Domain 5! Flashcards
All cards done 10/15/18
What are the 3 types of authentication factors? (in order from 1 to 3)
1) Something you KNOW (a password)
2) Something you HAVE (a Token)
3) Something you ARE/DO (biometrics)
What are some examples of Type 3 (biometrics) authentication factors that are considered “something you ARE”? (there are 6)
1) Fingerprints
2) Face Scan
3) Retina Scan
4) Iris Scan
5) Palm Scan
6) Hand Geometry
What is a Biometrics Type 1 Error?
Type 1 Error is a False Negative. This occurs when a valid subject is not authenticated.
What is a Biometrics Type 2 Error?
Type 2 Error is a FALSE POSITIVE. This occurs when an invalid subject is authenticated.
What are some examples of Type 3 (biometrics) authentication factors that are considered “something you DO”? (there are 4)
1) Heart/Pulse Patterns
2) Voice Pattern Recognition
3) Signature Dynamics
4) Keystroke Patterns
What is a False Acceptance Rate (FAR)?
FAR is the ratio of Type 2 Errors to valid authentications.
What is a False Rejection Rate (FRR)?
FRR is the ratio of Type 1 Errors to valid authentications.
What is a Crossover/Equal Error Rate (CER/EER)?
CER/EER is used to compare the overall quality of biometric devices.
What is Centralized Access Control?
Centralized Access Control is when all authorization verification is performed by a single entity within a system.
What is Decentralized Access Control?
Decentralized Access Control is when various entities located throughout the system perform authorization verification.
Name a few SSO Mechanisms (name 3).
LDAP, PKI, and Kerberos
How should you think of LDAP as an SSO Mechanism?
Think of LDAP as a telephone directory for network services and assets.
Describe PKI as an SSO Mechanism.
PKI uses LDAP when integrating digital certificates into transmissions.
Describe Kerberos as an SSO Mechanism.
Kerberos is the most common/well-known ticket system. Ticket authentication employs a third-party entity to prove identification and provide authentication.
What does Kerberos provide regarding CIA?
Kerberos provides Confidentiality & Integrity.
What 2 attacks does Kerberos help prevent?
Kerberos helps prevent Replay & Eavesdropping attacks.
Name the 4 Kerberos Elements.
1) Key Distribution Center (KDC)
2) Kerberos Authentication Server
3) Ticket-Granting Ticket
4) Ticket
Describe Kerberos’ Key Distribution Center.
The KDC is the trusted third party that provides authentication services.
Describe the Kerberos Authentication Server.
The Kerberos Authentication Server hosts the functions of the KDC.
Describe the Kerberos Ticket-Granting Ticket.
The Ticket-Granting Ticket provides proof that a subject has authenticated through KDC and is authorized access.
Describe the Kerberos Ticket.
The Ticket is an encrypted message that provides proof that a subject is authorized to access an object.
What is Implicit Deny?
Implicit Deny is an Authorization Mechanism: when access to an object hasn’t been explicitly granted, access is (implicitly) denied.
What is a Permission?
A Permission is the access granted for an object and determines what you can do with it.
What is a Right?
A Right refers to the ability to take an action on an object.
What is a Privilege?
A Privilege is a combination of rights and permissions.
What Authorization Mechanism consults a table that consists of subjects, objects, and assigned privileges?
An Access Control Matrix
What Authorization Mechanism is subject focused and identifies privileges assigned to subjects?
Capability Tables
What Authorization Mechanism is object focused and identifies all of the users that are authorized access to specific objects?
An Access Control List (ACL)
What Authorization Mechanism consists of applications that use constrained/restricted interfaces to restrict what users can do or see based on their privilege?
Constrained Interface
What Authorization Mechanism restricts access to data based on the content within an object? Ex: a database view
Content-Dependent Control
What Authorization Mechanism requires specific activity before granting users access? Ex: users must put item in cart before making purchase.
Context-Dependent Control
What strategy uses multiple layers or levels of access controls to provide layered security such as physical, administrative, and technical/logical controls? Organizations implement access controls using this strategy.
Defense-In-Depth
Which Access Control model has owners, creators, or custodians that control the access to objects? *It also uses ACLs, which makes it more flexible.
Discretionary Access Controls (DAC)
Which Access Control model is centrally managed; meaning, it has administrators controlling access to objects?
Nondiscretionary Access Controls (Non-DAC). Central management makes it easy to manage.
What Access Control Model is based on a subject’s role or task assignment?
Role-Based Access Control
What Access Control Model enforces Least-Privilege by preventing Privilege Creep?
Role-Based Access Control
What Access Control Model uses a set of rules to determine what can and cannot occur on a system? Ex: a firewall
Rule-Based Access Control
What Access Control Model uses policies that include multiple attributes for rules? Hint: this model is an advanced implementation of Rule-BAC.
ABAC; Attribute-based Access Control
What Access Control Model relies on the use of classification labels for all subjects and objects to determine access?
MAC; Mandatory Access Controls
What are the three MAC Model Environments?
1) Hierarchical
2) Compartmentalized
3) Hybrid
What Access Control model enforces NTK?
MAC
Which Access Control model is more scalable or flexible because it uses multiple ACLs to assign permissions?
a) DAC
b) MAC
DAC is more scalable/flexible because it’s managed by custodians that customize permissions for each subject.
Which Access Control model is more secure?
a) DAC
b) MAC
MAC
What MAC Model Environment relates various classification labels in order from low to high security?
a) Hierarchical
b) Compartmentalized
c) Hybrid
Hierarchical
In which MAC Model Environment does each security domain represent a separate isolated compartment where there is no relationship between one domain and another?
a) Hierarchical
b) Compartmentalized
c) Hybrid
Compartmentalized
Which MAC Model Environment combines both hierarchical and compartmentalized so that each hierarchical level may contain numerous subdivisions that are isolated from the rest of the domain?
a) Hierarchical
b) Compartmentalized
c) Hybrid
Hybrid
What are the 3 steps early in the risk management process that help to understand attacks that may occur?
1) Identify Assets
2) Identify Threats
3) Identify Vulnerabilities
What is it called when asset value is identified in order to prioritize the asset?
Asset Valuation
What is Threat Modeling?
Threat Modeling is the process of identifying, understanding and categorizing potential threats.
What are the 3 Threat Modeling approaches?
1) Asset Focused - identifies threats to assets
2) Attacker Focused - identifies potential attackers & the threats they pose
3) Software Focused - identifies potential threats to software the org develops
What attack collects non-sensitive information and combines (aggregating) it to learn sensitive info?
Access Aggregation Attack
What is considered a Strong Password?
8-character minimum with a combination of at least 3 of the below: • Uppercase • Lowercase • Numbers • Special Characters
What attack attempts to discover a password by using every possible password in a predefined database or list of common or expected passwords?
Dictionary Attack
What attack systematically attempts all possible combinations of letters, numbers, and symbols?
Brute-Force Attack
What attack attempts a dictionary attack and then performs a type of brute-force attack with a one-upped constructed password?
Hybrid-Attack
What attack focuses on finding collisions?
Birthday Attack
What can reduce the success rate of Birthday Attacks?
Salts & Hashing algorithms
In which attack does the attacker guess a password, hash it, and then put both the guessed password and the hash into a rainbow table?
Rainbow Table Attack
What is a Rainbow Table?
A Rainbow Table is a large database of pre-computed hashes.
In which attack does an attacker use a sniffer to capture information transmitted over a network?
Sniffer Attack
In which attack does an attacker pretend to be someone or something else?
Spoofing Attack
What attack tricks users into giving up sensitive information, opening an attachment, or clicking a link?
Phishing Attack
What attack is a phishing variant that targets a specific group of users?
Spear Phishing
What attack is a phishing variant that targets senior executives within a company?
Whaling
What attack is a phishing variant that uses VoIP or the phone system (automated calls)?
Vishing