Access Control Flashcards
What is an Object ?
A passive entity such as a file or database system.
What is a Subject ?
An active entity such as an individual or a process.
What is Access Control ?
The ability to permit or deny the use of an object by a subject.
Purpose of Preventative Controls ?
Reducing Risk
Purpose of Detective Controls ?
Identifying violations and risks
Purpose of Corrective Controls ?
Remedying violations and incidents and improving existing preventative and detective controls.
Purpose of Deterrent Controls ?
Discouraging Violations
Purpose of Recovery Controls ?
Restoring systems and information
Purpose of Compensating Controls ?
Providing alternative ways of achieving a task.
What are Administrative Controls ?
Policies and procedures an organisation implements as part of its information security strategy.
What are Technical (logical) Controls ?
Technical controls use both hardware and software to implement access control.
Some Examples of Technical Controls ?
Encryption, access control (biometrics, smart cards, tokens), ACLs, remote access authentication (RADIUS, PAP, CHAP, LDAP)
Some Examples of Detective Tech. Controls ?
Violation Reports, Audit Trails, Network Monitoring and Intrusion Detection.
What are Physical Controls ?
Physical (preventative) Controls ensure the safety and security of the physical environment.
Some Examples of Physical Controls ?
Security Perimeters - fences, guards, dogs, motion detectors and video cameras.
What are the three components of Access Control Services ?
Authentication, Authorisation and Accountability (AAA)
auth-auth-acc
What is Authentication ? (Access Control Service)
A two step process consisting of identification and authentication.
What is Authorisation? (Establishment, Access Control Service)
Defines the Rights / Permissions granted to a user account or process
What is Accountability ? (Access Control)
The capability to associate users and processes with their actions.
Some Examples of Accountability (Access Control)
Audit Trails, System Logs.
Non-Repudiation
Associated with Accountability (A.C.). It means that a user can’t deny an action because you can irrefutably associate them with that action.
System Access Control
A control category that protects the entire system, first line of defense.
Data Access Control
A control category that is specific to controlling access to data in a system.
Three Factors of Authentication
(01) Something you know (PIN, password), (02) Something you have (access card, RSA token), (03) Something you are (fingerprint, voice, retina, iris).
What is two factor authentication
This is an authentication method that requires two different factors of authentication (Are, Have, Know).
What is strong authentication
This is an authentication method that requires at least two different factors of authentication (Are, Have, Know).
What is identification
Identification is the act of claiming a specific identity.
What is authentication
Authentication is the act of verifying an identity.
Recommended minimum password length:
6 to 8 characters
Recommended password complexity:
A combination of alphanumeric characters with special characters, and a mix of capitalised and non-capitalised alphabetic characters.
Recommended password aging time length:
30-60-90 days
Recommended password History:
5
Recommended login attempts:
Counter threshold: 3 to 5
Counter reset: 30 min
What is FRR ? (Access Control)
False Reject Rate (Type 1 Error): the percentage of authorised users to whom the system incorrectly denies access.
What is FAR? (Access Control)
False Accept Rate (Type 2 Error): the percentage of unauthorised users to whom the system incorrectly allows access.
What is CER (Access Control)
Crossover Error Rate is the point where FRR = FAR, stated as a %.
What is a Nonce?
System-generated random challenge string (asynchronous / dynamic password token). Essentially a number used once.
What is Kerberos ?
Kerberos is a popular ticket-based symmetric key authentication protocol (Windows, Sun NFS).
What is SESAME ?
Secure European System and Applications in a Multi-vendor Environment, an alternative to Kerberos. It uses PKI as well as asynchronous and synchronous key exchange.
What is a Privileged Attribute Server (PAS)?
Site specific authentication server in a SESAME implementation.
SESAME Security Flaws ?
1) It uses the XOR function for encryption.
2) Authentication is based on a message fragment, not the whole message.
3) Key generation is not quite so random.
4) Vulnerable to password guessing attacks.
What is KryptoKnight ?
Ticket-based SSO authentication system developed by IBM. It does not require clock synchronisation like Kerberos.
What is LDAP ?
Lightweight Directory Access Protocol, a centralised access control system. It is both a data model and an IP protocol.
An Example of a Centralised Access Control for Remote Access.
What is RAS ?
Remote Access Service - uses the Point-to-Point Protocol (PPP) to encapsulate IP packets and allow dial-up over analogue and ISDN lines.
An Example of a Centralised Access Control for Remote Access.
What is PAP ?
Password Authentication Protocol - a two-way handshake that authenticates a peer to a server when a link is established. It has no protection against brute force attacks or replay attacks. It also transmits passwords in clear text.
What is CHAP ?
Challenge Handshake Authentication Protocol - uses a three-way handshake for authentication between peer and server. Checks continue throughout the length of the connection. It uses a shared secret that is stored in cleartext. The cleartext password is hashed with MD5 when calculating responses.
What is MS-CHAP ?
Microsoft’s implementation of the Challenge Handshake Authentication Protocol. Same three-way handshake for authentication, with continued checking throughout the length of the communication. The shared secret is encrypted rather than stored in clear text.
An Example of a Centralised Access Control for Remote Access.
What is EAP ?
The Extensible Authentication Protocol (EAP) adds flexibility to PPP authentication by implementing various authentication mechanisms, including MD5-challenge, S/Key, generic token card, digital certificates, and so on. Many wireless networks implement EAP.
An Example of a Centralised Access Control for Remote Access.
What is RADIUS ?
The Remote Authentication Dial-In User Service (RADIUS) protocol is an open-source, client-server networking protocol that provides authentication, authorization, and accountability (AAA) services. RADIUS is an Application Layer protocol that utilizes User Datagram Protocol (UDP) packets for transport. UDP is a connectionless protocol, which means it’s fast but not as reliable as other transport protocols.
An Example of a Centralised Access Control for Remote Access.
What is Diameter ?
This is the next-generation RADIUS protocol. Like RADIUS, Diameter provides AAA services and is an open protocol.
Unlike RADIUS, Diameter utilizes Transmission Control Protocol (TCP) and Stream Control Transmission Protocol (SCTP) packets to provide a more reliable, connection-oriented transport mechanism. Also, Diameter uses Internet Protocol Security (IPSec) or Transport Layer Security (TLS) to provide network security or transport layer security (respectively), rather than PAP or CHAP.
Not fully backward compatible with RADIUS.
An Example of a Centralised Access Control for Remote Access.
What is TACACS ?
The Terminal Access Controller Access Control System (TACACS) is a remote authentication control protocol.
TACACS+ is TCP based (port 49) and supports practically any authentication mechanism (PAP, CHAP, MS-CHAP, EAP, token cards, Kerberos, and so on). The major advantages of TACACS+ are its wide support of various authentication mechanisms and granular control of authorization parameters. TACACS+ can also use dynamic passwords; TACACS uses static passwords only.
An Example of a Centralised Access Control for Remote Access.
Decentralised Access Control
Decentralized access control systems keep user account information in separate locations, maintained by different administrators, throughout an organization or enterprise.
Possible Issues:
- Inconsistent security policies
- Mass account management (add, remove)
Decentralised Access Control Examples:
- Multi-domain Microsoft implementations (Forest)
- Database Management System (DBMS)
What is Discretionary Access Control ? (DAC)
This is an access policy determined by the owner of a file (or other resource). The owner decides who has access and what level of access they have (Read, Write, Execute).
What are the three basic types of Access Control ?
Read - The subject can read the file, object or directory.
Write - The subject can write to the file, object or directory.
Execute - If the file is a program, it can be executed and run.
What is an ACL ?
Access Control List, comes in two flavours: Discretionary Access Control (DAC) and networking (routers). These are just contextual differences.
What is Role Based Access Control ?
Role-based access control is another method for implementing discretionary access controls. Role-based access control assigns group membership based on organizational or functional roles. Individuals may belong to one or many groups (acquiring cumulative permissions or limited to the most restrictive set of permissions for all assigned groups), and a group may contain only a single individual (corresponding to a specific organizational role assigned to one person). Access rights and permissions for objects are assigned to groups, rather than (or in addition to) individuals.
Major disadvantages of discretionary access control techniques such as ACLs or role-based access control ?
- Lack of centralised management
- Dependence on security-conscious resource owners
- Many OSes default to full access
- Auditing is difficult due to the massive amount of logs.
What are Mandatory Access Controls (MAC) ?
A mandatory access control (MAC) is an access policy determined by the system, rather than by the owner. Organizations use MAC in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects.
What are MAC sensitivity labels?
All subjects and objects must have assigned labels. A subject’s sensitivity label specifies its level of trust. An object’s sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object. For example, a user (subject) with a Top Secret clearance (sensitivity label) is permitted to access a file (object) that has a Secret classification level (sensitivity label) because his or her clearance level exceeds the minimum required for access.
What is MAC Rule Based Access Control ?
A somewhat logical method of determining access to an object: is the subject’s sensitivity label equal to or greater than the level of the object?
What are MAC Lattice Based Access Controls ?
A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object.
Organizations can use this model for complex access control decisions involving multiple objects and/ or subjects. For example, given a set of files that have multiple classification levels, the lattice model determines the minimum clearance level that a user requires to access all the files.
What are the Major disadvantages of Mandatory Access Controls ?
- Lack of flexibility
- Difficulty in implementation and programming
- End user frustration
- Data import / export must be monitored rigorously.
What is the Bell-La Padula Access Control Model ?
- A state machine model that addresses confidentiality during a data transfer.
- Information cannot flow downwards.
- simple security property (ss property): A subject can’t read information from an object that has a higher sensitivity label (no read up (NRU))
- *-property (star property): A subject can’t write information to an object that has a lower sensitivity label (no write down, or NWD).
What is the Biba Integrity Access Control Model ?
Biba is a lattice-based model that addresses the first goal of integrity — ensuring that unauthorized users or processes don’t make modifications to data.
- Simple integrity property: A subject can’t read information from an object that has a lower integrity level (no read down).
- *-integrity property (star integrity property): A subject can’t write information to an object that has a higher integrity level (no write up).
** Upside-down Bell-La Padula **
What is the Clark Wilson Integrity Control Model ?
Using the Clark-Wilson model, data cannot be directly accessed by a user. Instead, it must be accessed through an application which controls the access. Clark-Wilson addresses all three goals of integrity. Targets the following use cases:
- Unconstrained data item (UDI): Data outside the control area, such as input data
- Constrained data item (CDI): Data inside the control area (integrity must be preserved)
- Integrity verification procedures (IVP): Checks validity of CDIs
- Transformation procedures (TP): Maintains integrity of CDIs
What is an Access Control Noninterference Model ?
A noninterference model ensures that objects and subjects don’t see the actions of different objects and subjects on the same system — and that those actions don’t interfere with them.
Ex: If a user with a higher level of access made a change to a file, a user with a lower level of access would not see those changes and would not be able to deduce any information from those changes.
What is an Access Control Access Matrix Model ?
An access matrix model provides object access rights (R/W/X) to subjects in a DAC system. An access matrix consists of access control lists (ACLs) and capability lists.
What is an Access Control Information Flow Model ?
An information flow model is a lattice-based model in which the system assigns objects a security class and value, and a security policy controls their direction of flow.
Access Control Attack - Brute Force ?
The attacker attempts every possible combination of letters, numbers and characters to break a password or PIN.
Access Control Attack - Dictionary Attack ?
A dictionary attack is essentially a more focused type of brute force attack in which the attacker uses a predefined word list. You can find such word lists or dictionaries, including foreign language and special-interest dictionaries.
Think: L0phtCrack, John the Ripper - these utilities create hashes of the passwords contained in their dictionary or word list, and then compare the resulting hashes to the password file.
Access Control Attack - Buffer / Stack Overflow ?
Buffer overflows in certain systems or applications may enable an attacker to gain unauthorized access to a system or directory. An overflow occurs when an application or protocol attempts to store more information than the allotted resources will allow. This causes previously entered data to become corrupted, the protocol or application to crash, or other unexpected or erratic behavior to occur.
Best Defense - Patch Often.
Access Control Attack - Tear Drop Attack ?
This is a type of stack overflow attack that exploits vulnerabilities in the IP protocol.
Best Defense - Patch Often.
Access Control Attack - Man in the Middle Attack ?
Here an attacker intercepts messages between two parties and forwards a modified version of the original message to the intended recipient.
Access Control Attack - Password / Packet Sniffing ?
An attacker uses an application or device, known as a sniffer, to capture network packets and analyze their contents, such as usernames and passwords, and shared keys.
Access Control Attack - Session Hijacking?
Similar to a Man-in-the-Middle attack, except that the attacker impersonates the intended recipient, instead of modifying messages in transit.
Access Control Attack - Social Engineering ?
This brazen technique can simply involve the attacker calling a user, pretending to be a system administrator and asking for the user’s password, or calling a help desk pretending to be a user and asking to have the password changed.
Also includes phishing.
What is Threat Modeling ?
Ensuring that security is a crucial part of the application development lifecycle.
What is Asset Valuation ?
The process of assigning a financial value to an organisation’s information assets.
What is Vulnerability Analysis ?
The process of identifying and defining a system’s vulnerabilities.
What is Access Aggregation ?
A combination of all of a user’s access rights and permissions across multiple networks and systems.
What is Port Scanning ?
The process of probing a system to determine which TCP/IP service ports are open on that system.
What is Application Scanning ?
The process of assessing whether an application has any weaknesses that might be exploited.
What is Black Box Testing ?
The tester has no prior knowledge of the system.
What is White Box Testing ?
The person testing has complete knowledge of the system being tested. (Maximum assurance of vulnerability discovery.)
What is Grey Box Testing ?
The person doing the testing has some, but not all, knowledge of the system being tested.
What is Host Scanning ?
The process of scanning a network in order to discover any host computers on the network.
What is Operating System (OS) Detection ?
Determining the operating system running on the host(s) being scanned.
What is the Software Development Life Cycle (SDLC) ?
A series of processes that govern activities around an application - testing, pen testing, installation, maintenance and end of life.
What is the Identity & Access Provisioning Life Cycle ?
New access (provisioning) must be constantly reviewed and assessed for risk, along with frequent audits of users’ access rights, which can change over time.