27 Cards in this Set
• Access is a flow of information between a subject and an object.
• A subject is an active entity that requests access to an object, which is a passive entity.
• A subject can be a user, program, or process.
• Confidentiality is the assurance that information is not disclosed to unauthorized subjects.
• Some security mechanisms that provide confidentiality are encryption, logical and physical access control, transmission protocols, database views, and controlled traffic flow.
• Identity management solutions include directories, web access management, password management, legacy single sign-on, account management, and profile update.
• Password synchronization reduces the complexity of keeping up with different passwords for different systems.
• Self-service password reset reduces help-desk call volumes by allowing users to reset their own passwords.
• Assisted password reset shortens the resolution process for password issues for the help-desk department.
• IdM directories contain all resource information, users’ attributes, authorization profiles, roles, and possibly access control policies, so other IdM applications have one centralized resource from which to gather this information.
• An automated workflow component is common in account management products that provide IdM solutions.
• User provisioning refers to the creation, maintenance, and deactivation of user objects and attributes, as they exist in one or more systems, directories, or applications.
• The HR database is usually considered the authoritative source for user identities because that is where an identity is first created and properly maintained.
• There are three main access control models: discretionary, mandatory, and nondiscretionary.
• Discretionary access control (DAC) enables data owners to dictate what subjects have access to the files and resources they own.
• Mandatory access control (MAC) uses a security label system. Users have clearances, and resources have security labels that contain data classifications. MAC compares these two attributes to determine access control capabilities.
• Nondiscretionary access control uses a role-based method to determine access rights and permissions.
• Role-based access control is based on the user’s role and responsibilities within the company.
• Three main types of restricted interface measures exist: menus and shells, database views, and physically constrained interfaces.
• Access control lists are bound to objects and indicate what subjects can use them.
• A capability table is bound to a subject and lists what objects it can access.
• Access control can be administered in two main ways: centralized and decentralized.
• Some examples of centralized administration access control technologies are RADIUS, TACACS+, and Diameter.
• A decentralized administration example is a peer-to-peer working group.
• Examples of administrative controls are a security policy, personnel controls, supervisory structure, security-awareness training, and testing.
• Examples of physical controls are network segregation, perimeter security, computer controls, work area separation, data backups, and cabling.
• Examples of technical controls are system access, network architecture, network access, encryption and protocols, and auditing.
• Access control mechanisms provide one or more of the following functionalities: preventive, detective, corrective, deterrent, recovery, or compensative.
• For a subject to be able to access a resource, it must be identified, authenticated, and authorized, and should be held accountable for its actions.
• Authentication can be accomplished by biometrics, a password, a passphrase, a cognitive password, a one-time password, or a token.
• A Type I error in biometrics means the system rejected an authorized individual, and a Type II error means an impostor was authenticated.
• A memory card cannot process information, but a smart card can.
• Access controls should default to no access.
• Least-privilege and need-to-know principles limit users’ rights to only what is needed to perform the tasks of their job.
• Single sign-on technology requires a user to be authenticated to the network only one time.
• Single sign-on capabilities can be accomplished through Kerberos, SESAME, domains, and thin clients.
• In Kerberos, a user receives a ticket from the KDC so they can authenticate to a service.
• The Kerberos user receives a ticket granting ticket (TGT), which allows the user to request access to resources through the ticket granting service (TGS). The TGS generates a new ticket with the session keys.
• Types of access control attacks include denial of service, spoofing, dictionary, brute force, and wardialing.
• Audit logs can track user activities, application events, and system events.
• Keystroke monitoring is a type of auditing that tracks each keystroke made by a user.
• Audit logs should be protected and reviewed.
• Object reuse can unintentionally disclose information.
• Just removing pointers to files is not always enough protection for proper object reuse.
• Information can be obtained via electrical signals in airwaves. The ways to combat this type of intrusion are TEMPEST, white noise, and control zones.
• User authentication is accomplished by what someone knows, is, or has.
• One-time password-generating token devices can use synchronous or asynchronous methods.
• Strong authentication requires two of the three user authentication attributes (what someone knows, is, or has).
• Kerberos addresses privacy and integrity but not availability.
• The following are weaknesses of Kerberos: the KDC is a single point of failure; it is susceptible to password guessing; session and secret keys are locally stored; the KDC must always be available; and there must be management of secret keys.
• IDSs can be statistical (monitor behavior) or signature-based (watch for known attacks).
• Degaussing is a safeguard against disclosure of confidential information because it returns media to its original state.
• Phishing is a type of social engineering with the goal of obtaining personal information, credentials, credit card numbers, or financial data.