Network Security: Chp. 5 - Access Controls
Terms in this set (100)
The process of protecting a resource so that it is used only by those allowed to use it; a particular method used to restrict or allow access to resources.
The process of providing credentials to claim to be a specific person or entity.
The process of proving you are the person or entity you claim to be.
The process of deciding who is approved for access to specific resources.
Defining the roles, responsibilities, and what key IT security employees and incident response team members must do.
Logical access controls
A mechanism that limits access to computer systems and network resources.
Physical access control
A mechanism that regulates access to physical resources, such as buildings or rooms.
A plastic card with authentication credentials embedded in either a microchip or magnetic strip on the card.
The central part of a computing environment's hardware, software, and firmware that enforces access control for computer systems.
Software that provides a central point of processing for all resource access requests.
Security kernel database
A database made up of rules that determine individual users' access rights.
Access control list (ACL)
An implementation technique to control access to a resource by maintaining a table of authorized user IDs; also used to permit or deny IP packets to/from router and switch interfaces in order to manage IP traffic flow.
Trusted operating systems (TOS)
A type of operating system that includes additional controls to address the additional security needs of systems that handle extremely sensitive information.
Access control policy
An organizational policy definition that defines how authorized users gain access to resources based on their role and job functions and duties. This policy defines the rules for how employees and authorized contractors are granted access and how their access is removed.
Protected objects in a computing system, such as files, computers, or printers.
The activities that authorized users can perform using IT assets, systems, applications, and data.
Optional conditions that exist between users and resources. They are permissions granted to an authorized user, such as read, write, and execute.
User-assigned privileges
The most detailed authorization policy; it assigns specific privileges to the individual user.
Group membership policy
An authorization method in which access to resources is decided by what group(s) you are in.
An authorization method in which access to resources is decided by the user's authority level.
The most common method to identify a user to a system. It is usually a character string that represents a person or group of people who access a computer system.
A physiological or behavioral human-recognition system (e.g., fingerprint reader, a retina scanner, a voice-recognition reader, etc.).
The process of recording audit trails and events in log files when monitoring access controls to information systems and applications.
In authentication, this is something you know, such as a password, a passphrase, or a PIN.
In authentication, this is something you have, such as a smart card, key, badge, or token.
In authentication, a unique physical attribute or manner of expression, such as a fingerprint or a signature. Such attributes are often referred to as "something you are."
An authentication method that uses only a single type of authentication credentials.
An authentication method that uses two types of authentication credentials. Provides a higher level of security than using only one.
Brute-force password attack
A method used to attempt to compromise logon and password access controls by attempting every input combination. These password attacks usually follow a specific attack plan, including the use of social engineering to obtain user information.
Type of password cracker that works with precalculated hashes of all passwords available within a certain character space.
An authentication credential that is generally longer and more complex than a password. Passphrases can also contain multiple words.
Some value that indicates a change from normal to abnormal behavior. In the case of failed logon attempts, a threshold of five means that when a user fails to log on five times, the action should be considered abnormal.
An independent third-party review of an organization's existing financial situation, IT implementation, and/or IT security implementation.
In authentication, this is something you have, such as a smart card, key, badge, or token.
A device used as a logon authenticator for remote users of a network.
Time-based synchronization system
An authentication method in which a token's internal clock is synchronized with a server's clock to generate matching values.
Event-based synchronization system
An authentication method in which a token's value is synchronized with a server based on each access request. The token's counter is increased each time a new value is requested.
An authentication token used to process challenge-response authentication with a server. The token takes the server's challenge value and calculates a response. The user enters the response to authenticate a connection.
Public key infrastructure (PKI)
A general approach to handling encryption keys using trusted entities and digital certificates; the hardware, software, policies, and procedures to manage all aspects of digital certificates.
A hardware device used for authentication that you plug into your computer's USB port. This device provides authentication credentials without the user having to type anything.
Common Criteria for Information Technology Security Evaluation
ISO/IEC 15408 standard for computer security.
Crossover error rate
The point at which a biometric device's sensitivity produces false rejections and false acceptances at equal rates.
Single sign-on (SSO)
A method of access control that allows a user to log on to a system and gain access to other resources within the network via the initial logon. SSO helps a user avoid having to log on multiple times and remember multiple passwords for various systems.
A collection of servers that share authentication credentials.
An authentication method in which the initial sign-on credentials are forwarded by request to other trusted servers.
Key distribution center (KDC)
The process of issuing keys to valid users of a cryptosystem so they can communicate.
Secure European System for Application in a Multi-Vendor Environment (SESAME)
A research and development project funded by the European Commission to provide Single Sign-On capability. SESAME was developed to address weaknesses in Kerberos.
Lightweight Directory Access Protocol (LDAP)
A directory service for network-based authentication. LDAP communication can be encrypted.
A version of LDAP that uses SSL/TLS for all messages exchanged across the network.
Journaled entries that provide details such as who logged on to the system, when they logged on, and what information or resources were accessed.
Action an organization takes to help reduce risk.
A device that creates a magnetic field that erases data from magnetic storage media.
The process of repetitively writing data to specific areas on a physical storage media to effectively replace any previous data stored in those areas.
Discretionary access control (DAC)
A means of restricting access to objects based on the identity of subjects and/or groups to which they belong.
Mandatory access control (MAC)
A means of restricting access to an object based on the object's classification and the user's security clearance.
The principle in which a subject—whether a user, application, or other entity—should be given the minimum level of rights necessary to perform legitimate functions.
Separation of duties
The process of dividing a task into a series of unique activities performed by different people, each of whom is allowed to execute only one part of the overall task.
Need to know
A property that indicates a specific subject needs access to a specific object. This is necessary to access the object in addition to possessing the proper clearance for the object's classification.
Two or more people working together to violate a security policy.
The action of multiple attackers planning a cyber attack; more generally, people working together secretly in order to do something illegal or unauthorized.
These are hidden ways of passing information against organizational policy.
A method of restricting resource access to specific periods of time. You may see temporal isolation more commonly described as time of day restrictions.
Role-based access control (RBAC)
An access control method that bases access control approvals on the jobs the user is assigned.
Constrained user interface
Software that allows users to enter only specific information and perform only specific actions.
View-based access control (VBAC)
Limiting users' access to database views, as opposed to allowing users to access data in database tables directly.
A database feature that allows different groups of users to access the database without being able to access each other's data.
The act of transforming cleartext data into undecipherable ciphertext.
Bell-La Padula model
An access control model that provides multilayered security for access to systems, applications, and data based on a hierarchy.
Information that describes the current status of a network connection that is used by firewalls to make decisions on whether to pass or drop network packets.
The transition from one state to another state.
Biba integrity model
Access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity; this prevents users from corrupting data at a higher level than what the user may have access to and helps ensure data integrity.
Clark and Wilson integrity model
Published in 1987 by David Clark and David Wilson, this model focuses on what happens when users allowed into a system try to do things they are not permitted to do.
Brewer and Nash integrity model
Based on a mathematical theory published in 1989 to ensure fair competition.
A malicious software code that appears benign to the user but actually performs a task on behalf of a perpetrator with malicious intent.
The physical interception of data communications; eavesdropping.
An attack in which the attacker gets between two parties and intercepts messages before transferring them on to their intended destination.
A condition in which a memory buffer exceeds its capacity and extends its contents into adjacent memory. Often used as an attack against poor programming techniques or poor software quality control. Hackers can inject more data into a memory buffer than it can hold, which may result in the additional data overflowing into the next area of memory. If the overflow extends to the next memory segment designated for code execution, a skilled attacker can insert arbitrary code that will execute with the same privileges as the current program. Improperly formatted overflow data may also result in a system crash.
Personally identifiable information (PII)
Data that can be used to individually identify a person. Examples include Social Security numbers, driver's license numbers, financial account data, and health data.
A system for collecting, managing, and using the information associated with access controls such as login IDs and passwords.
A centralized set of rules that govern the way Windows operates.
Group Policy Object (GPO)
A named object that contains a collection of Group Policy settings.
Authentication, authorization, and accounting (AAA)
Core services provided by one or more central servers to help standardize access control for network resources.
Remote Authentication Dial-In User Service (RADIUS)
Popular protocol, first introduced in the early 1990s, that supports remote user authentication for large numbers of users wishing to connect to central servers.
Terminal Access Controller Access System Plus (TACACS+)
A Cisco proprietary remote access client/server protocol that provides authentication, authorization, and accounting.
Terminal Access Controller Access System
A remote access client/server protocol that provides authentication and authorization capabilities to users who are accessing the network remotely. It is not a secure protocol.
Extended Terminal Access Controller Access System
An extension of the TACACS remote access client/server protocol that provides authentication and authorization capabilities to users who are accessing the network remotely. It is not a secure protocol.
A popular centralized access control protocol that succeeded RADIUS and provides access control for stable and static workforces.
User Datagram Protocol (UDP)
A communication protocol that is connectionless and is popular for exchanging small amounts of data or messages.
Security Assertion Markup Language (SAML)
An open XML standard used for exchanging both authentication and authorization data.
Decentralized access control
A system that puts access control into the hands of people such as department managers who are closest to system users; there is no one centralized entity to process access requests in this system.
Password Authentication Protocol (PAP)
Decentralized authentication protocol that uses cleartext usernames and passwords.
Challenge-Handshake Authentication Protocol (CHAP)
Decentralized authentication protocol that hashes passwords with a one-time challenge number to defeat eavesdropping and replay attacks.
Initiative for Open Authentication (OATH)
A collaborative organization supporting open standards and use of encryption for authentication.
HMAC-based one-time password (HOTP)
An algorithm that provides a very secure method to authenticate a mobile device user using an authentication server.
Time-based one-time password (TOTP)
An example of HOTP, this algorithm combines a timestamp with a hashed value to reduce vulnerability to replay attacks.
The protection of individual rights to non-disclosure.
The practice of using computing services that are hosted in a virtualized data center with remote access to the application and data (e.g., Software as a Service [SaaS] utilizes cloud computing).
Cloud service provider (CSP)
A company that maintains data centers with racks of server computers, each running multiple virtual machines, and is able to provide services to many clients simultaneously. Organizations of all types turn to CSPs to avoid having to maintain their own data centers.
Software as a Service (SaaS)
A model of software deployment or service where customers use applications on demand.
Cloud Security Alliance (CSA)
A nonprofit organization with a mission to promote security best practices for using cloud computing.