Controlling Access
Controlling Access to Information Systems
| Question | Answer |
|---|---|
| Name three principles that make up the information security triad: | Confidentiality, Integrity and Availability |
| Prevents unauthorized disclosure of sensitive data: | Confidentiality |
| Guarantees that data and resources are accurate and reliable: | Integrity |
| Timely and reliable access to data and resources by authorized users: | Availability |
| What is Access Control? | Security mechanism that prevents the unauthorized access to facilities, system, network resources and information. |
| How is access control enforced? | Through individual and organizational accountability; it requires identification and validation before permitting or limiting access to information and network resources. |
| What are the goals of access control? | Prevents unauthorized users from accessing data and systems, and authorized users from modifying or deleting information. Preserves internal and external data consistency and reduces the effects of security threats and vulnerabilities. |
| What is separation of duties? | Dividing tasks between different people to complete a business process or work function. |
| What are the 3 access control categories? | Administrative, Physical and Technical aka logical |
| What does the administrative category include? | policies and procedures, security awareness training, background investigations, work habit audits, testing, and supervisory structure |
| What does the Physical category include? | perimeter security, network separation, work area separation, data backups, computer controls, security guards, lock boxes, cable protection and data backups |
| What does the technical category include? | antivirus software, encryption, transmission protocols, network architecture, passwords, intrusion detection systems (IDSs) and network access. |
| Name the 5 control types: | Detective, Corrective, Deterrent, Recovery and Compensation |
| Define Detective: | Established to identify and react to security violations that occur. Used to restore systems that are victims of malicious attacks |
| Define Corrective: | Used to restore systems that are victims of malicious attacks |
| Define Deterrent: | Implemented to discourage violation to security |
| Define Recovery: | Used to restore capabilities and resources |
| Define Compensation: | Established to provide alternatives to other controls. |
| What is the purpose of access control types? | To protect resources, prevent loss and mitigate risk to data and network systems. |
| What does an access control structure consist of? | Access control categories and access control types |
| What is a MAC? | Mandatory Access Control - Model that bases access decisions on rules and security labels, which consist of a classification and category. |
| What is Rule-Based access control? | Model in which rules determine an individual's or group's ability to access data and systems. |
| What does a security label consist of? | classification and category |
| What is DAC? | Discretionary Access Control - model that bases access decisions on who owns the data |
| What is ACL? | Access Control List - Specifies which users have what privileges to a resource. (Bound to an object) |
| What is an access control matrix? | A tabular display of the access held by users to an object |
| What are permissions? | Commonly referred to as rights |
| Describe Non-Discretionary Access Control aka Role-Based Access Control: | A model that bases access decisions on a user's position and job function within an organization. |
| What does the capability table contain? | Contains references to a subject and displays what objects that subject can access. |
| What access control model would you use for a company that had a high user turnover? | Non-Discretionary aka Role-Based |
| What access control model would you use for a military base? | Mandatory |
| What access control model would you use when each department needs control over their data? | Discretionary |
| Read | User may list the files in a directory or read the contents of a file but cannot make changes to the file |
| Write | User may add or delete files in a directory or make changes to a file. |
| Execute | User may search or read a directory or run an executable file |
| Change | User may add or delete files in a directory or read, write, execute or delete a file, but cannot change access control permissions. |
| Name the 3 requirements to consider when choosing the right model to control DATA access: | Availability, integrity, confidentiality |
| Key points to control SYSTEM access: | defining the privileges and accountability of those who enter the system, validating user identity and determining if access should be granted. |
| Name comprehensive systems for identification and authentication: | passwords, smart cards, biometrics, single sign-on |
| Name four password types: | One-time (dynamic), static, passphrase and tokens |
| What is a smart card? | Smart card can provide strong authentication for single sign-on or enterprise single sign-on to computers, laptops, data with encryption |
| These are examples of what type of authentication method: voice recognition, retinal scan, iris scan, palm scan, fingerprint scan and hand geometry | biometric |
| In biometric devices, Type I is: | False rejection rate (FRR) |
| In biometric devices, Type II is: | False acceptance rate (FAR) |
| What is used to measure the accuracy of a biometrics system's sensitivity? | CER - Crossover Error Rate |
| Name commonly used single sign-on methods: | Kerberos, SESAME, scripts |
| Uses symmetric key cryptography: | Kerberos |
| Exchanges a secret key between the user and the server via an Authentication Service (AS) exchange and a Ticket Granting Service (TGS) exchange. | Kerberos |
| Uses symmetric and asymmetric key cryptography: | SESAME |
| Uses Privileged Attribute Certificates (PACs) containing the user's identity, access capabilities and access time period. | SESAME |
| Uses public key cryptography to distribute secret keys. | SESAME |
| Files containing user credentials that run in the background: | scripts |
| What is the purpose of the access control process? | protect system resources from unauthorized use. |
| What are the 3 steps to the access control process? | identification, authentication, authorization |
| Ensures the subject is who it claims to be: | identification |
| Validates the established identity with something the subject knows, or has. | authentication |
| Matches the subject to the object or system resource it is trying to access | authorization |
| Name 3 types of access control administration methods: | Centralized Domain, Decentralized Domain and Hybrid Domain |
| An authentication protocol used to authenticate and authorize dial-in users | RADIUS |
| Cisco proprietary authentication protocol used to authenticate and authorize dial-in users. | TACACS - Terminal Access Controller Access-Control System |
| Authentication protocol allowing for a variety of connection types, including dial-in, remote and wireless | Diameter |
| Access control administration method that denotes a single point or a consolidated point of control | Centralized |
| Access control administration method that distributes access control administration across several organizational entities. | Decentralized |
| An access control administration method that combines a centralized and decentralized domain. | Hybrid |
| With the exception of very small businesses, most organizations use this type of access control administration method. | Hybrid |
| In what type of access control administration method is access to individual files, folders, and resources determined by the content authors or organization managers? | Hybrid |
| In what type of access control administration method do individuals, functional departments, or managers control access to data and system resources? | decentralized |
| What type of access control administration method provides a consistent, uniform method of control, using authentication protocols to authenticate and authorize for a variety of connection types, including dial-in, remote and wireless? | centralized |
| What 3 guidelines should be considered when determining an access control administration method? | frequency of access control administration requirements, types of access protocols required by remote users and risk tolerance of the org's data security. |
| What has the greatest impact when determining an access control administration method? | organization's security goals and risk tolerance |
| What are penetration tests? | staged attacks on your system aimed at determining that authorized users have access, identifying vulnerabilities in your system and addressing system intrusion |
| Define Access Control Attacks: | A concentrated effort by an intruder to circumvent security controls to gain access to a network system or resource, or to prevent access to the network system or resource. |
| Applying the entire scope of an attacker's resources towards bypassing network security. Typically a trial-and-error process. | Brute force |
| Variation of a brute force attack that relies on the fact that users typically only pick passwords based on standard dictionary words. | Dictionary |
| Intends to cripple the victim's resources rather than to gain entry to them. Usually engineered around some means to overwhelm system resources and force a shutdown. | Denial of Service (DoS) |
| One of several forms of DoS attack. Causes severe congestion of the victim's network resources by overwhelming it with ICMP ping response messages. | Smurfing |
| Attacker masquerades as a trusted user, network resource or file. Spoofing is performed in advance of a DoS attack. | Spoofing |
| What is IDS? | Intrusion Detection System - A method of monitoring networks that attempts to detect an attack. It focuses on detection, not prevention. |
| Four types of IDS categories? | Network or host based, Signature-based, Anomaly-based and Passive or reactive system |
| What is information system monitoring? | A security tool that monitors system activity and records these events to an audit log. |
| What are audit trails? | record of who has accessed the computer system and what operations were performed |
| What are events? | Network activity that could be audited and logged. |
| What are alarms and signals? | Used to alert network administrators when evidence of an attack or anomalous network behavior is detected. |
| Name the 5 steps when performing a penetration test: | Discovery, Enumerate, Vulnerability mapping, Exploitation and Management Reporting |
| Name a port scanner: | nMap |
| Name a vulnerability scanner: | Nessus |
| External penetration tests focus on: | infrastructure, and software, and is typically performed by an outside consultant. |
| Internal penetration tests focus on: | network access points and is typically performed by internal resources. |
| Application security assessment penetration tests focus on: | identifying and assessing threats to data and systems via proprietary applications or systems. |
| Wireless/remote access security (RAS) penetration tests focus on: | vulnerabilities associated with mobile technologies. |
| Zero Knowledge type: | (Black Box) Team has no knowledge about the target system |
| Partial Knowledge type: | Team has some knowledge of the target system |
| Full Knowledge type: | (White Box) Team has extensive data about the target system |