Access Control Flashcards
CIA Triad
Confidentiality, Integrity and Availability - Cornerstone concept of Information Security
DAD
Disclosure, Alteration and Destruction - The opposing forces to the CIA triad.
Confidentiality
CIA: prevention of unauthorized disclosure of information.
Integrity
CIA: prevention of unauthorized changes to information.
Integrity - 2 types
Data Integrity and System Integrity
AAA
Authentication, Authorization and Accountability.
Subject/Object
A subject is an active entity on a system. An OBJECT is any passive data (e.g. data files).
Defense-in-Depth
Layered defense. Implementation of multiple safeguards (controls) to reduce risk.
DAC
Discretionary Access Control. Gives subjects full control of objects they have been given access to. Subject may give others access to their objects.
MAC
Mandatory Access Control. SYSTEM-enforced control based on clearance and object labels. Example: security classification (Secret, Confidential, FOUO). Expensive and difficult to implement.
RBAC
Role Based Access Control. Access is based on a user’s “role”. Example: administrator, nurse, backup-admin. Non-discretionary access control.
Centralized Access Control
Access control at one logical point for a system or organization. Systems authenticate via third-party authentication servers (e.g. SSO - single sign-on).
Decentralized Access Control
Locally based control over multiple sites. AKA “Distributed Access Control”.
RADIUS
Remote Authentication Dial-In User Service. This is an AAA system. Uses multiple servers. Encrypts only the password.
Diameter
Access control protocol. Successor to RADIUS. Uses AAA framework. Uses single server. Uses TCP.
TACACS & TACACS+
Terminal Access Controller Access Control System. Centralized access control system that requires users to send an ID and static password for authentication. Uses UDP or TCP. Encrypts all authentication data.
PAP
Password Authentication Protocol. Sends the password over the wire in clear text - NOT SECURE.
CHAP
Challenge Handshake Authentication Protocol. Uses a central location that challenges remote users. Protects against playback attacks. A mutual secret is stored by the server and the peer but is never sent over the wire.
Microsoft AD Domains
Active Directory uses a “domains” model for access control and the Kerberos authentication protocol. Each domain has a separate authentication process and space.
Access Control Defensive Categories (6)
Preventive, Detective, Corrective, Recovery, Deterrent, Compensation
Administrative Access Control
Controls implemented by creating and following organization policy, procedures or regulations.
Technical Access Control
Implemented using software, hardware or firmware. Examples: firewalls, routers or encryption.
Physical Access Control
Implemented with physical devices such as locks, fences, gates, security guards, etc.
Preventive Controls
Restrictions on what a user can do. An ACL is one example. Pre-employment or drug screening is an example of an administrative preventive control.
Detective Controls
Controls that alert during or after a successful attack. Examples are an IDS or security cameras that alert guards.
Corrective Controls
Correcting a damaged system or process. Antivirus is both Detective and Corrective.
Recovery Controls
Post-incident controls. Recovery means the system must be recovered (e.g. restored).
Deterrent Controls
Used to “deter” a user from performing actions on a system. An example is a user login banner or a “Beware of Dog” sign.
Compensating Controls
An additional security control used to compensate for weaknesses in other controls. Example: routine log reviews.
Authentication Models (3)
Type 1 (something you know), Type 2 (something you have), Type 3 (something you are)
Type 1 Authentication
Something you know. Passwords.
Type 2 Authentication
Something you have. Tokens, keys, smartcards, etc.
Synchronous Dynamic Token
Access code is dynamic, constantly changing. The server maintains a record of each registered token and synchronizes codes for each.
Asynchronous Dynamic Token
Uses challenge/response tokens.
Type 3 Authentication
Something you are. Biometrics.
Biometric Accuracy
FRR - False Reject Rate, FAR - False Accept Rate, CER - Crossover Error Rate
Biometric Control Types
Fingerprints, Retinal Scan, Iris Scan, Hand Geometry, Keyboard Dynamics, Dynamic Signature, Voiceprint, Facial Scan
SSO
Single Sign-on. Allows multiple systems to use a central authentication service for access to multiple systems. Also provides centralized user management.
Kerberos Components
Principal (client or service), Realm (Kerberos network), Ticket, Credentials (ticket and service key), KDC - Key Distribution Center, TGS - Ticket Granting Service, TGT - Ticket Granting Ticket, C/S - Client/Server
SESAME
Secure European System for Application in a Multivendor Environment - An SSO system that supports heterogeneous environments. Uses PACs (Privilege Attribute Certificates) instead of Kerberos tickets.
Pen Test - Zero Knowledge
AKA “black box”. Tester has no internal or trusted information. Attacks using public information only.
Pen Test - Full Knowledge
AKA “crystal box”. Tester has internal information including network information, previous test results, etc.