Access Control

Question 1

CIA Triad

Answer 1

Confidentiality, Integrity and Availability - Cornerstone concept of Information Security

Question 2

DAD

Answer 2

Disclosure, Alternation and Destruction - The opposing forces to the CIA triad

Question 3

Confidentiality

Answer 3

CIA: prevention of unauthorized disclosure of information.

Question 4

Integrity

Answer 4

CIA: prevention of unauthorized changes to information.

Question 5

Integrity - 2 types

Answer 5

Data Integrity and System Integrity

Question 6

AAA

Answer 6

Authentication, Authorization and Accountability.

Question 7

Subject/Object

Answer 7

A subject is an active entity on a system. An OBJECT is any passive data (e.g. data files).

Question 8

Defense-in-Depth

Answer 8

Layer Defense. Implementation of multiple safeguards (controls) to reduce risk.

Question 9

DAC

Answer 9

Discretionary Access Control. Gives subjects full control of objects they have been given access to. Subject may give others access to their objects.

Question 10

MAC

Answer 10

Mandatory Access Control. SYSTEM-enforced control based on clearance and object labels. Example: security classification (Secret, Confidential, FOUO). Expensive and difficult to implement.

Question 11

RBAC

Answer 11

Role Based Access Control. Access is based on a user’s “role”. Example: administrator, nurse, backup-admin. Non-discretionary access control.

Question 12

Centralized Access Control

Answer 12

Access Control at one logical point for a system or organization. Systems authenticate via third party authentication servers (e.g. SSO - single signon)

Question 13

Decentralized Access Control

Answer 13

Local based control over multiple sites. AKA, “Distributed Access Control”.

Question 14

RADIUS

Answer 14

Remote Authentication Dial-In User Service. This is an AAA system. Uses multiple servers. Encrypts only password.

Question 15

Diameter

Answer 15

Access control protocol. Successor to RADIUS. Uses AAA framework. Uses single server. Uses TCP

Question 16

TACACS & TACACS+

Answer 16

Terminal Access Controller Access Control System. Centralized access control system that requires users send and ID and static password for authentication. Uses UDP or TCP. Encrypts all authentication data.

Question 17

PAP

Answer 17

Password Authentication Protocol. Sends password over wire in clear text - NOT SECURE.

Question 18

CHAP

Answer 18

Challenge Handshake Authentication Protocol. Use central location that challenges remote users. Protects against playback attacks. Mutual secret is stored by server and peer but not sent over wire.

Question 19

Microsoft AD Domains

Answer 19

Active Directory uses “domains” model for access control, Kerberos Authentication Protocol. Each domain has a separate authentication process and space.

Question 20

Access Control Defensive Categories (6)

Answer 20

Preventive, Detective, Corrective, Recovery, Deterrent, Compensation

Question 21

Administrative Access Control

Answer 21

Controls implemented by creating and following organization policy, procedures or regulations.

Question 22

Technical Access Control

Answer 22

Implemented using software, hardware or firmware. Examples: firewalls, routers or encryption.

Question 23

Physical Access Control

Answer 23

Implemented with physical devices such as locks, fences, gates, security guards, etc.

Question 24

Preventive Controls

Answer 24

Restrictions on what a user can do. ACL is one example. Also an example of an administrative preventive control is pre-employment or drug screenings

Question 25

Detective Controls

Answer 25

Controls that alert during of after a successful attack. Examples are IDS or security cameras that alert guards.

Question 26

Corrective Controls

Answer 26

Correcting a damaged system or process. Antivirus is both Detective and Corrective.

Question 27

Recovery Controls

Answer 27

Post-incident controls.Recovery means the system must be recovered (e.g. restored)

Question 28

Deterrent Controls

Answer 28

Used to “deter” a user from performing actions on a system. An example is a user login banner or a “Beware of Dog” sign.

Question 29

Compensating Controls

Answer 29

An additional security control used to compensate for weaknesses in other controls. Routine log reviews.

Question 30

Authentication Models (3)

Answer 30

Type 1 (something you know), Type 2 (something you have), Type 3 (something you are)

Question 31

Type 1 Authentication

Answer 31

Something you know. Passwords.

Question 32

Type 2 Authentication

Answer 32

Something you have. Token, keys, smarcards, etc.

Question 33

Synchronous Dynamic Token

Answer 33

Access code is dynamic, constantly changing. Server maintains record of each registered token and synchronizes codes for each.

Question 34

Asynchronous Dynamic Token

Answer 34

Use challenge/response tokens.

Question 35

Type 3 Authentication

Answer 35

Something you are. Biometrics

Question 36

Biometric Accuracy

Answer 36

FRR - False Reject Rate, FAR - False Accept Rate, CER - Crossover Error Rate

Question 37

Biometric Control Types

Answer 37

Fingerprints, Retinal Scan, Iris Scan, Hand Geometry, Keyboard Dynamics, Dynamic Signature, Voiceprint, Facial Scan

Question 38

SSO

Answer 38

Single Sign-on. Allows multiple systems to use a central authentication for access to multiple systems. Also provides centralized user management.

Question 39

Kerberos Components

Answer 39

Principal (client or service), Realm (kerberos network), Ticket, Credentials (ticket and service key), KDC - key distribution center, TGS - ticket granting service, TGT - Ticket Granting Ticket, C/S - Client/server

Question 40

SESAME

Answer 40

Secure European System for Application in a Multivendor Environment - A SSO system that support heterogeneous environments. Uses PACs (Privelege Attribute Certificates) instead of Kerberos tickets.

Question 41

Pen Test - Zero Knowledge

Answer 41

Aka, “black box”. Tester has no internal or trusted information. Attacks using public info only.

Question 42

Pen Test - Full Knowledge

Answer 42

Aka, “crystal-box”. Tester has internal information including network info, previous test results, etc.