Domain 5
A framework that dictates how subjects access objects
Access Control Model
The creation, modification, and decommissioning of user accounts
Account Management
Microsoft's implementation of LDAP. ADDS provides central authentication and authorization capabilities for users and system services on an enterprise-wide level. ADDS implementations also have the ability to enforce organizational and configuration policies across an enterprise.
Active Directory Domain Services (ADDS)
Verifying the identity of the user.
Authentication
Something you know (e.g. password)
Type I (Knowledge Factor)
When a biometric system rejects an authorized individual (false rejection)
Type I Error (Biometrics)
Something you have (e.g. token or smart card)
Type II (Ownership Factor)
When a biometric system accepts imposters who should be rejected (false acceptance)
Type II Error (Biometrics)
Something you are (e.g. fingerprint, other biometrics)
Type III (Characteristic Factor)
A type of identity management system used by organizations to easily and securely manage information about users on multiple systems or applications.
User Provisioning
They come in two forms (contact cards or contactless [proximity] cards). They have processing power, they are more reliable than memory cards, their contents can be encrypted, and they are harder to duplicate than memory cards
What are the advantages of smart cards?
Very expensive to implement across an entire organization
What are the disadvantages of smart cards?
A password with a mixture of upper- and lowercase letters, numbers, and special characters
What is a complex password?
A password that can only be used once. After one use, it is discarded
What is a one-time or dynamic password?
A long phrase used as a password, sometimes with numbers and special characters mixed in for added security
What is a passphrase?
Allows users to reset their own passwords after they have been forgotten or compromised
What is a self-service password reset approach?
A password that meets only a minimum security level and is changed infrequently
What is a static password?
A security policy that locks an account after too many incorrect login attempts are made. It is implemented to protect against attacks on passwords
What is an account lockout policy?
Users must contact the help desk personnel for help to change their password
What is an assisted password reset approach?
Identification identifies the user and authentication verifies that the identity provided is valid
What is the difference between identification and authentication?
Credentials based on physical attributes cannot be revoked
What is the fundamental disadvantage of biometrics?
A retina scan is considered more intrusive than an iris scan
Which is more intrusive, a retina or iris scan?
A directory standard that uses Distinguished Names (DN) to define paths in a database. It actually consists of four separate protocols: Directory Access Protocol (DAP), Directory System Protocol (DSP), Directory Information Shadowing Protocol (DISP), and Directory Operational Binding Management Protocol (DOP)
X.500
The time required for a biometric scan to complete an analysis and confirm or block access to a system or data
Biometric Throughput Rate
The precision of a biometric system
Biometric Accuracy
Technology that can authenticate a user based on physiological or behavioral characteristics. Some examples are scans of fingerprints, palms, face, retina, iris, and vascular patterns
Biometric Technology
This specifies the access rights a specific subject has with regard to specific objects. It differs from an ACL in that the capability table is bound to the subject, whereas an ACL is bound to the object.
Capability Table
The idea that a single element is responsible for configuring access controls. As users' unique information processing needs evolve over time, their access can only be modified through central administration. One advantage of this method is that it maintains strict control over information and very few people can make changes.
Centralized Administration
A configured baseline threshold above which violations will be recorded (for example, recording all password attempts after five failed attempts)
Clipping Level
Dividing users into groups to confine information to a single group or area
Compartmentalization
Systems for managing user identities and authentication credentials. These systems should enforce stronger passwords, generate passwords, find passwords quickly, provide fine-grained access control, limit access, keep all passwords safe, maintain disaster preparedness, maintain availability, keep control of credentials, and track and audit access
Credential Management Systems
The point at which the False Acceptance Rate is equal to the False Rejection Rate
Crossover Error Rate (CER)
A network authentication protocol that guards a network through authentication, authorization, and auditing. One weakness is that it is a single point of failure
Kerberos
A type of biometric scan that measures the input patterns of a user entering their password
Keystroke Dynamics
Administration by the owners or creators of the files. These individuals are often the best judges of who should be able to access the data because of their familiarity with it. However, because the process is not centralized, data owners may accidentally implement conflicting combinations of access controls and introduce conflicts of interest.
Decentralized Administration
A database designed to centralize data management regarding network subjects and objects
Directory Service
An access control model through which users are given access at the discretion of the owner
Discretionary Access Control
The act of going through someone's trash to find confidential or useful information. It is considered unethical in all cases, but it is only illegal when it involves trespassing
Dumpster Diving
A behavioral biometric scan that measures the writing patterns of a user
Dynamic Signature Verification
An authentication framework used with RADIUS for port-based access control. EAP-TLS is the most secure and the most costly type because it requires both server-side and client-side certificates
Extensible Authentication Protocol (EAP)
The frequency of Type II errors, when an invalid user is falsely accepted by a biometric system
False Acceptance Rate (FAR)
The frequency of Type I errors, when a valid user is rejected by a biometric system
False Rejection Rate (FRR)
A third-party, cloud-based service that provides identity and access management. In an enterprise, the IDaaS effectively provides single sign-on (SSO) for the services housed within the cloud.
IDaaS (Identity as a Service)
The assertion of a unique identity for a person or system. It is the starting point for all access control. Without proper identification, it is impossible to determine to whom or what to apply the appropriate controls.
Identification
LDAP is a simplified version of X.500. It uses a hierarchical tree structure for directory entries. LDAP operates in a client/server architecture. Clients make requests for access to LDAP servers, and the server responds back to the client with the results of that request.
Lightweight Directory Access Protocol (LDAP)
Access control that limits users' access to information, restricting it to only what is appropriate for them. Common access modes are Read Only, Read and Write, and Execute
Logical Access Control
An access control model through which objects are given a specific level of security, and only users with a clearance level that matches the object are allowed access. Often used for systems and data that are highly sensitive
Mandatory Access Control
Authentication that uses any combination of factor categories, for example both a password (Type I) and a retinal scan (Type III). The more factors used to identify a person, the greater the confidence in their authenticity
Multi-Factor Authentication
An authentication method that sends credentials in cleartext, so anyone with a sniffer can read them
Password Authentication Protocol (PAP)
The restriction of access to a physical place or resource such as buildings, floors, or rooms. Examples of physical access control methods are locks, fences, guards, mantraps, etc.
Physical Access Control
An access control model through which objects are separated into security policies by roles (assigned functions within an organization)
Role-Based Access Control
An access control model that is enforced through a predefined set of rules that covers all users
Rule-Based Access Control
A project that extends Kerberos functionality and fixes its weaknesses by using symmetric and asymmetric cryptography to protect exchanged data. It uses a trusted authentication server at each host and PACs (Privileged Attribute Certificates) instead of tickets
SESAME (Secure European System for Applications in a Multi-vendor Environment)
Responsible for the classification of groups of servers/computers. Resources within each logical structure (domain) operate under the same security policy.
Security Domains
A term used to describe how a single instance of identification and authentication is applied to resources. Sessions can be vulnerable to attack because a session may be hijacked after a legitimate user signs in. This threat can be managed by implementing screensavers, timeouts, automatic logouts, session number limitations, and schedule limitations
Session Management
When someone looks at the screen of a user, often over their shoulder, in an attempt to obtain their login information or other confidential data
Shoulder Surfing
Allows a user to sign in just once but access multiple systems. Advantages: convenient, faster. Disadvantage: single point of failure
Single Sign-On (SSO)