Access Controls

Question 1

¿Qué significan las siglas IAAA?

Answer 1

Identification / Authentication / Authorization / Accounting

Question 2

¿A qué se refiere el término “Identification”?

Answer 2

Making a claim

Question 3

¿A qué se refiere el término “Authentication”?

Answer 3

Allows users to support the claim of their identity.

Question 4

¿Qué es “Identity and Access Management?

Answer 4

Services/ Policies/ procedures for managing a digital identity/provisioning.

Question 5

¿A qué se refiere el término “Authorization”?

Answer 5

Confirms than an authenticated entity has the privileges and permissions necessary.

Question 6

¿Qué significa el acrónimo CRUD?

Answer 6

Create / Read/ Update/ Delete

Question 7

¿Cuáles son los modelos de control de acceso más comúnes?

Answer 7

• DAC, Discretionary Access Control
• MAC, Mandatory Access Control
• RBAC, Role Based Access Control
• RUBAC, Rule Based Access Control

Question 8

¿A qué se refiere el término “Accountability”?

Answer 8

Tracing an action to a subject, also known as auditing

Question 9

¿En qué consiste el modelo DAC?

Answer 9

Discretionary Access Control

• Security of an object is at the owner’s discretion
• Identity based, who you are?

Question 10

¿En qué consiste el modelo MAC?

Answer 10

Mandatory Access Control

• Data owners cannot grant access
• Labels
• Users and data are given a clearance level (confidential, secret, top secret)

Question 11

¿En qué consiste el modelo RBAC?

Answer 11

Each role as a set of rights and permissions which cannot be changed.

Question 12

¿Cuáles son los tipos (factores) de autenticación?

Answer 12

Type 1: something you know
Type 2: something you have
Type 3: something you are

Question 13

¿What’s a cognitive password?

Answer 13

Son preguntas del tipo: ¿a qué escuela fuiste?

Question 14

¿Cuál es el objetivo de los “clipping levels?

Answer 14

reduce administration overhead

Question 15

Ejemplo de factores de autenticación tipo 2:

Answer 15

• Token
• Smart Card
• Memory Card
• HW Key
• Certificate
• Cryptographic key

Question 16

Características de los “Synchronous Token Devices”?

Answer 16

• Rely upon synchronizing with authentication server.

- Authentication server knows what “password” to expect based on time or event.

Question 17

¿Cómo funciona un “Asynchronous Token Devices”?

Answer 17

• User logs in
• Authentication returns a challenge to the user
• User types challenges string into token device and presses enter.
• Token devices return a reply
• Only that specific user’s token device could respond with the expected reply.

Question 18

¿Cuál es la característica principal de las Memory Cards?

Answer 18

• Holds information, does not process

- A credit card or ATM card is a type of memory card.

Question 19

¿Cuál es la característica principal de las SMART CARD?

Answer 19

• Chip
• Often integrated with PKI
• Includes a microprocessor.
• New credit cards

Question 20

¿Cuáles son algunos ataques conocidos a las SMART CARDS?

Answer 20

• Fault generation
• Micro probing
• Side channel attacks, differential power analysis, electromagnetic analysis.

Question 21

¿Cuáles son los dos tipos en los que se clasifican los biométricos?

Answer 21

Estáticos

Dinámicos

Question 22

¿Qué es un biométrico estático?

Answer 22

should not significantly, change over time. Bound to a user’s physiological traits. Fingerprint, hand geometry, iris, retina, etc.

Question 23

¿Qué es un biométrico dinámico?

Answer 23

Based on behavioral traits. Voice, signaturem keyboard cadence.

Question 24

¿A qué se le conoce como Error tipo 1?

Answer 24

FALSE REJECTION, a legitimate user is banned form access.

Question 25

¿A qué se le conoce como error tipo 2?

Answer 25

FALSE ACCEPTANCE, an impostor is allowed access.

Question 26

The level at which the FRR and the FAR meet is called:

Answer 26

CER (Crossover Error Rate). The lower the number, the more accurate the system. Iris scans are the most accurate.

Question 27

What are the most known biometrics concerns?

Answer 27

- User acceptance - Many users fell biometrics are intrusive - Cost/benefit analysis - No way to revoke biometrics

Question 28

Menciona ejemplos de tecnologías de single-sign on:

Answer 28

- Kerberos - LDAP - Sesame - Krypto Knight

Question 29

¿Qué es kerberos?

Answer 29

A network authetication protocol designed from MITs project Athena. Kerberos tries to ensure authentication security in an insecure environment.

Question 30

¿Qué tipo de cifrado usa kerberos?

Answer 30

Uses symmetric encryption to verify identifications.

Question 31

¿Cuáles son los componentes de kerberos?

Answer 31

- AS (Authentication server) - TGS (Ticket Granting Service) - KDC (Key Distribution Center) --> runs the TGS & AS

Question 32

¿Qué un ticket en Kerberos?

Answer 32

Means of distributing session key.

Question 33

Menciona brevemente como funciona kerberos:

Answer 33

Kerberos funciona como una "FERIA" donde se debe autenticar el usuario a la entrada para que le den un ticket (TGT) para poder accesar. Una vez dentro debe de contar con tickets de servicio (TGS) dependiendo a donde quiere accesar. Una vez dentro en el servicio las ACL's definen si puede o no accesar al servicio.

Question 34

What's a constrained user interfaces?

Answer 34

Restrict user access by not allowing them see certain data or have certain funcionality. Examples: views, restricted shells.

Question 35

What's a context dependant access control?

Answer 35

System reviews a situation, then makes a decision on access. P. ej. no acceso a nóminas desde casa o después de las 18 horas.

Question 36

¿Cuáles con las tecnologías o métodos de control de acceso mas conocidos?

Answer 36

- Rule Based Access Control - Constrained User interfaces - Content Dependant Access Control - Context Dependant Access Control

Question 37

What's a Content Dependant Access Control?

Answer 37

Access is determined by the type of data. P. ej. email filters tha look for specific things like "confidential", "SSN" images etc.

Question 38

¿A qué se refiere el término "Centralized Access Control Administration"?

Answer 38

A centralized place for configuring and managing access control. All the AAA protocols: Authentication, Authorization, Auditing.

Question 39

Menciona ejemplos de Centralized Access Control Administration:

Answer 39

- RADIUS - TACACS - TACACS + - DIAMETER

Question 40

¿Qué es RADIUS?

Answer 40

RADIUS (Remote Authentication Dial-In User Services) is an authentication protocol that authenticates and authorizes users.

Question 41

¿Cómo funciona el servicio RADIUS?

Answer 41

1. - Users usually dial in to an access server (RADIUS client) that communicates with the RADIUS server. 2. - RADIUS server usually contains a database of users and credentials. 3. - Communication between the RADIUS client and server is protected.

Question 42

¿Qué protocolo usa RADIUS?

Answer 42

UDP

Question 43

¿Qué protocolo usan TACACS, TACACS+, DIAMETER?

Answer 43

TCP

Question 44

¿Cuál es el modelo que usa RADIUS?

Answer 44

Supplicant (system trying to connect LAN) + Authenticator (access point, VPN Server) + Central Authenticator Server.

Question 45

¿Cuál es el estandar que usa RADIUS?

Answer 45

802.1x / EAPoL (EAP over LAN)

Question 46

¿Qué significas las siglas EAP?

Answer 46

Extensible Authenticator Protocol. Extends beyond passwords and supports many means of authentication.

Question 47

¿Qué significas las siglas CHAP?

Answer 47

Challenge Handshake Authentication Protocol, better but can only use passwords.

Question 48

¿Qué es Tempest?

Answer 48

Is a standard to develop countermeasures to protect against this: all devices give off electrical/ magnetic signals.