Chapter 5 Security

Pataasin ang iyong marka sa homework at exams ngayon gamit ang Quizwiz!

Ideally, you should change passwords at least once every...

30 days.

USB Token

A hardware device that you plug into your computer's USB port. The device is encoded with your digital signature. With it, you don't have to type anything in.

Rule-based access control -

A list of rules, maintained by the data owner, determines which users have access to objects.

Constrained user interface -

A user's ability to get into- or interface with - certain system resources is restrained by two things. The user's rights and permissions are restricted and constraints are put on the device or program providing the interface.

The three primary concerns with biometrics are

Accuracy, Acceptability, Reaction Time

List the most common types of security controls...

Administrative, Logical/technical, Hardware, Software, Physical.

Multi-tenancy

Allows different groups of users to access a database without being able to access each other's data.

The four parts of access control:

Authorization, Identification, Authentication, Accountability

Brewer and Nash Integrity Model

Based on a mathematical theory published in 1989 to ensure fair competition. It is used to apply dynamically changing access permissions. It can separate competitors' data within the same integrated database to make sure users don't make fraudulent changes to objects.

Examples of system controls for a human resources (HR) system include...

Deciding which users can get into a system. Monitoring what the user does on that system ( for example certain HR employees might be allowed to view documents, but not edit) Restraining or influencing the user's behavior on that system ( for example, an HR staffer who repeatedly tries to get into restricted info might be denied access to the entire system).

DAC

Discretionary access control (DAC) With DAC, the owner of the resource decides who gets in and changes permissions as needed. The owner can give that job to others.

Types of Biometrics

Fingerprint, palm bring, hand geometry, retina scan, Iris scan, facial recognition, voice pattern, keystroke dynamics, signature dynamics,

Biba Integrity Model

Fixes a weakness in the Bell-La Padula Model, which addresses only the confidentiality of data.

Bell-La Padula Model

Focuses on the confidentiality of data and the control of access to classified information. Parts of a system are divided into subjects and objects and the current condition of a system is described as its state. The model defines a secure state.

Clark and Wilson Integrity Model

Focuses on what happens when users allowed into a system try to do things they are not permitted to do.

Access controls can be compromised in several ways:

Gaining physical access. Eavesdropping by observation. Bypassing security. Exploiting hardware and software. Reusing or discarding media. Electronic eavesdropping. Intercepting communication. Accessing networks. Exploiting applications.

Accountability

How are actions traced to an individual to ensure that the person who makes changes to data or systems can be identified? This process of associating actions with users for later reporting and research is known as accountability.

There are three types of authentication...

Knowledge, ownership (something you have, such as a smart card), characteristics (something that is unique to you, such as your fingerprints, retina, or signature).

Passphrase

Longer and generally more secure than a password.

MAC

Mandatory Access Control. With MAC, permission to access a system or any resource is determined by the sensitivity of the resource and the security level of the subject. It cannot be given to someone else. This makes MAC stronger than DAC.

MAC

Media Access Control

Non-discretionary access control -

Non-discretionary access controls are closely monitored by the security administrator, and not the system administrator.

To manage access control policies well, relationships are defined as...

Optional conditions that exist between users and resources. Relationships are permissions granted to an authorized user, such as read, write, execute.

PINS

Personal information numbers

Organizations control access to resources primarily on two levels:

Physical access controls - These control entry into buildings, parking lots, and protected areas. Like a key.. Logic access controls - These control access to a computer system or network. Your company probably requires that you enter a unique username and password to log on to your company computer. That username and password allow you to use your organization's computer system and network resources.

To manage access control policies well, resources are defined as

Protected objects in the system. Resources can be accessed only by authorized subjects. Resources can be used only in authorized manners.

PKI

Public key infrastructure technology.

Overwriting

Repeatedly writing random characters over data. This process works well if the amount of data to be overwritten is fairly small and the overwriting is fairly fast.

RBAC

Role Based Access Control. This kind of policy bases access control approvals on the jobs the user is assigned. The security administrator assigns each user to one or more roles.

Unlike Kerberos...

SESAME improves key management by using both symmetric and asymmetric keys to protect interchanged data.

SSO

Single Sign-On strategy allows users to sign on to a computer or network once, and have their identification and authorization credentials allow them into all computers and systems where they are authorized. They don't need to enter multiple user IDs or passwords.

Time-based synchronization system

The current time is used as the input value. The taken generates a new dynamic password (usually every minute) that is displayed in the window of the token. To gain access, the password is entered with the user's PIN at the workstation. This system requires that the clock in the token remains in sync with the clock in the authentication server. If the clocks drift out of sync, the server can search three or four minutes on each side of the time to detect an offset.

The four parts of access control are divided into these two phases:

The policy definition phase - determines who has access and what systems or resources they can use. The authorization process operates in this phase. The policy enforcement phase - this phase grants or rejects requests for access based on the authorizations defined in the first phase. The identification, authentication, and accountability processes operate in this phase.

Role engineering

The process of defining roles, approvals, role hierarchies, and constraints.

TFA

Two-factor authentication, provides a higher level of security than using only one, single-factor authentication.

Four central elements of access to manage access control policies well:

Users, Resources, Actions, Relationships

Static biometrics

What you are. Physiological biometrics like fingerprints, iris granularity, retina blood vessels, etc.

Dynamic biometrics

What you do. Behavioral biometrics like voice inflections, keyboard strokes, and signature motions.

An example of SSO, Kerberos is

a computer-network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Is also a suite of free software published by MIT that applies the Kerberos protocol. Aimed at the client-server model.

The kernel allows or denies...

access based on the defined access rules. All access requests handled by the system are logged for later tracking and analysis.

The process of associating an action with users for later reporting or analysis is called...

accounting.

A synchronous token uses...

an algorithm that calculates a number at both the authentication server and the device. It displays the number on the device's screen. The user enters this number as a logon authenticator, just as he or she would use a password.

An event-based synchronization system...

avoids the time-synchronization problem by increasing the value of a counter with each use. The counter is the input value. The user presses a button to generate a one-time password, and then enters this password with his or her PIN at the workstation to gain access.

Degausser

creates a magnetic field that erases data from magnetic storage media.

The security kernel

is the central part of a computing environment's hardware, software, and firmware that enforces access control and implements the reference monitor concept. It mediates all access requests and permits access only when the appropriate rules or conditions are met.

The first step in enforcing an authorization policy is identification. Identification is the..

method a subject uses to request access to a system or resource.

The security kernel refers to its...

rules base, also known as the security kernel database. It uses these rules to determine access rights. Access rights are set according to the policies your organization has defined.

Asynchronous Tokens is the

second of two types of token-based devices. It looks like a credit card-sized calculator. The authentication server issues a challenge number that the user enters. The token computes a response to the value provided by the authentication server. The user then replies to the server with the value displayed on the token. Many of these systems also protect the token from misuse by requiring the user to enter a PIN along with the initial challenge value.

Authentication by knowledge is based on...

something you know, such as password, passphrase, or PIN.

The number of failed logon attempts that trigger an account action is called...

the Threshold.

When the subject requests access to a particular object...

the security kernel intercepts the request.

Continuous authentication...

used by systems that continuously validate the user. Often done with proximity cards or other devices that continuously communicate with the access control system.

A subject can be a...

user, process, or some other entity.

In an authority-level policy,

you need a higher degree of authority to access certain resources. For example, perhaps only a senior-level member of the IT group has permission to enter the room that houses servers.


Kaugnay na mga set ng pag-aaral

NSCI 175 Final (All Learning Objectives)

View Set

8 Principles of Social Justice & The Biblical Roots of Catholic Social Teaching

View Set

Chapter 9 - What is double marginalization

View Set

EMT Chapter 35- Geriatric emergencies

View Set

Prep U QC: Growth and Development

View Set

CIE ICT IGCSE THEORY/PRACTICAL GLOSSARY

View Set

UT 2 Funds The Nursing Process Chapter 10-15

View Set

NCLEX Questions Substance Abuse, Eating disorders and Impulse control disorders

View Set

Congenital Uterine Anomalies SONO 123

View Set

Ch 23: Management of Patients With Chest and Lower Respiratory Tract Disorders

View Set