Controlling and Monitoring Access Flashcards
Identify common authorization mechanisms
Authorization ensures that the requested activity or object access is possible, given the authenticated identity’s privileges. For example, it ensures that users with appropriate privileges can access files and other resources. Common authorization mechanisms include implicit deny, access control lists, access control matrixes, capability tables, constrained interfaces, content-dependent controls, and context-dependent controls. These mechanisms enforce security principles such as need to know, the principle of least privilege, and separation of duties.
Describe key concepts of the Discretionary Access Control (DAC) model
With the DAC model, all objects have owners, and the owners can modify permissions. Each object has an access control list defining permissions, such as read and modify for files. All other models are nondiscretionary models, and administrators centrally manage nondiscretionary controls.
Describe key concepts of the Role-Based Access Control (RBAC) model
RBAC models use task-based roles, and users gain privileges when administrators place their accounts into a role or group. Taking a user out of a role removes the permissions granted through the role membership.
Describe key concepts of the rule-based access control model
Rule-based access control models use a set of rules, restrictions, or filters to determine access. A firewall’s access control list includes a list of rules that define what access is allowed and what access is blocked.
Describe key concepts of the Attribute-Based Access Control (ABAC) model
An ABAC model is an advanced implementation of a rule-based access control model, applying rules based on attributes. Software-defined networks (SDNs) often use an ABAC model.
Describe key concepts of the Mandatory Access Control (MAC) model
The MAC model uses labels to identify security domains. Subjects need matching labels to access objects. The MAC model enforces the need to know principle and supports a hierarchical environment, a compartmentalized environment, or a combination of both in a hybrid environment. It is frequently referred to as a lattice-based model.
Describe key concepts of the risk-based access control model
A risk-based access control model evaluates the environment and the situation, and makes decisions based on software-based security policies. It can control access based on multiple factors such as a user’s location, determined by IP addresses, whether the user has logged on with multifactor authentication, and the user’s device. Advanced implementations can use machine learning to evaluate risk.
Understand single sign-on methods used on the internet
Single sign-on (SSO) is a mechanism that allows subjects to authenticate once and access multiple objects without authenticating again. Security Assertion Markup Language (SAML) is an open XML-based standard used to exchange authentication and authorization information. OAuth 2.0 is an authorization framework described in RFC 6749 and supported by many online sites. OASIS maintains OpenID and OpenID Connect (OIDC). OpenID provides authentication. OIDC provides both authentication and authorization by using the OAuth framework and building on the OpenID standard.
Describe Kerberos
Kerberos is the most common SSO method used within organizations. The primary purpose of Kerberos is authentication. It uses symmetric cryptography and tickets to prove identification and provide authentication. One server synchronizes its time with a Network Time Protocol (NTP) server, and all clients within a network synchronize with the same time.
Understand the purpose of AAA protocols
Several protocols provide centralized authentication, authorization, and accounting services. Network access (or remote access) systems use AAA protocols. For example, a network access server is a client to a RADIUS server, and the RADIUS server provides AAA services. RADIUS uses UDP and encrypts the password only. TACACS+ uses TCP and encrypts the entire session. Diameter is based on RADIUS and improves many of the weaknesses of RADIUS, but Diameter is not compatible with RADIUS.
Describe privilege escalation
Attackers use privilege escalation techniques to gain additional privileges after exploiting a single system. They typically try to gain additional privileges on the exploited systems first. They can also reach other systems in a network and attempt to gain elevated privileges on them. Limiting privileges given to service accounts reduces the success of some privilege escalation attacks. This includes minimizing the use of the sudo account.
Know about pass-the-hash attacks
Pass-the-hash attacks allow an attacker to impersonate a user with the captured hash of a user’s password instead of the user’s password. Pass-the-hash attacks typically exploit NTLM vulnerabilities, but attackers also use similar attacks against other protocols, including Kerberos.
Know about Kerberos exploitation attacks
Kerberos attacks attempt to exploit weaknesses in Kerberos tickets. In some attacks, attackers capture tickets held in the lsass.exe process and use them in pass-the-ticket attacks. A silver ticket grants the attacker all the privileges granted to a service account. Attackers can create golden tickets after obtaining the hash of the Kerberos service account (KRBTGT), giving them the ability to create tickets at will within Active Directory.
Know how brute-force and dictionary attacks work
Brute-force and dictionary attacks are carried out against a stolen password database file or the system’s logon prompt. They are designed to discover passwords. In brute-force attacks, all possible combinations of keyboard characters are used, whereas a predefined list of possible passwords is used in a dictionary attack. Account lockout controls blunt their effectiveness against online attacks.
Understand how salt and pepper thwart password attacks
Salting adds additional bits to a password before hashing it and helps thwart rainbow table attacks. Some algorithms, such as Argon2, bcrypt, and Password-Based Key Derivation Function 2 (PBKDF2), add the salt and repeat the hashing functions many times. Salts are stored in the same database as the hashed password. A pepper is a large constant number used to increase the security of the hashed password further, and it is stored somewhere outside the database holding the hashed passwords.