What is the CIA triad?
Confidentiality
Integrity
Availability
What is the difference between policy and mechanism?
- Policy says what is, and is not, allowed. This defines “security” for the system.
- Mechanisms enforce policies through technical or procedural means.
What characterizes an Advanced Persistent Threat (APT)?
Organized Directed Well financed Patient Silent
What are four (4) common types of harm?
Interception, Interruption, Modification, Fabrication
What are the three classes of controls?
- Physical controls stop or block an attack by using something tangible too, such as walls and fences
- Procedural or administrative controls use a command or agreement that
- Technical controls counter threats with technology (hardware or software)
What are the three classes of authentication strategies?
- something you know
- something you have
- something you are
What are common attacks on “something you know”?
Dictionary attacks Inferring likely passwords/answers Guessing Defeating concealment Exhaustive or brute-force attack Rainbow tables
What is a rainbow table?
Rainbow Tables are datasets of chains of pre-generated “hash-values” for almost every popular password variant, thus reducing the difficulty of password cracking.
What are the goals of an access policy?
-Check every access
-Enforce least privilege
-Verify acceptable usage
(Access control ensures the prevention of unauthorized use of a resource, including the use of a resource in an unauthorized way.)
What is a potential vulnerability of a static authentication token, and what is an alternative?
Skimming attacks. Alternative is dynamic (time-based) authentication token.
What is Federated Identity Manager (FIM)?
A system that assists in managing identities and providing access to resources across different security domains and/or companies.
What is single sign-on (SSO)?
An authentication process that allows a user to access multiple applications with one set of login credentials.
What is an Access Control security policy?
Defines which users can access resources and with which rights (Who, what, how : Subject, object, attribute right).
For access control, what are “Subjects”?
- An entity trying to access a resource
- users, processes
For access control, what are “Objects”?
- things on which an action can be performed:
- Files, tables, programs, memory objects, hardware devices, strings, data fields, network connections, and processors are examples of objects
What are Access Rights?
- the permissions an individual user or a computer application holds to read, write, modify, delete or otherwise access a computer file; change configurations or settings, or add or remove applications.
- write, read, execute, create, transfer (WRECT)
What is an Access Control Directory?
- One simple way to protect an object is to use a mechanism that works like a file directory
- Therefore, the operating system must maintain all file directories, under commands from the owners of files.
- First, the list becomes too large if many shared objects, such as libraries of subprograms or a common table of users, are accessible to all users.
- the directory of each user must have one entry for each such shared object, even if the user has no intention of accessing the object.
- Deletion must be reflected in all directories.
What is an Access Control Matrix?
- table in which each row represents a subject, each column represents an object, and each entry is the set of access rights for that subject to that object
- also version of matrix that gets rid of empty cells which is useful
What is an Access Control List?
- permissions attached to an object
- There is one such list for each object, and the list shows all subjects who should have access to the object and what their access is.
- This approach differs from the directory list because there is one access control list per object
What is a privilege list?
- Sometimes called a directory, is a row of the access matrix, showing all those privileges or access rights for a given subject
- One advantage of a privilege list is ease of revocation: If a user is removed from the system, the privilege list shows all objects to which the user has access so that those rights can be removed from the object.
What is a capability?
- An unforgeable token that gives the possessor certain rights to an object.
- Single- or multi-use ticket to access an object or service
What is role-based access control (RBAC)?
- Associates privileges with groups, such as all administrators can have significant privileges, and others such as regular users or guests to have lower privileges.
- Administering security is easier if we can control access by job demands, not by person.
What is symmetric encryption?
- Uses same key for encryption and decryption
- This is a secret key, which must be distributed out-of-band
- Common schemes are AES and DES
What is asymmetric encryption?
- Each user has two keys, one public and one private
- The public key can be exposed and use to distribute other keys
