Week 4: Overview of Security Concepts Flashcards

1
Q

Access Control refers to

A

any hardware, software, or organizational/administrative policy or procedure that

grants or restricts access

monitors and records attempts to access

identifies users attempting to access

2
Q

The transfer of information from an object to a subject is called

A

access

3
Q

subject

A

The subject (e.g. user) is the active element

4
Q

object

A

The object (e.g. database) is the passive element

5
Q

These three essential security principles are known as the

A

CIA Triad
Confidentiality
Integrity
Availability

6
Q

Confidentiality

A

Confidentiality ensures that only authorized subjects can access objects

7
Q

Integrity

A

Integrity ensures that unauthorized or unwanted changes to objects are denied

8
Q

Availability

A

Availability ensures that authorized requests for objects are granted as quickly as system and network parameters allow

9
Q

The term access control describes

A

The term access control describes a broad range of controls used to enforce these security principles (CIA)

10
Q

Access controls can be divided into the following seven categories of function or purpose

A
  1. Preventive
  2. Deterrent
  3. Detective
  4. Corrective
  5. Recovery
  6. Compensation
  7. Directive
11
Q

preventive access control

A
Stop unwanted or unauthorized activity from occurring

Examples of preventive access controls include
• fences and locks
• separation of duties and job rotation
• data classification
12
Q

deterrent access control

A

A deterrent access control is deployed to discourage violation of security policies

A deterrent implies certain consequences in the event of an attempted or successful violation

Examples of deterrent access controls include
security guards & security cameras
trespass or intrusion alarms

13
Q

detective access control

A

A detective access control is deployed to discover unwanted or unauthorized activity

Often detective controls operate after the fact

Examples of detective access controls include
security guards, guard dogs
motion detectors
review of recordings captured by security cameras
audit trails
honeypots or honeynets
intrusion detection systems
incident investigations
14
Q

corrective access control

A

A corrective access control is deployed to restore systems after an unwanted or unauthorized activity has occurred

Usually corrective controls have only minimal capability to respond to access violations

Examples of corrective access controls include
antivirus solutions
terminating access

15
Q

recovery access control

A

A recovery access control is deployed to repair or restore functions and capabilities after a violation of security policies

Recovery controls have more advanced or complex capabilities to respond to access violations than corrective access controls

Examples of recovery access controls include
backups and restores
fault-tolerant systems

16
Q

compensation access control

A

A compensation access control is deployed to provide various options to other existing controls to aid in the enforcement and support of security policy
Examples of compensation access controls include
personnel supervision, monitoring, and work task procedures

Can also include controls used instead of more desirable controls
For example, if a guard dog cannot be deployed due to proximity to residential areas, a motion detector with a spotlight and a barking sound playback device can be used

17
Q

directive access control

A

A directive access control is deployed to direct or control the actions of subjects to force or encourage compliance with security policies

Examples of directive access controls include
security guards and posted notifications

18
Q

Types of Access Control Implementation

A

Administrative access controls
Logical/technical access controls
Physical access controls

19
Q

Administrative access controls

A

The procedures defined by an organization’s security policy to implement and enforce overall access control

Hiring practices, background checks, and security training
Data classification

20
Q

Logical/technical access controls

A

The hardware or software mechanisms used to manage access to resources and systems
Intrusion detection systems
Encryption, smart cards, passwords, and biometrics

21
Q

Physical access controls

A

The physical barriers deployed to prevent direct contact with systems or areas within a facility

Guards, fences and locks

22
Q

Several steps lead up to the ability to hold a person accountable for online actions

A
Identification
Authentication
Authorization
Auditing
Accountability / Monitoring
23
Q

Identification

A

Identification is the process by which a subject professes an identity

A user provides a username, a logon ID, a personal identification number (PIN), or a smart card to represent an identification process

Providing a process ID number also represents an identification process

Once a subject has identified itself, the claimed identity becomes accountable for any further actions undertaken by that subject

IT systems track activity by identities, not by subjects themselves

24
Q

Authentication

A

Authentication is the process of verifying that a claimed identity is valid

Requires that a subject provide additional information that must correspond exactly to the identity professed

25
Q

Three factors of authentication

A

Type 1. Something you know: any string of characters you have memorized and can reproduce on a keyboard when prompted
passwords, PINs, lock combinations, passphrases

Type 2. Something you have: a physical device that you possess and must have on your person at the time of authentication
smart cards, tokens, memory cards, physical location

Type 3. Something you are (biometrics): a physical characteristic of your person
fingerprints, iris patterns, hand geometry, writing a signature

26
Q

Strong authentication requires

A

two or more factors

When two of the same factors are used together, the system is no more secure than it would be if just one factor was used, as a single type of attack could compromise both instances

27
Q

Authorization

A

The process of authorization ensures that the requested activity or object access is possible given the rights and privileges assigned to the authenticated identity

28
Q

access control matrix

A

For authorization: In most cases, the system evaluates an access control matrix that compares the subject, the object, and the intended activity

29
Q

Auditing

A

Auditing is the process by which online activities of user accounts and processes are tracked and recorded

Auditing produces audit trails, which can be used to reconstruct events and to verify whether a security policy was violated

30
Q

NIST Audit Documents

A

Minimum Security Requirements for Federal Information and Information Systems (FIPS 200)

Minimum Security Requirements for Multi-User Operating Systems (NIST IR 5153)

31
Q

Requirements for audit data recording

A

Create, retain, and protect audit records to the extent needed to enable the monitoring, investigation, and reporting of unlawful or unauthorized activity

Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions

32
Q

A subject must provide an ___ to a system to start the authentication process

A

identity

A subject’s identity is typically considered public information

33
Q

Authentication verifies the ____ of the subject by comparing one or more factors against a database of valid identities

A

identity

Authentication factors are typically considered private information

34
Q

Passwords

A

The most common, but weakest, authentication technique

35
Q

Password types

A

Static vs. dynamic

  • Static passwords always remain the same
  • Dynamic passwords change after a specified interval of time or use
One-time or single-use passwords
Passphrases
Cognitive passwords (security questions)
36
Q

One-time or single-use passwords

A

Dynamic passwords that change every time they are used

37
Q

Passphrases

A

Strings of characters usually much longer than a password

38
Q

Cognitive passwords (security questions)

A

Questions about facts that only a subject should know

39
Q

Password Security

A

Never allow clear text transmission

Use strong one-way storage (i.e. hashing)

Password audit your own systems
- Use password verification and password-cracking tools against your own password file and require that discovered passwords be changed

Disable inactive accounts, delete old ones

Train users
- Protects from social engineering attacks

Change passwords based on sensitivity of data

Define and enforce a password policy
- Example: Minimum length, three or four character types
- Protects from brute-force and dictionary attacks

40
Q

biometric factor

A

A biometric factor is a behavioral or physiological characteristic that is unique to a subject

Biometric factors can be used both as an identification and an authentication technique

41
Q

Tokens

A

Type 2 Factor

Tokens (or smart tokens) are password-generating devices that subjects must carry with them

42
Q

Static Tokens

A

swipe card, a smart card, or a USB RAM dongle

43
Q

Synchronous dynamic password tokens

A

Generate passwords at fixed time intervals. Require synchronizing the clock on an authentication server with the clock on the token device

44
Q

Asynchronous dynamic password tokens

A

Generate passwords based on occurrence of some event

45
Q

Challenge-response tokens

A

Generate passwords based on instructions (challenges) from the authentication system

46
Q

Single sign-on (SSO)

A

Single sign-on (SSO) is a mechanism that allows a subject to be authenticated only once on a system yet remain able to access multiple resources without repeated authentication prompts

Examples of SSO mechanisms
Kerberos
SESAME
KryptoKnight
Directory services
47
Q

Kerberos

A

Relies on AES symmetric-key (private-key) cryptography

Provides end-to-end security for authentication traffic between clients and the key distribution center (KDC)

Relies on a trusted server hosting the functions of the KDC, a ticket-granting service (TGS), and an authentication service (AS)

An exchange of tickets (cryptographic messages) between clients, network servers, and the KDC

48
Q

Kerberos Login Process

A
  1. The user types a username and password into the client
  2. The client encrypts the credentials with AES for transmission to the KDC
  3. The KDC verifies the user credentials
  4. The KDC generates a ticket granting ticket (TGT) by hashing the user’s password
  5. The TGT is encrypted with AES for transmission to the client
  6. The client installs the TGT for use until it expires
49
Q

Kerberos Service Access Process

A

1. The client sends its TGT back to the KDC with a request for access to a server or service
2. The KDC verifies the validity of the TGT and verifies that the user has sufficient privileges to access the requested resource
3. A service ticket (ST) is generated and sent to the client
4. The client sends the ST to the server or service host
5. The server verifies the validity of the ST with the KDC
6. Once identity and authorization are verified, Kerberos activity is complete
– The server or service host then opens a session with the client

50
Q

There are two primary categories of access control techniques

A

Discretionary Access Control (DAC)

Nondiscretionary Access Control
• Mandatory Access Control (MAC)
• Role Based Access Control (RBAC)
• Task Based Access Control (TBAC)

51
Q

Discretionary Access Controls

A

Allow the owner or creator of an object to control and define subject access to that object

Access control is based on the discretion (in other words, a decision) of the owner

Access is granted or denied based on the identity of the subject (which is typically the user account name)

Often implemented using access control lists (ACLs)
- Each ACL defines the types of access granted or restricted to individuals or grouped subjects

52
Q

Nondiscretionary Access Controls

A

Used in a rule-based system in which a set of rules, restrictions, or filters determines what can and cannot occur on the system

Access is not based on administrator or owner discretion and does not focus on user identity

Rule-based access control systems are more appropriate for environments that experience frequent changes to data permissions

Rule-based systems can implement sweeping changes just by changing centralized rules

53
Q

Nondiscretionary Access Control Types

A

– Mandatory Access Control (MAC)
– Role Based Access Control (RBAC)
– Task Based Access Control (TBAC)

54
Q

Mandatory Access Controls (MAC)

A

Rely upon the use of classification labels

Subjects are labeled by their level of clearance
Objects are labeled by their level of classification or sensitivity

55
Q

Classifications within a MAC environment are of three types:

A

Hierarchical environments relate various classification labels in an ordered structure. Clearance in one level grants the subject access to objects in that level as well as in lower levels

Compartmentalized environments require the subject to have specific clearance for each of its independent security domains

Hybrid environments combine hierarchical and compartmentalized concepts so that each hierarchical level may contain isolated subdivisions

56
Q

Systems that employ role-based (RBAC) or task-based (TBAC) access controls define a subject’s ability to access an object via

A

– subject roles (job descriptions)
– tasks (work functions)

Role-based access controls are useful in volatile environments with frequent personnel changes because access does not depend on subject identities

57
Q

Access control administration

A

Access control administration is the set of tasks and duties assigned to an administrator to manage

Account Administration
– Creating, maintaining, and closing user accounts

Account, Log, and Journal Monitoring
– Monitoring online activities

Access Rights and Permissions
– Assigning access to objects
– Principle of least privilege

58
Q

user

A

A user is any subject who accesses objects on a system

59
Q

owner

A

An owner is the person who has final responsibility for classifying and protecting objects

60
Q

custodian

A

A custodian is a subject who has been assigned the day-to-day responsibility of properly storing and protecting objects

61
Q

Monitoring

A

Is a programmatic means by which subjects are held accountable for their actions while authenticated on a system

Is a process by which unauthorized or abnormal activities may be detected on a system

Can help reconstruct events, provide evidence for prosecution, and produce problem reports and analysis

62
Q

Intrusion Detection System (IDS)

A

An Intrusion Detection System (IDS) is a tool that automates the inspection of audit logs and real-time system events
– Primarily used to detect intrusion attempts
– Also used to detect system failures
– Watches for violations of confidentiality, integrity, and availability (CIA)

63
Q

The goal of an IDS is to

A

– provide perpetrator accountability for intrusion activities

– enable timely and accurate response to intrusions

64
Q

In general, IDSs can recognize

A

– attacks that come from external connections (such as the Internet)
– viruses and malicious code
– trusted internal subjects attempting to perform unauthorized activities
– unauthorized access attempts from trusted locations

65
Q

IDS Event Response

A

IDSs have only limited capability to stop or prevent attacks
- Typical responses include blocking ports, protocols, or source addresses

When an IDS discovers a violation, it records details of the issue and discards the malicious packets

An IDS should be considered one of many components that a defense-in-depth approach employs to protect a network

66
Q

Host-Based IDS (HIDS)

A

Watches for suspicious activity on a single computer system

Can examine events in much greater detail than a network-based IDS

67
Q

Network-Based IDS (NIDS)

A

Watches for suspicious activity occurring on the network medium

A single NIDS can monitor a large network if installed on its backbone

NIDSs are installed onto dedicated single-purpose computers

68
Q

Knowledge-Based IDS

A

(or signature-based)

Uses a signature database

Attempts to match all monitored events to signatures in the database

If a match is found, the IDS assumes that an attack is taking place

Effective only against known attack methods

69
Q

Behavior-Based IDS

A

(or anomaly detection)

Learns about the normal activities on a system by watching and tracking events

Once it has accumulated enough data about normal activity, it can detect abnormal and possibly malicious activities or events

The primary drawback is that it produces many false alarms

70
Q

Honeypots

A

Honeypots attract intruders by presenting unpatched and unprotected security vulnerabilities as well as by hosting attractive but faux data

71
Q

Vulnerability scanners

A

Vulnerability scanners are used to test a system for known security vulnerabilities and weaknesses

A vulnerability scanner is only as useful as its database of security issues

Use of vulnerability scanners in cooperation with IDSs

72
Q

penetration

A

A penetration occurs when an attack is successful and an intruder is able to breach the perimeter of a computer system

73
Q

Penetration testing

A

Penetration testing is one common method to test the strength of security measures and discover all detectable weaknesses in the security perimeter

Penetration testing should be performed only with the consent and knowledge of management and security staff
– Performing unapproved security testing could
• cause productivity losses
• trigger emergency response teams
• potentially earn jail time

74
Q

Firewall and where it’s deployed

A

A firewall is a network device used to filter traffic and is deployed
– between a private network and a link to the Internet
– between departments within an organization

75
Q

Firewall filters

A

Firewalls filter traffic based on a set of rules, also called filters or access control lists, distinguishing authorized traffic from unauthorized traffic

76
Q

Firewall types

A

Static packet filtering firewall
Application level gateway (proxy) firewall
Circuit level gateway (circuit proxy) firewall
Stateful inspection firewall

77
Q

Static packet filtering firewall

A

Filters traffic by examining a message header
Operates at Layer 3
Easily circumvented through spoofing

78
Q

Application level gateway (proxy) firewall

A

Filters traffic based on content and address
Each type of application must have its own proxy
Operates at Layer 7
Negatively affects network performance

79
Q

Circuit level gateway (circuit proxy) firewall

A

Used to establish communication sessions between trusted partners

Permits or denies forwarding decisions based solely on the endpoint designations of the communication circuit (source and destination addresses and service port numbers)

Operates at Layer 5

80
Q

Stateful inspection firewall

A

Filters based on content and context of traffic

Source and destination addresses, application usage, source of origin, and relationship between current packets and the previous packets

Operates at Layers 3 and 4

81
Q

Denial-of-service (DoS)

A

Denial-of-service (DoS) attacks prevent a system from processing or responding to legitimate traffic or requests

82
Q

There are several types of DoS flood attacks

A

A single attacking system flooding a victim with a steady stream of packets

Distributed Denial of Service (DDoS)
- DDoS attacks can be stopped by blocking packets from the compromised systems, but this can also result in blocking legitimate traffic because the sources of the flood packets are victims themselves

Distributed Reflective Denial of Service (DRDoS)

SYN-Flood

Smurf

83
Q

Distributed Reflective Denial of Service (DRDoS)

A

DRDoS attacks take advantage of the normal operation mechanisms of key Internet services, such as router update protocols (e.g., smurf attacks)

Numerous update/control packets are sent to various servers/routers with a spoofed source address for the intended victim, which will receive the response packets

84
Q

SYN-Flood

A

A SYN flood occurs when numerous SYN packets are sent to a server but the sender never replies to the server’s SYN/ACK with the final ACK

The server waits for the client’s ACK, holding open a session and consuming system resources

85
Q

Smurf Attack

A

Occurs when an amplifying server or network is used to flood a victim with useless data

An amplifying server or network is any system that generates multiple response packets, such as Internet Control Message Protocol (ICMP) echo packets, from a single submitted packet

A common smurf attack method is to send a message to the broadcast address for a subnet or network with the victim’s spoofed address
– Every node on that network produces one or more response packets for the victim

If the amplification network can produce sufficient response packet volume, the victim will experience a DoS

Countermeasures for smurf attacks include disabling directed broadcasts on all network border routers

86
Q

Spoofing Attacks

A

Spoofing is the art of pretending to be something you’re not

Spoofing attacks consist of replacing a valid source and/or destination IP address with false ones

Grants attackers the ability to hide their identities

Countermeasures:

  • enabling source/destination verification on routers
  • employing an IDS to detect and block attacks
87
Q

Man-in-the-Middle

A

A man-in-the-middle attack occurs when a malicious user is able to gain a position between the two endpoints of an ongoing communication

88
Q

sniffer attack (or snooping attack)

A

Attackers sniffing the traffic between two parties

89
Q

store-and-forward or proxy mechanism

A

Attackers positioning themselves in the line of communication where they act as a store-and-forward or proxy mechanism

To perform this type of attack, the attacker must alter routing information to impersonate a server from the perspective of the client and to impersonate the client from the perspective of the server

The attacker is invisible to both ends of the communication link

90
Q

Spamming Attacks

A

Spam is the term that describes unsolicited email, newsgroup, or discussion forum messages
– As innocuous as an advertisement
– As malignant as floods of unrequested messages with viruses or Trojan horses attached

Also considered a type of DoS