Term
| What are other names for a subject and an object? |
|
Definition
| Subject - User, program, process. Object - Data, Devices. |
|
|
Term
| What are the steps of the access control chain? |
|
Definition
| Identification -> Authentication -> Authorization -> Access the resource -> Accountability. |
|
|
Term
| What are the three Authentication factors, and what defines "strong authentication"? |
|
Definition
| Something you Know, Something you Are, or Something you Have. Strong is two or more of these. |
|
|
Term
| What are the three key aspects of issuing secure identities? |
|
Definition
| Uniqueness (no two alike), Nondescriptive (nothing to indicate the purpose), Issuance (by a trusted authority). |
|
|
Term
| Most Identity Management directories rely on what standard and what protocol? |
|
Definition
|
|
Term
| What is a Meta-Directory? |
|
Definition
| It gathers the necessary directory information from multiple sources and physically stores it in one central database. |
|
|
Term
| What is a Virtual Directory? |
|
Definition
| Does not store directory data physically, but points to where the actual data resides. |
|
|
Term
|
Definition
| Web Access Management software. It controls what a user can access when using a web browser to interact with enterprise assets. |
|
|
Term
| What is user provisioning? |
|
Definition
| The creation, maintenance, and deactivation of user objects and attributes. |
|
|
Term
| What is a collection of data about a user called? |
|
Definition
|
|
Term
| What is a Federated Identity? |
|
Definition
| It is a portable identity that allows a user to be authenticated across multiple IT systems and business boundaries. |
|
|
Term
| In Biometrics, what is the difference between Type I and Type II errors? |
|
Definition
| Type I is false rejection, Type II is false acceptance. |
|
|
Term
| What are the two categories of biometrics? |
|
Definition
| Physiological and Behavioral. |
|
|
Term
| What is the CER and the EER? |
|
Definition
| (Both the same) Cross-over Error Rate / Equal Error Rate - it is the point where the false rejection rate equals the false acceptance rate. |
|
|
Term
| What is the most accurate Biometric technique? |
|
Definition
|
|
Term
| What are the three behavioral biometrics? |
|
Definition
| Signature dynamics, Keystroke dynamics, and voice print. |
|
|
Term
| What is a Synchronous Token Device? |
|
Definition
| It links up with an authentication service by using time or a counter as the core piece of the authentication process. |
|
|
Term
|
Definition
| A sequence of characters that is longer than a password. |
|
|
Term
| What can be created from a passphrase? |
|
Definition
|
|
Term
| What are the three types of SmartCard attacks? |
|
Definition
| Fault generation (reverse-engineering the encryption), Side-Channel (noninvasive; watching to see how it works), or Microprobing (directly tapping into the ROM chips). |
|
|
Term
|
Definition
| A symmetric key, end-to-end encryption/security, single-sign-on system for distributed environments. |
|
|
Term
| What is the most important component of Kerberos? |
|
Definition
| The KDC (Key Distribution Center). |
|
|
Term
| What is a Domain called in Kerberos? |
|
Definition
|
|
Term
| What is used in Kerberos to fight replay attacks? |
|
Definition
|
|
Term
|
Definition
| The European version of Kerberos that uses both Symmetric and Asymmetric key cryptography. |
|
|
Term
| What are the three access control models? |
|
Definition
|
|
Term
| Regarding Access Controls, what is DAC? |
|
Definition
| Discretionary access control. Enables the owner to specify who can access specific resources, most commonly through ACLs. |
|
|
Term
| Regarding Access Controls, what is MAC? |
|
Definition
| The operating system makes the decision based on a security label system. (Military System) |
|
|
Term
| Regarding Access Controls, what is RBAC? |
|
Definition
| A.K.A. non-discretionary access control. It uses a centrally administered set of access controls, which makes it great for environments with high turnover! |
|
|
Term
| What are software and hardware Guards? |
|
Definition
| They allow the exchange of data between trusted and less-trusted systems and environments. |
|
|
Term
| What are the two types of separation of duties under Hierarchical RBAC? |
|
Definition
| Static Separation of Duty (SSD - meaning users can only be a part of ONE group). Dynamic Separation of Duties (DSD - users can be a member of more than one group, but only one can be active at a time). |
|
|
Term
| What is Rule-Based Access Control? |
|
Definition
| Based on "if x then y" programming rules. Like an ACL or Firewall. |
|
|
Term
| What are the Access Control Techniques? |
|
Definition
| Rule-Based (routers, ACLs), Constrained User Interface (Kiosk PC, ATM), ACL (bound to the object), Capability table (Tokens, ticket, key). |
|
|
Term
| What is the difference between Content and Context dependent? |
|
Definition
| Content deals with object context, like a web filter or spam filter, and Context is based on the context of a data set, sequence, situation, or state, like a stateful firewall. |
|
|
Term
| What are the three access control management systems? |
|
Definition
| RADIUS (UDP based), TACACS (Cisco, TCP, encrypts all data between client and server), and DIAMETER. |
|
|
Term
| What central access control management system is better for environments that require sophisticated authentication steps? |
|
Definition
|
|
Term
| What are the three services provided by AAA? |
|
Definition
| Authentication, Authorization, Accounting. |
|
|
Term
| What is another way to describe decentralized access control administration? |
|
Definition
|
|
Term
| What are the seven different access control types? Give examples. |
|
Definition
| 1. Deterrent (discourage) - lighting, signs. 2. Preventive (avoid) - background check, fence, badges. 3. Corrective (fix) - Antivirus, images. 4. Recovery (restore) - backups, offsite storage. 5. Detective (discovery) - Audit logs and files. 6. Compensating (alternates) - pretty much everything. 7. Directive - mandatory controls due to regulations or the environment. |
|
|
Term
| Define Scrubbing as it relates to audit logs. |
|
Definition
| Deleting specific incriminating data. |
|
|
Term
| What is the acronym for Emanation Security? |
|
Definition
|
|
Term
| What are the three generic IDS types? |
|
Definition
| Signature-based, Anomaly-based, and Rule-based. |
|
|
Term
| What are some characteristics of Signature-based IDSs? |
|
Definition
| AKA knowledge-based; uses pattern matching - like an antivirus system - or stateful matching. They cannot detect new attacks. |
|
|
Term
| What are some characteristics of Anomaly-based IDSs? |
|
Definition
| Creates a 'normal' profile and compares network behavior. Three types - Statistical (uses profile), Protocol (IDs uncommonly used protocols), and Traffic (unusual loads). They CAN detect new attacks. |
|
|
Term
| What are some characteristics of Rule-based IDSs? |
|
Definition
| They are considered expert systems. They use IF/THEN programming and allow for artificial intelligence. |
|
|
Term
| What is the key difference between an IDS and an IPS? |
|
Definition
|
|
Term
| Explain network sniffing as a threat to access control. |
|
Definition
| Analyzing network traffic. |
|
|
Term
| Explain a dictionary attack as a threat to access control. |
|
Definition
| Using a pre-hashed list of passwords. |
|
|
Term
| Explain brute force as a threat to access control. |
|
Definition
| Trying every possible combination for a password. |
|
|
Term
| Explain spoofing as a threat to access control. |
|
Definition
| Faking credentials or a logon screen. |
|
|
Term
| Explain phishing as a threat to access control. |
|
Definition
|
|
Term
| Explain pharming as a threat to access control. |
|
Definition
| Combined with DNS poisoning, directs a user to a fake website. |
|
|