IAM Flashcards
ability to make use of any information system resources
access
entity responsible for monitoring and granting access privileges for other authorized entities
access authority
mediation of subject and object interactions
access control
object based description of a single resource and the permission of each subject
access control list
object based description of a system or multiple resources
access control matrix
type of access control specification in which a user, program, and data items are listed for each allowed operation
access control triple
hierarchical portion of the security level used to identify data sensitivity and user clearance or authorization. Note: The access level and the non-hierarchical categories form the sensitivity label of an object.
access level
segment of time, generally expressed on a daily or weekly basis, during which access rights prevail
access period
risk-reducing principle that attempts to avoid prolonging access time to specific data or to the system beyond what is needed to carry out requisite functionality
access time minimization
nature of an access right to a particular device, program, or file (read, write, execute, append, modify, delete, or create)
access type
ability to obtain the use of a computer system or a resource or the ability and means necessary to store data, retrieve data, or communicate with a system
accessibility
responsibility of a user for the actions taken by their account which requires unique identification
accountability
process of requesting, establishing, issuing, and closing user accounts
account management
that is communication based, typically written or oral. Paperwork, cannot hurt adversary.
Administrative - control type
Policy a function of a subject’s characteristics
Attribute -based Access Control (ABAC)
binary decision by a system of permitting or denying access to the entire system
Authentication
granular decision by a system of permitting or denying access to a particular resource on the system
Authorization
evaluation of a system without prior knowledge by the tester
Blind testing
subject based description of a system or a collection of resources
Capability Tables
to segregate for the purposes of labeling
Compartmentalize
more than one control on a single asset
Compensating - control category
system mediation of access with the focus on the context of the request
Content Dependent Access Control
tool which mediates access
Control
most granular organization of controls
Control category
less granular organization of controls
Control type
to restore to a previous state by removing the adversary and or the results of their actions
Corrective - control category
consume resources to a point of exhaustion, loss of availability
Denial of Service
to record an adversary’s actions
Detective - control category
to discourage an adversary from attempting to access
Deterrent - control category
to give instructions or inform
Directive- control category
owner directed mediation of access
Discretionary
sphere of influence
Domain
of a system without prior knowledge by the tester or the tested
Double blind testing
a client/server protocol developed in 1990 by Cisco. Separates authentication, authorization, and accounting.
Extended TACACS (XTACACS) - Terminal Access Controller Access Control System
to assert or claim credentialing to an authentication system
Identification
controls for logging and alerting
Intrusion Detection Systems
controls for termination of attempt to access object
Intrusion Prevention Systems
authentication protocol which only uses symmetric session keys between principals distributed by a 3rd party using different preshared symmetric keys
Kerberos
recording activities at the keyboard level
Keystoke Logging. Threat adversarial
to set the clearance of a subject or the classification of an object
Labeling
just enough access to do the job
Least privilege
system directed mediation of access with labels
Mandatory
physical description on the exterior of an object that communicates the existence of a label
Marking
claiming another’s identity at a physical level
Masquerading. Threat adversarial
requirement of access to data for a clearly defined purpose
Need-to-know
system directed mediation of access without labels and not reprogrammable at run time, typically referring to physical devices, not technical systems.
Non-discretionary
passive system resource
Object
to reveal authentication credentials
Password cracking. Threat adversarial
authorized security personnel using the tools and techniques of attackers to determine vulnerabilities of systems for the purpose of remediation planning
Penetration testing
authorization for a subject to interact with an object
Permission
tangible barrier to entry. Will hurt adversary.
Physical - control type
to stop the adversary before system access
Preventive - control category
system mediation of access with the focus on the object’s privacy
Privacy-Aware Role Based Access Control
a client/server protocol that provides authentication and authorization for remote users. Provides accounting capabilities. Transport uses UDP. Encryption for Password only. Authentication and authorization is combined.
RADIUS - Remote Authentication Dial in User Service
to restore to a previous state with some data loss
Recovery - control category
Policy changes dynamically based on the risk environment
Risk-adaptive access control (RAdAC)
system mediation of access with the focus on the function or role of the subject
Role Based Access Control
system mediation of access with the focus on the function either group concept or source & destination
Rule Based Access Control
authentication protocol which uses both asymmetric and symmetric keys
SESAME
to physically view another’s keyboard and monitor activities
Shoulder Surfing. Threat adversarial
one account is used for many resources
Single Sign-On
to convince another to take an inappropriate action through manipulation
Social Engineering. Threat adversarial
claiming another’s identity at a technical level
Spoofing. Threat adversarial
active system entity
Subject
a client/server protocol that was developed to control who could use dial-up lines.
TACACS - Terminal Access Controller Access Control System
a Cisco-proprietary protocol developed to provide access control for routers, network access servers, and other network devices via one or more centralized servers. Transport uses TCP. Encryption for entire body of packet. Authentication and authorization is separated.
TACACS+ - Terminal Access Controller Access Control System Plus
narrow scope examination of a system
Targeted testing
hardware and or software mechanisms which require system interaction to gain access. Adversary must choose to interact.
Technical (Logical) - control type
system mediation of access with the focus on the time of day
Temporal Isolation
an application with a secondary purpose or execution unknown to the user, which uses the account of the user to gain access or control of a system
Trojan Horse
Authentication Services (Controls)
Proper registration/enrollment
Protect databases
2FA
Account expirations
Password manager/vault
Authentication Services (Threats)
User Password Management
Adversarial
Single Sign On