Security & Access Management Flashcards
SPF
Sender Policy Framework
- Email authentication method that lets a domain publish (in a DNS TXT record) which hosts may send mail on its behalf, so that receivers can detect forged sender addresses during delivery
- Limited to checking the sender claimed in the SMTP envelope (MAIL FROM, or HELO); it says nothing about the From: header the recipient sees, which is why it is normally paired with DKIM and DMARC
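As an added example (not part of the original flashcards), a small Python evaluator for the literal ip4/ip6/all mechanisms of an SPF record, driven by a constructed in-memory stand-in for DNS. It also shows why an SPF pass says nothing about the header From: address. The domains, records and addresses are made up for the example, and any mechanism that would need a DNS lookup (include, a, mx, redirect) is deliberately reported as permerror rather than handled.

```python
"""Minimal SPF (RFC 7208) check for ip4/ip6/all mechanisms. Added example.

Real evaluators also resolve include:, a, mx, exists and redirect= via DNS;
here any such term yields 'permerror' rather than a silent pass.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups (domain -> SPF record).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, dns=FAKE_DNS):
    """Evaluate the sending host against the envelope sender's SPF policy."""
    record = dns.get(mail_from_domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                       # mechanisms default to 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":                     # catch-all, conventionally last
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"            # malformed record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                          # no match, try the next term
        return "permerror"                    # include/a/mx/redirect need DNS
    return "neutral"                          # nothing matched and no 'all'


def evaluate_message(client_ip, envelope_from, header_from, dns=FAKE_DNS):
    """SPF is checked on the envelope MAIL FROM; the header From: is separate."""
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    return {
        "spf": check_spf(client_ip, env_domain, dns),
        "header_from_aligned": env_domain == hdr_domain,
    }


if __name__ == "__main__":
    # A host inside example.com's SPF range passes SPF for that envelope sender
    # even when the user-visible From: claims a different domain entirely.
    print(evaluate_message("192.0.2.77", "bounce@example.com", "ceo@bank.example"))
```

The last call returns an SPF pass together with `header_from_aligned: False`: SPF alone cannot flag the mismatch, which is the alignment check DMARC adds on top.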
DAC
Discretionary Access Control
An access control model in which every object (such as a file or folder) has an owner, and the owner can grant or modify permissions on that object at their own discretion.
Microsoft NTFS uses the DAC model.
MAC
Mandatory Access Control
- Non-discretionary access control policy where the system (not the object's owner) determines access to an object
- Uses labels (sometimes called sensitivity labels or security labels) to determine access
- A security administrator assigns labels to subjects (users) and objects (files, folders, devices, or network connections)
- When the subject's label satisfies the object's label (in the simplest case, when they match), the system grants the subject access to the object
- When the labels do not satisfy the policy, access is blocked
- Labels establish trust levels for all subjects and objects
- Implemented through rule-based and lattice-based access control methods
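As an added example (not part of the original flashcards), a lattice-based MAC decision function in Python. A label is a hierarchical level plus a set of compartments; label A dominates label B when A's level is at least B's and A's compartments include all of B's. Following the Bell-LaPadula rules, a read is permitted when the subject dominates the object (no read up) and a write when the object dominates the subject (no write down). The level names and compartments are constructed for the example.

```python
"""Lattice-based MAC (Bell-LaPadula style) decision function. Added example.
Levels and compartments below are constructed, not from any real system."""
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """Lattice ordering: higher-or-equal level AND superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_decide(subject, obj, action):
    """The system, not the object's owner, decides: True if the policy permits."""
    if action == "read":
        return subject.dominates(obj)          # simple security property (no read up)
    if action == "write":
        return obj.dominates(subject)          # *-property (no write down)
    raise ValueError(f"unknown action {action!r}")


def access_matrix(subject, objects):
    """For each named object, the (can_read, can_write) pair for this subject."""
    return {name: (mac_decide(subject, o, "read"), mac_decide(subject, o, "write"))
            for name, o in objects.items()}


if __name__ == "__main__":
    analyst = Label("SECRET", frozenset({"CRYPTO"}))
    docs = {
        "secret-crypto": Label("SECRET", frozenset({"CRYPTO"})),   # same label
        "top-secret": Label("TOP SECRET"),                         # incomparable
        "top-secret-crypto": Label("TOP SECRET", frozenset({"CRYPTO"})),
        "unclassified": Label("UNCLASSIFIED"),                     # below
        "secret-nuclear": Label("SECRET", frozenset({"NUCLEAR"})), # incomparable
    }
    for name, (r, w) in access_matrix(analyst, docs).items():
        print(f"{name:18} read={r!s:5} write={w}")
```

Note that two labels can be incomparable (neither dominates the other), in which case the lattice denies both reading and writing; "matching" is only the special case where the labels are equal.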
MFA
Multifactor Authentication
Type of authentication that uses methods from more than one factor of authentication.
CSO
Chief Security Officer
The executive responsible for an organization's entire security posture, both physical and cyber, with a big-picture view of the company's operational risk.
Similar to a CISO; the reporting line varies, commonly to the CIO or CEO.
SSO
Single Sign-On
- Ability of a user to log on to or access multiple systems by providing credentials only once
- Can improve security because the user only needs to remember one set of credentials and is less likely to write them down; the trade-off is that those credentials become a single point of compromise, so SSO is normally combined with MFA
RBAC/Rule-BAC
Rule-Based Access Control (AKA Rule-BAC)
- Access is controlled by a set of approved instructions (rules), such as an access control list (ACL); rules are evaluated in order, the first match decides, and a default-deny rule normally closes the list
- Rules can be parameters such as allowing access only from certain IP addresses, denying access from certain IP addresses, or something more specific such as time of day
- Some systems use rules that trigger a response to an event, such as the response to an attack or a situation where a user needs additional permissions
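As an added example (not part of the original flashcards), a Python rule engine that evaluates an ordered ACL first-match-wins with a default deny, and that reacts to an event (repeated failed logins) by inserting a lockout rule at the head of the list. The addresses, hours and lockout threshold are constructed for the example.

```python
"""Rule-based access control: ordered rules, first match wins, default deny,
plus a rule added in response to an event. Added example with constructed data."""
import ipaddress
from dataclasses import dataclass
from typing import Callable


@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]   # predicate over the request
    verdict: str                      # "allow" or "deny"


def src_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["src_ip"]) in net


def hour_between(start, end):
    return lambda req: start <= req["hour"] < end


def both(*preds):
    return lambda req: all(p(req) for p in preds)


class RuleEngine:
    def __init__(self, rules, default="deny"):
        self.rules = list(rules)        # private copy: event rules mutate it
        self.default = default
        self.failed_logins = {}         # per-source state for the event rule

    def decide(self, req):
        """First matching rule decides, so rule order is part of the policy."""
        for rule in self.rules:
            if rule.matches(req):
                return rule.verdict, rule.name
        return self.default, "default"

    def record_failed_login(self, src_ip, threshold=3):
        """Event-triggered rule: after `threshold` failures, deny that host first."""
        count = self.failed_logins.get(src_ip, 0) + 1
        self.failed_logins[src_ip] = count
        if count == threshold:
            host = str(ipaddress.ip_network(src_ip))   # single host, /32 or /128
            self.rules.insert(0, Rule(f"lockout-{src_ip}", src_in(host), "deny"))
        return count


# Constructed ACL: blocklist first so it wins over any later allow.
ACL = [
    Rule("blocklist", src_in("203.0.113.0/24"), "deny"),
    Rule("office-hours", both(src_in("10.0.0.0/8"), hour_between(8, 18)), "allow"),
    Rule("vpn", src_in("192.0.2.0/24"), "allow"),
]


if __name__ == "__main__":
    engine = RuleEngine(ACL)
    for req in ({"src_ip": "10.1.2.3", "hour": 9}, {"src_ip": "10.1.2.3", "hour": 22},
                {"src_ip": "203.0.113.9", "hour": 9}, {"src_ip": "192.0.2.5", "hour": 22}):
        print(req, "->", engine.decide(req))
    for _ in range(3):
        engine.record_failed_login("192.0.2.5")
    print("after lockout:", engine.decide({"src_ip": "192.0.2.5", "hour": 22}))
```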
ID
Identification
An identifier (ID) assigned to a human being or other system user; presenting it is a claim of identity that authentication then has to prove.
EER
Equal Error Rate
A statistic used to show biometric performance, typically when operating in the verification task.
The EER is the location on a ROC or DET curve where the false acceptance rate and false rejection rate are equal.
The lower the EER value, the higher the accuracy of the biometric system. It is the same quantity as the cross-over error rate (CER).
AAA
Authentication, Authorization, & Accounting
A common security framework for mediating network and application access.
- Authentication - verifies the identity of the user or device (proves the claimed ID)
- Authorization - determines what the authenticated user is permitted to access or do
- Accounting - records what was accessed and done, in logs, for audit and billing
RBAC/Role-BAC
Role-Based Access Control
- Uses roles to manage the rights and permissions of users
- Users are assigned to roles, and network objects are configured to allow access only to specific roles
- Roles are created independently of user accounts, so permissions are attached to roles rather than to individuals
- The model is used by the majority of enterprises with 500+ employees
HSM
Hardware Security Module
A dedicated, tamper-resistant hardware device (a PCIe card, USB token or network appliance) that generates, stores and uses cryptographic keys, including RSA and other asymmetric keys, so that private keys never leave the module.
Compare with TPM.
FRR
False Rejection Rate
A metric for biometric devices that describes the percentage of authorized users who were incorrectly rejected by a biometric system.
CAC
Common Access Card
A specialized smart card used by the U.S. Department of Defense (DoD).
It carries photo identification and certificates that provide confidentiality, integrity, authentication, and non-repudiation.
HOTP
HMAC-based One-Time Password
- An open standard (RFC 4226) for creating one-time passwords
- It combines a secret key and a counter: the counter is fed to HMAC with the secret key and the result is truncated to a short numeric code
- The counter increments on each use, so a code is never valid twice; the server must tolerate the client's counter running slightly ahead
- AKA event-based one-time password
NGAC
Next Generation Access Control
- Flexible access control framework that can be molded to support combinations of diverse access control policies
- Enables a systematic, policy-consistent approach to access control, granting or denying users administrative capabilities with a high level of granularity
- Developed by NIST
TOTP
Time-based One-Time Password
- Open standard (RFC 6238) similar to HOTP
- Uses a time step derived from the current time instead of a counter
- One-time passwords created with TOTP are typically valid for a 30-second time step (servers usually accept one adjacent step to allow for clock drift)
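As an added example (not part of the original flashcards), HOTP and TOTP implemented with only the Python standard library, plus the server-side verification routines, which is where the two differ in practice: HOTP resynchronises on the counter, TOTP tolerates a little clock drift. The secret is the RFC 4226/6238 SHA-1 test-vector key; the look-ahead and skew windows are illustrative choices, not values mandated by the RFCs.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with verification windows. Added example.
SECRET is the RFC test-vector key; window sizes are illustrative choices."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """HMAC(secret, counter) -> dynamic truncation -> zero-padded decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6,
         algorithm=hashlib.sha1) -> str:
    """TOTP is HOTP with the counter replaced by floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time // step), digits, algorithm)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 10):
    """Accept a code at or ahead of the stored counter (the client may have
    generated codes that were never submitted); never accept one behind it,
    which would be a replay. Returns the new server counter, or None."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, for_time, step: int = 30, skew: int = 1) -> bool:
    """Allow +/- `skew` time steps of drift between client and server clocks."""
    counter = int(for_time // step)
    return any(hmac.compare_digest(hotp(secret, c, len(code)), code)
               for c in range(counter - skew, counter + skew + 1))


SECRET = b"12345678901234567890"   # RFC 4226 / RFC 6238 SHA-1 test key

if __name__ == "__main__":
    print([hotp(SECRET, c) for c in range(3)])                  # RFC 4226 vectors
    print(totp(SECRET, 59, digits=8), totp(SECRET, 1111111109, digits=8))
    print(verify_hotp(SECRET, hotp(SECRET, 3), 0))              # client ahead: resync
    print(verify_hotp(SECRET, hotp(SECRET, 1), 5))              # behind: rejected
```

Comparison uses `hmac.compare_digest` so that the check does not leak which leading digits matched through timing; a real deployment also rate-limits attempts, since a 6-digit code is only brute-force resistant together with a lockout.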
SAML
Security Assertion Markup Language
- Open standard for exchanging authentication and authorization data between parties
- XML-based markup language for security statements (assertions) that service providers use to make access-control decisions
- SAML provides SSO for web-based applications
- Provides identification and authentication of users
IdP
Identity Provider
- System entity that creates, maintains, and manages identity information for principals
- Also provides authentication services to relying applications within a federation or distributed network
IAM (IdAM)
Identity and Access Management
A collective term that covers the products, processes, and policies used to manage user identities and regulate user access within an organization.
Access and users are the central concepts:
- Access - the actions a user is permitted to perform, such as viewing, creating, or changing a file
- Users - employees, partners, suppliers, contractors, or customers
A framework of policies and technologies for ensuring that the right people in an enterprise have the appropriate access to technology resources.
A security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities working with organizational assets such as networks, operating systems, and applications.
AKA Identity Management (IdM)
FAR
False Acceptance Rate
A metric for biometric devices that describes the percentage of unauthorized users who were incorrectly authenticated by a biometric system
NTLM
New Technology LAN Manager
A suite of challenge-response authentication protocols created by Microsoft that provide confidentiality, integrity, and authentication within Windows systems. It is a legacy protocol exposed to relay and pass-the-hash attacks, so Kerberos is preferred and NTLM should be restricted where possible.
PAP
Password Authentication Protocol
An older authentication protocol in which passwords or PINs are sent across the network in cleartext, so anyone who can observe the traffic captures the credentials; superseded by CHAP and EAP-based methods.
ABAC
Attribute-Based Access Control
An access control model that grants access to resources based on attributes of the subject, the object, the requested action, and the environment (such as time, location, or device), evaluated against policies
AKA policy-based access control
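As an added example (not part of the original flashcards), a Python comparison of the Role-BAC and ABAC cards above on the same requests: in RBAC the decision depends only on which roles a user holds, whereas in ABAC it depends on attributes of subject, resource and environment. The roles, users, attributes and policies are constructed for illustration.

```python
"""RBAC versus ABAC decisions for the same requests. Added example.
Roles, users, attributes and policies are constructed for illustration."""

# --- RBAC: permissions hang off roles, and roles are assigned to users ------
ROLE_PERMISSIONS = {
    "reader": {("document", "read")},
    "editor": {("document", "read"), ("document", "write")},
    "admin":  {("document", "read"), ("document", "write"),
               ("document", "delete"), ("user", "create")},
}
USER_ROLES = {"alice": {"editor"}, "bob": {"reader"}, "carol": {"admin"}}


def rbac_allows(user, resource_type, action):
    """Allowed if any of the user's roles carries the (resource, action) pair."""
    return any((resource_type, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# --- ABAC: policies are predicates over subject, resource, action, environment
def owner_policy(subject, resource, action, env):
    return resource["owner"] == subject["id"] and action in ("read", "write")


def department_policy(subject, resource, action, env):
    return (action == "read"
            and resource["department"] == subject["department"]
            and resource["classification"] != "restricted")


def restricted_policy(subject, resource, action, env):
    """Restricted material: high clearance, managed device, business hours only."""
    return (action == "read"
            and resource["classification"] == "restricted"
            and subject["clearance"] == "high"
            and env["device_managed"]
            and 8 <= env["hour"] < 18)


POLICIES = [owner_policy, department_policy, restricted_policy]


def abac_allows(subject, resource, action, env, policies=POLICIES):
    """Permit-overrides combining: any satisfied policy grants, otherwise deny."""
    return any(p(subject, resource, action, env) for p in policies)


if __name__ == "__main__":
    alice = {"id": "alice", "department": "finance", "clearance": "low"}
    carol = {"id": "carol", "department": "finance", "clearance": "high"}
    memo = {"owner": "bob", "department": "finance", "classification": "internal"}
    audit = {"owner": "bob", "department": "finance", "classification": "restricted"}
    office = {"device_managed": True, "hour": 10}
    night_phone = {"device_managed": False, "hour": 22}
    print("RBAC alice write any document:", rbac_allows("alice", "document", "write"))
    print("ABAC alice write bob's memo:  ", abac_allows(alice, memo, "write", office))
    print("ABAC carol read audit at 10h: ", abac_allows(carol, audit, "read", office))
    print("ABAC carol read audit at 22h: ", abac_allows(carol, audit, "read", night_phone))
```

The contrast is the point: RBAC lets the editor alice write every document because the role says so, while the ABAC policies let her write only documents she owns, and they can express conditions (device state, time of day) that roles alone cannot.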
PIV
Personal Identity Verification
A smart card that meets the FIPS 201 standard: it is resistant to tampering and provides quick electronic authentication of the card holder.
CER
Cross-over Error Rate
- Used to measure the accuracy of a biometric system
- Describes the point where the false rejection rate (FRR) and false acceptance rate (FAR) are equal; the acceptance threshold can then be tuned away from this point to favour security (lower FAR) or convenience (lower FRR)
- A low CER signifies a highly accurate biometric system
- Also called the equal error rate (EER)
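As an added example (not part of the original flashcards) covering the EER, FRR, FAR and CER cards together, a Python computation of the false acceptance and false rejection rates from matcher scores, the threshold sweep that locates the cross-over point, and a security-first tuning that picks the threshold for a target FAR. The genuine and impostor score lists are constructed; a higher score means "more like the enrolled user" and the system accepts when the score reaches the threshold.

```python
"""FAR, FRR and the equal/cross-over error rate from matcher scores. Added example.
Score lists are constructed: higher score = more like the enrolled user,
and the system accepts when score >= threshold."""

GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.72, 0.70, 0.66, 0.60]   # authorized users
IMPOSTOR = [0.68, 0.62, 0.58, 0.55, 0.50, 0.47, 0.44, 0.40, 0.35, 0.30]  # unauthorized


def far_frr(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """FAR: fraction of impostors accepted. FRR: fraction of genuine users rejected."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """Sweep every observed score as a threshold; the EER/CER is where FAR and
    FRR meet. Returns (threshold, eer), taking the lowest threshold on a tie."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = far_frr(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, eer = best
    return threshold, eer


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR stays at or under the target: the usual
    tuning for a security-sensitive system, at the cost of a higher FRR."""
    for t in sorted(set(genuine) | set(impostor)):
        if far_frr(t, genuine, impostor)[0] <= max_far:
            return t
    return None


if __name__ == "__main__":
    t, eer = equal_error_rate()
    print(f"EER/CER {eer:.2f} at threshold {t}")
    strict = threshold_for_max_far(0.0)
    print(f"FAR 0 needs threshold {strict}; FRR there is {far_frr(strict)[1]:.2f}")
```

On these constructed scores the curves cross at a threshold of 0.66 with an EER of 10%; forcing FAR to zero pushes the threshold to 0.70 and the FRR to 20%, which is the trade-off the FAR and FRR cards describe.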
HA
High Availability
The property that defines how closely systems approach the goal of providing data availability 100% of the time while maintaining a high level of system performance.
OAuth
Open Authorization
- Open standard for access delegation; it is an authorization protocol, not an authentication protocol (OpenID Connect adds the identity layer on top of it)
- Commonly used as a way for Internet users to grant websites or applications access to their information on other websites without giving them their passwords
- Used by Amazon, Google, Facebook, Microsoft, Twitter
- Designed to work with HTTP: OAuth allows access tokens to be issued to third-party clients by an authorization server with the approval of the resource owner
OTP
One Time Password
- A password that is generated for use in one specific session and becomes invalid after the session ends.
- Also known as a one-time PIN or dynamic password.
NAC
Network Access Control
- System that inspects clients before granting network access to ensure they are healthy (patched, running antivirus, compliant with policy)
- Agents on the client perform the inspection
- Agents can be:
- Permanent (installed on the client and always present)
- Dissolvable (downloaded for a single session and removed afterward)
- Some NAC systems also work agentless, assessing the client without installing any software on it