Network and Computer Security Flashcards
What does CIA stand for?
Confidentiality
Integrity
Availability
Define Identification
Associating an identity with a subject
Define Authentication
Verifying the validity of something
Define Authorization
Granting (or denying) the right or permission of a system entity to access an object
Define Access Control
Controlling the access of system entities (on behalf of subjects) to objects based on an access control policy
What are four widely used mechanisms for authentication?
- Something you know - Password/PIN
- Something you have - Smart card or one-time password
- Something you are - Biometric Characteristics/Facial Scan/Photograph
- Location
What do good systems include?
Allow for passwords and validate passwords securely
How to access systems securely that require a password
Allow passwords of arbitrary length
Store passwords hashed
Define Social Engineering
Tricking people into giving up private information or doing things they shouldn’t, usually by pretending to be someone they trust.
Define a Soft Token
A one-time use password
What is a bad example of a Hard Token?
UniCard as it could easily be duplicated
What is a Biometric Scan?
Uses characteristics of your body
- Fingerprint
- Retina scan
- Face scan
To authenticate your identity
What do Typical Access Control models focus on?
Authorization
- Specification of who is allowed to do what
- How to update/change permissions
Give an example of a simple access control model.
AC = Subject x Object x Request
List 4 key factors of access control models.
- Often depend on system state
- Subjects and permissions change over time
- Access rights might require completion of certain tasks or conditions
- Prone to implementation and configuration mistakes (bugs)
What does a security policy do?
Defines what is allowed (and/or forbidden)
- It is comparable to a set of laws
- Defined in terms of rules and/or requirements
What is a security model?
A framework that defines rules and guidelines for protecting data and resources in a system.
It helps ensure confidentiality, integrity, and availability by describing how users, processes, and systems interact securely. Examples include Bell-LaPadula.
What is a Role-based Access Control used for?
- Create roles for job functions in enterprises
- Assign users to roles
- Assign a set of permissions for each role
How is a RBAC formalized?
- A set ROLES
- A set USERS
- A relation UA ⊂ USER x ROLES
- A relation PA ⊂ ROLES x PERMISSION
What are key factors of a RBAC when it comes to changing/removing roles?
It uncommon to add/remove roles in organizations - they are more static
If people leave/change roles only one smaller, simpler table/relationship to update
- Employees leaving the company are much more in focus - don’t want them having permissions
What should be considered in a simple RBAC
- Role Hierarchies
- Who can change permission
- Context information
- User switching roles
What do most pratical RBAC applications use?
Extended/modified versions
- Role hierarchies
- Access control constraints (attributes)
What is widely used with RBAC?
XACML (attribute-based access control, very flexible)
What is a Hierarchical RBAC?
Extends RBAC with role hierarchy:
- A relation RH ⊂ ROLES x ROLES
- Describing the role hierarchy
What is Mandatory Access Control (MAC)?
Controls access to resources based on predefined policies.
Access is determined by a central authority, not by the owner or user of the data.
Used often in government or military systems.