14 - Controlling and Monitoring Access Flashcards
What are Permissions, Rights, Privileges?
- Permissions: The access granted for an object; they determine what you can do with it.
- Rights: The ability to take an action on a system.
- Privileges: The combination of rights and permissions.
What are some authorization mechanisms used to control who can access specific objects?
- Implicit Deny: Ensures access to an object is denied unless access has been explicitly granted to a subject.
- Access Control Matrix: A table that includes subjects, objects, and assigned privileges that a system checks to confirm a subject's access. (more focused on objects)
- Capability Tables: A table that is used to identify privileges that are more centered around subjects and their roles.
- Constrained Interface: Interfaces that restrict what users can do or see based on their privileges.
- Content-Dependent Control: Restrict access to data based on the content within an object.
- Context-Dependent Control: Requires specific activity before granting users access.
- Need to Know: Ensures that subjects are granted access only to what they need to know for their work tasks and job functions.
- Least Privilege: Ensures that subjects are only granted privileges they need to perform their work tasks and job functions.
- Separation of Duties and Responsibilities: Ensures sensitive functions are split into tasks performed by two or more employees.
What is a Security Policy?
A document that defines security requirements for an organization. Defines what assets need protection. Senior leadership approves the policy, and it provides a broad overview of the organization's security needs. Meant to be used as a guide, not to provide details.
What is Defense in Depth?
The use of multiple layers or levels of access controls to provide security.
What are the different Access Control Modes?
- Discretionary Access Control (DAC): Every object has an owner (data custodian), and that owner can grant or deny access to subjects (NTFS). Managed with ACLs.
- Role-Based Access Control (RBAC): The use of roles or groups to assign permissions (AD). Helps enforce Least Privilege and prevent Privilege Creep.
- Rule-based Access Control: The use of global rules that apply to all subjects (such as firewalls).
- Attribute-Based Access Control (ABAC): Use of rules that have multiple attributes. Rules can get granular with conditional statements.
- Mandatory Access Control (MAC): The use of labels applied to subjects and objects to determine access. (security clearance)
What are the different environments MAC models can exist in?
- Hierarchical Environment: Labels are in an ordered structure from Low to High. Clearance in one level grants the subject access to objects in that level as well as lower levels.
- Compartmentalized Environment: No relationship between one security domain and another; they are isolated.
- Hybrid Environment: Combines both Hierarchical and Compartmentalized concepts so that each level has subdivisions that are isolated from the rest of the domain.
What is the difference between Risk, Threat, and Vulnerability?
- Risk: The possibility or likelihood that a threat will exploit a vulnerability resulting in a loss such as harm to an asset.
- Threat: Potential occurrence that can result in an undesirable outcome.
- Vulnerability: Any type of weakness.
What is Risk Management?
Attempts to reduce or eliminate vulnerabilities, or reduce the impact of potential threats by implementing controls. The process is:
- Identifying Assets: (Asset Valuation) Identifying the actual value of assets with the goal of prioritizing them.
- Identifying Threats: (Threat Modeling) Identifying, analyzing, and categorizing potential threats.
  - Advanced Persistent Threats (APT): A group of advanced attackers who focus on specific targets to exploit.
  - Approaches:
    - Focused on Assets
    - Focused on Attackers
    - Focused on Software
- Identifying Vulnerabilities: (Vulnerability Analysis) Attempts to discover weaknesses in these systems against potential threats.
What are some Common Access Control Attacks?
- Access Aggregation Attacks: Combining multiple pieces of nonsensitive information to learn sensitive information.
- Password Attacks: Attempts to retrieve a user's password:
  - Dictionary Attack: Using a list of known passwords.
  - Brute-Force Attacks: Systematically attempting all possible combinations of letters, numbers, and symbols.
  - Birthday Attack: Focuses on finding collisions based on statistics.
  - Rainbow Table Attacks: Using a large database of hashed passwords to guess a password.
  - Sniffer Attacks: Capturing packets on the network in order to find the password.
- Spoofing Attacks: Pretending to be something or someone else.
  - Email Spoofing: Senders spoof the From field to make it appear the message was sent by someone else. The Reply-To can be a different address.
  - Phone Number Spoofing: Where a caller replaces a number with another one, most of the time to make the call appear local.
- Social Engineering Attacks: When an attacker tries to gain the trust of someone through impersonation, deceit, or threats.
  - Phishing: A form of social engineering via email that attempts to trick users into giving up sensitive info, opening an attachment, or clicking a link. Phishing emails are often sent indiscriminately as spam to a multitude of users.
  - Spear Phishing: A form of phishing targeted at a specific group.
  - Whaling: A variant of phishing that targets senior or high-level executives.
  - Vishing: Phishing via the phone system or VoIP.
- Smartcard Attacks: (Side-Channel attack) Measuring the power consumption or monitoring the processing timings of a card in order to glean valuable information.
What are some methods to protect against access control attacks?
- Control physical access to systems
- Control electronic access to files
- Create a strong password policy
- Hash and salt passwords
- Use password masking
- Deploy MFA
- Use account lockout controls