Term
Identification |
Definition
Method of ensuring that a subject (user, program or process) is the entity that it claims to be. The subject supplies the first piece of the credential set, typically a username or account number, to claim an identity; that claim is then proved by authentication. |
|
|
Term
Authentication |
Definition
The subject is required to provide a second piece to the credential set that proves the claimed identity. It could be a password, passphrase, cryptographic key, personal identification number (PIN) or token. |
|
|
Term
Authorization |
Definition
Once the subject has been authenticated, the system determines whether the subject is allowed to access the requested resource and what it may do with it. |
|
|
Term
Race Condition |
Definition
When two or more processes carry out their tasks on a shared resource in the wrong order, so the result depends on timing. An attacker who wins the race (for example between a permission check and the use of the resource) can bypass the check. |
|
|
Term
Logical Access Controls |
Definition
The technical tools used for identification, authentication, authorization and accountability. |
|
|
Term
Three general factors can be used for authentication |
|
Definition
Something a person knows, something a person has and something a person is.
They are commonly called authentication by knowledge, authentication by ownership and authentication by characteristic. |
|
|
Term
Something a Person Knows |
Definition
Authentication by knowledge: a password, PIN, mother's maiden name, or the combination to a lock
Least expensive to implement
Another person may acquire this knowledge (by guessing, observation or social engineering) and gain unauthorized access to a system or facility |
|
|
Term
Something a Person Has |
Definition
Authentication by ownership
Can be a key, swipe card, access card, badge or token
Common for accessing facilities
Downside: it can be lost, stolen or shared |
|
|
Term
Something specific to a person |
|
Definition
Authentication by characteristic
Based upon a physical or behavioral attribute of the person
Example: Biometrics |
|
|
Term
Strong Authentication
Two-Factor Authentication |
|
Definition
Requires two of the three different factors: something a person knows, has, or is. Two pieces of the same factor (for example a password and a PIN) do not count as two-factor authentication.
|
|
|
Term
Identity Management |
Definition
The use of different products to identify, authenticate and authorize users through automated means. |
|
|
Term
Directory |
Definition
Contains information pertaining to the company's network resources and users. Most follow a hierarchical database format. |
|
|
Term
|
Definition
Allows an administrator to configure and manage how identification, authentication and access control take place within a network. |
|
|
Term
Biometrics |
Definition
Verifies an individual's identity by analyzing a unique personal attribute or behavior; it is one of the most effective and accurate methods of verifying identity. |
|
|
Term
Crossover Error Rate (CER) |
Definition
Stated as a percentage; the point at which the false rejection rate (Type I error) equals the false acceptance rate (Type II error). A lower CER means a more accurate system, and it is the usual figure for comparing biometric devices. |
|
|
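How the crossover error rate is actually found, as an added example that is not part of the original card set: a biometric matcher returns a similarity score, the operator chooses an acceptance threshold, and every threshold trades false acceptances against false rejections. The genuine and impostor score lists below are constructed sample data, not measurements from any real device.

```python
# Added example: deriving the crossover error rate (CER) from match scores.
# The score lists are constructed sample data, not from any real system.

# Match scores (0..100): enrolled users matched against their own template
# (genuine) and other people matched against that template (impostors).
GENUINE_SCORES = [62, 70, 74, 78, 81, 83, 85, 88, 90, 92, 94, 97]
IMPOSTOR_SCORES = [10, 18, 25, 31, 38, 44, 50, 55, 61, 66, 72, 79]


def far(threshold, impostor=IMPOSTOR_SCORES):
    """False acceptance rate (Type II error): impostors whose score
    reaches the acceptance threshold, as a fraction of all impostors."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE_SCORES):
    """False rejection rate (Type I error): legitimate users whose score
    falls below the threshold, as a fraction of all genuine attempts."""
    return sum(s < threshold for s in genuine) / len(genuine)


def error_curve(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """(threshold, FAR, FRR) for every integer threshold from 0 to 100."""
    return [(t, far(t, impostor), frr(t, genuine)) for t in range(101)]


def crossover_error_rate(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (threshold, cer_percent): the threshold at which FAR and FRR
    are closest, and the error rate there as a percentage.  When several
    thresholds are equally close the lowest one is returned."""
    best = None
    for t, a, r in error_curve(genuine, impostor):
        gap = abs(a - r)
        if best is None or gap < best[0]:
            best = (gap, t, (a + r) / 2 * 100)
    _, threshold, cer = best
    return threshold, cer


if __name__ == "__main__":
    t, cer = crossover_error_rate()
    print(f"CER {cer:.1f}% at threshold {t}")
    # Moving the threshold trades one error type for the other.
    print(f"threshold 50: FAR {far(50):.0%}  FRR {frr(50):.0%}")
    print(f"threshold 90: FAR {far(90):.0%}  FRR {frr(90):.0%}")
```

A facility that fears impostors more than inconvenienced staff will run above the CER threshold (low FAR, high FRR); a convenience-first deployment runs below it. The CER is the single number that lets two devices be compared without that policy choice getting in the way.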
Term
Fingerprint |
Definition
The individual places a fingerprint on the reader and it is compared to the reference file. If the two match, the individual's identity has been verified. |
|
|
Term
Palm Scan |
Definition
The individual places his hand on the biometric device, which scans and captures the palm's creases, ridges and grooves. This information is compared to a reference file and the identity is either verified or rejected. |
|
|
Term
Hand Geometry |
Definition
The shape of a person's hand (the shape, length and width of the hand and fingers). |
|
|
Term
Retina Scan |
Definition
Scans the blood-vessel pattern of the retina at the back of the eyeball. |
|
|
Term
Iris Scan |
Definition
The iris is the colored portion of the eye. It has unique patterns, rifts, colors, rings, coronas and furrows. Of the biometric methods listed here, this has the highest accuracy potential. |
|
|
Term
Signature Dynamics |
Definition
Looks at how the person signs, not only what the finished signature looks like: the timing, speed and manner in which it is produced. |
|
|
Term
Keystroke Dynamics |
Definition
Captures the electrical signals generated by the rhythm and timing with which a person types a phrase. More effective than a password alone because a typing pattern is not easily obtained and is much harder to repeat than a password is to acquire. |
|
|
Term
Voice Print |
Definition
People's speech sounds and patterns differ. At enrollment the user records several words; at authentication the system asks for them in a jumbled order so that a recording of the enrollment cannot simply be replayed. |
|
|
Term
Facial Scan |
Definition
The system scans a person's face for attributes and characteristics such as bone structure and the spacing of the features. |
|
|
Term
Hand Topography |
Definition
Looks at the peaks and valleys of the hand along with its overall shape and curvature. |
|
|
Term
Electronic Monitoring |
Definition
Listening to (sniffing) network traffic to capture information, especially when a user is sending her password to an authentication server. The captured password can be copied and reused by the attacker at another time (replay attack). |
|
|
Term
Accessing the Password File |
Definition
Usually done on the authentication server. The file contains many users' credentials, so one compromise exposes every account and can do a lot of damage. |
|
|
Term
Brute Force Attack |
Definition
Performed with tools that cycle through every possible combination of characters, numbers and symbols until the password is uncovered. |
|
|
Term
Dictionary Attack |
Definition
Files of thousands of words are hashed and compared to the user's stored password hash until a match is found. |
|
|
Term
Social Engineering |
Definition
An attacker falsely convinces an individual that she has the necessary authorization to access specific resources. |
|
|
Term
Rainbow Table |
Definition
An attacker uses a precomputed table of password hashes covering a large space of candidate passwords, so that a captured hash can be looked up instead of brute-forced. Salting defeats this, because each distinct salt would need its own table. |
|
|
Term
Clipping Level |
Definition
The number of failed logon attempts allowed before a user is locked out.
There should be an audit trail tracking both successful and unsuccessful logon attempts. |
|
|
Term
|
Definition
Password requirements, protection and generation should be addressed in security awareness programs so users understand what is expected of them. |
|
|
Term
Password Checker |
Definition
Organizations run dictionary and/or brute force attacks against their own users' passwords to detect weak ones.
Management's approval is needed before attempting to test (break) employees' passwords. |
|
|
Term
|
Definition
The file where passwords are located. It does not contain passwords in cleartext; instead each password is run through a hashing algorithm and the resulting value is stored in this file. |
|
|
Term
Salt |
Definition
Random values added to the hashing process to add more complexity. Because each user gets a different salt, the same password hashes to many different values, which defeats precomputed (rainbow) tables and stops identical passwords from being recognised by identical hashes. |
|
|
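The three cards above (dictionary and rainbow-table attacks, the hashed password file, and salting) fit together in one worked example, added here and not part of the original cards. It uses Python's standard library only; the word list and the user entries are constructed, and `KDF_ITERATIONS` is an assumed policy value. The point it adds beyond the text is the caveat practitioners get wrong: a salt stops precomputation and hash reuse across users, but it does not save a weak password from a per-entry dictionary attack.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed policy value for this example, not from the cards.
KDF_ITERATIONS = 100_000
# Constructed word list standing in for the "files of thousands of words".
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon", "sunshine"]


def unsalted_hash(password: str) -> str:
    """How NOT to store a password: a bare SHA-256 of it."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once, then crack any unsalted hash by a
    single lookup.  A real rainbow table compresses this with hash chains,
    but the principle (precompute once, reuse against every victim) is the same."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hash: str, table: dict) -> Optional[str]:
    return table.get(stored_hash)


def make_entry(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """Password-file line 'user:salt:hash'.  The per-user random salt makes
    identical passwords produce different hashes, and PBKDF2 makes every
    guess cost KDF_ITERATIONS hash computations."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return f"{username}:{salt.hex()}:{digest.hex()}"


def verify(entry: str, password: str) -> bool:
    """Re-derive the hash with the stored salt; constant-time compare."""
    _, salt_hex, stored = entry.split(":")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), KDF_ITERATIONS)
    return hmac.compare_digest(candidate.hex(), stored)


def dictionary_attack(entry: str, words) -> Optional[str]:
    """With a salt there is nothing to precompute: the attacker must run the
    KDF for every word, for every entry.  A weak password still falls."""
    for word in words:
        if verify(entry, word):
            return word
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted lookup:", crack_unsalted(unsalted_hash("dragon"), table))
    alice = make_entry("alice", "dragon")
    bob = make_entry("bob", "dragon")
    print("same password, different hashes:", alice.split(":")[2] != bob.split(":")[2])
    print("salted dictionary attack:", dictionary_attack(alice, WORDLIST))
    print("strong passphrase:", dictionary_attack(make_entry("carol", "correct horse battery staple"), WORDLIST))
```

Two design choices matter here: the salt is stored in the clear beside the hash (it is not a secret, its job is uniqueness), and the slow key-derivation function is what makes the per-entry dictionary attack expensive; a fast hash with a salt only removes the precomputation shortcut.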
Term
|
Definition
A threshold can be set to allow only a certain number of unsuccessful logon attempts. Once it is exceeded the account should be locked for a period of time or indefinitely (until an administrator unlocks it). |
|
|
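The clipping level and the lockout threshold described in the two cards above, implemented together as an added example that is not from the original card set. `CLIPPING_LEVEL`, `LOCKOUT_SECONDS`, the user store and the fake clock are all constructed for the demonstration; a real credential store would hold salted hashes rather than the plaintext used here.

```python
import hmac
import time
from typing import Callable, Dict, List, Tuple

# Assumed policy values for this example, not from the cards.
CLIPPING_LEVEL = 5      # failed attempts tolerated before the account locks
LOCKOUT_SECONDS = 900   # how long the account stays locked

# Constructed credential store.  A real one holds salted hashes, not plaintext.
USERS = {"alice": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


class LoginGuard:
    """Counts failed logons per account, locks the account when the clipping
    level is reached, and records every attempt (good and bad) in an audit trail."""

    def __init__(self, checker: Callable[[str, str], bool] = check_password,
                 clipping_level: int = CLIPPING_LEVEL,
                 lockout_seconds: int = LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.time):
        self.checker = checker
        self.clipping_level = clipping_level
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, float] = {}
        self.audit: List[Tuple[float, str, str]] = []

    def _log(self, when: float, user: str, event: str) -> None:
        self.audit.append((when, user, event))

    def attempt(self, user: str, password: str) -> str:
        now = self.clock()
        if now < self.locked_until.get(user, 0.0):
            # A locked account refuses even the correct password until the lockout expires.
            self._log(now, user, "REJECTED_LOCKED")
            return "locked"
        if self.checker(user, password):
            self.failures[user] = 0
            self._log(now, user, "SUCCESS")
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.clipping_level:
            self.locked_until[user] = now + self.lockout_seconds
            self.failures[user] = 0
            self._log(now, user, "LOCKED")
            return "locked"
        self._log(now, user, "FAILURE")
        return "failed"

    def events(self, user: str) -> List[str]:
        """Audit events for one account, in order."""
        return [e for _, u, e in self.audit if u == user]


class FakeClock:
    """Controllable clock so the lockout expiry can be exercised deterministically."""
    def __init__(self, start: float = 1_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds
```

Two caveats a practitioner would want: a lockout policy hands an attacker who knows usernames an easy denial of service, and password spraying (one guess against many accounts) stays under any per-account clipping level. Both are why the audit trail the card asks for matters: the detection signal is many failures across accounts or repeated lockouts, not just the per-account counter.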
Term
Cognitive Password |
Definition
Fact- or opinion-based information used to verify an individual's identity: things the person would be unlikely to forget, such as a first pet's name. |
|
|
Term
One-Time Password |
Definition
Dynamic password
Used for authentication purposes and is only good once. After it has been used it is no longer valid, so a captured password cannot be replayed. |
|
|
Term
Token Device |
Definition
A password generator, separate from the computer being accessed, that is used to authenticate the user; it typically displays a one-time password that the user types in. |
|
|
Term
Passphrase |
Definition
A sequence of characters that is longer than a password; the system typically transforms it into a virtual password of fixed length before use. |
|
|
Term
Memory Card |
Definition
Holds information but cannot process it (for example a magnetic-stripe card); the reader or host system does all the processing. |
|
|
Term
Smart Card |
Definition
Holds information and has the necessary hardware and software (a microprocessor) to actually process the information. |
|
|
Term
Kerberos |
Definition
An authentication protocol based on symmetric-key cryptography and a trusted Key Distribution Center (KDC) that issues tickets.
An example of a single sign-on system for distributed environments. |
|
|
Term
SESAME |
Definition
Secure European System for Applications in a Multi-vendor Environment.
Developed to be a single sign-on technology and to improve on Kerberos weaknesses. |
|
|
Term
Discretionary Access Control |
|
Definition
The control of access is based upon the discretion of the owner. |
|
|
Term
Mandatory Access Control |
Definition
Users and data owners do not have much freedom to determine who can access files. The operating system makes the decision for them, based on sensitivity labels. |
|
|
Term
Sensitivity Labels |
Definition
Every subject and object must have a sensitivity label that contains a classification and a set of categories. The classification indicates the sensitivity level and the categories enforce need-to-know rules. |
|
|
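The label comparison that a MAC system performs on every access, as an added example that is not from the original cards. The cards only say that classification gives the level and categories enforce need-to-know; the code makes that precise with the standard dominance relation (higher-or-equal level and a superset of categories) and goes one step beyond the cards by applying the usual Bell-LaPadula rules, no read up and no write down, on top of it. The classification lattice and the labels are assumed for the demonstration.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Assumed classification lattice for this example.
CLASSIFICATIONS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """Sensitivity label: a classification plus the categories (compartments)
    that enforce need-to-know."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self dominates other when its classification is at least as high
        AND its category set contains every category of other."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.categories >= other.categories)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read up): the subject's clearance must
    dominate the object's label."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write down): the object's label must dominate the
    subject's clearance, so data cannot flow to a lower label."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label) -> str:
    """Human-readable decision for one subject/object pair."""
    r, w = can_read(subject, obj), can_write(subject, obj)
    return {(True, True): "read/write", (True, False): "read-only",
            (False, True): "write-only (append)", (False, False): "no access"}[(r, w)]


if __name__ == "__main__":
    # Constructed subject: cleared to SECRET with need-to-know for "nuclear" only.
    analyst = Label("secret", frozenset({"nuclear"}))
    for obj in (Label("confidential"),
                Label("secret", frozenset({"nuclear"})),
                Label("secret", frozenset({"nuclear", "crypto"})),
                Label("top secret", frozenset({"nuclear"}))):
        print(obj.classification, sorted(obj.categories), "->", decide(analyst, obj))
```

The third object in the demo is the case the card is really about: same classification as the subject, but an extra category the subject lacks, so access is denied even though the clearance level is sufficient. The decision is made by the system from the labels alone; neither the analyst nor the file's creator can override it, which is what separates MAC from the discretionary model above.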
Term
Role-Based Access Control |
|
Definition
Also called nondiscretionary access control.
Uses a centrally administered set of controls to determine how subjects and objects interact; permissions are assigned to roles and users are assigned to roles. |
|
|
Term
Rule-Based Access Control |
|
Definition
Uses specific rules that indicate what can and cannot happen between a subject and an object |
|
|
Term
RADIUS |
Definition
Remote Authentication Dial-In User Service (RADIUS)
Network protocol that provides client/server authentication and authorization (and accounting).
Commonly fronts remote-access links such as PPP dial-up and VPN connections; the protocol itself runs over UDP between the access server and the RADIUS server.
Commonly used to allow road warriors to access network resources. |
|
|
Term
Administrative Controls |
Definition
Policy and procedures
Personnel controls
Supervisory structure
Security Awareness Training
Testing |
|
|
Term
Physical Controls |
Definition
Network Segregation
Perimeter Security
Computer Controls
Work Area Segregation
Data Backups
Cabling
Control Zone |
|
|
Term
Technical Controls |
Definition
System Access
Network Architecture
Network Access
Encryption and protocols
Auditing |
|
|
Term
Personnel Controls |
Definition
Indicate how employees are expected to interact with security mechanisms and address noncompliance issues pertaining to them. They also specify the actions to take when hiring, firing and promoting individuals. |
|
|
Term
Supervisory Structure |
Definition
Each employee has a superior to report to, and that superior is responsible for the employee's actions.
Helps fight fraud and enforce proper controls. |
|
|
Term
Security Awareness Training |
|
Definition
Often given low priority by companies because it does not visibly contribute to the bottom line.
Companies are starting to recognize the value of this training. |
|
|