passwords and, if compromised, can be the source of a lot of damage. This file should be protected with access control mechanisms and encryption

Question 74

Brute Force

Answer 74

._ Brute force attacks Performed with tools that cycle through many possible character, number, and symbol combinations to uncover a password.

Question 75

Dictionary Attack

Answer 75

_ Dictionary attacks Files of thousands of words are compared to the user's password until a match is found

Question 76

Social Engineering

Answer 76

_ Social engineering An attacker falsely convinces an individual that she has the necessary authorization to access specific resources.

Question 77

Rainbow table

Answer 77

_ Rainbow table An attacker uses a table that contains all possible passwords already in a hash format.

Question 78

what is a salt

Answer 78

alts are random values added to the encryption process to add more complexity. The more randomness entered into the encryption process, the harder it is for the bad guy to decrypt and uncover your password. The use of a salt means that the same password can be encrypted into sev-eral thousand different formats. This makes it much more difficult for an attacker to uncover the right format for your system.

Question 79

What is a cognitive password

Answer 79

Cognitive passwords are fact- or opinion-based information used to verify an individ-ual's identity. A user is enrolled by answering several questions based on her life experi-ences. Passwords can be hard for people to remember, but that same person will not likely forget her

Question 80

what is a otp

Answer 80

One-time password generating tokens come in two gen-eral types: synchronous and asynchronous. The token device is the most common implementation mechanism for OTP and generates the one-time password for the user to submit to an authentication server. The following sections explain these concepts.

Question 81

What is a synchronos token device?

Answer 81

Synchronous A synchronous token device synchronizes with the authentication ser-vice by using time or a counter as the core piece of the authentication process. If the synchronization is time-based, the token device and the authentication service must hold the same time within their internal clocks.

Question 82

What is asynchronos

Answer 82

In this situation, the authentication server sends the user a challenge, a random value also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value the user uses as a one-time password. The user sends this value, along with a username, to the authentication server.

Question 83

what is a passphrase

Answer 83

A passphrase is a sequence of characters that is longer than a password (thus a "phrase") and, in some cases, takes the place of a password during an authentication process. The user enters this phrase into an application and the application transforms the value into a virtual password, making the passphrase the length and format that is required by the application

Question 84

What is the difference between a smart card and memeory card

Answer 84

A smart card has the capability of processing information because it has a micro-processor and integrated circuits incorporated into the card itself. Memory cards do not have this type of hardware and lack this type of functionality. The only function they can perform is simple storage.

Question 85

What are t he attributes of a contactless smart card

Answer 85

The contactless smart card has an antenna wire that surrounds the perimeter of the card. When this card comes within an electromag-netic field of the reader, the antenna within the card generates enough energy to power the internal chip.

Question 86

Name the 2 types of contactless smartcards

Answer 86

wo types of contactless smart cards are available: hybrid and combi. The hybrid card has two chips, with the capability of utilizing both the contact and contactless formats. A combi card has one microprocessor chip that can communicate to contact or contactless readers.

Question 87

What is Kerberos

Answer 87

Kerberos is an example of a single sign-on system for distributed environments, and is a de facto standard for heterogeneous networks.

Question 88

What type of access control is Role Based

Answer 88

A role-based access control (RBAC) model, also called nondiscretionary access con-trol, uses a centrally administrated set of controls to determine how subjects and ob-jects interact. This type of model lets access to resources be based on the role the user

Question 89

What is an access control matrix

Answer 89

individual subjects can take upon individual objects. Matrices are data structures that programmers implement as table lookups that will be used and enforced by the operat-ing system.

Question 90

What is a capability table

Answer 90

A capability table specifies the access rights a certain subject possesses pertaining to specific objects. A capability table is different from an ACL because the subject is bound to the capability table, whereas the object is bound to the ACL

Question 91

What is the differnece between ACl and ACM

Answer 91

ACLs map values from the access control matrix to the object. Whereas a capability corresponds to a row in the access control matrix, the ACL corresponds to a column of the matrix.

Question 92

What are the 2 administration methods of access control

Answer 92

centralized and decentralized

Question 93

Radius is a remote centralized access control system - what does it do

Answer 93

Remote Authentication Dial-In User Service (RADIUS) is a network protocol and provides client/server authentication and authorization, and audits remote users.

Question 94

How does RADIUS work

Answer 94

The access server requests the remote user's logon credentials and passes them back to a RADIUS server, which houses the user-names and password values. The remote user is a client to the access server, and the access server is a client to the RADIUS server.

Question 95

Use ISP example to explain Radius (pg222)

Answer 95

The access server and customer's software negotiate, through a handshake procedure, and agree upon an authentication protocol (PAP, CHAP, or EAP). The customer provides to the access server a username and password. This communica-tion takes place over a PPP connection. The access server and RADIUS server commu-nicate over the RADIUS protocol. Once the authentication is completed properly, the customer's system is given an IP address and connection parameters, and is allowed access to the Internet. The access server notifies the RADIUS server when the session starts and stops, for billing purposes.

Question 96

Explain the differences between TACAS+ and RADIUS

Answer 96

TACAS+ uses TCP as its transport and Radius uses UDP

Question 97

Another difference

Answer 97

Radius only encrypts the password - the username and authority are clear text - TACAS + encrypts all

Question 98

What are easier to tamper with Smartcards or memory cards?

Answer 98

memory cards

Question 99

What ISO are smartcards standardized under

Answer 99

ISO 14443

Question 100

What does tempest deal with

Answer 100

how to develop countermeasures to control signals emitted by equipment - it surpresses signals

Question 101

what is a networked based IDS

Answer 101

uses sensors installed on host computers or appliances with a nic in promiscuous mode

Question 102

what is a host based IDS

Answer 102

installed on workstations or servers usually used to make sure users do not delet system files

Question 103

what is the big difference between HIDS and NIDS

Answer 103

NIDS - look at network traffic 0 HIDS looks at the computer itself

Question 104

name the 2 types of hids and nids

Answer 104

signature based and anomaly based

Question 105

what is more popular signature or anomoly

Answer 105

signature

Question 106

what is the problem with signature

Answer 106

you need updates so it is weak against new threats

Question 107

what is a state in ids

Answer 107

a snapshot of the systems values in a volatile semiperm and perm memory locations

Question 108

what type of an ids is a stat anomoly based system

Answer 108

behavior based - they learn a profile

Question 109

what is the benefit of a stat anomoly

Answer 109

it recognizes new attackes

Question 110

what is a draw back of a stat based

Answer 110

false positives