Old - Domain 1: Access Control Flashcards
(134 cards)
1
Q
Subject
A
An active entity on an information system.
2
Q
Object
A
A passive data file.
3
Q
Discretionary Access Control (DAC)
A
Gives subject full control of objects they have been given access to, including sharing the objects with others.
4
Q
Mandatory Access Control (MAC)
A
System-enforced access control based on subject’s clearances and object’s labels.
5
Q
Role-based Access Control (RBAC)
A
Subjects are grouped in to roles, and each defined role has access permissions based upon the role, not the individual.
6
Q
Purpose of Access Control?
A
To protect the confidentiality, integrity, and availability of data.
7
Q
Opposite of CIA?
A
Disclosure, Alteration, Destruction (DAD)
8
Q
Honeywell’s SCOMP, Purple Penelope, and Linux Intrusion Detection System (LIDS) are all examples of what type of access control system?
A
Mandatory Access Control (MAC) – List examples.
9
Q
Examples of Non-discretionary Access Control?
A
Role Based Access Control
Task Based Access Control
–Are examples of what type of access control?
10
Q
RBAC has what rules?
A
- Role assignment
- Role authorization
- Transaction authorization
11
Q
What are the 3 primary models for access control?
A
- Discretionary Access Control (DAC)
- Mandatory Access Control (MAC)
- Non-discretionary Access Control (Such as RBAC)
12
Q
Access provisioning lifecycle: Name the steps IBM has outlined.
A
- Password policy compliance checking.
- Notifying users to change pwd before it expires.
- Identifying lifecycle changes (ex: inactive accounts).
- Identifying new accounts that haven’t been used for 10 days after creation.
- Identifying accounts that can be deleted (ex: suspended for 30 days).
- Identifying all accounts belonging to a business partner or contractor and revoking access when no longer required.
13
Q
Access aggregation (authorization creep)
A
Occurs as individual users gain more access to more systems. (sometimes through role or duty changes)
14
Q
RADIUS
A
Remote Authentication Dial-In User Service
15
Q
According to RFC 2865 RADIUS supports what codes?
A
- Access-Request
- Access-Accept
- Access-Reject
- Accounting-Request
- Accounting-Response
- Access-Challenge
- Status-Server (Experimental)
- Status-Client (Experimental)
16
Q
Name the protocols & ports used by RADIUS.
A
UDP ports 1812 (authentication) & 1813 (accounting)
Formerly used 1645 (authentication) & 1646 (accounting)
17
Q
Name the RFCs that RADIUS is described in.
A
RFC 2865 & 2866
18
Q
RADIUS request and response data is carried in?
A
Attribute-Value Pairs (AVPs)
19
Q
Diameter
A
Successor to RADIUS, designed to provide an improved AAA framework.
20
Q
Differences between Diameter & RADIUS?
A
- Radius uses 8 bits for AVP field, Diameter uses 32 bits.
- Diameter uses single server to manage policies for many services, as opposed to RADIUS which requires many.
- Diameter uses TCP, RADIUS uses UDP.
21
Q
Name the RFC that Diameter is described in.
A
RFC 3588
22
Q
TACACS
A
The Terminal Access Controller Access Control System
23
Q
TACACS ports?
A
UDP port 49 (may also use TCP)
24
Q
RADIUS or TACACS+ more secure?
A
Radius encrypts only password, all other data is unencrypted. TACACS+ encrypts all data below TACACS+ header, so it is more secure then RADIUS.
25
TACACS+ port?
TCP port 49
26
Name RFC that PAP is described in.
RFC 1334
27
PAP
Password Authentication Protocol (not a strong authentication method)
28
CHAP
The Challenge Handshake Authentication Protocol
29
Name the RFC that CHAP is described in.
RFC 1994
30
Advantage of CHAP over PAP?
CHAP uses a shared secret that is known only to the authenticator and peer. This isn't passed over the network so it can't be captured using a sniffer.
31
Name the RFC that describes the Kerberos Authentication Protocol (Microsoft).
RFC 1510
32
Trust (nontransitive)
Trust relationship exists only between two trust partners.
33
Trust (transitive)
Trust relationship exists between two partners and all of their partners.
34
Labels
Applied to objects in MAC.
35
Clearances
Applied to subjects in MAC.
36
Object labels used by many world governments?
Confidential, Secret, Top Secret.
37
Additional labels used by government?
- Unclassified (data that is not sensitive)
- Sensitive but unclassified (SBU)
- For official use only (FOUO)
- Sensitive compartmented information (SCI) - these compartments require a documented and approved need to know in addition to a normal clearance such as top secret.
38
Labels used by private sector companies?
- Internal use only
| - Company proprietary
39
Rule-based access control
System that uses a series of defined rules, restrictions, and filters for accessing objects.
40
Types of access control
- Preventative
- Detective
- Corrective
- Recovery
- Deterrent
- Compensating
41
Categories that each access control type can fall in to?
- Administrative
- Technical
- Physical
42
Preventative controls
Access control type that stops actions from occurring.
43
Detective controls
Access control type that alerts during or after a successful attack.
44
Preventative control examples?
- Physical - lock, mantrap
- Technical - firewall
- Administrative - Pre-employment drug screening
45
Detective control examples?
Physical - CCTV, light
Technical - IDS
Administrative - Post-employment random drug screenings.
46
Corrective controls
Access control type that works by correcting a damaged system or process.
47
Recovery controls
Access control type that is used to restore functionality to a system or organization after a security incident.
48
Deterrent controls
Access control type that discourages users from performing actions on a system.
49
Compensating controls
Access control type that is an additional security control put in place to make up for weaknesses in other controls.
50
Types of authentication methods?
```
Type 1 (something you know)
Type 2 (something you have)
Type 3 (something you are)
Type 4 (someplace you are)
```
51
Four types of passwords?
- Static passwords
- Passphrases
- One-time passwords
- Dynamic passwords
52
Static passwords
Reusable passwords that may or may not expire.
53
Passphrases
Long static passwords, comprised of words in a phrase or sentence.
54
One-time password
Used for a single authentication. Very secure but difficult to manage.
55
Dynamic passwords
Change at regular intervals. (SecurID Token Code)
-Very secure, but tokens are expensive
56
Strong authentication (multifactor authentication)
Requires user to present more than one authentication factor. (Ex: ATM card & Pin)
57
Hashing
One-way encryption using an algorithm and no key.
58
Password cracking
An attack where the attacker runs the hash algorithm forward many times, selecting various possible passwords and comparing the output to a desired hash, hoping to find a match.
59
Unix/Linux system passwords are stored where?
/etc/shadow file - only root has read access.
60
Windows system passwords are stored where?
Security account management file (SAM file)
-Both locally and on DC
61
fgdump
Tool to dump windows password hashes from memory.
62
Microsoft LAN Manager (LM)
Passwords are converted to uppercase before hashing. (Not as secure)
63
Dictionary attack
Uses a predefined list of words and then runs each word through a hash algorithm.
64
Brute force attack
Attacker calculates the hash outputs for every possible password.
65
Rainbow tables
Acts as a database that contains the precomputed hashed output for most or all possible passwords.
66
Hybrid attack
Appends, prepends, or changes characters in words from a dictionary before hashing, to attempt the fastest crack of complex passwords.
67
Salt
Allows one password to hash multiple ways. (ensures that the same password will encrypt differently when used by different users. (Makes rainbow tables highly ineffective)
68
Department of Defense minimum password security controls.
- Password history = 24 passwords
- Maximum password age = 90 days
- Minimum password age = 2 days
- Minimum password length = 8 characters
- Passwords must meet complexity requirements = true
- Store password using reversible encryption = false
69
Token
An object that helps prove an identity claim.
70
Synchronous dynamic token
Use time or counters to synchronize a displayed token code with the code expected by the authentication server.
71
3 pieces of information the authentication server uses to predict a dynamic token code?
- Serial number of authorized token
- User it is associated with
- Current time
72
Asynchronous dynamic tokens
Not synchronized with a central server. The most common variety is challenge-response tokens. These produce a challenge, or input for the token device. The user then manually enters the info into the device along with the user's PIN, and the device produces an output. This output is then sent to the system for authentication.
73
Template or file size
Data storage required to represent biometric information. (1000 bytes or less is typical, much less for some systems such as hand geometry)
74
Retina scans
Rarely used due to health risks and unwarranted privacy issues. (press eye against an eyecup - potential exchange of bodily fluid)
75
Biometrics - In a large organization (10,000 or more)
Some staff may not have fingerprints or eyes, so appropriate biometric systems must be used.
76
Enrollment
The process of registering for a biometric system.
77
Throughput (biometric system response time)
-Typically 6-10 seconds
Process of authenticating to a biometric system.
78
Metrics used to judge biometric accuracy?
- False reject rate (FRR)
- False accept rate (FAR)
- Crossover error rate (CER)
79
False reject rate (FRR)
Occurs when an authorized subject is rejected by the biometric system as unauthorized. (Type 1 Error)
80
False accept rate (FAR)
Occures when an unauthorized subject is accepted as valid. (Type 2 Error)
81
Is Type 1 or Type 2 error worse?
Type 2 errors are worse.
82
Crossover error rate (CER) - also known as the equal error rate (EER)
Describes the point where the false reject rate (FRR) and the false accept rate (FAR) are equal.
83
Way to lower FRR?
Lower the data points tracked by the system (this will increase the FAR).
84
More sensitive biometric system has?
Higher FRR, lower FAR.
85
Less sensitive biometric system has?
Higher FAR, lowever FRR.
86
Fingerprints
Most widely used biometric control available today.
87
Minutiae
Mathematical representation of a fingerprint.
88
Details of a fingerprint friction ridges.
Minutiae - including whorls, ridges, and bifurcations.
89
Retina scan (definition)
Laser scan of the capillaries that feed the retina at the back of the eye.
90
Iris scan
Passive biometric control. A camera takes a picture of the iris (colored portion of the eye) and then compares the photogragh with the authentication db. (works through contact lens and glasses)
-Extremely accurate, passive, no exchange of bodily fluid
91
Hand geometry
biometric control, measurements are taken from specific points on the subject's hand. (records length, thickness, and surface area)
-Simply, as little as 9 bytes needed for storage
92
Keyboard dynamics
Refers to how hard a person presses each key and the rhythm with which the keys are pressed. (suprisingly inexpensive to implement)
93
Dynamic signatures
Measures the process by which someone signs his or her name. (measuring time, pressure, loops in signature, beginning & ending points)
94
Voiceprint
Measures the subject's tone of voice while stating a specific sentence or phrase.
- Vulnerable to replay attacks so must be combined with other access controls
- Another issue is a person's voice may change due to illness, resulting in false rejection.
95
Facial scan (facial recognition)
Process of passively taking a picture of a subject's face and comparing that picture to a list stored in a database.
-Not frequently used for authentication due to high cost, but is used by law enforcement
96
Someplace you are
Describes location based access control using technologies such as GPS, IP address-based geo-location, or physical location for point-of-sale purchases.
97
Single sign-on (SSO)
Allows multiple systems to use a central authentication server (AS). This allows users to authenticate once and then access multiple different systems.
98
Advantages of SSO
- Improved user productivity - No multiple logins, less username/passwords to remember. Less calls to support.
- Improved developer productivity - allows them to work with a common authentication framework or even not have to worry about authentication at all.
- Simplified administration
99
Disadvantages of SSO
- Difficult to retrofit to existing applications
- Unattended desktop - Malicious user could gain access to all applications.
- Single point of attack - Central auth server is attractive target for hackers.
100
Identity management
Refers to the policies, processes, and technologies that establish user identities and enforce rules about access to digital resources.
101
Federated identity management (FIdM)
Creates a trusted authority for digital identities across multiple organizations. Participating institutions share identity attributes based on agreed-upon standards, facilitating authentication from other members of the federation and granting appropriate access to online resources.
102
Frameworks used to implement FIdM?
OpenID or SAML
103
Kerberos
Developed under Project Athena at the Massechusetts Institute of Technology.
104
Kerberos definition
A network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communication over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data stream integrity and secrecy using cryptography systems such as DES.
105
Name the RFC that describes Kerberos version 5.
RFC 4120
106
Name the components of Kerberos.
- Principal - Client (user) or service
- Realm - A logical Kerberos network
- Ticket - Data that authenticates a principal's identity
- Credentials - A ticket and a service key
- KDC - Key distribution center, which authenticates principals
- TGS - Ticket granting service
- TGT - Ticket granting ticket
- C/S - Client/Server, regarding communications between the two
107
Kerberos description
Uses symmetric encryption and provides mutual authentication of both clients and servers. It protects against network sniffing and replay attacks.
108
Kerberos operational steps (example)
1. Kerberos principal Alice contacts the KDC, which acts as an authentication server, to request authentication.
2. The KDC sends Alice a session key, encrypted with Alice's secret key. The KDC also sends a TGT, encrypted with the TGS secret key.
3. Alice decrypts the session key and uses it to request permission to print from the TGS.
4. Seeing Alice has a valid session key, the TGS sends Alice a C/S session key to use to print. The TGS also sends a service ticket, encrypted with the printer's key.
5. Alice connects to the printer. The printer, seeing a valid C/S session key, knows Alice has permission to print and knows that Alice is authentic.
109
For Kerberos, many sites run both the KDC and TGS services on one system, but they may be run on separate systems. It is helpful to think of them as independent systems for the exam.
Blank
110
TGT lifetime
Good for a site-selected specific lifetime, often set to 10 hours (the length of a work day, plus a few). This allows a typical user to authenticate once and access network resources for the lifetime of the ticket.
111
Kerberos service ticket
Cannot be decrypted by Alice, only passed on to printer. This allows printer to trust what is receives from Alice without consulting KDC or TGS.
112
Kerberos weaknesses
- All keys are stored on a central server. If that is compromise all keys could be compromised.
- KDC and TGS are single points of failure. If they go down no new credentials can be issued.
- Replay attacks are still possible for the lifetime of the authenticator.
- In kerberos 4, user may request session key for another user. Could then launch local password guessing attack on encrypted session key.
- While kerberos can mitigate malicious network attacks, it does not mitigate local host attacks because plaintext keys may exist in memory or cache.
113
SESAME (Secure European System for Applications in a Multivendor Environment)
Signle sign-on system that supports heterogeneous environments. (Sequel to Kerberos)
114
SESAME improvements over Kerberos?
Heterogeneity, sophisticated access control features, scalability of public key systems, better manageability, audit and delegation. Of the improvements, public key encryption is the most compelling because it no longer requires plaintext storage of symetric keys.
115
According to NIST, what types of logs should be collected?
- Network security software/hardware
- AV logs
- IDS/IPS logs
- Remote access logs (VPN)
- Web proxy
- Vulnerability management
- Authentication servers
- Routers and firewalls
- OS
- System events
- Audit records
- Applications
- Client requests and server responses
- Usage info
- Significant operational actions
116
According to the article "Five Mistakes of Log Analysis", audit record management typically faces five distinct problems, what are they?
1. Logs not reviewed on regular and timely basis.
2. Audit logs and trails not stored long enough.
3. Logs are not standardized or viewable from a central location.
4. Log entries and alerts aren't prioritized.
5. Audit records are only reviewed for the "bad stuff"
117
Outsiders
Unauthorized attackers with no authorized privileged access to a system or organization. They launch the majority of attacks but most a successfully mitigated.
118
Titan Rain
MyFip worm that caused a lot of damage in 2005. Would search systems for certain file types and embed itself in them to transfer to other computers. US government suspect China was behind this.
119
Insiders
Internal user who may be authorized to use the system that is attacked. Cause most high impact security incidents. Most successful attacks are caused by them.
120
NIST threat actions that insiders cause?
- Assault
- Blackmail
- Browsing of proprietary info
- Computer abuse
- Fraud/theft
- Information bribery
- Input of falsified, corrupt data
- Interception
- Malicious code
- Sale of personal info
- System bugs
- System intrusion
- System sabotage
- Unauthorized system access
121
Bot
Computer running malware that is controlled via a botnet.
122
Botnet
Contains a central command and control network, managed by humans called bot herders.
123
Bot herders
Managers of a botnet.
124
Phisher
Malicious attacker that attempts to trick a user in to divulging personal information.
125
Spear phishing (also called Whaling or Whale hunting)
Similar to phishing but focuses on fewer, but higher value targets. These attacks are more targeted, typically referring to users by their full name, title, and other supporting information.
126
War dialing
Attack that uses a modem to dial a series of phone numbers, looking for an answering modem carrier tone, then attempts to access the system.
127
Social engineering
Attack that uses the human mind to bypass security controls.
128
Zero knowledge (black box) test
A blind pen test, in which the tester begins with no external or trusted information and begins the attack with public information only.
129
Full knowledge (crystal box) test
A pen test in which the tester is provided internal information before the test.
130
Partial knowledge test
A test that is a mix between full knowledge and zero knowledge.
131
Methodology used by penetration testers?
- Planning
- Reconnaissance
- Scanning (also called enumeration)
- Vulnerability assessment
- Exploitation
- Reporting
132
Flag
A dummy file containing no regulated or sensitive data that is placed on systems being targetted by pen testers. If they can read/write to this file they can prove the attack was successful.
133
Security audit
This is a test against a published standard.
134
Security assessments
Holistic approach to assessing the effectiveness of access control.
