46 Cards in this Set

Front | Back
Subject | An active entity that requests access to an object or data.
Object | A passive entity that contains information or data.
Access | The ability of a subject to do something with an object, such as read, write, create or execute.
Access control | A security feature that controls how subjects and objects interact with each other.
Granularity | The fine divisions of a component, allowing fine-tuning of which access controls are regulated.
Identification | The association of some unique, or at least useful, label with a subject; it ascertains the identity of a subject.
Authentication | Proving that the subject is who he claims to be: something he knows (password), something he has (smart card), something he is (fingerprint).
Authorization | Granting access to resources based on a criteria list.
Strong authentication (two factor) | The requirement of having two of the three factors of authentication.
Excessive privilege | A user or administrator has more privileges than he/she needs for the security of the system.
Crypto keys | A private key or digital signature used to prove one's identity. A private key is a secret value in the possession of one person; a digital signature is a hash value encrypted with the private key. More secure than static passwords.
Passphrases | A sequence of characters is typed and software transforms it into a virtual password. More secure than a password because it is longer and easier to remember.
Memory cards | The card holds the authentication information, just like an ATM card. Added cost of reader, card creation and maintenance.
Cognitive passwords | Fact-based information is used to verify identity: a question is asked of the subject and he answers (mother's name, pet name, favorite idol). Easy to remember.
One-time password | Good only for one authentication; uses a token.
Synchronous one-time password generator | Synchronized with the authentication service by using time or an event to authenticate. Time- or event-driven; encrypted using the time value.
Asynchronous one-time password generator | The same, but uses a challenge/response.
Password characteristics | Cheapest, least secure (easily shared or written down), most widely used authentication technology.
Biometrics | Authentication through unique physical personal attributes. Most accurate, sophisticated and very expensive; not widely accepted by society.
Type I | False Reject Rate (false negative): a legitimate subject is not authenticated.
Type II | False Accept Rate (false positive): an impostor is authenticated.
Crossover Error Rate (CER) | The point where the rejection and acceptance rates intersect.
Discretionary Access Control (DAC) | Access is granted solely on the basis of the authorization granted by the owner. Uses ACLs.
Mandatory Access Control (MAC) | Based on the security clearance of the subject and the classification of the object, in other words on labels. The OS determines access.
Role-Based Access Control (RBAC) | Also called non-discretionary access control. Allows access to objects based on the role the user holds within the company: the administrator assigns certain rights to a role and each user is placed in a role. Oracle works that way.
Lattice-based Access Control | Every pair of elements is compared: roles, their permissions and clearance levels against the sensitivity level of the object, to determine the access level.
Rule-based | A security policy based on global rules imposed on all subjects; MAC is an example. Rule-based access techniques are based on specific rules that indicate what can and cannot happen to an object.
Menus | The administrator specifies the menu available to the user.
Shells | The administrator specifies the menu available to the user through OS commands.
Database view | Access is limited by a table view.
Physically constrained | A limiting keypad or touch buttons, like an ATM.
Control matrix | A table of subjects and objects that specifies their access relationships.
Capability table | Specifies the access rights a certain subject has to an object.
Access Control Lists (ACLs) | Used to authorize a subject to access an object; they are bound to the object.
Content-dependent access control | Access to objects can be determined by the sensitivity of the content within the objects. As an example, one user may have access to a payroll DB while another user cannot.
Access control attributes | Groups, physical location, logical location, time of day, transaction type.
Access control administration | Centralized: one entity. Senior management makes the access-rights policies and administrators enforce them. Examples: RADIUS, TACACS+, DIAMETER.
Remote Authentication Dial-In User Service (RADIUS) | An authentication protocol that authenticates and authorizes. It provides a handshake protocol; the user dials in to communicate.
DIAMETER | A protocol that provides user authentication over more than just SLIP and PPP: it provides protocols for PDAs, laptops or cell phones. It includes better message transport, proxying, session control and higher-security transactions.
Terminal Access Controller Access Control System (TACACS+) | An authentication protocol to authenticate remote users. It splits the authentication, authorization and auditing features. It is a Cisco protocol.
Single Sign-on (SSO) technology | A technology where the user presents their credentials once and can then access all resources across the accredited network. Less administration, users are centralized, and the user only needs to remember one set of credentials. It uses scripts or a directory service (LDAP). The various protocols are Kerberos, Sesame and thin clients.
Kerberos | 1) The user authenticates to the Authentication Server (AS). 2) The AS sends the initial ticket. 3) The user requests access to an object. 4) Each time the user requests access to an object, the Ticket Granting Service (TGS) creates a new ticket with a session key from the Key Distribution Center (KDC). 5) The user accesses the object. Downfalls: single point of failure, secret keys stored with users, dictionary attacks, the KDC must be available, not encrypted by default.
Secure European System for Applications in a Multi-vendor Environment (Sesame) | 1) The user sends credentials to the AS. 2) The AS sends a token back to the user. 3) The user presents the token to the Privilege Attribute Server (PAS) and requests a Privilege Attribute Certificate (PAC). 4) The user accesses the object server.
Thin-client | A network of dumb terminals where each terminal requests tickets from the mainframe.
Steps of controlling access | 1) Decide on the model. 2) Decide on the technology/techniques. 3) Decide how access is to be managed (centralized, decentralized, hybrid).
Auditing | Controls through tracking the activities of users and systems.