Front Back
False Reject Rate / Type 1 error.
Used in biometrics.  Percentage of authorized users to whom the system denies access.
False Accept Rate / Type 2 error.
Used in biometrics.  Percentage of unauthorized users to whom the system incorrectly allows system access.
Crossover Error Rate (CER).
The point when the False Reject Rate equals the False Accept Rate. 
Synchronous dynamic password token.
Continuously generates new passwords at a fixed interval.  The password is a one-time password.
Asynchronous dynamic password token.
Generates a new password by calculating the correct response to a system-generated random challenge string (nonce) that the owner manually enters into the token.  Password generator.
Kerberos
Single Sign-On solution.  Uses a one-way hash function, a dynamic session key and a static secret key.  The TGS generates the TGT and the Client/TGS session keys.
Centralized access control.
User account info stored in a central location.  Small enterprises.  Uses LDAP, Remote Access Service (RAS), RADIUS, Diameter, TACACS+.
Remote Access Service (RAS)
Utilizes PPP to encapsulate IP packets and establish dial-in connections over serial and ISDN links.  Uses PAP, CHAP, and EAP.
RADIUS
Open-source, client-server networking protocol that provides AAA.  An application-layer protocol using UDP.  Implemented by Internet Service Providers (ISPs).  Uses PAP and CHAP to provide the username/password to the RADIUS client.
Diameter.
Next Generation of RADIUS.  Uses TCP and Stream Control Transmission Protocol (SCTP) for reliable connection.  Uses IPSec and TLS for network security.
TACACS
Remote authentication protocol that is TCP based and supports any authentication mechanism.  Uses dynamic passwords.
Decentralized Access Controls
User accounts are maintained in separate locations.  Good for large organizations.  Disadvantages include applying security policies that provide the wrong level of access and disabling numerous accounts.  Examples of decentralized access control include domains, trusts, and databases.
Discretionary Access Controls
Access policy determined by the owner of the data or file.  The owner decides who is allowed to access the files and with what privileges.  Uses ACLs and is role-based.
Disadvantages of Discretionary Access Controls.
1. Lack of centralized administration.
2. Dependence on security-conscious owners.
3. Difficult to audit due to the large volume of log entries that can be generated.
Mandatory Access Controls
Access policy determined by the system instead of the owner.  Used by the government (classification levels).  Concepts of MAC include sensitivity labels and data import and export.  Rule-based and lattice-based.
Disadvantages of Mandatory Access Controls.
1. Lack of flexibility.
2. Difficulty in implementing and programming.
3. User frustration.
Bell-La Padula
Addresses storage and protection of classified information.  Confidentiality model for Mandatory Access Control.  Information cannot flow downward.  The simple security (SS) property states no read up.  The star property states no write down.
Biba Model
Integrity model, ensuring data is not modified.  A lattice-based model that addresses integrity.  The simple security (SS) property states no read down.  The star property states no write up.
Clark Wilson Model
Integrity model.  Data cannot be accessed directly by a user; it must be accessed through an application.  Addresses all three goals of integrity.  Uses the following for inputting data: Unconstrained Data Item (UDI), Constrained Data Item (CDI), Integrity Verification Procedures (IVP), and Transformation Procedures (TP).
Noninterference Model
Ensures that objects and subjects don't see the actions of other objects and subjects on the same system.  Ex: a user at a lower access level will not see changes made to a file by someone at a higher level.
Information flow model
A lattice-based model in which the system assigns objects a security class and value.  A security policy controls the direction of flow.
Black box testing
The tester has no prior knowledge of the system.  Hackers perform this kind of testing.
White box testing
The person doing the testing has complete knowledge of the system.  This testing provides maximum assurance that organizations can identify existing vulnerabilities.
Grey box testing
Testers have some knowledge about the system.