The four means of authenticating user identity are based on:
Define: Assurance level
Describes an organization's degree of certainty that a user has presented a credential that refers to his or her identity
What are the four levels of assurance?
What are the three levels of potential impact on organizations or security should there be a breach of security as defined by FIPS 199?
Define: Password-Based Authentication
What are passwords vulnerable to?
What is the purpose of salt values?
Define: The original UNIX Password Scheme
How was the original Unix Password Scheme improved?
Name four password cracking strategies
Define: Dictionary attack
Define: Rainbow table attack
Name four password selection strategies
Name three parts of Proactive Password Checking
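The cards above ask what passwords are vulnerable to, why salts are used, and how dictionary and rainbow-table attacks work. The following is an added example, not part of the original card set, that shows the point concretely: against unsalted hashes one precomputed table cracks every account by lookup, while per-user salts force the attacker to rehash every guess for every account. The wordlist, user names and passwords are constructed inputs.

```python
# Added example (not from the page): why a salt defeats precomputed dictionary and
# rainbow-table lookups. WORDLIST and the user/password pairs are constructed inputs.
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample wordlist; a real dictionary attack uses millions of entries.
WORDLIST: List[str] = ["password", "letmein", "qwerty", "hunter2", "summer2024"]


def hash_unsalted(password: str) -> str:
    """Unsalted hash: identical passwords give identical digests across all users."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes, iterations: int = 10_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256); the salt is stored in the clear next to it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_salted_store(credentials: Dict[str, str]) -> Dict[str, Tuple[bytes, str]]:
    """Enrol users with a fresh random 16-byte salt per account."""
    store: Dict[str, Tuple[bytes, str]] = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_salted(password, salt))
    return store


def precompute_table(wordlist: List[str]) -> Dict[str, str]:
    """Precomputed digest -> password table: built once, reusable against every unsalted store."""
    return {hash_unsalted(w): w for w in wordlist}


def crack_unsalted(store: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Against unsalted digests the attack is one table lookup per account; no hashing at attack time."""
    return {user: table.get(digest) for user, digest in store.items()}


def crack_salted(store: Dict[str, Tuple[bytes, str]], wordlist: List[str]):
    """With per-user salts no table can be shared: each guess must be rehashed for each account.
    Returns (recovered passwords, number of hash computations spent)."""
    found: Dict[str, Optional[str]] = {}
    work = 0
    for user, (salt, digest) in store.items():
        found[user] = None
        for guess in wordlist:
            work += 1
            if hash_salted(guess, salt) == digest:
                found[user] = guess
                break
    return found, work
```

Note that the salt does not make a single weak password safe: "hunter2" is still found. What it removes is the shared precomputation, so the attacker's cost scales with the number of accounts times the number of guesses, which is why the iteration count (the slow-hash idea behind the improved UNIX scheme) matters as well.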
Define: Eavesdropping
Adversary attempts to learn the password by some sort of attack that involves the physical proximity of user and adversary
Define: Host attack
Directed at the user file at the host where passwords, token passcodes, or biometric templates are stored
Define: Replay attack
Adversary repeats a previously captured user response
Define: Client attack
Adversary attempts to achieve user authentication without access to the remote host or the intervening communications path
Define: Trojan horse attack
An application or physical device masquerades as an authentic application or device for the purpose of capturing a user password, passcode, or biometric
Define: Denial-of-Service
Attempts to disable a user authentication service by flooding the service with numerous authentication attempts
Define: False Match Rate (FMR or FAR, false accept rate)
Define: False non-match rate (FNMR, also called FRR, false reject rate)
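The two rates just defined are what a biometric system trades against each other with its decision threshold. The following is an added example, not part of the original cards, that computes FMR and FNMR from match scores and sweeps the threshold to find the crossover (equal error) point. The score lists are constructed sample data on a 0..100 scale.

```python
# Added example (not from the page): FMR and FNMR of a biometric matcher as a function of
# the decision threshold. The score lists are constructed sample data.
from typing import Iterable, List, Tuple

# Constructed sample match scores; a real evaluation uses thousands of attempts.
GENUINE_SCORES: List[int] = [88, 92, 75, 81, 95, 69, 84, 90, 78, 86]   # user vs own template
IMPOSTOR_SCORES: List[int] = [32, 45, 51, 28, 60, 39, 72, 35, 48, 55]  # other user vs template


def false_match_rate(impostor: Iterable[int], threshold: int) -> float:
    """FMR (FAR): fraction of impostor attempts scoring >= threshold, i.e. wrongly accepted."""
    scores = list(impostor)
    return sum(1 for s in scores if s >= threshold) / len(scores)


def false_non_match_rate(genuine: Iterable[int], threshold: int) -> float:
    """FNMR (FRR): fraction of genuine attempts scoring < threshold, i.e. wrongly rejected."""
    scores = list(genuine)
    return sum(1 for s in scores if s < threshold) / len(scores)


def error_rates(genuine: Iterable[int], impostor: Iterable[int], threshold: int) -> Tuple[float, float]:
    """(FMR, FNMR) at one threshold: raising it lowers FMR and raises FNMR."""
    return false_match_rate(impostor, threshold), false_non_match_rate(genuine, threshold)


def equal_error_threshold(genuine: List[int], impostor: List[int]) -> Tuple[int, float, float]:
    """Sweep every observed score as a threshold and return (threshold, FMR, FNMR) at the
    point where the two rates are closest (the crossover / equal error rate)."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        fmr, fnmr = error_rates(genuine, impostor, t)
        gap = abs(fmr - fnmr)
        if best is None or gap < best[0]:
            best = (gap, t, fmr, fnmr)
    return best[1], best[2], best[3]
```

A high-security deployment (door to a data centre) picks a threshold to the right of the crossover, accepting more false rejections to drive FMR down; a convenience deployment (phone unlock) does the opposite.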
Identifiers should be assigned carefully because authenticated identities are the basis for other security services (T/F)
Enrollment creates an association between a user and the user's biometric characteristics (T/F)
Memory cards store and process data (T/F)
Depending on the application, user authentication on a biometric system involves either verification or identification (T/F)
User authentication is the basis for most types of access control and for user accountability (T/F)
User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic (T/F)
A __________ attack involves an adversary repeating a previously captured user response
A _________ is a password guessing program
To counter threats to remote user authentication, systems generally rely on some form of __________ protocol
The ___________ strategy is when users are told the importance of using hard to guess passwords and provided with guidelines for selecting strong passwords
Recognition by fingerprint, retina, and face are examples of ___________
An institution that issues debit cards to cardholders and is responsible for the cardholder's account and authorizing transactions is the ___________
Each individual who is included in the database of authorized users must first be __________ in the system
A ________ strategy is one in which the system periodically runs its own password cracker to find guessable passwords
reactive password checking
The overall scheme of Kerberos is that of a trusted third-party authentication service (T/F)
The approach taken by Kerberos is using authentication software tied to a secure authentication server (T/F)
The authentication server shares a unique secret key with each server (T/F)
The ticket-granting ticket is not reusable (T/F)
The ticket-granting ticket is encrypted with a secret key known only to the AS and the TGS (T/F)
Kerberos does not support interrealm authentication (T/F)
X.509 provides a format for use in revoking a key before it expires (T/F)
The principal objective for developing a PKI is to enable secure, convenient, and efficient acquisition of private keys (T/F)
__________ requires that a user prove his or her identity for each service invoked and, optionally, requires servers to prove their identity to clients
The _________ consists of two dates: the first and last on which the certificate is valid.
________ is the process in which a CA issues a certificate for a user's public key and returns that certificate to the user's client system and/or posts that certificate in a repository
________ certificates are used in most network security applications, including IP security, secure sockets layer, secure electronic transactions, and S/MIME
An integer value unique within the issuing CA that is unambiguously associated with the certificate is the _________
_________ is the process whereby a user first makes itself known to a CA prior to that CA issuing a certificate or certificates for that user
Kerberos uses the _________ encryption algorithm
External devices such as firewalls cannot provide access control services (T/F)
The default set of rights should always follow the rule of least privilege or read-only access (T/F)
A constraint is a defined relationship among roles or a condition related to roles (T/F)
An access right describes the way in which a subject may access an object (T/F)
The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner (T/F)
An ABAC model can define authorizations that express conditions on properties of both the resource and the subject (T/F)
An auditing function monitors and keeps a record of user accesses to system resources (T/F)
_________ implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance
_______ provide a means of adapting RBAC to the specifics of administrative and security policies in an organization
Subject attributes, object attributes, and environment attributes are the three types of attributes in the ________ model
A ________ is an entity capable of accessing objects
________ is based on the roles the users assume in a system rather than the user's identity
_________ is the traditional method of implementing access control
A _________ is a named job function within the organization that controls this computer system
________ refers to setting a maximum number with respect to roles
Define: Computer security
Measures that implement and assure security services in a computer system, particularly those that assure access control service
Define: Authentication
Verification that the credentials of a user or other system entity are valid
Define: discretionary access control (DAC)
Define: Role-based access control (RBAC)
Define: Mandatory access control (MAC)
Controls access based on comparing security labels with security clearances
Define: Attribute-based access control (ABAC)
Define: subject, in regards to access rights
An entity capable of accessing objects
What are the three classes of subjects, in regards to access rights?
Define: object, in regards to access rights
What could access rights include?
Define: Extended Access Control Matrix
Define: Protection Domains
In UNIX File Access Control, files are administered using ________
In UNIX File Access Control, directories are structured in a ____________
What is the sticky bit in UNIX File Access Control?
Modern UNIX systems support ACLs (T/F)
Define: User, in relation to RBAC
An individual that has access to this computer system
Define: Role, in relation to RBAC
A named job function within the organization that controls this computer system
Define: Permission, in relation to RBAC
An approval of a particular mode of access to one or more objects
Define: Session, in relation to RBAC
A mapping between a user and an activated subset of the set of roles to which the user is assigned
Define: Constraints, in relation to RBAC2
List and define three types of constraints in RBAC2
Mutually exclusive roles:
Cardinality:
Prerequisite roles:
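The RBAC cards above define user, role, permission, session and the three RBAC2 constraints. The following is an added example, not from the original cards, that puts those pieces into one small model: users are assigned roles subject to mutual exclusion, cardinality and prerequisite checks, a session activates a subset of the user's roles, and the access decision is made against the active roles only. Role, user and object names are hypothetical.

```python
# Added example (not from the page): RBAC with users, roles, permissions, sessions and the
# three RBAC2 constraints. Role, user and object names are hypothetical.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

Permission = Tuple[str, str]   # (operation, object)


class ConstraintViolation(Exception):
    pass


@dataclass
class RBAC:
    role_perms: Dict[str, Set[Permission]] = field(default_factory=dict)
    user_roles: Dict[str, Set[str]] = field(default_factory=dict)
    sessions: Dict[str, Tuple[str, Set[str]]] = field(default_factory=dict)  # session -> (user, active roles)
    mutually_exclusive: Set[FrozenSet[str]] = field(default_factory=set)
    cardinality: Dict[str, int] = field(default_factory=dict)   # role -> maximum number of users
    prerequisite: Dict[str, str] = field(default_factory=dict)  # role -> role that must already be held

    def add_permission(self, role: str, operation: str, obj: str) -> None:
        self.role_perms.setdefault(role, set()).add((operation, obj))

    def assign(self, user: str, role: str) -> None:
        """User-to-role assignment, checked against the RBAC2 constraints."""
        held = self.user_roles.setdefault(user, set())
        for pair in self.mutually_exclusive:          # mutually exclusive roles
            if role in pair and held & (pair - {role}):
                raise ConstraintViolation(f"{role} excludes {sorted(held & (pair - {role}))}")
        if role in self.cardinality:                  # cardinality
            members = sum(1 for roles in self.user_roles.values() if role in roles)
            if members >= self.cardinality[role]:
                raise ConstraintViolation(f"{role} is limited to {self.cardinality[role]} users")
        needed = self.prerequisite.get(role)          # prerequisite roles
        if needed is not None and needed not in held:
            raise ConstraintViolation(f"{role} requires {needed} first")
        held.add(role)

    def open_session(self, session: str, user: str, roles: Set[str]) -> None:
        """A session activates a subset of the roles assigned to the user (least privilege)."""
        if not roles <= self.user_roles.get(user, set()):
            raise ConstraintViolation("only assigned roles can be activated")
        self.sessions[session] = (user, set(roles))

    def check(self, session: str, operation: str, obj: str) -> bool:
        """Access decision: some active role of the session holds the permission."""
        _, active = self.sessions.get(session, ("", set()))
        return any((operation, obj) in self.role_perms.get(r, set()) for r in active)


def violates(action, *args) -> bool:
    """True when the action raises ConstraintViolation; used to probe the constraints."""
    try:
        action(*args)
    except ConstraintViolation:
        return True
    return False
```

The session check is where least privilege comes from: a user who holds both manager and cfo can open a session with manager alone for routine work, and the approve permission is simply not present until cfo is activated.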
List and define attributes of the ABAC model
Subject attributes:
Object attributes:
Environment attributes:
Define: policies, in relation to the ABAC model
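The ABAC cards list subject, object and environment attributes and ask how policies relate to them. The following is an added example, not from the original cards, in which a policy is a list of rules, each a predicate over those three attribute sets plus the requested operation, and access is permitted only when every rule holds. The attribute names (clearance, sensitivity, department, network, hour) and the three rules are hypothetical.

```python
# Added example (not from the page): an ABAC policy evaluated over subject, object and
# environment attributes. Attribute names and rules are hypothetical.
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]
Rule = Callable[[Attrs, Attrs, str, Attrs], bool]   # (subject, object, operation, environment) -> allow?


def environment(network: str, hour: int) -> Attrs:
    """Environment attributes: where the request comes from and at what hour (0-23)."""
    return {"network": network, "hour": hour}


# Policy: every rule must hold for the operation to be permitted.
POLICY: List[Rule] = [
    # subject attribute vs object attribute: clearance must dominate the object's sensitivity
    lambda s, o, op, e: s["clearance"] >= o["sensitivity"],
    # operation plus subject/object attributes: only the owning department may write
    lambda s, o, op, e: op != "write" or s["department"] == o["owner_department"],
    # object plus environment attributes: sensitivity 3 and above only from the corporate
    # network during office hours
    lambda s, o, op, e: o["sensitivity"] < 3 or (e["network"] == "corporate" and 8 <= e["hour"] <= 18),
]


def permitted(subject: Attrs, obj: Attrs, operation: str, env: Attrs, policy: List[Rule] = POLICY) -> bool:
    """Access decision: all rules of the policy must accept the request."""
    return all(rule(subject, obj, operation, env) for rule in policy)


def explain(subject: Attrs, obj: Attrs, operation: str, env: Attrs, policy: List[Rule] = POLICY) -> List[int]:
    """Indexes of the rules that deny the request (empty when permitted); useful for audit logs."""
    return [i for i, rule in enumerate(policy) if not rule(subject, obj, operation, env)]
```

Contrast with the RBAC cards: nothing here is keyed on the user's identity or role name; the same rule set applies to every subject, and adding a new condition (a device-health attribute, say) means adding a rule, not re-assigning roles.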
Why has database security not kept pace with the increased reliance on databases?
Define: Query language
Provides a uniform interface to the database for users and applications
Define: database management system (DBMS)
Because of their complexity and criticality, database systems generate security requirements that are beyond the capability of typical OS-based security mechanisms or stand-alone security packages. How so?
What are some defining characteristics of Relational Databases?
Define the Relational Database Elements
Define: Primary key, in relation to relational databases
Define: Foreign key, in relation to relational databases
Links one table to attributes in another
Define: View/virtual table, in relation to relational databases
Define: Structured Query Language (SQL)
What can SQL statements be used to do?
Define: SQL Injection Attacks (SQLi)
Name the SQLi Attack Avenues
Define: Inband Attacks, in relation to SQLi Attacks
What do Inband Attacks include?
Define: Inferential Attack in relation to SQLi attacks
There is no actual transfer of data, but the attacker is able to reconstruct the information by sending particular requests and observing the resulting behavior of the Website/database server
What do SQLi Inferential Attacks include?
Define: Out-of-Band Attack in relation to SQLi Attacks
What are three types of SQLi Countermeasures?
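The SQLi cards above cover attack avenues, inband attacks and countermeasures. The following is an added example, not from the original cards, of an inband attack against a login query built by string concatenation, beside the parameterized version that belongs to the defensive-coding class of countermeasures. The table, rows and the two payloads are constructed; real systems store password hashes rather than plaintext, which is omitted here to keep the query readable.

```python
# Added example (not from the page): inband SQL injection against string-built SQL, and the
# parameterized fix. Table contents and payloads are constructed for the demonstration.
import sqlite3
from typing import List, Tuple


def setup_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table (plaintext passwords only for brevity)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Builds the statement from user input, so input can change the SQL grammar (the SQLi defect)."""
    sql = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> List[Tuple[str, str]]:
    """Placeholders bind the input as data; a quote or comment marker in it never reaches the parser."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Constructed payloads for the two inband techniques shown:
COMMENT_PAYLOAD = "alice' --"      # closes the string, comments out the password check
TAUTOLOGY_PAYLOAD = "' OR '1'='1"  # as password: ... AND password = '' OR '1'='1' is always true
```

With the vulnerable function, the comment payload logs in as a chosen account without a password and the tautology payload returns every row (a data-extraction inband attack). Python's sqlite3 `execute()` refuses stacked statements, so the piggy-backed avenue (`'; DROP TABLE users; --`) is not demonstrated here, but the same string-building mistake would allow it on a driver that accepts multiple statements.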
What does a database access control system determine?
What administrative policies can database access control support?
What are the two commands for managing access rights?
Give the syntax of a GRANT command
GRANT {privileges | role} ON [table] TO {user | role | PUBLIC} [IDENTIFIED BY password] [WITH GRANT OPTION]
Ex: GRANT SELECT ON ANY TABLE TO ricflair
What are the access rights of SQL access controls?
What is the syntax of a REVOKE command?
REVOKE {privileges | role} ON [table] FROM {user | role | PUBLIC}
Ex: REVOKE SELECT ON ANY TABLE FROM ricflair
When a user revokes an access right, any cascaded access right is also revoked, unless that access right would exist even if the original grant from A had never occurred (T/F)
What are three categories of database users?
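The cascading-revoke rule in the card above is easiest to see as a reachability question: a user holds a privilege while some chain of grants from the owner still reaches them. The following is an added example, not from the original cards, that models grants as edges (grantor, grantee) and implements REVOKE so that grants made by users who lose the privilege are dropped too, while a grantee reachable through an independent chain keeps it. It assumes every grant carries WITH GRANT OPTION and ignores grant timestamps; the user names are hypothetical.

```python
# Added example (not from the page): cascading REVOKE as reachability on the grant graph.
# Assumes every grant is WITH GRANT OPTION and ignores timestamps; names are hypothetical.
from typing import Set, Tuple


class GrantGraph:
    """Records who granted one privilege to whom. The owner holds it unconditionally; anyone
    else holds it while a chain of grants from the owner reaches them."""

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self.edges: Set[Tuple[str, str]] = set()   # (grantor, grantee)

    def reachable(self) -> Set[str]:
        """Every user reachable from the owner along grant edges."""
        seen: Set[str] = set()
        stack = [self.owner]
        while stack:
            current = stack.pop()
            for grantor, grantee in self.edges:
                if grantor == current and grantee not in seen:
                    seen.add(grantee)
                    stack.append(grantee)
        return seen

    def holds(self, user: str) -> bool:
        return user == self.owner or user in self.reachable()

    def grant(self, grantor: str, grantee: str) -> None:
        """GRANT ... TO grantee WITH GRANT OPTION, valid only if the grantor holds the privilege."""
        if not self.holds(grantor):
            raise PermissionError(f"{grantor} cannot grant a privilege it does not hold")
        self.edges.add((grantor, grantee))

    def revoke(self, grantor: str, grantee: str) -> Set[str]:
        """REVOKE ... FROM grantee issued by grantor. Returns the users who lose the privilege.
        Grants made by those users are removed as well (the cascade); a user still reachable
        through another chain keeps both the privilege and their own grants."""
        before = self.reachable()
        self.edges.discard((grantor, grantee))
        lost = before - self.reachable()
        self.edges = {(g, t) for (g, t) in self.edges if g not in lost}
        return lost
```

In the scenario checked below, dba grants to bob and chris, both of whom grant to david; when dba revokes from bob, bob and ellen (who had it only from bob) lose it, while david and frank keep it because david's grant from chris would have existed even if bob's grant had never occurred.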
Define: Inference, in regards to database security
The process of performing authorized queries and deducing unauthorized information from the legitimate responses received. The information transfer path by which unauthorized data is obtained is referred to as an inference channel.
What two inference techniques can be used to derive additional information?
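The inference definition above is abstract; the following is an added example, not from the original cards, of an inference channel through authorized aggregate queries: a user allowed only to query department totals recovers one employee's salary by subtracting two permitted sums. It also shows a query-time control (refusing aggregates over fewer than a minimum number of rows) and where that control falls short. The table, rows and the minimum query-set size are constructed for the demonstration.

```python
# Added example (not from the page): an inference attack through aggregate queries and a
# query-set-size control. Table contents and MIN_QUERY_SET are constructed.
import sqlite3
from typing import Optional, Tuple

MIN_QUERY_SET = 2   # aggregates over fewer rows are refused when enforcement is on


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO employees VALUES (?, ?, ?)",
        [("ann", "eng", 120_000), ("bob", "eng", 100_000),
         ("cat", "eng", 110_000), ("dan", "legal", 150_000)],
    )
    return conn


def aggregate(conn: sqlite3.Connection, func: str, where: str, params: Tuple = (),
              enforce_size: bool = False) -> Optional[int]:
    """Run func(salary) over the rows matching `where`. `where` and `func` are fixed
    developer-supplied fragments; all user values travel through `params` placeholders.
    With enforce_size the query is refused (None) when the query set is below MIN_QUERY_SET."""
    count = conn.execute(f"SELECT COUNT(*) FROM employees WHERE {where}", params).fetchone()[0]
    if enforce_size and count < MIN_QUERY_SET:
        return None
    row = conn.execute(f"SELECT COALESCE({func}(salary), 0) FROM employees WHERE {where}", params)
    return row.fetchone()[0]


def infer_salary(conn: sqlite3.Connection, name: str, enforce_size: bool = False) -> Optional[int]:
    """Two authorized department-level sums whose difference is one person's salary."""
    dept_of = "dept = (SELECT dept FROM employees WHERE name = ?)"
    total = aggregate(conn, "SUM", dept_of, (name,), enforce_size)
    others = aggregate(conn, "SUM", dept_of + " AND name != ?", (name, name), enforce_size)
    if total is None or others is None:
        return None
    return total - others
```

The size control stops the direct leak for dan, the only member of legal, because both the single-row aggregate and the department total are refused. It does not stop the same differencing for ann, whose two queries cover three and two rows respectively: query-set size is necessary but not sufficient, which is why the detection approaches asked about elsewhere on this page also consider overlap between successive query sets and restrictions applied at database design time.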
Encryption is the last line of defense in database security (T/F)
What are disadvantages to encryption in database security?
Describe the Kerberos Protocol
Define: RBAC0
Contains the minimum functionality for an RBAC system
Define: RBAC1
Includes the RBAC0 functionality and adds role hierarchies, which enable one role to inherit permissions from another role
Define: RBAC2
Includes RBAC0 and adds constraints, which restrict the ways in which the components of an RBAC system may be configured
Define: RBAC3
Contains the functionality of RBAC0, RBAC1, and RBAC2 (minimum RBAC functionality, role hierarchies, and constraints)
Name two approaches to inference detection
What does a Kerberos environment consist of?
Networks of clients and servers under different administrative organizations generally constitute different ___________
What happens in Kerberos if there are multiple realms?
The first version of Kerberos that was widely used was version _, published in _________
What improvements were found in Kerberos version 5?
How does Kerberos affect performance in larger client-server installations?
What four general schemes have been proposed for the distribution of public keys?
Define: X.509 Certificates
X.509 was initially issued in _____ with the latest revision in ______
X.509 is based on the use of ___________ and ____________
public-key cryptography, digital signatures
What algorithm does X.509 recommend?
X.509 dictates a specific hash algorithm (T/F)
X.509 certificates are the most widely accepted format for public-key certificates (T/F)
Name some network security applications in which X.509 certificates are used
Certificates created by a trusted Certification Authority (CA) should have which elements?
User certificates generated by a CA have what characteristics?
Which term means the granting of a right or permission to a system entity to access a system resource? Authorization. Definition(s): The right or a permission that is granted to a system entity to access a system resource.
Which is the general term used to specify an entity capable of accessing objects? Subject.
Access Control List: specifies which entities, users or system processes are granted access to objects, such as information assets, as well as what operations are allowed on given objects.
What is based on the roles the users assume in a system rather than the user's identity? In contrast, RBAC is based on the roles that users assume in a system rather than the user's identity. Typically, RBAC models define a role as a job function within an organization. RBAC systems assign access rights to roles instead of individual users.
What are the three common techniques for verifying a person's identity and access privileges? There are three common factors used for authentication: Something you know (such as a password), something you have (such as a smart card), something you are (such as a fingerprint or other biometric method).