Domain 5 Flashcards

1
Q

Identification

A

Subjects claim an identity, and identification can be as simple as a username for a user.

2
Q

Authentication

A

Subjects prove their identity by providing
authentication credentials such as the
matching password for a username.

3
Q

Authorization

A

After authenticating subjects, systems
authorize access to objects based on their
proven identity.

4
Q

Accountability

A

Auditing logs and audit trails record events including the identity of the subject that performed an action.

identification + authentication + auditing = ACCOUNTABILITY

5
Q

Primary Authentication Factors

A

Something you know (PIN or password): Type 1
Something you have (trusted): Type 2
Something you are (biometric): Type 3

6
Q

Multifactor Authentication

A

Includes two or more authentication factors.

More secure than using a single authentication factor.

  • Passwords are the weakest form of authentication; password policies help increase their security by enforcing complexity and history requirements.
  • Smartcards include microprocessors and cryptographic certificates.
  • Tokens create one-time passwords.
  • Biometric methods identify users based on characteristics such as fingerprints.
7
Q

FAR

A

False acceptance rate occurs when an invalid subject is authenticated.

Type 2 biometric error (false positive)

8
Q

FRR

A

False rejection rate occurs when a valid subject is rejected.

Type 1 biometric error (false negative)

9
Q

CER

A

Crossover Error Rate

The crossover error rate identifies the accuracy of a biometric method.

It shows where the false rejection rate is equal to the false acceptance rate.

10
Q

SSO

A

Single Sign-On is a mechanism that allows subjects to authenticate once and access multiple objects without authenticating again.

11
Q

Common SSO methods/standards

A
— SAML
— OAuth 2.0
— OpenID
— Kerberos
— SESAME
— KryptoKnight
12
Q

SAML

A

Security Assertion Markup Language

SSO Mechanism

Federated Identity Management

An XML-based, open standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider.

Uses tokens

13
Q

OAuth 2.0

A

An open standard for authorization, commonly used as a way for Internet users to log into third-party websites using their Microsoft, Google, Facebook, Twitter, One Network etc. accounts without exposing their password.

14
Q

OpenID

A

Managed by the OpenID Foundation.

An open standard. It provides decentralized authentication, allowing users to log into multiple unrelated websites with one set of credentials maintained by a third-party service referred to as an OpenID provider.

15
Q

AAA Protocols

A

Several protocols provide centralized Authentication, Authorization, and Accounting services.

Network access or remote access systems use AAA protocols.

RADIUS
TACACS+
Diameter

16
Q

RADIUS

A

AAA protocol

uses UDP and encrypts the password only.

17
Q

TACACS+

A

AAA protocol

uses TCP and encrypts the entire session.

18
Q

Diameter

A

AAA protocol

Based on RADIUS and improves many of the weaknesses of RADIUS, but Diameter is not compatible with RADIUS.

19
Q

Identity and access provisioning lifecycle

A

Refers to account:

  • creation
  • management
  • deletion

20
Q

Authorization Mechanisms

A

Access control models use many different types of authorization mechanisms, or methods, to control who can access specific objects.

21
Q

Implicit Deny

A

A basic principle of access control is implicit deny, and most authorization mechanisms use it.

The implicit deny principle ensures that access to an object is denied unless access has been explicitly granted to a subject.

22
Q

Access Control Matrix

A

A table that includes subjects, objects, and assigned privileges. When a subject attempts an action, the system checks the access control matrix to determine if the subject has the appropriate privileges to perform the action.

23
Q

Capability Tables

A

Another way to identify privileges assigned to subjects. They differ from ACLs in that a capability table is focused on subjects (such as users, groups, or roles), whereas an ACL is focused on objects.

24
Q

Constrained Interface

A

Applications use constrained interfaces or restricted interfaces to restrict what users can do or see based on their privileges. Users with full privileges have full access.

Applications constrain the interface using different methods.

25
Q

Content-Dependent Control

A

Restricts access to data based on the content within an object.

A database view is a content-dependent control.

26
Q

Context-Dependent Control

A

Requires specific activity before granting users access.

example: data flow for a transaction selling digital products

27
Q

DAC

A

Discretionary Access Control

Every object has an owner, and the owner can grant or deny access to any other subjects.

28
Q

RBAC

A

Role Based Access Control

Instead of assigning permissions directly to users, user accounts are placed in roles and administrators assign privileges to the roles.

29
Q

Rule-based Access Control

A

Applies global rules that apply to all subjects. Rules within this model are sometimes referred to as restrictions or filters.

example: a firewall uses rules that allow or block traffic to all users equally.

30
Q

ABAC

A

Attribute Based Access Control

A key characteristic of this model is its use of rules that can include multiple attributes. This allows it to be much more flexible than a rule-based access control model, which applies the rules to all subjects equally.

Often used by software-defined networks (SDNs).

31
Q

MAC

A

Mandatory Access Control

Uses labels applied to both subjects and objects.

For example, if a user has a label of top secret, the user can be granted access to a top secret document. In this example, both the subject and the object have matching labels.

Referred to as a lattice-based model.

32
Q

Preventative Access Controls

A

Deployed to stop unwanted or unauthorized activity from occurring.

EXAMPLES: fences, locks, biometrics, mantraps, alarm systems, job rotation, data classification, penetration testing, access control methods

33
Q

Detective Access Controls

A

Deployed to discover unwanted or unauthorized activity. They are often after-the-fact controls rather than real-time controls.

EXAMPLES: security guards, guard dogs, motion detectors, job rotation, mandatory vacations, audit trails, intrusion detection systems, violation reports, honey pots, and incident investigations.

34
Q

Corrective Access Controls

A

Deployed to restore systems to normal after an unwanted or unauthorized activity has occurred. They have minimal capability to respond to access violations.

EXAMPLES: intrusion detection systems, antivirus solutions, alarms, mantraps, business continuity planning, and security policies.

35
Q

Deterrent Access Controls

A

Deployed to discourage the violation of security policies. A deterrent control picks up where prevention leaves off.

EXAMPLES: locks, fences, security badges, security guards, mantraps,
security cameras, trespass or intrusion alarms, separation of duties, awareness training, encryption, auditing, and firewalls.

36
Q

Administrative Access Controls

A

Policies and procedures defined by an organization's security policy to implement and enforce overall access control. They focus on two areas: personnel and business practices (i.e., people and policies).

EXAMPLES: policies, procedures, hiring practices, background checks, data classification, security training, vacation history, reviews, work supervision, personnel controls, and testing.

37
Q

Logical/Technical Access Controls

A

The hardware or software mechanisms used to manage access to resources and systems and provide protection for those resources and systems.

EXAMPLES: encryption, smart cards, passwords, biometrics, constrained
interfaces, access control lists (ACLs), protocols, firewalls, routers, intrusion detection systems, and clipping levels.

38
Q

Physical Access Controls

A

Barriers deployed to prevent direct contact with systems or portions of a facility.

EXAMPLES: guards, fences, motion detectors, locked doors, sealed windows, lights, cable protections, laptop locks, swipe cards, guard dogs, video cameras, mantraps, and alarms.

39
Q

Access Controls

A

Deployed to provide options to other existing controls to aid in the enforcement and support of a security policy.

EXAMPLES: security policy, personnel supervision, monitoring, and work task procedures.

40
Q

Directive Access Controls

A

Deployed to direct, confine, or control the actions of subjects to force or encourage compliance with security policies.

EXAMPLES: security guards, guard dogs, security policy, posted notifications, escape route exit signs, monitoring, supervising, work task procedures, and awareness training.

41
Q

Recovery Access Controls

A

Deployed to repair or restore resources, functions, and capabilities after a violation of security policies. They have a more advanced or complex capability to respond to access violations than a corrective access control.

EXAMPLES: backups and restores, fault tolerant drive systems, server clustering, antivirus software, and database shadowing.

42
Q

Basic Elements of Risk

A

  • Risk is the possibility or likelihood that a threat can exploit a vulnerability and cause damage to assets.
  • Asset valuation identifies the value of assets; threat modeling identifies threats against these assets.
  • Vulnerability analysis identifies weaknesses in an organization's valuable assets.
43
Q

Dictionary Attacks

A

These are programs with built-in dictionaries. They use all dictionary words to attempt to find the correct password, in the hope that a user has used a standard dictionary word.

44
Q

Brute Force

A

This type of attack attempts to break the password by trying all possible combinations.

45
Q

Spoofed logon screens

A

The last access control attack is to implement a fake logon screen; when a user attempts to log in, the logon screen sends the username and password to the hacker.

46
Q

Sniffer Attacks

A

In a sniffer attack (or snooping attack) an attacker uses a packet capturing tool (such as a sniffer or protocol analyzer) to capture, analyze, and read data sent over a network.

Attackers can easily read data sent over a network in cleartext.

47
Q

Spoofing Attacks

A

Spoofing is pretending to be something or someone else, and it is used in many types of attacks, including access control attacks. Attackers often try to obtain the credentials of users so that they can spoof the user’s identity.

Spoofing attacks include email spoofing, phone number spoofing, and IP spoofing.

48
Q

Social Engineering

A

An attempt by an attacker to convince someone to provide information (like a password) or perform an action they wouldn't normally perform (such as clicking on a malicious link).

Social engineers often try to gain access to the IT infrastructure or the physical facility.

49
Q

Phishing

A

Commonly used to try to trick users into giving up personal information (such as user accounts and passwords), clicking a malicious link, or opening a malicious attachment.

50
Q

Spear Phishing

A

Phishing that targets specific groups of users.

51
Q

Whaling

A

Phishing that targets high-level executives.

52
Q

Vishing

A

Phishing that uses VoIP technologies.

53
Q

Access Aggregation

A

A type of attack that combines, or aggregates, non-sensitive information to learn sensitive information; it is used in reconnaissance attacks.

54
Q

How to prevent password attacks (dictionary, brute force)

A

Passwords should be long, complex, and changed periodically.

There should be a strong password policy in place to enforce these requirements.

Also enforce other measures, such as account lockout after X failed logon attempts.

55
Q

How to prevent spoofed logon screens

A

The best prevention is to have secure endpoints, where these fake logon screens cannot be implemented.

56
Q

TEMPEST

A

Allows the electronic emanations that every monitor produces to be read from a distance (effective on CRT monitors).

Shoulder surfing for newer monitor displays

57
Q

White Noise

A

Broadcasting false traffic at all times to mask and hide the presence of real emanations.

58
Q

Ways to prevent theft, which reduces risk

A

RFID, Barcoding, and Inventory

represent the ability to prevent theft, which reduces risk.

59
Q

Kerberos

A
  • Single sign-on
  • Common with Active Directory
  • Its primary purpose is authentication, as it allows users to prove their identity.
  • Provides a measure of confidentiality and integrity using symmetric key encryption, but these are not its primary purpose.
  • Does not include logging capabilities, so it does not provide accountability.
  • Susceptible to replay attacks
60
Q

The Kerberos logon process

A
  1. The user types a username and password into the client.
  2. The client encrypts the username with AES for transmission to the KDC.
  3. The KDC verifies the username against a database of known credentials.
  4. The KDC generates a symmetric key that will be used by the client and the Kerberos server. It encrypts this with a hash of the user’s password. The KDC also generates an encrypted time-stamped TGT.
  5. The KDC then transmits the encrypted symmetric key and the encrypted time-stamped TGT to the client.
  6. The client installs the TGT for use until it expires. The client also decrypts the symmetric key using a hash of the user’s password.
61
Q

Kerberos Components

A

Key Distribution Center (KDC) contains the authentication service and the ticket granting service

Authentication Service (AS) issues

Ticket Granting Tickets (TGT) passed to

Ticket Granting Service (TGS) issues

Service Tickets (ST) sent by user to

Services (systems/applications)