Week 4: Overview of Security Concepts Flashcards

1
Q

Access Control refers to

A

any hardware, software, or organizational/administrative policy or procedure that

grants or restricts access

monitors and records attempts to access

identifies users attempting to access

2
Q

The transfer of information from an object to a subject is called

A

access

3
Q

subject

A

The subject (e.g. user) is the active element

4
Q

object

A

The object (e.g. database) is the passive element

5
Q

These three essential security principles are known as the

A

CIA Triad
Confidentiality
Integrity
Availability

6
Q

Confidentiality

A

Confidentiality ensures that only authorized subjects can access objects

7
Q

Integrity

A

Integrity ensures that unauthorized or unwanted changes to objects are denied

8
Q

Availability

A

Availability ensures that authorized requests for objects are granted as quickly as system and network parameters allow

9
Q

The term access control describes

A

The term access control describes a broad range of controls used to enforce these security principles (CIA)

10
Q

Access controls can be divided into the following seven categories of function or purpose

A
  1. Preventive
  2. Deterrent
  3. Detective
  4. Corrective
  5. Recovery
  6. Compensation
  7. Directive
11
Q

preventive access control

A
stop unwanted or unauthorized activity from occurring

Examples of preventive access controls include
• fences and locks
• separation of duties and job rotation
• data classification
12
Q

deterrent access control

A

A deterrent access control is deployed to discourage violation of security policies

A deterrent implies certain consequences in the event of an attempted or successful violation

Examples of deterrent access controls include
• security guards & security cameras
• trespass or intrusion alarms

13
Q

detective access control

A

A detective access control is deployed to discover unwanted or unauthorized activity

Often detective controls operate after the fact

Examples of detective access controls include
• security guards, guard dogs
• motion detectors
• review of recordings captured by security cameras
• audit trails
• honeypots or honeynets
• intrusion detection systems
• incident investigations
14
Q

corrective access control

A

A corrective access control is deployed to restore systems after an unwanted or unauthorized activity has occurred

Usually corrective controls have only minimal capability to respond to access violations

Examples of corrective access controls include
• antivirus solutions
• terminating access

15
Q

recovery access control

A

A recovery access control is deployed to repair or restore functions and capabilities after a violation of security policies

Recovery controls have more advanced or complex capabilities to respond to access violations than corrective access controls

Examples of recovery access controls include
• backups and restores
• fault-tolerant systems

16
Q

compensation access control

A

A compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of security policy
Examples of compensation access controls include
• personnel supervision, monitoring, and work task procedures

Can also include controls used instead of more desirable controls
For example, if a guard dog cannot be deployed due to proximity to residential areas, a motion detector with a spotlight and a barking sound playback device can be used

17
Q

directive access control

A

A directive access control is deployed to direct or control the actions of subjects to force or encourage compliance with security policies

Examples of directive access controls include
• security guards and posted notifications

18
Q

Types of Access Control Implementation

A

Administrative access controls
Logical/technical access controls
Physical access controls

19
Q

Administrative access controls

A

The procedures defined by an organization’s security policy to implement and enforce overall access control

Hiring practices, background checks, and security training
Data classification

20
Q

Logical/technical access controls

A

The hardware or software mechanisms used to manage access to resources and systems
Intrusion detection systems
Encryption, smart cards, passwords, and biometrics

21
Q

Physical access controls

A

The physical barriers deployed to prevent direct contact with systems or areas within a facility

Guards, fences and locks

22
Q

Several steps lead up to the ability to hold a person accountable for online actions

A
Identification
Authentication
Authorization
Auditing
Accountability / Monitoring
23
Q

Identification

A

Identification is the process by which a subject professes an identity

A user provides a username, a logon ID, a personal identification number (PIN), or a smart card to represent an identification process

Providing a process ID number also represents an identification process

Once a subject has identified itself, the claimed identity becomes accountable for any further actions undertaken by that subject

IT systems track activity by identities, not by subjects themselves

24
Q

Authentication

A

Authentication is the process of verifying that a claimed identity is valid

Requires that a subject provide additional information that must correspond exactly to the identity professed

25
Three factors of authentication
Type 1. Something you know: any string of characters you have memorized and can reproduce on a keyboard when prompted
• passwords, PINs, lock combinations, passphrases
Type 2. Something you have: a physical device that you possess and must have on your person at the time of authentication
• smart cards, tokens, memory cards, physical location
Type 3. Something you are (biometrics): a physical characteristic of your person
• fingerprints, iris patterns, hand geometry, writing a signature
26
Strong authentication requires
two or more factors
When two of the same factors are used together, the system is no more secure than it would be if just one factor was used, as a single type of attack could compromise both instances
27
Authorization
The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity
28
access control matrix
For authorization: In most cases, the system evaluates an access control matrix that compares the subject, the object, and the intended activity
29
Auditing
Auditing is the process by which online activities of user accounts and processes are tracked and recorded
Auditing produces audit trails, which can be used to reconstruct events and to verify whether a security policy was violated
30
NIST Audit Documents
Minimum Security Requirements for Federal Information and Information Systems (FIPS 200)
Minimum Security Requirements for Multi-User Operating Systems (NIST IR 5153)
31
Requirements for audit data recording
Create, retain, and protect audit records to the extent needed to enable the monitoring, investigation, and reporting of unlawful or unauthorized activity
Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions
32
A subject must provide an ___ to a system to start the authentication process
identity
A subject's identity is typically considered public information
33
Authentication verifies the ____ of the subject by comparing one or more factors against a database of valid identities
identity
Authentication factors are typically considered private information
34
Passwords
The most common, but weakest, authentication technique
35
Password types
Static vs. dynamic
• Static passwords always remain the same
• Dynamic passwords change after a specified interval of time or use
One-time or single-use passwords
Passphrases
Cognitive passwords (security questions)
36
One-time or single-use passwords
Dynamic passwords that change every time they are used
37
Passphrases
Strings of characters usually much longer than a password
38
Cognitive passwords (security questions)
Questions about facts that only a subject should know
39
Password Security
Never allow clear text transmission
Use strong one-way storage (i.e. hashing)
Password audit your own systems
• Use password verification and password-cracking tools against your own password file and require that discovered passwords be changed
Disable inactive accounts, delete old ones
Train users
• Protects from social engineering attacks
Change passwords based on sensitivity of data
Define and enforce a password policy
• Example: minimum length, three or four character types
• Protects from brute-force and dictionary attacks
40
biometric factor
A biometric factor is a behavioral or physiological characteristic that is unique to a subject
Biometric factors can be used both as an identification and an authentication technique
41
Tokens
Type 2 Factor
Tokens (or smart tokens) are password-generating devices that subjects must carry with them
42
Static Tokens
swipe card, a smart card, or a USB RAM dongle
43
Synchronous dynamic password tokens
Generate passwords at fixed time intervals. Require synchronizing the clock on an authentication server with the clock on the token device
44
Asynchronous dynamic password tokens
Generate passwords based on occurrence of some event
45
Challenge-response tokens
Generate passwords based on instructions (challenges) from the authentication system
46
Single sign-on (SSO)
Single sign-on (SSO) is a mechanism that allows a subject to be authenticated only once on a system yet remain able to access multiple resources without repeated authentication prompts
Examples of SSO mechanisms
• Kerberos
• SESAME
• KryptoKnight
• Directory services
47
Kerberos
Relies on AES symmetric-key (private-key) cryptography
Provides end-to-end security for authentication traffic between clients and the key distribution center (KDC)
Relies on a trusted server hosting the functions of the KDC, a ticket-granting service (TGS), and an authentication service (AS)
An exchange of tickets (cryptographic messages) between clients, network servers, and the KDC
48
Kerberos Login Process
1. The user types a username and password into the client
2. The client encrypts the credentials with AES for transmission to the KDC
3. The KDC verifies the user credentials
4. The KDC generates a ticket granting ticket (TGT) by hashing the user’s password
5. The TGT is encrypted with AES for transmission to the client
6. The client installs the TGT for use until it expires
49
Kerberos Service Access Process
1. The client sends its TGT back to the KDC with a request for access to a server or service
2. The KDC verifies the validity of the TGT and verifies that the user has sufficient privileges to access the requested resource
3. A service ticket (ST) is generated and sent to the client
4. The client sends the ST to the server or service host
5. The server verifies the validity of the ST with the KDC
6. Once identity and authorization are verified, Kerberos activity is complete
• The server or service host then opens a session with the client
50
There are two primary categories of access control techniques
Discretionary Access Control (DAC)
Nondiscretionary Access Control
• Mandatory Access Control (MAC)
• Role Based Access Control (RBAC)
• Task Based Access Control (TBAC)
51
Discretionary Access Controls
Allow the owner or creator of an object to control and define subject access to that object
Access control is based on the discretion (in other words, a decision) of the owner
Access is granted or denied based on the identity of the subject (which is typically the user account name)
Often implemented using access control lists (ACLs)
• Each ACL defines the types of access granted or restricted to individuals or grouped subjects
52
Nondiscretionary Access Controls
Used in a rule-based system in which a set of rules, restrictions, or filters determines what can and cannot occur on the system
Access is not based on administrator or owner discretion and does not focus on user identity
Rule-based access control systems are more appropriate for environments that experience frequent changes to data permissions
Rule-based systems can implement sweeping changes just by changing centralized rules
53
Nondiscretionary Access Control Types
• Mandatory Access Control (MAC)
• Role Based Access Control (RBAC)
• Task Based Access Control (TBAC)
54
Mandatory Access Controls (MAC)
Rely upon the use of classification labels
Subjects are labeled by their level of clearance
Objects are labeled by their level of classification or sensitivity
55
Classifications within a MAC environment are of three types:
Hierarchical environments relate various classification labels in an ordered structure. Clearance in one level grants the subject access to objects in that level as well as in lower levels
Compartmentalized environments require the subject to have specific clearance for each of its independent security domains
Hybrid environments combine hierarchical and compartmentalized concepts so that each hierarchical level may contain isolated subdivisions
56
Systems that employ role-based (RBAC) or task-based (TBAC) access controls define a subject’s ability to access an object via
• subject roles (job descriptions)
• tasks (work functions)
Role-based access controls are useful in volatile environments with frequent personnel changes because access does not depend on subject identities
57
Access control administration
Access control administration is the set of tasks and duties assigned to an administrator to manage
Account Administration
• Creating, maintaining, and closing user accounts
Account, Log, and Journal Monitoring
• Monitoring online activities
Access Rights and Permissions
• Assigning access to objects
• Principle of least privilege
58
user
A user is any subject who accesses objects on a system
59
owner
An owner is the person who has final responsibility for classifying and protecting objects
60
custodian
A custodian is a subject who has been assigned the day-to-day responsibility of properly storing and protecting objects
61
Monitoring
Is a programmatic means by which subjects are held accountable for their actions while authenticated on a system
Is a process by which unauthorized or abnormal activities may be detected on a system
Can help reconstruct events, provide evidence for prosecution, and produce problem reports and analysis
62
Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a tool that automates the inspection of audit logs and real-time system events
• Primarily used to detect intrusion attempts
• Also used to detect system failures
• Watch for violations of confidentiality, integrity, and availability (CIA)
63
The goal of an IDS is to
• provide perpetrator accountability for intrusion activities
• enable timely and accurate response to intrusions
64
In general, IDSs can recognize
• attacks that come from external connections (such as the Internet)
• viruses and malicious code
• trusted internal subjects attempting to perform unauthorized activities
• unauthorized access attempts from trusted locations
65
IDS Event Response
IDSs have only limited capability to stop or prevent attacks
• Typical responses include blocking ports, protocols, or source addresses
When an IDS discovers a violation, it records details of the issue and discards the malicious packets
An IDS should be considered one of many components that a defense-in-depth approach employs to protect a network
66
Host-Based IDS (HIDS)
Watches for suspicious activity on a single computer system
Can examine events in much greater detail than a network-based IDS
67
Network-Based IDS (NIDS)
Watches for suspicious activity occurring on the network medium
A single NIDS can monitor a large network if installed on its backbone
NIDSs are installed onto dedicated single-purpose computers
68
Knowledge-Based IDS
(or signature-based)
Uses a signature database
Attempts to match all monitored events to signatures in the database
If a match is found, the IDS assumes that an attack is taking place
Effective only against known attack methods
69
Behavior-Based IDS
(or anomaly detection)
Learns about the normal activities on a system by watching and tracking events
Once it has accumulated enough data about normal activity, it can detect abnormal and possibly malicious activities or events
The primary drawback is that it produces many false alarms
70
Honeypots
Honeypots attract intruders by presenting unpatched and unprotected security vulnerabilities as well as by hosting attractive but faux data
71
Vulnerability scanners
Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses
A vulnerability scanner is only as useful as its database of security issues
Use of vulnerability scanners in cooperation with IDSs
72
penetration
A penetration occurs when an attack is successful and an intruder is able to breach the perimeter of a computer system
73
Penetration testing
Penetration testing is one common method to test the strength of security measures and discover all detectable weaknesses in the security perimeter
Penetration testing should be performed only with the consent and knowledge of management and security staff
• Performing unapproved security testing could
  • cause productivity losses
  • trigger emergency response teams
  • potentially earn jail time
74
Firewall and where it's deployed
A firewall is a network device used to filter traffic and is deployed
• between a private network and a link to the Internet
• between departments within an organization
75
Firewall filters
Firewalls filter traffic based on a set of rules, also called filters or access control lists, distinguishing authorized traffic from unauthorized traffic
76
Firewall types
Static packet filtering firewall
Application level gateway (proxy) firewall
Circuit level gateway (circuit proxy) firewall
Stateful inspection firewall
77
Static packet filtering firewall
Filters traffic by examining a message header
Operates at Layer 3
Easily circumvented through spoofing
78
Application level gateway (proxy) firewall
Filters traffic based on content and address
Each type of application must have its own proxy
Operates at Layer 7
Negatively affects network performance
79
Circuit level gateway (circuit proxy) firewall
Used to establish communication sessions between trusted partners
Permits or denies forwarding decisions based solely on the endpoint designations of the communication circuit (source and destination addresses and service port numbers)
Operates at Layer 5
80
Stateful inspection firewall
Filters based on content and context of traffic
Source and destination addresses, application usage, source of origin, and relationship between current packets and the previous packets
Operates at Layers 3 and 4
81
Denial-of-service (DoS)
Denial-of-service (DoS) attacks prevent a system from processing or responding to legitimate traffic or requests
82
There are several types of DoS flood attacks
A single attacking system flooding a victim with a steady stream of packets
Distributed Denial of Service (DDoS)
• DDoS attacks can be stopped by blocking packets from the compromised systems, but this can also result in blocking legitimate traffic because the sources of the flood packets are victims themselves
Distributed Reflective Denial of Service (DRDoS)
SYN-Flood
Smurf
83
Distributed Reflective Denial of Service (DRDoS)
DRDoS attacks take advantage of the normal operation mechanisms of key Internet services, such as router update protocols (e.g., smurf attacks)
Numerous update/control packets are sent to various servers/routers with a spoofed source address for the intended victim, which will receive the response packets
84
SYN-Flood
A SYN flood occurs when numerous SYN packets are sent to a server but the sender never replies to the server’s SYN/ACK with the final ACK
The server waits for the client’s ACK, holding open a session and consuming system resources
85
Smurf Attack
Occurs when an amplifying server or network is used to flood a victim with useless data
An amplifying server or network is any system that generates multiple response packets, such as Internet Control Message Protocol (ICMP) echo packets, from a single submitted packet
A common smurf attack method is to send a message to the broadcast address for a subnet or network with the victim’s spoofed address
• Every node on that network produces one or more response packets for the victim
If the amplification network can produce sufficient response packet volume, the victim will experience a DoS
Countermeasures for smurf attacks include disabling directed broadcasts on all network border routers
86
Spoofing Attacks
Spoofing is the art of pretending to be something you’re not
Spoofing attacks consist of replacing a valid source and/or destination IP address with false ones, which grants attackers the ability to hide their identities
Countermeasures:
• enabling source/destination verification on routers
• employing an IDS to detect and block attacks
87
Man-in-the-Middle
A man-in-the-middle attack occurs when a malicious user is able to gain a position between the two endpoints of an ongoing communication
88
sniffer attack (or snooping attack)
Attackers sniffing the traffic between two parties
89
store-and-forward or proxy mechanism
Attackers positioning themselves in the line of communication where they act as a store-and-forward or proxy mechanism
To perform this type of attack, the attacker must alter routing information to impersonate a server from the perspective of the client and to impersonate the client from the perspective of the server
The attacker is invisible to both ends of the communication link
90
Spamming Attacks
Spam is the term that describes unsolicited email, newsgroup, or discussion forum messages
• As innocuous as an advertisement
• As malignant as floods of unrequested messages with viruses or Trojan horses attached
Also considered a type of DoS