CISSP (Domain 1 - Access Control)

Question 1

What Are Access Control Mechanisms

Answer 1

Protect information and resources from unauthorized disclosure, modifications, and destruction

Question 2

3 main types of Access Control Mechanisms

ATP

Answer 2

• administrative (closest to data)
• technical
• physical

Question 3

Administrative Controls

Answer 3

How you should act.

Development of policies, standards, and procedures. (Ex. How servers should be installed)

Screening personnel, security awareness training, monitoring activity.

Question 4

Technical Controls

Answer 4

Protect Data.

Logical mechanisms that provide password and resource management, identification and authentication, and software configuration.

Ex: anti-virus software, IDS, encryption

Question 5

Physical Controls

Answer 5

Physical Threats. Barrier between bad people.

Protecting individual systems, the network, employees, and the facility from physical damage.

Ex: Removing floppy drives, security guards monitoring facility.

Question 6

7 Access Control Types/Categories

PDCDRCD

Answer 6

• Preventative
• Detective
• Corrective
• Deterrent
• Recovery
• Compensation
• Directive

Question 7

Preventive - AC Type*

Answer 7

Controls to prevent undesirable events.

Administrative - Policies, background checks
Technical - Passwords, Firewalls
Physical - Badges/Swipe Cards, CCTV

Question 8

Detective - AC Type*

Answer 8

Controls to identify undesirable events

Administrative - Job Rotation, Inspections
Technical - IDS, Review audit logs
Physical - Human evaluation of cameras

Question 9

Corrective - AC Type

Answer 9

Controls to correct the effects of undesirable events

Ex: Patch systems

Question 10

Deterrent - AC Type

Answer 10

Controls to discourage security violations

Ex: Signs

Question 11

Recovery - AC Type

Answer 11

Controls to restore resources

Ex: Restore backups

Question 12

Compensation - AC Type

Answer 12

Controls to provide alternative solutions

Ex: Personal PC vs. Hardware

Question 13

Directive - AC Type

Answer 13

Policies to preclude or mandate actions to reduce risk

Question 14

Access Control

Answer 14

Security features that control how subjects and objects communicate and interact with other subjects and objects

Question 15

Access Control - Subject/Object/Access

Answer 15

Subject: Active entity that requests access to an object or the data within the object.

Object: Passive entity that contains information

Access: Ability of subject to do something (CRUD)

Question 16

4 Steps of Access Control

IAAA

Answer 16

1. Identification
2. Authentication
3. Authorization
4. Accounting

Question 17

Access Control - Identification

Answer 17

Identify the subject

Ex: username, smartcard

Question 18

Access Control - Authentication

Answer 18

Proving the subject is who it claims to be

Ex: second piece of credential set

Question 19

Access Control - Authorization

Answer 19

Granting access to resources based on a criteria

Question 20

Access Control - Accounting

Answer 20

Keeping records of activity

Question 21

3 Types of Authentication

KHA

Answer 21

Type 1: Something you know (Password, PIN, Pass-phrase)
Type 2: Something you have (smart card, OTP, RSA Key)
Type 3: Something you are (Biometrics)

Question 22

Mutual Authentication (Two-way Authentication)

Answer 22

Both entities authenticate each other

Question 23

One-Time Password

Answer 23

Dynamic password only good for one use/session.

Type 2 authentication - something you have

Question 24

Token Device - Pro/Con

Answer 24

Pro:

• Not as vulnerable to electrical eavesdropping
• Higher level of protection than static passwords

Con:

• Can be lost
• Can fall pray to masquerading if user shares info

Question 25

Cryptographic Keys Can Be Used To Do What With An Identity

Answer 25

Private key or digital signature can be used to prove one’s identity

Question 26

Smart Card (what does it have thats different)

Answer 26

Has a microprocessor

After threshold of failed login attempts it can render itself unusable

Question 27

Authentication - Type 3 User Has: Error Types (2)

Answer 27

• Type 1 Error: False Rejection Rate (FRR)

- Type 2 Error: False Accept Rate (FAR)

Question 28

Authentication - Biometrics (Type I Error)

Answer 28

False Reject Rate (FRR) - Rejection of an authorized individual.

Question 29

Authentication - Biometrics (Type II Error)

Answer 29

False Acceptance Rate (FAR) - Acceptance of imposter

Question 30

Authentication - Biometrics (Crossover Error Rate)

Answer 30

Represents the point at which the Type I errors equal to the Type II errors.

Combines error and sensitivity levels.

Lower the number the better.

Question 31

Why we need Crossover Error Rate for Biometrics (2 reasons)

Answer 31

• Comparison of tools (Accuracy)

- Determine calibration of device

Question 32

Types of Biometrics - Physical & Behavioral/Dynamic

Answer 32

Physical:

• Fingerprint
• Palm Print
• Retina Scan (scans blood vessel patterns of retina)

Behavioral/Dynamic:

• Signature Dynamics
• Voice Print

Question 33

Access Control - Dual Control

Answer 33

Two people are required to complete a process

Question 34

8 Kerberos Components

DC/P/R/GS/AS/GT/ST/K

Answer 34

• Kerberos Domain Controller (KDC) Most Important
• Principals (Users, Applications, Services)
• Realm
• Ticket Granting Service (TGS)
• Authentication Server (AS)
• Ticket Granting Ticket (TGT)
• Ticket (Service Ticket)
• Secret and Submission Keys

Question 35

4 Things to Know about Kerberos (SSO, Enc Type, tickets, expire)

Answer 35

• Kerberos is a SSO Authentication System
• Symmetric Encryption (Shared Keys)
• Relies on tickets to establish connections (two types: session and secret)
• Relies on timing mechanism to expire keys

Question 36

5 Things for Kerberos Domain Center (KDC)

most/db/mgmt/authn/sess

Answer 36

• Most important component
• Maintains DB of secret keys
• Centralized key management
• AuthN identities of users
• Distributes session keys when principals communicate

Question 37

Kerberos Authentication Process (6 Steps)

Answer 37

• User authenticates to Authentication Service (AS) on KDC
• AS Sends initial Ticket Granting Ticket (TGT) to user
• User wants to access resource and requests Session Ticket (ST) from TGS
• ST has two instances of a session key (user/resource)
• User sends ST to resource for authN
• Authn communication encrypted

Question 38

3 Types of Access Control Models

Answer 38

• Discretionary Access Control (DAC) TCSEC
• Mandatory Access Control (MAC) TCSEC
• Role-Based Access Control (RBAC) NIST

Question 39

Discretionary Access Control (DAC)

object/prov/size/common/type/ex

Answer 39

• Every object has an owner
• Owner can grant and take away access to object
• Good for small user base
• Most common implementation is with Access Control Lists (ACL)
• Identity Based System
• s1 create o1, s1 grants s2 access to o1

Question 40

Mandatory Access Control (MAC)

acc/usr-obj/sec/data/proc

Answer 40

• Access based on security clearance of subject and classification of object
• Each user has a clearance/Each object has a classification
• Access defined by the system and not data owner
• Used for classified data
• System Based Process

Question 41

4 Government Classification Types

Answer 41

• Top Secret
• Secret
• Confidential
• Unclassified

Question 42

MAC Security Labels (2 things)

Answer 42

• Each object has a security label with its classification

- MAC access decisions are based on labels

Question 43

Role-Based Access Control (RBAC)

acc/ass/mgmt/needs

Answer 43

• Allow access to objects based on the role the user holds within the company
• Admins assign a user to a role and then assigns access rights to that role
• Good for high turnover
• Based on Job Description or needs of the user

Question 44

Lattice Based Access Control (LBAC)

acm/aka/ex

Answer 44

• Complex ACM based on interaction between any combination of objects and subjects
• AKA label-based or rule-based access control
• Ex: Firewall

Question 45

5 Goals of Identity Management

Answer 45

• Integrity and Non-Repudiation*
• Confidentiality
• AuthN and AuthZ
• Provisioning
• Management of AuthZ policies

Question 46

Security Assertion Markup Language (SAML)

Frame/exch/forw/indep

Answer 46

• Framework for authorization and authentication
• Allows for exchange of security information between vendors
• Allows for Forwarding
• Vendors are administrated independently

Question 47

Log Protection Issue

Answer 47

Attackers try to “scrub” logs to cover their tracks. Only administrators should have access to them.

Question 48

Control Against Signal Capture: TEMPEST

Answer 48

Special shielding in equipment to lower amount of radiation leakage.

Faraday cage usually heavy metal casings

Question 49

3 Steps to Access Control (Administration)

Answer 49

• Company decides upon the access control model they will implement (DAC and MAC)
• Company decides on technologies and techniques
• Company decides how access will be managed
  + Centralized, Decentralized, Hybrid Approach

Question 50

Centralized Access Control Systems

makes/decides/aaa/ex

Answer 50

• One entity makes access decisions
• Senior management decides what users can access specific objects
• AAA Service Provider (AuthN/AuthZ/Accounting)
• Ex: RADIUS/TACACS+/DIAMETER

Question 51

Remote Authentication Dial-In User Servers (RADIUS)

Answer 51

• AuthN protocol used to AuthN/AuthZ users

- Usually contains a database of users and credentials

Question 52

Terminal Access Controller Access Control System (TACAS+)

Answer 52

• AuthN protocol used to AuthN remote users
• Splits authentication, authorization, and accountability features
• Cisco proprietary protocol

Question 53

DIAMETER

Answer 53

• Protocol designed as the next generation RADIUS
• RADIUS only 256 Attribute Value Pairs (AVP) via SLIP
• 2^32 AVP - 4.3 Billion

Question 54

Decentralized Administration

Answer 54

• Control is given to people closer to the resource

- Managers usually have better judgement about users who should have access to different resources