Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
196 Cards in this Set
- Front
- Back
|
Collection of mechanisms that work together to protect the assets of the enterprise
-most prevasive and omnipresent aspect of information security |
Access Control(s)
|
|
|
Access controls apply to:
|
Facilities, Support systems, information systems, personnel-mgmt,users,customers,business partners
|
|
|
Access controls enable management to:
|
1)Specify which users can access a system
2)Specify what resources they can access 3) Specify what operations they can perform 4) Provide individual accountability |
|
|
T/F each new user or community increases the threat profile of an org
|
True
|
|
|
What identifies what resources are necessary for a person to access (Determining Resources)?
|
The user's role
|
|
|
Specifying use determines
|
level of authorization
|
|
|
the ability for the organization to hold people responsible for their actions
|
Individual accountability
|
|
|
A comprehensive access control strategy will include
|
the monitoring and secure logging of identification, authentication, and authorization processes and accountability of user actions and attempted actions by auth'd users w/o privs
|
|
|
What is the first element of access control?
|
to establish an access control policy
|
|
|
Access Control policy does what?
|
specifies how users are id'd, auth'd, and level of access granted to resources
|
|
|
Which privs users will be given to access resources will be specified where?
|
Access Control policy
|
|
|
The access control policy is usually based on what two standards of practice?
|
1) Separation of duties
and 2) least privilege *also sensitivity of data |
|
|
Primary objective of separation of duties? (ie disseminating taks ans associate privileges for specific process among multiple users)
|
Prevention of fraud and errors
|
|
|
first action req'ed to employ separation of duties:
|
Defining elements of a process or work function
|
|
|
Second step of employing separation of duties:
|
divide elements of a work function among different users or roles w/in a function
|
|
|
When is static separation of duties used?
|
when the assignment of individuals to roles and work functions element to roles is possible
|
|
|
When is dynamic separation of duties used?
|
When compliance w/ reqts can only be determined during system operation. *allows more flexibility
|
|
|
What are the two factors to be addressed when determining applicability of separation of duties?
|
1) sensitivity of the function
2) available process that lend themselves to distribution |
|
|
Element distribution is broken down to what 3 parts?
|
1) Element identification, importance, criticality (potential for abuse)
2) Operational Considerations 3) User skills and availability |
|
|
What is described by "requires that a user or process be given no more privilege than necessary to perform a job"
|
least privilege
|
|
|
Practice of evaluation the risk level of the organization's information to ensure that the information receives the appropriate level of protection
|
Information Classification
|
|
|
What are the steps for establishing and sustaining a data classification process?
|
1) Determine data classification project objectives
2) Establish organizational support 3) Develop data classifcation policy 4) Develop data classification standard 5) Develop data classification process flow and procedure 6) Develop tools to support process 7) Identify application owners 8) Identify data owners and data owner delegates 9) Distribute standard templates 10) Classify information and applications 11) Develop auditing procedures 12) Load informatino into central repository 13) Train users 14) Periodically review and update data classifications |
|
|
Benefits of data classication
|
increases CIA
Improved workflow Reduction in costs of overprotection Ability for managers to enforce accountability Protection of departmental intellectual property/trade secrets |
|
|
Communicates req't to classify info and the purpose of data classification
|
Data Classification Policy
|
|
|
Communicates how to determine classification of a particular information item
|
Data classification standard
|
|
|
Levels of data classification
|
Public (unclassified)
Internal Use Only Confidential (optional higher level) |
|
|
What data classification level required no special protections?
|
Public (unclassified)
|
|
|
Information that could harm the company if disclosed externally (e.ge. customer lists, vendor pricing, organizational policies, standards & procedures)
|
Internal use only
|
|
|
Information that if released outside of the org would create sever problems for the org (ie. trade secrets, IP, research design, payroll info, health records, sr mgmt correspondence, business plans)
|
Confidential
|
|
|
Six main access control categories (characteristics of Access Control categories):
|
1) Preventive - avoid incident
2) Deterrent - discourage incident 3) Detective - identify incident 4) Corrective - remedy circumstance/mitigate damage and restore controls 5) Recovery - restore conditions to normal 6) Compensating - alternative control (e.g. Supervision) |
|
|
Three types of access control
|
1) Administrative
2) Physical 3) Technical |
|
|
What type of access control defines the roles, responsibilities, policies...?
|
Administrative
|
|
|
What type of access control is the nontechnical environment, such as locks, fire management, gates and guards?
|
Physical
|
|
|
What type of access control encompasses the electronic controls as the personification of the control environment?
|
Technical
|
|
|
Aspects of Administrative access control
|
Operational policies and procedures,
Personnel security, evaluation and clearances, Security policies, Monitoring User management, Privilege management |
|
|
Change control, business continuity and disaster recover, performance, configuration management, vulnerability management, product life-cycle management, network management are all examples of which aspect of Administrative access control
|
Operational policies and procedures
|
|
|
the administrative tasks performed on a system or device to ensure optimal operations.
|
Configuration Management
|
|
|
Establishing security reqts and validating individuals to bobtain credentials are part of which aspect of Administrative Controls
|
Personnel security, evaluation and clearances
|
|
|
Access Control policy should consider:
|
-Security reqts of individual enterprise apps, systems and services
-statements of info dissemination & authorization, such asleast privilege, data classification and specified controls for access, -The consistency between the access control and information classificiation policies of different systems and networks -Contractual obligations or regulatory compliance regarding protection of assets -standards defining user access profiles for organizational roles |
|
|
Contractual obligations or regulatory compliance regarding protection of assets
|
standards defining user access profiles for organizational roles
|
|
|
Best approach to ensuring consistency and control in password management is:
|
1)Clearly defined policies
2) Well-implemented system controls 3) Understanding of the technical considerations 4) Comprehensive user training 5)Continual auditing |
|
|
Physical security is based on
|
Zones, concentric areas within a facility, that require access
|
|
|
What is priority in all decision of physical security?
|
Human safety
|
|
|
mechanisms employed within the digital infrastructure that enforces policy
|
Technical Access Control
|
|
|
Types of technical access controls
|
1) User controls
2) Network access 3) Remote access 4) System Access 5) Application access 6) Malware control 7) Encryption |
|
|
ACLs, remote-access solutions, VLANs, protocols, firewalls, and IDSs are examples of which technical access control type
|
Network access
|
|
|
what is an example of a network access control that increases the level of access management in the environment?
|
proxy servers
|
|
|
What is used to segment traffic and limit the interaciton form one network to another?
|
VLAN
|
|
|
Cisco clean access is an example of
|
network access Technical access control
|
|
|
VPNs are example of which technical control
|
remote access
|
|
|
File system is an example of which technical control
|
System Access
|
|
|
buffer overflows that potentially allow malicious activity circumvent which type of technical control?
|
System Access
|
|
|
time-outs, data entry validation, and limiting access to specific service or modules based on user rights and needs are examples of which type of technical control?
|
Application Access
|
|
|
Controls within application access control include what:
|
user activity, internal service, and data service..inter-process sharing/privs
|
|
|
Antivirus, IPSs are what type of technical control
|
Malware control
|
|
|
Encryption can be used to ensure the:?
|
confidentiality of information and authenticate information integrity
|
|
|
most predominant aspect of crypto in access control is?
|
employment of cryptographic mecahnisms to ensure the integrity of authentication protocols & processes
|
|
|
Threats to access control and CIA
|
DoS, Buffer overflows, mobile code, malicious code, malware, password crackers, spoofing, sniffers, emanations, shoulder sufing, tapping, object reuse, data remnants, onauthorized targetted daata mining, dumpster diving, backdoor,theft, intruders, social engineering
|
|
|
teardrop attack
|
DoS attack using overlapping fragmented datagrams
|
|
|
Buffer overflow errors can be due to:
|
1) poor coding
2) Errors in the system BIOS |
|
|
s/w transmitted across a network from a remote source to a local system ad is then executed
|
mobile code (e.g. Active X, java applets, scripts)
|
|
|
Malicious mobile code represents a failure of which technical control?
|
Application controls
|
|
|
software, applications, applets, scripts, or any digital material that performs undesirable functions
|
Malicious software
|
|
|
Parasitic code that req's human transferral or insertion, or attaches itselft to another program to facilitate replication
|
Virus
|
|
|
self-propagating code that exploits system or application vulnerabilities
|
Worm
|
|
|
John the Ripper and L0phtcrack are?
|
password crackers
|
|
|
rainbow chains/tables, introduced by Phillippe Oechslin was an improvement over whose previous techniques of password cracking
|
Rivest-1982-distinguished points at the ends of chains
Martin Hellman-1980-time-memory tradeoff precalculated data stored in memory |
|
|
who popularized IP spoofing
|
Kevin Mitnick
|
|
|
example of emanations are:
|
wireless wi-fi, electromagnetic loos from comm lines, computer monitors, bluetooth-enabled devices, sound propagation
|
|
|
three type of antenna propagation
|
1) omnidirectional 2) semidirectional 3) highly directional
|
|
|
Name one defense against shoulder surfers
|
screen filters
|
|
|
allocation or reallocation of system resources to an unauthorized user or , more appropriately to an application or process
|
Object reuse
|
|
|
Two aspects of object reuse:
|
1) direct employment of the object
2) reuse of the data input or output from the object |
|
|
remains or partial remains of data (even after overwritting/degaussing)
|
data remanence
|
|
|
what is the name of the space within a cluster that is not occupied by the file
|
slack space
|
|
|
overwritting data several times ensures what?
|
1) enough randomization to avoid statistical analysis
2) each write works to furhter mask the remnants of any exctromagnetic representaiton of the original info |
|
|
practice of coercion and misdirection to obtain information
|
Social Engineering
|
|
|
assertion of a unique user identity
|
identification
|
|
|
verifying the identity of athe user
|
authentication
|
|
|
3 user identification guidelines
|
Uniqueness,
Nondescriptive, issuance |
|
|
issuance of identities must be ___ and ____
|
secure and documented
|
|
|
different bet password and passphrase
|
passphrases are longer to enter and harder to attack
|
|
|
two basic two-factor methods
|
1) asynchronous
2) Synchronus |
|
|
which method is:
auth server provies challenge to remote entity, to which entity calculates response using token and replies |
Asynchronous
|
|
|
paypal football/RSA securID example of which method (time-based, event, location)
|
synchronous
|
|
|
swipe card/ATM cards with PINs are examples of
|
memory card
|
|
|
data stored on a memory card is
|
unprotected (unencrypted) * unlike smart cards
|
|
|
security controls and logic are embedded in the integration circuit
|
Smart Card (can hold more than magnetic stripe)
|
|
|
Information on samart card can be divided into what section
|
1) read only
2) added only 3) updated only 4) no access available |
|
|
Types of memory on an ICC (IC card)
|
ROM, PROM (*reqs high voltages), EPROM (erasable programmable read-only memory, operating in one-time programmable mode, req's UV light)
EEPROM (electrically erasable PROM, IC of choise 8-256KB) RAM |
|
|
most smart card offer between __ and ___ r/w cycles
|
250,000 and 500,000
|
|
|
average life of smartcards
|
7-10yrs
|
|
|
two types of smart cards
|
contact & contactless (proximity)
|
|
|
what provides all the power and signalling control for communications with the Proximity Integrated Circuit Card (PICC)
|
Proximity Coupling Device (PCD)
|
|
|
two types of modulation that a PCD uses
|
A, B
|
|
|
for smart cards, log-on process is done at?
|
Reader
|
|
|
what are the capabilities of smart cards?
|
-Store personal info
-high degree of security(2factor) and portability -have tamper -resistant storage -can isolate secuiryt-critical computations within -officers secure enterprisewide authentication -used in encryption sytems to store keys -offers capability to perform encryption algorithms on the card |
|
|
Two types of biometics
|
physiological
behavioral |
|
|
representative of acquiring info about unique , physical attributes, (fingerprint, etc)
|
Physiological
|
|
|
what does hand geometry measure?
|
tension in the tendons, temperature, finger and bone length, and hand width
|
|
|
located at the back of eye
|
Retina
|
|
|
colored material surrounding the pupil that governs the amount of light permitted to enter the eye
|
Iris
|
|
|
keystroke pattern analysis and handwritting dynamics are examples of
|
behavioral
|
|
|
biometrics are prone to
|
errors, environmental variables
|
|
|
three categories of biometic accuracy (all percentages)
|
1) False reject rate (type I error)
2) False accept rate (type II error) 3) Corssover error rate (CER): The point at which the false rejection rates and the false acceptance rates are equal. The smaller the CER, the more accurate the system |
|
|
Biometric consideration
|
resistance to counterfeiting
data storage requirments user acceptance reliability and accuracy |
|
|
standard enrollment for authentication should take how long
|
2min
|
|
|
most significant disadvantage of biometics
|
inability to revoke the physical attribute of the credential (unlike a token, fob or smartcard)
|
|
|
Access control services provide...
|
identification,authentication,authorization,accountability
|
|
|
control architecture
|
Host, Requester, Authenticator
|
|
|
the requester is also referred to as the what? (provides challenge to the host for authentication)
|
Network Access Server
|
|
|
set of technologies intended to offer greater efficiency in the mgmt of diverse user and technical environment
|
Identity mgmt
|
|
|
Key mgmt challenges of identity mgt solution
|
consistency, efficient, usability, reliability, scalability
|
|
|
Identity mgt solutions should include what:
|
Directories (LDAP), web access mgt, password mgt, legacy SSO, account mgmt, profile update
|
|
|
limitation of directories (Critical Path, IBM/Tivoli,Msft,Novell,Oracle, Siemens, Sun/iPlanet)?
|
integration w/ legacy systems
|
|
|
Disadvantage of SSO?
|
single point of compromise
|
|
|
major drawback of access manamgent systems is?
|
deployment time and cost
|
|
|
Access Control Technolgoies
|
SSO, Kerberos, Secure European System for Applications in a Multi-Ventor Environment (SESAME), Security Domains
|
|
|
Advantages of SSO
|
-efficient log-on
-users may create stronger pwds -Time=out and attempt threshold enforced platform-wide -Centralized admin |
|
|
Disadvantages of SSO:
|
-single point of compromise
-legacy/unique platforms |
|
|
what 4 basic reqts for access control does Kerberos meet?
|
1) Security
2) Reliability 3) Transparance 4) Scalability |
|
|
Three components of Kerberso
|
1) Requesting system (Principle)
2) endpoint dest server 3) kerberos server(KDC) |
|
|
the Keberos distribution ctr is comprised of
|
Auth Svr and TicketGranting Server AS,TGS
|
|
|
area based on trues between resources or services sharing a single security policy
|
Security Domain
|
|
|
controls placed on data by the owner of the data
|
Discretionary Access Controls (DAC)
|
|
|
controls determined by the owner of the system
|
Mandatory access controls (MACs)
|
|
|
ACcess control matrix
|
table structure of ACL
|
|
|
access in based on a list of rules that dettermined what accesses should be granted
|
rule-based access control
|
|
|
access policy based on the function that user is allowed to perform w/in an org
|
role-based access control (RBAC)
|
|
|
access based on content of data
|
Content-dependent access control
|
|
|
access controls are those employed at a given time for e predetermined duration
|
Temporal (time-based) Isolation
|
|
|
RADIUS, TACACS+, and DIAMETER are examples of
|
Centralized Access Control
|
|
|
control is given to ppl closer to the resource, (e.g. dept mangers and sometimes users)
|
Decentralized access control
|
|
|
two basic analysis methods for IDS
|
pattern matching & anomaly
|
|
|
attributes of anomaly-based IDS:
|
-develops baseline of normal traffic activity
-Can id unknown attacks and DoS -Can be difficult to tune properly -must have a clear undersatnding of normal traffice enviorment |
|
|
id's any unacceptable deviation from expected behavior based on known protocols and signal an alers
|
protocol anomaly-based intrustion detection
|
|
|
Attributes of protocol-anomaly IDS
|
-looks for deviations from stnds (RFCs)
-not signature dep'dnt -reduces false positives -may lead to false-positives and fealse-negatives w/ poorly understood protocols -protocol analysis modules take longer to delploy to customers than signatures |
|
|
attributes of traffic anomaly-based IDS
|
-looks for unusal taffice
-can id unknown attacks/DoS -can be difficult to tune -must have clear unstnd of normal traffic enviorment |
|
|
core capability of IDS to to
|
produce alarms
|
|
|
3 fundamental components of alarms
|
1) Sensor
2) Control/communication 3) Alert/enunciator/actuator |
|
|
data collected from various systems logging activity
|
audit trail
|
|
|
5 key types of audit events
|
1) Network
2) System 3) Application 4) User 5) keystroke |
|
|
logs of file creation/mod/deletions are examples of what type of audit events
|
system
|
|
|
logs of URLs request are of what type of audit events?
|
application
|
|
|
log-on/off, privilege use, and data access are examples of what kind of audit events
|
User
|
|
|
employment of exploittive techniques to dtermin the level or risk associated with an vulnerability/ies
|
Penetration testing
|
|
|
primary goal of pen testing
|
simulate an attack
|
|
|
key to successful and valuable pentesting:
|
clearly defined objectives, scope, stated goals, agreed upon limitation and acceptable activities.
|
|
|
Types of pentest
|
Zero knowledge,
partial knowledge, Full knowledge |
|
|
Basic methodology of pentesting:
|
1) reconnaissance/discovery
2) Enumeration 3) Vulnerability analysis 4) Exploitation |
|
|
port scanning is part of which phase of pentesting methodology
|
Enumeration
|
|
|
process of comparing the information collected with known vulnerabilities
|
Vulnerability analysis
|
|
|
The attack process is broken up into
|
threads and groups
|
|
|
a collection of tasks that must be performed in a specifi order to acheive a goal
|
thread
|
|
|
attack process groups
|
collections of threads
|
|
|
divergences from attack plan must be determined in what two ways
|
Expectations (scope, goals, unexpected results)
Technical (system reacting diff than expected) |
|
|
Goals of penetration testing
|
gain awareness and detailed understanding of the state of the security environment
|
|
|
Pentest findings document should include
|
findings, tactics used, tools employed, info collected, recommendations
|
|
|
Pen test results can help w/ id'ing
|
vulnerabilities, gap in security measures, IDS and intrustion response capability, whether anyone is monitoring audit logs, how suspicious activity is reported, suggessted counter measures
|
|
|
blind/double-blind/targeted testing
|
tt giving min/IT staff don't know/both IT and TT know&provided info
|
|
|
Types of testing a PentTest team may carry out
|
Application,DoS,War dialing, wireless network, social eng, PBX
|
|
|
1. A preliminary step in managing resources is:
|
b. Defining who can access a given system or information
|
|
|
2. Which best describes access controls?
|
Access controls help protect against threats and vulnerabilities by reducing exposure to unauthorized activities and providing access to information and systems to only those who
have been approved. |
|
|
3. _______ requires that a user or process be granted access to only those resources necessary
to perform assigned functions. |
c. Least privilege
|
|
|
4. What are the six main categories of access control?
|
b. Deterrent, preventative, detective, corrective, compensating, and recovery
|
|
|
5. What are the three types of access control?
|
a. Administrative, physical, and technical
|
|
|
6. Which approach revolutionized the process of cracking passwords?
|
b. Rainbow table attack
|
|
|
7. What best describes two-factor authentication?
a. Something you know b. Something you have c. Something you are d. A combination of two listed above |
d. A combination of two listed above
|
|
|
8. A potential vulnerability of the Kerberos authentication server is:
|
a. Single point of failure
|
|
|
9. In mandatory access control, the system controls access and the owner determines:
|
b. Need to know
|
|
|
10. Which is the least significant issue when considering biometrics?
a. Resistance to counterfeiting b. Technology type c. User acceptance d. Reliability and accuracy |
b. Technology type
|
|
|
11. Which is a fundamental disadvantage of biometrics?
|
a. Revoking credentials
|
|
|
12. Role-based access control _______:
|
c. Is based on user job functions
|
|
|
13. Identity management is:
|
A set of technologies and processes intended to offer greater efficiency in the management of a diverse user and technical environment
|
|
|
14. A disadvantage of single sign-on is:
|
b. A compromised password exposes all authorized resources
|
|
|
15. Which of the following is incorrect when considering privilege management?
Privileges associated with each system, service, or application, and the defined roles within the organization to which they are needed, should be identified and clearly documented. a. Privileges should be managed based on least privilege. Only rights required to perform a job should be provided to a user, group, or role. b. An authorization process and a record of all privileges allocated should be maintained. Privileges should not be granted until the authorization process is complete and validated. c. Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function. |
Any privileges that are needed for intermittent job functions should be assigned to multiple user accounts, as opposed to those for normal system activity related to the job function.
|
|
|
16. Capability lists are related to the subject, whereas access control lists (ACLs) are related to the
object, and therefore: |
Under access control lists, a user can invoke a program to access objects normally restricted.
|
|
|
Special priviliges should be assigned to normal accts (TF)
|
false
|
|
|
what provides access control assurance
|
due diligence
|
|
|
what are 3 basic reqts of access control
|
1) Scalability
2) Security 3) Transparency |
|
|
An operattional report is:
a) detective b) corrective c) preventative d) directive |
detective
|
|
|
In MAC, the need-to-know element is provided by:
|
Information owner
|
|
|
In Content dependent access control the key element that determines access authorization is provided by the
|
arbiter program
|
|
|
in non-discretionary access control, the defintion of access rules are closely managed by the
|
Security admin
|
|
|
An audit trail should include data about:system-level, app level and user level events and`
|
network connections
|
|
|
who is the ultimate data owner
|
CIO
|
|
|
why are biometric devices more accurate than other types of auth technologies
|
they're harder to circumvent
|
|
|
Type II error:
|
False accept
|
|
|
Type I error
|
false reject
|
|
|
what type of control is auditing
|
technical
|
|
|
password advisor doesa
|
instructs user on pwd that are easy to rmember and difficult to crack
|
|
|
syskey
|
ms's pwd db
|
|
|
how is Kerberos SSO
|
TGT
|
|
|
Capbility tables are bound to
|
subjects
|
|
|
Whta is a Kerberos authenticator and what is its purpose
|
Principal identifaction and timestampe encrypted with a shared session key. It is used to authenticate the the requesting principal and is a countermeasure against replay attacks
|
|
|
The TGT is generate to allow aprincipal to be able to
|
communicate with the TGS
|
