Security+ Chapter 1
Confidentiality
ensures that data is only viewable by authorized users. Access controls and encryption protect the confidentiality of data.
Integrity
provides assurance that data has not been modified, tampered with, or corrupted through unauthorized or unintended changes. Data can be a message, a file, or data within a database. Hashing is one method of verifying that integrity has not been lost.
Availability
ensures that data and services are available when needed. A common goal is to remove single points of failure (SPOF). Methods used to increase or maintain availability include fault tolerance, backups, virtualization, HVAC systems, and generators.
Implicit deny
indicates that unless something is explicitly allowed, it is denied. Firewalls often use implicit deny by explicitly allowing some traffic and then implicitly denying all other traffic that is not identified. Anything not explicitly allowed is implicitly denied.
Risk
is the possibility of a threat exploiting a vulnerability, resulting in a loss.
Threat
is any circumstance or event that has the potential to compromise confidentiality, integrity, or availability.
Vulnerability
is a weakness. It can be a weakness in the hardware, the software, the configuration, or the users operating the system.
reduces risk by reducing the chances that a threat will exploit a vulnerability.
Identification
occurs when a user professes or claims an identity, such as with a username.
Authentication
occurs when an entity provides proof of an identity (such as a password) and the proof is verified by a second entity.
Authorization
provides access to resources based on a proven identity.
Three factors of authentication:
- Something you know (such as a username and password)
- Something you have (such as a smart card, CAC, PIV, or a token)
- Something you are (using biometrics)
Complexity (or key space) is calculated as
C^N, where C is the number of possible characters used and N is the length of the password.
Self-service password systems
automate password recovery.
Account lockout policies
lock out an account after an incorrect password is entered too many times.
Common access cards (CACs) and personal identity verification (PIV) cards
can be used as photo IDs and as smartcards.
Tokens (or key fobs) display numbers in an LCD synchronized with a server. These numbers provide
rolling one-time-use passwords.
Biometric methods are the most difficult to falsify.
- Physical methods: fingerprints and iris scans.
- Behavioral methods: voice recognition and signature geometry.
Kerberos
is a network authentication protocol using tickets issued by a KDC. If a ticket-granting ticket expires, the user may not be able to access resources. Kerberos is used in Microsoft Active Directory domains and in UNIX realms.
Lightweight Directory Access Protocol (LDAP)
specifies formats and methods to query directories. It provides a single point of management for objects, such as users and computers, in an Active Directory domain.
Single sign-on (SSO)
allows users to authenticate with a single user account and access multiple resources on a network without authenticating again. SSO can be used to provide central authentication with a federated database and use this authentication in an environment with different operating systems (a nonhomogeneous environment).
Remote access authentication (RAS)
is used when a user accesses a private network from a remote location, such as with a dial-up connection or a VPN connection.
PAP. Password Authentication Protocol.
Passwords are sent in clear text so PAP is rarely used today.
CHAP. Challenge Handshake Authentication Protocol.
CHAP uses a handshake process where the server challenges the client. The client then responds with the appropriate authentication information.
MS-CHAP. Microsoft’s implementation of CHAP
used only by Microsoft clients.
RADIUS. Remote Authentication Dial-In User Service.
RADIUS provides a centralized method of authentication for multiple remote access services servers. RADIUS encrypts the password packets, but not the entire authentication process.
Terminal Access Controller Access-Control System (TACACS)
is a remote authentication protocol that was commonly used in UNIX networks.
Extended TACACS (XTACACS)
is an improvement over TACACS developed by Cisco Systems and is proprietary to Cisco Systems. Neither of these is commonly used today, with most organizations using either RADIUS or TACACS+.
Terminal Access Controller Access-Control System+ (TACACS+)
is an alternative to RADIUS and is proprietary to Cisco Systems. A benefit of TACACS+ is that it can interact with Kerberos, allowing it to work with a broader range of environments, including Microsoft. Additionally, TACACS+ encrypts the entire authentication process (RADIUS encrypts only the password).
Mutual authentication
is the ability to perform authentication in both directions. Not only does the client authenticate to the server, but the server also authenticates to the client.
MS-CHAPv2 is used to authenticate Microsoft clients and includes mutual authentication. TACACS+ is used by Cisco for authentication and can use Kerberos, allowing it to interact with a Microsoft environment. TACACS+ uses TCP, encrypts the entire authentication process, and uses multiple challenges and responses. RADIUS uses UDP and encrypts just the password.
AAA protocols provide authentication, authorization, and accounting. Authentication verifies a user's identification. Authorization determines if a user should have access. Accounting tracks user access with logs.