Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
55 Cards in this Set
- Front
- Back
|
What are the 3 stages a user must pass (in sequence) in order to gain access to a network resource? |
Identification Authentication Authorization |
|
|
What prevents one person in a system from both performing a security related function and also verifying it? |
Separation of duties |
|
|
What access control method gives access based on a user's job functions? |
Role-based access control. This scheme does not give any individual access rights or permissions. All access is based on the role assigned. |
|
|
What is N-person control? |
Requiring multiple people to perform a certain function |
|
|
What can prevent internal corruption and improve accountability, in addition to creating broader job knowledge? |
Job rotation |
|
|
What is the security aspect of mandatory vacations? |
It is harder to cover up ongoing fraud because someone else will have to fill in and notice the activity. |
|
|
What policy should network access start with? |
Implicit deny. If a resource is not authorized, it is assumed to be denied. |
|
|
What is explicit deny? |
Access to a certain resource is explicity denied to a user or group. This would override access that might be inherited from another policy. |
|
|
What policy gives a user only what they need to perform their job? |
Least privilege |
|
|
What are the access control types? |
Mandatory Discretionary Role-based Rule-based |
|
|
What access control method is used in high security environments and gives the user little or no control over their files? |
Mandatory access control (MAC) |
|
|
RBAC |
Role-Based Access Control |
|
|
What access control method allows users to specify other users who can access their resources |
Discretionary access control (DAC) |
|
|
What is a good user naming convention and why? |
First initial and last name or some variation of that. Never use job descriptions or departments as part of a username as it can attract undesired attention to that account. |
|
|
What can thwart a brute force attack on a network? |
Limited login attempts. Usually set at 3 to 5 attempts, after which a user must contact an administrator. |
|
|
What can be set for a temporary contract worker? |
An account expiry date will preclude the chance of a contractor maintaining access after their contract is over. |
|
|
What should you do when an employee leaves the company? |
Disable the account. |
|
|
What access control method uses an ACL? |
ACL is an Access Control List and is used with a Rule-based access control system. This is typically implemented on network devices such as routers, firewalls and content filtering systems and apply to all users regardless of who they are. |
|
|
What should you do if you don't recognize an account as valid? |
Disable it. If it is actually an authorized user, they will contact you when they cannot log in. |
|
|
What can reduce the risk of unauthorized users breaking into someone's account during off hours? |
Setting time restrictions on an account |
|
|
What can prevent login from a laptop being brought in and connected? |
Machine restrictions such as MAC address, computer name, or IP address. |
|
|
What can provide an extra layer of security, in the event someone's username and password are compromised? |
A physical token, such as an RSA SecurID or a Cryptocard can provide logical token number that is generated on demand in conjunction with the access control server. |
|
|
What periodic task can mitigate insider threats and potentially find find some external threats that have gained access? |
User access reviews |
|
|
List the basic password policies that a security plan should have |
Minimum length & complexity Password history Password rotation & expiration Password recovery |
|
|
What security concept allows users to gain access across organizational boundaries? |
Federation, which implements a system of transitive trust between organizations. |
|
|
What permissions would typically be specified in an ACL? |
Read Write Read & Execute Modify Full control |
|
|
What does the full control permission have that modify does not? |
The ability to change permissions and take ownership. |
|
|
What is the main drawback of most intrusion detection systems? |
False alarms which can occur due to weather, animals or improper calibration. |
|
|
What is AAA? |
Authentication Authorization & Accounting |
|
|
Give an example of a common single sign on system |
Microsoft Active Directory |
|
|
what is a security risk of cable modems? |
They are always connected to the internet. Use of a firewall is recommended. The same applies to DSL (Digital Subscriber Line) |
|
|
Where is it ok to use Telnet? |
Within an already secure network environment. Telnet sends username and password information in clear text. SSH is preferable. |
|
|
What utilities send login credentials in clear text? |
Telnet FTP RSH (Remote Shell) |
|
|
What is the preferred protocol to use for dialup? |
PPP (Point to Point Protocol) is preferred to the older SLIP (Serial Line Internet Protocol). PPP supports common authentication methods such as PAP, CHAP, MS-CHAP & EAP. |
|
|
What is a security risk of PPTP (Point to Point Tunneling Protocol)? |
When a connection is negotiated, It sends the information in clear text. VPN's typically encapsulate this with MPPE (Microsoft Point to Point Encryption) for security. |
|
|
What are the 2 components used in L2TP (Layer 2 Tunneling Protocol)? |
LAC (L2TP Access Concentrator) Client side LNS (L2TP Network Server) remote side |
|
|
What it the advantage of L2TP compared to PPTP? |
It can be tunneled through other network protocols such as IPX (Netware), while PPTP can only run on top of other IP networks. L2TP also supports authentication services such as RADIUS and TACACS+ |
|
|
What kind of encryption does L2TP provide? |
L2TP does not include any native encryption and must be combined with other encryption methods such as IPSEC. |
|
|
What is PAP and what is a weakness of it? |
Password Authentication Protocol Credentials are sent in clear text |
|
|
What is CHAP and how does it protect against replay attacks? |
Challenge Handshake Authentication Protocol. It uses an incrementally changing identifier and a variable challenge value. The authentication can be repeated anytime during a session using new identifiers. |
|
|
Where is LANMAN used? |
This is the Windows Lan Manager authentication and is no longer secure. It was used on older versions of Windows and has been replaced by NTLM and NTLMv2. |
|
|
What hash method does NTLM use? |
NTLM uses an MD4 hash NTLMv2 uses HMAC-MD5 hashing |
|
|
What is EAP and where is it typically used |
Extensible Authentication Protocol It is usually used in wireless networks, though it can be used with other access methods. |
|
|
What is RADIUS? |
Remote Authentication Dial In User Service Requires a server. |
|
|
What port does LDAP use? |
TCP 389 |
|
|
What port does LDAP over SSL use? |
TCP 689 |
|
|
What port does LDAP over TLS use? |
TCP 636 |
|
|
What is SAML? |
Security Assertion Markup Language
An XML based open standard used for exchanging authentication and authorization information. |
|
|
What are the three roles used by SAML |
Principle (user) Identity provider Service provider |
|
|
What is the weak point in a Kerberos system? |
The Kerberos server can be a single point of failure or potential attack. Without this server, the entire system is either compromised or unavailable. |
|
|
What is the port based authentication method used for wired and wireless LAN's? |
802.1x |
|
|
What issues a certificate? |
The CA (Certificate Authority) |
|
|
What is a common 2 step authentication algorithm? |
HOTP HMAC-based One Time Password Authenticates users against an authentication server. |
|
|
What is TOTP and what is it based on? |
Time Based one Time password An extension of the HOTP concept, adding a time factor, usually measured in seconds. Generally uses a dongle or smartphone app to display a one time password that expires after just a few seconds. |
|
|
What are some drawbacks of biometrics? |
High cost Frequent calibration High rate of false permissions or denials |
