71 Cards in this Set
In Access control, what are the 3 general control types? |
1. Administrative (Management) 2. Technical (Logical) 3. Physical |
|
Regarding access control, what are: Subject, Object, Access, Access Control? |
Subject: entity requesting access
Object: passive entity containing information Access: ability to interact or "do something" Access Control: security features that control subject/object interactions |
|
Access can be controlled by a __________ or a ______ |
System, Facility |
|
What are the steps a subject goes through to gain access to an object? |
1. Identification (subject claims an identity) 2. Authentication (the claim is proven) 3. Authorization (permitted interactions are determined) 4. Accountability (the access is logged) |
|
Regarding Account Management, what is the central repository, and what standard is it based on? |
LDAP (Lightweight Directory Access Protocol), based on the X.500 directory standard |
|
What is the most common system used for authentication? |
passwords |
|
What is clipping or a clipping level? |
A threshold of failed logon attempts that an administrator allows before the account is locked out or an alert is raised. Attempts below the clipping level are treated as ordinary user error; attempts at or above it are treated as a possible attack |
|
Who published X.500? |
ITU-T (originally CCITT), jointly with ISO/IEC as ISO/IEC 9594 |
|
_______ adapts the X.500 directory to work over TCP/IP |
LDAP |
|
What starts authentication of a user? |
User or system claims identity (Step 1) |
|
LDAP is a ____________ type structure. The ________ (Distinguished Name) of each entry must be unique. |
Hierarchical (tree), DN |
|
What is the system that is most commonly used for Single Sign on? |
Kerberos |
|
What is Kerberos? |
A Single Sign On technology.
The Authentication Server (AS) authenticates the user and issues a Ticket Granting Ticket (TGT). The Ticket Granting Service (TGS) validates the TGT and issues a time-stamped service ticket. The subject presents the service ticket to the object, which then applies its own authorization (e.g. an ACL). |
|
Kerberos Server is called _________________ (KDC) and is a _________ authentication technology for "realms". |
Key Distribution Center, ticket-based (symmetric-key; NOT PKI) |
|
In Kerberos, what does the Authentication Server (AS) do? |
Authenticates the principal with its long-term (password-derived) key and issues the Ticket Granting Ticket (TGT) |
|
In Kerberos, what does TGS (Ticket Granting Service) do? |
Validates the TGT and issues time-stamped service tickets to authenticated users |
|
In Kerberos, what is a defined area? |
A Realm |
|
In Kerberos, a ________ is shown by a Subject to an Object in the defined realm to request access. |
ticket |
|
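The Kerberos flow on the cards above (AS exchange, TGS exchange, ticket presented to the service), as an added example that is not part of the card set. It is a toy model in Python: `string_to_key`, `seal` and `unseal` are simplified stand-ins for Kerberos string-to-key and the real enctypes (a SHA-256 keystream with an HMAC tag instead of AES), realm, principal names and passwords are constructed, and tickets are JSON rather than ASN.1. What it preserves is the security logic: the TGT is sealed under a key only the KDC holds, a wrong password cannot open the AS reply, every ticket carries an expiry, each request carries a fresh time-stamped authenticator, and the service rejects a replayed authenticator.

```python
import hashlib, hmac, json, os, time

MAX_SKEW = 300            # seconds; authenticators outside the clock-skew window are rejected
TICKET_LIFETIME = 8 * 3600

def string_to_key(password: str, realm: str, principal: str) -> bytes:
    # Simplified stand-in for Kerberos string-to-key (real KDCs derive AES keys with PBKDF2).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range(0, n, 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key: bytes, msg: dict) -> bytes:
    # Toy encrypt-then-MAC (SHA-256 keystream XOR + HMAC tag) standing in for Kerberos enctypes.
    pt = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth: dict, ticket: dict) -> None:
    now = time.time()
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator principal does not match ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("authenticator outside clock-skew window")
    if now > ticket["expires"]:
        raise ValueError("ticket expired")

def authenticator(client: str, key: bytes) -> bytes:
    return seal(key, {"client": client, "ts": time.time()})

class KDC:
    # Authentication Server (AS) plus Ticket Granting Service (TGS) for one realm.
    def __init__(self, realm: str, principals: dict):
        self.realm = realm
        self.keys = {n: string_to_key(p, realm, n) for n, p in principals.items()}
        self.keys["krbtgt"] = os.urandom(32)     # the TGS key never leaves the KDC

    def as_exchange(self, client: str):
        # AS_REQ/AS_REP: a TGT (sealed for the TGS) and the session key (sealed for the client).
        if client not in self.keys:
            raise ValueError("unknown principal")
        sk, exp = os.urandom(32), time.time() + TICKET_LIFETIME
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "expires": exp})
        return tgt, seal(self.keys[client], {"key": sk.hex(), "expires": exp})

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str):
        # TGS_REQ/TGS_REP: validate TGT + authenticator, issue a service ticket sealed for the service.
        t = unseal(self.keys["krbtgt"], tgt)
        sk = bytes.fromhex(t["key"])
        check_authenticator(unseal(sk, auth), t)
        svc_sk, exp = os.urandom(32), time.time() + TICKET_LIFETIME
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_sk.hex(), "expires": exp})
        return ticket, seal(sk, {"key": svc_sk.hex()})

class Service:
    # The object: validates service tickets (AP_REQ) and rejects replayed authenticators.
    def __init__(self, key: bytes):
        self.key, self.seen = key, set()

    def ap_exchange(self, ticket: bytes, auth: bytes) -> str:
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["key"]), auth)
        check_authenticator(a, t)
        if (a["client"], a["ts"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        return t["client"]       # authenticated identity; the service applies its own ACL next

def run_demo():
    realm, pw = "EXAMPLE.COM", "correct horse battery"        # constructed realm and credentials
    kdc = KDC(realm, {"alice": pw, "host/fs": "service-long-term-key"})
    fs = Service(kdc.keys["host/fs"])
    tgt, as_rep = kdc.as_exchange("alice")
    sk = bytes.fromhex(unseal(string_to_key(pw, realm, "alice"), as_rep)["key"])
    ticket, tgs_rep = kdc.tgs_exchange(tgt, authenticator("alice", sk), "host/fs")
    ap_req = authenticator("alice", bytes.fromhex(unseal(sk, tgs_rep)["key"]))
    who = fs.ap_exchange(ticket, ap_req)
    try:
        fs.ap_exchange(ticket, ap_req)                   # same authenticator presented again
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:
        unseal(string_to_key("wrong password", realm, "alice"), as_rep)
        wrong_pw_rejected = False
    except ValueError:
        wrong_pw_rejected = True
    return who, replay_rejected, wrong_pw_rejected
```

Note that the client never sends its password anywhere: the AS reply is useful only to whoever can derive alice's key, which is what "ticket-based, not PKI" means in practice. The replay cache keyed on (client, timestamp) is what the clock-skew window buys you: the service only has to remember authenticators from the last few minutes.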
What European single sign on system was developed as an alternative to Kerberos? |
SESAME (Secure European System for Applications in a Multi-vendor Environment) |
|
What are the four types of authentication? |
1. something you know 2. something you have 3. something you are 4. somewhere you are (such as an IP address or geolocation) |
|
CAPTCHA is an example of? |
A challenge designed to be solved by humans but not by automated programs (a graphical interpretation test, not a credential) |
|
What is a token pin device? |
Small token-generating device, coupled with a PIN or password for entry (e.g. RSA SecurID) |
|
What is it called when a user enters a value and PIN, then is given a new value to enter by a token device? |
Challenge-response scheme (One-Time Password) OTP |
|
What is micro-probing? |
An invasive physical attack on smart cards: the chip packaging is removed and fine probes are placed on the die to read data or keys directly |
|
In biometrics, what are type 1 and type 2 errors? |
Type 1: False Reject rate (FRR) Type 2: False Accept Rate (FAR) |
|
Biometrics can be 1:1 or 1:many. What does that mean? |
1:1 (verification): the live sample is compared against the single stored template of the claimed identity. 1:many (identification): the sample is compared against every template in a large database to find out who the user is |
|
Which is more secure, retina or iris scanning? |
Retina (more accurate, but more intrusive; iris scanning is cheaper and less intrusive, so it is deployed more widely) |
|
In access control, which comes first, authorization or authentication? |
Authentication. |
|
___________ is the process of comparing a subject's credentials and permissions to an access criteria. |
Authorization |
|
According to User Session Management, what is a good practice after a user locks their computer? What is the system vulnerable to if this is not done? |
The user must re-authenticate to unlock the session. Otherwise the session is open to a TOC/TOU (time-of-check/time-of-use) attack: the identity was checked at logon, but someone else may be using the session later. |
|
Regarding wireless networking, what are the three types of authentication? |
1. Open system (no password) (cafes) 2. Pre-shared key (WPA/WPA2-Personal; WEP also used a shared key but is broken and should not be used) (hotels) 3. Enterprise (individual credentials checked by an authentication server) (work) |
|
What are the two wireless networking Enterprise level password/authentication servers? |
RADIUS, TACACS+ (authenticate remote users; also used for VPN access) |
|
What is Leeching? |
Stealing access to (using bandwidth from) someone else's WAP. Still an issue with WPA and WPA2 when the pre-shared key is weak or widely shared |
|
What are Rogue access points (evil twins)? |
They are unauthorized WAPs. |
|
IEEE 802.1X Enterprise authentication authenticates individual users with ____________. Which inner method is most commonly carried inside it, and how is that method protected? |
EAP (Extensible Authentication Protocol); MSCHAPv2 (Microsoft Challenge Handshake Authentication Protocol v2), normally wrapped in a TLS tunnel such as PEAP so the MSCHAPv2 exchange is not exposed to offline cracking |
|
What is the most popular use of EAP (Extensible Authentication Protocol)? |
PEAP (Protected Extensible Authentication Protocol) |
|
What is MSCHAPv2? |
Microsoft's second version of CHAP, the most common CHAP variant; typically used as the inner authentication method inside PEAP |
|
IEEE802.1x is ________-based security |
Port |
|
Regarding access controls, what does AAA =? |
Authentication, Authorization and Accounting (auditing) (e.g. RADIUS, Kerberos, TACACS+) |
|
What is the authentication protocol that was originally used for dial-up, but now primarily for wifi and VPN? |
RADIUS (Remote Authentication Dial-in User Service) |
|
What is another name for the end device/user in RADIUS and 802.1X? What does the RADIUS "client" do? |
Supplicant. The RADIUS client is the NAS (network access server, e.g. a switch, access point or VPN concentrator), which forwards the supplicant's credentials to the RADIUS server |
|
What is the big difference between RADIUS and TACACS+? |
TACACS+ encrypts the entire packet body with a keystream derived from the shared secret, separates authentication, authorization and accounting, and runs over TCP. RADIUS only obfuscates the User-Password attribute and sends all other attributes in the clear over UDP. Neither uses PKI; both rely on a pre-shared secret. |
|
Which is more secure, Kerberos or RADIUS? |
Kerberos. RADIUS hides only the password attribute, using an MD5 keystream derived from the shared secret; other attributes travel unprotected unless the transport is wrapped (RadSec/TLS or IPsec). The shared secret is also static until someone changes it. |
|
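What "RADIUS only hides the password" and "TACACS+ hides the whole body" mean on the wire, as an added example (my code, not from the card set): the User-Password hiding from RFC 2865 section 5.2 and the TACACS+ body obfuscation from RFC 8907 section 4.5, both implemented in Python from the RFC text. The RADIUS implementation is checked against the worked packet in RFC 2865 section 7.1 (user "nemo", password "arctangent", secret "xyzzy5461"); the TACACS+ body bytes, session id and secrets in `demo` are constructed. Both schemes are reversible by anyone who has the shared secret and can see the packet, which is why the secret must be strong and why the cards say neither protocol is PKI-based.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block).

    Only this attribute is protected; User-Name, NAS-IP-Address etc. are sent in the clear.
    """
    if len(password) > 128:
        raise ValueError("RADIUS passwords are limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator          # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block                # later blocks chain on the previous ciphertext
    return out

def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """The RADIUS server (or anyone holding the secret plus the packet) reverses the hiding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def tacacs_plus_obfuscate(body: bytes, key: bytes, session_id: bytes, version: int, seq_no: int) -> bytes:
    """RFC 8907 s4.5: XOR the whole packet body with a chained-MD5 pseudo-pad. Self-inverse."""
    pad, prev = b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return _xor(body, pad)

# Worked packet from RFC 2865 s7.1 (Access-Request for user "nemo").
RFC2865_REQUEST_AUTHENTICATOR = bytes.fromhex("0f403f9473978057bd83d5cb98f4227a")
RFC2865_HIDDEN_PASSWORD = bytes.fromhex("0dbe708d93d413ce3196e43f782a0aee")

def matches_rfc_vector() -> bool:
    hidden = radius_hide_password(b"arctangent", b"xyzzy5461", RFC2865_REQUEST_AUTHENTICATOR)
    return hidden == RFC2865_HIDDEN_PASSWORD

def demo():
    secret, ra = b"shared-secret", bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed
    hidden = radius_hide_password(b"P@ssw0rd!", secret, ra)
    radius_ok = radius_reveal_password(hidden, secret, ra) == b"P@ssw0rd!"
    # Constructed TACACS+ authentication START body (action/priv_lvl/authen_type/service/lengths) + user.
    body = b"\x01\x01\x01\x01\x05\x00\x00\x00" + b"admin"
    sid, key, version, seq_no = bytes.fromhex("deadbeef"), b"tac-key", 0xC0, 1
    ob = tacacs_plus_obfuscate(body, key, sid, version, seq_no)
    tacacs_ok = ob != body and tacacs_plus_obfuscate(ob, key, sid, version, seq_no) == body
    return radius_ok, tacacs_ok
```

Neither construction is authenticated encryption: an on-path attacker who knows the secret recovers everything, and one who does not can still see every RADIUS attribute except the password. That is the reason RadSec (RADIUS over TLS) or IPsec is recommended wherever RADIUS crosses an untrusted network.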
MSCHAP is good, but it only supports password-based (hashed challenge-response) authentication. If you want stronger authentication, you need either ________ or _________. |
EAP (e.g. EAP-TLS with certificates) or PEAP |
|
In 802.1X (port-based security), the __________ requests access from the authenticator (switch or AP). The authenticator uses _____ to issue an identity request and challenge. The supplicant's response (username/password or certificate) is relayed by the authenticator to the _________ for authentication. |
Supplicant, EAP, Authentication Server (typically RADIUS) |
|
Nextgen RADIUS is called __________? |
DIAMETER |
|
What authentication is used below? 1. Telecommuters using VPN: 2. Site to Site VPN (Routers or concentrators): 3. Telecommuters browser: 4. Dial-Up |
1. L2TP / IPsec 2. IPsec (optionally with L2TP) 3. Browser/TLS - MSCHAPv2 4. CHAP |
|
Networks may have ______________ technology that authenticates system "health" before they are allowed access to the network |
Network Access Control (NAC) |
|
These 2 products gather logs from various devices (servers, firewalls, routers, etc.) and attempt to correlate the log data and provide analysis capabilities. |
SIEM (Security Information and Event Management) and SEM (Security Event Management). SIEM combines SEM's real-time correlation and alerting with SIM's long-term log storage and reporting |
|
____________ is a system for near real-time threat notification of logged security violations. |
SIEM (Security Information and Event Management) |
|
______products are similar to IDS, but they generate alerts based on analysis of log data generated by various systems. |
SIEMs |
|
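The kind of correlation the SIEM cards describe, applied to the clipping-level card earlier in the set, as an added example (my code, not from the card set). The sshd log lines are constructed (documentation IP ranges, invented hostnames and users). The rule keeps a sliding window of failed logons per source address, fires once when the clipping level is reached, and raises a higher-severity alert if a successful logon from the same source follows the burst, which is the pattern a plain lockout counter cannot express.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (syslog format). 203.0.113.7 hammers "admin" and then gets in;
# 198.51.100.23 is a legitimate user who mistypes twice. Addresses are documentation ranges.
LOG_LINES = """
Mar 13 10:01:02 web1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51522 ssh2
Mar 13 10:01:05 web1 sshd[1202]: Failed password for admin from 203.0.113.7 port 51523 ssh2
Mar 13 10:01:07 web1 sshd[1203]: Failed password for invalid user root from 203.0.113.7 port 51524 ssh2
Mar 13 10:01:09 web1 sshd[1204]: Failed password for admin from 203.0.113.7 port 51525 ssh2
Mar 13 10:01:12 web1 sshd[1205]: Failed password for admin from 203.0.113.7 port 51526 ssh2
Mar 13 10:01:14 web1 sshd[1206]: Failed password for admin from 203.0.113.7 port 51527 ssh2
Mar 13 10:01:20 web1 sshd[1207]: Failed password for jsmith from 198.51.100.23 port 40112 ssh2
Mar 13 10:01:25 web1 sshd[1208]: Failed password for jsmith from 198.51.100.23 port 40113 ssh2
Mar 13 10:01:31 web1 sshd[1209]: Accepted password for jsmith from 198.51.100.23 port 40114 ssh2
Mar 13 10:01:40 web1 sshd[1210]: Accepted password for admin from 203.0.113.7 port 51530 ssh2
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port"
)

def parse(line, year=2024):
    """Normalize one syslog line into an event dict, or None if it is not a logon event."""
    m = LINE_RE.match(line)
    if not m:
        return None           # a production collector should count unparsed lines, not drop them silently
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ev

def correlate(lines, clipping_level=5, window_s=300):
    """Sliding-window correlation: count failures per source; escalate if a success follows."""
    recent = defaultdict(deque)     # src -> timestamps of failures still inside the window
    alerts = []
    for ev in filter(None, map(parse, lines)):
        q = recent[ev["src"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()             # expire failures older than the window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
            if len(q) == clipping_level:   # clipping level reached: fire once, not on every failure
                alerts.append({"rule": "brute_force", "src": ev["src"], "host": ev["host"], "ts": ev["ts"]})
        elif len(q) >= clipping_level:     # success right after a burst of failures: likely compromise
            alerts.append({"rule": "brute_force_success", "src": ev["src"], "user": ev["user"], "ts": ev["ts"]})
    return alerts
```

Running `correlate(LOG_LINES)` yields two alerts for 203.0.113.7 and none for the user who mistyped twice; raising the clipping level to 7 silences both, which is the usual tuning trade-off between noise and missed attacks.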
This is a best practice of running a scripted, known-good transaction against a monitored object to verify the result (a test of both the system and the monitoring that watches it). |
Synthetic Transaction |
|
Utilizing cloud based access control, what is IDaaS? |
(IDaaS) Identity as a Service. Hiring a trusted third party to aid in managing identification and authentication of subjects. |
|
What provides: Single Sign On to access cloud services, uses Federated Identity (tokenization) and centrally managed controls that are transparent to users? |
Identity as a Service (IDaaS) |
|
In IDaaS, _____________ shares only a token (not the user's password) with the IDaaS agent. |
The on-premises directory, e.g. Active Directory (AD) |
|
What is Federated Identity? |
Linking identities across organizations so a user authenticated by one domain's Identity Provider can access services in another (browser-based SSO). Only signed assertions or tokens are passed to the outside system, never the user's credentials; identifiers can be pseudonymous so little or no PII is shared. |
|
What is SAML (Security Assertion Markup Language)? |
(SAML) An XML-based standard for exchanging authentication and authorization assertions between security domains (typically from an Identity Provider to a Service Provider). Assertions are digitally signed; each side trusts the other's signing certificate, exchanged out of band in metadata, rather than relying on a shared PKI hierarchy. |
|
In Federated Identity Management, what does IdP (Identity Provider) control? |
The user database, called the credential store |
|
What is OAuth 2.0? |
An authorization framework (RFC 6749) that lets a client obtain limited, delegated access to an HTTP resource: the authorization server issues the client an access token scoped to specific permissions, and the resource server accepts that token instead of the user's credentials. The token is a bearer credential (no physical token): anyone holding it can use it, so it must be short-lived, narrowly scoped and protected by TLS. OAuth 2.0 is not an authentication protocol; OpenID Connect adds that on top. |
|
In Centralized Access Control, what are the 4 main models (frameworks that dictate how subjects interact with and access objects) |
DAC, MAC, Rule-BAC, Role-BAC |
|
What is DAC? |
Discretionary Access Control (DAC) - the data owner/creator decides who can access the resource and can delegate that right (e.g. NTFS ACLs, SharePoint permissions). Hard to audit and govern at enterprise scale, which is why corporate environments pair it with centrally managed models |
|
What is MAC? |
Mandatory (Military) Access Control (MAC) - a lattice-based, inflexible model in which the system, not the owner, enforces access by comparing security labels (clearance vs classification); Bell-LaPadula is the classic MAC confidentiality model. Used for classified data |
|
What is Role-Based Access Control? |
Allows access to objects based on the role(s) assigned to a user (such as a doctor in a hospital). Users are assigned to roles; rights are assigned to roles, not to individual users; a user may hold several roles. Supports separation of duties by defining conflicting roles that one user may not hold together |
|
What is Rule-Based Access Control? |
Dynamic model based on if/then evaluation of a request against an ordered rule set (such as an ACL). Rules apply to every subject regardless of identity, e.g. router and L3 switch ACLs filtering by address, port or VLAN tag |
|
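The four models from the cards above (and the Bell-LaPadula card later in the set) as executable policy checks, an added example in Python that is my code, not from the card set. Labels, clearances, users, roles and the sample ACL are constructed. The point of putting them side by side is the different question each model answers: MAC compares two labels in a lattice and never consults the owner; DAC asks the object's ACL and lets an owner change it; RBAC asks which roles the user holds and refuses role combinations that violate separation of duties; rule-based control walks an ordered list and denies by default.

```python
import ipaddress

# Mandatory Access Control: a Bell-LaPadula lattice of (classification level, compartment set).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

class Label:
    def __init__(self, level, *compartments):
        self.level, self.compartments = level, frozenset(compartments)

    def dominates(self, other):
        # Lattice order: level at least as high AND compartments a superset of the other's.
        return LEVELS[self.level] >= LEVELS[other.level] and self.compartments >= other.compartments

def mac_allows(subject, obj, op):
    if op == "read":       # simple security property: no read up
        return subject.dominates(obj)
    if op == "write":      # *-property: no write down
        return obj.dominates(subject)
    raise ValueError(op)

# Discretionary Access Control: the owner sets the ACL, and only an owner may delegate.
class DacObject:
    def __init__(self, owner):
        self.acl = {owner: {"read", "write", "own"}}

    def grant(self, by, to, perms):
        if "own" not in self.acl.get(by, ()):
            raise PermissionError(f"{by} does not own this object")
        self.acl.setdefault(to, set()).update(perms)

    def allows(self, who, op):
        return op in self.acl.get(who, ())

# Role-Based Access Control with static separation of duties between conflicting roles.
class Rbac:
    def __init__(self, role_perms, conflicting_pairs=()):
        self.role_perms, self.user_roles = role_perms, {}
        self.sod = {frozenset(p) for p in conflicting_pairs}

    def assign(self, user, role):
        for held in self.user_roles.get(user, ()):
            if frozenset((held, role)) in self.sod:
                raise ValueError(f"separation of duties: {role} conflicts with {held}")
        self.user_roles.setdefault(user, set()).add(role)

    def allows(self, user, perm):
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))

# Rule-Based Access Control: ordered rules, first match wins, implicit deny (a router-style ACL).
def rule_allows(rules, pkt):
    for rule in rules:
        src_ok = "src" not in rule or ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(rule["src"])
        port_ok = "dport" not in rule or pkt["dport"] == rule["dport"]
        if src_ok and port_ok:
            return rule["action"] == "permit"
    return False

def demo():
    analyst = Label("SECRET", "NATO")                     # clearance SECRET, briefed into NATO
    mac = {
        "read_down": mac_allows(analyst, Label("CONFIDENTIAL", "NATO"), "read"),
        "read_up": mac_allows(analyst, Label("TOP SECRET"), "read"),
        "read_other_compartment": mac_allows(analyst, Label("SECRET", "CRYPTO"), "read"),
        "write_up": mac_allows(analyst, Label("TOP SECRET", "NATO"), "write"),
        "write_down": mac_allows(analyst, Label("CONFIDENTIAL"), "write"),
    }
    doc = DacObject("alice")
    doc.grant("alice", "bob", {"read"})                   # the owner delegates read
    try:
        doc.grant("bob", "mallory", {"read"})             # bob has read but not own: refused
        dac_blocked = False
    except PermissionError:
        dac_blocked = True
    rbac = Rbac({"doctor": {"prescribe", "read_chart"}, "pharmacist": {"dispense", "read_chart"},
                 "auditor": {"read_audit_log"}}, conflicting_pairs=[("doctor", "pharmacist")])
    rbac.assign("dana", "doctor")
    rbac.assign("dana", "auditor")                        # several roles per user is normal
    try:
        rbac.assign("dana", "pharmacist")                 # prescribe + dispense: conflicting duties
        sod_enforced = False
    except ValueError:
        sod_enforced = True
    acl = [{"src": "10.0.0.0/8", "dport": 22, "action": "permit"},
           {"src": "10.0.0.0/8", "action": "deny"},
           {"dport": 443, "action": "permit"}]
    rules = (rule_allows(acl, {"src": "10.1.2.3", "dport": 22}),
             rule_allows(acl, {"src": "10.1.2.3", "dport": 443}),
             rule_allows(acl, {"src": "192.0.2.9", "dport": 443}),
             rule_allows(acl, {"src": "192.0.2.9", "dport": 23}))
    return mac, dac_blocked, rbac.allows("dana", "prescribe"), sod_enforced, rules
```

Note the MAC results: the SECRET/NATO analyst may read CONFIDENTIAL/NATO and write to TOP SECRET/NATO, but may not read SECRET/CRYPTO even though the level matches, because compartments are part of the lattice. The write-up allowance is exactly what makes Bell-LaPadula a confidentiality model only; integrity models (Biba) invert the two rules.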
Difference between Content and Context dependent access control? |
Content (Static - based on content within the object) Context (access determined by sequence of events that preceded access attempt) |
|
In Access Control Administration, 1. What is Centralized Access Control? 2. What is decentralized Access Control? 3. What is Hybrid Access Control? |
1. One entity controlling provisioning and access management. 2. Control given to people closer to resource 3. Combination of both of the above |
|
What is Pass The Hash? |
An attacker who obtains a stored password hash (e.g. an NT hash dumped from memory or the SAM) authenticates with it directly, because the NTLM challenge-response is keyed by the hash itself; no cracking is needed. It is credential (hash) reuse rather than a replay of a captured exchange. |
|
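Why the hash alone is enough, as an added example (my code, not from the card set): the NTLMv2 response computation from MS-NLMP, written in Python with the standard library. The stored NT hash is a constructed sample (it is the widely published NT hash of the string "password"; the MD4 step that produces an NT hash from a password is deliberately not shown, because the attacker never needs it), and the user, domain and AV_PAIR target info are constructed too. The demo shows that a response built from the hash verifies, that a wrong hash does not, and that a captured response does not verify against a new challenge, which is why pass-the-hash is hash reuse and not replay.

```python
import hmac
import os
import struct
import time

def ntowf_v2(nt_hash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) + domain)). The NT hash is the only secret."""
    return hmac.new(nt_hash, (user.upper() + domain).encode("utf-16-le"), "md5").digest()

def ntlmv2_response(nt_hash, user, domain, server_challenge, target_info, client_challenge=None):
    """Build the NTLMv2 response (NTProofStr || temp) the way a Windows client would."""
    client_challenge = client_challenge or os.urandom(8)
    filetime = int((time.time() + 11644473600) * 10_000_000)       # 100-ns intervals since 1601
    temp = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", filetime)
            + client_challenge + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(ntowf_v2(nt_hash, user, domain), server_challenge + temp, "md5").digest()
    return proof + temp

def verify_ntlmv2(stored_nt_hash, user, domain, server_challenge, response) -> bool:
    """Server/DC side: recompute NTProofStr from the stored NT hash and compare."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt_hash, user, domain), server_challenge + temp, "md5").digest()
    return hmac.compare_digest(proof, expected)

# Constructed scenario: the DC holds this NT hash for the account. The value is the widely
# published NT hash of "password" (MD4 over UTF-16LE); MD4 itself is not needed here.
STORED_NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
USER, DOMAIN = "svc_backup", "CORP"
# AV_PAIR list: MsvAvNbDomainName ("CORP" in UTF-16LE) followed by MsvAvEOL.
TARGET_INFO = b"\x02\x00\x08\x00" + "CORP".encode("utf-16-le") + b"\x00\x00\x00\x00"

def pass_the_hash_demo():
    # 1. The attacker dumped the hash (e.g. from LSASS or the SAM) but never learned the password.
    dumped_hash = STORED_NT_HASH
    # 2. The target issues a fresh 8-byte challenge; the attacker answers using only the hash.
    challenge = os.urandom(8)
    response = ntlmv2_response(dumped_hash, USER, DOMAIN, challenge, TARGET_INFO)
    accepted = verify_ntlmv2(STORED_NT_HASH, USER, DOMAIN, challenge, response)
    # 3. A different hash does not work: the hash is the credential, and it must be the right one.
    wrong = verify_ntlmv2(STORED_NT_HASH, USER, DOMAIN, challenge,
                          ntlmv2_response(os.urandom(16), USER, DOMAIN, challenge, TARGET_INFO))
    # 4. Replaying a captured response against a new challenge fails: PtH is hash reuse, not replay.
    replayed = verify_ntlmv2(STORED_NT_HASH, USER, DOMAIN, os.urandom(8), response)
    return accepted, wrong, replayed
```

The mitigation follows directly from the code: the hash is a password equivalent, so protecting it (Credential Guard, no shared local administrator hashes, Protected Users, Kerberos instead of NTLM) matters more than password length.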
What type of access control is utilized by Bell La Padula? (used by DoD) |
Mandatory Access Control (MAC) |
|
What is the most common log storage solution? |
Syslog |
|
What are the following Access Provisioning Models? 1. Role Based 2. Request Based 3. Hybrid |
1. automatic, based on the user's role 2. starts from scratch based on a manager's request (supports DAC and MAC) 3. combination of the above |
|
What are the 3 steps in Identity and Access Provisioning Lifecycle? |
1. Provisioning 2. Review 3. Revocation |