Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
59 Cards in this Set
- Front
- Back
|
Access control is concerned with protecting?
|
- Confidentiality
- Integrity - Availability |
|
|
Confidentiality is?
|
The property that ensures information is not disclosed to unauthorized users: Prevention of Disclouser
|
|
|
Integrity is?
|
The property that ensures data has not been modified either in transit or while in storage: Prevention of Alteration
|
|
|
Availability is?
|
The property that ensures access to data when it is needed: Prevention of Destruction
|
|
|
Access Control Responsibility Role:
- Data owner |
- Ultimately responsible
- Final authority |
|
|
Access Control Responsibility Roles:
Data custodian |
- Acts on behalf of the data owner
- Maintains and administers security |
|
|
• Centralized control
|
- Single group in charge
- Could cause delays in response to remote business units |
|
|
• Decentralized control
|
- Controls map to individual business units
- Causes discrepancies across the organization - No consistent view |
|
|
(CHAP)
Challenge Handshake Authentication Protocol |
- Central location sends challenge to remote user
- User responds with encrypted hash of challenge - Password not sent in clear over link and messages are encrypted |
|
|
(TACACS)
Terminal Access Controller Access Control System |
- Requires user ID and static password
|
|
|
TACACS+
|
- Provides better protection
- Uses tokens for two-factor, dynamic password authentication. |
|
|
(PAP)
Password Authentication Protocol |
PAP is used by Point to Point Protocol to validate users before allowing them access to server resources.
- Unencrypted |
|
|
What are the three areas of security?
|
C - Confidentiality
I - Integrity A - Availability |
|
|
Which of the following critical areas of security represents the unauthorized
modification of information? |
Integrity
|
|
|
Which formula below accurately represents the equation for calculating the risk
associated with your critical assets? |
Risk = Threat x Vulnerability
|
|
|
Of the four core principles of network security, which one relates to
understanding which services are running on your system? |
Know thy system
|
|
|
Giving Bob, the accountant, access only to the Accounting application required
for his duties is an example of which core security principle? |
Principle of Least Privilege
|
|
|
Which principle is represented by an accountant creating a company's books and
an auditor reviewing the books for accuracy? |
Separation of Duties
|
|
|
Which access control measure method would be affected by an inaccessible
system administrator? |
Detective
|
|
|
Which of the following concepts relates most closely to the Principle of Least
Privilege? a) Authentication b) Identity c) Detection d) Separation of Duties |
Separation of Duties
|
|
|
If Dan, a user with level three clearance, attempts to read a document requiring a
level four clearance, he is violating which of the following access control techniques? a) The Star Property of the Bell-LaPadula Model b) The Simple Security Property of the Bell-LaPadula Model c) The Simple Integrity Property of the Biba Model d) The Super Simple Star Property of Biba Model |
The Simple Security Property of the Bell-LaPadula Model
|
|
|
Which of the following access control techniques requires the user to follow a
procedure to access protected data? a) The Clark-Wilson model b) The Biba model c) The Middleman model d) The Bell-LaPadula model |
The Clark-Wilson model
|
|
|
Which of the following characteristics makes the BIBA model the opposite of the
Bell LaPadula (BLP) model? a) No write down and no read up b) Read up but no write down c) No read down and no write up d) Write down but no read up |
No read down and no write up
|
|
|
In the process of employee termination, which access management activity most
effectively controls access? a) Account administration b) Account maintenance c) Account monitoring d) Account revocation |
d) Account revocation
|
|
|
Of the four ways a user can be authenticated, which presents the use of physical
human attributes in the process? a) Something you are b) Something you have c) Something you know d) Something you share |
Something you are
|
|
|
If you had a classified system located in the middle of the desert, which
authentication method would serve best? a) Something you have b) Something you know and are c) Something you share d) Someplace you are |
Someplace you are
|
|
|
What is the MOST influential factor in determining if a biometric solution is
feasible for a system? a) System size b) Usability c) Criticality d) Cost |
Cost
|
|
|
Which authentication method negotiates the validity of the user through tickets?
a) Single Sign On (SSO) b) System Generated Passwords (SGP) c) Challenge Handshake Authentication Protocol (CHAP) d) Kerberos |
Kerberos
|
|
|
Which password cracking technique will eventually figure out Jim's hard-to-guess
password? a) Hybrid attack b) Brute force attack c) Dictionary attack d) Long-term attack |
Brute force attack
|
|
|
Stateful inspection of packets is an example of which kind of access control?
a) Prevention b) Detection c) Suspension d) Eradication |
Prevention
|
|
|
Which are the three common methods used in password cracking?
a) Dictionary, hybrid, and brute force b) Word list, brute force, and distributed c) John the ripper, LOphtcrack, and hydra d) SAM, passwd, and shadow |
Dictionary, hybrid, and brute force
|
|
|
Which of the following are among the primary design types used for access
control systems today? a) Mandatory, discretionary, and role-based b) Interaction, fixed, and closed c) Subject-based, object-based, and file-based d) Mandatory, optional, and discretionary |
Mandatory, discretionary, and role-based
|
|
|
Which of the following access control techniques associates a group of users and their privileges with each
object? a) Role Based Access Control b) Token Based Access Control c) List Based Access Control d) User Based Access Control |
List Based Access Control
|
|
|
Which of the following is NOT an example of a Mandatory Access Control (MAC)
technique? a) Secure Communications Processor (SCOMP) b) SMURF c) Pump d) Purple Penelope |
SMURF
|
|
|
Which of the following access control techniques allows the user to feel
empowered and able to change security attributes? a) Discretionary Access Control b) Mandatory Access Control c) Optional Access Control d) User Access Control |
Discretionary Access Control
|
|
|
Which of the following control types is used to provide alternatives to other
controls? a) Compensating b) Deterrent c) Corrective d) Recovery |
Compensating
|
|
|
Your location is one of four commonly accepted items on which authentication
can be based. What are the other three? a) Something you say, type, or press b) Something you have, do, or know c) Something you do, know, type d) Something you know, have, or are |
Something you know, have, or are
|
|
|
What attribute of the Kerberos authentication process makes it so strong?
a) Encrypting the Ticket Granting Ticket (TGT) b) Mutual authentication c) Using a Ticket Distribution Center (TDC) and a Key Granting Server (KGS) d) User defined passwords |
Mutual authentication
|
|
|
Applying which principle represents one of the best ways to thwart internal
attacks using access control systems? a) Principle of Open Access b) Principle of Least Privilege c) Principle of Internal Suppression d) Principle of Trust |
Principle of Least Privilege
|
|
|
There are three primary areas of threat. Of the following items, which is NOT one
of those three areas? a) Threats to business goals b) Threats based on validated data c) Threats that are widely known d) Threats combined with risk |
Threats combined with risk
|
|
|
In terms of information security, what is a vulnerability?
a) A weakness in your systems that allows a threat to occur b) A threat to your security that creates a risk condition c) A combining of both a risk and a threat in the same system d) A risk to your system(s) that cannot be eliminated |
A weakness in your systems that allows a threat to occur
|
|
|
Which are the three generally accepted options for managing risk?
a) Eliminate, quarantine, or insure b) Accept, mediate, or delegate c) Accept, eliminate, or transfer d) Transfer, eliminate, or cogitate |
Accept, eliminate, or transfer
|
|
|
What is the principle that ensures data has not been modified either in transit or while in storage referred
to as? a) Non-repudiation b) Assurance c) Integrity d) Reliability |
Integrity
|
|
|
What is the principle that ensures information is not disclosed to unauthorized
users referred to as? a) Encryption b) Confidentiality c) Encapsulation d) Security |
Confidentiality
|
|
|
The assurance of access to data when it is needed is one of the three key
principles in information security. What is this principle called? a) Availability b) Guaranteed delivery c) Accessibility d) Connectivity |
Availability
|
|
|
Discretionary Access Control (DAC) is one of the many Access Control Models.
Which of the following items is NOT part of the Discretionary Access Control (DAC) model? a) An administrator decides whether a user should have access to an object b) Performed at the discretion of any administrator c) Strictly enforced by the system and cannot be overridden d) Owners can change security attributes |
Strictly enforced by the system and cannot be overridden
|
|
|
Lattice Security Model
|
- Deals with information flow
- Formalizes network security models - Shows how Information can or cannot flow |
|
|
Chinese Wall Security Model
|
(lBrewer and Nash)
- Deals with conflict of intrest - No information flow allowed that could lead to "conflit of intrest" (COI) |
|
|
Bell-LaPadula Security Model
|
- Deal with confidentiality
The are two main rules with BLP: • The Simple Security property, which is No Read Up (NRU) • The * property, which is No Write Down (NWD) |
|
|
BIBA
|
- Deals with integrity
• Simple integrity property: A user cannot write data to a higher integrity level than hers. • Integrity star property: A user cannot read data of a lower integrity level than hers. |
|
|
Clark-Wilson Security Model
|
• Deals with integrity
- Unauthorized users cannot make changes. - This model maintains internal and external consistency at the system level. - Authorized users cannot make unauthorized changes. |
|
|
COLLUSION
|
When more than one person controlling a component
portion collaborates with others to breach the security of a system. |
|
|
Rotation of Duties
|
Rotation of duties occurs when personnel are moved from one job to another at regular intervals.
This helps to detect and minimize fraud. |
|
|
Separation of Duties
|
Separation of duties is considered valuable in deterring fraud because fraud can occur if an
opportunity exists for collaboration between various job-related capabilities. |
|
|
Least Privilege
|
• Access control needs good
administration. • Availability versus security: The best security is no availability. • What is the need of the business? • Reduce the misuse of privilege. |
|
|
Subjects: Active
|
A subject is either a user or process.
|
|
|
Objects: Passive
|
An object is a passive entity that contains data. An object can be files, directories, pipes, devices,
sockets, ports, and so on. |
|
|
Rules: Filters
|
The standard rules for UNIX are Read, Write, and Execute. The standard rules for Windows NT 4 are
Read, Write, Execute, and No Access. The standard rules of NDS and Active Directory are more granular. In Windows 2000, there are about 30 rules, which are also known as permissions. Each rule has a positive and a negative. |
|
|
Labels: Sensitivity
|
Another set of rules with respect to sensitivity of both object and subject is labels
|
