77 Cards in this Set

  • Front
  • Back
Access Controls include the following processes:
Identification
Authentication
Authorization
Auditing
What are the AAA's of access control?
Authentication
Authorization
Auditing
Define the "Identification" access control process.
Identification identifies the subject. Examples include a username or a user ID number.
Define the "Authentication" access control process.
Authentication is the process of validating a subject's identity. It includes the identification process, the user providing input to prove identity, and the system accepting that input as valid.
Define the "Authorization" access control process.
Authorization is the granting or denying a subject's access to an object based on the level of permissions or the actions allowed on the object.
Define the "Auditing" access control process.
Auditing (also referred to as accounting) is maintaining a record of a subject's activity within the information system.
List the access control classifications.
Preventive
Detective
Corrective
Deterrent
Recovery
Compensative
Administrative
Technical
Physical
Define a Preventive access control.
Preventive access controls deter intrusion or attacks, for example, separation of duties or dual-custody processes.
Define Detective access controls.
Detective access controls search for details about the attack or the attacker, for example, intrusion detection systems.
Define Corrective access controls.
Corrective access controls implement short-term repairs to restore basic functionality following an attack.
Define Deterrent access controls.
Deterrent access controls discourage the continuation or escalation of an attack while it is in progress.
Define Recovery access controls.
Recovery access controls restore the system to normal operations after the attack and short-term stabilization period.
Define Compensative access controls.
Compensative access controls are alternatives to primary access controls.
Define Administrative access controls.
Administrative controls are policies that describe accepted practices. Examples are directive policies and employee awareness training.
Define Technical access controls.
Technical controls are computer mechanisms that restrict access. Examples are encryption, one-time passwords, access control lists, and firewall rules.
Define Physical access controls.
Physical controls restrict physical access. Examples are perimeter security, site location, networking cables, and employee segregation.
On a computer network, what is an example of a Directory Service?

What type of classifications of access control does a directory service fall under?
A Directory Service is an example of a technical access control system.

Examples:
Active Directory for Microsoft Windows networks.
Novell's eDirectory for NetWare, Linux, and Windows networks.
LDAP
How does a Directory Service satisfy the Access control process?
Identification is performed during logon by supplying a valid unique account for each subject.

Authentication is performed during logon by supplying the password or other requirements for proving identity.

Authorization to use network resources, such as files, printers, or computers, is controlled by identifying permissions or rights.

Auditing is performed by the operating system as it tracks actions taken by subjects on objects.
In the Bell-LaPadula model, how does the * property differ from the strong * property?
- Star property (* property) imposes a no-write-down rule. Subjects cannot modify objects at lower classification levels.

- Strong star property (strong * property) imposes a no-write-up or read-down rule. The strong * property contains subjects in one layer, bounded by upper and lower constraints.
Which academic model(s) address confidentiality? Integrity?
- Integrity: Biba, Clark-Wilson, Brewer and Nash Module/Chinese Wall, Lipner, Lee-Shockley, Jueneman

- Confidentiality: Bell-LaPadula, Brewer and Nash Module/Chinese Wall
Which academic model addresses conflict of interest?
Brewer and Nash Module/Chinese Wall
Which model(s) are examples of Mandatory Access Control (MAC)?
Bell-LaPadula, Biba
What are the integrity goals included in the Clark-Wilson model?
- No unauthorized user can make changes.

- No authorized user can make unauthorized changes.

- Consistency must be maintained (internal and external).
What are the requirements for the Clark-Wilson model?
- Identification and authentication of subjects.

- Restriction of the programs that can manipulate objects.

- Restriction of the programs that subjects can execute.
- Maintenance of an audit log.

- Certification of the system to work properly.
How does role-based access control differ from rule-based access control?
- Rule-Based: Rule Based Access Control (RBAC) introduces acronym ambiguity by using the same four-letter abbreviation (RBAC) as Role Based Access Control.
Under Rules Based Access Control, access is allowed or denied to resource objects based on a set of rules defined by a system administrator. As with Discretionary Access Control, access properties are stored in Access Control Lists (ACL) associated with each resource object. When a particular account or group attempts to access a resource, the operating system checks the rules contained in the ACL for that object.
Examples of Rules Based Access Control include situations such as permitting access for an account or group to a network connection at certain hours of the day or days of the week.
As with MAC, access control cannot be changed by users. All access permissions are controlled solely by the system administrator.

- Role-Based: Role Based Access Control (RBAC), also known as Non-discretionary Access Control, takes more of a real-world approach to structuring access control. Access under RBAC is based on a user's job function within the organization to which the computer system belongs.
Essentially, RBAC assigns permissions to particular roles in an organization. Users are then assigned to that particular role. For example, an accountant in a company will be assigned to the Accountant role, gaining access to all the resources permitted for all accountants on the system. Similarly, a software engineer might be assigned to the developer role.
Roles differ from groups in that while users may belong to multiple groups, a user under RBAC may only be assigned a single role in an organization. Additionally, there is no way to provide individual users additional permissions over and above those available for their role. The accountant described above gets the same permissions as all other accountants, nothing more and nothing less.
How does explicit deny differ from explicit allow?
- Explicit deny ACE: An ACE applied directly to the resource that denies access. An explicit deny will always override all other permissions.

- Explicit allow ACE: An ACE applied directly to the resource that grants access. An explicit allow will always override an inherited deny but will always be overridden by explicit deny ACEs.
Which form of authentication is generally considered the strongest?
Multi-Factor Authentication
What is the difference between synchronous and asynchronous token devices?
Synchronous tokens show a value dependent on the time. They are "Synchronized" with a server so that values can be verified.

Asynchronous devices use an entered PIN/code to generate a value. During authentication the prompted PIN/code is entered into the device, and the return value generated by the device is expected for authentication.
What is the difference between strong authentication and two-factor authentication?
"Strong authentication" is the use of two forms of authentication, not necessarily from different authentication factors (i.e., something you know, something you have, and something you are).
How do behavioral biometric systems work? What types of information do they use for authentication?
Behavioral biometric systems are characterized by a behavioral trait that is learned and acquired over time.
What are the components of a strong password policy?
- Requires passwords 8 characters or longer
- Prevents the use of the username or a dictionary word (or common variations) in the password
- Requires the use of numbers and symbols
- Forces periodic password changes and prevents the use of previous passwords
What additional benefits does SESAME provide over Kerberos?
Supports access control (through access control lists), asymmetric keys, PKI systems, and auditing.
What are the main advantages of SSO authentication? Disadvantages?
Advantages:
- It is a more efficient logon process. Users only need to type their user ID and password once.
- The user can create stronger passwords because there aren't so many passwords to remember.
- The need for multiple passwords and change synchronization is avoided.
- Access to all authorized resources with a single instance of authentication through a single set of user credentials.
- Inactivity timeout and attempt thresholds are applied closer to the user point of entry.
- Improved effectiveness of disabling all network and computer accounts for terminated users because of SSO's ability to add and delete accounts across the entire network from a centralized database and one user interface.

Disadvantages:
- Once a user's ID and password are compromised in the system, an intruder can access all of the resources authorized for the user without constraint.
- The system security policy must be followed to ensure access granted and/or limited to appropriate users.
- Implementation with microcomputer systems is difficult and can prevent full implementation.
- Ticket schemes do not scale very well.
- SSO presents a single point of failure.
What is the relationship between keys and subjects in Kerberos?
I think this is the answer. Key = Ticket generated by Key Distribution Center (KDC)

- Users authenticate to a central entity called a Key Distribution Center (KDC).
- The Ticket Granting Service (TGS) on the KDC gives authenticated users a 'ticket'/'key'. This ticket identifies the user as an authenticated user. The ticket also includes a time stamp. For this reason, a Kerberos solution requires time synchronization on the network to ensure accurate time stamps.
- When the user attempts to access a resource, the ticket is checked to see if access is allowed.
In what ways are HAVAL different from SHA-1? Which method provides greater security?
.
What service or function is provided by hashes?
Allows data integrity validation
What is collision and why is this condition undesirable in a hashing algorithm?
A collision is when two separate pieces of information produce the same hash when passed through a hashing algorithm. This can be used for password exploitation, as it allows users to generate the requested hash without knowing the actual text/data.
How are hashes used in digital signatures?
A digital signature includes the information's hash so that the receiver can verify that the information has not been altered.
How do digital signatures provide confidentiality, integrity validation, strong authentication, and non-repudiation?
Confidentiality: Can be used to encrypt information
Integrity Validation: Included Hash value allows receiver to compare hash and verify data Integrity.
Strong Authentication: Digital signatures allow for the verification of the sender's information.
Non-repudiation: Only one person can digitally sign with personal key. So you know who signed the information and they can't deny it.
Why is high amplification an indicator of a good hashing algorithm?
Assists with obscuring what the original information was, as slight variations in the text cause large differences in the hash.
How does a dictionary attack differ from a brute force attack?
A dictionary attack uses a list of known passwords. If the password is not on the list, it will not be cracked.

Brute force attacks use all possible combinations. This takes an extremely long time but will always eventually succeed.
How does having chosen plaintext enhance an attacker's chances of breaking the code over having known plaintext only?
Allows the attacker to see how changes in the plaintext affect the ciphertext.
Why are strong passwords a good countermeasure for a dictionary attack?
Most likely the dictionary will not include the strong password.
When is the most probable time for a chosen plaintext attack to occur?
Lunchtime or midnight attack; generally when the user is away from the keyboard.
What is the goal of a replay attack?
By resending the same information stream, the attacker hopes to access restricted resources.
What functions are performed by the Data Link layer?
Raw transmittal of information. Hubs, switches, MAC address based routing. Ethernet frames.
Which devices operate at the Network Layer?
Routers, most firewalls
How does the TCP/IP Network Access layer relate to the OSI model?
TCP is on the Transport layer

IP is on the network layer
What are the three categories of port ranges?
Known: 0 - 1023
Registered: 1024 - 49,151
Dynamic: 49,152 - 65,535

Well Known, Assigned to specific protocols and services: 0-1023

Registered, ICANN can assign a specific port for a newly created network service: 1024 - 49,151

Dynamic, (Private or High), Assigned when a network service establishes contact and released when not in use: 49,152 - 65,535
How do peer-to-peer networks differ from client/server networks? What are the strengths of each?
Peer-to-peer networks have multiple points of failure; all nodes can communicate with each other, so they are more fault tolerant. In client/server networks, clients have to register, and there is a single point of failure, but administration is easier.
Name the IPv4 Private Address Ranges
10.0.0.0 to 10.255.255.255

172.16.0.0 to 172.31.255.255

192.168.0.0 to 192.168.255.255
Name the following ports: 20, 21
File Transfer Protocol (FTP)
Name the following port: 22
Secure Shell (SSH)
Name the following port: 23
Telnet
Name the following port: 25
Simple Mail Transfer Protocol (SMTP)
Name the following port: 50, 51
IPSec
Name the following port: 53
Domain Name Server (DNS)
Name the following port: 67, 68
Dynamic Host Configuration Protocol (DHCP)
Name the following port: 69
Trivial File Transfer Protocol (TFTP)
Name the following port: 80
HyperText Transfer Protocol (HTTP)
Name the following port: 110
Post Office Protocol (POP3)
Name the following port: 119
Network News Transport Protocol (NNTP)
Name the following port: 123
NTP, Network Time Protocol
Name the following port: 135-139
NetBIOS
Name the following port: 143
Internet Message Access Protocol (IMAP4)
Name the following port: 161
Simple Network Management Protocol (SNMP)
Name the following port: 389
LDAP, Lightweight Directory Access Protocol
Name the following port: 443
HTTP with Secure Sockets Layer (SSL)
Describe a Generation one Firewall:
The packet filtering firewall:

- Operates at OSI layer 3 (Network layer).
- Uses ACLs or filter rules to control traffic.
- Filters packets based on IP addresses, ports, and service protocols.
- Offers high performance because it only examines addressing information in the packet header.
- Is not very intelligent thus it is subject to DoS and buffer overflow attacks.
Describe a Generation Two Firewall
The application layer firewall (also referred to as a proxy firewall):

- Operates at OSI Layer 7 (Application layer).
- Causes a break known as an air gap between the client and the source server. The firewall then acts as a proxy between the server and the client.
- Examines the entire message content (not just individual packets).
- Can implement restrictions based on individual users.
- Can cache the frames that have been authenticated to optimize subsequent connections.
- Is the slowest form of firewall because entire messages are reassembled at the Application layer.
- Uses access controls to control both inbound and outbound traffic.


The circuit proxy filter:

- Operates at OSI Layer 5 (Session layer).
- Is very comparable to the packet filtering firewall, but it breaks the connections and acts as a proxy between the server and the client.
- Ensures that the TCP three-way handshake process occurs only when appropriate.
- Verifies sequencing of session packets.
Describe a Generation three Firewall:
The stateful inspection firewall:

- Operates at OSI layer 3 (Network layer) and 4 (Transport layer).
- Allows only valid packets within approved sessions.
- Malicious activities, suspect commands, and questionable activity patterns can be detected and blocked.
- Requires significant system capabilities to process the content of packets.
- Operates faster than an application level gateway because it does not examine packets beyond the Network layer.
Describe a Generation four Firewall:
The dynamic packet filtering firewall:

- Is a combination of the generation one packet filter and the generation two stateful inspection firewalls.
- Opens and closes the ports dynamically if the inbound response is a stateful response to an internal requested frame.
Describe a Generation five Firewall:
The kernel proxy filtering firewall:

- Operates at ring zero of the operating system whereas all other generations operate at ring 3.
- Is much stronger and faster than the earlier-generation firewalls.
Describe a "Screened host" firewall deployment type.
A screened host places a firewall between the Internet and LAN. The firewall directs all traffic to an application gateway server. Traffic must pass through filters in the application server to reach the LAN.
Describe a "TCP wrapper" firewall deployment type.
A TCP wrapper is a host-based network ACL system (i.e. daemon or network service) that intercepts connection requests. If the connection request is authorized, the request is passed on to the inetd daemon that processes and supports the requested communication. TCP wrappers are mainly found on UNIX and Linux systems.
Describe a "Screened subnet" firewall deployment type.
A screened subnet places two firewalls between the Internet and the LAN. A buffer zone, or demilitarized zone (DMZ), is placed between the two firewalls.

- The DMZ is created using two firewall devices--one connected to the public network and one connected to the private network. You can also create a screened subnet using a single device with three network cards--one connected to the public network, one connected to the private network, and one connected to the screened subnet.
- Publicly-accessible resources (servers) are placed inside the screened subnet. Examples of publicly-accessible resources include Web, FTP, or e-mail servers.
- Packet filters on the outer firewall allow traffic directed to the public resources inside the DMZ. Packet filters on the inner firewall prevent unauthorized traffic from reaching the private network.
- If the firewall managing traffic into the DMZ fails, only the servers in the DMZ are subject to compromise. The LAN is protected by default.
Describe a "Bastion" or "Sacrificial Host" firewall deployment type.
In a broad sense, a bastion host is any host that is exposed to attack and that has been hardened (or fortified) against those attacks. The bastion host is sometimes referred to as a sacrificial host because it is assumed that it will be subject to attack. The term has been applied to the following types of devices:

- A host that is exposed on the network and is not protected by a firewall device.
- The device that provides the firewall service to the screened network behind it. Attacks must pass through the bastion host before they are allowed inside the screened subnet.
- A honey pot device that is purposefully exposed to attack in order to distract attackers.

The following actions should be taken to harden a bastion host:

- Fully patch your bastion host on the operating system and on applications.
- Run current versions of anti-virus and anti-spyware software.
- Include a personal firewall.
- Uninstall any unnecessary applications or utilities.
- Disable and lock down all unnecessary services and ports.
- Tighten security on the registry and the user database.
- Add IP filters.
- Run lock down facilities such as IIS lock down and URLScan.