Identity and Access Management (IAM) Flashcards
access
ability to make use of any information system resources
access authority
entity responsible for monitoring and granting access privileges for other authorized entities
access control
mediation of subject and object interactions
access control list
object-based description of a single resource and the permission of each subject
access control matrix
object-based description of a system or multiple resources
access control triple
type of access control specification in which a user, program, and data items are listed for each allowed operation
access level
hierarchical portion of the security level used to identify data sensitivity and user clearance or authorization. Note: The access level and the non-hierarchical categories form the sensitivity label of an object.
access period
segment of time, generally expressed on a daily or weekly basis, during which access rights prevail
access time minimization
risk-reducing principle that attempts to avoid prolonging access time to specific data or to the system beyond what is needed to carry out requisite functionality
access type
nature of an access right to a particular device, program, or file (read, write, execute, append, modify, delete, or create)
accessibility
ability to obtain the use of a computer system or a resource or the ability and means necessary to store data, retrieve data, or communicate with a system
accountability
responsibility of a user for the actions taken by their account, which requires unique identification
account management
process of requesting, establishing, issuing, and closing user accounts
Administrative
control type - communication based, typically written or oral. Paperwork; cannot hurt an adversary.
Attribute-based Access Control (ABAC)
policy is a function of a subject's characteristics
Authentication
binary decision by a system of permitting or denying access to the entire system
Authorization
granular decision by a system of permitting or denying access to a particular resource on the system
Blind testing
evaluation of a system without prior knowledge by the tester
Capability Tables
subject-based description of a system or a collection of resources
Compartmentalize
to segregate for the purposes of labeling
Compensating
control category - more than one control on a single asset
Content Dependent Access Control
system mediation of access with the focus on the context of the request
Control
tool which mediates access
Control category
most granular organization of controls
Control type
less granular organization of controls
Corrective
control category - to restore to a previous state by removing the adversary and/or the results of their actions
Denial of Service
consume resources to a point of exhaustion, loss of availability
Detective
control category - to record an adversary's actions
Deterrent
control category - to discourage an adversary from attempting to access
Directive
control category - to give instructions or inform
Discretionary
owner directed mediation of access
Domain
sphere of influence
Double blind testing
evaluation of a system without prior knowledge by the tester or the tested
Extended TACACS (XTACACS)
a client/server protocol developed in 1990 by Cisco. Separates authentication, authorization, and accounting.
Identification
to assert or claim credentialing to an authentication system
Intrusion Detection Systems
controls for logging and alerting
Intrusion Prevention Systems
controls for termination of attempt to access object
Kerberos
authentication protocol which uses only symmetric session keys between principals, distributed by a third party using different pre-shared symmetric keys
Keystroke Logging
recording activities at the keyboard level. Threat: adversarial.
Labeling
to set the clearance of a subject or the classification of an object
Least privilege
just enough access to do the job
Mandatory
system directed mediation of access with labels
Marking
physical description on the exterior of an object that communicates the existence of a label
Masquerading
claiming another's identity at a physical level. Threat: adversarial.
Need-to-know
requirement of access to data for a clearly defined purpose
Non-discretionary
system-directed mediation of access without labels and not reprogrammable at run time, typically referring to physical devices, not technical systems.
Object
passive system resource
Password cracking
to reveal authentication credentials. Threat: adversarial.
Penetration testing
authorized security personnel using the tools and techniques of attackers to determine vulnerabilities of systems for the purpose of remediation planning
Permission
authorization for a subject to interact with an object
Physical
control type - tangible barrier to entry. Will hurt an adversary.
Preventive
control category - to stop the adversary before system access
Privacy-Aware Role Based Access Control
system mediation of access with the focus on the object’s privacy
RADIUS
Remote Authentication Dial-In User Service - a client/server protocol that provides authentication and authorization for remote users. Provides accounting capabilities. Transport uses UDP. Encryption for password only. Authentication and authorization are combined.
Recovery
control category - to restore to a previous state with some data loss
Risk-adaptive access control (RAdAC)
policy changes dynamically based on the risk environment
Role Based Access Control
system mediation of access with the focus on the function or role of the subject
Rule Based Access Control
system mediation of access with the focus on a function, either a group concept or source and destination
SESAME
authentication protocol which uses both asymmetric and symmetric keys
Shoulder Surfing
to physically view another's keyboard and monitor activities. Threat: adversarial.
Single Sign-On
one account is used for many resources. Threat to authentication services.
Social Engineering
to convince another to take an inappropriate action through manipulation. Threat: adversarial.
Spoofing
claiming another's identity at a technical level. Threat: adversarial.
Subject
active system entity
TACACS
Terminal Access Controller Access Control System - a client/server protocol that was developed to control who could use dial-up lines.
TACACS+
Terminal Access Controller Access Control System Plus - a Cisco-proprietary protocol developed to provide access control for routers, network access servers, and other network devices via one or more centralized servers. Transport uses TCP. Encryption for the entire body of the packet. Authentication and authorization are separated.
Targeted testing
narrow scope examination of a system
Technical (Logical)
control type - hardware and/or software mechanisms which require system interaction to gain access. The adversary must choose to interact.
Temporal Isolation
system mediation of access with the focus on the time of day
Trojan Horse
an application with a secondary purpose or execution unknown to the user, which uses the account of the user to gain access or control of a system
Authentication Services (Controls)
Proper registration/enrollment
Protect databases
2FA
Account expirations
Password manager/vault
Authentication Services (Threats)
User Password Management
Adversarial
Single Sign On