Term
Authentication Mechanisms
Definition
Identification
Authentication
Authorisation

Term
Definition
Something you know
Something you have
Something you are
Single factor
Dual/multi-factor

Term
Something you know: passwords
Definition
Least secure method of authentication
Attacks: shoulder surfing, keylogging, sniffing
Brute force and dictionary
Phishing and social engineering

Term
Something you know: passwords (cont.)
Definition
Simple passwords are easy to exploit
Passphrases may help
Use strong and complex passwords
Change every 90 days
Password policy and lockout controls

Term
Definition
Requires a physical device and a PKI environment
Smart cards and tokens
Usually requires an additional factor: a PIN
Attack: steal the card
Attack: hack the authentication server

Term
Definition
Biometrics: something unique about your body
Impossible to lose or forget
Examples: fingerprints, voice recognition, retina scans, handwriting

Term
Definition
FRR - False Rejection Rate
FAR - False Accept Rate
CER - Crossover Error Rate
Lower CER is better

Term
Multifactor Authentication
Definition
The combination of 2 or more factors
Password and smart card: something you know and something you have

Term
Definition
Decentralized authentication: hard to manage, hard to back up
Centralized authentication: easy to manage, easy to back up
Single sign-on: requires centralized authentication; minimises the number of passwords to remember; a single compromise can affect a lot of systems

Term
Definition
Windows domains use Kerberos starting with Windows Server 2000
Supports mutual authentication: the client authenticates the server and the server authenticates the client
Requires synchronized clocks for time stamps
Symmetric encryption
Secure European System for Applications in a Multivendor Environment (SESAME) is similar

Term
Definition
Key Distribution Centre (KDC)
Authentication Server (AS)
Ticket Granting Server (TGS)

Term
Definition
Federated access: SSO across different networks and OSs owned and managed by different organisations

Term
Definition
RADIUS - Remote Authentication Dial-In Service
Works with PPP, CHAP, PAP, EAP
Not encrypted; susceptible to sniffing, relay attacks, DoS
Use IPsec to encrypt, and use unique secrets

Term
Definition
TACACS+ - Terminal Access Controller Access Control System
Authentication, authorisation and accounting
Encrypts passwords and the entire payload
TCP port 49
TACACS and XTACACS are older; don't use them

Term
Definition
LDAP - Lightweight Directory Access Protocol
Not an authentication service
X.500 objects and attributes
TCP/UDP port 389

Term
Definition
Makes it possible to authenticate users from one domain controller in another domain
Reduces account management
Enables a single sign-on approach for multiple domains and forests
Can cause confusion when assigning permissions and maintaining permission management
A trusted rogue admin has access to many domains

Term
Definition
To help prevent the risks of cyber threats and identity fraud
Classic knowledge-based authentication
Common and weakest; verification based on data collected from the user. Easy to guess with simple background knowledge of the user
Dynamic knowledge-based authentication
Challenge questions produced on the fly from public financial questions
Difficult to hack but susceptible to data source breaches
Out of band
Separate from the authentication process. One-time passwords by voice or text to a phone
Risk- and behaviour-based
Example: based on credit card purchasing behaviour

Term
Definition
The creation of accounts and assignment of permissions, often automated
Example: an HR application creates an account when someone processes a new hire
Groups improve administration, management and security
Individual user permission assignments are difficult to manage: users are assigned to groups, and groups are assigned the privileges. Remember least privilege
Remember to de-provision
Disable accounts, don't delete them (yet)

Term
Definition
The management of accounts through their lifetime, often with account policies
Password policies
Complexity, length, age (min and max), history
Lockout policies
Number of failed attempts, duration of lockout
Time restrictions
Allowing users to access the system only during specified hours
Remember to de-provision
Disable accounts
Educate users

Term
Definition
Entitlements are the privileges granted to a user; follow the principle of least privilege
Admins should have separate admin accounts
One for admin work
One for regular use
Managing groups is better than managing individual users
Adding or removing privileges for a group is more efficient and easier to troubleshoot
It's not just people
Computers and devices

Term
Definition
Users
Computers
Devices
Applications
Networks

Term
Definition
Data (files, folders and shares)
Hardware (computers and printers)
Networks (local intranet)
Applications
Facilities

Term
Definition
Separation of duties
Restricts the power of users
Helps prevent fraud
Clark-Wilson model
Focused on information integrity
Enforces the principle of SoD
Separation of the elements of a transaction between people
Job rotation
Helps prevent misuse and fraud
Trains redundant skills
Mandatory vacations
Help uncover misuse or illegal activities
Audits can be performed while the user is on vacation

Term
Mandatory Access Control - MAC
Definition
Provides the highest level of security
Used by the military
Uses labels to control access
Access is predefined by admins; users can't choose

Term
Government Classifications
Definition
Top Secret
Secret
Confidential
Unclassified

Term
Definition
Bell-LaPadula
Primary goal of integrity
No read up
No write down
Goal: prevent someone copying data from a high level to a lower one
Biba
Primary goal of integrity
No read down
No write up
Goal: unauthorized people can't modify data

Term
Definition
Clark-Wilson model
Focused on information integrity
Enforces the principle of SoD
Separation of the elements of a transaction between people
Chinese Wall (Brewer-Nash)
Prevents conflicts of interest; SoD

Term
Discretionary Access Control – DAC
Definition
Provides the most granular control
Users have full access over their data and can assign permissions
Uses Access Control Lists (ACLs) or DACLs
Entries are Access Control Entries (ACEs) and consist of the subject and permissions

Term
Non-Discretionary Access Control – DAC
Definition
Admins control the access granted to users
MAC models
Implemented by some OSs
To prevent system file access
Helps prevent malware from taking ownership of system files; users still have DAC

Term
Role-Based Access Control – RBAC
Definition
Uses roles to determine access
Subjects are placed in roles
Roles are granted object permissions
Easier to implement
Sometimes referred to as Rule-Based Access Control

Term
Attribute-Based Access Control – ABAC
Definition
Provides dynamic, context-aware access control
Speeds up application rollout
Great for cloud-based applications
Roles are granted object permissions
One standard: eXtensible Access Control Markup Language (XACML)
Subject requests for operations on objects are granted or denied based on attributes of the subject, attributes of the object, environment conditions, and a set of policies
Example: a cardiologist can view the records of heart patients while at the hospital

Term
Risk Management Framework
Definition
Step 1 - Categorize
Collect information on systems and threats
FIPS Publication 199 impact assessment (CIA)
Step 2 - Select
Control baseline
Tailor for mission/business specifics
Step 3 - Implement
Consists of decisions about alternatives, costs and risk trade-offs
Step 4 - Assess
Did the control perform as expected?
Step 5 - Authorize
Report information to authorizing officials
Step 6 - Monitor
Effectiveness of controls, changes to the system, compliance for federal agencies

Term
Participate in Security Testing and Evaluation: Risk Analysis
Definition

Term
Bus Topology
One cut and it's broken
Definition