14 - Controlling and Monitoring Access Flashcards

1
Q

What are Permissions, Rights, Privileges?

A
  • Permissions: The access granted for an object; they determine what you can do with it.
  • Rights: The ability to take an action on a system.
  • Privileges: The combination of rights and permissions.
2
Q

What are some authorization mechanisms used to control who can access specific objects?

A
  • Implicit Deny: Ensures access to an object is denied unless access has been explicitly granted to a subject.
  • Access Control Matrix: A table that includes subjects, objects, and assigned privileges that a system checks to confirm a subject's access. (more focused on objects)
  • Capability Tables: A table that is used to identify privileges that are more centered around subjects and their roles.
  • Constrained Interface: Interfaces that restrict what users can do or see based on their privileges.
  • Content-Dependent Control: Restrict access to data based on the content within an object.
  • Context-Dependent Control: Requires specific activity before granting users access.
  • Need to Know: Ensures that subjects are granted access only to what they need to know for their work tasks and job functions.
  • Least Privilege: Ensures that subjects are only granted privileges they need to perform their work tasks and job functions.
  • Separation of Duties and Responsibilities: Ensures sensitive functions are split into tasks performed by two or more employees.
3
Q

What is a Security Policy?

A

A document that defines security requirements for an organization. Defines what assets need protection. Senior leadership approves the policy and provides a broad overview of the organization’s security needs. Meant to be used as a guide, not provide details.

4
Q

What is Defense in Depth?

A

The use of multiple layers or levels of access controls to provide security.

5
Q

What are the different Access Control Modes?

A
  • Discretionary Access Control (DAC): Every object has an owner (data custodian) and that owner can grant or deny access to subjects (NTFS). Managed with ACLs.
  • Role-Based Access Control (RBAC): The use of roles or groups to assign permissions (AD). Helps enforce Least Privilege and prevent Privilege Creep.
  • Rule-based Access Control: The use of global rules that apply to all subjects (such as firewalls).
  • Attribute-Based Access Control (ABAC): Use of rules that have multiple attributes. Rules can get granular with conditional statements.
  • Mandatory Access Control (MAC): The use of labels applied to subjects and objects to determine access. (security clearance)
6
Q

What are the different environments MAC models can exist in?

A
  • Hierarchical Environment: Labels are in an ordered structure from Low to High. Clearance in one level grants the subject access to objects in that level as well as lower levels.
  • Compartmentalized Environment: No relationship between one security domain and another; they are isolated.
  • Hybrid Environment: Combines both Hierarchical and Compartmentalized concepts so that each level has subdivisions that are isolated from the rest of the domain.
7
Q

What is the difference between Risk, Threat, and Vulnerability?

A
  • Risk: The possibility or likelihood that a threat will exploit a vulnerability resulting in a loss such as harm to an asset.
  • Threat: Potential occurrence that can result in an undesirable outcome.
  • Vulnerability: Any type of weakness.
8
Q

What is Risk Management?

A

Attempts to reduce or eliminate vulnerabilities, or reduce the impact of potential threats by implementing controls. The process is:

  • Identifying Assets: (Asset Valuation) Identifying the actual value of assets with the goal of prioritizing them.
  • Identifying Threats: (Threat Modeling) Identifying, analyzing, and categorizing potential threats.
    • Advanced Persistent Threats (APT): A group of advanced attackers who focus on specific targets to exploit.
    • Approaches:
      • Focused on Assets
      • Focused on Attackers
      • Focused on Software
  • Identifying Vulnerabilities: (Vulnerability Analysis) Attempts to discover weaknesses in these systems against potential threats.
9
Q

What are some Common Access Control Attacks?

A
  • Access Aggregation Attacks: Combining multiple pieces of nonsensitive information to learn sensitive information.
  • Password Attacks: Attempts to retrieve a user’s password:
    • Dictionary Attack: Using a list of known passwords
    • Brute-Force Attacks: Systematically attempting all possible combinations of letters, numbers, and symbols.
    • Birthday Attack: Focuses on finding collisions based on statistics
    • Rainbow Table Attacks: Using a large database of hashed passwords to guess a password.
    • Sniffer Attacks: Capturing packets on the network in order to find the password.
  • Spoofing Attacks: Pretending to be something or someone else.
    • Email Spoofing: Senders spoof the From field to make it appear it was sent by someone else. The Reply-To can be a different address.
    • Phone Number Spoofing: Where a caller replaces the displayed number with another one, most of the time to make the call appear local.
  • Social Engineering Attacks: When an attacker tries to gain the trust of someone by impersonation, deceit, or threats.
    • Phishing: A form of social engineering via email that attempts to trick users into giving up sensitive info, opening an attachment, or clicking a link. Phishing emails are often sent indiscriminately as spam to a multitude of users.
    • Spear Phishing: A form of phishing targeted to a specific group.
    • Whaling: A variant of phishing that targets senior or high-level executives.
    • Vishing: Phishing via the phone system or VoIP.
  • Smartcard Attacks: (Side-Channel attack) Measuring the power consumption or monitoring the processing timings of a card in order to glean valuable information.
10
Q

What are some methods to protect against access control attacks?

A
  • Control physical access to systems
  • Control electronic access to files
  • Create a strong password policy
  • Hash and salt passwords
  • Use password masking
  • Deploy MFA
  • Use account lockout controls