63 Cards in this Set

  • Front
  • Back
User makes a claim as to his or her identity.
Identification
User proves his or her identity using one or more mechanisms.
Authentication
System makes decisions about what resources the user is allowed to access and the manner in which they may be manipulated.
Authorization
System keeps an accurate audit trail of the user's activity.
Accounting
Entities that may be assigned permissions.
Subjects
Types of resources that subjects may access.
Objects
Relationships between subjects and the objects they may access.
Access permissions
Contains access control entries (ACEs) that correspond to access permissions.
Access control list (ACL)
Controls designed to prevent unwanted activity from occurring.
Preventative controls
Type of controls that provide a means of discovering unwanted activities that have occurred.
Detective controls
Controls that are mechanisms for bringing a system back to its original state prior to the unwanted activity.
Corrective controls
Control type used to discourage individuals from attempting to perform undesired activities.
Deterrent controls
Control type implemented to make up for deficiencies in other controls.
Compensatory controls
Four phases of access control.
Identification, authentication, authorization, accounting
Three important access control concepts.
Subjects, objects, access permissions
Five types of access controls.
Preventative, detective, corrective, deterrent, compensatory
Three categories of access control.
Administrative, logical/technical, physical.
Controls constituting policies, procedures, disaster recovery plans, awareness training, security reviews and audits, background checks, reviews of vacation history, separation of duties, and job rotation.
Administrative controls
Control type that restricts access to systems and protects information.
Logical/technical controls
Type of controls used to protect access to the physical facilities housing information systems.
Physical controls
States that the subjects of an access control system should have the minimum set of access permissions necessary to complete their assigned job functions.
Principle of least privilege
The ability to perform critical system functions should be divided among different individuals to minimize the risk of collusion.
Separation of duties
Users should only have access to information that they have a need to know to perform their assigned responsibilities.
Need to know
Users gain different access permissions as they move from position to position in an organization but old permissions are not revoked.
Privilege creep
Authorization of the subject's access to an object depends on labels that indicate the subject's clearance and the classification or sensitivity of the related object.
Mandatory access control (MAC)
Access control type where the subject has authority to specify which objects can be accessed.
Discretionary access control (DAC)
Access control type where the administrator determines which subjects can have access to certain objects based on an organization's security policy.
Non-discretionary access control (NDAC) also known as role based access control (RBAC)
Access control type where the administrator specifies upper and lower bounds of the authority for each subject and uses those boundaries to determine access permissions.
Lattice based access control (LBAC)
Four types of access control systems.
MAC, DAC, NDAC (RBAC), LBAC
A central authentication and/or authorization point for an enterprise.
Centralized access control system
A series of diverse access control systems at different points throughout the enterprise.
Decentralized access control systems
Technology that enables centralized authentication.
Single sign on (SSO)
Software used on a network to establish a user's identity.
Kerberos
Three components of Kerberos.
Key distribution center (KDC), Authentication service (AS), Ticket granting service (TGS)
A public-key-based alternative to Kerberos.
SESAME
Three authentication factors.
Something you know, something you have, something you are
Using at least two authentication factors.
Two-factor authentication
The most commonly implemented authentication technique.
Passwords
Four different kinds of tokens
Static password, synchronous dynamic password, asynchronous dynamic password, challenge-response token
Token type where the owner authenticates himself to the token and the token authenticates the owner to the system.
Static password token
Token type where the token generates a new unique password at fixed time intervals; the user enters that password and a user name into the system, and the system confirms that the password and user name are correct and were entered during the allowed time interval.
Synchronous dynamic password token
Same as the synchronous dynamic password token except no time dependency.
Asynchronous dynamic password token
Token type where the system or workstation generates a random-number challenge, the owner enters that string into the token along with the proper PIN, and the token generates a response that is entered into the system.
Challenge-response token
The percentage of cases in which a valid user is incorrectly rejected by the system.
False rejection rate (FRR), also known as a Type I error
The percentage of cases in which an invalid user is incorrectly accepted by the system.
False acceptance rate (FAR), also known as a Type II error
The rate at which FRR=FAR for any given system.
Crossover error rate (CER)
Three evaluation factors for biometric techniques.
Enrollment time, throughput rate, acceptability
The amount of time that it takes to add a new user to a biometric system.
Enrollment time
The number of users that may be authenticated to a biometric system per minute.
Throughput rate
The likelihood that users will accept the use of a biometric technique.
Acceptability
Six types of attack.
Brute force, dictionary, spoofing, denial of service, man in the middle, sniffer.
The type of attack where the attacker simply guesses passwords until eventually succeeding.
Brute force attack
Type of attack where the attacker uses the password encryption algorithm to encrypt a dictionary of common words and then compares the encrypted words to the password file.
Dictionary attack
Type of attack where an individual or system poses as a third party.
Spoofing
Type of attack where the system is flooded with traffic so that it cannot provide service to legitimate users.
Denial of service (DoS)
Type of attack where the attacker can monitor all traffic occurring on the same network segment.
Sniffer
An effective way to assess the security of a system.
Penetration test
Two types of monitored environment for IDS.
Host based, network based
Two types of detection methodology for IDS.
Signature based, Anomaly based
IDS that resides on a single system and monitors the system's event log and audit trail for signs of unusual activity.
Host based IDS
IDS that performs real-time monitoring in a passive manner by monitoring all of the traffic on a specific network segment.
Network based IDS
IDS that stores characteristics of an attack and then compares activity in a monitored environment to those characteristics.
Signature based IDS
IDS that measures user, system, and network behavior over an extended period of time to develop baselines.
Anomaly based IDS