Network Security: Chp. 5 - Access Controls
Security Assertion Markup Language (SAML)
An open XML standard used for exchanging both authentication and authorization data.
Transition functions
In a state-machine security model, the rules that map a current state plus an input to the next state. A system is considered secure if it starts in a secure state and every transition function leads only to another secure state.
Software as a Service (SaaS)
A model of software deployment or service where customers use applications on demand.
Authority-level policy
An authorization method in which access to resources is decided by the user's authority level.
Group membership policy
An authorization method in which access to resources is decided by what group(s) you are in.
Access control list (ACL)
An implementation technique that controls access to a resource by maintaining a table of the user IDs (or groups) permitted to use it and the operations each may perform; also used on router and switch interfaces as an ordered list of rules that permit or deny IP packets to manage IP traffic flow.
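Both uses of the term in one runnable script, added here as an editor's example (it is not code from the book or from any router vendor): a resource ACL keyed by user and group, and a router-style packet ACL evaluated top to bottom with first match wins and an implicit deny at the end. All user names, group names, file paths and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- 1. Resource ACL: table of subject -> permitted operations (constructed sample data) ---
FILE_ACL = {
    "/srv/payroll.xlsx": {"alice": {"read", "write"}, "group:finance": {"read"}},
    "/srv/public.txt":   {"group:everyone": {"read"}},
}
GROUPS = {"alice": {"finance", "everyone"}, "bob": {"everyone"}, "eve": set()}


def file_allowed(user: str, resource: str, op: str) -> bool:
    """Only explicit entries grant access; anything not listed is denied (default deny)."""
    entries = FILE_ACL.get(resource, {})
    subjects = [user] + [f"group:{g}" for g in GROUPS.get(user, ())]
    return any(op in entries.get(s, set()) for s in subjects)


# --- 2. Packet ACL: ordered rules, first match wins, implicit deny at the end --------------
@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None  # None means any destination port

    def matches(self, proto: str, src: str, dst: str, dport: Optional[int]) -> bool:
        return ((self.proto == "ip" or self.proto == proto)
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# Constructed inbound ACL for a router interface: block one known-bad host, allow HTTPS to the
# web server and DNS to the resolver, drop everything else. Addresses are documentation ranges.
ACL = [
    Rule("deny",   "ip",  net("203.0.113.7/32"), net("0.0.0.0/0")),
    Rule("permit", "tcp", net("0.0.0.0/0"),      net("192.0.2.10/32"), 443),
    Rule("permit", "udp", net("0.0.0.0/0"),      net("192.0.2.53/32"), 53),
]


def packet_action(proto: str, src: str, dst: str, dport: Optional[int] = None) -> str:
    """Evaluate rules in order. Order matters: if the permit rules were listed above the deny,
    the blocked host would reach the web server. Unmatched packets hit the implicit deny."""
    for rule in ACL:
        if rule.matches(proto, src, dst, dport):
            return rule.action
    return "deny"
```

The implicit deny at the end is what makes the list fail closed; forgetting that real ACLs behave this way is the usual cause of "the ACL broke everything" after a misplaced rule.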
Audit
An independent third party review of an organization's existing financial situation, IT implementation, and/or IT security implementation.
Role-based access control (RBAC)
An access control method that bases access control approvals on the jobs the user is assigned.
Bell-La Padula model
A confidentiality-focused access control model for multilevel systems. Subjects and objects carry hierarchical labels (for example Top Secret above Secret above Confidential); a subject may not read objects above its clearance (no read up) and may not write to objects below it (no write down), so information cannot flow to a lower level.
HMAC-based one-time password (HOTP)
An algorithm (RFC 4226) that derives a one-time password from an HMAC of a shared secret and an incrementing counter, truncated to a short decimal code. Used by hardware tokens and mobile authenticator apps; the authentication server holds the same secret and counter and verifies the code by recomputing it.
Man-in-the-middle attack
An attack in which the attacker positions itself between two communicating parties and intercepts (and possibly alters) messages before relaying them to their intended destination, while each party believes it is talking directly to the other.
Passphrase
An authentication credential that is generally longer and more complex than a password. Passphrases can also contain multiple words.
Time-based synchronization system
An authentication method in which a token's internal clock is synchronized with a server's clock to generate matching values.
Event-based synchronization system
An authentication method in which a token's value is synchronized with a server by a shared counter rather than a clock. The counter is increased each time a new value is requested; the server accepts the next expected value (or one within a small look-ahead window, to resynchronize after unused presses).
Transitive trust
A trust relationship that extends through an intermediary: if domain A trusts domain B and B trusts C, then A trusts C. In single sign-on environments this is what lets the initial sign-on credentials be forwarded by request to other trusted servers without a new logon.
Single-factor authentication
An authentication method that uses only a single type of authentication credentials.
Two-factor authentication
An authentication method that uses two different types of authentication credentials (for example, something you know plus something you have). Provides a higher level of security than using only one, because compromising a single factor is not enough.
Asynchronous token
An authentication token used to process challenge-response authentication with a server. The token takes the server's challenge value and calculates a response. The user enters the response to authenticate a connection.
Time-based one-time password (TOTP)
A variant of HOTP (RFC 6238) in which the moving counter is replaced by the current time divided into fixed steps (typically 30 seconds). Because a code is valid for only one step (plus a small allowance for clock drift), a captured code has little replay value.
Extended Terminal Access Controller Access-Control System (XTACACS)
An extension of the TACACS remote access client/server protocol that separates authentication and authorization for users who are accessing the network remotely. It is not a secure protocol and has been superseded by TACACS+.
Username
The most common method to identify a user to a system. It is usually a character string that represents a person or group of people who access a computer system.
User-assigned privileges
The most detailed authorization policy, it assigns specific privileges to the individual user.
Sniffing
The capture of data as it crosses a network, usually with a packet analyzer; eavesdropping. Any credentials or data sent in cleartext (for example PAP passwords) can be read directly by whoever is sniffing.
Crossover error rate
The sensitivity setting at which a biometric device's false rejection rate (FRR, legitimate users turned away) equals its false acceptance rate (FAR, impostors let in). Also called the equal error rate; the lower the crossover error rate, the more accurate the device.
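To make the crossover concrete, here is an added example (constructed for this page, not taken from the book or from any biometric vendor) that sweeps the acceptance threshold over a small set of match scores and locates the point where FAR and FRR meet. The scores are invented for a hypothetical fingerprint reader; a real evaluation would use thousands of genuine and impostor samples.

```python
# Constructed match scores (0 = no match, 1 = perfect match) for a hypothetical reader.
GENUINE = [0.91, 0.88, 0.95, 0.80, 0.85, 0.70, 0.93, 0.60, 0.89, 0.97]   # enrolled users
IMPOSTOR = [0.20, 0.35, 0.50, 0.65, 0.30, 0.10, 0.72, 0.40, 0.55, 0.25]  # everyone else


def rates(genuine, impostor, threshold):
    """A sample is accepted when score >= threshold.
    FAR = impostors accepted; FRR = genuine users rejected. Returns (FAR, FRR)."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def crossover_error_rate(genuine, impostor, steps=100):
    """Sweep the threshold across the observed score range and return (threshold, rate) where
    FAR and FRR are closest to equal: the device's CER / equal error rate."""
    lo, hi = min(genuine + impostor), max(genuine + impostor)
    best = None
    for i in range(steps + 1):
        t = lo + (hi - lo) * i / steps
        far, frr = rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    return best[1], best[2]


def tradeoff_table(genuine, impostor, thresholds):
    """Why tuning is a trade-off: raising the threshold lowers FAR but raises FRR."""
    return {t: rates(genuine, impostor, t) for t in thresholds}


if __name__ == "__main__":
    print("CER at threshold %.3f: %.2f" % crossover_error_rate(GENUINE, IMPOSTOR))
    for t, (far, frr) in tradeoff_table(GENUINE, IMPOSTOR, [0.3, 0.5, 0.7, 0.9]).items():
        print(f"threshold {t:.1f}: FAR {far:.1f}  FRR {frr:.1f}")
```

Operators rarely run a device at its CER: a data-center door is tuned well above it (low FAR, more re-scans), while a convenience feature like a phone unlock is tuned below it.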
Cloud computing
The practice of using computing services that are hosted in a virtualized data center with remote access to the application and data (e.g., Software as a Service [SaaS] utilizes cloud computing).
Least privilege
The principle in which a subject—whether a user, application, or other entity—should be given the minimum level of rights necessary to perform legitimate functions.
Authorization
The process of deciding who is approved for access to specific resources.
Separation of duties
The process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task.
Key distribution center (KDC)
A trusted server in a cryptosystem such as Kerberos that issues session keys (and, in Kerberos, tickets) to valid users so they can authenticate to each other and communicate securely.
Access control
The process of protecting a resource so that it is used only by those allowed to use it; a particular method used to restrict or allow access to resources.
Identification
The process of providing credentials to claim to be a specific person or entity.
Authentication
The process of proving you are the person or entity you claim to be.
Accounting
The process of recording audit trails and events in log files when monitoring access controls to information systems and applications.
Overwriting
The process of repetitively writing data to specific areas on a physical storage media to effectively replace any previous data stored in those areas.
Privacy
The protection of individual rights to non-disclosure.
Covert channels
These are hidden ways of passing information against organizational policy.
Common Criteria for Information Technology Security Evaluation
ISO/IEC 15408 standard for computer security.
Terminal Access Controller Access-Control System Plus (TACACS+)
A Cisco-developed remote access client/server protocol that provides authentication, authorization, and accounting as separate functions. It runs over TCP port 49 and encrypts the entire packet body, unlike RADIUS, which protects only the password.
Group policy
A centralized set of rules that govern the way Windows operates.
Initiative for Open Authentication (OATH)
An industry collaboration that publishes open standards for strong authentication, including the HOTP, TOTP, and OCRA one-time-password algorithms.
Federation
An arrangement in which multiple organizations or domains trust a common identity provider, so that a user authenticated in one can access resources in the others (for example through SAML assertions) without a separate set of credentials for each.
User Datagram Protocol (UDP)
A communication protocol that is connectionless and is popular for exchanging small amounts of data or messages.
Cloud service provider (CSP)
A company that maintains data centers with racks of server computers, each running multiple virtual machines, and is able to provide services to many clients simultaneously. Organizations of all types turn to CSPs to avoid having to maintain their own data centers.
Buffer overflow
A condition in which a memory buffer exceeds its capacity and extends its contents into adjacent memory. Often used as an attack against poor programming techniques or poor software quality control. Hackers can inject more data into a memory buffer than it can hold, which may result in the additional data overflowing into the next area of memory. If the overflow extends to the next memory segment designated for code execution, a skilled attacker can insert arbitrary code that will execute with the same privileges as the current program. Improperly formatted overflow data may also result in a system crash.
Multitenancy
An architecture in which a single instance of an application, database, or infrastructure serves multiple customers (tenants), with access controls that keep each tenant's data isolated from every other tenant's.
Security kernel database
A database made up of rules that determine individual users' access rights.
Degausser
A device that creates a magnetic field that erases data from magnetic storage media.
Synchronous token
An authentication token that generates one-time values kept in step with the server by time or by an event counter, so no challenge from the server is needed; used as a logon authenticator for remote users of a network.
Lightweight Directory Access Protocol (LDAP)
A protocol for querying and modifying directory services (such as Active Directory), commonly used for network-based authentication and for looking up user and group information. LDAP traffic is cleartext unless it is wrapped in TLS (LDAPS) or upgraded with StartTLS.
Public key infrastructure (PKI)
A general approach to handling encryption keys using trusted entities and digital certificates; the hardware, software, policies, and procedures to manage all aspects of digital certificates.
USB token
A hardware device used for authentication that you plug into your computer's USB port. This device provides authentication credentials without the user having to type anything.
Trojan horses
Malicious software that appears benign or useful to the user but actually performs a task on behalf of an attacker with malicious intent.
Mandatory access control (MAC)
A means of restricting access to an object based on the object's classification and the user's security clearance.
Discretionary access control (DAC)
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
Logical access controls
A mechanism that limits access to computer systems and network resources.
Physical access control
A mechanism that regulates access to physical resources, such as buildings or rooms.
Single sign-on (SSO)
A method of access control that allows a user to log on to a system and gain access to other resources within the network via the initial logon. SSO helps a user avoid having to log on multiple times and remember multiple passwords for various systems.
Temporal isolation
A method of restricting resource access to specific periods of time. You may see temporal isolation more commonly described as time of day restrictions.
Brute-force password attack
A method used to attempt to compromise logon and password access controls by trying every possible input combination until one succeeds. In practice attackers first try dictionaries and patterns derived from information about the target (often gathered through social engineering), because exhaustive search grows exponentially with password length.
Group Policy Object (GPO)
A named object that contains a collection of Group Policy settings.
Cloud Security Alliance (CSA)
A nonprofit organization with a mission to promote security best practices for using cloud computing.
Biometrics
A physiological or behavioral human-recognition system (e.g., fingerprint reader, a retina scanner, a voice-recognition reader, etc.).
Smart card
A plastic card with an embedded microchip that stores authentication credentials and can perform cryptographic operations; a card that carries only a magnetic stripe is not a smart card.
DIAMETER
A centralized AAA protocol (RFC 6733) designed as the successor to RADIUS. It runs over reliable transports (TCP or SCTP), supports larger attribute values and peer-to-peer roaming between providers, and is common in mobile carrier networks.
Need to know
A property that indicates a specific subject needs access to a specific object. This is necessary to access the object in addition to possessing the proper clearance for the object's classification.
Terminal Access Controller Access-Control System (TACACS)
An early remote access client/server protocol that provides authentication and authorization capabilities to users who are accessing the network remotely. It is not a secure protocol.
Secure European System for Application in a Multi-Vendor Environment (SESAME)
A research and development project funded by the European Commission to provide Single Sign-On capability. SESAME was developed to address weaknesses in Kerberos.
Credential management
A system for collecting, managing, and using the information associated with access controls such as login IDs and passwords.
Decentralized access control
A system that puts access control into the hands of people such as department managers who are closest to system users; there is no one centralized entity to process access requests in this system.
Trusted operating systems (TOS)
A type of operating system that includes additional controls to address the additional security needs of systems that handle extremely sensitive information.
Secure LDAP
A version of LDAP (LDAPS, TCP port 636) that wraps all messages exchanged across the network in SSL/TLS.
Biba integrity model
An access control model designed to ensure data integrity. Subjects and data are assigned ordered integrity levels; a subject may not write to data at a higher integrity level (no write up) and may not read data from a lower level (no read down), so untrusted low-integrity input cannot corrupt trusted data.
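The Bell-La Padula, mandatory access control, need-to-know, reference monitor and Biba entries all describe label-based mediation; the script below is an added example (written for this page, not from the book or any trusted operating system) that implements the two models' rules side by side and wraps Bell-La Padula in a small reference monitor that also enforces need-to-know through compartments. The linear four-level lattice, the subject and object names, and the choice to apply the compartment check only to reads are assumptions made for the example.

```python
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical labels; the same integers serve as integrity levels for Biba."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def blp_allows(subject_clearance: int, object_class: int, op: str) -> bool:
    """Bell-La Padula (confidentiality): simple security property = no read up;
    *-property = no write down. Writing up is allowed (a blind drop to a higher level)."""
    if op == "read":
        return subject_clearance >= object_class
    if op == "write":
        return subject_clearance <= object_class
    raise ValueError(op)


def biba_allows(subject_integrity: int, object_integrity: int, op: str) -> bool:
    """Biba (integrity): the dual of BLP. No read down (do not trust lower-integrity data),
    no write up (a low-integrity subject must not modify higher-integrity data)."""
    if op == "read":
        return subject_integrity <= object_integrity
    if op == "write":
        return subject_integrity >= object_integrity
    raise ValueError(op)


class ReferenceMonitor:
    """The single choke point every access request passes through. Labels are assigned by
    the monitor, not chosen by users, which is what makes this mandatory access control.
    Need-to-know is modelled as compartments: reading requires clearance for every
    compartment the object carries, not just a high enough level."""

    def __init__(self):
        self.subjects = {}   # name -> (clearance, compartments)
        self.objects = {}    # name -> (classification, compartments)

    def add_subject(self, name, clearance, compartments=()):
        self.subjects[name] = (clearance, frozenset(compartments))

    def add_object(self, name, classification, compartments=()):
        self.objects[name] = (classification, frozenset(compartments))

    def check(self, subject: str, obj: str, op: str) -> bool:
        s_lvl, s_comp = self.subjects[subject]
        o_lvl, o_comp = self.objects[obj]
        if op == "read" and not o_comp <= s_comp:    # need-to-know (assumed: reads only)
            return False
        return blp_allows(s_lvl, o_lvl, op)
```

Note what the models do not cover: BLP says nothing about integrity (a low-cleared user may write garbage into a Top Secret file), and Biba says nothing about confidentiality, which is why real systems combine them or add application-level checks.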
Security control
Action an organization takes to help reduce risk.
Access control policy
An organizational policy definition that defines how authorized users gain access to resources based on their role and job functions and duties. This policy defines the rules for how employees and authorized contractors are granted access and how their access is removed.
Brewer and Nash model (Chinese Wall)
A model published in 1989 to prevent conflicts of interest, for example between a consultancy's competing clients. Objects are grouped into company datasets and conflict-of-interest classes; once a subject has read data belonging to one company, it is dynamically barred from accessing data belonging to that company's competitors.
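Because the Brewer and Nash wall is built from each subject's own access history rather than from a static label, it is easiest to understand by running it. The class below is an added example (constructed for this page, not from the book or the original paper) with invented company datasets, conflict classes and file names; the treatment of a "public" dataset as sanitized information outside every conflict class is an assumption that follows the spirit of the model.

```python
class ChineseWall:
    """Brewer-Nash conflict-of-interest policy.
    datasets: object name -> company dataset it belongs to.
    conflict_classes: groups of datasets that compete with each other."""

    def __init__(self, datasets: dict, conflict_classes: list):
        self.dataset_of = dict(datasets)
        self.class_of = {}                         # dataset -> conflict class index
        for i, group in enumerate(conflict_classes):
            for ds in group:
                self.class_of[ds] = i
        self.history = {}                          # subject -> datasets it has read

    def can_read(self, subject: str, obj: str) -> bool:
        """Allowed if the subject has already read this dataset, or has never read any other
        dataset in the same conflict class. Datasets in no class (e.g. public data) are free."""
        ds = self.dataset_of[obj]
        seen = self.history.get(subject, set())
        if ds in seen:
            return True
        cls = self.class_of.get(ds)
        return cls is None or not any(self.class_of.get(s) == cls for s in seen)

    def read(self, subject: str, obj: str) -> bool:
        """Mediated read; a successful read extends the wall for this subject."""
        if not self.can_read(subject, obj):
            return False
        self.history.setdefault(subject, set()).add(self.dataset_of[obj])
        return True

    def can_write(self, subject: str, obj: str) -> bool:
        """Write rule: a subject may write to a dataset only if everything it has read is that
        same dataset or public data; otherwise it could copy one client's data into a
        competitor's file, leaking across the wall indirectly."""
        ds = self.dataset_of[obj]
        seen = self.history.get(subject, set())
        return self.can_read(subject, obj) and all(s == ds or s == "public" for s in seen)
```

The write rule is the part most implementations forget: without it, an analyst walled off from Bank B could still read Bank A's figures and write them into a shared report that a Bank B analyst later reads.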
Authentication, authorization, and accounting (AAA)
Core services provided by one or more central servers to help standardize access control for network resources.
Personally identifiable information (PII)
Data that can be used to individually identify a person. Examples include Social Security numbers, driver's license numbers, financial account data, and health data.
Challenge-Handshake Authentication Protocol (CHAP)
Decentralized point-to-point authentication protocol (RFC 1994) in which the server sends a random one-time challenge and the client returns an MD5 hash of the challenge combined with the shared secret. The password itself never crosses the wire, and a captured response is useless against a new challenge, which defeats eavesdropping and replay attacks.
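The three-way exchange described above, with both sides' messages and a replay attempt, as an added example (written for this page; it is not the book's code nor an implementation from any PPP stack). The username, secret and 16-byte challenge length are assumptions; the response formula is the one in RFC 1994.

```python
import hashlib
import hmac
import os


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class ChapServer:
    def __init__(self, secrets: dict):
        self.secrets = secrets   # username -> shared secret; CHAP needs it in recoverable form
        self.pending = {}        # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        """Step 1: send an 8-bit identifier and a fresh, unpredictable challenge."""
        ident = self.next_id & 0xFF
        self.next_id += 1
        chal = os.urandom(16)
        self.pending[ident] = chal
        return ident, chal

    def verify(self, ident: int, username: str, response: bytes) -> bool:
        """Step 3: recompute the hash from the stored challenge; each challenge answers once."""
        chal = self.pending.pop(ident, None)
        if chal is None or username not in self.secrets:
            return False
        expected = chap_response(ident, self.secrets[username], chal)
        return hmac.compare_digest(expected, response)


class ChapClient:
    def __init__(self, username: str, secret: bytes):
        self.username, self.secret = username, secret

    def answer(self, ident: int, challenge: bytes):
        """Step 2: prove knowledge of the secret without sending it."""
        return self.username, chap_response(ident, self.secret, challenge)


def run_exchange(server: ChapServer, client: ChapClient):
    """One handshake. Returns (success, everything an eavesdropper on the link would see)."""
    ident, chal = server.challenge()
    name, resp = client.answer(ident, chal)
    ok = server.verify(ident, name, resp)
    return ok, {"id": ident, "challenge": chal, "name": name, "response": resp}


def replay(server: ChapServer, captured: dict) -> bool:
    """Attacker replays a sniffed response against a new challenge. It fails because the
    response is bound to the specific challenge it answered."""
    ident, _ = server.challenge()
    return server.verify(ident, captured["name"], captured["response"])
```

Two caveats a practitioner should keep in mind: the server must store the secret in cleartext or reversible form (a breach of the server exposes every password), and MD5 is fast enough that a captured challenge/response pair still allows an offline guessing attack against a weak secret. CHAP protects the wire, not a bad password.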
Password Authentication Protocol (PAP)
Decentralized authentication protocol that sends usernames and passwords in cleartext, so anyone sniffing the link can capture them.
Accountability
The property that every action on a system can be traced to the subject that performed it, achieved through identification, authentication, and audit logging; in policy terms, the defined roles and responsibilities of key IT security employees and incident response team members.
Characteristic
In authentication, a unique physical attribute or manner of expression, such as a fingerprint or a signature. Such attributes are often referred to as "something you are."
Ownership
In authentication, this is something you have, such as a smart card, key, badge, or token.
Knowledge
In authentication, this is something you know, such as a password, a passphrase, or a PIN.
State
Information that describes the current status of a network connection that is used by firewalls to make decisions on whether to pass or drop network packets.
Log files
Journaled entries that provide details such as who logged on to the system, when they logged on, and what information or resources were accessed.
View-based access control (VBAC)
Limiting users' access to database views, as opposed to allowing users to access data in database tables directly.
Relationships
Optional conditions that exist between users and resources. They are permissions granted to an authorized user, such as read, write, and execute.
Remote Authentication Dial-In User Service (RADIUS)
Popular centralized AAA protocol, first introduced in the early 1990s, that supports remote user authentication for large numbers of users connecting to central servers. It runs over UDP and protects only the password attribute, not the rest of the packet.
Resources
Protected objects in a computing system, such as files, computers, or printers.
Clark and Wilson integrity model
Published in 1987 by David Clark and David Wilson, this integrity model for commercial systems requires that constrained data items be modified only through certified transformation procedures (well-formed transactions) by authorized subjects, and enforces separation of duties. It focuses on what happens when users allowed into a system try to do things they are not permitted to do.
Constrained user interface
Software that allows users to enter only specific information and perform only specific actions.
Reference monitor
Software that provides a central point of processing for all resource access requests.
Threshold
Some value that indicates a change from normal to abnormal behavior. In the case of failed logon attempts, a threshold of five means that when a user fails to log on five times, the action should be considered abnormal.
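The threshold entry above and the log files entry describe the raw material and the rule of a failed-logon detector. Here is an added example (constructed for this page, not code from the book or from any SIEM) that applies a sliding five-minute window to a handful of invented sshd-style log lines: five failures inside the window raise an alert, a successful logon resets the count, and a slow trickle of typos does not fire. The log format, host names, user names and addresses are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog-like layout (assumed format, not from a real host).
SAMPLE_LOG = """\
2024-03-01T09:00:01 sshd[101]: Failed password for bob from 198.51.100.7 port 51122
2024-03-01T09:00:04 sshd[101]: Failed password for bob from 198.51.100.7 port 51123
2024-03-01T09:00:09 sshd[101]: Failed password for bob from 198.51.100.7 port 51124
2024-03-01T09:00:15 sshd[101]: Accepted password for alice from 192.0.2.44 port 40001
2024-03-01T09:00:20 sshd[101]: Failed password for bob from 198.51.100.7 port 51125
2024-03-01T09:00:31 sshd[101]: Failed password for bob from 198.51.100.7 port 51126
2024-03-01T09:00:33 sshd[101]: Failed password for bob from 198.51.100.7 port 51127
2024-03-01T09:30:00 sshd[101]: Failed password for alice from 192.0.2.44 port 40002
2024-03-01T09:31:00 sshd[101]: Accepted password for alice from 192.0.2.44 port 40003
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
                     r"(?P<user>\S+) from (?P<ip>\S+) port \d+$")


def parse(log_text: str):
    """Yield (timestamp, result, user, ip) for every line that matches the expected layout."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_lockouts(log_text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Flag a user when `threshold` failures fall inside a sliding `window`.
    A successful logon clears the user's failures. Returns [(user, ip, time_of_nth_failure)]."""
    failures = defaultdict(deque)
    alerts = []
    for ts, result, user, ip in parse(log_text):
        q = failures[user]
        if result == "Accepted":
            q.clear()
            continue
        q.append(ts)
        while q and ts - q[0] > window:       # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ip, ts))
            q.clear()                          # one alert per burst; account would now be locked
    return alerts


if __name__ == "__main__":
    for user, ip, ts in detect_lockouts(SAMPLE_LOG):
        print(f"lockout: {user} from {ip} at {ts.isoformat()}")
```

A lockout threshold is also an attack surface: an adversary who knows it can deliberately lock out every account (denial of service), so production detectors usually key on source address as well as user and prefer progressive delays to hard locks.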
Encryption
The act of transforming cleartext data into undecipherable ciphertext.
Colluding
The action of multiple attackers planning a cyber attack; others working secretly especially in order to do something illegal or unauthorized.
Actions
The activities that authorized users can perform using IT assets, systems, applications, and data.
Security kernel
The central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems.
Collusion
Two or more people working together to violate a security policy.
Rainbow tables
A password-cracking technique that trades memory for time: the hashes of every password in a given character space are precomputed into chains and only the chain endpoints are stored, so a captured unsalted hash can be reversed quickly by lookup instead of by brute force. Salting each hash with a unique random value defeats precomputed tables.
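The time/memory trade-off is clearer when built end to end, so below is an added example (written for this page, not the book's code and not any real cracking tool) that constructs a toy rainbow table for unsalted MD5 over three-letter lowercase passwords, recovers passwords from their hashes by re-walking chains, measures how much of the keyspace the table actually covers, and shows that a salted hash cannot be looked up. The keyspace, chain length, chain count and the reduction function are assumptions chosen to keep the run fast.

```python
import hashlib
import itertools
import string

ALPHABET = string.ascii_lowercase
LENGTH = 3                                   # toy keyspace: 26**3 = 17,576 passwords
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 20
N_CHAINS = 1500


def h(password: str) -> bytes:
    """Unsalted MD5: the kind of hash rainbow tables are built against."""
    return hashlib.md5(password.encode()).digest()


def reduce_to_password(digest: bytes, column: int) -> str:
    """Map a hash back into the password space. Folding in the column index is what makes
    this a *rainbow* table: chains that collide at different columns do not merge."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def build_table(n_chains: int = N_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Store only endpoint -> [chain starts]; intermediate values are recomputed on demand."""
    all_pw = ("".join(p) for p in itertools.product(ALPHABET, repeat=LENGTH))
    table = {}
    for start in itertools.islice(all_pw, 0, n_chains * 11, 11):   # spread starts over space
        pw = start
        for col in range(chain_len):
            pw = reduce_to_password(h(pw), col)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Guess that `target` sits at column i, finish the chain from there, and check whether the
    endpoint is stored; if so, re-walk that chain from its start to recover the password."""
    for i in range(chain_len - 1, -1, -1):
        pw = reduce_to_password(target, i)
        for col in range(i + 1, chain_len):
            pw = reduce_to_password(h(pw), col)
        for start in table.get(pw, ()):
            cand = start
            for col in range(chain_len):
                if h(cand) == target:
                    return cand
                cand = reduce_to_password(h(cand), col)
    return None


def coverage(table: dict, chain_len: int = CHAIN_LEN) -> float:
    """Fraction of the keyspace the table can recover; merged chains mean it is below 1.0."""
    seen = set()
    for starts in table.values():
        for start in starts:
            pw = start
            for col in range(chain_len):
                seen.add(pw)
                pw = reduce_to_password(h(pw), col)
    return len(seen) / SPACE


def salted_hash(password: str, salt: bytes) -> bytes:
    """A per-user random salt means the attacker would need a separate table per salt value."""
    return hashlib.md5(salt + password.encode()).digest()
```

Scaling the numbers up is all that separates this toy from the real thing: published tables cover eight-character mixed-case passwords with gigabytes of endpoints, which is why unsalted fast hashes are indefensible and why password storage should use a salted, deliberately slow function such as bcrypt or Argon2.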
