Shared Flashcard Set

Details

SSCP (Access Controls)
42 cards
Computer Networking
Intermediate
05/03/2017

Cards

Term
ACCESS CONTROL
Definition
ACCESS CONTROL
Term
Authentication Mechanisms
Definition
Identification
Authentication
Authorisation
Term
Types of Authentication
Definition
Something you know
Something you have
Something you are
Single factor
Dual/multi factor
Term
Something you know: passwords
Definition
Least secure method of authentication
Attacks: shoulder surfing, keylogging, sniffing
Brute force and dictionary
Phishing and social engineering
Term
Something you know: passwords (cont.)
Definition
Simple passwords are easy to exploit
Passphrases may help
Use strong and complex passwords
Change every 90 days
Password policy and lockout controls
Term
Something you have
Definition
Requires a physical device and a PKI environment
Smart cards and tokens
Usually requires an additional factor - a PIN
Attack: steal the card
Attack: hack the authentication server
Term
Something you are
Definition
Biometrics - something unique about your body
Impossible to lose or forget
Examples - fingerprints, voice recognition, retina scans, handwriting
Term
Biometric Accuracy
Definition
FRR - False Rejection Rate
FAR - False Accept Rate
CER - Crossover Error Rate
Lower CER is better
Term
Multifactor Authentication
Definition
The combination of 2 or more factors
Password and Smart Card - Something you know and something you have
Term
Single sign-on
Definition
Decentralized authentication
Hard to manage - hard to back up
Centralized authentication
Easy to manage - easy to back up
Single sign-on
Requires centralized authentication - minimises the number of passwords to remember - a single compromise can affect many systems.
Term
Single sign-on: Kerberos
Definition
Windows domains use Kerberos starting with Windows 2000 Server
Supports mutual authentication - client authenticates server, server authenticates client.
Requires synchronized clocks for time stamps; uses symmetric encryption
Secure European System for Applications in a Multivendor Environment (SESAME) is similar.
Term
Kerberos components
Definition
Key Distribution Centre (KDC)
Authentication Server (AS)
Ticket Granting Server (TGS)
Term
Others
Definition
Federated Access
SSO for different networks and OSs owned and managed by different organisations
Term
Others
Definition
RADIUS - Remote Authentication Dial-In User Service
Works with PPP, CHAP, PAP, EAP
Not encrypted; susceptible to sniffing, replay attacks, DoS
Use IPsec to encrypt, and use unique shared secrets
Term
Others
Definition
TACACS+ - Terminal Access Controller Access Control System
Authentication, authorisation and accounting
Encrypts passwords and the entire payload
TCP port 49
TACACS and XTACACS - older - don't use
Term
Others
Definition
LDAP - Lightweight Directory Access Protocol
Not an authentication service
X.500 objects and attributes
TCP/UDP port 389
Term
Trust relationships
Definition
Makes it possible to authenticate users of one domain in another domain.
Reduces account management
Enables a single sign-on approach across multiple domains and forests
Can cause confusion when assigning permissions and maintaining permission management.
A trusted rogue admin has access to many domains.
Identity Proofing
Definition

To help prevent risks of cyber threats and identity fraud.

 

Classic Knowledge Based Authentication

Common and weakest, verification based on collected data from user. Easy to guess with simple background knowledge of user

Dynamic Knowledge based authentication

Challenge questions prodiuced on the-the fly from public financial questions

Difficult to hack but susceptible to data source breaches

Out of Band

Separate from the authentication process. One time passwords voice, text to phone.

Risk and Behaviour Based

Example based on Credit Card Purchasing behaviour

 

Term
Provisioning
Definition
The creation of accounts and the assignment of permissions, often automated
Example: an HR application creates an account when someone processes a new hire
Groups improve administration, management and security
Individual user permission assignments are difficult to manage: users are assigned to groups, and groups are assigned the privileges. Remember least privilege.
Remember to de-provision
Disable accounts, don't delete - yet
Term
Maintenance
Definition
The management of accounts through their lifetime, often with account policies
Password policies
Complexity, length, age (min and max), history
Lockout policies
Number of failed attempts, duration of lockout
Time restrictions
Allowing users to access the system only during specified hours
Remember to de-provision
Disable accounts
Educate users
Term
Entitlement
Definition
Entitlements are the privileges granted to a user; follow the principle of least privilege
Admins should have separate admin accounts
One for admin work
One for regular use
Managing groups is better than managing individual users
Adding or removing privileges for a group is more efficient and easier to troubleshoot.
It's not just people
Computers and devices
Term
Subjects
Definition
Users
Computers
Devices
Applications
Networks
Term
Objects
Definition
Data (files, folders and shares)
Hardware (computers and printers)
Networks (local intranet)
Applications
Facilities
Term
Access Control Policy
Definition
Separation of duties
Restricts the power of users
Helps prevent fraud
Clark-Wilson model
Focused on information integrity
Enforces the principle of SoD
Separation of the elements of a transaction between people
Job rotation
Helps prevent misuse and fraud
Trains redundant skills
Mandatory vacations
Help uncover misuse or illegal activities
Audits can be performed while the user is on vacation
Term
Mandatory Access Control - MAC
Definition
Provides the highest level of security
Used by the military
Uses labels to control access
Access is predefined by admins - users can't choose
Term
Government Classifications
Definition
Top Secret
Secret
Confidential
Unclassified
Term
MAC Architecture Models
Definition
Bell-LaPadula
Primary goal of integrity
No read up
No write down
Goal: prevent someone copying data from a higher level to a lower one
Biba
Primary goal of integrity
No read down
No write up
Goal: unauthorized people can't modify data
Term
MAC Architecture Models
Definition
Clark-Wilson model
Focused on information integrity
Enforces the principle of SoD
Separation of the elements of a transaction between people
Chinese Wall (Brewer-Nash)
Prevents conflicts of interest - SoD
Term
Discretionary Access Control – DAC
Definition
Provides the most granular control
Users have full access over their data and can assign permissions
Uses Access Control Lists (ACLs) or DACLs
Entries are Access Control Entries (ACEs) and consist of the subject and permissions
Term
Non-Discretionary Access Control – non-DAC
Definition
Admins control the access granted to users
MAC models
Implemented by some OSs
To prevent system file access
Helps prevent malware from taking ownership of system files; users still have DAC
Term
Role-Based Access Control – RBAC
Definition
Uses roles to determine access
Subjects are placed in roles
Roles are granted object permissions
Easier to implement
Sometimes referred to as Rule-Based Access Control
Term
Attribute-Based Access Control – ABAC
Definition
Provides dynamic, context-aware access control
Speeds up application rollout
Great for cloud-based applications
Roles are granted object permissions
One standard - eXtensible Access Control Markup Language - XACML
Subject requests for operations on objects are granted or denied based on attributes of the subject, attributes of the object, environment conditions, and a set of policies
Example: a cardiologist can view records of heart patients while at the hospital
Term
Risk Management Framework
Definition
Step 1 - Categorize
Collect information on systems and threats
FIPS Publication 199 impact assessment - CIA
Step 2 - Select
Control baseline
Tailor for mission/business specifics
Step 3 - Implement
Consists of decisions about alternatives, cost, risks, trade-offs
Step 4 - Assess
Did the control perform as expected?
Step 5 - Authorize
Report information to authorizing officials
Step 6 - Monitor
Effectiveness of controls, changes to the system, compliance with federal agency requirements
Term
Participate in Security Testing and Evaluation: Risk Analysis
Definition
[image]
Term
Bus Topology
One cut and it's broken
Definition
[image]