Chapter 5 Security
Ideally, you should change passwords at least once every...
30 days.
USB Token
A hardware device that you plug into your computer's USB port. The device is encoded with your digital signature. With it, you don't have to type anything in.
Rule-based access control -
A list of rules, maintained by the data owner, determines which users have access to objects.
Constrained user interface -
A user's ability to get into- or interface with - certain system resources is restrained by two things. The user's rights and permissions are restricted and constraints are put on the device or program providing the interface.
The three primary concerns with biometrics are
Accuracy, Acceptability, Reaction Time
List the most common types of security controls...
Administrative, Logical/technical, Hardware, Software, Physical.
Multi-tenancy
Allows different groups of users to access a database without being able to access each other's data.
The four parts of access control:
Authorization, Identification, Authentication, Accountability
Brewer and Nash Integrity Model
Based on a mathematical theory published in 1989 to ensure fair competition. It is used to apply dynamically changing access permissions. It can separate competitors' data within the same integrated database to make sure users don't make fraudulent changes to objects.
Examples of system controls for a human resources (HR) system include...
Deciding which users can get into a system. Monitoring what the user does on that system ( for example certain HR employees might be allowed to view documents, but not edit) Restraining or influencing the user's behavior on that system ( for example, an HR staffer who repeatedly tries to get into restricted info might be denied access to the entire system).
DAC
Discretionary access control (DAC) With DAC, the owner of the resource decides who gets in and changes permissions as needed. The owner can give that job to others.
Types of Biometrics
Fingerprint, palm bring, hand geometry, retina scan, Iris scan, facial recognition, voice pattern, keystroke dynamics, signature dynamics,
Biba Integrity Model
Fixes a weakness in the Bell-La Padula Model, which addresses only the confidentiality of data.
Bell-La Padula Model
Focuses on the confidentiality of data and the control of access to classified information. Parts of a system are divided into subjects and objects and the current condition of a system is described as its state. The model defines a secure state.
Clark and Wilson Integrity Model
Focuses on what happens when users allowed into a system try to do things they are not permitted to do.
Access controls can be compromised in several ways:
Gaining physical access. Eavesdropping by observation. Bypassing security. Exploiting hardware and software. Reusing or discarding media. Electronic eavesdropping. Intercepting communication. Accessing networks. Exploiting applications.
Accountability
How are actions traced to an individual to ensure that the person who makes changes to data or systems can be identified? This process of associating actions with users for later reporting and research is known as accountability.
There are three types of authentication...
Knowledge, ownership (something you have, such as a smart card), characteristics (something that is unique to you, such as your fingerprints, retina, or signature).
Passphrase
Longer and generally more secure than a password.
MAC
Mandatory Access Control. With MAC, permission to access a system or any resource is determined by the sensitivity of the resource and the security level of the subject. It cannot be given to someone else. This makes MAC stronger than DAC.
MAC
Media Access Control
Non-discretionary access control -
Non-discretionary access controls are closely monitored by the security administrator, and not the system administrator.
To manage access control policies well, relationships are defined as...
Optional conditions that exist between users and resources. Relationships are permissions granted to an authorized user, such as read, write, execute.
PINS
Personal information numbers
Organizations control access to resources primarily on two levels:
Physical access controls - These control entry into buildings, parking lots, and protected areas. Like a key.. Logic access controls - These control access to a computer system or network. Your company probably requires that you enter a unique username and password to log on to your company computer. That username and password allow you to use your organization's computer system and network resources.
To manage access control policies well, resources are defined as
Protected objects in the system. Resources can be accessed only by authorized subjects. Resources can be used only in authorized manners.
PKI
Public key infrastructure technology.
Overwriting
Repeatedly writing random characters over data. This process works well if the amount of data to be overwritten is fairly small and the overwriting is fairly fast.
RBAC
Role Based Access Control. This kind of policy bases access control approvals on the jobs the user is assigned. The security administrator assigns each user to one or more roles.
Unlike Kerberos...
SESAME improves key management by using both symmetric and asymmetric keys to protect interchanged data.
SSO
Single Sign-On strategy allows users to sign on to a computer or network once, and have their identification and authorization credentials allow them into all computers and systems where they are authorized. They don't need to enter multiple user IDs or passwords.
Time-based synchronization system
The current time is used as the input value. The taken generates a new dynamic password (usually every minute) that is displayed in the window of the token. To gain access, the password is entered with the user's PIN at the workstation. This system requires that the clock in the token remains in sync with the clock in the authentication server. If the clocks drift out of sync, the server can search three or four minutes on each side of the time to detect an offset.
The four parts of access control are divided into these two phases:
The policy definition phase - determines who has access and what systems or resources they can use. The authorization process operates in this phase. The policy enforcement phase - this phase grants or rejects requests for access based on the authorizations defined in the first phase. The identification, authentication, and accountability processes operate in this phase.
Role engineering
The process of defining roles, approvals, role hierarchies, and constraints.
TFA
Two-factor authentication, provides a higher level of security than using only one, single-factor authentication.
Four central elements of access to manage access control policies well:
Users, Resources, Actions, Relationships
Static biometrics
What you are. Physiological biometrics like fingerprints, iris granularity, retina blood vessels, etc.
Dynamic biometrics
What you do. Behavioral biometrics like voice inflections, keyboard strokes, and signature motions.
An example of SSO, Kerberos is
a computer-network authentication protocol that allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Is also a suite of free software published by MIT that applies the Kerberos protocol. Aimed at the client-server model.
The kernel allows or denies...
access based on the defined access rules. All access requests handled by the system are logged for later tracking and analysis.
The process of associating an action with users for later reporting or analysis is called...
accounting.
A synchronous token uses...
an algorithm that calculates a number at both the authentication server and the device. It displays the number on the device's screen. The user enters this number as a logon authenticator, just as he or she would use a password.
An event-based synchronization system...
avoids the time-synchronization problem by increasing the value of a counter with each use. The counter is the input value. The user presses a button to generate a one-time password, and then enters this password with his or her PIN at the workstation to gain access.
Degausser
creates a magnetic field that erases data from magnetic storage media.
The security kernel
is the central part of a computing environment's hardware, software, and firmware that enforces access control and implements the reference monitor concept. It mediates all access requests and permits access only when the appropriate rules or conditions are met.
The first step in enforcing an authorization policy is identification. Identification is the..
method a subject uses to request access to a system or resource.
The security kernel refers to its...
rules base, also known as the security kernel database. It uses these rules to determine access rights. Access rights are set according to the policies your organization has defined.
Asynchronous Tokens is the
second of two types of token-based devices. It looks like a credit card-sized calculator. The authentication server issues a challenge number that the user enters. The token computes a response to the value provided by the authentication server. The user then replies to the server with the value displayed on the token. Many of these systems also protect the token from misuse by requiring the user to enter a PIN along with the initial challenge value.
Authentication by knowledge is based on...
something you know, such as password, passphrase, or PIN.
The number of failed logon attempts that trigger an account action is called...
the Threshold.
When the subject requests access to a particular object...
the security kernel intercepts the request.
Continuous authentication...
used by systems that continuously validate the user. Often done with proximity cards or other devices that continuously communicate with the access control system.
A subject can be a...
user, process, or some other entity.
In an authority-level policy,
you need a higher degree of authority to access certain resources. For example, perhaps only a senior-level member of the IT group has permission to enter the room that houses servers.