Access Control Flashcards

1
Q

Access Control Concepts

CIA Triad

Confidentiality
Integrity
Availability

A

Confidentiality
Prevents disclosure of data

Integrity
Ensures data is protected from corruption or unauthorized modification

Availability
Ensures data is accessible when and where it is needed

2
Q

Access Control Concepts

Default Stance (default allow or default deny)

Defense in Depth

A

Default stance is either allow by default or deny by default

Deny by default is recommended because it's stricter: anything not explicitly permitted is refused, so a missing or forgotten rule fails closed

Defense in depth is the practice of using multiple layers of security between attackers and the data and the resources it resides on, so that the failure of any single control does not expose the data

3
Q

Access Control Process

Identify Resources, Users, Relationships between them

A
ID resources
which need protection
How are they accessed
Which data on the resources will be accessed
Who will be accessing this data

ID Users
Document user levels and needs
Analyze needs against organizational policies, legal issues, data sensitivity and risk

4
Q

Identification and Authentication

A

Identification
The act of a user professing an identity, ie presenting a user ID or username

Authentication
Validating that the subject is who it claims to be by checking credentials, such as a password, against what is registered for that identity

5
Q

3 Factors for Authentication

Knowledge
Ownership
Characteristic

A

Knowledge - something user knows, ie password

Ownership - something user possesses - smartcard

Characteristic - something a person is

6
Q

Knowledge Factors (Type 1 Factor)

A

Most popular form is a password

Also includes birthday, PIN, mother's maiden name

If a knowledge factor is used, identity (account) management and password management are crucial

7
Q

Identity and Account Management

5 elements of proper account management

A

Establish formal process for establishing, issuing, closing user accounts

Periodically review user accounts

Implement process for tracking access authorization

Periodically prescreen personnel in sensitive positions

Periodically verify legitimacy of user accounts

8
Q

Password Types and Management

Standard
Combination
Static
Complex
Passphrase
A

Standard - single words
Combination (composition)- mix of two unrelated words
Static - remains same for each login. Most often seen in P2P networks
Complex - mix of upper, lowercase letter, numbers, special characters
Passphrase - a long phrase

9
Q

Password Types and Management

Cognitive
One Time Passwords (dynamic)
Graphical
Numeric

A

Cognitive - a piece of information, usually a series of questions based on the user's life (first car, favorite color)

OTP - a password that is valid only once, so a captured value cannot be replayed

Graphical - the user selects images or points on an image instead of typing characters

Numeric - contains only digits; easier to guess because the keyspace is small and known (10^n for n digits)

10
Q

Password Policies

A
Password life - maximum age before the password must be changed
Password history - prevents reuse of recent passwords
Authentication period - how long a user can stay logged in before re-authenticating
Password complexity - required mix of character classes
Password length - minimum number of characters

11
Q

Password Types and Management
(Knowledge Factors)

password locations and default accounts
Linux, UNIX
Windows

A

/etc/passwd (world-readable account list)
/etc/shadow (protected; holds the password hashes and is readable only by root)
root account

c:\windows\system32\config\SAM
administrator and guest accounts

12
Q

Password Types and Management
Ownership Factors, Type 2 authentication factor

Tokens
Memory Cards
Smart Cards

A

Synchronous token generates a unique password at fixed time intervals, in step with the authentication server's clock

Asynchronous token generates a password by challenge/response: the server sends a challenge and the token generates the correct response to it

Memory card is a card that stores authentication information (e.g. on a magnetic stripe) but cannot process it

Smart Cards - contain a chip that can store and process data
contact cards require physical contact with the reader
contactless cards / proximity cards communicate with the reader over a short-range radio interface
hybrid cards are both contact and contactless

13
Q

Password Types and Management
Characteristic Factors, Type 3 authentication factor
Biometrics

Physiological Characteristics
Behavioral Characteristics

A

Physiological - unique attributes of the user: iris, fingerprints, etc

Behavioral - measure actions: voice patterns, data entry characteristics

14
Q

Types of physiological factors

A

fingerprint
finger scan
hand geometry - size, shape, finger length
hand topography - peaks, valleys, shape of hand
palm or hand scan
facial scan - bone structure, eye width, etc
retina scan - retinal blood vessel pattern
iris scan - scans colored portion of eye, rifts, coronas, furrows
vascular scans - pattern of veins in hand or face

15
Q

Behavioral Characteristics

A

Signature dynamic
stroke speed, pen pressure, acceleration, deceleration

Keystroke dynamics
measures typing pattern when inputting password or predetermined phrase

Voice Pattern or print
measures sound pattern of user stating certain word

16
Q

Biometric Considerations

Enrollment Time
Feature Extraction
Accuracy
Throughput Rate
Acceptability
A

Enrollment Time
Process of obtaining sample used by biometric system

Feature Extraction
approach to obtaining biometric info from user

Accuracy
The most important characteristic of a biometric system

Throughput Rate
Rate that system can scan characteristics and complete the analysis to permit / deny

Acceptability
Likelihood that users will accept and follow the system

17
Q

Biometric Considerations

(FRR) False Rejection Rate
Type 1 Error

(FAR) False Acceptance Rate
Type 2 Error

(CER) Crossover Error Rate

A

FRR - percentage of valid users that will be falsely rejected by the system. Type 1 Error

FAR - percentage of invalid users (impostors) that will be falsely accepted by the system. Type 2 Error. This is the more dangerous error for security, since it lets an impostor in

CER - the point where FRR = FAR
This is the most important accuracy metric. Expressed as a percentage; the lower the CER, the more accurate the system
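Worked example (added here; not part of the original flashcards): computing FRR, FAR and the CER from a set of match scores. The scores and the accept-at-or-above-threshold rule are constructed for the demo; the functions sweep every threshold, find where the two error rates cross, and show the trade-off a high-security deployment makes when it tunes for a low FAR instead.

```python
"""FAR, FRR and crossover error rate for a score-based biometric matcher.

Added example, not part of the original flashcards. The match scores below are
constructed for the demo: a higher score means a closer match, and the system
accepts a sample when its score is at or above the decision threshold.
"""
from typing import List, Sequence, Tuple

# Constructed sample scores (0-100) from enrolled users and from impostors.
GENUINE_SCORES = [92, 88, 85, 81, 79, 76, 74, 70, 66, 60]
IMPOSTOR_SCORES = [15, 22, 30, 38, 45, 52, 58, 63, 68, 72]


def far(impostor: Sequence[int], threshold: int) -> float:
    """False acceptance rate (Type 2 error): share of impostors scored at or above the threshold."""
    return sum(1 for s in impostor if s >= threshold) / len(impostor)


def frr(genuine: Sequence[int], threshold: int) -> float:
    """False rejection rate (Type 1 error): share of genuine users scored below the threshold."""
    return sum(1 for s in genuine if s < threshold) / len(genuine)


def error_curve(genuine: Sequence[int], impostor: Sequence[int],
                thresholds: Sequence[int] = range(0, 101)) -> List[Tuple[int, float, float]]:
    """(threshold, FRR, FAR) for each candidate threshold; FRR rises and FAR falls as it increases."""
    return [(t, frr(genuine, t), far(impostor, t)) for t in thresholds]


def crossover(genuine: Sequence[int], impostor: Sequence[int]) -> Tuple[int, float]:
    """Threshold at which FRR and FAR are closest, and the CER there as a percentage (lower is better)."""
    t, fr, fa = min(error_curve(genuine, impostor), key=lambda row: abs(row[1] - row[2]))
    return t, round((fr + fa) / 2 * 100, 1)


def threshold_for_max_far(genuine: Sequence[int], impostor: Sequence[int],
                          max_far: float) -> Tuple[int, float]:
    """Lowest threshold that keeps FAR at or below max_far, with the FRR you pay for it.

    A high-security deployment tunes for low FAR and accepts the higher FRR."""
    for t, fr, fa in error_curve(genuine, impostor):
        if fa <= max_far:
            return t, fr
    raise ValueError("no threshold meets the FAR target")


if __name__ == "__main__":
    print("CER threshold, CER%:", crossover(GENUINE_SCORES, IMPOSTOR_SCORES))
    print("threshold for FAR<=0.1, FRR:", threshold_for_max_far(GENUINE_SCORES, IMPOSTOR_SCORES, 0.1))
```

Raising the threshold lowers FAR and raises FRR; the CER is the single number for comparing two systems, and threshold_for_max_far is what you use when policy fixes an acceptable FAR rather than asking for the balanced point.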

18
Q

Authorization Concepts

Access Control policy

Separation of Duties

A

Access Control policy defines the methods for identifying and authenticating users and the level of access granted to them

Separation of Duties
Prevents fraud by distributing a task and its rights and privileges among more than one user, so no single person can complete a sensitive task alone.
  1. Dual Controls - two people must act together to complete a task (e.g. two signatures or two keys)
  2. Split Knowledge - no single user has all the knowledge needed to perform a certain task. ie one bank officer knows half the combination, another officer knows the other half

19
Q

Authorization Concepts

Principle of Least Privilege

Need to Know Principle

A

Principle of Least Privilege
Requires that a user or process has only the minimum privileges needed to do a certain task

Need to Know Principle
Defines the minimum information required for each job or function; a subject is granted access only to the data its task requires

20
Q

Authorization Concepts

No Access

Directory Service

SSO (Single Sign-On)

A

No Access is the recommended default level of access (default deny)

Directory Service - database for centralizing data management for network subjects and objects

  1. X.500
  2. LDAP
  3. X.400

SSO - enter credentials once to access all resources. Can be implemented with Kerberos and SESAME (Secure European System for Applications in a Multivendor Environment)

Any directory service should provide single sign-on

22
Q

Authorization Concepts

Kerberos

A

Authentication protocol using a client/server model
Default authentication model for Windows Server; also used by Apple, Sun and Linux systems

Uses symmetric key cryptography; provides integrity and confidentiality

KDC (Key Distribution Center) is the repository for all user and service secret keys

23
Q

Kerberos Process

4 Steps

A
  1. User authenticates to the KDC (Authentication Service) with credentials
  2. KDC issues a TGT (Ticket Granting Ticket)
  3. User presents the TGT to the KDC (Ticket Granting Service) and receives a service ticket for the resource server
  4. User presents the service ticket to the resource server, which grants access

24
Q

Authorization Process

Security Domain

A

A set of resources that follow the same security policies and are available to a subject

Domains are usually arranged in a hierarchical structure of parent and child domains

25
Q

Federated Identity

2 models it is based on
Cross-Certification
Trusted Third-Party

A

A portable identity that can be used across organizations. Each organization that joins the federation agrees to enforce common policies and standards.

Cross-Certification Model
Each organization certifies that every other one is trusted. Each organization must verify and certify that the other orgs meet or exceed its standards.

Trusted Third-Party (Bridge) Model
Each organization subscribes to the standards of a third party, which handles verification, certification and due diligence for all organizations.

27
Q

User Accountability

A

An organization's ability to hold users responsible for their actions. Usually involves:
Auditing and Reporting
Vulnerability Assessments
Penetration Testing
Threat Modeling

28
Q

Auditing and Reporting

A

Ensures users are held accountable for their actions.
You should monitor network, system, application and user events, and possibly keystroke activity.
Remember that auditing impacts performance.

29
Q

Guidelines for Auditing

A

Develop an audit log management plan (control size, backups, reviews)
Ensure the ability to delete an audit log requires 2 people
Monitor all high-level accounts
Ensure the audit trail records who processed a transaction, when it happened, where it happened, and whether it succeeded
Ensure the log and the data in it can't be deleted unless the user has the appropriate permissions

30
Q

Auditing and Reporting

baselining
clipping levels
notifications

A

To identify abnormal patterns of behavior you must first identify normal patterns of behavior (the baseline).
Establish a clipping level: a baseline number of errors above which violations are recorded.
Audit trails must be monitored, and automatic notifications should be configured.

31
Q

Vulnerability Assessment

Personnel
Physical
System and Network

A

Personnel - reviews the standard practices and procedures that users follow
Physical - reviews facility and perimeter protection
System and Network - reviews systems, devices and network topology

32
Q

Penetration Testing

5 Steps

A

Simulates an attack to identify threats from internal or external sources that could exploit vulnerabilities of a system or device
  1. Document the target system or device
  2. Gather information about attack methods, including port scanning
  3. Identify known vulnerabilities of the target
  4. Execute attacks against the target to gain user or privileged access
  5. Document the results of the pen test and report findings with suggestions for remediation

33
Q

Penetration Testing

Blind Test
Double-Blind Test
Target Test

A

Blind Test
Testing team is given limited knowledge of the network, using publicly available info. The security team knows the attack is coming. This requires more work by the testing team, since it must simulate an actual attack.

Double-Blind Test
Like a blind test, except the security team doesn't know the attack is coming. Requires equal effort from the testing and security teams.

Target Test
Both the testing and security teams are given maximum information about the network and the type of test. Easiest test to complete, but it won't provide a full picture of the organization's security.

34
Q

Penetration Testing

Zero-Knowledge Test
Partial-Knowledge Test
Full-Knowledge Test

A

Zero-Knowledge Test (Black Box Test)
Testing team is provided with no knowledge about the organization's network. They can use any means possible to learn about it.

Partial-Knowledge Test
Testing team is provided with public knowledge about the organization's network. Boundaries might be set for this type of test.

Full-Knowledge Test
Testing team is provided with all available knowledge about the organization's network. This test is focused more on what attacks can be carried out.

35
Q

Threat Modeling (aka Risk Assessment)

A

Lets you apply a structured approach to security and address first the top threats that have the greatest impact on your application.

36
Q

Access Control Categories

7 Main Categories
  1. Compensative
  2. Corrective
  3. Detective
  4. Deterrent

A

  1. Compensative - acts as mitigation to risks. ie two signatures to release sensitive information, or 2 keys for a safe deposit box
  2. Corrective - reduces the effect of an attack. ie fire extinguishers, isolating or terminating a connection, new firewall rules
  3. Detective - detects an attack while it's occurring and alerts personnel. ie motion detectors, IDS, guards, job rotation, investigations
  4. Deterrent - deters or discourages attackers. Often triggers preventive and corrective controls. ie user ID and authentication, fences, lighting, security policies and NDAs

38
Q

Access Control Categories

  5. Directive
  6. Preventive
  7. Recovery

A

  5. Directive - specifies acceptable practice in an organization. Often an AUP (acceptable use policy) that lists proper and improper procedures
  6. Preventive - prevents an attack from occurring. ie locks, badges, biometrics, encryption, IPS, antivirus, personnel security, guards, passwords, training
  7. Recovery - recovers a system after an attack has occurred. ie disaster recovery plans, backups, offsite facilities

39
Q

3 Access Control Types

  1. Administrative (Management)
  2. Logical (Technical)
  3. Physical

A

  1. Administrative - administers the organization's assets and personnel. ie personnel controls, data classification, data labeling, security awareness training, supervision
  2. Logical (Technical) - restricts access. ie firewalls, IDS, IPS, encryption, authentication systems, protocols, auditing, monitoring, biometrics, smart cards, passwords
  3. Physical - protects the organization's facilities and personnel. ie perimeter security, badges, cards, guards, dogs, man traps, biometrics, cabling

40
Q

Access Control Models

Discretionary Access Control
Mandatory Access Control
Role-Based Access Control

A

Discretionary Access Control (DAC)
The owner of an object specifies which subjects can access the resource. Access is based on the subject's identity, profile or role. DAC is a need-to-know control.

Mandatory Access Control (MAC)
Subject authorization is based on security labels. MAC is prohibitive because it's based on a security label system: under MAC everything not expressly allowed is denied. Only administrators can change the category of a resource.

Role-Based Access Control (RBAC)
Each subject is assigned to one or more roles. Roles are hierarchical. Access control is based on the roles. Can be used to easily enforce minimum privileges for subjects.

41
Q

Access Control Models

Rule-Based Access Control (not role-based)
Content-Dependent Access Control
Context-Dependent Access Control

A

Rule-Based Access Control (not role-based)
Facilitates frequent changes to data permissions. Using this method, a security policy is based on global rules that apply to all users.

Content-Dependent Access Control
Makes access decisions based on the data contained within the object.

Context-Dependent Access Control
Based on subject or object attributes or environmental characteristics, such as the subject's location or the time of day.

42
Q

Access Control Models

Access Control Matrix
Capabilities Table
Access Control List

A

Access Control Matrix
A table of subjects, objects, and the actions each subject can take on each object. Rows in the matrix are the subjects and columns are the objects.

Capabilities Table (for a subject)
A capability corresponds to a subject's row in the access control matrix. A capability table lists the access rights that a particular subject has to objects. A capability table is about the subject.

ACL (for an object)
Corresponds to an object's column in the access control matrix. An ACL lists all the access rights that subjects have to a particular object. An ACL is about the object.

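Worked example (added here; not part of the original flashcards) showing the three views as one data structure: the matrix is a dictionary of rows, the capability table is one row, the ACL is one column, and the access check denies anything without an explicit cell (the default-deny stance from the earlier cards). Subjects, objects and rights are constructed for the demo.

```python
"""Access control matrix, capability table and ACL as three views of the same data.

Added example, not part of the original flashcards. The subjects, objects and
rights below are constructed; the matrix applies a default-deny stance, so any
subject/object pair without an explicit cell gets no access.
"""
from typing import Dict, FrozenSet

Rights = FrozenSet[str]

# Rows are subjects, columns are objects, cells are the permitted actions.
MATRIX: Dict[str, Dict[str, Rights]] = {
    "alice":      {"payroll.db": frozenset({"read", "write"}), "hr_policy.pdf": frozenset({"read"})},
    "bob":        {"hr_policy.pdf": frozenset({"read"})},
    "svc_backup": {"payroll.db": frozenset({"read"}), "hr_policy.pdf": frozenset({"read"})},
}
# audit.log is an object with no column entries yet: nobody can touch it.
OBJECTS = ("payroll.db", "hr_policy.pdf", "audit.log")


def is_allowed(subject: str, obj: str, action: str) -> bool:
    """Reference-monitor check. Unknown subject, unknown object or empty cell all deny."""
    return action in MATRIX.get(subject, {}).get(obj, frozenset())


def capability_table(subject: str) -> Dict[str, Rights]:
    """The subject's row: every object this subject holds rights to, and which rights."""
    return {obj: rights for obj, rights in MATRIX.get(subject, {}).items() if rights}


def acl(obj: str) -> Dict[str, Rights]:
    """The object's column: every subject with rights to this object, and which rights."""
    return {subj: row[obj] for subj, row in MATRIX.items() if row.get(obj)}


def grant(subject: str, obj: str, action: str) -> None:
    """Add a right. Both derived views read the matrix, so they cannot drift apart."""
    row = MATRIX.setdefault(subject, {})
    row[obj] = row.get(obj, frozenset()) | {action}


def revoke(subject: str, obj: str, action: str) -> None:
    """Remove a right; an emptied cell is dropped so the subject disappears from the ACL."""
    row = MATRIX.get(subject, {})
    if obj in row:
        row[obj] = row[obj] - {action}
        if not row[obj]:
            del row[obj]


def render(objects=OBJECTS) -> str:
    """Lay the matrix out as the flashcard describes it, with '-' for denied cells."""
    lines = ["subject".ljust(12) + "".join(o.ljust(16) for o in objects)]
    for subj, row in MATRIX.items():
        cells = [",".join(sorted(row.get(o, ()))) or "-" for o in objects]
        lines.append(subj.ljust(12) + "".join(c.ljust(16) for c in cells))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render())
    print("alice row:", capability_table("alice"))
    print("payroll.db column:", acl("payroll.db"))
```

A real system stores only one of the two derived views (Unix file permissions and Windows DACLs are ACLs; capability systems store the rows as unforgeable tokens); the matrix itself is the model both are judged against.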
43
Q

Access Control Administration Models

Centralized
Decentralized

A

Centralized
A central department oversees access for all organizational resources. Ensures user access is controlled in a consistent manner across the enterprise.

Decentralized
The personnel closest to the resources oversee access control. This method ensures that those who know the data control access to it.

44
Q

Provisioning Life Cycle

A

Formal process for creating, changing and removing users. This includes user approval, creation, creation standards and authorization.
Users should always sign a statement explaining conditions and responsibilities.
Access modification and removal procedures should be documented.
User provisioning policies should be integrated into HR management: HR formally requests creation or deletion of a user account.

45
Q

Access Control Monitoring

IDS
IPS

A

IDS - detects unauthorized access or attacks
IPS - detects and acts to prevent and contain an attack

46
Q

Access Control Monitoring

Network-based IDS
Host-based IDS

A

Network-based IDS - most common. Monitors network traffic
Host-based IDS - monitors a single system. Protects the system it is installed on by using audit trails and logs

47
Q

IDS Implementations

Signature based
Anomaly based
Rule or Heuristic based

A

Signature based - analyzes traffic and compares it to the attack signatures in the IDS database
Anomaly based - analyzes traffic and compares it to normal traffic to determine whether it is a threat
Rule or Heuristic based - an expert system that uses a knowledge base, an inference engine and rule-based programming. Knowledge is configured as rules. Data and traffic are analyzed and the rules are applied to the analyzed traffic

48
Q

Signature based implementations

Pattern Matching
Stateful Matching

A

Pattern Matching - compares traffic to a database of attack patterns
Stateful Matching - records the initial OS state. Any changes to it that violate the defined rules result in alerts

49
Q

Anomaly based implementations

statistical
protocol
traffic

A

statistical - samples the live environment; the longer it runs, the more accurate the profile it builds
protocol - has knowledge of the protocols it monitors. A profile of normal usage is built and traffic is compared against it
traffic - the IDS tracks traffic pattern changes. All future traffic patterns are compared to the sample

50
Q

Access Control Threats

Password threats

A

Dictionary
Attackers use a dictionary of words to discover passwords

Brute Force (aka exhaustive attack)
Attackers work through all possible combinations of numbers and characters

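Worked example (added here; not part of the original flashcards): the dictionary attack and the exhaustive attack run against a constructed table of unsalted SHA-256 hashes, beside the salted, iterated hashing (PBKDF2) a defender should store instead. The wordlist, the "stolen" hashes and the iteration count are constructed for the demo, and the numeric brute force is what the earlier card means by numeric passwords having a small, known keyspace.

```python
"""Dictionary and brute-force (exhaustive) attacks on stored password hashes, next to
the salted, slow hashing that blunts them.

Added example, not part of the original flashcards. The wordlist, the "stolen"
hash table and the PBKDF2 parameters are constructed for the demo; real attacks
use far larger wordlists and GPU hashing, which is exactly why the defender side
matters.
"""
import hashlib
import hmac
import itertools
import os
import string
from typing import Dict, Optional, Tuple

WORDLIST = ["password", "letmein", "dragon", "sunshine", "qwerty"]


def fast_hash(password: str) -> str:
    """Unsalted single SHA-256: what a weak system stores and what the attacker recomputes."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed leaked table: one dictionary word, one 4-digit numeric PIN, one complex password.
STOLEN: Dict[str, str] = {
    "alice": fast_hash("dragon"),
    "bob": fast_hash("4821"),
    "carol": fast_hash("T!k8$rQ2pL"),
}


def dictionary_attack(target: str, wordlist=WORDLIST) -> Optional[str]:
    """Hash each candidate word and compare; cost is one hash per word."""
    for word in wordlist:
        if fast_hash(word) == target:
            return word
    return None


def brute_force(target: str, alphabet: str = string.digits, max_len: int = 4) -> Optional[str]:
    """Exhaustive search of every string up to max_len over the alphabet.

    A numeric PIN of length n has only 10**n possibilities, which is why the
    flashcard calls numeric passwords easy to guess."""
    for n in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=n):
            cand = "".join(tup)
            if fast_hash(cand) == target:
                return cand
    return None


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive attack must cover."""
    return alphabet_size ** length


def crack_all(stolen: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Try the cheap attack first, then the exhaustive one; None means neither succeeded."""
    return {user: dictionary_attack(h) or brute_force(h) for user, h in stolen.items()}


# Defender side: a random per-user salt defeats precomputed tables and makes identical
# passwords hash differently; PBKDF2's iteration count makes every guess expensive.
ITERATIONS = 100_000  # constructed for the demo; tune to your hardware budget


def store_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check_password(password: str, salt: bytes, stored: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    print(crack_all(STOLEN))
    print("4-digit PIN keyspace:", keyspace(10, 4), " 10-char alphanumeric:", keyspace(62, 10))
```

Carol's password survives only because it is outside both the wordlist and the tried keyspace; the salt plus iteration count is what protects the other two once the hash table leaks.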
51
Q

Access Control Threats

Social Engineering Attacks

A

Phishing - attackers trick users into handing over personal data, typically with a fake website that mimics a legitimate one
Pharming - pollutes the DNS cache of the user's computer (or its resolver) so legitimate sites are rerouted to the attacker's site
Shoulder surfing - attacker watches when a user enters login or other data
Identity theft - someone obtains personal information and uses it to assume the identity of the victim
Dumpster diving - attackers examine garbage to obtain confidential information

52
Q

Access Control Threats

DoS / DDoS
Buffer Overflow
Mobile Code

A

DoS / DDoS - attackers flood a device with enough requests to degrade the performance of the targeted device. ie SYN flood, Teardrop
Buffer Overflow - data submitted to an application is larger than the buffer can handle, overwriting adjacent memory
Mobile Code - any software transmitted over a network to be executed on the local system

53
Q

Access Control Threats

Malicious Software
Virus
Worm
Trojan Horse
Spyware

Spoofing

A

Virus - malware that attaches to another application to replicate or distribute itself
Worm - malware that replicates itself without another application or human interaction
Trojan Horse - malware disguised as a needed application while performing malicious activity
Spyware - malware that collects private data
Spoofing - when communication from an attacker appears to come from a trusted source

55
Q

Access Control Threats

Sniffing
Emanating
Backdoor / Trapdoor

A

Sniffing - a device or software that collects all information transmitted over the medium
Emanating - electromagnetic signals emitted by an electronic device. TEMPEST, by the US and UK, researches ways to limit this
Backdoor / Trapdoor - a mechanism built into a device or program that bypasses normal authentication and gives the user privileged (root) access to it

56
Q

Define a security domain

A

A domain that's managed by the same group using the same security policy.
A security domain builds on the definition of a domain (the set of resources available to a subject) by adding that the resources within the domain operate under the same security policy and are managed by the same group.
Different domains are separated by logical boundaries such as firewalls, directory services, etc.

57
Q

Does TACACS+ use TCP and encrypt all data between client and server?

A

Yes. TACACS+ runs over TCP and encrypts the entire packet body; only the header is sent in the clear.

58
Q

Does RADIUS only encrypt the password?

A

Yes

59
Q

Are Attribute Value Pairs (AVPs) constructs that outline how entities will communicate?

A

Yes. They are not protocol parameters.

60
Q

Is time synchronization a characteristic of counter-based token devices?

A

No. Counter-based means that the server and token share the same list of access codes and the same secret key. The secret key encrypts the access code, which is the one-time password the user enters for authentication.

61
Q

At a trade show, is a constrained user interface a good way to prevent test users from gaining elevated privileges at a demonstration system?

A

Yes

62
Q

What type of token uses a challenge-response system?

A

Asynchronous. The server sends a challenge (nonce); the user enters it into the token, which encrypts it and returns a value that is used as the one-time password.

63
Q

If you see several brute force attempts, is reducing the clipping level a good solution?

A

Yes. In this case the clipping level is the number of failed login attempts allowed before the account is locked out.

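Worked example (added here; not part of the original flashcards) applying a clipping level to login failures, the mechanism behind this card and the baselining/clipping-level card (30): constructed sshd-style log lines are parsed, failures per account are counted inside a sliding window, and the failure that exceeds the clipping level produces a lockout event. The log format, accounts and timestamps are constructed for the demo.

```python
"""Clipping level for failed logins, applied to constructed auth log lines.

Added example, not part of the original flashcards. The log format is a
simplified sshd-style line constructed for the demo; the clipping level is the
number of failed attempts an account may accumulate inside the window before
the next failure triggers a lockout event.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample: alice fails 4 times in 5 seconds then succeeds; bob fails
# once every 20 minutes ("low and slow"); one probe against a nonexistent account.
LOG_LINES = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:05 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:06 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:08 sshd: Accepted password for alice from 203.0.113.7
2024-05-01T10:10:00 sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:30:00 sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:50:00 sshd: Failed password for bob from 198.51.100.9
2024-05-01T11:10:00 sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:00:12 sshd: Failed password for invalid user admin from 192.0.2.5
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)$"
)

Event = Tuple[datetime, str, bool, str]  # (timestamp, user, failed?, source ip)


def parse_events(lines: List[str]) -> List[Event]:
    """Parse and sort by time; log files are not guaranteed to be in order."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # unrelated lines are skipped, not an error
            events.append((datetime.fromisoformat(m["ts"]), m["user"],
                           m["result"] == "Failed", m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_lockouts(lines: List[str], clipping_level: int = 3,
                    window_minutes: int = 5) -> Dict[str, datetime]:
    """Return {user: time of the failure that exceeded the clipping level}.

    Failures older than the window are forgotten; a successful login resets the count."""
    window = timedelta(minutes=window_minutes)
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    locked: Dict[str, datetime] = {}
    for ts, user, failed, _ip in parse_events(lines):
        if not failed:
            recent[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > clipping_level and user not in locked:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    print("5-minute window:", detect_lockouts(LOG_LINES))
    print("2-hour window:  ", detect_lockouts(LOG_LINES, window_minutes=120))
```

With the default 5-minute window only alice trips the clipping level; bob's attempts are spaced so that each one has aged out before the next arrives, which is why the window, not just the count, has to come from the baseline on card 30 (widen it to two hours and bob is caught too).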
64
Q

Are behavioral biometrics more or less accurate than physiological attributes?

A

Less. They can change over time.

65
Q

What is a virtual password?

A

The password, in the length and format required by the application, that a user's passphrase is transformed into.