
Side A Side B

Side A: What is CIA?
Side B: Confidentiality, Integrity, and Availability. Confidentiality refers to the idea that information should only be accessible to its intended recipients. Integrity is the idea that information should arrive at its destination exactly as it was sent, unaltered. Availability refers to the idea that information should be available to those authorized to use it, when they need it.

Side A: Type I authentication factor
Side B: What you know. Access control methods related to "what you know" include passwords, numeric keys, PIN numbers, and secret questions and answers.

Side A: Type II authentication factor
Side B: What you have: physical keys or cards, smart cards, hardware tokens, and other physical devices.

Side A: Type III authentication factor
Side B: What you are. Some high-tech systems may use fingerprints, retinal scans, or even DNA.

Side A: What are the three steps of any access control process?
Side B: 1. Identification: who is the user? 2. Authentication: is the user who he says he is? 3. Authorization: what does the user have permission to do? Authorization is actually enforced by the reference monitor, the part of the operating system kernel that mediates every access by a subject to an object.

Side A: What is Kerberos?
Side B: An open, widely accepted network authentication protocol (the MIT reference implementation is open source) that works on a shared secret key system with a trusted third party.

Side A: The system in which a central administrator or administration dictates all of the access to information in a network or system.
Side B: MAC (Mandatory Access Control)

Side A: The system in which the owners of files actually determine who gets access to the information.
Side B: DAC (Discretionary Access Control)

Side A: A system in which the roles of users determine their access to files.
Side B: RBAC (Role-Based Access Control)

Side A: How does Kerberos distribute keys?
Side B: Kerberos uses a Key Distribution Center (KDC) to distribute session keys to the parties that wish to communicate. The KDC's Authentication Server issues the client a ticket-granting ticket once the client proves knowledge of its secret key; the Ticket Granting Server then issues service tickets, each carrying a session key and the client's identity, so the client can authenticate to a service without ever sending its password across the network.

Side A: What is one of Kerberos's vulnerabilities?
Side B: It makes extensive use of the trusted third party. If the third party (the KDC) is compromised, the confidentiality and integrity of information may be breached, because the attacker holds every principal's key and can forge tickets. If the third party simply fails, availability is lost, because no new tickets can be issued.

Side A: What single sign-on technology is Kerberos associated with?
Side B: Kerberos is associated with SSO, or single sign-on: one authentication to the KDC yields tickets for many services.

Side A: What is the most common form of authentication system?
Side B: Username and password.

Side A Side B

Side A: What is a honey pot?
Side B: A honey pot is a computer that has been deliberately designated as a target for computer attacks; it is designed to be broken into so that the attacker's tools and techniques can be observed and recorded.

Side A: What is phishing?
Side B: Phishing is a form of social engineering in which you gain information by making a request look like a legitimate one (for example, an e-mail that appears to come from the victim's bank).

Side A: What are computer viruses?
Side B: Computer viruses are programs that attach themselves to other programs or files, replicate when those files are run or opened, and carry out malicious actions.

Side A: What is privilege creep?
Side B: Privilege creep occurs when a user's old privileges are not revoked as their role changes; over time the user accumulates access to more information than their current job requires.

Side A: What are TCP Wrappers?
Side B: TCP Wrappers is a host-based access control layer for network services on Unix-like systems. The tcpd daemon (or a service linked against libwrap) consults /etc/hosts.allow and /etc/hosts.deny to decide whether to accept a connection from a given client address for a given service, and logs each connection attempt through syslog, which gives more detailed per-service logging than the service itself may provide.
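The decision rule behind the TCP Wrappers card, as an added example (this is illustrative Python, not code from tcpd or libwrap): hosts.allow is consulted first and a match grants access, hosts.deny is consulted next and a match refuses it, and a client matching neither file is allowed. Only a subset of the hosts_access(5) syntax is handled (ALL, exact IPv4 addresses, and network prefixes ending in a dot); the rule files and addresses below are constructed for the demonstration.

```python
"""Toy evaluator for TCP Wrappers style access control (added example).

Reproduces the core decision rule of hosts_access(5) for a subset of the
syntax: "daemon_list : client_list" lines, where a client pattern is ALL,
an exact IPv4 address, or a network prefix ending in a dot (e.g. "10.0.0.").
The real tcpd/libwrap also supports hostnames, EXCEPT, netmasks and shell
commands; those are deliberately omitted here.
"""
import ipaddress
import logging

log = logging.getLogger("tcpd")

# Constructed sample configuration, not a real host's files.
HOSTS_ALLOW = """
# allow ssh from the management LAN and vsftpd from one jump host
sshd: 10.0.0.
vsftpd: 192.0.2.10
"""

HOSTS_DENY = """
# default-deny everything else
ALL: ALL
"""

def parse_rules(text):
    """Return a list of (daemon patterns, client patterns) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blanks
        if not line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append((
            [d.strip() for d in daemons.split(",")],
            [c.strip() for c in clients.split(",")],
        ))
    return rules

def _client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # network prefix, e.g. "10.0.0."
        return addr.startswith(pattern)
    return pattern == addr             # exact address

def _rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (("ALL" in daemons or daemon in daemons)
            and any(_client_matches(p, addr) for p in clients))

def access_allowed(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts_access order: first match in hosts.allow wins, then hosts.deny;
    a client that matches neither file is allowed."""
    ipaddress.ip_address(addr)  # reject malformed addresses up front
    if any(_rule_matches(r, daemon, addr) for r in parse_rules(allow_text)):
        decision = True
    elif any(_rule_matches(r, daemon, addr) for r in parse_rules(deny_text)):
        decision = False
    else:
        decision = True
    log.info("%s from %s: %s", daemon, addr, "allowed" if decision else "refused")
    return decision

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for svc, client in [("sshd", "10.0.0.7"), ("sshd", "203.0.113.9"),
                        ("vsftpd", "192.0.2.10"), ("vsftpd", "10.0.0.7")]:
        access_allowed(svc, client)
```

The fall-through to "allow" when neither file matches is the part administrators most often get wrong: without the `ALL: ALL` line in hosts.deny, every service not named in hosts.allow is reachable from anywhere.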
Side A: What is footprinting?
Side B: Footprinting is the process of systematically identifying a target network and its security posture (addresses, hosts, services, and defenses) before an attack.

Side A: What is the WAP gap?
Side B: A WAP (Wireless Application Protocol) gateway must decrypt the WTLS-protected traffic from a mobile device before re-encrypting it with SSL/TLS toward the Internet server. Data therefore exists in cleartext on the gateway, and if the link between the gateway and the server is not encrypted, packets between the devices may be intercepted.

Side A: What are the three As of forensics?
Side B: Acquire the evidence, authenticate the evidence, and analyze the evidence.

Side A: What is platform hardening?
Side B: Platform hardening is the process of making a workstation or server more secure by removing unneeded services, applying patches, and tightening its configuration.

Side A: What is war driving?
Side B: War driving is driving around town with a laptop looking for wireless access points that can be communicated with.

Side A: What is chip creep?
Side B: Unsoldered (socketed) chips work their way out of their sockets over time as the board heats and cools; this is known as chip creep.

Side A: What is the PASS method?
Side B: PASS is the recommended method for using a fire extinguisher: Pull (the pin), Aim (at the base of the fire), Squeeze (the handle), and Sweep (from side to side).

Side A: What is tailgating?
Side B: Tailgating is a method of gaining entry to electronically locked areas by following someone through the door they just unlocked.

Side A: What is spoofing?
Side B: Spoofing is impersonating a legitimate source (an IP or MAC address, an e-mail sender, a web site, or a person) so that a system or user accepts the traffic as genuine.

Side A: What is a site survey?
Side B: A site survey involves listening in on an existing wireless network using commercially available equipment to map its access points, coverage, and configuration.

Side A: What is collusion?
Side B: Collusion is an agreement between two or more parties for the purpose of committing deception or fraud.

Side A: What is a phreaker?
Side B: A phreaker is someone who abuses phone systems, as opposed to data systems.

Side A: What does the CIA in the CIA security triad stand for?
Side B: Confidentiality, Integrity and Availability.

Side A: What are thin clients?
Side B: Thin clients are workstations that do not provide any local disk storage or removable media; applications and data live on a server.

Side A Side B

Side A: a computer program that detects viruses and repairs files
Side B: antivirus

Side A: giving the owner the exclusive right to reproduce or distribute copies of his or her own work
Side B: copyright protection

Side A: the process of converting readable data into unreadable characters to prevent unauthorized access
Side B: encryption

Side A: a person who secretly gains access to computers and files without permission
Side B: hacker

Side A: a safeguard for access to a computer or computer system
Side B: password

Side A: the illegal copying and distribution of software
Side B: piracy

Side A: malware that is disguised as a useful piece of software (unlike a virus, it does not replicate itself)
Side B: Trojan horse

Side A: a software program capable of causing great harm to files or other programs on the same computer
Side B: computer virus

Side A: computer software that is designed to collect personal information about users without their informed consent
Side B: spyware

Side A: unwanted e-mail (usually of a commercial nature, sent out in bulk)
Side B: spam

Side A: software designed to infiltrate or damage a computer system without the user's informed consent
Side B: malware

Side A: a security system that limits the exposure of a computer to attack from hackers
Side B: firewall

Side A: invading someone else's computer, usually for personal gain or to harm their programs
Side B: hacking

Side A: a technique to gain personal information for the purpose of identity theft, usually by means of fraudulent e-mail
Side B: phishing

Side A: a computer program designed to damage computer files, spreading by inserting copies of itself into other programs or files
Side B: virus

Side A: a self-replicating program designed to do damage that spreads on its own through a computer and across a network, without needing to attach itself to a host file
Side B: worm

Side A: a secret word or phrase known only to a restricted group
Side B: password

Side A Side B

Side A: Which of the following are not valid access control mechanisms? A. MAC B. SAC C. DAC D. RBAC
Side B: B. SAC

Side A: Access control mechanism in which access is granted based on the responsibilities an individual user or process has in an organization?
Side B: RBAC (Role-Based Access Control)

Side A: Access control mechanism that allows the data owner to create and administer access control?
Side B: DAC (Discretionary Access Control)

Side A: What is the primary flaw in the DAC model?
Side B: DAC (Discretionary Access Control) relies on the identity of the user or process making the request, so any program that user runs, including a Trojan horse, inherits the user's full access and can read or give away data the user is allowed to reach.

Side A: Which access control method provides the most granular access to objects? (A) Capabilities (B) Access Control Lists (C) Permission bits (D) Profiles
Side B: B. Access Control Lists

Side A: A file's ACL reads: Owner Read, Write, Execute; UserA Read, Write; UserB (none); Sales Read; Marketing Read, Write. User B is a member of Sales. What effective permissions does he have?
Side B: User B has no permissions on the file. An explicit entry for an individual user overrides the permissions granted to the groups that user belongs to.
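The precedence rule from the card above, worked through in code as an added example (not from the cards or any particular operating system): an explicit entry for the individual user is authoritative, and only a user with no entry of their own gets the union of their groups' grants. The ACL is the one on the card; the group memberships for UserC and UserD are constructed to show the other branches.

```python
"""Effective-permission evaluation for a file ACL (added example).

Precedence rule demonstrated: an explicit access control entry for the
individual user is authoritative; only when the user has no entry of their
own are the entries of the groups they belong to combined (union).
"""
from typing import Dict, FrozenSet, Set

READ, WRITE, EXECUTE = "R", "W", "X"
NONE: FrozenSet[str] = frozenset()

# The ACL from the card: principal -> set of permissions. "UserB (none)" is an
# explicit entry that grants nothing, which is not the same as no entry.
ACL: Dict[str, FrozenSet[str]] = {
    "Owner":     frozenset({READ, WRITE, EXECUTE}),
    "UserA":     frozenset({READ, WRITE}),
    "UserB":     NONE,
    "Sales":     frozenset({READ}),
    "Marketing": frozenset({READ, WRITE}),
}

# Constructed group membership for the example.
GROUPS: Dict[str, Set[str]] = {
    "UserA": {"Marketing"},
    "UserB": {"Sales"},
    "UserC": {"Sales", "Marketing"},   # no individual entry on the ACL
    "UserD": set(),                    # no entry and no groups
}

def effective_permissions(user, acl=ACL, groups=GROUPS):
    """Permissions the user actually has on the object guarded by acl."""
    if user in acl:                       # explicit user entry wins outright
        return acl[user]
    perms = set()
    for group in groups.get(user, set()):
        perms |= acl.get(group, NONE)     # otherwise union of group grants
    return frozenset(perms)

def can(user, permission, acl=ACL, groups=GROUPS):
    """Access decision a reference monitor would make for one operation."""
    return permission in effective_permissions(user, acl, groups)

if __name__ == "__main__":
    for u in ("Owner", "UserA", "UserB", "UserC", "UserD"):
        print(u, "".join(sorted(effective_permissions(u))) or "(none)")
```

The same precedence shows up in real systems in two shapes: POSIX mode bits apply the owner class exclusively when the requester is the owner (group and other bits are never consulted), and NTFS evaluates explicit deny entries before any allow inherited from group membership. The "(none)" entry above is the ACL-style way of expressing that explicit deny.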
Side A: Which are examples of RBAC roles? A. File, printer, mailbox roles. B. Sales, marketing, production. C. User and workstation access roles.
Side B: B. Sales, marketing and production.

Side A: With DAC access controls each object has an owner, who has full control over the object. (True or False)
Side B: True

Side A: Which of the following are used to make access decisions in MAC? A. Access Control Lists B. Ownership C. Group Membership D. Sensitivity Labels
Side B: D. Sensitivity Labels

Side A: Which access control method allows access control based on security labels associated with each data item and each user? (MAC, RBAC, DAC)
Side B: MAC (Mandatory Access Control)

Side A: Which access control method relies on user security clearance and data classification?
Side B: MAC (Mandatory Access Control)

Side A: One characteristic of MAC is that it uses levels of security to classify users and data. (True/False)
Side B: True

Side A: Which of the following terms best represents MAC? A. Lattice B. Bell-LaPadula C. Biba D. Clark-Wilson
Side B: A. Lattice. Bell-LaPadula and Biba are specific lattice-based policies (for confidentiality and integrity respectively), and Clark-Wilson is a transaction-based integrity model.
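How the lattice and the sensitivity labels of the MAC cards above turn into access decisions, as an added example (illustrative Python, not code from any MAC implementation): a label is a classification level plus a set of categories, one label dominates another when its level is at least as high and its categories are a superset, and Bell-LaPadula's two rules are "no read up" and "no write down" on that ordering. The level names and the labels in the demo are constructed.

```python
"""MAC decisions on a security lattice (added example, not from the cards).

Labels are (level, set of categories). Label A dominates label B when A's
level is at least B's and A's categories include all of B's; that partial
order is the lattice the card refers to. Bell-LaPadula's rules are then:
  simple security:  a subject may read an object  iff subject dominates object
  *-property:       a subject may write an object iff object dominates subject
Two labels with disjoint categories are incomparable: neither side may read
the other's data, even at the same level.
"""
from dataclasses import dataclass, field
from typing import FrozenSet

# Constructed classification levels, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: FrozenSet[str] = field(default_factory=frozenset)

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError("unknown level %r" % self.level)
        object.__setattr__(self, "categories", frozenset(self.categories))

    def dominates(self, other):
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

    def join(self, other):
        """Least upper bound: the label an object derived from both must carry."""
        level = max(self.level, other.level, key=LEVELS.__getitem__)
        return Label(level, self.categories | other.categories)

def may_read(subject, obj):
    return subject.dominates(obj)      # simple security property: no read up

def may_write(subject, obj):
    return obj.dominates(subject)      # *-property: no write down

def decide(subject, obj, op):
    """Reference-monitor style decision for op in {"read", "write"}."""
    if op == "read":
        return may_read(subject, obj)
    if op == "write":
        return may_write(subject, obj)
    raise ValueError("unknown operation %r" % op)

if __name__ == "__main__":
    analyst = Label("SECRET", {"NUCLEAR"})
    for name, obj in [("TS/NUCLEAR", Label("TOP SECRET", {"NUCLEAR"})),
                      ("C", Label("CONFIDENTIAL")),
                      ("S/CRYPTO", Label("SECRET", {"CRYPTO"}))]:
        print(name, "read:", decide(analyst, obj, "read"),
              "write:", decide(analyst, obj, "write"))
```

Biba is the same machinery with the two rules flipped (no read down, no write up), which is why the card's "best" answer is the lattice itself rather than either policy built on it.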
Side A: Which of the following password generators is based on challenge-response? A) asynchronous B) synchronous C) cryptographic keys D) smart cards
Side B: A) asynchronous. An asynchronous token computes its response from a challenge the server supplies; a synchronous token derives its value from a clock or counter it shares with the server.
Side A: Which password system provides for large numbers of users? A) self-service password resets B) locally saved passwords C) multiple access methods
Side B: A) self-service password resets

Side A: Which of the following provides the best protection against an intercepted password? (VPN, PPTP, one-time password, complex password requirement)
Side B: One-time password. A captured value is useless to the attacker because it is valid for a single use, or for a short time window.
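Why an intercepted one-time password does not help the attacker, shown with a synchronous (counter-based) token as an added example; this is an illustrative implementation of HOTP from RFC 4226 plus a server-side verifier, not code from the cards or from any token vendor. The secret is the RFC 4226 test-vector key, and the "alice" account and look-ahead window are constructed.

```python
"""Counter-based one-time passwords (HOTP, RFC 4226) with replay protection.

Added example. The token and the server share a secret and a counter; each
code is HMAC-SHA-1 over the counter, truncated to six digits. The server
accepts a code only if its counter lies ahead of the last one consumed,
so a sniffed code cannot be used a second time.
"""
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for the given counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class OtpVerifier:
    """Server side: remembers the last counter accepted per user and accepts
    a code only if it lies ahead of it, within a small look-ahead window that
    tolerates a token whose button was pressed without logging in."""
    def __init__(self, secrets, window: int = 5):
        self.secrets = dict(secrets)                  # user -> shared secret
        self.last_counter = {user: -1 for user in self.secrets}
        self.window = window

    def verify(self, user: str, code: str) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        start = self.last_counter[user] + 1           # never look backwards
        for counter in range(start, start + self.window):
            if hmac.compare_digest(hotp(secret, counter), code):
                self.last_counter[user] = counter     # consume this and all earlier counters
                return True
        return False

if __name__ == "__main__":
    # RFC 4226 test-vector secret; "alice" is a constructed account.
    v = OtpVerifier({"alice": b"12345678901234567890"})
    first = hotp(b"12345678901234567890", 0)
    print("first use:", v.verify("alice", first))     # accepted
    print("replay:   ", v.verify("alice", first))     # refused
```

Contrast with the "complex password requirement" option on the card: a complex static password survives interception just as well as a weak one, because the attacker replays it rather than guessing it. Resynchronisation beyond the window (a token pressed many times) needs an out-of-band procedure, which is deliberately not part of this example.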
Side A: A system generates a random challenge string that the user enters, along with the PIN, when prompted; this is an example of a _________-________ session.
Side B: Challenge-response session

Side A: What must be present for Kerberos to work? B) Token authentication devices C) Time synchronization services for clients and servers.
Side B: C) Time synchronization services for clients and servers.

Side A: Why are clocks used in Kerberos systems? A) To ensure proper connections B) To ensure tickets expire C) To generate the seed value for encryption keys.
Side B: B) To ensure tickets expire correctly. The KDC stamps every ticket with start and end times, and servers reject authenticators whose timestamp differs from their own clock by more than the allowed skew (five minutes by default), which also defeats replay of captured tickets.

Side A: What should be considered when using Kerberos? A) Tickets can be spoofed. B) It needs a centrally managed database of user/resource passwords.
Side B: B) It requires a centrally managed database of all user and resource keys (derived from their passwords), which makes the KDC a single point of failure and a high-value target.
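The Kerberos cards above (KDC and ticket-granting server, time synchronization, ticket expiry, and the central key database), worked through as an added example. This is an illustrative Python simulation of the AS, TGS and AP exchanges, not MIT Kerberos code: the "toy_seal"/"toy_open" cipher is a SHA-256 based encrypt-then-MAC standing in for the real enctypes, the principal names, passwords, lifetimes and the stepping clock are all constructed, and real Kerberos messages carry more fields than the few shown here.

```python
"""Simplified Kerberos exchange (added example, not MIT Kerberos code).

The KDC (Authentication Server plus Ticket Granting Server) holds every
principal's long-term key in one central database; tickets carry start and
end times; the KDC and services reject authenticators whose timestamp lies
outside the allowed clock skew, and ones they have already seen.
"""
import hashlib, hmac, itertools, json, os, time

SKEW = 300          # seconds of clock skew tolerated (MIT default: 5 minutes)
TICKET_LIFE = 600   # ticket lifetime in seconds, kept short for the demo

def key_from_password(password):
    return hashlib.sha256(password.encode()).digest()   # toy string-to-key

def _stream(key, nonce, n):                             # toy SHA-256 keystream
    return b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                    for i in range(n // 32 + 1))

def toy_seal(key, obj):                                 # encrypt-then-MAC, illustrative only
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def toy_open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def _ticket(key, client, now):   # sealed under the consumer's key: krbtgt or the service
    sk = os.urandom(32)
    return sk, toy_seal(key, {"client": client, "sk": sk.hex(),
                              "start": now, "end": now + TICKET_LIFE})

def _validate(ticket, auth, now, seen):
    if not ticket["start"] - SKEW <= now <= ticket["end"]:
        raise PermissionError("ticket expired or not yet valid")
    if abs(now - auth["ts"]) > SKEW:
        raise PermissionError("clock skew too great")
    if auth["client"] != ticket["client"] or (auth["client"], auth["ts"]) in seen:
        raise PermissionError("authenticator mismatch or replay")
    seen.add((auth["client"], auth["ts"]))              # replay cache

class KDC:
    def __init__(self, db, now=time.time):
        self.db, self.now, self.seen = db, now, set()   # db: principal -> long-term key

    def as_exchange(self, client, preauth):             # AS_REQ -> AS_REP
        if abs(self.now() - toy_open(self.db[client], preauth)["ts"]) > SKEW:
            raise PermissionError("pre-authentication timestamp out of skew")
        sk, tgt = _ticket(self.db["krbtgt"], client, self.now())
        return tgt, toy_seal(self.db[client], {"sk": sk.hex()})   # only the real client can open this

    def tgs_exchange(self, tgt, authenticator, service): # TGS_REQ -> TGS_REP
        body = toy_open(self.db["krbtgt"], tgt)
        tgt_sk = bytes.fromhex(body["sk"])
        _validate(body, toy_open(tgt_sk, authenticator), self.now(), self.seen)
        ssk, ticket = _ticket(self.db[service], body["client"], self.now())
        return ticket, toy_seal(tgt_sk, {"sk": ssk.hex(), "service": service})

class Client:
    def __init__(self, name, password, now=time.time):
        self.name, self.key, self.now = name, key_from_password(password), now

    def login(self, kdc):                               # the password never leaves the client
        tgt, enc = kdc.as_exchange(self.name, toy_seal(self.key, {"ts": self.now()}))
        self.tgt, self.tgt_sk = tgt, bytes.fromhex(toy_open(self.key, enc)["sk"])

    def ap_req(self, kdc, service):                     # service ticket + authenticator
        auth = toy_seal(self.tgt_sk, {"client": self.name, "ts": self.now()})
        ticket, enc = kdc.tgs_exchange(self.tgt, auth, service)
        ssk = bytes.fromhex(toy_open(self.tgt_sk, enc)["sk"])
        return ticket, toy_seal(ssk, {"client": self.name, "ts": self.now()})

class Service:
    def __init__(self, key, now=time.time):
        self.key, self.now, self.seen = key, now, set()

    def accept(self, ticket, authenticator):            # AP_REQ
        body = toy_open(self.key, ticket)
        _validate(body, toy_open(bytes.fromhex(body["sk"]), authenticator),
                  self.now(), self.seen)
        return body["client"]

def attempt(fn, *args):
    try:
        return "ok:%s" % fn(*args)
    except (ValueError, PermissionError) as e:
        return "%s:%s" % (type(e).__name__, e)

def run_demo():
    """Constructed clock advancing one second per reading; one service runs 400 s fast."""
    ticks = itertools.count(1_700_000_000)
    now = lambda: float(next(ticks))
    db = {"krbtgt": os.urandom(32), "alice": key_from_password("correct horse"),
          "host/fileserver": os.urandom(32)}
    kdc, alice = KDC(db, now), Client("alice", "correct horse", now)
    fs = Service(db["host/fileserver"], now)
    fast_fs = Service(db["host/fileserver"], lambda: now() + 400)
    alice.login(kdc)
    ticket, auth = alice.ap_req(kdc, "host/fileserver")
    return {"first": attempt(fs.accept, ticket, auth),
            "replay": attempt(fs.accept, ticket, auth),
            "skewed_clock": attempt(fast_fs.accept, *alice.ap_req(kdc, "host/fileserver")),
            "wrong_password": attempt(Client("alice", "wrong", now).login, kdc)}

if __name__ == "__main__":
    print(run_demo())
```

The four outcomes map onto the cards: the service with the fast clock refuses a ticket that is still within its lifetime because the authenticator is outside the skew (time synchronization), replaying a captured ticket and authenticator fails at the replay cache (ticket expiry and timestamps), a wrong password cannot open the AS reply so no TGT is obtained (no password on the wire), and everything hinges on `db`, the central database that a compromised KDC would hand to an attacker.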
Side A: Which protocol ensures that a cleartext password is never sent during authentication? (PPTP, SMTP, Kerberos, CHAP)
Side B: CHAP (Challenge Handshake Authentication Protocol). The server sends a random challenge and the client returns a hash of the challenge combined with the shared secret, so the secret itself never crosses the link.

Side A: What are the main components of a Kerberos server?
Side B: Authentication server, security database, and privilege server (the ticket-granting service).

Side A: When does CHAP perform the handshake process: only when making a connection, or when making a connection and at any time after it is made?
Side B: When establishing a connection and at any time after it is established; the authenticator may re-challenge periodically to confirm that the same peer is still on the link.
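The CHAP handshake from the two cards above (and the asynchronous challenge-response cards earlier), as an added example: an illustrative implementation of the RFC 1994 MD5 algorithm, Response = MD5(Identifier || secret || Challenge), with an authenticator that re-challenges after the link is up and an eavesdropper replaying a captured response. This is not code from any PPP stack; the peer name and shared secret are constructed.

```python
"""CHAP (RFC 1994) challenge-response with its MD5 algorithm (added example).

The shared secret is never transmitted; each exchange hashes a fresh
Identifier and random Challenge together with the secret. The authenticator
may re-challenge at any time after the link is up, and a response captured
earlier is useless against a later challenge.
"""
import hashlib
import hmac
import os

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 2.1: MD5 over the one-octet Identifier, secret, Challenge Value."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

class Authenticator:
    """The side that issues challenges and verifies responses (the server)."""
    def __init__(self, secrets):
        self.secrets = dict(secrets)    # peer name -> shared secret (stored in cleartext)
        self.identifier = 0
        self.outstanding = {}           # peer -> (identifier, challenge value)

    def challenge(self, peer: str, size: int = 16):
        self.identifier = (self.identifier + 1) % 256   # fresh Identifier per challenge
        value = os.urandom(size)
        self.outstanding[peer] = (self.identifier, value)
        return self.identifier, value

    def verify(self, peer: str, identifier: int, response: bytes) -> bool:
        expected_id, value = self.outstanding.pop(peer, (None, None))
        if value is None or identifier != expected_id or peer not in self.secrets:
            return False    # nothing pending, stale Identifier, or unknown peer
        expected = chap_response(identifier, self.secrets[peer], value)
        return hmac.compare_digest(expected, response)

class Peer:
    """The side being authenticated (the client)."""
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def respond(self, identifier: int, challenge: bytes):
        return self.name, identifier, chap_response(identifier, self.secret, challenge)

def run_demo():
    """Initial handshake, two periodic re-challenges, a replay of the first
    captured response, and a peer with the wrong secret. Returns the outcomes."""
    auth = Authenticator({"router1": b"s3cr3t-shared"})
    peer = Peer("router1", b"s3cr3t-shared")
    results = {}
    captured = peer.respond(*auth.challenge("router1"))     # what a sniffer on the link sees
    results["link_up"] = auth.verify(*captured)
    results["rechallenges"] = [auth.verify(*peer.respond(*auth.challenge("router1")))
                               for _ in range(2)]
    auth.challenge("router1")                               # authenticator challenges again
    results["replay"] = auth.verify(*captured)              # old (Identifier, Response) replayed
    impostor = Peer("router1", b"guess")
    results["wrong_secret"] = auth.verify(*impostor.respond(*auth.challenge("router1")))
    return results

if __name__ == "__main__":
    print(run_demo())
```

The card's answer stands, with one caveat worth knowing: CHAP protects the secret on the wire, not in storage (the authenticator must hold it in cleartext to recompute the hash), and a captured challenge/response pair can be attacked offline by guessing the secret, so it still needs a strong shared secret.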
Side A: For which of the following can biometrics be used? A. Accountability B. Certification C. Authorization D. Authentication
Side B: D. Authentication

Side A: Which is the most costly method of authentication (passwords, tokens, biometrics, or shared secrets)?
Side B: Biometrics
