Domain 5: Identification and Authentication Flashcards
Subject
Active Entity
Object
Passive Entity
Three Primary Control Types of Access Controls
Preventative, Detective, and Corrective
4 “Other” Control Types of Access Controls
Deterrent, Recovery, Directive, Compensating
Preventative Controls
attempts to stop unwanted activity before it happens
Detective Controls
discover activity after the fact
Corrective Controls
modify environment to return to normal
Deterrent Controls
discourage unwanted activity
Recovery Controls
repair or restore resources, more complex than corrective
Directive Controls
direct the actions of subjects to force compliance
Compensating Controls
alternative when the primary control doesn’t work
Three Types Of Controls (based on how they are implemented)
Administrative, Logical/Technical, Physical
Identification
process of a subject claiming an identity
Authentication
verifies the identity of the subject
Authorization
subjects are granted access to objects based on their proven identity
Accountability
provided through auditing
Type 1 Authentication Factor
Something you know
Type 2 Authentication Factor
Something you have
Type 3 Authentication Factor
Something you are or do
Cognitive Password
Series of questions
Synchronous vs Asynchronous Dynamic Password
Synchronous is time based (the password changes on a fixed schedule, e.g., every 60 seconds, in step with the server's clock); Asynchronous generates a new password after the current one is used (counter based, not clock based)
Type 1 Error
valid subject is not authenticated, false rejection
Type 2 Error
invalid subject is authenticated, false acceptance
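Added example, not from the original flashcards: how the two error types trade off against each other for a biometric matcher. Raising the acceptance threshold lowers Type 2 (false acceptance) and raises Type 1 (false rejection); the threshold where the two rates meet is the crossover error rate (CER), the usual single figure for comparing devices. The match scores are constructed for illustration, as are the function names.

```python
# Added example (not from the original flashcards): Type 1 and Type 2 error rates
# of a biometric matcher as a function of its decision threshold. The match
# scores below are constructed sample data; a real matcher would produce them.

# Constructed similarity scores, 0..100; higher means a closer match to the
# enrolled template.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 55]   # the enrolled user
IMPOSTOR_SCORES = [72, 68, 61, 57, 52, 50, 47, 44, 41, 35]  # other people


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FRR, FAR) when any score >= threshold is accepted.

    FRR (Type 1): valid subjects scoring below the threshold are rejected.
    FAR (Type 2): invalid subjects scoring at or above it are accepted.
    """
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Lowest threshold at which FRR and FAR are closest (the crossover error
    rate, CER). Returns (threshold, FRR, FAR)."""
    def gap(t):
        frr, far = error_rates(t, genuine, impostor)
        return abs(frr - far)

    best = min(range(0, 101), key=gap)
    frr, far = error_rates(best, genuine, impostor)
    return best, frr, far


if __name__ == "__main__":
    for t in (60, 70, 80):
        print(t, error_rates(t))
    print("CER at threshold", crossover())
```

Which side of the crossover to tune towards depends on the asset: a data-centre door would sit above the CER (fewer false acceptances, more annoyed employees), a gym turnstile below it.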
Centralized Access Control
all authorization verification is performed by a single entity within a system
Decentralized Access Control
various entities located throughout a system perform authorization verification
SSO
a centralized access control technique that allows a subject to be authenticated only once on a system and access multiple resources
LDAP
centralized access control system, directory service for network services and assets
Most common and well-known ticket-based authentication system
Kerberos
Kerberos Architecture
Key Distribution Center (KDC), which runs the Kerberos Authentication Server (AS) and the Ticket-Granting Service (TGS); the Ticket-Granting Ticket (TGT) the AS issues to an authenticated principal; and the service tickets the TGS issues in exchange for the TGT.
Permissions
the access granted for an object; determines what you can do with it
Rights
the ability to take an action on an object
Privileges
combination of rights and permissions
Implicit Deny
access to an object is denied unless explicitly granted
Access Control Matrix
table that includes subjects, objects, and assigned privileges
Capability Tables
identify privileges assigned to subjects (subject-focused: one row of the access control matrix; an ACL is the object-focused column)
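Added example, not from the original flashcards, covering the permissions, implicit deny, access control matrix and capability table cards above: one matrix held as nested dictionaries, the capability table (row) and ACL (column) derived from it, an authorization check that denies anything not explicitly granted, and an audit record of each decision for accountability. Subjects, objects and permissions are constructed sample data; the function names are this example's own.

```python
# Added example (not from the original flashcards): an access control matrix,
# its two views (capability tables per subject, ACLs per object) and an
# authorization check that applies implicit deny. Matrix contents are
# constructed sample data.
from typing import Dict, List, Set, Tuple

# subject -> object -> permissions explicitly granted (one cell of the matrix)
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice":      {"payroll.db": {"read", "write"}, "web.log": {"read"}},
    "bob":        {"web.log": {"read", "write"}},
    "backup_svc": {"payroll.db": {"read"}, "web.log": {"read"}, "/etc/shadow": {"read"}},
}

# Accountability: every authorization decision is recorded (subject, object, action, result).
AUDIT_LOG: List[Tuple[str, str, str, str]] = []


def capability_table(subject: str) -> Dict[str, Set[str]]:
    """Subject-focused view: the matrix row for one subject."""
    return {obj: set(perms) for obj, perms in MATRIX.get(subject, {}).items()}


def acl(obj: str) -> Dict[str, Set[str]]:
    """Object-focused view: the matrix column for one object."""
    return {subj: set(row[obj]) for subj, row in MATRIX.items() if obj in row}


def who_can(obj: str, action: str) -> Set[str]:
    """Audit query over the ACL view: which subjects hold `action` on `obj`?"""
    return {subj for subj, perms in acl(obj).items() if action in perms}


def is_authorized(subject: str, obj: str, action: str) -> bool:
    """Implicit deny: an unknown subject, an object with no cell for that subject,
    or an action not explicitly granted are all denied. Nothing is assumed."""
    allowed = action in MATRIX.get(subject, {}).get(obj, set())
    AUDIT_LOG.append((subject, obj, action, "allow" if allowed else "deny"))
    return allowed


def grant(subject: str, obj: str, action: str) -> None:
    """Explicit grant is the only way a cell ever gains a permission."""
    MATRIX.setdefault(subject, {}).setdefault(obj, set()).add(action)


if __name__ == "__main__":
    print("alice capabilities:", capability_table("alice"))
    print("web.log ACL:", acl("web.log"))
    print("can bob read payroll.db?", is_authorized("bob", "payroll.db", "read"))
    print(AUDIT_LOG[-1])
```

The same matrix answers both operational questions ("what can this account touch?" from the row) and review questions ("who can read the password file?" from the column); which view you store decides which question is cheap and which revocation is expensive.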
Constrained Interface
restricts what users can do or see based on privileges (disabled capabilities may be grayed out)
Context-Dependent Control
requires specific activities before granting user access - ex: data flow for online transactions
Content-Dependent Control
restrict access based on the content within an object (database view)
DAC
allows data owner, creator, or custodian of an object to control access to it
RBAC
define a subject’s ability to access an object based on their role
TBAC
each user is assigned an array of tasks
RuBAC
uses a set of rules to determine access (global rules that apply to all subjects, e.g., firewall rules)
ABAC
Attribute based, uses multiple attributes for rules
MAC
relies on classification labels
Hierarchical Environment
ordered structure of classifications, each level related to the ones above and below it: TS (Top Secret), S (Secret), UC (Unclassified)
Compartmentalized Environment
no relationship between domains
Hybrid Environment
Clearance + need to know
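Added example, not from the original flashcards, covering the MAC cards above: a label with a hierarchical level and a set of compartments, and a dominance check that grants access only when the subject's level is at least the object's and the subject holds every compartment on the object. The same check reproduces all three environments: pure levels (hierarchical), same level but disjoint compartments (compartmentalized, neither side dominates), and both together (hybrid, clearance plus need to know). The level names, compartment names and function names are this example's own.

```python
# Added example (not from the original flashcards): MAC label comparison for the
# hierarchical, compartmentalized and hybrid environments. Labels, levels and
# compartment names are constructed sample data.
from dataclasses import dataclass

# Hierarchical ordering: each level relates to the ones above and below it.
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()  # need-to-know markings


def dominates(subject: Label, obj: Label) -> bool:
    """True if the subject's clearance dominates the object's classification:
    level at least as high AND every compartment on the object is held."""
    return (LEVELS[subject.level] >= LEVELS[obj.level]
            and subject.compartments >= obj.compartments)


def comparable(a: Label, b: Label) -> bool:
    """Labels in disjoint compartments are unrelated: neither dominates the other."""
    return dominates(a, b) or dominates(b, a)


def join(a: Label, b: Label) -> Label:
    """Least upper bound: the label an aggregate of two objects must carry
    (the higher level and the union of both compartment sets)."""
    level = a.level if LEVELS[a.level] >= LEVELS[b.level] else b.level
    return Label(level, a.compartments | b.compartments)


def can_access(subject: Label, *objects: Label) -> bool:
    """A subject may access a set of objects only if it dominates their join,
    which is what stops compartment hopping via aggregated data."""
    combined = objects[0]
    for obj in objects[1:]:
        combined = join(combined, obj)
    return dominates(subject, combined)


if __name__ == "__main__":
    crypto = Label("S", frozenset({"CRYPTO"}))
    nuke = Label("S", frozenset({"NUKE"}))
    print("hierarchical:", dominates(Label("TS"), Label("S")))
    print("compartmentalized:", comparable(crypto, nuke))
    print("hybrid:", dominates(Label("TS", frozenset({"CRYPTO"})), crypto))
```

The `join` is the lattice operation behind the hybrid environment: combining a Secret/CRYPTO document with a Confidential/NUKE one produces Secret/{CRYPTO, NUKE}, which a Top Secret subject cleared only for CRYPTO still may not see.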
What are the key steps in a risk management process?
Identifying assets, threats, and vulnerabilities
Threat Modeling
identifying, understanding, and categorizing threats
Three Threat Modeling Approaches
Focus on Assets, Focus on Attackers, Focus on Software
Advanced Persistent Threat
group of attackers working together, advanced skills and motivation
Access Aggregation
collecting multiple pieces of nonsensitive information and combining to learn sensitive info
Dictionary Attack
tries every password in a predefined list (the dictionary) against the target; only passwords absent from every such list resist it
Birthday Attack
focuses on finding collisions: two different inputs with the same hash output, which takes roughly the square root of the effort a search for one specific output would need
Rainbow Table Attack
uses large databases of precomputed hashes; defeated by salting, since a table would have to be precomputed for every salt value
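Added example, not from the original flashcards, covering the dictionary, birthday and rainbow table cards: a dictionary attack that hashes each candidate per target, a precomputed hash-to-plaintext table standing in for a rainbow table (reused across targets, hence the payoff), per-user salting that makes the precomputed table useless while leaving the dictionary attack merely slower, and a birthday search that finds a collision in a 24-bit truncated SHA-256 in thousands rather than millions of hashes. The word list and passwords are constructed; plain SHA-256 is used here precisely because it is a fast, and therefore poor, password hash.

```python
# Added example (not from the original flashcards): dictionary attack,
# precomputed-hash lookup (rainbow-table stand-in), salting, and a birthday
# collision search on a truncated hash. Word list and passwords are constructed.
import hashlib
import os
from typing import Dict, Optional, Tuple

WORDLIST = ["password", "letmein", "qwerty", "hunter2", "Summer2024!"]  # constructed


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def dictionary_attack(target_hex: str, wordlist, salt: bytes = b"") -> Optional[str]:
    """Hash every word (with the salt, if it is known) until one matches the
    target. The work is repeated for every target; a salt does not prevent this,
    it only prevents sharing the work across targets."""
    for word in wordlist:
        if sha256_hex(salt + word.encode()) == target_hex:
            return word
    return None


def build_precomputed_table(wordlist) -> Dict[str, str]:
    """Rainbow-table stand-in: hash -> plaintext computed once and reused against
    any number of targets. A real rainbow table trades memory for chain
    recomputation, but the attack's precondition is the same: unsalted hashes."""
    return {sha256_hex(word.encode()): word for word in wordlist}


def lookup(table: Dict[str, str], target_hex: str) -> Optional[str]:
    return table.get(target_hex)


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt: the same password hashes differently for every user,
    so a table precomputed without the salt never matches."""
    salt = os.urandom(16) if salt is None else salt
    return salt, sha256_hex(salt + password.encode())


def truncated_digest(msg: bytes, bits: int) -> bytes:
    """First `bits` bits (whole bytes) of SHA-256, a stand-in for a short hash."""
    return hashlib.sha256(msg).digest()[: bits // 8]


def birthday_collision(bits: int = 24, max_tries: int = 1 << 20):
    """Find two different messages with equal `bits`-bit truncated digests.
    Expected cost is about 2**(bits/2) hashes (the birthday bound), not 2**bits.
    Returns (msg1, msg2, hashes_computed) or None."""
    seen: Dict[bytes, bytes] = {}
    for i in range(max_tries):
        msg = b"msg-%d" % i
        digest = truncated_digest(msg, bits)
        if digest in seen and seen[digest] != msg:
            return seen[digest], msg, i + 1
        seen[digest] = msg
    return None


if __name__ == "__main__":
    table = build_precomputed_table(WORDLIST)
    print("table hit:", lookup(table, sha256_hex(b"hunter2")))
    salt, stored = salted_hash("hunter2")
    print("table hit after salting:", lookup(table, stored))
    print("dictionary attack with salt:", dictionary_attack(stored, WORDLIST, salt))
    m1, m2, tries = birthday_collision(24)
    print("24-bit collision after", tries, "hashes:", m1, m2)
```

The collision count is the point of the birthday card: 24 bits of hash means 16 million possible outputs, yet a collision turns up after a few thousand attempts, which is why hash output sizes are chosen for 2^(n/2) work, not 2^n.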
Sniffing
captures packets sent over a network
Spoofing
pretending to be something else