Oracle® Adaptive Access Manager Administrator's Guide Release 10g (10.1.4.5) Part Number E12055-03
Access Authentication
In the context of an HTTP transaction, the basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials—in the form of a user name and password—when making a request.
Action
An event activated when a rule is triggered. For example: block access, challenge question, ask for PIN, and so on.
Agent Cases
Agent Cases are used specifically by fraud investigators and investigation managers for analyzing data and finding relationships between sessions and cases. When an investigator links sessions and cases, Oracle Adaptive Access Manager can search the data for suspicious activity.
Alert
A message generated when a rule is triggered. For example: login attempt from a new country for this user.
Application ID
The primary ID for the user. For example, a user can be part of "bharosauiogrp" and "testgrp," but his Application ID (primary ID) will be "bharosauiogrp." An Application ID is similar to a user ID group.
Attribute
Adaptive Risk Manager collects data on the attributes that decide pattern membership.
For example, if you pick "user" as the member type and the attributes IP (NNN.N.N.N), City (Redwood City) and Is Registered (False), Adaptive Risk Manager records each time a user matches all of these attributes. This profile can then be used to evaluate risk for the "user."
Authentication
The process of verifying the identity of a person, device, or application. Authentication answers the question "Who is trying to access my services?"
Authorization
Authorization answers the question "Who can access what resources offered by which components?"
Auto-learning
Auto-learning is a feature that analyzes the behavior of user data coming into the system and profiles it (creates a digest of the user's data). This data is stored in a historical data table and used to calculate risk based on rules. The main advantage of Auto-learning is that the system learns changes in a user's behavior and gradually adapts to them when calculating risk.
Blocked
If a user is "Blocked," it is because a Model has found certain conditions to be "true" and is set up to respond to these conditions with a "Block Action." If those conditions change, the user may no longer be "Blocked." The "Blocked" status is not necessarily permanent and therefore may or may not require an administrator action to resolve. For example, if the user was blocked because he was logging in from a blocked country, but he is no longer in that country, he may no longer be "Blocked."
Bots
Software applications that run automated or orchestrated tasks on compromised PCs over the Internet. A collection of bots under common control is known as a botnet or zombie network.
Buckets
Buckets are groupings of behaviors.
Auto-learning patterns are used to dynamically create and populate profiling buckets to track behavior and transactions.
Buckets are used to build statistics for entities based on their membership in various patterns, sampled by hour, day, month, and year.
Case Status
Case Status is the current state of a case. Status values used for the case are New, Pending, Escalated, or Closed. When a case is created, the status is set to New by default.
Case Type
Type of case.
CSR - CSR cases are used in customer care situations arising in the normal course of doing business online and over the phone when providing assistance to customers. A CSR case is attached to a user.
Agent - Agent cases are worked by fraud investigators and investigation managers. They are used specifically for analyzing data and finding relationships between sessions and cases. Unlike a CSR case, an Agent case is not attached to any user.
Cases
Case tools for servicing customer needs. The tools enable the institution to review the servicing log for each individual client to investigate why actions were taken or alerts were triggered.
Challenge Questions
Challenge Questions are a finite list of questions used for secondary authentication.
Configurable Actions
Configurable Actions allow a user to create new supplementary actions that occur after the running of rules.
Completed Registration
Status of the user that has completed registration. To be registered a user may need to complete all of the following tasks: Personalization (image and phrase), registering KBA questions/answers and email/cellphone.
Cookie
A cookie (also browser cookie, computer cookie, tracking cookie, web cookie, internet cookie, and HTTP cookie) is a small string of text stored on a user's computer by a web browser. A cookie consists of one or more name-value pairs containing bits of information such as user preferences, shopping cart contents, the identifier for a server-based session, or other data used by Web sites. It is sent as an HTTP header by a web server to a web client (usually a browser) and then sent back unchanged by the client each time it accesses that server. A cookie can be used for authentication, session tracking (state maintenance), and maintaining specific information about users, such as site preferences or the contents of their electronic shopping carts.
Creation Method (Buckets)
Single Bucket - Single-bucket patterns create and populate one bucket with the exact data points and value ranges specified in the pattern.
Multi-Bucket - Multi-bucket patterns have one bucket for each sub-range of a parameter range.
CSR
Customer service representatives resolve low-risk customer issues originating from customer calls. CSRs have limited access to Adaptive Risk Manager and can:
View the reason why a login or transaction was blocked
View a severity flag with alert status to assist in escalation
Complete actions such as issuing temporary allow for a customer
CSR Cases
CSR Cases are used in customer care situations arising in the normal course of doing business online and over the phone when providing assistance to customers. Customer support representatives use the CSR set of tools for handling inquiries associated with Adaptive Risk Manager.
CSR Manager
A CSR Manager is in charge of overall management of CSR type cases. CSR Managers have all the access and responsibilities of a CSR plus access to more sensitive operations.
Device Fingerprinting
A mechanism to recognize the device a customer typically uses to log in, whether it is a desktop computer, laptop computer, PDA, cell phone, kiosk, or other web-enabled device. The fingerprinting process produces a fingerprint that is unique to the user and is designed to protect against replay attacks and cookie-based registration bypass.
Disposition
The disposition describes the way in which the issue was resolved in a case. Cases only have dispositions when they're closed. If a case has any status besides closed, the disposition is left blank.
Device Registration
Device registration is a feature that allows a user to flag the device (computer, mobile, PDA, and others) he is using as a safe device. The deploying organization can then configure rules to challenge a user who is not coming from one of his registered devices.
Entities Editor
A tool to edit entities, a user-defined structure that can be re-used across different transactions. Only appropriate and related fields should be grouped into an Entity.
Entity
1. A referenceable data structure that can be used in transaction definitions or directly in patterns. Entities or actors include users, devices, and IP addresses.
2. An entity can be defined as an organized array of individual elements and parts forming and working as a unit.
3. An entity is a set of fields. It is like a user-defined structure that can be re-used across different transactions.
Expiration Date
Date when a CSR case expires. By default, the length of time before a case expires is 24 hours. After 24 hours, the status changes from New to Expired. After the case expires, a CSR user can no longer open the case, but a CSR Manager can. The length of time before a case expires is configurable.
Evaluation Priority
The priority with which data is evaluated.
First
The data is evaluated in real-time (highest priority)
Second
The data is evaluated in near-real-time (lower priority). If the server is under a large system load, the patterns marked as "second" can be skipped. The system load is the number of authentication, transaction, rule processing (and other) reports and requests served by the Oracle Adaptive Access Manager server.
Fraud Investigator
A Fraud Investigator primarily looks into suspicious situations either escalated from customer service or directly from Adaptive Risk Manager alerts. Agents have access to all of the customer care functionality as well as read only rights to security administration and BI Publisher reporting.
Fraud Investigation Manager
A Fraud Investigation Manager has all of the access and duties of an investigator plus the responsibility to manage all cases. A manager must routinely search for overdue cases to make sure none are forgotten.
Fraud Scenario
A fraud scenario is a potential or actual deceptive situation involving malicious activity directed at a company's online application.
Gated Security
The multiple security checkpoints a user must pass through to gain access to sensitive data or transactions.
Groups
Groups allow you to view and administer a collection of like items as a single group. You should assign each group a unique name. The types of groups you can create include User ID, Login ID, Location, Device, Action, and Alert.
KBA Phone Challenge
When a customer's challenge questions are used for phone authentication. If the customer answers the question correctly, the system automatically takes the appropriate action for their status, such as unlocking the customer if they were locked out. If the customer answers incorrectly, they get additional attempts at that question (depending on configuration). If the customer exceeds the maximum number of failures for a question, another question is asked. If two or more questions are asked in this process and the customer eventually answers successfully, their questions are automatically reset. If all of the questions have been asked and the customer failed every attempt at each question, the customer is locked out of online access.
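The flow described in this entry, as an added illustrative example written for this page rather than Oracle Adaptive Access Manager code: questions are asked one at a time, each question allows a configured number of attempts, success unlocks the customer (and resets the questions if more than one was needed), and failing every attempt at every question locks the customer out. The ChallengeOutcome fields, the attempts_per_question setting, the answer normalization, and the constructed questions are assumptions made for this illustration.

```python
"""Illustrative implementation of the KBA phone challenge flow described above.
Added example, not Oracle Adaptive Access Manager code: the outcome fields,
the attempts-per-question setting and the constructed questions are assumptions."""
from __future__ import annotations

import hmac
from dataclasses import dataclass
from typing import Callable, Sequence


@dataclass
class ChallengeOutcome:
    passed: bool
    questions_asked: int
    questions_reset: bool   # True when two or more questions were needed before success
    status: str             # "Unlocked" or "Locked"


def _normalize(answer: str) -> str:
    # Phone answers are spoken and typed by an agent: ignore case and spacing (assumption).
    return " ".join(answer.split()).casefold()


def answers_match(expected: str, given: str) -> bool:
    # Constant-time comparison so timing does not leak how much of the answer was right.
    return hmac.compare_digest(_normalize(expected).encode(), _normalize(given).encode())


def run_phone_challenge(registered: Sequence[tuple[str, str]],
                        responder: Callable[[str], str],
                        attempts_per_question: int = 3) -> ChallengeOutcome:
    """Walk the customer through their registered questions one at a time.

    A correct answer ends the challenge successfully. After attempts_per_question
    failures the next question is asked. Failing every attempt at every question
    locks the customer out of online access.
    """
    if attempts_per_question < 1:
        raise ValueError("attempts_per_question must be at least 1")
    asked = 0
    for question, expected in registered:
        asked += 1
        for _ in range(attempts_per_question):
            if answers_match(expected, responder(question)):
                # Success: unlock, and reset questions if more than one was needed.
                return ChallengeOutcome(True, asked, asked >= 2, "Unlocked")
        # Maximum failures for this question reached: fall through to the next one.
    return ChallengeOutcome(False, asked, False, "Locked")


def scripted_responder(script: dict[str, list[str]]) -> Callable[[str], str]:
    """Replay constructed answers per question; the last answer repeats if asked again."""
    position: dict[str, int] = {}

    def respond(question: str) -> str:
        answers = script[question]
        i = position.get(question, 0)
        position[question] = i + 1
        return answers[min(i, len(answers) - 1)]

    return respond


# Constructed sample registration (not real customer data).
REGISTERED = [
    ("First pet's name?", "Rex"),
    ("City of birth?", "Redwood City"),
    ("Favorite teacher?", "Mrs. Lee"),
]

if __name__ == "__main__":
    # Wrong three times on question 1, then right on question 2: unlocked, questions reset.
    r = scripted_responder({"First pet's name?": ["Max"], "City of birth?": ["redwood  CITY"]})
    print(run_phone_challenge(REGISTERED, r))
```

The responder abstraction stands in for the agent relaying the customer's spoken answers; swapping in a real input source does not change the state machine.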
KBA (Knowledge Based Authentication)
KBA is a secondary authentication infrastructure based on pre-registered challenge questions. It covers the creation, editing, validation, registration, presentation, and answering of challenge questions.
KeyPad
Virtual keyboard for entry of passwords, credit card numbers, and so on. The KeyPad protects against Trojans and keyloggers.
Keystroke Loggers
Software that captures a user's keystrokes. Keylogging software can be used to gather sensitive data entered on a user's computer.
Last Global Case Action
The last action that occurred for this user in all CSR cases. Agent cases and Escalated cases are not taken into account.
Last Online Action
The last action that the user executed. For example, answering a challenge question would show "Challenge Question," or if the user is blocked, "Block."
Locked
"Locked" is the status that Oracle Adaptive Access Manager sets if the user fails a question challenge. The "Locked" status is only used if the One-Time Password (OTP) facility is in use. OTP sends a one-time password to the user via e-mail or SMS text message. If the user exceeds the number of retries when entering his OTP code, his account becomes "Locked." A Customer Service Representative must then reset the status to "Unlocked" before the account can be used to enter the system.
Malware
Malware is software designed to infiltrate or damage a computer system without the owner's informed consent. Malware may contain key loggers or other types of malicious code.
Man-In-The-Middle-Attack (Proxy Attacks)
An attack in which a fraudster is able to read, insert, and modify at will the messages between two parties without either party knowing that the link between them has been compromised.
Manual Override
Outcomes based strictly on the combinations of Rule triggers. You can specify a score, action group, and alert group for different Rule return combinations, or you can point to a nested Model to further evaluate the risk. The rows of manual overrides evaluate from top to bottom, stopping as soon as a Rule return combination is matched. Actions and alerts triggered by a manual override are added to any actions and alerts triggered by individual Rules.
Model
A Model is a set of rules that run at a single time. A Model contains rules that when linked to a group, are used to evaluate group members. The rules are added to the Model, configured, and linked to groups by the administrator. A new rule can be added to an existing Model at any time. In a Model, you can control the timing and combinations of rule firing with manual overrides.
Mutual Authentication
Mutual authentication or two-way authentication (sometimes written as 2WAY authentication) refers to two parties authenticating each other suitably. In technology terms, it refers to a client or user authenticating himself to a server and that server authenticating itself to the user in such a way that both parties are assured of the other's identity.
Nested Models
A Nested Model is a secondary model used to further quantify the risk score in instances where the original result output by the system is inconclusive. Nested Models can be assigned to ensure a higher degree of accuracy for the risk score. A Nested Model is run only when a specific sequence of answers is returned from the primary Model. Nested Models therefore reduce false positives and negatives.
One-Time PIN/Password
Generation and delivery of a single-use volatile credential, for example server generated, hand-held device, software generated, and so on. The purpose of a one-time PIN/password (OTP) is to make it more difficult to gain unauthorized access to restricted resources, such as a bank account. Traditional static passwords can be obtained more easily by an unauthorized intruder given enough attempts and time. Constantly changing the PIN/password, as a one-time PIN/password does, greatly reduces this risk.
Out Of Band Authentication
The use of two separate networks working simultaneously to authenticate a user. For example: email, SMS, phone, and so on.
Overdue
A flag that will signal when a case has not been accessed in a given time range. The overdue flag is set to allow managers to see cases that require attention.
Patterns
A composite of traits or features characteristic of an individual or a group. One's pattern of behavior.
Used for Auto-learning, a profiling process in which an administrator defines behavior patterns. Adaptive Risk Manager uses these patterns to dynamically create and populate buckets based on the pattern parameters. Examples of patterns:
An individual logs in from the USA and from his home desktop
The accounts group processes orders between 8 AM and 1 PM
A user transfers between $100 and $200 once a week to his overseas account
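The following is an added example, illustrative code rather than Oracle's, showing how the Attribute, Buckets, Creation Method, and Patterns entries fit together: a single-bucket pattern that is populated only on an exact match of every attribute, a multi-bucket pattern with one bucket per amount sub-range, both profiled against constructed events and counted per entity and per hour/day/month/year time sample. The Pattern class, its field names, the event layout, and the bucket-key format are assumptions made for this illustration.

```python
"""Illustrative profiler for the pattern/bucket concepts defined on this page.
Added example, not Oracle Adaptive Access Manager code: the Pattern class,
field names, event layout and bucket-key format are assumptions."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Pattern:
    name: str
    member_type: str        # entity being profiled, e.g. "user" (the key into each event)
    creation_method: str    # "single" or "multi", per the Creation Method entry
    # single: attribute -> exact value required for membership
    # multi:  attribute -> list of (low, high) sub-ranges, one bucket per sub-range
    data_points: dict


def bucket_key(pattern: Pattern, event: dict) -> tuple | None:
    """Return the bucket this event populates, or None if the entity is not a member."""
    if pattern.creation_method == "single":
        # One bucket, populated only on an exact match of every data point.
        if all(event.get(a) == v for a, v in pattern.data_points.items()):
            return (pattern.name,)
        return None
    if pattern.creation_method == "multi":
        parts = []
        for attr, subranges in pattern.data_points.items():
            value = event.get(attr)
            for low, high in subranges:
                if value is not None and low <= value < high:
                    parts.append(f"{attr}:{low}-{high}")
                    break
            else:
                return None     # value falls outside every sub-range: not a member
        return (pattern.name, *parts)
    raise ValueError(f"unknown creation method: {pattern.creation_method}")


def time_samples(ts: datetime) -> dict[str, str]:
    """The hour/day/month/year samples that bucket statistics are kept for."""
    return {
        "hour": ts.strftime("%Y-%m-%dT%H"),
        "day": ts.strftime("%Y-%m-%d"),
        "month": ts.strftime("%Y-%m"),
        "year": ts.strftime("%Y"),
    }


def profile(patterns: list[Pattern], events: list[dict]) -> Counter:
    """Count, per entity, bucket and time sample, how often the entity matched a pattern."""
    stats: Counter = Counter()
    for ev in events:
        for p in patterns:
            key = bucket_key(p, ev)
            if key is None:
                continue
            entity = ev[p.member_type]
            for kind, sample in time_samples(ev["ts"]).items():
                stats[(entity, key, kind, sample)] += 1
    return stats


# Constructed sample data (not from any real deployment).
SINGLE = Pattern("unregistered_from_redwood", "user", "single",
                 {"city": "Redwood City", "is_registered": False})
MULTI = Pattern("transfer_amount", "user", "multi",
                {"amount": [(0, 100), (100, 200), (200, 500)]})
PATTERNS = [SINGLE, MULTI]

EVENTS = [
    {"user": "alice", "city": "Redwood City", "is_registered": False,
     "amount": 150, "ts": datetime(2024, 3, 4, 9, 15)},
    {"user": "alice", "city": "Redwood City", "is_registered": True,
     "amount": 150, "ts": datetime(2024, 3, 4, 10, 0)},
    {"user": "bob", "city": "Austin", "is_registered": False,
     "amount": 50, "ts": datetime(2024, 3, 4, 9, 30)},
    {"user": "alice", "city": "Redwood City", "is_registered": False,
     "amount": 800, "ts": datetime(2024, 3, 5, 9, 0)},   # outside every amount sub-range
]

if __name__ == "__main__":
    for key, count in sorted(profile(PATTERNS, EVENTS).items(), key=str):
        print(key, count)
```

The monthly count for alice in the $100-$200 transfer bucket is what a rule such as "user transfers between $100 and $200 once a week" would consult; an event whose value falls outside every sub-range (the $800 transfer) populates no bucket of the multi-bucket pattern at all.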
Personalization Active
Status of the user who has an image, a phrase and questions active. Personalization consists of a personal background image and phrase. The timestamp is generated by the server and embedded in the single-use image to prevent reuse. Each Authenticator interface is a single image served up to the end user for a single use.
Pharming
Pharming (pronounced farming) is an attack aiming to redirect a Web site's traffic to another, bogus Web site.
Phishing
A criminal activity utilizing social engineering techniques to trick users into visiting their counterfeit Web application. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity. Often a phishing exercise starts with an email aimed to lure in gullible users.
Plug-in
A plug-in consists of a computer program that interacts with a host application (a web browser or an email client, for example) to provide a certain, usually very specific, function "on demand".
Policy Set
A policy set is the collection of all the currently configured policies used to evaluate traffic to identify possible risks. As a fail-safe, an action override or a score override can be created for a policy set so that the override is automatically invoked to override a particular action triggered by a rule when a specific set of circumstance occurs.
Policy Type
The Policy Types are Security and Business.
Security Policy - A Security Policy is based on cross-industry best practices.
Business Policy - A Business Policy is based upon parameters established for mitigation of transaction risk.
Questions Active
Status of a user who has completed registration and for whom questions exist by which he can be challenged.
QuestionPad
Device that presents challenge questions for users to answer before they can perform sensitive tasks. This method of data entry helps to defend against session hijacking.
Rule Conditions
Rule conditions are the building blocks of rules; they make the rule-related functions in Oracle Adaptive Access Manager available to the client.
Rules
Rules are housed in Models, identify and react to certain information, and trigger actions, alerts, and scores. Rules can be added to Models, and Models can be applied to a group of users or all users.
Runtime
A Runtime is a specified point in a session when rules in a model will run. For example, at pre-authentication, post-authentication, and in-session. Risk can be evaluated at any time specified by a Runtime. To gain access to sensitive data or transactions a user must successfully pass through multiple security checkpoints.
Scores & Weights
Score refers to the numeric scoring used to evaluate the risk level associated with a specific situation. Weight refers to the multiplier used to influence the total score at various evaluation levels. Weight is only applied to a score when a given Model or Policy type is using a "weighted" scoring engine.
Scoring Engine
Fraud analytics engine used to calculate the numeric score that determines the risk level. The engines are listed below along with how each calculates a Model Score. Note that the Average engines divide by the count of all Rules used in the Model, not only the Rules that fired.
Aggregate Score
Sum of the scores of all fired Rules.
Average
Average = (sum of scores of all fired Rules) / (count of all Rules used)
Maximum
Highest score among all fired Rules
Minimum
Lowest score among all fired Rules
Weighted Average
Weighted Average = [(sum of scores of all fired Rules) / (count of all Rules used)] * (weight modifier specified by the Model)
Weighted Maximum Score
(highest score among all fired Rules) * (weight modifier specified by the Model)
Weighted Minimum Score
(lowest score among all fired Rules) * (weight modifier specified by the Model)
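The following added example (illustrative code written for this page, not Oracle Adaptive Access Manager's implementation) computes a Model score with each scoring engine above and then applies Manual Override rows as described in the Manual Override entry: rows evaluate top to bottom, the first matching Rule return combination wins, and its actions and alerts are added to those of the fired Rules. The RuleResult and OverrideRow structures, treating the weight modifier as a plain multiplier, returning a score of 0 when no Rule fires, having the override score replace the engine score, and the sample rule results are all assumptions.

```python
"""Illustrative Model scoring and manual-override evaluation.
Added example, not Oracle Adaptive Access Manager code; the data structures,
conventions and sample data below are assumptions."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class RuleResult:
    name: str
    score: int                      # the Rule's configured score
    fired: bool                     # did the Rule trigger for this request?
    actions: tuple[str, ...] = ()   # actions the Rule triggers when fired
    alerts: tuple[str, ...] = ()    # alerts the Rule triggers when fired


def fired_scores(results: list[RuleResult]) -> list[int]:
    return [r.score for r in results if r.fired]


def model_score(results: list[RuleResult], engine: str, weight: float = 1.0) -> float:
    """Model score per the engines listed above.

    weight is the Model's weight modifier, treated here as a plain multiplier
    (assumption) and only applied by the weighted engines."""
    fired = fired_scores(results)
    if not fired:
        return 0.0   # assumption: nothing fired, no risk contribution
    total_rules = len(results)   # Average engines divide by ALL Rules used, not only fired ones
    if engine == "aggregate":
        return float(sum(fired))
    if engine == "average":
        return sum(fired) / total_rules
    if engine == "maximum":
        return float(max(fired))
    if engine == "minimum":
        return float(min(fired))
    if engine == "weighted_average":
        return sum(fired) / total_rules * weight
    if engine == "weighted_maximum":
        return max(fired) * weight
    if engine == "weighted_minimum":
        return min(fired) * weight
    raise ValueError(f"unknown scoring engine: {engine}")


@dataclass
class OverrideRow:
    combination: dict[str, bool]    # Rule name -> required fired state
    score: int
    actions: tuple[str, ...] = ()
    alerts: tuple[str, ...] = ()


def match_manual_override(results: list[RuleResult], rows: list[OverrideRow]) -> OverrideRow | None:
    """Rows evaluate top to bottom; the first whose combination matches wins."""
    state = {r.name: r.fired for r in results}
    for row in rows:
        if all(state.get(name) == wanted for name, wanted in row.combination.items()):
            return row
    return None


def evaluate_model(results: list[RuleResult], rows: list[OverrideRow],
                   engine: str, weight: float = 1.0) -> dict:
    """Engine score plus the fired Rules' actions/alerts, then the manual override on top."""
    score = model_score(results, engine, weight)
    actions = [a for r in results if r.fired for a in r.actions]
    alerts = [a for r in results if r.fired for a in r.alerts]
    row = match_manual_override(results, rows)
    if row is not None:
        score = float(row.score)      # assumption: override score replaces the engine score
        actions.extend(row.actions)   # override actions/alerts are ADDED to the Rules' own
        alerts.extend(row.alerts)
    return {"score": score, "actions": actions, "alerts": alerts, "override": row is not None}


# Constructed sample: four Rules in the Model, three of them fired.
SAMPLE_RESULTS = [
    RuleResult("new_country", 800, True, actions=("challenge",), alerts=("login from new country",)),
    RuleResult("new_device", 600, True),
    RuleResult("ip_blacklist", 1000, False, actions=("block",)),
    RuleResult("off_hours", 200, True),
]

SAMPLE_OVERRIDES = [
    OverrideRow({"new_country": True, "new_device": True}, 900,
                actions=("ask_pin",), alerts=("high risk combo",)),
    OverrideRow({"ip_blacklist": True}, 1000, actions=("block",)),
]

if __name__ == "__main__":
    for engine in ("aggregate", "average", "maximum", "minimum"):
        print(engine, model_score(SAMPLE_RESULTS, engine))
    print(evaluate_model(SAMPLE_RESULTS, SAMPLE_OVERRIDES, "maximum"))
```

With the sample data the Average engine yields 400 (1600 divided by four Rules) even though only three Rules fired; the first override row matches the new_country/new_device combination, so its "ask_pin" action and "high risk combo" alert are appended to the "challenge" action and alert already raised by the fired Rules, and the never-reached ip_blacklist row has no effect.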
Restricted Note
A note describing why an action was taken in a case. A "Restricted" note can only be written by investigators and read by customer service managers and investigators.
Security Token
Security tokens (or sometimes a hardware token, hard token, authentication token, USB token, cryptographic token) are used to prove one's identity electronically (as in the case of a customer trying to access their bank account). The token is used in addition to or in place of a password to prove that the customer is who they claim to be. The token acts like an electronic key to access something.
Severity Level
A marker to communicate to case personnel how severe this case is. The severity level is set by whomever creates the case. The available severity levels are High, Medium, and Low. If a customer suspects fraud, then the severity level assigned is "High." If the customer wants a different image, then the severity level assigned is "Low." Severity levels of a case can be escalated or de-escalated as necessary.
Session Hijacking
The term Session Hijacking refers to the exploitation of a valid computer session (sometimes also called a session key) to gain unauthorized access to information or services in a computer system.
SOAP
SOAP, originally defined as Simple Object Access Protocol, is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. It relies on Extensible Markup Language (XML) as its message format, and usually relies on other Application Layer protocols (most notably Remote Procedure Call (RPC) and HTTP) for message negotiation and transmission. SOAP can form the foundation layer of a web services protocol stack, providing a basic messaging framework upon which web services can be built.
Social Engineering
Social engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information to a fraudulent entity.
Spoofing Attack
In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.
Spyware
Spyware is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user's interaction with the computer, without the user's informed consent.
Standard Note
A note describing why an action was taken in a case. A "Standard" note can be written and read by customer service representatives, managers, and investigators.
Status (Pattern)
Status is the current state of a Pattern.
Active - If data needs to be collected, the pattern must be in the active state.
Inactive - If the pattern is complete, but you don't want to collect data, pick "Inactive."
Incomplete - If pattern creation has started, but you need to save it for completion later, choose "Incomplete." Data is not collected for this state.
Invalid - The administrator may choose to mark the pattern as invalid if he does not want the pattern used. Data is not collected for this state.
Strong Authentication
An authentication factor is a piece of information and process used to authenticate or verify the identity of a person or other entity requesting access under security constraints. Two-factor authentication (T-FA) is a system wherein two different factors are used in conjunction to authenticate. Using two factors as opposed to one factor generally delivers a higher level of authentication assurance.
Using more than one factor is sometimes called strong authentication.
Temporary Allow
Temporary account access that is granted to a customer who is being blocked from logging in or performing a transaction.
TextPad
Personalized device for entering a password or PIN using a regular keyboard. This method of data entry helps to defend against phishing.
Transaction Definition
Application data is mapped using the transaction definition before transaction monitoring and profiling can begin. Each type of transaction Oracle Adaptive Access Manager deals with should have a separate transaction definition.
Trojan/Trojan Horse
A program that installs malicious software while under the guise of doing something else.