Wednesday, October 12, 2011

Question about Integrating Oracle E-Business Suite with Oracle Access Manager 11g


I am seeking Oracle experts' suggestions on the following integration steps:


For OAM 11.1.1.5 and EBS 12.1.3 SSO implementation as per the Oracle guidelines below, one of the pre-installation steps is to integrate eBusiness Suite with OID.


https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=BULLETIN&id=1309013.1


- Is OID a mandatory component in the Oracle eBusiness Suite with OAM SSO implementation? Can ODSEE or OVD be used in place of OID?

I am really not sure why we need OID in this integration if OAM is able to use ODSEE or OVD as its user store. And I believe that starting from release 11.1.1.5, OAM supports ODSEE and OVD as its user stores. I am very curious to know the role of OID in this integration.

My OAM-EBS integration environment comprises:

1. Oracle Access Manager 11.1.1.5
2. Oracle eBusiness Suite 12.1.3
3. Oracle Directory Server EE 11.1.1.5
4. Oracle Virtual Directory 11.1.1.5

OVD sits on top of ODSEE and is used as the user store for OAM.

Thanks
Ashok

Tuesday, June 14, 2011

Identity and Access Management Glossary


ACL An access control list is a list that specifies which subjects can access which objects.

Administrative Detective Control Policy or rule that detects when something has occurred by using auditing or performance reviews to see the actions that subjects have taken.

Asynchronized Device A token device which uses a challenge-response approach to generate a password.


Authentication A system for validating that the subject or object is really who or what they say or appear to be.

Authentication Service The part of the KDC that actually authenticates the subjects and objects.

Authorization Creep Accidentally giving a subject access to objects that are not intended for them to have access to.

Biometrics The most expensive and secure authentication type which uses physical characteristics to authenticate a person. Biometrics use characteristics such as retina and iris scans, fingerprint and handprint characteristics, voice patterns, keystroke patterns, and signatures to authenticate a subject.

Brute Force An attack that attempts to gain access many times using different input types. Examples of brute force attacks are password guessing and war dialing.

CER Crossover Error Rate is the value at the point where the FRR and the FAR cross when graphed. The CER allows two different biometric methods to be compared.

Centralized Authentication Authentication type where a single identity controls all access to certain objects. It is a strict control with a single point of failure that allows for easy administration.

Control A safeguard that lessens risk once a high probability of a loss has been realized.

DAC Discretionary Access Control is an identity-based access control. This means that the user must be authenticated as a specific user, and, based on those privileges, can specify who else can access that object. DAC gives the owner the ability to specify access restrictions.

Decentralized Authentication An authentication type in which administrative access is handled closer to the objects that are being controlled, such as multiple machines with information like a security domain.

Dictionary Attack A selective attack in which a dictionary of common words, identification credentials, or frequently used user IDs is submitted to the authentication device.

DoS Attack A Denial of Service attack attempts to stop a network by flooding it with useless traffic. A DoS system is used as a master to communicate with and host hacking tools from the Internet, allowing the hacker to send out attacks using a single command.

Domain A group of computers on a network that share a Security Accounts Manager database and security policies.

FAR False Acceptance Rate is the rate at which a biometrics system accepts an invalid subject.

FRR False Rejection Rate is the rate at which a biometrics system would reject a valid subject.

Hacker Also referred to as a cracker, a hacker is a person who is well skilled in a programming language and often considered an expert on the subject. Can be a complimentary or derogatory term.

Honeypot A monitoring process that segments an area or entire machine onto a portion of the network, opening ports to entice a hacker to find and attack the machine.

Hybrid Model A combination of centralized and decentralized authentication.

IDS An intrusion detection system inspects all network activity and identifies any suspicious patterns indicative of an attack.

Identification A claim to be a valid subject.

KDC Key Distribution Center is a component of the Kerberos system which holds all cryptographic keys. The KDC must be communicated with at every phase in order to initiate any type of authentication.

Kerberos A product developed by MIT that provides authentication and message protection using one key to encrypt a message on one side and the same key to decrypt the message on the other side.

Least Privilege A concept that grants subjects only enough access to objects to perform the required tasks. The goal is to limit authorization creep.

Object An entity that contains or controls data.

MAC Mandatory Access Control is a mandatory set of rules that everyone must abide by. It is a rule-based access control in which data owners are granted access based upon rules.

Man-in-the-Middle Attack A network attack where the hacker intercepts a public key exchange and substitutes his own public key for the requested one, thus enabling him to intercept messages from both sides of the communication.

Non-Discretionary Control A role-based access control in which access is granted based upon the subject’s role instead of identity. This type of control is common in an environment with frequent personnel changes.

Penetration Testing A legal hacking process of pretending to be a hacker, scanning and probing the systems to see if they can be accessed. A coordinated set of attacks to judge the vulnerability of a system.

Physical Access Controls Controls which limit physical access to hardware.

Physical Preventative Control A control, such as a badge or access card, which stops something before it occurs.

RADIUS Remote Authentication Dial-In User Service is a centralized authentication protocol that authenticates and authorizes users, generally through dial-up access, and provides the authentication mechanism that allows dial-up subjects to access objects.

SESAME Secure European System for Applications in a Multivendor Environment is an authentication service for use in Europe. SESAME uses public key cryptography to distribute secret keys and a Privilege Attribute Certificate mechanism which contains key information and the necessary authentication packet to pass authentication.

SSO Single Sign-On is a method that allows users to have a domain of control. SSO simplifies the authentication process by allowing users to authenticate themselves at an entry point of a domain, which signs them into every component of the domain.

Security Label A concept that assigns a classification level to objects.

Shoulder Surfing An observation technique in which information is obtained by looking over someone’s shoulder.

Spoofing A technique used by hackers to gain entry to a system by modifying packet headers so as to appear as a trusted host.

Synchronized Device A token device that generates time-based passwords to correspond with a central server.

TACACS Terminal Access Controller Access Control System is a centralized authentication type that provides single factor authentication and authorization for direct access. The TACACS+ version implements two-factor authentication.

Ticket A multiple component message that is sent back and forth in Kerberos. The message contains the ticket and an authentication message specifying that the subject is authenticated or that a subject has been authenticated and is valid to access a specific object.

Token Device A small device that generates passwords based on synchronous or asynchronous query to a centralized server. An example would be a smart card.

War Dialer A computer program built to seek modems by dialing a range of phone numbers in sequence. War Dialers are built to find vulnerable computer systems.

Sunday, April 3, 2011

Error 500--Internal Server Error


I have a Struts application which was deployed in a BEA WebLogic Server instance and was working as expected. This application also uses some external APIs.

As part of an enhancement, I modified some of the Java files, replaced the external APIs with the rewritten APIs, built the application (WAR/JAR) using Eclipse-Ant and deployed it on the BEA WebLogic Server instance. Unfortunately it threw the "Error 500--Internal Server Error" shown below.

==================================================================
Error 500--Internal Server Error
java.lang.ExceptionInInitializerError
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
at java.lang.Class.newInstance0(Class.java:308)
at java.lang.Class.newInstance(Class.java:261)
at org.apache.struts.util.RequestUtils.applicationInstance(RequestUtils.java:163)
at org.apache.struts.util.RequestUtils.applicationInstance(RequestUtils.java:138)
at org.apache.struts.action.RequestProcessor.processActionCreate(RequestProcessor.java:278)
at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:218)
at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1858)
at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:446)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
at weblogic.servlet.internal.ServletStubImpl$ServletInvocationAction.run(ServletStubImpl.java:1077)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:465)
at weblogic.servlet.internal.ServletStubImpl.invokeServlet(ServletStubImpl.java:348)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:7047)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3902)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2773)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:224)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:183)
Caused by: java.lang.NullPointerException
at java.util.Hashtable.get(Hashtable.java:333)
at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:233)
at org.apache.commons.logging.impl.LogFactoryImpl.getInstance(LogFactoryImpl.java:209)
at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:351)
at com.abc.wam.base.BaseAction.(BaseAction.java:30)
... 24 more



I was 100% sure this was not an application issue and had something to do with the Java classpath. The issue is I didn't install the Java JDK on the desktop where I built the application; instead I copied the installed Java JDK and JRE folders from another desktop, since I didn't have the admin privileges to install the software, and I had set the CLASSPATH and JAVA_HOME variables. This setup was working for all the other applications but not for this one. It was a strange issue; I tried the following and resolved it.

If you are getting the above exception, try the following possibilities; one of them could solve your issue.


  • Check your application's build path - verify lib jar file locations.
  • Try to build the same application on the other system.
  • Verify the java version and its compatibility with your application.
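A check for the "verify lib jar file locations" step, added here as an example and not code from the original post: it scans a lib directory and reports which jars provide a given class, so a class that is shipped by two jars (or by none) is visible before deployment. The jars it builds are constructed, empty-bodied stand-ins so the check runs offline; the class names are taken from the stack trace above.

```python
"""Report which jars in a lib directory provide a given class.

A class present in two jars on the classpath, or missing entirely, is a
common root of ExceptionInInitializerError at deployment time, so this
check is worth running over the build's lib folder before packaging.
"""
import os
import tempfile
import zipfile


def providers(lib_dir, class_name):
    """Return the jar paths under lib_dir that contain class_name."""
    entry = class_name.replace(".", "/") + ".class"
    found = []
    for root, _dirs, files in os.walk(lib_dir):
        for name in sorted(files):
            if not name.endswith(".jar"):
                continue
            path = os.path.join(root, name)
            try:
                with zipfile.ZipFile(path) as jar:
                    if entry in jar.namelist():
                        found.append(path)
            except zipfile.BadZipFile:
                pass  # a corrupt jar is itself worth reporting separately
    return found


def check(lib_dir, class_name):
    """Classify class_name under lib_dir as 'missing', 'ok' or 'duplicate'."""
    jars = providers(lib_dir, class_name)
    if not jars:
        return "missing"
    return "ok" if len(jars) == 1 else "duplicate"


def build_sample_lib():
    """Constructed lib dir: two jars both carrying LogFactory, one unrelated jar."""
    lib = tempfile.mkdtemp(prefix="lib-")

    def make(name, entries):
        with zipfile.ZipFile(os.path.join(lib, name), "w") as jar:
            for entry in entries:
                jar.writestr(entry, b"")  # stand-in; real class bytes not needed

    make("commons-logging.jar", ["org/apache/commons/logging/LogFactory.class"])
    make("rewritten-api.jar", ["org/apache/commons/logging/LogFactory.class"])
    make("struts.jar", ["org/apache/struts/action/ActionServlet.class"])
    return lib


if __name__ == "__main__":
    sample = build_sample_lib()
    print(check(sample, "org.apache.commons.logging.LogFactory"))  # duplicate
```

Point `check()` at the WAR's `WEB-INF/lib` to run it against a real build.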

JBoss service shutdown issue

I recently installed JBoss 5.0.0.GA on my Linux environment and configured the application server to run as a service as per the guidelines below.


Jboss Run the Application Server as a Service


I was able to start the JBoss application server using the service, but I couldn't stop it. It threw the following exception while stopping the JBoss service.


hostname018:/opt/jboss-5.0.0.GA/bin # /etc/init.d/jboss_eap stop
JBOSS_CMD_START = cd /opt/jboss-5.0.0.GA/bin; /opt/jboss-5.0.0.GA/bin/run_custom.sh
Exception in thread "main" javax.naming.CommunicationException: Could not obtain connection to any of these urls: hostname018.domain.com:1099 [Root exception is javax.naming.CommunicationException: Failed to connect to server hostname018.domain.com:1099 [Root exception is javax.naming.ServiceUnavailableException: Failed to connect to server hostname018.domain.com:1099 [Root exception is java.net.ConnectException: Connection refused]]]
        at org.jnp.interfaces.NamingContext.checkRef(NamingContext.java:1727)
        at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:680)
        at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:673)
        at javax.naming.InitialContext.lookup(InitialContext.java:392)
        at org.jboss.Shutdown.main(Shutdown.java:219)
Caused by: javax.naming.CommunicationException: Failed to connect to server hostname018.domain.com:1099 [Root exception is javax.naming.ServiceUnavailableException: Failed to connect to server hostname018.domain.com:1099 [Root exception is java.net.ConnectException: Connection refused]]
        at org.jnp.interfaces.NamingContext.getServer(NamingContext.java:311)
        at org.jnp.interfaces.NamingContext.checkRef(NamingContext.java:1698)
        ... 4 more
Caused by: javax.naming.ServiceUnavailableException: Failed to connect to server hostname018.domain.com:1099 [Root exception is java.net.ConnectException: Connection refused]
        at org.jnp.interfaces.NamingContext.getServer(NamingContext.java:281)
        ... 5 more
Caused by: java.net.ConnectException: Connection refused
        at java.net.PlainSocketImpl.socketConnect(Native Method)
        at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
        at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
        at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:366)
        at java.net.Socket.connect(Socket.java:529)
        at org.jnp.interfaces.TimedSocketFactory.createSocket(TimedSocketFactory.java:97)
        at org.jnp.interfaces.TimedSocketFactory.createSocket(TimedSocketFactory.java:82)
        at org.jnp.interfaces.NamingContext.getServer(NamingContext.java:277)
        ... 5 more
hostname018:/opt/jboss-5.0.0.GA/bin #


I found an interesting solution for this issue after enough investigation. This might save some of your precious time during your installation/configuration.

I made sure that this exception had nothing to do with the service configuration. I was getting this exception even when I used the shutdown_custom.sh command to stop the service. Then I tried the following telnet command to make sure that my service was listening on the port used for the shutdown process.

hostname018:~# telnet hostname018.domain.com 1099

Then I found the weird thing: it first tried to map the name to some unknown IP address and only then connected to its own IP address, as below.

hostname018:~# telnet hostname018.domain.com 1099
Trying 192.168.4.88...
telnet: connect to address 192.168.4.88: Connection refused
Trying 152.141.186.188...
Connected to hostname018.domain.com.
Escape character is '^]'.


Then I got a clue and verified the hosts file entry. I found the interesting thing here: this domain name was mapped to an irrelevant IP address, 192.168.4.88, in the hosts file.

The JBoss service shutdown is working as expected without any issues after removing the irrelevant hosts file entry.
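The hosts-file check that would have caught this stale entry up front, added here as an example and not code from the original post: it parses /etc/hosts-style text, collects every address mapped to the server's own name, and flags any address that is not actually configured on the box. The hosts content and the local address set are constructed to mirror the post (192.168.4.88 stale, 152.141.186.188 real); `local_addrs` must come from the interfaces (for instance the output of `hostname -I` on Linux), not from a name lookup, since a lookup would read the same hosts file.

```python
"""Flag hosts-file entries for this host that point at addresses it does not own."""

# Constructed sample mirroring the post: a stale entry for the server's own
# FQDN sits above the correct one, so resolvers try the stale address first.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
192.168.4.88    hostname018.domain.com hostname018   # stale, left over
152.141.186.188 hostname018.domain.com hostname018
10.0.0.5        db01.domain.com
"""


def parse_hosts(text):
    """Return (address, [names]) tuples in file order, skipping comments and blanks."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def addresses_for(text, hostname):
    """Every address the hosts file maps hostname to, in the order a resolver tries them."""
    wanted = hostname.lower()
    return [addr for addr, names in parse_hosts(text)
            if wanted in (n.lower() for n in names)]


def stale_entries(text, hostname, local_addrs):
    """Addresses mapped to hostname that are not among the locally configured ones.

    A stale first entry is exactly what produces the 'Connection refused'
    before the real address is tried, as in the telnet output above.
    """
    local = set(local_addrs)
    return [addr for addr in addresses_for(text, hostname) if addr not in local]


if __name__ == "__main__":
    # Real use: stale_entries(open("/etc/hosts").read(), socket.getfqdn(), <interface addrs>)
    print(stale_entries(SAMPLE_HOSTS, "hostname018.domain.com", {"152.141.186.188"}))
```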