Access Control Flashcards

1
Q

What is an Object ?

A

A passive entity such as a file or database system.

2
Q

What is a Subject ?

A

An active entity such as an individual or a process.

3
Q

What is Access Control ?

A

The ability to permit or deny the use of an object by a subject.

4
Q

Purpose of Preventative Controls ?

A

Reducing Risk

5
Q

Purpose of Detective Controls ?

A

identifying violations and risks

6
Q

Purpose of Corrective Controls ?

A

Remedying violations and incidents and improving existing preventative and detective controls.

7
Q

Purpose of Deterrent Controls ?

A

Discouraging Violations

8
Q

Purpose of Recovery Controls ?

A

Restoring systems and information

9
Q

Purpose of Compensating Controls ?

A

Providing alternative ways of achieving a task.

10
Q

What are Administrative Controls ?

A

Policies and procedures an organisation implements as part of its information security strategy.

11
Q

What are Technical (logical) Controls ?

A

Technical controls use both hardware and software to implement access control.

12
Q

Some Examples of Technical Controls ?

A

Encryption, Access Control (biometrics, smart cards, tokens), ACLs, Remote Access Authentication (RADIUS, PAP, CHAP, LDAP)

13
Q

Some Examples of Detective Tech. Controls ?

A

Violation Reports, Audit Trails, Network Monitoring and Intrusion Detection.

14
Q

What are Physical Controls ?

A

Physical (preventative) Controls ensure the safety and security of the physical environment.

15
Q

Some Examples of Physical Controls ?

A

Security Perimeters - fences, guards, dogs, motion detectors and video cameras.

16
Q

What are the three components of Access Control Services ?

A

Authentication, Authorisation and Accountability (AAA)

auth-auth-acc

17
Q

What is Authentication ? (Access Control Service)

A

A two-step process consisting of identification and authentication.

18
Q

What is Authorisation? (Establishment, Access Control Service)

A

Defines the Rights / Permissions granted to a user account or process

19
Q

What is Accountability ? (Access Control)

A

The capability to associate users and processes with their actions.

20
Q

Some Examples of Accountability (Access Control)

A

Audit Trails, System Logs.

21
Q

Non Repudiation

A

Associated with Accountability (A.C.). It means that a user can't deny an action because you can irrefutably associate him with that action.

22
Q

System Access Control

A

A control category that protects the entire system, first line of defense.

23
Q

Data Access Control

A

A control category that is specific to controlling access to data in a system.

24
Q

Three Factors of Authentication

A

(01) Something you know (PIN, password), (02) Something you have (access card, RSA token), (03) Something you are (fingerprint, voice, retina, iris).

25
Q

What is two factor authentication

A

This is an authentication method that requires two different factors of authentication (Are, Have, Know).

26
Q

What is strong authentication

A

This is an authentication method that requires at least two different factors of authentication (Are, Have, Know).

27
Q

What is identification

A

Identification is the act of claiming a specific identity.

28
Q

What is authentication

A

Authentication is the act of verifying an identity.

29
Q

Recommended minimum password length:

A

6 to 8 characters

30
Q

Recommended password complexity:

A

Combination of alphanumerics with special characters and a mix of capitalised and non-capitalised alphabetic characters.

31
Q

Recommended password aging time length:

A

30-60-90 days

32
Q

Recommended password History:

A

5

33
Q

Recommended login attempts:

A

Counter threshold: 3 to 5

Counter reset: 30 min

34
Q

What is FRR ? (Access Control)

A

False Reject Rate (Type 1 Error): authorised users to whom the system incorrectly denies access, expressed as a %.

35
Q

What is FAR? (Access Control)

A

False Accept Rate (Type 2 Error): unauthorised users to whom the system incorrectly allows access, expressed as a %.

36
Q

What is CER (Access Control)

A

Crossover Error Rate is the point where FRR = FAR, stated as a %.

37
Q

What is a Nonce?

A

System-generated random challenge string (asynchronous / dynamic password token). Essentially a number used once.

38
Q

What is Kerberos ?

A

Kerberos is a popular ticket-based symmetric key authentication protocol (Windows, Sun NFS).

39
Q

What is SESAME ?

A

Secure European System for Applications in a Multi-vendor Environment, an alternative to Kerberos. It uses PKI as well as asynchronous and synchronous key exchange.

40
Q

What is a Privileged Attribute Server (PAS)

A

Site-specific authentication server in a SESAME implementation.

41
Q

SESAME Security Flaws ?

A

1) It uses the XOR function for encryption.
2) Authentication is based on a message fragment, not the whole message.
3) Key generation is not quite so random.
4) Vulnerable to password guessing attacks.

42
Q

What is CryptoKnight ?

A

Ticket-based SSO authentication system developed by IBM. It does not require clock synchronisation like Kerberos.

43
Q

What is LDAP ?

A

Lightweight Directory Access Protocol, a centralised access control system. It is both a data model and an IP protocol.

An Example of a Centralised Access Control for Remote Access.

44
Q

What is RAS ?

A

Remote Access Service - uses the Point-to-Point Protocol (PPP) to encapsulate IP packets and allow dial-up over analogue and ISDN lines.

An Example of a Centralised Access Control for Remote Access.

45
Q

What is PAP ?

A

Password Authentication Protocol - a two-way handshake that authenticates a peer to a server when a link is established. It has no protection against brute force attacks or replay attacks. It also transmits passwords in clear text.

46
Q

What is CHAP ?

A

Challenge Handshake Authentication Protocol - uses a three-way handshake for authentication between peer and server. Checks continue throughout the length of the connection. It uses a shared secret that is stored in cleartext. The cleartext password is hashed with MD5 when calculating responses.

47
Q

What is MS-CHAP ?

A

Microsoft's implementation of the Challenge Handshake Authentication Protocol. Same three-way handshake for authentication, with continued checking throughout the length of the communication. The shared secret is encrypted rather than stored in clear text.

An Example of a Centralised Access Control for Remote Access.

48
Q

What is EAP ?

A

The Extensible Authentication Protocol (EAP) adds flexibility to PPP authentication by implementing various authentication mechanisms, including MD5-challenge, S/Key, generic token card, digital certificates, and so on. Many wireless networks implement EAP.

An Example of a Centralised Access Control for Remote Access.

49
Q

What is RADIUS ?

A

The Remote Authentication Dial-In User Service (RADIUS) protocol is an open-source, client-server networking protocol that provides authentication, authorisation, and accountability (AAA) services. RADIUS is an Application Layer protocol that uses User Datagram Protocol (UDP) packets for transport. UDP is a connectionless protocol, which means it's fast but not as reliable as other transport protocols.

An Example of a Centralised Access Control for Remote Access.

50
Q

What is Diameter ?

A

Diameter is the next-generation RADIUS protocol. Like RADIUS, it provides AAA services and is an open protocol.

Unlike RADIUS, Diameter utilizes Transmission Control Protocol (TCP) and Stream Control Transmission Protocol (SCTP) packets to provide a more reliable, connection-oriented transport mechanism. Also, Diameter uses Internet Protocol Security (IPSec) or Transport Layer Security (TLS) to provide network security or transport layer security (respectively) — rather than PAP or CHAP

Not fully backward compatible with RADIUS.

An Example of a Centralised Access Control for Remote Access.

51
Q

What is TACACS ?

A

The Terminal Access Controller Access Control System (TACACS) is a remote authentication control protocol.

TACACS+ is TCP based (port 49) and supports practically any authentication mechanism (PAP, CHAP, MS-CHAP, EAP, token cards, Kerberos, and so on). The major advantages of TACACS+ are its wide support of various authentication mechanisms and granular control of authorisation parameters. TACACS+ can also use dynamic passwords; TACACS uses static passwords only.

An Example of a Centralised Access Control for Remote Access.

52
Q

Decentralised Access Control

A

Decentralised access control systems keep user account information in separate locations, maintained by different administrators, throughout an organisation or enterprise.

Possible Issues:

  • inconsistent security policies
  • mass account management (add, remove)

53
Q

Decentralised Access Control Examples:

A

  • Multi-domain Microsoft implementations (Forest)
  • Database Management System (DBMS)

54
Q

What is Discretionary Access Control ? (DAC)

A

This is an access policy determined by the owner of a file (or other resource). The owner decides who has access and what level of access they have (Read, Write, Execute).

55
Q

What are the three basic types of Access Control ?

A

Read - The subject can read the file, object or directory.
Write - The subject can write to the file, object or directory.
Execute - If the file is a program, it can be executed and run.

56
Q

What is an ACL ?

A

Access Control List, comes in two flavours: Discretionary Access Control (DAC) and Networking (routers). These are just contextual differences.

57
Q

What is Role Based Access Control ?

A

Role-based access control is another method for implementing discretionary access controls. Role-based access control assigns group membership based on organizational or functional roles. Individuals may belong to one or many groups (acquiring cumulative permissions or limited to the most restrictive set of permissions for all assigned groups), and a group may contain only a single individual (corresponding to a specific organizational role assigned to one person). Access rights and permissions for objects are assigned to groups, rather than (or in addition to) individuals.

58
Q

Major disadvantages of discretionary access control techniques such as ACLs or role-based access control ?

A
  • Lack of centralised management
  • Dependence on security-conscious resource owners
  • Many OSes default to full access
  • Auditing is rough due to the massive amount of logs.

59
Q

What are Mandatory Access Controls (MAC) ?

A

A mandatory access control (MAC) is an access policy determined by the system, rather than by the owner. Organizations use MAC in multilevel systems that process highly sensitive data, such as classified government and military information. A multilevel system is a single computer system that handles multiple classification levels between subjects and objects.

60
Q

What are MAC sensitivity labels?

A

All subjects and objects must have assigned labels. A subject’s sensitivity label specifies its level of trust. An object’s sensitivity label specifies the level of trust required for access. In order to access a given object, the subject must have a sensitivity level equal to or higher than the requested object. For example, a user (subject) with a Top Secret clearance (sensitivity label) is permitted to access a file (object) that has a Secret classification level (sensitivity label) because his or her clearance level exceeds the minimum required for access.

61
Q

What is MAC Rule Based Access Control ?

A

A somewhat logical method of determining access to an object: is the subject's sensitivity label equal to or greater than the level of the object?

62
Q

What are MAC Lattice Based Access Controls ?

A

A lattice model is a mathematical structure that defines greatest lower-bound and least upper-bound values for a pair of elements, such as a subject and an object.

Organizations can use this model for complex access control decisions involving multiple objects and/or subjects. For example, given a set of files that have multiple classification levels, the lattice model determines the minimum clearance level that a user requires to access all the files.

63
Q

What are the Major disadvantages of Mandatory Access Controls ?

A
  • Lack of flexibility
  • Difficulty in implementation and programming
  • End user frustration
  • Data import / export must be monitored rigorously.

64
Q

What is the Bell-La Padula Access Control Model ?

A
  • A state machine model that addresses confidentiality during a data transfer.
  • Information cannot flow downwards.
  • Simple security property (ss property): A subject can't read information from an object that has a higher sensitivity label (no read up (NRU)).
  • *-property (star property): A subject can't write information to an object that has a lower sensitivity label (no write down, or NWD).

65
Q

What is the Biba Integrity Access Control Model ?

A

Biba is a lattice-based model that addresses the first goal of integrity — ensuring that unauthorized users or processes don’t make modifications to data.

  • Simple integrity property: A subject can't read information from an object that has a lower integrity level (no read down).
  • *-integrity property (star integrity property): A subject can't write information to an object that has a higher integrity level (no write up).

** Upside Down Bell-La Padula **

66
Q

What is the Clark Wilson Integrity Control Model ?

A

Using the Clark-Wilson model, data cannot be directly accessed by a user. Instead, it must be accessed through an application which controls the access. Clark-Wilson addresses all three goals of integrity. Targets the following use cases:

  • Unconstrained data item (UDI): Data outside the control area, such as input data
  • Constrained data item (CDI): Data inside the control area (integrity must be preserved)
  • Integrity verification procedures (IVP): Checks validity of CDIs
  • Transformation procedures (TP): Maintains integrity of CDIs

67
Q

What is an Access Control Noninterference Model ?

A

A noninterference model ensures that objects and subjects don’t see the actions of different objects and subjects on the same system — and that those actions don’t interfere with them.

Ex: If a user with a higher level of access made a change to a file, a user with a lower level of access would not see those changes and would not be able to deduce any information from those changes.

68
Q

What is an Access Control Access Matrix Model ?

A

An access matrix model provides object access rights (R/W/X) to subjects in a DAC system. An access matrix consists of access control lists (ACLs) and capability lists.

69
Q

What is an Access Control Information Flow Model ?

A

An information flow model is a lattice-based model in which the system assigns objects a security class and value, and a security policy controls their direction of flow.

70
Q

Access Control Attack - Brute Force ?

A

The attacker attempts every possible combination of letters, numbers and characters to break a password or PIN.

71
Q

Access Control Attack - Dictionary Attack ?

A

A dictionary attack is essentially a more focused type of brute force attack in which the attacker uses a predefined word list. You can find such word lists or dictionaries, including foreign language and special-interest dictionaries.

Think: L0phtCrack, John the Ripper - these utilities create hashes of the passwords contained in their dictionary or word list, and then compare the resulting hashes to the password file.

72
Q

Access Control Attack - Buffer / Stack Overflow ?

A

Buffer overflows in certain systems or applications may enable an attacker to gain unauthorized access to a system or directory. An overflow occurs when an application or protocol attempts to store more information than the allotted resources will allow. This causes previously entered data to become corrupted, the protocol or application to crash, or other unexpected or erratic behavior to occur.

Best Defense - Patch Often.

73
Q

Access Control Attack - Teardrop Attack ?

A

This is a type of stack overflow attack that exploits vulnerabilities in the IP protocol.

Best Defense - Patch Often.

74
Q

Access Control Attack - Man-in-the-Middle Attack ?

A

Here an attacker intercepts messages between two parties and forwards a modified version of the original message to the intended recipient.

75
Q

Access Control Attack - Password / Packet Sniffing ?

A

An attacker uses an application or device, known as a sniffer, to capture network packets and analyze their contents, such as usernames and passwords, and shared keys.

76
Q

Access Control Attack - Session Hijacking?

A

Similar to a Man-in-the-Middle attack, except that the attacker impersonates the intended recipient, instead of modifying messages in transit.

77
Q

Access Control Attack - Social Engineering ?

A

This brazen technique can simply involve the attacker calling a user, pretending to be a system administrator and asking for the user's password, or calling a help desk pretending to be a user and asking to have the password changed.

Also includes phishing.

78
Q

What is Threat Modeling ?

A

Ensuring that security is a crucial part of the application development lifecycle.

79
Q

What is Asset Valuation ?

A

The process of assigning a financial value to an organisation's information assets.

80
Q

What is Vulnerability Analysis ?

A

The process of identifying and defining a system's vulnerabilities.

81
Q

What is Access Aggregation ?

A

A combination of all of a user's access rights and permissions across multiple networks and systems.

82
Q

What is Port Scanning ?

A

The process of probing a system to determine which TCP/IP service ports are running on that system.

83
Q

What is Application Scanning ?

A

The process of assessing whether an application has any weaknesses that might be exploited.

84
Q

What is Black Box Testing ?

A

The tester has no prior knowledge of the system.

85
Q

What is White Box Testing ?

A

The person testing has complete knowledge of the system being tested. (Maximum assurance of vulnerability discovery.)

86
Q

What is Grey Box Testing ?

A

The person doing the testing has some, but not all, knowledge of the system being tested.

87
Q

What is Host Scanning ?

A

The process of scanning a network in order to discover any host computers on the network.

88
Q

What is Operating System (OS) Detection ?

A

Determining the operating system running on the host(s) being scanned.

89
Q

What is the Software Development Life Cycle (SDLC) ?

A

A series of processes that govern activities around an application: testing, pen testing, installation, maintenance and end of life.

90
Q

What is the Identity & Access Provisioning Life Cycle ?

A

New access (provisioning) must be constantly reviewed and assessed for risk, along with frequent audits of users' access rights, which can change over time.