Domain 5 Flashcards
__ access control assigns users to groups based on their organizational functions.
RBAC (Role-based Access Control)
__ aka __ is the percentage at which false rejection and false acceptance are equal. The lower this number, the more accurate the biometric device.
CER (Crossover Error Rate) aka EER (Equal Error Rate)
__ identification is checking to see if you’re in a general category of people e.g. 21 or above for alcohol at a liquor store.
Negative
__ identification is claiming to be a specific entity and matching up against that entity e.g. Eric boarding a flight.
Positive
__ is a laser scan of blood vessels in the eye and may be seen as intrusive since you need to press up against sensor and it can provide information concerning illness.
Retina pattern. ‘R’ is red, blood is red
__ is a passive scan of the eye. It is non-intrusive and can be scanned within a few feet.
Iris scan
__ is a trusted third-party scheme that uses tickets to allow a user to log on to a system once and use any available services without re-authenticating to many different servers.
Kerberos
__ is an authentication type that is accomplished through some form of token and is more expensive to implement since each user needs a token.
Something you have e.g. token, access card, cookie, magic stones. Could be stolen by an adversary.
__ is an easy type of authentication to implement however it’s also easy for an attacker to guess e.g. a password / PIN.
Something you know
__ is an SSO authentication protocol invented at MIT.
Kerberos
__ is based on what object the subject is trying to access and the events preceding the access attempt e.g. a user might be limited to 100 connections a day, after 100 she will be denied access. Or there is a quota where the user can access the resource as long as her data limit is not exceeded.
Content-Dependent Access Control aka Context-based Access Control
__ is SSO that uses symmetric and asymmetric encryption.
SESAME (Secure European System for Applications in a Multi-Vendor Environment)
__ is SSO for the cloud, sometimes also called __.
IDaaS (Identity as a Service), Cloud Identity e.g. Microsoft account, formerly Windows Live ID
__ is the fluctuations in one’s voice that can uniquely identify the person.
Voice print
__ is the part of IAAA that is least privilege, then there is __ when there is too much access for one person, then there is __ to prevent collusion since people become friends over time.
authorization, separation of duties, rotation of duties
__ looks at the lines/shapes/depths/widths to come up with a geometric representation.
Hand geometry
__ rate is the percentage of authentic persons rejected as unidentified/unverified. It is a Type __ error.
FRR (False Reject Rate), Type 1 error. It’s when a legitimate user is not allowed in. Just upsetting a legit user so think Type I is less than Type II (FAR)
__ rate is the percentage of unenrolled persons/impostors accepted as authentic.
FAR (False Accept Rate), Type 2 error. It’s allowing someone in who shouldn’t be allowed in so think Type II is worse than Type 1 (FRR)
__ targets actions based on rules for subjects operating on objects.
RSBAC (Rule Set-Based Access Control)
A __ access control system where an administrator or data owner decides whether a user should have access to an object.
DAC (Discretionary Access Control)
A __ attack on passwords will always work, it is just a matter of time.
Brute force
A __ can be better than a password since it makes it easy for the user to remember but difficult for the adversary.
Passphrase
A __ is a central trusted credential source for SSO. An example is LDAP.
Directory Service, LDAP (Lightweight Directory Access Protocol)
A __ is a random number that is hashed along with the password. This makes rainbow tables impractical.
salt
A __ is always running to make sure a subject’s clearance is equal to or greater than the object’s classification.
reference monitor
A __ is when an owner authenticates himself to the token, then the token authenticates the owner to an information system e.g. having a USB stick in a computer to allow it to boot up.
Static Password Token
A __ offers reasonable tradeoff between complexity and length, offering less entropy per character but more overall entropy due to length.
Passphrase
A __ token uses different challenges so responses are different and won’t be subject to a replay attack.
Challenge-Response Token
A normal password with or without an expiration time that is user-picked or system-generated, and is reusable.
Static password
A one-time password or __ password is ideal but also not scalable.
Dynamic (one time) password
Acceptable throughput rate is __ users per minute or __ seconds per subject.
10 users per minute, 6-10 seconds per subject
Account administration is sometimes also known as the __.
onboarding process
AD uses __ as the primary method of authentication.
Kerberos
An access control system that is not based on labels or at the discretion of an individual is __. A central authority determines the access.
Non-Discretionary Access Control is not based on labels (MAC) or discretion of individual (DAC) e.g. role-based, task-based
Draw ACM (‘Access Control Matrix - Drawing 4G’) aka capability table
e.g. objects across top, subjects down left side; R/W/RW in the cells where they meet. Difficult to scale
Draw out how Kerberos works
Refer to ‘Kerberos 1 - Quiz 5 Q40’ and ‘Kerberos 2 - D5 pg 40’
Examples of this form of authentication are: If you are in a government building you can decrypt data, otherwise you cannot; a bank may check your IP and make you register each time it changes; blocking IP address based on country.
Some place you are
Federated IdM standard that is a consumer-oriented integration.
OpenID, comprised of IdP (Identity Providers, which are sources of identity info), RP (Relying Parties, sites that can use identity info from the IdP), Redirect URL (provided by the IdP, informing the RP that the subject has been successfully authenticated)
Federated IdM standard that is an enterprise-oriented integration.
SAML (Security Assertions Markup Language). Allowing your users to log in with their Facebook account. Comprised of SP (Service Provider, apps that can leverage identity/auth assertions from the IdP), IdP (Identity Provider, origin of identity that creates assertions accepted by the SP), Assertion Consumer Service (hosted by the SP and is where the IdP will send assertions)
Fingerprints look at __ on the finger tip.
minutiae
Palm scans look at __ on the hand.
minutiae
For Kerberos every time you communicate with a new entity you have a new __ and at any given time only __ parties know the key which is how you do mutual authentication.
key pair, 2 parties; one person accessing one server uses 6 different keys
For the CIA triad, Kerberos addresses __ and __ but not __.
Confidentiality, Integrity but not Availability since there’s only one KDC (single point of failure) which has the secret keys for every entity on the network.
How often should a user change their password?
Before the time it takes an adversary to break it.
Ideally passwords would be managed using an individual password manager or centrally managed via SSO (implemented at corporate level)?
Centrally managed
If a generated password falls out of sync, this means you are likely using a __ password token.
Asynchronous Dynamic Password Token
If a system will only allow open enrollment for medical care during a certain period of time what type of access control is this?
Temporal (time-based) Isolation which falls under Non-Discretionary Access Control
If security is inserted directly into the protocol stack it would be the __ layer(s).
Presentation Layer 6
If Word runs as a process and reads a configuration file, what are the subject and object?
Word is the subject, config file is the object
If you are using SSO from an untrusted network such as the internet or a high-risk area you must always use __.
Two factor authentication. Otherwise someone can get access to everything in your environment
In access control model terminology the __ are the filters such as Read, Write and Execute for Unix. __ are another set of rules with respect to sensitivity.
rules, sensitivity
In access control model terminology the __ is the active entity (user, process or device) and the __ is the passive entity acted upon (files, directories, pipes, devices, sockets, ports).
subject, object
In biometric access control, __ is how long it takes to add a new user. The standard is __ seconds per person.
Enrollment time, 2 min or 120 sec
In biometrics, the __ is the recommended intrusive method. The __ is the recommended non-intrusive method.
fingerprint, iris
In Kerberos if you have 100 users and 30 servers, how many keys do you have?
130 because you have a key for every entity
In Kerberos, __ is used for authentication and __ is for authorization.
KDC (Key Distribution Center), TGS (Ticket Granting Server)
In MAC, applying a label to a subject is called a __. Applying a label to an object is called a __.
clearance, classification
In RBAC, __ is where users are granted access via ACLs. __ is where user access is mapped to applications. __ is where a user is assigned a role which is assigned access to applications or systems. __ is access controlled by roles and applied to applications and systems. It is determined on job function not application or system.
Non-RBAC, Limited RBAC, Hybrid RBAC, Full RBAC
In the process of employee termination, which access management activity most effectively controls access?
account revocation
In the __ access control model every subject and object gets a label and any time the subject tries to access the objects, the __ checks access and either approves or denies it.
MAC (Mandatory Access Control), Reference Monitor
It is critical that the screensaver locks the screen within __ minutes and does an automatic logoff within __ minutes.
5 min, 10 min. Can also have a physical card strapped to the person like a server at a restaurant.
Kerberos uses tickets, SESAME uses __.
PACs (Privileged Attribute Certificate)
__ is SSO that uses symmetric encryption for mutual authentication.
Kerberos
Revocation in terms of the access provisioning lifecycle is sometimes known as the __.
Offboarding process. It includes the removal of access when necessary.
SSO across multiple organizations e.g. logging in with Facebook credentials to other sites is called __.
Federated IdM (Identity Management)
The most trusted entity in Kerberos is the __.
KDC (Key Distribution Center)
The type of access control standard in most systems is __.
DAC (Discretionary Access Control)
This type of authentication does not change and can cause privacy concerns.
Something you are. Implemented through biometrics.
To catch advanced attacks you look for a __ such as a zero day attack.
Anomaly since it is unknown
To catch traditional attacks you look for a __ which is a pattern of activity for known attacks.
Signature
Two factor authentication is always better than single factor authentication. True or False
False. Two factor is only better if there is an overlapping element e.g. something you have and know is better than just something you have. However biometrics may be better than something you have and know. It depends on the question e.g. if there is a requirement to use a physical attribute choose something you are.
Using a __, a password is only generated when you’re ready to authenticate e.g. Symantec VIP.
Asynchronous Dynamic Password Token
What attribute of the Kerberos authentication process makes it so strong?
Mutual authentication
What is one of the best methods for maintaining access?
put expiration dates on it like you would a license, credit card, passport
What is the most critical criteria in making a decision?
COST since executive will always ask HOW MUCH and if you can’t afford it, it’s not worth looking at anything else. Reliability and user friendliness are secondary components.
What type of token generates a new, unique token code at fixed time intervals?
Synchronous Dynamic Password Token. Synchronous means ‘same time’
With a __, your token and server are synchronized so every 60 seconds the passwords are generated whether you’re using it or not e.g. Google Authenticator
Synchronous Dynamic Password Token. Synchronous means ‘same time’
You can only submit your time card after 3pm on Friday. This is a type of __.
Temporal (time-based) Isolation which falls under Non-Discretionary Access Control
A type of system where all objects are secret and all subjects are secret would be a __ system. What type of access control is typically used here?
Dedicated system (dedicated to a single classification), DAC is typically used here because if someone inadvertently gives access to someone you shouldn’t, it’s low risk since all files and users are at the same level.
Type of computer system where objects are at different levels but subjects are at the highest level. Which access control method is typically used here?
System high (e.g. data is at unclassified, confidential, secret; all users accessing the system are at secret). DAC is typically used here since if someone inadvertently gives the wrong access to a user, the user still has the proper clearance so low risk.
A __ environment is where there are different levels of data and different levels of users that can access the system (e.g. unclassified, secret, top secret data and users with unclassified, secret, top secret clearance). What type of access control should be used here?
MLS (multi-level secure system), must use MAC here to ensure the right clearance accesses the right classification. You cannot use DAC since if someone makes a mistake there would be a breach of security e.g. secret user accessing top secret content.
Something you do is a subcategory of __.
Something you are (biometrics). Something you do would be signing your name or typing text on your keyboard.