104 Cards in this Set
AAA
* Authentication
* Authorization
* Accountability
On what factors can you base authentication?
* Something you know
* Something you have
* Something you are
What is the difference between IDENTIFICATION and AUTHENTICATION?
* Identification is the act of claiming a specific identity.
* Authentication is the act of verifying that identity.
What are general problems with the use of PASSWORDS and PASSPHRASES?
* INSECURE (due to human nature, e.g., reuse and sharing, and possibly cleartext transmission)
* EASILY BROKEN (e.g., brute-force and dictionary attacks)
* INCONVENIENT (users respond by choosing easy passwords, writing them down, or relying on password managers)
* REFUTABLE (do not provide proof of the user's identity)
What administrative settings should you CONFIGURE for PASSWORDS?
* LENGTH (min of 8-12 chars)
* COMPLEXITY (lcase, ucase, numbers, and symbols)
* AGING
* HISTORY (usually 5)
* LIMITED ATTEMPTS
* LOCKOUT DURATION (commonly 30min)
* LIMITED TIME PERIODS (uncommon)
* SYSTEM MESSAGES (e.g., login banner, last username, last successful login)
FRR
FALSE REJECTION RATE, or TYPE I ERROR, is the percentage of AUTHORIZED users to whom the system INCORRECTLY DENIES ACCESS.
FAR
FALSE ACCEPTANCE RATE or TYPE II ERROR is the percentage of UNAUTHORIZED users to whom the system INCORRECTLY GRANTS ACCESS.
CER
CROSSOVER ERROR RATE is the point at which the FAR (TYPE II) = FRR (TYPE I).

You can ADJUST the FAR and FRR by changing a system's sensitivity (tightening the match threshold lowers FAR but raises FRR, and vice versa); accordingly, CER, the point where the two curves meet, is considered the most important single metric of biometric system accuracy.
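The FAR/FRR trade-off and the CER above, worked through as an added example (not part of the flashcards). The match scores are constructed, and it assumes a matcher that returns a 0-100 similarity score and accepts a sample when the score is at or above a threshold:

```python
# Added example (not from the flashcards): FAR, FRR and the crossover error rate
# computed from constructed matcher scores. Assumption: the matcher returns a
# similarity score 0-100 and a sample is ACCEPTED when score >= threshold.
GENUINE = [95, 92, 90, 88, 85, 83, 80, 78, 75, 70]   # constructed: authorized users
IMPOSTOR = [20, 25, 30, 35, 40, 45, 50, 55, 60, 72]  # constructed: unauthorized users


def frr(threshold, genuine=GENUINE):
    """Type I error: share of authorized users rejected (score below threshold)."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def far(threshold, impostor=IMPOSTOR):
    """Type II error: share of unauthorized users accepted (score at/above threshold)."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def error_curve(genuine=GENUINE, impostor=IMPOSTOR):
    """(threshold, FAR, FRR) for every integer threshold. Raising the threshold
    lowers FAR and raises FRR: the two rates trade off against each other."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in range(101)]


def crossover_error_rate(genuine=GENUINE, impostor=IMPOSTOR):
    """CER: the threshold where FAR and FRR meet, and the error rate there.
    With a finite sample the curves rarely cross exactly, so take the threshold
    with the smallest |FAR - FRR| and report the mean of the two."""
    t, f_a, f_r = min(error_curve(genuine, impostor),
                      key=lambda row: abs(row[1] - row[2]))
    return t, (f_a + f_r) / 2


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold whose FAR stays within max_far, plus the FRR that users
    pay for it. A high-security site tunes toward low FAR and accepts more
    false rejections; a convenience-first site does the opposite."""
    for t, f_a, f_r in error_curve(genuine, impostor):
        if f_a <= max_far:
            return t, f_r
    return None
```

With these scores the curves meet at a threshold of 71 with a CER of 10%; demanding zero false acceptances pushes the threshold to 73 and still rejects one genuine user in ten, which is the cost a high-security deployment knowingly pays.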
What are necessary factors for an effective biometrics access control?
* Accuracy
* Speed & Throughput
* Data storage requirements
* Reliability
* Acceptability
What are common types of PHYSIOLOGICAL biometric access control systems?
* Fingerprint recognition
* Finger scan
* Hand geometry
* Retina pattern
* Iris pattern
What are common types of BEHAVIORAL biometric systems?
* Voice recognition
* Signature dynamics
* Keystroke or typing dynamics
What is a TOKEN?
TOKENS are access control devices (e.g., smart cards, magnetic cards, software):
* STATIC
* SYNCHRONOUS DYNAMIC
* ASYNCHRONOUS (CHALLENGE-RESPONSE)
How does KERBEROS work?
1. The client prompts the subject (e.g., user) for identification and authentication (e.g., username & password). Using this info, the client temporarily generates a secret key for the subject using a 1-way hash and then sends only the subject's identification (e.g., username) to the KEY DISTRIBUTION CENTER (KDC) AUTHENTICATION SERVER (AS). The password/secret key IS NOT sent to the KDC.

2. The AS on the KDC verifies that the SUBJECT (PRINCIPAL) exists in the KDC database. The AS generates a CLIENT/TGS SESSION KEY and encrypts it with the subject's secret key, which only the KDC and the client know. The AS also generates a TICKET GRANTING TICKET (TGT), consisting of the subject's identification, the client network address, the valid period of the ticket, and the CLIENT/TGS SESSION KEY. The AS encrypts the TGT with the secret key of the TICKET GRANTING SERVICE (TGS), which only the KDC knows, then sends the encrypted CLIENT/TGS SESSION KEY and the TGT back to the client.

3. The client decrypts the CLIENT/TGS SESSION KEY using the stored secret key that it generated from the subject's password, thereby authenticating the subject (user), and then erases the stored key to avoid possible compromise. The client can't decrypt the TGT, because it was encrypted with the TGS secret key.

4. When the subject requests access to a specific object (e.g., a server, also called a principal), the client sends the TGT, the object identifier (e.g., server name), and an AUTHENTICATOR to the TGS on the KDC. The authenticator is a separate message containing the client ID and a timestamp, encrypted with the CLIENT/TGS SESSION KEY.

5. The TGS on the KDC decrypts the TGT with its own secret key, recovers the CLIENT/TGS SESSION KEY, and uses it to verify the authenticator. It then generates a CLIENT/SERVER SESSION KEY (encrypted with the CLIENT/TGS SESSION KEY) and a SERVICE TICKET (subject's identification, client network address, valid period of the ticket, and CLIENT/SERVER SESSION KEY). The TGS encrypts the SERVICE TICKET with the secret key of the requested object (server), which only the KDC and the object know. The TGS then sends the encrypted CLIENT/SERVER SESSION KEY and the SERVICE TICKET back to the client.

6. The client decrypts the CLIENT/SERVER SESSION KEY using the CLIENT/TGS SESSION KEY. The client can't decrypt the SERVICE TICKET (the TGS encrypted it with the secret key of the requested object).

7. The client communicates directly with the requested object (server): it sends the SERVICE TICKET and a new authenticator (subject's identification and a timestamp) encrypted with the CLIENT/SERVER SESSION KEY that the TGS generated. The server decrypts the SERVICE TICKET with its own secret key, recovers the CLIENT/SERVER SESSION KEY, and uses it to verify the authenticator, checking the timestamp against its clock (to limit replay) and against a cache of recently seen authenticators. If mutual authentication is requested, the server replies with the timestamp encrypted under the session key, proving it holds the service key.
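The seven steps above, run end to end in one process as an added example (this is illustrative code, not Kerberos's own implementation). The AS, TGS and the file server are plain functions that only ever use the keys the steps say they hold; the cipher is a toy built from SHA-256 and HMAC so the example runs on the standard library (real Kerberos uses AES with HMAC-SHA1/SHA384 and ASN.1 messages). Principal names, passwords, addresses and lifetimes are constructed.

```python
# Added example (not from the flashcards): the Kerberos exchange simulated in
# one process. The cipher is a TOY (SHA-256 keystream XOR plus an HMAC tag),
# not a real Kerberos encryption type. Names, keys and times are constructed.
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.LOCAL"
LIFETIME = 8 * 3600   # ticket validity in seconds
SKEW = 300            # maximum accepted clock skew for authenticators
REPLAY_CACHE = set()  # authenticators the service has already accepted

def string_to_key(password, salt):
    """Step 1: one-way function from password to long-term key. The KDC database
    holds this key; the password itself never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def seal(key, fields):
    """Toy authenticated encryption of a dict (not for real use)."""
    nonce = os.urandom(16)
    plain = json.dumps(fields, sort_keys=True).encode()
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(plain) // 32 + 1))
    body = bytes(p ^ s for p, s in zip(plain, stream))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError if the key is wrong or data was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    stream = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                      for i in range(len(body) // 32 + 1))
    return json.loads(bytes(b ^ s for b, s in zip(body, stream)))

# Constructed KDC database of long-term keys. Only the KDC sees the whole
# table; the file server knows just its own entry.
KDC_DB = {
    "alice": string_to_key("correct horse battery", "alice@" + REALM),
    "krbtgt": os.urandom(32),       # the TGS's own secret key
    "fileserver": os.urandom(32),   # the service's secret key
}

def as_exchange(username, client_addr, now):
    """Steps 1-2 (KDC side): look up the principal, return the Client/TGS
    session key under the client's key and a TGT under the krbtgt key."""
    if username not in KDC_DB:
        raise PermissionError("unknown principal")
    session_key = os.urandom(32)
    tgt = seal(KDC_DB["krbtgt"], {"cname": username, "caddr": client_addr,
                                  "expires": now + LIFETIME, "key": session_key.hex()})
    return seal(KDC_DB[username], {"key": session_key.hex()}), tgt

def tgs_exchange(tgt, authenticator, service, now):
    """Steps 4-5 (KDC side): open the TGT with the krbtgt key, verify the
    authenticator with the session key inside it, issue a service ticket."""
    t = unseal(KDC_DB["krbtgt"], tgt)
    session_key = bytes.fromhex(t["key"])
    auth = unseal(session_key, authenticator)
    if t["expires"] < now or auth["cname"] != t["cname"] or abs(auth["ts"] - now) > SKEW:
        raise PermissionError("expired TGT or bad authenticator")
    svc_key = os.urandom(32)
    ticket = seal(KDC_DB[service], {"cname": t["cname"], "caddr": t["caddr"],
                                    "expires": now + LIFETIME, "key": svc_key.hex()})
    return seal(session_key, {"key": svc_key.hex()}), ticket

def service_accept(service, ticket, authenticator, now):
    """Step 7 (server side): open the ticket with the service's own key, check
    the authenticator under the ticket's session key, reject replays."""
    t = unseal(KDC_DB[service], ticket)
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if t["expires"] < now or auth["cname"] != t["cname"] or abs(auth["ts"] - now) > SKEW:
        raise PermissionError("expired ticket or bad authenticator")
    if (auth["cname"], auth["ts"]) in REPLAY_CACHE:
        raise PermissionError("replayed authenticator")
    REPLAY_CACHE.add((auth["cname"], auth["ts"]))
    return t["cname"]

def login_and_access(username, password, service="fileserver", now=None):
    """Client side of all seven steps; returns the principal name the service
    authenticated. A wrong password surfaces at step 3 as ValueError."""
    now = time.time() if now is None else now
    client_key = string_to_key(password, f"{username}@{REALM}")          # step 1, stays local
    enc_session, tgt = as_exchange(username, "10.0.0.5", now)            # step 2
    session_key = bytes.fromhex(unseal(client_key, enc_session)["key"])  # step 3
    del client_key                                                       # erase the password-derived key
    auth = seal(session_key, {"cname": username, "ts": now})             # step 4
    enc_svc, ticket = tgs_exchange(tgt, auth, service, now)              # step 5
    svc_key = bytes.fromhex(unseal(session_key, enc_svc)["key"])         # step 6
    auth2 = seal(svc_key, {"cname": username, "ts": now})                # step 7
    return service_accept(service, ticket, auth2, now)
```

Two things worth noticing when you run it: a wrong password never reaches the KDC and is only discovered when the client fails to open the AS reply (step 3), and presenting the same authenticator twice is refused by the service's replay cache even though the ticket itself is still valid.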
In KERBEROS, what is a SESSION KEY?
In KERBEROS, a SESSION KEY is a DYNAMIC KEY that is generated when needed, shared between two principals, and then destroyed when no longer needed. A SECRET KEY (a STATIC KEY) is used to encrypt a SESSION KEY.
What are examples of ticket-based authentication technologies that provide SSO?
* Kerberos
* SESAME
* KryptoKnight
What are examples of CENTRALIZED ACCESS CONTROLS?
* LDAP
* RAS
* RADIUS
* Diameter
* TACACS
What are examples of DECENTRALIZED ACCESS CONTROLS?
* Multiple domains and trusts
* Databases
What is LDAP? What are examples of LDAP?
LDAP is LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL. It is an IP PROTOCOL and a DATA MODEL. Examples include:
* Active Directory
* CA eTrust Directory
* Apache Directory Server
* Novell eDirectory
* IBM SecureWay and Tivoli Directory Server
* Sun Directory Server
* OpenLDAP
* tinyldap
What is RAS? What are related examples of protocols?
RAS is REMOTE ACCESS SERVER. It uses POINT-TO-POINT PROTOCOL (PPP) to encapsulate IP packets. PPP authentication protocols include:
* PAP
* CHAP
* EAP
What is PPP?
PPP is POINT-TO-POINT PROTOCOL. Authentication protocols for PPP include:
* PAP
* CHAP
* EAP
What is PAP?
PAP is PASSWORD AUTHENTICATION PROTOCOL. It is used by POINT-TO-POINT PROTOCOL (PPP).

* Transmits passwords in CLEARTEXT, so anyone sniffing the link reads them; a captured request can also simply be replayed
* 2-way handshake (Authenticate-Request from the peer, then Authenticate-Ack or Authenticate-Nak from the authenticator)
What is a 2-way handshake?
In PAP, the 2-way handshake is an authentication exchange, not a TCP connection setup:
1. The peer sends an Authenticate-Request containing its peer ID (username) and password, in cleartext, to the authenticator.
2. The authenticator replies with Authenticate-Ack (accepted) or Authenticate-Nak (rejected). The peer may repeat the request until it is acknowledged or the link is dropped.
What is CHAP?
CHAP is CHALLENGE HANDSHAKE AUTHENTICATION PROTOCOL. It is used by POINT-TO-POINT PROTOCOL (PPP).

* 3-way handshake: the authenticator sends a random CHALLENGE, the peer returns a RESPONSE, and the authenticator replies SUCCESS or FAILURE; the challenge may be repeated at any time during the session to re-authenticate
* Peer and server are preconfigured with a shared secret stored in plain text (the server needs the secret itself to compute the expected response). In MS-CHAP, the server can instead store a one-way hash (the NT hash) of the password
* The peer uses the secret to calculate the response to the server's challenge with an MD5 1-way hash over the identifier, the secret, and the challenge; the secret itself never crosses the link, and a fresh random challenge per exchange defeats replay (though a captured challenge/response pair still allows offline guessing of a weak secret)
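PAP and CHAP side by side, as an added example (not code from the flashcards or from any PPP implementation). The CHAP response follows RFC 1994's MD5 algorithm, Response = MD5(Identifier || secret || Challenge); the shared secret and peer name are constructed:

```python
# Added example (not from the flashcards): PAP versus CHAP over the same link.
# PAP's Authenticate-Request carries the password; CHAP's response is
# MD5(Identifier || secret || Challenge) as in RFC 1994. Secret and peer name
# are constructed.
import hashlib
import hmac
import os
import secrets

SHARED_SECRET = b"ppp-link-secret"  # constructed; held in plaintext by peer and server


def pap_authenticate_request(peer_id, password):
    """PAP two-way handshake, message 1: the password crosses the link as-is."""
    return {"code": "Authenticate-Request", "peer-id": peer_id, "password": password}


def chap_response(identifier, secret, challenge):
    """RFC 1994 section 4.1 with the MD5 algorithm: hash of the one-octet
    Identifier, the secret, and the challenge value, in that order."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_exchange(server_secret, peer_secret, peer_name="peer1"):
    """CHAP three-way handshake: Challenge -> Response -> Success/Failure.
    The server draws a fresh random challenge each time, so a captured
    response cannot be replayed against a later challenge."""
    identifier = secrets.randbelow(256)
    challenge = os.urandom(16)
    response = chap_response(identifier, peer_secret, challenge)       # peer side
    expected = chap_response(identifier, server_secret, challenge)     # server side
    result = "Success" if hmac.compare_digest(response, expected) else "Failure"
    return {"challenge": (identifier, challenge),
            "response": (peer_name, response),
            "result": result}


def offline_dictionary_attack(identifier, challenge, response, candidates):
    """What a sniffer can still do: the secret never crosses the link, but one
    captured Challenge/Response pair lets an attacker test guesses offline at
    the cost of one MD5 each; a weak secret falls quickly."""
    for guess in candidates:
        if chap_response(identifier, guess, challenge) == response:
            return guess
    return None
```

The contrast is the point: with PAP a sniffer reads the password directly, with CHAP it gets only a challenge/response pair, which protects a strong secret but not a guessable one.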
What is EAP?
EAP is EXTENSIBLE AUTHENTICATION PROTOCOL. It is used by POINT-TO-POINT PROTOCOL (PPP).

* Adds flexibility to PPP (e.g., MD5 challenge, S/Key, generic token card, digital certificates)
* Often implemented by wireless networks
What is RADIUS?
RADIUS is REMOTE AUTHENTICATION DIAL-IN USER SERVICE.

* Provides authentication, authorization, and accountability (AAA) services
* Uses UDP (port 1812 for authentication and 1813 for accounting; some older deployments still use 1645/1646)
* Only the User-Password attribute is hidden between the RADIUS client (the NAS) and the RADIUS server, using an MD5 keystream derived from the shared secret; the rest of the packet is cleartext. Between the user's client and the RADIUS client, protection depends on the PPP method chosen (e.g., none if PAP is selected).
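How the RADIUS client hides the User-Password attribute on its way to the server, as an added example (not from the flashcards or from any RADIUS implementation). It follows RFC 2865 section 5.2, and also shows why "encrypted" overstates the protection: the shared secret, password and Request Authenticator are constructed values.

```python
# Added example (not from the flashcards): RADIUS User-Password hiding
# (RFC 2865 section 5.2) and the offline attack on a weak shared secret.
# Secret, password and Request Authenticator are constructed.
import hashlib
import os

SHARED_SECRET = b"radius-secret-01"     # constructed; configured on NAS and server
REQUEST_AUTHENTICATOR = os.urandom(16)  # random 16 octets, sent in each Access-Request


def hide_user_password(password, shared_secret, request_authenticator):
    """b1 = MD5(S || RA), c1 = p1 XOR b1, then b_i = MD5(S || c_{i-1}),
    c_i = p_i XOR b_i. The password is null-padded to a multiple of 16 octets."""
    pad = (-len(password) % 16) or (16 if not password else 0)
    padded = password + b"\x00" * pad
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        hidden += block
        prev = block
    return hidden


def reveal_user_password(hidden, shared_secret, request_authenticator):
    """Server side: regenerate the same MD5 chain and strip the null padding."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(shared_secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def crack_shared_secret(hidden, request_authenticator, known_password, candidates):
    """Offline attack on one captured Access-Request: an attacker who knows (or
    can guess) a single user's password tests shared-secret guesses at one MD5
    each. A recovered secret unmasks every other password between that NAS and
    server, which is why the secret must be long and random, and why RADIUS
    traffic should additionally ride inside IPsec or TLS (RadSec)."""
    for guess in candidates:
        if hide_user_password(known_password, guess, request_authenticator) == hidden:
            return guess
    return None
```

The hiding is keyed obfuscation built on MD5, not authenticated encryption: it has no integrity check, and its strength is exactly the strength of the shared secret.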
What is Diameter?
Diameter is meant to be the next-generation of RADIUS.

* Uses TCP or SCTP (port 3868), with TLS/IPsec for transport protection, rather than RADIUS's UDP
* Not as common as RADIUS in enterprise networks, though widely used in mobile carrier cores
What is TACACS?
TACACS is TERMINAL ACCESS CONTROLLER ACCESS CONTROL SYSTEM.

* Provides AAA services, with authentication, authorization, and accounting handled as separate exchanges (RADIUS combines authentication and authorization)
* TACACS+ is the most common implementation of TACACS
* TACACS+ uses TCP port 49 (the original TACACS used UDP 49)
* TACACS+ encrypts the entire packet body using the shared secret, whereas RADIUS hides only the password
* Supports many authentication mechanisms (PAP, CHAP, MS-CHAP, EAP, token card, Kerberos)
* TACACS+ can use dynamic passwords
* TACACS uses static passwords
What is the difference between a DISCRETIONARY and MANDATORY access control?
A DISCRETIONARY ACCESS CONTROL (DAC) is an access policy determined by the OWNER of the item to be accessed.

A MANDATORY ACCESS CONTROL (MAC) is an access policy determined by the SYSTEM.
What are ACLs?
ACLs are ACCESS CONTROL LISTS, which provide a flexible method for applying DISCRETIONARY ACCESS CONTROLS.
What is a ROLE-BASED ACCESS CONTROL?
A ROLE-BASED ACCESS CONTROL (RBAC) assigns permissions to ROLES defined by organizational or functional duties, and users receive those permissions through GROUP/ROLE MEMBERSHIP. These cards treat it as a method for implementing DISCRETIONARY ACCESS CONTROL; note that NIST's RBAC standard and most later texts class it as NON-DISCRETIONARY, because administrators rather than resource owners decide which permissions a role carries.
What are disadvantages of DISCRETIONARY ACCESS CONTROLS?
* Lack of centralized administration
* Dependence on security-conscious resource owners
* Often defaults to full access if owner doesn't explicitly set permissions
* Difficulty in auditing
In MANDATORY ACCESS CONTROL (MAC), what are SENSITIVITY LABELS?
All subjects and objects in a MANDATORY ACCESS CONTROL (MAC) based system must have SENSITIVITY LABELS, which specify the level of trust required for access (e.g., a user may need Top Secret clearance to read a Top Secret file).
What are the key points of BELL-LA PADULA? What is the purpose?
* SIMPLE SECURITY PROPERTY (SS PROPERTY) -- No read up "NRU"
* *-PROPERTY (STAR PROPERTY) -- No write down "NWD"

The purpose is to address CONFIDENTIALITY.
What are the key points of BIBA, aka BELL-LA PADULA UPSIDE-DOWN? What is the purpose?
* SIMPLE INTEGRITY PROPERTY -- No read down
* *-INTEGRITY PROPERTY (STAR INTEGRITY PROPERTY) -- No write up

The purpose is to address INTEGRITY
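The two models above (Bell-La Padula and Biba) as executable rules, added here as an example that is not part of the flashcards. It goes a little beyond the cards: labels are (level, categories) pairs forming a lattice, so "higher" means both level-dominates and category-superset, which is how real MLS labels compare. Level names and categories are constructed.

```python
# Added example (not from the flashcards): Bell-LaPadula and Biba checks over
# lattice labels (level + category set). Levels and categories are constructed.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


def label(level, *categories):
    """A sensitivity (or integrity) label: hierarchical level plus a category set."""
    return (level, frozenset(categories))


def dominates(a, b):
    """a dominates b when a's level >= b's level and a's categories include b's.
    Two labels with disjoint categories are incomparable: neither dominates."""
    return LEVELS[a[0]] >= LEVELS[b[0]] and a[1] >= b[1]


def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality).
    Simple security property: read only if subject dominates object (no read up).
    *-property: write only if object dominates subject (no write down)."""
    if op == "read":
        return dominates(subject, obj)
    if op == "write":
        return dominates(obj, subject)
    raise ValueError("unknown operation: " + op)


def biba_allows(subject, obj, op):
    """Biba (integrity), Bell-LaPadula upside down.
    Simple integrity property: read only if object dominates subject (no read down).
    *-integrity property: write only if subject dominates object (no write up)."""
    if op == "read":
        return dominates(obj, subject)
    if op == "write":
        return dominates(subject, obj)
    raise ValueError("unknown operation: " + op)


def allowed(subject_conf, subject_int, obj_conf, obj_int, op):
    """A system enforcing both models labels every subject and object twice
    (confidentiality and integrity) and permits an operation only when both
    rule sets agree."""
    return blp_allows(subject_conf, obj_conf, op) and biba_allows(subject_int, obj_int, op)
```

The last check is the practical lesson: a SECRET subject may read an UNCLASSIFIED file under Bell-La Padula, but if that file also carries low integrity, Biba forbids the same read, so a system enforcing both ends up denying it.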
What are the key points of CLARK-WILSON INTEGRITY MODEL? What is the purpose?
* UNCONSTRAINED DATA ITEM (UDI)
* CONSTRAINED DATA ITEM (CDI)
* INTEGRITY VERIFICATION PROCEDURES (IVP)
* TRANSFORMATION PROCEDURES (TP)

The purpose is to address INTEGRITY
What is the NONINTERFERENCE MODEL?
The NONINTERFERENCE MODEL ensures that objects and subjects don't see the actions of different objects and subjects on the same systems, and that those actions don't interfere with them.

For example, if a user with a higher level of access made a change to a file, a user with a lower level of access won't see those changes and won't be able to deduce any information for those changes.
What is the ACCESS MATRIX MODEL?
An ACCESS MATRIX MODEL provides object access rights (READ/WRITE/EXECUTE or R/W/X) to subjects in a DAC system: rows are subjects, columns are objects, and each cell holds the rights that subject has on that object.

An ACCESS MATRIX MODEL consists of ACCESS CONTROL LISTS (ACLs) and CAPABILITY LISTS.
What is the INFORMATION FLOW MODEL?
An INFORMATION FLOW MODEL is a LATTICE-BASED MODEL in which the system assigns objects a security class and value, and a security policy controls their direction of flow.
What are some ACCESS CONTROL ATTACKS?
* Brute-force / dictionary attack
* Buffer / stack overflow
* Man-in-the-Middle attacks
* Packet sniffing
* Session hijacking
* Social engineering
What are COUNTERS to ACCESS CONTROL ATTACKS?
* Threat modeling
* Asset valuation
* Vulnerability analysis
* Access aggregation (awareness of it: many individually harmless accesses granted to one subject can add up to a sensitive capability, so accumulated access must be reviewed and limited)
What is PORT SCANNING?
PORT SCANNING determines which TCP and UDP ports on a host are open, i.e., which services are listening.
What is APPLICATION SCANNING?
APPLICATION SCANNING determines whether an online application has weaknesses that could be exploited.
What is BLACK BOX TESTING?
BLACK BOX TESTING is where the tester has NO PRIOR KNOWLEDGE of the system.
What is WHITE BOX TESTING?
WHITE BOX TESTING is where the tester has COMPLETE KNOWLEDGE of the system.
What is GREY BOX TESTING?
GREY BOX TESTING is where the tester has SOME KNOWLEDGE of the system.
What is HOST SCANNING?
HOST SCANNING determines which network hosts are on the network.
What is OPERATING SYSTEM (OS) DETECTION?
OPERATING SYSTEM (OS) DETECTION determines the host's OS and, where possible, its version (e.g., from TCP/IP stack fingerprinting or service banners).
General-purpose control types include all the following except:
A. Detective
B. Mandatory
C. Preventive
D. Compensating
B. Mandatory
Violation reports and audit trails are examples of what type of control?
A. Detective technical
B. Preventive technical
C. Detective administrative
D. Preventive administrative
A. Detective technical
"A user cannot deny an action" describes the concept of
A. Authentication
B. Accountability
C. Non-repudiation
D. Plausible deniability
C. Non-repudiation
Unauthorized users that are incorrectly granted access in biometric systems are described as
A. False Reject Rate (Type II error)
B. False Accept Rate (Type II error)
C. False Reject Rate (Type I error)
D. False Accept Rate (Type I error)
B. False Accept Rate (Type II error)
All the following devices and protocols can be used to implement one-time passwords except
A. Tokens
B. S/Key
C. Diameter
D. Kerberos
D. Kerberos, which relies on static secrets
Which of the following PPP authentication protocols transmits passwords in clear text?
A. PAP
B. CHAP
C. MS-CHAP
D. FTP
A. PAP
Which of the following is not considered a method of attack against access control systems?
A. Brute force
B. Dictionary
C. Denial of Service
D. Buffer overflow
C. Denial of Service
Sensitivity labels are a fundamental component in which type of access control systems?
A. Mandatory access control
B. Discretionary access control
C. Access control lists
D. Role-based access control
A. Mandatory access control
Which of the following access control models address availability issues?
A. Bell-La Padula
B. Biba
C. Clark-Wilson
D. None of the above
D. None of the above
What are the 7 layers of the OSI MODEL?
PLEASE DON'T TOUCH STEVE'S PET ALLIGATOR

7-Application
6-Presentation
5-Session
4-Transport
3-Network
2-Data Link
1-Physical
In the OSI model, what is DATA ENCAPSULATION?
DATA ENCAPSULATION wraps protocol information from the layer immediately above in the data section of the layer immediately below it. Each layer communicates only with adjacent layers.
In the OSI model, what is the PHYSICAL LAYER (LAYER 1)?
The PHYSICAL LAYER (LAYER 1) sends and receives bits across the network cabling. It specifies the electrical, mechanical, and functional requirements of the network:
* Network topology
* Cabling and connectors
* Interface types
* Process for converting bits to electrical or light signals
What are some NETWORK TOPOLOGIES?
* Star
* Mesh
* Ring
* Bus
What is BIT ERROR RATIO (BER)?
BIT ERROR RATIO (BER) is the ratio of incorrectly received bits to total bits over a specified period of time.
What is UNSHIELDED (UTP) for TWISTED-PAIR CABLES?
UTP cabling is cheaper and easier to work with, but is susceptible to noise.
What is SHIELDED (STP) for TWISTED-PAIR CABLES?
STP cabling is used when noise is a problem or security is a concern.
What is TEMPEST?
TEMPEST is a US Mil term referring to the study of E/M emissions from computers and related equipment.
What TERMINATORS are used with TWISTED-PAIR CABLES?
RJ-type TERMINATORS, including:
* RJ-11 for analog phone lines
* RJ-45 for LANs
* RJ-49 for ISDN lines and WAN interfaces
What are advantages of FIBER-OPTIC cables?
* Most reliable
* High speeds
* Long distances
* Resistance to interception and interference
What TERMINATORS are used with FIBER-OPTIC cables?
FIBER-OPTIC cables are terminated with:
* SC-type
* ST-type
* LC-type
Ethernet designations, such as 10Base-T or 100Base-TX, refer to the ______________ of the cable and the __________________.
Ethernet designations, such as 10Base-T or 100Base-TX, refer to the SPEED of the cable (in Mbps) and the SIGNALING TYPE (BASEBAND). The last part of the designation is less strictly defined. It may refer to the approximate maximum segment length (e.g., 10Base-5, about 500 m), the type of cable or connector (e.g., 100Base-TX, twisted pair), or the type and speed of the connector (e.g., 1000Base-T/GbE).
The interface between DATA TERMINAL EQUIPMENT (DTE) and DATA COMMUNICATIONS EQUIPMENT (DCE) is specified at the _______________ LAYER of the OSI MODEL.
The interface between DATA TERMINAL EQUIPMENT (DTE) and DATA COMMUNICATIONS EQUIPMENT (DCE) is specified at the PHYSICAL LAYER of the OSI MODEL.
A __________ is a non-intelligent device that simply amplifies a signal to compensate for ATTENUATION (signal loss) so that one can extend the length of the cable segment.
A REPEATER is a non-intelligent device that simply amplifies a signal to compensate for ATTENUATION (signal loss) so that one can extend the length of the cable segment.
The __________ LAYER ensures that messages are delivered to the proper device across a PHYSICAL NETWORK LINK.
The DATA LINK LAYER ensures that messages are delivered to the proper device across a PHYSICAL NETWORK LINK.
The ___________ LAYER formats messages from layers above into FRAMES for transmission, handles point-to-point synchronization and error control, and can perform link encryption.
The DATA LINK LAYER formats messages from layers above into FRAMES for transmission, handles point-to-point synchronization and error control, and can perform link encryption.
The DATA LINK LAYER consists of which 2 sub-layers?
1. LOGICAL LINK CONTROL (LLC) -- above
2. MEDIA ACCESS CONTROL (MAC) -- below
The LOGICAL LINK CONTROL (LLC) sub-layer performs which 3 functions?
1. Provide an interface for MAC sub-layer by using SOURCE SERVICE ACCESS POINTS (SSAPs) and DESTINATION SERVICE ACCESS POINTS (DSAPs)
2. Manages the control, sequencing, and acknowledgement of frames being passed up to the Network Layer or down to the Physical Layer
3. Responsible for timing and flow control.
What is FLOW CONTROL?
FLOW CONTROL monitors the flow of data between devices to ensure that a receiving device, which may not necessarily be operating at the same speed as the transmitting device, isn't overwhelmed.
The LOGICAL LINK CONTROL (LLC) and MEDIA ACCESS CONTROL (MAC) are sub-layers of ___________?
The LOGICAL LINK CONTROL (LLC) and MEDIA ACCESS CONTROL (MAC) are sub-layers of the DATA LINK LAYER.
The MEDIA ACCESS CONTROL (MAC) sub-layer performs which 3 functions?
1. ERROR CONTROL using a CYCLIC REDUNDANCY CHECK (CRC), or checksum
2. MAC ADDRESSES
3. CONTROL MEDIA ACCESS (e.g., CONTENTION, TOKEN-PASSING, POLLING)
What is a CYCLIC REDUNDANCY CHECK (CRC)?
A CYCLIC REDUNDANCY CHECK (CRC) is a short checksum (32 bits for Ethernet's frame check sequence) computed over the frame by the sender and recalculated by the receiving device. If the calculated CRC doesn't match the received CRC, the frame is dropped; whether a retransmission is requested depends on the protocol (connection-oriented link protocols such as LLC type 2 or HDLC request one, while Ethernet simply discards the frame and leaves recovery to higher layers such as TCP). A CRC detects accidental corruption only: it is not keyed, so it offers no protection against deliberate modification.
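The sender/receiver CRC check above, as an added example (not code from the flashcards or from any NIC driver), together with the caveat a security engineer would attach to it. It implements the CRC-32 that Ethernet uses as its frame check sequence; frame payloads and the MAC key are constructed and the FCS byte order is simplified.

```python
# Added example (not from the flashcards): CRC-32 as Ethernet's frame check
# sequence, the receiver-side check, and why a CRC is not an integrity
# control against an attacker. Payloads and MAC key are constructed.
import hashlib
import hmac

POLY_REFLECTED = 0xEDB88320  # IEEE 802.3 polynomial 0x04C11DB7, bit-reversed


def crc32(data):
    """Bit-at-a-time CRC-32 (same result as zlib.crc32)."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ (POLY_REFLECTED if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF


def frame_with_fcs(payload):
    """Sender: append the 4-byte FCS."""
    return payload + crc32(payload).to_bytes(4, "little")


def receive(frame):
    """Receiver: recompute the CRC over the payload; on mismatch drop the frame."""
    payload, fcs = frame[:-4], int.from_bytes(frame[-4:], "little")
    return payload if crc32(payload) == fcs else None


def flip_bit(frame, bit_index):
    """Simulate line noise: invert one bit of the frame."""
    data = bytearray(frame)
    data[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(data)


def attacker_rewrites(frame, new_payload):
    """A CRC has no key: anyone who can alter the payload can recompute a
    matching FCS, so the receiver accepts the forged frame as clean."""
    return frame_with_fcs(new_payload)


MAC_KEY = b"constructed-link-key"  # what a keyed check needs and a CRC lacks


def frame_with_mac(payload, key=MAC_KEY):
    """Keyed alternative: an HMAC-SHA256 tag only a key holder can produce."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def receive_authenticated(frame, key=MAC_KEY):
    """Receiver with the key: accept only if the tag verifies."""
    payload, tag = frame[:-32], frame[-32:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None
```

Running it shows the three cases side by side: a single flipped bit is caught and the frame dropped, an attacker-rewritten frame with a recomputed FCS sails through, and only the keyed variant rejects a forgery made without the key.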
A MAC address is a _________ bit address. The first ______ bits identify ____________. The second _______ bits identify ___________.
A MAC address is a 48 bit address. The first 24 bits identify the manufacturer or vendor. The second 24 bits identify the device.
What are 3 types of CONTROLS MEDIA ACCESS?
1. CONTENTION
2. TOKEN-PASSING
3. POLLING
Individual devices must vie for control of the physical medium. This type of network is __________.
CONTENTION
Individual devices must wait for a special frame before they transmit data across the physical network medium. This type of network is considered deterministic. This type of network is ___________.
TOKEN-PASSING
Individual devices (secondary hosts) are polled by a primary host to see whether they have data to be transmitted. Secondary hosts can't transmit until permission is granted by the primary host. This type of network is ____________.
POLLING
POLLING networks are typically used in _____________ environments.
MAINFRAME
A TOKEN-PASSING network is considered ___________ because transmission delay can be reliably calculated, and collisions don't occur.
DETERMINISTIC
Common LAN protocols include?
* ARCnet
* Ethernet
* Token-Ring
* Fiber Distributed Data Interface (FDDI)
* Address Resolution Protocol (ARP)
* Reverse Address Resolution Protocol (RARP)
ARCnet transports data using _________ media access method. It is implemented in a ___________ topology using __________ cable.
ARCnet transports data using TOKEN-PASSING media access method. It is implemented in a STAR topology using COAX cable.
ETHERNET transports data using ___________.
ETHERNET transports data using CSMA/CD.
At what speeds do TOKEN-RING networks operate?
* 4 Mbps
* 16 Mbps
ADDRESS RESOLUTION PROTOCOL (ARP) maps __________ to _________.
ADDRESS RESOLUTION PROTOCOL (ARP) maps NETWORK LAYER IP ADDRESSES to MAC ADDRESSES.
ADDRESS RESOLUTION PROTOCOL (ARP) discovers physical addresses of attached devices by broadcasting ___________.
ADDRESS RESOLUTION PROTOCOL (ARP) discovers physical addresses of attached devices by broadcasting ARP QUERY MESSAGES.
REVERSE ADDRESS RESOLUTION PROTOCOL (RARP) maps ___________ to ____________.
REVERSE ADDRESS RESOLUTION PROTOCOL (RARP) maps MAC ADDRESSES to IP ADDRESSES.
ARP and RARP are LAYER __ protocols.
ARP and RARP are LAYER 2 protocols.
LAN data transmissions are classified as ________, _______, and _______.
LAN data transmissions are classified as:
* UNICAST
* MULTICAST
* BROADCAST
UNICAST
Packets are sent from the source to a single destination device using a specific destination IP address.
MULTICAST
Packets are copied and sent from the source to multiple destination devices using a special multicast IP address that the destination stations have been specifically configured to use.
BROADCAST
Packets are copied and sent from the source to every device on a destination network using a broadcast IP address.
802.11a
54 Mbps
5 GHz
802.11b
11 Mbps
2.4 GHz
802.11g
54 Mbps
2.4 GHz
802.11n
600 Mbps
5 GHz or 2.4 GHz
____________ defines 802 networking standards.
IEEE defines 802 networking standards.
POINT-TO-POINT LINKS
These links provide a single, pre-established WAN communications path from the customer's network, across a carrier network, to a remote network. These include:
* Layer 2 Forwarding Protocol (L2F)
* Layer 2 Tunneling Protocol (L2TP)
* Point-to-Point Protocol (PPP)
* Point-to-Point Tunneling Protocol (PPTP)
* Serial Line IP (SLIP)
DATA OVER CABLE SERVICES INTERFACE SPECIFICATION (DOCSIS)
DATA OVER CABLE SERVICES INTERFACE SPECIFICATION (DOCSIS) is a communication protocol for transmitting high speed data over an existing cable TV system.