Access Control - Domain 1 Flashcards
1
Q
Q
A
A
2
Q
What do Access Control mechanisms protect against?
A
Protect information and resources from unauthorized disclosure, modification and destruction.
3
Q
What do Access Control mechanisms defend against?
A
The defend against unauthorized entry, access and use.
4
Q
Three main types of Access Control Mechanisms:
A
Physical, Administrative, and Technical.
5
Q
What do Administrative Controls do in Access Control:
A
Develop policies, standards and procedures. Screen personal, security awareness training, monitoring system and network activity, and change control.
6
Q
What do Technical Controls do in Access Control:
A
Logical mechanisms that provide password and resource management, identification and authentication, and software configurations.
7
Q
What do Physical Controls do in Access Control:
A
Protect individual systems, the network, employees, and the facility from physical damage.
8
Q
What are the 8 Access control administrative controls?
A
- Develop a security program. 2. Determine compliance levels and consequences of non-compliance. 3. Indicate who has authorized access and who is unauthorized. 4. Classifying data and enforcing the necessary protection required for that classification. 5. Developing policies and standards and enforcing them when they are broken. 6. Developing an incident response team. 7. Developing a business continuity and disaster recovery plan. 8. Operational and continuity testing.
9
Q
What are the 5 Access control technical controls?
A
- Implement access control - requiring users to authenticate before accessing a system or data. 2. Encrypting data where it is stored or transmitted, 3. Implement firewalls and IDS. 4. Fault tolerance and load balancing. 5. Auditing.
10
Q
What are the 5 Access control physical controls?
A
- Locks and alarms on doors.2. Security guards watching for suspicious individuals and activities. 3. IDS to physical protect the facility. 4. Removing floppy drives so information cannot be copied and brought out of a building. 5. Storing backup data in a fire proof safe and/or at an offsite facility.
11
Q
What are the 7 Access Control types/categories:
A
- Preventative. 2. Detective. 3. Corrective. 4. Deterrent. 5. Recovery. 6. Compensation. 7.Directive.
12
Q
What are the 4 Preventative-Administrative control combinations?
A
- Policies and procedures. 2. Pre-employment background checks. 3. Data classification and labeling. 4. Security awareness.
13
Q
What are the 3 Preventative-Physical control combinations?
A
- Badges and swipe cards. 2. Guards, dogs, motion detectors, CCTV. 3. Fences, locks, man traps, alarms.
14
Q
What are the 3 Preventative-Technical control combinations?
A
- Passwords, biometrics, smart cards. 2. Encryption, protocols, call-back systems, database views, constrained user interface. 3. Anti-virus software, ACL’s, firewalls, routers, slipping levels.
15
Q
What are the 4 Detective-Administrative control combinations?
A
- Job rotation. 2. Sharing responsibilities. 3. Inspections. 4. Incident response.
16
Q
What are the 3 Detective-Technical control combinations?
A
- IDS. 2. Reviewing audit logs. 3. Reviewing violations of clipping levels.
17
Q
What is the Detective-Physical control combination?
A
Human evaluation of output from sensors or cameras.
18
Q
Access control definitions - Subject:
A
Active entity that requests access to an object or the data within an object.
19
Q
Access control definitions - Object:
A
Passive entity that contains information.
20
Q
Access control definitions - Access:
A
Ability of subject to do something.
21
Q
Access control definitions - Access Control:
A
Security features that control how subjects and objects communicate and interact with other subjects and objects.
22
Q
Access Control - Identification
A
Identifying the subjects using username, smart card or memory card.
23
Q
Access Control - Authentication
A
Proving the subject is who it claims to be with a second piece of a credential set.
24
Q
Access Control - Authorization
A
Granting access to resources based on a criteria.
25
Access Control - Accounting
Keeping records of activity.
26
Access Control - Authenticating a subject
A subject must prove its identity.
27
Access Control - Authentication types
1. Something you know. 2. Something you have. 3. Something you are.
28
Access Control - TFA
Strong authentication employs two out of the three authentication types.
29
Access Control - Mutual authentication
Two-way authentication.
30
Access Control - What are the five things a user knows?
1. Password. 2. Personal history. 3. Passphrase. 4. PIN. 5. Graphical.
31
Access Control - Password characteristics
1. Cheapest lest secure, most widely used authentication technology. 2. Least secure because users choose easy passwords, share them, write them down, or do not change them. 3. Lack of strict password policy enforcement reduces security. 4. Password generators can create complex passwords, but users will just write them down.
32
Access Control - Password best practices
1. Use at least 8 characters - alphanumeric/upper and lower case. 2. User should not be able to reuse password or share it. 3. Threshold (clipping level) of acceptable number of failed logins logged. 4. Audit log should contain date, time, userid, and workstation logged in from. 5. Password lifetime should be short, but practical.
33
Access Control - Password type - Cognitive
1. Fact or opinion based information used to verify an individuals identity. 2. Enrollment phase includes questions about one’s life. 3. Easier to remember than a password.
34
Access Control - Authentication mechanism - Passphrase
1. A sequence of characters longer than a password. 2. Once entered, the software transforms it into a virtual password. 3. Usually easier for a user to remember.
35
Access Control - Type 2 Authentication
1. Token device. 2. Cryptographic keys. 3. Memory cards. 4. Smart cards.
36
Access Control - OTP generators
1. Dynamic password that is good for only one time. 2. Useless if an attacker obtains password. 3. Usually created via token device.
37
Access Control - Synchronous OTP
1. Synchronizes with the authentication device by using time or an event as the core piece of the authentication process.
38
Access Control - Asynchronous OTP
Challenge response scheme to communicate with the authentication service.
39
Access Control - Token - cons
1. Can be lost. 2. Schemes can fall prey to masquerading if the user shares information.
40
Access Control - Token- pros
1. Not as vulnerable to electrical eavesdropping, replay attacks, and password guessing. 2. Provides a higher level of protection than static passwords.
41
Authentication Mechanism - Crypto Keys
1. Private or digital signature can be used to prove ones identity. 2. Used when more security is required.
42
Authentication Mechanism - Memory Card
1. Card holds user authentication information. 2. User puts card in reader and enters USN and PIN. 3. Card only holds information, doesn’t process it. 4. Added cost of reader, card creation, and maintenance.
43
Authentication Mechanism - Smart Card
1. Has a microprocessor. 2. Tamperproof mobile storage of user authentication data. 3. Can work with PKI to provide mutual authentication of parties. 4. After a threshold of failed login attempts, it can render itself unusable.
44
Two types of Smart Cards
1. Contact. 2. Contactless.
45
What is Type 3 authentication method?
Biometrics - Something you are.
46
Biometrics - Physical attributes for authentication:
1. Verifies an individuals identity by a unique personal attribute. 2. Most accurate, sophisticated and expensive way of identifying individuals. 3. Low acceptance rate by society. 4. Staic versus dymanic.
47
Biometrics - contrast static versus dynamic.
Physiological (what you are) versus behavioral (what you do)
48
Biometrics process - Enrollment
Enrollment stores attributes in a reference file. When the user needs to authenticate his attributes are compared to this file. Process looks at highly detailed information. and is prone to errors.
49
Biometric enrollment - Type 1 error
Rejects authorized individual - False rejection rate (FRR)
50
Biometric enrollment - Type 2 error
Accepts imposter - False acceptance rate (FAR)
51
Biometric - Cross Over Error Rate
A rating that represents the point at which the Type 1 error are equal the Type 2 errors.
52
Biometric - Cross Over Error Rate - state two metrics
Error Level and sensitivity setting.
53
Biometrics - contrast CER 3 versus CER 4
The lower the CER the more accurate the system.
54
Types of Biometrics
Fingerprint, Palm Print, Finger Scan, Hand geometry, Retina Scan, Iris Scan, Facial Scan, Hand Topology, Signature Dynamics, Keyboard Dym=namics, Voice Print
55
Authorization
The process of comparing a subjects credentials and permissions to an access criteria.
56
List the 4 Access Criteria characteristics
1. Clearance. 2. Need to know. 3. Least privilege. 4. Default to “no access”.
57
Define separation of duties
Dividing roles and responsibilities of individuals or departments so that one critical task cannot be performed by one entity.
58
Define dual control.
Ensuring that more than one individual has to be involved in completing a task.
59
SSO
1. Requires users to present their credentials once. 2. Users then can access all resources. 3. Less administration. 4. Centralization of user information. Users only need to remember one set of reds.
60
SSO Technologies
1. Scripts. 2. AD (Directory Services). 3. Kerberos 4. Sesame 5. Thin Clients
61
SSO - Kerberos
1. Authentication protocol. 2. Uses symmetric key (DES). 3. Ticket based authentication.
62
SSO - Kerberos compnents
1. Key Distribution Center (KDC). 2. Principals (user, applications, services). 3. Realm. 4. Ticketing granting service (TGS). 5. Authentication Server. 6. Ticket Granting Ticket (TGT). 7. Ticket. 8. Secret and session keys.
63
SSO _ Kerberos Weakness
1. Provides authentication, confidentiality, and integrity only. 2. KDC is single point of failure. 3. Keys are stored local on WS. 4. Kerberos susceptible to password guessing. 5. All principals must be “kerborized”.
64
SSO - Sesame
1. Secure European System for Applications in a Multi-Vendor Environment. 2. Uses PKI. 3. Adds more access control features. 4. Vulnerable to password guessing.
65
Access Control Model
1. A framework that dictates how subjects access objects. 2. Uses technologies and methods to enforce the rules and objectives of the security policy.
66
Access Control models (3)
1. Discretionary (DAC-TCSEC). 2. Mandatory (MAC-TCSEC). 3. Role-based Access control (RBAC-NIST).
67
Discretionary Access Control (DAC) Characteristics
1. Data owner specifies who can access resources. 2. Data owner is usually the creator and has full control of object. 3. Called discretionary because control of access is based on the discretion of the owner. 4. Mostly implemented through ACL’s., based on “need to know” 5. DAC model is used in environments that do not require a high level of centralized security. User-controlled sharing that reduces central system administration. 7. End users are usually not the owners of all the objects they access - the corporation is the actual owner.
68
Mandatory Access Control (MAC) Characteristics
1. Access is based on security clearance of subject and classification of object. 2. Each user is assigned a clearance, and each object has a classification and compartment stored in its security label. 3. Access is decided by the system and not up to the discretion of the owner - subject cannot pass access permission to another subject. 4. Used in environments that require high levels of security and structure - DAC = uncles, MAC is class. Used in many military installations.
69
Security Labels
1. Each object has a security label indicating its classification. 2. Compartments or categories enforce a need to know basis. 3. In MAC, access decisions are based on these labels.
70
Labels (Security)
1. Key to MAC decision making. 2. To access and modify an object, the subjects label must dominate the objects label. 3. A physical unique label is not necessary for every object. 4. Trusted computer system ensures that labels cannot be arbitrarily changed. 5. Trusted computer controls flow fo information between classification levels.
71
MAC vs DAC
MAC = security label vs DAC = ACL
72
Role-Based Access Control (RBAC)
1. Allows access to objects based on the role the user holds within the company. 2. Administrators assign a user to a role and then assign access rights to that role, not directly to the user. 3. This is best used in environments witha high rate of turnover of employees. 4. Roles can be based on role user fulfills in organization and tasks user performs.
73
RBAC - Characteristics
1. Security policy based on global rules imposed for all objects. 2. MAC is an example of a Rule_based Access Control approach.
74
Access Control Technique - RBAC
1. RBAC techniques are based on specific rules that indicate what can and cannot happen to an object. 2. Access is not necessarily granted based on subjects identity.
75
Access Control Technique - Restricted Interfaces
1. Menus - only the functions that the administrator wants a user to be able to perform are provided in a menu. 2. Shells - only the commands that the administrator wants a user to be able to run will be available in the shell environment. 3. Database views - dbase can be configured to only show certain information to different users, depending on their credentials. 4. Physically constrained - only providing a limited keypad or touch buttons on a screen as in ATM machines. 5. Encryption - requires a decryption key to unmask sensitivity information.
76
Access Control Matrix Model
1. Two dimensional matrix representing subjects in rows and objets in columns. 2. Specifies the operations and access rights allowed for each subject as it relates to its specific objects. 3. Operating systems implement this model in a. capabilities b. profiles and c. ACL’s.
77
Access Control Technique - Capability Table and ACL’s
1. A capability table specifies the access rights a certain subject possesses pertaining to specific objects. 2. ACL’s are used to authorize a subject to an object.
78
Identity Management
Set of technologies that offer greater ease and flexibility to manage users. 1. Host - The system, user, application, or service providing an interface for identification and authentication. 2. Requestor - sometimes referred to as Network Access Server (NAS) it provides a challenge to the host. 3. Authenticatior - the systems that perform the validation of the users credentials.
79
Who can use Identity Management.
1. Operating Systems. 2. Servers. 3. Users. 4. Human Resources. 5. Payroll. 6. Different applications. 7. Customer Relationship Managment. 8. E-Commrce. 9. Enterprise Resource Managment Systems Planning. (ERP).
80
Example of Identity Management.
1. Microsoft Passport. 2. Liberty Alliance. 3. Open ID.
81
Benefits of Identity Management.
1. Reduce duplication of user accounts. 2. Reduce number of orphan accounts. 3. Reduce number of passwords being used. 4. Can scale to very large enterprise. 5. Work with SSO. 6. Can be viewed as a super sign - from one company to another - from one service provider to another - can be federated to a very large scale - B2B, B2C, etc…
82
ID Mgnt - Subject
Person, group, corporation, software program, or other entity making a request to access a resource (object).
83
ID Mgnt - Resource
Web page, dbase data, file, or transaction.
84
ID Mgnt - Attributes
Medical history, past purchases, bank balance, credit rating, dress size, age, sex, etc…
85
ID Mgnt - Preferencs
Desires such as airline seat, brand name, use of a specific crypto standard, current, color, etc.
86
ID Mgnt - Traits
1. Features of the subject that are inherent. 2. Blue eyes, where and how a company was formed.
87
ID Mgnt - Identity
1. Collection of data representing attributes, preferences, and traits. 2. Needed to access a resource.
88
ID Mgnt - Credentials
1. Proof that a subject can assert a particular identity. 2. A way of transferring trust between identities. 3. Must present credentials to access a resource.
89
SAML
1. Framework for authorization and authentication. 2. Allow exchange of security information between vendors. 3. Provides a. SSO b. federated identity c. web services d. Simple Object Access Protocol (SOAP) e. credential transport in SOAP f. XML signature and g. XML encryption.
90
Log Protection
1. Attackers usually try to scrub logs to cover their tracks.2. Integrity of logs can be protected with hashing algorithms, digital signatures, and Host IDs. 3. Their condfidentiality can be protected by storing them encrypted. 4. They can be stored on write-once media.
91
Attacks on access controls
1. Unauthorized disclosure of information. 2. Impersonation. 3. Rogue infrastructure. 4. Replay attacks.
92
Social Engineering
1. Pretending to be a repairman. 2. Spoofing e-mail. 3. Impersonating another person.
93
Prevent Unauthorized Disclosure
1. Reassigning media once it has contained sensitive information. 2. Media should be cleared of any residual information before given to another subject. 3. Many times easier than it sounds. 4. Degaussing maybe required. 5. Physically destroying.
94
Deleting a file or formatting a disk
1. Object reuse. 2. Data remnants. 3. clearing - same organization. 4. Purging - for outside use..
95
Unauthorized disclosure - Emanation Security
1. All electronic devices emit electronic radiation. 2. With the right equipment, an attacker can capture this data and reassemble it back into its original format, thus accessing data in an unauthorized manner. 3. There are three main countermeasures to protect from this type of compromise - TEMPEST, white noise, and control zones (Faraday Cage). 4. Today the word TEMPEST is not used frequently - now referred to as Emission Security - EMSEC.
96
TEMPEST
1. A study and control of spurious emitted electronic signals. 2. Vendors must meet Tempest standards if they want their product to be considered a TEMPEST product. 3. Special shielding in equipment to lower amount of radiation leakage. 4. Technology is complex and expensive, thus only used in high security areas.
97
White Noise
1. A uniform spectrum of random electronic signals, which confounds an intruders attempt to decipher real information from random nooise. 2. Jamming the signal.
98
Attacks on Passwords
1. Dictionary - program with a file of passwords. 2. Brute Force - program that tries different characters, note words. 3. Hybrid attacks.
99
Accountability - Auditing
1. Ensure that users are accountable for their actions. 2. Verift that the security policies are enforced. 3. Detect Malicious Activity. 4. Ability to undertake preventive measures when attacks are detected. 5. Used as investigation tools.
100
Accountability - Auditing Types
1. Real-time - IDS. 2. Non-Real-time - reviewing logs. 3. A well protected environment would use both.
101
Steps of Access Control
1. Company decides on the access control model they will use - MAC vs DAC. 2. The technologies and techniques that will be used within that model are decided on. 3. Next decision is how access is managed - a. centralized b. decentralized. c. Hybrid.
102
Centralized Access Control - Radius
1. Remote authentication dial-in user service (RADIUS) is an authentication protocol that authenticates and authorizes users. 2. Handshaking protocol that allows the Radius server to provide authentication and authorization information to netwrok server. 3. User usually dials in to an access server (Radius Client) that communicates with the Radius server. 4. Radius server usually contains a database of users and reds. 5. Comms between client and server is protected.
103
Radius steps
1. User initiates PPP authentication with ISP. 2. Radius client prompts for creds. 3. User supplies reds. 4. Radius client sends reds to Radius server. 5. Radius server responds with Accept, reject, or Challenge. 6. If authentication is successful Radius client allows access to networks.
104
TACACS+
1. Terminal Access Controller Access Control System authentication protocol used to authenticate remote users (Cisco). 2. Splits authentication, authorization, and auditing features. 3. Cisco prop
105
Diameter - Remote Authentication Protocol
1. Next gen Radius. 2. Radius is limited to SLIP or PPP dial up connections. 3. Internet protocol that supports seamless and continuous connectivity for mobile devices - such as PDA’s, laptops, or cell with Internet data capabilities. 4. Move between service provider networks and change their points of attachment to the Net. 5. Including better message transport, proxying, session control, and higher security for AAA transactions.
106
Directory tree
1. Root. 2. Country. 3. Org. 4. OU. 5. Individual.
107
Access Controls - Physical Layer
1. Network segregation. 2. Perimeter Security. 3. Computer Controls. 4. Work area separation. 5. Cabling.
108
Access Controls Summary
1. Access controls are the first line of defense. 2. They dictate how subjects access objectes and resources. 3. Their main goal is to protect resources from unauthorized access. 4.The models are DAC, MAC, RBAC and RuBAC. 5. The admin of the model can be centralized, decentralized or hybrid. 6. The controls can be administrative, technical, or physical. 7. the controls can supply preventative, detective, and corrective services., recovery, compensation and deterrent.
