5. Logical and Physical Access Control

Question 1

Logical access control: what is often used to manage?

Answer 1

Logical access control software: by function or application, who can read, copy, write, create update, delete, execute.

Question 2

Logical access control: what kind of proof is used for user authentication?

Answer 2

• Proof by knowledge: passwords
• Proof by knowledge and possession: security tokens/credit cards
• Proof by physical identifier: biometric controls (thumbprint, retina patterns, voice-print, face)
• Proof by mannerism/context: touch on the keyboard, time of system use
• Multi-factor authentication: multiple authentication procedures - highly secure

Question 3

Logical access control: Password (knowledge): how good are they? How are they need to be?

Answer 3

• Not so good authentication system.
• Need to be strong (i.e. impossible to remember - use password manager?): eight or longer characters, include upper/lower case letters, one numeral and one special character, change periodically (every 3 months?)

Question 4

Logical access control: Password: what is an effective control?

Answer 4

Standard: lockout after 3 failed attempts with reset.

Question 5

Logical access control: what is security token?

Answer 5

One-time password (device displays; user inputs device password, user ID and account password) - e.g. new password: generate every 30-60 seconds

Question 6

Logical access control: what are smart cards and identification badges?

Answer 6

Embedded identification information read by card reader

e.g. credit card chip

Question 7

Logical (electronic) access control: what does user authorization matrix do?

Answer 7

Define user’s access rights based on role.

Question 8

Logical access control: what makes security (challenge) questions good?

Answer 8

Safe, memorable, stable, definitive.

Should not use something people could easily search for.

Question 9

Logical access control: what are 3 kinds of firewall?

Answer 9

NAP: Network, Application, Personal

Question 10

Logical access control: what is and does firewall do?

Answer 10

Prevent and detect unauthorized access.
Hardware and/or software to review and filter network traffic.
e.g. block noncompliant data packets based on set parameters.

Question 11

Logical access control: what is and does network firewall do?

Answer 11

On a network (e.g. server).

• Filters data packets based on header info (source and destination IP address and communication port)
• Blocks noncompliant transmission based on rules in access control list
• Very fast (examine headers only)
• Forward approved packets to application firewall

Question 12

Logical access control: what is application firewall?

Answer 12

• Inspect data packet contents

* Can perform deep packet inspection (detailed packet examination)

Question 13

Logical access control: what is personal firewall?

Answer 13

Software enabling end-users to block unwanted network traffic.
Usually on a home network or computer.

Question 14

Logical access control: what is IDS? What does it do?

Answer 14

Intrusion Detection Systems.

*Monitors network for anomalies

Question 15

Logical access control: IDS: what are 3 identification methods?

Answer 15

• Signature-based: stored patterns/sources
• Statistical-based: unusual activity - modeling
• Neural networks: learns from created database

Question 16

Logical access control: what is IPS? Example?

Answer 16

Intrusion Prevention Systems - allows identification and blocking from live systems
E.g. honeypot/honeynet: allow hackers access to a decoy system

Question 17

What are IT facilities?

Answer 17

• Computer hardware (CPUs, disk and tape drivers, printers, communications devices, etc)
• Software (program files)
• Data files
• Computing infrastructure (network communication media and devices) computing rooms and buildings in which they reside

Question 18

What does IT facility control?

Answer 18

General controls

• Some preventative controls: e.g. restricting access to IT dept
• Some corrective controls: e.g. program and data backup, disaster recovery

Question 19

What are power system risks?

Answer 19

• Failure (blackout)
• Reduced voltage (brownout)
• Sags, spikes, surges
• Electromagnetic interference (EMI)

Question 20

What are environmental (physical location) controls?

Answer 20

• Alarm control panel
• Water and smoke detectors
• Climate control, humidity
• Fire extinguishers
• Manual fire alarms
• Uninterruptible power supply

Question 21

Physical location controls: fire suppression system: What are needed?

Answer 21

Fire suppression systems appropriate for electrical fires *chemical suppressor (halon no longer used) or water
*periodic maintenance

Question 22

Physical access controls: what must be done re: mainframe/large system?

Answer 22

• Restrict access to programs, data files, and computer hardware (e.g. identification badges)
• Additional restrictions: locks, keypad devices, access card readers, security personnel, and surveillance
• Secrecy: Keep IT facilities location private

Question 23

Logical access controls: what are system penetration risk?

Answer 23

• “Social engineering”: seek access by tricking employees

* May be conducted by “white” hackers (those hired by other companies) or “black” hackers (criminals, etc)

Question 24

Physical/logical access control: what is physical access risks and responses?

Answer 24

Piggybacking = unauthorized user follows and uses authorized user credentials
Response: restricted it by electronic/logical access controls (in a computer lab), physical controls (computer room)

Question 25

Security: What can be done to secure physical access?

Answer 25

* Magnetic disks and tape protection * Set file attributes * Use software to restrict, record, read, write, update

Question 26

What is encryption? What is the process of reversing encryption called?

Answer 26

The process of converting a plaintext message into a secure-coded form (cipher text). Decryption (to read a message).

Question 27

Why is encryption needed?

Answer 27

* Protect stored or transmitted data | * Verify authenticity of data

Question 28

Encryption: what are essential elements?

Answer 28

* Encryption algorithm: math function * Encryption keys: device or code that makes the message unique. Needed to encrypt or decrypt. Begins with an input or parameter. Device encryption (e.g. on a laptop, smart phones). Longer keys are, slower, but harder to crack

Question 29

Encryption: how does it work? What does it facilitate?

Answer 29

``` Algorithm makes information (called plaintext) unreadable (called ciphertext) except to those with a key. Facilitates privacy (protect from unauthorized access) and authentication (user identification). ```

Question 30

Encryption: what is symmetric encryption?

Answer 30

Single-key (1 key) or private key encryption. * One algorithm to encrypt and decrypt * Sender create and sends ciphertext, tells which algorithm (key) * Receiver reverses process * Most common: data encryption standard (DES-old) and AES (advanced encryption standard-better)

Question 31

Encryption: symmetric encryption: what are advantages? Problem?

Answer 31

A: Fast, simple and easy. Common in storage archives (i.e. data at rest). P: If sending a message, then sender must communicate algorithm - how? what if intercepted?

Question 32

Encryption: what is Asymmetric Encryption?

Answer 32

2 keys: also called Public/private encryption. Paired algorithms *One to encrypt, one to decrypt *If public key used to encrypt, private key used to decrypt. Vice versa (usually receiver uses private key) Safe, but more complicated (slower). Common in sending of messages (i.e. data in transit)

Question 33

Encryption: what must be a part of encryption? What are other controls that must accompany for stronger security?

Answer 33

Comprehensive strategy to achieve confidentiality and security. * Access controls and strong authentication techniques * Limiting user actions (read, write, change, delete, copy, etc) when accessing confidential info

Question 34

Encryption: what is the phenomenon called with hackers?

Answer 34

An "arms" raise with hackers.

Question 35

Encryption: what are emerging strategies?

Answer 35

* "Honey" encryption - wrong guesses about encrypting key yield falsified data that looks correct (but isn't) * Quantum encryption where data are encrypted using the Alice-in-Wonderland-like qualities of quantum computers

Question 36

What is digital certificate?

Answer 36

* Electronic document that contains info. * Purpose: provide legally recognized identity and create secure communication. * Use public/private key technology

Question 37

What is certificate or certification authority (CA)?

Answer 37

* Created by Microsoft * Use asymmetric keys * To acquire key pair, user applies for CA - CA registers public key on server and sends private key to user (additional layer of approval to get key).

Question 38

What is digital signature? Weakness?

Answer 38

* Facilitate secure exchanges (e.g. E-commerce) * Use public/private key pair to authenticate sender * Provide nonrepudiation (audit trail - can't say he didn't do) * Weakness: public/private key pair can be acquired without verification

Question 39

What are 3 forms of secure internet transmissions protocols? What do they use?

Answer 39

*SSL (Secure Socket Layer) *S-HTTP (Secure Hypertext Transport Protocol) *SET (Secure Electronic Transactions) Protocol Asymmetric keys

Question 40

What is a key?

Answer 40

A combination of an encryption algorithm and a decryption algorithm.

Question 41

What is VPN?

Answer 41

Virtual private network. *a secure way to create an encrypted communication tunnel to allow remote users secure access to a network. *uses authentication to identify users and encryption to prevent unauthorized users from intercepting data.