81 Cards in this Set
- Front
- Back
User makes a claim as to his or her identity.
|
Identification
|
|
User proves his or her identity using one or more mechanisms.
|
Authentication
|
|
System makes decisions about what resources the user is allowed to access and the manner in which they may be manipulated.
|
Authorization
|
|
System keeps an accurate audit trail of the user's activity.
|
Accounting
|
|
Entities that may be assigned permissions.
|
Subjects
|
|
Types of resources that subjects may access.
|
Objects
|
|
Relationships between subjects and the objects they may access.
|
Access permissions
|
|
Contains access control entries (ACEs) that correspond to access permissions.
|
Access control list (ACL)
|
|
Controls designed to prevent unwanted activity from occurring.
|
Preventative controls
|
|
Type of controls that provide a means of discovering unwanted activities that have occurred.
|
Detective controls
|
|
Controls that are mechanisms for bringing a system back to its original state prior to the unwanted activity.
|
Corrective controls
|
|
Control type used to discourage individuals from attempting to perform undesired activities.
|
Deterrent controls
|
|
Control type implemented to make up for deficiencies in other controls.
|
Compensatory controls
|
|
Four phases of access control.
|
Identification, authentication, authorization, accounting
|
|
Three important access control concepts.
|
Subjects, objects, access permissions
|
|
Five types of access controls.
|
Preventative, detective, corrective, deterrent, compensatory
|
|
Three categories of access control.
|
Administrative, logical/technical, physical.
|
|
Controls constituting policies, procedures, disaster recovery plans, awareness training, security reviews and audits, background checks, reviews of vacation history, separation of duties, and job rotation.
|
Administrative controls
|
|
Control type that restricts access to systems and the protection of information.
|
Logical/technical controls
|
|
Type of controls used to protect access to the physical facilities housing information systems.
|
Physical controls
|
|
States that the subjects of an access control system should have the minimum set of access permissions necessary to complete their assigned job functions.
|
Principle of least privilege
|
|
The ability to perform critical system functions should be divided among different individuals to minimize the risk of collusion.
|
Separation of duties
|
|
Users should only have access to information that they have a need to know to perform their assigned responsibilities.
|
Need to know
|
|
Users gain different access permissions as they move from position to position in an organization but old permissions are not revoked.
|
Privilege creep
|
|
Authorization of the subject's access to an object depends on labels which indicate a subject's clearance and the classification or sensitivity of the related object.
|
Mandatory access control (MAC)
|
|
Access control type where the subject has authority to specify what objects can be accessible.
|
Discretionary access control (DAC)
|
|
Access control type where the administrator determines which subjects can have access to certain objects based on an organization's security policy.
|
Non-discretionary access control (NDAC) also known as role based access control (RBAC)
|
|
Access control type where the administrator specifies upper and lower bounds of the authority for each subject and uses those boundaries to determine access permissions.
|
Lattice based access control (LBAC)
|
|
Four types of access control systems.
|
MAC, DAC, NDAC (RBAC), LBAC
|
|
A central authentication and/or authorization point for an enterprise.
|
Centralized access control system
|
|
A series of diverse access control systems at different points throughout the enterprise.
|
Decentralized access control systems
|
|
Technology that enables centralized authentication.
|
Single sign on (SSO)
|
|
Software used on a network to establish a user's identity.
|
Kerberos
|
|
Three components of Kerberos.
|
Key distribution center (KDC), Authentication service (AS), Ticket granting service (TGS)
|
|
A public key based alternative to Kerberos.
|
SESAME
|
|
Three authentication factors.
|
Something you know, something you have, something you are
|
|
Using at least two authentication factors.
|
Two-factor authentication
|
|
The most commonly implemented authentication technique.
|
Passwords
|
|
Four different kinds of tokens
|
Static password, synchronous dynamic password, asynchronous dynamic password, challenge-response token
|
|
Token type where the owner authenticates himself to the token and the token authenticates the owner to the system.
|
Static password token
|
|
Token type where the token generates a new unique password at fixed time intervals, user enters a unique password and user name into the system, and the system confirms that the password and user name are correct and were entered during the allowed time interval.
|
Synchronous dynamic password token
|
|
Same as the synchronous dynamic password token except no time dependency.
|
Asynchronous dynamic password token
|
|
Token type where the system or workstation generates a random number challenge; the owner enters that string into the token along with the proper PIN, and the token generates a response that is entered into the system.
|
Challenge-response token
|
|
The percentage of cases in which a valid user is incorrectly rejected by the system.
|
False rejection rate (FRR), also known as a Type I error
|
|
The percentage of cases in which an invalid user is incorrectly accepted by the system.
|
False acceptance rate (FAR), also known as a Type II error
|
|
The rate at which FRR=FAR for any given system.
|
Crossover error rate (CER)
|
|
Three evaluation factors for biometric techniques.
|
Enrollment time, throughput rate, acceptability
|
|
The amount of time that it takes to add a new user to a biometric system.
|
Enrollment time
|
|
The number of users that may be authenticated to a biometric system per minute.
|
Throughput rate
|
|
The likelihood that users will accept the use of a biometric technique.
|
Acceptability
|
|
Six types of attack.
|
Brute force, dictionary, spoofing, denial of service, man in the middle, sniffer.
|
|
The type of attack where the attacker simply guesses passwords until eventually succeeding.
|
Brute force attack
|
|
Type of attack where the attacker uses the password encryption algorithm to encrypt a dictionary of common words and then compares the encrypted words to the password file.
|
Dictionary attack
|
|
Type of attack where an individual or system poses as a third party.
|
Spoofing
|
|
Type of attack where the system is flooded with traffic so that it cannot provide service to legitimate users.
|
Denial of service (DoS)
|
|
Type of attack where the attacker can monitor all traffic occurring on the same network segment.
|
Sniffer
|
|
An effective way to assess the security of a system.
|
Penetration test
|
|
Two types of monitored environment for IDS.
|
Host based, network based
|
|
Two types of detection methodology for IDS.
|
Signature based, Anomaly based
|
|
IDS that resides on a single system and monitors the system's event log and audit trail for signs of unusual activity.
|
Host based IDS
|
|
IDS that performs real time monitoring in a passive manner by monitoring all of the traffic on a specific network segment.
|
Network based IDS
|
|
IDS that stores characteristics of an attack and then compares activity in a monitored environment to those characteristics.
|
Signature based IDS
|
|
IDS that measures user, system, and network behavior over an extended period of time to develop baselines.
|
Anomaly based IDS
|
|
Common identification methods
|
User ID, account number, PIN number, badge, biometrics
|
|
Requires that the clock in the token remains in sync by 3-4 minutes with the clock in the authentication server
|
Time based synchronization
|
|
Synchronization through a counter that is incremented with each use
|
Event based synchronization
|
|
Token that uses challenge response technology
|
Asynchronous token device
|
|
Credit card shaped tokens containing one or more microprocessor chips
|
Smart card
|
|
Magnetic stripe cards that provide identification/authentication to applications
|
Memory card
|
|
Static biometric types
|
Fingerprint, palm print, hand geometry, retina scan, iris scan
|
|
Dynamic biometric types
|
Voice pattern, facial recognition, keystroke dynamics, signature dynamics
|
|
Three biometric device characteristics
|
Accuracy, acceptability, reaction time
|
|
Guides the implementation of certificate based authentication and ensures a consistent level of protection for the systems and data
|
Certificate policy (CP)
|
|
Allows a client to provide a username and password with an HTTP request
|
Basic authentication
|
|
HTTP authentication method that sends the password using an MD5 hash
|
Digest access authentication
|
|
HTTP authentication method that allows a user's authenticated identity from his working environment to be used to access a server
|
Integrated Windows authentication
|
|
User account creation and access authorization are performed by system administrators
|
Classic access control
|
|
HR department adds new staff to the user database and line managers authorize workers as they are assigned tasks
|
Common access control
|
|
A system that allows individuals to use the same credentials to log into the networks of more than one enterprise
|
Federated identity management (FIM)
|
|
Access is based on a list of rules that determine what accesses are granted
|
Rule based access control
|
|
Access is based on job functions that the user is assigned to perform
|
Role based access control (RBAC)
|