Access Control Flashcards
Access Control Systems include
File Permissions, Program Permissions and Data Rights
File Permissions allow
Create, Read, Edit or Delete on a File Server.
Program Permissions allow
execution of a program on a server.
Data Rights allow
the right to retrieve or update information in a database.
A “SUBJECT” is
an ACTIVE entity, i.e., an individual or process that accesses an OBJECT.
An “OBJECT” is
a PASSIVE entity, i.e., a system or process that a SUBJECT acts upon or accesses.
PREVENTIVE controls are for
reducing risk.
DETECTIVE controls are for
identifying violations and incidents.
CORRECTIVE controls are for
remedying violations and incidents and improving existing preventive and detective controls.
DETERRENT controls are for
discouraging violations and dissuading malicious activity.
RECOVERY controls are for
restoring systems and information.
COMPENSATING controls are for
providing alternative ways of achieving a task.
Preventive controls, together with an overall security program, are compensated by
DETECTIVE, CORRECTIVE, DETERRENT, RECOVERY and COMPENSATING controls.
ACCESS controls can be
Administrative, Technical, and Physical
ADMINISTRATIVE controls include
policies and procedures that are implemented as part of an overall information security strategy
Types of ADMINISTRATIVE controls may include
policies, standards, guidelines and procedures. Security awareness training. Asset classification and control. Employment policies. Account administration. Account, log and journal monitoring. Review of audit trails.
TECHNICAL controls are
technical ( or logical ) controls that leverage hardware or software to implement access control.
PREVENTIVE TECHNICAL controls include
encryption, access control mechanisms, access control lists ( ACLs), Remote Access authentication protocols.
Common technical ENCRYPTION controls are
DES ( Data Encryption Standard ), AES ( Advanced Encryption Standard ) and Merkle-Hellman Knapsack.
Access Control Mechanisms are
Biometrics, Smart Cards, and Tokens.
Access Control Lists ( ACLs ) are
permissions defining what a SUBJECT can or cannot do to an OBJECT.
Remote Access Authentication Protocols are
PAP ( Password Authentication Protocol ), CHAP ( Challenge Handshake Authentication Protocol ), RADIUS ( Remote Authentication Dial In User Service ) and LDAP ( Lightweight Directory Access Protocol ).
DETECTIVE TECHNICAL controls include
Violation reports, Audit Trails, Network Monitoring and Intrusion Detection.
PHYSICAL controls ensure
the safety and security of the physical environment; they are primarily PREVENTIVE and DETECTIVE.
PHYSICAL PREVENTIVE controls include
perimeter protections like fences, locked entries, restricted areas and guards / dogs.
PHYSICAL DETECTIVE controls include
Motion detection and video cameras
ACCESS CONTROL SYSTEMS provide what three essential services?
Authentication, Authorization, and Accountability.
AUTHENTICATION is
( who can log in ) a two-step process of Identification and Authentication ( I&A ).
IDENTIFICATION is the means by which
a user ( SUBJECT ) presents a specific ID ( like a USERNAME ) to a system ( OBJECT ).
AUTHENTICATION is the process of verifying
an identity presented during IDENTIFICATION ( the I of I&A ). A USERNAME ( identity ) is verified with a PASSWORD ( authentication ).
What determines whether a SUBJECT can log in?
AUTHENTICATION
AUTHORIZATION or “establishment” defines
rights and permissions granted to a user account or process. ( what can be done with a system or resource )
What determines what a SUBJECT can do with assigned rights and permissions?
AUTHORIZATION
ACCOUNTABILITY is the capability to associate users and processes with
ACTIONS ( what they did ) through AUDIT TRAILS and SYSTEM LOGS.
“This” determines what a SUBJECT did
ACCOUNTABILITY
The ability to irrefutably associate a user with an action that can’t be denied is
NON-REPUDIATION
What are the two categories of ACCESS CONTROL?
SYSTEM ACCESS / DATA ACCESS controls
SYSTEM ACCESS controls provide
the first line of defense for data contained in a system. This is commonly thought of as AUTHENTICATION but includes AUTHORIZATION and ACCOUNTABILITY.
AUTHENTICATION is based on 3 FACTORS
something YOU KNOW ( PASSWORD and PINs ), something YOU HAVE ( TOKEN or SMART CARD ) and something YOU ARE ( FINGERPRINT, VOICE, a physical body part ).
TWO FACTOR authentication requires
two of the three.
STRONG authentication requires
at least TWO factors.
Using THREE FACTORS is
3 FACTOR authentication.
I & A techniques include
passwords / passphrases, PINs, BIOMETRICS, OTPs, Tokens and SSO.
Common or shared accounts such as root, admin, or system are examples of accounts that have
no accountability and should not be permitted.
The ACT of claiming a specific identity is
IDENTIFICATION
The ACT of verifying a specific identity is
AUTHENTICATION
The most common and weakest type of AUTHENTICATION is
the password.
More difficult to hack, the PASSPHRASE uses
a sequence of characters or words that are usually easier to remember.
The downside of PASSPHRASE can be
inconvenience ( too long ), and system limitations on more than 8 characters or on spaces. In the end a passphrase can be considered a password.
General challenges with PASSWORDS and PASSPHRASES are
insecure, easily broken, inconvenient, refutable.
Passwords or Passphrases are generally insecure because
of human nature to select easy passwords, and transmission and storage in clear text.
Passwords or Passphrases are easily broken by
BRUTE FORCE attacks, using tools such as John the Ripper and L0phtCrack.
Passwords should demonstrate the following security best practices
LENGTH of six to eight characters. COMPLEXITY: a combination of upper and lower case and special characters. AGING, which requires changes at regular intervals. HISTORY, remembering up to 5 previous passwords. LIMITED ATTEMPTS: a defined number of unsuccessful log-on attempts before lockout. LIMITED TIME PERIODS: restrictions on when ( time of day ) a user can log in. SYSTEM MESSAGES: a LOGIN BANNER defining terms of use, LAST USERNAME ( which should be disabled ) and LAST SUCCESSFUL LOGIN, which reveals unlikely log-in attempts.
PINS are relatively weak authentication because
there are only 10,000 possible combinations to a four digit PIN.
BIOMETRICs are based on THIRD FACTOR AUTHENTICATION which is
something YOU ARE. It is not considered STRONG authentication as it only uses one of the three authentication factors.
BIOMETRICS access controls can be
PHYSICAL: presenting a biometric characteristic to be verified against a database. LOGICAL: entry of a username or password plus a biometric characteristic.
EFFECTIVE BIOMETRIC systems demonstrate
ACCURACY, SPEED and THROUGHPUT, DATA STORAGE REQUIREMENTS, RELIABILITY and ACCEPTABILITY.
ACCURACY in BIOMETRICS is defined by
FALSE REJECT RATE ( FRR ), a TYPE 1 ERROR, and FALSE ACCEPT RATE ( FAR ), a TYPE 2 ERROR.
( ! ) FALSE REJECT RATE ( FRR ) TYPE 1 ERROR
is the percentage of authorized users to whom the system incorrectly denies access.
( ! ) FALSE ACCEPT RATE ( FAR ) TYPE 2 ERROR
is the percentage of unauthorized users to whom the system incorrectly grants access.
( ! ) CROSSOVER ERROR RATE
is the point at which the FRR equals the FAR stated as a percentage. It is considered the most important measure of BIOMETRIC accuracy.
( ! ) The most common difficulty with BIOMETRIC systems is
gaining user acceptance.
COMMON TYPES of PHYSIOLOGICAL access control systems include
Fingerprint recognition and scan, Hand geometry, Retina pattern, Iris pattern.
COMMON TYPES of BEHAVIORAL access control systems include
Voice, Signature dynamics, Keystroke or Typing dynamics.
ONE TIME PASSWORD is valid for
one log-on session only; after the session the password is no longer valid. They provide maximum security for access control. ( TOKENS and S/KEY are types of OTP. )
TOKENS are
two-factor authentication ( something you have and something you know ): key fobs, dongles, smart cards and soft tokens that store static passwords ( digital certificates ) or generate dynamic passwords.
The THREE general types of TOKENS are
STATIC PASSWORD ( digital certificate ), SYNCHRONOUS DYNAMIC PASSWORD ( timed event ) and ASYNCHRONOUS DYNAMIC PASSWORD.
SINGLE SIGN ON addresses
multiple systems and multiple logins. It addresses the human factor of poor password implementation / selection and the productivity impact on users and the IT maintenance team.
SSO challenges are
unrestricted access to multiple systems once logged in, and the complexity of deploying the services.
SSO leverages these common third-party ticket-based services:
KERBEROS, SESAME, KRYPTOKNIGHT
In Kerberos two types of keys are
a SESSION KEY ( dynamic ) and a SECRET KEY
A SESSION KEY ( dynamic ) is
generated when needed and shared between two principals, then destroyed when no longer needed.
A SECRET KEY is
a static key that is used to encrypt a session key.
SESAME =
SECURE EUROPEAN SYSTEM and APPLICATIONS in a Multi-vendor Environment.
SESAME is a
ticket-based system developed by the EUROPEAN COMPUTER MANUFACTURERS ASSOCIATION ( ECMA ).
KRYPTOKNIGHT is a
ticket and key distribution system developed by IBM that provides two-party authentication, key distribution and data integrity services.
( ! ) Three examples of TICKET BASED SSO services for AUTHENTICATION are
KERBEROS, SESAME, KRYPTOKNIGHT
Access Control Methodologies are generally classified as
CENTRALIZED or DECENTRALIZED
( ! ) CENTRALIZED ACCESS CONTROL examples include
LDAP ( Lightweight Directory Access Protocol ), RAS ( Remote Access Service ), RADIUS ( Remote Authentication Dial-in User Service ), DIAMETER and TACACS ( Terminal Access Controller Access Control System ).
REMOTE ACCESS SERVICE leverages Point to Point Protocol ( PPP ) to encapsulate IP packets and uses the following three authentication protocols:
PAP ( Password Authentication Protocol ), CHAP ( CHALLENGE HANDSHAKE AUTHENTICATION PROTOCOL ), EAP ( Extensible Authentication Protocol )
DECENTRALIZED ACCESS CONTROL includes
multiple domains and trusts, and databases controlled by a Database Management System.
( ! ) A Database view is
a type of constrained user interface, restricting access to specific functions by not allowing requests for those functions.
Data Access Controls include
DISCRETIONARY ACCESS CONTROL and MANDATORY ACCESS CONTROL
( ! ) Who determines access policy in DISCRETIONARY ACCESS CONTROL?
OWNER
TWO CONCEPTS of DISCRETIONARY Access Control are
File and Data Ownership / Access Rights and Permissions
TWO CONCEPTS of MANDATORY Access Control are
Sensitivity Labels / Data Import Export
( ! ) What determines access policy in MANDATORY ACCESS CONTROL?
SYSTEM
ACCESS CONTROL MODELS are
BELL - LA PADULA, BIBA, CLARK-WILSON, NONINTERFERENCE MODEL, ACCESS MATRIX MODEL and INFORMATION FLOW MODEL.
BELL - LA PADULA defines two properties
Simple Security property ( ss property ) and *-property ( star property ).
( ! ) BELL - LA PADULA addresses
CONFIDENTIALITY
( ! ) BIBA and CLARK WILSON address
INTEGRITY
ACCESS CONTROL ATTACKS are
Brute-Force or Dictionary Attack, Buffer or Stack overflow, Man in the Middle, Packet Sniffing, Session Hijacking, Social Engineering.
Tactics to deploy against Access Control attacks are
Threat Modeling, Asset Valuation, Vulnerability Analysis, and Access Aggregation.
Access Control Evaluation and Testing include
Port Scanning, Application Scanning, Blackbox testing, Whitebox testing, Greybox testing, Host Scanning and Operating system detection.