Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
82 Cards in this Set
- Front
- Back
|
What is the security triad
|
Confidentiality
Integrity Availability |
|
|
AKA for security triad
|
CIA triad or AIC
|
|
|
Keeping information and communications private (trade secrets, personnel records)
|
Confidentiality
|
|
|
Keeping organization information accurate, without error, and without unauthorized modifications (modifying grades)
|
Integrity
|
|
|
Ensuring the the systems operate continuously and that authorized persons can access data they need.
|
Availability
|
|
|
What is access control
|
determining and assigning privileges to various resources, objects, data
|
|
|
What is reference monitor (RM)
|
component of some access control systems that determines if the subject can access the object
|
|
|
What implements RM in the OS
|
security kernel
|
|
|
Security principal that limits the need to know certain information.
|
Least Privilege
|
|
|
Security principal based on an individual's need to access classified data.Only access required info.
|
Need to know
|
|
|
Division of tasks between different people to complete a business process or work function
|
Separation of duties
|
|
|
Access control service types
|
I&A
Authorization Audit |
|
|
Identification and authentication provides a unique identifier for each authorized subject followed by a method to ensure identity of the subject
|
I&A
|
|
|
Determines the capabilities or rights of the subject when accesses the object
|
Authorization
|
|
|
Creates a log or record of activities on the system
|
Audit
|
|
|
Access Control Services Implementation
|
1. Identifying
2. Verifying 3. Evaluating 4. Audit trail 5. Review logs |
|
|
Access Control Category Functions
|
1. Preventative
2. Detective 3. Corrective 4. Deterrent 5. Recovery 6. Compensating |
|
|
Access Control Types
|
1. Administrative (rules/policies)
2. Physical (Locks/doors) 3. Technical (UserID lock out) |
|
|
Access Control Matrix
|
File and user and access for to each
|
|
|
Restricting access based on the identity of the subjects and/or groups they belong (User ID and pwd)
|
Discretionary Access Control (DAC)
|
|
|
Access Control List (ACL) - Discretionary Access Control (DAC)
|
list of permissions that is associated with each object.
|
|
|
Means of restriction access based on the sensitive of the information contained (Top Secret, Secret, Confidential) and the formal authorization of subjects to access the info. Owner can not override
|
Mandatory Access Control (MAC)
|
|
|
Non-Discretionary Access Control Techniques
|
1. RBAC
2. Rule Based 3. Content Dependent 4. Constrained interfaces 5. Time-Based |
|
|
RBAC - Role based
|
subjects access is based on job - SA moves to FLM
Good when high turnover |
|
|
Rule Based
|
Based on operational rules or restrictions
Firewalls |
|
|
Content Dependent
|
Limits based on the data inside (SSS#, payroll)
|
|
|
Constrained interfaces
|
Limits access by constraining the interface
|
|
|
Time-Based
|
Limits when an individual can access the system (only 8 to 5)
|
|
|
3 layer authentication
|
Something you know
Something you have Something you are |
|
|
Something you know
|
pwd
pass-phrase - aka virtual pwd PIN |
|
|
Something you have
|
Smart card
Badge credit card/strip card |
|
|
Something you are
|
biometrics
|
|
|
Types of Biometrics
|
fingerprint (physical)
hand print (physical) hand geometry (physical) Irus scan (physical) Retina scan (physical) voiceprint (behavioral) facial recognition (behavioral) |
|
|
Best type of Biometrics
|
Iris scan
|
|
|
Biometric errors
|
type 1 - false rejection - authorized individual is denied
type 2 - false acceptance rates (FAR) |
|
|
Strong/Two - factor authentication
|
Use more than one method of authentication
|
|
|
Single Sign On (SSO) methods
|
Kerberos
SESAME KryptoKnight |
|
|
Access Control Admin Methods
|
Centralized - one group of admins
Decentralized - SAs perform Hybrid |
|
|
Concept that indicates exposure to the chance of of damage or loss
|
Risk
|
|
|
Risk impacts/affects
|
loss of system
loss of power loss of network people processes practices |
|
|
DoS - software based access control attacks
|
Availability - attacks so it can no longer be accessed
*ping effect - are you there? are you there? |
|
|
Malicious software - software based access control attacks
|
Causes system failure - virus, worm, spyware
|
|
|
Brute Force- software based access control attacks
|
PWD attack - use an app to try every possible pwd
|
|
|
Dictionary- software based access control attacks
|
PWD attack - use predefined words from a dictionary
|
|
|
emanation- software based access control attacks
|
info is leaked due to natural process of electrons passing through wire- over a radio
*can use a Faraday cage |
|
|
Object reuse - software based access control attacks
|
reclaiming classified or sensitive info from media once thought to have been erased
|
|
|
Trapdoor and Backdoor- software based access control attacks
|
trapdoor - hidden entry point allows access bypassing identification and authentication.
backdoor- attacker creates a software mechanism to gain access |
|
|
spoofing- software based access control attacks
|
Attacker assumes an electronic identity to conceal true person
*IP, MAC, DNS *fake bank |
|
|
Sniffing - software-based access control attacks
|
uses monitoring software to monitor
|
|
|
Guessing - Human-based Access Control Attacks
|
guess the pwd through brute force or by using deduction
|
|
|
Shoulder surfing- Human-based Access Control Attacks
|
look over the shoulder
|
|
|
Dumpster diving- Human-based Access Control Attacks
|
looking in the trash
|
|
|
Theft- Human-based Access Control Attacks
|
steal info/resources
|
|
|
Social Engineering- Human-based Access Control Attacks
|
uses deception and trickery
*carry a big box and have people help open the door |
|
|
Spoofing- Human-based Access Control Attacks
|
if employed in a email, where various message headers are changed to conceal the originators identity.
|
|
|
IDS
|
Intrusion detection system
Software solutionn that identifes and addresses ptential attachsk on a computer or network |
|
|
IDS Modes
|
Monitoring
Prevention |
|
|
Types of IDS - Network
|
monitor network traffic and restrict (IPS) or alert (IDS) when unacceptable traffic is seen.
|
|
|
Types of IDS - Host based
|
Installed on a workstation or server - single device
|
|
|
Types of IDS - Signature based
|
uses a predefined set of rules to identify unacceptable traffic
|
|
|
Types of IDS - Anomaly based
|
uses a database of unacceptable traffic patterns - dynamic and create the database during a baseline
|
|
|
Types of IDS - Protocol based
|
Focus on a limited # of protocols instead of the entire network
|
|
|
Types of IDS - Application protocol based
|
similar to protocol based - analize specific application based traffic
|
|
|
Types of IDS - Hybrid
|
2 or more
|
|
|
Types of IDS - Passive/reactive
|
passive - Alerts when violations occur - reactive blocks
|
|
|
Penetration tests
|
Controlled use of attack methods to test the security of a system or facility. Used to verify that access control methods work
|
|
|
Penetration tests
|
1. can be done by internally security & external
2. Testers are given no info about the system (Black box) 3. Testers are given all info (white box) |
|
|
Penetration tests process
|
1. Reconnaissance involves collecting as much info about the target system as possible.
2 . Enumeration - gaining more detailed info. used to find all applications services running the web server. 3. Vulnerability analysis examines the available apps through the port #s 4. Vulnerability are exploited and system penetration occurs |
|
|
Penetration tests - network scanning
|
uses a port scanner to identify devices attacked to the target netork and to enumerate the applications hosted on the devices
*aka finger printing |
|
|
Penetration tests - social engineering
|
Attempts to get info from users.
|
|
|
Penetration tests - War dialing
|
Uses a modem and software to dial a range of phone #s to locate a computer system,
|
|
|
Penetration tests - War driving
|
Locates then attempts to penetrate wireless systems
|
|
|
Penetration tests - Vulnerability scanning
|
exploits known weaknesses in OSs and applications that were identified in recognizance and enumeration
|
|
|
Penetration tests - Blind testing
|
when the target org does not know the testing is happening
|
|
|
Penetration tests - Targeted testing
|
when the target org does know the testing is happening
|
|
|
Directories
|
LDAP
Directory service - allows admin to configure and manage AD - active directory Namespaces - idenfies and naming objects they manage - based on x.500 |
|
|
Web Access Management (WAM)
|
Controls what users can access on the web (log into a bank)
*external entities requesting access to internal object |
|
|
PWD management
|
pwd synchronization - reduces the complexity f keeping up with different pwds - reduces help desk calls
self - service pwd reset - reduces calls to help desk Assist pwd rest - also reduces help desk. includes another type of authentication |
|
|
Legacy single sign on
|
?
|
|
|
Account Management
|
/?
|
|
|
Profile update
|
?
|
|
|
Smart card attacks
|
Side channel attacks - non-intrusive
differential power analysis electromagnetic analysis timing |
