Domain 5


A framework that dictates how subjects access objects

Access Control Model

The creation, modification, and decommissioning of user accounts

Account Management

Microsoft's implementation of LDAP. ADDS provides central authentication and authorization capabilities for users and system services on an enterprise-wide level. ADDS implementations also have the ability to enforce organizational and configuration policies across an enterprise.

Active Directory Domain Services (ADDS)

Verifying the identity of the user.

Authentication

Something you know (e.g. password)

Type I (Knowledge Factor)

When a biometric system rejects an authorized individual (false rejection)

Type I Error (Biometrics)

Something you have (e.g. token or smart card)

Type II (Ownership Factor)

When a biometric system accepts imposters who should be rejected (false acceptance)

Type II Error (Biometrics)

Something you are (e.g. fingerprint, other biometrics)

Type III (Characteristic Factor)

A type of identity management system used by organizations to easily and securely manage information about users on multiple systems or applications.

User Provisioning

Come in two forms (contact cards or contactless [proximity] cards). They have processing power, their systems are more reliable than memory cards, they can be encrypted, and they are harder to duplicate than memory cards

What are the advantages of smart cards?

Very expensive to implement across an entire organization

What are the disadvantages of smart cards?

A password with a mixture of upper- and lowercase letters, numbers, and special characters

What is a complex password?

A password that can only be used once. After one use, it is discarded

What is a one-time or dynamic password?

A long phrase used as password, sometimes with numbers and special characters mixed in for added security

What is a passphrase?

Allows users to reset their own passwords after they have been forgotten or compromised

What is a self-service password reset approach?

A minimum level security password that is changed infrequently

What is a static password?

Security policy which locks the account after too many incorrect attempts are made. It is implemented to protect against attacks carried out against passwords

What is an account lockout policy?

Users must contact the help desk personnel for help to change their password

What is an assisted password reset approach?

Identification identifies the user and authentication verifies that the identity provided is valid

What is the difference between identification and authentication?

The inability to revoke credentials due to physical attributes

What is the fundamental disadvantage of biometrics?

A retina scan is considered more intrusive than an iris scan

Which is more intrusive, a retina or iris scan?

A directory standard that uses Distinguished Names (DN) to define paths in a database. It actually consists of four separate protocols: 1. Directory Access Protocol (DAP) 2. Directory System Protocol (DSP) 3. Directory Information Shadowing Protocol (DISP) 4. Directory Operational Binding Management Protocol (DOP)

X.500

The time required for a biometric scan to complete an analysis and confirm or block access to a system or data

Biometric Throughput Rate

The precision of a biometric system

Biometric Accuracy

Technology that can authenticate a user based on physiological or behavioral characteristics. Some examples are scans of fingerprints, palms, face, retina, iris, and vascular patterns

Biometric Technology

This specifies the access rights a specific subject has with regard to specific objects. This is different from an ACL because the subject is bound to the table as opposed to the object that is bound to the ACL.

Capability Table

The idea that a single element is responsible for configuring access controls. As users' unique information processing needs evolve over time, their access can only be modified through central administration. One advantage of this method is that it maintains strict control over information and very few people can make changes.

Centralized Administration

A configured baseline threshold above which violations will be recorded (for example, recording all password attempts after five failed attempts)

Clipping Level

Dividing users into groups to confine information to a single group or area

Compartmentalization

Systems for the management of user identity and authentication credentials. These systems should enforce stronger passwords, generate passwords, quickly find passwords, provide fine-grained access control, limit access, keep all passwords safe, maintain disaster preparedness, maintain availability, keep control of credentials, and track and audit access

Credential Management Systems

The point at which the False Acceptance Rate is equal to the False Rejection Rate

Crossover Error Rate (CER)

A network authentication protocol that guards a network through authentication, authorization, and auditing. A vulnerability of this is single point of failure

Kerberos

A type of biometric scan that measures the input patterns of a user entering their password

Keystroke Dynamics

Administration by the owners or creators of the files. These individuals are often the best judge of who should be able to access it because of their familiarity with the data. However, because the process is not centralized, data owners may accidentally implement combinations of access controls and introduce conflicts of interest.

Decentralized Administration

A database designed to centralize data management regarding network subjects and objects

Directory Service

An access control model through which users are given access at the discretion of the owner

Discretionary Access Control

The act of going through someone's trash to find confidential or useful information. It is considered unethical in all cases, but it is only illegal when it involves trespassing

Dumpster Diving

A behavioral biometric scan that measures the writing patterns of a user

Dynamic Signature Verification

A set of protocols that are used in RADIUS that are port-based access controls. EAP-TLS is the most secure and costly type because it requires both server side and client side certificates

Extensible Authentication Protocol (EAP)

The frequency of Type II errors, when an invalid user is falsely accepted by a biometric system

False Acceptance Rate (FAR)

The frequency of Type I errors, when a valid user is rejected by a biometric system

False Rejection Rate (FRR)

A third-party, cloud-based service that provides identity and access management. In an enterprise, the IDaaS effectively provides single sign-on (SSO) for the services housed within the cloud.

IDaaS (Identity as a Service)

The assertion of a unique identity for a person or system. It is the starting point for all access control. Without proper identification, it is impossible to determine to whom or what to apply the appropriate controls.

Identification

LDAP is a simplified version of X.500. It uses a hierarchical tree structure for directory entries. LDAP operates in a client/server architecture. Clients make requests for access to LDAP servers, and the server responds back to the client with the results of that request.

Lightweight Directory Access Protocol (LDAP)

Access control that limits users' access to information, restricting it to only what is appropriate for them. Common access modes are Read Only, Read and Write, or Execute

Logical Access Control

An access control model through which objects are given a specific level of security, and only users with a clearance level that matches the object are allowed access. Often used for systems and data that are highly sensitive

Mandatory Access Control

This is any combination of factor authentication categories. For example, authentication using both a password (Type I) and a retinal scan (Type III). The more factors used to identify a person, the greater the trust of authenticity

Multi-Factor Authentication

An authentication method that uses a sniffer to read credentials stored in cleartext

Password Authentication Protocol (PAP)

The restriction of access to a physical place or resource such as buildings, floors, or rooms. Examples of physical access control methods are locks, fences, guards, mantraps, etc.

Physical Access Control

An access control model through which objects are separated into security policies by roles (assigned functions within an organization)

Role-Based Access Control

An access control model that is enforced through a predefined set of rules that covers all users

Rule-Based Access Control

A project that extends Kerberos functionality and fixes its weakness by using symmetric and asymmetric cryptography to protect interchanged data using a trusted authentication server at each host with PACs (Privileged Attribute Certificates) instead of tickets

SESAME (Secure European System for Applications in a Multi-vendor Environment)

Responsible for the classification of groups of servers/computers. Resources within each logical structure (domain) operate under the same security policy.

Security Domains

A term used to describe how a single instance of identification and authentication is applied to resources. Sessions can be vulnerable to attack because a session may be hijacked after a legitimate user signs in. This threat can be managed by implementing screensavers, timeouts, automatic logouts, session number limitations, and schedule limitations

Session Management

When someone looks at the screen of a user, often over their shoulder, in an attempt to obtain their login information or other confidential data

Shoulder Surfing

Allows a user to sign in just once but access multiple systems. Advantages: convenient, faster. Disadvantages: single point of failure

Single Sign-On (SSO)

