146 Cards in this Set


access controls

security features that control how users and systems communicate and interact with other systems and resources. They protect the systems and resources from unauthorized access.

access

the flow of information between a subject and an object.

subject

can be a user, program or process that accesses an object to accomplish a task.

three main security principles

Availability, Integrity, and Confidentiality

availability

information, systems, and resources must be available to users in a timely manner so that productivity is not affected.

integrity

information must be accurate, complete and protected from unauthorized modification.

confidentiality

the assurance that information is not disclosed to unauthorized individuals, programs or processes.

Identification

the act of a subject (user, program, or process) claiming an identity, for example by presenting a user name or account number. The claim itself proves nothing; it is verified by the next step, authentication.

authentication

proving the claimed identity, for example by providing the correct password, passphrase, cryptographic key, or PIN after identifying yourself.

authorization

determining if an authenticated subject has been given the necessary rights and privileges to carry out its requested actions.

accountability

The subject needs to be held accountable for the actions taken within a system or domain. The only way to ensure accountability is if the subject is uniquely identified and the subject's actions are recorded.

Logical access controls


(also known as technical access controls)

technical tools used for identification, authentication, authorization, and accountability. They are software components that enforce access control measures for systems, programs, processes, and information. They can be embedded within operating systems, applications, add on security packages or database and telecommunication management systems.

race condition

a race condition occurs when two or more processes act on a shared resource (for example, data held in a variable) in an order the designer did not intend, so the result depends on timing rather than on the program's logic.




In software, when authentication and authorization are implemented as two separate steps, an attacker may be able to exploit a race condition so that the authorization step completes before (or without) the authentication step.
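
The split-step problem above, shown in code. This is an added example, not part of the original flashcard set: the user names, passwords and the "read_payroll" action are constructed for illustration. The vulnerable gate keeps the authenticated identity in shared state between the two calls, so the outcome depends on which request's step runs first; the hardened gate binds the two steps together by making authentication return an HMAC-tagged token that authorization must present.

```python
import hashlib
import hmac
import secrets

# Constructed sample credentials and policy; names and passwords are assumed, not from the page.
USERS = {"alice": "correct horse", "mallory": "guess"}
POLICY = {"alice": {"read_payroll"}, "mallory": set()}


class SplitGate:
    """Vulnerable design: authentication and authorization are separate calls
    that talk to each other only through shared mutable state (current_user).
    Whoever calls authorize() right after somebody else's authenticate() inherits
    that identity, so the relative order of the two steps decides the outcome."""

    def __init__(self):
        self.current_user = None

    def authenticate(self, user, password):
        if USERS.get(user) == password:
            self.current_user = user
            return True
        self.current_user = None
        return False

    def authorize(self, action):
        # Trusts whichever identity happens to be in shared state right now.
        return action in POLICY.get(self.current_user, set())


class BoundGate:
    """Hardened design: authentication returns an unforgeable token that names
    the authenticated subject, and authorization accepts only such a token.
    The decision depends on the token in the request, not on the order in
    which other requests happened to run."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # server-side secret, never leaves the process

    def _tag(self, user, nonce):
        return hmac.new(self._key, f"{user}:{nonce}".encode(), hashlib.sha256).hexdigest()

    def authenticate(self, user, password):
        if USERS.get(user) != password:
            return None
        nonce = secrets.token_hex(8)
        return f"{user}:{nonce}:{self._tag(user, nonce)}"

    def authorize(self, token, action):
        try:
            user, nonce, tag = token.split(":")
        except (AttributeError, ValueError):
            return False  # missing or malformed token: default to no access
        if not hmac.compare_digest(tag, self._tag(user, nonce)):
            return False  # tampered or forged token
        return action in POLICY.get(user, set())


def simulate_interleaving():
    """Replay the interleaving an attacker races for: Alice's authentication
    lands, then Mallory's authorization step runs before Mallory has
    authenticated at all. Returns (vulnerable_grant, forged_token_grant, alice_grant)."""
    split = SplitGate()
    split.authenticate("alice", "correct horse")        # request 1, step 1
    vulnerable_grant = split.authorize("read_payroll")  # request 2, step 2 first: granted as Alice

    bound = BoundGate()
    alice_token = bound.authenticate("alice", "correct horse")
    # Mallory tries the same trick with a token she made up for Alice.
    forged_token_grant = bound.authorize("alice:0000:deadbeef", "read_payroll")
    alice_grant = bound.authorize(alice_token, "read_payroll")
    return vulnerable_grant, forged_token_grant, alice_grant


if __name__ == "__main__":
    print(simulate_interleaving())  # (True, False, True)
```

The fix is not the lock; it is that authorization no longer has to trust a step it cannot see. Anything that proves authentication (a signed token, a session bound to the connection) works; anything that relies on "the previous call in this process was authenticate()" does not.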

3 factors for authentication

something a person knows, something a person has, and something a person is. They are commonly called authentication by knowledge, authentication by ownership, and authentication by characteristic. Strong authentication uses at least two of these three factors.

Verification 1:1

the measurement of an identity against a single claimed identity

examples of authentication by knowledge

a password, PIN, mother's maiden name, or combination to a lock.

examples of authentication by ownership

a key, swipe card, access card, or badge.

examples of authentication by characteristic

unique physical attribute - biometrics

Mutual authentication

when the two communicating entities must authenticate to each other before passing data

Identification Component Requirements

Each value should be unique, for user accountability.




A standard naming scheme should be followed.




The value should be nondescriptive of the user's position or tasks.




The value should not be shared between users.

Identity Management

a broad and loaded term that encompasses the use of different products to identify, authenticate, and authorize users through automated means. IdM allows organizations to manage the life cycle of digital identities (create, maintain, terminate) in a timely and automated fashion.

examples of identity management solutions

Directories - X.500 or LDAP, Active Directory


Web access management


Password Management


Legacy Single sign-on


Account management


Profile Update

Web access management

software that controls what users can access when using a web browser to interact with web based enterprise assets.

Cookie

a cookie can be a text file stored on the user's hard drive (persistent) or held only in memory (session). If the cookie contains any type of sensitive information, it should only be held in memory and erased once the session has completed.

Password Management

a technology that provides a secure and automated password management system. The most common approaches are:




Password Synchronization




Self service password reset




assisted password reset

Legacy Single Sign-On

an SSO technology allows a user to authenticate one time and then access resources in the environment without needing to re-authenticate.

account management

Account Management deals with creating user accounts on all systems, modifying the account privileges when necessary, and decommissioning the accounts when they are no longer needed.

Authoritative source

The authoritative source is the "system of record" or the location where identity information originates and is maintained. It should have the most up to date and reliable identity information.

Authoritative System of Record

is a hierarchical tree like structure system that tracks subjects and their authorization chains.



User provisioning

Refers to the creation, maintenance, and deactivation of user objects and attributes as they exist in one or more systems, directories or applications, in response to business processes.

Profile Update

A profile is the data associated with the identity of a user. The profile should be centrally located for easier management. Users should be allowed to update nonsensitive data themselves. Admins should be able to create, change, or delete these profiles in an automated fashion when necessary.

Federation

sharing identity and authentication information between companies using a trust relationship

federated identity

a portable identity and its associated entitlements, that can be used across business boundaries. It allows a user to be authenticated across multiple IT systems and enterprises.

Digital Identity

made up of a user's attributes, entitlements and traits.

markup language

a way to structure text and data sets; it dictates how these will be viewed and used.




examples: XML, SPML, SAML, XACML

extensible markup language (XML)

a universal and foundational standard that provides a structure for other independent markup languages to be built from and still allow for interoperability.

Service Provisioning Markup Language (SPML)

allows for the exchange of provisioning data between applications, which could reside in one organization or many. SPML allows for the automation of user management and access entitlement configuration related to electronically published services across multiple provisioning systems.




SPML is made up of three entities:


Requesting Authority (RA) - the entity that is making the request to set up a new account or make changes to an existing account




Provisioning Service Provider (PSP) - the software that responds to the account requests




Provisioning Service Target (PST) - the entity that carries out the provisioning activities on the requested system.

Security Assertion Markup Language (SAML)

an XML standard for exchanging authentication and authorization data between security domains. SAML provides the authentication pieces of federated identity management systems to allow business-to-business and business-to-consumer transactions. SAML commonly uses SOAP (Simple Object Access Protocol) for data transmission.

service oriented architecture

a way to provide independent services residing on different systems in different business domains in one consistent manner.

Extensible Access Control Markup Language (XACML)

used to express security policies and access rights to assets provided through web services and other enterprise applications. XACML is both an access control policy language and a processing model that allows for policies to be interpreted and enforced in a standard manner.

Organization for the Advancement of Structured Information Standards (OASIS)

This organization develops and maintains the standards for how various aspects of web based communication are built and maintained.

Biometrics

Verifies an individual's identity by analyzing a unique personal attribute or behavior, which is one of the most effective and accurate methods of verifying identification.

Biometric processing speed

From the time a user inserts data until she receives an accept or reject response should take five to ten seconds.

Finger Scan technology

extracts specific features from the fingerprint and stores just that information, which takes up less hard drive space and allows for quicker database lookups and comparisons.

Palm Scan

The palm holds a wealth of information and has many aspects that are used to identify an individual.

Hand Geometry

The shape of a person's hand defines hand geometry. This trait differs significantly between people and is used in some biometric systems.

Retina Scan

scans the blood vessel pattern of the retina at the back of the eyeball.

Iris scan

The iris has unique patterns, rifts and colors. This is the most accurate of all the biometric systems.

Signature Dynamics

When a person signs a signature, usually they do so in the same manner and speed each time. Signing a signature produces electronic signals that can be captured by a biometric system.




A digitized signature is not the same, and is not a biometric system.

Keystroke Dynamics

Keystroke Dynamics captures electrical signals when a person types a specified phrase. As a person types the phrase the biometric system captures the speed and motions of this action.

Voice Print

People's speech sounds and patterns have many subtle distinguishing differences.

Facial Scan

A system that scans a person's face, extracts attributes and characteristics, and compares these to an earlier scan.

Hand Topography

looks at different peaks and valleys of the hand, along with its overall shape and curvature. Is commonly not used by itself, but in conjunction with hand geometry.

passwords

one of the most commonly used authentication methods used today, they are also considered one of the weakest security mechanisms. This is because most passwords are easily guessed.

Electronic monitoring

Listening to network traffic to capture information, especially when a user is sending their password to an authentication server.

Brute force attacks

Performed with tools that cycle through many possible character, number and symbol combinations to uncover a password.

Dictionary attacks

Files of thousands of words are compared to the user's password until a match is found.

Social Engineering

an attacker falsely convinces an individual that they have the necessary authorization to access specific resources.

Rainbow table

a precomputed table that maps password hashes back to passwords (stored as hash chains to save space), so an attacker can look up a stolen hash instead of hashing each guess. Salting defeats it, because the table would have to be rebuilt for every salt value.

Salts

random values appended to a password before it is hashed, so that identical passwords produce different stored hashes and a precomputed (rainbow) table is useless against them.

Password Aging

set expiration dates for passwords and keeping a password history that disallows users from reusing their previous passwords.

cognitive passwords

fact- or opinion-based information used to verify an individual's identity.

Captcha

a skewed representation of characters that a person must enter to prove that the subject is a human and not an automated tool such as a software robot.

one time password (OTP)

also called a dynamic password, is used for authentication purposes and is only good once. After the password is used, it is no longer valid, thus if a hacker obtained this password, it could not be reused.

The token device

also called a password generator, is usually a handheld device that has an LCD display and possibly a keypad. This hardware is separate from the computer the user is attempting to access. The token device and authentication server must be synchronized in some manner to be able to authenticate a user.



There are two types - synchronous and asynchronous

Type 1 error

when a biometric system rejects an authorized individual (false rejection rate)

Type 2 error

when a biometric system accepts impostors who should be rejected (false acceptance rate)

crossover error rate (CER)

Also called equal error rate (EER). This is stated as a percentage and represents the point at which the false rejection rate equals the false acceptance rate. The rating is used to measure the system's accuracy: a CER of 3 percent indicates a more accurate system than a CER of 4 percent.
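
The Type I, Type II and crossover figures from the three cards above, computed over constructed data. This is an added example, not from the original flashcard set: the genuine and impostor match scores are made up, and the threshold sweep is the usual way a vendor or tester derives a CER from such scores. The last function shows the tuning trade-off the CER hides: forcing the false acceptance rate to zero costs legitimate users more rejections.

```python
# Constructed match scores (assumed, not from the page); higher means "more like the enrolled template".
GENUINE = [0.91, 0.88, 0.95, 0.72, 0.83, 0.97, 0.79, 0.90, 0.86, 0.93]
IMPOSTOR = [0.12, 0.35, 0.48, 0.22, 0.61, 0.30, 0.85, 0.40, 0.18, 0.55]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FRR, FAR) for a decision threshold.
    Type I error, FRR: genuine users scoring below the threshold are rejected.
    Type II error, FAR: impostors scoring at or above it are accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR, steps=1000):
    """Sweep thresholds from 0 to 1 and return (threshold, CER) at the point
    where FRR and FAR are closest to equal; the CER is that common rate."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


def threshold_for_far(max_far, genuine=GENUINE, impostor=IMPOSTOR, steps=1000):
    """High-security tuning: the lowest threshold whose FAR is at or below
    max_far, together with the FRR that choice costs. Raising the bar on
    impostors always raises the rejection rate for legitimate users."""
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr
    return 1.0, 1.0


if __name__ == "__main__":
    print(crossover_error_rate())   # threshold just above 0.72, CER 0.1 (10 percent)
    print(threshold_for_far(0.0))   # threshold just above 0.85, FRR 0.3
```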

clipping level

an older term that just means threshold. If the number of acceptable failed login attempts is set to three, three is the threshold (clipping level) value.

password checker

a tool used by security professionals to test the strength of a password. Can also be called a password cracker if the same tool is used by a hacker.

synchronous token device

synchronizes with the authentication service by using time or a counter as the core piece of the authentication process. If the synchronization is time-based, the token device and the authentication service must hold the same time within their internal clocks. The time value on the token device and a secret key are used to create the one-time password, which is displayed to the user.




If the token device and authentication service use counter-synchronization, the user will need to initiate the creation of the one-time password by pushing a button on the token device. This causes the token device and the authentication service to advance to the next authentication value. This value and a base secret are hashed and displayed to the user. The user enters this resulting value along with a user ID to be authenticated. In either time-or counter-based synchronization, the token device and authentication service must share the same secret base key used for encryption and decryption.




Synchronous token-based one-time password generation can be time-based or counter-based. Another term for counter-based is event-based. Counter-based and event-based are interchangeable terms.




Both token systems can fall prey to masquerading if a user shares his identification information (ID or username) and the token device is shared or stolen. The token device can also have battery failure or other malfunctions that would stand in the way of a successful authentication. However, this type of system is not vulnerable to electronic eavesdropping, sniffing, or password guessing.

Asynchronous

A token device using an asynchronous token– generating method employs a challenge/ response scheme to authenticate the user. In this situation, the authentication server sends the user a challenge, a random value, also called a nonce. The user enters this random value into the token device, which encrypts it and returns a value the user uses as a one-time password. The user sends this value, along with a username, to the authentication server. If the authentication server can decrypt the value and it is the same challenge value sent earlier, the user is authenticated.

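Both token styles from the synchronous and asynchronous cards, as an added example that is not part of the original flashcard set. The synchronous side implements the counter-based and time-based generators as standardized in RFC 4226 (HOTP) and RFC 6238 (TOTP), which is what most hardware and app tokens actually run; the server-side verifiers add the look-ahead window and clock-skew tolerance a real deployment needs and refuse replayed counters. The asynchronous side is the challenge/response exchange: the card describes the token "encrypting" the nonce, and this example substitutes a keyed HMAC over the nonce, which gives the same property (only a holder of the shared secret can answer). The shared secret value is the RFC test vector, used here only so the outputs can be checked against the RFC tables.

```python
import hashlib
import hmac
import secrets
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Counter-based (event-based) one-time password, RFC 4226.
    Token and server share `secret` and step `counter` in lockstep."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password, RFC 6238: the counter is the number of
    `step`-second intervals since the epoch, so both clocks must agree."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, digits=6, skew=1):
    """Server side: also accept the neighbouring time steps to absorb small clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + d * step, step, digits), code)
        for d in range(-skew, skew + 1)
    )


class CounterServer:
    """Server side of a counter-synchronised token. A look-ahead window tolerates
    button presses that never reached the server; counters at or below the
    last accepted value are refused, which blocks replay of a used code."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window, self.counter = secret, window, 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resynchronise to just past the used counter
                return True
        return False


# Asynchronous token: challenge/response, no shared clock or counter needed.
def make_challenge() -> str:
    """Server picks a fresh random nonce for every login attempt."""
    return secrets.token_hex(8)


def token_response(secret: bytes, challenge: str) -> str:
    """Token device: keyed function over the challenge (HMAC here, where the
    card describes encrypting the nonce; the security property is the same)."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:12]


def server_check(secret: bytes, challenge: str, response: str) -> bool:
    """Server recomputes the expected response for the challenge it issued."""
    return hmac.compare_digest(token_response(secret, challenge), response)


if __name__ == "__main__":
    key = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret, not a real key
    print(hotp(key, 0), totp(key, 59, digits=8))               # 755224 94287082
    chal = make_challenge()
    print(server_check(key, chal, token_response(key, chal)))  # True
```

The card's point about eavesdropping follows directly: a captured HOTP or TOTP code is useless once its counter or time step has passed, and a captured challenge response is useless because the next login gets a different nonce. What the code does not protect against is the masquerading case the card names, a stolen device plus a known user name.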
Cryptographic Keys

Another way to prove one's identity is to use a private key to generate a digital signature. A private key is a secret value that should be in the possession of one person, and one person only. It should never be disclosed to an outside party. A digital signature is produced by signing a hash value (message digest) of the message with the private key (in RSA terms, encrypting the hash with the private key); this act is called digitally signing a message. A digital signature attached to a message proves the message originated from the holder of that private key and that the message was not changed in transit.

passphrase

a sequence of characters that is longer and in some cases, taking place of a password during an authentication process. The user enters this phrase into an application, and the application transforms the value into a virtual password, making the passphrase the length and format that is required by the application.

memory card

holds information but cannot process information

smart card

holds information and has the necessary hardware and software to process that information. There are two categories of smart cards: contact and contactless.

contact smart card

has a gold seal on the face of the card. When this card is fully inserted into a card reader, electrical fingers wipe against the card in the exact position that the chip contacts are located. This will supply power and data I/O to the chip for authentication purposes

contactless smart card

has an antenna wire that surrounds the perimeter of the card. When this card comes within an electromagnetic field of the reader, the antenna generates energy to power the internal chip and perform the authentication.

smart card attacks

attacks such as fault generation, side channel attacks, software attacks and microprobing are examples of attacks on smart cards

fault generation attack

The attacker reviews the result of an encryption function after introducing an error to the card, and also reviews the correct result, which the card performs when no errors are introduced. Analysis of these different results may allow an attacker to reverse engineer the encryption process, with the hope of uncovering the encryption key.

side channel attack

nonintrusive and are used to uncover sensitive information about how a component works, without trying to compromise any type of flaw or weakness. some examples are observing changes in power emissions during processing and observing frequencies emitted.

software attacks

also considered non invasive attacks. A smart card has software just like any device that does data processing, and there is the possibility of software flaws that can be exploited. The main goal of this attack is to input instructions into the card that will allow the attacker to extract information, which he can use to make fraudulent purchases.

microprobing

Microprobing uses needles and ultrasonic vibration to remove the outer protective material on the card's circuits. Once this is completed, data can be accessed and manipulated by directly tapping into the card's ROM chips.

ISO/IEC standard 14443

outlines the following items for smart card standardization:




ISO 14443-1 - Physical characteristics


ISO 14443-3 - Initialization and anticollision


ISO 14443-4 - Transmission protocol

Radio Frequency Identifier (RFID)

a technology that provides data communication through the use of radio waves. A common security issue is that data can be captured as it moves from the tag to the reader, because most of these solutions do not encrypt the exchange.

Default to no access

Access control mechanisms should default to no access: anything not explicitly granted is denied, which provides the necessary level of security and ensures that an overlooked gap does not silently grant access.

Need to know principle

is similar to the least privilege principle. It is based on the concept that individuals should be given access only to the information they absolutely require in order to perform their job duties

authorization creep

as employees work at a company over time, they are given more and more access rights as they progress from one department to another, while the rights they no longer need are never revoked.

single sign on

a system that allows a user to enter their credentials one time and be able to access all resources in primary and secondary network domains.

Kerberos

a single sign on technology that provides authentication functionality with the purpose of protecting a company's assets. It works in a client/server model and is based on symmetric key cryptography. Although it allows the use of passwords for authentication, it was designed specifically to eliminate the need to transmit passwords over the network.

Key Distribution Center ( KDC)

the most important component within a Kerberos environment. The KDC holds all users' and services' secret keys. It provides an authentication service as well as key distribution functionality. The clients and services trust the integrity of the KDC, and this trust is the foundation of Kerberos security.

ticket granting service

a Kerberos service on the Key Distribution Center that generates a ticket that allows one principal to authenticate to another principal

Kerberos Principal

another term for users and services

ticket granting ticket

are used so the user does not have to enter his password each time he needs to communicate with another principal

Kerberos secret key

shared between the KDC and a principal and is static in nature



Kerberos session key

shared between two principals and is generated when needed and destroyed after the session is completed

replay attack

when an attacker captures and resubmits data with the goal of gaining unauthorized access to an asset

Sesame

a single sign-on technology developed to extend Kerberos functionality and improve upon its weaknesses. It uses both symmetric and asymmetric key cryptography, and it uses Privileged Attribute Certificates (PACs).

PAC - Privileged Attribute Certificate

a digitally signed certificate that is validated by a Privileged Attribute Server. It contains the subject's identity, access capabilities for the object, access time period, and lifetime of the PAC.

Security Domain

resources within a domain are working under the same security policy and managed by the same group.

Directory services

provide users access to network resources transparently, meaning users don't need to know the exact location of the resources or the steps required to access them. Examples are LDAP, Novell NetWare Directory Service (NDS), and Microsoft Active Directory.

Thin Clients

Terminals that rely upon a central server for access control, processing and storage.

access control model

a framework that dictates how subjects access objects. There are three main types:




Discretionary, Mandatory, and role Based

Discretionary Access Control

access is restricted based on the authorization granted to the users. Object owners are allowed to specify what access to give to their objects in this model. Access control lists are used to enforce these access decisions.

mandatory access control

a much more structured and strict model based on a security label system. Users are given a security clearance (confidential, secret, top secret) and the data is classified in the same way. The clearance and classification data are stored in security labels, which are bound to the specific subjects and objects.

role based access control

uses a centrally administered set of controls to determine how subjects and objects interact. Access is granted to roles, and users are assigned to roles based on the operations and tasks they need to carry out to fulfill their responsibilities within an organization.

Core RBAC

This is the foundation of the RBAC model. Users, roles, permissions, operations, and sessions are defined and mapped according to the security policy.

Hierarchical RBAC

this component allows the administrator to setup an organizational RBAC model that maps to the organizational structures and functional delineations required in a specific environment.
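
Core and hierarchical RBAC from the three cards above, worked through in code. This is an added example, not from the original flashcard set; the roles, users and permissions are a constructed engineering department. Permissions attach to roles only, a session activates a subset of the roles the user is authorized for (that is where least privilege comes from), and a senior role inherits its juniors' permissions by walking the hierarchy rather than by copying them.

```python
# Constructed policy (assumed, not from the page). Permissions are (object, operation) pairs.
ROLE_PERMISSIONS = {
    "employee":    {("timesheet", "submit")},
    "engineer":    {("repo", "push")},
    "team_lead":   {("timesheet", "approve")},
    "eng_manager": {("budget", "view")},
}
# Hierarchical RBAC: a senior role inherits everything its junior roles hold.
ROLE_PARENTS = {
    "engineer":    {"employee"},
    "team_lead":   {"engineer"},
    "eng_manager": {"team_lead"},
}
# Core RBAC: users are assigned roles, never permissions directly.
USER_ROLES = {"dana": {"engineer"}, "kim": {"eng_manager"}, "pat": set()}


def effective_roles(role, parents=ROLE_PARENTS):
    """All roles `role` inherits from, including itself (walks the hierarchy)."""
    seen, stack = set(), [role]
    while stack:
        r = stack.pop()
        if r not in seen:
            seen.add(r)
            stack.extend(parents.get(r, ()))
    return seen


def permissions_for_roles(roles, role_perms=ROLE_PERMISSIONS, parents=ROLE_PARENTS):
    """Union of the permissions of the given roles and everything below them."""
    perms = set()
    for role in roles:
        for r in effective_roles(role, parents):
            perms |= role_perms.get(r, set())
    return perms


def authorized_roles(user, user_roles=USER_ROLES, parents=ROLE_PARENTS):
    """Roles the user may activate: assigned roles plus everything junior to them."""
    return set().union(*(effective_roles(r, parents) for r in user_roles.get(user, set())))


def may_activate(user, roles, user_roles=USER_ROLES, parents=ROLE_PARENTS):
    return set(roles) <= authorized_roles(user, user_roles, parents)


class Session:
    """Core RBAC session: a user activates some or all of their authorized roles.
    Activating fewer roles than authorized is how RBAC delivers least privilege."""

    def __init__(self, user, active_roles=None, user_roles=USER_ROLES):
        active = user_roles.get(user, set()) if active_roles is None else set(active_roles)
        if not may_activate(user, active, user_roles):
            raise ValueError(f"{user} may not activate {active}")
        self.user, self.active = user, active
        self.permissions = permissions_for_roles(active)

    def can(self, obj, operation):
        # Default to no access: anything not granted through an active role is denied.
        return (obj, operation) in self.permissions


if __name__ == "__main__":
    print(sorted(Session("kim").permissions))             # manager sees all four inherited permissions
    print(Session("kim", ["employee"]).can("budget", "view"))  # False: reduced session
```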

Rule Based Access control

uses specific rules that indicate what can and cannot happen between a subject and an object.

constrained user interfaces

restrict users' access abilities by not allowing them to request certain functions or information, or to have access to specific system resources. Three major types exist:




Menus and Shells, DataBase Views, and Physically constrained interfaces

access control matrix

is a table of subjects and objects indicating what actions individual subjects can take upon individual objects.

capability table

specifies the access rights a certain subject possesses pertaining to specific objects; in an access control matrix this is a row.

access control list

used in several operating systems, applications, and router configurations. An ACL is a list of the subjects that are authorized to access a specific object, and it defines what level of access each is granted. An ACL corresponds to a column of the access control matrix.
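
The matrix, capability table and ACL cards describe one structure viewed two ways; the following added example (not from the original flashcard set, with a constructed matrix of three users and three objects) makes the row/column relationship concrete and shows why the choice matters operationally: deprovisioning a user is one row in capability terms but a scan of every object's ACL.

```python
from collections import defaultdict

# Constructed access control matrix (assumed, not from the page):
# rows are subjects, columns are objects, cells are the permitted actions.
MATRIX = {
    "alice": {"payroll.xlsx": {"read", "write"}, "hr.db": {"read"}},
    "bob":   {"payroll.xlsx": {"read"}},
    "carol": {"hr.db": {"read", "write"}, "router1": {"execute"}},
}


def capability_list(subject, matrix=MATRIX):
    """One row: what this subject may do to each object."""
    return {obj: set(acts) for obj, acts in matrix.get(subject, {}).items()}


def access_control_list(obj, matrix=MATRIX):
    """One column: which subjects may do what to this object."""
    return {subj: set(row[obj]) for subj, row in matrix.items() if obj in row}


def is_permitted(subject, obj, action, matrix=MATRIX):
    """Default to no access: an empty or missing cell denies."""
    return action in matrix.get(subject, {}).get(obj, set())


def matrix_from_acls(acls):
    """Rebuild the matrix from its columns; the two views carry the same information."""
    matrix = defaultdict(dict)
    for obj, entries in acls.items():
        for subj, acts in entries.items():
            matrix[subj][obj] = set(acts)
    return dict(matrix)


def revoke_subject(subject, matrix=MATRIX):
    """Removing a departed user is one row deletion in capability terms, but
    in an ACL-based system every object's list has to be visited. Works on a
    copy and returns (new_matrix, objects whose ACLs changed)."""
    new = {s: {o: set(a) for o, a in row.items()} for s, row in matrix.items()}
    touched = sorted(new.pop(subject, {}).keys())
    return new, touched


if __name__ == "__main__":
    print(access_control_list("payroll.xlsx"))   # {'alice': {'read', 'write'}, 'bob': {'read'}}
    print(capability_list("carol"))
    print(revoke_subject("alice")[1])            # ['hr.db', 'payroll.xlsx']
```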

context dependent access control

a system that is using context-dependent access control "reviews the situation" and then makes a decision. an example is a stateful firewall that can understand the context of what is going on when a tcp packet arrives and includes that as part of its access decision.

content dependent access control

access to objects is determined by the content within the object

centralized access control administration

one entity is responsible for overseeing access to all corporate resources. Some examples are RADIUS, TACACS+, and Diameter.

Remote Authentication Dial In User Service




RADIUS

a network protocol that provides client/server authentication, authorization, and accounting (AAA) for remote users. Uses UDP.




Only encrypts the password as it is transmitted; the user name, accounting data, and authorized services are sent in the clear.

Terminal Access Controller Access Control System




TACACS

combines its authentication and authorization processes; and uses fixed passwords for authentication



TACACS+

separates authentication, authorization and auditing processes, and allows users to employ dynamic one time passwords. it is a totally different protocol from TACACS and not backward compatible with it.


Uses the TCP protocol. Encrypts all data between the client and server.

Diameter

a protocol built to improve upon Radius. It has two portions - the base protocol that provides secure communication among diameter entities, feature discovery, and version negotiation. The second is extensions, which are built on top of the base protocol to allow various technologies (voip, mobile IP) to use diameter for authentication.

Decentralized access control administration

gives control of access to the people closer to the resources. It is often the functional manager who assigns access control rights to employees.

access control layers

consists of three broad categories:




administrative, technical, and physical

Administrative control components

Policy and Procedures


Personnel controls


Supervisory structure


security awareness training


testing



Physical control components

Network segregation


perimeter security


computer controls


work area separation


data backups


cabling


control zone

Technical control components



System access


Network Architecture


Network access


Encryption and protocols


Auditing

tempest

a standard developed in the late 1950s to deal with electrical and electromagnetic radiation emitted from electrical equipment, mainly computers.

white noise

a countermeasure used to keep intruders from extracting information from electrical transmissions by sending a uniform spectrum of random electrical signals over the full spectrum so the bandwidth is constant and an intruder is not able to decipher real information from random noise or random information.

Control Zone

using material in your walls to contain electrical signals to protect against unauthorized access to data

access control monitoring

a method of tracking who attempts to access specific company resources

intrusion detection systems

designed to detect a security breach. It is the process of detecting an unauthorized use of, or attack upon, a computer, network, or telecomm infrastructure. IDS can be network based or host based.

knowledge or signature based IDS (misuse detection systems)

Signature-based detection is also known as pattern matching. Models of how attacks are carried out are developed and called signatures. Each identified attack has a signature, which is used to detect an attack in progress or determine if one has occurred within the network. Effectiveness depends on regularly updating the software with new signatures.

State based IDS

Specific state changes (activities) take place with specific types of attacks. In a state based IDS the initial state is the state prior to the execution of an attack, and the compromised state is the state after successful penetration. The IDS has rules that outline which state transition sequences should sound an alarm. This type of IDS scans for attack signatures in the context of a stream of activity instead of just looking at individual packets. It can only identify known attacks and requires frequent updates of its signatures

Statistical Anomaly Based IDS

a behavioral based system. Behavioral based IDS products do not use predefined signatures, but rather are put in learning mode to build a profile of an environment's "normal" activities. This profile is built by continually sampling the environment's activities. The longer the IDS is put in learning mode, in most instances, the more accurate a profile it will build and the better protection it will provide.

heuristic

a rule-of-thumb approach in which the IDS combines evidence from different data sources to infer that an attack is likely, rather than matching one exact signature.

protocol anomaly based IDS

these types of IDS have specific knowledge of each protocol they will monitor. A protocol anomaly pertains to the format and behavior of a protocol. The IDS builds a model of each protocol's normal usage. it looks for anomalies that do not match the profiles built for the individual protocols.

Traffic anomaly based IDS

detects changes in traffic patterns, such as a DoS attack or a new service appearing on the network. A profile is built that captures the baseline of the environment's ordinary traffic, and all future traffic patterns are compared to that profile. This can detect unknown attacks.
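
Signature-based and statistical/traffic anomaly detection from the cards above, run side by side over a few constructed log lines. This is an added example, not from the original flashcard set: the web log lines, the baseline counts and the IP addresses are made up, and the two signatures are simplified illustrations rather than production rules. The contrast the cards draw shows up directly: the signatures catch only what they were written for, while the learned profile flags the flood from 10.0.0.7 and the never-seen host 10.0.0.9 without knowing what either attack is.

```python
import re
import statistics

# Constructed sample data (assumed, not from the page): web requests, per-minute
# connection counts seen during a quiet learning period, and one minute of live counts.
WEB_LOG = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200',
    '10.0.0.7 - - "GET /login?user=admin%27%20OR%201%3D1-- HTTP/1.1" 200',
    '10.0.0.8 - - "GET /../../etc/passwd HTTP/1.1" 404',
    '10.0.0.5 - - "GET /about.html HTTP/1.1" 200',
]
BASELINE = {
    "10.0.0.5": [40, 42, 38, 45, 41, 39, 44, 40],
    "10.0.0.7": [5, 7, 6, 4, 6, 5, 7, 6],
}
OBSERVED = {"10.0.0.5": 43, "10.0.0.7": 180, "10.0.0.9": 12}

# Knowledge/signature-based detection: patterns of known attacks (simplified).
SIGNATURES = {
    "sql_injection": re.compile(r"(%27|')\s*(%20|\s)*(or|union)\b", re.I),
    "path_traversal": re.compile(r"(\.\./|%2e%2e%2f)", re.I),
}


def signature_matches(lines, signatures=SIGNATURES):
    """Return (signature_name, line) for every line matching a known pattern.
    Only attacks that have a signature can be found; new attacks pass silently."""
    return [(name, line) for line in lines for name, rx in signatures.items() if rx.search(line)]


def build_profile(baseline):
    """Learning mode: per-host mean and standard deviation of normal activity."""
    return {host: (statistics.mean(v), statistics.pstdev(v)) for host, v in baseline.items()}


def anomalies(profile, observed, z_threshold=3.0):
    """Statistical/traffic anomaly detection: flag counts far from the learned
    profile, and hosts the profile has never seen. Finds unknown attacks, but
    also flags legitimate change, so z_threshold is really the false-positive dial."""
    findings = []
    for host, count in observed.items():
        if host not in profile:
            findings.append((host, "new source not in baseline"))
            continue
        mean, sd = profile[host]
        z = abs(count - mean) / sd if sd else (0.0 if count == mean else float("inf"))
        if z > z_threshold:
            findings.append((host, f"{count}/min is {z:.1f} standard deviations from baseline {mean:.1f}"))
    return findings


if __name__ == "__main__":
    for name, line in signature_matches(WEB_LOG):
        print("signature", name, "->", line)
    for host, why in anomalies(build_profile(BASELINE), OBSERVED):
        print("anomaly", host, "->", why)
```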


Rule based IDS

is commonly associated with an expert system. An expert system is made up of a knowledge base, an inference engine, and rule-based programming. Knowledge is represented as rules, and the data to be analyzed are referred to as facts.


The IDS gathers data from a sensor or log, and the inference engine applies its preprogrammed rules to it.

Honeypot

a system setup to entice a would be attacker to attack it instead of authentic production systems. It contains no real company information, and thus will not be at risk if attacked.

entrapment

when an intruder is induced or tricked into committing a crime.

Dictionary attack

a program that hashes a list of dictionary words and compares the resulting message digest with the system password file that also stores the password in a one way hash format. If the hash values match, it means the password has been identified.
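
The dictionary attack just described, together with the earlier "Rainbow table" and "Salts" cards, worked through in code. This is an added example, not from the original flashcard set; the word list and passwords are constructed, and the salted scheme uses PBKDF2-HMAC-SHA256 from the Python standard library as the iterated, salted hash (the cards do not name an algorithm). Against unsalted digests the attacker hashes the word list once and then only looks up; against salted, iterated digests every candidate has to be recomputed per user, which is the entire point of the salt.

```python
import hashlib
import hmac
import os

# Constructed word list (assumed); a real attack uses lists with millions of entries.
WORDLIST = ["password", "letmein", "dragon", "qwerty", "correct horse"]


def hash_unsalted(password):
    """Weak storage: one fast hash, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, iterations=200_000, salt=None):
    """Stronger storage: a random per-user salt plus an iterated, salted hash
    (PBKDF2-HMAC-SHA256 here). The salt is stored in the clear beside the
    digest; it is not a secret, it just makes every stored hash unique."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table(words):
    """Attacker's precomputation against unsalted hashes: digest -> password.
    A real rainbow table compresses this into hash chains, but the principle
    is the same: hash the candidates once, then only look up."""
    return {hash_unsalted(w): w for w in words}


def crack_unsalted(stored_digests, table):
    """Dictionary/rainbow attack on unsalted hashes: one lookup per digest, no hashing."""
    return {d: table[d] for d in stored_digests if d in table}


def crack_salted(stored, words):
    """With a salt nothing can be precomputed: each candidate must be rehashed
    with this user's salt and iteration count. Returns the word or None."""
    for w in words:
        if verify_salted(w, stored):
            return w
    return None


def shared_password_visible(password, iterations=200_000):
    """Two users with the same password: unsalted digests collide (and leak that
    fact from the password file); salted ones do not."""
    unsalted_same = hash_unsalted(password) == hash_unsalted(password)
    salted_same = hash_salted(password, iterations) == hash_salted(password, iterations)
    return unsalted_same, salted_same


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print(crack_unsalted([hash_unsalted("dragon")], table))   # instant hit
    print(crack_salted(hash_salted("letmein"), WORDLIST))     # found, but only after 200k iterations per word
```

Salting does not stop a dictionary attack against one weak password (the second call above still finds "letmein"); it removes the attacker's ability to amortize work across users and to precompute it in advance. The iteration count is what makes each guess expensive.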

brute force attacks

also known as an exhaustive attack, it will try every possible combination until the correct one is found. War dialing to find a modem is a type of brute force attack.

phishing

a type of social engineering with the goal of obtaining personal information, credentials, credit card numbers, or financial data. The attackers send fake emails or create fake websites and trick users into entering their information.

pharming

using DNS poisoning to redirect users to a fake but legitimate-looking website



spear phishing

a phishing attack targeted at a specific person

threat modeling

a process of identifying the threats that could negatively affect an asset and the attack vectors they would use to achieve their goals

identity theft

a situation where someone obtains key pieces of personal information and then uses that information to impersonate someone else.