
QUICK TIPS – CHAPTER 5

• Access is a flow of information between a subject and an object.

• A subject is an active entity that requests access to an object, which is a passive entity. A
subject can be a user, program, or process.

• Some security mechanisms that provide confidentiality are encryption, logical and physical
access control, transmission protocols, database views, and controlled traffic flow.

• Identity management (IdM) solutions include directories, web access management,
password management, legacy single sign-on, account management, and profile update.

• Password synchronization reduces the complexity of keeping up with different passwords
for different systems.

• Self-service password reset reduces help-desk call volumes by allowing users to reset their
own passwords.

• Assisted password reset shortens the resolution process for password issues handled by the
help-desk department.

• IdM directories contain all resource information, users’ attributes, authorization profiles,
roles, and possibly access control policies so other IdM applications have one centralized
resource from which to gather this information.

• An automated workflow component is common in account management products that
provide IdM solutions.

• User provisioning refers to the creation, maintenance, and deactivation of user objects and
attributes as they exist in one or more systems, directories, or applications.

• User access reviews ensure there are no active accounts that are no longer needed.

• The HR database is usually considered the authoritative source for user identities because
that is where each user’s identity is first developed and properly maintained.

• The five main access control models are discretionary, mandatory, role based, rule based,
and attribute based.

• Discretionary access control (DAC) enables data owners to dictate what subjects have
access to the files and resources they own.

• The mandatory access control (MAC) model uses a security label system. Users have
clearances, and resources have security labels that contain data classifications. MAC
systems compare these two attributes to determine access control capabilities.

• Role-based access control (RBAC) is based on the user’s role and responsibilities (tasks)
within the company.

• Rule-based RBAC (RB-RBAC) builds on RBAC by adding Boolean logic in the form of
rules or policies that further restrict access.

• Attribute-based access control (ABAC) is based on attributes of any component of the
system. It is the most granular of the access control models.

• Three main types of constrained user interface measures exist: menus and shells, database
views, and physically constrained interfaces.

• Access control lists are bound to objects and indicate what subjects can use them.

• A capability table is bound to a subject and lists what objects it can access.

• Some examples of remote access control technologies are RADIUS, TACACS+, and
Diameter.

• Examples of administrative controls are security policy, personnel controls, supervisory
structure, security awareness training, and testing.

• Examples of physical controls are network segregation, perimeter security, computer
controls, work area separation, and cabling.

• Examples of technical controls are system access, network architecture, network access,
encryption and protocols, and auditing.

• For a subject to be able to access a resource, it must be identified, authenticated, and
authorized, and should be held accountable for its actions.

• Authentication can be accomplished by biometrics, a password, a passphrase, a cognitive
password, a one-time password, or a token.

• A Type I error in biometrics means the system rejected an authorized individual, and a
Type II error means an imposter was authenticated.

• A memory card cannot process information, but a smart card can through the use of
integrated circuits and processors.

• Least-privilege and need-to-know principles limit users’ rights to only what is needed to
perform tasks of their job.

• Single sign-on capabilities can be accomplished through Kerberos, domains, and thin
clients.

• The Kerberos user receives a ticket granting ticket (TGT), which allows him to request
access to resources through the ticket granting service (TGS). The TGS generates a new
ticket with the session keys.

• Keystroke monitoring is a type of auditing that tracks each keystroke made by a user.

• Object reuse can unintentionally disclose information by assigning media to a subject
before it is properly erased.

• Just removing pointers to files (deleting file, formatting hard drive) is not always enough
protection for proper object reuse.

• Information can be obtained via electrical signals in airwaves. The ways to combat this
type of intrusion are TEMPEST, white noise, and control zones.

• User authentication is accomplished by what someone knows, is, or has.

• One-time password-generating token devices can use synchronous (time, event) or
asynchronous (challenge-based) methods.

• Strong authentication requires two of the three user authentication attributes (what someone
knows, is, or has).

• The following are weaknesses of Kerberos: the KDC is a single point of failure; it is
susceptible to password guessing; session and secret keys are locally stored; KDC needs to
always be available; and there must be management of secret keys.

• Phishing is a type of social engineering with the goal of obtaining personal information,
credentials, credit card numbers, or financial data.

• A race condition is possible when two or more processes use a shared resource and the
access steps could take place out of sequence.

• Mutual authentication is when two entities must authenticate to each other before sending
data back and forth. Also referred to as two-way authentication.

• A directory service is a software component that stores, organizes, and provides access to
resources, which are listed in a directory (listing) of resources. Individual resources are
assigned names within a namespace.

• A cookie is data that is held permanently on a hard drive in the format of a text file or held
temporarily in memory. It can be used to store browsing habits, authentication data, or
protocol state information.

• A federated identity is a portable identity, and its associated entitlements, that can be used
across business boundaries without the need to synchronize or consolidate directory
information.

• Extensible Markup Language (XML) is a set of rules for encoding documents in
machine-readable form to allow for interoperability between various web-based technologies.

• Service Provisioning Markup Language (SPML) is an XML-based framework being
developed by OASIS for exchanging user, resource, and service provisioning information
between cooperating organizations.

• Extensible Access Control Markup Language (XACML), which is both a declarative
access control policy language implemented in XML and a processing model, describes
how to interpret security policies.

• Replay attack is a form of network attack in which a valid data transmission is maliciously
or fraudulently repeated with the goal of obtaining unauthorized access.

• Clipping level is a threshold value. Once a threshold value is passed, the activity is
considered to be an event that is logged, investigated, or both.

• A rainbow table is a set of precomputed hash values that represents password
combinations. Rainbow tables are used in password attack processes and usually produce
results more quickly than dictionary or brute-force attacks.

• Cognitive passwords are fact- or opinion-based information used to verify an individual’s
identity.

• Smart cards can require physical interaction with a reader (contact) or no physical
interaction with the reader (contactless architectures). Two contactless architectures are
combi (one chip) and hybrid (two chips).

• A side channel attack is carried out by gathering data pertaining to how something works
and using that data to attack it or crack it, as in differential power analysis or
electromagnetic analysis.

• Authorization creep takes place when a user accumulates more access rights and permissions
than needed over time.

• Security information and event management (SIEM) implements data mining and analysis
functionality to be carried out on centralized logs for situational awareness capabilities.

• Intrusion detection systems are either host or network based and provide behavioral
(statistical) or signature (knowledge) types of functionality.

• Phishing is a type of social engineering attack. If it is crafted for a specific individual, it is
called spear-phishing. If a DNS server is poisoned and points users to a malicious website,
this is referred to as pharming.

• A web portal is commonly made up of portlets, which are pluggable user interface software
components that present information and services from other systems.

• The Service Provisioning Markup Language (SPML) allows for the automation of user
management (account creation, amendments, revocation) and access entitlement
configuration related to electronically published services across multiple provisioning
systems.

• The Security Assertion Markup Language (SAML) allows for the exchange of
authentication and authorization data to be shared between security domains.

• OpenID is an open standard and protocol that allows third-party authentication of a user.

• OAuth is an open standard that allows a user to grant authority to some web resource, like a
contacts database, to a third party.

• OpenID Connect is an authentication layer built on the OAuth 2.0 protocol that allows
transparent authentication and authorization of client resource requests.

• The Simple Object Access Protocol (SOAP) is a protocol specification for exchanging
structured information in the implementation of web services and networked environments.

• Service-oriented architecture (SOA) environments allow for a suite of interoperable
services to be used within multiple, separate systems from several business domains.

• Radio-frequency identification (RFID) is a technology that provides data communication
through the use of radio waves.
